CN116431460B - Database capability verification and evaluation method and device, computer equipment and storage medium - Google Patents


Info

Publication number
CN116431460B
CN116431460B (application CN202310702306.0A)
Authority
CN
China
Prior art keywords
database
attack
safety protection
response
assets
Prior art date
Legal status
Active
Application number
CN202310702306.0A
Other languages
Chinese (zh)
Other versions
CN116431460A (en)
Inventor
柳遵梁
覃锦端
王月兵
周杰
闻建霞
刘聪
毛菲
Current Assignee
Hangzhou Meichuang Technology Co ltd
Original Assignee
Hangzhou Meichuang Technology Co ltd
Application filed by Hangzhou Meichuang Technology Co ltd
Priority to CN202310702306.0A
Publication of CN116431460A
Application granted
Publication of CN116431460B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3409 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment for performance assessment
    • G06F11/3051 Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management


Abstract

The embodiment of the invention discloses a database capability verification and evaluation method and device, computer equipment and a storage medium. The method comprises the following steps: deploying a database security protection capability verification and evaluation tool; linking the existing security protection measures by using the evaluation tool; detecting database assets and combing them to obtain a combing result; calculating the expected response of the security protection measures from the combing result to obtain an expected response risk value set; simulating attacks on the database to obtain a simulation result; capturing the real response of the security protection measures from the simulation result to obtain a real response data set; comparing the deviation between the expected response and the real response to obtain a comparison result; evaluating the security protection capability of the database to obtain an evaluation report; and outputting the evaluation report. The method provided by the embodiment of the invention can effectively find defects in the current security protection measures, support the security construction of the organization's database system, and improve the security protection level of that system.

Description

Database capability verification and evaluation method and device, computer equipment and storage medium
Technical Field
The present invention relates to databases, and more particularly, to a database capability verification and evaluation method, apparatus, computer device, and storage medium.
Background
Among networked systems, database assets are favored by attackers because of their sensitivity: an attacker may attack the database to obtain the sensitive data stored in it, or may attack the database in order to disrupt the normal operation of other network systems. Conventional single penetration tests and vulnerability scans therefore cannot meet the security assessment needs of database systems.
Therefore, it is necessary to design a new method that effectively finds defects in the current security protection measures, supports the security construction of the organization's database system, and improves the security protection level of that system.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a database capability verification and evaluation method and device, computer equipment and a storage medium.
In order to achieve the above purpose, the present invention adopts the following technical scheme. The database capability verification and evaluation method comprises the following steps:
deploying a database security protection capability verification and evaluation tool;
linking the existing security protection measures by using the evaluation tool;
detecting database assets and combing them to obtain a combing result;
calculating the expected response of the security protection measures from the combing result to obtain an expected response risk value set;
simulating attacks on the database to obtain a simulation result;
capturing the real response of the security protection measures from the simulation result to obtain a real response data set;
comparing the deviation between the expected response and the real response, using the expected response risk value set and the real response data set, to obtain a comparison result;
evaluating the security protection capability of the database from the comparison result to obtain an evaluation report;
and outputting the evaluation report.
A further technical scheme is as follows: the database assets include database system information, database network information, database credential information, information on the business applications that use the database, information on the client software that connects to the database, and information on the programming language SDKs that operate the database.
A further technical scheme is as follows: detecting the database assets and combing them to obtain the combing result comprises:
detecting the database assets;
and combing the database assets, recording the connection state and network information of each database asset to form a database connection flag set, so as to obtain the combing result.
A further technical scheme is as follows: calculating the expected response of the security protection measures from the combing result to obtain the expected response risk value set comprises the following steps:
judging whether the combing result is within the protection range of the security protection devices and policies by detecting the connectivity between the combing result and the existing set of security protection devices and policies, so as to obtain the connection links between the combing result and that set;
extracting the attack payloads from the security protection capability verification scripts to obtain an extraction result;
and calculating, from the extraction result and the connection links between the combing result and the existing set of security protection devices and policies, the expected response risk values of the database assets at the application business, database and database operation and maintenance levels, so as to obtain the expected response risk value set.
A further technical scheme is as follows: simulating attacks on the database to obtain the simulation result comprises the following steps:
according to the database connection flag set, the security protection capability verification scripts and the simulated attack time interval set, calculating an attack sequence for each database asset to generate a simulated attack sequence priority set;
and, according to the simulated attack sequence priority set and the security protection capability verification scripts, performing a simulated attack on each database asset in the organization in turn through the verification scripts, and generating a simulated attack flag set to obtain the simulation result.
A further technical scheme is as follows: comparing the deviation between the expected response and the real response, using the expected response risk value set and the real response data set, to obtain the comparison result comprises:
determining whether an intersection exists between the expected response risk value set and the real response data set, so as to obtain the comparison result.
A further technical scheme is as follows: evaluating the security protection capability of the database from the comparison result to obtain the evaluation report comprises:
evaluating the database security protection capability at the business, operation and maintenance, and network levels according to the comparison result, so as to obtain the evaluation report.
The invention also provides a database capability verification and evaluation device, which comprises:
a deployment unit for deploying the database security protection capability verification and evaluation tool;
a linkage unit for linking the existing security protection measures with the evaluation tool;
an asset processing unit for detecting database assets and combing them to obtain a combing result;
a risk value calculation unit for calculating the expected response of the security protection measures from the combing result so as to obtain an expected response risk value set;
an attack unit for simulating attacks on the database to obtain a simulation result;
a capturing unit for capturing the real response of the security protection measures from the simulation result so as to obtain a real response data set;
a comparison unit for comparing the deviation between the expected response and the real response, using the expected response risk value set and the real response data set, to obtain a comparison result;
an evaluation unit for evaluating the security protection capability of the database from the comparison result so as to obtain an evaluation report;
and an output unit for outputting the evaluation report.
The invention also provides a computer device comprising a memory and a processor, wherein the memory stores a computer program and the processor implements the above method when executing the computer program.
The present invention also provides a storage medium storing a computer program which, when executed by a processor, implements the above method.
Compared with the prior art, the invention has the following beneficial effects: it uses BAS technology to automatically orchestrate, construct and execute verification-script breach and attack simulations against the database assets in the organization, thereby discovering security protection defects of the database assets at several levels, such as the business, the database system itself, and operation and maintenance. The method achieves continuous, all-round security evaluation of database assets, effectively finds defects in the current security protection measures, supports the security construction of the organization's database system, and improves the security protection level of that system.
The invention is further described below with reference to the drawings and specific embodiments.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of an application scenario of a database capability verification and evaluation method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a database capability verification and evaluation method according to an embodiment of the present invention;
FIG. 3 is a schematic sub-flowchart of a database capability verification and evaluation method according to an embodiment of the present invention;
FIG. 4 is a schematic sub-flowchart of a database capability verification and evaluation method according to an embodiment of the present invention;
FIG. 5 is a schematic sub-flowchart of a database capability verification and evaluation method according to an embodiment of the present invention;
FIG. 6 is a schematic block diagram of a database capability verification evaluation device provided by an embodiment of the present invention;
FIG. 7 is a schematic block diagram of an asset processing unit of a database capability verification evaluation device provided by an embodiment of the present invention;
FIG. 8 is a schematic block diagram of a risk value calculation unit of the database capability verification evaluation device according to the embodiment of the present invention;
FIG. 9 is a schematic block diagram of an attack unit of a database capability verification evaluation device according to an embodiment of the present invention;
fig. 10 is a schematic block diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be understood that the terms "comprises" and "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
Referring to fig. 1 and fig. 2, fig. 1 is a schematic diagram of an application scenario of a database capability verification and evaluation method according to an embodiment of the present invention, and fig. 2 is a schematic flowchart of the method. The database capability verification and evaluation method is applied to a server. The server exchanges data with the terminal, applies BAS technology and means, and establishes different attack links from three angles, namely attack simulation scenarios for the application service, the database itself, and database operation and maintenance, so as to achieve continuous, all-round security evaluation of the database assets in the organization, from point to line and from line to surface. This effectively finds defects in the current security protection measures, supports the security construction of the organization's database system, and continuously improves the security protection level of that system through the method and the system.
BAS technology (Breach and Attack Simulation) provides a technique that can automatically simulate complex network attacks against an organization according to the needs of the organization's security operators, thereby testing the security of the organization's network systems. BAS differs from common penetration testing and vulnerability scanning in that it supports freely combining attack techniques, setting attack scenarios and simulating attack links, and can find security weaknesses that conventional security tests cannot, such as data leakage simulation, phishing attack simulation, malware attack simulation, and even lateral movement simulation from an external network into an internal network.
Fig. 2 is a flowchart of a database capability verification and evaluation method according to an embodiment of the present invention. As shown in fig. 2, the method includes the following steps S110 to S190.
S110, deploying a database security protection capability verification and evaluation tool.
In this embodiment, the database security protection capability verification and evaluation tool is deployed in the organization's internal network in a bypass (out-of-band) manner. It is provided with a playbook script set, i.e. the security protection capability verification scripts, for verifying security protection capability at three levels: the application service, the database itself, and database operation and maintenance. Based on these playbook sets the BAS process for the database system is completed, and the security protection capability of the organization's current database system is evaluated by capturing the responses of the database system itself and of the existing security protection measures to the playbooks. Playbooks are written in languages including, but not limited to, Python, Go, Shell and PowerShell, to evaluate database services installed on Windows/Linux systems, and the written playbooks are issued and executed by SOAR technology. At the application business level, the playbooks of the tool mainly simulate an attacker carrying out attack scenarios such as SQL injection and dirty data against the database system through the business; in the database-itself scenario, the playbooks attack the database system directly, by sending existing vulnerability PoCs to the database system and by simulating an attacker using exploits against the database's open ports and the like; in the database operation and maintenance scenario, the playbooks perform attack simulation based on dangerous SQL and similar means, on the premise of holding valid database identity privileges.
S120, utilizing the assessment tool to link the existing safety protection measures.
In this embodiment, the database security protection capability verification and evaluation tool needs to link the organization's existing security protection means, mainly security devices such as IPS, WAF, firewalls, situational awareness and log audit, and obtains the responses of these security devices when a playbook is executed.
S130, detecting the database assets and combing them to obtain a combing result.
In this embodiment, the combing result is a collection of the connection status and network information of the database assets.
In one embodiment, referring to fig. 3, the step S130 may include steps S131 to S132.
S131, detecting the database assets.
In this embodiment, the database assets include database system information, database network information, database credential information, information on the business applications that use the database, information on the client software that connects to the database, and information on the programming language SDKs that operate the database.
Specifically, the database security protection capability verification and evaluation tool needs to detect and comb the database system assets in the current organization network before performing the evaluation, and the database asset information includes the following:
database system information, including but not limited to the database type, the database version, and the operating system environment in which the database is installed;
database network information, including but not limited to the database IP address and the database service port;
database credential information, including but not limited to database accounts, database passwords, and database access tokens;
information on the business applications that use the database, including but not limited to the application IP address, application port, and application URL;
information on the client software that connects to the database, including but not limited to the client software name and version;
information on the programming language SDKs that operate the database, including but not limited to the Java database SDK and the Python database SDK.
S132, combing the database assets, and recording the connection state and network information of each database asset to form a database connection flag set, so as to obtain the combing result.
In this embodiment, there is an algorithm InitConnect which, for the acquired database asset network information data set N and database asset credential information data set A, determines whether each database asset can be connected normally, and generates a database connection flag set M.
The algorithm InitConnect is implemented as follows. The database asset network information data set N contains the detected network information, such as IP address and port, of each database asset and is represented as $\{N_1, N_2, \ldots, N_n\}$; the database asset credential information data set A contains the combed credential information, such as account and password, of each database asset and is represented as $\{A_1, A_2, \ldots, A_n\}$. Let the network information of a database asset in the current organization network be $N_x$ and its credential information be $A_x$; then compute $\mathrm{InitConnect}(N_x, A_x)$.
If $\mathrm{InitConnect}(N_x, A_x) = 0$, the database asset is abnormal and cannot be connected successfully; it cannot execute the attack simulation playbooks of the operation and maintenance level, and only its connection state and network information are recorded in the database connection flag set M. If $\mathrm{InitConnect}(N_x, A_x) = 1$, the database asset can be connected and accessed successfully, all playbooks in the database security protection capability verification and evaluation tool can be executed against it, and its connection state, network information and credential information are recorded in the database connection flag set M.
S140, calculating the expected response of the security protection measures from the combing result so as to obtain an expected response risk value set.
In this embodiment, the expected response risk value set refers to the expected response risk values of the database assets at the application business, database and database operation and maintenance levels.
Specifically, there is an algorithm ExCal which, for the database connection flag set M, the set S of currently existing security protection devices and policies, and the security protection capability verification playbook set P, calculates a risk value for each database asset under the current security protection measures and generates an expected response risk value set E.
In one embodiment, referring to fig. 4, the step S140 may include steps S141 to S143.
S141, judging whether the combing result is within the protection range of the security protection devices and policies by detecting the connectivity between the combing result and the existing set of security protection devices and policies, so as to obtain the connection links between the combing result and that set.
S142, extracting the attack payloads from the security protection capability verification scripts to obtain an extraction result.
In this embodiment, the extraction result refers to the attack payloads in the security protection capability verification scripts.
S143, calculating, from the extraction result and the connection links between the combing result and the existing set of security protection devices and policies, the expected response risk values of the database assets at the application business, database and database operation and maintenance levels, so as to obtain the expected response risk value set.
Specifically, the algorithm ExCal is implemented as follows. The database connection flag set M contains the database asset information and status flags that have passed connection verification and is represented as $\{M_1, M_2, \ldots, M_n\}$; the set S of currently existing security protection devices and policies contains the deployment state and policy information of each security device in the organization and is represented as $\{S_1, S_2, \ldots, S_n\}$; the security protection capability verification playbook set P contains all playbook scripts that complete the BAS attack simulation flow and is represented as $\{P_1, P_2, \ldots, P_n\}$. Let the database connection flag in the current organization network be $M_x$, the existing security protection device and policy be $S_x$, and the security protection capability verification playbook be $P_x$; then compute $\mathrm{ExCal}\{(M_x, S_x), P_x\}$.
In $\mathrm{ExCal}\{(M_x, S_x), P_x\}$, the connectivity between $M_x$ and $S_x$ is detected first, to decide whether the database connection $M_x$ lies within the protection scope of the security protection device and policy $S_x$:
if $(M_x, S_x) = 0$, then $S_x$ provides no effective protection for $M_x$;
if $(M_x, S_x) = 1$, then $S_x$ can effectively protect $M_x$. After the connection link between $M_x$ and $S_x$ is obtained, the main attack payload in the security protection capability verification script $P_x$ is extracted, the extracted payload is fed into the algorithm through that link, the expected response risk values of the database asset at the application service, database and database operation and maintenance levels are calculated, and the values are stored in the expected response risk value set E.
S150, simulating attack on the database to obtain a simulation result.
In this embodiment, the simulation result refers to the simulated attack flag set generated by performing a simulated attack on each database asset in the organization through the security protection capability verification scripts.
Specifically, there is an algorithm AckOd which, for the database connection flag set M, the security protection capability verification playbook set P and the simulated attack time interval set T, calculates an attack sequence for each database asset and generates a simulated attack sequence priority set O; and there is an algorithm AckDb which, for the simulated attack sequence priority set O and the security protection capability verification playbook set P, performs a simulated attack on each database asset in the organization in turn through the playbooks and generates a simulated attack flag set V.
In one embodiment, referring to fig. 5, the step S150 may include steps S151 to S152.
S151, according to the database connection flag set, the security protection capability verification scripts and the simulated attack time interval set, calculating an attack sequence for each database asset to generate a simulated attack sequence priority set.
Specifically, the algorithm AckOd is implemented as follows. The database connection flag set M contains the database asset information and status flags that have passed connection verification and is represented as $\{M_1, M_2, \ldots, M_n\}$; the security protection capability verification playbook set P contains all playbook scripts that complete the BAS attack simulation flow and is represented as $\{P_1, P_2, \ldots, P_n\}$; the attack time interval set T contains the attack time intervals under different network states and is represented as $\{T_1, T_2, \ldots, T_n\}$. Let the database connection flag in the current organization network be $M_x$, the security protection capability verification playbook be $P_x$, and the attack time interval be $T_x$; then compute $\mathrm{AckOd}\{(M_x, P_x), T_x\}$.
In $\mathrm{AckOd}\{(M_x, P_x), T_x\}$, the attack time interval $T_x$ is positively correlated with the connection timeout recorded in the database connection flag $M_x$: the shorter the connection timeout, the shorter the attack time interval $T_x$, and the higher the priority $O_x$ in the attack sequence set. That is, when $M_x[\text{"timeout"}] < M_{x+1}[\text{"timeout"}]$, then $T_x < T_{x+1}$, and therefore $O_x > O_{x+1}$.
And S152, aiming at the simulation attack sequence priority set and the security protection capability verification script, sequentially performing simulation attack on each database asset in the organization through the security protection capability verification script, and generating a simulation attack mark set to obtain a simulation result.
In this embodiment, the algorithm actdb is specifically implemented as follows, and is directed to the simulation attack sequence priority set O, where a database asset sequence to be subjected to simulation attack is included, and is expressed as { O } 1 ,O 2 ,......O n -a }; the playbook script set P is verified for the security protection capability, wherein all playbook scripts completing the BAS attack simulation flow are contained and are expressed as { P } 1 ,P 2 ,......P n }. Setting the priority of the simulation attack sequence in the current organization network as O x The safety protection capability verifies that the playbook script is P x I.e. calculate AckDb (O) x ,P x )。
If AckDb(O_x, P_x) = 0, i.e. the database attack sequence executed abnormally and the simulated attack was not completed, V_x records a failure flag bit; if AckDb(O_x, P_x) = 1, i.e. the database attack sequence executed normally and the simulated attack was completed, V_x records a success flag bit. Together these flags form the simulation result.
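The following Python block is an added illustration of the AckOd ordering and the AckDb flag-set construction described above; it is not code from the patent or from the dbBAST tool. It assumes a simple dict shape for a connection flag M_x (asset name, connection flag bit, measured connection timeout in ms, or None when the connection attempt timed out), takes the playbook set P as (script, level) pairs, and receives the actual playbook execution as an injected callable, so the block itself never touches a database. The sample inputs are the M_x and P_x values of the worked example given later in the description.

```python
"""Added example (not the patent's own code): the AckOd ordering and the
AckDb flag-set construction, modelled in Python.

Assumed data shapes (not specified by the patent):
  - a connection flag M_x is a dict with keys name, connected (0/1) and
    timeout_ms (float, or None when the connection attempt timed out);
  - the playbook set P is a list of (script, level) pairs, where level is
    "business", "operation" or "network";
  - the actual playbook execution is an injected callable; a constructed
    stand-in is used for the demo, so nothing here talks to a database.
"""
from typing import Callable, Dict, List, Tuple

ConnFlag = Dict[str, object]
Playbook = Tuple[str, str]  # (script file name, attack level)

# Constructed playbook set P, mirroring the three script libraries of the worked example.
PLAYBOOKS: List[Playbook] = [
    ("boPlay.yml", "business"),
    ("mtPlay.yml", "operation"),
    ("netPlay.yml", "network"),
]

# Constructed connection flag set M_x from the worked example:
# (asset, connection flag bit, measured connection timeout).
CONNECTION_FLAGS: List[ConnFlag] = [
    {"name": "mysqlServer1", "connected": 1, "timeout_ms": 3.0},
    {"name": "oracleServer1", "connected": 0, "timeout_ms": None},  # timed out
    {"name": "mssqlServer1", "connected": 1, "timeout_ms": 1.0},
]


def attack_interval(flag: ConnFlag) -> float:
    """T_x: positively correlated with the connection timeout in M_x.
    A timed-out connection has no finite timeout, so it sorts last."""
    t = flag["timeout_ms"]
    return float("inf") if t is None else float(t)


def ack_od(flags: List[ConnFlag]) -> List[str]:
    """AckOd: order the assets so that a shorter T_x gives a higher priority
    O_x (stable sort, so equal timeouts keep their discovery order)."""
    ordered = sorted(flags, key=attack_interval)
    return [str(f["name"]) for f in ordered]


def runnable(flag: ConnFlag, level: str) -> bool:
    """Operation-and-maintenance playbooks need an authenticated database
    session; an asset whose connection flag bit is 0 cannot run them."""
    return level != "operation" or flag["connected"] == 1


def ack_db(
    flags: List[ConnFlag],
    playbooks: List[Playbook],
    execute: Callable[[str, str], bool],
) -> List[tuple]:
    """AckDb: walk the assets in O_x order and run every playbook through the
    injected executor. V_x records a 1 (completed) or 0 (abnormal) bit per
    playbook, so each entry is (asset, bit_1, ..., bit_n)."""
    by_name = {str(f["name"]): f for f in flags}
    marks: List[tuple] = []
    for name in ack_od(flags):
        flag = by_name[name]
        bits = []
        for script, level in playbooks:
            # A playbook that cannot run is recorded as abnormal (0) without
            # ever being handed to the executor.
            ok = runnable(flag, level) and execute(name, script)
            bits.append(1 if ok else 0)
        marks.append((name, *bits))
    return marks


def demo_executor(asset: str, script: str) -> bool:
    """Constructed stand-in for real playbook execution: every playbook that
    is allowed to run completes normally in this demo."""
    return True


if __name__ == "__main__":
    print(ack_od(CONNECTION_FLAGS))
    for entry in ack_db(CONNECTION_FLAGS, PLAYBOOKS, demo_executor):
        print(entry)
```

With the sample inputs the priority order comes out as mssqlServer1, mysqlServer1, oracleServer1, and the flag set V_x records 0 for the operation-level playbook of oracleServer1 only, which is the outcome the worked example reports.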
S160, capturing the real response of the safety protection measures according to the simulation result so as to obtain a real response data set.
In this embodiment, the real response data set refers to a combination of a set of database system self response data and a plurality of sets of security device response data, wherein the response data quantity is positively correlated with the number of database-security device links.
Specifically, there is an algorithm GetRE which, for the simulated attack flag set V, the existing security protection device and policy set S, and the database connection flag set M, captures the corresponding responses on the database and the security devices after the playbook simulated attack scenario has been executed, and generates the real response set R;
The algorithm GetRE is implemented as follows. For the simulated attack flag set V, which contains all executed simulated attack flags and is denoted {V_1, V_2, ..., V_n}; for the database connection flag set M, which contains the database asset information and status flags that have undergone connection verification and is denoted {M_1, M_2, ..., M_n}; and for the currently existing security protection device and policy set S, which contains the deployment state of each security device in the organization and its policy information and is denoted {S_1, S_2, ..., S_n}. Let the simulated attack flag in the current organization network be V_x, the database connection flag be M_x, and the existing security protection device and policy be S_x; that is, calculate GetRE{(V_x, M_x), (V_x, S_x)}.
In the algorithm GetRE{(V_x, M_x), (V_x, S_x)}, the real response result R_x obtained after execution comprises one group of database system self-response data and several groups of security device response data, where the amount of response data is positively correlated with the number of database-security device links.
S170, comparing the expected response with the actual response deviation according to the expected response risk value set and the actual response data set to obtain a comparison result.
In this embodiment, the comparison result refers to the deviation of the expected response from the actual response.
Specifically, determining whether an intersection exists between the expected response risk value set and the real response data set to obtain a comparison result.
In this embodiment, there is an algorithm CopVR, which compares the difference between the expected response and the actual response with respect to the expected response risk value set E and the actual response set R, and generates a comparison result set C;
The algorithm CopVR is implemented as follows. For the expected response risk value set E, which contains all expected response data after playbook execution and is denoted {E_1, E_2, ..., E_n}; and for the real response set R, which contains all real response data after playbook execution and is denoted {R_1, R_2, ..., R_n}. Let the expected response risk value in the current organization network be E_x and the real response data be R_x; that is, calculate CopVR(E_x, R_x).
If CopVR(E_x, R_x) = 0, i.e. the expected response risk value has no intersection with the real response data, the comparison result C_x indicates that the expected response is completely inconsistent with the real response; if 0 < CopVR(E_x, R_x) < 1, the expected response risk value and the real response data have an intersection, and the comparison result C_x indicates that the expected response partially coincides with the real response; if CopVR(E_x, R_x) = 1, i.e. the intersection of the expected response risk value and the real response data is exactly equal to the sets themselves, the comparison result C_x indicates that the expected response is exactly consistent with the real response.
And S180, evaluating the safety protection capacity of the database according to the comparison result to obtain an evaluation report.
In this embodiment, the evaluation report refers to a report formed by evaluating the security protection capability of the database from the service, operation and maintenance and network levels.
Specifically, the database security protection capability is evaluated from the service, operation and maintenance and network layers according to the comparison result, so as to obtain an evaluation report.
Specifically, from the comparison result set C generated by the algorithm CopVR, the database security protection capability inside the organization can be analysed as follows:
C = C_{database system itself} + C_{security device};
C_{database system itself} = C_{database-service} + C_{database-database} + C_{database-operation and maintenance};
C_{security device} = C_{security device-service} + C_{security device-database} + C_{security device-operation and maintenance}.
If C_{database-service} is smaller than 1, the database system itself does not have, or has imperfect, security protection capability against database attacks from the business level;
if C_{database-database} is smaller than 1, the database system itself does not have, or has imperfect, security protection capability against vulnerabilities of the database system itself;
if C_{database-operation and maintenance} is smaller than 1, the database system itself does not have, or has imperfect, security protection capability against database attacks from the operation and maintenance level;
if C_{security device-service} is smaller than 1, the security devices do not have, or have imperfect, security protection capability against database attacks from the business level;
if C_{security device-database} is smaller than 1, the security devices do not have, or have imperfect, security protection capability against vulnerabilities of the database system itself;
if C_{security device-operation and maintenance} is smaller than 1, the security devices do not have, or have imperfect, security protection capability against database attacks from the operation and maintenance level.
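The following Python block is an added illustration of the CopVR comparison (step S170) and of the per-layer reading of the comparison result set C just described (step S180); it is not code from the patent or from the dbBAST tool. It assumes that each expected vector E_x and real vector R_x is a tuple of response values (0 = no action, 0.5 = audited, 1 = defended) and that a parallel list of (responder, layer) labels says which responder and which attack level each position belongs to; the sample values are the E_x and R_x vectors of the worked example given later in the description.

```python
"""Added example (not the patent's own code): the CopVR comparison and the
per-layer evaluation of the comparison result set C.

Assumed data shape (not fixed by the patent): E_x and R_x are tuples of
response values, and a parallel list of (responder, layer) labels gives the
meaning of each position. Sample values are taken from the worked example.
"""
from typing import Dict, List, Tuple

Label = Tuple[str, str]  # (responder, attack layer)

LAYERS = ("business", "operation", "network")


def labels_for(responders: List[str], layers=LAYERS) -> List[Label]:
    """Label list in the order the worked example uses: the database itself
    first, then each security device, each over the given attack layers."""
    return [(r, layer) for r in responders for layer in layers]


# Constructed inputs taken from the worked example (E_x and R_x).
EXPECTED = {
    "mssqlServer1": (0, 1, 0, 1, 1, 1, 0.5, 0.5, 0.5),
    "oracleServer1": (0, 0, 1, 1, 0.5, 0.5),
    "mysqlServer1": (0, 1, 0, 1, 1, 1, 0.5, 0.5, 0.5),
}
REAL = {
    "mssqlServer1": (0, 1, 0, 1, 0, 0, 0.5, 0, 0.5),
    "oracleServer1": (0, 0, 1, 1, 0.5, 0.5),
    "mysqlServer1": (0, 0, 0, 0.5, 1, 1, 0.5, 0, 0.5),
}
RESPONDERS = ["itself", "dbFirewall1", "nssa1"]
LABELS = {
    "mssqlServer1": labels_for(RESPONDERS),
    # oracleServer1 could not run the operation-level playbook, so its
    # vectors have no operation-layer positions.
    "oracleServer1": labels_for(RESPONDERS, ("business", "network")),
    "mysqlServer1": labels_for(RESPONDERS),
}


def cop_vr(expected, real) -> Tuple[float, Tuple[int, ...]]:
    """CopVR: position-wise comparison. Returns the share of positions where
    the real response equals the expected one (0 = completely inconsistent,
    1 = exactly consistent, in between = partially consistent) together with
    the per-position comparison vector C_x."""
    if len(expected) != len(real):
        raise ValueError("expected and real response vectors differ in length")
    c = tuple(1 if e == r else 0 for e, r in zip(expected, real))
    return (sum(c) / len(c) if c else 0.0), c


def evaluate(c: Tuple[int, ...], labels: List[Label]) -> Dict[Label, int]:
    """Split C_x into the C_{database-layer} and C_{security device-layer}
    terms of the evaluation formula, keyed by (responder, layer)."""
    return {label: value for label, value in zip(labels, c)}


def deficiencies(c: Tuple[int, ...], labels: List[Label]) -> List[Label]:
    """Responder/layer pairs whose comparison value is smaller than 1, i.e.
    where protection at that layer is missing or imperfect."""
    return [label for label, value in evaluate(c, labels).items() if value < 1]


def assess(name: str) -> Tuple[float, List[Label]]:
    """Overall consistency score and the list of protection gaps for one asset."""
    score, c = cop_vr(EXPECTED[name], REAL[name])
    return score, deficiencies(c, LABELS[name])


if __name__ == "__main__":
    for db in EXPECTED:
        score, gaps = assess(db)
        print(f"{db}: consistency {score:.2f}, gaps {gaps}")
```

Run on the sample vectors, the block reproduces the worked example's findings: oracleServer1 is fully consistent with expectation, mssqlServer1 shows gaps for dbFirewall1 at the operation and maintenance and network layers and for nssa1 at the operation and maintenance layer, and mysqlServer1 shows gaps for the database itself at the operation and maintenance layer, for dbFirewall1 at the business layer and for nssa1 at the operation and maintenance layer.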
And S190, outputting the evaluation report.
In this embodiment, after all playbooks have finished executing and the result analysis is complete, the BAS process ends; the database security protection capability verification evaluation report for the organization is output according to the analysis result, and the report is issued and notified to the user.
For example: the organization network has three database systems, mysqlServer1, oracleServer1 and mssqlServer1, and two security devices, the database firewall dbFirewall1 and the situation awareness system nssa1. Both dbFirewall1 and nssa1 are connected to the organization network in bypass deployment mode, and all three database systems are within the protection range of both security devices.
Under the condition that the database systems, the security devices and the network operate normally, the databases respond to requests from the business, operation and maintenance, port and other aspects; both dbFirewall1 and nssa1 audit these requests and responses, and dbFirewall1 is configured with a security policy to defend against attacks on the databases.
The database security protection capability verification and evaluation tool dbBASITE is deployed in the organization network in bypass deployment mode; dbBASITE can be deployed as a single appliance or installed as software on an independent Linux server. In this example, dbBASITE is installed on a server running Ubuntu 18.04, and the main program and scenario library of dbBASITE are deployed under the /root/dbbas directory. The scenario library uses the yaml file format and consists of the business-level script library boPlay.yml, the operation and maintenance script library mtPlay.yml and the network script library netPlay.yml; the dbBAST main program calls the underlying Python PoC scripts through the script library index to perform attack simulation.
Through its main program, dbBAST links dbFirewall1 and nssa1: after the corresponding API key authentication, it captures audit records, the executed security policies, responses and other data on dbFirewall1 and nssa1 in real time via the API interfaces opened by dbFirewall1 and nssa1, and analyses and cleans the corresponding data.
The database system information in the organization is probed: the dbBAST main program probes the database service IP, port, version information and so on in the network through network scanning tools such as nmap and masscan. In this example, three sets of database system information are obtained after network probing: N_1 {mysqlServer1:[mysql,192.168.10.33,3306,v5.7]}, N_2 {oracleServer1:[oracle,192.168.10.47,1521,v11]} and N_3 {mssqlServer1:[sql server,192.168.23.4,1433,v2012]}. The corresponding credential information of the three database systems is obtained through password scanning and manual entry: A_1 {mysqlServer1:[root,toor]}, A_2 {oracleServer1:[system,oracle]} and A_3 {mssqlServer1:[sa,1]}. After the database system information has been probed, the algorithm InitConnect is used for analysis: the database asset network information data set N_x is {{mysqlServer1:[mysql,192.168.10.33,3306,v5.7]},{oracleServer1:[oracle,192.168.10.47,1521,v11]},{mssqlServer1:[sql server,192.168.23.4,1433,v2012]}}, the database asset credential information data set A_x is {{mysqlServer1:[root,toor]},{oracleServer1:[system,oracle]},{mssqlServer1:[sa,1]}}, and InitConnect(N_x, A_x) = ({{mysqlServer1:[mysql,192.168.10.33,3306,v5.7]},{oracleServer1:[oracle,192.168.10.47,1521,v11]},{mssqlServer1:[sql server,192.168.23.4,1433,v2012]}},{{mysqlServer1:[root,toor]},{oracleServer1:[system,oracle]},{mssqlServer1:[sa,1]}}) is calculated. If InitConnect(N_x, A_x) = 0, the database asset is abnormal and cannot be connected successfully, and the asset cannot execute the relevant attack simulation playbooks at the operation and maintenance level; if InitConnect(N_x, A_x) = 1, the database asset can be connected and accessed successfully, and all playbooks in the database security capability verification evaluation tool can be executed.
The database connection flag set generated at this point is M_x = {M_1, M_2, M_3} = {(N_1,A_1,1,3ms),(N_2,A_2,0,timeout),(N_3,A_3,1,1ms)}.
In the present example, M_x = {(N_1,A_1,1,3ms),(N_2,A_2,0,timeout),(N_3,A_3,1,1ms)}, which means that the two database systems mysqlServer1 and mssqlServer1 can be accessed normally over the network with their credentials, while the network or credentials of the oracleServer1 database system are abnormal; S_x = {dbFirewall1, nssa1}, and P_x = {boPlay.yml, mtPlay.yml, netPlay.yml}. Analysis is performed with the algorithm ExCal, i.e. ExCal{(M_x, S_x), P_x} = {{{(N_1,A_1,1,3ms),(N_2,A_2,0,timeout),(N_3,A_3,1,1ms)},{dbFirewall1,nssa1}},{boPlay.yml,mtPlay.yml,netPlay.yml}} is calculated. In the present example, every M_x is within the protection range of S_x, so every (M_x, S_x) is 1; all playbooks can be executed against mysqlServer1 and mssqlServer1, whose connection flag bit is 1, whereas oracleServer1 cannot execute the operation and maintenance level playbook because its connection flag bit is 0. The set of expected response risk values generated at this point is E_x = {E_1, E_2, E_3} = {{1,(boPlay.yml,mtPlay.yml,netPlay.yml)},{1,(boPlay.yml,mtPlay.yml,netPlay.yml)},{1,(boPlay.yml,netPlay.yml)}}.
In the present example, M_x["timeout time"] = {3ms, timeout, 1ms}; since T_x is positively correlated with M_x, T_x = {{x(3ms), x(timeout), x(1ms)}, x > 1}; P_x = {boPlay.yml, mtPlay.yml, netPlay.yml}. Analysis is performed with the algorithm AckOd, i.e. AckOd{(M_x, P_x), T_x} = {({(N_1,A_1,1,3ms),(N_2,A_2,0,timeout),(N_3,A_3,1,1ms)},{boPlay.yml,mtPlay.yml,netPlay.yml}),{{x(3ms),x(timeout),x(1ms)},x>1}} is calculated. In this example, the connection timeout of the mysqlServer1 database is 3ms, the connection timeout of the oracleServer1 database is recorded as timeout (it exceeds the maximum value) because of the abnormal connection, and the connection timeout of the mssqlServer1 database is 1ms, so when the BAS simulated attack flow is performed the priority order should be mssqlServer1 > mysqlServer1 > oracleServer1. The simulated attack sequence priority set generated at this point is O_x = {O_1, O_2, O_3} = {O(mssqlServer1), O(mysqlServer1), O(oracleServer1)}.
In this example, after the BAS simulated attack sequence priority set O_x has been obtained, a simulated attack is carried out against each database asset in turn according to the security protection capability verification playbook script set P_x, and the simulated attack flag set of each database is calculated. With the BAS simulated attack sequence priority set O_x = {O(mssqlServer1), O(mysqlServer1), O(oracleServer1)} and P_x = {boPlay.yml, mtPlay.yml, netPlay.yml}, analysis is performed with the algorithm AckDb, i.e. AckDb(O_x, P_x) = {{O(mssqlServer1), O(mysqlServer1), O(oracleServer1)}, {boPlay.yml, mtPlay.yml, netPlay.yml}}. If AckDb(O_x, P_x) = 0, the execution of the database attack sequence was abnormal and the simulated attack was not completed; if AckDb(O_x, P_x) = 1, the database attack sequence executed normally and the simulated attack was completed. In this example, the mtPlay.yml attack against oracleServer1 fails because of the abnormal connection, so the generated simulated attack flag set is V_x = {V_1, V_2, V_3} = {{mssqlServer1,1,1,1},{mysqlServer1,1,1,1},{oracleServer1,1,0,1}}.
Analysis is performed with the algorithm GetRE, i.e. GetRE{(V_x, M_x), (V_x, S_x)} = {({{mssqlServer1,1,1,1},{mysqlServer1,1,1,1},{oracleServer1,1,0,1}},{(N_1,A_1,1,3ms),(N_2,A_2,0,timeout),(N_3,A_3,1,1ms)}),({{mssqlServer1,1,1,1},{mysqlServer1,1,1,1},{oracleServer1,1,0,1}},{dbFirewall1,nssa1})} is calculated. In this embodiment, for the mssqlServer1 database system the following are obtained: the response Rms1 of the database itself to the business level playbook simulated attack, the response Rms2 of the database itself to the operation and maintenance level playbook simulated attack, the response Rms3 of the database itself to the network level playbook simulated attack, the response Rms4 of dbFirewall1 to the business level playbook simulated attack, the response Rms5 of dbFirewall1 to the operation and maintenance level playbook simulated attack, the response Rms6 of dbFirewall1 to the network level playbook simulated attack, the response Rms7 of nssa1 to the business level playbook simulated attack, the response Rms8 of nssa1 to the operation and maintenance level playbook simulated attack, and the response Rms9 of nssa1 to the network level playbook simulated attack. For the oracleServer1 database system the following are obtained: the response Rorc1 of the database itself to the business level playbook simulated attack, the response Rorc2 of the database itself to the network level playbook simulated attack, the response Rorc3 of dbFirewall1 to the business level playbook simulated attack, the response Rorc4 of dbFirewall1 to the network level playbook simulated attack, the response Rorc5 of nssa1 to the business level playbook simulated attack, and the response Rorc6 of nssa1 to the network level playbook simulated attack. For the mysqlServer1 database system the following are obtained: the response Rmy1 of the database itself to the business level playbook simulated attack, the response Rmy2 of the database itself to the operation and maintenance level playbook simulated attack, the response Rmy3 of the database itself to the network level playbook simulated attack, the response Rmy4 of dbFirewall1 to the business level playbook simulated attack, the response Rmy5 of dbFirewall1 to the operation and maintenance level playbook simulated attack, the response Rmy6 of dbFirewall1 to the network level playbook simulated attack, the response Rmy7 of nssa1 to the business level playbook simulated attack, the response Rmy8 of nssa1 to the operation and maintenance level playbook simulated attack, and the response Rmy9 of nssa1 to the network level playbook simulated attack. The real response set thus generated is R_x = {R_1, R_2, R_3} = {(R_ms1, R_ms2, R_ms3, R_ms4, R_ms5, R_ms6, R_ms7, R_ms8, R_ms9), (R_orc1, R_orc2, R_orc3, R_orc4, R_orc5, R_orc6), (R_my1, R_my2, R_my3, R_my4, R_my5, R_my6, R_my7, R_my8, R_my9)}.
In this example, ex= { {1, (boplay.yml, mtplayyml, netplayyml) }, {1, (boplay.yml, netplayyml) } = { (0,1,0,1,1,1,0.5,0.5,0.5), (0,0,1,1,0.5,0.5), (0,1,0,1,1,1,0.5,0.5,0.5) }, in the expected result of calculation, mssqlServer1 and mysqlServer1 each achieve the defensive ability against the operation and maintenance level database attack by self-configuration (corresponding flag value is 1), but none of the three database systems themselves has the defensive ability from the business and network level database attacks (corresponding flag value is 1)0) dbFirewall1 has the capability of defending the attack from the database at the business, operation and maintenance and network level (corresponding mark value is 1), and nssa1 has the capability of auditing the attack from the database at the business, operation and maintenance and network level (corresponding mark value is 0.5) for the three databases; r is R x = {R 1 ,R 2 ,R 3 } = {(R ms1 ,R ms2 ,R ms3 ,R ms4 ,R ms5 ,R ms6 ,R ms7 ,R ms8 ,R ms9 ),(R orc1 ,R orc2 ,R orc3 ,R orc4 ,R orc5 ,R orc6 ),(R my1 ,R my2 ,R my3 ,R my4 ,R my5 ,R my6 ,R my7 ,R my8 ,R my9 ) = { (0,0,0,0.5,1,1,0.5,0,0.5), (0,0,1,1,0.5,0.5), (0,1,0,1,0,0,0.5,0,0.5) }. I.e. calculate CopVR (E x ,R x ) ={C 1 ,C 2 ,C 3 } = {{(0,1,0,1,1,1,0.5,0.5,0.5),(0,0,1,1,0.5,0.5),(0,1,0,1,1,1,0.5,0.5,0.5)},{(0,1,0,1,0,0,0.5,0,0.5),(0,0,1,1,0.5,0.5),(0,0,0,0.5,1,1,0.5,0,0.5)}} = {(1,1,1,1,0,0,1,0,1),(1,1,1,1,1,1),(1,0,1,0,1,1,1,0,1)}。
In this example, analysis of the comparison result set C_x gives the following:
For the mssqlServer1 database,
C_{mssqlServer1-business-itself} = 1, the real response is consistent with the expected result;
C_{mssqlServer1-operation and maintenance-itself} = 1, the real response is consistent with the expected result;
C_{mssqlServer1-network-itself} = 1, the real response is consistent with the expected result;
C_{mssqlServer1-business-dbFirewall1} = 1, the real response is consistent with the expected result;
C_{mssqlServer1-operation and maintenance-dbFirewall1} = 0, the real response is inconsistent with the expected result;
C_{mssqlServer1-network-dbFirewall1} = 0, the real response is inconsistent with the expected result;
C_{mssqlServer1-business-nssa1} = 1, the real response is consistent with the expected result;
C_{mssqlServer1-operation and maintenance-nssa1} = 0, the real response is inconsistent with the expected result;
C_{mssqlServer1-network-nssa1} = 1, the real response is consistent with the expected result;
From these results, the protection capability evaluation result of the mssqlServer1 database in the organization is obtained by analysis as follows: the security device dbFirewall1 has defects in defending against operation and maintenance and network level attacks on the mssqlServer1 database, and the security device nssa1 cannot audit attack records from the operation and maintenance level.
For the oracleServer1 database,
C_{oracleServer1-business-itself} = 1, the real response is consistent with the expected result;
C_{oracleServer1-network-itself} = 1, the real response is consistent with the expected result;
C_{oracleServer1-business-dbFirewall1} = 1, the real response is consistent with the expected result;
C_{oracleServer1-network-dbFirewall1} = 1, the real response is consistent with the expected result;
C_{oracleServer1-business-nssa1} = 1, the real response is consistent with the expected result;
C_{oracleServer1-network-nssa1} = 1, the real response is consistent with the expected result;
From these results, the protection capability evaluation result of the oracleServer1 database in the organization is obtained by analysis as follows: the security protection capability of the oracleServer1 database in the organization is consistent with expectations.
For the mysqlServer1 database,
C_{mysqlServer1-business-itself} = 1, the real response is consistent with the expected result;
C_{mysqlServer1-operation and maintenance-itself} = 0, the real response is inconsistent with the expected result;
C_{mysqlServer1-network-itself} = 1, the real response is consistent with the expected result;
C_{mysqlServer1-business-dbFirewall1} = 0, the real response is inconsistent with the expected result;
C_{mysqlServer1-operation and maintenance-dbFirewall1} = 1, the real response is consistent with the expected result;
C_{mysqlServer1-network-dbFirewall1} = 1, the real response is consistent with the expected result;
C_{mysqlServer1-business-nssa1} = 1, the real response is consistent with the expected result;
C_{mysqlServer1-operation and maintenance-nssa1} = 0, the real response is inconsistent with the expected result;
C_{mysqlServer1-network-nssa1} = 1, the real response is consistent with the expected result;
From these results, the protection capability evaluation result of the mysqlServer1 database in the organization is obtained by analysis as follows: because of its configuration defects, the mysqlServer1 database cannot defend against attacks from the operation and maintenance level as expected; the security device dbFirewall1 cannot defend against business level attacks on the mysqlServer1 database; and the security device nssa1 cannot audit attack records from the operation and maintenance level.
The database security protection capability verification and evaluation result obtained by analysis for the organization is output as a report, which can be customized into formats such as xlsx, docx, pdf, csv and html.
In this method, the flow and operations of a hacker invading a database in a real scenario are simulated, the operation responses and security protection actions are captured, it is judged whether each attack operation received an effective protection action, and the key nodes are reported.
In the database capability verification and evaluation method described above, BAS technology is used to automatically orchestrate, build an automated link, and simulate automatically executed verification scenario intrusions and attacks against the database assets in an organization, so as to find security protection defects of the database assets at multiple levels such as business, the system itself, and operation and maintenance. The method can achieve continuous and all-round security evaluation of database assets, effectively reveal the defects of the current security protection measures, provide support for the security construction of the organization's database systems, and raise their security protection level.
Fig. 6 is a schematic block diagram of a database capability verification evaluation apparatus 300 according to an embodiment of the present invention. As shown in fig. 6, the present invention also provides a database capability verification evaluation apparatus 300 corresponding to the above database capability verification evaluation method. The database capability verification evaluation apparatus 300 includes a unit for performing the above database capability verification evaluation method, and may be configured in a server. Specifically, referring to fig. 6, the database capability verification and evaluation device 300 includes a deployment unit 301, a linkage unit 302, an asset processing unit 303, a risk value calculation unit 304, an attack unit 305, a capturing unit 306, an alignment unit 307, an evaluation unit 308, and an output unit 309.
A deployment unit 301, configured to deploy a database security protection capability verification and assessment tool; a linkage unit 302 for linking existing safety measures with the evaluation tool; an asset processing unit 303, configured to probe a database asset and comb the database asset to obtain a comb result; a risk value calculating unit 304, configured to calculate an expected response of the security protection measure according to the carding result, so as to obtain an expected response risk value set; an attack unit 305, configured to simulate an attack on the database to obtain a simulation result; a capturing unit 306, configured to capture a real response of the safety protection measure according to the simulation result, so as to obtain a real response data set; a comparison unit 307, configured to compare the expected response with the actual response deviation according to the expected response risk value set and the actual response data set, so as to obtain a comparison result; the evaluation unit 308 is configured to perform an evaluation of the database security protection capability according to the comparison result, so as to obtain an evaluation report; and an output unit 309 for outputting the evaluation report.
In one embodiment, as shown in fig. 7, the asset processing unit 303 includes a probe subunit 3031 and a comb subunit 3032.
A probing subunit 3031 for probing database assets; and the carding subunit 3032 is configured to comb the database asset, record the connection state and the network information of the database asset, and form a database connection flag set to obtain a combing result.
In one embodiment, as shown in fig. 8, the risk value calculating unit 304 includes a detecting subunit 3041, an extracting subunit 3042, and an expected calculating subunit 3043.
The detection subunit 3041 is configured to determine whether the carding result is within a protection range of the security protection device and the policy by detecting connectivity between the carding result and the existing security protection device and the policy set, so as to obtain a communication link between the carding result and the existing security protection device and the policy set; an extraction subunit 3042, configured to extract an attack load in the security protection capability verification scenario, so as to obtain an extraction result; and the expected calculation subunit 3043 is configured to calculate an expected response risk value set of the database asset in the application service, the database itself, and the database operation and maintenance by using the extracted result and the carded result and the communication link of the existing security protection device and the policy set, so as to obtain the expected response risk value set.
In one embodiment, as shown in fig. 9, the attack unit 305 includes a priority calculating subunit 3051 and an analog subunit 3052.
The priority calculating subunit 3051 is configured to calculate an attack sequence for each database asset according to the database connection flag set and the security protection capability verification scenario, and the simulated attack time interval set, so as to generate a simulated attack sequence priority set; the simulation subunit 3052 is configured to perform simulation attack on each database asset in the organization in turn according to the simulation attack sequence priority set and the security protection capability verification scenario, and generate a simulation attack flag set to obtain a simulation result.
In an embodiment, the comparing unit 307 is configured to determine whether an intersection exists between the expected response risk value set and the real response data set, so as to obtain a comparison result.
In an embodiment, the evaluation unit 308 is configured to evaluate the security protection capability of the database from the service, the operation and maintenance, and the network layer according to the comparison result, so as to obtain an evaluation report.
It should be noted that, as will be clearly understood by those skilled in the art, the specific implementation process of the database capability verification and evaluation device 300 and each unit may refer to the corresponding description in the foregoing method embodiment, and for convenience and brevity of description, the description is omitted here.
The database capability verification evaluation apparatus 300 described above may be implemented in the form of a computer program that can be run on a computer device as shown in fig. 10.
Referring to fig. 10, fig. 10 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device 500 may be a server, where the server may be a stand-alone server or may be a server cluster formed by a plurality of servers.
With reference to FIG. 10, the computer device 500 includes a processor 502, memory, and a network interface 505 connected by a system bus 501, where the memory may include a non-volatile storage medium 503 and an internal memory 504.
The non-volatile storage medium 503 may store an operating system 5031 and a computer program 5032. The computer program 5032 includes program instructions that, when executed, cause the processor 502 to perform a database capability verification evaluation method.
The processor 502 is used to provide computing and control capabilities to support the operation of the overall computer device 500.
The internal memory 504 provides an environment for the execution of a computer program 5032 in the non-volatile storage medium 503, which computer program 5032, when executed by the processor 502, causes the processor 502 to perform a database capability verification evaluation method.
The network interface 505 is used for network communication with other devices. It will be appreciated by those skilled in the art that the structure shown in FIG. 10 is merely a block diagram of some of the structures associated with the present inventive arrangements and does not constitute a limitation of the computer device 500 to which the present inventive arrangements may be applied, and that a particular computer device 500 may include more or fewer components than shown, or may combine certain components, or may have a different arrangement of components.
Wherein the processor 502 is configured to execute a computer program 5032 stored in a memory to implement the steps of:
deploying a database security protection capability verification and evaluation tool; linking existing safety measures by using the assessment tool; detecting database assets and combing the database assets to obtain combing results; calculating the expected response of the safety protection measures according to the carding result to obtain an expected response risk value set; simulating attack on the database to obtain a simulation result; capturing the real response of the safety protection measures according to the simulation result to obtain a real response data set; comparing the expected response with the actual response deviation according to the expected response risk value set and the actual response data set to obtain a comparison result; evaluating the safety protection capability of the database according to the comparison result to obtain an evaluation report; and outputting the evaluation report.
The database assets comprise database system information, database network information, database credential information, information on the business applications that use the database, information on the client software that connects to the database, and information on the programming-language SDKs that operate the database.
In one embodiment, when the processor 502 implements the step of detecting database assets and combing the database assets to obtain a combing result, the following steps are specifically implemented:
detecting database assets; and combing the database assets, recording the connection state and network information of the database assets to form a database connection mark set, so as to obtain the combing result.
In one embodiment, when the processor 502 implements the step of calculating the expected response of the security protection measures according to the combing result to obtain the expected response risk value set, the following steps are specifically implemented:
detecting the connectivity between the combing result and the existing security protection devices and policy set, judging whether the combing result lies within the protection range of those devices and policies, and thereby obtaining the communication link between the combing result and the existing security protection devices and policy set; extracting the attack payloads from the security protection capability verification script to obtain an extraction result; and calculating, from the extraction result and the communication link between the combing result and the existing security protection devices and policy set, the expected response risk values of the database assets at the application service, the database itself, and database operation and maintenance, so as to obtain the expected response risk value set.
In one embodiment, when the processor 502 implements the step of simulating an attack on the database to obtain a simulation result, the following steps are specifically implemented:
according to the database connection mark set and the security protection capability verification script, simulating a set of attack time intervals and calculating the attack order of each database asset to generate a simulated attack sequence priority set; and, according to the simulated attack sequence priority set, sequentially subjecting each database asset in the organization to a simulated attack through the security protection capability verification script, and generating a simulated attack mark set so as to obtain the simulation result.
In one embodiment, when the processor 502 performs the step of comparing the deviation between the expected response and the real response according to the expected response risk value set and the real response data set to obtain a comparison result, the following step is specifically implemented:
determining whether an intersection exists between the expected response risk value set and the real response data set, so as to obtain the comparison result.
In one embodiment, when the processor 502 performs the step of evaluating the database security protection capability according to the comparison result to obtain an evaluation report, the following step is specifically implemented:
evaluating the database security protection capability at the service, operation and maintenance, and network layers according to the comparison result, so as to obtain the evaluation report.
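As an added illustration that is not code from the patent, the following Python sketch models the verification loop described above: combing assets into a database connection mark set, deriving the expected response risk value set from which marks fall inside the existing devices' policy range, ordering the simulated attack sequence, building the real response data set from captured device events, and comparing the two sets by intersection to evaluate each layer. All asset names, device scopes, payload identifiers and captured events are constructed placeholders; the verification script is reduced to (payload id, layer) labels and carries no attack content.

```python
from dataclasses import dataclass

LAYERS = ("service", "operation_maintenance", "network")  # layers named in the evaluation step


@dataclass(frozen=True)
class DbAsset:
    name: str
    ip: str
    port: int
    connectable: bool  # connection state recorded while combing the assets


@dataclass(frozen=True)
class ProtectionDevice:
    name: str
    covered_prefixes: tuple  # hypothetical policy scope: IP prefixes the device protects


def comb_assets(assets):
    """Combing: keep assets that connect normally -> database connection mark set."""
    return frozenset(a for a in assets if a.connectable)


def in_protection_range(asset, devices):
    """Connectivity check of one mark against the existing devices and policy set."""
    return [d.name for d in devices if any(asset.ip.startswith(p) for p in d.covered_prefixes)]


def expected_response_set(marks, devices, script):
    """Expected response risk value set: (asset, payload_id, layer) triples the existing
    protection is expected to respond to. `script` is the verification script reduced to
    (payload_id, layer) labels. Marks outside every device's range mean no effective protection."""
    expected, unprotected = set(), set()
    for a in marks:
        if not in_protection_range(a, devices):
            unprotected.add(a.name)
            continue
        expected.update((a.name, pid, layer) for pid, layer in script)
    return expected, unprotected


def attack_priority(marks, interval_s):
    """Simulated attack sequence priority set: shortest simulated interval first."""
    return [a.name for a in sorted(marks, key=lambda a: (interval_s.get(a.name, 0), a.name))]


def real_response_set(captured):
    """Real response data set: captured events where the protection measure actually blocked."""
    return {(asset, pid, layer) for asset, pid, layer, action in captured if action == "blocked"}


def compare(expected, real):
    """Deviation between expected and real response: the intersection plus both differences."""
    return {"matched": expected & real, "missed": expected - real, "unexpected": real - expected}


def evaluate(comparison, unprotected):
    """Evaluation report per layer: how much of the expected response was actually observed."""
    report = {}
    for layer in LAYERS:
        exp = {t for t in comparison["matched"] | comparison["missed"] if t[2] == layer}
        hit = {t for t in comparison["matched"] if t[2] == layer}
        report[layer] = {"expected": len(exp), "observed": len(hit),
                         "coverage": round(len(hit) / len(exp), 2) if exp else None}
    report["unprotected_assets"] = sorted(unprotected)
    report["unexpected_responses"] = sorted(comparison["unexpected"])
    return report


def run_pipeline(assets, devices, script, intervals, captured):
    marks = comb_assets(assets)
    expected, unprotected = expected_response_set(marks, devices, script)
    report = evaluate(compare(expected, real_response_set(captured)), unprotected)
    report["attack_order"] = attack_priority(marks, intervals)
    return report


# Constructed sample data: placeholder assets, policy scope, script labels and captured events.
SAMPLE_ASSETS = [
    DbAsset("db-orders", "10.0.1.10", 5432, True),
    DbAsset("db-hr", "10.0.2.20", 3306, True),
    DbAsset("db-legacy", "10.0.9.5", 1521, False),  # not connectable: dropped at combing
]
SAMPLE_DEVICES = [ProtectionDevice("dbfw-1", ("10.0.1.",))]  # db-hr lies outside its range
SAMPLE_SCRIPT = [("P-01", "service"), ("P-02", "network"), ("P-03", "operation_maintenance")]
SAMPLE_INTERVALS = {"db-orders": 30, "db-hr": 10}
SAMPLE_CAPTURED = [
    ("db-orders", "P-01", "service", "blocked"),
    ("db-orders", "P-02", "network", "allowed"),  # expected block that did not happen
    ("db-orders", "P-03", "operation_maintenance", "blocked"),
    ("db-hr", "P-01", "service", "blocked"),  # blocked although outside the policy range
]
```

Running `run_pipeline` on the sample data reports full coverage at the service and operation-and-maintenance layers, zero coverage at the network layer, db-hr as an unprotected asset, and the db-hr block as an unexpected response to be explained.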
It should be appreciated that in the embodiments of the application the processor 502 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor or any conventional processor.
Those skilled in the art will appreciate that all or part of the flow of the method in the embodiments described above may be accomplished by a computer program instructing the relevant hardware. The computer program comprises program instructions and may be stored in a storage medium, which is a computer-readable storage medium. The program instructions are executed by at least one processor in the computer system to implement the flow steps of the method embodiments described above.
Accordingly, the present invention also provides a storage medium. The storage medium may be a computer readable storage medium. The storage medium stores a computer program which, when executed by a processor, causes the processor to perform the steps of:
deploying a database security protection capability verification and evaluation tool; linking the existing security protection measures by using the evaluation tool; detecting database assets and combing the database assets to obtain a combing result; calculating the expected response of the security protection measures according to the combing result to obtain an expected response risk value set; simulating an attack on the database to obtain a simulation result; capturing the real response of the security protection measures according to the simulation result to obtain a real response data set; comparing the deviation between the expected response and the real response according to the expected response risk value set and the real response data set to obtain a comparison result; evaluating the security protection capability of the database according to the comparison result to obtain an evaluation report; and outputting the evaluation report.
The database assets comprise database system information, database network information, database credential information, information on the business applications that use the database, information on the client software that connects to the database, and information on the programming-language SDKs that operate the database.
In one embodiment, when the processor executes the computer program to implement the step of detecting database assets and combing the database assets to obtain a combing result, the following steps are specifically implemented:
detecting database assets; and combing the database assets, recording the connection state and network information of the database assets to form a database connection mark set, so as to obtain the combing result.
In one embodiment, when the processor executes the computer program to implement the step of calculating the expected response of the security protection measures according to the combing result to obtain the expected response risk value set, the following steps are specifically implemented:
detecting the connectivity between the combing result and the existing security protection devices and policy set, judging whether the combing result lies within the protection range of those devices and policies, and thereby obtaining the communication link between the combing result and the existing security protection devices and policy set; extracting the attack payloads from the security protection capability verification script to obtain an extraction result; and calculating, from the extraction result and the communication link between the combing result and the existing security protection devices and policy set, the expected response risk values of the database assets at the application service, the database itself, and database operation and maintenance, so as to obtain the expected response risk value set.
In one embodiment, when the processor executes the computer program to implement the step of simulating an attack on the database to obtain a simulation result, the following steps are specifically implemented:
according to the database connection mark set and the security protection capability verification script, simulating a set of attack time intervals and calculating the attack order of each database asset to generate a simulated attack sequence priority set; and, according to the simulated attack sequence priority set, sequentially subjecting each database asset in the organization to a simulated attack through the security protection capability verification script, and generating a simulated attack mark set so as to obtain the simulation result.
In one embodiment, when the processor executes the computer program to implement the step of comparing the deviation between the expected response and the real response according to the expected response risk value set and the real response data set to obtain a comparison result, the following step is specifically implemented:
determining whether an intersection exists between the expected response risk value set and the real response data set, so as to obtain the comparison result.
In one embodiment, when the processor executes the computer program to perform the step of evaluating the database security protection capability according to the comparison result to obtain an evaluation report, the following step is specifically implemented:
evaluating the database security protection capability at the service, operation and maintenance, and network layers according to the comparison result, so as to obtain the evaluation report.
The storage medium may be a USB flash drive, a removable hard disk, a read-only memory (ROM), a magnetic disk, an optical disk, or any other computer-readable storage medium that can store program code.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the several embodiments provided by the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the device embodiments described above are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed.
The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs. The units in the device of the embodiment of the invention can be combined, divided and deleted according to actual needs. In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The integrated unit may be stored in a storage medium if implemented in the form of a software functional unit and sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention is essentially or a part contributing to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a terminal, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention.
While the invention has been described with reference to certain preferred embodiments, those skilled in the art will understand that various changes and substitutions of equivalents may be made without departing from the scope of the invention. The protection scope of the invention is therefore defined by the claims.

Claims (8)

1. A database capability verification and evaluation method, characterized by comprising the following steps:
deploying a database security protection capability verification and evaluation tool;
linking the existing security protection measures by using the evaluation tool;
detecting database assets and combing the database assets to obtain a combing result;
calculating the expected response of the security protection measures according to the combing result to obtain an expected response risk value set;
simulating an attack on the database to obtain a simulation result;
capturing the real response of the security protection measures according to the simulation result to obtain a real response data set;
comparing the deviation between the expected response and the real response according to the expected response risk value set and the real response data set to obtain a comparison result;
evaluating the security protection capability of the database according to the comparison result to obtain an evaluation report;
outputting the evaluation report;
wherein the detecting database assets and combing the database assets to obtain a combing result comprises:
detecting database assets;
combing the database assets, recording the connection state of the database assets together with the database IP addresses and ports, and forming a database connection mark set to obtain the combing result; wherein whether each database asset can be connected normally is judged according to the acquired database IP address and port information data set and the database credential information data set, and the database connection mark set is generated accordingly;
and the calculating the expected response of the security protection measures according to the combing result to obtain an expected response risk value set comprises:
detecting the connectivity between the database connection mark set and the currently existing security protection devices and policy set, and judging whether the database connection mark set lies within the protection range of the currently existing security protection devices and policy set; if not, this indicates that the existing security protection devices and policy set provide no effective protection for the database connection mark set; if so, this indicates that the existing security protection devices and policy set effectively protect the database connection mark set, and after the communication link between the existing security protection devices and policy set and the database connection mark set has been obtained, the attack payloads in the security protection capability verification script are extracted, the expected response risk values of the database assets at the application service, the database itself, and database operation and maintenance are calculated from the extracted payloads and the link, and the values are stored in the expected response risk value set.
2. The database capability verification and evaluation method of claim 1, wherein the database assets include database system information, database IP addresses and ports, database credential information, information on the business applications that use the database, information on the client software that connects to the database, and information on the programming-language SDKs that operate the database.
3. The method of claim 1, wherein the simulating an attack on the database to obtain a simulation result comprises:
according to the database connection mark set and the security protection capability verification script, simulating a set of attack time intervals and calculating the attack order of each database asset to generate a simulated attack sequence priority set;
according to the simulated attack sequence priority set, sequentially subjecting each database asset in the organization to a simulated attack through the security protection capability verification script, and generating a simulated attack mark set so as to obtain the simulation result.
4. The method of claim 1, wherein the comparing the deviation between the expected response and the real response according to the expected response risk value set and the real response data set to obtain a comparison result comprises:
determining whether an intersection exists between the expected response risk value set and the real response data set, so as to obtain the comparison result.
5. The method of claim 1, wherein the evaluating the database security protection capability according to the comparison result to obtain an evaluation report comprises:
evaluating the database security protection capability at the service, operation and maintenance, and network layers according to the comparison result, so as to obtain the evaluation report.
6. A database capability verification and evaluation apparatus, comprising:
a deployment unit for deploying a database security protection capability verification and evaluation tool;
a linkage unit for linking the existing security protection measures by using the evaluation tool;
an asset processing unit for detecting database assets and combing the database assets to obtain a combing result;
a risk value calculation unit for calculating the expected response of the security protection measures according to the combing result, so as to obtain an expected response risk value set;
an attack unit for simulating an attack on the database to obtain a simulation result;
a capturing unit for capturing the real response of the security protection measures according to the simulation result, so as to obtain a real response data set;
a comparison unit for comparing the deviation between the expected response and the real response according to the expected response risk value set and the real response data set to obtain a comparison result;
an evaluation unit for evaluating the security protection capability of the database according to the comparison result, so as to obtain an evaluation report;
an output unit for outputting the evaluation report;
wherein the asset processing unit comprises a detection subunit and a combing subunit;
the detection subunit is for detecting database assets; the combing subunit is for combing the database assets, recording the connection state of the database assets together with the database IP addresses and ports, and forming a database connection mark set so as to obtain the combing result, wherein whether each database asset can be connected normally is judged according to the acquired database IP address and port information data set and the database credential information data set, and the database connection mark set is generated accordingly;
and the risk value calculation unit is for detecting the connectivity between the database connection mark set and the currently existing security protection devices and policy set and judging whether the database connection mark set lies within the protection range of the currently existing security protection devices and policy set; if not, this indicates that the existing security protection devices and policy set provide no effective protection for the database connection mark set; if so, this indicates that the existing security protection devices and policy set effectively protect the database connection mark set, and after the communication link between the existing security protection devices and policy set and the database connection mark set has been obtained, the attack payloads in the security protection capability verification script are extracted, the expected response risk values of the database assets at the application service, the database itself, and database operation and maintenance are calculated from the extracted payloads and the link, and the values are stored in the expected response risk value set.
7. A computer device, characterized in that it comprises a memory on which a computer program is stored and a processor which, when executing the computer program, implements the method according to any one of claims 1 to 5.
8. A storage medium storing a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310702306.0A CN116431460B (en) 2023-06-14 2023-06-14 Database capability verification and evaluation method and device, computer equipment and storage medium


Publications (2)

Publication Number Publication Date
CN116431460A CN116431460A (en) 2023-07-14
CN116431460B true CN116431460B (en) 2023-09-08

Family

ID=87092930



Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20080065084A (en) * 2007-01-08 2008-07-11 유디코스모 주식회사 Method and apparatus for analyzing network vulnerability using the attack simulation
WO2018100718A1 (en) * 2016-12-01 2018-06-07 三菱電機株式会社 Evaluation device, evaluation method for security product, and evaluation program
CN111143853A (en) * 2019-12-25 2020-05-12 支付宝(杭州)信息技术有限公司 Application security assessment method and device
CN115801464A (en) * 2023-02-06 2023-03-14 北京长亭未来科技有限公司 Analog simulation method, system, equipment and storage medium based on TCP protocol attack

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220210200A1 (en) * 2015-10-28 2022-06-30 Qomplx, Inc. Ai-driven defensive cybersecurity strategy analysis and recommendation system
US11777979B2 (en) * 2020-05-11 2023-10-03 Firecompass Technologies Pvt Ltd System and method to perform automated red teaming in an organizational network


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"A Cyber Attack Modeling and Impact Assessment framework"; I. Kotenko et al.; 2013 5th International Conference on Cyber Conflict (CYCON 2013); full text *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant