CN117278245A - Data acquisition method, device and storage medium for Internet simulation scene - Google Patents


Info

Publication number
CN117278245A
Authority
CN
China
Prior art keywords
attack
vulnerability
data
collection
basic
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310928294.3A
Other languages
Chinese (zh)
Inventor
顾钊铨
贾焰
方滨兴
马昶昶
景晓
李润恒
向夏雨
周可
罗翠
袁华平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Yilan Situation Technology Co ltd
Guangzhou University
Peng Cheng Laboratory
Original Assignee
Sichuan Yilan Situation Technology Co ltd
Guangzhou University
Peng Cheng Laboratory
Application filed by Sichuan Yilan Situation Technology Co ltd, Guangzhou University, Peng Cheng Laboratory
Priority to CN202310928294.3A
Publication of CN117278245A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a data acquisition method, a device and a storage medium for an Internet simulation scene. The method comprises: performing vulnerability scanning on the Internet simulation scene and classifying the vulnerabilities obtained to form a vulnerability collection; associating the vulnerability collection with a preset attack type classification data set to obtain the basic attacks corresponding to the vulnerability collection, where the attack type classification data set records the correspondence between vulnerabilities and intrusion attack behaviors; determining the data sources of the terminal (endpoint) side according to the basic attacks and a preset attack model framework, and determining the traffic detection rules of the traffic side according to the basic attacks and a preset traffic detection rule base, where the attack model framework records the correspondence between attack types and data sources; and performing targeted data acquisition based on the correspondence between the vulnerability collection, the data sources and the traffic detection rules. In the embodiments of the invention, intrusion detection can be supported by acquiring data only for the vulnerabilities or weak points actually present in the scene, so that the system overhead of data acquisition is reduced.

Description

Data acquisition method, device and storage medium for Internet simulation scene
Technical Field
The application relates to the technical field of network attack and defense exercises, and in particular to a data acquisition method, device and storage medium for an Internet simulation scene.
Background
In an Internet simulation environment the attack and defense exercise must be monitored: the specific operations of the attacking and defending parties are observed, their behavior is assessed, and the attack and defense mechanisms are analyzed. The specific behavior of the attacker is, in effect, network intrusion behavior. To monitor and detect it, an intrusion detection system is usually built into the scene, network security data is collected, and the intrusion behavior is analyzed and detected. To improve the accuracy and completeness of detection, several intrusion detection modes are usually combined, such as building a network intrusion detection system or deploying multiple intrusion detection devices.
A popular intrusion detection solution is the rule-based network intrusion detection system (NIDS), which detects intrusions by matching network traffic arriving from the Internet against existing detection rules. A NIDS can monitor network traffic in real time, and its rule base can be designed incrementally: when a new network intrusion pattern appears, new rules are written and added to the detection rule base. The steady growth of the rule base, however, further increases the consumption of system resources.
Disclosure of Invention
The embodiments of the application provide a data acquisition method, a device and a storage medium for an Internet simulation scene, which reduce the system overhead of data acquisition.
In a first aspect, an embodiment of the application provides a data acquisition method for an Internet simulation scene, comprising:
performing vulnerability scanning on the Internet simulation scene, and classifying the vulnerabilities obtained by scanning to obtain a vulnerability collection;
associating the vulnerability collection with a preset attack type classification data set to obtain the basic attacks corresponding to the vulnerability collection, where the attack type classification data set records the correspondence between vulnerabilities and intrusion attack behaviors, and a basic attack characterizes an intrusion attack behavior in the Internet simulation scene;
determining the data sources of the terminal side according to the basic attacks and a preset attack model framework, and determining the traffic detection rules of the traffic side according to the basic attacks and a preset traffic detection rule base, where the attack model framework records the correspondence between attack types and data sources, and the traffic detection rule base records the correspondence between vulnerability types and traffic detection rules;
and performing targeted data acquisition based on the correspondence between the vulnerability collection, the data sources and the traffic detection rules.
In some embodiments, performing vulnerability scanning on the Internet simulation scene and classifying the vulnerabilities obtained by scanning to obtain a vulnerability collection comprises:
determining the network resources and network topology of the Internet simulation scene;
scanning the Internet simulation scene according to the network resources and network topology to obtain a plurality of vulnerabilities, where each vulnerability corresponds to an asset of the Internet simulation scene;
and grouping the plurality of vulnerabilities according to the classification information in CVE (Common Vulnerabilities and Exposures) to obtain the vulnerability collection.
In some embodiments, the attack type classification data set is CAPEC (Common Attack Pattern Enumeration and Classification), and associating the vulnerability collection with the preset attack type classification data set to obtain the basic attacks corresponding to the vulnerability collection comprises:
associating the vulnerability collection according to the correspondence between vulnerabilities and intrusion attack behaviors recorded in CAPEC together with preset attack-vulnerability association information, to obtain the correspondence between the vulnerability collection and the basic attacks;
where the attack-vulnerability association information serves as a supplementary set to the correspondence between vulnerabilities and intrusion attack behaviors in CAPEC.
In some embodiments, determining the data sources of the terminal side according to the basic attacks and the preset attack model framework comprises:
determining the attack model framework;
and establishing a mapping between the basic attacks and the attack types in the attack model framework, and determining the target data sources corresponding to the basic attacks.
In some embodiments, determining the attack model framework comprises:
determining the tactics, techniques, sub-techniques and corresponding data sources in the framework content according to the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework;
and constructing the attack model framework from the determined tactics, techniques, sub-techniques and corresponding data sources.
In some embodiments, determining the traffic detection rules of the traffic side according to the basic attacks and the preset traffic detection rule base comprises:
determining the traffic detection rule base;
and establishing a mapping between the vulnerability collection corresponding to the basic attacks and the vulnerability types in the traffic detection rule base, and determining the target traffic detection rules corresponding to the basic attacks.
In some embodiments, determining the traffic detection rule base comprises:
collecting a Snort rule set and structuring the data of the Snort rule set;
and constructing the traffic detection rule base from the structured Snort rule set.
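The two steps above (structuring a Snort rule set into a traffic detection rule base, then selecting the target rules for the vulnerabilities present) can be demonstrated as follows. This is an added Python example, not code from the patent or from the Snort project. The rule lines, sids and CVE numbers are constructed sample data, and the example assumes that the vulnerability type used for matching is the CVE id carried in a rule's reference option; rules without a CVE reference stay in the structured set but are never selected.

```python
import re
from collections import defaultdict

# Constructed sample rule set in Snort 2 rule syntax (sample data, not a real ruleset;
# the sids and the 2099-series CVE numbers are placeholders used only to show the
# reference: option that ties a rule to a vulnerability).
SAMPLE_RULES = r'''
# comment lines and blank lines are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB overflow attempt"; flow:to_server,established; content:"|FF|SMB"; reference:cve,2099-0101; classtype:attempted-admin; sid:9000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE JNDI lookup in header"; flow:to_server,established; content:"${jndi:"; nocase; reference:cve,2099-0202; reference:url,example.invalid/advisory; classtype:web-application-attack; sid:9000002; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE DNS anomaly without CVE reference"; classtype:misc-activity; sid:9000003; rev:1;)
'''

# Rule header: action, protocol, source/port, direction, destination/port, then "(options)".
RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$'
)


def parse_options(opts):
    """Split the rule body on ';' outside quotes (honouring backslash escapes);
    repeated keys such as reference and content become lists."""
    parsed = defaultdict(list)
    buf, in_quotes, escaped = [], False, False
    for ch in opts + ';':          # trailing ';' flushes the last option
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == '\\':
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quotes = not in_quotes
        elif ch == ';' and not in_quotes:
            part = ''.join(buf).strip()
            buf = []
            if part:
                key, _, value = part.partition(':')
                parsed[key.strip()].append(value.strip())
        else:
            buf.append(ch)
    return parsed


def structure_rules(rule_text):
    """Turn raw Snort rule lines into records holding the fields the rule base needs."""
    records = []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # not a rule line (e.g. a preprocessor directive); skipped
        opts = parse_options(m.group('opts'))
        cves = sorted({
            'CVE-' + ref.split(',', 1)[1].strip().upper()
            for ref in opts.get('reference', [])
            if ref.lower().startswith('cve,')
        })
        records.append({
            'sid': int(opts['sid'][0]),
            'rev': int(opts.get('rev', ['1'])[0]),
            'msg': opts['msg'][0].strip('"'),
            'classtype': opts.get('classtype', [''])[0],
            'proto': m.group('proto'),
            'dst_port': m.group('dport'),
            'cves': cves,
            'raw': line,
        })
    return records


def build_rule_base(records):
    """Index the structured rules by the vulnerability (CVE id) each one covers."""
    base = defaultdict(list)
    for rec in records:
        for cve in rec['cves']:
            base[cve].append(rec)
    return dict(base)


def select_rules(rule_base, vulnerability_collection):
    """Keep only rules tied to vulnerabilities present in the scene, de-duplicated by sid."""
    chosen = {}
    for cve in vulnerability_collection:
        for rec in rule_base.get(cve.upper(), []):
            chosen[rec['sid']] = rec
    return [chosen[sid] for sid in sorted(chosen)]


def render_rule_file(selected):
    """Emit the chosen rules as a rules file that snort.conf can include."""
    return ''.join(rec['raw'] + '\n' for rec in selected)


if __name__ == '__main__':
    base = build_rule_base(structure_rules(SAMPLE_RULES))
    print(render_rule_file(select_rules(base, ['CVE-2099-0202'])))
```

The rule base is keyed by CVE rather than by sid so that the selection step is a direct lookup from the vulnerability collection; the rendered subset is what the traffic-side sensor loads instead of the full rule set.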
In some embodiments, performing targeted data acquisition based on the correspondence between the vulnerability collection, the data sources and the traffic detection rules comprises:
determining the current vulnerability collection and the current basic attacks corresponding to it;
determining the data sources to be acquired according to the current basic attacks;
and determining the traffic detection rules to apply according to the current vulnerability collection.
In a second aspect, an embodiment of the application provides a data acquisition device for an Internet simulation scene, comprising:
a scanning module, configured to perform vulnerability scanning on the Internet simulation scene and classify the vulnerabilities obtained by scanning to obtain a vulnerability collection;
a basic attack association module, configured to associate the vulnerability collection with a preset attack type classification data set to obtain the basic attacks corresponding to the vulnerability collection, where the attack type classification data set records the correspondence between vulnerabilities and intrusion attack behaviors, and a basic attack characterizes an intrusion attack behavior in the Internet simulation scene;
a mapping module, configured to determine the data sources of the terminal side according to the basic attacks and a preset attack model framework, and to determine the traffic detection rules of the traffic side according to the basic attacks and a preset traffic detection rule base, where the attack model framework records the correspondence between attack types and data sources, and the traffic detection rule base records the correspondence between vulnerability types and traffic detection rules;
and a targeted acquisition module, configured to perform targeted data acquisition based on the correspondence between the vulnerability collection, the data sources and the traffic detection rules.
In a third aspect, an embodiment of the application provides a data acquisition device for an Internet simulation scene, comprising at least one processor and a memory communicatively connected to the at least one processor; the memory stores instructions executable by the at least one processor so that the at least one processor can perform the data acquisition method of the first aspect.
In a fourth aspect, an embodiment of the application provides a computer-readable storage medium storing computer-executable instructions for causing a computer to perform the data acquisition method of the first aspect.
The data acquisition method, device and storage medium for an Internet simulation scene have the following beneficial effects: in the Internet simulation scene, the scanned vulnerabilities are classified and grouped to obtain a vulnerability collection, the vulnerability collection is associated with basic attacks, and targeted data acquisition is then carried out separately on the terminal side and the traffic side. The terminal side determines the data sources to be acquired through the attack types in the attack model framework, and the traffic side determines the traffic detection rules through the vulnerability types in the traffic detection rule base, so that during an attack and defense exercise in the Internet simulation scene intrusion detection is supported by acquiring data only for the vulnerabilities or weak points actually present.
Drawings
FIG. 1 is a general flow chart of a data collection method for an Internet simulation scenario provided in one embodiment of the present application;
FIG. 2 is a flowchart of a specific method of step S101 in FIG. 1;
FIG. 3 is a flowchart of a specific method of step S102 in FIG. 1;
FIG. 4 is a flowchart of a specific method of step S103 in FIG. 1;
FIG. 5 is a flowchart of a specific method of step S401 in FIG. 4;
FIG. 6 is a flowchart of a specific method of step S103 in FIG. 1;
FIG. 7 is a flowchart of a specific method of step S601 in FIG. 6;
FIG. 8 is a flowchart of a specific method of step S104 in FIG. 1;
FIG. 9 is a schematic diagram of a device for data acquisition for Internet simulation scenarios according to one embodiment of the present application;
FIG. 10 is a general flow chart of a method of data collection for an Internet simulation scenario provided by one example of the present application;
FIG. 11 is a schematic structural diagram of a data acquisition device for an Internet simulation scene according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
In a network technology simulation and verification platform, a network attack and defense exercise generally requires a simulated Internet scene to be built for the attacking and defending parties. The Internet simulation scene is a network environment set up for a particular exercise objective, which may be an attack against a certain vulnerability, the reproduction of a certain security incident, and so on. In the Internet simulation environment the exercise must be monitored: the specific operations of the attacking and defending parties are observed, their behavior is assessed, and the attack and defense mechanisms are analyzed. The specific behavior of the attacker is, in effect, network intrusion behavior. To monitor and detect it, an intrusion detection system is usually built into the scene, network security data is collected, and the intrusion behavior is detected by analysis. To improve the accuracy and completeness of detection, several intrusion detection modes are usually combined, such as building a network intrusion detection system or deploying multiple intrusion detection devices. This necessarily costs the system more resources, and multiple intrusion detection devices may disagree, for example by raising different alarms for the same attack; such inconsistent alarm information hinders unified analysis of the intrusion behavior and the monitoring and study of network attacks.
A popular intrusion detection solution is the rule-based network intrusion detection system (NIDS), which detects intrusions by matching network traffic arriving from the Internet against existing detection rules. Specifically, a rule-based NIDS inspects all traffic on the network segment, processes the traffic data into an information format the detection system can use, and compares it with the known attack rules in the rule base; when a match succeeds, the detection system raises an alarm to flag the abnormal behavior. The detection accuracy of a rule-based NIDS is generally high, and the system can be designed incrementally, i.e. when a new network intrusion pattern appears, new rules are written and added to the detection rule base. Taking Snort as an example, this open-source intrusion detection software works from threat detection rules set in advance, monitors network traffic in real time, and can also replay packet capture files in pcap format. For an existing rule-based NIDS the detection rules are therefore the core content, and the completeness of the rule base is critical to intrusion detection; but the steady growth of the rule base further increases the consumption of system resources.
To solve these problems, the embodiment provides a data acquisition method, device and storage medium for an Internet simulation scene. In the Internet simulation scene, the scanned vulnerabilities are classified and grouped to obtain a vulnerability collection, the vulnerability collection is associated with basic attacks, and targeted data acquisition is then carried out separately on the terminal side and the traffic side: the terminal side determines the data sources that need to be acquired through the attack types in the attack model framework, and the traffic side determines the traffic detection rules through the vulnerability types in the traffic detection rule base. This amounts to acquiring data only for the vulnerabilities or weak points actually present in order to support intrusion detection during an attack and defense exercise in the Internet simulation scene.
Referring to FIG. 1, FIG. 1 is a flowchart of a data acquisition method according to an embodiment of the present application. The data acquisition method for an Internet simulation scene includes, but is not limited to, the following steps S101 to S104.
Step S101: perform vulnerability scanning on the Internet simulation scene, and classify the vulnerabilities obtained to form a vulnerability collection.
In step S101 of some embodiments, vulnerability scanning is performed on the Internet simulation scene to obtain the vulnerabilities present in the various simulated scenes, and the vulnerabilities found are classified to obtain a vulnerability collection covering several vulnerability types. This facilitates vulnerability analysis and evaluation, provides a better basis for them, and helps the subsequent improvement of security policies and of the ability to cope with vulnerabilities.
It should be noted that the Internet simulation scene is a network environment set up for a particular attack and defense experiment objective, and that when the scene is built, its host resources, network environment, network topology, host vulnerabilities and other information are recorded. The scene must therefore be scanned in a way that does not itself generate attack behavior. Vulnerability scanning may be carried out with a vulnerability scanning tool such as Nmap, Nessus or OpenVAS, and the vulnerabilities are grouped according to CVE (Common Vulnerabilities and Exposures); the scanning process itself is not described in detail here.
Step S102: associate the vulnerability collection with a preset attack type classification data set to obtain the basic attacks corresponding to the vulnerability collection.
It should be noted that the attack type classification data set records the correspondence between vulnerabilities and intrusion attack behaviors, and that a basic attack characterizes an intrusion attack behavior in the Internet simulation scene.
In step S102 of some embodiments, the vulnerability collection is associated with the preset attack type classification data set, so that the vulnerabilities of the Internet simulation scene are linked to basic attacks. This effectively integrates the relations between different systems: the data sets reference and complement each other, the expression space of the information is enlarged, and each item of data carries several pieces of associated information.
It should be noted that in this embodiment the attack type classification data set is CAPEC, the Common Attack Pattern Enumeration and Classification; it is not described in detail here.
Step S103: determine the data sources of the terminal side according to the basic attacks and a preset attack model framework, and determine the traffic detection rules of the traffic side according to the basic attacks and a preset traffic detection rule base.
It should be noted that the attack model framework records the correspondence between attack types and data sources, and the traffic detection rule base records the correspondence between vulnerability types and traffic detection rules.
In step S103 of some embodiments, the data sources of the terminal side are determined according to the basic attacks and the preset attack model framework, so that the target data on the terminal side can be acquired later, and the traffic detection rules of the traffic side are determined according to the basic attacks and the preset traffic detection rule base, so that the data on the traffic side can be acquired later. During an attack and defense exercise in the Internet simulation scene, data is thus acquired only for the vulnerabilities or weak points present in order to support intrusion detection; full traffic capture is not required, and the consumption of system resources is reduced.
Step S104: perform targeted data acquisition based on the correspondence between the vulnerability collection, the data sources and the traffic detection rules.
In step S104 of some embodiments, targeted data acquisition is performed based on the correspondence between the vulnerability collection, the data sources and the traffic detection rules, so that acquisition is confined to the targeted scope and the system resource consumption and time cost of detection are greatly reduced.
Referring to FIG. 2, FIG. 2 is a flowchart of a specific method of step S101 in FIG. 1 and further describes step S101, which includes, but is not limited to, steps S201 to S203.
Step S201: determine the network resources and network topology of the Internet simulation scene.
Step S202: scan the Internet simulation scene according to the network resources and network topology to obtain a plurality of vulnerabilities, each corresponding to an asset of the Internet simulation scene.
Step S203: group the plurality of vulnerabilities according to the classification information in CVE to obtain the vulnerability collection.
In steps S201 to S203 of some embodiments, when vulnerability scanning is performed on the Internet simulation scene, the network resources and network topology of the scene are determined first, so that a real network environment is simulated and the interactions and behavior between the components of the network are better understood; the scene is then scanned according to the network resources and network topology to obtain a plurality of vulnerabilities, each corresponding to an asset of the scene; finally, the vulnerabilities are grouped according to the classification information in CVE to obtain the vulnerability collection. This facilitates vulnerability analysis and evaluation, provides a better basis for them, and helps the subsequent improvement of security policies and of the ability to cope with vulnerabilities.
It should be noted that CVE in this embodiment is effectively a dictionary: it gives a common name to each widely recognized or publicly disclosed information security vulnerability. Using the common name helps users share data between vulnerability databases and vulnerability assessment tools that are otherwise independent of each other. For example, if a vulnerability report identifies a vulnerability by its CVE name, the corresponding patch information can be found quickly in any other CVE-compatible database, which helps resolve the security problem.
It can be appreciated that the classification information in CVE may be vulnerability information collected from different disclosure channels, such as vulnerability databases and vendor bulletins, and includes, but is not limited to, the vulnerability name, vulnerability number and vulnerability description. When the vulnerabilities are classified according to the classification information in CVE, each collected vulnerability is placed in the corresponding classification dimension according to that information, which facilitates subsequent queries, analysis and summaries.
Referring to FIG. 3, FIG. 3 is a flowchart of a specific method of step S102 in FIG. 1 and further describes step S102, which includes, but is not limited to, step S301.
Step S301: associate the vulnerability collection according to the correspondence between vulnerabilities and intrusion attack behaviors recorded in CAPEC together with preset attack-vulnerability association information, to obtain the correspondence between the vulnerability collection and the basic attacks.
It should be noted that the attack-vulnerability association information serves as a supplementary set to the correspondence between vulnerabilities and intrusion attack behaviors in CAPEC.
It can be appreciated that CAPEC is a classified data set of common attack types; common attack patterns include, for example, an authorization attack such as remote file inclusion and an authentication attack such as cross-site request forgery.
In step S301 of some embodiments, the vulnerability collection is associated according to the correspondence between vulnerabilities and intrusion attack behaviors in CAPEC and the preset attack-vulnerability association information, to obtain the correspondence between the vulnerability collection and the basic attacks. This links the vulnerability collection to basic attacks and makes it easier to remediate the vulnerabilities in the collection.
It should be noted that the classification standard for basic attacks in this embodiment is derived from CAPEC. The vulnerability collection may be associated automatically using CAPEC, or by a semi-automatic method that relies on data analysis and machine algorithms and combines them with manual review to produce the result, so that the vulnerability collection is associated accurately.
In some embodiments, the CAPEC data set is a database of the classification and description of common attack patterns, including, but not limited to, the attack pattern number, name, category and attribute information.
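The grouping of steps S201 to S203 and the association of step S301 can be demonstrated together as follows. This is an added Python example, not the patent's implementation. It assumes that the scanner reports a CWE weakness class for each CVE (as NVD does), uses CAPEC's Related Weaknesses relation, inverted to a CWE to CAPEC table, as the correspondence between vulnerabilities and attack patterns, and uses a direct CVE to CAPEC table as the supplementary attack-vulnerability association set. The findings and the 2099-series CVE ids are constructed; the CWE to CAPEC excerpt and the supplementary entries are illustrative. Vulnerabilities that neither table reaches are returned separately, since those are the ones the semi-automatic association described above must handle.

```python
from collections import defaultdict

# Constructed scanner output as (asset, CVE id, CWE id reported by the scanner or None).
# The CVE ids are placeholders in the 2099 range, not real vulnerabilities; NVD-CWE-noinfo
# is the value NVD uses when no weakness class is known.
SCAN_FINDINGS = [
    ("10.0.0.11", "CVE-2099-0101", "CWE-89"),
    ("10.0.0.12", "CVE-2099-0101", "CWE-89"),
    ("10.0.0.12", "CVE-2099-0202", "CWE-352"),
    ("10.0.0.13", "CVE-2099-0303", "CWE-98"),
    ("10.0.0.14", "CVE-2099-0404", None),              # scanner gave no weakness class
    ("10.0.0.14", "CVE-2099-0505", "NVD-CWE-noinfo"),  # weakness class unknown
]

# Illustrative excerpt of CAPEC's Related Weaknesses relation, inverted to CWE -> patterns.
CWE_TO_CAPEC = {
    "CWE-89":  [("CAPEC-66", "SQL Injection")],
    "CWE-352": [("CAPEC-62", "Cross Site Request Forgery")],
    "CWE-98":  [("CAPEC-193", "PHP Remote File Inclusion")],
}

# Supplementary attack-vulnerability association (hypothetical entries): direct
# CVE -> CAPEC links for vulnerabilities CAPEC cannot reach through a CWE.
SUPPLEMENTARY = {
    "CVE-2099-0404": [("CAPEC-98", "Phishing")],
}


def build_vulnerability_collection(findings):
    """Group findings by CVE: which assets carry the vulnerability and which CWE classifies it."""
    collection = {}
    for asset, cve, cwe in findings:
        entry = collection.setdefault(cve, {"assets": set(), "cwe": None})
        entry["assets"].add(asset)
        if entry["cwe"] is None:
            entry["cwe"] = cwe
    return collection


def associate_basic_attacks(collection, cwe_to_capec, supplementary):
    """Map each CVE to its basic attacks via CWE -> CAPEC, then via the supplementary set.
    Returns (cve -> sorted attack patterns, list of CVEs no table could associate)."""
    basic_attacks, unmapped = {}, []
    for cve in sorted(collection):
        patterns = set(cwe_to_capec.get(collection[cve]["cwe"], []))
        patterns.update(supplementary.get(cve, []))
        if patterns:
            basic_attacks[cve] = sorted(patterns)
        else:
            unmapped.append(cve)
    return basic_attacks, unmapped


def attacks_by_asset(collection, basic_attacks):
    """Invert the result so each asset lists the basic attacks it is exposed to."""
    per_asset = defaultdict(set)
    for cve, entry in collection.items():
        for asset in entry["assets"]:
            per_asset[asset].update(basic_attacks.get(cve, []))
    return {asset: sorted(patterns) for asset, patterns in per_asset.items()}


if __name__ == "__main__":
    collection = build_vulnerability_collection(SCAN_FINDINGS)
    attacks, todo = associate_basic_attacks(collection, CWE_TO_CAPEC, SUPPLEMENTARY)
    print(attacks_by_asset(collection, attacks))
    print("needs manual association:", todo)
```

The per-asset view is what the later mapping steps consume: the attack patterns drive the terminal-side data sources, while the CVE keys of the collection drive the traffic-side rule selection.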
Referring to FIG. 4, FIG. 4 is a flowchart of a specific method of step S103 in FIG. 1, which includes, but is not limited to, the following steps S401 to S402.
It can be understood that when the data sources of the terminal side are determined according to the basic attacks and the preset attack model framework, the terminal-side data such as operation logs and security events are acquired in a targeted manner through the ATT&CK framework, i.e. a selected part of the data is acquired according to the data source definitions in the ATT&CK framework, as described in detail below.
Step S401: determine the attack model framework.
Step S402: establish a mapping between the basic attacks and the attack types in the attack model framework, and determine the target data sources corresponding to the basic attacks.
In steps S401 to S402 of some embodiments, the attack model framework is first determined; in this embodiment it is the ATT&CK framework, which allows the successive attack techniques of an attacker to be observed more clearly and, because of its completeness, the attacker's attack coverage to be analyzed. A mapping between the basic attacks and the attack types in the attack model framework is then established, and the target data sources corresponding to the basic attacks are determined from the data sources the framework lists, giving the terminal-side data sources of the basic attacks. This allows the data sources to be located quickly, the attack coverage to be analyzed more clearly, and the ability to discover and defend against complex attacks and threat behavior to be improved.
It should be noted that ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a framework for describing and classifying adversary behavior based on real-world attack and defense data. The ATT&CK framework can map an attacker's behavior comprehensively, the attacker's successive attack techniques can be observed more clearly through it, and because of its completeness the attacker's attack coverage can be analyzed. The data source object defines which data must be collected to locate an attack technique. For example, the data sources of the phishing technique T1566 are application logs, file creation and network traffic content; collecting these data sources locates the scope of the attack more quickly. The ATT&CK knowledge base is also related to the CAPEC attack classification, for example CAPEC-98: Phishing corresponds to ATT&CK T1566: Phishing, and CAPEC-469: HTTP DoS corresponds to ATT&CK T1499.002: Endpoint Denial of Service: Service Exhaustion Flood, which further enriches the associations of the attack model framework.
Referring to fig. 5, fig. 5 is a flowchart of a specific method of step S401 in fig. 4, and further describes step S401, where step S401 includes, but is not limited to, steps S501 to S502.
Step S501, determining the tactics, techniques, sub-techniques and corresponding data sources in the framework content according to the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework.
Step S502, constructing an attack model framework according to the determined tactics, techniques, sub-techniques and corresponding data sources.
In steps S501 to S502 of some embodiments, the attack model framework is determined by taking the tactics, techniques, sub-techniques and corresponding data sources from the ATT&CK framework content, so that the attacker's modes of action, targets and the like become known, which supports information collection and analysis, attack detection and defense and the like in the internet simulation scene. The attack model framework is then constructed from the determined tactics, techniques, sub-techniques and corresponding data sources, deepening the understanding of different types of attacks and improving threat identification capability.
It should be noted that each attack technique in the ATT&CK knowledge base has corresponding data sources, which define what data needs to be collected in order to detect that technique, such as process creation or registry modification. Each technique or sub-technique in the ATT&CK framework therefore carries a data source attribute, namely the data sources that may be needed to detect it. For example, the sub-technique T1543.003 (Windows Service) has the data sources Process, Windows Registry, Service and so on: the Process data source means collecting process creation event logs, and the Windows Registry data source means collecting event logs of Windows registry key creation and modification.
Referring to fig. 6, fig. 6 is a flowchart of another specific method of step S103 in fig. 1, and further describes step S103, where step S103 includes, but is not limited to, steps S601 to S602.
Step S601, determining a traffic detection rule base.
In step S601 of some embodiments, a traffic detection rule base is determined so that network traffic can be monitored and rule-matched in real time.
Referring to fig. 7, fig. 7 is a flowchart of a specific method of step S601 in fig. 6, and further describes step S601, where step S601 includes, but is not limited to, steps S701 to S702.
Step S701, collecting a Snort rule set and structuring the data of the Snort rule set.
Step S702, constructing a traffic detection rule base from the structured Snort rule set.
In steps S701 to S702 of some embodiments, the traffic detection rule base is determined by first collecting a Snort rule set and structuring its data so that information can be extracted conveniently, and then constructing the traffic detection rule base from the structured Snort rule set, so that the security monitoring and defense requirements of the internet simulation scene can be met.
Step S602, establishing a mapping between the vulnerability collection corresponding to the basic attack and the vulnerability types in the traffic detection rule base, and determining the target traffic detection rule corresponding to the basic attack.
In steps S601 to S602 of some embodiments, the traffic detection rule on the traffic side is determined by first determining a traffic detection rule base for real-time monitoring and rule matching of network traffic, and then establishing a mapping between the vulnerability collection corresponding to the basic attack and the vulnerability types in the traffic detection rule base. This yields the detection rule set corresponding to each distinct network attack, from which the target traffic detection rule corresponding to the basic attack is determined, thereby associating the vulnerability collection, the basic attack and the traffic detection rule base.
It should be noted that, when establishing the mapping between the vulnerability collection corresponding to the basic attack and the vulnerability types in the traffic detection rule base, the CVE vulnerability information carried in each rule is extracted first, giving the association snort.rule <-> CVE vulnerability. The known association between the vulnerability collection and the attack type classification data set is then combined with the CVE information in snort.rule to establish the mapping between the basic attack's vulnerabilities and snort.rule; this mapping is the detection rule set corresponding to each distinct network attack, and it determines the target traffic detection rule corresponding to the basic attack.
It will be appreciated that the traffic side typically deals with monitored traffic information, pcap packets and the like. Snort is used here as an example of an intrusion detection system; in the Snort intrusion detection rule set, a detection rule may carry the CVE vulnerability it detects. From this link between CVE vulnerabilities and detection rules, the association of Snort rules with CVE vulnerabilities is mapped, namely [snort.rule <-> CVE vulnerability <-> basic attack]. A vulnerability present in the internet simulation scene therefore corresponds to one or more detection rules on the traffic side, and when an attack and defense exercise is run in the simulation scene, only the rules corresponding to the vulnerabilities need to be used to detect intrusion behavior instead of the traditional full rule set, which greatly reduces the consumption of system resources. Rules that carry no CVE reference cannot be reached through this mapping, so the selected subset should be checked for such gaps before the full rule set is switched off.
Notably, the Snort rule set is a rule set for network intrusion detection and intrusion prevention systems. Each rule consists of a rule header and rule options. The rule header holds the rule's matching metadata, such as the action, protocol, source address and port, direction, and destination address and port, and is used to identify and match traffic in the network; the rule options detect and match specific protocol fields, ports, data content, flags and so on to decide whether potential intrusion activity has occurred, and also carry metadata such as the rule identifier (sid) and external references, including the reference:cve entries from which the CVE association above is extracted.
Referring to fig. 8, fig. 8 is a flowchart of a specific method of step S104 in fig. 1, and further illustrates step S104, where step S104 includes, but is not limited to, steps S801 to S803.
Step S801, determining a current vulnerability collection and the current basic attack corresponding to the current vulnerability collection.
Step S802, determining the data source to be collected according to the current basic attack.
Step S803, determining the traffic detection rule to be used according to the current vulnerability collection.
In steps S801 to S803 of some embodiments, targeted data collection proceeds as follows. First, the current vulnerability collection and the current basic attack corresponding to it are determined, which fixes the specific attack type in the internet simulation scene. Then the data source to be collected is determined according to the current basic attack, which realizes data source collection on the terminal side. Finally, the traffic detection rule to be used is determined according to the current vulnerability collection, which designates the traffic detection rule on the traffic side. Data is thus collected only for the vulnerabilities or weaknesses present, collection is confined to a targeted range, and the system resource consumption and time cost of detection are greatly reduced.
Referring to fig. 9, the embodiment of the application further provides a data acquisition device for an internet simulation scene, where the device includes:
The scanning module 901 is used for performing vulnerability scanning on the internet simulation scene and classifying the obtained vulnerabilities to obtain a vulnerability collection;
the basic attack association module 902 is configured to associate the vulnerability collection with a preset attack type classification data set to obtain the basic attack corresponding to the vulnerability collection, where the attack type classification data set includes the correspondence between vulnerabilities and intrusion attack behaviors, and the basic attack characterizes the intrusion attack behavior in the internet simulation scene;
the mapping module 903 is configured to determine a data source on the terminal side according to the basic attack and a preset attack model framework, and to determine a traffic detection rule on the traffic side according to the basic attack and a preset traffic detection rule base, where the attack model framework includes the correspondence between attack types and data sources, and the traffic detection rule base includes the correspondence between vulnerability types and traffic detection rules;
and the targeted collection module 904 is used for performing targeted data collection based on the correspondence between the vulnerability collection, the data source and the traffic detection rule.
The specific implementation manner of the data acquisition device for the internet simulation scene is basically the same as the specific embodiment of the data acquisition method for the internet simulation scene, and is not repeated here.
In order to more clearly describe the above data collection method for the internet simulation scene, a specific example will be described below.
Example one:
example one is a specific example of data collection in an internet simulation scenario.
In an internet simulation scene, the method actively detects the asset vulnerabilities present in the scene. By actively monitoring the vulnerabilities or weaknesses that different network intrusion behaviors may attack, intrusion detection rules are set for those vulnerabilities or weaknesses in advance, and the rules so set determine the range of data collection. Compared with traditional full collection, targeted collection concentrates the collection range at the locations of the vulnerabilities/weaknesses, which reduces the consumption of system resources.
During data collection, this embodiment first collects and organizes the scene resources of the internet simulation scene in advance, confirms the topology of the current scene, and scans for the vulnerabilities or weaknesses present in it, which an attacker in the scene may exploit. By setting a data collection scheme for these vulnerabilities in advance and enabling the collection rules only when an intrusion is detected, the range of data collection is greatly reduced. When a rule is hit, it is known clearly which vulnerabilities the attacker exploited and which were not exploited, and by mapping to ATT&CK the attack coverage can be analyzed more clearly.
The embodiment can be divided into three stages: the first stage is basic information collection and association, the second stage is the terminal-side targeted data collection method, and the third stage is the traffic-side targeted data collection method.
Referring to fig. 10, fig. 10 is a flowchart of a specific method of a data collection method provided in the present application, where the data collection method for an internet simulation scenario includes, but is not limited to, the following steps S1 to S10.
The specific steps are as follows:
The first stage mainly collects the resources, data and vulnerabilities of the hosts in the simulation scene. An internet simulation scene is a network environment built for a particular attack and defense experimental target, which may be an attack against a certain vulnerability, the reproduction of a certain security event, and so on. At this stage the topology information, network environment and host vulnerabilities of the host resources are recorded, the collected host vulnerabilities are classified under the CVE system, and attack behaviors are classified according to the vulnerability information.
The first stage comprises the following steps:
Step S1: scanning the current internet simulation scene with a vulnerability collection tool, and collecting vulnerabilities according to the CVE system.
Step S2: associating the scanned CVE vulnerabilities with the BA system for classification by a semi-automatic method combined with expert knowledge, and establishing the relation CVE <-> BA.
It should be noted that the BA (Basic Attack) system is derived from CAPEC, a classified data set of common attack types; this has been described in detail above and is not repeated here.
The second stage is the terminal-side targeted data collection stage. Its purpose is to collect terminal-side data, such as operation logs and security events, in a targeted manner through the ATT&CK system, collecting only the part of the data defined by the data sources in the ATT&CK system.
The second stage comprises the following steps:
Step S3: ATT&CK system data collection: collect the tactics, techniques, sub-techniques and corresponding data sources in the framework content.
Step S4: association construction: establish the mapping between the basic attacks BA and the techniques in the ATT&CK system, using a semi-automatic method combined with expert knowledge.
Step S5: collect the ATT&CK system data sources.
The data source is the data that may be needed to detect an attack technique in the ATT&CK system. For example, detecting the sub-technique T1543.003 (Windows Service) uses the data sources Process, Windows Registry, Service and so on: the Process data source means collecting process creation event logs, and the Windows Registry data source means collecting event logs of Windows registry key modification and creation.
Step S6: constructing the chain CVE vulnerability <-> basic attack BA <-> ATT&CK technique <-> ATT&CK data source <-> terminal-side data from the information of the preceding steps.
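The following Python listing is an added example for steps S3 to S6 (and steps S501 to S502 above); it is not code from the application. It resolves a scanned vulnerability collection through the chain CVE -> BA -> ATT&CK technique -> data source -> endpoint event, and reports the two gaps a practitioner needs to see: vulnerabilities with no basic attack assigned, and data sources that no endpoint collector covers. The CVE identifiers are constructed placeholders, the BA <-> technique pairs are the CAPEC/ATT&CK pairs cited in the text, the data-source lists follow the public ATT&CK knowledge base at the time of writing (check them against the version in use), and the table mapping data sources to Windows/Sysmon event IDs is the example's own assumption about the collector.

```python
"""Terminal-side targeted collection plan (added example, not the application's code).

CVE -> basic attack (BA) -> ATT&CK technique -> ATT&CK data source -> endpoint event.
All tables are constructed for the example; CVE numbers are placeholders.
"""

# Step S2 output (constructed placeholders, not real vulnerabilities).
CVE_TO_BA = {
    "CVE-0000-0001": "CAPEC-98",   # Phishing
    "CVE-0000-0002": "CAPEC-98",   # a second flaw reached through the same BA
    "CVE-0000-0003": "CAPEC-469",  # HTTP DoS
    "CVE-0000-0004": None,         # scanned, but no BA assigned yet
}

# Step S4 output: BA <-> ATT&CK technique (the pairs cited in the text).
BA_TO_TECHNIQUES = {
    "CAPEC-98": ["T1566"],
    "CAPEC-469": ["T1499.002"],
}

# Steps S3/S5: technique -> data source components (from ATT&CK; T1543.003 is a subset).
TECHNIQUE_DATA_SOURCES = {
    "T1566": ["Application Log: Application Log Content",
              "File: File Creation",
              "Network Traffic: Network Traffic Content",
              "Network Traffic: Network Traffic Flow"],
    "T1499.002": ["Application Log: Application Log Content",
                  "Network Traffic: Network Traffic Content",
                  "Network Traffic: Network Traffic Flow",
                  "Sensor Health: Host Status"],
    "T1543.003": ["Process: Process Creation",
                  "Service: Service Creation",
                  "Windows Registry: Windows Registry Key Creation",
                  "Windows Registry: Windows Registry Key Modification"],
}

# Data source component -> endpoint event(s) to enable. This table is the example's
# own assumption about a Windows/Sysmon collector, not part of ATT&CK.
DATA_SOURCE_TO_EVENTS = {
    "Application Log: Application Log Content": {"application:*"},
    "File: File Creation": {"sysmon:11"},
    "Network Traffic: Network Traffic Flow": {"sysmon:3"},
    "Process: Process Creation": {"sysmon:1", "security:4688"},
    "Service: Service Creation": {"system:7045"},
    "Windows Registry: Windows Registry Key Creation": {"sysmon:12"},
    "Windows Registry: Windows Registry Key Modification": {"sysmon:13"},
    # "Network Traffic: Network Traffic Content" and "Sensor Health: Host Status"
    # deliberately have no endpoint collector here and are reported as uncovered.
}


def plan_endpoint_collection(cves):
    """Resolve each CVE through its BA to ATT&CK techniques and their data sources.

    Returns (technique -> sorted data sources, CVEs that could not be mapped).
    Unmapped CVEs are reported rather than dropped: a vulnerability with no BA
    has no collection plan, which is a coverage gap the operator must see.
    """
    plan, unmapped = {}, []
    for cve in cves:
        ba = CVE_TO_BA.get(cve)
        if ba is None:
            unmapped.append(cve)
            continue
        for tech in BA_TO_TECHNIQUES.get(ba, []):
            plan.setdefault(tech, set()).update(TECHNIQUE_DATA_SOURCES.get(tech, []))
    return {tech: sorted(sources) for tech, sources in plan.items()}, unmapped


def collectors_for(plan):
    """Union of endpoint events to enable for the plan, plus the data sources
    that no endpoint collector covers (they belong to the traffic side or are gaps).
    """
    events, uncovered = set(), set()
    for sources in plan.values():
        for src in sources:
            evs = DATA_SOURCE_TO_EVENTS.get(src)
            if evs:
                events.update(evs)
            else:
                uncovered.add(src)
    return sorted(events), sorted(uncovered)


if __name__ == "__main__":
    plan, unmapped = plan_endpoint_collection(list(CVE_TO_BA))
    events, uncovered = collectors_for(plan)
    for tech, sources in plan.items():
        print(tech, "->", "; ".join(sources))
    print("enable:", events)
    print("no endpoint collector:", uncovered)
    print("no BA mapping:", unmapped)
```

With the constructed tables, the two phishing-related placeholders collapse onto the single technique T1566, the DoS placeholder onto T1499.002, and the endpoint plan reduces to three event classes; the two network-content sources are reported as uncovered rather than silently omitted, which is where the traffic-side rules of the third stage take over.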
The third stage is the traffic-side targeted data collection stage. Because a rule-based network intrusion detection system has its detection rule base at its core, this stage takes Snort as the example: traffic is detected by Snort, and Snort likewise has its rule set at its core.
The third stage comprises the following steps:
Step S7: collecting the Snort rule set and structuring it to facilitate information extraction.
Step S8: CVE vulnerability information is present in many Snort rule descriptions; the CVE vulnerability information in the rules is extracted, giving snort.rule <-> CVE vulnerability.
Step S9: establishing the mapping basic attack BA <-> CVE vulnerability <-> snort.rule using the known CVE <-> BA association and the CVE information in snort.rule; this mapping is the detection rule set corresponding to each distinct network attack.
Step S10: constructing the association CVE vulnerability <-> basic attack BA <-> snort.rule from the information of the preceding steps.
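The following Python listing is an added example for steps S7 to S10 (and for the traffic detection rule base of steps S701 to S702 above); it is not code from the application. It structures a small Snort rule set, extracts the CVE numbers from each rule's reference options, joins them with a CVE -> BA table, and emits only the rules that apply to a given vulnerability collection. The rules are constructed local rules (sid >= 1000000), the CVE numbers in them are placeholders rather than real vulnerabilities, and the CVE -> BA table is the example's own; the option splitter respects quoted content so that a semicolon inside a content pattern does not break a rule apart.

```python
"""Traffic-side targeted rule selection (added example, not the application's code).

snort.rule -> CVE -> basic attack (BA). Rules and CVE numbers are constructed
placeholders; the CVE -> BA table is constructed as well.
"""
import re

# Snort rule header: action proto src sport dir dst dport (options)
HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

SAMPLE_RULES = r'''
# constructed rules for the example; the CVE numbers are placeholders
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE web exploit attempt"; flow:to_server,established; content:"/cgi-bin/x;y"; http_uri; reference:cve,0000-0001; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE smb exploit attempt"; flow:to_server,established; content:"|FF|SMB"; reference:cve,0000-0002; reference:cve,0000-0003; sid:1000002; rev:2;)
alert udp any any -> $HOME_NET 53 (msg:"EXAMPLE dns probe, no CVE reference"; content:"|00 00|"; sid:1000003; rev:1;)
'''

# Constructed step S2 table: CVE -> BA (CAPEC entry), consumed by step S9.
CVE_TO_BA = {"CVE-0000-0001": "CAPEC-98", "CVE-0000-0002": "CAPEC-469"}


def split_options(opts):
    """Split the option body on ';' outside double quotes, so content:"a;b" stays whole."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch); escaped = False
        elif ch == "\\":
            buf.append(ch); escaped = True
        elif ch == '"':
            buf.append(ch); quoted = not quoted
        elif ch == ";" and not quoted:
            parts.append("".join(buf).strip()); buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def normalize_cve(ref):
    """'cve,2000-0001' or 'cve,CVE-2000-0001' -> 'CVE-2000-0001'."""
    num = ref.split(",", 1)[-1].strip().upper()
    return num if num.startswith("CVE-") else "CVE-" + num


def parse_rules(text):
    """Step S7: structure each active rule; comment and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line[:40])
        rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
        rule.update(raw=line, cves=[], sid=None, msg="")
        for opt in split_options(m.group("opts")):
            key, _, val = opt.partition(":")
            key, val = key.strip(), val.strip()
            if key == "sid":
                rule["sid"] = int(val)
            elif key == "msg":
                rule["msg"] = val.strip('"')
            elif key == "reference" and val.lower().startswith("cve,"):
                rule["cves"].append(normalize_cve(val))   # step S8
        if rule["sid"] is None:
            raise ValueError("rule without sid: " + line[:40])
        rules.append(rule)
    return rules


def rules_by_basic_attack(rules, cve_to_ba):
    """Step S9: BA -> sorted sids, the detection rule set per network attack."""
    out = {}
    for r in rules:
        for ba in {cve_to_ba.get(c) for c in r["cves"]} - {None}:
            out.setdefault(ba, set()).add(r["sid"])
    return {ba: sorted(sids) for ba, sids in out.items()}


def select_rules(rules, cves):
    """Sids to load for a vulnerability collection: rules that reference a scanned CVE."""
    wanted = {c.upper() for c in cves}
    return sorted(r["sid"] for r in rules if wanted & set(r["cves"]))


def unreferenced_sids(rules):
    """Rules with no CVE reference: unreachable through the mapping, so report them."""
    return [r["sid"] for r in rules if not r["cves"]]


def targeted_ruleset(rules, sids):
    """Step S10 output: text of a rules file holding only the selected rules."""
    keep = set(sids)
    return "".join(r["raw"] + "\n" for r in rules if r["sid"] in keep)
```

Calling `parse_rules(SAMPLE_RULES)` and then `select_rules(rules, ["CVE-0000-0003"])` returns only sid 1000002, and `targeted_ruleset` writes that one rule out for loading in place of the full set. `unreferenced_sids` lists sid 1000003, the rule that no vulnerability collection can ever select because it carries no CVE reference; in a real rule set that list is the coverage that targeted loading gives up, and it should be reviewed before the full rule set is disabled.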
In the example provided by the invention, the collection range can be set for the vulnerabilities or weaknesses that may be exploited in the internet simulation scene, and each vulnerability is associated through the mapping with a small data collection range: the terminal side relies on the data source attribute of ATT&CK, and the traffic side relies on the rules of the network intrusion detection system. When an attack and defense exercise is run in the simulation scene, data is collected only for the vulnerabilities or weaknesses, so the vulnerability exploitation and single-step attack coverage can be analyzed more clearly, and the attack behavior can be mapped into the ATT&CK framework, providing a basis for further analysis in multi-step attack detection.
Referring to fig. 11, taking as an example the control processor 1001 and the memory 1002 in the data acquisition device 1000 for an internet simulation scenario, may be connected by a bus. Memory 1002 is a non-transitory computer-readable storage medium that may be used to store non-transitory software programs as well as non-transitory computer-executable programs. In addition, the memory 1002 may include high-speed random access memory, and may also include non-transitory memory, such as at least one disk memory, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory 1002 may optionally include memory remotely located with respect to the control processor 1001, which may be connected to the data acquisition device 1000 for internet simulation scenarios via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
It will be appreciated by those skilled in the art that the device structure shown in fig. 11 does not constitute a limitation of the data acquisition device 1000 for an internet simulation scenario, and may include more or fewer components than shown, or may combine certain components, or a different arrangement of components.
Also provided in embodiments of the present application is a computer-readable storage medium storing computer-executable instructions that are executed by one or more control processors, for example, by one of the control processors 1001 in fig. 11, to cause the one or more control processors to perform the data acquisition method for an internet simulation scenario in the method embodiment described above.
The above described apparatus embodiments are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.

Claims (11)

1. A data acquisition method for an internet simulation scene, characterized by comprising the following steps:
performing vulnerability scanning on the internet simulation scene, and classifying the obtained vulnerabilities to obtain a vulnerability collection;
associating the vulnerability collection with a preset attack type classification data set to obtain a basic attack corresponding to the vulnerability collection, wherein the attack type classification data set comprises the correspondence between vulnerabilities and intrusion attack behaviors, and the basic attack characterizes the intrusion attack behavior in the internet simulation scene;
determining a data source on the terminal side according to the basic attack and a preset attack model framework, and determining a traffic detection rule on the traffic side according to the basic attack and a preset traffic detection rule base, wherein the attack model framework comprises the correspondence between attack types and data sources, and the traffic detection rule base comprises the correspondence between vulnerability types and traffic detection rules;
and performing targeted data collection based on the correspondence between the vulnerability collection, the data source and the traffic detection rule.
2. The data acquisition method according to claim 1, wherein performing vulnerability scanning on the internet simulation scene and classifying the vulnerabilities obtained by scanning to obtain a vulnerability collection comprises:
determining the network resources and network topology of the internet simulation scene;
scanning the internet simulation scene according to the network resources and the network topology to obtain a plurality of vulnerabilities, wherein the vulnerabilities correspond to assets of the internet simulation scene;
and grouping the plurality of vulnerabilities according to the classification information of the Common Vulnerabilities and Exposures (CVE) system to obtain the vulnerability collection.
3. The data acquisition method according to claim 1, wherein the attack type classification data set is the Common Attack Pattern Enumeration and Classification (CAPEC) data set, and associating the vulnerability collection with the preset attack type classification data set to obtain the basic attack corresponding to the vulnerability collection comprises:
associating the vulnerability collection according to the correspondence between vulnerabilities and intrusion attack behaviors in CAPEC and preset attack-vulnerability association information, to obtain the correspondence between the vulnerability collection and the basic attack;
wherein the attack-vulnerability association information serves as a supplementary set to the correspondence between vulnerabilities and intrusion attack behaviors in CAPEC.
4. The data acquisition method according to claim 1, wherein determining the data source on the terminal side according to the basic attack and the preset attack model framework comprises:
determining an attack model framework;
and establishing a mapping between the basic attack and the attack type in the attack model framework, and determining the target data source corresponding to the basic attack.
5. The data acquisition method according to claim 4, wherein determining an attack model framework comprises:
determining the tactics, techniques, sub-techniques and corresponding data sources in the framework content according to the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework;
and constructing the attack model framework according to the determined tactics, techniques, sub-techniques and corresponding data sources.
6. The data acquisition method according to claim 1, wherein determining the traffic detection rule on the traffic side according to the basic attack and the preset traffic detection rule base comprises:
determining a traffic detection rule base;
and establishing a mapping between the vulnerability collection corresponding to the basic attack and the vulnerability types in the traffic detection rule base, and determining the target traffic detection rule corresponding to the basic attack.
7. The data acquisition method according to claim 6, wherein determining a traffic detection rule base comprises:
collecting a Snort rule set, and structuring the data of the Snort rule set;
and constructing the traffic detection rule base from the structured Snort rule set.
8. The data acquisition method according to claim 1, wherein performing targeted data collection based on the correspondence between the vulnerability collection, the data source and the traffic detection rule comprises:
determining a current vulnerability collection and the current basic attack corresponding to the current vulnerability collection;
determining the data source to be collected according to the current basic attack;
and determining the traffic detection rule to be used according to the current vulnerability collection.
9. A data acquisition device for an internet simulation scene, comprising:
a scanning module, used for performing vulnerability scanning on the internet simulation scene and classifying the vulnerabilities obtained by scanning to obtain a vulnerability collection;
a basic attack association module, used for associating the vulnerability collection with a preset attack type classification data set to obtain the basic attack corresponding to the vulnerability collection, wherein the attack type classification data set comprises the correspondence between vulnerabilities and intrusion attack behaviors, and the basic attack characterizes the intrusion attack behavior in the internet simulation scene;
a mapping module, used for determining a data source on the terminal side according to the basic attack and a preset attack model framework, and for determining a traffic detection rule on the traffic side according to the basic attack and a preset traffic detection rule base, wherein the attack model framework comprises the correspondence between attack types and data sources, and the traffic detection rule base comprises the correspondence between vulnerability types and traffic detection rules;
and a targeted collection module, used for performing targeted data collection based on the correspondence between the vulnerability collection, the data source and the traffic detection rule.
10. A data acquisition device for an internet simulation scene, comprising at least one processor and a memory communicatively connected to the at least one processor; the memory stores instructions executable by the at least one processor, the instructions enabling the at least one processor to perform the data acquisition method according to any one of claims 1 to 8.
11. A computer-readable storage medium storing computer-executable instructions for causing a computer to perform the data acquisition method according to any one of claims 1 to 8.
Priority application: CN202310928294.3A, priority date 2023-07-26, filing date 2023-07-26, "Data acquisition method, device and storage medium for Internet simulation scene"
Publication: CN117278245A, published 2023-12-22, legal status pending
Family ID: 89209360
Country status: CN, CN117278245A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination