CN117040783A - Network attack and defense efficiency evaluation system and method - Google Patents

Abstract

The application discloses a system and a method for evaluating network attack and defense efficiency, wherein the system comprises: the system comprises an environment construction module, an attack and defense training module and an index system module; the attack and defense training module provides a network attack and defense training scene; the index system module provides construction indexes, a construction model, calculation and gives an evaluation result; the environment construction module provides a basic environment required by the attack and defense training. The application can effectively meet the application requirements of various complex network attack and defense scenes, and has convenient operation and high flexibility.

Description

Network attack and defense efficiency evaluation system and method

Technical Field

The application relates to a performance evaluation method, belongs to the technical field of network security, and particularly relates to a system and a method for evaluating network attack and defense performance.

Background

The network attack effect evaluation is to study the direct effect of the information system under the network attack in the complex network environment, and to test the effectiveness of the network attack by giving qualitative and quantitative evaluation analysis results. The task of the network attack effect evaluation is as follows: on the one hand, before network attack, predicting the expected combat effect of the attack mode; on the other hand, after the network attack task is completed, the actual combat effectiveness of the attack mode is mastered.

The network attack effect evaluation is different from and related to the common network security evaluation, and has the same points that the network attack effect evaluation is used for evaluating the security characteristics of the network, a certain performance index parameter is required to be acquired from a target network, and a specific evaluation model is used for processing the network attack effect evaluation and outputting an evaluation result; the method is characterized in that network security assessment focuses on checking the loopholes existing in the system, and is generally realized through system vulnerability scanning, while attack effect assessment focuses on researching the influence of attack on network security performance, and certain security performance indexes are required to be extracted to measure the change condition of the network performance before and after attack.

At present, the basic flow of network attack and defense effect evaluation comprises the following steps: firstly, carrying out network attack simulation based on a network attack test environment; then comprehensively tracking, recording, describing and analyzing the network attack behavior of the attack information system, classifying according to different attack modes, and establishing an information database of the network attack behavior; and giving an effect evaluation report of the evaluated network attack behavior according to the requirements of the evaluation model and the quantitative index by using the collected related information data.

However, the existing network attack and defense effect evaluation technology still has the following problems:

1. the consideration of network attack and defense scene complexity is quite poor. Along with the development of information technology, the network attack and defense field scene is more and more complex, however, the current efficiency evaluation is only applicable to a single attack and defense scene, is mostly a customized scheme, and cannot be flexibly applicable to a complex network attack and defense scene.

2. The evaluation means is single, and the requirements of complex network attack and defense scenes cannot be met;

3. the model is single in type, an embedded single model is often provided, the model is not editable and adjustable, and the model algorithm is relatively late and needs to be customized and developed again.

Disclosure of Invention

According to one aspect of the application, a network attack and defense efficiency evaluation system is provided, which can be applied to various complex network attack and defense application scenes, provides various evaluation models, supports custom editing, expands the evaluation models according to the needs of actual service types, and improves the suitability and accuracy of network attack and defense efficiency evaluation.

The network attack and defense efficacy evaluation system comprises:

the environment construction module is used for constructing a network environment;

the attack and defense training module is used for establishing a network attack and defense training scene;

the index system module is used for constructing indexes and is based on an index matching evaluation model; based on the evaluation model, analyzing the network security performance difference before and after the occurrence of the network attack task according to the security performance index to obtain a network attack effectiveness evaluation result;

wherein the evaluation model comprises: an existing evaluation model and a user-defined evaluation model; when the evaluation model is a user-defined evaluation model, the index system module acquires indexes constructed by the user and the user-defined evaluation model, and associates the indexes and the user-defined evaluation model.

Preferably, the index system module adopts at least one of the following modes when constructing the index: the user creates an index and imports the index.

Preferably, the method of introducing the index at least includes one of the following: file import and third party interface import.

Preferably, the existing assessment model comprises at least one of: classical analytic hierarchy process model, fuzzy analytic hierarchy process higher order algorithm model.

Preferably, the index system module performs the following steps when constructing the user-defined evaluation model: updating an algorithm library of the evaluation model, establishing a new evaluation model by utilizing a new algorithm, selecting indexes for verification, and finally generating the evaluation model for training.

Preferably, the construction mode of the evaluation model comprises at least one of the following: hierarchical modeling and DAG modeling.

Preferably, the index system is further used for matching calculation means of the evaluation model according to different evaluation modes in network attack and defense.

Preferably, the calculating means includes:

when the evaluation mode is that a plurality of referees are required to score, and finally summarizing and rechecking to obtain a final score, the evaluation model adopts a manual scoring mode based on a scoring card model;

when the evaluation mode is that part of objective questions need to be automatically scored and subjective questions need to be scored by a referee, the evaluation model adopts a semi-automatic scoring mode;

when the evaluation mode is all objective questions or all system scores need to be submitted, the evaluation model adopts an automatic scoring mode.

Preferably, the calculation mode of the evaluation model includes at least one of the following: rule engine computation, computation based on big data computation engine.

Preferably, the network attack and defense training scenario comprises at least one of the following: red-blue countermeasure, emergency response, security assessment, synergistic defenses;

when the network attack and defense training scene is a new scene, prompting a user to call the index system module, and constructing a user-defined evaluation model.

Preferably, the system further comprises a user center module for configuring and managing information of personnel participating in the network attack and defense training, wherein the personnel comprises: students taking part in the drill, guiding and regulating personnel, operation and maintenance personnel and referees.

Preferably, the system further comprises a system management module for system name, topic, online user management.

Preferably, the index system module further comprises a model recommendation sub-module, wherein the model recommendation sub-module is used for providing a selectable evaluation model for a user according to a recommendation index, and the rule of the recommendation index is matched according to the type of the attack and defense training scene.

According to still another aspect of the present application, there is provided a network attack and defense performance evaluation method, including:

constructing an index, and matching an evaluation model based on the index, wherein the evaluation model comprises: an existing evaluation model and a user-defined evaluation model; the user-defined evaluation model is associated with an index constructed by a user;

aiming at a network attack task, configuring a network environment and constructing a network attack and defense training scene;

based on the process data generated by the network attack and defense training, the evaluation model is utilized to carry out model evaluation, and a network attack efficiency evaluation result is output.

Preferably, the construction index adopts at least one of the following modes: creating an index and importing the index by a user; the index introduction mode at least comprises one of the following modes: file import and third party interface import.

Preferably, the existing assessment model comprises at least one of: classical analytic hierarchy process model, fuzzy analytic hierarchy process higher order algorithm model.

Preferably, the construction of the user-defined evaluation model includes the following steps: updating an algorithm library of the evaluation model, establishing a new evaluation model by utilizing a new algorithm, selecting indexes for verification, and finally generating the evaluation model for training.

Preferably, the construction mode of the evaluation model comprises at least one of the following: hierarchical modeling and DAG modeling.

Preferably, the calculation means of the evaluation model corresponds to different evaluation modes in network attack and defense, and comprises at least one of the following:

when the evaluation mode is that a plurality of referees are required to score, and finally summarizing and rechecking to obtain a final score, the evaluation model adopts a manual scoring mode based on a scoring card model;

when the evaluation mode is that part of objective questions need to be automatically scored and subjective questions need to be scored by a referee, the evaluation model adopts a semi-automatic scoring mode;

when the evaluation mode is all objective questions or all system scores are required to be submitted, the evaluation model adopts an automatic scoring mode;

preferably, the calculation mode of the evaluation model includes at least one of the following: rule engine computation, computation based on big data computation engine.

Preferably, the network attack and defense training scenario comprises at least one of the following: red-blue countermeasure, emergency response, security assessment, synergistic defenses;

when the network attack and defense training scene is a new scene, prompting a user to call the index system module, and constructing a user-defined evaluation model.

Preferably, the method further comprises the steps of configuring and managing personnel information of the network attack and defense training, wherein the personnel comprises the following steps: students taking part in the drill, guiding and regulating personnel, operation and maintenance personnel and referees.

Preferably, the performing model evaluation by using the evaluation model includes: and providing a selectable evaluation model for the user according to a recommendation index, wherein the rule of the recommendation index is selected and matched according to the type of the attack and defense training scene.

The application has the beneficial effects that:

1) The system and the method for evaluating the network attack and defense efficiency are suitable for complex network attack and defense scenes, and comprise the following steps: scene red and blue countermeasure, safety evaluation, emergency response, defense coordination and other various scenes. According to the performance index matching evaluation model in scene type, therefore the evaluation model of the application can be highly self-adaptive.

2) The assessment model library provided by the application not only comprises the existing assessment models, but also can be used for constructing user-defined assessment models according to requirements, and the assessment models are various in variety and easy to expand. In particular, for situations where the model accuracy is insufficient or new scenes are desired, editing the assessment model may be selected; or updating an algorithm library, modeling, selecting an index for online verification, and finally providing a verified model for training. The application reduces the difficulty of model configuration, improves the accuracy of the matching of the evaluation model, and can transversely expand the provided evaluation model according to different service types.

3) The calculation means of the evaluation model provided by the application is flexible and corresponds to different evaluation modes in network attack and defense. For example, when the evaluation mode is that a plurality of referees are required to score and finally summarize and recheck to obtain a final score, the application provides a manual scoring card model for the scene for the user to input and finally output the score; when the evaluation mode is that part of objective questions need to be automatically scored and subjective questions need to be scored by referees, the application provides a semi-automatic scoring model for the scene; the present application provides an automatic scoring model when the evaluation is all objective questions or requires total delivery of system scores.

4) The evaluation model provided by the application has various calculation modes, such as rule engine calculation and calculation based on big data calculation engine, and can support mass offline calculation and real-time calculation.

5) The modeling process of the evaluation model provided by the application is easier to understand by a user through graphical configuration.

Drawings

FIG. 1 is a schematic diagram of a network attack and defense performance evaluation system according to an embodiment of the present application;

FIG. 2 is a flowchart illustrating a network attack and defense performance evaluation method according to an embodiment of the present application;

FIG. 3 is a user interface for modeling in accordance with one embodiment of the present application;

FIG. 4 is a user interface for performance evaluation according to one embodiment of the present application.

Detailed Description

The present application is described in detail below with reference to examples, but the present application is not limited to these examples.

Referring to fig. 1, a schematic structural diagram of a network attack and defense performance evaluation system according to an embodiment of the application is shown, where the system includes an environment construction module, an index system module, an attack and defense training module, a user center module, and a system management module. Wherein:

the environment construction module is used for constructing basic network environments required by network attack and defense training, including various router, virtual machine, attack machine and target machine environments;

the attack and defense training module is used for establishing a network attack and defense training scene, including training scenes such as red and blue countermeasure, emergency response, safety evaluation and defense coordination;

the index system module is used for constructing or selecting indexes; selecting or creating an assessment model, the creating an assessment model comprising: selecting the index for verification, submitting the model, and obtaining a user-defined evaluation model; analyzing the network security performance difference before and after the occurrence of the network attack task by using the evaluation model to obtain a network attack effectiveness evaluation result;

the user center module is used for configuring students, guide operators, operation and maintenance personnel, referees and the like participating in the exercise and managing personnel information;

the system management module is used for managing system names, topics and online users.

The index system module adopts modes including but not limited to: the user creates an index and imports the index. The manner of introducing the index includes, but is not limited to: file import and third party interface import.

The assessment models in the index system module are multiple in variety and easy to expand, and can be transversely expanded according to different service types, so that multiple adaptation models are provided for the network attack and defense training scene. By creating the evaluation model, the new scene needs can be met, and a set of templates such as index establishment, algorithm selection, modeling, adjustment and measurement are provided for users. According to different algorithms, the model can be longitudinally expanded, an existing algorithm can be selected, the algorithm is submitted, and meanwhile online modeling capability is provided. The algorithms include, but are not limited to, classical analytic hierarchy process, fuzzy analytic hierarchy process, and higher order algorithm models.

The index system module executes the following steps when constructing a user-defined evaluation model: updating an algorithm library of the evaluation model, establishing a new evaluation model by utilizing a new algorithm, selecting indexes for verification, and finally generating the evaluation model for training.

The construction mode of the evaluation model comprises but is not limited to layering modeling and DAG modeling.

The index system is also used for matching the calculation means of the evaluation model according to different evaluation modes in network attack and defense.

The calculation means includes:

when the evaluation mode is that a plurality of referees are required to score, and finally summarizing and rechecking to obtain a final score, the evaluation model adopts a manual scoring mode based on a scoring card model;

when the evaluation mode is that part of objective questions need to be automatically scored and subjective questions need to be scored by a referee, the evaluation model adopts a semi-automatic scoring mode;

when the evaluation mode is all objective questions or all system scores need to be submitted, the evaluation model adopts an automatic scoring mode.

The method is used for selecting one or more calculation means in a manual scoring mode, a semi-automatic scoring mode and an automatic scoring mode according to actual application requirements, and performing single use or combined use.

The calculation mode of the evaluation model includes, but is not limited to: rule engine computation, computation based on big data computation engine.

In one embodiment, the index system module further includes a model recommendation sub-module, configured to provide a selectable evaluation model list for a user, where evaluation models in the list may be arranged in descending order of recommendation indexes, and rules of the recommendation indexes are selected to match according to types of the attack and defense training scenarios. If the current training is red and blue, the evaluation model is screened from the evaluation model library according to red and blue countermeasure indexes, and the recommended models of different training scenes are different, so that the difficulty of model configuration is reduced; if the model accuracy is insufficient or attack and defense evaluation research is desired, a user-defined module can be selected to enter an evaluation model editing page, an algorithm library can be updated, modeling is performed, the selection index is verified on line, and finally the model is submitted for training.

The application also provides a network attack and defense efficiency evaluation method, as shown in fig. 2, in one embodiment, the method comprises the following steps:

s1: and constructing an index library.

The index may be created by the user himself, and also supports importing the index, including but not limited to: file import (Excel, markDown, txt, json), third party interface import (data may be collected from a machine or third party interface).

S2: and constructing an evaluation model.

Step S2 is performed on the basis of the index constructed in the step S1, and the model is submitted after modeling is completed.

The calculation means of the evaluation model corresponds to different evaluation modes in network attack and defense, and one or more of the following modes are adopted according to actual needs:

when the evaluation mode is that a plurality of referees are required to score, and finally summarizing and rechecking to obtain a final score, the evaluation model adopts a manual scoring mode based on a scoring card model;

when the evaluation mode is that part of objective questions need to be automatically scored and subjective questions need to be scored by a referee, the evaluation model adopts a semi-automatic scoring mode;

when the evaluation mode is all objective questions or all system scores need to be submitted, the evaluation model adopts an automatic scoring mode.

In one embodiment, modeling can be performed by a hierarchical modeling manner, including the following steps:

s211, opening the canvas, and dragging the index into the canvas;

s212, maintaining a hierarchical relationship layer by layer upwards, putting an algorithm module at the junction of the hierarchical nodes, inputting calculation rules, and arranging a calculation engine such as a drools in the background;

s213, modeling is completed and submitted.

In one embodiment, modeling may be performed by DAG modeling, comprising the steps of:

s221, opening the computing module in a canvas, and dragging the computing module into the canvas;

s222, submitting a pre-written calculation module jar which contains source codes with algorithm calculation processes, wherein the module is the same with real-time operation in offline mode, and the selected calculation scene modes are different;

s223, modeling is completed and submitted.

The application uses big data technology modeling to consider off-line and real-time calculation scenes.

And the offline scene adopts batch calculation and verifies the network attack and defense effects.

The real-time computing scene is mainly used for showing the situation of the drilling cockpit (living broadcast hall), and the showing comprises attack defending conditions and real-time score computing.

The front data access is realized through kafka access, spark technology is used in an offline scene, flink technology is used in a real-time calculation scene, and the calculated result is stored in an elastic search for a system to quickly inquire.

S3: attack and defense exercise is performed.

The attack and defense exercise is the source of the evaluation object. The application supports various scenes such as red and blue countermeasure, emergency response, cooperative defense, safety evaluation and the like. The method comprises the steps of configuring and managing personnel information of network attack and defense training, wherein the personnel comprises the following steps: students taking part in the drill, guiding and regulating personnel, operation and maintenance personnel and referees.

S4: and (5) debugging and completing the evaluation task.

Model evaluation is carried out based on network attack and defense process data, and model adjustment and measurement can be carried out in the evaluation process, wherein the adjustment and measurement contents comprise: and (5) configuring model output parameters, selecting a model algorithm, and finally outputting an evaluation result. And providing a selectable evaluation model for the user according to a recommendation index, wherein the rule of the recommendation index is selected and matched according to the type of the attack and defense training scene.

Example 1

Taking a red-blue countermeasure scene as an example, the network attack and defense performance evaluation system and method disclosed by the application are adopted in the scene, and the specific using steps are as follows.

1. And (5) constructing indexes and establishing an evaluation index library.

The attack and defense training related index information can be constructed by a mode of creation or import. The import may be imported from a third party interface, supporting online presentation and maintenance. The index preference can be filled in when the index preference is imported. Taking the red-blue countermeasure of the present embodiment as an example, the index may be filled with "red-blue countermeasure", and of course, may be a combination of a plurality of types.

2. And constructing an evaluation algorithm library and updating the algorithm.

The system itself is pre-fabricated with hierarchical classical analytic hierarchy process, fuzzy analytic hierarchy process model. The algorithm may be updated later, such as updating weights of classical hierarchies.

3. And (5) constructing a model and establishing an evaluation model library.

For example: when the model is constructed, the mode of constructing the model can be selected from layering modeling/DAG modeling. And finishing modeling according to the construction mode selected by the user, and entering into the painting. And dragging the indexes selected from the evaluation index library into a canvas, maintaining the hierarchical relationship layer by layer according to index preference or common index recommendation by default, and putting an algorithm module at the junction of the hierarchical nodes, as shown in figure 3. And the editing algorithm module is used for selecting an algorithm from the evaluation algorithm library, inputting a calculation rule and submitting a model.

4. And (5) performing attack and defense training.

And selecting a model, wherein when a leader configures indexes of the attack and defense training, an evaluation model library matches the model according to the recommended indexes in real time, and in the embodiment, the evaluation model is selected by a user according to the ranking of the recommended indexes from top to bottom. The range of the recommended index is designed according to 0-5, 5 is recommended optimally, 0 is unmatched, and 1-4 are matched in different degrees.

Assuming that indexes configured in the current training are A, B and C respectively, the evaluation model library calculates a recommendation index according to the satisfaction degree of the indexes according to the A, B and C three indexes. Such as: when the three indexes of A, B, C are simultaneously satisfied, the recommendation index is 5; when only A, B index is met, the recommended index should be 3.3 (2/3*5), the others are pushed inward in turn. When the indexes are not matched, prompting the user to re-model, and informing the user whether the missing indexes are imported. The application solves the technical problems that the evaluation models in the existing system training are all fixed and the indexes in the models cannot be expanded.

5. And (5) completing evaluation of network attack effectiveness.

As shown in FIG. 4, the application provides multiple evaluation modes for users according to the practical training scene.

When the evaluation mode is that a plurality of referees are required to score and final scores are obtained through final summarization and rechecking, the application provides a manual scoring card model for the scene, namely user input and system output scores;

when the evaluation mode is that part of objective questions need to be automatically scored and subjective questions need to be scored by referees, the application provides a semi-automatic scoring model for the scene;

the present application provides an automatic scoring model when the evaluation is all objective questions or requires total delivery of system scores.

While the application has been described in terms of preferred embodiments, it will be understood by those skilled in the art that various changes and modifications can be made without departing from the scope of the application, and it is intended that the application is not limited to the specific embodiments disclosed.

Claims (9)

1. A network attack and defense performance evaluation system, the system comprising:

the environment construction module is used for constructing a network environment;

the attack and defense training module is used for establishing a network attack and defense training scene;

the index system module is used for constructing indexes and matching an evaluation model according to the indexes; based on the evaluation model, analyzing the network security performance difference before and after the occurrence of the network attack task according to the security performance index to obtain a network attack effectiveness evaluation result;

wherein the evaluation model comprises: an existing evaluation model and a user-defined evaluation model; when the evaluation model is a user-defined evaluation model, the index system module acquires indexes constructed by the user and the user-defined evaluation model, and associates the indexes and the user-defined evaluation model.

2. The system for evaluating network attack and defense performance according to claim 1, wherein the index system module is configured to use at least one of the following methods: creating an index and importing the index by a user;

preferably, the method of introducing the index at least includes one of the following: file importing and third party interface importing;

preferably, the existing assessment model comprises at least one of: classical analytic hierarchy process model, fuzzy analytic hierarchy process higher order algorithm model;

preferably, the index system module performs the following steps when constructing the user-defined evaluation model: updating an algorithm library of the evaluation model, establishing a new evaluation model by utilizing a new algorithm, selecting indexes for verification, and finally generating the evaluation model for training;

preferably, the construction mode of the evaluation model comprises at least one of the following: hierarchical modeling and DAG modeling;

preferably, the index system is further used for matching calculation means of an evaluation model according to different evaluation modes in network attack and defense;

preferably, the calculating means includes:

when the evaluation mode is that a plurality of referees are required to score, and finally summarizing and rechecking to obtain a final score, the evaluation model adopts a manual scoring mode based on a scoring card model;

when the evaluation mode is that part of objective questions need to be automatically scored and subjective questions need to be scored by a referee, the evaluation model adopts a semi-automatic scoring mode;

when the evaluation mode is all objective questions or all system scores are required to be submitted, the evaluation model adopts an automatic scoring mode;

preferably, the calculation mode of the evaluation model includes at least one of the following: rule engine computation, computation based on big data computation engine.

3. The network attack and defense performance evaluation system according to claim 1, wherein the network attack and defense training scenario comprises at least one of: red-blue countermeasure, emergency response, security assessment, synergistic defenses;

when the network attack and defense training scene is a new scene, prompting a user to call the index system module, and constructing a user-defined evaluation model.

4. The system for evaluating the effectiveness of network attack and defense according to claim 1, further comprising a user center module for configuring and managing information of personnel participating in the training of network attack and defense, wherein the personnel comprises: students taking part in the drill, guiding and regulating personnel, operation and maintenance personnel and referees.

5. The system of claim 1, further comprising a system management module for managing system names, topic configuration, and online user management.

6. The system of claim 1, wherein the index system module further comprises a model recommendation sub-module for providing a selectable evaluation model for the user according to a recommendation index, wherein the rules of the recommendation index are matched according to the type of the attack and defense training scenario.

7. The network attack and defense efficiency evaluation method is characterized by comprising the following steps:

constructing an index, and matching an evaluation model based on the index, wherein the evaluation model comprises: an existing evaluation model and a user-defined evaluation model; the user-defined evaluation model is associated with an index constructed by a user;

aiming at a network attack task, configuring a network environment and constructing a network attack and defense training scene;

based on the process data generated by the network attack and defense training, the evaluation model is utilized to carry out model evaluation, and a network attack efficiency evaluation result is output.

8. The network attack and defense performance evaluation method according to claim 7, wherein the manner of constructing the index at least includes one of: creating an index and importing the index by a user; the index introduction mode at least comprises one of the following modes: file importing and third party interface importing;

preferably, the existing assessment model comprises at least one of: classical analytic hierarchy process model, fuzzy analytic hierarchy process higher order algorithm model;

preferably, the construction of the user-defined evaluation model includes the following steps: updating an algorithm library of the evaluation model, establishing a new evaluation model by utilizing a new algorithm, selecting indexes for verification, and finally generating the evaluation model for training;

preferably, the construction mode of the evaluation model comprises at least one of the following: hierarchical modeling and DAG modeling;

preferably, the calculation means of the evaluation model corresponds to different evaluation modes in network attack and defense, and comprises at least one of the following:

when the evaluation mode is that a plurality of referees are required to score, and finally summarizing and rechecking to obtain a final score, the evaluation model adopts a manual scoring mode based on a scoring card model;

when the evaluation mode is that part of objective questions need to be automatically scored and subjective questions need to be scored by a referee, the evaluation model adopts a semi-automatic scoring mode;

when the evaluation mode is all objective questions or all system scores are required to be submitted, the evaluation model adopts an automatic scoring mode;

preferably, the calculation mode of the evaluation model includes at least one of the following: rule engine computation, computation based on big data computation engine.

9. The network attack and defense performance evaluation method according to claim 7, wherein the network attack and defense training scenario comprises at least one of: red-blue countermeasure, emergency response, security assessment, synergistic defenses;

when the network attack and defense training scene is a new scene, prompting a user to call the index system module, and constructing a user-defined evaluation model;

preferably, the method further comprises the steps of configuring and managing personnel information of the network attack and defense training, wherein the personnel comprises the following steps: students, guide operators, operation and maintenance personnel and referees who participate in the exercise;

preferably, the performing model evaluation by using the evaluation model includes: and providing a selectable evaluation model for the user according to a recommendation index, wherein the rule of the recommendation index is selected and matched according to the type of the attack and defense training scene.