CN115297010A - Permission acquisition target design method for network access equipment - Google Patents


Info

Publication number
CN115297010A
CN115297010A (application number CN202210871281.2A)
Authority
CN
China
Prior art keywords
target
network access
scene
shooting range
activities
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210871281.2A
Other languages
Chinese (zh)
Inventor
沙乐天
龙章伯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Mengcao Information Technology Co ltd
Original Assignee
Nanjing Mengcao Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Mengcao Information Technology Co ltd
Priority to CN202210871281.2A
Publication of CN115297010A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for designing a permission-acquisition target scenario for network access devices (the "target" is the virtualised attack scenario an unauthorised user must gain access and privileges through). The method consists of the following activities: defining requirements, task planning, target construction, setup and testing, scenario drilling, and analysis reporting. The requirements-definition activity is carried out mainly by the cyber-range users and the target analysts, who systematically analyse the range users' needs. The task-planning activity splits homogeneous work into several distinct subtasks according to the description document produced by the requirements definition. The construction, setup and testing activity takes the qualitative analysis of step one (requirements definition) and the quantitative analysis of step two (task planning), builds and configures in combination the modules involved in the several subtasks, and finally tests the target in the range. The scenario-drilling activity runs a full-fidelity simulation of a real attack against the scenario target in the range. The invention helps security personnel keep up the intensity of their training and improves the efficiency of continuous training in peacetime.

Description

Permission acquisition target design method for network access equipment
Technical Field
The invention discloses a method for designing a permission-acquisition target scenario for network access devices, and belongs to the technical field of digital information.
Background
Competition in cyberspace is becoming increasingly severe, and network attacks are shifting from attacks on individuals to attacks on national infrastructure. Research on attack-and-defence risk assessment, attack-and-defence drills and new network technologies is an important strategic need for the development of internet security in China, and cyber range technology, as the foundation of those strategies, is especially important. Cyber ranges are now a focus of attention in every country.
In particular, since the start of the 21st century cyber-security risk has gradually penetrated every industrial sector and poses a real threat to national critical infrastructure. Each country has therefore devoted resources to the cyber range field, and cyber ranges have made many breakthroughs in construction scale, construction form and load capacity. China has now entered a stage of comprehensive informatisation, and the need for a secure and robust network environment is more urgent than before. Against this background, studying the current state and the modes of cyber range construction in each country has profound guiding significance for raising the level of cyber range construction and the network security protection capability of China.
Disclosure of Invention
The invention aims to provide a method for designing a permission-acquisition target scenario for network access devices. It uses virtualisation to reproduce in the cloud a full scenario built around the network access devices commonly found on the market, so as to simulate the real effect of an unauthorised user gaining access and privileges through the network access device. This helps security personnel keep up the intensity of their training and improves the efficiency of continuous training in peacetime. Cloud virtualisation allows centralised management to the greatest extent, raises hardware utilisation, lets machines and their resource allocation be adjusted dynamically, achieves high reliability at low total cost, and lets function and service value be converted along the industry chain.
The technical solution adopted by the invention is as follows. A method for designing a permission-acquisition target scenario for network access devices comprises the following steps:
step 1: defining requirements;
carried out by the cyber-range users and the target analysts, who systematically analyse the range users' needs;
step 2: task planning;
according to the description document produced by the requirements definition of step 1, splitting homogeneous work into several distinct subtasks;
step 3: constructing, setting up and testing the target;
according to the qualitative analysis of the requirements-definition activity of step 1 and the quantitative analysis of the task-planning activity of step 2, building and configuring in combination the modules involved in the several subtasks, and finally testing the target in the range;
step 4: scenario drilling;
running a full-fidelity simulation of a real attack against the scenario target in the range;
step 5: analysis reporting;
examining and analysing in detail the data generated throughout the scenario drill and its operation and, with reference to the target, identifying problems that may exist in the steps by which permission acquisition is achieved against the network access device, so that the range users' objective is met.
Further, in step 1 the requirements definition is written up as a description document of the real-attack effect the target is to simulate, and the target event is analysed qualitatively.
Further, the target event is analysed quantitatively according to the description document, to arrive at the specific parameters or operating limits of each subtask.
Further, the specific subsystems required are pulled from the range and given specific configuration files, and a function test by a non-target user is run before the target event formally starts, to fix the relevant parameters and ensure that nothing unexpected occurs during the scenario drill.
Further, all user entry points are opened so that the target users can enter the target for a realistic drill; during this period the subsystems execute their subtasks according to the pre-configuration to simulate a real attack-and-defence scenario.
Beneficial effects:
1. The invention uses virtualisation to reproduce in the cloud a full scenario built around the network access devices commonly found on the market, so as to simulate the real effect of an unauthorised user gaining access and privileges through the network access device. This helps security personnel keep up the intensity of their training and improves the efficiency of continuous training in peacetime.
2. Cloud virtualisation allows centralised management to the greatest extent, raises hardware utilisation, lets machines and their resource allocation be adjusted dynamically, achieves high reliability at low total cost, and lets function and service value be converted along the industry chain.
Drawings
FIG. 1 is a flow chart of the method of the invention.
FIG. 2 is a flow chart of the method as presented in terms of the target event.
FIG. 3 is the network topology of the embodiment, in which permission acquisition is considered for the devices of three operators.
Detailed Description
The invention is further described in detail in the following with reference to the accompanying drawings.
Example one
As shown in fig. 1, the invention provides a method for designing a permission-acquisition target scenario for network access devices, in which the virtualised scenario of a network access device inside a cyber range is defined as the target event. The method is divided into 3 time periods and 5 basic activities, as shown in fig. 1.
The three time periods are before the target event, during the target event and after the target event. Before the target event come, in order, the requirements-definition activity, the task-planning activity and the construction, setup and testing activity; the target event then runs; the analysis-and-reporting activity spans the target event and the period after it; and some feedback or iteration may occur between earlier and later activities. In chronological order the activities are: defining requirements, task planning, target construction, setup and testing, scenario drilling, and analysis reporting.
The requirements-definition activity is mainly a systematic analysis of the range users' needs by the personnel concerned. Concretely, the requirements are written up as a description document of the real-attack effect the target is to simulate, the target event is analysed qualitatively, and the subsystems that can be used are determined. The content usually includes, but is not limited to, the brand of network access device, the specific scenario of the secondary network behind the access device, and the expected effect.
The task-planning activity splits homogeneous work into several distinct subtasks according to the description document produced in the first step. Concretely, the specific parameters or operating limits of each subtask are derived from the description document and the target event is analysed quantitatively. The content usually includes, but is not limited to, the model of the network access device, its firmware version, the topology of the secondary network behind it, the vulnerability type, and the usable toolchain.
The construction, setup and testing activity builds and configures in combination the several subtasks and their modules, based on the qualitative analysis of the first step and the quantitative analysis of the second, and finally tests the target in the range. Concretely, the specific subsystems required are pulled from the range and given specific configuration files, and a function test by a non-target user is run once before the target event formally starts, to fix the relevant parameters and ensure that nothing unexpected occurs during the drill. The content usually includes, but is not limited to, the network performance of the target network and the device performance of the network access device.
The scenario-drilling activity runs a full-fidelity simulation of a real attack against the scenario target in the range. Concretely, all user entry points are opened so that target users can enter the target for a realistic drill, and during this period the subsystems execute their subtasks according to the pre-configuration to simulate a real attack-and-defence scenario.
The analysis-and-reporting activity examines and analyses in detail the data generated throughout the drill and its operation and, with reference to the target, identifies problems that may exist in the steps by which permission acquisition is achieved against the network access device, so that the range users' objectives are fully met.
In this embodiment, optical modems (ONTs) of three operators, each with a different architecture, are selected to form a simple network topology.
As shown in fig. 1, fig. 2 and fig. 3, the design method of the first embodiment comprises the following steps:
step 1: determine the brand of network access device: the access devices of three common operators. Determine the specific scenario of the secondary network behind the access device: three cases are covered, namely the access device followed by a router, the access device followed by a router and a secondary network, and the access device connected directly to a host. Determine the expected effect: the scenario drill should allow analysis and study of the impact on network performance, the traces left behind, and so on, while an unauthorised user gains access and privileges on the three operators' devices. A description document is written from the above.
step 2: as shown in fig. 3, determine the models of the network access devices: device A is a China Telecom optical modem F612, device B is a China Mobile optical modem F673AV9a, device C is a host running Microsoft Windows 10, device D is a China Unicom optical modem F677V2, device E is a D-Link DIR-645 A1 wireless router, and device F is a host running Microsoft Windows 7. Determine the firmware versions: China Telecom F612 is V5.0.0P1T1, China Mobile F673AV9a is V2.2.0P1T9, and China Unicom F677V2 is V2.0.0P1T2. Determine the topology of the secondary network behind the access devices: as shown in fig. 3. Determine the vulnerability types: at the optical modem layer a vendor (official) backdoor vulnerability is used, and the D-Link router vulnerability is a stack overflow reachable on the UPnP port. Determine the usable toolchain: nmap, python, pwntools and the like.
step 3: call the IoT simulation environment subsystem of the range to build the simulated network access devices and network them according to the parameters of step 2, so that the environment and its functions are simulated and the usage requirements of the other subsystems are met. Within this subsystem the work is divided into the subtasks of device performance detection, network traffic detection, target environment detection, sensitive behaviour detection, device response detection, log system detection, unexpected behaviour detection, and so on. Once every parameter fixed in step 2 has been fully described in the configuration file, a pre-configuration test is run; if it succeeds, the network performance of the specific target network, the device performance of the network access devices, and so on, are obtained.
step 4: run the scenario drill formally in the environment pre-configured in step 3. All user entry points are opened so that target users can enter the target for a realistic drill, and the subtasks managed by the subsystem continuously record data on device performance, network traffic, target environment, sensitive behaviour, device response, unexpected behaviour, and so on, which provides the data basis and assurance for step 5.
step 5: after step 4, examine and analyse in detail the data generated throughout the drill and its operation and, with reference to the targets of step 1 (impact on network performance, traces left behind, and so on, while privileges are acquired on the three operators' devices), identify problems that may exist in the steps by which permission acquisition is achieved against the network access devices, so that the range users' targets are fully met. Concretely, the whole scenario run is reviewed, the data fed back by the subsystem is analysed starting from the problems observed, and a solution to those problems is sought.
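The five activities of the method (the steps of the Disclosure, Example one above and Example two below) worked through as an added Python example; this is not the patent's own code and the patent describes no software interface. Device letters, models, firmware strings, vulnerability types, the toolchain and the seven detection subtasks are taken from Example one. The links between devices, the TOOL_FOR_VULN mapping, the EVENTS telemetry (including the latency values) and every function name are assumptions made for the example. Device E's firmware is not stated in the patent and is deliberately left out so that the pre-configuration test has something to catch.

```python
"""Added example, not the patent's own code: a small model of the five activities
applied to the Example one scenario. Device letters, models, firmware strings,
vulnerability types and tools come from the patent text; the links between devices,
the vulnerability-to-tool mapping and the drill telemetry are assumptions."""
from collections import defaultdict
from statistics import mean

# Steps 1-2: the description document (qualitative) with the quantitative parameters.
# Device E's firmware is not stated in the patent, so it is deliberately left out here.
SCENARIO = {
    "devices": {
        "A": {"role": "ont", "model": "F612", "firmware": "V5.0.0P1T1", "vuln": "vendor-backdoor"},
        "B": {"role": "ont", "model": "F673AV9a", "firmware": "V2.2.0P1T9", "vuln": "vendor-backdoor"},
        "C": {"role": "host", "model": "Windows 10"},
        "D": {"role": "ont", "model": "F677V2", "firmware": "V2.0.0P1T2", "vuln": "vendor-backdoor"},
        "E": {"role": "router", "model": "D-Link DIR-645 A1", "vuln": "upnp-stack-overflow"},
        "F": {"role": "host", "model": "Windows 7"},
    },
    # Assumed links covering the three secondary-network cases of step 1.
    "links": [("A", "C"), ("B", "E"), ("D", "E"), ("E", "F")],
    "toolchain": ["nmap", "python", "pwntools"],
}
# Assumed: which tool from the toolchain each vulnerability type needs.
TOOL_FOR_VULN = {"vendor-backdoor": "nmap", "upnp-stack-overflow": "pwntools"}
# The detection subtasks named in step 3.
MONITORS = ("device_performance", "network_traffic", "target_environment", "sensitive_behavior",
            "device_response", "log_system", "unexpected_behavior")


def plan_subtasks(scenario):
    """Step 2: one subtask per vulnerable device, carrying its parameters and the tool it needs."""
    return [{"device": n, "model": d["model"], "firmware": d.get("firmware"), "vuln": d["vuln"],
             "tool": TOOL_FOR_VULN.get(d["vuln"]), "monitors": MONITORS}
            for n, d in scenario["devices"].items() if "vuln" in d]


def preconfig_test(scenario, subtasks):
    """Step 3: the function test run before the target event opens. Returns the list of
    problems found; an empty list means every parameter of step 2 is described."""
    problems, devices, linked = [], scenario["devices"], set()
    for a, b in scenario["links"]:
        for end in (a, b):
            if end not in devices:
                problems.append(f"link {a}-{b} references unknown device {end}")
            linked.add(end)
    problems += [f"device {n} is not connected to anything" for n in devices if n not in linked]
    for st in subtasks:
        if not st["firmware"]:
            problems.append(f"device {st['device']} has no firmware version")
        if st["tool"] is None:
            problems.append(f"no tool known for vulnerability {st['vuln']} on {st['device']}")
        elif st["tool"] not in scenario["toolchain"]:
            problems.append(f"tool {st['tool']} for {st['device']} is not in the toolchain")
    return problems


def analyze_drill(events):
    """Step 5: summarise what the monitors recorded in step 4: sensitive actions and log
    traces per device, the change in latency once the first sensitive action is seen, and
    unexpected behaviour. Latency samples (ms) are the 'detail' of network_traffic events."""
    report = {"sensitive": defaultdict(int), "traces": defaultdict(list),
              "latency_delta_ms": {}, "unexpected": []}
    latency, first_sensitive = defaultdict(lambda: {"before": [], "after": []}), {}
    for ev in sorted(events, key=lambda e: e["t"]):
        dev, mon, detail = ev["device"], ev["monitor"], ev["detail"]
        if mon == "sensitive_behavior":
            report["sensitive"][dev] += 1
            first_sensitive.setdefault(dev, ev["t"])
        elif mon == "log_system":
            report["traces"][dev].append(detail)
        elif mon == "unexpected_behavior":
            report["unexpected"].append((dev, detail))
        elif mon == "network_traffic":
            latency[dev]["after" if dev in first_sensitive else "before"].append(detail)
    for dev, s in latency.items():
        if s["before"] and s["after"]:
            report["latency_delta_ms"][dev] = round(mean(s["after"]) - mean(s["before"]), 1)
    return report


# Constructed telemetry for one drill session against device E (not real range data).
EVENTS = [
    {"t": 1, "device": "E", "monitor": "network_traffic", "detail": 10},
    {"t": 2, "device": "E", "monitor": "network_traffic", "detail": 12},
    {"t": 3, "device": "E", "monitor": "sensitive_behavior", "detail": "oversized UPnP request header"},
    {"t": 4, "device": "E", "monitor": "log_system", "detail": "upnpd restarted"},
    {"t": 5, "device": "E", "monitor": "network_traffic", "detail": 40},
    {"t": 6, "device": "E", "monitor": "sensitive_behavior", "detail": "new listening service on LAN side"},
    {"t": 7, "device": "E", "monitor": "unexpected_behavior", "detail": "WAN link flapped"},
    {"t": 8, "device": "E", "monitor": "network_traffic", "detail": 50},
]

if __name__ == "__main__":
    tasks = plan_subtasks(SCENARIO)
    print("pre-configuration problems:", preconfig_test(SCENARIO, tasks))
    print("drill report:", dict(analyze_drill(EVENTS)))
```

Run as-is, the pre-configuration test refuses the scenario with "device E has no firmware version", which is the kind of gap the patent's non-target-user test exists to surface before the entry points are opened; adding the firmware string makes it pass. The analysis step then reports, for device E, two sensitive actions, one log trace ("upnpd restarted"), a 34 ms rise in mean latency after the first sensitive action, and one unexpected behaviour, which are exactly the "impact on network performance" and "traces left behind" targets of step 1.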
Example two
As shown in fig. 1, the invention provides a method for designing a permission-acquisition target scenario for network access devices, in which the virtualised scenario of a network access device inside a cyber range is defined as the target event. The method specifically comprises the following steps.
The method has three time periods: before the target event, during the target event and after the target event. Before the target event come, in order, the requirements-definition activity, the task-planning activity and the construction, setup and testing activity; the target event then runs; the analysis-and-reporting activity spans the target event and the period after it; and some feedback or iteration may occur between earlier and later activities.
In chronological order the activities are:
1. defining requirements;
2. task planning;
3. constructing, setting up and testing the target;
4. scenario drilling;
5. analysis reporting.
The requirements-definition activity is carried out mainly by the range users and the target analysts, who systematically analyse the range users' needs. Concretely, the requirements are written up as a description document of the real-attack effect the target is to simulate, the target event is analysed qualitatively, and the subsystems to be used are determined. The content usually includes, but is not limited to, the brand and model of the network access device, the specific scenario of the secondary network behind it, and the expected effect.
The task-planning activity splits homogeneous work into several distinct subtasks according to the description document produced in the first step. Concretely, the specific parameters or operating limits of each subtask are derived from the description document and the target event is analysed quantitatively. The content usually includes, but is not limited to, the model of the network access device, its firmware version, the topology of the secondary network behind it, the vulnerability type, and the usable toolchain.
The construction, setup and testing activity builds and configures in combination the modules involved in the several subtasks, based on the qualitative analysis of the first step and the quantitative analysis of the second, and finally tests the target in the range. Concretely, the specific subsystems required are pulled from the range and given specific configuration files, and a function test by a non-target user is run once before the target event formally starts, to fix the relevant parameters and ensure that nothing unexpected occurs during the drill. The content usually includes, but is not limited to, the network performance of the target network and the device performance of the network access device.
The scenario-drilling activity runs a full-fidelity simulation of a real attack against the scenario target in the range. Concretely, all user entry points are opened so that target users can enter the target for a realistic drill, and during this period the subsystems execute their subtasks according to the pre-configuration to simulate a real attack-and-defence scenario.
The analysis-and-reporting activity examines and analyses in detail the data generated throughout the drill and its operation and, with reference to the target, identifies problems that may exist in the steps by which permission acquisition is achieved against the network access device, so that the range users' objectives are fully met.
It should be understood by those skilled in the art that the design method is not limited to the exemplary embodiments described above; any person skilled in the art may substitute or modify the technical solution and concept of the invention within the scope of the disclosure, and all such alternatives or modifications fall within the protection scope of the method.

Claims (5)

1. A method for designing a permission-acquisition target scenario for network access devices, comprising the following steps:
step 1: defining requirements;
carried out by the cyber-range users and the target analysts, who systematically analyse the range users' needs;
step 2: task planning;
according to the description document produced by the requirements definition of step 1, splitting homogeneous work into several distinct subtasks;
step 3: constructing, setting up and testing the target;
according to the qualitative analysis of the requirements-definition activity of step 1 and the quantitative analysis of the task-planning activity of step 2, building and configuring in combination the modules involved in the several subtasks, and finally testing the target in the range;
step 4: scenario drilling;
running a full-fidelity simulation of a real attack against the scenario target in the range;
step 5: analysis reporting;
examining and analysing in detail the data generated throughout the scenario drill and its operation and, with reference to the target, identifying problems that may exist in the steps by which permission acquisition is achieved against the network access device, so that the range users' objective is met.
2. The method for designing a permission-acquisition target scenario for network access devices according to claim 1, wherein the requirements definition of step 1 is written up as a description document of the real-attack effect the target is to simulate, and the target event is analysed qualitatively.
3. The method for designing a permission-acquisition target scenario for network access devices according to claim 1, wherein the target event is analysed quantitatively according to the specific parameters or operating limits of each subtask derived from the description document.
4. The method for designing a permission-acquisition target scenario for network access devices according to claim 1, wherein the specific subsystems required are pulled from the range and given specific configuration files, and a function test by a non-target user is run before the target event formally starts, to fix the relevant parameters and ensure that nothing unexpected occurs during the scenario drill.
5. The method for designing a permission-acquisition target scenario for network access devices according to claim 1, wherein all user entry points are opened so that the target users can enter the target for a realistic drill, and during this period the subsystems execute their subtasks according to the pre-configuration to simulate a real attack-and-defence scenario.
CN202210871281.2A, priority and filing date 2022-07-22: Permission acquisition target design method for network access equipment, pending, published as CN115297010A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210871281.2A CN115297010A (en) 2022-07-22 2022-07-22 Permission acquisition target design method for network access equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210871281.2A CN115297010A (en) 2022-07-22 2022-07-22 Permission acquisition target design method for network access equipment

Publications (1)

Publication Number Publication Date
CN115297010A true CN115297010A (en) 2022-11-04

Family

ID=83824474

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210871281.2A Pending CN115297010A (en) 2022-07-22 2022-07-22 Permission acquisition target design method for network access equipment

Country Status (1)

Country Link
CN (1) CN115297010A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117709077A (en) * 2023-11-30 2024-03-15 永信至诚科技集团股份有限公司 Simulation deduction method and system based on network target range, electronic equipment and medium


Similar Documents

Publication Publication Date Title
Kholidy Detecting impersonation attacks in cloud computing environments using a centric user profiling approach
Abu-Dabaseh et al. Automated penetration testing: An overview
US20200184847A1 (en) A system and method for on-premise cyber training
Holm et al. Sved: Scanning, vulnerabilities, exploits and detection
KR101883400B1 (en) detecting methods and systems of security vulnerability using agentless
CN109462599B (en) Honeypot management system
Ahmed et al. Detecting Computer Intrusions Using Behavioral Biometrics.
CN109583711A (en) A kind of security risk assessment whole process management system
CN113822582A (en) Attack and defense drilling system of network shooting range
KR20140035146A (en) Apparatus and method for information security
Speicher et al. Towards automated network mitigation analysis
CN115297010A (en) Permission acquisition target design method for network access equipment
CN115361203A (en) Vulnerability analysis method based on distributed scanning engine
CN117808275A (en) ACS visualization technology-based target range management method and system
CN111245800B (en) Network security test method and device, storage medium and electronic device
Kersten et al. 'Give Me Structure': Synthesis and Evaluation of a (Network) Threat Analysis Process Supporting Tier 1 Investigations in a Security Operation Center
Shan et al. An approach for internal network security metric based on attack probability
Sievierinov et al. Enterprise Security Operations Center
Wang et al. Using taint analysis for threat risk of cloud applications
Naqvi et al. Quantifiable security metrics for large scale heterogeneous systems
CN118101337B (en) Intelligent defense method and system for railway network space based on information collaboration
Wang et al. An Algorithm of Optimal Penetration Path Generation under Unknown Attacks of Electric Power WEB System Based on Knowledge Graph
CN112580835B (en) Management method and device of server
Ismail et al. Optimal deployment of security policies: Application to industrial control systems
CN118316729A (en) Network security vulnerability analysis method and device based on artificial intelligence

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20221104