CN114915467A - System and method for realizing network security attack and defense drilling - Google Patents

Abstract

The invention discloses a system and a method for realizing network security attack and defense drilling, which are characterized in that the system comprises preparation, trial operation, execution, evaluation and duplication, wherein the preparation, the definition of a drilling target, the establishment of a drilling scene and the deployment of infrastructures required by the scene comprise 3 submodules of a scene model, infrastructure arrangement and vulnerability injection, the trial operation comprises manual test and automatic verification, the execution comprises 3 modes of automation, mixing and manual operation, the evaluation comprises log analysis and investigation, and the duplication analyzes the whole drilling to determine any newly found technical and non-technical problems needing to be solved before the drilling is rerun. By the method and the device, the problems that network security skills, talents, complexity and efficiency are in shortage, and the current attack and defense drilling process cannot reflect the real-world dynamic environment and adapt to the continuously changing requirements can be solved.

Description

System and method for realizing network security attack and defense drilling

Technical Field

The invention relates to the technical field of computers, information security, network shooting ranges, attack and defense drilling, automatic deployment, security control and configuration error detection, in particular to a system and a method for realizing the network security attack and defense drilling.

Background

The development of a network security operation drill is a difficult and challenging task, creating an environment for such a drill is error-prone and is mostly manual. Creating such a network security drilling environment and executing drilling scenarios may be accomplished using a network firing ground. However, the efficiency of the operation-based drill is low at present.

The prior art has been striving to make the process of performing a rehearsal of network security operations more efficient and less labor intensive. These prior art techniques successfully address inefficiencies in network security combat and defense drilling. However, most of the prior art is limited to deployment of infrastructure for combat and defense exercises. In addition, since the evolving cyber-security threats are dynamic, the scenarios need to be modeled to be adaptive enough to adapt to the changes of the scenario requirements before and after the scenario deployment. In addition, for a real network security attack and defense drilling environment, it is necessary to autonomously perform network security drilling operations. These actions include simulating virtual users and generating network traffic, as well as performing defense and attack actions in a drilling environment. Traditionally, these tasks are the responsibility of a human team; therefore, there is a need to increase the level of automation, make the drill life cycle more efficient, and thus address the well-known problem of talent shortage in global network security skills.

Disclosure of Invention

For the defects and shortcomings of the network security, a system and a method for realizing the network security attack and defense drilling are provided, a platform (or a cloud platform) is provided for developing the network security attack and defense drilling, a plurality of tasks in the life cycle of the network security drilling can be automated, and a model-driven method (1) is used for modeling roles of different teams in the network security drilling and (2) an automated workpiece artifact is generated, so that the functions of the automated workpiece artifacte are efficiently executed in an autonomous mode.

The system for realizing the network security attack and defense drilling is characterized by comprising 5 modules of preparation, commissioning, execution, evaluation and duplication;

preparing, defining a drilling target, formulating a drilling scene, deploying infrastructure required by the scene, including 3 submodules of a scene model, infrastructure arrangement and vulnerability injection, modeling a logical network topology with vulnerabilities, defining abilities of attackers and defenders to attack or defend the vulnerabilities, analyzing and logically verifying possible attack and defense strategies, adopting a domain-specific language DSL to specify different network security operation and maintenance operation requirements during drilling, and simplifying the network security operation and maintenance into five operations in one drilling: infrastructure orchestrators, vulnerability injectors, attacker agents, defender agents, and traffic generators, which have their specific attributes in the network security drilling scenario;

the scene model comprises scene language instantiation, formal scene specification and formal scene verification;

the infrastructure orchestration, including cloud infrastructure orchestration, converts formally verified modeled scenarios to a simulated network topology by using the infrastructure as an IaC code programming technique in which templates of the infrastructure orchestration are generated; this is deployed on a cloud instance;

the cloud infrastructure arrangement not only has the function of arranging infrastructures on cloud computing and cloud storage comprising Openstack, Microsoft cloud, Google cloud and Amazon cloud; but also provides the ability to build a local cloud infrastructure without relying on a third party infrastructure, Openstack provides a HEAT template based infrastructure;

the vulnerability injection can be performed on the infrastructure generated by the cloud infrastructure arrangement, different operating system automation technologies are used based on the customized vulnerability injector, vulnerabilities are injected according to the requirements of the scene model, the operating system automation technologies are basically deployed on machines in the simulation network to open SSH connection, and Bash, Powershell and Python scripts are used for operating software vulnerabilities, service vulnerabilities and configuring vulnerabilities. The method can modify the scene after the infrastructure is deployed, and inject new loopholes when needed, so that the scene is more flexible and balanced;

the scene language is instantiated, is carried out through the developed scene language and is logically verified through Datalog;

the formal scene specification adopts a network killer chain cyber kill chain model method, which comprises the following steps: reconnaissance, weaponization, delivery, attack vulnerabilities, installation, command and control, target action;

the formal scene verification combines the concept of scene language with Datalog modeling and provides the capability of modeling and verifying the network security drilling scene;

the commissioning, including manual testing and automatic verification, debugs drill scenes and infrastructure to prevent any errors, during the commissioning, will check different scene attributes to determine if the deployed scene meets the specified requirements in the scene model;

the execution comprises 3 modes of automation, mixing and manual operation, and the network security drilling is executed by different teams to realize the target defined in the drilling scene;

the evaluation, including log analysis and investigation, will evaluate the performance of different participating teams in the network security drill according to the achieved goals;

the review, which will analyze the entire drill to determine any newly discovered technical and non-technical issues that need to be addressed before re-running the drill, determines the issues in the scenario, including which solutions are included in the next iteration, by analyzing the feedback of the survey.

A method for realizing network security attack and defense drilling is characterized by comprising the following steps:

1) preparing;

2) performing test operation;

3) executing;

4) evaluating;

5) and (5) copying the disc and jumping to the step 1).

The invention has the technical effects that:

the application provides a realization system and method of network security offense and defense drill, its characterized in that, the system, including preparation, trial run, execution, aassessment and reply, the preparation, the target of definition drill makes the scene of drill to the required infrastructure of deployment scene, including scene model, infrastructure arrangement and leak injection 3 submodule, the trial run, including manual test and automatic verification, the execution, including automatic, mix and 3 kinds of manual modes, the aassessment, including log analysis and investigation, reply, will analyze whole drill to confirm the technological and non-technical problem of any new discovery that need solve before rerun drill. By the method and the device, the problems that network security skills, talents, complexity and efficiency are in shortage, and the current attack and defense drilling process cannot reflect the real-world dynamic environment and adapt to the continuously changing requirements can be solved.

Drawings

FIG. 1 is a schematic diagram of an enterprise network of an implementation system and method for network security offense and defense drilling according to the present invention;

fig. 2 is a schematic diagram of an architecture of a system and a method for implementing network security offense and defense drilling according to the present invention.

Detailed Description

The invention is described in further detail below with reference to the figures and examples:

fig. 1 is a schematic diagram of an enterprise network of an implementation system and method for network security attack and defense drilling according to the present invention. It consists of a network of segments, each of which carries services and devices related to a specific task: (i) the server contains internal services (i.e., is not publicly accessible), (ii) the DMZ contains public services (i.e., is exposed to the outside world), and (iii) the internet of things connects field devices (i.e., sensors, actuators, and controllers). These three networks are located behind firewalls, protecting the perimeter of the company. The firewall is intentionally opened to the DMZ to allow remote connections. The Domain Name Server (DNS), named ns, translates the symbolic name of the DMZ host to its actual IP address. The infrastructure is connected to the public internet through the backbone of an internet service provider.

There are different types of network security operation drilling scenarios, which are classified according to the network topology used to execute the scenarios. They all include one blue team and one red team. The general goal of the fleet is to protect the assets (e.g., data and services) of an enterprise. The specific goal of the red team is to steal data from a private database on the database. The blue team, as a role of the enterprise IT security department, has full access to the internal network, while the red team has access to the public internet only through remote client machines.

There are several scenarios in which the infrastructure of fig. 1 can perform, one of which is described below.

Scenario 1 (host secure 1): in this case, the red team can achieve its goals by exploiting some security vulnerabilities in www server configurations, including:

1. www hosts a Content Management System (CMS) that uses administrator accounts to authenticate database management systems (DBMS) running on a database.

2. www runs an HTTP server, disclosing the user's home directory; this allows dictionary-based enumeration of existing accounts.

3. www an enumeratable user has a weak password, i.e. a password that is subject to brute force attacks.

4. The www administrator is faced with a vulnerability to permission upgrades. This vulnerability allows an attacker to gain the administrator's rights.

The execution of scenario 1 is now described by simulating the attack of the red team. The attack steps are as follows:

1. initially, the red team scans the machines (connected to the client (through the remote desktop) and scans www) of the home page in the enterprise network as shown in FIG. 1. Running the scan and sniff tool software nmap shows that the server is open on ports 80(http) and 22 (ssh).

2. Then, the nmap script http userdirenum is run, and two users, namely the backup and the administrator manager, are enumerated.

3. The manager's password is brute force cracked using the hydra and rockyou word lists.

4. Once the Reunion has obtained the password, they can log in www as an administrator (via ssh) and perform the privilege escalation.

5. Php of the red team is read by using root authority and the administrator access account of the database is obtained.

6. In this way, the red team can browse all existing records in the database and can steal sensitive data.

Early network security attack and defense exercise systems, namely: "network Range", the term originally appearing in the 70 and 80 th 20 th century, describes a class of mainframe supercomputers developed by the CDC (Control Data Corporation). These computers are used for mathematically intensive tasks and modeling of complex natural phenomena. The network shooting range provides interactive representation of the enterprise/organization environment, including tools, application programs, network architecture and personnel functions; they are used in network security training, testing and educational scenarios in controlled and secure environments to provide a realistic network security experience.

In the life cycle of the network security exercise, not only the red team and the blue team, but also a plurality of teams play different roles, as follows:

1. white team

White team members are subject matter experts who define the goals of network security drilling and plan the scenario. They can help other participating teams understand the scene and provide prompts.

2. Green team

The green team members are responsible for deploying the network security drilling infrastructure according to the scene specifications developed by the white team members. They are also responsible for monitoring and maintaining the drilling infrastructure during network security drilling.

3. Red team

The members of the red team are attackers in the network security drill. They attack the network security infrastructure developed by the members of the green team to achieve the goals defined by the members of the white team.

4. Blue team

The member of the blue team is a defender of network security drilling. They defend against the network security infrastructure developed by the green team members to achieve the goals defined by the white team members.

There are different types of network security operation and maintenance exercise scenarios, which are classified according to the network topology used to execute the scenarios.

1. Jeopardy style capture flag

The jeopardy-style ctf (jeopardy style capture The flag) contest uses The simplest network topology, where both individual and team attackers can access machines through a network where vulnerabilities exist. An attacker must exploit these holes and retrieve a unique string called a flag. This flag is then used for scoring purposes. These drills are time-limited, so whichever scores are the most, will eventually be declared the winner.

2. Attack/defense

Attack/defense network security drills are team-based drills in which each team has access to the network and is responsible for maintaining/defending the services of different machines in the network. These teams have the ability to attack other team networks and disrupt the operation of the service. Flags (flags) and service availability statistics are mainly used for scoring purposes.

3. Red team/blue team

The red/blue team drill is target-oriented, wherein an attacker/red team is assigned a target to penetrate into the enterprise/organization and perform certain tasks, such as data filtering and manipulation. The blue team performs actions related to event responses and forensics to determine the target of the red team. The drill is intended to improve the skills of both the red and blue teams, and is mainly evaluated according to which team definitely achieves the target.

Fig. 2 is a schematic diagram of an architecture of a system and a method for implementing network security offense and defense drilling according to the present invention. Including preparation, commissioning, execution, evaluation, and replication of 5 modules.

The preparation comprises the steps of defining a drilling target, formulating a drilling scene, deploying infrastructure required by the scene, comprising a scene model, infrastructure arrangement and vulnerability injection 3 submodules, modeling a logic network topology with vulnerabilities, defining the capabilities of attackers and defenders for attacking or defending the vulnerabilities, and analyzing and logically verifying possible attack and defense strategies. DSL (domain specific language) is adopted to specify different network security operation and maintenance operation requirements during the drill. DSL provides a layer of abstraction to address domain-specific problems without the necessary overhead of dealing with common programming languages. The network security operation and maintenance are simplified into five operations in one exercise: an infrastructure orchestrator, a vulnerability injector, an attacker agent, a defender agent, and a traffic generator. These operations have their specific attributes in a network security drilling scenario; to simplify matters, the attributes of the scene modeling language are expressed in BNF (Backus-Naur form). BNF is a notation technique for context-free syntax, and is also used to describe the syntax of languages used in computing, such as computer programming languages.

The scene model comprises scene language instantiation, formal scene specification and formal scene verification.

The scenario language is instantiated through the developed scenario language and logically verified through Datalog.

Before defining an actual scene modeling language, some basic variables used in the language are first defined: these basic variables are used to define the characters, strings, integers, IP addresses, ranges and CIDRs used in the rest of the language.

The infrastructure orchestrator is composed of two parts, namely a subnet and a machine.

The first partial molecular net is used for representing a network connected with a machine. It requires specifying three things in the language:

(a) CIDR (CIDR values such as 10.10.0.10/24)

(b) Name (string value representing subnet name, e.g. Public)

(c) Network interface (network ID character string value)

The second part of the machine is a host machine; a host is a virtual machine and/or machine that connects to a specified subnet and injects vulnerabilities therein. It requires specifying several terms in the language:

(a) name (string, representing Machine name, e.g. Machine1)

(b) Operating system (string value, operating system id)

(c) Key (string, for maintaining and monitoring SSH key)

(d) Dependence (string, name of subnet when computer is connected)

After the machine is deployed, the vulnerability injection can be carried out through the vulnerability injector. The process of the vulnerability injector needs the following attributes:

(a) machine IP (IP address of deployed machine, e.g. 10.10.1.10)

(b) MachineUserID (string, representing an administrator user account (e.g., root) on a deployed computer)

(c) Machine UserPassword (string, representing the administrator user password (e.g., the toar) for the deployed machine)

(d) OS (character string, for Machine name, such as Machine1)

(e) Vulnerability (string, indicating the type of vulnerability to be injected into a machine, e.g. Weak Password)

(f) Parameters (strings, representing vulnerability-specific parameters, e.g. "passswa | apollo")

After injecting the vulnerability, the attack agent may verify it. It can also be used to simulate the behavior of an attacker during a network security drill. The attack agent needs to specify six attributes before execution.

(a) ToolName (character string, indicating the tool name to be used by an agent such as nmap)

(b) AgentIP (IP address, denoting a Kali Linux-based machine in network topology, e.g. 10.10.1.5)

(c) AgentUserID (string, representing administrator user account (e.g., root) of Kali Linux machine)

(d) AgentUserPasword (string, representing administrator user password (e.g. toor) of Kali Linux machine)

(e) Parameters (strings, representing attack agent operation-specific parameters, e.g. -sS-sV)

(f) Target (IP address, deployed machine, e.g. 10.10.1.10)

To increase friction and realism in cyber-security drilling, a defense agent, defenser agent, can be injected into a deployed machine, which has the following five attributes.

(a) Machine IP (IP address, indicating deployed machine, e.g. 10.10.1.10)

(b) MachineUserID (string value, representing an administrator user account (e.g., root) on a deployed computer)

(c) Machine UserPassword (string, representing the administrator user password (e.g., the toar) for the deployed machine)

(d) OS (character string, Windows, etc. deployed machine operating system name)

(e) Parameters (strings, which represent the operation-specific parameters of the defense agent in CSV files such as netstat-ano | taskkill/F/PID).

In order to keep the scene execution dynamic with the real traffic, two modules of the traffic generator are defined. First is tcpralay, which can replay pre-recorded network traffic using a PCAP file. Second, there is also a VncBot that can simulate user behavior from a pre-recorded VDO file. These modules have six requirements similar to attack agents:

(a) ToolName (character string, representing tool name to be used by VncBot, etc. agent)

(b) AgentIP (IP address, Kali Linux based machine, present in network topology, e.g. 10.10.1.5)

(c) AgentUserID (string, representing administrator user account for Kali Linux machine (e.g., root))

(d) AgentUserPassword (character string, representing administrator user password of Kali Linux machine (such as toor))

(e) Parameters (strings, representing operation-specific parameters for the attack agent, e.g., test. vdo | toor, where toor is the password of a VNC-enabled machine deployed in the drilling infrastructure)

(f) Target (IP address, indicating deployed machine, e.g. 10.10.1.10)

In the official scene specification, various models have been proposed to simulate the behavior of attackers and defenders during network engagement. These models focus on a series of events that cause a computer system to be hacked. One of the methods of the network killer chain (cyber kill chain) model is to protect the computer network from being destroyed spyware. The network killing chain comprises the following steps and stages:

(a) and (3) scouting: finding intrusion through e-mail, meeting, etc.

(b) Weaponization: malicious intent is implemented through PDF and word files for intrusion purposes.

(c) Delivering: the intrusion payload is sent primarily via email attachment, USB, and web site.

(d) Attack vulnerability: the intrusion is at and centered on its target.

(e) Installation: a hacker is provided with a method of accessing the hacked system.

(f) Command and control: after obtaining access rights, all control of the intruded system is obtained and controlled manually, rather than automatically through an Internet controller server.

(g) Target action: information and resources of the past six stages are acquired.

There are two main reasons for selecting the network killer chain in the present application: first, it is a very mature and well-known modeling technique, and second, it provides a layer of simplicity and abstraction, with more emphasis on core technology steps than other models.

(a) Scene formalization background

Formally modeling the scene using Datalog and verifying different scene attributes. Datalog is a programming language based on declarative logic. The method is used for large-scale software analysis, automatic evaluation of network security matrixes and verification of network security drilling scenes, and is suitable for serving as a formal model of the network security drilling scenes. It consists of two parts: facts and clauses. The fact corresponds to a part of the elements of the phenomenon. Clauses refer to information derived from other subsets of information. Clauses depend on terms that may contain variables; however, this cannot be proven. It determines whether a particular term conforms to a particular fact or clause. If this happens, the particular query is validated by the query engine and the necessary facts and clauses are provided.

When running a Datalog operation, the specified conditions include a combination of two facts and one clause. The present application specifies a condition that, if a query is valid, a particular response will be expected at the end of the query. The conclusion of the above experiment is that a specific response was received and the query was satisfied. By using clauses with variables, the engine can pinpoint and find the result. As a specific example, consider the fact that "John is the parent of Harry" and "Harry is the parent of Lary". One clause will allow a fact to be inferred from other facts. In this example, one wants to know "who is the grandfather in Lary? ". A deductive clause can be made with three variables X, Y and Z: if X is the parent of Y and Y is the parent of Z, then X is the grandparent of Z. To represent facts and clauses, Datalog uses the horn clause in its general form:

L0:-L1…Ln

each instance of L represents text in the form of a predicate symbol that contains one or more terms. A term may have a constant or variable value. The Datalog clause has two parts: the left part is called the head and the right part is called the body. The subject of a clause may be null, which makes the clause a fact. A body containing at least text represents a rule in a clause. The above-mentioned facts that "John is the father of Harry" and "Harry is the father of Lary" are stated as follows:

father (John, Harry)

Father (Harry, Lary)

If X is the parent of Y, which is the parent of Z, then X will be the grandparent of Z, which can be expressed as follows:

GrandFather(Z,X):-Father(Y,X),Father(Z,Y)

(b) scene formalization

Scene formalization defines four basic predicates for scene modeling, namely 1) links, 2) vulnerabilities, 3) capabilities, and 4) killer chains. The fact of the scene model is as follows:

the Link predicate is logically represented as Link (H, N), which has two variables: host H and network N. H is a string value representing a machine name (virtual machine name), and N is a string value representing a network name connected thereto. For a specific example, assume that the host name "Machine 1" connected to the network name "Public" can be expressed as:

Link(‘Machine 1’,‘Public’)

the Vulnerable predicate is logically represented as Vulnerable (H, V), which has two variables host H (the specified machine name) and V (the string value that represents the presence of a particular vulnerability in H). As a specific example, the "Machine 1" is vulnerable to the "SSHBruteforce" attack, which can be expressed as:

Vulnerable(‘Machine 1’,‘SSHBruteForce’)

the capability predicate is logically represented as capability ('V', 'a', 'DE') which has three variables V, i.e., the vulnerabilities present in H, a being a boolean value indicating whether a particular vulnerability V is exploitable by an attacker and DE indicating whether a particular vulnerability V is defendable by a defender.

Specific examples of "sshbreteforce" vulnerabilities that can be exploited by an attacker but that are defendable against are as follows:

Capability(‘SSHBruteForce’,‘YES’,‘NO’)

the KillChain predicate is logically represented as KillChain (H, R, W, D, E, C, O). It has seven variables host H and the original KillChain process including reconnaissance R, weaponization W, delivery D, attack E, command and control C, and action and target O. The boolean value of the KillChain process variable is assigned based on V present in H. According to KillChain, a specific example of a fully available host "Machine 1" is shown below:

Kill Chain(‘Machine 1’,‘YES’,‘YES’,‘YES’,‘YES’,‘YES’,‘YES’,‘YES’)

and the formal scene verification develops a scene modeling and verification tool. The tool combines the concept of scenario language with Datalog modeling, while providing the ability to model and validate network security drill scenarios. In the scene modeler, the user may specify the following:

(a) the network topology required by the scene;

(b) the type of machine present in the network;

(c) a type of vulnerability present in the machine;

(d) attackers and defenders can exploit or defend against the capabilities of these vulnerabilities.

After the specification is provided to the modeler, the modeler may generate instances required for the network security drill operations orchestration and generate formal models in Datalog. Different types of logical analysis may be performed prior to actual deployment; some examples of security attributes and issues that may be verified include:

(a) which machines can be accessed from a particular point in the network?

(b) Which machines are vulnerable to attack, are reachable by attackers?

(c) Which machines are vulnerable to attack, but a defender can defend to limit the attacker's access to the network?

This is achieved by defining clauses that contain specific rules related to the scene. First, different hosts need to be logically connected. This may be accomplished by creating a rule for a direct bidirectional link connection between hosts using variables X and Y, as follows:

CanReach(X,Y)≤Link(Y,X)

second, similar to the case of grandparents and grandchildren, to determine which hosts in the network are indirectly connected, a new CanReach may be created using variable Z. This can be used to find a direct link between X and Y, and X and Z through an indirect link between Y:

CanReach(X,Y)≤Link(X,Y)

CanReach(X,Y)≤Link(X,Z)

which machines to check for connection to a Machine with a particular vulnerability (e.g., BufferOveflow), such as Machine1, can be verified by the following clause:

CanReach(‘Mahine 1’,Y)&Vulnerable(Y,‘BufferOver Flow’)

to check which hosts are connected to a vulnerable host, such as Machine1, which is not defendable by the defender, the following clauses can be used for verification:

Capability(V,‘YES’,‘NO’)&CanReach(‘Mahine 1’,Y)&

Vulnerable(Y,V)

in order to integrate the kill chain concept into the model, the present application may specify the impact of a vulnerability injected in the host, whether the vulnerability allows an attacker to perform steps such as reconnaissance, attack, etc. This effect is a boolean value that indicates the kill chain phase that an attacker can theoretically reach. The present application may create the following clauses:

Capability(V,‘YES’,‘NO’)&CanReach(‘Mahine 1’,Y)&

Vulnerable(Y,V)&Kill Chain(Y,‘YES’,YES’,YES’,YES’,Y ES’,YES’,YES’)

the scene may be validated at runtime before the drill infrastructure is actually deployed. The verification process uses facts and clauses generated in Datalog syntax by developed tools. By means of mathematical logical operations, in particular transitive relations, the Datalog engine can return attribute verification results according to given requirements. These queries are similar to SQL queries, and different attributes can be verified using logical operators such as and or. If the attribute is verified, the Datalog engine will return an output containing the element that the query verified. If the output is null, the attribute is considered unverified.

And (4) arranging the infrastructure, wherein at the stage of arranging the infrastructure, the formally verified modeling scene is converted into a simulation network topology. This conversion is achieved by using the infrastructure as a Code programming technique (IaCInfrastructure as Code) in which the templates of the infrastructure layout are generated; this is deployed on a cloud embodiment. Several cloud providers such as Microsoft (Microsoft), Google (Google), and Amazon (Amazon) offer infrastructure orchestration techniques, but they are a pay solution for closed source code. The present application has chosen a number of solutions, including the name Openstack, that provide functionality similar to Microsoft, Google, and Amazon; however, it also provides the ability to build a local cloud infrastructure without relying on a third party infrastructure. Openstack provides infrastructure orchestration of HEAT templates. The HEAT template provides an interface for specifying the requirements of the network topology and the types of systems present in the network.

The vulnerability injection, in this network topology, is a difficult process. Different infrastructure configuration techniques, such as anchor and Puppet, may be used for vulnerability injection. However, the present application selects a fundamentally different vulnerability injection technique and develops a customized vulnerability injector. And injecting the vulnerability according to the requirements of the scene model by using different operating system automation technologies. These operating system automation techniques are basically deployed on machines in the simulation network to open SSH connections and operate software, services and configuration vulnerabilities using Bash, Powershell and Python scripts. This enables the scene to be modified after infrastructure deployment and new vulnerabilities to be injected as needed, making the scene more flexible and balanced.

The cloud infrastructure arrangement not only has the function of arranging infrastructures on cloud computing and cloud storage comprising Openstack, Microsoft cloud, Google cloud and Amazon cloud; but also provides the ability to build a local cloud infrastructure independent of third party infrastructure, Openstack provides an infrastructure based on HEAT templates that provide an interface for specifying the requirements of the network topology and the types of systems present in the network.

The commissioning, including manual testing and automatic validation, debugs drill scenarios and infrastructure to prevent any errors, during which different scenario attributes will be checked to determine if the deployed scenarios meet the specified requirements in the scenario model. The present application divides this phase into two parts.

1) Manual testing

Manual testing is performed as a quality assurance process to verify different scene requirements. During this time, the deployed infrastructure is manually checked for any anomalies. This is achieved by manually performing commissioning, including checking the network topology and vulnerability of attack injection.

2) Automatic authentication

Manually performing a drill also typically requires a lot of time. To address this problem, the present application uses an attacker agent to automatically validate different scene attributes. The attacker agent is a Kali Linux based host in the deployed network infrastructure. It receives instructions from the scenario language for actions to be taken. Modeling a vulnerability as being injected into a host, a model of the attacker's proxy operation is also generated to verify vulnerability attributes. Such automatic verification includes different network link connections and vulnerability existence, as well as attack paths.

The execution comprises 3 modes of automation, mixing and manual operation; network security drills are performed by different teams to achieve the goals defined in the drill scenario. The preparation work and the resulting commissioning takes the most time during the life cycle of the network security drill. When these parts are completed, the exercise can be performed; however, finding the right person to train is a challenge, because if you want to do a blue team drill, you need a red team, and vice versa. To solve this problem, automation is also added in the execution section, so that the proposed drill can be executed in a lower manner.

1) Automatic

In automatic execution, attacker and defender operations may be specified to test different network security scenarios in an automated manner. To this end, the present application uses agent-based techniques to inject attacker and defender agents into the drill infrastructure. This agent performs attacker and defender operations following the requirements specified in DSL.

2) Mixing of

In hybrid execution, the automation agent may simulate an attacker or defender against a human team in a network security drill. In the mixed execution, the requirement of the opponent team is cancelled, so that the dependence of the network security exercise life cycle on the human input is reduced, and the low efficiency of searching the human team is reduced.

3) Hand operated

In manual execution, a normal network security drill is performed, with all participants being human. The proposed system supports manual execution of network security drills according to training requirements. In manual execution, both the red team and the blue team consist of human participants performing cyber attacks and defenses within the drilling infrastructure.

The evaluation, including log analysis and investigation; the performance of different participating teams in network security drilling will be assessed according to the achieved goals. The performance in the network security drill can be evaluated using a flag and/or a red flag. The flag is a text string that the participant must capture from the system to obtain a score. Another variation of this approach is called dynamic scoring. The time required to capture the flag, the number of times the flag is captured is also taken into account to obtain higher and lower scores. Such a scoring mechanism can be easily integrated into the system of the present application. However, the present application selects a more systematic evaluation method, as shown below.

1) Log analysis

Command line history of the drill participants is collected and can be used to analyze the participants' abilities and the types of skills they possess. An artificial intelligence AI model is planned to be trained for this purpose and used to classify the skill sets of the drill participants according to the killer chain kill chain. This is not within the scope of the present application since data is still being collected from the drill, working on this part.

2) Investigation

Pre-drill and post-drill surveys are used to determine any skill improvement of the drill participants and to obtain qualitative data of the drill.

The review will analyze the entire drill to determine any newly discovered technical and non-technical issues that need to be addressed before re-running the drill. By analyzing the feedback of the survey, it is determined which solutions are included in the scenario, including in the next iteration (i.e., jumping to the preparation module).

The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention; all equivalent changes and modifications made according to the present invention are considered to be covered by the scope of the present invention.

Claims (2)

1. The system for realizing the network security attack and defense drilling is characterized by comprising 5 modules of preparation, commissioning, execution, evaluation and duplication;

the method comprises the steps of preparing, defining a drilling target, formulating a drilling scene, deploying infrastructure required by the scene, comprising a scene model, infrastructure arrangement and vulnerability injection 3 submodules, modeling a logic network topology with the vulnerability, defining the capability of attacking or defending the vulnerability of an attacker and an defender, analyzing and logically verifying possible attack and defense strategies, and adopting a domain specific language DSL to specify different network security operation and maintenance operation requirements during drilling, wherein the network security operation and maintenance are simplified into five operations in one drilling: infrastructure orchestrators, vulnerability injectors, attacker agents, defender agents, and traffic generators, which have their specific attributes in the network security drilling scenario;

the scene model comprises scene language instantiation, formal scene specification and formal scene verification;

the infrastructure orchestration, including cloud infrastructure orchestration, converts formally verified modeled scenarios to a simulated network topology by using the infrastructure as an IaC code programming technique in which templates of the infrastructure orchestration are generated; this is deployed on a cloud instance;

the cloud infrastructure arrangement not only has the function of arranging infrastructures on cloud computing and cloud storage comprising Openstack, Microsoft cloud, Google cloud and Amazon cloud; but also provides the ability to build a local cloud infrastructure without relying on a third party infrastructure, Openstack provides a HEAT template based infrastructure;

the vulnerability injection can be performed on the infrastructure generated by the cloud infrastructure arrangement, different operating system automation technologies are used based on the customized vulnerability injector, vulnerabilities are injected according to the requirements of the scene model, the operating system automation technologies are basically deployed on machines in the simulation network to open SSH connection, and Bash, Powershell and Python scripts are used for operating software vulnerabilities, service vulnerabilities and configuring vulnerabilities. The method can modify the scene after the infrastructure is deployed, and inject new loopholes when needed, so that the scene is more flexible and balanced;

the scene language is instantiated, is carried out through the developed scene language and is logically verified through Datalog;

the formal scene specification adopts a network killer chain cyber kill chain model method, which comprises the following steps: reconnaissance, weaponization, delivery, attack vulnerabilities, installation, command and control, target action;

the formal scene verification combines the concept of scene language with Datalog modeling and provides the capability of modeling and verifying the network security drilling scene;

the commissioning, including manual testing and automatic validation, debugs drill scenes and infrastructure to prevent any errors, during the commissioning, will check different scene attributes to determine whether the deployed scenes meet the specified requirements in the scene model;

the execution comprises 3 modes of automation, mixing and manual operation, and the network security drilling is executed by different teams to realize the target defined in the drilling scene;

the evaluation, including log analysis and investigation, will evaluate the performance of different participating teams in the network security drill according to the achieved goals;

the review, which will analyze the entire drill to determine any newly discovered technical and non-technical issues that need to be addressed before re-running the drill, determines the issues in the scenario, including which solutions are included in the next iteration, by analyzing the feedback of the survey.

2. A method for realizing network security attack and defense drilling is characterized by comprising the following steps:

1) preparing;

2) performing test operation;

3) executing;

4) evaluating;

5) and (5) copying the disc and jumping to the step 1).

Images