CN116962057A - Multi-user collaborative network security emergency response and exercise platform and operation method thereof - Google Patents


Info

Publication number
CN116962057A
Authority
CN
China
Prior art keywords
exercise
network
security
attack
user
Legal status
Pending
Application number
CN202310947898.2A
Other languages
Chinese (zh)
Inventor
刘斌
肖辉
张智慧
胡玉龙
丛海
Current Assignee
Inner Mongolia Autonomous Region Radio And Television Monitoring And Development Center
Original Assignee
Inner Mongolia Autonomous Region Radio And Television Monitoring And Development Center

Classifications

    • G PHYSICS
    • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09B EDUCATIONAL OR DEMONSTRATION APPLIANCES; APPLIANCES FOR TEACHING, OR COMMUNICATING WITH, THE BLIND, DEAF OR MUTE; MODELS; PLANETARIA; GLOBES; MAPS; DIAGRAMS
    • G09B 9/00 Simulators for teaching or training purposes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L 41/40 Arrangements for maintenance, administration or management of data switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L 63/205 Managing network security involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Educational Technology (AREA)
  • Educational Administration (AREA)
  • Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a multi-user collaborative network security emergency response and exercise platform and an operation method thereof. The platform comprises a server side, a client side and a storage side. A user logs in to the server side through the client side to operate; a virtual experiment scene is built with the exercise scene management module; communication and collaboration take place through a shared file system and a real-time communication tool; the user handles network attack events in real time, and operations are reflected in real time through remote desktop software; a monitoring and log module records operations and events in real time; a statistics and analysis module generates reports and visual displays; and an exercise result evaluation module evaluates and analyzes the exercise results. The platform provides a variety of emergency exercise scenes, improves the ability of emergency response personnel to cope with security threats, and ensures traceability and version control of collaborative operations through the virtualization platform, the shared file system and the version control system.

Description

Multi-user collaborative network security emergency response and exercise platform and operation method thereof
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a multi-person collaborative network security emergency response and exercise platform and an operation method thereof.
Background
With the rapid development and popularization of Internet technology, network security issues have become one of the important challenges facing industries and enterprises. Network attack means are increasingly complex and diverse, and if effective preventive measures and countermeasures are not taken, serious economic loss and reputation damage can result. Implementing network security emergency exercises is therefore an important measure for protecting network security.
A network security emergency exercise is network security work that approximates real combat: the attacking side may obtain privileges by any means and attack a designated target machine. It is mainly carried out as an attack-and-defense exercise in a real network environment, so that the overall security protection capability of the network can be comprehensively evaluated according to the exercise content. The aim is to enable the security team to respond and act quickly when a security event occurs, to improve the capability for internal collaborative disposal and to prevent risk events from occurring.
Network security emergency exercise technology based on virtualization creates and manages virtual machines and virtual networks through a virtualization platform, constructs an environment similar to the actual network, simulates various network attacks and vulnerabilities, and tests the security defenses and emergency response capabilities of an enterprise or organization. A successful network security emergency exercise system needs to consider the demands and targets of the organization comprehensively and requires continued investment and attention; the emergency response effect can be improved continuously through planning, scenario simulation, training, learning, evaluation and improvement. However, some network security emergency exercise platforms cannot fully simulate the real network environment and cannot provide realistic network attack and emergency response conditions. This can lead to a large gap between exercise results and the actual situation, so that the skills and experience of emergency responders cannot be effectively cultivated.
The network security emergency exercise platform in the prior art mainly has the following defects:
1. The emergency exercise scenes provided by some platforms are limited and cannot cover network attacks of different types and complexity; emergency response personnel can only practise against specific types of attack and lack the capability to cope with diverse security threats.
2. Lack of comprehensive evaluation: some exercise platforms only provide basic attack and emergency simulation and lack comprehensive evaluation of and feedback on the exercise process, so participants find it difficult to know their own strengths and weaknesses in different aspects and cannot make targeted improvements.
3. Lack of immediate response: some emergency exercise platforms cannot provide immediate emergency response and interaction. In a real network attack, time is critical and quick response is a key factor in protecting network security; if the exercise platform cannot provide immediate response and interaction, the emergency capability of emergency response personnel cannot be effectively fostered.
Disclosure of Invention
Aiming at the defects of the prior art, the application provides a multi-user collaborative network security emergency response and exercise platform and an operation method thereof.
The technical scheme adopted to solve the technical problem is as follows. A multi-user collaborative network security emergency response and exercise platform comprises:
    • a server side, comprising a user management module, an exercise scene management module, an event generation module, a monitoring and log module, a statistics and analysis module, an exercise result evaluation module and a shared file system;
    • a client side, comprising a web management interface, a security tool integration module, an exercise report and feedback module, remote desktop software and a real-time communication tool;
    • a storage side, comprising a user information and permission database, an exercise scene database, a log and statistical data storage module and a version control system.
A client logs in to the access server to perform operations appropriate to the user's permissions. The user builds a virtual experiment scene through the exercise scene management module, and all users build the virtual experiment scene together through the shared file system. During the experiment, all clients communicate and collaborate through the real-time communication tool and jointly handle network attack events in the shared file system; user operations during handling are reflected in real time through the remote desktop software; the shared files are stored in the version control system, which tracks and manages their modification history; the monitoring and log module monitors operations and events during the exercise in real time and records logs and statistical data; the statistics and analysis module performs statistics and analysis on the exercise data and generates reports and visual displays; and the exercise result evaluation module evaluates and analyzes the exercise results.
Further, the server side further comprises a safety training module, wherein the safety training module is used for providing relevant safety knowledge and training data and helping participants to improve network safety consciousness and skills.
Further, the network security emergency exercise platform further comprises an auxiliary component, the auxiliary component comprises a threat information system interface and a security device interface, the threat information system interface is integrated with an external threat information system to obtain latest threat information, and the security device interface is integrated with other security devices.
Further, the exercise scene management module comprises a server, a router and a switch, wherein the server comprises a virtualization platform, the virtualization platform allows virtual machines to be created and managed, and a user side establishes a plurality of virtual environments by using the virtual machines and configures the router and the switch to establish a network environment to be simulated; the event generation module comprises an attack tool for simulating attack, and comprises a vulnerability scanning tool and a penetration testing tool.
Further, the exercise scene management module is connected with the cloud service platform, and constructs a virtual network environment comprising a virtual machine, virtual network equipment, a resource pool and the like by utilizing a virtualization technology in a cloud computing technology, and designs and configures virtual network topologies which possibly comprise a plurality of subnets, routers, switches, network firewalls or load balancers; the event generation module comprises an attack tool for simulating attack, and comprises a vulnerability scanning tool and a penetration testing tool.
Further, the exercise scene management module comprises a laboratory space, the laboratory space comprises a machine room and physical network equipment, the physical network equipment comprises a router, a switch and a firewall, the physical network equipment is used for constructing a network topology structure and isolating network areas, the network topology structure to be simulated is established by constructing various network equipment and connecting the network equipment by using network wires so as to simulate a real network architecture, some physical hosts are established as simulated attackers and victims, the physical hosts comprise an event generation module for generating simulated attack events, and the event generation module comprises a vulnerability scanning tool and a penetration testing tool.
Further, the event generation module is realized by adopting a manual intervention technology, and a user of the user terminal comprises a security expert, and the security expert can simulate various attack behaviors through manual operation so as to test the identification, defense and response capacity of a security team.
An operation method of the network security emergency exercise platform, the operation method comprises the following steps:
Step S1-1, a user logs in to the network security emergency exercise platform through the client to obtain the corresponding access rights;
Step S1-2, create or select an exercise scene and set parameters for it, the parameters comprising attack types, exercise targets and key resources. When an exercise scene is created, the user creates a new experiment name and sets the experiment permissions, which comprise other users' experiment access permission, experiment join permission and experiment edit permission. Users participating in the emergency exercise who hold experiment edit permission collaboratively edit and create the experiment scene used for the exercise in the shared file system: they select the image files to be used from the existing network devices, security devices, operating systems and plug-ins, connect the selected images to the network devices and security devices, build the experiment environment, name it and store it in the shared file system; at the same time the experiment environment file is saved on the virtualization platform through snapshot technology and backed up in the cloud;
Step S1-3, set the exercise parameters; different parameters can be set for each exercise scene, comprising attack types, exercise targets and key resources. The event generation module is used to configure diverse exercise environments, and the exercise environments are implemented by simulator technology, cloud computing technology, physical environment simulation technology and manual intervention technology;
Step S1-4, start the exercise and simulate a network security event. Personnel responsible for the attack side of the emergency exercise operate the attacker server to carry out attack operations. The monitoring and log module, after logging in to the monitoring platform, monitors the current network traffic, studies and judges alarms, and, once an attack event is found, notifies a handler to dispose of the event. Personnel responsible for the disposal side, after receiving the disposal task, log in to the server to handle the security event. Multiple users can access and edit the same file simultaneously, and team members access and collaborate in real time using the chat and file-sharing functions of the real-time communication tool. Applications, edited files and running programs are opened on the shared desktop, and any user's operations are reflected on the shared desktop in real time. To track and manage the modification history of the shared files, the version control system records and manages each file's modification history, which ensures traceability and version control of the collaborative operation.
Further, in step S1-3 a multi-level exercise mode is adopted, comprising: first-level exercise, in which the user selects the physical environment simulation technology and uses tools built into a physical host to attack the target through a known vulnerability, testing the team's emergency response capability; passing the first level admits the user to the second level. Second-level exercise, in which the attacking user introduces the latest attack activities, vulnerability exploits and malicious software through the threat information system interface to continue the attack; passing the second level admits the user to the third level. Third-level exercise, a manually-intervened simulation scenario in which a security expert user simulates attack behaviors such as phishing attacks, social engineering attacks and application-layer attacks through manual operation to test the security team's identification, defense and response capability.
Further, after step S1-2, the method further comprises the step of realizing the backup, restore and deployment of the operating system and the application programs in the computer system through the custom mirror and snapshot technology.
The beneficial effects of the application are as follows:
1. The application provides a variety of emergency exercise scenes that essentially cover network attacks of different types and complexity, enabling emergency response personnel to practise against different types of attack and so improve their capability to cope with diverse security threats.
2. Users can create virtual machines through the virtualization platform of the exercise scene management module, share a file system in the virtual machines and communicate and collaborate through the real-time communication tool. Each user connects to a virtual machine with virtual machine software and edits shared files in real time; the version control system records and manages the files' modification history, ensuring traceability and version control of the collaborative operation, and the security and data protection of the virtual machines and shared files are ensured through access control and permission management. The network security exercise platform in the application simulates various real attack scenarios: team members record and analyze the details of attack events in real time through the collaborative editing tool, jointly trace attack sources, analyze attack means and targets, formulate quick countermeasures and keep records for subsequent analysis and summary. After the exercise, they can jointly write the exercise summary and report through the collaborative editing tool, discussing and recording the exercise process, the problems found and the improvement measures, which ensures team consensus and produces specific, feasible improvement suggestions that are valuable for further improving network security measures and raising the team's security awareness. At the same time, collaborative editing improves the timeliness and accuracy of information and reduces errors and delays in communication and information transmission.
Drawings
FIG. 1 is a schematic diagram of the system architecture of the network security emergency exercise platform of the present application;
FIG. 2 is a flow chart of the operation method of the network security emergency exercise platform of the present application.
Detailed Description
The application will be described in further detail with reference to the drawings and the detailed description. The embodiments of the application have been presented for purposes of illustration and description, and are not intended to be exhaustive or limited to the application in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiments were chosen and described in order to best explain the principles of the application and the practical application, and to enable others of ordinary skill in the art to understand the application for various embodiments with various modifications as are suited to the particular use contemplated.
Referring to FIG. 1, the multi-user collaborative network security emergency response and exercise platform of the application comprises a server side, a client side and a storage side. The server side specifically comprises: the user management module, mainly responsible for user authentication, permission management and maintenance of user information; the exercise scene management module, responsible for creating, editing, storing and managing exercise scenes; the event generation module, used to simulate the generation of various network attacks, threat information and abnormal events and to send event information to the clients participating in the exercise; the monitoring and log module, which monitors operations and events during the exercise in real time and records logs and statistical data; the statistics and analysis module, which performs statistics and analysis on data from the exercise and generates reports and visual displays; the exercise result evaluation module, which evaluates and analyzes exercise results, including the coping ability of participants and the vulnerabilities and weaknesses of the system; and the security training module, which provides relevant security knowledge and training material to help participants improve network security awareness and skills. The client side further comprises: the web management interface, which provides participant login, scene selection, event reception and response operations; the security tool integration module, which integrates security tools such as a firewall, an intrusion detection system and a log analysis tool for defense and response operations during the actual exercise; and the exercise report and feedback module, which displays exercise results and personal performance evaluation reports to participants and provides feedback and improvement suggestions.
The storage side comprises: the user information and permission database, which stores user-related information and permission settings; the exercise scene database, which stores the configuration and information of exercise scenes; and the log and statistical data storage module, which stores the logs and statistical data from the exercise for subsequent analysis and report generation. In addition, the network security emergency exercise platform comprises other auxiliary components, such as the threat information system interface, which is integrated with an external threat information system to acquire the latest threat information, and the security device interface, which is integrated with other security devices (such as a firewall and an intrusion detection system) to realize attack and defense interaction during the actual exercise. In the network security emergency exercise platform, a user accesses the platform through the web management interface to perform operations such as creating exercise scenes and executing simulated attacks; the server side handles the user's requests and stores the results on the storage side, where the database stores user data, exercise scene data and exercise record data, and the storage module stores the files and log data the platform needs. The platform can be further extended and customized according to specific needs, for example by adding an automatic script execution module, an exercise review module, a summary module and the like; it is important to ensure the stability, security and reliability of the system so as to provide a high-quality network security exercise experience.
In the network security emergency exercise platform, various experimental scenes can be created through an exercise scene management module, the experimental scenes are composed of virtual machines, network devices, virtual services and security tool integration modules so as to simulate real network environments and attack situations, the use of the components can help users to conduct more real and comprehensive network security exercises and training, the experimental scenes are virtual network environments and are composed of various virtual components and are used for simulating different network security events and emergency situations, and the users can conduct various attacks and deal with exercises in the scenes so as to test network security defenses. The virtual business is various business application scenes simulated in the experimental scene, for example, various banking business operations such as user login, account transfer, balance inquiry and the like can be simulated in the experimental scene of a banking network, and the use of the virtual business can be closer to the real scene, so that the user can know and deal with security threats in different business scenes. The network devices include virtual routers, switches, firewalls, etc., which simulate real network devices in an experimental scenario for creating network topologies and implementing network communications, by configuring and managing the network devices, users can simulate network attacks and defenses, as well as configuration and optimization of the network devices. The virtual machine is a virtual computer created in an experimental scene, can run different operating systems and application programs, can simulate computer equipment with different roles such as a user terminal, a server and the like, plays different roles in exercise, and simulates attack behaviors such as vulnerability exploitation, malicious software propagation and the like. 
Through the experimental scene, the virtual service, the network equipment and the virtual machine, the user can perform comprehensive network security exercise in a virtual network environment, a safe and controllable platform is provided, and in the process of simulating attack and coping, the user can improve the actual operation and decision making capability and enhance the coping capability to different network threats and security events. At the same time, the use of these virtual components can also avoid risks and effects on real systems.
The drilling scene management module and the event generation module adopt diversified drilling environment technology, namely, the diversified drilling environment technology is used for constructing a required network topology by adopting various technologies, simulating various attack scenes and network abnormal conditions and helping emergency teams to make corresponding response schemes, and the diversified drilling environment technology comprises but is not limited to the following embodiments.
Embodiment one:
Implemented by simulator technology: the exercise scene management module comprises a server, a router, a switch, a firewall and an intrusion detection system. The server comprises a virtualization platform such as VMware, VirtualBox or KVM, which allows virtual machines to be created and managed and provides management functions for network and storage resources. A user connects to the virtualization platform and accesses the virtual machines by installing virtual machine software on the user's own computer; the user can select suitable virtual machine software, such as VMware Workstation, VirtualBox or QEMU, according to preference. Multiple virtual environments, including an attacker, a victim and other network devices, are built from virtual machines to realize attack and defense simulation; the network environment to be simulated, such as a local area network, the Internet and a DMZ (untrusted zone), is built by configuring the router, the switch and the like to simulate a real network architecture, and the virtualized environment can be restored and reset at any time, which makes repeated exercise and testing convenient. Vulnerability analysis and attack simulation are carried out on the target environment using vulnerability scanning tools (such as Nmap and OpenVAS) and penetration testing tools (such as Metasploit) to simulate real attack behavior; network abnormalities can be simulated by means such as abnormal traffic injection and denial-of-service attacks. Security devices such as a firewall and an intrusion detection system are deployed in the simulated environment and identify and respond to the simulated attack behavior by monitoring and analyzing network traffic in real time; at the same time, a log analysis tool (such as the ELK Stack) records and visualizes events to support security analysis.
Embodiment two:
The platform is realized by cloud computing technology: the exercise scene management module connects to a cloud service platform, and a virtual network environment is constructed using the virtualization technology of cloud computing. The virtual network environment comprises virtual machines, virtual network devices, resource pools and the like; virtual network topologies are designed and configured according to the actual conditions and requirements, and may comprise a plurality of subnets, routers, switches and other network devices so as to simulate a real network environment. In the virtualized environment, a suitable exercise tool or attack simulation tool is used to simulate various attack scenes. For example, phishing attacks, malware propagation, password cracking, denial of service attacks and the like are simulated to evaluate the emergency response capability of an organization; various network abnormal conditions, such as network segment isolation, traffic overload and network device faults, are simulated by configuring virtual network devices such as a network firewall or a load balancer, to verify the availability and robustness of the network architecture and security measures. Monitoring tools are arranged in the exercise platform to monitor network traffic, system logs, attack events and other information, and the exercise process is evaluated, including the degree to which the exercise target was achieved, response time, the effect of security controls and the like; emergency response plans and network security protection measures are then adjusted and improved in time according to the evaluation results.
Through cloud computing technology, the network security emergency exercise platform can provide a flexible, extensible and highly realistic network environment, provide training and practice opportunities for security teams, improve emergency response capabilities in a relatively secure environment, and correct and improve security policies in time.
Embodiment three:
The platform is realized by physical environment simulation technology: the exercise scene management module comprises a secure laboratory space, which comprises a machine room, physical network devices and the like; the physical network devices consist of routers, switches, firewalls and the like and are used to construct the network topology and isolate network areas. By setting up various network devices (such as routers and switches) and connecting them with network cables, the network topologies that need to be simulated, including a local area network, the Internet, a DMZ and the like, can be built so as to simulate a real network architecture. Physical hosts, which can be actual computer hardware, virtual machines and the like, are set up as the simulated attackers and victims; these hosts connect to the network devices and take part in the attack and defense behaviors of the exercise. Attack simulation is performed in the simulated network environment with vulnerability scanners, penetration testing tools and the like, attacks on targets through known vulnerabilities are attempted, and network anomalies such as denial of service attacks and network sniffing are simulated by configuring the network devices and injecting specific traffic, so that the emergency response capability is tested.
Embodiment four:
The platform is realized by manual intervention technology: manual intervention technology refers to manually intervening in a simulated scene in the network security emergency exercise platform to simulate specific attacks or network abnormal conditions, which can help a security team test its response capability, train the emergency handling skills of personnel, and evaluate the effectiveness of the security architecture and protection mechanisms. Manual intervention technology can be used for attack simulation: security experts can simulate various attack behaviors, such as phishing attacks, social engineering attacks and application layer attacks, through manual operation so as to test the identification, defense and response capability of the security team. In emergency exercises, security experts can manually attack using known vulnerabilities to test the vulnerability of the system and the state of security patches, which helps to discover and repair security vulnerabilities in the system. Manual intervention techniques may also be used to simulate abnormal behavior and network activity: malware behavior, network scanning, denial of service attacks and the like are simulated by manually injecting specific traffic or generating unusual network requests, in order to evaluate the effectiveness of the security monitoring and intrusion detection systems. In an emergency response exercise, a security team can use manual intervention technology to simulate real security events and test the team's emergency response flow and its communication and coordination capability in an emergency situation; a security expert can play the role of an attacker, a victim or an enterprise employee and evaluate the validity of the emergency response strategy through interaction with other team members.
The application can provide different types of exercise environments to simulate various real scenes and attack situations; through the diversified exercise environment technologies, a security team can perform extensive exercises and tests in the simulated environments, so that its ability to cope with different types of attacks is improved. Meanwhile, the diversified exercise environments can also help the security team to better understand and evaluate security risks and defense strategies under different network deployment conditions.
Another advantage of the present application is that it enables collaborative editing, which may be provided by a shared file system, a real-time communication tool and a version control system. To implement multi-user collaborative editing, a shared file system is required so that a plurality of users can access and edit the same file at the same time; a network file sharing protocol (such as NFS or SMB/CIFS) or a distributed file system (such as GlusterFS or Ceph) can be used. To facilitate communication and collaboration between users, real-time communication tools such as Slack, Microsoft Teams or Riot can be used; these tools provide chat, audio/video calls and file sharing, so that team members can communicate and collaborate in real time. To track and manage the modification history of the shared files, a version control system such as Git can be used: users store the shared files in a Git repository and manage editing and merging of the files with a suitable branching strategy and collaboration workflow.
Remote desktop software such as TeamViewer, AnyDesk or Chrome Remote Desktop can be installed on the user's computer; it allows a user to connect remotely to another computer over the network and to share and control that computer's desktop. The remote desktop software is installed and configured on the computer whose desktop is to be shared, and the desktop is set to allow a plurality of users to access and control the computer. A user then uses the remote desktop software on their own computer to connect to the host of the shared desktop; the software usually connects by means of an access code or login credentials, and the user can remotely access and control the shared desktop after entering the correct information. After the connection succeeds, a plurality of users can access and control the shared desktop at the same time: they can open applications, edit files, run programs and so on on the shared desktop, any user's operation is reflected on the shared desktop in real time, and all users can see and respond to those operations.
By using the above scheme and tools, a user can create a virtual machine through the virtualization platform of the exercise scene management module, share a file system in the virtual machine, and communicate and cooperate through the real-time communication tool. Each user can connect to the virtual machine with virtual machine software, edit the shared file in real time, and record and manage the modification history of the file with the version control system, which ensures traceability and version control of the collaborative operation; access control and authority management ensure the security and data protection of the virtual machine and the shared files. The network security exercise platform of the application generally simulates various real attack scenes: team members can record and analyze the details of attack events in real time through the collaborative editing tool, jointly trace the attack source, analyze the attack means and targets, formulate quick countermeasures, and keep records for subsequent analysis and summary. After the exercise is completed, they can jointly write the exercise summary and report through the collaborative editing tool, discuss and record the exercise process, the problems discovered and the improvement measures, ensure team agreement, and produce specific, feasible improvement suggestions, which is very valuable for further improving network security measures and the security awareness of the team. Meanwhile, collaborative editing can also improve the timeliness and accuracy of information, and reduce errors and delays in communication and information transfer.
Further, the application simulates the characteristics of a network link, such as delay, packet loss and bandwidth, by link simulation technology, the implementation of which mainly comprises the following steps: S1, creating a model: an appropriate mathematical model is created to describe the characteristics of the network link; the model can involve parameters such as transmission delay, bandwidth and packet loss rate, as well as network protocols and transmission mechanisms; S2, configuring the values of the parameters in the model according to the actual scene and requirements, where the parameters can be set from actual network data or adjusted according to experience and prediction; S3, inputting the configured parameters into link simulation software for a simulation run, in which the simulation software simulates the transmission process of the network link according to the model and parameters and calculates the related performance indicators; and S4, performing performance analysis and evaluation on the results provided by the simulation software, observing indicators such as delay, throughput and bandwidth utilization of the link, to analyze the influence of network protocols and algorithms on link performance. Link simulation technology does not require special hardware; as long as the computer has sufficient computing power and memory, link simulation can be performed. When a wireless network link is simulated, a radio frequency signal generator and receiver are used to simulate the transmission and reception of wireless signals.
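As an added example that is not part of the patent, the following Python script carries steps S1 to S4 through for one wired link: a model with propagation delay, bandwidth and packet-loss rate, configured parameters, a store-and-forward simulation run, and the delay, throughput and bandwidth-utilisation indicators. The queue model, packet size and parameter values are assumptions chosen for illustration.

```python
"""Link simulation example (added illustration, not the patent's own code).

S1: the link is modelled by propagation delay, bandwidth and loss rate.
S2: parameters are configured per scenario.
S3: a burst of packets is pushed through a store-and-forward queue.
S4: delay, throughput and utilisation are computed from the run.
The queue model, packet size and values below are assumptions.
"""
import random
from dataclasses import dataclass


@dataclass
class LinkModel:
    bandwidth_bps: float   # link capacity, bits per second
    prop_delay_s: float    # one-way propagation delay, seconds
    loss_rate: float       # probability that a packet is lost in transit


@dataclass
class LinkStats:
    sent: int
    delivered: int
    loss_fraction: float
    mean_delay_s: float    # mean send-to-arrival delay of delivered packets
    throughput_bps: float  # delivered bits divided by time of last arrival
    utilisation: float     # fraction of the run during which the link was transmitting


def simulate_link(model, packet_bytes, n_packets, send_interval_s, seed=0):
    """Send n_packets of packet_bytes, one every send_interval_s, over model.

    A packet offered while the link is still serialising the previous one
    waits (store-and-forward queueing), so offering traffic faster than the
    link drains pushes delay up and utilisation towards 1.0.  Losses are drawn
    from a seeded RNG so that a run is reproducible.
    """
    rng = random.Random(seed)
    bits = packet_bytes * 8
    serialisation_s = bits / model.bandwidth_bps
    link_free_at = 0.0        # time the link finishes the packet currently on it
    busy_s = 0.0
    delivered = 0
    delay_sum = 0.0
    last_arrival = 0.0
    for i in range(n_packets):
        t_send = i * send_interval_s
        t_start = max(t_send, link_free_at)      # wait for the link if it is busy
        link_free_at = t_start + serialisation_s
        busy_s += serialisation_s                # the link transmits even lost packets
        if rng.random() < model.loss_rate:
            continue                             # lost in transit: never arrives
        t_arrive = link_free_at + model.prop_delay_s
        delivered += 1
        delay_sum += t_arrive - t_send
        last_arrival = max(last_arrival, t_arrive)
    mean_delay = delay_sum / delivered if delivered else 0.0
    throughput = delivered * bits / last_arrival if last_arrival > 0 else 0.0
    utilisation = busy_s / link_free_at if link_free_at > 0 else 0.0
    loss_fraction = 1 - delivered / n_packets if n_packets else 0.0
    return LinkStats(n_packets, delivered, loss_fraction, mean_delay, throughput, utilisation)


if __name__ == "__main__":
    # S2: three constructed scenarios on a 1 Mbit/s link with 50 ms propagation delay
    clean = LinkModel(bandwidth_bps=1_000_000, prop_delay_s=0.05, loss_rate=0.0)
    lossy = LinkModel(bandwidth_bps=1_000_000, prop_delay_s=0.05, loss_rate=0.2)
    scenarios = [("idle link", clean, 0.02),        # 10 ms to serialise, sent every 20 ms
                 ("saturated link", clean, 0.005),  # offered faster than the link drains
                 ("lossy link", lossy, 0.02)]
    for name, model, interval in scenarios:
        s = simulate_link(model, packet_bytes=1250, n_packets=10, send_interval_s=interval)
        print(f"{name:15s} delivered={s.delivered}/{s.sent} "
              f"mean_delay={s.mean_delay_s * 1e3:.1f} ms "
              f"throughput={s.throughput_bps / 1e3:.0f} kbit/s "
              f"utilisation={s.utilisation:.2f}")
```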
Further, the monitoring and logging module is implemented by packet capture technology, which is typically implemented with packet capture software selected according to the operating system and requirements, including but not limited to Wireshark, tcpdump and Microsoft Network Monitor; such software helps the user capture and analyze data packets without requiring special hardware.
Further, the statistics and analysis module is implemented by data mining technology and visualization technology. Commonly used data mining techniques include, but are not limited to, descriptive statistical analysis, correlation analysis, cluster analysis, classification and prediction analysis, anomaly detection, association rule mining and time series analysis. By applying these techniques, valuable knowledge and information can be extracted from large amounts of data to support decision making and improve services; in network experiments and tests, data mining techniques can be used to analyze packet capture data and identify security vulnerabilities, performance bottlenecks and the like. Visualization techniques present data graphically to make it easier to understand and analyze; in network experiments and tests, they may be used to present information about the simulated links and data packets, helping users better understand network conditions.
Furthermore, the application realizes backup, restore and deployment of the operating system and applications in a computer system through custom image and snapshot technology; the implementation comprises the following. A custom image is an image containing specific applications, settings and files, created from an existing operating system and software environment configuration. The image can be used to rapidly deploy computer systems with the same configuration: the operating system and applications are configured and installed on one computer system, a disk image of the whole system (comprising the operating system, applications and settings) is created as the custom image, and the custom image is stored in local or cloud storage so that it can be used in other environments; the image is created from the configured computer system with a software tool. Snapshot technology is typically implemented at the level of a storage system, such as a virtualization platform or a storage area network (SAN): it records the initial state of the existing data, then captures subsequent data changes and stores them as snapshots, creating a copy of the system state so that the system can be restored to that state when needed. Snapshots typically capture only the differential data on the storage device, which saves storage space while allowing a quick restore to a previous state.
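The following Python model, added here and not taken from the patent, shows the differential snapshot behaviour described above and the quick reset of an exercise environment mentioned in embodiment one: only changed blocks are stored per snapshot, any snapshot is rebuilt by replaying the chain over the base image, and a SHA-256 digest checks a restored or deployed copy against the custom image. The block size, the in-memory store and the sample image contents are assumptions.

```python
"""Differential snapshot example (added illustration, not the patent's own code).

A disk image is modelled as fixed-size blocks.  A snapshot stores only the
blocks that changed since the previous snapshot (the differential data the
text describes), so a chain of snapshots stays small, and any snapshot is
restored by replaying the chain on top of the base image.  Resetting a cloned
exercise environment to its pre-exercise state is the same operation.
Block size, the in-memory store and the sample data are assumptions.
"""
import hashlib

BLOCK_SIZE = 4   # bytes per block; tiny so the sample data is readable


def split_blocks(data: bytes) -> list:
    """Cut an image into BLOCK_SIZE blocks, zero-padding the last one."""
    padded = data + b"\0" * (-len(data) % BLOCK_SIZE)
    return [padded[i:i + BLOCK_SIZE] for i in range(0, len(padded), BLOCK_SIZE)]


def image_digest(blocks: list) -> str:
    """SHA-256 of the image, used to check a deployed or restored copy against the custom image."""
    return hashlib.sha256(b"".join(blocks)).hexdigest()


def write(blocks: list, offset: int, payload: bytes) -> list:
    """Return a copy of blocks with payload written at byte offset (a VM disk write)."""
    raw = bytearray(b"".join(blocks))
    if offset + len(payload) > len(raw):
        raise ValueError("write past end of image; the image size is fixed in this example")
    raw[offset:offset + len(payload)] = payload
    return split_blocks(bytes(raw))


class SnapshotStore:
    """Copy-on-write style snapshot chain for one image."""

    def __init__(self, base_image: bytes):
        self.base = split_blocks(base_image)      # the custom image, never modified
        self.snapshots = []                       # each entry: {block_index: block_bytes}
        self._last_state = list(self.base)        # image state at the newest snapshot

    def take_snapshot(self, current: list) -> int:
        """Record only the blocks that differ from the previous snapshot; return its id."""
        if len(current) != len(self.base):
            raise ValueError("image size changed; this example assumes a fixed-size image")
        delta = {i: blk for i, (old, blk) in enumerate(zip(self._last_state, current))
                 if old != blk}
        self.snapshots.append(delta)
        self._last_state = list(current)
        return len(self.snapshots) - 1

    def restore(self, snapshot_id: int) -> list:
        """Rebuild the image as it was at snapshot_id by replaying the chain."""
        if not 0 <= snapshot_id < len(self.snapshots):
            raise IndexError(f"no snapshot {snapshot_id}")
        blocks = list(self.base)
        for delta in self.snapshots[:snapshot_id + 1]:
            for i, blk in delta.items():
                blocks[i] = blk
        return blocks

    def stored_bytes(self) -> int:
        """Bytes held by all snapshots together (a full copy would cost the whole image each time)."""
        return sum(len(blk) for delta in self.snapshots for blk in delta.values())


if __name__ == "__main__":
    # constructed sample: a 16-byte "disk" holding the custom image
    golden = b"OS__APP_CONF_LOG"
    store = SnapshotStore(golden)
    state = list(store.base)
    pre = store.take_snapshot(state)           # snapshot 0: pre-exercise state (empty delta)
    state = write(state, 12, b"HACK")          # exercise attacker tampers with the log block
    post = store.take_snapshot(state)          # snapshot 1 stores only block 3
    print("blocks stored by snapshots:", store.stored_bytes(),
          "vs", len(store.snapshots) * len(golden), "for full copies")
    reset = store.restore(pre)
    print("reset matches custom image:", image_digest(reset) == image_digest(store.base))
    print("post-exercise image:", b"".join(store.restore(post)))
```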
The application also provides a corresponding operation method based on the multi-user collaborative network security emergency response and exercise platform, and the operation method specifically comprises the following steps:
Step S1-1, logging in to the network security emergency exercise platform to obtain the corresponding access rights;
Step S1-2, creating or selecting an exercise scene and setting different parameters for it, where the parameters comprise attack types, exercise targets, key resources and the like, and suitable exercise parameters are selected according to actual needs. When an exercise scene is created, a user creates a new experiment name and sets the experiment permissions; the experiment permissions comprise the experiment access permission, experiment joining permission and experiment editing permission of other users. Users participating in the emergency exercise who have the experiment editing permission cooperatively edit and create the experiment scene for the exercise in the shared file system: they select the image files to use from the existing network devices, security devices, operating systems and various plug-ins, connect the selected image files with the network devices and security devices, build an experiment environment that is consistent with or similar to reality, and name and store the experiment environment in the shared file system; at the same time the experiment environment file is stored on the virtualization platform through snapshot technology and backed up in the cloud. The user locks the established experiment environment; a locked experiment environment can be unlocked only after the experiment unlock password is entered, and otherwise cannot be used.
Step S1-3, setting exercise parameters: different parameters such as attack types, exercise targets and key resources are set for each exercise scene. Diversified exercise environments are configured through the event generation module; the implementation of the exercise environments includes, but is not limited to, simulator technology, cloud computing technology, physical environment simulation technology and manual intervention technology. Based on the configured exercise scenes, a user can select a single-mode emergency exercise, or freely combine single modes into a multi-level exercise mode. The multi-level exercise mode includes: the first-level exercise, in which the user can choose physical environment simulation technology and attack a target through a known vulnerability with a tool built into a physical host, so as to test the emergency response capability of the team; the second-level exercise can be entered from the first-level exercise. In the second-level exercise, the attacking user can continue the attack by introducing the latest attack campaigns, exploits, malware and the like through the threat intelligence system interface; the third-level exercise can be entered from the second-level exercise. The third-level exercise is a manually intervened simulation scene: a security expert user can simulate various attack behaviors such as phishing attacks, social engineering attacks and application layer attacks through manual operation to test the identification, defense and response capability of the security team.
In emergency exercises, security experts can manually attack using known vulnerabilities to test the vulnerability of the system and the state of security patches, which helps to find and repair security vulnerabilities in the system. In emergency response exercises, security teams can use manual intervention technology to simulate real security events and test the team's emergency response flow and its communication and coordination capability in emergency situations; security experts can play the role of an attacker, a victim or an enterprise employee, and the validity of the emergency response strategy is evaluated through interaction with other team members.
Step S1-4, starting the exercise: a network security event is simulated and the exercise begins. The person responsible for the attack work of the emergency exercise can click the attacker server to perform attack operations, such as information collection, vulnerability scanning, vulnerability exploitation, penetration testing, web trojan planting, tampering, data theft and modification, virus placement and the like. Network security monitoring equipment is arranged in the emergency exercise platform; the person responsible for the monitoring work can log in to the monitoring platform to monitor and assess the current network traffic and the alarms, and after an attack event is discovered, the handling personnel are notified to handle the event. After receiving the handling task, the person responsible for the handling work logs in to the server to handle the security event, for example by blocking the attacker's IP address, backing up the server, taking the service offline, checking for back doors, finding the intrusion point and hardening it. While the response team handles the security event on the shared file system, multiple users can access and edit the same file simultaneously; the chat, audio/video call and file sharing functions of the real-time communication tools let team members communicate and cooperate in real time; the version control system tracks and manages the modification history of the shared files; and multiple users can access and control the shared desktop simultaneously, open applications, edit files, run programs and so on, with any user's operation reflected on the shared desktop in real time so that all users can see and respond to it. Each user may connect to the virtual machine using virtual machine software and edit the shared file in real time.
The version control system records and manages the modification history of the files and ensures the traceability and version control of the collaborative operation. Through access control and rights management, the security and data protection of the virtual machines and shared files are ensured. Therefore, a plurality of users can carry out multi-user collaborative editing in the virtual machine environment, jointly complete tasks and share results.
In the third-level exercise, the response team can also obtain the latest threat intelligence through the threat intelligence system interface: the latest threat information, attack behavior patterns, malware characteristics, threat sources and the like are obtained through the interface so that the latest attack patterns are known in time, giving the exercise team the relevant information in advance and improving its quick response capability. The security device interface is integrated with other security devices (such as a firewall and an intrusion detection system); the configuration of the security devices can be modified or reset automatically through the interface, so that the exercise system can simulate a specific network environment and security policy, which makes it convenient to test the influence of different configurations on security defense, to identify problems and vulnerabilities in device configuration, and, through the introduction of the other security devices, to speed up the response team's handling. The log and event data generated during the emergency exercise may be stored, analyzed and managed; these systems help record the operational process, response time and results, and provide a basis for post-exercise analysis and improvement.
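The permission and lock rules of step S1-2 above, as an added Python model that is not part of the patent: the creator grants access, join or edit permission, only edit permission allows building the environment in the shared file system, and a locked environment refuses use until the unlock password is entered. The permission ordering (edit implies join implies access) and salted PBKDF2 hashing of the unlock password are assumptions.

```python
"""Experiment permission and lock model (added illustration, not the patent's own code).

Step S1-2 gives an experiment three permissions that its creator grants to
other users (access, join, edit), lets only users with edit permission build
the environment in the shared file system, and lets the built environment be
locked so that it cannot be used until the unlock password is entered.
The permission ordering and the PBKDF2 password hashing are assumptions.
"""
import hashlib
import hmac
import os

ACCESS, JOIN, EDIT = "access", "join", "edit"
# each level implies the weaker ones (assumption)
IMPLIED = {EDIT: {EDIT, JOIN, ACCESS}, JOIN: {JOIN, ACCESS}, ACCESS: {ACCESS}}
PBKDF2_ROUNDS = 200_000


class PermissionDenied(Exception):
    pass


class EnvironmentLocked(Exception):
    pass


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the unlock password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Experiment:
    def __init__(self, name: str, creator: str):
        self.name = name
        self.creator = creator
        self._perms = {creator: EDIT}   # the creator always has edit permission
        self._lock = None               # (salt, derived_key) while locked
        self.environments = {}          # env name -> image files; stands in for the shared file system

    def grant(self, actor: str, user: str, level: str) -> None:
        """Only the creator assigns access/join/edit permission to other users."""
        if actor != self.creator:
            raise PermissionDenied(f"{actor} cannot grant permissions on {self.name}")
        if level not in IMPLIED:
            raise ValueError(f"unknown permission level {level!r}")
        self._perms[user] = level

    def has(self, user: str, level: str) -> bool:
        return level in IMPLIED.get(self._perms.get(user), set())

    @property
    def locked(self) -> bool:
        return self._lock is not None

    def edit_environment(self, user: str, env_name: str, images: list) -> None:
        """Build or update a named environment: needs edit permission and an unlocked experiment."""
        if not self.has(user, EDIT):
            raise PermissionDenied(f"{user} lacks edit permission on {self.name}")
        if self.locked:
            raise EnvironmentLocked(f"{self.name} is locked; enter the unlock password first")
        self.environments[env_name] = list(images)

    def lock(self, actor: str, password: str) -> None:
        """Lock the built environment; a user with edit permission sets the unlock password."""
        if not self.has(actor, EDIT):
            raise PermissionDenied(f"{actor} cannot lock {self.name}")
        salt = os.urandom(16)
        self._lock = (salt, _derive(password, salt))

    def unlock(self, actor: str, password: str) -> bool:
        """Clear the lock and return True if the password matches; otherwise stay locked."""
        if not self.has(actor, ACCESS):
            raise PermissionDenied(f"{actor} has no access to {self.name}")
        if not self.locked:
            return True
        salt, key = self._lock
        if hmac.compare_digest(_derive(password, salt), key):
            self._lock = None
            return True
        return False


if __name__ == "__main__":
    # constructed walk-through: alice creates the experiment, bob co-edits, eve may only view
    exp = Experiment("dmz-web-exercise", "alice")
    exp.grant("alice", "bob", EDIT)
    exp.grant("alice", "eve", ACCESS)
    exp.edit_environment("bob", "dmz", ["router.img", "firewall.img", "web.img"])
    exp.lock("alice", "correct horse battery staple")
    try:
        exp.edit_environment("bob", "dmz", ["router.img"])
    except EnvironmentLocked as err:
        print("blocked:", err)
    print("wrong password accepted:", exp.unlock("bob", "guess"))
    print("right password accepted:", exp.unlock("bob", "correct horse battery staple"))
    exp.edit_environment("bob", "dmz", ["router.img", "firewall.img", "web.img", "ids.img"])
    print("environment images:", exp.environments["dmz"])
```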
The emergency response capability is improved: by simulating real scenes, the decision-making and action capability of the training team under emergency conditions is improved, so that emergencies are handled more efficiently and accurately. Losses are prevented and reduced: emergency exercises help enterprises and organizations identify potential risks and crises, prevent accidents, and take measures in advance to avoid or reduce losses. Investigation and evaluation: emergency exercises not only handle problems in time after an accident occurs, but also evaluate and give feedback on the exercise process, finding and remedying deficiencies. Team cooperation is enhanced: emergency exercises promote cooperation and communication among team members and strengthen trust and understanding among them, so that the emergency response capability of the whole team is improved. Confidence is improved: emergency exercises can make team members more confident in their daily work because they know they have the ability to handle emergency situations.
It will be apparent that the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those skilled in the art from the embodiments of the present invention without inventive effort are intended to fall within the scope of the present invention. Structures, devices and methods of operation not specifically described and illustrated herein are, unless otherwise indicated and limited, implemented according to conventional means in the art.

Claims (10)

1. A multi-user collaborative network security emergency response and exercise platform, comprising a server side, a client and a storage end, wherein: the server side comprises a user management module, an exercise scene management module, an event generation module, a monitoring and logging module, a statistics and analysis module, an exercise result evaluation module and a shared file system; the client comprises a web management interface, a security tool integration module, an exercise report and feedback module, remote desktop software and a real-time communication tool; the storage end comprises a user information and authority database, an exercise scene database, a log and statistical data storage module and a version control system;
a client logs in to the server to perform operations appropriate to the user's permissions; the user builds a virtual experiment scene through the exercise scene management module, and all users build the virtual experiment scene through the shared file system; during the experiment, all clients communicate and cooperate through the real-time communication tool and synchronously handle network attack events in the shared file system; user operations during the handling process are reflected in real time through the remote desktop software; the version control system tracks and manages the modification history of the shared files, and the shared files are stored in the version control system; the monitoring and logging module monitors the various operations and events in the exercise process in real time and records log and statistical data; the statistics and analysis module performs statistics and analysis on the data of the exercise process and generates reports and visual displays; and the exercise result evaluation module evaluates and analyzes the exercise results.
2. The cyber security emergency exercise platform of claim 1, wherein the server side further comprises a security training module for providing relevant security knowledge and training data to assist participants in improving cyber security awareness and skills.
3. The cyber security emergency exercise platform of claim 1, further comprising an auxiliary component including a threat intelligence system interface integrated with an external threat intelligence system to obtain up-to-date threat intelligence information and a security device interface integrated with other security devices.
4. The network security emergency exercise platform of claim 1, wherein the exercise scene management module comprises a server, a router and a switch, the server comprises a virtualization platform, the virtualization platform allows creation and management of virtual machines, a user side establishes a plurality of virtual environments by using the virtual machines, and the router and the switch are configured to establish a network environment to be simulated; the event generation module comprises an attack tool for simulating attack, and comprises a vulnerability scanning tool and a penetration testing tool.
5. The network security emergency exercise platform of claim 1, wherein the exercise scene management module is connected to the cloud service platform to construct a virtual network environment, including virtual machines, virtual network devices, resource pools, etc., by using a virtualization technology in a cloud computing technology, and designs and configures virtual network topologies, which may include a plurality of subnets, routers, switches, network firewalls, or load balancers; the event generation module comprises an attack tool for simulating attack, and comprises a vulnerability scanning tool and a penetration testing tool.
6. The network security emergency exercise platform of claim 1, wherein the exercise scene management module comprises a laboratory space comprising a machine room and physical network devices, the physical network devices comprising routers, switches and firewalls and being used to build network topologies and isolate network areas; the network topologies are built to simulate a real network architecture by setting up various network devices and connecting them with network cables; some physical hosts are set up as simulated attackers and victims; and the physical hosts comprise an event generation module for generating simulated attack events, the event generation module comprising vulnerability scanning tools and penetration testing tools.
7. The network security emergency exercise platform of claim 1, wherein the event generation module is implemented by using a manual intervention technology, and the user of the user terminal includes a security expert, and the security expert can simulate various attack behaviors through manual operation to test the recognition, defense and response capability of a security team.
8. A method of operating the cyber-security emergency exercise platform of any one of claims 1 to 7, the method of operation comprising:
step S1-1, a user logs in to the network security emergency exercise platform through a client to acquire the corresponding access rights;
step S1-2, creating or selecting an exercise scene and setting different parameters for the exercise scene, wherein the parameters comprise attack types, exercise targets and key resources; when the exercise scene is created, a user creates a new experiment name and sets the experiment permissions, the experiment permissions comprising the experiment access permission, experiment joining permission and experiment editing permission of other users; users participating in the emergency exercise who have the experiment editing permission cooperatively edit and create the experiment scene used for the exercise in the shared file system; the users having the experiment editing permission select the image files to be used from the existing network devices, security devices, operating systems and various plug-ins; the selected image files are connected with the network devices and security devices, an experiment environment is built, and the experiment environment is named and stored in the shared file system; and meanwhile the experiment environment file is stored on the virtualization platform through snapshot technology and backed up in the cloud;
Step S1-3, setting drilling parameters, wherein different parameters can be set for each drilling scene, the parameters comprise attack types, drilling targets and key resources, the event generation module is used for configuring diversified drilling environments, and the implementation of the drilling environments comprises simulator technology, cloud computing technology, physical environment simulation technology and manual intervention technology;
step S1-4, starting the exercise: a network security event is simulated and the exercise starts; the person responsible for the attack work of the emergency exercise clicks the attacker server to conduct attack operations; the monitoring and logging module, after logging in to the monitoring platform, monitors, studies and judges the current network traffic and the alarms; after an attack event is discovered, the handling personnel are notified to handle the event, and the person responsible for the handling work of the emergency exercise logs in to the server to handle the security event after receiving the handling task; a plurality of users simultaneously access and edit the same file, and team members communicate and cooperate in real time using the chat and file sharing functions of the real-time communication tool; a plurality of users simultaneously access and control the shared desktop, open applications, edit files and run programs on the shared desktop, and the operations of any user are reflected on the shared desktop in real time; and the version control system records and manages the modification history of the shared files in order to track and manage them, so that version control of the collaborative operation is ensured.
9. The method of claim 8, wherein the step S1-3 is performed in a multi-level exercise mode, the multi-level exercise mode including:
a first-level exercise, wherein the user selects the physical environment simulation technology and uses tools built into a physical host to attack the target through a known vulnerability in order to test the emergency response capability of the team; the second-level exercise can be entered after the first-level exercise;
a second-level exercise, wherein the attacker user introduces the latest attack campaigns, vulnerability exploits and malware through the threat intelligence system interface to continue the attack; the third-level exercise can be entered after the second-level exercise;
a third-level exercise, which is a human intervention simulation scenario in which a security expert user simulates various attack behaviors, such as phishing attacks, social engineering attacks and application layer attacks, by manual operation in order to test the recognition, defense and response capabilities of the security team.
10. The method of claim 8, further comprising, after step S1-2, backing up, restoring and deploying the operating systems and applications of the computer system via custom image and snapshot techniques.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310947898.2A CN116962057A (en) 2023-07-31 2023-07-31 Multi-user collaborative network security emergency response and exercise platform and operation method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310947898.2A CN116962057A (en) 2023-07-31 2023-07-31 Multi-user collaborative network security emergency response and exercise platform and operation method thereof

Publications (1)

Publication Number Publication Date
CN116962057A true CN116962057A (en) 2023-10-27

Family

ID=88458087

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310947898.2A Pending CN116962057A (en) 2023-07-31 2023-07-31 Multi-user collaborative network security emergency response and exercise platform and operation method thereof

Country Status (1)

Country Link
CN (1) CN116962057A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117692230A (en) * 2023-12-18 2024-03-12 永信至诚科技集团股份有限公司 Information sharing method, system, electronic device and medium for network attack and defense exercise

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination