CN115801400A - Automatic permeation method and device - Google Patents
- Publication number: CN115801400A
- Application number: CN202211431153.2A
- Authority: CN (China)
- Prior art keywords: attack, technical, target, tactical, target attack
- Legal status: Pending
Abstract
The application provides an automatic infiltration method and an automatic infiltration device, applied to the technical field of network security. The method comprises the following steps: acquiring a target attack object, and determining the attack points existing on the target attack object; determining a target attack path according to the target attack object, the attack points and a technical and tactical atlas, where the technical and tactical atlas represents the relationship between a plurality of attack objects and the technical tactics used in the infiltration process, the technical tactics comprise attack tools used in the infiltration process, and the target attack object is one of the attack objects; and automatically infiltrating the attack points on the target attack object based on the target attack path. In this scheme, a complete target attack path for automatic infiltration can be obtained from the technical and tactical atlas constructed in advance, which reduces the difficulty of realizing automatic infiltration and improves its working efficiency; furthermore, predictable, interoperable, presentable attack paths may be achieved.
Description
Technical Field
The application relates to the technical field of network security, in particular to an automatic infiltration method and device.
Background
With the rapid development of information technology, network security problems have become more prominent. Cyberspace is gradually being regarded as the "fifth space" of confrontation between countries, after land, sea, air and space, and has become a focus of international attention. Security vulnerabilities have developed into a "strategic weapon" of contemporary warfare, and as network warfare trends toward becoming normal, a security vulnerability is like a bomb with no fixed timer: once a hacker attacks it, the information systems in key national fields will suffer an unprecedented disaster.
To meet the requirements of the security system, regular security vulnerability detection of information systems has become daily work for security operation and maintenance personnel. In the prior art, the attack instruction or attack method for an attack point is generally obtained through Artificial Intelligence (AI) analysis or machine learning, but a complete automatic infiltration attack path cannot be obtained in this way.
Disclosure of Invention
An object of the embodiments of the present application is to provide an automatic infiltration method and an automatic infiltration device, so as to solve a technical problem in the prior art that a complete automatic infiltration attack path cannot be obtained.
In a first aspect, an embodiment of the present application provides an automatic infiltration method, including: acquiring a target attack object, and determining the attack points existing on the target attack object; determining a target attack path according to the target attack object, the attack points and a technical and tactical atlas, where the technical and tactical atlas represents the relationship between a plurality of attack objects and the technical tactics used in the infiltration process, the technical tactics comprise attack tools used in the infiltration process, and the target attack object is one of the attack objects; and automatically infiltrating the attack points on the target attack object based on the target attack path.
In the above scheme, the technical and tactical atlas may be determined in advance, before automatic infiltration is executed, according to the relationship between the plurality of attack objects and the technical tactics used in the infiltration process. After the target attack object is obtained, the corresponding target attack path can then be found in the technical and tactical atlas according to the target attack object and the attack points existing on it, and the attack points on the target attack object can be automatically infiltrated based on that path. A complete target attack path for automatic infiltration can therefore be obtained from the atlas constructed in advance, which reduces the difficulty of realizing automatic infiltration and improves its working efficiency; in addition, with the automatic infiltration method provided by the embodiment of the application, the predictability, the interference and the presentation of the attack path can be realized.
In an optional embodiment, before acquiring the target attack object, the method further includes: constructing the technical and tactical atlas according to the relationship between the technical tactics and the plurality of attack objects. In the above scheme, the technical and tactical atlas may be constructed in advance, before automatic infiltration is performed, so that a target attack path can be determined from it. A complete target attack path for automatic infiltration can therefore be obtained from the atlas constructed in advance, which reduces the difficulty of realizing automatic infiltration and improves its working efficiency.
In an optional embodiment, before constructing the technical and tactical atlas according to the technical tactics and the plurality of attack objects, the method further comprises: adding new technical tactics and/or adjusting the relationship between the technical tactics and the plurality of attack objects; and updating the technical and tactical atlas according to the new technical tactics and the new relationship to obtain a new technical and tactical atlas. In this scheme, after the technical and tactical atlas has been constructed, it can be updated according to actual conditions: by adding new technical tactics and adjusting the relationship between the technical tactics and the plurality of attack objects, the atlas is updated, which further improves the flexibility of automatic infiltration.
In an alternative embodiment, the attack tools comprise: a target information collection tool, an attack analysis and identification tool, an attack point verification tool, an attack point utilization tool and a post-infiltration tool.
In an alternative embodiment, the technical tactics further comprise: the privilege escalation tools, privilege maintenance tools, forensics tools and lateral attack tools used in the post-infiltration process.
In an optional implementation manner, determining a target attack path according to the target attack object, the attack points and the technical and tactical atlas includes: determining a sub-map corresponding to the target attack object according to the target attack object and the technical and tactical atlas; determining a plurality of candidate attack paths corresponding to the target attack object according to the sub-map and the attack points; and determining one of the candidate attack paths as the target attack path. In the above scheme, the sub-map corresponding to the target attack object is determined from the technical and tactical atlas, and the candidate attack paths are determined from the sub-map and the attack points existing on the target attack object. A complete target attack path for automatic infiltration can therefore be obtained from the atlas constructed in advance, which reduces the difficulty of realizing automatic infiltration and improves its working efficiency.
In a second aspect, embodiments of the present application provide an automatic infiltration device, including: an acquisition module, used for acquiring a target attack object and determining the attack points existing on the target attack object; a determining module, used for determining a target attack path according to the target attack object, the attack points and a technical and tactical atlas, where the technical and tactical atlas represents the relationship between a plurality of attack objects and the technical tactics used in the infiltration process, the technical tactics comprise attack tools used in the infiltration process, and the target attack object is one of the attack objects; and an infiltration module, used for automatically infiltrating the attack points on the target attack object based on the target attack path.
In the above scheme, the technical and tactical atlas may be determined in advance, before automatic infiltration is performed, according to the relationship between the plurality of attack objects and the technical tactics used in the infiltration process. After the target attack object is obtained, the corresponding target attack path can then be found in the technical and tactical atlas according to the target attack object and the attack points existing on it, and the target attack object is automatically infiltrated based on that path. A complete target attack path for automatic infiltration can therefore be obtained from the atlas constructed in advance, which reduces the difficulty of realizing automatic infiltration and improves its working efficiency; in addition, with the automatic infiltration method provided by the embodiment of the application, the predictability, the interference and the presentation of the attack path can be realized.
In an alternative embodiment, the automatic infiltration device further comprises: a construction module, used for constructing the technical and tactical atlas according to the relationship between the technical tactics and the plurality of attack objects. In the above scheme, the technical and tactical atlas may be constructed in advance, before automatic infiltration is performed, so that a target attack path can be determined from it. A complete target attack path for automatic infiltration can therefore be obtained from the atlas constructed in advance, which reduces the difficulty of realizing automatic infiltration and improves its working efficiency.
In an alternative embodiment, the automatic infiltration device further comprises: an adjusting module, used for adding new technical tactics and/or adjusting the relationship between the technical tactics and the plurality of attack objects; and an updating module, used for updating the technical and tactical atlas according to the new technical tactics and the new relationship to obtain a new technical and tactical atlas. In this scheme, after the technical and tactical atlas has been constructed, it can be updated according to the actual situation: by adding new technical tactics and adjusting the relationship between the technical tactics and the plurality of attack objects, the atlas is updated, which further improves the flexibility of automatic infiltration.
In an alternative embodiment, the attack tools comprise: a target information collection tool, an attack analysis and identification tool, an attack point verification tool, an attack point utilization tool and a post-infiltration tool.
In an alternative embodiment, the technical tactics further comprise: the privilege escalation tools, privilege maintenance tools, forensics tools and lateral attack tools used in the post-infiltration process.
In an optional embodiment, the determining module is specifically configured to: determine a sub-map corresponding to the target attack object according to the target attack object and the technical and tactical atlas; determine a plurality of candidate attack paths corresponding to the target attack object according to the sub-map and the attack points; and determine one of the candidate attack paths as the target attack path. In the above scheme, the sub-map corresponding to the target attack object is determined from the technical and tactical atlas, and the candidate attack paths are determined from the sub-map and the attack points existing on the target attack object. A complete target attack path for automatic infiltration can therefore be obtained from the atlas constructed in advance, which reduces the difficulty of realizing automatic infiltration and improves its working efficiency.
In a third aspect, embodiments of the present application provide a computer program product comprising computer program instructions that, when read and executed by a processor, perform the automatic infiltration method according to the first aspect.
In a fourth aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory, and a bus; the processor and the memory are communicated with each other through the bus; the memory stores computer program instructions executable by the processor, the processor invoking the computer program instructions to perform the auto-infiltration method of the first aspect.
In a fifth aspect, embodiments of the present application provide a computer-readable storage medium storing computer program instructions, which, when executed by a computer, cause the computer to perform the automatic infiltration method according to the first aspect.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a flow chart of an automatic infiltration method provided in an embodiment of the present application;
Fig. 2 is a schematic diagram of a technical and tactical atlas provided by an embodiment of the present application;
Fig. 3 is a block diagram of an automatic infiltration apparatus according to an embodiment of the present disclosure;
Fig. 4 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Referring to fig. 1, fig. 1 is a flowchart of an automatic infiltration method provided in an embodiment of the present application, where the automatic infiltration method may include the following steps:
Step S101: acquire a target attack object, and determine the attack points existing on the target attack object.
Step S102: determine a target attack path according to the target attack object, the attack points and the technical and tactical atlas.
Step S103: automatically infiltrate the attack points on the target attack object based on the target attack path.
Specifically, in step S101, the target attack object is one of a plurality of attack objects, where an attack object is an object that may be attacked in the network space.
It should be noted that, in the embodiment of the present application, the specific implementation of the attack object is not specifically limited, and those skilled in the art may appropriately adjust the implementation according to actual situations. For example, the attack object may include an operating system, application software, a World Wide Web (Web) system, an Internet of Things (IOT) device, an industrial control device or hardware, and the like.
In addition, the embodiment of the present application is not limited to the specific implementation of obtaining the target attack object, and those skilled in the art may also make appropriate adjustments according to actual situations. For example, the target attack object may be user-input; or, an attack object can be randomly determined from a plurality of attack objects as a target attack object; alternatively, one attack object may be determined as a target attack object from among a plurality of attack objects in a preset order, and the like.
After the target attack object is obtained, the attack point existing on the target attack object can be determined according to the target attack object, wherein the attack point existing on the target attack object refers to a vulnerability or a weak point which can be utilized or infiltrated. As an implementation manner, the target attack object may be scanned by using an attack point scanning tool, so as to obtain the attack points existing on the target attack object.
Here, a vulnerability is a place where a defect exists on the target attack object, and a weak point is a place where a defect may exist on the target attack object; for example, a login window on a website can be a weak point because it involves submitting information.
It can be understood that, the number of attack points existing on the determined target attack object is not particularly limited in the embodiment of the present application, and a person skilled in the art may make appropriate adjustments according to actual situations, where the number of attack points may be one or more.
As an implementation manner, the attack points existing on a target attack object can be scanned completely by using an attack point scanning device; as another embodiment, the attack point scanning device may scan for only some of the attack points existing on the target attack object, for example: scanning for only one attack point, scanning for only a preset time, etc.
In step S102, the technical and tactical atlas is used to represent the relationship between a plurality of attack objects and the technical tactics used in the infiltration process, where an atlas is a mesh pattern formed by organizing data in the form of two-dimensional points and lines.
It is understood that the points in the technical and tactical atlas may include the plurality of attack objects, the attack points existing on those attack objects, and the technical tactics used in the infiltration process, and the lines in the atlas may represent the relationship between the plurality of attack objects and the technical tactics used in the infiltration process.
It should be noted that the embodiment of the present application does not specifically limit how the technical and tactical atlas is obtained, and a person skilled in the art may make appropriate adjustments according to actual situations. For example, a predetermined technical and tactical atlas may be read from local storage or from the cloud; alternatively, a technical and tactical atlas sent by another device can be received; alternatively, a technical and tactical atlas may be constructed from the relationship between the technical tactics and the plurality of attack objects, and so on.
Further, the technical tactics include attack tools used in the infiltration process. It should be noted that the embodiment of the present application does not specifically limit the implementation of the technical tactics, and those skilled in the art can make appropriate adjustments according to actual situations. For example, the technical tactics may include attack point verification scripts (e.g., POC, etc.), attack point utilization tools (e.g., EXP, etc.), attack point attack payloads (e.g., PAYLOAD, etc.), and the like.
According to the target attack object and the attack points obtained in step S101 and the technical and tactical atlas, a target attack path may be determined, where the target attack path may be one of a plurality of attack paths, and an attack path is a path that implements the attack process from discovery of the attack point to post-infiltration.
As an embodiment, the attack path may include information collection, attack modeling or analysis, attack point verification, attack point utilization, post-infiltration, and the like, where post-infiltration may include forensics, privilege escalation, privilege maintenance, lateral attacks, and the like.
It should be noted that, the embodiment of the present application is not limited to the specific implementation of determining the target attack path, and those skilled in the art may also make appropriate adjustments according to actual situations. For example, an attack path is determined from the technical and tactical atlas as a target attack path directly according to a target attack object and an attack point; or determining a plurality of attack paths corresponding to the target attack object from the technical and tactical atlas according to the target attack object and the attack point, and then determining one attack path from the plurality of attack paths as the target attack path.
In step S103, the target attack object may be automatically infiltrated in advance based on the target attack path determined in step S102.
As an implementation manner, the attack condition and the attack manner associated with the target attack path may be acquired according to the target attack path, and then the target attack object may be subjected to automatic attack point penetration by using the attack condition and the attack manner.
In the above scheme, the technical and tactical atlas may be determined in advance, before automatic infiltration is performed, according to the relationship between the plurality of attack objects and the technical tactics used in the infiltration process. After the target attack object is obtained, the corresponding target attack path can then be found in the technical and tactical atlas according to the target attack object and the attack points existing on it, and the target attack object is automatically infiltrated based on that path. A complete target attack path for automatic infiltration can therefore be obtained from the atlas constructed in advance, which reduces the difficulty of realizing automatic infiltration and improves its working efficiency; in addition, with the automatic infiltration method provided by the embodiment of the application, the predictability, the interference and the presentation of the attack path can be realized.
Further, on the basis of the foregoing embodiment, before the foregoing step S101, the automatic infiltration method provided in the embodiment of the present application may further include the following steps:
Constructing a technical and tactical atlas according to the relationship between the technical tactics and a plurality of attack objects.
Specifically, before executing the automatic infiltration method provided in the embodiment of the present application, a corresponding technical and tactical atlas may be created. The technical tactics suitable for the attack object can be obtained for the attack object, and then the technical tactics are connected with the corresponding attack object to form a part of the technical tactics map.
Please refer to fig. 2, which is a schematic diagram of a technical and tactical atlas provided in an embodiment of the present application. It should be noted that fig. 2 shows only a part of the technical and tactical atlas, in which the attack object is target A, the attack point existing on the attack object is vulnerability 1, and the technical tactics associated with vulnerability 1 on target A include: POC1, EXP1, the Payload1, Payload2 and Payload3 associated with EXP1, the encoding and channel connection method for each Payload, and the forensics, privilege escalation, privilege maintenance, and the like in the post-infiltration process.
In the above scheme, before performing automatic infiltration, a technical-tactical map may be constructed in advance according to the relationship between the technical tactics and a plurality of attack objects, so that a target attack path may be determined according to the technical-tactical map. Therefore, according to the technical and tactical atlas constructed in advance, a complete target attack path of automatic infiltration can be obtained, the difficulty of realizing automatic infiltration is reduced, and the working efficiency of automatic infiltration can be improved.
Further, on the basis of the above embodiment, before the step of constructing the technical tactical atlas according to the relationship between the technical tactics and the plurality of attack objects, the automatic infiltration method provided in the embodiment of the present application may further include the following steps:
Step 1): add new technical tactics and/or adjust the relationship between the technical tactics and the plurality of attack objects.
Step 2): update the technical and tactical atlas according to the new technical tactics and the new relationship to obtain a new technical and tactical atlas.
In this scheme, after the technical and tactical atlas has been constructed, it can be updated according to the actual situation: by adding new technical tactics and adjusting the relationship between the technical tactics and the plurality of attack objects, the atlas is updated, which further improves the flexibility of automatic infiltration.
Further, on the basis of the above embodiments, the attack tools include: a target information collection tool, an attack analysis and identification tool, an attack point verification tool, an attack point utilization tool and a post-infiltration tool.
Further, on the basis of the above embodiments, the technical tactics further include: the privilege escalation tools, privilege maintenance tools, forensics tools and lateral attack tools used in the post-infiltration process.
Further, on the basis of the foregoing embodiment, the step S102 may specifically include the following steps:
Step 1): determine a sub-map corresponding to the target attack object according to the target attack object and the technical and tactical atlas.
Step 2): determine a plurality of candidate attack paths corresponding to the target attack object according to the sub-map and the attack points.
Step 3): determine one of the candidate attack paths as the target attack path.
Specifically, in step 1), the part corresponding to the target attack object may be determined from the technical and tactical atlas, so as to obtain the sub-map corresponding to the target attack object. Fig. 2 can be regarded as the sub-map of target A.
In step 2), a plurality of candidate attack paths corresponding to the target attack object may be determined from the sub-map corresponding to the target attack object. Again taking fig. 2 as an example, the following candidate attack paths corresponding to target A can be determined from the sub-map of target A shown in fig. 2:
Attack path 1: attack point scanning tool, target A, vulnerability 1, POC1;
Attack path 2: attack point scanning tool, target A, vulnerability 1, EXP1, Payload1 (encode1|bind), privilege escalation 1, privilege maintenance 1, information acquisition;
Attack path 3: attack point scanning tool, target A, vulnerability 1, EXP1, Payload1 (encode2|reverse), privilege escalation 2, privilege maintenance 2, information acquisition;
Attack path 4: attack point scanning tool, target A, vulnerability 1, EXP1, Payload3 (Standalone), privilege escalation 2, privilege maintenance 2, information acquisition.
In step 3), one attack path may be determined from the plurality of candidate attack paths as the target attack path. Thus, once the technical-tactical atlas has been constructed, a target attack path can be determined from it and automatic infiltration performed.
In the above scheme, a sub-graph corresponding to the target attack object may be determined from the technical-tactical atlas according to the target attack object, and a plurality of candidate attack paths corresponding to the target attack object may be determined according to the sub-graph and the attack points existing on the target attack object. Therefore, according to the technical-tactical atlas constructed in advance, a complete target attack path for automatic infiltration can be obtained, the difficulty of realizing automatic infiltration is reduced, and the working efficiency of automatic infiltration can be improved.
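Steps 1) to 3) of S102 as an added example, not code from the patent: the atlas is rebuilt from the four attack paths listed for target A. Target B, vulnerability 2 and their PoC nodes are constructed so that the sub-graph and attack-point filters have something to exclude, and the fewest-steps rule in step 3) is an assumption, since the text does not say how the target path is chosen.

```python
# Added illustration of steps 1)-3); node labels follow the listed attack paths.
TOOL = "attack point scanning tool"
PREFIX = [TOOL, "target A", "vulnerability 1"]
TAIL1 = ["privilege escalation 1", "privilege maintenance 1", "information acquisition"]
TAIL2 = ["privilege escalation 2", "privilege maintenance 2", "information acquisition"]

LISTED_PATHS = [                      # attack paths 1-4 from the text
    PREFIX + ["Poc1"],
    PREFIX + ["EXP1", "Payload1 (encode 1 | bind)"] + TAIL1,
    PREFIX + ["EXP1", "Payload1 (encode 2 | reverse)"] + TAIL2,
    PREFIX + ["EXP1", "Payload3 (Standalone)"] + TAIL2,
]
CONSTRUCTED_PATHS = [                 # constructed, not on the page
    [TOOL, "target A", "vulnerability 2", "Poc2"],
    [TOOL, "target B", "vulnerability 3", "Poc3"],
]


def build_atlas(paths):
    """Directed graph (node -> ordered successors) covering every path."""
    atlas = {}
    for path in paths:
        for src, dst in zip(path, path[1:]):
            succ = atlas.setdefault(src, [])
            if dst not in succ:
                succ.append(dst)
        atlas.setdefault(path[-1], [])
    return atlas


def sub_graph(atlas, target):
    """Step 1): keep the target, what is reachable from it, and the tools leading to it."""
    keep, stack = set(), [target]
    while stack:
        node = stack.pop()
        if node not in keep:
            keep.add(node)
            stack.extend(atlas.get(node, []))
    sub = {n: list(s) for n, s in atlas.items() if n in keep}
    for src, succ in atlas.items():
        if target in succ and src not in keep:
            sub[src] = [target]       # drop the tool's edges to other targets
    return sub


def candidate_paths(sub, attack_points):
    """Step 2): every root-to-leaf path that passes through a found attack point."""
    has_pred = {d for succ in sub.values() for d in succ}
    found = []

    def walk(node, path):
        path = path + [node]
        succ = sub.get(node, [])
        if not succ:
            if any(p in attack_points for p in path):
                found.append(path)
            return
        for nxt in succ:
            if nxt not in path:       # guard against cycles in the atlas
                walk(nxt, path)

    for root in sorted(n for n in sub if n not in has_pred):
        walk(root, [])
    return found


def select_path(paths):
    """Step 3): assumed policy, fewest steps first (here the verification-only path)."""
    return min(paths, key=len, default=None)


if __name__ == "__main__":
    atlas = build_atlas(LISTED_PATHS + CONSTRUCTED_PATHS)
    sub = sub_graph(atlas, "target A")
    paths = candidate_paths(sub, {"vulnerability 1"})
    for i, p in enumerate(paths, 1):
        print(f"candidate {i}: " + " -> ".join(p))
    print("target path: " + " -> ".join(select_path(paths)))
```
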
Referring to fig. 3, fig. 3 is a block diagram of an automatic infiltration apparatus according to an embodiment of the present disclosure. The automatic infiltration apparatus 300 may include: an obtaining module 301, configured to obtain a target attack object and determine an attack point existing on the target attack object according to the target attack object; a determining module 302, configured to determine a target attack path according to the target attack object, the attack point and the technical-tactical atlas, where the technical-tactical atlas represents the relationship between a plurality of attack objects and the technical tactics used in the infiltration process, the technical tactics include the attack tools used in the infiltration process, and the target attack object is one of the plurality of attack objects; and an infiltration module 303, configured to automatically infiltrate the attack point on the target attack object based on the target attack path.
In the above scheme, before automatic infiltration is performed, the technical-tactical atlas may be determined in advance according to the relationship between a plurality of attack objects and the technical tactics used in the infiltration process, so that after a target attack object is obtained, a corresponding target attack path can be found from the technical-tactical atlas according to the target attack object and the attack points existing on it, and the target attack object is automatically infiltrated based on the target attack path. Therefore, according to the technical-tactical atlas constructed in advance, a complete target attack path for automatic infiltration can be obtained, the difficulty of realizing automatic infiltration is reduced, and the working efficiency of automatic infiltration can be improved; in addition, with the automatic infiltration method provided by the embodiment of the application, the attack path can be predicted, interfered with and presented.
Further, on the basis of the above embodiment, the automatic infiltration apparatus 300 further comprises: a construction module, configured to construct the technical-tactical atlas according to the relationship between the technical tactics and the plurality of attack objects.
In the above scheme, before automatic infiltration of the attack points is performed, a technical-tactical atlas may be constructed in advance according to the relationship between the technical tactics and a plurality of attack objects, so that a target attack path can be determined according to the technical-tactical atlas. Therefore, according to the technical-tactical atlas constructed in advance, a complete target attack path for automatic infiltration can be obtained, the difficulty of realizing automatic infiltration is reduced, and the working efficiency of automatic infiltration can be improved.
Further, on the basis of the above embodiment, the automatic infiltration apparatus 300 further comprises: an adjusting module, configured to add new technical tactics and/or adjust the relationship between the technical tactics and the attack objects; and an updating module, configured to update the technical-tactical atlas according to the new technical tactics and the new relationship to obtain a new technical-tactical atlas.
In the above scheme, after the technical-tactical atlas has been constructed, it can be updated according to actual conditions. The technical-tactical atlas can be updated by adding new technical tactics and/or adjusting the relationship between the technical tactics and the targets, so that the flexibility of automatic infiltration is improved.
Further, on the basis of the above embodiment, the attack tools include: a target information collection tool, an attack analysis and identification tool, an attack point verification tool, an attack point utilization tool and a post-penetration tool.
Further, on the basis of the above embodiments, the technical tactics further include: a privilege-escalation tool, a privilege-maintenance tool, evidence, and a lateral attack tool used in the post-infiltration process.
Further, on the basis of the foregoing embodiment, the determining module 302 is specifically configured to: determine a sub-graph corresponding to the target attack object according to the target attack object and the technical-tactical atlas; determine a plurality of candidate attack paths corresponding to the target attack object according to the sub-graph and the attack point; and determine one candidate attack path of the plurality of candidate attack paths as the target attack path.
In the above scheme, a sub-graph corresponding to the target attack object may be determined from the technical-tactical atlas according to the target attack object, and a plurality of candidate attack paths corresponding to the target attack object may be determined according to the sub-graph and the attack points existing on the target attack object. Therefore, according to the technical-tactical atlas constructed in advance, a complete target attack path for automatic infiltration can be obtained, the difficulty of realizing automatic infiltration is reduced, and the working efficiency of automatic infiltration can be improved.
Referring to fig. 4, fig. 4 is a block diagram of an electronic device according to an embodiment of the present disclosure, where the electronic device 400 includes: at least one processor 401, at least one communication interface 402, at least one memory 403 and at least one communication bus 404. Wherein the communication bus 404 is used for implementing direct connection communication of these components, the communication interface 402 is used for communicating signaling or data with other node devices, and the memory 403 stores machine-readable instructions executable by the processor 401. When the electronic device 400 is in operation, the processor 401 communicates with the memory 403 via the communication bus 404, and the machine-readable instructions, when invoked by the processor 401, perform the auto-penetration method described above.
For example, the processor 401 of the embodiment of the present application may read the computer program from the memory 403 through the communication bus 404 and execute the computer program to implement the following method: Step S101: acquiring a target attack object, and determining attack points existing on the target attack object according to the target attack object. Step S102: determining a target attack path according to the target attack object, the attack point and the technical-tactical atlas. Step S103: automatically infiltrating the attack points on the target attack object based on the target attack path.
The processor 401 may include one or more integrated circuit chips, which may have signal processing capabilities. The processor 401 may be a general-purpose processor, including a Central Processing Unit (CPU), a Micro Control Unit (MCU), a Network Processor (NP), or other conventional processors; the processor may also be a dedicated processor, including a Neural-Network Processing Unit (NPU), a Graphics Processing Unit (GPU), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, and a discrete hardware component. Also, when there are a plurality of processors 401, some of them may be general-purpose processors, and the others may be special-purpose processors.
The memory 403 includes one or more of, but is not limited to, Random Access Memory (RAM), Read-Only Memory (ROM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
It will be appreciated that the configuration shown in fig. 4 is merely illustrative and that electronic device 400 may include more or fewer components than shown in fig. 4 or have a different configuration than shown in fig. 4. The components shown in fig. 4 may be implemented in hardware, software, or a combination thereof. In this embodiment, the electronic device 400 may be, but is not limited to, an entity device such as a desktop computer, a notebook computer, a smart phone, an intelligent wearable device, a vehicle-mounted device, and may also be a virtual device such as a virtual machine. In addition, the electronic device 400 is not necessarily a single device, but may be a combination of multiple devices, such as a server cluster, and the like.
Embodiments of the present application further provide a computer program product comprising a computer program stored on a computer-readable storage medium, the computer program comprising computer program instructions; when the computer program instructions are executed by a computer, the computer is capable of performing the steps of the automatic infiltration method in the above embodiments, for example, including: acquiring a target attack object, and determining attack points existing on the target attack object according to the target attack object; determining a target attack path according to the target attack object, the attack point and the technical-tactical atlas, where the technical-tactical atlas represents the relationship between a plurality of attack objects and the technical tactics used in the infiltration process, the technical tactics include the attack tools used in the infiltration process, and the target attack object is one of the plurality of attack objects; and automatically infiltrating the attack points on the target attack object based on the target attack path.
Embodiments of the present application further provide a computer-readable storage medium, which stores computer program instructions, when the computer program instructions are executed by a computer, the computer is caused to execute the automatic infiltration method described in the foregoing method embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described apparatus embodiments are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
It should be noted that, if the functions are implemented in the form of software functional modules and sold or used as independent products, the functions may be stored in a computer-readable storage medium. Based on such understanding, the technical solutions of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made to the present application by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application.
Claims (10)
1. An automatic infiltration method, comprising:
acquiring a target attack object, and determining attack points existing on the target attack object according to the target attack object;
determining a target attack path according to the target attack object, the attack point and the technical-tactical atlas; the technical-tactical atlas is used for representing the relationship between a plurality of attack objects and the technical tactics used in the infiltration process, the technical tactics comprise attack tools used in the infiltration process, and the target attack object is one of the plurality of attack objects;
and automatically infiltrating the attack points on the target attack object based on the target attack path.
2. The automatic infiltration method of claim 1, wherein prior to the obtaining the target attack object, the method further comprises:
constructing the technical-tactical atlas according to the relationship between the technical tactics and the plurality of attack objects.
3. The automatic infiltration method of claim 2, wherein prior to the constructing of the technical-tactical atlas according to the relationship between the technical tactics and the plurality of attack objects, the method further comprises:
adding new technical tactics and/or adjusting the relationship between the technical tactics and the attack objects;
and updating the technical-tactical atlas according to the new technical tactics and the new relationship to obtain a new technical-tactical atlas.
4. The automatic infiltration method of any of claims 1-3, characterized in that the attack tools comprise: a target information collection tool, an attack analysis and identification tool, an attack point verification tool, an attack point utilization tool and a post-penetration tool.
5. The automatic infiltration method of any of claims 1-3, wherein the technical tactics further comprise: a privilege-escalation tool, a privilege-maintenance tool, evidence, and a lateral attack tool used in the post-infiltration process.
6. The auto-infiltration method of claim 1, wherein determining a target attack path from the target attack object, the attack point, and a technical-tactical atlas comprises:
determining a sub-graph corresponding to the target attack object according to the target attack object and the technical-tactical atlas;
determining a plurality of candidate attack paths corresponding to the target attack object according to the sub-graph and the attack point;
determining one candidate attack path of the plurality of candidate attack paths as the target attack path.
7. An automatic infiltration device, comprising:
the acquisition module is used for acquiring a target attack object and determining attack points existing on the target attack object according to the target attack object;
the determining module is used for determining a target attack path according to the target attack object, the attack point and the technical-tactical atlas; the technical-tactical atlas is used for representing the relationship between a plurality of attack objects and the technical tactics used in the infiltration process, the technical tactics comprise attack tools, attack scripts and attack models used in the infiltration process, and the target attack object is one of the plurality of attack objects;
and the penetration module is used for automatically penetrating the attack points on the target attack object based on the target attack path.
8. A computer program product comprising computer program instructions which, when read and executed by a processor, perform the auto-infiltration method of any of claims 1-6.
9. An electronic device, comprising: a processor, a memory, and a bus;
the processor and the memory are communicated with each other through the bus;
the memory stores computer program instructions executable by the processor, the processor invoking the computer program instructions to perform the auto-infiltration method of any of claims 1-6.
10. A computer-readable storage medium storing computer program instructions that, when executed by a computer, cause the computer to perform the auto-infiltration method of any of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211431153.2A CN115801400A (en) | 2022-11-14 | 2022-11-14 | Automatic permeation method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115801400A (en) | 2023-03-14 |
Family
ID=85438003
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211431153.2A Pending CN115801400A (en) | 2022-11-14 | 2022-11-14 | Automatic permeation method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115801400A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20230314 |