CN116170225A - System testing method, device, equipment and storage medium based on network target range - Google Patents


Info

Publication number: CN116170225A
Application number: CN202310184902.4A
Authority: CN (China)
Prior art keywords: attack, testing, tested, data, technical
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 杨杰 (Yang Jie), 陈睿 (Chen Rui), 贾焰 (Jia Yan), 韩伟红 (Han Weihong), 张家伟 (Zhang Jiawei), 杨明盛 (Yang Mingsheng), 李宗哲 (Li Zongzhe), 吉青利 (Ji Qingli), 黄珺 (Huang Jun), 吴志良 (Wu Zhiliang)
Current assignee: Peng Cheng Laboratory (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Peng Cheng Laboratory
Application filed by Peng Cheng Laboratory; priority claimed to CN202310184902.4A; published as CN116170225A.

Classifications

    • H04L 63/1433 Vulnerability analysis (under H04L 63/14, detecting or protecting against malicious traffic; H04L 63/00, network architectures or network communication protocols for network security)
    • H04L 43/50 Testing arrangements (under H04L 43/00, arrangements for monitoring or testing data switching networks)
    • H04L 63/105 Multiple levels of security (under H04L 63/10, controlling access to devices or network resources)
    • H04L 63/1416 Event detection, e.g. attack signature detection (under H04L 63/1408, detecting malicious traffic by monitoring network traffic)
    • All of the above sit under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a system testing method, device, equipment and storage medium based on a cyber range (网络靶场, rendered "network target range" in the machine translation). The method comprises: acquiring data to be tested; determining, from a preset database, the known attack events corresponding to the data to be tested; orchestrating a test technical and tactical (TTP) chain from those known attack events; and testing the security of the system corresponding to the data to be tested against that chain to obtain a test result. Because the known attack events are screened from the database and the test TTP chain is orchestrated from them, the test follows a standardised flow with a defined scope, which is what the application claims improves the accuracy of cyber-range-based system testing.

Description

System testing method, device, equipment and storage medium based on network target range
Technical Field
The present disclosure relates to the field of network information technology, and in particular to a system testing method, device, equipment and storage medium based on a cyber range (网络靶场; the machine translation renders it "network target range").
Background
The predominant method for testing a system in a cyber range is penetration testing, whether manual or automated.
However, in either form the accuracy of a penetration test against a system in the cyber range depends heavily on the knowledge and skill of the individual attack tester, and different testers may obtain completely different results, so the accuracy of the system evaluation is low.
Disclosure of Invention
In view of the foregoing, the present application provides a system testing method, device, equipment and storage medium based on a cyber range, which aims to improve the accuracy of evaluating a system in the cyber range.
To achieve this, the application provides a cyber-range-based system testing method comprising the following steps:
acquiring data to be tested;
determining, from a preset database, the known attack events corresponding to the data to be tested;
orchestrating a test technical and tactical (TTP) chain according to the known attack events;
and testing the security of the system corresponding to the data to be tested according to the test TTP chain to obtain a test result.
Illustratively, the known attack events include first known attack events and second known attack events, and the step of determining the known attack events corresponding to the data to be tested from the preset database includes:
determining, from the preset database, a first APT group set whose attack initiation frequency exceeds a preset frequency, and a second APT group set corresponding to the industry of the data to be tested;
determining, from the preset database, the first known attack events carried out by the first and second APT group sets within a preset time range;
and extracting the data features of the data to be tested and determining, from the preset database, the second known attack events corresponding to those data features.
Illustratively, the step of determining the second known attack events corresponding to the data features from the preset database includes:
the data features comprising the system type to be tested, the scenario area to be tested, the scenario nodes to be tested, the scenario access policy to be tested and the scenario vulnerabilities to be tested (the machine translation renders the last of these as "scene Jing Loudong");
and determining, from the preset database, the second known attack events corresponding to the data features separately for each of the data features.
Illustratively, the step of orchestrating the test TTP chain from the known attack events comprises:
determining, from the preset database, the attack TTP chain used by each known attack event and determining the attack features of that chain;
orchestrating an initial TTP chain for penetration testing according to the attack features;
and removing duplicate items from the initial TTP chain to obtain the test TTP chain.
Illustratively, the step of testing the security of the system corresponding to the data to be tested according to the test TTP chain to obtain a test result includes:
extracting the technical and tactical features of the test TTP chain;
determining, from the preset database, the attack tools whose matching degree with those features exceeds a preset matching degree;
launching test attacks on the system corresponding to the data to be tested according to the features and the attack tools to obtain an attack result;
and testing the security of the system according to the attack result to obtain the test result.
Illustratively, the step of testing the security of the system according to the attack result to obtain a test result includes:
determining, from the attack result, the attack techniques used during the test, and among them the detected attack techniques (those the system detected) and the blocked attack techniques (those the system blocked);
and testing the security of the system according to the attack techniques used, the detected attack techniques and the blocked attack techniques to obtain the test result.
Illustratively, the step of testing the security of the system according to the attack techniques, the detected attack techniques and the blocked attack techniques to obtain a test result includes:
calculating the attack technique coverage rate of the current test, i.e. the proportion of the technique set of a preset attack technique framework that the attack techniques used in the test cover;
acquiring a weight value corresponding to each attack technique;
calculating, from the detected attack techniques, the blocked attack techniques and the weight values, the attack technique detection rate and the attack technique blocking rate of the system respectively;
and testing the security of the system according to the attack technique coverage rate, the attack technique detection rate and the attack technique blocking rate to obtain the test result.
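The three rates in the steps above, worked through as an added example; this is not code from the patent or from Peng Cheng Laboratory. The framework technique identifiers, the weights and the sets of used, detected and blocked techniques are constructed sample data. The patent does not name the attack technique framework or say how the three rates are combined into a final verdict, so the example returns the rates and the consistency checks and leaves the combination open. It assumes, as the steps describe, that the weights enter the detection and blocking rates, while coverage is the unweighted share of the framework's technique set.

```python
from fractions import Fraction

# Constructed sample data (assumptions for this example, not from the patent).
# Technique identifiers are placeholders for the entries of a preset attack
# technique framework; a weight says how much a technique counts.
FRAMEWORK_TECHNIQUES = {f"T{i}" for i in range(1, 11)}        # 10 techniques
TECHNIQUE_WEIGHTS = {"T1": 3, "T2": 2, "T3": 1, "T4": 2, "T5": 1}

USED_TECHNIQUES = {"T1", "T2", "T3", "T4", "T5"}   # taken from the attack result
DETECTED_TECHNIQUES = {"T1", "T3", "T4"}            # the system raised an alert
BLOCKED_TECHNIQUES = {"T1", "T4"}                   # a control stopped the technique


def coverage_rate(used, framework):
    """Share of the framework's technique set exercised by this test run."""
    return Fraction(len(used & framework), len(framework))


def weighted_rate(subset, used, weights):
    """Weight of `subset` relative to the weight of every technique used.
    A technique with no weight entry defaults to 1 so a gap in the weight
    table cannot silently drop it from the denominator."""
    total = sum(weights.get(t, 1) for t in used)
    hit = sum(weights.get(t, 1) for t in subset & used)
    return Fraction(hit, total) if total else Fraction(0)


def evaluate(used, detected, blocked, framework, weights):
    """Return the three rates plus the checks a reviewer wants: detected and
    blocked techniques must actually have been used, techniques outside the
    framework cannot count toward coverage, and a technique blocked without
    being detected is worth reporting (a control fired but no alert did)."""
    if not detected <= used or not blocked <= used:
        raise ValueError("detected/blocked techniques must be a subset of the techniques used")
    return {
        "coverage_rate": coverage_rate(used, framework),
        "detection_rate": weighted_rate(detected, used, weights),
        "blocking_rate": weighted_rate(blocked, used, weights),
        "outside_framework": sorted(used - framework),
        "blocked_not_detected": sorted(blocked - detected),
    }


if __name__ == "__main__":
    result = evaluate(USED_TECHNIQUES, DETECTED_TECHNIQUES, BLOCKED_TECHNIQUES,
                      FRAMEWORK_TECHNIQUES, TECHNIQUE_WEIGHTS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the sample data the run covers 5 of 10 framework techniques, detects weight 6 of 9 and blocks weight 5 of 9; exact fractions are used so that thresholds such as "at least 80%" compare exactly rather than through float rounding.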
To achieve the above object, the present application further provides a cyber-range-based system testing device comprising:
an acquisition module for acquiring data to be tested;
a determining module for determining, from a preset database, the known attack events corresponding to the data to be tested;
an orchestration module for orchestrating a test technical and tactical (TTP) chain according to the known attack events;
and a test module for testing the system corresponding to the data to be tested according to the test TTP chain to obtain a test result.
To achieve the above object, the present application further provides cyber-range-based system testing equipment comprising a memory, a processor, and a cyber-range-based system test program stored in the memory and executable on the processor, the program being configured to implement the steps of the cyber-range-based system testing method described above.
To achieve the above object, the present application also provides a computer storage medium storing a cyber-range-based system test program which, when executed by a processor, implements the steps of the cyber-range-based system testing method described above.
In the related art, the accuracy of a penetration test against a system in the cyber range depends largely on the knowledge and skill of the attack tester, so the accuracy of the system evaluation is low. In the present application, by contrast, the data to be tested is acquired, a preset database is established and used to determine the known attack events corresponding to that data, a test technical and tactical (TTP) chain is orchestrated with those known attack events as the reference, and the security of the corresponding system is tested against that chain to obtain the test result. In other words, a fixed test flow is laid down, which standardises the overall process of testing the system; the reference data is drawn from the known attack events in the database that correspond to the data to be tested, which keeps the reference accurate; and the test TTP chain orchestrated from those events is closer to the TTPs of real attacks, which makes the test more realistic.
Drawings
FIG. 1 is a flow chart of a first embodiment of a system testing method based on a network target range according to the present application;
FIG. 2 is a flow chart of a second embodiment of a system testing method based on a network target range according to the present application;
FIG. 3 is a flowchart of a third embodiment of a system testing method based on a network target range according to the present application;
FIG. 4 is a schematic structural diagram of the hardware running environment according to an embodiment of the present application.
The realization, functional characteristics and advantages of the present application will be further described with reference to the embodiments, referring to the attached drawings.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
Referring to FIG. 1, FIG. 1 is a schematic flow chart of a first embodiment of the cyber-range-based system testing method.
Embodiments of the present application provide a cyber-range-based system testing method. Although a logical sequence is shown in the flow charts, in some cases the steps shown or described may be performed in a different order. For convenience of description, each step is described from the point of view of the executing subject. The method includes:
Step S110: acquiring data to be tested;
the data to be tested is data provided by a user needing to perform security test, and mainly comprises a to-be-tested object, a test method, test time, signed authorization protocol and the like.
Wherein a certain type of system (industrial local area network, educational platform network, etc.) provided by a customer is taken as an object to be tested;
the test method can adopt a mode of attack and defense exercise test in a network target range, and uses an attack means to break through a defense system in the system so as to determine the safety performance of the system, and the system network of the object to be tested is accessed into the network target range in a federal target range mode and is used as a defender in the network target range, so that the attack test of the system is implemented;
wherein, the test time is determined according to the specific wish of the customer;
the signing authorization protocol is mainly used for acquiring the authorization willingness of a customer, limiting important data which are related to a system of an object to be tested and maintain normal operation, and temporarily not disclosing data and the like, and meanwhile, the authorization protocol contains the contents of the object to be tested, a test mode, test time and the like, and the protocol is a written protocol of a common customer and a test party.
For example, the data to be tested should include relevant information of the object to be tested, such as the type of system to be tested, the area of the scene to be tested, the nodes of the scene to be tested, the access policy of the scene to be tested, and the vulnerability of the scene to be tested.
The type of the system to be tested comprises an industrial local area network, an education platform network and other networks or platforms which are put into operation.
The scene area to be tested is an actual application scene of the object to be tested, taking a local area network and an internet of things as examples, wherein the situation that the areas of the two networks are different in size exists, the communication effects in the networks are different, the local area network is not normally opened to the outside, and the internet of things can adaptively open part of rights.
The scene nodes to be tested are mainly the conditions of all nodes in scenes applied by different systems, and comprise the connection among all the nodes, the integral structure formed by the nodes and the like.
The scene access strategy to be tested is mainly used for establishing access connection between the external network and the network to which the system belongs, and different access strategies are formulated aiming at the networks of different systems so as to avoid the situations that data in the system are directly acquired by the external network, and data leakage risks are generated.
The scene holes to be tested may be corresponding holes known to the client and existing in the network to which the system belongs, for example, the risk of data being stolen, firewall holes, and the like.
All of the data may be obtained through communication with the customer, and the data forms include, but are not limited to, software data, written data, electronic document data, and the like.
Step S120: determining known attack events corresponding to the data to be tested from a preset database;
the preset database should be a pre-established database or knowledge base containing data related to the known APT (Advanced Persistent Threat ) organization, attack technical chains and attack tools corresponding to the attack technical, etc.
The data related to the APT organization includes, but is not limited to, records of attack activities or known attack events of the APT organization, attack targets and adopted attack technical and tactical chains of the APT organization, industries to which the attack targets of the APT organization belong, related data or information related to attacks of the APT organization on certain systems by the APT organization corresponding to common or typical attack means, and the like.
The building of the preset database can set corresponding special mapping rules, for example, a mapping relation is built between known attack events implemented by the APT organization and corresponding attacked targets and corresponding features of the attacked targets, a mapping relation is built between the known attack events implemented by the APT organization and an attack technical and tactical chain adopted by the APT organization, a mapping relation is built between the attack technical and tactical chain adopted by the APT organization and corresponding attack tools, and the like, namely, the known attack events implemented by the APT organization and data related to the known attack events are built into corresponding mapping relations so as to facilitate the subsequent use of the preset database.
In summary, when the data to be tested is obtained, a known attack event corresponding to the data to be tested can be queried from a preset database.
Step S130: according to the known attack event, arranging a technical and tactical chain for testing;
In the preset database, each known attack event is linked to its attack TTP chain and related data, so the corresponding data can be looked up from the known attack event and a test TTP chain orchestrated from it.
The test TTP chain is formed by selecting different attack tools and arranging the order in which they attack.
Illustratively, the step of orchestrating the test TTP chain from the known attack events comprises:
Step a: determining, from the preset database, the attack TTP chain used by the known attack event and determining the attack features of that chain;
The known attack events carried out by APT groups and their corresponding attack TTP chains are stored in the preset database. Each attack TTP chain is analysed to determine its attack features, so that attack tools can be selected according to those features and the test TTP chain orchestrated.
Step b: orchestrating an initial TTP chain for penetration testing according to the attack features;
Step c: removing duplicate items from the initial TTP chain to obtain the test TTP chain.
The attack features comprise the attack content of the attack TTP chain, such as the attack order, attack mode, attack means, and the attack functions that the mode and means achieve.
In an exemplary scenario, especially an attack-and-defence drill (or attack-and-defence test) in a federated range, the attack tools an attacker can choose from are numerous and varied, and for any one attack function at least one tool can be found that implements it. All available tools therefore need to be considered when the test TTP chain is compiled: the attack features of the attack TTP chain determine which tools are usable, and the test TTP chain is then compiled from the different permutations and combinations of those tools.
In addition, when the attack TTP chains corresponding to the known attack events are taken directly from the preset database, different known attack events may use the same type of attack TTP chain, and among the known attack events determined from the database there may be events that use the same attack means against different scenarios. Orchestrating the test TTP chain directly from the known attack events would then produce duplicate entries.
Therefore, when the TTP chain is orchestrated, the initial TTP chain for the penetration test is first assembled according to the attack features and then de-duplicated, so that the test TTP chain used in the test contains no repeated items and the test runs more efficiently.
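Steps a to c worked through as an added example; this is not code from the patent or from Peng Cheng Laboratory. The event identifiers, the attack functions in each chain and the tool catalogue are constructed. The attack feature used for orchestration is assumed to be the ordered list of attack functions, and one initial chain is generated for every permutation-and-combination of the tools that implement those functions, as the paragraph above describes. Duplicates arise exactly as the text says: two known events that used the same chain expand to the same set of initial chains, and step c removes the repeats.

```python
from itertools import product

# Constructed sample data (assumptions, not from the patent). Each known attack
# event maps to the attack TTP chain it used, expressed as an ordered list of
# attack functions; E1 and E3 deliberately share a chain to exercise step c.
EVENT_CHAINS = {
    "E1": ["initial-access", "credential-theft", "lateral-movement", "exfiltration"],
    "E3": ["initial-access", "credential-theft", "lateral-movement", "exfiltration"],
    "E5": ["web-injection", "webshell", "exfiltration"],
    "E7": ["firmware-implant", "exfiltration"],   # no catalogued tool for step 1
}

# Hypothetical tool catalogue: attack function -> tools that implement it.
TOOL_CATALOGUE = {
    "initial-access": ["mailer-a", "mailer-b"],
    "credential-theft": ["cred-dumper-a"],
    "lateral-movement": ["remote-exec-a", "remote-exec-b"],
    "exfiltration": ["https-exfil-a"],
    "web-injection": ["injector-a"],
    "webshell": ["shell-uploader-a"],
}


def attack_features(chain):
    """Step a: the attack feature of a chain is its ordered sequence of attack functions."""
    return tuple(chain)


def initial_chains(event_chains, catalogue):
    """Step b: expand every known event's chain into one candidate test chain per
    combination of implementing tools. An event containing a function the
    catalogue cannot serve is reported rather than turned into a chain with a hole."""
    chains, skipped = [], []
    for event_id, chain in event_chains.items():
        functions = attack_features(chain)
        missing = [f for f in functions if f not in catalogue]
        if missing:
            skipped.append((event_id, missing))
            continue
        for tools in product(*(catalogue[f] for f in functions)):
            chains.append(tuple(zip(functions, tools)))
    return chains, skipped


def deduplicate(chains):
    """Step c: drop repeated (function, tool) sequences, keeping first-seen order."""
    seen, unique = set(), []
    for c in chains:
        if c not in seen:
            seen.add(c)
            unique.append(c)
    return unique


def orchestrate_test_chain(event_chains, catalogue):
    """Steps a to c end to end: the de-duplicated test chains plus the events skipped."""
    chains, skipped = initial_chains(event_chains, catalogue)
    return deduplicate(chains), skipped


if __name__ == "__main__":
    test_chains, skipped = orchestrate_test_chain(EVENT_CHAINS, TOOL_CATALOGUE)
    for c in test_chains:
        print(" -> ".join(f"{fn}[{tool}]" for fn, tool in c))
    print("skipped:", skipped)
```

With the sample data E1 and E3 each expand to 2 x 1 x 2 x 1 = 4 initial chains and E5 to one, nine in all; de-duplication leaves five. The product grows multiplicatively with the number of candidate tools per function, so a real range would cap or prioritise candidates per step before expanding.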
Step S140: and testing the safety of the system corresponding to the data to be tested according to the technical and tactical chain for testing, and obtaining a test result.
And after the technical and tactical chain for testing is arranged, the system corresponding to the data to be tested can be tested by using the technical and tactical chain for testing, so that the system is subjected to attack testing in the environment of a network shooting range, the security functions of the system, such as defending, detecting, blocking and the like, for dealing with external attacks are tested, the security of the system is further determined, and a test result is obtained based on the security.
The test result is mainly the effect of the safety function adopted by the system when the technical and tactical chain for testing is used for attacking the system, meanwhile, the selection of the technical and tactical chain for testing covers the known attack event, the attack technical and tactical chain and other data corresponding to the data to be tested in the preset database, and the accuracy of the system during testing is ensured.
Compared with the situation that the accuracy of the system evaluation of the network target range is low because the accuracy of the test result of the penetration test on the system of the network target range depends on the professional knowledge and the professional skill of the attack tester to a great extent in the related art, in the application, the data to be tested are acquired, the known attack event corresponding to the data to be tested is determined from the preset database by establishing and using the preset database, the known attack event is used as a reference, the corresponding technical and tactical chain for test is arranged, the safety of the system corresponding to the data to be tested is tested according to the technical and tactical chain for test, the test result is obtained, namely, the corresponding test flow is formulated, the overall flow normalization when the system corresponding to the data to be tested is ensured, the known attack event corresponding to the data to be tested is further determined from the preset database, the accuracy of the reference data when the system corresponding to be tested is ensured according to the known attack event, and the accuracy of the technical and tactical chain for test is enabled to be more close to the actual technical and tactical event for the test when the system to be tested is more practical.
Referring to FIG. 2, FIG. 2 is a schematic flow chart of a second embodiment of the cyber-range-based system testing method according to the present application. The second embodiment builds on the first, and the method further includes:
Step S210: determining, from the preset database, a first APT group set whose attack initiation frequency exceeds a preset frequency, and a second APT group set corresponding to the industry of the data to be tested;
When attack events are determined from the preset database, both the activity level of the APT group and the type of known attack event are taken into account for screening. For example, an APT group that has not mounted an attack for a long time (say, one whose last recorded known attack event was five years ago) may no longer be mounting sustained attacks. Likewise, there are many APT groups of different kinds, which tend to attack different fields and industries; the known attack events for different industries differ, while some attack means are used across several industries.
In summary, when known attack events are determined from the preset database, active APT groups are selected on the one hand, and APT groups targeting the industry of the data to be tested on the other; these are the first and second APT group sets respectively.
The attack frequency is the number of attacks an APT group has initiated in recent years (for example the last two, three or five years), and the preset frequency is a threshold set against the attack frequency of most APT groups, so that the groups with higher attack frequency are screened out to form the first APT group set.
For different industries, in order to ensure the accuracy of the test, a second APT group set for the industry of the data to be tested is also determined in addition to the first set of active groups; the activity level (attack-frequency judgement) is not considered when determining the second set.
Step S220: determining, from the preset database, the first known attack events carried out by the first and second APT group sets within a preset time range;
After the qualifying APT group sets have been screened out, the known attack events corresponding to the first and second sets can be determined from the preset database. The time at which each known attack event occurred is also restricted: only events initiated by the groups within the preset time range are kept, so that the first known attack events are an accurate reference when the test technical and tactical (TTP) chain is orchestrated. As network security keeps developing, an APT group relying only on attack means from many years ago would be easily intercepted and blocked, and the attack means APT groups use evolve accordingly; restricting the initiation time of the first known attack events therefore helps to improve the accuracy of the test.
Step S230: extracting the data features of the data to be tested and determining, from the preset database, the second known attack events corresponding to those data features.
The data features of the data to be tested comprise the system type to be tested, the scenario area to be tested, the scenario nodes to be tested, the scenario access policy to be tested and the scenario vulnerabilities to be tested.
Each of these features is used as a matching item and matched against the preset database, and the matching events are the second known attack events corresponding to the data features.
Illustratively, the step of determining the second known attack events corresponding to the data features from the preset database includes:
Step d: determining, from the preset database, the second known attack events corresponding to the data features separately for each of the data features.
When the second known attack events are determined from the preset database according to the data features, each feature is used on its own as the item to be matched against the database, so that one group of second known attack events is obtained per feature; with the five features above, five groups of second known attack events are obtained. This avoids combining the features into a single matching item, which would yield fewer second known attack events covering a narrower range.
In this embodiment, a first APT group set whose attack initiation frequency exceeds a preset frequency and a second APT group set corresponding to the industry of the data to be tested are determined from the preset database; the first known attack events carried out by those sets within a preset time range are determined from the database; and the data features of the data to be tested are extracted and the second known attack events corresponding to them are determined from the database. That is, the first and second APT group sets are selected by attack frequency and by the industry of the data to be tested respectively, so that the scope of the selected groups corresponds to the data to be tested and the first known attack events are accurate; the second known attack events are determined from the data features; and the full content of both the first and the second known attack events is used as the reference during the test, so that the test covers a wide range and is accurate.
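Steps S210 to S230 (with step d) worked through as an added example; this is not code from the patent or from Peng Cheng Laboratory. The knowledge base, the group names, the years, the industries and the five target features are constructed sample records; the "frequency" is assumed to be the count of a group's events inside the preset window, and the window is assumed to apply to the events of both group sets, as S220 states, even though the second set itself is chosen without regard to activity.

```python
from dataclasses import dataclass

# Constructed sample knowledge base (assumptions, not data from the patent):
# one record per known attack event, with the APT group that carried it out,
# the year, the victim's industry and the five target features on which the
# data to be tested is matched.
@dataclass(frozen=True)
class KnownAttackEvent:
    event_id: str
    group: str
    year: int
    industry: str
    system_type: str
    scenario_area: str
    scenario_nodes: str
    access_policy: str
    vulnerability: str


EVENTS = [
    KnownAttackEvent("E1", "GroupA", 2023, "industrial", "industrial LAN", "plant", "plc-hmi", "vpn-only", "unpatched-firewall"),
    KnownAttackEvent("E2", "GroupA", 2022, "finance", "bank portal", "datacenter", "web-db", "public-https", "sql-injection"),
    KnownAttackEvent("E3", "GroupA", 2021, "energy", "scada", "substation", "plc-hmi", "vpn-only", "default-credentials"),
    KnownAttackEvent("E4", "GroupB", 2015, "industrial", "industrial LAN", "plant", "plc-hmi", "air-gapped", "usb-autorun"),
    KnownAttackEvent("E5", "GroupC", 2023, "education", "education platform", "campus", "web-db", "public-https", "sql-injection"),
    KnownAttackEvent("E6", "GroupC", 2022, "education", "education platform", "campus", "web-db", "public-https", "stored-xss"),
]

FEATURE_FIELDS = ("system_type", "scenario_area", "scenario_nodes", "access_policy", "vulnerability")

# The data to be tested for this example: a hypothetical industrial LAN customer.
TARGET = {
    "industry": "industrial",
    "system_type": "industrial LAN",
    "scenario_area": "plant",
    "scenario_nodes": "plc-hmi",
    "access_policy": "vpn-only",
    "vulnerability": "unpatched-firewall",
}


def first_group_set(events, since_year, preset_frequency):
    """S210, first set: groups whose event count since `since_year` exceeds the threshold."""
    counts = {}
    for e in events:
        if e.year >= since_year:
            counts[e.group] = counts.get(e.group, 0) + 1
    return {g for g, n in counts.items() if n > preset_frequency}


def second_group_set(events, industry):
    """S210, second set: every group that has hit the target's industry, regardless of activity."""
    return {e.group for e in events if e.industry == industry}


def first_known_events(events, groups, since_year):
    """S220: events of the selected groups inside the preset window. The window applies
    to the industry-selected groups too, so a stale event such as E4 drops out."""
    return [e for e in events if e.group in groups and e.year >= since_year]


def second_known_events(events, target):
    """S230 / step d: match each feature separately, yielding one event group per feature."""
    return {f: [e for e in events if getattr(e, f) == target[f]] for f in FEATURE_FIELDS}


def select_known_events(events, target, since_year, preset_frequency):
    """The whole selection; the reference set is the union of first and second events."""
    groups = first_group_set(events, since_year, preset_frequency) | second_group_set(events, target["industry"])
    first = first_known_events(events, groups, since_year)
    second = second_known_events(events, target)
    reference = {e.event_id for e in first} | {e.event_id for grp in second.values() for e in grp}
    return {"groups": groups, "first": first, "second": second, "reference_event_ids": sorted(reference)}


if __name__ == "__main__":
    result = select_known_events(EVENTS, TARGET, since_year=2021, preset_frequency=2)
    print("groups:", sorted(result["groups"]))
    print("first known events:", [e.event_id for e in result["first"]])
    for field, grp in result["second"].items():
        print(f"second known events by {field}:", [e.event_id for e in grp])
    print("reference set:", result["reference_event_ids"])
```

With a three-year window (2021 onward) and a threshold of more than two events, GroupA is the only active group, GroupB joins through the industry match, GroupB's 2015 event is excluded from the first known events by the window but still surfaces through the per-feature matching of S230, which is the point of running the two selections side by side.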
Referring to fig. 3, fig. 3 is a schematic flow chart of a third embodiment of the system testing method based on a network target range according to the present application. The third embodiment builds on the first and second embodiments, and the method further includes:
Step S310: extracting the technical and tactical features of the technical and tactical chain for testing;
The technical and tactical chain for testing is obtained by arranging the attack technical and tactical chain, so its attack features differ to some extent from those of the attack technical and tactical chain: the arranged chain achieves the same attack effect as the corresponding attack event but can be distinguished from it by its attack features. The technical and tactical features of the chain for testing are therefore simply the attack features of that chain; attack features include the attack sequence, attack trend, attack means, attack process and so on. The attack effect achievable through the technical and tactical features equals the effect achievable through the original attack features, but the feature content they contain is greater than or equal to the content of the original attack features.
Step S320: determining, from the preset database, attack tools whose matching degree with the technical and tactical features is greater than a preset matching degree;
Corresponding attack tools can be determined from the preset database according to the technical and tactical features. However, the attack content contained in the technical and tactical features may be complex, and the attack features a given tool can realise will differ to some degree from the technical and tactical features. To keep the test accurate, the features within the technical and tactical features are substituted adaptively, that is, the range of candidate attack tools is widened and the selection requirement is relaxed accordingly: for example, with the preset matching degree set to 80%, every attack tool whose similarity to the technical and tactical features reaches 80% is classified as a usable attack tool.
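Tool selection by matching degree, as an added example that is not the patent's own code: it defines the matching degree as the fraction of the chain's technical and tactical features a tool can realise (an assumption, since the text does not fix the measure), applies the 80% preset matching degree from the text, and also reports which chain features no selected tool covers, so the tester knows which parts of the chain the run will not exercise. Tool names and feature labels are placeholders.

```python
"""Added example (not the patent's own code): selecting attack tools for a
cyber-range test by their matching degree against the technical and tactical
features of the chain for testing, with the 80% preset matching degree.

Tool names and feature labels are placeholders constructed for the example;
the "matching degree" definition below is an assumption, not the patent's.
"""
from typing import Dict, List, Set, Tuple

PRESET_MATCH_DEGREE = 0.8   # the text's example threshold: 80%

# Constructed tool catalogue (stands in for the preset database):
# tool name -> technical/tactical feature labels the tool can realise.
TOOL_CATALOGUE: Dict[str, Set[str]] = {
    "tool-A": {"recon", "initial-access", "persistence", "lateral-movement", "exfiltration"},
    "tool-B": {"recon", "initial-access", "persistence", "lateral-movement"},
    "tool-C": {"recon", "initial-access"},
    "tool-D": {"persistence", "lateral-movement", "exfiltration", "impact"},
}


def match_degree(chain_features: Set[str], tool_features: Set[str]) -> float:
    """Fraction of the chain's technical and tactical features the tool covers
    (assumed definition of matching degree)."""
    if not chain_features:
        return 0.0
    return len(chain_features & tool_features) / len(chain_features)


def select_tools(chain_features: Set[str],
                 catalogue: Dict[str, Set[str]] = TOOL_CATALOGUE,
                 threshold: float = PRESET_MATCH_DEGREE) -> List[Tuple[str, float]]:
    """Return (tool, degree) pairs at or above the preset matching degree, best
    match first.  A tool at exactly 80% counts as usable, as in the text."""
    scored = [(name, match_degree(chain_features, feats))
              for name, feats in catalogue.items()]
    return sorted(((n, d) for n, d in scored if d >= threshold),
                  key=lambda pair: pair[1], reverse=True)


def uncovered_features(chain_features: Set[str], tools: List[Tuple[str, float]],
                       catalogue: Dict[str, Set[str]] = TOOL_CATALOGUE) -> Set[str]:
    """Chain features none of the selected tools covers; the test cannot
    exercise these unless they are supplied some other way."""
    covered: Set[str] = set()
    for name, _ in tools:
        covered |= catalogue[name]
    return chain_features - covered


# Constructed technical and tactical features extracted from a chain for testing.
CHAIN_FEATURES = {"recon", "initial-access", "persistence", "lateral-movement", "exfiltration"}

if __name__ == "__main__":
    chosen = select_tools(CHAIN_FEATURES)
    print("usable tools:", chosen)
    print("uncovered features:", uncovered_features(CHAIN_FEATURES, chosen))
```

Relaxing the threshold widens the tool set, as the text intends, but a tool at 80% still leaves one feature in five unrealised; `uncovered_features` makes that gap visible instead of letting the test report coverage it never attempted.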
Step S330: initiating a test attack on the system corresponding to the data to be tested according to the technical and tactical features and the attack tools, to obtain an attack result;
The attack flow of the technical and tactical chain for testing can be carried out according to the technical and tactical features and the attack tools: guided by the technical and tactical features, the attack tools are used to launch a test attack on the system corresponding to the data to be tested, which yields an attack result. The attack result records whether the attack goal was achieved or not. The case in which the attack goal was achieved can be further split out into the case in which the attack flow was detected by the system but the system did not stop it. The case in which the attack goal was not achieved is the case in which the attack flow was detected and blocked, or otherwise successfully defended, by the system.
Step S340: testing the security of the system according to the attack result to obtain a test result.
The security test of the system is completed according to the attack result, yielding the test result. The test result mainly comprises the outcome after the system was attacked, divided into the defence results and the breach results the system produced under the different attack conditions.
When a test report is output from the test result, its content can be customised to the customer's requirements: for example, listing the vulnerabilities through which the system is easily breached, or assessing the conditions under which the system defended successfully and listing the system's existing defensive strengths.
Illustratively, the step of testing the security of the system according to the attack result to obtain a test result includes:
step e: determining, according to the attack result, the attack techniques used in the test process, and determining which of those attack techniques were detected by the system (the detected attack techniques) and which were blocked by the system (the blocked attack techniques);
step f: testing the security of the system according to the attack techniques, the detected attack techniques and the blocked attack techniques to obtain a test result.
The security test of the system is completed according to the attack result, yielding the test result. The evaluation mainly concerns the system's effectiveness at detecting external attacks and at blocking them, determined from the corresponding data in the attack result: the attack techniques used in the test process, and among them the detected attack techniques the system successfully detected and the blocked attack techniques the system successfully blocked; that is, the attack techniques successfully detected and those successfully blocked by the system are counted.
Illustratively, the step of testing the security of the system according to the attack techniques, the detected attack techniques and the blocked attack techniques to obtain a test result includes:
step g: calculating, according to the attack techniques and the attack technique set in a preset attack technique framework, the attack technique coverage rate of the attack techniques used in the current test process within that attack technique set;
step h: acquiring the weight value corresponding to each attack technique;
step i: calculating the attack technique detection rate and the attack technique blocking rate of the system according to the detected attack techniques, the blocked attack techniques and the weight values, respectively;
step j: testing the security of the system according to the attack technique coverage rate, the attack technique detection rate and the attack technique blocking rate to obtain a test result.
As the concrete method for evaluating the system's detection of external attacks and its blocking of them, corresponding evaluation formulas can be drawn up.
The evaluation formulas cover the attack technique coverage rate, the attack technique detection rate and the attack technique blocking rate.
The attack technique coverage rate is calculated as: attack technique coverage rate = (number of attack techniques used in the attack ÷ total number of attack techniques in the preset attack technique framework) × 100%. The preset attack technique framework is an attack technique framework agreed and accepted by the relevant personnel, and it contains all attack techniques known in the prior art.
The attack technique detection rate is calculated as: attack technique detection rate = (sum of detected attack technique weights ÷ sum of attack technique weights) × 100%.
The attack technique blocking rate is calculated as: attack technique blocking rate = (sum of blocked attack technique weights ÷ sum of attack technique weights) × 100%.
When the attack technique detection rate and the attack technique blocking rate are calculated, the weight value of each attack technique must be used. The weight values are assigned in advance to all attack techniques in the attack technique framework; the assignment is determined by each technique's frequency of use, and the more frequently a technique is used, the larger its weight.
In the detection rate and blocking rate formulas, the sum of attack technique weights is the sum of the weight values of the attack techniques used in the test process.
The sum of detected attack technique weights is the sum of the weights of the attack techniques the system successfully detected during the test.
The sum of blocked attack technique weights is the sum of the weights of the attack techniques the system successfully blocked during the test.
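The three evaluation formulas and steps g to j, as an added example that is not the patent's own code: the preset attack technique framework, its weights and the attack result of one run are constructed placeholders (technique ids `T01` to `T10`), and the weighted rates are computed over the techniques actually used in the test, as the text specifies for the weight sum.

```python
"""Added example (not the patent's own code): the attack technique coverage
rate, detection rate and blocking rate from the text, computed over a
constructed preset attack technique framework.

Technique ids and weights are placeholders chosen for the example; a real
preset framework and its weights would come from the organisation's own
agreed catalogue.
"""
from typing import Dict, Set

# Constructed preset attack technique framework: technique id -> weight value.
# Weights are assigned in advance; a higher use frequency means a larger weight.
FRAMEWORK_WEIGHTS: Dict[str, int] = {
    "T01": 5, "T02": 4, "T03": 3, "T04": 2, "T05": 1,
    "T06": 1, "T07": 2, "T08": 3, "T09": 4, "T10": 5,
}


def coverage_rate(used: Set[str], framework: Dict[str, int]) -> float:
    """Attack technique coverage rate, in percent: number of techniques used in
    the attack divided by the number of techniques in the preset framework."""
    unknown = used - set(framework)
    if unknown:
        # A technique outside the agreed framework cannot be scored; surface it
        # rather than silently inflating or deflating the rate.
        raise ValueError(f"techniques not in the preset framework: {sorted(unknown)}")
    return len(used) / len(framework) * 100


def weighted_rate(subset: Set[str], used: Set[str], framework: Dict[str, int]) -> float:
    """Shared form of the detection and blocking rates, in percent: sum of the
    weights of `subset` divided by the sum of the weights of the techniques used
    in the test.  Techniques reported in `subset` but never used are ignored."""
    total = sum(framework[t] for t in used)
    if total == 0:
        return 0.0
    return sum(framework[t] for t in subset & used) / total * 100


def evaluate(used: Set[str], detected: Set[str], blocked: Set[str],
             framework: Dict[str, int] = FRAMEWORK_WEIGHTS) -> Dict[str, float]:
    """Steps g to j: coverage rate, weighted detection rate, weighted blocking rate."""
    return {
        "coverage_rate": coverage_rate(used, framework),
        "detection_rate": weighted_rate(detected, used, framework),
        "blocking_rate": weighted_rate(blocked, used, framework),
    }


# Constructed attack result from one test run on the range.
USED = {"T01", "T02", "T03", "T09", "T10"}      # techniques used in the test
DETECTED = {"T01", "T02", "T09"}                # of those, detected by the system
BLOCKED = {"T01", "T09"}                        # of those, blocked by the system

if __name__ == "__main__":
    for name, value in evaluate(USED, DETECTED, BLOCKED).items():
        print(f"{name}: {value:.1f}%")
```

With these placeholders the run covers 5 of 10 framework techniques (50%), and because the weights of the used techniques sum to 21, detecting `T01`, `T02` and `T09` (weights 5 + 4 + 4) gives a detection rate of about 61.9% while blocking only `T01` and `T09` gives about 42.9%. Reporting the weighted rates next to the plain coverage rate keeps a run that exercised only low-weight techniques from looking as thorough as one that exercised the frequently used ones.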
In this embodiment, the technical and tactical features of the technical and tactical chain for testing are extracted; attack tools whose matching degree with those features is greater than the preset matching degree are determined from the preset database; a test attack is launched on the system corresponding to the data to be tested according to the technical and tactical features and the attack tools, giving an attack result; and the security of the system is tested according to the attack result to obtain a test result. That is, the system corresponding to the data to be tested is attack-tested with the attack tools corresponding to the technical and tactical chain for testing, completing the whole test flow. A standard for evaluating the system's security is then formulated from how the system detected and blocked the attack techniques in the test flow, together with the corresponding evaluation formulas. This makes the system's test result clear and presents it to the customer as intuitive figures, making the test result easier to read.
In addition, the present application also provides a system testing device based on a network target range, which comprises:
an acquisition module for acquiring data to be tested;
a determining module for determining known attack events corresponding to the data to be tested from a preset database;
an arrangement module for arranging a technical and tactical chain for testing according to the known attack events; and
a test module for testing the system corresponding to the data to be tested according to the technical and tactical chain for testing, to obtain a test result.
Illustratively, the determining module includes:
a first determining submodule for determining, according to the preset database, a first APT organization set whose attack initiation frequency is greater than a preset frequency, and a second APT organization set of the industry corresponding to the data to be tested;
a second determining submodule for determining, according to the preset database, the first known attack events launched by the first APT organization set and the second APT organization set within a preset time range; and
a first extraction submodule for extracting the data features of the data to be tested and determining the second known attack events corresponding to those features from the preset database.
Illustratively, the first extraction submodule includes:
a first determining unit for determining, according to any one of the data features, the second known attack events corresponding to that data feature from the preset database.
Illustratively, the arrangement module comprises:
a third determining submodule for determining, from the preset database, the attack technical and tactical chain adopted by the known attack events, and determining the attack features of that chain;
an arrangement submodule for arranging an initial technical and tactical chain for penetration testing according to the attack features; and
a removal submodule for removing repeated items from the initial technical and tactical chain to obtain the technical and tactical chain for testing.
Illustratively, the test module includes:
a second extraction submodule for extracting the technical and tactical features of the technical and tactical chain for testing;
a matching submodule for determining, from the preset database, attack tools whose matching degree with the technical and tactical features is greater than the preset matching degree;
a testing submodule for launching a test attack on the system corresponding to the data to be tested according to the technical and tactical features and the attack tools, to obtain an attack result; and
a testing submodule for testing the security of the system according to the attack result to obtain a test result.
Illustratively, the testing submodule includes:
a second determining unit for determining, according to the attack result, the attack techniques used in the test process, and determining which of those attack techniques were detected by the system (the detected attack techniques) and which were blocked by the system (the blocked attack techniques); and
a testing unit for testing the security of the system according to the attack techniques, the detected attack techniques and the blocked attack techniques to obtain a test result.
Illustratively, the testing unit includes:
a first calculating subunit for calculating, according to the attack techniques and the attack technique set in a preset attack technique framework, the attack technique coverage rate of the attack techniques used in the current test process within that attack technique set;
an acquisition subunit for acquiring the weight value corresponding to each attack technique;
a second calculating subunit for calculating the attack technique detection rate and the attack technique blocking rate of the system according to the detected attack techniques, the blocked attack techniques and the weight values, respectively; and
a testing subunit for testing the security of the system according to the attack technique coverage rate, the attack technique detection rate and the attack technique blocking rate to obtain a test result.
The specific implementation of the system testing device based on a network target range is essentially the same as that of the embodiments of the system testing method based on a network target range, and is not repeated here.
In addition, the present application also provides system testing equipment based on a network target range. As shown in fig. 4, fig. 4 is a schematic structural diagram of a hardware operating environment according to an embodiment of the present application.
By way of example, fig. 4 may be a schematic diagram of the hardware operating environment of the system testing equipment based on a network target range.
As shown in fig. 4, the system testing equipment based on a network target range may include a processor 401, a communication interface 402, a memory 403 and a communication bus 404, where the processor 401, the communication interface 402 and the memory 403 communicate with each other through the communication bus 404, and the memory 403 is used for storing a computer program; the processor 401 is configured to implement the steps of the system testing method based on a network target range when executing the program stored in the memory 403.
The communication bus 404 of the system testing equipment mentioned above may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus 404 may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration, only one thick line is drawn in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface 402 is used for communication between the above-described system testing equipment and other devices.
The memory 403 may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory 403 may also be at least one storage device located remotely from the aforementioned processor 401.
The processor 401 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), etc.; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
The specific implementation of the system testing equipment based on a network target range is essentially the same as that of the above embodiments of the system testing method based on a network target range, and is not described again here.
In addition, an embodiment of the present application also provides a computer storage medium on which a system test program based on a network target range is stored; when executed by a processor, the program implements the steps of the system testing method based on a network target range.
The specific implementation of the computer storage medium is essentially the same as that of the above embodiments of the system testing method based on a network target range, and is not repeated here.
It should be noted that, in this document, the terms "comprises", "comprising", or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such a process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article, or system that comprises the element.
The numbering of the foregoing embodiments of the present application is for description only and does not represent the relative merits of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the methods of the above embodiments may be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware alone, but in many cases the former is the preferred implementation. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disk) as described above, including several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, or the like) to perform the methods described in the embodiments of the present application.
The foregoing description covers only the preferred embodiments of the present application and is not intended to limit the scope of the claims; all equivalent structures or equivalent processes made using the description and drawings of the present application, whether applied directly or indirectly in other related technical fields, fall within the scope of the claims of the present application.

Claims (10)

1. A system testing method based on a network target range, characterized by comprising the following steps:
acquiring data to be tested;
determining known attack events corresponding to the data to be tested from a preset database;
arranging a technical and tactical chain for testing according to the known attack events; and
testing the security of the system corresponding to the data to be tested according to the technical and tactical chain for testing, to obtain a test result.
2. The system testing method based on a network target range according to claim 1, characterized in that the known attack events include first known attack events and second known attack events, and the step of determining known attack events corresponding to the data to be tested from a preset database includes:
determining, according to the preset database, a first APT organization set whose attack initiation frequency is greater than a preset frequency, and a second APT organization set corresponding to the industry of the data to be tested;
determining, according to the preset database, the first known attack events launched by the first APT organization set and the second APT organization set within a preset time range; and
extracting the data features of the data to be tested, and determining the second known attack events corresponding to the data features from the preset database.
3. The system testing method based on a network target range according to claim 2, characterized in that the step of determining the second known attack events corresponding to the data features from the preset database includes:
the data features comprise a system type to be tested, a scene area to be tested, a scene node to be tested, a scene access policy to be tested and a scene vulnerability to be tested; and
determining, according to any one of the data features, the second known attack events corresponding to that data feature from the preset database.
4. The system testing method based on a network target range according to claim 1, characterized in that the step of arranging a technical and tactical chain for testing according to the known attack events includes:
determining, from the preset database, the attack technical and tactical chain adopted by the known attack events, and determining the attack features of the attack technical and tactical chain;
arranging an initial technical and tactical chain for penetration testing according to the attack features; and
removing repeated items from the initial technical and tactical chain to obtain the technical and tactical chain for testing.
5. The system testing method based on a network target range according to claim 1, characterized in that the step of testing the security of the system corresponding to the data to be tested according to the technical and tactical chain for testing to obtain a test result includes:
extracting the technical and tactical features of the technical and tactical chain for testing;
determining, from the preset database, attack tools whose matching degree with the technical and tactical features is greater than a preset matching degree;
initiating a test attack on the system corresponding to the data to be tested according to the technical and tactical features and the attack tools, to obtain an attack result; and
testing the security of the system according to the attack result to obtain a test result.
6. The system testing method based on a network target range according to claim 5, characterized in that the step of testing the security of the system according to the attack result to obtain a test result includes:
determining, according to the attack result, the attack techniques used in the test process, and determining which of those attack techniques were detected by the system (the detected attack techniques) and which were blocked by the system (the blocked attack techniques); and
testing the security of the system according to the attack techniques, the detected attack techniques and the blocked attack techniques to obtain a test result.
7. The system testing method based on a network target range according to claim 6, characterized in that the step of testing the security of the system according to the attack techniques, the detected attack techniques and the blocked attack techniques to obtain a test result includes:
calculating, according to the attack techniques and the attack technique set in a preset attack technique framework, the attack technique coverage rate of the attack techniques used in the current test process within that attack technique set;
acquiring the weight value corresponding to each attack technique;
calculating the attack technique detection rate and the attack technique blocking rate of the system according to the detected attack techniques, the blocked attack techniques and the weight values, respectively; and
testing the security of the system according to the attack technique coverage rate, the attack technique detection rate and the attack technique blocking rate to obtain a test result.
8. A system testing device based on a network target range, characterized in that the device comprises:
an acquisition module for acquiring data to be tested;
a determining module for determining known attack events corresponding to the data to be tested from a preset database;
an arrangement module for arranging a technical and tactical chain for testing according to the known attack events; and
a test module for testing the system corresponding to the data to be tested according to the technical and tactical chain for testing, to obtain a test result.
9. System testing equipment based on a network target range, characterized in that the equipment comprises: a memory, a processor, and a system test program based on a network target range that is stored on the memory and executable on the processor, the system test program being configured to implement the steps of the system testing method based on a network target range according to any one of claims 1 to 7.
10. A computer storage medium, characterized in that a system test program based on a network target range is stored on the computer storage medium, and when executed by a processor the program implements the steps of the system testing method based on a network target range according to any one of claims 1 to 7.
CN202310184902.4A 2023-02-16 2023-02-16 System testing method, device, equipment and storage medium based on network target range Pending CN116170225A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310184902.4A CN116170225A (en) 2023-02-16 2023-02-16 System testing method, device, equipment and storage medium based on network target range

Publications (1)

Publication Number Publication Date
CN116170225A true CN116170225A (en) 2023-05-26

Family

ID=86419902

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310184902.4A Pending CN116170225A (en) 2023-02-16 2023-02-16 System testing method, device, equipment and storage medium based on network target range

Country Status (1)

Country Link
CN (1) CN116170225A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116405325A (en) * 2023-06-07 2023-07-07 鹏城实验室 Network security testing method based on security knowledge graph and related equipment



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination