CN116521507A - Boundary safety device testing method, device, equipment and storage medium - Google Patents


Info

Publication number: CN116521507A
Authority: CN (China)
Prior art keywords: attack, equipment, test, target, boundary
Legal status: Pending
Application number: CN202210069038.9A
Other languages: Chinese (zh)
Inventors: 刘益敏, 张成果, 孙逊
Current assignee: 360 Digital Security Technology Group Co Ltd
Original assignee: 360 Digital Security Technology Group Co Ltd

Events:
Application filed by 360 Digital Security Technology Group Co Ltd
Priority to CN202210069038.9A
Publication of CN116521507A
Legal status: Pending

Classifications

    • G06F11/3688 Test management for test execution, e.g. scheduling of test suites (G06F11/36 Preventing errors by testing or debugging software; G06F11/3668 Software testing; G06F11/3672 Test management)
    • G06F11/3072 Monitoring arrangements determined by the means or processing involved in reporting the monitored data where the reporting involves data filtering, e.g. pattern matching, time or event triggered, adaptive or policy-based reporting (G06F11/30 Monitoring)
    • G06F11/3692 Test management for test results analysis
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting (G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/55 Detecting local intrusion or implementing counter-measures)
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/602 Providing cryptographic facilities or services (G06F21/60 Protecting data)
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security (Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies)

Abstract

The invention belongs to the technical field of computers and discloses a boundary security device testing method, apparatus, device and storage medium. In the method, a target boundary security device and a plurality of test attack cases are determined according to a received device test instruction, and a target device is selected from the devices managed by the target boundary security device; simulated attacks are launched against the target device from the cloud according to the plurality of test attack cases; when the simulated attacks are finished, the attack alarm logs generated by the target boundary security device are obtained and the attack network address in each attack alarm log is read; and the attack alarm logs are matched with the test attack cases according to the attack network address, the security of the target boundary security device being determined from the matching result. Because the security test of the target device is executed automatically according to the device test instruction, no manual intervention is needed, a large amount of labour cost is saved, and the execution efficiency of boundary security device testing is improved.

Description

Boundary safety device testing method, device, equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a boundary security device testing method, apparatus, device, and storage medium.
Background
A boundary security device is a security product installed between an intranet and an extranet to provide security protection for intranet devices, and it is important for protecting an enterprise against attacks from the external network, so its security needs to be tested. However, the prior art generally carries out random attacks in a proof-of-concept (POC) manner and verifies the result manually; this has low execution efficiency and has difficulty covering all attack types, so the test effect for boundary security devices is not ideal.
The foregoing is provided merely for the purpose of facilitating understanding of the technical solutions of the present invention and is not intended to represent an admission that the foregoing is prior art.
Disclosure of Invention
The invention mainly aims to provide a boundary safety equipment testing method, a device, equipment and a storage medium, and aims to solve the technical problems that the test of the boundary safety equipment in the prior art depends on manual test and the execution efficiency is low.
To achieve the above object, the present invention provides a boundary safety equipment testing method, which includes the steps of:
Determining target boundary safety equipment and a plurality of test attack cases according to the received equipment test instruction, and selecting target equipment from equipment managed by the target boundary safety equipment;
according to the multiple test attack cases, simulating attack on the target equipment from the cloud;
when the simulation attack is finished, a plurality of attack alarm logs generated by the target boundary safety equipment are obtained, and attack network addresses in the attack alarm logs are read;
and matching the plurality of attack alarm logs with the plurality of test attack cases according to the attack network address, and determining the security of the target boundary security equipment according to a matching result.
Optionally, the step of performing the attack simulation on the target device from the cloud according to the plurality of test attack cases includes:
setting corresponding attack execution addresses for each test attack case;
and launching the simulated attack on the target device from the cloud according to the test attack case, using the attack execution address as the attack source address.
Optionally, the step of setting a corresponding attack execution address for each test attack case includes:
acquiring a plurality of network addresses from a preset network address pool;
and setting a corresponding attack execution address for each test attack case according to the plurality of network addresses.
Optionally, the step of matching the plurality of attack alarm logs with the plurality of test attack cases according to the attack network address, and determining the security of the target boundary security device according to the matching result includes:
matching the plurality of attack alarm logs with the plurality of test attack cases according to the attack network address to obtain a matching result;
determining whether a test attack case without a corresponding attack alarm log exists or not according to the matching result;
and if no such test attack case exists, determining that the security test result of the target boundary security device is "device safe".
Optionally, after the step of determining whether the test attack case without the corresponding attack alarm log exists according to the matching result, the method further includes:
if such a test attack case exists, determining that the security test result of the target boundary security device is "device unsafe";
taking the test attack case without the corresponding attack alarm log as a target attack case;
and generating a security analysis report according to the security test result and the target attack case.
Optionally, the step of generating a security analysis report according to the security test result and the target attack case includes:
acquiring a case identifier corresponding to the target attack case;
searching for the corresponding security adjustment strategy in a preset security strategy library according to the case identifier;
and generating a security analysis report according to the security test result, the target attack case and the security adjustment strategy.
Optionally, the step of determining the target boundary security device and the plurality of test attack cases according to the received device test instruction includes:
analyzing the received equipment test instruction to obtain a target equipment identifier, a target equipment address and a use case query condition;
determining target boundary safety equipment according to the target equipment identifier and the target equipment address;
searching in a preset case library according to the case query conditions to obtain a plurality of test attack cases.
Optionally, before the step of determining the target boundary security device according to the target device identifier and the target device address, the method further includes:
extracting security verification data from the equipment test instruction, and acquiring an instruction transmitting device corresponding to the equipment test instruction;
searching for the device access key corresponding to the instruction-sending device;
encrypting the target equipment identifier, the target equipment address and the use case query condition according to the equipment access key through a preset encryption algorithm to obtain safety check data;
and if the security verification data extracted from the instruction is consistent with the computed security check data, executing the step of determining the target boundary security device according to the target device identifier and the target device address.
Optionally, the step of encrypting the target device identifier, the target device address and the use case query condition according to the device access key by using a preset encryption algorithm to obtain security check data includes:
carrying out hash operation on the use case query condition to obtain a conditional hash value;
performing hash operation on the target equipment address to obtain an address hash value;
combining and splicing the conditional hash value, the address hash value and the target equipment identifier according to a preset combination rule to obtain conditional splicing data;
and encrypting the conditional splice data according to the equipment access key through a preset encryption algorithm to obtain safety check data.
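As an added illustration of this verification branch (not code from the patent), the following Python computes and checks the security check data. It assumes SHA-256 for the two hash operations, a '|'-joined concatenation as the "preset combination rule", and HMAC-SHA256 keyed with the sender's device access key as the "preset encryption algorithm" (a keyed MAC rather than reversible encryption); the key store and the sample instruction are constructed.

```python
import hashlib
import hmac

# Constructed key store: instruction-sending device -> device access key.
# A real deployment would keep these in a secrets store, not in source.
DEVICE_ACCESS_KEYS = {
    "test-console-01": b"constructed-demo-access-key",
}


def combine_fields(condition_hash: str, address_hash: str, device_id: str) -> str:
    """Assumed preset combination rule: condition hash, address hash, identifier, '|'-joined."""
    return "|".join((condition_hash, address_hash, device_id))


def compute_check_data(device_id: str, device_address: str,
                       query_condition: str, access_key: bytes) -> str:
    """Hash the query condition and the device address, splice them with the
    identifier, then apply the keyed algorithm to the spliced data."""
    condition_hash = hashlib.sha256(query_condition.encode("utf-8")).hexdigest()
    address_hash = hashlib.sha256(device_address.encode("utf-8")).hexdigest()
    spliced = combine_fields(condition_hash, address_hash, device_id)
    # The page's "preset encryption algorithm" is assumed to be HMAC-SHA256:
    # only a holder of the device access key can produce valid check data.
    return hmac.new(access_key, spliced.encode("utf-8"), hashlib.sha256).hexdigest()


def build_instruction(sender: str, device_id: str, device_address: str,
                      query_condition: str) -> dict:
    """What the instruction-sending device transmits (constructed layout)."""
    key = DEVICE_ACCESS_KEYS[sender]
    return {
        "sender": sender,
        "device_id": device_id,
        "device_address": device_address,
        "query_condition": query_condition,
        "verification_data": compute_check_data(device_id, device_address,
                                                query_condition, key),
    }


def verify_instruction(instruction: dict) -> bool:
    """Recompute the check data with the sender's access key and compare it with
    the security verification data carried in the instruction."""
    key = DEVICE_ACCESS_KEYS.get(instruction.get("sender", ""))
    if key is None:
        return False  # unknown sender: no key, so the instruction cannot be trusted
    expected = compute_check_data(instruction["device_id"],
                                  instruction["device_address"],
                                  instruction["query_condition"], key)
    # Constant-time comparison so a forger learns nothing from timing differences.
    return hmac.compare_digest(expected, instruction.get("verification_data", ""))


if __name__ == "__main__":
    instr = build_instruction("test-console-01", "fw-edge-01", "10.0.0.1",
                              "category=web AND severity>=high")
    print("valid instruction:", verify_instruction(instr))
    tampered = dict(instr, device_address="10.0.0.2")
    print("tampered instruction:", verify_instruction(tampered))
```

Any change to the identifier, address or query condition after the check data was produced makes verification fail, which is what stops a forged test instruction from pointing the simulation at a different device.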
Optionally, when the simulation attack is finished, the step of acquiring the plurality of attack alarm logs generated by the target boundary security device and reading the attack network address in each attack alarm log includes:
when the simulation attack is finished, acquiring an attack log set generated by the target boundary safety equipment;
acquiring a preset cloud simulation identifier, screening the attack logs in the attack log set according to the cloud simulation identifier, and acquiring a plurality of attack alarm logs;
and reading the attack network address in each attack alarm log.
Optionally, the step of selecting a target device from the devices managed by the target boundary security device includes:
performing network delay detection on the equipment managed by the target boundary safety equipment to obtain network delay values corresponding to the equipment managed by the target boundary safety equipment;
and selecting target equipment from the equipment managed by the target boundary safety equipment according to the network delay value.
In addition, in order to achieve the above object, the present invention also provides a boundary safety equipment testing device, which includes the following modules:
the instruction execution module is used for determining target boundary safety equipment and a plurality of test attack cases according to the received equipment test instruction, and selecting target equipment from equipment managed by the target boundary safety equipment;
the simulation attack module is used for performing simulated attacks on the target device from the cloud according to the plurality of test attack cases;
the log acquisition module is used for acquiring a plurality of attack alarm logs generated by the target boundary security equipment when the simulated attack is finished, and reading attack network addresses in the attack alarm logs;
and the security judging module is used for matching the plurality of attack alarm logs with the plurality of test attack cases according to the attack network address, and determining the security of the target boundary security equipment according to a matching result.
Optionally, the attack simulation module is further configured to set a corresponding attack execution address for each test attack case, and to launch the simulated attack on the target device from the cloud according to the test attack case, using the attack execution address as the attack source address.
Optionally, the attack simulating module is further configured to obtain a plurality of network addresses from a preset network address pool; and setting corresponding attack execution addresses for each test attack case according to the plurality of network addresses.
Optionally, the security decision module is further configured to match the plurality of attack alarm logs with the plurality of test attack cases according to the attack network address, so as to obtain a matching result; determine whether a test attack case without a corresponding attack alarm log exists according to the matching result; and if no such test attack case exists, determine that the security test result of the target boundary security device is "device safe".
Optionally, the security decision module is further configured to determine that the security test result of the target boundary security device is "device unsafe" if such a test attack case exists; take the test attack case without a corresponding attack alarm log as a target attack case; and generate a security analysis report according to the security test result and the target attack case.
Optionally, the security decision module is further configured to obtain a case identifier corresponding to the target attack case; search for the corresponding security adjustment strategy in a preset security strategy library according to the case identifier; and generate a security analysis report according to the security test result, the target attack case and the security adjustment strategy.
Optionally, the instruction execution module is further configured to parse the received device test instruction to obtain a target device identifier, a target device address, and a case query condition; determining target boundary safety equipment according to the target equipment identifier and the target equipment address; searching in a preset case library according to the case query conditions to obtain a plurality of test attack cases.
In addition, to achieve the above object, the present invention also proposes a boundary security device testing apparatus comprising a processor, a memory and a boundary security device test program that is stored in the memory and can run on the processor, wherein the boundary security device test program implements the steps of the boundary security device testing method when executed by the processor.
In addition, in order to achieve the above object, the present invention also proposes a computer-readable storage medium having stored thereon a boundary safety device test program which, when executed, implements the steps of the boundary safety device test method as described above.
In the method, a target boundary security device and a plurality of test attack cases are determined according to a received device test instruction, and a target device is selected from the devices managed by the target boundary security device; simulated attacks are launched against the target device from the cloud according to the plurality of test attack cases; when the simulated attacks are finished, the attack alarm logs generated by the target boundary security device are obtained and the attack network address in each attack alarm log is read; and the attack alarm logs are matched with the test attack cases according to the attack network address, the security of the target boundary security device being determined from the matching result. Because the security test of the target device is executed automatically according to the device test instruction, no manual intervention is needed, a large amount of labour cost is saved, and the execution efficiency of boundary security device testing is improved.
Drawings
FIG. 1 is a schematic diagram of an electronic device of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart of a first embodiment of a boundary safety equipment testing method according to the present invention;
FIG. 3 is a flowchart of a second embodiment of a boundary safety equipment testing method according to the present invention;
FIG. 4 is a flowchart of a third embodiment of a boundary safety equipment testing method according to the present invention;
FIG. 5 is a block diagram of a first embodiment of a boundary safety equipment testing apparatus according to the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of the electronic device of the hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the electronic device may include: a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and may optionally further include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wi-Fi interface). The memory 1005 may be a high-speed random access memory (RAM) or a stable non-volatile memory (NVM), such as a disk memory. The memory 1005 may also optionally be a storage device separate from the processor 1001 described above.
Those skilled in the art will appreciate that the structure shown in fig. 1 is not limiting of the electronic device and may include more or fewer components than shown, or may combine certain components, or may be arranged in different components.
As shown in fig. 1, an operating system, a network communication module, a user interface module, and a boundary safety equipment test program may be included in the memory 1005 as one type of storage medium.
In the electronic device shown in fig. 1, the network interface 1004 is mainly used for data communication with a network server; the user interface 1003 is mainly used for data interaction with a user; the processor 1001 and the memory 1005 in the electronic device of the present invention may be disposed in a boundary safety device test device, where the electronic device invokes a boundary safety device test program stored in the memory 1005 through the processor 1001, and executes the boundary safety device test method provided by the embodiment of the present invention.
An embodiment of the present invention provides a boundary safety device testing method, and referring to fig. 2, fig. 2 is a flow chart of a first embodiment of a boundary safety device testing method according to the present invention.
In this embodiment, the boundary safety device testing method includes the following steps:
Step S10: and determining target boundary safety equipment and a plurality of test attack cases according to the received equipment test instruction, and selecting target equipment from equipment managed by the target boundary safety equipment.
It should be noted that, the execution body of the embodiment may be the boundary safety device testing device, and the boundary safety device testing device may be a cloud server deployed in the cloud, or may be other devices capable of implementing the same or similar functions, which is not limited in this embodiment, and in the present embodiment and the embodiments below, the boundary safety device testing device is taken as an example to describe the boundary safety device testing method of the present invention.
The target boundary security device may be a boundary security device to be tested, and the test attack case may be an attack case preset or specified by a user. The determining of the target boundary security device and the plurality of test attack cases according to the received device test instruction may be determining target device information and a plurality of case identifications according to the received device test instruction, searching the corresponding target boundary security device according to the target device information, and searching in a preset case library according to the plurality of case identifications to obtain a plurality of test attack cases. The target device information may include information such as a device name, a device network address (IP address), and the preset use case library may be a database preset by a manager or a security operation and maintenance person of the boundary security device test device and storing a large number of test attack use cases.
In practical use, the target boundary security device may be a security product deployed between an intranet and an extranet, and the device managed by the target boundary security device may be a device accessing the intranet, for example: office computers, printers, etc. The selecting the target device from the devices managed by the target boundary security device may be randomly selecting the device managed by the target boundary security device as the target device. Of course, in order to ensure the effect of performing the simulation attack on the selected target device, a device with better performance may be selected as far as possible as the target device.
Further, in order to ensure the effect of performing the simulated attack on the target device as far as possible, the step of selecting the target device from the devices managed by the target boundary security device according to this embodiment may include:
performing network delay detection on the equipment managed by the target boundary safety equipment to obtain network delay values corresponding to the equipment managed by the target boundary safety equipment;
and selecting target equipment from the equipment managed by the target boundary safety equipment according to the network delay value.
It should be noted that the intranet of some enterprises may be a multi-layer network. In that case the network delay for reaching an intranet device from the external network may be high, or the device may not be reachable at all; a high network delay may cause an abnormality in the simulated attack and so affect the test of the boundary security device. To avoid this, network delay detection may first be performed on the devices managed by the target boundary security device to obtain the network delay value of each such device, and the target device is then selected according to these values so that the selected target device has a low network delay, which ensures the effect of the simulated attack on the target device.
In actual use, selecting the target device from the devices managed by the target boundary security device according to the network delay value may be sorting those devices by network delay value in ascending order to obtain a sorting result, and then taking the first device in the sorting result as the target device. Of course, the performance of the first device in the sorting result may be poor and the effect of the simulated attack may not be ideal; to ensure the effect of the simulated attack as far as possible, the network delay values may instead be compared with a preset delay threshold, the devices whose network delay value is smaller than the preset delay threshold ranked by device performance from high to low to obtain a performance ranking result, and the first device in the performance ranking result taken as the target device.
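The two selection rules just described, as an added Python example that is not the patent's own code. The device records, delay threshold and performance scores are constructed; a device whose delay probe failed is recorded with delay None and skipped, and the fallback to the lowest-delay device when nothing is below the threshold is an assumption the text does not spell out.

```python
from typing import Optional

# Constructed probe results for devices managed by the boundary security device:
# name, measured network delay in milliseconds (None = could not be reached),
# and a performance score (higher is better).
DEVICES = [
    {"name": "printer-3f",   "delay_ms": 4.0,  "performance": 10},
    {"name": "office-pc-12", "delay_ms": 18.5, "performance": 80},
    {"name": "office-pc-07", "delay_ms": 9.2,  "performance": 65},
    {"name": "legacy-nas",   "delay_ms": None, "performance": 30},
    {"name": "build-server", "delay_ms": 65.0, "performance": 95},
]


def reachable(devices):
    """Drop devices whose delay detection failed; they cannot be attacked reliably."""
    return [d for d in devices if d["delay_ms"] is not None]


def select_by_lowest_delay(devices) -> Optional[str]:
    """First rule: sort by network delay in ascending order and take the first device."""
    candidates = sorted(reachable(devices), key=lambda d: d["delay_ms"])
    return candidates[0]["name"] if candidates else None


def select_by_threshold_and_performance(devices, delay_threshold_ms: float) -> Optional[str]:
    """Second rule: keep devices whose delay is below the preset threshold, rank
    them by performance from high to low and take the first. When no device is
    below the threshold the page gives no rule; falling back to the lowest-delay
    device is an assumption made here."""
    fast = [d for d in reachable(devices) if d["delay_ms"] < delay_threshold_ms]
    if not fast:
        return select_by_lowest_delay(devices)
    ranked = sorted(fast, key=lambda d: d["performance"], reverse=True)
    return ranked[0]["name"]


if __name__ == "__main__":
    print("lowest delay:", select_by_lowest_delay(DEVICES))
    print("threshold 20 ms + performance:", select_by_threshold_and_performance(DEVICES, 20.0))
```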
Step S20: and simulating attack on the target equipment from the cloud according to the plurality of test attack cases.
It may be understood that each test attack case may include a corresponding attack script, and performing, according to the plurality of test attack cases, a simulation attack on the target device from the cloud end may be that the boundary security device test device executes the attack script corresponding to each test attack case, so as to perform the simulation attack on the target device from the cloud end.
Step S30: and when the simulation attack is finished, acquiring a plurality of attack alarm logs generated by the target boundary safety equipment, and reading attack network addresses in the attack alarm logs.
It can be understood that if the target boundary security device detects the attack behaviour corresponding to a test attack case, it generates a corresponding attack alarm log, so all attack alarm logs generated by the target boundary security device can then be read. An attack alarm log may include information such as the attack network address and an attack initiator identifier, where the attack network address may be the network address of the attack initiator and the attack initiator identifier may be the unique device identifier of the device used by the attack initiator, for example a machine code. The attack network address is read by parsing the attack alarm log and extracting the attack network address from it.
Further, the logs that may be generated by the target boundary security device during the simulation of the attack may not only include the attack alarm log, but also include other types of logs, and in order to accurately distinguish the attack alarm log from other logs, a specific attacker identifier may be set, and the logs generated by the target boundary security device are screened by using the attacker identifier, where in this case, step S30 may include:
When the simulation attack is finished, acquiring an attack log set generated by the target boundary safety equipment;
acquiring a preset cloud simulation identifier, screening the attack logs in the attack log set according to the cloud simulation identifier, and acquiring a plurality of attack alarm logs;
and reading the attack network address in each attack alarm log.
It should be noted that, the obtaining the attack log set generated by the target boundary security device may be reading all attack logs generated by the target boundary security device during the execution of the simulated attack, and constructing the attack log set according to the obtained logs. The preset cloud simulation identifier may be a specific attacker identifier that is preset.
In actual use, the attack logs in the attack log set are screened according to the preset cloud simulation identifier, the multiple attack alarm logs can be obtained by comparing the preset cloud simulation identifier with the corresponding attacker identifiers of all the attack logs in the attack log set, and removing the attack logs with different corresponding attacker identifiers in the attack log set from the preset cloud simulation identifier.
It can be understood that screening the attack logs in the attack log set according to the preset cloud simulation identifier eliminates other logs irrelevant to the test attack cases, which improves the execution efficiency of the boundary security equipment testing method.
Step S40: and matching the plurality of attack alarm logs with the plurality of test attack cases according to the attack network address, and determining the security of the target boundary security equipment according to a matching result.
It should be noted that, matching the plurality of attack alarm logs with the plurality of test attack cases according to the attack network address may be to obtain the network address of the boundary security device test device, screen out the attack alarm logs corresponding to the attack network address different from the network address of the boundary security device test device, and then match the remaining plurality of attack alarm logs with the plurality of test attack cases, determine whether the number of the test attack cases matches the number of the attack alarm logs, and determine whether all attack behaviors corresponding to the test attack cases are detected, thereby determining the security of the target boundary security device.
According to the embodiment, target boundary safety equipment and a plurality of test attack cases are determined according to the received equipment test instruction, and target equipment is selected from equipment managed by the target boundary safety equipment; according to the multiple test attack cases, simulating attack on the target equipment from the cloud; when the simulation attack is finished, a plurality of attack alarm logs generated by the target boundary security equipment are obtained, and attack network addresses in the attack alarm logs are read; and matching the plurality of attack alarm logs with a plurality of test attack cases according to the attack network address, and determining the security of the target boundary security equipment according to the matching result. The process of carrying out the safety test on the target safety equipment can be automatically executed according to the equipment test instruction, so that manual intervention is not needed, a great amount of labor cost is saved, and the execution efficiency of the safety equipment test on the boundary can be improved.
Referring to fig. 3, fig. 3 is a flowchart illustrating a second embodiment of a boundary safety equipment testing method according to the present invention.
Based on the first embodiment, the step S20 of the boundary safety equipment testing method of the present embodiment includes:
step S201: and setting corresponding attack execution addresses for each test attack case.
Note that the attack execution address may be a network address used when executing the test attack case.
In practical use, if all the test attack cases use the same network address during execution, the attack network addresses in the attack alarm logs generated by the target boundary security device when it detects the attack behaviors are all the same. It is then difficult to establish a one-to-one correspondence between test attack cases and attack alarm logs; at best, whether some attack behavior corresponding to a test attack case went undetected can be judged by checking whether the number of attack alarm logs is consistent with the number of test attack cases. The granularity of such a security test of the target boundary security device is coarse and its effect is poor. To make it easy to relate test attack cases to attack alarm logs, a corresponding attack execution address can therefore be set for each test attack case before the test attack cases are executed.
In a specific implementation, in order to ensure that the attack execution addresses corresponding to the test attack cases differ as far as possible, so that test attack cases and attack alarm logs correspond one to one, the test granularity is finer and the test effect is improved, step S201 in this embodiment may include:
acquiring a plurality of network addresses from a preset network address pool;
and setting corresponding attack execution addresses for each test attack case according to the plurality of network addresses.
It should be noted that the preset network address pool may be a set of values preset by an administrator of the boundary security equipment testing apparatus, for example a set. The preset network address pool stores a plurality of network addresses that the boundary security equipment testing device is able to simulate.
In practical use, the obtaining the plurality of network addresses from the preset network address pool may be obtaining a total number of cases of the test attack case, and obtaining the network addresses with the same number as the total number of cases in the preset network address pool according to the total number of cases, thereby obtaining the plurality of network addresses.
It can be understood that the network addresses in the preset network address pool are not repeated. Obtaining a number of network addresses consistent with the total number of cases, and then setting a corresponding attack execution address for each test attack case according to these network addresses, ensures that the attack execution address of each test attack case is different, so that test attack cases and attack alarm logs correspond one to one, the test granularity is finer and the test effect is improved.
Step S202: simulating the attack execution address from the cloud to simulate attack on the target equipment according to the test attack use case.
It should be noted that, the simulating the attack execution address from the cloud to perform the simulated attack on the target device according to the test attack case may be that the attack execution address corresponding to the test attack case is read before the test attack case is executed, the attack execution address is simulated from the cloud, and then the attack script corresponding to the test attack case is executed to perform the simulated attack on the target device.
Accordingly, step S40 in this embodiment may include:
step S401: and matching the plurality of attack alarm logs with the plurality of test attack cases according to the attack network address to obtain a matching result.
It should be noted that matching the plurality of attack alarm logs with the plurality of test attack cases according to the attack network address may be done by reading the attack execution address corresponding to each test attack case and, when the attack network address of an attack alarm log is consistent with the attack execution address of a test attack case, associating that attack alarm log with that test attack case, finally obtaining a matching result.
Step S402: and determining whether a test attack case without a corresponding attack alarm log exists or not according to the matching result.
It can be understood that the matching result includes the mapping relation between each test attack case and each attack alarm log, so that whether the test attack case without the corresponding attack alarm log exists can be rapidly determined according to the matching result.
Step S403: if no such test attack case exists, determining that the security test result of the target boundary security device is device secure.
It can be understood that if there is no test attack case without a corresponding attack alarm log, the attack behaviors generated when all the test attack cases were executed were detected by the target boundary security device, and its security is very strong, so the security test result of the target boundary security device can be determined to be device secure.
In a specific implementation, if there is a test attack case without a corresponding attack alarm log, it indicates that some attack behaviors corresponding to the test attack case are not detected by the target boundary security device, and at this time, the user needs to be reminded that the target boundary security device has a security defect, so after step S402 of this embodiment, the method may further include:
If such a test attack case exists, determining that the security test result of the target boundary security device is device unsafe;
taking the test attack case without the corresponding attack alarm log as a target attack case;
and generating a security analysis report according to the security test result and the target attack case.
If a test attack case without a corresponding attack alarm log exists, the attack behavior generated when part of the test attack cases were executed was not detected by the target boundary security device, which indicates that its security protection is defective, so the security test result of the target boundary security device can be determined to be device unsafe. At this point the test attack case without a corresponding attack alarm log can be taken as the target attack case, a security analysis report is generated according to the security test result and the target attack case, and the security analysis report is displayed to the user to prompt that the target boundary security device has a security defect.
Further, in order to facilitate the user to cope with the defect existing in the target boundary security device, the step of generating the security analysis report according to the security test result and the target attack case in this embodiment may further include:
Acquiring a case identifier corresponding to the target attack case;
searching a corresponding security adjustment strategy in a preset security strategy library according to the use case identifier;
and generating a security analysis report according to the security test result, the target attack case and the security adjustment strategy.
It should be noted that the case identifier may be a unique identifier of the target attack case, and may be assigned by the administrator of the intranet security device test equipment when the test attack case is set up. The preset security policy library may be a preset database containing a large number of security adjustment policies, and a security adjustment policy may be a policy for avoiding an existing security defect, for example: prohibit transmitting large files, prohibit transmitting files with specific suffixes, prohibit multiple consecutive accesses within a short time, and the like.
It can be understood that the user generally lacks security protection knowledge and, even knowing the attack type, attack behavior and severity, may not know how to handle them. A corresponding security adjustment policy may therefore be added when the security defect analysis report is generated, so that the user can avoid the existing security defect by following the security adjustment policy in the security defect analysis report, which improves the user experience.
According to this embodiment, a corresponding attack execution address is set for each test attack case before the test attack cases are executed, and the attack execution addresses are then simulated from the cloud to attack the target equipment according to the test attack cases. When the plurality of attack alarm logs are matched with the plurality of test attack cases according to the attack network address, the attack network address of each attack alarm log can be compared with the attack execution addresses of the test attack cases to obtain a matching result, so that whether a test attack case without a corresponding attack alarm log exists can be determined rapidly from the matching result, and the result of the security test of the target boundary security device can be determined accurately.
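As an added example (not code from the patent or its assignee), the following Python script walks the second embodiment end to end on constructed data: it assigns a distinct attack execution address per test attack case from a preset pool (step S201), screens a constructed attack log set by the preset cloud simulation identifier (the screened form of step S30), matches alarms to cases by address (step S401), produces the device secure / device unsafe verdict (steps S402 and S403), and attaches a security adjustment policy for each undetected case from a constructed policy library. The JSON record layout, the identifiers, the case names and the addresses (RFC 5737 documentation ranges) are all assumptions.

```python
"""Added example (not from the patent): per-case attack addresses, alarm-log
screening by a cloud simulation identifier, address-based matching and the
device-secure / device-unsafe verdict. All names and data are constructed."""
import json
from typing import Dict, List

# Constructed "preset cloud simulation identifier": the attacker identifier the
# cloud tester stamps into every simulated attack it runs.
CLOUD_SIM_ID = "cloudsim-tester-01"

# Constructed "preset network address pool" (RFC 5737 documentation addresses).
ADDRESS_POOL = ["203.0.113.11", "203.0.113.12", "203.0.113.13", "203.0.113.14"]

# Constructed "preset security policy library": case identifier -> adjustment policy.
SECURITY_POLICY_LIBRARY = {
    "TC-001": "prohibit transmitting large files",
    "TC-002": "prohibit transmitting files with specific suffixes",
    "TC-003": "prohibit multiple consecutive accesses within a short time",
}

# Constructed attack log set: one JSON record per line, as a boundary device might emit.
# The third record comes from an unrelated source, the fourth is not an alarm.
RAW_LOG_SET = [
    '{"ts": "2024-01-01T10:00:01Z", "kind": "alarm", "attacker_id": "cloudsim-tester-01", "attack_addr": "203.0.113.11"}',
    '{"ts": "2024-01-01T10:00:02Z", "kind": "alarm", "attacker_id": "cloudsim-tester-01", "attack_addr": "203.0.113.12"}',
    '{"ts": "2024-01-01T10:00:03Z", "kind": "alarm", "attacker_id": "other-source", "attack_addr": "198.51.100.7"}',
    '{"ts": "2024-01-01T10:00:04Z", "kind": "heartbeat", "attacker_id": "cloudsim-tester-01"}',
]


def assign_attack_addresses(case_ids: List[str], pool: List[str]) -> Dict[str, str]:
    """Step S201: give every test attack case its own execution address from the pool.
    The pool must hold at least as many distinct addresses as there are cases; otherwise
    two cases would share an address and their alarms could not be told apart."""
    if len(set(pool)) != len(pool):
        raise ValueError("address pool contains duplicate addresses")
    if len(case_ids) > len(pool):
        raise ValueError("address pool smaller than the number of test attack cases")
    return dict(zip(case_ids, pool))


def screen_alarm_logs(raw_logs: List[str], cloud_sim_id: str) -> List[dict]:
    """Step S30 (screened variant): keep only alarm records stamped with the cloud
    simulation identifier that also carry an attack network address."""
    alarms = []
    for line in raw_logs:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip it rather than abort the whole run
        if rec.get("kind") != "alarm" or rec.get("attacker_id") != cloud_sim_id:
            continue
        if "attack_addr" in rec:
            alarms.append(rec)
    return alarms


def match_cases_to_alarms(address_map: Dict[str, str], alarms: List[dict]) -> Dict[str, List[dict]]:
    """Step S401: associate each case with the alarms whose attack address equals its execution address."""
    by_addr: Dict[str, List[dict]] = {}
    for rec in alarms:
        by_addr.setdefault(rec["attack_addr"], []).append(rec)
    return {cid: by_addr.get(addr, []) for cid, addr in address_map.items()}


def judge(matching: Dict[str, List[dict]]):
    """Steps S402/S403: 'device secure' only if every case produced at least one alarm."""
    missed = [cid for cid, recs in matching.items() if not recs]
    return ("device secure" if not missed else "device unsafe"), missed


def build_report(result: str, missed: List[str], policies: Dict[str, str]) -> dict:
    """Security analysis report: verdict, undetected (target) cases and their adjustment policy."""
    return {
        "result": result,
        "target_cases": [
            {"case_id": cid, "security_adjustment_policy": policies.get(cid, "no policy on file")}
            for cid in missed
        ],
    }


def run_example() -> dict:
    """Run the whole procedure on the constructed data and return the report."""
    case_ids = ["TC-001", "TC-002", "TC-003"]
    address_map = assign_attack_addresses(case_ids, ADDRESS_POOL)
    alarms = screen_alarm_logs(RAW_LOG_SET, CLOUD_SIM_ID)
    result, missed = judge(match_cases_to_alarms(address_map, alarms))
    report = build_report(result, missed, SECURITY_POLICY_LIBRARY)
    report["address_map"] = address_map
    report["alarm_count"] = len(alarms)
    return report


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

On the constructed data, TC-003 (address 203.0.113.13) never produces an alarm, so the verdict is device unsafe and the report lists TC-003 with its adjustment policy; the unrelated alarm from 198.51.100.7 and the heartbeat record are dropped by the identifier screen before matching, which is exactly what keeps a busy device's other logs from being counted as test results.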
Referring to fig. 4, fig. 4 is a flowchart of a third embodiment of a boundary safety equipment testing method according to the present invention.
Based on the first embodiment, the step S10 of the boundary safety equipment testing method of the present embodiment includes:
step S101: and analyzing the received equipment test instruction to obtain the target equipment identification, the target equipment address and the use case query condition.
It should be noted that the target device identifier may be a device identifier of the boundary security device that needs to be tested. The target device address may be the network address of the boundary security device that needs to be tested. The case query condition may be a condition set by the user for selecting a test attack case.
Step S102: and determining target boundary safety equipment according to the target equipment identifier and the target equipment address.
It should be noted that, determining the target boundary security device according to the target device identifier and the target device address may be to compare the target device identifier and the target device address with the device identifiers and the device addresses of the boundary security devices, and determine the target boundary security device according to the comparison result.
Furthermore, since the boundary security device testing device is deployed in the cloud, in an extranet environment, it may be attacked by a malicious attacker. To avoid this and improve the security of the boundary security device testing device, before step S102 in this embodiment the method may further include:
extracting security verification data from the equipment test instruction, and acquiring an instruction transmitting device corresponding to the equipment test instruction;
searching a device access secret key corresponding to the instruction sending device;
encrypting the target equipment identifier, the target equipment address and the use case query condition according to the equipment access key through a preset encryption algorithm to obtain safety check data;
and if the safety check data is consistent with the security verification data, executing the step of determining the target boundary security equipment according to the target equipment identifier and the target equipment address.
The security verification data is data for verifying whether the device test instruction is an instruction forged by a malicious attacker, and the device test instruction may further include a sender identifier corresponding to the device test instruction, and the corresponding instruction sending device may be found according to the sender identifier. The device access key corresponding to the instruction sending device may be a device access key corresponding to the instruction sending device searched in a preset device key mapping table. The preset device key mapping table may be preset by a manager of the boundary security device test device, where the preset device key mapping table may include a mapping relationship between device information and a device access key. The preset encryption algorithm may be preset by an administrator of the boundary security device test device, and the preset encryption algorithm may be a symmetric encryption algorithm.
It will be appreciated that if the safety check data is consistent with the security verification data, the device test instruction is not an instruction forged by a malicious attacker, and the subsequent steps may therefore be performed.
Further, if the security check data is obtained only by encrypting the target device identifier, the target device address and the case query condition with the device access key through the preset encryption algorithm, the encryption scheme is comparatively easy to crack. To improve security, in this embodiment the step of encrypting the target device identifier, the target device address and the case query condition according to the device access key through the preset encryption algorithm to obtain the security check data may include:
Carrying out hash operation on the use case query condition to obtain a conditional hash value;
performing hash operation on the target equipment address to obtain an address hash value;
combining and splicing the conditional hash value, the address hash value and the target equipment identifier according to a preset combination rule to obtain conditional splicing data;
and encrypting the conditional splice data according to the equipment access key through a preset encryption algorithm to obtain safety check data.
It should be noted that, the hash operation may be performed by a preset hash algorithm, and the preset hash algorithm may be an MD5 algorithm, which may be, of course, other similar algorithms. The preset combination rule may be preset by an administrator of the boundary safety equipment test equipment.
In actual use, combining and splicing the conditional hash value, the address hash value and the target device identifier according to the preset combination rule may be done by splitting the conditional hash value, the address hash value and the target device identifier into characters according to the preset combination rule to obtain a conditional character set, an address character set and an identification character set, and then cross-splicing the characters of the conditional character set, the address character set and the identification character set to obtain the conditional splicing data. For example, assuming the conditional character set, the address character set and the identification character set are { a, b, c }, { d, e, f } and { h, i, j } respectively, the conditional splicing data obtained after character cross-splicing is 'adhbecfj'.
It can be understood that, before encryption, the target device identifier, the target device address and the case query condition are converted and then spliced by a specific rule, and then the spliced data are encrypted, so that the difficulty of a malicious attacker in cracking the encryption mode can be greatly increased, and the security is improved.
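As an added example (not code from the patent or its assignee), the following Python script builds and checks the security verification data of a device test instruction along the lines of the steps above: hash the case query condition and the target device address, cross-splice the two hash values with the target device identifier, apply a keyed step with the sender's device access key, and compare the result with the value carried in the instruction. Two substitutions are deliberate and labelled: SHA-256 stands in for the MD5 the text names (the text itself allows other hash algorithms), and an HMAC (a keyed hash) stands in for the symmetric encryption step, since a deterministic keyed tag is what the comparison needs. The combination rule is assumed to be a strict round-robin interleave; on the three sets from the text, { a, b, c }, { d, e, f }, { h, i, j }, that rule yields 'adhbeicfj' (one character per input character), whereas the string printed above drops the 'i'. The key table, sender identifier, device identifier and addresses are constructed.

```python
"""Added example (not from the patent): building and verifying the security
verification data of a device test instruction. Substitutions: SHA-256 in place
of MD5, and an HMAC (keyed hash) in place of the symmetric encryption step.
The key table and the combination rule are assumptions."""
import hashlib
import hmac
from itertools import zip_longest
from typing import Dict, Optional

# Constructed "preset device key mapping table": sender identifier -> device access key.
DEVICE_KEY_TABLE: Dict[str, bytes] = {
    "console-01": b"constructed-device-access-key-for-console-01",
}


def interleave(*parts: str) -> str:
    """Assumed 'preset combination rule': round-robin character splice.
    Parts of unequal length are allowed; once a part is exhausted the remaining
    parts continue in order, so every input character appears exactly once."""
    return "".join(ch for column in zip_longest(*parts, fillvalue="") for ch in column)


def compute_check_data(device_id: str, device_addr: str, query_cond: str, access_key: bytes) -> str:
    """Hash the condition and the address, splice them with the device identifier,
    then apply the keyed step. Returns hex text so the value can travel in the instruction."""
    cond_hash = hashlib.sha256(query_cond.encode("utf-8")).hexdigest()  # SHA-256 instead of MD5
    addr_hash = hashlib.sha256(device_addr.encode("utf-8")).hexdigest()
    spliced = interleave(cond_hash, addr_hash, device_id)
    # Keyed step: HMAC-SHA256 under the device access key (in place of symmetric encryption).
    return hmac.new(access_key, spliced.encode("utf-8"), hashlib.sha256).hexdigest()


def build_instruction(sender_id: str, device_id: str, device_addr: str,
                      query_cond: str, key_table: Dict[str, bytes]) -> dict:
    """Sender side: attach the security verification data to a device test instruction."""
    return {
        "sender_id": sender_id,
        "target_device_id": device_id,
        "target_device_addr": device_addr,
        "case_query": query_cond,
        "security_verification_data": compute_check_data(
            device_id, device_addr, query_cond, key_table[sender_id]),
    }


def verify_instruction(instruction: dict, key_table: Dict[str, bytes]) -> bool:
    """Tester side: look up the sender's key, recompute the check data and compare
    it with the received security verification data in constant time."""
    key: Optional[bytes] = key_table.get(str(instruction.get("sender_id", "")))
    if key is None:
        return False  # unknown sender: no key on file, reject
    try:
        expected = compute_check_data(
            instruction["target_device_id"], instruction["target_device_addr"],
            instruction["case_query"], key)
    except KeyError:
        return False  # a required field is missing: not a well-formed instruction
    received = str(instruction.get("security_verification_data", ""))
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    instr = build_instruction("console-01", "BSD-0007", "192.0.2.10",
                              "type=file_transfer", DEVICE_KEY_TABLE)
    print("genuine instruction accepted:", verify_instruction(instr, DEVICE_KEY_TABLE))
    tampered = dict(instr, target_device_addr="192.0.2.11")
    print("tampered instruction accepted:", verify_instruction(tampered, DEVICE_KEY_TABLE))
```

Any change to the device identifier, device address or query condition changes the recomputed value, so a forged or altered instruction fails the check; hmac.compare_digest is used for the final comparison so that the time taken does not depend on how many leading characters match.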
Step S103: searching in a preset case library according to the case query conditions to obtain a plurality of test attack cases.
It should be noted that the preset use case library may be a database which is preset by a manager or a security operation and maintenance person of the boundary security device test device and stores a large number of attack use cases. Searching in a preset case library according to the case query conditions to obtain a plurality of test attack cases can be that the test attack cases meeting the case query conditions are searched in the preset case library to obtain a plurality of test attack cases.
This embodiment obtains the target equipment identifier, the target equipment address and the case query condition by parsing the received equipment test instruction; determines the target boundary security equipment according to the target equipment identifier and the target equipment address; and searches the preset case library according to the case query condition to obtain a plurality of test attack cases. Because the test attack cases can be searched for in the preset case library according to the case query condition when the test attack cases are determined, a user who needs to specify a large number of test attack cases does not need to set a large number of case identifiers, which simplifies user operation and improves the user experience.
In addition, the embodiment of the invention also provides a storage medium, wherein the storage medium is stored with a boundary safety equipment testing program, and the boundary safety equipment testing program realizes the steps of the boundary safety equipment testing method when being executed by a processor.
Referring to fig. 5, fig. 5 is a block diagram showing the structure of a first embodiment of the boundary safety equipment testing apparatus according to the present invention.
As shown in fig. 5, the boundary safety equipment testing apparatus provided by the embodiment of the present invention includes:
the instruction execution module 10 is configured to determine a target boundary security device and a plurality of test attack cases according to a received device test instruction, and select a target device from devices managed by the target boundary security device;
the simulated attack module 20 is configured to perform simulated attack on the target device from the cloud according to the plurality of test attack cases;
the log obtaining module 30 is configured to obtain a plurality of attack alarm logs generated by the target boundary security device when the simulated attack is ended, and read an attack network address in each attack alarm log;
and the security decision module 40 is configured to match the plurality of attack alarm logs with the plurality of test attack cases according to the attack network address, and determine the security of the target boundary security device according to the matching result.
According to the embodiment, target boundary safety equipment and a plurality of test attack cases are determined according to the received equipment test instruction, and target equipment is selected from equipment managed by the target boundary safety equipment; according to the multiple test attack cases, simulating attack on the target equipment from the cloud; when the simulation attack is finished, a plurality of attack alarm logs generated by the target boundary security equipment are obtained, and attack network addresses in the attack alarm logs are read; and matching the plurality of attack alarm logs with a plurality of test attack cases according to the attack network address, and determining the security of the target boundary security equipment according to the matching result. The process of carrying out the safety test on the target safety equipment can be automatically executed according to the equipment test instruction, so that manual intervention is not needed, a great amount of labor cost is saved, and the execution efficiency of the safety equipment test on the boundary can be improved.
Further, the attack simulation module 20 is further configured to set a corresponding attack execution address for each test attack case; simulating the attack execution address from the cloud to simulate attack on the target equipment according to the test attack use case.
Further, the attack simulation module 20 is further configured to obtain a plurality of network addresses from a preset network address pool; and setting corresponding attack execution addresses for each test attack case according to the plurality of network addresses.
Further, the security decision module 40 is further configured to match the plurality of attack alarm logs with the plurality of test attack cases according to the attack network address, so as to obtain a matching result; determine whether a test attack case without a corresponding attack alarm log exists according to the matching result; and if no such test attack case exists, determine that the security test result of the target boundary security device is device secure.
Further, the security decision module 40 is further configured to determine that the security test result of the target boundary security device is device unsafe if such a test attack case exists; take the test attack case without a corresponding attack alarm log as the target attack case; and generate a security analysis report according to the security test result and the target attack case.
Further, the security decision module 40 is further configured to obtain a case identifier corresponding to the target attack case; search a preset security policy library for a corresponding security adjustment policy according to the case identifier; and generate a security analysis report according to the security test result, the target attack case and the security adjustment policy.
Further, the instruction execution module 10 is further configured to parse the received device test instruction to obtain a target device identifier, a target device address, and a case query condition; determining target boundary safety equipment according to the target equipment identifier and the target equipment address; searching in a preset case library according to the case query conditions to obtain a plurality of test attack cases.
Further, the instruction execution module 10 is further configured to extract security verification data from the device test instruction, and obtain the instruction sending device corresponding to the device test instruction; search for the device access key corresponding to the instruction sending device; encrypt the target equipment identifier, the target equipment address and the case query condition according to the device access key through a preset encryption algorithm to obtain safety check data; and if the safety check data is consistent with the security verification data, execute the step of determining the target boundary security equipment according to the target equipment identifier and the target equipment address.
Further, the instruction execution module 10 is further configured to perform a hash operation on the use case query condition to obtain a conditional hash value; performing hash operation on the target equipment address to obtain an address hash value; combining and splicing the conditional hash value, the address hash value and the target equipment identifier according to a preset combination rule to obtain conditional splicing data; and encrypting the conditional splice data according to the equipment access key through a preset encryption algorithm to obtain safety check data.
Further, the log obtaining module 30 is further configured to obtain an attack log set generated by the target boundary security device when the simulated attack is ended; acquiring a preset cloud simulation identifier, screening the attack logs in the attack log set according to the cloud simulation identifier, and acquiring a plurality of attack alarm logs; and reading the attack network address in each attack alarm log.
Further, the instruction execution module 10 is further configured to perform network delay detection on the device managed by the target boundary security device, so as to obtain a network delay value corresponding to each device managed by the target boundary security device; and selecting target equipment from the equipment managed by the target boundary safety equipment according to the network delay value.
It should be understood that the foregoing is illustrative only and is not limiting, and that in specific applications, those skilled in the art may set the invention as desired, and the invention is not limited thereto.
It should be noted that the above-described working procedure is merely illustrative, and does not limit the scope of the present invention, and in practical application, a person skilled in the art may select part or all of them according to actual needs to achieve the purpose of the embodiment, which is not limited herein.
In addition, technical details not described in detail in this embodiment may refer to the boundary safety device testing method provided in any embodiment of the present invention, which is not described herein.
Furthermore, it should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) and including several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.
The invention discloses A1, a boundary safety equipment testing method, which comprises the following steps:
determining target boundary safety equipment and a plurality of test attack cases according to the received equipment test instruction, and selecting target equipment from equipment managed by the target boundary safety equipment;
according to the multiple test attack cases, simulating attack on the target equipment from the cloud;
when the simulation attack is finished, a plurality of attack alarm logs generated by the target boundary safety equipment are obtained, and attack network addresses in the attack alarm logs are read;
and matching the plurality of attack alarm logs with the plurality of test attack cases according to the attack network address, and determining the security of the target boundary security equipment according to a matching result.
A2, the boundary safety equipment testing method according to A1, wherein the step of performing simulation attack on the target equipment from the cloud according to the plurality of test attack cases comprises the following steps:
Setting corresponding attack execution addresses for each test attack case;
simulating the attack execution address from the cloud to simulate attack on the target equipment according to the test attack use case.
A3, the boundary security equipment testing method as described in A2, wherein the step of setting the corresponding attack execution address for each test attack case comprises the following steps:
acquiring a plurality of network addresses from a preset network address pool;
and setting corresponding attack execution addresses for each test attack case according to the plurality of network addresses.
A4, the boundary security device testing method according to A1, wherein the step of matching the plurality of attack alarm logs with the plurality of test attack cases according to the attack network addresses and determining the security of the target boundary security device according to the matching result comprises:
matching the plurality of attack alarm logs with the plurality of test attack cases according to the attack network addresses to obtain a matching result;
determining, according to the matching result, whether there is a test attack case without a corresponding attack alarm log;
and if there is none, determining that the security test result of the target boundary security device is "device secure".
A5, the boundary security device testing method according to A4, further comprising, after the step of determining whether there is a test attack case without a corresponding attack alarm log according to the matching result:
if there is such a case, determining that the security test result of the target boundary security device is "device unsafe";
taking each test attack case without a corresponding attack alarm log as a target attack case;
and generating a security analysis report according to the security test result and the target attack case.
A6, the boundary security device testing method according to A5, wherein the step of generating a security analysis report according to the security test result and the target attack case comprises:
acquiring the case identifier corresponding to the target attack case;
searching a preset security policy library for the corresponding security adjustment policy according to the case identifier;
and generating the security analysis report according to the security test result, the target attack case and the security adjustment policy.
A7, the boundary security device testing method according to A1, wherein the step of determining the target boundary security device and the plurality of test attack cases according to the received device test instruction comprises:
parsing the received device test instruction to obtain a target device identifier, a target device address and a case query condition;
determining the target boundary security device according to the target device identifier and the target device address;
and searching a preset case library according to the case query condition to obtain the plurality of test attack cases.
A8, the boundary security device testing method according to A7, further comprising, before the step of determining the target boundary security device according to the target device identifier and the target device address:
extracting security verification data from the device test instruction, and acquiring the instruction sending device corresponding to the device test instruction;
looking up the device access key corresponding to the instruction sending device;
encrypting the target device identifier, the target device address and the case query condition with the device access key by a preset encryption algorithm to obtain security check data;
and if the security verification data is consistent with the security check data, executing the step of determining the target boundary security device according to the target device identifier and the target device address.
A9, the boundary security device testing method according to A8, wherein the step of encrypting the target device identifier, the target device address and the case query condition with the device access key by a preset encryption algorithm to obtain security check data comprises:
performing a hash operation on the case query condition to obtain a condition hash value;
performing a hash operation on the target device address to obtain an address hash value;
combining and concatenating the condition hash value, the address hash value and the target device identifier according to a preset combination rule to obtain condition concatenation data;
and encrypting the condition concatenation data with the device access key by the preset encryption algorithm to obtain the security check data.
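Worked example of the instruction check in A8 and A9, added here for illustration; it is not code from the patent or its assignee. The patent only says "encrypt with the device access key by a preset encryption algorithm" and "a preset combination rule"; this example realises the former as HMAC-SHA256 and the latter as a `|` join in the order condition hash, address hash, device identifier. Both are assumptions, as are the key table, the field names and the instruction contents, which are constructed.

```python
"""Verification of a device test instruction as in A8/A9 (added example).

Assumptions (mine, not the patent's): HMAC-SHA256 stands in for the
"preset encryption algorithm", '|' for the "preset combination rule",
and the key table and instruction fields are constructed for the demo.
"""
import hashlib
import hmac
import json

# Device access keys indexed by instruction sending device (constructed).
DEVICE_ACCESS_KEYS = {
    "console-01": b"constructed-demo-key-for-console-01",
}


def _canonical(obj):
    # Stable serialisation so sender and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_check_data(key, device_id, device_addr, query):
    """A9: hash the query condition and the address, concatenate them with
    the device identifier, then MAC the concatenation under the access key."""
    cond_hash = hashlib.sha256(_canonical(query)).hexdigest()
    addr_hash = hashlib.sha256(device_addr.encode()).hexdigest()
    # Preset combination rule (assumed): fixed-length hex digests first, so
    # the variable-length identifier at the end cannot shift field boundaries.
    spliced = "|".join((cond_hash, addr_hash, device_id))
    return hmac.new(key, spliced.encode(), hashlib.sha256).hexdigest()


def sign_instruction(sender, device_id, device_addr, query):
    """Sender side: attach the security verification data to the instruction."""
    key = DEVICE_ACCESS_KEYS[sender]
    return {
        "sender": sender,
        "device_id": device_id,
        "device_addr": device_addr,
        "query": query,
        "verification": build_check_data(key, device_id, device_addr, query),
    }


def verify_instruction(instr):
    """A8: look up the sender's key, recompute the check data from the
    instruction's own fields and compare it with the carried verification."""
    key = DEVICE_ACCESS_KEYS.get(instr.get("sender"))
    if key is None:
        return False  # unknown sending device: no key, no trust
    try:
        expected = build_check_data(
            key, instr["device_id"], instr["device_addr"], instr["query"])
    except (KeyError, TypeError):
        return False  # malformed instruction
    # Constant-time comparison so the verifier does not leak the MAC byte by byte.
    return hmac.compare_digest(expected, str(instr.get("verification", "")))


def demo():
    """Genuine, tampered (query changed after signing) and forged-sender cases."""
    good = sign_instruction("console-01", "fw-edge-01", "10.0.0.1",
                            {"categories": ["web"]})
    tampered = dict(good, query={"categories": ["web", "recon"]})
    forged = dict(good, sender="console-99")
    return (verify_instruction(good), verify_instruction(tampered),
            verify_instruction(forged))


if __name__ == "__main__":
    print(demo())
```

Note that the check data as claimed covers only the device identifier, the device address and the query condition. Nothing in A8/A9 binds a timestamp or nonce, so an instruction captured once would verify again if replayed unchanged; a deployment would add one to the concatenation before the MAC.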
A10, the boundary security device testing method according to any one of A1 to A9, wherein the step of acquiring the plurality of attack alarm logs generated by the target boundary security device when the simulated attack is finished and reading the attack network address in each attack alarm log comprises:
when the simulated attack is finished, acquiring the attack log set generated by the target boundary security device;
acquiring a preset cloud simulation identifier, and screening the attack logs in the attack log set according to the cloud simulation identifier to obtain the plurality of attack alarm logs;
and reading the attack network address in each attack alarm log.
A11, the boundary security device testing method according to any one of A1 to A9, wherein the step of selecting a target device from the devices managed by the target boundary security device comprises:
performing network delay detection on the devices managed by the target boundary security device to obtain a network delay value for each managed device;
and selecting the target device from the devices managed by the target boundary security device according to the network delay values.
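Worked example of the whole test flow in A1 to A6, A10 and A11, added here for illustration; it is not code from the patent or its assignee. The log line format, the form of the cloud simulation identifier (a `tag=` field on the alarm), the case library, the address pool and the policy library are all assumptions of mine, and the sample alarm logs are constructed rather than captured from a device. The point it makes that the claims only imply: matching alarms back to cases works only because every case is sent from its own pool address, and alarms without the cloud simulation identifier must be dropped before matching or production traffic from a pooled address would mask a miss.

```python
"""Boundary security device test, A1-A6/A10/A11 flow (added example).

All identifiers, formats and sample data below are constructed assumptions.
"""
import ipaddress
import re

# A7: preset test case library (constructed sample).
CASE_LIBRARY = [
    {"id": "CASE-SQLI-001", "category": "web"},
    {"id": "CASE-PORTSCAN-001", "category": "recon"},
    {"id": "CASE-CMDINJ-001", "category": "web"},
]
# A3: preset network address pool (TEST-NET-3, chosen for the example).
ADDRESS_POOL = ipaddress.ip_network("203.0.113.0/28")
# A6: preset security policy library, case id -> adjustment strategy.
POLICY_LIBRARY = {
    "CASE-SQLI-001": "enable the SQL injection signature set",
    "CASE-PORTSCAN-001": "lower the port-scan alert threshold",
    "CASE-CMDINJ-001": "enable the OS command injection signature set",
}
# A10: preset cloud simulation identifier carried by simulated-attack alarms.
CLOUD_SIM_TAG = "CLOUDSIM"
# Assumed alarm line format: "<time> ALERT tag=<tag> src=<ip> dst=<ip> sig=<name>"
_ALARM_RE = re.compile(r"^(?P<time>\S+) ALERT tag=(?P<tag>\S+) src=(?P<src>\S+) "
                       r"dst=(?P<dst>\S+) sig=(?P<sig>\S+)$")


def select_cases(query):
    """A7: look up test attack cases by the query condition (here a category set)."""
    wanted = set(query["categories"])
    return [c for c in CASE_LIBRARY if c["category"] in wanted]


def select_target_device(delays_ms):
    """A11: choose the managed device with the lowest measured network delay."""
    return min(delays_ms, key=delays_ms.get)


def assign_attack_addresses(cases, pool):
    """A2/A3: one distinct source address per case. The device's alarm records
    only the source address, so this is what lets an alarm name its case."""
    hosts = list(pool.hosts())
    if len(cases) > len(hosts):
        raise ValueError("address pool too small for the selected cases")
    return {c["id"]: str(hosts[i]) for i, c in enumerate(cases)}


def parse_alarm_logs(raw_lines, sim_tag):
    """A10: keep only well-formed alarms carrying the cloud simulation identifier."""
    alarms = []
    for line in raw_lines:
        m = _ALARM_RE.match(line.strip())
        if m is None or m.group("tag") != sim_tag:
            continue  # not an alarm, or a production alarm outside the test
        alarms.append(m.groupdict())
    return alarms


def evaluate(cases, addr_map, alarms):
    """A4/A5: match alarms to cases by source address; any unmatched case = unsafe."""
    alarmed = {a["src"] for a in alarms}
    missed = [c["id"] for c in cases if addr_map[c["id"]] not in alarmed]
    return {"secure": not missed, "target_cases": missed}


def build_report(result):
    """A6: attach the adjustment strategy for every missed case."""
    return {"result": "device secure" if result["secure"] else "device unsafe",
            "target_cases": result["target_cases"],
            "adjustments": {cid: POLICY_LIBRARY.get(cid, "no strategy on file")
                            for cid in result["target_cases"]}}


def run_test(query, delays_ms, raw_logs):
    """The A1 flow end to end on constructed inputs; returns the analysis report."""
    cases = select_cases(query)
    target = select_target_device(delays_ms)
    addr_map = assign_attack_addresses(cases, ADDRESS_POOL)
    # The simulated attack on `target` (one source address per case) would run
    # here; this example evaluates the alarm logs such a run produced.
    alarms = parse_alarm_logs(raw_logs, CLOUD_SIM_TAG)
    report = build_report(evaluate(cases, addr_map, alarms))
    report.update(target_device=target, address_map=addr_map)
    return report


# Constructed inputs for a stand-alone run.
SAMPLE_QUERY = {"categories": ["web", "recon"]}
SAMPLE_DELAYS_MS = {"10.0.0.5": 12.4, "10.0.0.6": 3.1, "10.0.0.7": 48.0}
SAMPLE_LOGS = [
    "2022-01-20T10:00:01Z ALERT tag=CLOUDSIM src=203.0.113.1 dst=10.0.0.6 sig=sqli",
    # same pooled address, but no simulation tag: production alarm, must not count
    "2022-01-20T10:00:02Z ALERT tag=PROD src=203.0.113.2 dst=10.0.0.6 sig=portscan",
    "2022-01-20T10:00:03Z ALERT tag=CLOUDSIM src=203.0.113.3 dst=10.0.0.6 sig=cmdinj",
    "2022-01-20T10:00:04Z INFO link up eth0",
]

if __name__ == "__main__":
    print(run_test(SAMPLE_QUERY, SAMPLE_DELAYS_MS, SAMPLE_LOGS))
```

On the constructed logs the port-scan case gets no tagged alarm, so the result is "device unsafe" with that case as the target attack case and its adjustment strategy in the report. Matching on source address alone, as claimed, also means an alarm raised for any reason from a pooled address counts as detection of that case; a stricter harness would compare the alarm signature with the case as well.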
The invention also discloses B12, a boundary security device testing apparatus, comprising the following modules:
an instruction execution module, configured to determine a target boundary security device and a plurality of test attack cases according to a received device test instruction, and to select a target device from the devices managed by the target boundary security device;
a simulated attack module, configured to perform a simulated attack on the target device from the cloud according to the plurality of test attack cases;
a log acquisition module, configured to acquire a plurality of attack alarm logs generated by the target boundary security device when the simulated attack is finished, and to read the attack network address in each attack alarm log;
and a security determination module, configured to match the plurality of attack alarm logs with the plurality of test attack cases according to the attack network addresses, and to determine the security of the target boundary security device according to the matching result.
B13, the boundary security device testing apparatus according to B12, wherein the simulated attack module is further configured to set a corresponding attack execution address for each test attack case, and to simulate the attack execution address from the cloud to perform the simulated attack on the target device according to the test attack case.
B14, the boundary security device testing apparatus according to B13, wherein the simulated attack module is further configured to acquire a plurality of network addresses from a preset network address pool, and to set a corresponding attack execution address for each test attack case according to the plurality of network addresses.
B15, the boundary security device testing apparatus according to B12, wherein the security determination module is further configured to match the plurality of attack alarm logs with the plurality of test attack cases according to the attack network addresses to obtain a matching result; to determine, according to the matching result, whether there is a test attack case without a corresponding attack alarm log; and, if there is none, to determine that the security test result of the target boundary security device is "device secure".
B16, the boundary security device testing apparatus according to B15, wherein the security determination module is further configured, if there is such a case, to determine that the security test result of the target boundary security device is "device unsafe"; to take each test attack case without a corresponding attack alarm log as a target attack case; and to generate a security analysis report according to the security test result and the target attack case.
B17, the boundary security device testing apparatus according to B16, wherein the security determination module is further configured to acquire the case identifier corresponding to the target attack case; to search a preset security policy library for the corresponding security adjustment policy according to the case identifier; and to generate the security analysis report according to the security test result, the target attack case and the security adjustment policy.
B18, the boundary security device testing apparatus according to B12, wherein the instruction execution module is further configured to parse the received device test instruction to obtain a target device identifier, a target device address and a case query condition; to determine the target boundary security device according to the target device identifier and the target device address; and to search a preset case library according to the case query condition to obtain the plurality of test attack cases.
The invention also discloses C19, a boundary security device testing device, comprising: a processor, a memory, and a boundary security device test program stored on the memory and executable on the processor, the boundary security device test program implementing the steps of the boundary security device testing method when executed by the processor.
The invention also discloses D20, a computer readable storage medium having stored thereon a boundary security device test program, the boundary security device test program implementing the steps of the boundary security device testing method when executed.

Claims (10)

1. A boundary security device testing method, characterized in that the boundary security device testing method comprises the following steps:
determining a target boundary security device and a plurality of test attack cases according to a received device test instruction, and selecting a target device from the devices managed by the target boundary security device;
performing a simulated attack on the target device from the cloud according to the plurality of test attack cases;
when the simulated attack is finished, acquiring a plurality of attack alarm logs generated by the target boundary security device, and reading the attack network address in each attack alarm log;
and matching the plurality of attack alarm logs with the plurality of test attack cases according to the attack network addresses, and determining the security of the target boundary security device according to the matching result.
2. The boundary security device testing method of claim 1, wherein the step of performing a simulated attack on the target device from the cloud according to the plurality of test attack cases comprises:
setting a corresponding attack execution address for each test attack case;
and simulating the attack execution address from the cloud to perform the simulated attack on the target device according to the test attack case.
3. The boundary security device testing method of claim 2, wherein the step of setting a corresponding attack execution address for each test attack case comprises:
acquiring a plurality of network addresses from a preset network address pool;
and setting a corresponding attack execution address for each test attack case according to the plurality of network addresses.
4. The boundary security device testing method of claim 1, wherein the step of matching the plurality of attack alarm logs with the plurality of test attack cases according to the attack network addresses and determining the security of the target boundary security device according to the matching result comprises:
matching the plurality of attack alarm logs with the plurality of test attack cases according to the attack network addresses to obtain a matching result;
determining, according to the matching result, whether there is a test attack case without a corresponding attack alarm log;
and if there is none, determining that the security test result of the target boundary security device is "device secure".
5. The boundary security device testing method of claim 4, further comprising, after the step of determining whether there is a test attack case without a corresponding attack alarm log according to the matching result:
if there is such a case, determining that the security test result of the target boundary security device is "device unsafe";
taking each test attack case without a corresponding attack alarm log as a target attack case;
and generating a security analysis report according to the security test result and the target attack case.
6. The boundary security device testing method of claim 5, wherein the step of generating a security analysis report according to the security test result and the target attack case comprises:
acquiring the case identifier corresponding to the target attack case;
searching a preset security policy library for the corresponding security adjustment policy according to the case identifier;
and generating the security analysis report according to the security test result, the target attack case and the security adjustment policy.
7. The boundary security device testing method of claim 1, wherein the step of determining the target boundary security device and the plurality of test attack cases according to the received device test instruction comprises:
parsing the received device test instruction to obtain a target device identifier, a target device address and a case query condition;
determining the target boundary security device according to the target device identifier and the target device address;
and searching a preset case library according to the case query condition to obtain the plurality of test attack cases.
8. A boundary security device testing apparatus, characterized in that the boundary security device testing apparatus comprises the following modules:
an instruction execution module, configured to determine a target boundary security device and a plurality of test attack cases according to a received device test instruction, and to select a target device from the devices managed by the target boundary security device;
a simulated attack module, configured to perform a simulated attack on the target device from the cloud according to the plurality of test attack cases;
a log acquisition module, configured to acquire a plurality of attack alarm logs generated by the target boundary security device when the simulated attack is finished, and to read the attack network address in each attack alarm log;
and a security determination module, configured to match the plurality of attack alarm logs with the plurality of test attack cases according to the attack network addresses, and to determine the security of the target boundary security device according to the matching result.
9. A boundary security device testing device, characterized in that the boundary security device testing device comprises: a processor, a memory, and a boundary security device test program stored on the memory and executable on the processor, the boundary security device test program, when executed by the processor, implementing the steps of the boundary security device testing method of any one of claims 1 to 7.
10. A computer readable storage medium, wherein the computer readable storage medium has stored thereon a boundary security device test program which, when executed, implements the steps of the boundary security device testing method of any one of claims 1 to 7.
CN202210069038.9A 2022-01-20 2022-01-20 Boundary safety device testing method, device, equipment and storage medium Pending CN116521507A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210069038.9A CN116521507A (en) 2022-01-20 2022-01-20 Boundary safety device testing method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210069038.9A CN116521507A (en) 2022-01-20 2022-01-20 Boundary safety device testing method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116521507A true CN116521507A (en) 2023-08-01

Family

ID=87392649

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210069038.9A Pending CN116521507A (en) 2022-01-20 2022-01-20 Boundary safety device testing method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116521507A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination