CN116170224A - Penetration test method, device, equipment and medium - Google Patents


Info

Publication number
CN116170224A
Authority
CN
China
Prior art keywords
attack
data
vulnerability
target
target object
Prior art date
Legal status
Pending
Application number
CN202310184683.XA
Other languages
Chinese (zh)
Inventor
姜宁
聂滢
卢永頔
舒敏根
陈国�
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Information Technology Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Information Technology Co Ltd
Priority to CN202310184683.XA
Publication of CN116170224A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a penetration test method, device, equipment and medium. The penetration test method comprises: performing network mapping on a target object to obtain first network asset data and first vulnerability data of the target object, where the first vulnerability data is known vulnerability data; determining unknown vulnerability data of the target object based on the first network asset data, the first vulnerability data and an attack prediction model; generating a target attack graph of the target object based on the first network asset data, the first vulnerability data and the unknown vulnerability data; inputting the target attack graph into a trained deep learning engine to obtain an optimal attack path of the target attack graph; and performing an automatic penetration test on the target object along the optimal attack path of the target attack graph. According to the embodiments of the application, the limitations of the penetration test scheme are reduced and the effectiveness of the penetration test is improved.

Description

Penetration test method, device, equipment and medium
Technical Field
The application belongs to the technical field of network security, and particularly relates to a penetration test method, a penetration test device, penetration test equipment and penetration test media.
Background
Currently, enterprises in all industries are paying more and more attention to vulnerability discovery and penetration testing as part of their network security defenses. However, because attack techniques have a steep learning curve and high time and staffing costs, skilled penetration testers have long been in short supply, and the gap between supply and demand keeps growing. AI-enabled penetration testing can lower this technical threshold to some extent, turning manual penetration testing into an automated or semi-automated operation.
In the related art, traditional automated penetration test schemes obtain known vulnerability information from public channels and plan the penetration path from that information alone. Unknown vulnerabilities cannot be learned this way, so no penetration path through an unknown vulnerability can be planned; the scheme is therefore highly limited and the penetration test is less effective.
Disclosure of Invention
The embodiments of the application aim to provide a penetration test method and device that reduce the limitations of the penetration test scheme and improve the effectiveness of the penetration test.
In a first aspect, embodiments of the present application provide a penetration test method comprising: performing network mapping on a target object to obtain first network asset data and first vulnerability data of the target object, where the first vulnerability data is known vulnerability data; determining unknown vulnerability data of the target object based on the first network asset data, the first vulnerability data and an attack prediction model; generating a target attack graph of the target object based on the first network asset data, the first vulnerability data and the unknown vulnerability data; inputting the target attack graph into a trained deep learning engine to obtain an optimal attack path of the target attack graph; and performing an automatic penetration test on the target object along the optimal attack path of the target attack graph.
In some implementations of the first aspect, determining the unknown vulnerability data of the target object based on the first network asset data, the first vulnerability data and the attack prediction model includes: constructing a network security knowledge graph and a relationship path set from the first network asset data and the first vulnerability data; obtaining historical attack data from the first network asset data; constructing attack sample data from the historical attack data; inputting the network security knowledge graph, the relationship path set and the attack sample data into the attack prediction model to obtain an attack path set output by the model, the attack path set comprising a plurality of unknown vulnerability attack paths; and performing vulnerability discovery by fuzz testing on target network asset data within the first network asset data to obtain the unknown vulnerability data of the target object. Here the first network asset data comprises the asset data of each network node corresponding to the target object, the network nodes covered by the unknown vulnerability attack paths are the target network nodes, and the target network asset data is the asset data of those target network nodes.
In some implementations of the first aspect, before determining the unknown vulnerability data of the target object, the method further includes: constructing a first classifier and a second classifier, where the first classifier judges whether an attack occurs and the second classifier judges, when an attack has occurred, whether it is a 0day vulnerability attack; and generating the attack prediction model from the first classifier and the second classifier.
In some implementations of the first aspect, inputting the target attack graph into the trained deep learning engine to obtain the optimal attack path of the target attack graph includes: inputting the target attack graph into the trained deep learning engine so that the engine assigns a first score to each network node in the target attack graph, determines a second score for each of the multiple target attack paths of the target attack graph from the first scores of the network nodes, and outputs the target attack path with the highest second score as the optimal attack path of the target attack graph; the first score represents the exploitability of the vulnerability at the network node, and the second score of a target attack path is determined from the first scores of the network nodes that the path covers.
In some implementations of the first aspect, before inputting the target attack graph into the trained deep learning engine, the method further includes: when traffic sample data is available, constructing a plurality of experimental topology environments from the traffic sample data; scanning each experimental topology environment to obtain its scan data; converting the scan data of each experimental topology environment into a sample attack graph, giving a plurality of sample attack graphs; and training the deep learning engine with the sample attack graphs as input data and the optimal attack path of each sample attack graph as output data, to obtain the trained deep learning engine.
In some implementations of the first aspect, constructing the plurality of experimental topology environments from the traffic sample data includes: extracting key feature data from the traffic sample data; obtaining second network asset data from the key feature data; and constructing the experimental topology environments from the second network asset data and preset known vulnerability data.
In some implementations of the first aspect, after determining the unknown vulnerability data of the target object, the method further includes: writing the unknown vulnerability data and its exploitation method into a vulnerability database and into the database of a penetration testing tool, respectively, where the penetration testing tool is used to perform the penetration test on the target object.
In a second aspect, embodiments of the present application provide a penetration test apparatus comprising: a mapping processing module for performing network mapping on the target object to obtain first network asset data and first vulnerability data of the target object, where the first vulnerability data is known vulnerability data; a determining module for determining unknown vulnerability data of the target object based on the first network asset data, the first vulnerability data and an attack prediction model; a generation module for generating a target attack graph of the target object based on the first network asset data, the first vulnerability data and the unknown vulnerability data; an input module for inputting the target attack graph into a trained deep learning engine to obtain an optimal attack path of the target attack graph; and a test module for performing an automatic penetration test on the target object along the optimal attack path of the target attack graph.
In some implementations of the second aspect, the determining module includes: a construction unit for constructing a network security knowledge graph and a relationship path set from the first network asset data and the first vulnerability data; an obtaining unit for obtaining historical attack data from the first network asset data, the construction unit also constructing attack sample data from the historical attack data; an input unit for inputting the network security knowledge graph, the relationship path set and the attack sample data into the attack prediction model to obtain an attack path set output by the model, the attack path set comprising a plurality of unknown vulnerability attack paths; and a vulnerability discovery unit for performing fuzz testing on target network asset data within the first network asset data to obtain the unknown vulnerability data of the target object. The first network asset data comprises the asset data of each network node corresponding to the target object, the network nodes covered by the unknown vulnerability attack paths are the target network nodes, and the target network asset data is the asset data of those target network nodes.
In some implementations of the second aspect, the apparatus further includes a construction module for constructing, before the unknown vulnerability data of the target object is determined, a first classifier and a second classifier, where the first classifier judges whether an attack occurs and the second classifier judges, when an attack has occurred, whether it is a 0day vulnerability attack; the generation module is further used to generate the attack prediction model from the first classifier and the second classifier.
In some implementations of the second aspect, the input module is specifically configured to input the target attack graph into the trained deep learning engine so that the engine assigns a first score to each network node in the target attack graph, determines a second score for each of the multiple target attack paths of the target attack graph from the first scores of the network nodes, and outputs the target attack path with the highest second score as the optimal attack path of the target attack graph; the first score represents the exploitability of the vulnerability at the network node, and the second score of a target attack path is determined from the first scores of the network nodes that the path covers.
In some implementations of the second aspect, the apparatus further includes: a construction module for constructing, when traffic sample data is available and before the target attack graph is input into the trained deep learning engine, a plurality of experimental topology environments from the traffic sample data; a scanning module for scanning each experimental topology environment to obtain its scan data; a conversion module for converting the scan data of each experimental topology environment into a sample attack graph, giving a plurality of sample attack graphs; and a training module for training the deep learning engine with the sample attack graphs as input data and the optimal attack path of each sample attack graph as output data, to obtain the trained deep learning engine.
In some implementations of the second aspect, the construction module includes: an extraction unit for extracting key feature data from the traffic sample data; an acquisition unit for obtaining second network asset data from the key feature data; and a construction unit for constructing the experimental topology environments from the second network asset data and preset known vulnerability data.
In some implementations of the second aspect, the apparatus further includes a writing module for writing, after the unknown vulnerability data of the target object is determined, the unknown vulnerability data and its exploitation method into a vulnerability database and into the database of a penetration testing tool, respectively, where the penetration testing tool is used to perform the penetration test on the target object.
In a third aspect, an embodiment of the present application provides an electronic device, including: a processor and a memory storing computer program instructions; the processor when executing the computer program instructions implements the steps of the penetration test method as in the first aspect.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the steps of the penetration test method as in the first aspect.
In a fifth aspect, embodiments of the present application provide a computer program product stored in a non-volatile storage medium, the computer program product being executable by at least one processor to implement the steps of the penetration test method as in the first aspect.
In a sixth aspect, embodiments of the present application provide a chip comprising a processor and a communication interface, the communication interface and the processor being coupled, the processor being configured to execute programs or instructions for implementing the steps of the penetration test method as in the first aspect.
The application provides a penetration test method, device, equipment and medium. The target object is the object under penetration test. In a penetration test on the target object, network mapping is first performed on the target object to obtain its first network asset data and its known first vulnerability data. On that basis, unknown vulnerability data of the target object is determined from the first network asset data, the first vulnerability data and the attack prediction model. Combining the first network asset data, the first vulnerability data and the unknown vulnerability data, a target attack graph of the target object is generated, and inputting that graph into the trained deep learning engine yields its optimal attack path. In this way the target object is examined comprehensively by the attack prediction model to find unknown vulnerability data it may contain, which breaks the limitation of traditional schemes in which vulnerability information can only be obtained from public channels.
Once the network asset data, known vulnerability data and unknown vulnerability data of the penetration test object have been accurately acquired, the three kinds of data are combined to generate a target attack graph with wider vulnerability coverage, and the optimal attack path, which is the penetration path for the target object, is searched over both known and unknown vulnerabilities. Penetration path planning therefore covers known and unknown vulnerabilities alike, which improves on traditional schemes that can only search for the optimal attack path among known vulnerabilities, makes the penetration test of the target object more comprehensive, and thereby improves the penetration test effect.
Drawings
In order to more clearly describe the technical solutions of the embodiments of the present application, the following will briefly describe the drawings that are required to be used in the embodiments of the present application.
FIG. 1 is a flow chart of a penetration test method according to an embodiment of the present application;
FIG. 2 is a flow chart of a penetration test method according to another embodiment of the present application;
FIG. 3 is a flow chart of a penetration testing method according to yet another embodiment of the present application;
FIG. 4 is a schematic structural view of a penetration testing apparatus according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Features and exemplary embodiments of various aspects of the present application are described in detail below to make the objects, technical solutions and advantages of the present application more apparent, and to further describe the present application in conjunction with the accompanying drawings and the detailed embodiments. It should be understood that the specific embodiments described herein are intended to be illustrative of the application and are not intended to be limiting. It will be apparent to one skilled in the art that the present application may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present application by showing examples of the present application.
Currently, enterprises in all industries are paying more and more attention to vulnerability discovery and penetration testing as part of their network security defenses. However, because attack techniques have a steep learning curve and high time and staffing costs, skilled penetration testers have long been in short supply, and the gap between supply and demand keeps growing. AI-enabled penetration testing can lower this technical threshold to some extent, turning manual penetration testing into an automated or semi-automated operation.
In the related art, traditional automated penetration test schemes obtain known vulnerability information from public channels and plan the penetration path from that information alone. Unknown vulnerabilities cannot be learned this way, so no penetration path through an unknown vulnerability can be planned; the scheme is therefore highly limited and the penetration test is less effective. For example, against uncertain penetration targets and defensive measures such as mimic defense and honeypots, traditional automated penetration test schemes do not perform as intended.
To address these problems in the related art, the embodiments of the application provide a penetration test method that reduces the limitations of the penetration test scheme and improves the effectiveness of the penetration test.
The penetration test method provided by the embodiment of the application is described in detail below through specific embodiments and application scenes thereof with reference to the accompanying drawings.
Fig. 1 is a schematic flow chart of a penetration testing method according to an embodiment of the present application, where an execution subject of the penetration testing method may be an electronic device.
The electronic device may be a mobile phone, a tablet computer, an intelligent wearable device, an edge side device, a cloud service device, a server or a server cluster, and the like, which is not particularly limited in this application.
The penetration test method of the present application is described below using an electronic device as the execution subject. It should be noted that the present application does not limit the execution subject or the application scenario.
As shown in FIG. 1, the penetration test method provided by embodiments of the present application may include steps 110-150.
Step 110, performing network mapping processing on the target object to obtain first network asset data and first vulnerability data of the target object.
The target object is a penetration test object, and the first vulnerability data is known vulnerability data.
Step 120, determining unknown vulnerability data of the target object based on the first network asset data, the first vulnerability data, and the attack prediction model.
Step 130, generating a target attack graph of the target object based on the first network asset data, the first vulnerability data, and the unknown vulnerability data.
Step 140, inputting the target attack graph into the trained deep learning engine to obtain an optimal attack path of the target attack graph.
Step 150, performing an automatic penetration test on the target object along the optimal attack path of the target attack graph.
In the penetration test method provided by the embodiments of the application, in a penetration test on a target object, network mapping is first performed on the target object to obtain its first network asset data and its known first vulnerability data. On that basis, unknown vulnerability data of the target object is determined from the first network asset data, the first vulnerability data and the attack prediction model. Combining the first network asset data, the first vulnerability data and the unknown vulnerability data, a target attack graph of the target object is generated, and inputting that graph into the trained deep learning engine yields its optimal attack path. In this way the target object is examined comprehensively by the attack prediction model to find unknown vulnerability data it may contain, which breaks the limitation of traditional schemes in which vulnerability information can only be obtained from public channels.
Once the network asset data, known vulnerability data and unknown vulnerability data of the penetration test object have been accurately acquired, the three kinds of data are combined to generate a target attack graph with wider vulnerability coverage, and the optimal attack path, which is the penetration path for the target object, is searched over both known and unknown vulnerabilities. Penetration path planning therefore covers known and unknown vulnerabilities alike, which improves on traditional schemes that can only search for the optimal attack path among known vulnerabilities, makes the penetration test of the target object more comprehensive, and thereby improves the penetration test effect. At the same time, the method needs no exhaustive trial of vulnerabilities, which greatly reduces the time cost, avoids large numbers of inaccurate exploitation attempts, and improves both the stealth and the accuracy of the penetration test operation.
A specific implementation of the above steps is described in detail below in connection with specific embodiments.
Step 110 concerns performing network mapping on the target object to obtain the first network asset data and the first vulnerability data of the target object.
The target object is a working environment; for example, it may be a device under test or a system under test.
In some embodiments, the target object corresponds to a number of network nodes, and the first network asset data may include the asset data of each network node corresponding to the target object, which may include, but is not limited to: Internet Protocol (IP) address, service protocol, service port, operating system type, application type, middleware, applications, and network routing information.
In some embodiments, the first vulnerability data may include, but is not limited to: the vulnerability identification numbers of the target object and the corresponding Common Vulnerability Scoring System (CVSS) assessment information.
Step 120 concerns determining the unknown vulnerability data of the target object based on the first network asset data, the first vulnerability data and the attack prediction model.
Known vulnerability data is vulnerability data obtainable through public channels; unknown vulnerability data is vulnerability data that cannot be obtained through public channels.
In some embodiments of the present application, before step 120 the method may further include: constructing a first classifier and a second classifier, where the first classifier judges whether an attack occurs and the second classifier judges, when an attack has occurred, whether it is a 0day vulnerability attack; and generating the attack prediction model from the first classifier and the second classifier.
Thus, by constructing the first and second classifiers, an attack prediction model is generated that can judge individual single-step attacks and output the possible unknown vulnerability attack paths.
In some embodiments, the electronic device trains the first classifier with attack data as the first positive samples and non-attack data as the first negative samples. The attack data is further divided into known vulnerability attack data and unknown vulnerability attack data, and the electronic device trains the second classifier with the unknown vulnerability attack data as the second positive samples and the known vulnerability attack data as the second negative samples.
The unknown vulnerability attack data may be, for example, 0day vulnerability attack data. A 0day vulnerability is the generic name for a system vulnerability that has not yet been discovered by security vendors but may already be held by attacker groups; correspondingly, a 0day vulnerability attack is a network attack launched by an attacker using such a 0day vulnerability.
In some embodiments, the attack prediction model uses a logistic regression model to build a binary classifier that performs link prediction. After the path features have been computed, a score function is designed that combines the different path features and computes a score for the relationship under test; the higher the score, the higher the probability that the relationship holds. Training consists of solving for the set of parameters that minimizes the loss function over the sample set, which is taken as the optimal solution.
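The following is an added example, not code from the patent, showing in Python how the two-classifier attack prediction model described above can be realised as path-ranking style link prediction: random-walk features over a small constructed knowledge graph for each relation path in RP, a logistic-regression score function trained by gradient descent, and the cascade of the first classifier (attack or not) and the second classifier (0day or known). The hosts, services, vulnerabilities, relation paths and historical attack samples are all constructed for the illustration and stand in for the first network asset data and attack sample data of the text.

```python
"""Two-stage attack prediction over a cybersecurity knowledge graph (CKG).

Added example, not code from the patent: PRA-style link prediction (random-walk
path features over the relation paths in RP, combined by a logistic-regression
score function) and the two-classifier cascade (first: does an attack occur;
second: is it a 0day attack). Graph, paths and samples are constructed toy data.
"""
import math
from collections import defaultdict

# Constructed FACT set: RDF-style (subject, relation, object) triples.
FACTS = [
    ("attacker", "reaches", "h1"), ("h1", "reaches", "h2"),
    ("h1", "reaches", "h4"), ("h2", "reaches", "h3"),
    ("h1", "runs", "web"), ("h2", "runs", "db"),
    ("h3", "runs", "ssh"), ("h4", "runs", "cache"),
    ("web", "has_vuln", "CVE-known-1"),  # known (public-channel) vulnerabilities;
    ("ssh", "has_vuln", "CVE-known-2"),  # db and cache have none listed
]
HOSTS = ["attacker", "h1", "h2", "h3", "h4"]
# Relation path set RP. The third path steps from dst into its service, onto a
# known vulnerability and back, so it is non-zero only when dst has one.
RP = [
    ("reaches",),
    ("reaches", "reaches"),
    ("reaches", "runs", "has_vuln", "has_vuln^-1", "runs^-1"),
]
# Constructed historical attack samples: (src, dst, attacked, zero_day).
SAMPLES = [
    ("attacker", "h1", 1, 0), ("h2", "h3", 1, 0),  # exploited known CVEs
    ("h1", "h2", 1, 1), ("h1", "h4", 1, 1),        # compromised, no known vuln
    ("attacker", "h3", 0, 0), ("h3", "h1", 0, 0),  # no attack observed
    ("h4", "h2", 0, 0), ("h2", "h1", 0, 0),
]

def build_index(facts):
    """Adjacency keyed by (node, relation); inverse relations get a '^-1' suffix."""
    edges = defaultdict(list)
    for s, r, o in facts:
        edges[(s, r)].append(o)
        edges[(o, r + "^-1")].append(s)
    return edges

def path_feature(edges, src, dst, rp):
    """Probability that a random walk from src following relation path rp (one
    relation per step, uniform choice among neighbours) ends at dst."""
    dist = {src: 1.0}
    for rel in rp:
        nxt = defaultdict(float)
        for node, p in dist.items():
            nbrs = edges.get((node, rel), [])
            for n in nbrs:
                nxt[n] += p / len(nbrs)
        dist = nxt
    return dist.get(dst, 0.0)

def featurize(edges, src, dst):
    return [path_feature(edges, src, dst, rp) for rp in RP] + [1.0]  # bias

def score(w, x):
    """Score function: logistic combination of the path features."""
    return 1.0 / (1.0 + math.exp(-sum(wj * xj for wj, xj in zip(w, x))))

def train_logreg(X, y, lr=1.0, epochs=5000):
    """Batch gradient descent on the logistic loss (convex, so it converges)."""
    w = [0.0] * len(X[0])
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for xi, yi in zip(X, y):
            err = score(w, xi) - yi
            grad = [g + err * xj for g, xj in zip(grad, xi)]
        w = [wj - lr * g / len(X) for wj, g in zip(w, grad)]
    return w

def train_attack_prediction_model(facts=FACTS, samples=SAMPLES):
    """Classifier 1 (attack / no attack) on all samples; classifier 2
    (0day / known) on the attacked samples only."""
    edges = build_index(facts)
    w1 = train_logreg([featurize(edges, s, d) for s, d, _, _ in samples],
                      [a for _, _, a, _ in samples])
    attacked = [(s, d, z) for s, d, a, z in samples if a]
    w2 = train_logreg([featurize(edges, s, d) for s, d, _ in attacked],
                      [z for _, _, z in attacked])
    return edges, w1, w2

def predict(model, src, dst):
    """Cascade decision for one candidate single-step attack src -> dst."""
    edges, w1, w2 = model
    x = featurize(edges, src, dst)
    if score(w1, x) < 0.5:
        return "none"
    return "0day" if score(w2, x) >= 0.5 else "known"

def unknown_vulnerability_paths(model, hosts=HOSTS):
    """Attack path set: src -> dst steps predicted to need an unknown vulnerability."""
    return sorted((s, d) for s in hosts for d in hosts
                  if s != d and predict(model, s, d) == "0day")
```

Running `unknown_vulnerability_paths(train_attack_prediction_model())` returns the two single-step paths into the hosts whose compromise the graph cannot explain with a public CVE, which are then the target network nodes to fuzz in step 250. The path feature that steps from the destination host into its service, onto a known vulnerability and back is what lets the second classifier separate compromises explained by a public CVE from those that are not; in a real deployment RP would be derived from the ontology's relationship and attribute types rather than hand-picked, and the features would be computed over the mapped assets rather than this toy graph.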
In some embodiments of the present application, fig. 2 is a schematic flow chart of a penetration test method according to another embodiment of the present application, and the step 120 may include steps 210 to 250 shown in fig. 2.
Step 210, constructing a network security knowledge graph and a relationship path set based on the first network asset data and the first vulnerability data.
Step 220, obtaining historical attack data from the first network asset data.
The historical attack data is the data of the target object which is attacked before the current moment.
In step 230, attack sample data is constructed based on the historical attack data.
The attack sample data may include first sample data and second sample data, where the first sample data includes all data of the target object that is attacked, the second sample data may be obtained from the first sample data, and the second sample data is data of the target object that is attacked by the 0day vulnerability.
And 240, inputting the network security knowledge graph, the relation path set and the attack sample data into the attack prediction model to obtain an attack path set output by the attack prediction model.
The attack path set comprises a plurality of unknown vulnerability attack paths predicted by an attack prediction model, wherein the unknown vulnerability attack paths are paths for an attacker to initiate attack on a target object by using unknown vulnerabilities existing in network nodes, and the unknown vulnerability attack paths can be 0day vulnerability attack paths.
The relationship path set RP is derived based on the relationship type set R and the attribute type set P.
Step 250, performing vulnerability mining on the target network asset data in the first network asset data by fuzzing, to obtain unknown vulnerability data of the target object.
The first network asset data comprises asset data of each network node corresponding to the target object, network nodes covered by a plurality of unknown vulnerability attack paths in the attack path set are target network nodes, and the target network asset data are asset data of the target network nodes.
In the embodiment of the application, fuzzing-based vulnerability mining driven by unknown-vulnerability attack path prediction is integrated with penetration test attack path planning based on deep reinforcement learning. This avoids blind fuzzing and improves on prior-art schemes that search for an optimal attack path only within the range of known vulnerabilities.
In some embodiments, a loop-free attack sequence consisting of a set of single-step attacks that include a 0day vulnerability attack is denoted (A, E), where A is the set of single-step attacks and E is the set of directed edges linking the single-step attacks. Following the knowledge-graph principle, the cybersecurity knowledge graph (Cybersecurity Knowledge Graph, CKG) is represented by a triple (CSO, FACT, T). CSO = (C, R, P) is the cybersecurity ontology, with C the set of classes, R the set of relationship types and P the set of attribute types; FACT is the set of data knowledge represented in Resource Description Framework (RDF) triple format; and T is the set of type dependencies between the classes in CSO and the entity objects in FACT. The 0day vulnerability attack graph (0day Attack Graph, 0day-AG) is further denoted (A, Priv, L, Prob). A = {a0} ∪ {ak} is the set of single-step attacks, consisting of the 0day vulnerability attack a0 and the known attacks ak; a single-step attack a is represented by the pair (host, vul), where host is the target object and vul is the vulnerability exploited; Priv is the set of pre- and post-attack permissions of the single-step attacks; L = {A × Priv} ∪ {Priv × A} is the set of links between single-step attacks and permissions, which expresses the precondition/postcondition relation among the single-step attacks; and Prob is the set of occurrence probabilities of the single-step attacks. A sequence formed by a group of relationship types in the CKG is denoted rp. The knowledge graph CKG and the attack graph 0day-AG relate as follows: the CKG serves as the knowledge base and is the input of the attack prediction algorithm, providing the knowledge required for attack prediction; the 0day vulnerability attack graph 0day-AG is the graphical representation of the attack prediction result.
The relationship path differs from the attack path as follows: rp is used as a feature by the logistic regression model that performs attack prediction in the path ranking algorithm, whereas the 0day vulnerability attack path 0day-AP is the attack path prediction result, extracted from 0day-AG by combining the occurrence probabilities of the multi-step attacks.
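As an added illustration of the path-ranking features and logistic-regression scoring described above (this code is not part of the patent; the FACT triples, relation paths, host and vulnerability identifiers and attack labels are all constructed for the example), the following Python computes, for each (attacker, host) pair, the random-walk probability of reaching the host along each relation path rp, and then trains a logistic regression on those features to score whether the relationship "attacker attacks host" holds:

```python
"""Path-ranking features over a small cybersecurity knowledge graph (CKG) plus a
logistic-regression scorer, after the link-prediction step described above.
Added example: the triples, relation paths and labels below are constructed."""
import math
from collections import defaultdict

# Constructed FACT triples (subject, relation, object); every identifier is made up.
FACTS = [
    ("att", "reaches", "h1"),            # the attacker's foothold
    ("h1", "connects_to", "h2"),
    ("h1", "connects_to", "h3"),
    ("h2", "connects_to", "h4"),
    ("h2", "has_vuln", "vuln-A"),
    ("h4", "has_vuln", "vuln-A"),
    ("h3", "has_vuln", "vuln-B"),
    ("h5", "has_vuln", "vuln-C"),        # h5 is not reachable from the attacker
]

# Relation paths rp: sequences of relation types; "^-1" marks the inverse relation.
RELATION_PATHS = [
    ("reaches", "connects_to"),                              # one hop from the foothold
    ("reaches", "connects_to", "has_vuln", "has_vuln^-1"),   # shares a vuln with a reachable host
    ("reaches", "connects_to", "connects_to"),               # two hops from the foothold
]

def build_graph(facts):
    """Adjacency keyed by (node, relation); an inverse edge is added for every triple."""
    adj = defaultdict(list)
    for s, r, o in facts:
        adj[(s, r)].append(o)
        adj[(o, r + "^-1")].append(s)
    return adj

def path_probability(adj, start, path, end):
    """Random-walk probability of ending at `end` after following `path` from `start`.
    Mass at a node with no edge of the required type is dropped (the walk dies)."""
    dist = {start: 1.0}
    for rel in path:
        nxt = defaultdict(float)
        for node, p in dist.items():
            nbrs = adj.get((node, rel), [])
            for nb in nbrs:
                nxt[nb] += p / len(nbrs)
        dist = nxt
    return dist.get(end, 0.0)

def features(adj, pair):
    s, t = pair
    return [path_probability(adj, s, rp, t) for rp in RELATION_PATHS]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def train_logreg(X, y, lr=0.5, epochs=3000):
    """Batch gradient descent on the log-loss; returns (weights, bias)."""
    n, d = len(X), len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * d, 0.0
        for x, label in zip(X, y):
            err = label - sigmoid(b + sum(wi * xi for wi, xi in zip(w, x)))
            for j in range(d):
                gw[j] += err * x[j]
            gb += err
        w = [wi + lr * g / n for wi, g in zip(w, gw)]
        b += lr * gb / n
    return w, b

def score(model, x):
    """The score function: a weighted combination of the path features, squashed to (0, 1)."""
    w, b = model
    return sigmoid(b + sum(wi * xi for wi, xi in zip(w, x)))

# Constructed historical labels: 1 = the host was attacked before, 0 = it was not.
SAMPLES = [(("att", "h2"), 1), (("att", "h3"), 1), (("att", "h4"), 1),
           (("att", "h1"), 0), (("att", "h5"), 0)]

def fit_attack_model(adj, labelled_pairs):
    X = [features(adj, pair) for pair, _ in labelled_pairs]
    y = [label for _, label in labelled_pairs]
    return train_logreg(X, y)

if __name__ == "__main__":
    adj = build_graph(FACTS)
    model = fit_attack_model(adj, SAMPLES)
    for host in ("h2", "h3", "h4", "h5"):
        print(host, round(score(model, features(adj, ("att", host))), 3))
```

Hosts h2, h3 and h4 score higher than h5 because only they are reachable along at least one relation path; h5 has all-zero features and receives the bias-only score. A walk whose current node has no edge of the required type dies, which is what makes unreachable hosts score zero on every path, so the quality of the prediction depends directly on how complete the FACT triples are.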
In some embodiments, after inputting the network security knowledge graph, the set of relationship paths, and the attack sample data to the attack prediction model, the attack prediction model may perform the steps of:
1) Initialize the variables: A, L, Prob, Priv, Thr, Cons, 0day-AP and the comprehensive exploitation set CE;
2) Select an attacker: att ← selectAttacker(CKG);
3) Extract the set of system devices: host ← selectHost(CKG);
4) Query the attacker's initial set of permissions: init_priv ← query_privilege(att, CKG);
5) Train the first classifier LCA and the second classifier LCZ: LCA.fit(D1); LCZ.fit(D2); D1 is the training sample data of the first classifier and D2 that of the second classifier;
6) Execute the following logic:
6.1. Run a while loop. First compute the features; if the first classifier judges that no attack occurs, exit the loop, otherwise continue;
6.2. If the second classifier judges that the attack is a 0day vulnerability attack, query the 0day vulnerability entity exploited by that attack in the network security knowledge graph, and query the attacker's attack intention towards the target object;
6.3. Create a permission entity that satisfies the attack intention as the post-attack permission; for an attack that exploits a known vulnerability entity, query its exploitation result in the network security knowledge graph and, from that result, evaluate the permission the attacker obtains as the post-attack permission;
6.4. Then construct the single-step attack; if it is judged not to be a new attack, exit the loop;
6.5. Further extract the probability that the attack occurs, query the attack's pre-attack permission, and update the permissions the attacker holds in the network security knowledge graph; if no new attack appears in the current round of prediction, end the prediction;
6.6. If an attack path appears, check the target permission, extract the attack path, and output the 0day vulnerability attack path set 0day-AP.
In some embodiments, after the network security knowledge graph, the relationship path set and the attack sample data are input to the attack prediction model in step 240, the attack prediction model may further output a 0day attack graph 0day-AG = (A, Priv, L, Prob), a comprehensive exploitation set CE, and an optimal attack path 0day-AP-Final.
In the embodiment of the application, after attack prediction is completed, the vulnerabilities exploited by the attack and their pre- and post-conditions are mined using the query function of the graph database, with the start and end entities and the relationship path as query conditions; single-step attacks are constructed and the 0day attack graph is generated.
In some embodiments, after step 250, the method may further comprise: writing the unknown vulnerability data and its exploitation method into the vulnerability database and the exploit (EXP) database of the penetration test tool, respectively.
The penetration test tool is used for performing penetration test on the target object.
In this way, unknown vulnerability knowledge is added to the known vulnerability database and the penetration testing capability of the penetration test tool is strengthened; the new vulnerability knowledge and exploitation methods continuously improve the vulnerability database and the capability of the penetration test tool, and thereby the effect of penetration testing.
In the embodiment of the application, in a penetration test operation scenario, network mapping is first performed on the penetration test operating environment (i.e. the target object); known vulnerabilities are then scanned on the basis of the network asset data obtained by mapping; unknown vulnerabilities are further mined on the basis of the known vulnerabilities; and finally attack graph generation, attack path planning and automated penetration testing are performed to complete the preset penetration test operation.
Referring to step 130, a target attack graph of the target object is generated based on the first network asset data, the first vulnerability data and the unknown vulnerability data.
The target attack graph can be an attack tree representing the interdependence between attack behaviours and attack steps; each node of the attack tree represents an attack behaviour or a network node, and the root node represents the final goal of the attack; whenever a child node is compromised, its parent node can be compromised as well.
The target attack graph may reflect attack paths for an attacker to initiate an attack on a target object using network nodes with known vulnerabilities and/or unknown vulnerabilities in the target object, each attack path may cover at least one network node.
Step 140, inputting the target attack graph to the trained deep learning engine to obtain the optimal attack path of the target attack graph.
The optimal attack path has the highest vulnerability exploitability, so it is the attack path an attacker is most likely to use when attacking the target object.
In some embodiments of the present application, step 140 may specifically include: inputting the target attack graph to the trained deep learning engine, so that the deep learning engine assigns a first score to each network node in the target attack graph, determines, based on the first scores of the network nodes, a second score for each of the multiple target attack paths corresponding to the target attack graph, and outputs the target attack path with the highest second score as the optimal attack path of the target attack graph.
The first score characterizes the vulnerability exploitability of a network node, and the second score is determined from the first scores of the network nodes covered by the target attack path.
In some embodiments, the second score for the target attack path may be the sum of the first scores for all network nodes covered by the target attack path.
In other embodiments, the second score of the target attack path may be a ratio of a sum of the first scores of all network nodes covered by the target attack path to a first number, where the first number is the number of all network nodes covered by the target attack path.
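To make the two aggregations concrete, here is an added Python example (not from the patent) with a constructed attack graph and made-up per-node exploitability scores: it enumerates the simple paths from the attacker's entry point to the target and ranks them by the sum and by the mean of the first scores. It also shows the practical caveat that the sum favours longer paths, so a path that appends a weakly exploitable hop can outrank a shorter, uniformly stronger one, while the mean does not have that bias. The node names, edges and scores are assumptions made for the example.

```python
"""Ranking candidate attack paths: every node carries a first score (exploitability),
every path a second score aggregated from the nodes it covers. Added example with a
constructed attack graph; the exploitability values are made up, on a CVSS-like 0..10 scale."""

# Constructed attack graph: node -> successors. "internet" is the attacker's entry point.
EDGES = {
    "internet": ["web", "vpn"],
    "web": ["app"],
    "vpn": ["jump"],
    "app": ["db", "cache"],
    "jump": ["db"],
    "cache": ["db"],     # a weakly exploitable extra hop that also reaches the target
    "db": [],
}
FIRST_SCORE = {"internet": 0.0, "web": 8.6, "vpn": 3.9, "app": 6.4,
               "jump": 9.8, "cache": 2.0, "db": 5.0}

def enumerate_paths(edges, source, target):
    """All simple paths from source to target (iterative DFS; revisits are skipped)."""
    paths, stack = [], [(source, [source])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for nxt in edges.get(node, []):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths

def second_score(path, first_score, mode="sum"):
    """Sum of the covered nodes' first scores, or that sum divided by the node count."""
    total = sum(first_score[n] for n in path)
    return total if mode == "sum" else total / len(path)

def rank_paths(edges, first_score, source, target, mode="sum"):
    """Candidate paths ordered best-first by their second score."""
    paths = enumerate_paths(edges, source, target)
    return sorted(paths, key=lambda p: second_score(p, first_score, mode), reverse=True)

def optimal_path(edges, first_score, source, target, mode="sum"):
    return rank_paths(edges, first_score, source, target, mode)[0]

if __name__ == "__main__":
    for mode in ("sum", "mean"):
        best = optimal_path(EDGES, FIRST_SCORE, "internet", "db", mode)
        print(mode, " -> ".join(best), round(second_score(best, FIRST_SCORE, mode), 3))
```

With these scores the sum picks internet -> web -> app -> cache -> db (22.0) purely because it is one hop longer, whereas the mean picks internet -> web -> app -> db (5.0 per node); whichever aggregation is chosen, the engine's ranking is only as good as the per-node first scores fed into it.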
In some embodiments of the present application, in order for the deep learning engine to accurately output the optimal attack path with the highest vulnerability exploitability, fig. 3 is a schematic flow chart of a penetration test method according to still another embodiment of the present application, and before step 140 the method may further include steps 310 to 340 shown in fig. 3.
Step 310, when traffic sample data has been obtained, constructing a plurality of experimental topology environments based on the traffic sample data.
Step 320, scanning a plurality of experimental topological environments to obtain scanning data of each experimental topological environment.
Step 330, converting the scan data of each experimental topology environment into a sample attack graph, to obtain a plurality of sample attack graphs.
Step 340, training the deep learning engine with the plurality of sample attack graphs as input data and the optimal attack paths of the sample attack graphs as output data, to obtain the trained deep learning engine.
In some embodiments of the present application, step 310 may specifically include the following steps: extracting key feature data from the traffic sample data; acquiring second network asset data based on the key feature data; and constructing the experimental topology environment from the second network asset data and preset known vulnerability data.
In some embodiments of the present application, to meet the training data requirements of deep reinforcement learning, data samples must be accumulated by acquisition and generation. A large amount of sample data is obtained through collaboration with cyber ranges, crawling of sample-sharing websites, and in-house data accumulation. In the next module the network topologies used for testing are built from the sample data, targets are built on these topologies, the required data are obtained by scanning, and the data are combined with vulnerability information as the input of the attack tree generation program.
In some embodiments, the traffic sample data may include an asset data set, a security breach data set, and a background traffic data set, which may be stored in a file on a sample data server.
The asset data set may collect network asset information from various network environments through channels such as probing or collaboration, including hardware information, software information (base software, middleware, application software, etc.), network information (IP addresses, open ports and network protocols, network topology), application information, supply chain information, and security information (vulnerabilities and weaknesses).
The security vulnerability data set is formed by fusing the mainstream vulnerability databases (NVD, CNVD, CNNVD, CVE) and includes vulnerability identification numbers and CVSS (Common Vulnerability Scoring System) assessment information (the base score, temporal score and environmental score, and an integrated score based on these three dimensions).
The background traffic data set may contain a large amount of traffic data, log data and traffic data of effective attacks, and is mainly used to construct the verification environment.
In some embodiments, extracting the key feature data from the traffic sample data may specifically include: obtaining the data to be processed from the traffic sample data, and processing it to obtain the key feature data.
In some embodiments, the process flow may specifically include the following steps:
1) Read the feature information of the various packets (more than 80 dimensions in total) from the pcap file and, once parsing is complete, output it as a csv table. The basic statistical unit of the extracted network traffic data samples is one Transmission Control Protocol (TCP) flow or one User Datagram Protocol (UDP) flow. A TCP flow is terminated by a FIN (finish) flag; a UDP flow is bounded by a configured flow timeout and is judged terminated once that time is exceeded. One TCP flow contains many packets: a three-way handshake before data is transmitted and a four-way handshake when the connection is closed. The statistics over one flow are the extracted features. The statistical features are split into the forward and backward directions, forward being from the source address to the destination address and backward from the destination address to the source address, and a label is constructed for each flow.
2) Read the packet information from the pcap file packet by packet, add each packet to the corresponding flow, and keep a flow variable that stores all TCP and UDP flows that have not yet ended.
3) While packets are being added to a flow, continuously update the statistical features of each flow, and record the final values in the csv file once the statistics are complete.
4) Judge whether a newly added packet belongs to one of the currently unfinished flows. If so, judge whether it is forward or backward, then judge whether the flow has timed out; if not, judge whether the packet carries a FIN flag; if not, add the packet to the corresponding flow.
5) If the packet does not belong to any currently unfinished flow, directly create a new flow that contains only the current packet, and store it in the flow variable.
6) If the packet belongs to a current unfinished flow that has timed out or that carries a FIN flag, end the current flow: on timeout, remove the corresponding flow from the flow variable and store the new flow in the flow variable; on a FIN flag, directly remove the corresponding flow from the flow variable.
7) When the file has been read to the end, call the flow variable's function directly to dump the flow data.
8) Following the above steps, the following key feature data are obtained from the network traffic sample data: IP address, service protocol, service port, operating system type, application-type middleware, application, and network routing information.
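An added Python example (not the patent's code) of the flow assembly rules above, operating on a constructed list of packets in place of a pcap file: a TCP flow is closed by a FIN, any flow is also closed when a packet arrives after the idle timeout, packet and byte counters are kept per direction, and the result is written as csv. Only a handful of the 80+ features are computed, and every address, port, timestamp and length in the packet list is made up.

```python
"""Flow assembly and per-flow statistics, following the rules above: a TCP flow ends
on a FIN flag, any flow ends when a packet arrives after the idle timeout, and packet
and byte counters are kept per direction (forward = the first packet's source to
destination). Added example: the packets are constructed in-line instead of being read
from a pcap file, and only a few of the 80+ feature dimensions are computed."""
import csv
import io
from dataclasses import dataclass

@dataclass
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "TCP" or "UDP"
    length: int
    fin: bool = False   # TCP FIN flag

@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    start: float
    last: float
    fwd_pkts: int = 0
    bwd_pkts: int = 0
    fwd_bytes: int = 0
    bwd_bytes: int = 0

    def add(self, pkt):
        if (pkt.src, pkt.sport) == (self.src, self.sport):   # forward direction
            self.fwd_pkts += 1
            self.fwd_bytes += pkt.length
        else:                                                 # backward direction
            self.bwd_pkts += 1
            self.bwd_bytes += pkt.length
        self.last = pkt.ts

def flow_key(pkt):
    """Direction-independent 5-tuple, so both directions map to the same flow."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)

class FlowTracker:
    def __init__(self, timeout=60.0):
        self.timeout = timeout
        self.active = {}      # the "flow variable": key -> unfinished Flow
        self.finished = []

    def add_packet(self, pkt):
        key = flow_key(pkt)
        flow = self.active.get(key)
        if flow is not None and pkt.ts - flow.last > self.timeout:
            self.finished.append(self.active.pop(key))   # idle timeout: close the old flow
            flow = None
        if flow is None:                                  # new flow holding only this packet
            flow = Flow(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto, pkt.ts, pkt.ts)
            self.active[key] = flow
        flow.add(pkt)
        if pkt.proto == "TCP" and pkt.fin:
            self.finished.append(self.active.pop(key))   # FIN ends the TCP flow

    def flush(self):
        """End of capture: dump every still-open flow."""
        self.finished.extend(self.active.values())
        self.active.clear()
        return self.finished

FIELDS = ["src", "sport", "dst", "dport", "proto", "duration",
          "fwd_pkts", "bwd_pkts", "fwd_bytes", "bwd_bytes"]

def flows_to_csv(flows):
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(FIELDS)
    for f in flows:
        writer.writerow([f.src, f.sport, f.dst, f.dport, f.proto, round(f.last - f.start, 6),
                         f.fwd_pkts, f.bwd_pkts, f.fwd_bytes, f.bwd_bytes])
    return out.getvalue()

def extract_flows(packets, timeout=60.0):
    tracker = FlowTracker(timeout)
    for pkt in sorted(packets, key=lambda p: p.ts):
        tracker.add_packet(pkt)
    return tracker.flush()

# Constructed packets: one TLS session closed by FIN, and one DNS exchange whose
# 5-tuple is reused after the idle timeout, so it becomes two UDP flows.
PACKETS = [
    Packet(0.00, "10.0.0.5", 44321, "10.0.0.9", 443, "TCP", 60),
    Packet(0.01, "10.0.0.9", 443, "10.0.0.5", 44321, "TCP", 60),
    Packet(0.02, "10.0.0.5", 44321, "10.0.0.9", 443, "TCP", 52),
    Packet(0.50, "10.0.0.5", 44321, "10.0.0.9", 443, "TCP", 517),
    Packet(0.60, "10.0.0.9", 443, "10.0.0.5", 44321, "TCP", 1400),
    Packet(0.90, "10.0.0.5", 44321, "10.0.0.9", 443, "TCP", 52, fin=True),
    Packet(1.00, "10.0.0.5", 5353, "10.0.0.1", 53, "UDP", 70),
    Packet(1.05, "10.0.0.1", 53, "10.0.0.5", 5353, "UDP", 150),
    Packet(200.0, "10.0.0.5", 5353, "10.0.0.1", 53, "UDP", 70),
]

if __name__ == "__main__":
    print(flows_to_csv(extract_flows(PACKETS)), end="")
```

The FIN packet is counted in the flow it closes before the flow is moved to the finished list; a packet that reuses a 5-tuple after the timeout starts a fresh flow rather than being merged into the stale one, which is the behaviour that keeps long-lived scanners or re-used ephemeral ports from producing one enormous bogus flow.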
In the embodiment of the application, the sample data processing and synthesis method for training the optimal attack path with deep reinforcement learning supports extracting network asset information from discrete multi-source samples, building diversified target environments that simulate real network conditions, obtaining scan data with an OVAL scanner and converting the scan data into the attack graph description file required by the attack graph; this resolves the need of the deep reinforcement learning training engine for massive sample data.
In some embodiments of the present application, step 320 may specifically include: using vulnerability scanning and analysis software such as Nessus, or a scanner supporting the Open Vulnerability Assessment Language (OVAL), to perform vulnerability scanning on the experimental topology environment; and receiving the scan data returned by the scanner.
The scan data may include real IP addresses, ports and protocols used, related data of real network servers with known vulnerabilities, etc.
In some embodiments, step 330, converting the scan data of each experimental topology environment into a sample attack graph to obtain a plurality of sample attack graphs, may specifically include: saving the scan data as a service data set file; converting the service data set file into an attack graph description file; and calling an attack graph generation tool (MulVAL, Multihost Multistage Vulnerability Analysis) to convert the attack graph description file into an attack graph eps file, so as to obtain the sample attack graph.
The sample attack graph may be a tree structure for characterizing interdependence between attack behaviors and attack steps, and the tree structure is an attack tree.
In some embodiments, the service data set file may be saved as a file named with the corresponding extension, in the format shown in Table (1):
Table (1)
In some embodiments of the present application, deep reinforcement learning (DRL) combines deep learning with reinforcement learning, integrating the strong perception capability of deep learning with the decision-making capability of reinforcement learning, and enables end-to-end learning. The advent of deep reinforcement learning has made reinforcement learning genuinely practical for complex problems in real-world scenarios. Attack-defence confrontation is such a complex system, and on that basis a Deep Q-Network (DQN) model is introduced to provide intelligent decision support for the penetration test tool.
From an algorithmic point of view, the Deep Q-Network (DQN) algorithm derives from classical Q-Learning. In Q-Learning, the Q value (quality value) of a "state-action" pair is estimated by iterative updates from experience: for each action that can be taken in a state, the value estimate of the original "state-action" pair is updated using the immediate reward received and the value estimate of the new state.
The DQN algorithm trains by minimising the mean squared error (MSE) of the temporal-difference error (TD-error). DQN uses two key techniques to adapt Q-Learning to deep neural networks. The first is experience replay: each transition (state, action, reward, next state) is stored in a replay memory buffer and sampled at random when training the network, which reuses training data and removes the correlation between consecutive trajectory samples. The second is a separate target network, used to stabilise training: the TD-error is not computed against the moving targets produced by the network being trained but against the stable targets produced by a network that is held essentially fixed.
The DQN training process simulates a penetration attack. The core idea is that the attacker corresponds to the agent of the DQN model, the penetration test target environment is described by a simplified attack matrix, and an attack path corresponds to moving from one node of the attack matrix to another and finally to the target server. The reward score, which drives the Q(s, a) values learned during training, is derived from the CVSS of the vulnerability contained in each node of the target network, takes values in the range 0 to 100, and must be corrected according to verification results.
A typical deep reinforcement learning DQN algorithm is applied to the attack path generation step; the specific workflow is as follows:
Step 1: based on the attack graph generated in step 320 and the security vulnerability library information, generate the transition matrix required by the DRL algorithm and assign a reward score to each attack tree node. The assignment method is: 1) set the reward score of the initial node to 0.01 and that of the target node to 100; 2) for each node that exploits a vulnerability, use the vulnerability's exploitability value as the reward score; 3) for a node that executes code or accesses a file, set a reward score of 1.5, since such nodes are of higher value in a penetration test; 4) for any other node on the attack tree set the reward score to 0, and where no path exists between two nodes set the reward score to -1; 5) use the transition matrix as the input for training the DQN model, so as to determine the total return of every possible attack path;
Step 2: in the training algorithm, attack trees are fed to the algorithm engine as training data in batches of 100. Because the reward scores represent vulnerability exploitability, their values are adjusted according to the verification results obtained by manual spot checks or by invoking penetration test tools, so that the reward scores are corrected to reasonable values;
Step 3: during the training iterations, the average reward of the DQN model on a given attack path in the experimental topology is generally small at first and rises gradually over many iterations; once the reward has stabilised, the optimal attack path can be output.
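An added Python example (not from the patent) of step 1 above, with a constructed attack tree and made-up exploitability values: the reward matrix is filled using the assignment rules and, in place of the DQN, a tabular Q-value iteration is run over the matrix so that the total return of every attack path is exact and the best path can be read off greedily. The node names, scores and edges are assumptions made for the example; the tabular update is the quantity a DQN would approximate with its network.

```python
"""Reward assignment on an attack-tree transition matrix using the rules in step 1
(initial node 0.01, target 100, vulnerability node = exploitability, code execution or
file access = 1.5, other nodes 0, no edge = -1), followed by tabular Q-value iteration
in place of the DQN. Added example; the attack tree and exploitability values are made up."""

# Constructed attack-tree nodes: name -> (kind, exploitability score or None).
NODES = {
    "start":         ("initial", None),
    "exploit_web":   ("vuln", 8.6),
    "exploit_vpn":   ("vuln", 1.8),
    "exec_code_web": ("code_exec", None),
    "read_config":   ("file_access", None),
    "pivot":         ("other", None),
    "exploit_db":    ("vuln", 2.8),
    "target":        ("target", None),
}
EDGES = [
    ("start", "exploit_web"), ("start", "exploit_vpn"),
    ("exploit_web", "exec_code_web"), ("exec_code_web", "read_config"),
    ("read_config", "exploit_db"), ("exploit_vpn", "pivot"),
    ("pivot", "exploit_db"), ("exploit_db", "target"),
]

def node_reward(name):
    """Reward for entering a node, per the assignment rules above."""
    kind, exploitability = NODES[name]
    if kind == "initial":
        return 0.01
    if kind == "target":
        return 100.0
    if kind == "vuln":
        return float(exploitability)
    if kind in ("code_exec", "file_access"):
        return 1.5
    return 0.0

def build_reward_matrix(nodes, edges):
    """R[i][j] is the reward for moving i -> j; -1 marks 'no path between the two nodes'."""
    names = list(nodes)
    idx = {n: i for i, n in enumerate(names)}
    R = [[-1.0] * len(names) for _ in names]
    for a, b in edges:
        R[idx[a]][idx[b]] = node_reward(b)
    return names, R

def q_value_iteration(R, terminal, gamma=0.9, tol=1e-9, max_sweeps=1000):
    """Q(s,a) <- R[s][a] + gamma * max_a' Q(a,a'), swept over every existing edge until stable."""
    n = len(R)
    Q = [[0.0] * n for _ in range(n)]
    for _ in range(max_sweeps):
        delta = 0.0
        for s in range(n):
            if s == terminal:
                continue                      # the episode ends at the target
            for a in range(n):
                if R[s][a] < 0:
                    continue                  # no edge: action unavailable
                future = 0.0 if a == terminal else max(
                    (Q[a][b] for b in range(n) if R[a][b] >= 0), default=0.0)
                new = R[s][a] + gamma * future
                delta = max(delta, abs(new - Q[s][a]))
                Q[s][a] = new
        if delta < tol:
            break
    return Q

def best_path(names, R, Q, start="start", target="target"):
    """Greedy walk along the highest-Q available edge from start to target."""
    idx = {n: i for i, n in enumerate(names)}
    s, path = idx[start], [start]
    while s != idx[target]:
        options = [a for a in range(len(R)) if R[s][a] >= 0 and names[a] not in path]
        if not options:
            break
        s = max(options, key=lambda a, s=s: Q[s][a])
        path.append(names[s])
    return path

def plan(gamma=0.9):
    """Returns the best attack path and its undiscounted total reward."""
    names, R = build_reward_matrix(NODES, EDGES)
    Q = q_value_iteration(R, names.index("target"), gamma)
    path = best_path(names, R, Q)
    return path, sum(node_reward(n) for n in path[1:])

if __name__ == "__main__":
    path, total = plan()
    print(" -> ".join(path), "total reward", round(total, 2))
```

With gamma = 0.9 the web route wins (Q(start, exploit_web) ≈ 78.82 against Q(start, exploit_vpn) ≈ 76.97) because the high exploitability of the first hop outweighs the extra step. The discount factor matters: a longer path pays for each additional hop, so a reward table that encodes exploitability well but is discounted aggressively can still prefer a short path through a hard-to-exploit node, which is exactly why step 2 above corrects the reward scores against verification results.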
Referring to step 150, an automated penetration test is performed on the target object based on the optimal attack path of the target attack graph.
In some embodiments, the electronic device may perform an automated penetration test on the target object by invoking an automated penetration test tool to complete the penetration test operation.
In the present application, for training on penetration test attack paths, a large number of attack graphs are generated from a variety of network environments and sent to the deep reinforcement learning engine for training to obtain the optimal attack path. Specifically, a large number of network data samples are collected and subjected to data extraction and synthesis; diversified target environments are built by simulating real network conditions; a vulnerability scanner supporting the OVAL standard is invoked to scan the target environment and obtain scan result data in OVAL format; the scan data are then converted into a MulVAL-compatible attack graph, which is input to the DQN deep reinforcement learning engine for training to obtain the optimal attack path; and finally an automated penetration test tool is invoked to verify the attack path.
For penetration test operations, the goal is to find as many security vulnerabilities of the operating environment as possible. Therefore, once asset mapping of the target network is complete, a vulnerability mining module is further integrated to predict attack paths for unknown 0day vulnerabilities; where the possibility of a 0day attack is predicted, vulnerability mining is performed on the related systems; the optimal attack path is then obtained with the deep reinforcement learning engine that was validated on the training scenarios; and finally the automated penetration test tool is invoked to complete the penetration test operation.
It can be understood that, in the penetration test method provided in the embodiments of the present application, the execution body may be an electronic device, or a control module in the penetration test apparatus for executing the penetration test method. The penetration test apparatus will be described in detail below.
Fig. 4 is a schematic structural diagram of a penetration test apparatus according to an embodiment of the present application. As shown in fig. 4, the penetration test apparatus 400 may include: a mapping processing module 410, a determination module 420, a generation module 430, an input module 440, and a test module 450.
The mapping processing module 410 is configured to perform network mapping processing on the target object to obtain first network asset data and first vulnerability data of the target object, where the first vulnerability data is known vulnerability data; a determining module 420, configured to determine unknown vulnerability data of the target object based on the first network asset data, the first vulnerability data, and the attack prediction model; a generating module 430, configured to generate a target attack graph of the target object based on the first network asset data, the first vulnerability data, and the unknown vulnerability data; the input module 440 is configured to input a target attack graph to the trained deep learning engine, so as to obtain an optimal attack path of the target attack graph; and the testing module 450 is used for performing automatic penetration testing on the target object based on the optimal attack path of the target attack graph.
In some implementations of the second aspect, the determining module 420 includes: a building unit, configured to build a network security knowledge graph and a relationship path set based on the first network asset data and the first vulnerability data; an obtaining unit, configured to obtain historical attack data from the first network asset data; the building unit is further configured to construct attack sample data based on the historical attack data; an input unit, configured to input the network security knowledge graph, the relationship path set and the attack sample data into the attack prediction model to obtain the attack path set output by the attack prediction model, the attack path set comprising a plurality of unknown-vulnerability attack paths; and a vulnerability mining unit, configured to perform vulnerability mining on the target network asset data in the first network asset data by fuzzing, to obtain unknown vulnerability data of the target object. The first network asset data comprises asset data of each network node corresponding to the target object, the network nodes covered by the unknown-vulnerability attack paths are the target network nodes, and the target network asset data is the asset data of the target network nodes.
In some implementations of the second aspect, the apparatus further includes: the construction module is used for constructing a first classifier and a second classifier before unknown vulnerability data of a target object are determined, wherein the first classifier is used for judging whether an attack occurs, and the second classifier is used for judging whether the attack is a 0day vulnerability attack under the condition that the attack occurs; the generating module 430 is further configured to generate an attack prediction model based on the first classifier and the second classifier.
In some implementations of the second aspect, the input module 440 is specifically configured to: input the target attack graph to the trained deep learning engine, so that the deep learning engine assigns a first score to each network node in the target attack graph, determines, based on the first scores of the network nodes, a second score for each of the multiple target attack paths corresponding to the target attack graph, and outputs the target attack path with the highest second score as the optimal attack path of the target attack graph; the first score characterizes the vulnerability exploitability of a network node, and the second score is determined from the first scores of the network nodes covered by the target attack path.
In some implementations of the second aspect, the apparatus further includes: the construction module is used for constructing a plurality of experimental topological environments based on the flow sample data under the condition that the flow sample data is acquired before the target attack graph is input to the trained deep learning engine; the scanning module is used for scanning a plurality of experimental topological environments to obtain scanning data of each experimental topological environment; the conversion module is used for converting the scanning data of each experimental topological environment into a sample attack graph to obtain a plurality of sample attack graphs; the training module is used for training the deep learning engine by taking a plurality of sample attack graphs as input data and taking the optimal attack path of the sample attack graph as output data to obtain a trained deep learning engine.
In some implementations of the second aspect, the building block includes: the extraction unit is used for extracting key feature data in the flow sample data; the acquisition unit is used for acquiring second network asset data based on the key characteristic data; the construction unit is used for constructing an experimental topological environment according to the second network asset data and preset known vulnerability data.
In some implementations of the second aspect, the apparatus further includes: the system comprises a writing module, a penetration test tool and a target object, wherein the writing module is used for writing unknown vulnerability data of the target object and the utilization mode thereof into a vulnerability database and a database of the penetration test tool respectively after the unknown vulnerability data of the target object are determined, and the penetration test tool is used for performing penetration test on the target object.
According to the penetration test device, the target object is the penetration test object, and under the scene of performing penetration test on the target object, network mapping processing is performed on the target object to obtain first network asset data and known first vulnerability data of the target object. On the basis, unknown vulnerability data of the target object can be determined based on the first network asset data, the first vulnerability data and the attack prediction model. Based on the method, the first network asset data, the first vulnerability data and the unknown vulnerability data are combined, a target attack graph of the target object can be generated, and the target attack graph is input into the trained deep learning engine, so that an optimal attack path of the target attack graph can be obtained. According to the method and the device, the target object can be comprehensively detected through the attack prediction model so as to obtain unknown vulnerability data possibly existing in the target object, and the limitation that known vulnerability information can be obtained only through a public channel in the traditional scheme is broken through. 
And after network asset data, known vulnerability data and unknown vulnerability data required by the penetration test object are accurately acquired, a target attack graph with wider vulnerability coverage range can be generated for the target object by combining the three types of data, and the optimal attack path can be searched in the known vulnerability range and the unknown vulnerability range, and is the penetration path aiming at the target object, so that the penetration path planning about the known vulnerability and the unknown vulnerability can be realized, the limitation that the traditional scheme can only search the optimal attack path in the known vulnerability range is improved, the comprehensiveness of the penetration test on the target object is improved, and the penetration test effect is further improved.
The penetration test device provided in the embodiment of the present application can realize each process implemented by the electronic device in the method embodiment of fig. 1 to 3, and can achieve the same technical effects, and for avoiding repetition, no description is given here.
Fig. 5 is a schematic hardware structure of an electronic device according to an embodiment of the present application.
As shown in fig. 5, the electronic device 500 in this embodiment may include a processor 501 and a memory 502 storing computer program instructions.
In particular, the processor 501 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be one or more integrated circuits configured to implement embodiments of the present application.
Memory 502 may include mass storage for data or instructions. By way of example, and not limitation, memory 502 may comprise a Hard Disk Drive (HDD), floppy disk drive, flash memory, optical disk, magneto-optical disk, magnetic tape, or Universal Serial Bus (USB) drive, or a combination of two or more of the foregoing. Memory 502 may include removable or non-removable (or fixed) media, where appropriate. Memory 502 may be internal or external to the electronic device 500, where appropriate. In a particular embodiment, the memory 502 is a non-volatile solid state memory. The memory may include Read-Only Memory (ROM), Random Access Memory (RAM), magnetic disk storage media devices, optical storage media devices, flash memory devices, and electrical, optical, or other physical/tangible memory storage devices. Thus, in general, the memory includes one or more tangible (non-transitory) computer-readable storage media (e.g., memory devices) holding software that includes computer-executable instructions which, when executed (e.g., by one or more processors), are operable to perform the operations described with reference to the methods of embodiments of the present application.
The processor 501 implements any one of the penetration test methods of the above embodiments by reading and executing computer program instructions stored in the memory 502.
In one example, electronic device 500 may also include communication interface 503 and bus 510. As shown in fig. 5, the processor 501, the memory 502, and the communication interface 503 are connected to each other by a bus 510 and perform communication with each other.
The communication interface 503 is mainly used to implement communication between each module, apparatus, unit and/or device in the embodiments of the present application.
Bus 510 includes hardware, software, or both that couple the components of the electronic device 500 to each other. By way of example, and not limitation, the bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI Express (PCIe) or PCI-X bus, a Serial Advanced Technology Attachment (SATA) bus, a VESA Local Bus (VLB), or other suitable bus, or a combination of two or more of the above. Bus 510 may include one or more buses, where appropriate. Although embodiments of the present application describe and illustrate a particular bus, the present application contemplates any suitable bus or interconnect.
The electronic device provided in the embodiment of the present application can implement each process implemented by the electronic device in the method embodiment of fig. 1 to 3, and can implement the same technical effects, so that repetition is avoided, and no further description is given here.
In combination with the penetration test method in the above embodiment, the embodiment of the application may be implemented by providing a computer storage medium. The computer storage medium has stored thereon computer program instructions; the computer program instructions, when executed by a processor, implement the steps of any of the penetration test methods of the above embodiments.
In connection with the penetration test method of the above embodiments, embodiments of the present application may be implemented by providing a computer program product. The (computer) program product is stored in a non-volatile storage medium, which program product, when being executed by at least one processor, implements the steps of any of the penetration test methods of the above embodiments.
The embodiment of the application further provides a chip. The chip includes a processor and a communication interface coupled with the processor, and the processor is configured to run a program or instructions that implement each process of the above penetration test method embodiment and achieve the same technical effects; to avoid repetition, the description is not repeated here.
It should be understood that the chip referred to in the embodiments of the present application may also be called a system-on-chip (SoC), a chip system, or the like.
It should be clear that the present application is not limited to the particular arrangements and processes described above and illustrated in the drawings. For the sake of brevity, a detailed description of known methods is omitted here. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present application are not limited to the specific steps described and illustrated, and those skilled in the art can make various changes, modifications, and additions, or change the order between steps, after appreciating the spirit of the present application.
The functional blocks shown in the above-described structural block diagrams may be implemented in hardware, software, firmware, or a combination thereof. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, a plug-in, a function card, or the like. When implemented in software, the elements of the present application are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted over transmission media or communication links by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium that can store or transfer information. Examples of machine-readable media include electronic circuitry, semiconductor memory devices, ROM, flash memory, Erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, Radio Frequency (RF) links, and the like. The code segments may be downloaded via computer networks such as the Internet, intranets, etc.
It should also be noted that the exemplary embodiments mentioned in this application describe some methods or systems based on a series of steps or devices. However, the present application is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, may be different from the order in the embodiments, or several steps may be performed simultaneously.
Aspects of the present disclosure are described above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, enable the implementation of the functions/acts specified in the flowchart and/or block diagram block or blocks. Such a processor may be, but is not limited to being, a general purpose processor, a special purpose processor, an application specific processor, or a field programmable logic circuit. It will also be understood that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware which performs the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the foregoing, only the specific embodiments of the present application are described, and it will be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above may refer to the corresponding processes in the foregoing method embodiments, which are not repeated herein. It should be understood that the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the present application, which are intended to be included in the scope of the present application.

Claims (10)

1. A method of penetration testing, the method comprising:
performing network mapping processing on a target object to obtain first network asset data and first vulnerability data of the target object, wherein the first vulnerability data is known vulnerability data;
determining unknown vulnerability data of the target object based on the first network asset data, the first vulnerability data, and an attack prediction model;
generating a target attack graph of the target object based on the first network asset data, the first vulnerability data, and the unknown vulnerability data;
inputting the target attack graph into a trained deep learning engine to obtain an optimal attack path of the target attack graph;
and performing an automatic penetration test on the target object based on the optimal attack path of the target attack graph.
2. The method of claim 1, wherein the determining unknown vulnerability data of the target object based on the first network asset data, the first vulnerability data, and an attack prediction model comprises:
constructing a network security knowledge graph and a relationship path set based on the first network asset data and the first vulnerability data;
acquiring historical attack data from the first network asset data;
constructing attack sample data based on the historical attack data;
inputting the network security knowledge graph, the relation path set and the attack sample data into the attack prediction model to obtain an attack path set output by the attack prediction model, wherein the attack path set comprises a plurality of unknown vulnerability attack paths;
performing vulnerability mining, by fuzz testing, on target network asset data in the first network asset data to obtain the unknown vulnerability data of the target object;
wherein the first network asset data includes asset data of each network node corresponding to the target object, the network nodes covered by the plurality of unknown vulnerability attack paths are target network nodes, and the target network asset data is the asset data of the target network nodes.
3. The method of claim 1, wherein prior to said determining unknown vulnerability data of the target object, the method further comprises:
constructing a first classifier and a second classifier, wherein the first classifier is used for judging whether an attack occurs, and the second classifier is used for judging whether the attack is a 0day vulnerability attack under the condition that the attack occurs;
the attack prediction model is generated based on the first classifier and the second classifier.
4. The method of claim 1, wherein the inputting the target attack graph to the trained deep learning engine results in an optimal attack path for the target attack graph, comprising:
inputting the target attack graph to the trained deep learning engine, so that the deep learning engine distributes first scores for all network nodes in the target attack graph, determines second scores of multiple target attack paths corresponding to the target attack graph based on the first scores of all network nodes, and outputs the target attack path with the highest second score as an optimal attack path of the target attack graph;
wherein the first score characterizes the vulnerability exploitability of the network node, and the second score is determined from the first scores of the network nodes covered by the target attack path.
5. The method of claim 1, wherein prior to the inputting the target attack graph to the trained deep learning engine, the method further comprises:
in a case where traffic sample data is obtained, constructing a plurality of experimental topology environments based on the traffic sample data;
scanning the experimental topology environments to obtain scanning data of each experimental topology environment;
converting the scanning data of each experimental topology environment into a sample attack graph to obtain a plurality of sample attack graphs;
and training the deep learning engine with the plurality of sample attack graphs as input data and the optimal attack path of each sample attack graph as output data to obtain the trained deep learning engine.
6. The method of claim 5, wherein said constructing a plurality of experimental topology environments based on said traffic sample data comprises:
extracting key feature data from the traffic sample data;
acquiring second network asset data based on the key feature data;
and constructing the experimental topology environments according to the second network asset data and preset known vulnerability data.
7. The method of claim 1, wherein after the determining the unknown vulnerability data of the target object, the method further comprises:
and writing the unknown vulnerability data and its exploitation method into a vulnerability database and into a database of a penetration test tool, respectively, wherein the penetration test tool is used to perform penetration testing on the target object.
8. A penetration testing device, the device comprising:
a mapping processing module, configured to perform network mapping processing on a target object to obtain first network asset data and first vulnerability data of the target object, wherein the first vulnerability data is known vulnerability data;
a determining module, configured to determine unknown vulnerability data of the target object based on the first network asset data, the first vulnerability data, and an attack prediction model;
a generation module, configured to generate a target attack graph of the target object based on the first network asset data, the first vulnerability data and the unknown vulnerability data;
an input module, configured to input the target attack graph into a trained deep learning engine to obtain an optimal attack path of the target attack graph;
and a testing module, configured to perform an automatic penetration test on the target object based on the optimal attack path of the target attack graph.
9. An electronic device, the device comprising: a processor and a memory storing computer program instructions;
the processor, when executing the computer program instructions, implements the steps of the penetration test method according to any one of claims 1-7.
10. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon computer program instructions which, when executed by a processor, implement the steps of the penetration test method according to any of claims 1-7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310184683.XA CN116170224A (en) 2023-02-20 2023-02-20 Penetration test method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN116170224A true CN116170224A (en) 2023-05-26

Family

ID=86411289

Country Status (1)

Country Link
CN (1) CN116170224A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116405325A (en) * 2023-06-07 2023-07-07 鹏城实验室 Network security testing method based on security knowledge graph and related equipment
CN116405325B (en) * 2023-06-07 2023-09-12 鹏城实验室 Network security testing method based on security knowledge graph and related equipment
CN117473512A (en) * 2023-12-28 2024-01-30 湘潭大学 Vulnerability risk assessment method based on network mapping
CN117473512B (en) * 2023-12-28 2024-03-22 湘潭大学 Vulnerability risk assessment method based on network mapping

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination