CN115987641A - Attack testing method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN115987641A
Authority: CN (China)
Prior art keywords: candidate, attack, determining, nodes, node
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202211669141.3A
Other languages: Chinese (zh)
Inventors: 李培鑫, 肖新光
Current assignee: Antiy Technology Group Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Antiy Technology Group Co Ltd

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The application provides an attack testing method, an attack testing device, an electronic device and a storage medium. The attack testing method comprises the following steps: acquiring the device information of each electronic device in a system to be tested; generating a system structure diagram according to the device information of each electronic device; determining the nodes whose device information meets preset conditions as candidate nodes; determining a plurality of candidate attack paths according to the position of each candidate node in the system structure diagram, where each candidate attack path contains at least two candidate nodes; determining a target attack path from the plurality of candidate attack paths according to a preset rule; and carrying out an attack test on the system to be tested using the target attack path. The attack testing method can automatically determine the target attack path from the communication connections between the electronic devices in the system to be tested and the device information of each device, which avoids the low efficiency of selecting an attack path manually and the large differences in chosen paths, and therefore in test results, between different testers.

Description

Attack testing method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security, and in particular, to an attack testing method and apparatus, an electronic device, and a storage medium.
Background
Penetration testing is a network security analysis technique in which the security of a network system is evaluated from the attacker's perspective by attacking the system under test with the methods a real attacker would use. It can be used to discover system vulnerabilities, assist with remediation, perform security hardening, and so on. Traditional penetration testing is usually carried out by a security service engineer and depends mainly on that engineer's personal experience; since the experience of different engineers differs, the outcome of a project varies from person to person.
Disclosure of Invention
In view of this, the present application provides an attack testing method, apparatus, electronic device and storage medium, which at least partially solve the problems in the prior art.
In one aspect of the present application, an attack testing method is provided, including:
acquiring the device information of each electronic device in the system to be tested;
generating a system structure diagram according to the device information of each electronic device, where the system structure diagram contains one node per electronic device, each node carries the device information of its electronic device, and a connecting line between any two nodes indicates that the two devices are in communication connection;
determining the nodes whose device information meets preset conditions as candidate nodes, so as to obtain a plurality of candidate nodes;
determining a plurality of candidate attack paths according to the position of each candidate node in the system structure diagram, where each candidate attack path contains at least two candidate nodes;
determining a target attack path from the plurality of candidate attack paths according to a preset rule; and
carrying out an attack test on the system to be tested using the target attack path.
In an exemplary embodiment of the present application, the device information includes a device type and device configuration information.
The method for determining the node with the device information meeting the preset condition as the candidate node to obtain a plurality of candidate nodes includes:
determining a detection rule set corresponding to each node according to the equipment type corresponding to each node; the set of detection rules includes at least one detection rule.
And detecting the equipment configuration information of the corresponding node by using each detection rule set.
And if the current node accords with any detection rule in the corresponding detection rule set, determining the current node as a candidate node.
In an exemplary embodiment of the present application, the determining a target attack path from a plurality of candidate attack paths according to a preset rule includes:
determining a priority score corresponding to each candidate attack path; and the priority score is determined according to the candidate nodes in the corresponding candidate attack path.
And determining a target attack path from a plurality of candidate attack paths according to the priority scores.
In an exemplary embodiment of the present application, determining a target attack path from the plurality of candidate attack paths according to the priority scores includes:
determining the candidate attack paths whose number of candidate nodes meets a preset number condition as intermediate attack paths; and
determining the intermediate attack path with the highest priority score as the target attack path.
In an exemplary embodiment of the present application, each device type has a corresponding device score; the device score is used to indicate the importance of the corresponding electronic device.
The determining the priority score corresponding to each candidate attack path includes:
and determining the priority score corresponding to each candidate attack path according to the equipment scores corresponding to all candidate nodes in each candidate attack path.
In an exemplary embodiment of the present application, after obtaining the plurality of candidate nodes, the method further includes:
and determining the vulnerability score corresponding to each candidate node according to the detection rule which each candidate node accords with.
The determining the priority score corresponding to each candidate attack path according to the device scores corresponding to all candidate nodes in each candidate attack path includes:
and determining the priority score corresponding to each candidate attack path according to the equipment scores and the vulnerability scores corresponding to all candidate nodes in each candidate attack path.
In an exemplary embodiment of the present application, each of the detection rules includes a corresponding base vulnerability score; each device type has a corresponding device weight.
Determining the vulnerability score of each candidate node according to the detection rules it matches includes:
determining the vulnerability score of each candidate node from the device weight of that node and the base vulnerability scores of the detection rules it matches.
In another aspect of the present application, an attack testing apparatus is provided, including:
an acquisition module, configured to acquire the device information of each electronic device in the system to be tested;
a generating module, configured to generate a system structure diagram according to the device information of each electronic device, where the system structure diagram contains a plurality of nodes, each node corresponds to one electronic device and carries its device information, and a connecting line between any two nodes indicates that the two devices are in communication connection;
a node determining module, configured to determine the nodes whose device information meets preset conditions as candidate nodes, so as to obtain a plurality of candidate nodes;
a first path determining module, configured to determine a plurality of candidate attack paths according to the position of each candidate node in the system structure diagram, where each candidate attack path contains at least two candidate nodes;
a second path determining module, configured to determine a target attack path from the candidate attack paths according to a preset rule; and
a test module, configured to carry out an attack test on the system to be tested using the target attack path.
In another aspect of the present application, an electronic device is provided that includes a processor and a memory.
The processor is configured to perform the steps of any of the above methods by calling a program or instructions stored in the memory.
In another aspect of the application, a non-transitory computer readable storage medium is provided, storing a program or instructions that causes a computer to perform the steps of any of the methods described above.
According to the attack testing method, the system structure diagram corresponding to the system to be tested can be generated according to the communication connection relation of the electronic equipment in the system to be tested and the equipment information of each electronic equipment. And then determining the nodes of the system structure chart which meet the preset conditions as candidate nodes. The selected node is a node which can be used as an attacked device, namely, the selected node has a certain security vulnerability. After the candidate nodes are determined, the candidate attack paths can be determined according to the position of each candidate node in the system structure chart and the communication connection relation among the candidate nodes. The candidate attack paths are the attack paths that can be used for performing the penetration attack test. And then determining a target attack path from the candidate attack paths according to a preset rule so as to realize attack testing through a better or optimal attack path. The attack testing method can automatically determine the target attack path according to the communication connection relation of the electronic equipment in the system to be tested and the equipment information of each electronic equipment, so that the problems that the efficiency is low when the attack path is selected manually, and the difference between the attack paths selected by different persons is large and the difference between the test results is large are avoided.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of an attack testing method according to an embodiment of the present application.
Fig. 2 is a block diagram of a structure of an attack testing apparatus according to an embodiment of the present disclosure.
Detailed Description
The embodiments of the present application will be described in detail below with reference to the accompanying drawings.
It should be noted that, in the case of no conflict, the features in the following embodiments and examples may be combined with each other; moreover, based on the embodiments in the present disclosure, all other embodiments obtained by a person of ordinary skill in the art without making creative efforts shall fall within the protection scope of the present disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the appended claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the disclosure, one skilled in the art should appreciate that one aspect described herein may be implemented independently of any other aspects and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. Additionally, such an apparatus may be implemented and/or such a method may be practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
Referring to fig. 1, in an aspect of the present application, there is provided an attack testing method, including the following steps:
S100, acquiring the device information of each electronic device in the system to be tested. The device information may include a device type and device configuration information. Device types may be office devices, client devices, routers, switches, databases, mail servers, printing devices, firewalls, domain controllers, administrator servers, and the like. Device configuration information may include the host operating system version, open ports, service versions, enabled services, hardware versions, and the like.
S200, generating a system structure diagram according to the device information of each electronic device. The system structure diagram contains a plurality of nodes; each node corresponds to one electronic device and carries its device information, and a connecting line between any two nodes indicates that the two devices are in communication connection.
S300, determining the nodes whose device information meets preset conditions as candidate nodes, so as to obtain a plurality of candidate nodes. Specifically, the preset conditions identify the nodes that are susceptible to a given attack means or technique (that is, nodes with a security vulnerability), and the corresponding device information is used to judge whether the node can be attacked successfully.
S400, determining a plurality of candidate attack paths according to the position of each candidate node in the system structure diagram; each candidate attack path contains at least two candidate nodes. The position of a candidate node in the diagram indicates its importance and shows directly whether it can be reached from the external network. In the system structure diagram, a node that has a communication connection with only one other node, or a node directly connected to the external network, may serve as an ingress node (the node attacked first).
It is known that a network system is compromised once its domain controller or administrator server is successfully penetrated, so successfully penetrating the domain controller or administrator server is the final objective of the penetration test. Therefore, in this embodiment, the node at the end of each candidate attack path should have the device type domain controller or administrator server.
S500, determining a target attack path from the candidate attack paths according to a preset rule. The target attack path selected by the preset rule may be the candidate attack path with the fewest electronic devices, or the candidate attack path with the lowest overall attack difficulty. The specific preset rule can be designed according to actual requirements.
S600, carrying out an attack test on the system to be tested using the target attack path. The attack test may be a penetration test; the specific test method can be set according to actual requirements, and the attack means used in the test can be selected according to the device type and the security vulnerabilities of each node on the target attack path.
The attack testing method provided by this embodiment generates a system structure diagram corresponding to the system to be tested according to the communication connection relationship of the electronic devices in the system to be tested and the device information of each electronic device. And then determining the nodes of the system structure chart which accord with the preset conditions as candidate nodes. The selected node is a node which can be used as an attacked device, namely, the selected node has a certain security vulnerability. After the candidate nodes are determined, the candidate attack paths can be determined according to the position of each candidate node in the system structure chart and the communication connection relation among the candidate nodes. The candidate attack paths are the attack paths that can be used for the penetration attack test. And then determining a target attack path from the candidate attack paths according to a preset rule so as to realize attack testing through a better or optimal attack path. The attack testing method provided by the embodiment can automatically determine the target attack path according to the communication connection relation of the electronic equipment in the system to be tested and the equipment information of each electronic equipment, so that the problems that the efficiency is low when the attack path is selected manually, and the difference between the attack paths selected by different persons is large and the difference between the test results is large are avoided.
In an exemplary embodiment of the application, the step S300 includes the following steps:
S310, determining a detection rule set for each node according to the device type of that node. The detection rule set contains at least one detection rule. The detection rules can be set according to the attack methods or attack means in a preset attack-pattern knowledge graph. For example, if a certain attack means can attack a client device running Windows version A, a corresponding detection rule can be set for client devices that checks whether the device runs Windows version A.
And S320, detecting the equipment configuration information of the corresponding node by using each detection rule set.
S330, if the current node accords with any detection rule in the corresponding detection rule set, the current node is determined as a candidate node.
In particular, the detection rules may include, but are not limited to, the following:
whether the domain controller runs Windows Server 2008 R2 or an older version;
whether the domain controller has high privileges;
whether there are two or more domain controllers;
whether PCs in the office network run old versions such as Windows XP or Windows 7;
whether the database cluster contains a Redis instance that allows unauthenticated access;
whether the administrator server runs an old Windows 7 version.
In this embodiment, a detection rule set that can directly detect whether a node has a security vulnerability is selected according to the node's device type, and the node is then checked with that rule set. This allows comprehensive vulnerability detection of every node, determines the candidate nodes more accurately, and avoids running detection rules that do not apply to the device.
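The following script is an added worked example, not code from the patent or from Antiy: it runs steps S100 to S600 above over a small constructed inventory, selecting candidate nodes with per-device-type detection rule sets in the manner of S310 to S330 and the example rules just listed. The hosts, links, operating-system strings, the `external` flag, the rule predicates and the "fewest devices" tie-break are all assumptions made for the example; the patent gives no concrete data.

```python
"""Added example (not the patent's code): S100-S600 with per-type rule sets.
Every host, link, version string and threshold below is constructed."""
from collections import defaultdict

# S100: device information.  "external" marks a node reachable from the
# outside network (our field, not the patent's).  Hosts are fictitious.
DEVICES = {
    "fw1":  {"type": "firewall", "os": "fw-os 3.1", "external": True},
    "sw1":  {"type": "switch", "os": "sw-os 2.0"},
    "pc1":  {"type": "client", "os": "Windows 7"},
    "pc2":  {"type": "client", "os": "Windows 10"},
    "db1":  {"type": "database", "os": "Linux", "redis_auth": False, "external": True},
    "adm1": {"type": "administrator_server", "os": "Windows 7"},
    "dc1":  {"type": "domain_controller", "os": "Windows Server 2008 R2"},
}
# S200 input: one link per communication connection (undirected).
LINKS = [("fw1", "sw1"), ("sw1", "pc2"), ("sw1", "db1"), ("sw1", "adm1"),
         ("pc1", "adm1"), ("db1", "adm1"), ("db1", "dc1"),
         ("adm1", "dc1"), ("pc2", "dc1")]

LEGACY_SERVER = {"Windows Server 2003", "Windows Server 2008", "Windows Server 2008 R2"}
LEGACY_CLIENT = {"Windows XP", "Windows 7"}
TARGET_TYPES = {"domain_controller", "administrator_server"}

# S310: detection rule sets keyed by device type.  The rules follow the
# patent's example list; the predicates over our constructed fields are ours.
RULES = {
    "domain_controller":    [("dc_legacy_os", lambda d: d["os"] in LEGACY_SERVER)],
    "client":               [("client_legacy_os", lambda d: d["os"] in LEGACY_CLIENT)],
    "database":             [("redis_noauth", lambda d: d.get("redis_auth") is False)],
    "administrator_server": [("admin_legacy_os", lambda d: d["os"] == "Windows 7")],
}


def build_graph(links):
    """S200: undirected adjacency, one node per device, one edge per link."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def candidate_nodes(devices):
    """S320/S330: a node matching any rule of its type's rule set is a
    candidate.  Returns {node: [matched rule ids]} so hits can be scored."""
    hits = {}
    for name, dev in devices.items():
        matched = [rid for rid, pred in RULES.get(dev["type"], []) if pred(dev)]
        if matched:
            hits[name] = matched
    return hits


def ingress_nodes(adj, devices, cands):
    """Candidate nodes that can be attacked first: reachable from outside,
    or connected to a single neighbour (the patent's two ingress criteria)."""
    return sorted(n for n in cands if devices[n].get("external") or len(adj[n]) == 1)


def candidate_paths(adj, devices, cands):
    """S400: simple paths over candidate nodes only, starting at an ingress
    node.  A path is recorded whenever it reaches a domain controller or an
    administrator server and keeps extending, so a route that goes through
    the administrator server on to the DC is kept as well."""
    paths = []

    def walk(path):
        here = path[-1]
        if len(path) >= 2 and devices[here]["type"] in TARGET_TYPES:
            paths.append(tuple(path))
        for nxt in sorted(adj[here]):
            if nxt in cands and nxt not in path:
                walk(path + [nxt])

    for start in ingress_nodes(adj, devices, cands):
        walk([start])
    return paths


def choose_target_path(paths, devices):
    """S500 with the 'fewest devices' preset rule; ties prefer a path that
    ends on the domain controller, then lexical order (our tie-break)."""
    return min(paths, key=lambda p: (len(p), devices[p[-1]]["type"] != "domain_controller", p))


def plan(devices=DEVICES, links=LINKS):
    """Run S200-S500; S600 (the actual test) would follow the returned path."""
    adj = build_graph(links)
    cands = candidate_nodes(devices)
    paths = candidate_paths(adj, devices, cands)
    return cands, paths, choose_target_path(paths, devices)


if __name__ == "__main__":
    cands, paths, target = plan()
    print("candidate nodes:", cands)
    for p in paths:
        print("candidate path:", " -> ".join(p))
    print("target path:", " -> ".join(target))
```

On the constructed inventory the rule sets flag pc1, db1, adm1 and dc1; the ingress nodes are pc1 (a single neighbour) and db1 (externally reachable), seven candidate paths end on adm1 or dc1, and the fewest-devices rule picks db1 -> dc1, the unauthenticated Redis host adjacent to the domain controller. Walking only over candidate nodes is a design choice: the switch sw1 is a node in the diagram but never flagged, so it does not appear on any path.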
In an exemplary embodiment of the present application, step S500 includes:
S510, determining the priority score of each candidate attack path; the priority score is determined from the candidate nodes in that candidate attack path.
S520, determining a target attack path from the plurality of candidate attack paths according to the priority scores.
In this embodiment, the priority score of each candidate attack path is determined according to the candidate nodes in each candidate attack path. The priority score can be determined according to at least one of the number of candidate nodes in the candidate path, the importance degree of the candidate nodes and the vulnerability number of the candidate nodes. The smaller the number of candidate nodes is, the fewer devices which need to be attacked are, and the attack efficiency can be improved. The higher the importance degree of the candidate node is, the greater the help of the candidate node on subsequent attacks after being trapped by the attack is. The larger the number of the loopholes of the candidate node is, the lower the difficulty of trapping the candidate node is or the more selectable attack modes are.
Therefore, in the application, the priority score corresponding to each candidate attack path is determined through the method, and a better or optimal candidate attack path can be selected as a target attack path, so that the efficiency of the penetration attack test is improved.
In an exemplary embodiment of the present application, determining a target attack path from the plurality of candidate attack paths according to the priority scores includes:
determining the candidate attack paths whose number of candidate nodes meets a preset number condition as intermediate attack paths; and
determining the intermediate attack path with the highest priority score as the target attack path.
In practice, when the priority score of each candidate attack path is determined, a path with a very large number of candidate nodes may also obtain a high priority score. However, the more devices an attack passes through, the higher the probability that it is discovered, so such a path is clearly unsuitable as the target attack path. In this embodiment the preset number condition removes those candidate attack paths so that they cannot be chosen as the target attack path, which improves the accuracy of the determined target attack path.
In an exemplary embodiment of the present application, each device type has a corresponding device score. The device score is used to indicate the importance of the corresponding electronic device. For example, the device score of the domain controller is highest and the device score of the client device is lowest.
The determining the priority score corresponding to each candidate attack path includes:
and determining the priority score corresponding to each candidate attack path according to the equipment scores corresponding to all candidate nodes in each candidate attack path.
Specifically, the device scores of all candidate nodes in each candidate attack path may be summed to obtain the priority score of that path. The higher the priority score, the higher the attack value of the corresponding candidate attack path, so the accuracy of the determined target attack path is higher.
In an exemplary embodiment of the present application, after obtaining the plurality of candidate nodes, the method further includes:
and determining the vulnerability score corresponding to each candidate node according to the detection rule met by each candidate node.
The determining the priority score corresponding to each candidate attack path according to the device scores corresponding to all candidate nodes in each candidate attack path comprises the following steps:
and determining the priority score corresponding to each candidate attack path according to the equipment scores and the vulnerability scores corresponding to all candidate nodes in each candidate attack path.
Specifically, each detection rule includes a corresponding basic vulnerability score; each device type has a corresponding device weight.
Determining the vulnerability score of each candidate node according to the detection rules it matches includes:
determining the vulnerability score of each candidate node from the device weight of that node and the base vulnerability scores of the detection rules it matches. The vulnerability score can be obtained by weighting the base vulnerability scores with the device weight and summing them.
The base vulnerability score can be determined from the number of attack means that correspond to the detection rule, or from the difficulty of the attack: the more attack means, or the lower the attack difficulty, the higher the base vulnerability score. The same vulnerability also has a different value to an attacker on different types of electronic device; for example, vulnerability A on a domain controller is of much higher value to an attacker than vulnerability A on a client device. Therefore, in this embodiment, the determined priority score reflects both the value of the vulnerabilities on the candidate attack path and the different attack value of the same vulnerability on different device types, so the priority is more accurate and the accuracy of the subsequently determined target attack path is improved.
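The scoring rules of S510 and S520, the preset number condition, and the device score, device weight and base vulnerability score refinements, as an added Python example (not the patent's own code). The node types, score tables, weights, matched rules and candidate paths are constructed inputs made up for the example; the patent gives no concrete values, and the choice to add the vulnerability score to the device score of each node is one reading of "according to the device scores and the vulnerability scores".

```python
"""Added example (not the patent's code): path priority scores with device
scores, device weights, base vulnerability scores and a node-count limit.
All tables and paths below are constructed."""

# Device type per candidate node (constructed; names are fictitious).
DEVICE_TYPE = {"pc1": "client", "pc3": "client", "prn1": "printer",
               "db1": "database", "adm1": "administrator_server",
               "dc1": "domain_controller"}
# Device score = importance of the device type (domain controller highest,
# client lowest, as the patent states); the numbers are ours.
DEVICE_SCORE = {"client": 1, "printer": 1, "database": 3,
                "administrator_server": 4, "domain_controller": 5}
# Device weight = how much more a vulnerability is worth on that type.
DEVICE_WEIGHT = {"client": 0.5, "printer": 0.5, "database": 1.0,
                 "administrator_server": 1.5, "domain_controller": 2.0}
# Base vulnerability score per detection rule (more attack means or an
# easier attack gives a higher score); values are assumptions.
BASE_VULN = {"client_legacy_os": 2, "admin_legacy_os": 2, "redis_noauth": 3,
             "dc_legacy_os": 3, "printer_default_creds": 1}
# Rules each candidate node matched in S330 (constructed).
MATCHED = {"pc1": ["client_legacy_os"], "pc3": ["client_legacy_os"],
           "prn1": ["printer_default_creds"], "db1": ["redis_noauth"],
           "adm1": ["admin_legacy_os"], "dc1": ["dc_legacy_os"]}
# Candidate attack paths from S400 (constructed); the last one is long but
# collects a high raw score, which is the case the number condition handles.
CANDIDATE_PATHS = [
    ("db1", "dc1"),
    ("db1", "adm1", "dc1"),
    ("pc1", "adm1", "dc1"),
    ("pc1", "adm1", "db1", "dc1"),
    ("pc3", "prn1", "pc1", "adm1", "db1", "dc1"),
]
MAX_NODES = 4  # preset number condition: at most this many candidate nodes


def vulnerability_score(node):
    """Base scores of the rules the node matched, weighted by its device type."""
    weight = DEVICE_WEIGHT[DEVICE_TYPE[node]]
    return weight * sum(BASE_VULN[rule] for rule in MATCHED.get(node, []))


def priority_score(path, with_vulns=True):
    """S510: sum over the path of each node's device score, plus (in the
    refined embodiment) its vulnerability score."""
    total = 0.0
    for node in path:
        total += DEVICE_SCORE[DEVICE_TYPE[node]]
        if with_vulns:
            total += vulnerability_score(node)
    return total


def choose_target_path(paths, max_nodes=MAX_NODES, with_vulns=True):
    """S520 with the preset number condition: paths within the node limit
    are the intermediate paths; the highest-scoring one is the target.
    Ties go to the shorter path (our tie-break)."""
    intermediate = [p for p in paths if len(p) <= max_nodes]
    if not intermediate:
        return None
    return max(intermediate, key=lambda p: (priority_score(p, with_vulns), -len(p)))


if __name__ == "__main__":
    for p in CANDIDATE_PATHS:
        flag = "" if len(p) <= MAX_NODES else "  (dropped: too many nodes)"
        print(f"{priority_score(p):5.1f}  {' -> '.join(p)}{flag}")
    print("target path:", " -> ".join(choose_target_path(CANDIDATE_PATHS)))
```

Because the score is a sum over nodes, every extra hop adds to it, so the six-node path scores highest of all (29.5) yet is discarded by the node limit and the four-node path pc1 -> adm1 -> db1 -> dc1 (26.0) becomes the target; raising `max_nodes` to 10 lets the long path win, and a limit of 1 leaves no intermediate path at all. Setting `with_vulns=False` gives the device-score-only embodiment.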
Referring to fig. 2, in another aspect of the present application, an attack testing apparatus is provided, which includes:
and the acquisition module is used for acquiring the equipment information of each electronic equipment in the system to be tested.
The generating module is configured to generate a system structure diagram according to the device information of each electronic device; the system structure diagram contains a plurality of nodes, each node corresponds to one electronic device and carries its device information, and a connecting line between any two nodes indicates that the two devices are in communication connection.
And the node determining module is used for determining the nodes of which the equipment information meets the preset conditions as candidate nodes so as to obtain a plurality of candidate nodes.
The first path determining module is used for determining a plurality of candidate attack paths according to the position of each candidate node in the system structure chart; each candidate attack path comprises at least two candidate nodes.
And the second path determining module is used for determining a target attack path from the candidate attack paths according to a preset rule.
The test module is configured to carry out an attack test on the system to be tested using the target attack path.
Moreover, although the steps of the methods of the present disclosure are depicted in the drawings in a particular order, this does not require or imply that the steps must be performed in this particular order, or that all of the depicted steps must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions, etc.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, and may also be implemented by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
As will be appreciated by one skilled in the art, aspects of the present application may be embodied as a system, method or program product. Accordingly, various aspects of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects, all of which may generally be referred to herein as a "circuit", "module" or "system".
An electronic device according to this embodiment of the present application is described below. The electronic device is only an example and should not limit the function or scope of use of the embodiments of the present application.
The electronic device is in the form of a general purpose computing device. Components of the electronic device may include, but are not limited to: the at least one processor, the at least one memory, and a bus connecting the various system components (including the memory and the processor).
The memory stores program code that is executable by the processor to cause the processor to perform the steps according to the various exemplary embodiments of the present application described in the "exemplary methods" section above.
The memory may include readable media in the form of volatile memory, such as Random Access Memory (RAM) and/or cache memory, and may further include Read Only Memory (ROM).
The memory may also include a program/utility having a set (at least one) of program modules, including but not limited to an operating system, one or more application programs, other program modules and program data, each of which, or some combination of which, may comprise an implementation of a network environment.
The bus may be any representation of one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures.
The electronic device may also communicate with one or more external devices (e.g., a keyboard, a pointing device, a Bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device, and/or with any device (e.g., a router, a modem, etc.) that enables the electronic device to communicate with one or more other computing devices. Such communication may take place through an input/output (I/O) interface. The electronic device may also communicate with one or more networks (e.g., a local area network (LAN), a wide area network (WAN), and/or a public network such as the Internet) via a network adapter. The network adapter communicates with the other modules of the electronic device over the bus. It should be appreciated that, although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with the necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and which includes several instructions that enable a computing device (which may be a personal computer, a server, a terminal device, a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, there is also provided a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, various aspects of the present application may also be implemented in the form of a program product comprising program code for causing a terminal device to perform the steps according to various exemplary embodiments of the present application described in the "exemplary methods" section above of this specification, when the program product is run on the terminal device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out the operations of the present application may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. Where a remote computing device is involved, it may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computing device (e.g., through the Internet using an Internet service provider).
Furthermore, the above-described figures are only schematic illustrations of the processes involved in the methods according to exemplary embodiments of the present application and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
It should be noted that although the detailed description above mentions several modules or units of the device for action execution, such a division is not mandatory. Indeed, according to embodiments of the present disclosure, the features and functionality of two or more of the modules or units described above may be embodied in a single module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. An attack testing method, comprising:
acquiring device information of each electronic device in a system to be tested;
generating a system structure diagram according to the device information of each electronic device, wherein each node in the system structure diagram corresponds to one electronic device, each node contains the device information of its corresponding electronic device, and a connecting line between any two nodes represents that the two corresponding electronic devices are in communication connection;
determining nodes whose device information meets a preset condition as candidate nodes, so as to obtain a plurality of candidate nodes;
determining a plurality of candidate attack paths according to the position of each candidate node in the system structure diagram, wherein each candidate attack path comprises at least two candidate nodes;
determining a target attack path from the plurality of candidate attack paths according to a preset rule;
and carrying out an attack test on the system to be tested by using the target attack path.
2. The attack testing method according to claim 1, wherein the device information includes a device type and device configuration information;
and wherein determining nodes whose device information meets the preset condition as candidate nodes, so as to obtain a plurality of candidate nodes, comprises:
determining a detection rule set corresponding to each node according to the device type of that node, the detection rule set comprising at least one detection rule;
detecting the device configuration information of the corresponding node by using each detection rule set;
and if the current node meets any detection rule in its corresponding detection rule set, determining the current node as a candidate node.
3. The attack testing method according to claim 2, wherein determining the target attack path from the plurality of candidate attack paths according to the preset rule comprises:
determining a priority score corresponding to each candidate attack path, the priority score being determined according to the candidate nodes in the corresponding candidate attack path;
and determining the target attack path from the plurality of candidate attack paths according to the priority scores.
4. The attack testing method according to claim 3, wherein determining the target attack path from the plurality of candidate attack paths according to the priority scores comprises:
determining the candidate attack paths whose number of candidate nodes meets a preset number condition as intermediate attack paths;
and determining the intermediate attack path with the highest priority score as the target attack path.
5. The attack testing method according to claim 3 or 4, wherein each device type has a corresponding device score, the device score representing the importance of the corresponding electronic device;
and wherein determining the priority score corresponding to each candidate attack path comprises:
determining the priority score corresponding to each candidate attack path according to the device scores corresponding to all candidate nodes in that candidate attack path.
6. The attack testing method according to claim 5, wherein, after obtaining the plurality of candidate nodes, the method further comprises:
determining a vulnerability score corresponding to each candidate node according to the detection rule that the candidate node meets;
and wherein determining the priority score corresponding to each candidate attack path according to the device scores corresponding to all candidate nodes in that candidate attack path comprises:
determining the priority score corresponding to each candidate attack path according to the device scores and the vulnerability scores corresponding to all candidate nodes in that candidate attack path.
7. The attack testing method according to claim 6, wherein each detection rule has a corresponding base vulnerability score, and each device type has a corresponding device weight;
and wherein determining the vulnerability score corresponding to each candidate node according to the detection rule that the candidate node meets comprises:
determining the vulnerability score of each candidate node according to the device weight of that candidate node and the base vulnerability score corresponding to the detection rule that the candidate node meets.
8. An attack testing apparatus, comprising:
an acquisition module, used for acquiring device information of each electronic device in a system to be tested;
a generating module, used for generating a system structure diagram according to the device information of each electronic device, wherein each node in the system structure diagram corresponds to one electronic device, each node contains the device information of its corresponding electronic device, and a connecting line between any two nodes represents that the two corresponding electronic devices are in communication connection;
a node determining module, used for determining nodes whose device information meets a preset condition as candidate nodes, so as to obtain a plurality of candidate nodes;
a first path determining module, used for determining a plurality of candidate attack paths according to the position of each candidate node in the system structure diagram, wherein each candidate attack path comprises at least two candidate nodes;
a second path determining module, used for determining a target attack path from the plurality of candidate attack paths according to a preset rule;
and a test module, used for carrying out an attack test on the system to be tested by using the target attack path.
9. An electronic device comprising a processor and a memory;
the processor is adapted to perform the steps of the method of any one of claims 1 to 7 by calling a program or instructions stored in the memory.
10. A non-transitory computer readable storage medium storing a program or instructions for causing a computer to perform the steps of the method of any one of claims 1 to 7.
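The script below is an added worked example of the pipeline claims 1 to 7 describe (device inventory, structure diagram, rule-based candidate nodes, candidate attack paths, priority scoring, target path). It is written for this page and is not the patent's or Antiy's implementation. Everything concrete in it is an assumption: the device names, links and configuration fields are constructed; the claims fix no rule contents, no formula for combining device weight with base vulnerability score (the example multiplies them and takes the highest matched rule), no method for enumerating paths "according to the position of each candidate node" (the example enumerates simple paths between every pair of candidate nodes) and no "preset number condition" (the example requires at least three candidate nodes on a path). Two practitioner caveats are built in: simple-path enumeration is exponential on meshed networks, so the search is bounded by a hop limit, and ties between equal-scoring paths are broken toward the shorter path so that the selection is deterministic and repeatable, which is the whole point of automating the choice.

```python
"""Worked example of the claimed attack-path selection pipeline.

Added illustration for this page, not code from the patent. All devices, links,
rules, scores and weights are constructed; the combination formulas, the path
enumeration method and the number condition are assumptions (see comments).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass
class Device:
    name: str
    dev_type: str
    config: dict


# Constructed sample inventory (claim 1: device information per electronic device).
DEVICES: dict[str, Device] = {
    "sw1": Device("sw1", "switch", {"snmp_community": "public"}),
    "web1": Device("web1", "server", {"ssh_password_auth": True, "patch_level": 5}),
    "db1": Device("db1", "server", {"ssh_password_auth": False, "patch_level": 5}),
    "ws1": Device("ws1", "workstation", {"smbv1_enabled": True}),
    "hmi1": Device("hmi1", "workstation", {"smbv1_enabled": False}),
    "plc1": Device("plc1", "plc", {"telnet_open": True}),
}
# Constructed communication links: one line between two nodes in the structure diagram.
LINKS = [("sw1", "web1"), ("sw1", "db1"), ("sw1", "ws1"),
         ("ws1", "hmi1"), ("hmi1", "plc1"), ("db1", "plc1")]

# Detection rule sets per device type (claim 2); each rule carries a base
# vulnerability score (claim 7). The rules and scores are assumed for the example.
Rule = tuple[str, Callable[[dict], bool], float]
RULES: dict[str, list[Rule]] = {
    "switch": [("default_snmp_community", lambda c: c.get("snmp_community") == "public", 4.0)],
    "server": [("ssh_password_auth", lambda c: bool(c.get("ssh_password_auth")), 7.0),
               ("outdated_patch_level", lambda c: c.get("patch_level", 0) < 3, 5.0)],
    "workstation": [("smbv1_enabled", lambda c: bool(c.get("smbv1_enabled")), 6.0)],
    "plc": [("telnet_open", lambda c: bool(c.get("telnet_open")), 8.0)],
}
# Device score = importance of the device type (claim 5); device weight scales
# the base vulnerability score (claim 7). Values are assumed.
DEVICE_SCORE = {"switch": 3.0, "server": 5.0, "workstation": 2.0, "plc": 8.0}
DEVICE_WEIGHT = {"switch": 0.7, "server": 1.0, "workstation": 0.8, "plc": 1.5}


def build_graph(devices: dict[str, Device], links) -> dict[str, set[str]]:
    """Undirected adjacency map: nodes are devices, edges are communication links."""
    graph: dict[str, set[str]] = {name: set() for name in devices}
    for a, b in links:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def find_candidates(devices: dict[str, Device]) -> dict[str, list[str]]:
    """Claim 2: a node is a candidate if it meets any rule of its type's rule set.
    Returns node -> matched rule names; a type with no rule set never matches."""
    matched: dict[str, list[str]] = {}
    for name, dev in devices.items():
        hits = [rule for rule, pred, _ in RULES.get(dev.dev_type, []) if pred(dev.config)]
        if hits:
            matched[name] = hits
    return matched


def vulnerability_score(dev: Device, hits: list[str]) -> float:
    """Claim 7: device weight combined with the base score of the matched rule.
    Assumption: multiply, and with several hits use the highest base score."""
    base = max(score for rule, _, score in RULES[dev.dev_type] if rule in hits)
    return DEVICE_WEIGHT[dev.dev_type] * base


def candidate_paths(graph: dict[str, set[str]], candidates, max_hops: int = 4) -> list[list[str]]:
    """Claim 1: simple paths between every pair of candidate nodes, so every path
    holds at least two candidates; intermediate hops may be non-candidates.
    max_hops is an added bound: simple-path enumeration is exponential on meshed networks."""
    ordered = sorted(candidates)
    paths: list[list[str]] = []

    def dfs(node: str, goal: str, path: list[str]) -> None:
        if node == goal:
            paths.append(list(path))
            return
        if len(path) - 1 >= max_hops:
            return
        for nxt in sorted(graph[node]):
            if nxt not in path:  # simple paths only: no node revisited
                path.append(nxt)
                dfs(nxt, goal, path)
                path.pop()

    for i, src in enumerate(ordered):
        for dst in ordered[i + 1:]:
            dfs(src, dst, [src])
    return paths


def priority_score(path: list[str], devices: dict[str, Device], candidates: dict[str, list[str]]) -> float:
    """Claims 5 and 6: over the candidate nodes on the path, sum device score plus
    vulnerability score. Non-candidate hops contribute nothing (assumption)."""
    total = 0.0
    for name in path:
        if name in candidates:
            dev = devices[name]
            total += DEVICE_SCORE[dev.dev_type] + vulnerability_score(dev, candidates[name])
    return total


def select_target(paths, devices, candidates, min_candidates: int = 3):
    """Claim 4: keep paths whose candidate-node count meets the preset number condition
    (assumed: at least min_candidates), then take the highest priority score.
    Ties go to the shorter path so the choice is deterministic."""
    intermediate = [p for p in paths if sum(n in candidates for n in p) >= min_candidates]
    if not intermediate:
        return None
    return max(intermediate, key=lambda p: (priority_score(p, devices, candidates), -len(p)))


def run(devices=DEVICES, links=LINKS):
    """Whole pipeline; returns (candidate map, candidate paths, target path)."""
    graph = build_graph(devices, links)
    candidates = find_candidates(devices)
    paths = candidate_paths(graph, candidates)
    return candidates, paths, select_target(paths, devices, candidates)


if __name__ == "__main__":
    cands, paths, target = run()
    print("candidates:", cands)
    print(f"{len(paths)} candidate paths; target: {' -> '.join(target)}")
```

On the constructed inventory the candidates are sw1, web1, ws1 and plc1 (db1 and hmi1 meet no rule), ten bounded simple paths are enumerated, six of them carry at least three candidate nodes, and the winner is plc1 -> hmi1 -> ws1 -> sw1 -> web1 with a priority score of 44.6, because it is the only path that touches all four candidates. Note that nothing in the claims fixes a direction for a path; a tester who wants "entry point to crown jewel" ordering would add that as part of the preset rule rather than reading it out of the score.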
CN202211669141.3A 2022-12-23 2022-12-23 Attack testing method and device, electronic equipment and storage medium Pending CN115987641A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211669141.3A CN115987641A (en) 2022-12-23 2022-12-23 Attack testing method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211669141.3A CN115987641A (en) 2022-12-23 2022-12-23 Attack testing method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115987641A true CN115987641A (en) 2023-04-18

Family

ID=85971751

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211669141.3A Pending CN115987641A (en) 2022-12-23 2022-12-23 Attack testing method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115987641A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117040945A (en) * 2023-10-10 2023-11-10 深圳安天网络安全技术有限公司 Method, device, medium and equipment for determining protection strategy of electronic equipment
CN117040945B (en) * 2023-10-10 2024-02-02 深圳安天网络安全技术有限公司 Method, device, medium and equipment for determining protection strategy of electronic equipment
CN117478435A (en) * 2023-12-28 2024-01-30 中汽智联技术有限公司 Whole vehicle information security attack path generation method and system
CN117478435B (en) * 2023-12-28 2024-04-09 中汽智联技术有限公司 Whole vehicle information security attack path generation method and system

Similar Documents

Publication Publication Date Title
US9264444B2 (en) Systems and methods for determining an objective security assessment for a network of assets
CN115987641A (en) Attack testing method and device, electronic equipment and storage medium
RU2514140C1 (en) System and method for improving quality of detecting malicious objects using rules and priorities
US20110307956A1 (en) System and method for analyzing malicious code using a static analyzer
US20190081970A1 (en) Specifying system, specifying device, and specifying method
US20210160260A1 (en) Automatic Categorization Of IDPS Signatures From Multiple Different IDPS Systems
CN109818972B (en) Information security management method and device for industrial control system and electronic equipment
CN112953896A (en) Playback method and device of log message
CN111767548A (en) Vulnerability capturing method, device, equipment and storage medium
CN116595523A (en) Multi-engine file detection method, system, equipment and medium based on dynamic arrangement
CN114553551B (en) Method and device for testing intrusion prevention system
CN115964701A (en) Application security detection method and device, storage medium and electronic equipment
CN109714371B (en) Industrial control network safety detection system
CN113839912B (en) Method, device, medium and equipment for analyzing abnormal host by active and passive combination
CN109933990B (en) Multi-mode matching-based security vulnerability discovery method and device and electronic equipment
CN116781426B (en) Port repairing method and device, storage medium and electronic equipment
CN117009962B (en) Anomaly detection method, device, medium and equipment based on effective label
CN117034210B (en) Event image generation method and device, storage medium and electronic equipment
CN114996668B (en) Processing method, device, equipment and medium of open source assembly
CN117077138B (en) Anomaly detection method, system, medium and equipment based on browser
CN113010268B (en) Malicious program identification method and device, storage medium and electronic equipment
CN111309311B (en) Vulnerability detection tool generation method, device, equipment and readable storage medium
CN117040938B (en) Abnormal IP detection method and device, electronic equipment and storage medium
CN117034261B (en) Exception detection method and device based on identifier, medium and electronic equipment
CN115967566A (en) Network threat information processing method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination