CN117240622A - Method and device for collecting attack simulation samples in batches based on HTTP protocol - Google Patents


Info

Publication number
CN117240622A
Authority
CN
China
Prior art keywords
attack
simulated
vulnerability
loopholes
loophole
Prior art date
Legal status
Granted
Application number
CN202311506157.7A
Other languages
Chinese (zh)
Other versions
CN117240622B (en)
Inventor
安祖贤
朱文雷
王刚
杨坤
张瀚
张博轩
薛运成
尤震
支玉栋
梁慧杰
王陶然
张嘉欢
Current Assignee
Beijing Chaitin Tech Co ltd
Original Assignee
Beijing Chaitin Tech Co ltd
Application filed by Beijing Chaitin Tech Co ltd
Priority to CN202311506157.7A
Publication of CN117240622A
Application granted
Publication of CN117240622B
Legal status: Active

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The application provides a method and a device for collecting attack simulation samples in batches based on HTTP (Hypertext Transfer Protocol). Vulnerabilities and query expressions are obtained from a vulnerability library, and the vulnerabilities obtained from the library are deduplicated against the vulnerabilities already stored in a security verification platform to obtain deduplicated vulnerabilities; an attack environment to be simulated is determined according to the query expression; an HTTP proxy server is started; attack behavior against the attack environment to be simulated is simulated through the deduplicated vulnerabilities; and the HTTP request and response packets of the simulated attack behavior against the attack environment are recorded through the HTTP proxy server and stored in the security verification platform. The application can thus use a vulnerability to simulate an attacker's attack and use the recorded traffic as test cases for the security verification platform; this reduces the risk that the security verification platform introduces new attacks to the user, and reduces the difficulty of collecting test cases for the platform.

Description

Method and device for collecting attack simulation samples in batches based on HTTP protocol
Technical Field
The embodiment of the application belongs to the technical field of network security, and particularly relates to a method and a device for collecting attack simulation samples in batches based on an HTTP protocol.
Background
Most security verification platforms in the industry today test an enterprise network's security defenses by building a vulnerability shooting range (a deliberately vulnerable target environment) inside the enterprise's actual environment and simulating attacks against it. This approach has the following two defects:
building a vulnerability shooting range creates new exposed surfaces and can bring unexpected attacks to the enterprise; and because the number of vulnerabilities is large and commercial product environments are not easy to build, the difficulty of assembling a vulnerability shooting range in practice increases greatly.
Disclosure of Invention
To solve or alleviate these problems of the prior art, the method uses vulnerabilities, through a written program, to simulate an attacker's attack and obtains the resulting HTTP traffic as test cases for the security verification platform, so as to avoid the new attack surface and the difficulty of collecting test cases that building a vulnerability shooting range entails in the prior art.
In a first aspect, the present application provides a method for collecting attack simulation samples in batches based on the HTTP protocol, where the method includes:
obtaining vulnerabilities and query expressions from a vulnerability library, and deduplicating the vulnerabilities obtained from the library against the vulnerabilities stored in the security verification platform to obtain deduplicated vulnerabilities;
determining an attack environment to be simulated according to the query expression;
starting an HTTP proxy server;
simulating attack behavior against the attack environment to be simulated through the deduplicated vulnerabilities;
and recording, through the HTTP proxy server, the HTTP request and response packets of the simulated attack behavior against the attack environment to be simulated, and storing the HTTP request and response packets in the security verification platform.
As a preferred embodiment of the present application, the deduplicating of the vulnerabilities obtained from the vulnerability library against the vulnerabilities stored in the security verification platform includes:
determining the number of each vulnerability obtained from the vulnerability database, where the number comprises a CVE number, a CNVD number and a custom number;
determining, according to that number, whether a vulnerability with the same attributes as the vulnerability obtained from the vulnerability database already exists in the security verification platform;
if so, the vulnerability obtained from the vulnerability database need not be added to the security verification platform; if not, adding the vulnerability obtained from the vulnerability database to the security verification platform.
As a preferred embodiment of the present application, the determining of the attack environment to be simulated according to the query expression includes:
acquiring a preliminary set of attack environments to be simulated through the FOFA search engine;
and querying within that preliminary set through the query expression to determine the attack environment to be simulated.
As a preferred embodiment of the present application, before deduplicating the obtained vulnerabilities against the vulnerabilities stored in the security verification platform, the method includes:
loading the vulnerabilities stored in the security verification platform and the vulnerabilities obtained from the vulnerability library into memory, so that the obtained vulnerabilities are deduplicated in memory;
and constructing a first storage structure in memory according to the different attributes of the vulnerabilities stored in the security verification platform.
In a preferred embodiment of the present application, after the deduplicated vulnerability information is obtained, the method includes:
loading a classification dictionary of the security verification platform into memory;
and mapping the vulnerability identifiers obtained from the vulnerability library to the vulnerability identifiers used in the security verification platform according to the classification dictionary, and constructing a second storage structure in memory according to the mapping between the identifiers in the security verification platform and the identifiers obtained from the vulnerability library.
As a preferred embodiment of the present application, after the HTTP proxy server is started, the method includes:
loading into memory the description file of the exploitation method of each deduplicated vulnerability together with its attributes, where the attributes comprise the vulnerability title, the impact produced by the vulnerability, a repair suggestion and reference links for the vulnerability.
As a preferred embodiment of the present application, the simulating, through the deduplicated vulnerabilities and with the HTTP proxy server, of attack behavior against the attack environment to be simulated includes:
obtaining from memory the description file of the exploitation method and the attributes of the deduplicated vulnerability;
determining the type of the deduplicated vulnerability according to its description file and attributes;
if the deduplicated vulnerability is of the FOFA type, retrieving through the FOFA search engine interface the attack environments to be simulated that contain the vulnerability;
traversing the list of attack environments to be simulated to determine whether each is online, and if so, attacking the online attack environment through the deduplicated vulnerability;
and judging whether the attack succeeded, and if so, recording through the HTTP proxy server the HTTP request and response packets of the attack behavior simulated by the deduplicated vulnerability against the attack environment, and storing them in the security verification platform.
In a preferred embodiment of the present application, the determining of the type of the deduplicated vulnerability according to its description file and attributes includes:
judging whether the FOFA field of the deduplicated vulnerability contains "=", and if so, determining that the deduplicated vulnerability is of the FOFA type.
In an embodiment of the present application, after the HTTP proxy server has recorded the HTTP request and response packets of the attack behavior simulated by the deduplicated vulnerability against the attack environment to be simulated, the method includes:
judging whether the attack environment to be simulated is a sensitive environment;
and if so, replacing the identifier of the sensitive attack environment with a characteristic string.
Compared with the prior art, the embodiment of the present application obtains vulnerabilities and query expressions from a vulnerability library and deduplicates them against the vulnerabilities stored in the security verification platform to obtain deduplicated vulnerabilities; determines an attack environment to be simulated according to the query expression; starts an HTTP proxy server; simulates attack behavior against the attack environment to be simulated through the deduplicated vulnerabilities; and records, through the HTTP proxy server, the HTTP request and response packets of the simulated attack behavior against the attack environment, storing them in the security verification platform. The application can thus use a vulnerability to simulate an attacker's attack and use the recorded traffic as test cases for the security verification platform; this reduces the risk that the security verification platform introduces new attacks to the user, and reduces the difficulty of collecting test cases for the platform.
In a second aspect, an embodiment of the present application further provides an apparatus for collecting attack simulation samples in batches based on the HTTP protocol, including:
a deduplication module, used to obtain vulnerabilities and query expressions from a vulnerability library, deduplicate the vulnerabilities obtained from the library against the vulnerabilities stored in the security verification platform, and obtain the deduplicated vulnerabilities;
a determining module, used to determine an attack environment to be simulated according to the query expression;
a starting module, used to start the HTTP proxy server;
an attack module, used to simulate attack behavior against the attack environment to be simulated through the deduplicated vulnerabilities;
and a recording module, used to record, through the HTTP proxy server, the HTTP request and response packets of the attack behavior simulated by the deduplicated vulnerabilities against the attack environment to be simulated, and to store them in the security verification platform.
Compared with the prior art, the apparatus for collecting attack simulation samples in batches based on the HTTP protocol has the same beneficial effects as the method of the first aspect, which are not described again here.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. Some specific embodiments of the application will be described in detail hereinafter by way of example and not by way of limitation with reference to the accompanying drawings. The same reference numbers in the drawings denote the same or similar parts or portions, and it will be understood by those skilled in the art that the drawings are not necessarily drawn to scale, in which:
fig. 1 is a schematic flow chart of a method for batch collection of attack simulation samples based on HTTP protocol according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of an apparatus for batch collection of attack simulation samples based on HTTP protocol according to an embodiment of the present application.
Detailed Description
In order to enable those skilled in the art to better understand the present application, the following description will make clear and complete descriptions of the technical solutions according to the embodiments of the present application with reference to the accompanying drawings. It will be apparent that the described embodiments are merely some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
In a first aspect, as shown in fig. 1, the present application provides a method for collecting attack simulation samples in batches based on the HTTP protocol, where the method includes:
step S01, obtaining vulnerabilities and query expressions from a vulnerability library, and deduplicating the vulnerabilities obtained from the library against the vulnerabilities stored in a security verification platform to obtain deduplicated vulnerabilities;
It should be noted that the vulnerability library is composed of a national information security vulnerability database (the source of CNVD numbers), a general vulnerability disclosure database (the source of CVE numbers) and a custom vulnerability database, and is mainly used to build a national information security vulnerability data management platform for operation and maintenance.
The vulnerability library also stores the query expressions, which are mainly used to determine the attack environment to be simulated.
First, vulnerabilities must be retrieved from the vulnerability library so that those not yet in the security verification platform can be stored there; to ensure that the vulnerabilities obtained from the library do not duplicate vulnerabilities already in the platform, the retrieved vulnerabilities must be deduplicated.
As a preferred embodiment of the present application, before deduplicating the obtained vulnerabilities against the vulnerabilities stored in the security verification platform, the method includes:
loading the vulnerabilities stored in the security verification platform and the vulnerabilities obtained from the vulnerability library into memory, so that the obtained vulnerabilities are deduplicated in memory;
and constructing a first storage structure in memory according to the different attributes of the vulnerabilities stored in the security verification platform.
To improve deduplication efficiency, the obtained vulnerabilities are deduplicated in memory, so the vulnerabilities stored in the security verification platform and the vulnerabilities obtained from the vulnerability library must both be loaded into memory. After deduplication, the deduplicated vulnerabilities must be stored in the security verification platform. Specifically, the vulnerabilities stored in the security verification platform are loaded into memory and a cveMap (map[cve_id]pool), a cnvdMap (map[cnvd_id]pool) and a ctMap (map[chatin_number]pool) structure are constructed.
Specifically, deduplicating the vulnerabilities obtained from the vulnerability database includes:
determining the number of each vulnerability obtained from the vulnerability database, where the number comprises a CVE number, a CNVD number and a custom number;
determining, according to that number, whether a vulnerability with the same attributes as the vulnerability obtained from the vulnerability database already exists in the security verification platform;
if so, the vulnerability obtained from the vulnerability database need not be added to the security verification platform; if not, adding the vulnerability obtained from the vulnerability database to the security verification platform.
It should be noted that a CNVD number identifies a vulnerability from the national information security vulnerability database, a CVE number identifies a vulnerability from the general vulnerability disclosure database, and the vulnerabilities in the custom vulnerability database are those available in neither the national information security vulnerability database nor the general vulnerability disclosure database.
In a preferred embodiment of the present application, after the deduplicated vulnerability information is obtained, the method includes:
loading a classification dictionary of the security verification platform into memory;
and mapping the vulnerability identifiers obtained from the vulnerability library to the vulnerability identifiers used in the security verification platform according to the classification dictionary, and constructing a second storage structure in memory according to the mapping between the identifiers in the security verification platform and the identifiers obtained from the vulnerability library.
It should be noted that the security verification platform is provided with a classification dictionary, which is used to identify uniformly the vulnerabilities obtained from the vulnerability library and the vulnerabilities in the security verification platform; at the same time a mapping between the vulnerabilities obtained from the library and those in the platform is established in memory, and specifically the second storage structure is a key-value storage structure.
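As an added illustration that is not the patent's own code, the in-memory deduplication of step S01 and the classification-dictionary mapping above, written in Go because the page's map[cve_id]pool notation is Go's; the record fields, the Index and MapIdentifiers names and every identifier value are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Vulnerability is a hypothetical record shape for an entry from either the
// vulnerability library or the security verification platform. The patent keys
// its lookup maps on a CVE number, a CNVD number or a custom number; the field
// names are assumptions made for this example.
type Vulnerability struct {
	CVEID     string // empty when the entry has no CVE number
	CNVDID    string // empty when the entry has no CNVD number
	CustomID  string // custom number for entries in neither public database
	LibraryID string // identifier used by the vulnerability library
}

// Index is the "first storage structure": one map per identifier kind, as in
// the patent's cveMap, cnvdMap and ctMap.
type Index struct {
	cveMap, cnvdMap, ctMap map[string]*Vulnerability
}

// normalize makes identifier comparison case- and whitespace-insensitive.
func normalize(id string) string { return strings.ToUpper(strings.TrimSpace(id)) }

// NewIndex loads the vulnerabilities already stored in the platform into memory.
func NewIndex(stored []Vulnerability) *Index {
	ix := &Index{map[string]*Vulnerability{}, map[string]*Vulnerability{}, map[string]*Vulnerability{}}
	for i := range stored {
		ix.add(&stored[i])
	}
	return ix
}

func (ix *Index) add(v *Vulnerability) {
	if v.CVEID != "" {
		ix.cveMap[normalize(v.CVEID)] = v
	}
	if v.CNVDID != "" {
		ix.cnvdMap[normalize(v.CNVDID)] = v
	}
	if v.CustomID != "" {
		ix.ctMap[normalize(v.CustomID)] = v
	}
}

// Known reports whether the platform already holds an entry sharing any
// identifier with v.
func (ix *Index) Known(v Vulnerability) bool {
	return (v.CVEID != "" && ix.cveMap[normalize(v.CVEID)] != nil) ||
		(v.CNVDID != "" && ix.cnvdMap[normalize(v.CNVDID)] != nil) ||
		(v.CustomID != "" && ix.ctMap[normalize(v.CustomID)] != nil)
}

// Deduplicate returns, in input order, the library entries the platform does
// not yet hold. Each new entry is added to the index so repeats within the
// library batch itself are dropped too; entries with no identifier at all are
// skipped because nothing could be compared.
func Deduplicate(ix *Index, fromLibrary []Vulnerability) []Vulnerability {
	var fresh []Vulnerability
	for _, v := range fromLibrary {
		if (v.CVEID == "" && v.CNVDID == "" && v.CustomID == "") || ix.Known(v) {
			continue
		}
		fresh = append(fresh, v)
		entry := v
		ix.add(&entry)
	}
	return fresh
}

// MapIdentifiers builds the "second storage structure": a key-value map from
// platform identifier to library identifier, using the classification
// dictionary (library identifier -> platform identifier). Library identifiers
// missing from the dictionary are returned separately for review.
func MapIdentifiers(dictionary map[string]string, deduped []Vulnerability) (map[string]string, []string) {
	mapping := map[string]string{}
	var unmapped []string
	for _, v := range deduped {
		if pid, ok := dictionary[v.LibraryID]; ok {
			mapping[pid] = v.LibraryID
		} else {
			unmapped = append(unmapped, v.LibraryID)
		}
	}
	return mapping, unmapped
}

func main() {
	// Constructed sample data; the identifiers are placeholders, not real entries.
	stored := []Vulnerability{{CVEID: "CVE-0000-0001", LibraryID: "lib-1"}}
	library := []Vulnerability{
		{CVEID: "cve-0000-0001", LibraryID: "lib-1"},   // already stored (case differs)
		{CNVDID: "CNVD-0000-0002", LibraryID: "lib-2"}, // new
		{CNVDID: "CNVD-0000-0002", LibraryID: "lib-3"}, // repeat inside the batch
		{CustomID: "CT-0003", LibraryID: "lib-4"},      // new custom entry
	}
	fresh := Deduplicate(NewIndex(stored), library)
	mapping, unmapped := MapIdentifiers(map[string]string{"lib-2": "plat-9"}, fresh)
	fmt.Println(len(fresh), mapping, unmapped) // 2 map[plat-9:lib-2] [lib-4]
}
```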
Step S02, determining an attack environment to be simulated according to the query expression;
Step S02 specifically includes:
acquiring a preliminary set of attack environments to be simulated through the FOFA search engine;
and querying within that preliminary set through the query expression to determine the attack environment to be simulated.
It should be noted that FOFA is a professional cyberspace search engine that can search for target information in a specific area through various keywords, query syntax and the like. Unlike conventional search engines, FOFA focuses on collecting and analysing information about the various entities in cyberspace.
The vulnerability to be used for the attack is determined in step S01: it is a deduplicated vulnerability, and the deduplicated vulnerabilities are stored in the security verification platform. The method must also determine the attack environment to be simulated for that vulnerability, because the attack environment used during vulnerability simulation has specific requirements. Specifically, a preliminary set of attack environments to be simulated is obtained through the FOFA search engine, and that preliminary set is then queried through the query expression to determine the attack environment to be simulated, where the query expression is stored in the vulnerability library.
Step S03, starting an HTTP proxy server;
it should be noted that, an HTTP proxy server needs to be started to collect HTTP request and response packets of an environment to be emulated by a vulnerability emulation attack.
After the HTTP proxy server is started, the method comprises the following steps:
and loading the description file and the attribute of the utilization mode of the loophole after the duplication removal into a memory, wherein the attribute comprises a loophole title, the influence generated by the loophole, a loophole repair suggestion and a loophole reference link.
It should be noted that, specifically, a poc_1.Json compression packet derived from the vulnerability library is loaded, where the poc_1.Json compression packet includes a vulnerability list and an utilization mode of each vulnerability, and a pocMap (map binding_id) poc structure is constructed in the memory;
all json files in a vulnerabilities folder derived from the vulnerability library are loaded, the vulnerabilities folder comprises properties of the vulnerability, the properties comprise vulnerability titles, vulnerability generating effects, vulnerability repair suggestions and vulnerability reference links, and a vulnerap (map [ binding_id ] vul) structure is constructed in a memory.
Step S04, simulating attack behavior against the attack environment to be simulated through the deduplicated vulnerabilities;
Step S04 specifically includes:
obtaining from memory the description file of the exploitation method and the attributes of the deduplicated vulnerability;
determining the type of the deduplicated vulnerability according to its description file and attributes;
if the deduplicated vulnerability is of the FOFA type, retrieving through the FOFA search engine interface the attack environments to be simulated that contain the vulnerability;
traversing the list of attack environments to be simulated to determine whether each is online, and if so, attacking the online attack environment through the deduplicated vulnerability; whether an attack environment to be simulated is online is judged as follows: a TCP connection to the attack environment is attempted with a timeout of 5 seconds; if a response is received within 5 seconds the environment is judged online, and if there is no response after more than 5 seconds it is judged offline.
judging whether the attack succeeded, and if so, recording through the HTTP proxy server the HTTP request and response packets of the attack behavior simulated by the deduplicated vulnerability against the attack environment, and storing them in the security verification platform.
It should be noted that step S04 mainly describes how the attack process is simulated through the vulnerability. Specifically, the poc_code folder is traversed; the poc_code folder is obtained by decompressing the poc_1.Json compressed package.
Traversing the poc_code folder specifically includes the following:
extracting the binding_id from the name of the poc_code folder;
obtaining, by the binding_id, the vulnerability attributes corresponding to the poc_code from the vulMap and the poc description of its exploitation method from the pocMap;
then judging the verification type of the poc;
first, judging whether the vulnerability is of the FOFA type; if not, skipping it and processing the next poc_code folder;
if the vulnerability is of the FOFA type, judging whether its FOFA field contains "="; if not, skipping the vulnerability and processing the next one; if it does, calling the API interface of the FOFA search engine to obtain the attack environments to be simulated that contain the vulnerability;
then traversing the attack environments to be simulated returned by the FOFA search engine; since the attack behavior through the vulnerability is aimed mainly at online attack environments, whether each environment is online must be detected; if detection shows that an attack environment is offline, it is skipped and the next one is processed; if it is online, the vulnerability is used to simulate a hacker attack against it;
after the simulated hacker attack on an online attack environment, if the attack was unsuccessful, the attack is tried again against the next online attack environment;
if the attack was successful, the HTTP request and response packets are recorded by the HTTP proxy server and stored in the security verification platform so that they can be reused. In a specific application scenario, only the HTTP request and response packets are collected, as test cases with which the security verification platform tests network security defenses.
After the HTTP proxy server has recorded the HTTP request and response packets of the attack behavior simulated by the deduplicated vulnerability against the attack environment to be simulated, the method includes the following steps:
judging whether the attack environment to be simulated is a sensitive environment;
and if so, replacing the identifier of the sensitive attack environment with a characteristic string.
It should be noted that when an attack environment to be simulated is attacked through a deduplicated vulnerability, the environment may be a sensitive one, so the identifier of a sensitive attack environment must be replaced by the characteristic string.
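As an added example that is not part of the patent, the recording HTTP proxy of step S03 and the sensitive-identifier replacement above in Go: a proxy that stores each request/response pair it forwards and, when the samples are read out, replaces a sensitive environment identifier with a characteristic string. The Recorder type, the {{SENSITIVE_HOST}} marker and the echoing target server are constructed for this example, which runs entirely against local test servers.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
	"sync"
)

// Sample is one recorded HTTP request/response pair, i.e. one collected test case.
type Sample struct {
	Host     string // identifier of the environment the request was sent to
	Request  string // raw request as received by the proxy
	Response string // raw response as returned by the environment
}

// Recorder is a forwarding HTTP proxy that keeps a copy of every exchange.
type Recorder struct {
	mu      sync.Mutex
	samples []Sample
	proxy   *httputil.ReverseProxy
}

func NewRecorder() *Recorder {
	// A proxy request carries an absolute URL, so a no-op Director forwards it as-is.
	return &Recorder{proxy: &httputil.ReverseProxy{Director: func(*http.Request) {}}}
}

// ServeHTTP dumps the request, forwards it, dumps the response, stores both
// and replays the response to the client.
func (r *Recorder) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	reqDump, err := httputil.DumpRequest(req, true) // DumpRequest restores req.Body
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	rec := httptest.NewRecorder()
	r.proxy.ServeHTTP(rec, req)
	resp := rec.Result()
	respDump, err := httputil.DumpResponse(resp, true) // DumpResponse restores resp.Body
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadGateway)
		return
	}
	r.mu.Lock()
	r.samples = append(r.samples, Sample{Host: req.Host, Request: string(reqDump), Response: string(respDump)})
	r.mu.Unlock()
	for k, vs := range resp.Header {
		w.Header()[k] = vs
	}
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, resp.Body)
}

// Samples returns the recorded exchanges; for every host listed as sensitive, its
// identifier is replaced by marker in the Host field and in both raw dumps.
func (r *Recorder) Samples(sensitive map[string]bool, marker string) []Sample {
	r.mu.Lock()
	defer r.mu.Unlock()
	out := make([]Sample, 0, len(r.samples))
	for _, s := range r.samples {
		if sensitive[s.Host] {
			s.Request = strings.ReplaceAll(s.Request, s.Host, marker)
			s.Response = strings.ReplaceAll(s.Response, s.Host, marker)
			s.Host = marker
		}
		out = append(out, s)
	}
	return out
}

// Collect runs the flow offline: a constructed target standing in for the
// environment, the recording proxy in front of it, and one client request routed
// through the proxy. markSensitive decides whether the target's identifier is redacted.
func Collect(markSensitive bool) ([]Sample, error) {
	target := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		body, _ := io.ReadAll(req.Body)
		fmt.Fprintf(w, "echo from %s: %s", req.Host, body) // response echoes the host identifier
	}))
	defer target.Close()
	rec := NewRecorder()
	proxy := httptest.NewServer(rec)
	defer proxy.Close()
	proxyURL, _ := url.Parse(proxy.URL)
	client := &http.Client{Transport: &http.Transport{Proxy: http.ProxyURL(proxyURL)}}
	resp, err := client.Post(target.URL+"/probe", "text/plain", strings.NewReader("constructed payload"))
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	host := strings.TrimPrefix(target.URL, "http://")
	return rec.Samples(map[string]bool{host: markSensitive}, "{{SENSITIVE_HOST}}"), nil
}
```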
Step S05, recording, through the HTTP proxy server, the HTTP request and response packets of the attack behavior simulated by the deduplicated vulnerability against the attack environment to be simulated, and storing them in the security verification platform.
According to the embodiment of the present application, the traffic of the simulated attacks is collected in batches based on the HTTP protocol and used as test cases for the security verification platform to test network security defense capability. Unlike the prior art, which must build a vulnerability shooting range in an actual environment and simulate attacks there to test defense capability, this avoids the problem that building a shooting range may create new exposed surfaces and bring unexpected attacks. At the same time, the problems that commercial product environments are not easy to build and that the large number of vulnerabilities increases the difficulty of assembling a shooting-range environment in practice are also avoided.
In a second aspect, as shown in fig. 2, an embodiment of the present application further provides an apparatus for collecting attack simulation samples in batches based on the HTTP protocol, including:
a deduplication module 21, configured to obtain vulnerabilities and query expressions from a vulnerability database, and to deduplicate the vulnerabilities obtained from the database against the vulnerabilities stored in the security verification platform, so as to obtain deduplicated vulnerabilities;
a determining module 22, configured to determine an attack environment to be simulated according to the query expression;
a starting module 23, configured to start the HTTP proxy server;
an attack module 24, configured to simulate attack behavior against the attack environment to be simulated through the deduplicated vulnerabilities;
and a recording module 25, configured to record, through the HTTP proxy server, the HTTP request and response packets of the attack behavior simulated by the deduplicated vulnerabilities against the attack environment to be simulated, and to store them in the security verification platform.
Compared with the prior art, the apparatus for collecting attack simulation samples in batches based on the HTTP protocol has the same beneficial effects as the method of the first aspect, which are not described again here.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the application.

Claims (10)

1. A method for batch acquisition of attack simulation samples based on the HTTP protocol, comprising:
obtaining vulnerabilities and query expressions from a vulnerability library, and deduplicating the vulnerabilities obtained from the library against the vulnerabilities stored in the security verification platform to obtain deduplicated vulnerabilities;
determining an attack environment to be simulated according to the query expression;
starting an HTTP proxy server;
simulating attack behavior against the attack environment to be simulated through the deduplicated vulnerabilities;
and recording, through the HTTP proxy server, the HTTP request and response packets of the simulated attack behavior against the attack environment to be simulated, and storing the HTTP request and response packets in the security verification platform.
2. The method of claim 1, wherein performing deduplication processing on the vulnerabilities obtained from the vulnerability library according to the vulnerabilities stored in the security verification platform comprises:
determining the number of each vulnerability obtained from the vulnerability library, wherein the number comprises a CVE number, a CNVD number and a custom number;
determining, according to the number of the vulnerability, whether a vulnerability with the same attribute as the vulnerability obtained from the vulnerability library already exists in the security verification platform;
if so, the vulnerability obtained from the vulnerability library does not need to be updated into the security verification platform; if not, updating the vulnerability obtained from the vulnerability library into the security verification platform.
3. The method for batch collection of attack simulation samples based on the HTTP protocol according to claim 1, wherein determining the attack environment to be simulated according to the query expression comprises:
obtaining a preliminary attack environment to be simulated through the FOFA search engine;
and querying within the preliminary attack environment to be simulated through the query expression to determine the attack environment to be simulated.
4. The method for batch collection of attack simulation samples based on the HTTP protocol as set forth in claim 1, wherein before performing deduplication processing on the obtained vulnerabilities according to the vulnerabilities stored in the security verification platform, the method comprises:
loading the vulnerabilities stored in the security verification platform and the vulnerabilities obtained from the vulnerability library into memory in order to perform deduplication processing on the obtained vulnerabilities;
and constructing a first storage structure in memory according to the different attributes of the vulnerabilities stored in the security verification platform.
5. The method for batch collection of attack simulation samples based on the HTTP protocol as set forth in claim 1, wherein after obtaining the deduplicated vulnerability information, the method comprises:
loading a classification dictionary of the security verification platform into memory;
and mapping the vulnerability identifiers obtained from the vulnerability library to vulnerability identifiers of the security verification platform according to the classification dictionary, and constructing a second storage structure in memory according to the mapping relation between the vulnerability identifiers of the security verification platform and the vulnerability identifiers obtained from the vulnerability library.
6. The method for batch collection of attack simulation samples based on the HTTP protocol as set forth in claim 1, wherein after the HTTP proxy server is started, the method comprises:
loading the description file and the attributes of the exploitation mode of the deduplicated vulnerabilities into memory, wherein the attributes comprise a vulnerability title, the impact caused by the vulnerability, a vulnerability remediation suggestion and a vulnerability reference link.
7. The method for batch collection of attack simulation samples based on the HTTP protocol as set forth in claim 6, wherein simulating the attack behavior against the attack environment to be simulated through the HTTP proxy server and the deduplicated vulnerabilities comprises:
obtaining the description file and the attributes of the exploitation mode of the deduplicated vulnerabilities from memory;
determining the type of each deduplicated vulnerability according to its description file and attributes;
if the type of the deduplicated vulnerability is the FOFA type, retrieving, through the FOFA search engine interface, the attack environments to be simulated that contain the deduplicated vulnerability;
traversing the list of attack environments to be simulated to determine whether each attack environment to be simulated is online, and if so, attacking the online attack environment to be simulated through the deduplicated vulnerability;
judging whether the attack succeeded, and if so, recording through the HTTP proxy server the HTTP request and response packets of the simulated attack behavior performed against the attack environment to be simulated through the deduplicated vulnerability, and storing the HTTP request and response packets in the security verification platform.
8. The method of claim 7, wherein determining the type of the deduplicated vulnerability according to the description file and the attributes of the exploitation mode of the deduplicated vulnerability comprises:
judging whether the FOFA field of the deduplicated vulnerability contains "=", and if so, determining that the deduplicated vulnerability is of the FOFA type.
9. The method of claim 1, wherein after recording, through the HTTP proxy server, the HTTP request and response packets of the simulated attack behavior performed against the attack environment to be simulated through the deduplicated vulnerabilities, the method comprises:
judging whether the attack environment to be simulated is a sensitive attack environment to be simulated;
and if so, replacing the identifier of the sensitive attack environment to be simulated with a characteristic character string.
10. An apparatus for batch collection of attack simulation samples based on the HTTP protocol, comprising:
a deduplication module configured to obtain vulnerabilities and query expressions from a vulnerability library, perform deduplication processing on the vulnerabilities obtained from the vulnerability library according to the vulnerabilities stored in a security verification platform, and obtain deduplicated vulnerabilities;
a determining module configured to determine an attack environment to be simulated according to the query expression;
a starting module configured to start an HTTP proxy server;
an attack module configured to simulate attack behavior against the attack environment to be simulated through the deduplicated vulnerabilities;
and a recording module configured to record, through the HTTP proxy server, the HTTP request and response packets of the simulated attack behavior performed against the attack environment to be simulated through the deduplicated vulnerabilities, and store the HTTP request and response packets in the security verification platform.
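The deduplication and identifier-mapping steps of claims 2, 4 and 5, as an added example that is not the patent's own code. It keeps one in-memory map per number attribute (the "first storage structure"), treats a match on any of the CVE, CNVD or custom numbers as "already stored", and then maps the library's category identifiers to the platform's identifiers through a classification dictionary (the "second storage structure"). The record layout, the function names, the `uncategorized` fallback and every sample number are constructed assumptions.

```python
"""Vulnerability deduplication and identifier mapping (claims 2, 4, 5).

Added example, not the patent's own code. The record layout, function names
and all sample numbers are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vuln:
    """One vulnerability record; any of the three numbers may be absent."""
    title: str
    cve: Optional[str] = None
    cnvd: Optional[str] = None
    custom: Optional[str] = None
    lib_category: Optional[str] = None  # identifier used by the vulnerability library


NUMBER_ATTRS = ("cve", "cnvd", "custom")


def _register(index: Dict[str, Dict[str, Vuln]], v: Vuln) -> None:
    """Put v into every per-attribute map for which it carries a number."""
    for attr in NUMBER_ATTRS:
        key = getattr(v, attr)
        if key:
            index[attr][key.upper()] = v  # numbers compared case-insensitively


def build_index(stored: List[Vuln]) -> Dict[str, Dict[str, Vuln]]:
    """'First storage structure' (claim 4): one in-memory map per number
    attribute, built from the vulnerabilities the platform already holds."""
    index: Dict[str, Dict[str, Vuln]] = {attr: {} for attr in NUMBER_ATTRS}
    for v in stored:
        _register(index, v)
    return index


def is_known(v: Vuln, index: Dict[str, Dict[str, Vuln]]) -> bool:
    """Claim 2: a match on any one number means the platform already has it."""
    for attr in NUMBER_ATTRS:
        key = getattr(v, attr)
        if key and key.upper() in index[attr]:
            return True
    return False


def deduplicate(stored: List[Vuln], incoming: List[Vuln]) -> List[Vuln]:
    """Return only the incoming vulnerabilities that must be added to the platform."""
    index = build_index(stored)
    fresh: List[Vuln] = []
    for v in incoming:
        if is_known(v, index):
            continue  # already present: no update needed
        fresh.append(v)
        _register(index, v)  # also drops repeats within the same batch
    return fresh


def map_identifiers(fresh: List[Vuln], classification: Dict[str, str]) -> Dict[str, str]:
    """Claim 5: map library identifiers to platform identifiers through the
    classification dictionary. The returned mapping is the 'second storage
    structure'; identifiers the dictionary lacks get a constructed fallback."""
    mapping: Dict[str, str] = {}
    for v in fresh:
        if v.lib_category is not None:
            mapping[v.lib_category] = classification.get(v.lib_category, "uncategorized")
    return mapping


# Constructed sample data; the numbers below are placeholders, not real identifiers.
STORED = [
    Vuln("Stored RCE", cve="CVE-0000-0001", lib_category="rce"),
    Vuln("Stored SSRF", cnvd="CNVD-0000-00002", lib_category="ssrf"),
]
INCOMING = [
    Vuln("RCE again", cve="cve-0000-0001"),                      # same CVE, different case
    Vuln("SSRF again", cnvd="CNVD-0000-00002", custom="X-1"),    # same CNVD number
    Vuln("New XSS", custom="X-7", lib_category="xss"),
    Vuln("New XSS repeated", custom="X-7", lib_category="xss"),  # repeat inside the batch
    Vuln("New file read", cve="CVE-0000-0009", lib_category="file-read"),
]
CLASSIFICATION = {"rce": "web/rce", "ssrf": "web/ssrf", "xss": "web/xss"}


def run_example() -> Tuple[List[str], Dict[str, str]]:
    """Deduplicate the constructed batch and map the survivors' identifiers."""
    fresh = deduplicate(STORED, INCOMING)
    return [v.title for v in fresh], map_identifiers(fresh, CLASSIFICATION)


if __name__ == "__main__":
    print(run_example())
```

Of the five incoming records only "New XSS" and "New file read" survive: two are rejected by a stored CVE or CNVD number, and the in-batch repeat is caught because every accepted record is registered in the index immediately. The `file-read` identifier has no entry in the dictionary and is mapped to the fallback rather than dropped, so the gap is visible in the mapping instead of silently losing the record.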
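The recording and masking steps of claims 1 and 9, as an added example that is not the patent's own code: a minimal recording HTTP proxy built on the Python standard library stores each relayed GET as one request/response sample and, when the upstream host is marked sensitive, replaces its identifier with a placeholder before the sample is kept. The sample layout, the placeholder string `{{SENSITIVE_TARGET}}`, the `sensitive_hosts` list, the local stand-in target and all function names are assumptions. The demo attacks nothing: it relays an ordinary GET to a local server, which is enough to show what a stored sample looks like and how the masking of claim 9 touches the request line, the Host header and the body alike.

```python
"""Recording HTTP request/response samples and masking sensitive identifiers
(claims 1 and 9). Added example, not the patent's own code; sample layout,
placeholder string, local demo target and function names are assumptions."""
import http.client
import http.server
import json
import re
import threading
from typing import Dict, List
from urllib.parse import urlsplit

SENSITIVE_PLACEHOLDER = "{{SENSITIVE_TARGET}}"  # assumed "characteristic character string"
SAMPLES: List[Dict] = []                        # stands in for the platform's sample store


def make_sample(req_line: str, req_headers, status: int, resp_headers, body: bytes) -> Dict:
    """One stored sample: request line and headers, response status, headers and body."""
    return {
        "request": {"line": req_line, "headers": dict(req_headers)},
        "response": {"status": status, "headers": dict(resp_headers),
                     "body": body.decode("utf-8", "replace")},
    }


def mask_sensitive(sample: Dict, identifiers: List[str]) -> Dict:
    """Claim 9: replace every occurrence of a sensitive environment identifier
    with the placeholder. Works on a JSON rendering so no field is missed;
    the input sample is left untouched and a masked copy is returned."""
    text = json.dumps(sample)
    for ident in identifiers:
        text = re.sub(re.escape(ident), SENSITIVE_PLACEHOLDER, text)
    return json.loads(text)


class RecordingProxy(http.server.BaseHTTPRequestHandler):
    """Minimal forward proxy for GET: relays upstream, answers the client,
    then records both halves as one sample (masked if the host is sensitive)."""
    sensitive_hosts: List[str] = []  # "host:port" strings whose identity must be masked

    def do_GET(self) -> None:
        url = urlsplit(self.path)  # a proxied request line carries the absolute URL
        path = (url.path or "/") + (("?" + url.query) if url.query else "")
        fwd_headers = {k: v for k, v in self.headers.items() if k.lower() != "proxy-connection"}
        upstream = http.client.HTTPConnection(url.hostname, url.port or 80, timeout=5)
        upstream.request("GET", path, headers=fwd_headers)
        resp = upstream.getresponse()
        body = resp.read()
        upstream.close()
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in ("transfer-encoding", "connection", "content-length"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))  # body is fully buffered
        self.end_headers()
        self.wfile.write(body)
        sample = make_sample(self.requestline, self.headers, resp.status, resp.getheaders(), body)
        host = f"{url.hostname}:{url.port or 80}"
        if host in self.sensitive_hosts:
            sample = mask_sensitive(sample, [host])
        SAMPLES.append(sample)

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


class _DemoTarget(http.server.BaseHTTPRequestHandler):
    """Constructed local stand-in for an environment, so the demo runs offline."""
    def do_GET(self) -> None:
        body = b'{"status": "ok"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:
        pass


def _serve(handler) -> http.server.HTTPServer:
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo() -> Dict:
    """Start target and proxy locally, send one GET through the proxy, return the sample."""
    target = _serve(_DemoTarget)
    target_host = f"127.0.0.1:{target.server_port}"
    RecordingProxy.sensitive_hosts = [target_host]  # treat the stand-in as sensitive
    proxy = _serve(RecordingProxy)
    client = http.client.HTTPConnection("127.0.0.1", proxy.server_port, timeout=5)
    client.request("GET", f"http://{target_host}/api/ping?v=1", headers={"Host": target_host})
    client.getresponse().read()
    client.close()
    target.shutdown()
    proxy.shutdown()
    return SAMPLES[-1]


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the block prints one sample in which `http://127.0.0.1:<port>/api/ping?v=1` in the request line and the Host header both read `http://{{SENSITIVE_TARGET}}/api/ping?v=1` and `{{SENSITIVE_TARGET}}`. Masking the JSON rendering rather than individual fields is deliberate: a sample stored for later verification often echoes the target's address in places the collector did not anticipate (redirect `Location` headers, error pages, absolute links in bodies), and a field-by-field mask would leave those copies behind.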

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311506157.7A CN117240622B (en) 2023-11-13 2023-11-13 Method and device for collecting attack simulation samples in batches based on HTTP protocol

Publications (2)

Publication Number Publication Date
CN117240622A true CN117240622A (en) 2023-12-15
CN117240622B CN117240622B (en) 2024-01-23

Family

ID=89088408

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20080065084A (en) * 2007-01-08 2008-07-11 유디코스모 주식회사 Method and apparatus for analyzing network vulnerability using the attack simulation
US20130055394A1 (en) * 2011-08-24 2013-02-28 Yolanta Beresnevichiene Network security risk assessment
US20140082737A1 (en) * 2012-09-19 2014-03-20 International Business Machines Corporation Mining attack vectors for black-box security testing
US20150242636A1 (en) * 2014-02-25 2015-08-27 The Board Of Regents, The University Of Texas System Systems and methods for automated detection of application vulnerabilities
CN112615836A (en) * 2020-12-11 2021-04-06 杭州安恒信息技术股份有限公司 Industrial control network safety protection simulation system
CN114969760A (en) * 2022-06-16 2022-08-30 成都欧珀通信科技有限公司 Vulnerability detection method and device, computer readable medium and electronic equipment
CN115801464A (en) * 2023-02-06 2023-03-14 北京长亭未来科技有限公司 Analog simulation method, system, equipment and storage medium based on TCP protocol attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant