CN116186711B - Method and device for determining defense result of test application in network attack and defense competition - Google Patents

Info

Publication number
CN116186711B
Authority
CN
China
Prior art keywords
test application
application
test
defense
repaired
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310011578.6A
Other languages
Chinese (zh)
Other versions
CN116186711A (en)
Inventor
蔡晶晶
陈俊
孙淼
陈泽楷
付磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yongxin Zhicheng Technology Group Co ltd
Original Assignee
Yongxin Zhicheng Technology Group Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The application discloses a method for determining the defense result of a test application in a network attack and defense competition. When evaluating whether the program repair package corresponding to the test application defends successfully, the method tests the key functions of the repaired test application, detects whether the repaired test application uses a general defense repair mode, and performs target vulnerability detection on the repaired test application. The method can therefore detect not only the running state of the repaired test application and the repair state of the vulnerability, but also effectively detect and exclude general defense techniques, which ensures the accuracy and fairness of the defense result obtained for the test application and greatly improves the competition experience of contestants and the fairness of the competition.

Description

Method and device for determining defense result of test application in network attack and defense competition
Technical Field
The application relates to the technical field of network security, in particular to a method and a device for determining a defense result of a test application in network attack and defense competition.
Background
Current network attack and defense competitions mainly assess the technical ability of players in two respects, attack and defense. The attack and defense stages are separate from each other and are judged separately. Judging the defense stage requires detecting whether the application in the challenge still provides its service normally, and also whether the player has successfully repaired the vulnerability of the target service in the challenge.
At present, in the defense stage of a network security attack and defense competition, the logic for judging whether a team has successfully repaired the target code program is simplistic: it checks only whether the test application (namely the target code program) in the challenge can provide its service normally and whether the application's vulnerability has been repaired, and the defense is judged successful only when both hold. However, such judgment logic cannot determine whether a player achieved the defense with a general defense method. General defense means that the player does not need to know what vulnerabilities exist in the challenge application: by using a general repair mode or technique, the application keeps providing its service normally while the vulnerability detection module used for defense judging cannot compromise it, so the defense appears successful. This undermines the fairness of the competition to some extent. Therefore, a new method for determining the defense result of a test application in a network attack and defense competition is needed.
Disclosure of Invention
The application provides a method and a device for determining the defense result of a test application in a network attack and defense competition. They can detect the running state of the repaired test application and the repair state of the vulnerability, and can also effectively detect and exclude general defense techniques, which ensures the accuracy and fairness of the defense result obtained for the test application and greatly improves the competition experience of contestants and the fairness of the competition.
In a first aspect, the present application provides a method for determining a defense result of a test application in a network attack and defense competition, where the method includes:
acquiring a test application and a program repair package corresponding to the test application;
repairing the test application according to the program repair package corresponding to the test application to obtain a repaired test application;
testing the key functions of the repaired test application to obtain a key function test result;
if the key function test result is that the test passed, detecting a general defense repair mode of the repaired test application to obtain a general defense detection result;
if the general defense detection result is that the detection passed, performing target vulnerability detection on the repaired test application to obtain a vulnerability detection result;
and if the vulnerability detection result is that the detection passed, determining that the defense result of the test application is a successful defense.
In a second aspect, the present application provides a defense result determining apparatus for a test application in a network attack and defense competition, the apparatus comprising:
the data acquisition unit is used for acquiring a test application and a program repair package corresponding to the test application;
the application repairing unit is used for repairing the test application according to the program repair package corresponding to the test application to obtain a repaired test application;
the first testing unit is used for testing the key functions of the repaired test application to obtain a key function test result;
the second testing unit is used for detecting a general defense repair mode of the repaired test application if the key function test result is that the test passed, so as to obtain a general defense detection result;
the third testing unit is used for performing target vulnerability detection on the repaired test application if the general defense detection result is that the detection passed, so as to obtain a vulnerability detection result;
and the result determining unit is used for determining that the defense result of the test application is a successful defense if the vulnerability detection result is that the detection passed.
In a third aspect, the present application provides a readable medium comprising execution instructions which, when executed by a processor of an electronic device, perform the method according to any of the first aspects.
In a fourth aspect, the present application provides an electronic device comprising a processor and a memory storing execution instructions, the processor performing the method according to any one of the first aspects when executing the execution instructions stored in the memory.
According to the above technical solution, the application acquires the test application and the program repair package corresponding to the test application; repairs the test application according to that program repair package to obtain a repaired test application; and tests the key functions of the repaired test application to obtain a key function test result. If the key function test result is that the test passed, it detects a general defense repair mode of the repaired test application to obtain a general defense detection result. If the general defense detection result is that the detection passed, it performs target vulnerability detection on the repaired test application to obtain a vulnerability detection result. If the vulnerability detection result is that the detection passed, the defense result of the test application is a successful defense. Thus, when evaluating whether the program repair package corresponding to the test application defends successfully, the method not only tests the key functions of the repaired test application but also detects whether it uses a general defense repair mode and performs target vulnerability detection on it. In this way, the method can detect the running state of the repaired test application and the repair state of the vulnerability, and can also effectively detect and exclude general defense techniques, which ensures the accuracy and fairness of the defense result obtained for the test application and greatly improves the competition experience of contestants and the fairness of the competition.
Further effects of the above-described non-conventional preferred embodiments will be described below in connection with the detailed description.
Drawings
In order to illustrate the embodiments of the application or the prior art solutions more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. The drawings described below are only some of the embodiments of the present application, and a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flow chart of a method for determining a defense result of a test application in a network attack and defense competition;
FIG. 2 is a schematic structural diagram of a defense result determining apparatus for test applications in a network attack and defense competition according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be clearly and completely described below with reference to specific embodiments and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
In the prior art, in the defense stage of a network security attack and defense competition, the logic for judging whether a team has successfully repaired the target code program is simplistic: it usually checks only whether the test application (namely the target code program) in the challenge can provide its service normally and whether the application's vulnerability has been repaired, and the defense is judged successful only when both hold. However, such judgment logic cannot determine whether a player achieved the defense with a general defense method. General defense means that the player does not need to know what vulnerabilities exist in the challenge application: by using a general repair mode or technique, the application keeps providing its service normally while the vulnerability detection module used for defense judging cannot compromise it, so the defense appears successful. This undermines the fairness of the competition to some extent. In other words, the conventional detection mode for the defense stage checks only the running state of the service and the repair state of the challenge vulnerability. As competitions have accumulated, contestants have developed numerous general defense techniques, so a contestant can fix the vulnerability defect in the test application by blindly applying them without knowing what vulnerability exists in the challenge application. To a certain extent this affects the fairness of the competition itself and the experience of other contestants, and the conventional detection mode can neither prevent nor detect these general defense means, so the competition experience and fairness are poor.
Therefore, the application provides a method for determining the defense result of a test application in a network attack and defense competition. The method first acquires the test application and the program repair package corresponding to the test application; then repairs the test application according to that program repair package to obtain a repaired test application; then tests the key functions of the repaired test application to obtain a key function test result. If the key function test result is that the test passed, it detects a general defense repair mode of the repaired test application to obtain a general defense detection result. If the general defense detection result is that the detection passed, it performs target vulnerability detection on the repaired test application to obtain a vulnerability detection result. If the vulnerability detection result is that the detection passed, the defense result of the test application is a successful defense. Thus, when evaluating whether the program repair package corresponding to the test application defends successfully, the method not only tests the key functions of the repaired test application but also detects whether it uses a general defense repair mode and performs target vulnerability detection on it. In this way, the method provided by the embodiment can detect the running state of the repaired test application and the repair state of the vulnerability, and can also effectively detect and exclude general defense techniques, which ensures the accuracy and fairness of the defense result obtained for the test application and greatly improves the competition experience of contestants and the fairness of the competition.
Various non-limiting embodiments of the present application are described in detail below with reference to the attached drawing figures.
Referring to fig. 1, a method for determining a defense result of a test application in a network attack and defense competition in an embodiment of the present application is shown. In this embodiment, the method may include, for example, the steps of:
S101: Acquire a test application and a program repair package corresponding to the test application.
In this embodiment, a test application can be understood as a vulnerable application or code program used as a test in a network attack and defense competition; that is, it is a challenge of the competition. In the defense stage, a player is usually required to find the security vulnerability in the test application corresponding to the challenge, write a program that repairs the vulnerability based on the player's professional knowledge, and upload that program as the program repair package corresponding to the test application. The package is then evaluated to produce the defense result, namely whether the program repair package defends successfully (that is, whether it completely repairs the vulnerability).
In one implementation, the program repair package may include the identifier of the test application to be repaired, application repair code, and a repair command script. The test application identifier is a unique identifier of a test application; different test applications have different identifiers. The application repair code is the test application as completed by the player after repairing the security vulnerability, so it reflects the repair mode the player adopted for the vulnerability of the test application. The repair command script is a command script that triggers replacement of the test application with the application repair code (that is, the application repair code becomes the repaired test application). After the player uploads the program repair package, the repair action can therefore be performed automatically by running the repair command script, and the subsequent defense result evaluation can then proceed.
S102: Repair the test application according to the program repair package corresponding to the test application to obtain the repaired test application.
In this embodiment, after the program repair package corresponding to the test application is obtained, the test application may be repaired with it to obtain the repaired test application. For example, when the program repair package is itself a test application in which the vulnerability has been repaired, the program repair package may be used directly as the repaired test application; when the program repair package is a piece of code that patches the vulnerability in the test application, the test application can be repaired and completed with the program repair package to obtain the repaired test application.
In one implementation, the test application that needs to be repaired is first determined from the test application identifier in the program repair package. Then the repair command script in the program repair package is run to trigger a repair instruction. In response to the repair instruction, the test application corresponding to the test application identifier is repaired with the application repair code in the program repair package to obtain the repaired test application.
S103: Test the key functions of the repaired test application to obtain a key function test result.
In this embodiment, after the repaired test application is obtained, a service detection module may first be used to check the key functions of the repaired test application. When a key function failure is detected, the module reports that service detection failed; when all key functions are detected to run normally, it reports that service detection succeeded.
Specifically, the preset key functions in the repaired test application are checked to determine whether the repaired test application can run them normally. There may be one or more preset key functions, and they may be functions of the test application itself. For example, if the test application is a shopping application, the preset key functions may include a menu function, a payment function, a page forward and backward function, and the like. If all the preset key functions run normally, the key function test result is determined to be a pass; if at least one preset key function cannot run normally, the key function test result is determined to be a failure.
S104: If the key function test result is that the test passed, detect a general defense repair mode of the repaired test application to obtain a general defense detection result.
As competitions have accumulated, contestants have developed many general defense techniques, which let a contestant fix the vulnerability defect in the test application by blindly applying them without knowing what vulnerability exists in the challenge application. To avoid this, the embodiment effectively detects and excludes general defense techniques, that is, it detects and prevents general defense behavior by players, which ensures the accuracy and fairness of the defense result obtained for the test application.
A general defense repair mode means that a player does not need to know what vulnerability exists in the test application: by using a general repair mode or technique, the application keeps providing its service normally while the vulnerability detection used for defense judging cannot compromise it, so the defense appears successful. A general defense repair mode can make most vulnerabilities impossible for the defense judging's vulnerability detection to exploit while the application still serves normally, thereby achieving the effect of a successful defense.
The application types (that is, challenge types) of test applications include the web type and the pwn type. The general defense repair modes corresponding to these two application types are described below.
For test applications whose application type is pwn: In the first general defense repair mode, the defense judging stage usually tries to obtain the flag built into the test application to decide whether the vulnerability has been repaired, so some players delete the flag or change its permissions so that the defense detection script cannot obtain it, which makes the defense appear successful without the vulnerability being repaired. In the second general defense repair mode, a player changes the program dependency library that the program runs against; once the library is changed, the detection script prepared for the defense judging stage can no longer exploit some vulnerabilities, which indirectly achieves general defense. In the third general defense repair mode, a player filters commands by means of traffic forwarding: the detection commands commonly used by the defense stage's detection script are filtered before traffic is forwarded to the real test application, so the detection script cannot exploit the vulnerability, which achieves general defense.
For test applications whose application type is web: In the first general defense repair mode, players achieve general defense by deleting the flag in the test application or changing its permissions. In the second general defense repair mode, for a web-type test application whose code type is PHP or Node.js, a player may mount a general WAF (that is, a firewall) to repair the vulnerability. In this mode the player does not need to know where the vulnerability in the challenge is, and only needs to mount a WAF that resists various common vulnerabilities for the defense judging script to judge the defense successful. In the third general defense repair mode, for a web-type test application whose code type is Java, a player can disable certain classes and methods through Java agent technology, so that under certain conditions the defense judging script cannot detect the vulnerabilities in the test application, which achieves general defense.
Therefore, if the key function test result is that the test passed, general defense repair mode detection is performed on the repair mode of the repaired test application to obtain the general defense detection result. That is, the repair mode of the repaired test application is examined to determine whether it uses a general defense repair mode.
As an example, if the application type corresponding to the test application is the pwn type, general defense repair mode detection on the repaired test application may be implemented as follows. The general defense detection module first cleans up useless processes in the repaired test application. It then deletes the flag in the repaired test application and writes a new flag. If, after the new flag is written, the program dependency library has not been changed and the application repair code does not contain a preset feature code, the general defense detection result is determined to be a pass. If, after the new flag is written, the program dependency library has been changed and/or the application repair code contains a preset feature code, the general defense detection result is determined to be a failure. In other words, for a pwn-type test application, once the repaired test application is obtained, the detection module first cleans up useless processes in the environment of the test application, then automatically deletes the flag in the test application and writes a new flag for detection, then checks whether the program dependency library of the test application has been modified, and then matches the application repair code against preset feature codes, which are used to detect whether the player uses a traffic forwarding program or disables key system call functions. Service detection succeeds only when the program dependency library is found to be unmodified and no preset feature code matches.
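The pwn-type check described above can be sketched as follows. This is an added example, not code from the patent: the directory layout (`env/flag`, `env/lib`), the `FEATURE_CODES` list and all function names are assumptions, process cleanup is omitted, and the sample environment is constructed in a temporary directory.

```python
import hashlib
import os
import secrets
import tempfile
from pathlib import Path

# Hypothetical "preset feature codes": byte strings whose presence in the repair
# code suggests traffic forwarding or disabled system calls, not a targeted fix.
FEATURE_CODES = (b"socat", b"seccomp_rule_add", b"prctl(PR_SET_SECCOMP")


def snapshot_libs(lib_dir: Path) -> dict:
    """Record a SHA-256 digest for each dependency library of the challenge."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(lib_dir.iterdir()) if p.is_file()}


def rotate_flag(flag_path: Path) -> str:
    """Delete whatever flag the team left behind and write a fresh, readable one."""
    if flag_path.exists() or flag_path.is_symlink():
        flag_path.unlink()
    new_flag = "flag{" + secrets.token_hex(16) + "}"
    flag_path.write_text(new_flag)
    os.chmod(flag_path, 0o644)
    return new_flag


def changed_libs(baseline: dict, lib_dir: Path) -> list:
    """Names of libraries added, removed or modified relative to the baseline."""
    current = snapshot_libs(lib_dir)
    return sorted(name for name in baseline.keys() | current.keys()
                  if baseline.get(name) != current.get(name))


def matched_feature_codes(repair_dir: Path) -> list:
    """Feature codes found anywhere in the uploaded application repair code."""
    hits = set()
    for path in repair_dir.rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            hits.update(c.decode() for c in FEATURE_CODES if c in data)
    return sorted(hits)


def general_defense_check(env_dir: Path, repair_dir: Path, baseline: dict) -> dict:
    """Order follows the description: new flag, then library check, then feature codes."""
    flag = rotate_flag(env_dir / "flag")
    libs = changed_libs(baseline, env_dir / "lib")
    codes = matched_feature_codes(repair_dir)
    return {"passed": not libs and not codes, "new_flag": flag,
            "changed_libs": libs, "feature_codes": codes}


def demo():
    """Constructed sample: one targeted fix and one general defense submission."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        env, lib = root / "env", root / "env" / "lib"
        lib.mkdir(parents=True)
        (lib / "libc.so.6").write_bytes(b"constructed library bytes")
        (env / "flag").write_text("flag{original}")
        baseline = snapshot_libs(lib)  # taken from the unmodified challenge

        team_a = root / "team_a"
        team_a.mkdir()
        (team_a / "patch.c").write_bytes(b"if (len > sizeof(buf)) return -1;\n")
        result_a = general_defense_check(env, team_a, baseline)

        # Team B hides the flag, swaps the library and ships a forwarder.
        os.chmod(env / "flag", 0)
        (lib / "libc.so.6").write_bytes(b"swapped library bytes")
        team_b = root / "team_b"
        team_b.mkdir()
        (team_b / "update.sh").write_bytes(b"# constructed: starts a socat filter\n")
        result_b = general_defense_check(env, team_b, baseline)
        flag_readable = (env / "flag").read_text() == result_b["new_flag"]
        return result_a, result_b, flag_readable


if __name__ == "__main__":
    print(demo())
```

Because the flag is rewritten before the later vulnerability check runs, a submission that only hid or deleted the flag gains nothing from it, while the library and feature-code checks decide the general defense result.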
As an example, if the application type corresponding to the test application is the web type, general defense repair mode detection on the repaired test application may be implemented as follows. Useless processes in the repaired test application are cleaned up first; that is, once the repaired test application is obtained, the detection module cleans up useless processes in the environment of the test application. Then the code type corresponding to the test application is determined, such as the PHP type, the Node.js type or the Java type. Then the general defense repair mode corresponding to that code type is determined, and the repair mode of the repaired test application is checked against it to obtain the general defense detection result. Note that, in one implementation, before the code type is determined, the flag in the repaired test application may also be deleted and a new flag written, so that the defense detection script is not prevented from obtaining the flag.
In one implementation, if the application type corresponding to the test application is the web type and the code type is the PHP type or the Node.js type, checking the repair mode of the repaired test application against the general defense repair mode corresponding to the code type may be implemented as follows:
Detect, by means of preset sensitive functions and character fuzz testing, whether the application repair code in the program repair package corresponding to the test application includes a general defense firewall. If not (that is, the application repair code does not include a general defense firewall), the general defense detection result is determined to be a pass; if so (that is, the application repair code includes a general defense firewall), the general defense detection result is determined to be a failure. In other words, when the code program corresponding to the test application is of the PHP or Node.js type, the detection module runs sensitive function and character fuzz tests to detect whether a general defense WAF is present, and the result is a pass only when none is found.
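One way to read the sensitive function and character fuzz test is as a differential probe: harmless requests carrying sensitive tokens are sent to routes that were never vulnerable, and a submission that blocks or rewrites them there is filtering generically. The sketch below is an added example, not the patent's implementation; the token list, the routes, the threshold and the three in-process handlers (which stand in for the original and repaired web applications and are assumed to echo the `q` parameter) are all constructed.

```python
import secrets

# Hypothetical probe tokens: sensitive function names and characters that a
# general WAF tends to reject wherever they appear. Constructed for this example.
PROBE_TOKENS = ("eval(", "system(", "base64_decode(", "../", "<script>", "${", "'")


def probe_general_waf(handler, benign_routes, threshold=0.5):
    """Probe routes that are NOT vulnerable in the original challenge.

    handler(route, params) -> (status, body). A targeted fix has no reason to
    touch these routes, so blocked or rewritten probes indicate generic filtering.
    """
    blocked, total = [], 0
    for route in benign_routes:
        marker = secrets.token_hex(4)
        base_status, _ = handler(route, {"q": marker})
        for token in PROBE_TOKENS:
            total += 1
            status, body = handler(route, {"q": marker + token})
            # Blocked (status changed) or sanitised (probe no longer echoed intact).
            if status != base_status or (marker + token) not in body:
                blocked.append((route, token))
    ratio = len(blocked) / total if total else 0.0
    return {"general_waf": ratio >= threshold, "ratio": ratio, "blocked": blocked}


def original_app(route, params):
    """Constructed stand-in for the challenge: two benign routes, one vulnerable."""
    q = params.get("q", "")
    if route == "/search":
        return 200, "results for " + q
    if route == "/profile":
        return 200, "hello " + q
    if route == "/render":  # stands in for the route that holds the vulnerability
        return 200, "rendered " + q
    return 404, "not found"


def targeted_fix_app(route, params):
    """Repair that validates input only where the vulnerability actually was."""
    if route == "/render" and not params.get("q", "").isalnum():
        return 400, "invalid template name"
    return original_app(route, params)


def generic_waf_app(route, params):
    """Repair that mounts a signature filter in front of every route."""
    joined = " ".join(params.values()).lower()
    signatures = ("eval", "system", "base64", "..", "<", "$", "'")
    if any(sig in joined for sig in signatures):
        return 403, "blocked"
    return original_app(route, params)


if __name__ == "__main__":
    routes = ["/search", "/profile"]
    print(probe_general_waf(targeted_fix_app, routes))
    print(probe_general_waf(generic_waf_app, routes))
```

Probing only routes outside the vulnerable one keeps a legitimate input check on the repaired route from being misread as a WAF.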
In one implementation manner, if the application type corresponding to the test application is a web type and the code type corresponding to the test application is a java type; the method for detecting the general defense repair mode by using the general defense repair mode corresponding to the code type to detect the repair mode of the repaired test application may be specifically implemented as follows:
detecting whether the application repair code starts the test application by using a java proxy mode or a RASP technical mode; if not (namely, the application repair code starts the test application in a java agent mode or a RASP technical mode), determining that the anti-theft detection result is detection passing; if yes (the application repairing code starts the test application by using a java agent mode or a RASP technical mode), determining that the anti-passing detection result is detection failure. That is, for the type of the code program corresponding to the test application is java type, the detection module detects whether the application repair code in the program repair package corresponding to the test application uses a java agent to start the test application or uses a general defense mode such as RASP technology to run the test application; service detection success is returned only when the detection module does not detect that the application repair code in the program repair package uses a general defensive mode.
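One way a checker could implement the Java check described above, as an added example (not code from the patent): it parses the repair command script for JVM agent options, given directly or through option environment variables, and inspects jar manifests for agent entry points. Treating a RASP as something loaded through a JVM agent, the sample scripts and manifests, and all function names are assumptions.

```python
import posixpath
import re
import shlex

# JVM launcher options that load an instrumentation or native agent.
AGENT_FLAG = re.compile(r"^-(javaagent|agentlib|agentpath):.+$")
# Environment variables from which the JVM picks up extra options.
OPTION_ENV = re.compile(
    r"^(JAVA_TOOL_OPTIONS|JDK_JAVA_OPTIONS|_JAVA_OPTIONS)=(.*)$", re.S)
# Launcher options whose value is the next token.
TAKES_VALUE = {"-cp", "-classpath", "--class-path", "-p", "--module-path",
               "--add-modules"}
# After these, the remaining tokens are the jar/module and application arguments.
ENDS_OPTIONS = {"-jar", "-m", "--module"}
# Manifest attributes that declare a jar to be a Java agent.
AGENT_MANIFEST_KEYS = {"premain-class", "agent-class", "launcher-agent-class"}


def jvm_agent_options(argv):
    """Return the agent options among the JVM options of one `java` command."""
    found, skip = [], False
    for tok in argv[1:]:
        if skip:                      # value of the previous option
            skip = False
            continue
        if tok in ENDS_OPTIONS or not tok.startswith("-"):
            break                     # the rest belongs to the application
        if tok in TAKES_VALUE:
            skip = True
        elif AGENT_FLAG.match(tok):
            found.append(tok)
    return found


def scan_repair_script(script_text):
    """Return (line number, reason) for every agent attachment in a shell script."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:            # unbalanced quotes: fall back to plain split
            tokens = line.split()
        for i, tok in enumerate(tokens):
            env = OPTION_ENV.match(tok)
            if env:
                for opt in env.group(2).split():
                    if AGENT_FLAG.match(opt):
                        findings.append((lineno, f"{env.group(1)} carries {opt}"))
            elif posixpath.basename(tok) == "java":
                for opt in jvm_agent_options(tokens[i:]):
                    findings.append((lineno, f"JVM option {opt}"))
                break                 # later tokens are arguments of this command
    return findings


def manifest_agent_keys(manifest_text):
    """Return the agent attributes declared in a MANIFEST.MF body."""
    keys = []
    for line in manifest_text.splitlines():
        if line[:1] in (" ", "") or ":" not in line:
            continue                  # blank or continuation line
        key = line.split(":", 1)[0].strip()
        if key.lower() in AGENT_MANIFEST_KEYS:
            keys.append(key)
    return keys


def java_general_defense_check(script_text, manifests):
    """Return (general defense detection result, findings) for a repair package."""
    findings = [f"script line {n}: {why}" for n, why in scan_repair_script(script_text)]
    for jar_name, text in manifests.items():
        findings += [f"{jar_name}: manifest declares {k}" for k in manifest_agent_keys(text)]
    return ("detection failed" if findings else "detection passed", findings)


# Constructed sample: the patched jar replaces the original; the trailing
# "-javaagent:" token comes after the jar, so it is an application argument.
GENUINE_FIX_SCRIPT = """\
# swap in the patched jar and restart
cp /tmp/patch/app.jar /app/app.jar
cd /app && nohup java -Xmx256m -cp /app/lib -jar /app/app.jar -javaagent:treated-as-app-arg &
"""
GENUINE_MANIFESTS = {"app.jar": "Manifest-Version: 1.0\nMain-Class: com.example.App\n"}

# Constructed sample: the original jar is untouched and an agent is attached.
GENERAL_DEFENSE_SCRIPT = """\
# restart with a guard attached
export JAVA_TOOL_OPTIONS="-Dfile.encoding=UTF-8 -javaagent:/tmp/patch/guard.jar=mode=block"
nohup /usr/bin/java -jar /app/app.jar > /dev/null 2>&1 &
"""
AGENT_MANIFESTS = {"guard.jar": "Manifest-Version: 1.0\n"
                                "Premain-Class: com.example.guard.Agent\n"
                                "Can-Redefine-Classes: true\n"}

if __name__ == "__main__":
    print(java_general_defense_check(GENUINE_FIX_SCRIPT, GENUINE_MANIFESTS))
    print(java_general_defense_check(GENERAL_DEFENSE_SCRIPT, AGENT_MANIFESTS))
```
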
S105: if the general defense detection result is detection passed, performing target vulnerability detection on the repaired test application to obtain a vulnerability detection result.
In this embodiment, if the general defense detection result is detection passed, target vulnerability detection may be performed on the repaired test application to obtain a vulnerability detection result, that is, to determine whether the repaired test application has successfully repaired the security vulnerability in the original test application.
As an example, a preset exploit script may be run to detect whether the vulnerability can still be successfully exploited in the repaired test application. If not (that is, the vulnerability is not successfully exploited in the repaired test application), the vulnerability detection result is determined to be detection passed; if so (that is, the vulnerability is successfully exploited in the repaired test application), the vulnerability detection result is determined to be detection failed. In other words, in this embodiment the vulnerability detection module may be used to detect whether the repaired test application has been successfully repaired, that is, whether the vulnerability that existed in the original test application has been fixed; the vulnerability detection module runs a preset exploit script to detect whether the vulnerability can be successfully exploited, determines that the vulnerability detection result is detection passed when the vulnerability cannot be exploited, and otherwise determines that the vulnerability detection result is detection failed.
S106: if the vulnerability detection result is detection passed, the defense result of the test application is defense success.
In this embodiment, when the vulnerability detection result is detection passed, the defense result of the test application is defense success; otherwise, when the vulnerability detection result is detection failed, the defense result of the test application is defense failure.
Next, the method flow corresponding to fig. 1 is described in conjunction with a specific embodiment. The overall defense determination flow provided by the method in this embodiment is as follows. First, the service detection module detects whether the test application service runs normally (that is, whether the key functions of the repaired test application work normally); when the service runs normally, it returns service detection success and the flow enters the next stage, and when the service is abnormal, it returns service detection failure and detection ends. Then the general defense detection module starts working; when it detects that the player has used a general defense technique, it returns service detection failure and detection ends, and when it detects that the application repair code completed by the player does not use a general defense technique, it returns service detection success and the flow enters the next step. The vulnerability detection module then starts working; when it detects that the vulnerability of the repaired test application can still be successfully exploited, it returns defense failure and detection ends; finally, when it detects that the vulnerability of the repaired test application can no longer be exploited, it returns defense success and detection ends.
According to the above technical solution, the method acquires the test application and the program repair package corresponding to the test application; repairs the test application according to the program repair package to obtain a repaired test application; tests the key functions of the repaired test application to obtain a key function test result; if the key function test result is that the test passed, performs general defense repair mode detection on the repair mode of the repaired test application to obtain a general defense detection result; if the general defense detection result is detection passed, performs target vulnerability detection on the repaired test application to obtain a vulnerability detection result; and if the vulnerability detection result is detection passed, determines that the defense result of the test application is defense success. Therefore, when evaluating whether the program repair package corresponding to the test application defends successfully, the method not only tests the key functions of the repaired test application, but also performs general defense repair mode detection on its repair mode and target vulnerability detection on the repaired test application. In this way, the method provided by this embodiment can detect both the running state of the repaired test application and the repair state of the vulnerability, and can also effectively detect and eliminate general defense techniques, thereby ensuring the accuracy and fairness of the defense result obtained for the test application and greatly improving the contest experience of contestants and the fairness of the contest.
That is, the conventional detection mode for the defense stage only checks the running state of the service and the repair state of the challenge vulnerability. Over time, however, contestants have developed numerous general defense techniques, which to some extent affect the fairness of the contest itself and the contest experience of other contestants. The conventional detection mode can neither prevent nor detect such general defense means, whereas effectively detecting and eliminating them can greatly improve the contest experience of contestants and the fairness of the contest.
Referring to fig. 2, a specific embodiment of a defense result determining apparatus for a test application in a network attack and defense competition according to the present application is shown. The apparatus of this embodiment is an entity apparatus for performing the method of the foregoing embodiment. The technical solution is essentially identical to the above embodiment, and the corresponding description in the above embodiment is also applicable to this embodiment. The device in this embodiment includes:
a data obtaining unit 201, configured to obtain a test application and a program repair package corresponding to the test application;
an application repairing unit 202, configured to repair the test application according to the program repair package corresponding to the test application, to obtain a repaired test application;
a first testing unit 203, configured to test the key functions of the repaired test application to obtain a key function test result;
a second test unit 204, configured to, if the key function test result is that the test passed, perform general defense repair mode detection on the repair mode of the repaired test application to obtain a general defense detection result;
a third test unit 205, configured to, if the general defense detection result is detection passed, perform target vulnerability detection on the repaired test application to obtain a vulnerability detection result;
and a result determining unit 206, configured to, if the vulnerability detection result is detection passed, determine that the defense result of the test application is defense success.
Optionally, the program repair package includes the repaired test application identifier, the application repair code and the repair command script.
Optionally, the application repairing unit 202 is configured to:
run the repair command script to trigger a repair instruction;
and, in response to the repair instruction, repair the test application corresponding to the test application identifier by using the application repair code to obtain the repaired test application.
Optionally, the first testing unit 203 is configured to:
detect the preset key functions in the repaired test application;
if all the preset key functions run normally, determine that the key function test result is that the test passed;
if at least one preset key function cannot run normally, determine that the key function test result is that the test failed.
Optionally, if the application type corresponding to the test application is the pwn type, the second test unit 204 is configured to:
clean up useless processes in the repaired test application;
delete the flag in the repaired test application and write a new flag;
if, after the new flag is written, the program dependency library is unchanged and the application repair code does not include a preset feature code, determine that the general defense detection result is detection passed;
and if, after the new flag is written, the program dependency library has changed and/or the application repair code includes a preset feature code, determine that the general defense detection result is detection failed.
Optionally, if the application type corresponding to the test application is the web type, the second test unit 204 is configured to:
clean up useless processes in the repaired test application;
determine the code type corresponding to the test application;
and determine, according to the code type corresponding to the test application, the general defense repair mode corresponding to the code type, and detect the repair mode of the repaired test application by using the general defense repair mode corresponding to the code type to obtain a general defense detection result.
Optionally, if the code type corresponding to the test application is the php type or the nodejs type, the second test unit 204 is configured to:
detect, by means of preset sensitive functions and character fuzz testing, whether the application repair code includes a general-defense firewall;
if not, determine that the general defense detection result is detection passed; if so, determine that the general defense detection result is detection failed.
Optionally, if the code type corresponding to the test application is the java type, the second test unit 204 is configured to:
detect whether the application repair code starts the test application by using a Java agent or RASP technology;
if not, determine that the general defense detection result is detection passed; if so, determine that the general defense detection result is detection failed.
Optionally, the third test unit 205 is configured to:
detect, by using a preset exploit script, whether the vulnerability is successfully exploited in the repaired test application;
if not, determine that the vulnerability detection result is detection passed; if so, determine that the vulnerability detection result is detection failed.
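The three-stage flow and the pwn-type general defense check described above, as an added example (not code from the patent): each stage gates the next, and the second stage rotates the flag, compares dependency-library hashes against a baseline and scans the repair code for feature codes. Taking the baseline from the unrepaired image, the placeholder feature code, the file layout and all names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed placeholder: the page does not list its preset feature codes.
FEATURE_CODES = [b"EXAMPLE-GENERAL-DEFENSE-SIGNATURE"]


def hash_tree(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def pwn_general_defense_check(lib_dir, baseline, flag_path, new_flag, repair_code):
    """Rotate the flag, then require unchanged libraries and no feature code."""
    flag_path = Path(flag_path)
    flag_path.unlink(missing_ok=True)        # delete the old flag
    flag_path.write_text(new_flag + "\n")    # write the new flag
    current = hash_tree(lib_dir)
    reasons = [f"dependency library changed: {name}"
               for name in sorted(baseline.keys() | current.keys())
               if baseline.get(name) != current.get(name)]
    reasons += [f"repair code contains feature code {sig!r}"
                for sig in FEATURE_CODES if sig in repair_code]
    return (not reasons, reasons)


def determine_defense_result(key_function_tests, general_defense_check, exploit_succeeds):
    """Run the three stages in order; a failed stage ends the evaluation."""
    broken = [name for name, works in key_function_tests.items() if not works()]
    if broken:
        return ("service detection failure", "key function test", broken)
    passed, reasons = general_defense_check()
    if not passed:
        return ("service detection failure", "general defense detection", reasons)
    if exploit_succeeds():
        return ("defense failure", "vulnerability detection", ["exploit still succeeds"])
    return ("defense success", "vulnerability detection", [])


def run_demo():
    """Evaluate constructed submissions against a throwaway challenge tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        libs = Path(tmp, "lib")
        libs.mkdir()
        (libs / "libc.so.6").write_bytes(b"constructed libc bytes")
        flag = Path(tmp, "flag")
        flag.write_text("flag{old}\n")
        baseline = hash_tree(libs)           # assumed: taken from the unrepaired image
        exploit_runs = []

        def exploit(outcome):                # stand-in for the preset exploit script
            def run():
                exploit_runs.append(outcome)
                return outcome
            return run

        def stage2(code):
            return lambda: pwn_general_defense_check(libs, baseline, flag, "flag{new}", code)

        working = {"add_note": lambda: True, "show_note": lambda: True}
        results["genuine fix"] = determine_defense_result(
            working, stage2(b"bounds check added"), exploit(False))
        results["unfixed"] = determine_defense_result(
            working, stage2(b"unrelated change"), exploit(True))
        results["broken service"] = determine_defense_result(
            {"add_note": lambda: True, "show_note": lambda: False},
            stage2(b"bounds check added"), exploit(False))
        results["signature in patch"] = determine_defense_result(
            working, stage2(b"\x90\x90" + FEATURE_CODES[0]), exploit(False))
        (libs / "libc.so.6").write_bytes(b"swapped libc bytes")
        results["library swapped"] = determine_defense_result(
            working, stage2(b"bounds check added"), exploit(False))
        results["exploit runs"] = len(exploit_runs)   # only stage-3 entries count
        results["flag"] = flag.read_text().strip()
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, "->", outcome)
```
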
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application. At the hardware level, the electronic device comprises a processor and, optionally, an internal bus, a network interface and a memory. The memory may include internal memory, such as random-access memory (RAM), and may further include non-volatile memory, such as at least one disk memory. Of course, the electronic device may also include hardware required for other services.
The processor, network interface and memory may be interconnected by an internal bus, which may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. Buses may be classified as address buses, data buses, control buses, etc. For ease of illustration, only one bi-directional arrow is shown in fig. 3, but this does not mean that there is only one bus or one type of bus.
The memory is used for storing execution instructions. Specifically, the execution instructions are a computer program that can be executed. The memory may include internal memory and non-volatile storage, and provides the processor with execution instructions and data.
In one possible implementation, the processor reads the corresponding execution instructions from the non-volatile memory into memory and then runs them, or may obtain the corresponding execution instructions from other devices, so as to form, at the logical level, the apparatus for determining the defense result of a test application in a network attack and defense competition. The processor executes the execution instructions stored in the memory, thereby implementing the method for determining the defense result of a test application in a network attack and defense competition provided in any embodiment of the present application.
The method executed by the apparatus for determining the defense result of a test application in a network attack and defense competition according to the embodiment shown in fig. 1 of the present application may be applied to a processor or implemented by a processor. The processor may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, which can implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The steps of the method disclosed in connection with the embodiments of the present application may be embodied directly as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in a decoding processor. The software modules may be located in a storage medium well known in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or registers. The storage medium is located in the memory, and the processor reads the information in the memory and, in combination with its hardware, performs the steps of the above method.
An embodiment of the present application further provides a readable storage medium storing execution instructions which, when executed by a processor of an electronic device, cause the electronic device to perform the method for determining the defense result of a test application in a network attack and defense competition provided in any embodiment of the present application.
The electronic device described in the foregoing embodiments may be a computer.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or a combination of software and hardware aspects.
The embodiments of the present application are described in a progressive manner, and the same and similar parts of the embodiments are all referred to each other, and each embodiment is mainly described in the differences from the other embodiments. In particular, for the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments in part.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims (7)

1. A method for determining a defense result of a test application in a network attack and defense competition, the method comprising:
acquiring a test application and a program repair package corresponding to the test application;
repairing the test application according to the program repair package corresponding to the test application to obtain a repaired test application;
testing the key functions of the repaired test application to obtain a key function test result;
if the key function test result is that the test passed, performing general defense repair mode detection on the repair mode of the repaired test application to obtain a general defense detection result;
if the general defense detection result is detection passed, performing target vulnerability detection on the repaired test application to obtain a vulnerability detection result;
if the vulnerability detection result is detection passed, determining that the defense result of the test application is defense success;
wherein the program repair package comprises a repaired test application identifier, an application repair code and a repair command script;
if the application type corresponding to the test application is the pwn type, performing general defense repair mode detection on the repair mode of the repaired test application to obtain a general defense detection result comprises:
cleaning up useless processes in the repaired test application;
deleting the flag in the repaired test application and writing a new flag;
if, after the new flag is written, the program dependency library is unchanged and the application repair code does not comprise a preset feature code, determining that the general defense detection result is detection passed;
if, after the new flag is written, the program dependency library has changed and/or the application repair code comprises a preset feature code, determining that the general defense detection result is detection failed;
if the application type corresponding to the test application is the web type, performing general defense repair mode detection on the repair mode of the repaired test application to obtain a general defense detection result comprises:
cleaning up useless processes in the repaired test application;
determining the code type corresponding to the test application;
and determining, according to the code type corresponding to the test application, the general defense repair mode corresponding to the code type, and detecting the repair mode of the repaired test application by using the general defense repair mode corresponding to the code type to obtain a general defense detection result.
2. The method of claim 1, wherein repairing the test application according to the program repair package corresponding to the test application to obtain a repaired test application comprises:
running the repair command script to trigger a repair instruction;
and, in response to the repair instruction, repairing the test application corresponding to the test application identifier by using the application repair code to obtain the repaired test application.
3. The method of claim 1, wherein testing the critical functions of the repaired test application to obtain a critical function test result comprises:
detecting preset key functions in the repaired test application;
if all the preset key functions run normally, determining that the key function test result is that the test passed;
if at least one preset key function cannot run normally, determining that the key function test result is that the test failed.
4. The method according to claim 1, wherein if the code type corresponding to the test application is the php type or the nodejs type, detecting the repair mode of the repaired test application by using the general defense repair mode corresponding to the code type to obtain a general defense detection result comprises:
detecting, by means of preset sensitive functions and character fuzz testing, whether the application repair code comprises a general-defense firewall;
if not, determining that the general defense detection result is detection passed; if so, determining that the general defense detection result is detection failed.
5. The method of claim 1, wherein if the code type corresponding to the test application is the java type, detecting the repair mode of the repaired test application by using the general defense repair mode corresponding to the code type to obtain a general defense detection result comprises:
detecting whether the application repair code starts the test application by using a Java agent or RASP technology;
if not, determining that the general defense detection result is detection passed; if so, determining that the general defense detection result is detection failed.
6. The method of claim 1, wherein performing target vulnerability detection on the repaired test application to obtain a vulnerability detection result comprises:
detecting, by using a preset exploit script, whether the vulnerability is successfully exploited in the repaired test application;
if not, determining that the vulnerability detection result is detection passed; if so, determining that the vulnerability detection result is detection failed.
7. A defense result determining apparatus for a test application in a network attack and defense contest, the apparatus comprising:
a data acquisition unit, configured to acquire a test application and a program repair package corresponding to the test application;
an application repairing unit, configured to repair the test application according to the program repair package corresponding to the test application to obtain a repaired test application;
a first testing unit, configured to test the key functions of the repaired test application to obtain a key function test result;
a second test unit, configured to, if the key function test result is that the test passed, perform general defense repair mode detection on the repair mode of the repaired test application to obtain a general defense detection result;
a third test unit, configured to, if the general defense detection result is detection passed, perform target vulnerability detection on the repaired test application to obtain a vulnerability detection result;
a result determining unit, configured to, if the vulnerability detection result is detection passed, determine that the defense result of the test application is defense success;
wherein the program repair package comprises a repaired test application identifier, an application repair code and a repair command script;
if the application type corresponding to the test application is the pwn type, the second test unit is specifically configured to:
clean up useless processes in the repaired test application;
delete the flag in the repaired test application and write a new flag;
if, after the new flag is written, the program dependency library is unchanged and the application repair code does not comprise a preset feature code, determine that the general defense detection result is detection passed;
if, after the new flag is written, the program dependency library has changed and/or the application repair code comprises a preset feature code, determine that the general defense detection result is detection failed;
if the application type corresponding to the test application is the web type, the second test unit is specifically configured to:
clean up useless processes in the repaired test application;
determine the code type corresponding to the test application;
and determine, according to the code type corresponding to the test application, the general defense repair mode corresponding to the code type, and detect the repair mode of the repaired test application by using the general defense repair mode corresponding to the code type to obtain a general defense detection result.
CN202310011578.6A 2023-01-05 2023-01-05 Method and device for determining defense result of test application in network attack and defense competition Active CN116186711B (en)

Publications (2)

Publication Number Publication Date
CN116186711A (en) 2023-05-30
CN116186711B (en) 2023-12-12

Family

ID=86439635

Country Status (1)

Country Link
CN (1) CN116186711B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 100094 103, building 6, yard 9, FengHao East Road, Haidian District, Beijing
Applicant after: Yongxin Zhicheng Technology Group Co.,Ltd.
Address before: 100094 103, building 6, yard 9, FengHao East Road, Haidian District, Beijing
Applicant before: BEIJING YONGXIN ZHICHENG TECHNOLOGY CO.,LTD.
GR01 Patent grant