CN115408697A - Method, device, equipment and product for evaluating ability of defensive personnel in network shooting range - Google Patents

Publication number
CN115408697A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110587861.4A
Other languages
Chinese (zh)
Inventor
董航
陈昊
徐一
张峰
徐扬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention discloses a method, a device, equipment and a product for evaluating the ability of defensive personnel in a network shooting range. The method comprises the following steps: after the drilling is finished, acquiring the vulnerability availability condition identification results and the vulnerability exploitation expected hazard identification results of defense drilling participants in a defense competition drilling scene of the network shooting range; calculating a vulnerability identification ability score value; acquiring the execution data recorded during the drilling process when the vulnerability exploitation verification program of each network node in the drilling scene called the corresponding EXP attack script; calculating the vulnerability repair and reinforcement capability score values of the defense drilling participants; and calculating the ability evaluation score value of each defense drilling participant from these score values. The method can accurately evaluate the vulnerability repair and reinforcement capability of defensive personnel in the network shooting range, avoids making the evaluation of defensive personnel depend too heavily on the capability of the attacking party, avoids relying on a single evaluation index, and improves the accuracy and rationality of security drilling evaluation.

Description

Method, device, equipment and product for evaluating ability of defensive personnel in network shooting range
Technical Field
The invention relates to the technical field of IT application, in particular to a method and a device for evaluating the ability of defensive personnel in a network shooting range, terminal equipment and a computer program product.
Background
When existing network security training platforms or exercise systems carry out capability evaluation, they either quantitatively evaluate only the defense capability of the shooting range itself and lack any evaluation of the defense capability of the personnel in the range, or they attach importance only to the exploitation and repair skills for a single vulnerability, without the concept of a scene. Ability evaluation of defenders that is detached from the network shooting range environment may also be limited by the number of network nodes and the number of vulnerability types in the network area. As a result, the evaluation means and evaluation indexes for trained personnel are single, their real ability level cannot be accurately evaluated, and the availability and stability of real network services are likely to be affected during security emergency drilling.
In addition, existing evaluation of the capability of network shooting range and network security drilling personnel focuses on behavior log monitoring in the attack and defense confrontation scene. The defense evaluation of such a scheme is non-active evaluation: the launching of a defense behavior may depend on an attack behavior, so the evaluation of the capability of the defensive personnel depends excessively on the capability of the red-party personnel. As the ability of the attacking personnel decreases, the evaluation dimensions of the defensive party are reduced to zero, so the evaluation result for the defensive personnel lacks rationality.
Disclosure of Invention
The main purpose of the invention is to provide a method, a device, a terminal device and a computer program product for evaluating the ability of defensive personnel in a network shooting range, so as to solve the problems that the existing evaluation of the ability of defensive personnel depends too much on the ability of red-party personnel, that the evaluation index is single and that the evaluation accuracy is low, and to improve the accuracy and rationality of security drilling evaluation.
In order to achieve the above object, an embodiment of the present invention provides a method for evaluating capabilities of defensive people in a network shooting range, where the method includes the following steps:
after the drilling is finished, acquiring a vulnerability availability condition identification result and a vulnerability expected hazard identification result of a defense drilling participant in a defense competition drilling scene of a network shooting range, wherein the defense drilling participant performs vulnerability repair drilling based on a pre-designed drilling scene in the drilling process;
calculating the vulnerability recognition capability score of the defense drilling participant according to the vulnerability available condition recognition result and the vulnerability expected harm recognition result;
acquiring execution data recorded by calling a corresponding EXP attack script by a vulnerability utilization verification program of a network node in the execution scene in the drilling process;
calculating vulnerability repair and reinforcement capability score values of the defense drilling participants according to the execution data;
and calculating the capability evaluation score of the defense drilling participants according to the vulnerability identification capability score and the vulnerability repair and reinforcement capability score of the defense drilling participants.
Optionally, after the drilling is finished, before the step of obtaining the vulnerability availability condition identification result and the vulnerability expected hazard identification result of the defense drilling participant in the defense competition drilling scene of the network shooting range, the method further includes:
designing the drilling scene, wherein the drilling scene comprises: a drilling network topology, a plurality of network nodes that may contain vulnerabilities or cover a plurality of vulnerability types, a vulnerability exploitation route, and an EXP attack script for each network node that has a vulnerability.
Optionally, after the drilling is finished, before the step of obtaining the vulnerability availability condition identification result and the vulnerability expected hazard identification result of the defense drilling participant in the defense competition drilling scene of the network shooting range, the method further includes:
in the drilling process, executing a vulnerability utilization verification program of the network node in the drilling scene, and calling a corresponding EXP attack script at a preset time interval;
if the EXP attack script fails to execute, switching to the EXP attack script variants and executing again until all the EXP attack script variants fail to execute;
recording, through the vulnerability exploitation verification program, the execution time, the number of successful executions, the number of failed executions and the total number of executions of the EXP attack script and the EXP attack script variants; recording, for each defense drilling participant, the sequence of events in which a single EXP attack script first failed to execute, arranged in time order, to obtain the vulnerability repair sequence and the relevant parameters of each defense drilling participant; and using the vulnerability repair sequence and the relevant parameters as the execution data and storing them in a drilling database.
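The recording procedure in the steps above, as an added example (not code from the patent or its applicant): every EXP attack script is replaced by a constructed probe function that only simulates success or failure. The vulnerability names, the tick values and the rule that the variant chain stops at the first variant that still succeeds are assumptions of this example.

```python
"""Simulated vulnerability exploitation verification loop for a defense-only drill."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A probe stands in for one EXP attack script: True means the attempt still works.
Probe = Callable[[int], bool]
ScriptChain = List[Tuple[str, Probe]]  # primary script first, then its variants


@dataclass
class ExecutionRecord:
    successes: int = 0
    failures: int = 0
    log: List[Tuple[int, str, bool]] = field(default_factory=list)  # (tick, script, ok)
    last_result: Dict[str, bool] = field(default_factory=dict)
    first_failure_tick: Optional[int] = None  # first time the primary script failed

    @property
    def total(self) -> int:
        return self.successes + self.failures

    def note(self, tick: int, script: str, ok: bool) -> None:
        self.log.append((tick, script, ok))
        self.last_result[script] = ok
        if ok:
            self.successes += 1
        else:
            self.failures += 1


def run_verifier(scripts: Dict[str, ScriptChain], ticks: range) -> Dict[str, ExecutionRecord]:
    """Call each primary script once per tick; on failure walk its variants."""
    records = {vuln: ExecutionRecord() for vuln in scripts}
    for tick in ticks:
        for vuln, chain in scripts.items():
            rec = records[vuln]
            (primary_name, primary), variants = chain[0], chain[1:]
            ok = primary(tick)
            rec.note(tick, primary_name, ok)
            if ok:
                continue
            if rec.first_failure_tick is None:
                rec.first_failure_tick = tick  # the "first execution failure" event
            for name, probe in variants:
                ok = probe(tick)
                rec.note(tick, name, ok)
                if ok:
                    break  # assumption: stop once a variant still gets through
    return records


def repair_sequence(records: Dict[str, ExecutionRecord]) -> List[str]:
    """Vulnerabilities ordered by the time their primary script first failed."""
    events = [(r.first_failure_tick, v) for v, r in records.items()
              if r.first_failure_tick is not None]
    return [vuln for _, vuln in sorted(events)]


def blocked_variants(records: Dict[str, ExecutionRecord],
                     scripts: Dict[str, ScriptChain]) -> Dict[str, int]:
    """Per vulnerability, how many variants failed on their most recent run."""
    return {
        vuln: sum(1 for name, _ in chain[1:]
                  if records[vuln].last_result.get(name) is False)
        for vuln, chain in scripts.items()
    }


def blocked_from(tick_fixed: Optional[int]) -> Probe:
    """Constructed probe: succeeds until the participant's fix lands at tick_fixed."""
    if tick_fixed is None:
        return lambda tick: True  # never repaired
    return lambda tick: tick < tick_fixed


# Constructed sample data for one participant (names and ticks are illustrative).
SAMPLE_SCRIPTS: Dict[str, ScriptChain] = {
    "web-sqli": [("sqli.primary", blocked_from(3)),
                 ("sqli.v1", blocked_from(3)),
                 ("sqli.v2", blocked_from(None))],  # fix misses this variant
    "ftp-weakpw": [("ftp.primary", blocked_from(1)),
                   ("ftp.v1", blocked_from(1))],
    "db-unauth": [("db.primary", blocked_from(None)),
                  ("db.v1", blocked_from(None))],
}

if __name__ == "__main__":
    recs = run_verifier(SAMPLE_SCRIPTS, range(6))
    print("repair sequence:", repair_sequence(recs))
    print("blocked variants:", blocked_variants(recs, SAMPLE_SCRIPTS))
    for vuln, rec in recs.items():
        print(vuln, rec.successes, rec.failures, rec.total)
```

In the sample data `web-sqli` enters the repair sequence because its primary script is blocked, yet one variant still succeeds, which is the gap the per-vulnerability variant count exposes.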
Optionally, after the drilling is finished, the step of obtaining the vulnerability availability condition identification result of the defense drilling participant in the defense competition drilling scene of the network shooting range includes:
after the drilling is finished, collecting the number of vulnerabilities in the drilling scene for which the defense drilling participant correctly identified the vulnerability availability conditions, wherein the vulnerability availability conditions are obtained by the defense drilling participant, after finding a vulnerability, evaluating the availability conditions of that vulnerability in the drilling scene based on retrieval results from a vulnerability information database;
and calculating the vulnerability availability condition identification result based on the number of vulnerabilities whose availability conditions the defense drilling participant correctly identified and the actual total number of vulnerabilities in the drilling scene.
Optionally, after the drilling is finished, the step of obtaining the vulnerability exploitation expected hazard identification result of the defense drilling participant in the defense competition drilling scene of the network shooting range includes:
after the drilling is finished, collecting the number of vulnerabilities in the drilling scene for which the defense drilling participant correctly identified the expected result of exploitation, wherein the expected result of exploitation is obtained by the defense drilling participant, after identifying an available vulnerability, evaluating the actual possible damage of that vulnerability in the drilling scene based on retrieval results from a vulnerability information database;
and calculating the vulnerability exploitation expected hazard identification result based on the number of vulnerabilities whose expected exploitation result the defense drilling participant correctly identified and the preset total number of vulnerabilities in the drilling scene.
Optionally, the step of calculating vulnerability fix and reinforcement capability score values of the defense drill participants according to the execution data includes:
acquiring a vulnerability repair sequence of the defense drilling participants in the execution data;
calculating to obtain vulnerability repair sequence strategy scores of the defense drill participants based on vulnerability repair sequences of the defense drill participants and preset optimal vulnerability repair sequences and repair strategy total scores of the drill scenes;
based on the execution data, obtaining the total number of vulnerabilities repaired by the defense drilling participant, the number of repaired vulnerabilities of a specific type, and the number of EXP attack script variants that failed to execute against a single vulnerability;
calculating the vulnerability repair reinforcement score of the defense drilling participant based on the total number of vulnerabilities repaired, the number of repaired vulnerabilities of a specific type, and the number of EXP attack script variants that failed to execute against a single vulnerability;
and calculating the vulnerability repair and reinforcement capability score value of the defense drilling participant based on the vulnerability repair sequence strategy score and the vulnerability repair reinforcement score.
Optionally, the step of calculating the vulnerability repair reinforcement score of the defense drilling participant based on the total number of vulnerabilities repaired, the number of repaired vulnerabilities of a specific type, and the number of EXP attack script variants that failed to execute against a single vulnerability includes:
calculating the overall vulnerability repair failure rate average weighted AFFR of the defense drilling participant based on the total number of vulnerabilities repaired by the participant, the number of EXP attack script variants that failed to execute against a single vulnerability, and the preset total number of vulnerabilities of the drilling scene;
calculating the specific type vulnerability repair failure average weighted SFFR of the defense drilling participant based on the number of repaired vulnerabilities of a specific type, the number of EXP attack script variants that failed to execute against a single vulnerability, and the total number of vulnerabilities of the specific type in the drilling scene;
and calculating the vulnerability repair reinforcement score of the defense drilling participant based on the overall vulnerability repair failure rate average weighted AFFR and the specific type vulnerability repair failure average weighted SFFR.
In addition, the embodiment of the invention also provides a defensive personnel capacity evaluation device in the network shooting range, which comprises:
an identification result acquisition module, used for acquiring, after the drilling is finished, the vulnerability availability condition identification result and the vulnerability exploitation expected hazard identification result of a defense drilling participant in a defense competition drilling scene of a network shooting range, wherein the defense drilling participant performs vulnerability repair drilling based on a pre-designed drilling scene during the drilling process;
the recognition capability calculation module is used for calculating the vulnerability recognition capability score value of the defense drill participant according to the vulnerability utilizable condition recognition result and the vulnerability utilization expected hazard recognition result;
the execution recording module is used for acquiring execution data recorded by calling a corresponding EXP attack script by a vulnerability exploitation verifying program of a network node in the drilling scene in the drilling process;
the repair reinforcement capability calculation module is used for calculating the vulnerability repair and reinforcement capability score values of the defense drilling participants according to the execution data;
and the evaluation score calculation module is used for calculating the capability evaluation score of the defense drilling participant according to the vulnerability identification capability score of the defense drilling participant and the vulnerability repair and reinforcement capability score.
In addition, the embodiment of the present invention further provides a terminal device, where the terminal device includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and the computer program, when executed by the processor, implements the method for assessing ability of defenders in a network shooting range as described above.
Furthermore, an embodiment of the present invention further provides a computer program product, which includes a computer program, and when being executed by a processor, the computer program implements the method for assessing the ability of defenders in a network shooting range as described above.
According to the method, the device, the terminal equipment and the computer program product for evaluating the capability of the defensive personnel in the network shooting range, after the drilling is finished, a vulnerability utilizable condition identification result and a vulnerability utilization expected hazard identification result of a defensive drilling participant in a defensive competition drilling scene of the network shooting range are obtained, wherein the defensive drilling participant performs vulnerability repair drilling based on a pre-designed drilling scene in the drilling process; calculating the vulnerability recognition capability score value of the defense drill participant according to the vulnerability utilizable condition recognition result and the vulnerability utilizable expected hazard recognition result; acquiring execution data recorded by calling a corresponding EXP attack script by a vulnerability utilization verification program of a network node in the execution scene in the drilling process; calculating vulnerability repair and reinforcement capability scores of the defense drilling participants according to the execution data; and calculating the capability evaluation score of the defense drilling participant according to the vulnerability recognition capability score of the defense drilling participant and the vulnerability repairing and reinforcing capability score. 
Because the embodiment of the invention adopts a preset drilling scene, the network topology, the network nodes covering multiple vulnerability types and the vulnerability exploitation route can be designed as needed within that scene, so that the capability of defense drilling participants can be evaluated better. In particular, the capability of defending personnel is evaluated in terms of vulnerability identification and of vulnerability repair and reinforcement: within the network shooting range scene, the method examines the participants' ability to identify vulnerability availability conditions, their ability to assess the actual hazard of vulnerabilities, their vulnerability repair strategy, and the effectiveness of their vulnerability repair and reinforcement.
Drawings
FIG. 1 is a schematic diagram of functional modules of a terminal device to which a defensive personnel capability assessment device belongs in a network shooting range according to the invention;
FIG. 2 is a schematic flow chart diagram illustrating a method for assessing the ability of defensive personnel in a network target range according to an exemplary embodiment of the present invention;
FIG. 3 is a schematic flow chart of a Hamming distance algorithm in an embodiment of the evaluation method for the ability of defenders in a network shooting range according to the present invention;
FIG. 4 is a flowchart illustrating a method for assessing the ability of defenders in a network shooting range according to another exemplary embodiment of the present invention.
The implementation, functional features and advantages of the present invention will be further described with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The main solution of the embodiment of the invention is as follows: after the drilling is finished, acquiring a vulnerability availability condition identification result and a vulnerability expected hazard identification result of a defense drilling participant in a defense competition drilling scene of a network shooting range, wherein the defense drilling participant performs vulnerability repair drilling based on a pre-designed drilling scene in the drilling process; calculating the vulnerability recognition capability score of the defense drilling participant according to the vulnerability available condition recognition result and the vulnerability expected harm recognition result; acquiring execution data recorded by calling a corresponding EXP attack script by a vulnerability utilization verification program of a network node in the drilling scene during the drilling process; calculating vulnerability repair and reinforcement capability scores of the defense drilling participants according to the execution data; and calculating the capability evaluation score of the defense drilling participant according to the vulnerability recognition capability score of the defense drilling participant and the vulnerability repairing and reinforcing capability score. 
Because the embodiment of the invention adopts a preset drilling scene, the network topology, the network nodes covering multiple vulnerability types and the vulnerability exploitation route can be designed as needed within that scene, so that the capability of defense drilling participants can be evaluated better. In particular, the capability of defending personnel is evaluated in terms of vulnerability identification and of vulnerability repair and reinforcement: within the network shooting range scene, the method examines the participants' ability to identify vulnerability availability conditions, their ability to assess the actual hazard of vulnerabilities, their vulnerability repair strategy, and the effectiveness of their vulnerability repair and reinforcement.
The technical terms related to the embodiment of the invention are as follows:
Target range: the network target range (network shooting range) is an important infrastructure for network attack and defense drilling and for evaluating new network technologies, used to improve the stability, security and performance of networks and information systems. Its main functions include: (1) evaluating and verifying network attack and defense weapons; (2) supporting personnel training and competitions; and (3) scientific experiments and new technology verification.
EXP (exploit): generally refers to a vulnerability exploitation program, a malicious program that achieves an attacker's purpose by exploiting vulnerabilities in software.
Payload: the "payload" of an attack, i.e. the code or instructions actually executed in the target system after the exploit succeeds.
Blue-party repair and reinforcement drilling: a drilling mode in which only defensive personnel (the blue party) participate and no attack and defense confrontation takes place; the defensive personnel need to repair a number of known vulnerabilities within a specified time.
Red-party ability dependence: the evaluation method is limited by the capability of the attacker (the red party), so the evaluation of the capability of the defender (the blue party) is inaccurate. For example, if the red party cannot carry out attack behaviors against a certain vulnerability, the blue party's repair of that vulnerability cannot be evaluated.
Vulnerability availability conditions: the constraint conditions that must be overcome when defensive personnel exploit a vulnerability in the scene of a network shooting range, for example access rights to the target network node, network connectivity constraints and request frequency limits.
Exploit expected effects: the effects that defensive personnel can expect to achieve after completing exploitation of a vulnerability in the network shooting range scene, for example obtaining the access addresses of other vulnerable network nodes in the scene, valid user passwords, and so on.
The embodiment of the invention takes into account that, in existing related schemes, some network security competitions such as CTF competitions emphasize the exploitation and repair skills for a single vulnerability, have no concept of a scene, and use a single evaluation means and evaluation index, so the real capability level of personnel cannot be accurately evaluated. Moreover, existing capability assessment of network range personnel usually focuses on the attacker, and the assessment of the defending personnel is zero-sum: when the attacker gains a score, the defending personnel lose the corresponding score. Defending personnel are too passive under such an evaluation scheme, so how to effectively evaluate the abilities of defending personnel in the network target range environment is a difficult and significant topic.
Some existing network target range defense capability assessment schemes quantitatively assess the defense capability of the target range itself. They start from two dimensions, the severity of the potential attack risk and the actions and responses of equipment with a defense function while defending against an attack, so as to quantify the defense effect and objectively assess defense efficiency with respect to design defects of the defense system and problems in the actual operation of the equipment. However, they cannot assess the defense capability of target range personnel.
In addition, an existing related network attack and defense analysis scheme provides a game theory method: the network security situation is analyzed in real time through an attack and defense dynamic perception model based on game theory, and the payoffs of both the attacking and defending parties are maximized by using the Nash equilibrium, so that the network security situation is evaluated accurately in real time and a better reference is provided for the network security defense decisions of staff. The scheme focuses on calculating the maximum payoff of the attacking and defending parties, with both parties participating together. The game theory method alleviates the problem that the defending party is in a passive position when actual attack and defense capability is evaluated, but the vulnerability repair and reinforcement capability of the defending party cannot be calculated.
Existing capability evaluation schemes for network shooting range and network security drill personnel focus on behavior log monitoring in a confrontation scene between real people. Attack and defense behaviors are monitored on the attacking party's virtual machine and the defending party's virtual machine respectively to form attack and defense behavior logs; the logs are acquired from both virtual machines; key information on attack and defense behaviors is extracted from the logs; and the key information is matched against preset scoring rules to determine the attack and defense experiment scores of the attacker and the defender. Such schemes do not actively sense the vulnerability repair and reinforcement behaviors of defensive personnel.
The existing related vulnerability risk basic evaluation scheme is based on CVSS scores. It redesigns the weight distribution method for the basic evaluation indexes on the basis of CVSS evaluation, optimally distributes the weights of the basic evaluation indexes according to their relative importance, and combines this with a grey-relational index weight solving method. Although this makes the evaluation result more objective, improves the diversity of evaluation results and distinguishes vulnerability threats more intuitively, the scheme remains a CVSS-based weight distribution method for basic evaluation indexes: it involves no concept of a scene and evaluates a single vulnerability at a time. The expected effect of an exploit is the actual threat of the exploit, and the actual damage caused by differences in the permutation and combination of exploit dependency relations, in a network target range scene.
In addition, a related method for determining network security emergency capability works as follows: when it is determined that a network region is attacked by a scoped network vulnerability, vulnerability detection packets are periodically sent to the network devices in the network region, the time required for the proportion of vulnerable network devices in the region to fall to a preset proportion is determined, and the network security emergency capability of the region is then determined from that time. However, that scheme is detached from the network shooting range scene and judges network security emergency capability by the vulnerability repair proportion alone, so its evaluation dimension is single, whereas the present scheme is applied to the network shooting range and examines the vulnerability identification capability, the vulnerability repair strategy making capability and the vulnerability repair and reinforcement capability of defensive personnel.
In fact, existing network shooting ranges and network security drill personnel capability evaluation schemes focus on behavior log monitoring in the attack and defense confrontation scene. However, the scheme cannot objectively and accurately evaluate the vulnerability repair and reinforcement capability of defensive personnel, and the defects are shown as follows:
(1) The scheme scores according to rules through attack and defense behavior log monitoring. The behaviors monitored by the attack and defense behavior monitoring unit comprise attack behaviors and defense behaviors: the attack behaviors comprise SQL injection, arbitrary file upload, cross-site scripting attacks and unauthorized access, and the defense behaviors comprise clearing backdoor files, deleting accounts created by the attacker and blocking the attacker's access connections. This technical scheme can match and score defense behavior events and can evaluate the attack response capability of a defender, but it does not examine, from the defender's perspective, the ability to identify vulnerability availability conditions or to assess the actual hazard of vulnerabilities.
(2) The defense evaluation of the scheme is non-active evaluation, namely the launching of the defense behavior can depend on the attack behavior, and the evaluation of the ability of the defenders depends too much on the ability of the red-party personnel. If an attacker with limited capability is faced with the attack target and cannot find available vulnerabilities and backdoor establishment points, i.e. eventually fails to establish backdoors, the backdoor clearing behavior or backdoor clearing rate of the defender becomes meaningless. Therefore, along with the reduction of the ability of the attacker, the evaluation dimension of the defender is reduced to zero, and the evaluation result of the defender lacks rationality.
In addition, in an existing method for determining network security emergency capacity, the network security emergency capacity is determined according to a time length required when the proportion of the network devices with vulnerabilities in a network area is reduced to a preset proportion. However, the scheme cannot well evaluate the vulnerability recognition capability and vulnerability repair reinforcement capability of defensive personnel, and the defects are shown as follows:
(1) The scheme is detached from the network shooting range environment. As a training field for network security personnel and a test field for attack and defense weapons, the network shooting range environment can provide scenes containing various vulnerability types and simulate various network security risk events, so that the vulnerability repair and reinforcement capability of defenders can be comprehensively evaluated. Capability evaluation of defensive personnel outside the network shooting range environment may be limited by the number of network nodes and the number of vulnerability categories in the network area, which causes inaccurate capability evaluation, and the availability and stability of real network services are likely to be affected during the security emergency drill.
(2) The method only calculates the proportion of vulnerable devices based on the responses to the vulnerability detection packets, and determines the network security emergency capability by the time required for the proportion of vulnerable network devices to fall to the preset proportion. This implementation is coarse and lacks any calculation of the defender's vulnerability repair strategy and vulnerability repair effect, so the accuracy of the evaluation of the defender's ability is poor.
Based on the above analysis, the embodiment of the invention provides a method for evaluating the vulnerability repair and reinforcement capability of the defending side in a network shooting range, which examines, in the network shooting range scenario, the defensive personnel's capability to identify vulnerability exploitable conditions, their capability to evaluate actual vulnerability hazard, their vulnerability repair strategy, and the effectiveness of their vulnerability repair and reinforcement. The method can solve the problems that the evaluation of defensive personnel's abilities depends too heavily on the abilities of red-side personnel and that the evaluation index is single.
Specifically, referring to fig. 1, fig. 1 is a functional module schematic diagram of a terminal device to which a defensive personnel ability evaluation device in a network shooting range belongs. The defensive personnel capacity evaluation device in the network target range can be a device which is independent of the terminal equipment and can realize data processing, and the device can be borne on the terminal equipment in a hardware or software mode. The terminal device can be an intelligent mobile terminal such as a mobile phone and a tablet personal computer, and can also be a network device such as a server.
In this embodiment, the terminal device to which the defense ability assessment apparatus belongs in the network shooting range at least includes an output module 110, a processor 120, a memory 130, and a communication module 140.
The memory 130 stores an operating system and a defensive personnel capacity evaluation program in a network target range; the output module 110 may be a display screen, a speaker, etc. The communication module 140 may include a WIFI module, a mobile communication module, a bluetooth module, and the like, and communicates with an external device or a server through the communication module 140.
As an embodiment, the defensive personnel ability evaluation program for the network shooting range stored in the memory 130 implements the following steps when executed by the processor:
after the drilling is finished, acquiring vulnerability availability condition identification results and vulnerability expected hazard identification results of defense drilling participants in a defense competition drilling scene of a network shooting range, wherein the defense drilling participants perform vulnerability repair drilling based on a pre-designed drilling scene in the drilling process;
calculating the vulnerability recognition capability score of the defense drilling participant according to the vulnerability available condition recognition result and the vulnerability expected harm recognition result;
acquiring execution data recorded by calling a corresponding EXP attack script by a vulnerability utilization verification program of a network node in the drilling scene during the drilling process;
calculating vulnerability repair and reinforcement capability scores of the defense drilling participants according to the execution data;
and calculating the capability evaluation score of the defense drilling participant according to the vulnerability recognition capability score of the defense drilling participant and the vulnerability repairing and reinforcing capability score.
According to the scheme, after the drilling is finished, vulnerability availability condition identification results and vulnerability expected hazard identification results of defense drilling participants in a defense competition drilling scene of a network shooting range are obtained, wherein the defense drilling participants perform vulnerability repair drilling based on a pre-designed drilling scene in the drilling process; calculating the vulnerability recognition capability score value of the defense drill participant according to the vulnerability utilizable condition recognition result and the vulnerability utilizable expected hazard recognition result; acquiring execution data recorded by calling a corresponding EXP attack script by a vulnerability utilization verification program of a network node in the drilling scene during the drilling process; calculating vulnerability repair and reinforcement capability scores of the defense drilling participants according to the execution data; and calculating the capability evaluation score of the defense drilling participant according to the vulnerability recognition capability score of the defense drilling participant and the vulnerability repairing and reinforcing capability score. 
According to the embodiment of the invention, due to the adoption of the preset drilling scene, a network topological structure, network nodes covering various vulnerability types and a vulnerability utilization route can be designed according to needs in the drilling scene, so that the capability evaluation of defense drilling participants can be better performed, particularly, the capability of defense party personnel is evaluated from the aspects of vulnerability identification, vulnerability repair and reinforcement, and the vulnerability availability condition identification capability, vulnerability actual hazard evaluation capability, vulnerability repair strategy and vulnerability repair and reinforcement effectiveness of the defense drilling participants as the defense personnel are inspected in the network target range scene.
Based on the above terminal device architecture but not limited to the above architecture, embodiments of the method of the present invention are presented.
Referring to fig. 2, fig. 2 is a schematic flow chart of an exemplary embodiment of a method for evaluating the ability of defensive personnel in a network target range according to the present invention. The method for evaluating the ability of defensive personnel in the network target range comprises the following steps:
step S101, after the drilling is finished, acquiring vulnerability availability condition identification results and vulnerability expected hazard identification results of defense drilling participants in defense competition drilling scenes of a network shooting range, wherein the defense drilling participants perform vulnerability repair drilling based on pre-designed drilling scenes in the drilling process;
Specifically, the scheme of this embodiment provides a new defense competition drilling mode for the network shooting range, namely the blue-side repair and reinforcement drill. Only defensive personnel take part in the blue-side repair and reinforcement drill; there is no attack and defense confrontation phase, and the defensive personnel need to repair a plurality of known vulnerabilities within a specified time. Based on this mode, the vulnerability repair and reinforcement capability of defensive personnel in the network shooting range is accurately evaluated, examining both the vulnerability identification capability based on the drilling scene and the vulnerability repair and reinforcement capability.
The life cycle of the blue-side repair and reinforcement drill is divided into three stages: drilling design, drilling data collection and drilling evaluation.
In the present embodiment, a drilling scene is designed in advance in the drilling design stage, and drilling related data collection is performed in advance in the drilling data collection stage.
In the drilling process, defense drilling participants serve as defense personnel to perform vulnerability repair drilling based on a pre-designed drilling scene.
Wherein the drilling scene comprises: a drill network topology, a plurality of network nodes which may have vulnerabilities or cover a plurality of vulnerability types, a vulnerability exploitation route, and an EXP attack script for each network node having vulnerabilities.
Specifically, in the drilling design stage, a drilling scheme designer needs to prepare a network topology of a drilling scene, a plurality of network nodes which may have vulnerabilities or cover a plurality of vulnerability types, a vulnerability exploitation route, and an EXP attack script for each network node having vulnerabilities.
The network topology structure comprises a multi-level network, a plurality of network nodes in the network are distributed into different internal networks, and a hierarchical relationship and flexibly configurable network connectivity exist between the internal networks so as to simulate a complex real network. Network hierarchy relationships and network connectivity are designed by the drill plan designer.
The network node is a host in the network topology and contains a certain number of vulnerabilities. Therefore, a drill plan designer needs to prepare a plurality of vulnerability application environments of different types, such as Windows system vulnerabilities/Microsoft Office suite vulnerabilities, PHP software vulnerabilities, Java software vulnerabilities, JavaScript software vulnerabilities, etc., based on different operating system platforms and different application development languages, so as to break down the multidimensional abilities of the defensive personnel of the shooting range. The vulnerabilities have scene dependency relationships with one another: for example, certain information (domain names or IP addresses of other internal services, valid account passwords of other internal services, and the like) can be obtained by exploiting a vulnerability of a front-end network node, and the information exposure caused by the vulnerability of the front-end network node turns a vulnerability of a rear-end network node that was originally not exploitable into an exploitable one.
The vulnerability exploitation route is a combination of the exploitation effects of the vulnerabilities of the network nodes. When designing the route, the drill plan designer should pay attention to its reasonableness, so that every vulnerable node on the route is feasible to exploit and the maximum harm effect can finally be achieved, and should provide the optimal repair strategy and the total repair strategy score of the scene. The drill plan designer needs to define a set of key network nodes; a node can be determined to be a key network node when it meets one of the following two conditions: (1) it serves as a link between the preceding and the following network levels, for example a node that an attacker must pass through to enter the next intranet during network penetration; (2) it has a high-risk vulnerability exploitation effect. Meanwhile, the full repair score of each vulnerability is set comprehensively according to whether the vulnerability is on a key network node and the degree of harm of its exploitation, and the distribution of the full repair scores of the vulnerabilities in the scene conforms to a normal distribution.
The EXP attack script for each network node having a vulnerability is called by the vulnerability exploitation verification program, and whether the vulnerability of the target environment has been repaired can be judged according to whether the EXP attack script fails to execute. The EXP attack script should have variants, such as changing the exploitation method, changing the injection point, and changing the payload (variants that can bypass WAF and redundant-string variants).
Drill-related data are collected in advance in the drilling data collection stage.
During the drill, the vulnerability exploitation verification program of each network node runs continuously and executes the EXP attack script at fixed time intervals; if the EXP attack script fails to execute, the program automatically switches to the variants of the EXP attack script and executes again until all variants fail to execute. The vulnerability exploitation verification program records in full the attack time, the number of successful attacks, the number of failed attacks and the total number of attacks of the EXP attack script and its variants.
After the drilling is finished, collecting the vulnerability availability condition identification result and vulnerability expected hazard identification result of the drilling participants in a questionnaire mode, and calculating the vulnerability identification capability score value based on the drilling scene. Meanwhile, according to data recorded by the vulnerability utilization verification program in the drilling process, the vulnerability repair and reinforcement capability score values of the drilling participants are calculated, and finally the final capability evaluation score values of the drilling participants are comprehensively calculated.
Specifically, after the drill is finished, the vulnerability availability condition identification result and the vulnerability exploitation expected hazard identification result of the defense drill participants, acting as defensive personnel, in the defense competition drilling scene of the network shooting range are obtained first.
Specifically, as an implementation manner, after the drilling is finished, the vulnerability availability condition identification result of the defense drilling participant in the defense competition drilling scene of the network shooting range is obtained, and the following scheme may be adopted:
after the drilling is finished, collecting the number of vulnerabilities whose exploitable conditions were correctly identified by the defense drilling participants in the drilling scene, wherein the vulnerability exploitable conditions are obtained by the defense drilling participants, after discovering a vulnerability, evaluating the exploitable conditions of the vulnerability in the drilling scene based on the retrieval result of a vulnerability information database;
and calculating the vulnerability availability condition identification result based on the number of vulnerabilities whose exploitable conditions were correctly identified by the defense drilling participants and the actual total number of vulnerabilities in the drilling scene.
Specifically, as an implementation manner, after the drilling is finished, the vulnerability utilization expected hazard recognition result of the defense drilling participants in the defense competition drilling scene of the network shooting range is obtained, and the following scheme may be adopted:
after the drilling is finished, collecting the number of vulnerabilities whose expected exploitation results were correctly identified by the defense drilling participants in the drilling scene, wherein the expected exploitation results are obtained by the defense drilling participants, after identifying an exploitable vulnerability, evaluating the actual possible harm of the vulnerability in the drilling scene based on the retrieval result of a vulnerability information database;
and calculating the vulnerability exploitation expected hazard identification result based on the number of vulnerabilities whose expected exploitation results were correctly identified by the defense drilling participants and the preset total number of vulnerabilities in the drilling scene.
The following elaborates the calculation process of the vulnerability exploitation condition identification result and the vulnerability expected hazard identification result:
in this embodiment, the vulnerability recognition capability evaluation value based on the drilling scene is calculated by two evaluation indexes in a comprehensive manner. One of the indexes is a vulnerability availability condition identification rate index ECRR corresponding to the vulnerability availability condition identification result; the other index is an expected result identification rate index ERRR of the exploit, which corresponds to the expected damage identification result of the exploit.
For the vulnerability Exploitable Condition Recognition Rate index (ECRR), the exploitable conditions of a vulnerability recorded in the vulnerability information database often deviate from the real network scene, and the index focuses on the defensive personnel's ability to study and judge the exploitable conditions of a vulnerability in a real network environment. The defensive personnel can run vulnerability scans against the known network nodes with tools such as a vulnerability scanner, or identify possible vulnerabilities in the known network nodes by fuzz testing. Once a vulnerability is found, the defensive personnel need to go on to evaluate the exploitable conditions of the vulnerability in the drilling scene based on the retrieval result of the vulnerability information database. For example, the defensive personnel discover that the target network node has a remote code execution vulnerability; according to the retrieval result of the vulnerability information database the vulnerability itself has no additional permission constraint, but in the network shooting range scene the vulnerability may be subject to exploitable-condition constraints such as access rights to the target network node, network connectivity constraints, request frequency constraints, etc. The defensive personnel need to enumerate all existing exploitable conditions of the vulnerability based on the current drilling range environment. After the drill is finished, the drill plan designer can initiate a questionnaire survey and collect the vulnerability availability condition identification results of the defense drill participants as defensive personnel; the calculation formula of the corresponding vulnerability exploitable condition recognition rate index ECRR (denoted $R_{ecr}$) is as follows:
Figure BDA0003086721010000141
wherein, C is the number of the bugs correctly identified by the available conditions, and N is the total number of the bugs.
For the Expected Result Recognition Rate index (ERRR) of vulnerability exploitation, the exploitation effect recorded in the vulnerability information database is often limited to the application or system where the vulnerability is located, whereas in a real network scene the influence of a single vulnerability can spread and actually affect other network nodes. The index focuses on the defensive personnel's ability to judge the expected result of exploiting a vulnerability in a real network environment. For each exploitable vulnerability identified, the defensive personnel go on to evaluate the actual possible harm of the vulnerability in the drilling scene based on the retrieval result of the vulnerability information database. For example, a defender finds that an XSS vulnerability exists in a target node and, based on the retrieval result of the vulnerability information database, knows that the vulnerability has the exploitation effect of stealing the cookies of a specific user, so that the actual network harm is limited and the effect of acquiring more server rights cannot be achieved. In the same way, the defender needs to give the actual possible harm and the expected exploitation result of each vulnerability. After the drill is finished, the drill plan designer can initiate a questionnaire survey and collect the vulnerability exploitation expected hazard identification results of the defense drill participants as defensive personnel; the calculation formula of the corresponding expected result recognition rate index ERRR (denoted $R_{err}$) is as follows:
Figure BDA0003086721010000151
wherein E is the number of correctly identified expected results of the vulnerability exploitation, and N is the total number of vulnerabilities.
In specific implementation, in order to calculate the two recognition rate indexes, after the practice is finished, the number of vulnerabilities correctly recognized under available conditions of the defense practice participants and the number of vulnerabilities correctly recognized with expected results can be collected in a questionnaire form.
The questionnaire takes the form of multiple-choice questions. After the drill is finished, the questionnaire is automatically issued to the defense drill participants, who need to answer and submit it within a limited time. After the questionnaire survey is finished, a score accounting program processes the submitted questionnaires (selecting too many or too few options for a vulnerability's exploitable conditions or expected exploitation results is treated as a wrong answer), counts the number of vulnerabilities whose exploitable conditions were correctly identified and the number of vulnerabilities whose expected exploitation results were correctly identified, calculates the two index values ECRR and ERRR respectively according to the above formulas, and adds them to obtain the vulnerability identification capability evaluation value of the defense drill participants based on the drilling scene.
Step S102, calculating vulnerability identification ability scores of the defense drilling participants according to the vulnerability available condition identification results and vulnerability expected harm identification results;
as described above, the vulnerability exploitation condition recognition result and the indicator corresponding to the vulnerability exploitation expected hazard recognition result are added, and the vulnerability recognition capability score value of the defense drill participant is obtained through calculation.
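The questionnaire grading described above, as an added Python example that is not the patent's own code. The option names, the answer key and the submission are constructed; the ratios R_ecr = C/N and R_err = E/N are assumptions based on the variable definitions, since the page's formula images are not reproduced, and treating an unanswered vulnerability as wrong is also an assumption.

```python
"""Questionnaire grading for the ECRR and ERRR indexes (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyEntry:
    conditions: frozenset  # correct exploitable-condition options
    results: frozenset     # correct expected-exploitation-result options


# Constructed answer key for a four-vulnerability scene (hypothetical option names).
ANSWER_KEY = {
    "A": KeyEntry(frozenset({"node_access_rights", "network_connectivity"}),
                  frozenset({"remote_code_execution"})),
    "B": KeyEntry(frozenset({"request_frequency_limit"}),
                  frozenset({"cookie_theft"})),
    "C": KeyEntry(frozenset({"network_connectivity"}),
                  frozenset({"internal_credentials", "internal_addresses"})),
    "D": KeyEntry(frozenset({"node_access_rights"}),
                  frozenset({"remote_code_execution"})),
}

# Constructed submission: vulnerability -> (selected conditions, selected results).
SAMPLE_SUBMISSION = {
    # Both answers exactly right.
    "A": ({"node_access_rights", "network_connectivity"}, {"remote_code_execution"}),
    # Conditions over-selected (wrong); expected result right.
    "B": ({"request_frequency_limit", "network_connectivity"}, {"cookie_theft"}),
    # Conditions right; expected results under-selected (wrong).
    "C": ({"network_connectivity"}, {"internal_credentials"}),
    # "D" was not answered within the time limit.
}


def grade(answer_key, submission):
    """Return C, E, N, ECRR, ERRR and their sum for one participant.

    An answer is correct only when the selected option set equals the key
    exactly, so selecting too many or too few options counts as wrong.
    """
    n = len(answer_key)
    if n == 0:
        raise ValueError("answer key is empty")
    c = e = 0
    for vuln, key in answer_key.items():
        if vuln not in submission:
            continue  # assumption: unanswered counts as wrong for both indexes
        selected_conditions, selected_results = submission[vuln]
        c += int(frozenset(selected_conditions) == key.conditions)
        e += int(frozenset(selected_results) == key.results)
    ecrr = c / n  # assumed form of R_ecr
    errr = e / n  # assumed form of R_err
    # The page states the two index values are added to give the score.
    return {"C": c, "E": e, "N": n, "ECRR": ecrr, "ERRR": errr,
            "score": ecrr + errr}


if __name__ == "__main__":
    print(grade(ANSWER_KEY, SAMPLE_SUBMISSION))
```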
Step S103, acquiring execution data recorded by calling a corresponding EXP attack script by a vulnerability utilization verification program of a network node in the drilling scene in the drilling process;
as described above, the drilling-related data collection is performed in advance in the drilling data collection stage.
Specifically, in the drilling process, a vulnerability exploitation verification program of a network node in the drilling scene is executed, and a corresponding EXP attack script is called at a preset time interval; if the EXP attack script fails to be executed, switching to the EXP attack script variants and executing again until all the EXP attack script variants fail to be executed; recording the execution time, the execution success times, the execution failure times and the total execution times of the EXP attack script and the EXP attack script variant through the vulnerability utilization verification program, recording a sequence of a single EXP attack script first execution failure event corresponding to each defense drill participant and arranged according to the time sequence, obtaining the vulnerability repair sequence and each relevant parameter of each defense drill participant, using the vulnerability repair sequence and each relevant parameter as the execution data, and storing the vulnerability repair sequence and each relevant parameter in a drill database.
Step S104, calculating vulnerability repair and reinforcement ability score values of the defense drilling participants according to the execution data;
specifically, as an implementation manner, first, a vulnerability repair sequence of the defense drilling participants in the execution data is obtained, where the vulnerability repair sequence of the defense drilling participants can be obtained according to a sequence of first execution failure events of a single EXP attack script corresponding to the defense drilling participants in the execution data;
then, calculating to obtain vulnerability repair sequence strategy scores of the defense drilling participants based on vulnerability repair sequences of the defense drilling participants and preset optimal vulnerability repair sequences and repair strategy total scores of the drilling scenes;
based on the execution data, obtaining the total number of vulnerabilities repaired by the defense drilling participants, the number of vulnerabilities of a specific type repaired, and the number of EXP attack script variants that fail to execute for a single vulnerability;
calculating the vulnerability repair reinforcement score of the defense drilling participants based on the total number of vulnerabilities repaired by the defense drilling participants, the number of vulnerabilities of a specific type repaired, and the number of EXP attack script variants that fail to execute for a single vulnerability;
the concrete implementation is as follows:
calculating the overall vulnerability repair failure rate average weighting AFFR of the defense drilling participants based on the total number of vulnerabilities repaired by the defense drilling participants, the number of EXP attack script variants that fail to execute for a single vulnerability, and the preset total number of vulnerabilities of the drilling scene;
calculating the specific-type vulnerability repair failure average weighting SFFR of the defense drilling participants based on the number of vulnerabilities of a specific type repaired by the defense drilling participants, the number of EXP attack script variants that fail to execute for a single vulnerability, and the total number of vulnerabilities of the specific type in the drilling scene;
and calculating the vulnerability repair reinforcement score of the defense drilling participants based on the overall vulnerability repair failure rate average weighting AFFR and the specific-type vulnerability repair failure average weighting SFFR.
And finally, calculating to obtain the vulnerability repair and reinforcement capability score values of the defense drill participants based on the vulnerability repair sequence strategy score and the vulnerability repair reinforcement score.
The calculation process of vulnerability fix and consolidation capability score values of the defense drill participants is described in detail as follows:
in this embodiment, the vulnerability repair and reinforcement capability score values are calculated comprehensively by two evaluation indexes, one of which is vulnerability repair sequencing strategy score FSS, and the other is vulnerability repair reinforcement score FES.
For the vulnerability repair sequence strategy score (FSS, Fix Strategy Score): in a real network security attack and defense scene, the time available to defensive personnel for repairing vulnerabilities is very limited, so the capability to locate key vulnerable nodes quickly and repair them first is very important. The vulnerability repair sequence strategy score index focuses on the vulnerability repair strategy of the defensive personnel and pays more attention to the benefit brought by the overall repair effect: the vulnerability repair and reinforcement capability is not equal to the sum of the scores of the individual vulnerability repairs, and the order in which vulnerabilities are repaired influences the final evaluation of vulnerability repair capability.
The vulnerability exploitation verification program records, in the form of a timeline, the sequence of first execution failure events of each single vulnerability's EXP, such as: vulnerability D (00. To measure the difference between the actual repair order and the optimal repair order, a customized Hamming distance algorithm, whose flow is shown in fig. 3, can be used to calculate the score value.
The calculation formula of the vulnerability repair sequence strategy score FSS (denoted $S_{fs}$) is as follows:
Figure BDA0003086721010000171
wherein d is a Hamming distance, l is the length of the optimal repair sequence, and m is the total score of the repair strategy.
For example, assume that there are four vulnerabilities in total, A, B, C and D, the optimal repair sequence is C->B->A->D, and the total repair strategy score is 100. If the actual vulnerability repair sequence is D->B->A, the length of the actual repair sequence is smaller than the length of the optimal repair sequence, and the remaining positions of the actual repair sequence are filled with an invalid value X; the Hamming distance between CBAD and DBAX is therefore 2, and the FSS value is 50.
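The first-failure timeline and the padded Hamming comparison described above, as an added Python example that is not the patent's own code. The log line format, the sample log and the function names are hypothetical, and the formula S_fs = (1 - d/l) * m is an assumption chosen to reproduce the worked example (d = 2, l = 4, m = 100 gives 50), since the page's formula image is not reproduced.

```python
"""Fix Strategy Score (FSS) from a verification-program log (added example)."""
import re

# Hypothetical log format; the page does not specify one.
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}) vuln=(\w+) variant=(\d+) result=(success|fail)$"
)

# Constructed log: D is repaired first, then B, then A; C is never repaired.
SAMPLE_LOG = """\
00:05:00 vuln=A variant=0 result=success
00:05:00 vuln=B variant=0 result=success
00:05:00 vuln=C variant=0 result=success
00:05:00 vuln=D variant=0 result=success
00:12:00 vuln=D variant=0 result=fail
00:12:05 vuln=D variant=1 result=success
00:20:00 vuln=D variant=1 result=fail
00:25:00 vuln=B variant=0 result=fail
00:25:05 vuln=B variant=1 result=fail
00:41:00 vuln=A variant=0 result=fail
00:45:00 vuln=C variant=0 result=success
"""


def first_failure_order(lines):
    """Return vulnerability ids ordered by their first failed EXP execution.

    The first failure is taken as the repair event even if a variant still
    succeeds afterwards; variant coverage belongs to the FES index instead.
    """
    first = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable log line: {line!r}")
        hh, mm, ss, vuln, _variant, result = match.groups()
        seconds = int(hh) * 3600 + int(mm) * 60 + int(ss)
        if result == "fail" and (vuln not in first or seconds < first[vuln]):
            first[vuln] = seconds
    # Ties on the timestamp are broken by id so the output is deterministic.
    return [v for v, _ in sorted(first.items(), key=lambda kv: (kv[1], kv[0]))]


def padded_hamming(actual, optimal):
    """Hamming distance after padding the actual sequence to len(optimal).

    None plays the role of the invalid value X from the page's example, so it
    can never collide with a real vulnerability id.
    """
    length = len(optimal)
    padded = (list(actual) + [None] * length)[:length]
    return sum(1 for a, o in zip(padded, optimal) if a != o)


def fix_strategy_score(actual, optimal, total_score):
    """FSS under the assumed formula (1 - d / l) * m."""
    if not optimal:
        raise ValueError("optimal repair sequence is empty")
    d = padded_hamming(actual, optimal)
    return (1 - d / len(optimal)) * total_score


if __name__ == "__main__":
    order = first_failure_order(SAMPLE_LOG.splitlines())
    print(order, fix_strategy_score(order, list("CBAD"), 100))
```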
For the vulnerability repair reinforcement score (FES, Fix Effect Score), the index aims to remove the dependence on the red side, that is, the situation in which, limited by differences in attackers' capabilities, it cannot be accurately and effectively verified whether a vulnerability has been completely repaired. In this embodiment, after an EXP attack script fails to execute, the vulnerability exploitation verification program automatically switches on its next execution to another EXP script, namely a variant of the EXP attack script, and executes again until all variants fail to execute. The vulnerability repair reinforcement score index takes into account the objective fact that defensive personnel's vulnerability repair abilities are generally uneven, so the overall vulnerability repair failure rate average weighting (AFFR, Average Failed Fix Rate) and the specific-type vulnerability repair failure average weighting (SFFR, Specific Failed Fix Rate) are provided according to different vulnerability types, so that the vulnerability repair and reinforcement capability of defensive personnel can be evaluated more accurately.
Wherein, the calculation formula of the score (denoted $F_k$) of the defender for repairing vulnerability k is as follows:
Figure BDA0003086721010000181
where $s_k$ is the full score for repairing vulnerability k, $C_{fk}$ is the number of EXP variants whose attack on vulnerability k failed, and $C_k$ is the total number of EXP variants for vulnerability k.
The average weighting of the overall vulnerability repair failure rate, AFFR (denoted $R_{af}$), is calculated as follows:
Figure BDA0003086721010000182
where $N_F$ is the number of repaired vulnerabilities and $N$ is the total number of vulnerabilities.
The average weighting of repair failures for a specific vulnerability type t, SFFR (denoted $R_{sft}$), is calculated as follows:
Figure BDA0003086721010000183
where $N_{Ft}$ is the number of repaired vulnerabilities of type t and $N_t$ is the total number of vulnerabilities of type t.
The vulnerability repair reinforcement score FES (denoted $S_{fe}$) is calculated as follows:
Figure BDA0003086721010000184
where $N_{type}$ is the number of vulnerability types.
During the drilling process, the vulnerability exploitation verification program runs continuously. It collects the sequence of first execution failure events of each vulnerability's EXP attack script, together with the execution time, the number of successful executions, the number of failed executions and the total number of executions of each EXP attack script and its variant scripts, and stores them in a drilling database.
After the drilling is finished, a score accounting program reads the data in the drilling database, determines the vulnerability repair sequence, the total number of repaired vulnerabilities, the number of repaired vulnerabilities of each specific type and the number of EXP attack script variants that failed to execute for each single vulnerability, calculates the two index values FSS and FES according to the formulas above, and adds them to obtain the vulnerability repair and reinforcement capability score.
Step S105: calculating the capability evaluation score of the defense drilling participant according to the vulnerability identification capability score and the vulnerability repair and reinforcement capability score of the defense drilling participant.
The accuracy of a defender's vulnerability exploitable-condition identification result and vulnerability exploitation harm identification result in the network shooting range scene can validate the defender's vulnerability repair and reinforcement capability score. Therefore, after the drilling is finished, the score accounting program calculates and outputs the final evaluation value S of the defender's vulnerability repair and reinforcement capability using the following formula:
$S = (R_{err} + R_{ecr}) \times (S_{fs} + S_{fe})$
where $R_{ecr}$ is the vulnerability exploitable-condition identification result, $R_{err}$ is the vulnerability exploitation expected-hazard identification result, $S_{fe}$ is the vulnerability repair reinforcement score, and $S_{fs}$ is the vulnerability repair sequencing strategy score.
According to the scheme, after the drilling is finished, vulnerability availability condition identification results and vulnerability expected hazard identification results of defense drilling participants in a defense competition drilling scene of a network shooting range are obtained, wherein the defense drilling participants perform vulnerability repair drilling based on a pre-designed drilling scene in the drilling process; calculating the vulnerability recognition capability score of the defense drilling participant according to the vulnerability available condition recognition result and the vulnerability expected harm recognition result; acquiring execution data recorded by calling a corresponding EXP attack script by a vulnerability utilization verification program of a network node in the drilling scene during the drilling process; calculating vulnerability repair and reinforcement capability scores of the defense drilling participants according to the execution data; and calculating the capability evaluation score of the defense drilling participant according to the vulnerability recognition capability score of the defense drilling participant and the vulnerability repairing and reinforcing capability score. 
According to the embodiment of the invention, due to the adoption of the preset drilling scene, a network topological structure, network nodes covering various vulnerability types and a vulnerability utilization route can be designed according to needs in the drilling scene, so that the capability evaluation of defense drilling participants can be better performed, particularly, the capability of defense party personnel is evaluated from the aspects of vulnerability identification, vulnerability repair and reinforcement, and the vulnerability availability condition identification capability, vulnerability actual hazard evaluation capability, vulnerability repair strategy and vulnerability repair and reinforcement effectiveness of the defense drilling participants as the defense personnel are inspected in the network target range scene.
Referring to fig. 4, fig. 4 is a flowchart illustrating a method for evaluating the ability of defenders in a network shooting range according to another exemplary embodiment of the present invention. In addition to the embodiment shown in fig. 2, in step S101, after the end of the drilling, before acquiring the vulnerability exploitation condition recognition result and the vulnerability expected hazard recognition result of the defense drilling participant in the defense competition drilling scene of the network shooting range, the method further includes:
step S1001, in the drilling process, executing a vulnerability exploitation verification program of the network node in the drilling scene, and calling a corresponding EXP attack script at a preset time interval;
step S1002, if the EXP attack script fails to be executed, switching to the EXP attack script variants and executing again until all the EXP attack script variants fail to be executed;
step S1003, recording the execution time, the execution success times, the execution failure times and the total execution times of the EXP attack script and the EXP attack script variants through the vulnerability utilization verification program, recording a sequence of first execution failure events of a single EXP attack script, which corresponds to each defense drilling participant and is arranged according to the time sequence, obtaining the vulnerability repair sequence and each relevant parameter of each defense drilling participant, using the vulnerability repair sequence and each relevant parameter as the execution data, and storing the execution data in a drilling database.
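As an added illustration (not code from the patent), the sketch below derives a participant's repair sequence from verifier execution records as in step S1003 and scores it against the optimal sequence as in the FSS worked example. The record layout and the sample data are constructed, and because the FSS formula image is not reproduced on this page, the expression m·(1 − d/l) is an assumption chosen because it reproduces the worked example's value of 50.

```python
from dataclasses import dataclass

PAD = "X"  # invalid filler value, as in the page's worked example


@dataclass(frozen=True)
class ExecRecord:
    """One run of the exploit verification program.

    Hypothetical layout: the page lists what is recorded but defines no schema.
    """
    t: int            # seconds since the start of the drill
    vuln: str         # vulnerability identifier, e.g. "A"
    variant: int      # 0 = base EXP script, 1.. = its variants
    succeeded: bool   # True if the exploit check still worked


def repair_sequence(records):
    """Order vulnerabilities by the time of their first failed EXP execution."""
    first_fail = {}
    for rec in sorted(records, key=lambda r: r.t):
        if not rec.succeeded and rec.vuln not in first_fail:
            first_fail[rec.vuln] = rec.t
    # dict keeps insertion order, which is chronological here
    return list(first_fail)


def padded_hamming(actual, optimal):
    """Hamming distance after padding a shorter actual sequence with PAD."""
    if len(actual) > len(optimal):
        raise ValueError("actual sequence is longer than the optimal sequence")
    if len(set(actual)) != len(actual):
        raise ValueError("a vulnerability appears twice in the actual sequence")
    padded = list(actual) + [PAD] * (len(optimal) - len(actual))
    return sum(a != o for a, o in zip(padded, optimal))


def fss(actual, optimal, total_score):
    """Repair sequencing strategy score.

    ASSUMPTION: S_fs = m * (1 - d / l). The page's formula is an image that
    is not reproduced; this form matches its example (d=2, l=4, m=100 -> 50).
    """
    length = len(optimal)
    if length == 0:
        raise ValueError("optimal sequence must not be empty")
    d = padded_hamming(actual, optimal)
    return total_score * (length - d) / length


# Constructed sample: four vulnerabilities, verifier polled every 60 s.
# The participant fixes D, then B, then A, and never fixes C.
SAMPLE_RECORDS = [
    ExecRecord(0, "A", 0, True), ExecRecord(0, "B", 0, True),
    ExecRecord(0, "C", 0, True), ExecRecord(0, "D", 0, True),
    ExecRecord(60, "D", 0, False), ExecRecord(60, "B", 0, True),
    ExecRecord(120, "D", 1, False), ExecRecord(120, "B", 0, False),
    ExecRecord(120, "A", 0, True), ExecRecord(120, "C", 0, True),
    ExecRecord(180, "A", 0, False), ExecRecord(180, "B", 1, True),
    ExecRecord(180, "C", 0, True),
]
OPTIMAL = ["C", "B", "A", "D"]

if __name__ == "__main__":
    seq = repair_sequence(SAMPLE_RECORDS)
    print("actual repair sequence:", seq)
    print("Hamming distance:", padded_hamming(seq, OPTIMAL))
    print("FSS:", fss(seq, OPTIMAL, 100))
```

Note that B's variant 1 still succeeds at t=180 in the sample: the first-failure event fixes B's place in the repair sequence, while the incompleteness of that repair is what the separate FES index is meant to capture.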
Compared with the embodiment shown in fig. 2, the embodiment further includes a scheme of recording the bug fixing sequence and the relevant parameters of each defense drilling participant through the bug exploit validation program of the network node.
Specifically, the scheme of this embodiment aims to remove the dependence on red-team capability, that is, the problem that verification is limited by differences in attackers' capabilities, so that whether a vulnerability has been completely repaired cannot be verified accurately and effectively. In this embodiment, after an EXP attack script fails to execute, the vulnerability exploitation verification program automatically switches to another EXP script (a variant of the EXP attack script) on its next run and executes again, until all variants fail to execute.
Specifically, in the drilling process, a vulnerability exploitation verification program of a network node in the drilling scene is executed, and a corresponding EXP attack script is called at a preset time interval; if the EXP attack script fails to be executed, switching to the EXP attack script variants and executing again until all the EXP attack script variants fail to be executed; recording the execution time, the execution success times, the execution failure times and the total execution times of the EXP attack script and the EXP attack script variant through the vulnerability utilization verification program, recording a sequence of a single EXP attack script first execution failure event corresponding to each defense drill participant and arranged according to the time sequence, obtaining the vulnerability repair sequence and each relevant parameter of each defense drill participant, using the vulnerability repair sequence and each relevant parameter as the execution data, and storing the vulnerability repair sequence and each relevant parameter in a drill database.
According to the embodiment of the invention, by adopting the preset drilling scene, a network topological structure, network nodes covering various vulnerability types and a vulnerability utilization route can be designed according to needs in the drilling scene, so that the capability evaluation of defense drilling participants can be better performed, particularly, the capability of defense party personnel is evaluated from the aspects of vulnerability identification, vulnerability repair and reinforcement, and the vulnerability availability condition identification capability, vulnerability actual hazard evaluation capability, repair strategy and vulnerability repair and reinforcement effectiveness of the defense drilling participants as the defense personnel are inspected in the network target range scene.
Compared with the behavior-log monitoring schemes used in current live-confrontation scenes, this embodiment has the following advantages:
(1) In a network shooting range environment, the repair and reinforcement capability of defenders can be calculated more accurately. In an actual range environment, the method fully considers how the actual exploitation conditions and actual exploitation harm differ from those of a bare-machine target, and how the actual repair priority of a single vulnerability differs with the permutation and combination of exploitation dependency relationships. It therefore calculates two indexes, the vulnerability Exploitation Condition Recognition Rate (ECRR) and the vulnerability exploitation Expected Result Recognition Rate (ERRR), both of which influence the defender's final capability score.
(2) The method evaluates blue-team vulnerability repair and reinforcement capability in a network shooting range competition mode that focuses on blue-team capability evaluation; only the blue team participates, and no attack-defense confrontation takes place. It provides two indexes, the average weighting of the overall vulnerability repair failure rate (AFFR) and the average weighting of specific-type vulnerability repair failures (SFFR), which solve the problem that the evaluation of a defender's capability depends on the attacker's capability. In addition, the vulnerability types are subdivided and the SFFR is calculated for each type, which fully considers the objective fact that defenders generally have strong and weak items of vulnerability repair capability, so that the capability evaluation of defenders is more comprehensive and accurate.
Compared with the existing scheme that determines network security emergency capability from the time required to reduce the proportion of vulnerable network devices in a network area to a preset proportion, the scheme of this embodiment has the following advantages:
(1) The drilling mode is based on the network shooting range environment, a drilling scheme designer can flexibly set vulnerability repair technology investigation points, various network nodes containing different types of vulnerabilities are combined, various network security risk events are simulated, a complex heterogeneous defense drilling scheme is formed, the vulnerability repair reinforcing capability of defenders can be comprehensively evaluated, and not only can the vulnerability repair reinforcing capability of defenders be evaluated, but also the vulnerability identification capability of the defenders can be evaluated.
(2) Continuously running the vulnerability utilization verification program, collecting a first execution failure event sequence of each vulnerability EXP attack script, and the execution time, the execution success times, the execution failure times and the total execution times of each EXP attack script and different variant scripts, and calculating a vulnerability repair strategy of a defensive staff; and replacing a plurality of EXPs and variants thereof to continuously verify the vulnerability exploitation, so that the effectiveness of vulnerability repair and the strength of repair reinforcement can be checked. The vulnerability repair reinforcing capacity score value of the defensive personnel is comprehensively calculated from two aspects, and the vulnerability repair reinforcing capacity of the defensive personnel can be comprehensively and accurately evaluated.
In addition, the embodiment of the invention also provides a defensive personnel capacity evaluation device in the network target range, which is characterized by comprising the following components:
the identification result acquisition module is used for acquiring, after the drilling is finished, vulnerability exploitable-condition identification results and vulnerability exploitation expected-hazard identification results of defense drilling participants in a defense competition drilling scene of a network shooting range, wherein the defense drilling participants perform vulnerability repair drilling based on a pre-designed drilling scene in the drilling process;
the recognition capability calculation module is used for calculating the vulnerability recognition capability score value of the defense drill participant according to the vulnerability utilizable condition recognition result and the vulnerability utilization expected hazard recognition result;
the execution recording module is used for acquiring execution data recorded by calling a corresponding EXP attack script by a vulnerability exploitation verifying program of a network node in the drilling scene in the drilling process;
the repair reinforcement capability calculation module is used for calculating the vulnerability repair and reinforcement capability score values of the defense drilling participants according to the execution data;
and the evaluation score calculation module is used for calculating the capability evaluation score of the defense drilling participant according to the vulnerability identification capability score of the defense drilling participant and the vulnerability repair and reinforcement capability score.
Further, the ability assessment device for defenders in the network shooting range further comprises:
a design module for designing the drilling scene, the drilling scene comprising: a drilling network topology, a plurality of network nodes that may contain vulnerabilities or cover a plurality of vulnerability types, a vulnerability exploitation route, and an EXP attack script for each network node that contains a vulnerability.
Further, the execution recording module is further configured to execute a vulnerability exploitation verification program of a network node in the drilling scene in the drilling process, and call a corresponding EXP attack script at a preset time interval;
if the EXP attack script fails to be executed, switching to the EXP attack script variants and executing again until all the EXP attack script variants fail to be executed;
recording the execution time, the execution success times, the execution failure times and the total execution times of the EXP attack script and the EXP attack script variant through the vulnerability utilization verification program, recording a sequence of a single EXP attack script first execution failure event corresponding to each defense drill participant and arranged according to the time sequence, obtaining the vulnerability repair sequence and each relevant parameter of each defense drill participant, using the vulnerability repair sequence and each relevant parameter as the execution data, and storing the vulnerability repair sequence and each relevant parameter in a drill database.
Further, the identification result obtaining module is further configured to collect, after the drilling is finished, the number of bugs correctly identified by the bug available conditions identified by the defense drilling participant in the drilling scene, where the bug available conditions are obtained by evaluating the available conditions of the bugs in the drilling scene based on the retrieval results of the bug information database after the bug is found by the defense drilling participant;
and calculating to obtain the vulnerability available condition identification result based on the vulnerability number correctly identified by the vulnerability available conditions of the defense drilling participants and the actual vulnerability total number in the drilling scene.
Further, the identification result obtaining module is further configured to collect, after the drilling is finished, the number of correctly identified vulnerabilities of the vulnerability exploitation expected result identified by the defense drilling participant in the drilling scene, wherein the vulnerability exploitation expected result is obtained by evaluating the actual possible damage of the vulnerability of the available vulnerability in the drilling scene based on a retrieval result of a vulnerability information database after the defense drilling participant identifies the available vulnerability;
and calculating to obtain the expected damage identification result of the vulnerability based on the vulnerability number correctly identified by the vulnerability expected result of the defense drilling participant and the preset total number of vulnerabilities under the drilling scene.
Further, the repair reinforcement capability calculation module is further configured to obtain a bug repair sequence of the defense drill participant in the execution data;
calculating to obtain vulnerability repair sequence strategy scores of the defense drill participants based on vulnerability repair sequences of the defense drill participants and preset optimal vulnerability repair sequences and repair strategy total scores of the drill scenes;
based on the execution data, obtaining the total number of vulnerabilities repaired by the defense drilling participant, the number of repaired vulnerabilities of a specific type, and the number of EXP attack script variants that failed to execute for a single vulnerability;
calculating to obtain the vulnerability repair reinforcement score of the defense drilling participant based on the total number of vulnerabilities repaired by the defense drilling participant, the number of repaired vulnerabilities of a specific type, and the number of EXP attack script variants that failed to execute for a single vulnerability;
and calculating to obtain the vulnerability repair and reinforcement capability score values of the defense drill participants based on the vulnerability repair sequencing strategy score and the vulnerability repair reinforcement score.
Further, the repair reinforcement capability calculation module is further configured to calculate the average weighting of the overall vulnerability repair failure rate (AFFR) of the defense drilling participant based on the total number of vulnerabilities repaired by the defense drilling participant, the number of EXP attack script variants that failed to execute for a single vulnerability, and the preset total number of vulnerabilities of the drilling scene;
calculating to obtain the average weighting of specific-type vulnerability repair failures (SFFR) of the defense drilling participant based on the number of vulnerabilities of a specific type repaired by the defense drilling participant, the number of EXP attack script variants that failed to execute for a single vulnerability, and the preset total number of vulnerabilities of that specific type in the drilling scene;
and calculating to obtain the vulnerability repair reinforcement score of the defense drilling participant based on the overall vulnerability repair failure rate average weighted AFFR and the specific type vulnerability repair failure average weighted SFFR.
In this embodiment, please refer to the above embodiments, which are not described herein again.
The embodiment of the invention also provides a terminal device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein when the computer program is executed by the processor, the method for evaluating the capability of defending personnel in the network target range is realized.
Since the defender ability evaluation program in the network shooting range is executed by the processor, all technical solutions of all the foregoing embodiments are adopted, so that at least all the beneficial effects brought by all the technical solutions of all the foregoing embodiments are achieved, and no further description is given here.
An embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program, and when the computer program is executed by a processor, the method for evaluating the ability of a defender in a network shooting range is implemented.
Since the defender ability evaluation program in the network shooting range is executed by the processor, all technical solutions of all the foregoing embodiments are adopted, so that at least all the beneficial effects brought by all the technical solutions of all the foregoing embodiments are achieved, and no further description is given here.
Compared with the prior art, the method, the device, the terminal equipment and the computer program product for evaluating the ability of the defensive personnel in the network shooting range, provided by the embodiment of the invention, have the advantages that after the drilling is finished, the vulnerability availability condition identification result and the vulnerability expected hazard identification result of the defense drilling participants in the defense competition drilling scene of the network shooting range are obtained, wherein the defense drilling participants perform vulnerability repair drilling based on the pre-designed drilling scene in the drilling process; calculating the vulnerability recognition capability score value of the defense drill participant according to the vulnerability utilizable condition recognition result and the vulnerability utilizable expected hazard recognition result; acquiring execution data recorded by calling a corresponding EXP attack script by a vulnerability utilization verification program of a network node in the drilling scene during the drilling process; calculating vulnerability repair and reinforcement capability scores of the defense drilling participants according to the execution data; and calculating the capability evaluation score of the defense drilling participant according to the vulnerability recognition capability score of the defense drilling participant and the vulnerability repairing and reinforcing capability score. 
According to the embodiment of the invention, due to the adoption of the preset drilling scene, a network topological structure, network nodes covering various vulnerability types and a vulnerability utilization route can be designed according to needs in the drilling scene, so that the capability evaluation of defense drilling participants can be better performed, particularly, the capability of defense party personnel is evaluated from the aspects of vulnerability identification, vulnerability repair and reinforcement, and the vulnerability availability condition identification capability, vulnerability actual hazard evaluation capability, vulnerability repair strategy and vulnerability repair and reinforcement effectiveness of the defense drilling participants as the defense personnel are inspected in the network target range scene.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the description of the foregoing embodiments, it is clear to those skilled in the art that the method of the foregoing embodiments may be implemented by software plus a necessary general hardware platform, and certainly may also be implemented by hardware, but in many cases, the former is a better implementation. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, a controlled terminal, or a network device) to execute the method of each embodiment of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A method for assessing the ability of defensive personnel in a network shooting range is characterized by comprising the following steps:
after the drilling is finished, acquiring a vulnerability availability condition identification result and a vulnerability expected hazard identification result of a defense drilling participant in a defense competition drilling scene of a network shooting range, wherein the defense drilling participant performs vulnerability repair drilling based on a pre-designed drilling scene in the drilling process;
calculating the vulnerability recognition capability score value of the defense drill participant according to the vulnerability utilizable condition recognition result and the vulnerability utilizable expected hazard recognition result;
acquiring execution data recorded by calling a corresponding EXP attack script by a vulnerability utilization verification program of a network node in the drilling scene during the drilling process;
calculating vulnerability repair and reinforcement capability scores of the defense drilling participants according to the execution data;
and calculating the capability evaluation score of the defense drilling participant according to the vulnerability recognition capability score of the defense drilling participant and the vulnerability repairing and reinforcing capability score.
2. The method for assessing the ability of defenders in a network shooting range according to claim 1, wherein the step of obtaining the vulnerability exploitation condition recognition result and vulnerability expected hazard recognition result of defense drilling participants in the defense competition drilling scene of the network shooting range after the drilling is finished further comprises:
designing the drilling scene, wherein the drilling scene comprises: a drilling network topology, a plurality of network nodes that may contain vulnerabilities or cover a plurality of vulnerability types, a vulnerability exploitation route, and an EXP attack script for each network node that contains a vulnerability.
3. The method for assessing the ability of defenders in a network shooting range according to claim 1, wherein the step of obtaining the vulnerability exploitation condition recognition result and vulnerability expected hazard recognition result of defense drilling participants in the defense competition drilling scene of the network shooting range after the drilling is finished further comprises:
in the drilling process, executing a vulnerability utilization verification program of the network node in the drilling scene, and calling a corresponding EXP attack script at a preset time interval;
if the EXP attack script fails to be executed, switching to the EXP attack script variants and executing again until all the EXP attack script variants fail to be executed;
recording the execution time, the execution success times, the execution failure times and the total execution times of the EXP attack script and the EXP attack script variant through the vulnerability utilization verification program, recording a sequence of a single EXP attack script first execution failure event corresponding to each defense drill participant and arranged according to the time sequence, obtaining the vulnerability repair sequence and each relevant parameter of each defense drill participant, using the vulnerability repair sequence and each relevant parameter as the execution data, and storing the vulnerability repair sequence and each relevant parameter in a drill database.
4. The method for assessing the ability of defenders in a network shooting range according to claim 1, wherein the step of obtaining the vulnerability availability condition recognition result of the defense drill participants in the defense competition drill scene of the network shooting range after the drill is finished comprises:
after the drilling is finished, collecting the number of the bugs correctly identified by the bug available conditions identified by the defense drilling participants in the drilling scene, wherein the bug available conditions are obtained by evaluating the available conditions of the bugs in the drilling scene based on the retrieval results of the bug information database after the defense drilling participants find the bugs;
and calculating to obtain the vulnerability available condition identification result based on the vulnerability number correctly identified by the vulnerability available conditions of the defense drilling participants and the actual vulnerability total number in the drilling scene.
5. The method for assessing the ability of defenders in a network shooting range according to claim 1, wherein the step of obtaining the results of vulnerability exploitation expected hazard recognition of defense drilling participants in the defense competition drilling scene of the network shooting range after the drilling is finished comprises:
after the drill is finished, collecting the quantity of correctly identified bugs of expected results of the bugs identified by the defense drill participants in the drill scene, wherein the expected results of the bugs are obtained by evaluating the actual possible damage of the bugs of the available bugs in the drill scene based on the retrieval results of a bug information database after the defense drill participants identify the available bugs;
and calculating to obtain the expected damage identification result of the vulnerability based on the vulnerability number correctly identified by the vulnerability expected result of the defense drilling participant and the preset total number of vulnerabilities under the drilling scene.
6. The method for assessing the ability of defenders in a network shooting range according to claim 3, wherein the step of calculating the vulnerability repair and reinforcement capability score value of the defense drill participants according to the execution data comprises:
acquiring the vulnerability repair order of the defense drill participants from the execution data;
calculating a vulnerability repair ordering strategy score of the defense drill participants based on the vulnerability repair order of the defense drill participants, the preset optimal vulnerability repair order of the drill scene and the total repair strategy score of the drill scene;
obtaining, based on the execution data, the total number of vulnerabilities repaired by the defense drill participants, the number of vulnerabilities of a specific type repaired, and the number of EXP attack script variants that failed to execute against a single vulnerability;
calculating a vulnerability repair reinforcement score of the defense drill participants based on the total number of vulnerabilities repaired by the defense drill participants, the number of vulnerabilities of a specific type repaired, and the number of EXP attack script variants that failed to execute against a single vulnerability;
and calculating the vulnerability repair and reinforcement capability score value of the defense drill participants based on the vulnerability repair ordering strategy score and the vulnerability repair reinforcement score.
7. The method for assessing the ability of defenders in a network shooting range according to claim 6, wherein the step of calculating the vulnerability repair reinforcement score of the defense drill participants based on the total number of vulnerabilities repaired, the number of vulnerabilities of a specific type repaired and the number of EXP attack script variants that failed to execute against a single vulnerability comprises:
calculating the weighted average overall vulnerability repair failure rate (AFFR) of the defense drill participants based on the total number of vulnerabilities repaired by the defense drill participants, the number of EXP attack script variants that failed to execute against a single vulnerability, and the preset total number of vulnerabilities in the drill scene;
calculating the weighted average of specific-type vulnerability repair failure (SFFR) of the defense drill participants based on the number of vulnerabilities of a specific type repaired by the defense drill participants, the number of EXP attack script variants that failed to execute against a single vulnerability, and the preset total number of vulnerabilities of the specific type in the drill scene;
and calculating the vulnerability repair reinforcement score of the defense drill participants based on the AFFR and the SFFR.
8. A device for assessing the ability of defenders in a network shooting range, characterized by comprising:
an identification result acquisition module, used for acquiring, after a drill is finished, the vulnerability exploitable-condition identification result and the expected-hazard identification result of vulnerability exploitation of the defense drill participants in a defense competition drill scene of the network shooting range, wherein during the drill the defense drill participants carry out a vulnerability remediation drill based on a pre-designed drill scene;
an identification capability calculation module, used for calculating the vulnerability identification capability score value of the defense drill participants according to the vulnerability exploitable-condition identification result and the expected-hazard identification result of vulnerability exploitation;
an execution recording module, used for acquiring the execution data recorded when a vulnerability exploitation verification program on a network node in the drill scene calls the corresponding EXP attack script during the drill;
a repair and reinforcement capability calculation module, used for calculating the vulnerability repair and reinforcement capability score value of the defense drill participants according to the execution data;
and an evaluation score calculation module, used for calculating the capability evaluation score of the defense drill participants according to the vulnerability identification capability score value and the vulnerability repair and reinforcement capability score value of the defense drill participants.
9. A terminal device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the computer program, when executed by the processor, implements the method for assessing the ability of defenders in a network shooting range according to any one of claims 1 to 7.
10. A computer program product, characterized in that the computer program product comprises a computer program which, when executed by a processor, carries out the method for assessing the ability of defenders in a network shooting range according to any one of claims 1 to 7.
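The scoring steps of claims 6 and 7, as an added example that is not part of the patent: the claims name the inputs but give no formulas, so the pairwise ordering metric, the AFFR/SFFR ratios, the 30/70 score totals, the equal weights and all sample data below are assumptions constructed for illustration.

```python
from itertools import combinations

# Constructed drill record for one participant (illustrative values only).
OPTIMAL_ORDER = ["V1", "V2", "V3", "V4"]   # preset optimal repair order
REPAIR_ORDER = ["V2", "V1", "V3"]          # order actually repaired; V4 untouched
# vulnerability -> (type, EXP variants run, EXP variants that failed to execute)
EXEC_DATA = {
    "V1": ("sqli", 4, 4),   # fix blocks every variant
    "V2": ("sqli", 4, 2),   # partial fix: half the variants still work
    "V3": ("rce", 5, 5),
    "V4": ("rce", 5, 0),    # not repaired
}

def order_score(actual, optimal, total_score):
    """Assumed metric: share of pairs repaired in the optimal relative order."""
    # Unrepaired vulnerabilities all share the last rank, so they never
    # count as correctly ordered relative to each other.
    rank = {v: actual.index(v) if v in actual else len(actual) for v in optimal}
    pairs = list(combinations(optimal, 2))
    agree = sum(1 for a, b in pairs if rank[a] < rank[b])
    return total_score * agree / len(pairs)

def failure_rate(repaired, exec_data, vuln_type=None):
    """Sum of per-vulnerability EXP failure ratios over the preset total.

    vuln_type=None gives the overall rate (AFFR); a type gives SFFR.
    Both ratios are assumed forms, not the patent's formulas.
    """
    scope = [v for v, (t, _, _) in exec_data.items() if vuln_type in (None, t)]
    if not scope:
        return 0.0
    blocked = sum(exec_data[v][2] / exec_data[v][1]
                  for v in scope if v in repaired and exec_data[v][1] > 0)
    return blocked / len(scope)

def repair_capability(order_total=30, reinforce_total=70, w_affr=0.5, w_sffr=0.5):
    """Combine ordering and reinforcement scores (totals and weights assumed)."""
    affr = failure_rate(REPAIR_ORDER, EXEC_DATA)
    sffr = failure_rate(REPAIR_ORDER, EXEC_DATA, vuln_type="rce")
    reinforce = reinforce_total * (w_affr * affr + w_sffr * sffr)
    return order_score(REPAIR_ORDER, OPTIMAL_ORDER, order_total) + reinforce

if __name__ == "__main__":
    print(repair_capability())
```

Counting failed variants per vulnerability rather than a single pass/fail is what lets a partial fix such as V2 score below a fix that blocks every variant.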

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110587861.4A CN115408697A (en) 2021-05-27 2021-05-27 Method, device, equipment and product for evaluating ability of defensive personnel in network shooting range

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110587861.4A CN115408697A (en) 2021-05-27 2021-05-27 Method, device, equipment and product for evaluating ability of defensive personnel in network shooting range

Publications (1)

Publication Number Publication Date
CN115408697A true CN115408697A (en) 2022-11-29

Family

ID=84155282

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110587861.4A Pending CN115408697A (en) 2021-05-27 2021-05-27 Method, device, equipment and product for evaluating ability of defensive personnel in network shooting range

Country Status (1)

Country Link
CN (1) CN115408697A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116186711A (en) * 2023-01-05 2023-05-30 北京永信至诚科技股份有限公司 Method and device for determining defense result of test application in network attack and defense competition
CN116186711B (en) * 2023-01-05 2023-12-12 永信至诚科技集团股份有限公司 Method and device for determining defense result of test application in network attack and defense competition
CN117709077A (en) * 2023-11-30 2024-03-15 永信至诚科技集团股份有限公司 Simulation deduction method and system based on network target range, electronic equipment and medium

Similar Documents

Publication Publication Date Title
Kennedy et al. The shape of and solutions to the MTurk quality crisis
CN100403691C (en) System and method for evaluating security and survivability of network information system
Andreolini et al. A framework for the evaluation of trainee performance in cyber range exercises
CN109543933B (en) Network security personnel skill evaluation system
Gallon et al. Using CVSS in attack graphs
CN115408697A (en) Method, device, equipment and product for evaluating ability of defensive personnel in network shooting range
CN114398643A (en) Penetration path planning method, device, computer and storage medium
CN114915475B (en) Method, device, equipment and storage medium for determining attack path
CN112926055A (en) Virus attack defense method based on time probability attack graph
Amankwah et al. An automated framework for evaluating open-source web scanner vulnerability severity
CN113660241B (en) Automatic penetration test method based on deep reinforcement learning
KR102381277B1 (en) Method And Apparatus for Providing Security for Defending Cyber Attack
CN117349843B (en) Management software safety maintenance method and system based on internet information technology
Mendes et al. Assessing and comparing security of web servers
Kersten et al. 'Give Me Structure': Synthesis and Evaluation of a (Network) Threat Analysis Process Supporting Tier 1 Investigations in a Security Operation Center
CN115913756A (en) Network equipment vulnerability verification method based on known vulnerability entries
Labuschagne et al. Developing a capability to classify technical skill levels within a cyber range
Holm et al. A metamodel for web application injection attacks and countermeasures
CN113923007A (en) Safety penetration testing method and device, electronic equipment and storage medium
Ula et al. Vulnerability risk assessment using Open Web Application Security Project (OWASP) methodology for e-marketplace
Bao et al. Cyber autonomy in software security: techniques and tactics
Liu et al. AAG: A Model for Attack Behavior Judgment in CTF-style Cyber Security Training
Deptula Automation of cyber penetration testing using the detect, identify, predict, react intelligence automation model
Cohen Managing network security: Simulating network security
Kakouros et al. Detecting plagiarism in penetration testing education

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination