CN114157480B - Method, device, equipment and storage medium for determining network attack scheme - Google Patents


Info

Publication number
CN114157480B
Authority
CN
China
Prior art keywords
attack
network attack
host
scheme
network
Legal status
Active
Application number
CN202111455071.7A
Other languages
Chinese (zh)
Other versions
CN114157480A (en)
Inventor
赵正罡
沈传宝
杨星
王闰婷
白兴伟
Current Assignee
Beijing Huayuan Information Technology Co Ltd
Original Assignee
Beijing Huayuan Information Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205: Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30: Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/36: Creation of semantic tools, e.g. ontology or thesauri
    • G06F16/367: Ontology
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic

Abstract

The embodiment of the disclosure provides a method, a device, equipment and a storage medium for determining a network attack scheme. The method comprises the following steps: acquiring resource information of an attack source host and host information of an attack destination host; determining a target network attack scheme from a network attack knowledge graph according to the resource information of the attack source host and the host information of the attack destination host; the network attack knowledge graph is constructed according to a network attack triplet, and the network attack triplet comprises resource information of an attack source host corresponding to a network attack scheme, the network attack scheme and host information of an attack destination host corresponding to the network attack scheme. In this way, the target network attack scheme suitable for both sides of the attack can be automatically and rapidly determined based on the network attack knowledge graph, and the determination efficiency of the network attack scheme is improved.

Description

Method, device, equipment and storage medium for determining network attack scheme
Technical Field
The disclosure relates to the field of network security, and in particular relates to a method, a device, equipment and a storage medium for determining a network attack scheme.
Background
In recent years, network attack events have been frequent: Trojan horses, worms and ransomware attacks emerge endlessly on the Internet and pose a serious threat to network security. Therefore, it is necessary to perform attack and defense tests on a network to test its protection capability. However, in current network attack and defense tests, a fixed attack scheme is formulated mainly on the basis of the personal ability and experience of the attacker, and the efficiency is low.
Disclosure of Invention
The present disclosure provides a method, an apparatus, a device, and a storage medium for determining a network attack scenario, which can improve the determination efficiency of the network attack scenario.
In a first aspect, an embodiment of the present disclosure provides a method for determining a network attack scenario, where the method includes:
acquiring resource information of an attack source host and host information of an attack destination host;
determining a target network attack scheme from a network attack knowledge graph according to the resource information of the attack source host and the host information of the attack destination host; the network attack knowledge graph is constructed according to a network attack triplet, and the network attack triplet comprises resource information of an attack source host corresponding to a network attack scheme, the network attack scheme and host information of an attack destination host corresponding to the network attack scheme.
In some implementations of the first aspect, obtaining resource information of an attack source host and host information of an attack destination host includes:
executing a query instruction corresponding to the resource information to acquire the resource information of the attack source host;
and carrying out host scanning on the attack target host to acquire host information of the attack target host.
In some implementations of the first aspect, the process of establishing a network attack knowledge graph includes:
acquiring network attack behavior data;
carrying out knowledge extraction on the network attack behavior data to obtain a network attack triplet;
and carrying out knowledge fusion and knowledge processing on the network attack triples to obtain a network attack knowledge graph.
In some implementations of the first aspect, determining, from a network attack knowledge graph, a target network attack scheme according to resource information of an attack source host and host information of an attack destination host includes:
determining one or more candidate network attack schemes matched with the resource information and the host information from the network attack knowledge graph according to the resource information of the attack source host and the host information of the attack destination host;
calculating the attack coefficient of each candidate network attack scheme;
and determining the candidate network attack scheme with the attack coefficient meeting the preset attack condition as a target network attack scheme.
In some implementations of the first aspect, calculating the attack coefficients of each candidate network attack scenario includes:
determining an attack index which is accordant with each candidate network attack scheme from a plurality of preset attack indexes;
and calculating the sum of the weights of each candidate network attack scheme according to the weight corresponding to the attack index which is met by each candidate network attack scheme, and taking the sum of the weights of each candidate network attack scheme as an attack coefficient of each candidate network attack scheme.
In some implementations of the first aspect, determining that the candidate network attack scenario in which the attack coefficient satisfies the preset attack condition is a target network attack scenario includes:
determining that the candidate network attack scheme with the attack coefficient larger than or equal to a preset threshold value is a target network attack scheme; or,
and sorting the candidate network attack schemes in descending order of attack coefficient and determining the first N candidate network attack schemes as target network attack schemes, where N is a positive integer greater than or equal to 1.
In some implementations of the first aspect, the method further includes:
and outputting prompt information of the target network attack scheme to prompt the user to execute corresponding attack operation.
In a second aspect, an embodiment of the present disclosure provides a device for determining a network attack scenario, where the device includes:
the acquisition module is used for acquiring the resource information of the attack source host and the host information of the attack destination host;
the determining module is used for determining a target network attack scheme from the network attack knowledge graph according to the resource information of the attack source host and the host information of the attack destination host; the network attack knowledge graph is constructed according to a network attack triplet, and the network attack triplet comprises resource information of an attack source host corresponding to a network attack scheme, the network attack scheme and host information of an attack destination host corresponding to the network attack scheme.
In a third aspect, an embodiment of the present disclosure provides an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method as described above.
In a fourth aspect, the disclosed embodiments provide a non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform a method as described above.
In a fifth aspect, the disclosed embodiments provide a computer program product comprising a computer program which, when executed by a processor, implements a method as described above.
In the method, the target network attack scheme suitable for both sides of the attack can be automatically and rapidly determined from the network attack knowledge graph according to the resource information of the attack source host and the host information of the attack destination host, so that the determination efficiency of the network attack scheme is improved, and the subsequent development of the network attack and defense test is facilitated.
It should be understood that what is described in this summary is not intended to limit the critical or essential features of the embodiments of the disclosure nor to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of embodiments of the present disclosure will become more apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings. For a better understanding of the present disclosure, and without limiting the disclosure thereto, the same or similar reference numerals denote the same or similar elements, wherein:
FIG. 1 illustrates a schematic diagram of an exemplary operating environment in which embodiments of the present disclosure can be implemented;
FIG. 2 is a flow chart illustrating a method for determining a network attack scenario provided by an embodiment of the present disclosure;
FIG. 3 is a flow chart illustrating another method for determining a network attack scenario provided by an embodiment of the present disclosure;
fig. 4 is a block diagram of a determining apparatus for a network attack scenario according to an embodiment of the present disclosure;
fig. 5 illustrates a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are some embodiments of the present disclosure, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments in this disclosure without inventive faculty, are intended to be within the scope of this disclosure.
In addition, the term "and/or" herein is merely an association relationship describing an association object, and means that three relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.
Aiming at the problems in the background art, the embodiment of the disclosure provides a method, a device, equipment and a storage medium for determining a network attack scheme. Specifically, the target network attack scheme suitable for both attack parties can be automatically and rapidly determined from the network attack knowledge graph according to the resource information of the attack source host and the host information of the attack destination host, so that the determination efficiency of the network attack scheme is improved, and the subsequent development of the network attack and defense test is facilitated.
The method, the device, the equipment and the storage medium for determining the network attack scheme provided by the embodiment of the disclosure are described in detail below through specific embodiments with reference to the accompanying drawings.
Fig. 1 illustrates a schematic diagram of an exemplary operating environment 100 in which embodiments of the present disclosure can be implemented. As shown in fig. 1, the operating environment 100 may include an electronic device 110, an attack source host 120 and an attack destination host 130, and the electronic device 110 may be communicatively connected to the attack source host 120 and the attack destination host 130 through a wired or wireless network.
The electronic device 110 may be a mobile electronic device or a non-mobile electronic device. For example, the mobile electronic device may be a tablet computer, a notebook computer, a palm top computer, or an Ultra-mobile personal computer (UMPC) or the like, and the non-mobile electronic device may be a personal computer (Personal Computer, PC) or a server or the like. The attack source host 120 is a host that initiates an attack, and the attack destination host 130 is a host that is attacked. Alternatively, the electronic device 110 may also act as the attack source host 120, without limitation.
As an example, the electronic device 110 may obtain the resource information of the attack source host 120 and the host information of the attack destination host 130, may use the resource information as an attribute of the resource entity to characterize the resource entity, and may use the host information as an attribute of the host entity to characterize the host entity.
And then automatically and quickly determining a target network attack scheme suitable for both attack parties from a network attack knowledge graph according to the resource information of the attack source host and the host information of the attack destination host, thereby improving the determination efficiency of the network attack scheme. The network attack knowledge graph is a knowledge graph, namely a knowledge base, constructed according to a network attack triplet, wherein the network attack triplet comprises resource information of an attack source host corresponding to a network attack scheme, the network attack scheme and host information of an attack destination host corresponding to the network attack scheme. In the network attack knowledge graph, the resource information is used as an attribute for representing the resource entity, the network attack scheme is used as an attribute for representing the attack behavior, namely the relation, and the host information is used as an attribute for representing the host entity.
A method for determining a network attack scenario provided by an embodiment of the present disclosure will be described in detail, where an execution subject of the determination method may be the electronic device 110 shown in fig. 1.
Fig. 2 shows a flowchart of a method 200 for determining a network attack scenario according to an embodiment of the disclosure, where, as shown in fig. 2, the determining method 200 may include the following steps:
s210, acquiring the resource information of the attack source host and the host information of the attack destination host.
Specifically, a query instruction corresponding to the resource information can be executed, so that the resource information of the attack source host can be quickly obtained. The resource information may include attack utilization tools, user login credentials, etc., which may be used as attributes of the resource entity to characterize the resource entity.
The host scanning can be performed on the attack target host, and the host information of the attack target host can be rapidly acquired. The host information may include operating system information, port service information, authority level information, application information, and the like, which may be used as attributes of the host entity to characterize the host entity.
It should be noted that, the attributes of the host entity are obtained in the attack activity, and most of the attributes of the resource entity are accumulated by the attacker and a small part of the attributes are generated in the attack activity.
S220, determining a target network attack scheme from the network attack knowledge graph according to the resource information of the attack source host and the host information of the attack destination host.
The network attack knowledge graph is constructed according to a network attack triplet, and the network attack triplet comprises resource information of an attack source host corresponding to a network attack scheme, the network attack scheme and host information of an attack destination host corresponding to the network attack scheme. In the network attack knowledge graph, the resource information is used as an attribute for representing the resource entity, the network attack scheme is used as an attribute for representing the attack behavior, namely the relation, and the host information is used as an attribute for representing the host entity. That is, the resource information is associated with the host information based on the network attack scenario.
In this way, the target network attack scheme matched with the resource information of the current attack source host and the host information of the current attack destination host can be determined from the network attack knowledge graph.
In some embodiments, one or more candidate network attack schemes matching the resource information and the host information may be determined from the network attack knowledge graph according to the resource information of the attack source host and the host information of the attack destination host.
Attack coefficients are then calculated for each candidate network attack scenario. Specifically, the attack index which is met by each candidate network attack scheme can be determined from a plurality of preset attack indexes, the sum of the weights of each candidate network attack scheme is calculated according to the weight corresponding to the attack index which is met by each candidate network attack scheme, and the sum of the weights of each candidate network attack scheme is used as the attack coefficient of each candidate network attack scheme. In this way, the attack coefficients of each candidate network attack scheme can be rapidly calculated by combining the attack indexes.
Alternatively, the sum of the weights of each candidate network attack scheme may be calculated by a preset summation formula, which may be as follows:

$$S = \sum_{i=1}^{n} k_i x_i$$

where S represents the sum of the weights of the candidate network attack scheme, n represents the number of evaluation indexes, $k_i$ represents the weight value of the i-th evaluation index, and $x_i$ represents the Boolean value of the candidate network attack scheme with respect to the i-th evaluation index: $x_i$ is 1 if the candidate network attack scheme meets the i-th evaluation index and 0 if it does not.
Optionally, the weight of each evaluation index may be set according to practical attack principles, for example: privilege persistence takes precedence over other operations; an attack across network segments takes precedence over an attack within a network segment; obtaining the authority of other hosts based on legitimate user credentials takes precedence over a vulnerability exploitation attack; and host-based passive information collection takes precedence over active network scanning. This is not limited herein.
Suppose four attack indexes are preset, as follows:
attack index 1: whether a privilege persistence operation is performed in the network;
attack index 2: whether the attack crosses network segments;
attack index 3: whether an intrusion detection alarm is triggered;
attack index 4: whether the attack will proceed without failure.
The weights of the evaluation indexes are set according to the attack principles above and, taking the influence of the network environment into account, the weight of attack index 1 is 0.4, that of attack index 2 is 0.3, that of attack index 3 is 0.2, and that of attack index 4 is 0.1.
The candidate network attack scheme whose attack coefficient meets the preset attack condition is then determined as the target network attack scheme. Specifically, a candidate network attack scheme whose attack coefficient is greater than or equal to a preset threshold value may be determined as the target network attack scheme. Alternatively, the candidate network attack schemes may be sorted in descending order of attack coefficient and the first N candidate network attack schemes determined as the target network attack schemes, where N is a positive integer greater than or equal to 1. In this way, the network attack scheme with the most prominent attack effect can be selected as the target network attack scheme from at least one candidate network attack scheme based on the attack coefficient.
In some embodiments, the process of establishing the network attack knowledge graph may include:
network attack data is obtained, for example from a network security forum, an encyclopedia library, news information or a conversation. And carrying out knowledge extraction on the network attack behavior data to obtain a network attack triplet, and further carrying out knowledge fusion and knowledge processing on the network attack triplet to obtain a network attack knowledge graph. Therefore, a knowledge base for assisting the user in carrying out the network attack and defense test can be quickly constructed based on a large amount of network attack behavior data.
According to the embodiment of the disclosure, the target network attack scheme suitable for both sides of the attack can be automatically and rapidly determined from the network attack knowledge graph according to the resource information of the attack source host and the host information of the attack destination host, so that the determination efficiency of the network attack scheme is improved, and the subsequent development of the network attack and defense test is facilitated.
In some embodiments, the prompt information of the target network attack scheme can be output to prompt the user to execute the corresponding attack operation, so that the user can execute the network attack and defense test conveniently.
The determination method 200 provided in the embodiment of the present disclosure is described in detail below with reference to fig. 3, as follows:
as shown in fig. 3, operating system information, port service information, authority level information and the like of the attack source host, and an attack utilization tool, a user login credential and the like of the attack destination host can be obtained, the operating system information, the port service information and the authority level information are used as attributes of a host entity, and the attack utilization tool and the user login credential are used as attributes of a resource entity.
The attributes of the resource entity and the attributes of the host entity are then input into the network attack knowledge graph, and candidate network attack schemes are determined from it; suppose the candidates comprise attack scheme 1, attack scheme 2 and attack scheme 3. The attack coefficients of attack schemes 1, 2 and 3 are then calculated; suppose the attack coefficient of attack scheme 3 is larger than that of attack scheme 1 and the attack coefficient of attack scheme 1 is larger than that of attack scheme 2, so that attack scheme 3, attack scheme 1 and attack scheme 2 are output in descending order of attack coefficient. The determination of the network attack scheme is thereby completed.
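As an added worked example (not code from the patent or its assignee), the following Python script puts together the pieces described in steps S210 and S220, the knowledge graph construction paragraph and the fig. 3 walk-through above: the network attack triplets (resource information, scheme, host information) that make up the knowledge graph, a knowledge fusion step that merges duplicate triplets extracted from different sources, candidate matching against the current resource and host information, the attack coefficient S = Σ k_i x_i with the four preset indexes and the 0.4/0.3/0.2/0.1 weights from the description, and the threshold and top-N selection rules. Scheme names, attribute values and which indexes each scheme meets are constructed placeholders; the subset-based matching rule and the reading of index 3 as "met when no intrusion detection alarm is triggered" are assumptions, since the page does not define either. With the constructed data the ranking comes out as attack scheme 3, then 1, then 2, as in the fig. 3 walk-through.

```python
"""Added worked example (not the patent's code): knowledge-graph triplets,
candidate matching, the weighted attack coefficient and threshold / top-N
selection. All scheme names, attribute values and index results below are
constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

Attrs = FrozenSet[Tuple[str, str]]


def attrs(**kv: str) -> Attrs:
    """Normalize attribute name/value pairs into a hashable, order-free set."""
    return frozenset((k.strip().lower(), v.strip().lower()) for k, v in kv.items())


@dataclass(frozen=True)
class Triplet:
    """One network attack triplet: resource entity -> scheme (relation) -> host entity."""
    resource: Attrs  # attributes of the attack source host (tools, credentials, ...)
    scheme: str      # the network attack scheme, i.e. the relation in the graph
    host: Attrs      # attributes of the attack destination host (OS, ports, authority, ...)


def fuse(raw: Iterable[Triplet]) -> List[Triplet]:
    """Knowledge fusion: the same triplet extracted from two sources collapses to one."""
    merged: Dict[Tuple[Attrs, str, Attrs], Triplet] = {}
    for t in raw:
        name = t.scheme.strip().lower()
        merged.setdefault((t.resource, name, t.host), Triplet(t.resource, name, t.host))
    return list(merged.values())


def candidates(graph: Iterable[Triplet], resource: Attrs, host: Attrs) -> List[str]:
    """Matching rule (assumed): a scheme is a candidate when every attribute its
    triplet requires on the source side is present in the current resource info
    and every attribute it requires on the destination side is in the host info."""
    return sorted({t.scheme for t in graph if t.resource <= resource and t.host <= host})


# Preset attack indexes and weights from the description. Index 3 is read here as
# "met" when the scheme does NOT trigger an intrusion detection alarm (assumption).
WEIGHTS = {"privilege_persistence": 0.4, "cross_segment": 0.3,
           "no_ids_alarm": 0.2, "no_failure": 0.1}


def attack_coefficient(met: Dict[str, bool], weights: Dict[str, float] = WEIGHTS) -> float:
    """S = sum_i k_i * x_i with x_i = 1 if the scheme meets index i, else 0."""
    return round(sum(k for name, k in weights.items() if met.get(name, False)), 6)


def select(coeffs: Dict[str, float], threshold: Optional[float] = None,
           top_n: Optional[int] = None) -> List[str]:
    """Rank by coefficient (descending, name as tie-break), then apply the preset
    condition: keep those >= threshold, or keep the first N."""
    ranked = sorted(coeffs, key=lambda s: (-coeffs[s], s))
    if threshold is not None:
        ranked = [s for s in ranked if coeffs[s] >= threshold]
    if top_n is not None:
        ranked = ranked[:top_n]
    return ranked


# --- constructed sample data -------------------------------------------------
RAW_TRIPLETS = [
    Triplet(attrs(tool="tool-A"), "Attack scheme 1", attrs(os="OS-A", port_service="svc-A")),
    # same triplet extracted again from a second source; fuse() merges it
    Triplet(attrs(tool="tool-A"), "attack scheme 1", attrs(os="OS-A", port_service="svc-A")),
    Triplet(attrs(credential="cred-A"), "attack scheme 2", attrs(os="OS-A", authority="user")),
    Triplet(attrs(tool="tool-A", credential="cred-A"), "attack scheme 3", attrs(os="OS-A")),
    Triplet(attrs(tool="tool-A"), "attack scheme 4", attrs(os="OS-B")),  # host will not match
]

# Which preset indexes each candidate meets (constructed; these are the x_i values).
INDEX_RESULTS = {
    "attack scheme 1": {"privilege_persistence": True, "no_ids_alarm": True},
    "attack scheme 2": {"cross_segment": True, "no_failure": True},
    "attack scheme 3": {"privilege_persistence": True, "cross_segment": True, "no_failure": True},
}


def run_example():
    """Fuse the graph, match candidates for one constructed source/destination pair,
    score them and apply both selection rules."""
    graph = fuse(RAW_TRIPLETS)
    resource = attrs(tool="tool-A", credential="cred-A")                 # attack source host
    host = attrs(os="OS-A", port_service="svc-A", authority="user")      # attack destination host
    cands = candidates(graph, resource, host)
    coeffs = {s: attack_coefficient(INDEX_RESULTS.get(s, {})) for s in cands}
    return len(graph), cands, coeffs, select(coeffs, top_n=3), select(coeffs, threshold=0.5)


if __name__ == "__main__":
    print(run_example())
```

Running the script prints the fused graph size (4, after the duplicate is merged), the three candidates, their coefficients (0.8, 0.6 and 0.4) and both selections. Seen from the defending side, the weighting also shows which monitoring matters most in such a test: index 3 can only be met by a scheme that produces no intrusion detection alarm, so a candidate's coefficient drops by 0.2 as soon as the destination's detection fires on it.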
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present disclosure is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present disclosure. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all alternative embodiments, and that the acts and modules referred to are not necessarily required by the present disclosure.
The foregoing is a description of embodiments of the method, and the following further describes embodiments of the present disclosure through examples of apparatus.
Fig. 4 illustrates a block diagram of a determining apparatus 400 of a network attack scenario provided according to an embodiment of the present disclosure, and as shown in fig. 4, the determining apparatus 400 may include:
the acquiring module 410 is configured to acquire resource information of an attack source host and host information of an attack destination host.
And the determining module 420 is configured to determine a target network attack scheme from the network attack knowledge graph according to the resource information of the attack source host and the host information of the attack destination host. The network attack knowledge graph is constructed according to a network attack triplet, and the network attack triplet comprises resource information of an attack source host corresponding to a network attack scheme, the network attack scheme and host information of an attack destination host corresponding to the network attack scheme.
In some embodiments, the obtaining module 410 is specifically configured to:
executing a query instruction corresponding to the resource information to acquire the resource information of the attack source host; and
performing host scanning on the attack destination host to acquire the host information of the attack destination host.
In some embodiments, the process of establishing the network attack knowledge graph includes:
acquiring network attack behavior data;
carrying out knowledge extraction on the network attack behavior data to obtain a network attack triplet;
and carrying out knowledge fusion and knowledge processing on the network attack triples to obtain a network attack knowledge graph.
In some embodiments, the determining module 420 is specifically configured to:
determining one or more candidate network attack schemes matching the resource information and the host information from the network attack knowledge graph according to the resource information of the attack source host and the host information of the attack destination host;
calculating the attack coefficient of each candidate network attack scheme; and
determining the candidate network attack scheme whose attack coefficient meets the preset attack condition as the target network attack scheme.
In some embodiments, the determining module 420 is specifically configured to:
determining, from a plurality of preset attack indexes, the attack index met by each candidate network attack scheme; and
calculating the sum of the weights of each candidate network attack scheme according to the weight corresponding to each attack index it meets, and taking that sum of weights as the attack coefficient of the candidate network attack scheme.
In some embodiments, the determining module 420 is specifically configured to:
determining that the candidate network attack scheme with the attack coefficient larger than or equal to a preset threshold value is a target network attack scheme; or,
and sorting the candidate network attack schemes in descending order of attack coefficient and determining the first N candidate network attack schemes as target network attack schemes, where N is a positive integer greater than or equal to 1.
In some embodiments, the determining apparatus 400 further comprises:
and the output module is used for outputting prompt information of the target network attack scheme and prompting a user to execute corresponding attack operation.
It can be appreciated that each module/unit in the determining apparatus 400 shown in fig. 4 has a function of implementing each step in the determining method 200 provided in the embodiment of the disclosure, and can achieve a corresponding technical effect, which is not described herein for brevity.
Fig. 5 illustrates a block diagram of an electronic device 500 that may be used to implement embodiments of the present disclosure. Electronic device 500 is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic device 500 may also represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions are meant to be exemplary only and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in Fig. 5, the electronic device 500 may include a computing unit 501 that may perform various suitable actions and processes according to a computer program stored in a Read Only Memory (ROM) 502 or a computer program loaded from a storage unit 508 into a Random Access Memory (RAM) 503. The RAM 503 may also store various programs and data required for the operation of the electronic device 500. The computing unit 501, ROM 502, and RAM 503 are connected to each other by a bus 504. An input/output (I/O) interface 505 is also connected to the bus 504.
A number of components in the electronic device 500 are connected to the I/O interface 505, including: an input unit 506 such as a keyboard, a mouse, etc.; an output unit 507 such as various types of displays, speakers, and the like; a storage unit 508 such as a magnetic disk, an optical disk, or the like; and a communication unit 509 such as a network card, modem, wireless communication transceiver, etc. The communication unit 509 allows the electronic device 500 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The computing unit 501 may be any of a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of the computing unit 501 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 501 performs the various methods and processes described above, such as the method 200. For example, in some embodiments, the method 200 may be implemented as a computer program product, including a computer program, tangibly embodied on a computer-readable medium, such as the storage unit 508. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 500 via the ROM 502 and/or the communication unit 509. When the computer program is loaded into the RAM 503 and executed by the computing unit 501, one or more steps of the method 200 described above may be performed. Alternatively, in other embodiments, the computing unit 501 may be configured to perform the method 200 by any other suitable means (e.g., by means of firmware).
The various embodiments described above herein may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs, which may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out the methods of the present disclosure may be written in any combination of one or more programming languages. This program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine, or entirely on the remote machine or server.
In the context of this disclosure, a computer-readable medium may be a tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a computer-readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It should be noted that, the present disclosure further provides a non-transitory computer readable storage medium storing computer instructions, where the computer instructions are configured to cause a computer to perform the method 200 and achieve corresponding technical effects achieved by performing the method according to the embodiments of the present disclosure, which are not described herein for brevity.
In addition, the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the method 200.
To provide for interaction with a user, the embodiments described above may be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user; and a keyboard and pointing device (e.g., a mouse or trackball) by which the user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback), and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The above-described embodiments may be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel or sequentially or in a different order, provided that the desired results of the technical solutions of the present disclosure are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (10)

1. A method for determining a network attack scheme, the method comprising:
acquiring resource information of an attack source host and host information of an attack destination host;
determining, from a network attack knowledge graph and according to the resource information of the attack source host and the host information of the attack destination host, a target network attack scheme matching the resource information and the host information; wherein the network attack knowledge graph is a knowledge graph constructed from network attack triples, and each network attack triple comprises the resource information of the attack source host corresponding to a network attack scheme, the network attack scheme, and the host information of the attack destination host corresponding to the network attack scheme.
2. The method according to claim 1, wherein acquiring the resource information of the attack source host and the host information of the attack destination host comprises:
executing a query instruction corresponding to the resource information to acquire the resource information of the attack source host; and
performing host scanning on the attack destination host to acquire the host information of the attack destination host.
3. The method according to claim 1, wherein the network attack knowledge graph establishment process includes:
acquiring network attack behavior data;
carrying out knowledge extraction on the network attack behavior data to obtain the network attack triples;
and carrying out knowledge fusion and knowledge processing on the network attack triples to obtain the network attack knowledge graph.
4. The method of claim 1, wherein determining, from the network attack knowledge graph and according to the resource information of the attack source host and the host information of the attack destination host, the target network attack scheme matching the resource information and the host information comprises:
determining, from the network attack knowledge graph and according to the resource information of the attack source host and the host information of the attack destination host, one or more candidate network attack schemes matching the resource information and the host information;
calculating an attack coefficient of each candidate network attack scheme; and
determining that a candidate network attack scheme whose attack coefficient satisfies a preset attack condition is the target network attack scheme.
5. The method of claim 4, wherein calculating the attack coefficient of each candidate network attack scheme comprises:
determining, from a plurality of preset attack indexes, the attack indexes satisfied by each candidate network attack scheme; and
calculating, for each candidate network attack scheme, the sum of the weights corresponding to the attack indexes that the scheme satisfies, and taking that sum as the attack coefficient of the scheme.
6. The method of claim 4, wherein determining that the candidate network attack scheme whose attack coefficient satisfies the preset attack condition is the target network attack scheme comprises:
determining that a candidate network attack scheme whose attack coefficient is greater than or equal to a preset threshold is the target network attack scheme; or
sorting the plurality of candidate network attack schemes in descending order of attack coefficient and determining the first N candidate network attack schemes as the target network attack scheme, where N is a positive integer greater than or equal to 1.
7. The method according to any one of claims 1-6, further comprising:
outputting prompt information about the target network attack scheme to prompt a user to execute the corresponding attack operation.
8. A network attack scheme determining apparatus, the apparatus comprising:
an acquisition module configured to acquire resource information of an attack source host and host information of an attack destination host; and
a determining module configured to determine, from a network attack knowledge graph and according to the resource information of the attack source host and the host information of the attack destination host, a target network attack scheme matching the resource information and the host information; wherein the network attack knowledge graph is a knowledge graph constructed from network attack triples, and each network attack triple comprises the resource information of the attack source host corresponding to a network attack scheme, the network attack scheme, and the host information of the attack destination host corresponding to the network attack scheme.
9. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-7.
10. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1-7.
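The candidate matching, weighted-sum scoring and threshold/top-N selection described for the determining module 420 above and in claims 4 to 6, as an added Python example. It is not code from the patent or from the applicant; the patent fixes neither concrete attack indexes nor weights, so the index names, the weights, the sample knowledge graph triples and the host information below are all constructed for illustration. Triples are modelled as the set of resources the source host must have, the scheme name, and the host attributes the destination host must match, with the indexes each scheme satisfies stored alongside it.

```python
from dataclasses import dataclass

# Preset attack indexes and their weights. Names and values are constructed
# for this example; the patent fixes neither concrete indexes nor weights.
INDEX_WEIGHTS = {
    "tooling_available": 2,
    "target_version_confirmed": 2,
    "documented": 1,
    "low_impact": 1,
}


@dataclass(frozen=True)
class AttackTriple:
    """One network attack triple of the knowledge graph (claim 1): resource
    information the attack source host must have, the scheme itself, and host
    information the attack destination host must match. The satisfied indexes
    are stored with the scheme so that the scoring of claim 5 can be applied."""
    required_resources: frozenset
    scheme: str
    target_constraints: dict
    satisfied_indexes: frozenset


def matches(triple, source_resources, destination_host):
    """Claim 4, first step: a triple is a candidate when the source host owns
    every required resource and the destination host satisfies every constraint."""
    if not triple.required_resources <= source_resources:
        return False
    return all(destination_host.get(key) == value
               for key, value in triple.target_constraints.items())


def find_candidates(graph, source_resources, destination_host):
    """Return the candidate triples in graph order (used for stable ranking)."""
    return [t for t in graph if matches(t, source_resources, destination_host)]


def attack_coefficient(triple, weights=INDEX_WEIGHTS):
    """Claim 5: the sum of the weights of the indexes the candidate satisfies.
    An index absent from the weight table is an error, not a silent zero."""
    unknown = triple.satisfied_indexes - set(weights)
    if unknown:
        raise ValueError(f"unknown attack index(es): {sorted(unknown)}")
    return sum(weights[index] for index in triple.satisfied_indexes)


def select_by_threshold(candidates, threshold, weights=INDEX_WEIGHTS):
    """Claim 6, first alternative: every candidate with coefficient >= threshold."""
    return [t.scheme for t in candidates
            if attack_coefficient(t, weights) >= threshold]


def select_top_n(candidates, n, weights=INDEX_WEIGHTS):
    """Claim 6, second alternative: sort by coefficient, descending, keep the
    first N. sorted() is stable, so ties keep graph order and the result is
    deterministic."""
    if n < 1:
        raise ValueError("N must be a positive integer")
    ranked = sorted(candidates,
                    key=lambda t: attack_coefficient(t, weights), reverse=True)
    return [t.scheme for t in ranked[:n]]


# Constructed sample knowledge graph and host information (all values hypothetical).
SAMPLE_GRAPH = [
    AttackTriple(frozenset({"tool_a"}), "scheme_1",
                 {"os": "linux", "service": "ssh"},
                 frozenset({"documented", "low_impact"})),
    AttackTriple(frozenset({"tool_a", "tool_b"}), "scheme_2",
                 {"os": "linux"},
                 frozenset({"tooling_available", "target_version_confirmed"})),
    AttackTriple(frozenset({"tool_c"}), "scheme_3",   # tool_c is not on the source host
                 {"os": "linux"},
                 frozenset({"low_impact"})),
    AttackTriple(frozenset(), "scheme_4",             # destination OS does not match
                 {"os": "windows"},
                 frozenset({"tooling_available"})),
]
SAMPLE_SOURCE_RESOURCES = frozenset({"tool_a", "tool_b"})
SAMPLE_DESTINATION_HOST = {"os": "linux", "service": "ssh", "version": "8.4"}


def run_sample():
    """Apply the full procedure to the constructed sample and return the results."""
    candidates = find_candidates(SAMPLE_GRAPH, SAMPLE_SOURCE_RESOURCES,
                                 SAMPLE_DESTINATION_HOST)
    return {
        "candidates": [t.scheme for t in candidates],
        "coefficients": {t.scheme: attack_coefficient(t) for t in candidates},
        "threshold_3": select_by_threshold(candidates, 3),
        "top_1": select_top_n(candidates, 1),
    }


if __name__ == "__main__":
    print(run_sample())
```

On the sample, scheme_1 and scheme_2 survive matching, score 2 and 4, and only scheme_2 passes a threshold of 3 or a top-1 cut. Read from the defending side, the same ranking shows which knowledge-graph entries a given host profile makes reachable and which score highest, so removing their preconditions (the matched host attributes, the resources an attacker would need on a foothold) is where hardening effort pays off first.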
CN202111455071.7A 2021-12-01 2021-12-01 Method, device, equipment and storage medium for determining network attack scheme Active CN114157480B (en)

Publications (2)

Publication Number Publication Date
CN114157480A (en) 2022-03-08
CN114157480B (en) 2024-01-26

Family

ID=80455658

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114615092B (en) * 2022-05-11 2022-08-02 安徽华云安科技有限公司 Network attack sequence generation method, device, equipment and storage medium
CN116866193B (en) * 2023-09-05 2023-11-21 中国电子信息产业集团有限公司第六研究所 Network attack drilling method and device, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011079669A1 (en) * 2009-12-28 2011-07-07 成都市华为赛门铁克科技有限公司 Method, device and system for network attack protection
CN109005069A (en) * 2018-08-29 2018-12-14 中国人民解放军国防科技大学 Network security knowledge graph association analysis method based on heaven-earth integrated network
CN111193749A (en) * 2020-01-03 2020-05-22 北京明略软件系统有限公司 Attack tracing method and device, electronic equipment and storage medium
CN112187773A (en) * 2020-09-23 2021-01-05 支付宝(杭州)信息技术有限公司 Method and device for mining network security vulnerability
CN113407728A (en) * 2021-05-07 2021-09-17 浙江工业大学 Knowledge graph construction and query recommendation system in radio signal attack and defense field
CN113438249A (en) * 2021-06-30 2021-09-24 北京科东电力控制系统有限责任公司 Attack tracing method based on strategy

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant