CN117499151A - Method and device for constructing network target range (Google Patents)
- Publication number: CN117499151A (application number CN202311635104.5A)
- Authority: CN (China)
- Prior art keywords
- network
- information
- attack
- file
- target
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1416—Event detection, e.g. attack signature detection
          - H04L63/1433—Vulnerability analysis
          - H04L63/1441—Countermeasures against malicious traffic
Abstract
The application discloses a method and a device for constructing a network target range. When a security operation center platform detects a network attack behavior, the method obtains the victim information and the attack behavior information of that attack; the victim information includes the operating system information, software information, dependent software component information and the like of the victim server, and is used to construct the network target range to be tested. An attack file is generated from the attack behavior information; a vulnerability verification file is generated from the attack file, and an image composition file is generated from the victim information. The image composition file comprises the images required by the vulnerability environment, the container start-up order and the port mapping; the vulnerability verification file is used to verify whether the vulnerability environment has been reproduced successfully. A network target range image that reproduces the vulnerability environment is constructed from the image composition file; a network attack is performed on the network target range image based on the vulnerability verification file to verify whether the image was constructed successfully; and if the network target range image is determined to have been constructed successfully, it is output.
Description
Technical Field
The application relates to the technical field of networks, in particular to a method and a device for constructing a network target range.
Background
Network attacks are often encountered in enterprise production activities, and when a network attack succeeds, network security operators need to respond to it immediately. To meet the demand for improving the network security capabilities of the relevant personnel in analyzing the details of network attacks, it is often necessary to build software application environments containing vulnerabilities for those personnel to use.
A platform that integrates multiple vulnerable software application environments is referred to as a network target range. The network target ranges constructed by the existing construction technology have low fidelity (degree of restoration): there is a large gap between the constructed network target range and the real network environment, so the vulnerabilities present in the real network environment and the application scenarios of those vulnerabilities are difficult to restore. A low-fidelity network target range clearly cannot support detailed analysis of network attacks or improve the network security capabilities of the personnel.
Disclosure of Invention
To this end, the application discloses a method and a device for constructing a network target range so as to improve the fidelity (degree of restoration) of the network target range.
A first aspect of the present application provides a method of constructing a network target range, comprising:
when a security operation center platform detects a network attack behavior, acquiring attack behavior information and victim information of the network attack behavior; the victim information comprises a base image, operating system version and patch information, software dependent component information, port and service information, operating system configuration information, network configuration information, operating system user information and operating system log information, and the attack behavior information comprises a vulnerability type, the IP address of the attacker, the attack time, the attack payload, the request message, the protocol type and the original log;
generating an attack file according to the attack behavior information; the attack file comprises exploit information and auxiliary information;
generating a vulnerability verification file according to the attack file, and generating an image composition file according to the victim information; the image composition file comprises the images required by the vulnerability environment, the container start-up order and the port mapping; the vulnerability verification file is used for verifying whether the vulnerability environment is successfully reproduced;
constructing a network target range image for reproducing the vulnerability environment by using the image composition file;
performing a network attack on the network target range image based on the vulnerability verification file to verify whether the network target range image is successfully constructed;
and if the network target range image is determined to be successfully constructed, outputting the network target range image.
Optionally, after performing the network attack on the network target range image based on the vulnerability verification file to verify whether it was successfully constructed, the method further includes:
if the construction of the network target range environment is determined to have failed, generating a new image composition file according to the attack file, and returning to the step of constructing the network target range image for reproducing the vulnerability environment by using the image composition file, until the failure count is greater than a failure-count threshold or the construction of the network target range environment succeeds;
if the failure count is greater than the failure-count threshold, outputting error information and marking the functional points at which execution failed.
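The rebuild loop of the optional step above, written out as an added example (it is not code from the patent). The build, verify and regenerate steps are injected callables, which is an assumption made so the control flow can be exercised offline; in the described method they would run the image composition file and replay the vulnerability verification file against the resulting container. The `simulate` helper and its fakes are constructed for this example.

```python
"""Build / verify / retry loop for a network target range image.

Added example (not the patent's own code) of the optional step above: if
verification fails, a new image composition file is generated and the image is
rebuilt, until verification succeeds or the failure count exceeds a threshold,
in which case an error is reported and the failed functional points are marked.
The build, verify and regenerate steps are injected callables (an assumption
for this example); in the patented method they would start the compose file
and replay the vulnerability verification file against the container.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class RangeBuildResult:
    success: bool
    attempts: int                      # build+verify rounds actually executed
    image_ref: Optional[str] = None    # set only on success
    error: Optional[str] = None        # error report on final failure
    failed_points: List[str] = field(default_factory=list)  # marked functional points


def build_and_verify_range(
    compose_file: Dict,
    attack_file: Dict,
    build_image: Callable[[Dict], str],
    verify_image: Callable[[str], bool],
    regenerate_compose: Callable[[Dict, Dict], Dict],
    failure_threshold: int = 3,
) -> RangeBuildResult:
    """Construct the range image from compose_file, verify it, and retry with a
    regenerated composition file until the failure count is greater than the
    threshold (the page's stop condition) or verification succeeds."""
    failures = 0
    current = compose_file
    while True:
        image_ref = build_image(current)
        if verify_image(image_ref):
            return RangeBuildResult(True, failures + 1, image_ref)
        failures += 1
        if failures > failure_threshold:
            return RangeBuildResult(
                False, failures, None,
                error=f"range construction failed {failures} times "
                      f"(threshold {failure_threshold})",
                failed_points=["construct_range_image", "verify_range_image"],
            )
        # Regenerate the composition file from the attack file and try again.
        current = regenerate_compose(current, attack_file)


def simulate(succeed_on: Optional[int], failure_threshold: int) -> RangeBuildResult:
    """Drive the loop with deterministic fakes (constructed for this example):
    the fake build tags images range:v1, range:v2, ... and the fake verification
    passes from round `succeed_on` onwards (None = never passes)."""
    rounds = {"n": 0}

    def fake_build(compose: Dict) -> str:
        rounds["n"] += 1
        return f"range:v{rounds['n']}"

    def fake_verify(image_ref: str) -> bool:
        round_no = int(image_ref.rsplit("v", 1)[1])
        return succeed_on is not None and round_no >= succeed_on

    def fake_regenerate(compose: Dict, attack_file: Dict) -> Dict:
        # Placeholder regeneration: record the rebuild count in a compose
        # extension field so each retry produces a distinct composition file.
        new = dict(compose)
        new["x-rebuild"] = compose.get("x-rebuild", 0) + 1
        return new

    return build_and_verify_range(
        {"services": {}}, {"exploit_info": {}},
        fake_build, fake_verify, fake_regenerate, failure_threshold,
    )


if __name__ == "__main__":
    print(simulate(succeed_on=2, failure_threshold=3))
    print(simulate(succeed_on=None, failure_threshold=2))
```

Note that the stop condition is "failure count greater than the threshold", so a threshold of 3 allows four build attempts in total; the error report and the marked functional points are what the output unit would emit when that limit is reached.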
Optionally, generating the vulnerability verification file according to the attack file and generating the image composition file according to the victim information include:
determining target software and other software on which the target software depends according to the attack file, wherein the target software is the software targeted by the network attack behavior;
obtaining containerized deployment information of the target software and of the other software from a target system, wherein the target system is the system to which the target software belongs;
determining the start-up order of the target software and the other software in the target system;
combining the containerized deployment information of the target software and of the other software according to the start-up order to obtain the image composition file;
and forming the vulnerability verification file from the exploit information and the vulnerability information of the same type recorded in the attack file.
Optionally, performing the network attack on the network target range image based on the vulnerability verification file to verify whether the network target range image is successfully constructed includes:
running the network target range image to obtain a network target range container corresponding to the image;
performing the network attack on the network target range container based on the vulnerability verification file;
if the network attack on the network target range container succeeds, determining that the network target range image is successfully constructed;
if the network attack on the network target range container fails, determining that the construction of the network target range image has failed.
Optionally, when the security operation center platform detects a network attack behavior, acquiring the attack behavior information of the network attack behavior includes:
in response to the security operation center detecting that the network attack behavior was executed successfully, sending an information acquisition request to the security operation center;
and receiving the attack behavior information of the network attack behavior fed back by the security operation center according to the information acquisition request.
A second aspect of the present application provides an apparatus for constructing a network target range, comprising:
an acquisition unit, configured to acquire attack behavior information and victim information of a network attack behavior when a security operation center platform detects the network attack behavior; the victim information comprises a base image, operating system version and patch information, software dependent component information, port and service information, operating system configuration information, network configuration information, operating system user information and operating system log information, and the attack behavior information comprises a vulnerability type, the IP address of the attacker, the attack time, the attack payload, the request message, the protocol type and the original log;
a first generation unit, configured to generate an attack file according to the attack behavior information; the attack file comprises a base image, operating system version and patch information, software dependent component information, port and service information, operating system configuration information, network configuration information, operating system user information, operating system log information, exploit information and auxiliary information;
a second generation unit, configured to generate a vulnerability verification file according to the attack file and to generate an image composition file according to the victim information; the image composition file comprises the images required by the vulnerability environment, the container start-up order and the port mapping; the vulnerability verification file is used for verifying whether the vulnerability environment is successfully reproduced;
a construction unit, configured to construct a network target range image for reproducing the vulnerability environment by using the image composition file;
a verification unit, configured to perform a network attack on the network target range image based on the vulnerability verification file so as to verify whether the network target range image is successfully constructed;
and an output unit, configured to output the network target range image if the network target range image is successfully constructed.
Optionally, the second generation unit is further configured to: if the construction of the network target range environment is determined to have failed, generate a new image composition file according to the attack file, and return to the step of constructing the network target range environment for reproducing the vulnerability environment by using the image composition file, until the failure count is greater than a failure-count threshold or the construction of the network target range environment succeeds;
the output unit is further configured to output error information and mark the functional points at which execution failed if the failure count is greater than the failure-count threshold.
Optionally, when generating the vulnerability verification file according to the attack file and generating the image composition file according to the victim information, the second generation unit is specifically configured to:
determine target software and other software on which the target software depends according to the attack file, wherein the target software is the software targeted by the network attack behavior;
obtain containerized deployment information of the target software and of the other software from a target system, wherein the target system is the system to which the target software belongs;
determine the start-up order of the target software and the other software in the target system;
combine the containerized deployment information of the target software and of the other software according to the start-up order to obtain the image composition file;
and form the vulnerability verification file from the exploit information and the vulnerability information of the same type recorded in the attack file.
Optionally, when performing the network attack on the network target range image based on the vulnerability verification file so as to verify whether the network target range image is successfully constructed, the verification unit is specifically configured to:
run the network target range image to obtain a network target range container corresponding to the image;
perform the network attack on the network target range container based on the vulnerability verification file;
if the network attack on the network target range container succeeds, determine that the network target range image is successfully constructed;
if the network attack on the network target range container fails, determine that the construction of the network target range image has failed.
Optionally, when the security operation center platform detects a network attack behavior, the acquisition unit is specifically configured to:
in response to the security operation center detecting that the network attack behavior was executed successfully, send an information acquisition request to the security operation center;
and receive the attack behavior information of the network attack behavior fed back by the security operation center according to the information acquisition request.
The beneficial effect of this scheme lies in:
the network target range image can be generated and verified using the information on the network attack behaviors actually encountered by the security operation center, so the generated network target range image is guaranteed to closely restore the real network environment and the real network vulnerabilities of the security operation center, achieving the effect of constructing a high-fidelity network target range.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings may be obtained according to the provided drawings without inventive effort to a person skilled in the art.
FIG. 1 is a flow chart of a method of constructing a network target range provided in an embodiment of the present application;
FIG. 2 is a flow chart of a method for generating an image composition file and a vulnerability verification file according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of an apparatus for constructing a network target range according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
First, some terms that may be related to the present application will be explained.
Network target range (cyber range). A network target range is a virtual or physical environment for network security training and practice. It generally comprises a series of virtual machines, operating systems and application programs, all preset with various vulnerabilities and security weaknesses, so that the network target range can simulate the scenario in which a computer system actually used by an enterprise is attacked over the network, and thereby provide scenario support for network security training and practice.
An enterprise-level network information security operation center (Security Operations Center, SOC) is an enterprise-level network security platform, integrates various types of network security equipment, log acquisition service and big data storage modules, and ensures the safe and stable operation of a production system.
In order to solve the problem of the low fidelity of network target ranges constructed by the prior art, an embodiment of the application provides a method and a device for constructing a network target range; the method can be executed by a software system for constructing the network target range (hereinafter referred to as the construction system). When the enterprise-level network information security operation center detects that a network attack has succeeded, the construction system can extract the required information from the server on which the attack occurred and use it to automatically construct a network target range image reflecting the vulnerability environment, for network security researchers to analyze; it can also store the constructed image on the SOC platform, providing a base environment for training the network security capabilities of enterprise staff, which can effectively improve the enterprise's network security protection and reduce network security risk.
The security operation center of the enterprise can monitor every computer system of the enterprise, and when any software running on any computer system is attacked over the network, the security operation center can discover the attack. Correspondingly, in the present application the vulnerability environment may be understood as the running environment of the attacked software at the time of the attack. In other words, the network target range image constructed by this scheme can reproduce the running environment of the attacked software, providing a network target range of higher fidelity.
Referring to fig. 1, a flowchart of a method for constructing a network target range according to an embodiment of the present application is provided, and the method may include the following steps.
S101, when the security operation center platform detects the network attack, attack behavior information and victim information of the network attack behavior are obtained.
The attack behavior information comprises a vulnerability type, an IP address of an attacker, attack time, an attack load, a request message, a protocol type and an original log.
The execution subject of the method provided in this embodiment may be the aforementioned construction system.
The victim information includes base images, operating system version and patch information, software dependent component information, port and service information, operating system configuration information, network configuration information, operating system user information, operating system log information.
In S101, the manner of acquiring the attack behavior information may be:
in response to the detection of successful execution of the network attack behavior by the security operation center, sending an information acquisition request to the security operation center;
and receiving attack behavior information of network attack behavior fed back by the security operation center according to the information acquisition request.
After detecting a network attack on any software in an enterprise computer system and determining that the attack was executed successfully, the security operation center sends a notification event to the construction system indicating that the corresponding software encountered a successfully executed network attack; the construction system can then respond to the notification event by sending the security operation center an information acquisition request for the key information of the attack. After receiving the request, the security operation center feeds back to the construction system the attack behavior information detected during the attack.
In the attack behavior information, the vulnerability type is the type of the detected vulnerability exploited by the current network attack, the attack time is the point in time at which the current attack was encountered, and the IP address of the attacker is the IP address of the device that initiated the current attack.
The attack payload is the instruction that the attacker expects the attacked system to execute, the protocol type is the network protocol used by the attack request, and the request message is the message sent by the attacker's client to the attacked victim server.
Optionally, the attack behavior information may further include network attack traffic information, which characterizes the size of the data traffic at the security operation center when attacked.
The victim information is acquired in the same way as the attack behavior information, which is not repeated here.
S102, generating an attack file according to attack behavior information; the attack file includes exploit information and auxiliary information.
The attack file may be a file of any format, and the format of the attack file is not limited in this embodiment. As one example, the attack file may be a json format file.
The foregoing victim information and attack files are described below.
Base image (image): the base image selected according to the vulnerability type and the reproduction requirements, for example Ubuntu, Debian or CentOS. The base image can be understood as the information on the attacked digital asset (including software and data) at the moment the corresponding software is observed to suffer the network attack behavior.
As an example, the base image may be "image": "ubuntu:latest".
Operating system version (os_version) and patch information (patches): the operating system version of the target system and the installed patches need to be known in order to determine whether a known vulnerability exists. The operating system version is the version of the operating system to which the software subjected to the network attack in the security operation center belongs, and the patch information indicates whether that operating system has patches installed and, specifically, which patches.
By way of example, the operating system version may be "os_version": "20.04".
The patch information may be:
"patches": [{"name": "openssl", "version": "1.1.1f-1ubuntu2.2"}]
Software information (software) refers to the information about the software that encountered the current network attack. For example, if software A of the security operation center encountered the current network attack, that is, the target of the current network attack is software A, the software information includes information about software A, including but not limited to its name, version and function.
As an example, the software information may be: "software": [{"name": "Weblogic", "version": "12.2.1.3"}].
Software dependent component information (dependencies) refers to the information about the other components required for the normal operation of the attacked software. For example, if software A of the security operation center encountered the current network attack, that is, the target of the current network attack is software A, and the normal operation of software A depends on software B and software C, then the software dependent component information includes information about software B and software C, including but not limited to their names, versions and functions.
As an example, the software dependent component information may be: "dependencies": [{"name": "libssl-dev", "version": "1.1.1f-1ubuntu2.2"}, {"name": "mysql-client", "version": "5.7"}].
Port and service information (ports) refers to the open ports and the running services on the target system; for vulnerability scanning and attack, this information needs to be configured into the image file. The target system is the operating system to which the software subjected to the network attack behavior belongs.
As an example, the port and service information may be: "ports": [{"port": 80, "service": "http"}, {"port": 22, "service": "ssh"}].
Operating system configuration information (os_config): to reproduce some vulnerabilities, specific configuration information of the target system needs to be known, such as the configuration file of a Web server.
As an example, the operating system configuration information may be: "os_config": {"apache_config": "path/to/apache_config_file"}.
Network configuration information (network_config): the network connection modes inside and outside the container need to be configured, such as port mapping, bridged networking and the like.
As an example, the network configuration information may be:
Operating system user information (users): the operating system users required for vulnerability scanning, attacks and so on need to be created and configured.
As an example, the operating system user information may be "users": [{"name": "admin", "password": "password"}].
Operating system log information (logs): the logs need to be exported to the host for analysis and monitoring.
As an example, the operating system log information may be "logs": [{"path": "/var/log", "host_path": "/path/to/log"}].
In the above examples, each item of information is in json format.
Exploit information (exploit_info) is the attack behavior information triggered when a network attack succeeds. In the example, target_ip and target_port represent the IP address and port number of the attacker, payload represents the vulnerability type, and time represents the attack time.
Auxiliary information (additional_info) is other necessary information added manually, according to actual requirements, when the number of construction failures exceeds the threshold.
The attack file may be generated by the attack behavior information:
After the construction system receives the attack behavior information, it determines the received attack behavior information to be the exploit information; before executing S102 it then checks whether manually entered information exists and, if so, determines that information to be the auxiliary information, otherwise sets the auxiliary information to empty; finally it combines the two according to a specific format to obtain the attack file.
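The S101 to S102 procedure just described, as an added example rather than code from the patent: the seven attack behavior fields are validated, taken over verbatim as exploit_info, and combined with the manually entered information (or an empty object) into a JSON attack file. The key names, the optional attack traffic field, and the sample record are assumptions for this example; the payload, request and log values are placeholders, not captured attack data.

```python
"""Generate the attack file of step S102 from attack behaviour information.

Added example, not the patent's own code. The field names follow the page
(vulnerability type, attacker IP, attack time, attack payload, request message,
protocol type, original log; exploit_info / additional_info) but their exact
spelling is an assumption; the sample values below are constructed, and the
payload, request and log are placeholder strings rather than a captured request.
"""
import ipaddress
import json
from datetime import datetime
from typing import Dict, Optional

# The seven attack behaviour fields listed in S101.
REQUIRED_FIELDS = (
    "vulnerability_type", "attacker_ip", "attack_time", "payload",
    "request_message", "protocol_type", "original_log",
)
OPTIONAL_FIELDS = ("attack_traffic",)   # optional traffic-size field mentioned above


def validate_attack_behavior(info: Dict) -> None:
    """Reject incomplete or malformed attack behaviour information before it is
    turned into exploit information."""
    missing = [k for k in REQUIRED_FIELDS if k not in info]
    if missing:
        raise ValueError(f"attack behaviour information lacks fields: {missing}")
    ipaddress.ip_address(info["attacker_ip"])      # ValueError on a malformed address
    datetime.fromisoformat(info["attack_time"])    # attack time must be ISO 8601


def build_attack_file(info: Dict, manual_input: Optional[Dict] = None) -> Dict:
    """exploit_info is the attack behaviour information as received; additional_info
    is the manually entered information if any, otherwise empty."""
    validate_attack_behavior(info)
    exploit_info = {k: info[k] for k in REQUIRED_FIELDS}
    for k in OPTIONAL_FIELDS:
        if k in info:
            exploit_info[k] = info[k]
    additional_info = dict(manual_input) if manual_input else {}
    return {"exploit_info": exploit_info, "additional_info": additional_info}


def to_json(attack_file: Dict) -> str:
    """Serialise in the JSON format the page gives as one possible attack file format."""
    return json.dumps(attack_file, indent=2, sort_keys=True, ensure_ascii=False)


# Constructed sample attack behaviour information (not from the page).
SAMPLE_ATTACK_BEHAVIOR = {
    "vulnerability_type": "EXAMPLE-VULN-TYPE",
    "attacker_ip": "198.51.100.23",            # documentation-range address
    "attack_time": "2023-11-30T08:15:42+08:00",
    "payload": "<placeholder payload>",
    "request_message": "POST /example HTTP/1.1 <placeholder body>",
    "protocol_type": "HTTP",
    "original_log": "<placeholder SOC log line>",
}

if __name__ == "__main__":
    print(to_json(build_attack_file(SAMPLE_ATTACK_BEHAVIOR, {"note": "added by analyst"})))
```

Validating the attacker address and timestamp before the file is written keeps a malformed SOC record from propagating into the image composition and verification steps that consume the attack file later.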
As one example, the json-format attack file generated in S102 may be the following file instance.
S103, generating a vulnerability verification file according to the attack file, and generating an image composition file according to the victim information, wherein the image composition file comprises the images required by the vulnerability environment, the container starting sequence and the port mapping; the vulnerability verification file is used for verifying whether the vulnerability environment is successfully reproduced.
The image composition file may also be referred to as a docker-compose file. The image composition file is used for defining the containerized deployment mode of the vulnerability environment.
The vulnerability verification file is used for verifying the vulnerability environment and ensuring that the vulnerability environment can be successfully reproduced.
The format of the image composition file is not limited in this embodiment; in some examples, the image composition file may be a template file in YAML format.
As an example, the image composition file generated in step S103 may be a template file instance in YAML format as follows.
In the above example, image: ubuntu:20.04 indicates an image required by the vulnerability environment; the entries weblogic, db and networks are arranged in order, which indicates the container start-up order; and the ports key with the subsequent port numbers 80:8080 and 22:22 indicates the port mapping.
Referring to fig. 2, in step S103, a vulnerability verification file is generated according to an attack file, and a manner of generating an image composition file according to victim information may include the following steps.
S201, determining target software and other software depending on the target software according to the victim information.
The construction system can determine the target software targeted by the current network attack according to the software information in the victim information, and determine the other software and components on which the target software depends according to the software dependent component information. For example, it may determine that the target software targeted by the current network attack is weblogic, and that the other software on which the target software depends comprises libssl-dev and mysql-client.
S202, obtaining the containerized deployment information of the target software and the containerized deployment information of other software from the target system.
The containerized deployment information of the target software and of the other software can be read from the system log of the target system to which the target software belongs. In this step, the construction system can extract the access path of the system log of the target system from the operating system information in the victim information, then access the system log of the target system according to that access path, and acquire the containerized deployment mode of the target software and the other software from the system log.
S203, determining the starting sequence of the target software and other software in the target system.
The starting sequence may also be obtained from the system log of the target system. The construction system can query the system log of the target system for which software the target system started before the attack time, together with the time stamps of those starts, and determine the starting sequence of the target software and the other software according to their time stamps.
S204, combining the containerized deployment information of the target software and the containerized deployment information of other software according to the starting sequence to obtain a mirror image composition file.
When the image composition file is combined, the containerized deployment information of software that is started earlier is arranged nearer the front of the image composition file, and the containerized deployment information of software that is started later is arranged nearer the back, so that the starting sequence of the containers is reflected by the order of the containerized deployment information.
For example, if the starting sequence is that the other software B is started first, then the target software A, and then the other software C, then in the image composition file the containerized deployment information of the other software B is arranged at the beginning of the file, the containerized deployment information of the target software A follows the end of that of the other software B, and the containerized deployment information of the other software C follows the end of that of the target software A.
S205, the vulnerability utilization information and the vulnerability information of the same kind recorded in the attack file are formed into a vulnerability verification file.
The vulnerability information of the same kind refers to other exploit information, recorded in attack files corresponding to earlier attack behaviors, whose vulnerability type is the same as that of the exploit information recorded in the attack file corresponding to the present attack behavior. For example, if the exploit information recorded in the attack file corresponding to the present attack behavior is denoted exploit information 1, whose vulnerability type is type X, and network attack behaviors exploiting vulnerabilities of type X occurred twice before the present attack behavior, then the exploit information corresponding to those two network attack behaviors is the exploit information of the same kind referred to in S205.
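The ordering and grouping of steps S201 to S205, as an added example in Python that is not part of the patent: the log line format, the field names of the victim information, deployment information and attack files, and all sample data are constructed assumptions, and the YAML renderer is a minimal stand-in for a real compose writer.

```python
import re
from datetime import datetime

# Constructed victim information (assumed keys): the target software and
# the other software it depends on, as determined in S201.
VICTIM_INFO = {
    "software": "weblogic",
    "dependencies": ["libssl-dev", "mysql-client"],
}

# Constructed containerized deployment information per software. The patent
# reads this from the target system (S202); it is embedded here to run offline.
DEPLOY_INFO = {
    "mysql-client": {"image": "mysql:8.0", "ports": ["3306:3306"]},
    "libssl-dev": {"image": "ubuntu:20.04"},
    "weblogic": {"image": "ubuntu:20.04", "ports": ["80:8080", "22:22"]},
}

# Constructed system log lines standing in for the target system's log.
# The last line is a restart after the attack time and must be ignored.
SYSLOG = """\
2023-11-01T08:00:01 systemd[1]: Started mysql-client.
2023-11-01T08:00:05 systemd[1]: Started libssl-dev.
2023-11-01T08:00:09 systemd[1]: Started weblogic.
2023-11-01T08:30:00 systemd[1]: Started cron.
2023-11-01T09:30:00 systemd[1]: Started weblogic.
"""
ATTACK_TIME = datetime(2023, 11, 1, 9, 0, 0)
LOG_RE = re.compile(r"^(\S+) \S+ Started (\S+)\.$")


def start_order(log_text, attack_time, software):
    """S203: software names sorted by their earliest start before the attack
    time; services outside `software` and later restarts are ignored."""
    first = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, name = datetime.fromisoformat(m.group(1)), m.group(2)
        # default attack_time enforces "started before the attack" on first sight
        if name in software and ts < first.get(name, attack_time):
            first[name] = ts
    return sorted(first, key=first.get)


def build_compose(victim_info, deploy_info, log_text, attack_time):
    """S201-S204: arrange each software's deployment information in start
    order so that the service order reflects the container start order."""
    software = [victim_info["software"]] + list(victim_info["dependencies"])
    order = start_order(log_text, attack_time, set(software))
    missing = set(software) - set(order)
    if missing:  # no start record before the attack: the order is unknown
        raise ValueError(f"no start time before attack for: {sorted(missing)}")
    services = {name: dict(deploy_info[name]) for name in order}
    return {"version": "3", "services": services}


def render_compose(compose):
    """Minimal YAML rendering for the dict shape built above (no PyYAML);
    dict insertion order preserves the start order."""
    out = [f'version: "{compose["version"]}"', "services:"]
    for name, spec in compose["services"].items():
        out.append(f"  {name}:")
        out.append(f"    image: {spec['image']}")
        if spec.get("ports"):
            out.append("    ports:")
            out.extend(f'      - "{p}"' for p in spec["ports"])
    return "\n".join(out) + "\n"


# Constructed attack files using the page's exploit_info field names
# (payload holds the vulnerability type); additional_info is empty here.
ATTACK_FILE = {
    "exploit_info": {"target_ip": "192.0.2.10", "target_port": 8080,
                     "payload": "type_x", "time": "2023-11-01T09:00:00"},
    "additional_info": {},
}
PREVIOUS_ATTACK_FILES = [
    {"exploit_info": {"target_ip": "192.0.2.11", "target_port": 8080,
                      "payload": "type_x", "time": "2023-10-20T11:00:00"}},
    {"exploit_info": {"target_ip": "192.0.2.12", "target_port": 22,
                      "payload": "type_y", "time": "2023-10-25T15:00:00"}},
    {"exploit_info": {"target_ip": "192.0.2.13", "target_port": 8080,
                      "payload": "type_x", "time": "2023-10-28T10:00:00"}},
]


def build_verification_file(attack_file, previous_attack_files):
    """S205: the current exploit information plus the exploit information of
    earlier attack files with the same vulnerability type."""
    current = attack_file["exploit_info"]
    same_kind = [f["exploit_info"] for f in previous_attack_files
                 if f["exploit_info"]["payload"] == current["payload"]]
    return {"vulnerability_type": current["payload"],
            "exploits": [current] + same_kind}
```

Running `render_compose(build_compose(VICTIM_INFO, DEPLOY_INFO, SYSLOG, ATTACK_TIME))` prints the services in the order mysql-client, libssl-dev, weblogic, with the 80:8080 and 22:22 port mappings under weblogic.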
S104, constructing a network target range image for reproducing the vulnerability environment by using the image composition file.
In step S104, the construction system may use existing image packaging technology to package the image composition file into an image file, which is the network target range image. The specific packaging process can be referred to in the related art and will not be described in detail.
Optionally, when the network target range image is constructed, considering that a plurality of vulnerabilities integrated in the same environment may influence or conflict with each other, an independent container file can be packaged for each vulnerability existing in the target system, so that when the network target range image is run, a plurality of mutually independent containers are generated, each container having only one vulnerability; vulnerability isolation and separation are thereby achieved, and different vulnerabilities are prevented from influencing or conflicting with each other.
S105, performing network attack on the network target image based on the vulnerability verification file to verify whether the network target image is successfully constructed.
If it is determined that the network target image construction is successful, step S106 is performed, and if it is determined that the network target image construction is failed, step S107 is performed.
The method for verifying whether the network target range image is successfully constructed may include:
A1, running the network target range image to obtain a network target range container corresponding to the network target range image.
In step A1, the network target range container may be generated based on cloud technology.
A2, performing a network attack on the network target range container based on the vulnerability verification file.
In step A2, when a network attack is performed on the network target range container, the pieces of exploit information recorded in the vulnerability verification file can be obtained from that file, and then the network attack is performed on the network target range container according to the attack load recorded in each piece of exploit information, using the exploit corresponding to the vulnerability type.
Optionally, when the network target range container comprises a plurality of mutually independent containers, each having only one vulnerability, each network attack may locate, among the plurality of containers, the container having the vulnerability of the type being exploited, and attack that container.
A3, if the network attack on the network target range container succeeds, determining that the network target range image is successfully constructed.
A4, if the network attack on the network target range container fails, determining that the construction of the network target range image has failed.
In steps A3 and A4, if the network attack succeeds, this indicates that the corresponding vulnerability exists, and it can then be determined that the construction of the network target range image succeeded; if the network attack fails, this indicates that the corresponding vulnerability does not exist, and it can then be determined that the construction of the network target range image failed.
If the vulnerability verification file records a plurality of pieces of vulnerability information, the network target range image can be determined to be successfully constructed only when the network attack initiated based on every piece of vulnerability information succeeds; if the network attack corresponding to at least one piece of vulnerability information fails, the construction of the network target range image is determined to have failed.
S106, outputting the network target range mirror image.
Optionally, the output network target range image may be uploaded to an image repository for storage.
S107, generating a new image composition file according to the attack file.
In step S107, the construction system may determine, according to the attack file, more other software that the target software depends on, and combine the further determined containerized deployment information of the other software into the image composition file according to the corresponding starting sequence, to obtain a new image composition file.
For example, assuming that the generated first version of image composition file includes the containerized deployment information of the target software a and the other software B and C directly depended on by the target software, when generating the new image composition file, the building system may further obtain containerized deployment information of the other software D and E depended on by the other software B and C, and add the containerized deployment information of the other software D and E to the image composition file to obtain the new image composition file. The other software D and E correspond to the software indirectly relied on by the target software a.
Optionally, before generating the new image composition file, a prompt message may be output to prompt a related technician to manually input information for assisting in generating the image composition file, where the information may be recorded in auxiliary information of the attack file, and then the building system may use the auxiliary information to generate the new image composition file when generating the new image composition file.
Optionally, the construction system may further update the containerized deployment information of the old image composition file, replacing the lower-version containerized deployment information therein with a higher-version one, or replacing the higher-version containerized deployment information with a lower-version one, thereby obtaining the new image composition file.
S108, judging whether the failure times are larger than a failure times threshold value.
If the number of failures is greater than the threshold number of failures, step S109 is executed, and if the number of failures is not greater than the threshold number of failures, step S104 is executed again.
The failure times threshold can be set as required, and is not limited. Illustratively, the failure number threshold may be set to 3.
The number of failures may be understood as the number of times that step S105 is performed and the verification result is a build failure, for example, the number of failures is 1 when S105 is performed for the first time and the build failure is determined, the number of failures is 2 when S105 is performed for the second time and the build failure is determined, the number of failures is 3 when S105 is performed for the third time and the build failure is determined, and so on.
In some alternative embodiments, step S108 may also be performed after the image component file is generated, where the number of failures may be changed to the number of times the image component file is generated, and the threshold of failure times may be changed to the threshold of times the image component file is generated. That is, S108 may instead determine whether the number of times the image constituent file is generated is less than the generation number threshold.
In this case, if the number of times the image composition file is generated is less than the generation number threshold, S105 may be performed to verify whether the construction is successful, and if the number of times the image composition file is generated is greater than or equal to the generation number threshold, S109 may be performed to prompt a related technician to regenerate the image composition file after manually modifying the attack file.
Correspondingly, in the case that S108 is performed before S105 is performed, if S105 verifies that the construction of the network target image fails, S107 may be directly performed, S108 is performed after a new image composition file is generated through S107 to determine whether the number of times of generating the image composition file is smaller than the threshold number of times of generating, and if so, S105 is performed again.
After each manual modification of the attack file, the number of failures or the number of times the image composition file has been generated is cleared, and accumulation restarts.
S109, outputting error reporting information and marking the functional point of the execution failure.
The functional points with failure execution refer to functional points with failure network attack behaviors in the network target range mirror image.
The error reporting information may include marking information of the functional points of the execution failure, the number of failures, the network target image, the attack file and the image composition file when each failure occurs, and in addition, the error reporting information may also prompt a related technician to manually intervene.
The function point of marking execution failure is used for assisting the manual completion of modification of the attack file. After the attack file is manually modified, the above steps S103 to S109 may be repeated until the network target image is successfully constructed.
Optionally, the number of manual modification times of the attack file may also have a corresponding modification time threshold, and if the number of times of manually modifying the attack file reaches the modification time threshold, the attack file may not be modified any more, and the network target image may not be attempted to be constructed any more. In this case, the build system may output a detailed build report and an error log.
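The construction, verification and retry loop of steps S104 to S109, as an added example in Python that is not part of the patent: the dependency graph, the simulated range and attack probe, and the rule that each regenerated composition file adds one more level of dependent software are constructed assumptions standing in for the real container run and network attack.

```python
# Constructed dependency graph: target A directly depends on B and C, which
# in turn depend on D and E (the indirectly depended-on software of S107).
DEPENDS_ON = {"A": ["B", "C"], "B": ["D"], "C": ["E"], "D": [], "E": []}

# Constructed stand-in for the vulnerability environment: a vulnerability
# type can only be triggered when all of its required software is running.
# type_z needs software Z that no dependency level provides.
REQUIRED_FOR = {"type_x": {"A", "D"}, "type_y": {"A", "E"}, "type_z": {"A", "Z"}}

FAILURE_THRESHOLD = 3  # the illustrative value the page gives for S108


def dependencies_to_depth(target, depth):
    """Breadth-first list of software the target depends on, up to `depth`
    levels: depth 1 is the directly depended-on software, depth 2 adds the
    software those depend on, and so on."""
    found, frontier = [], [target]
    for _ in range(depth):
        nxt = []
        for name in frontier:
            for dep in DEPENDS_ON.get(name, []):
                if dep not in found and dep != target:
                    found.append(dep)
                    nxt.append(dep)
        frontier = nxt
    return found


def generate_compose(target, depth):
    """S103/S107: the composition file lists the target and its dependencies;
    each regeneration widens the dependency depth by one level."""
    return {"services": [target] + dependencies_to_depth(target, depth)}


def run_range(compose):
    """A1, simulated: running the image yields a container whose software
    set is exactly the services of the composition file."""
    return {"running": set(compose["services"])}


def attack_succeeds(container, vuln_type):
    """A2/A3, simulated probe: the attack succeeds only if the container has
    the vulnerability, i.e. all software required by that type is present."""
    required = REQUIRED_FOR.get(vuln_type)
    return required is not None and required <= container["running"]


def verify(container, verification_file):
    """S105: every exploit entry of the verification file must succeed;
    returns (ok, list of vulnerability types whose attack failed)."""
    failed = [v for v in verification_file if not attack_succeeds(container, v)]
    return not failed, failed


def construct_range(target, verification_file, threshold=FAILURE_THRESHOLD):
    """S104 to S109 as one loop. Returns a success record with the final
    composition file, or an error record marking the failed functional
    points (vulnerability types whose attack failed) and the failure count."""
    failures, depth = 0, 1
    compose = generate_compose(target, depth)              # S103
    while True:
        container = run_range(compose)                     # S104 + A1
        ok, failed = verify(container, verification_file)  # S105
        if ok:                                             # S106
            return {"status": "success", "compose": compose, "failures": failures}
        failures += 1
        depth += 1
        compose = generate_compose(target, depth)          # S107
        if failures > threshold:                           # S108 -> S109
            return {"status": "error", "failed_points": failed,
                    "failures": failures, "compose": compose}
```

With the verification file ["type_x", "type_y"] the first composition file (A, B, C) fails, the regenerated one (A, B, C, D, E) succeeds after one failure; with ["type_x", "type_z"] the loop stops at the fourth failure and marks type_z as the failed functional point.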
The beneficial effects of this embodiment lie in:
The construction method provided by this embodiment can quickly construct a network target range image when a network attack succeeds, for use by researchers in network security operation, maintenance and analysis; it avoids the influence of irrelevant operations on subsequent network attack analysis, can provide a stable, real and reproducible vulnerability environment for enterprise staff to use, solves the problems that existing network target ranges cannot train against the characteristics of the enterprise, have poor training effect and cannot truly provide a vulnerability reproduction environment, and has practical and promotional value. The network target range image can be generated and verified using the information on network attack behaviors actually encountered by the security operation center, so that the generated network target range image is guaranteed to closely restore the real network environment and network vulnerabilities of the security operation center, achieving the effect of constructing a network target range with a high degree of restoration.
Further, the embodiment also has the following beneficial effects:
Network attacks suffered by enterprises in daily operation often involve sensitive data, so a traditional target range cannot provide a sufficiently targeted network target range for training. This technical scheme can make use of the enterprise's complete information: a JSON and docker-compose.yml file format is designed, the construction information of the vulnerability reproduction environment is obtained when a network attack succeeds, the vulnerability can be reproduced efficiently and stably, network security personnel can devote more effort to network security analysis, and a training environment that matches the characteristics of the enterprise is provided.
Through linkage with the SOC platform, this technical scheme fully exploits the capability of the enterprise's security equipment, realizes rapid response to security events, can reconstruct the vulnerability environment efficiently and accurately, brings convenience to the vulnerability research of security researchers, solves the problems of a low reproduction success rate and a high construction cost of vulnerability environments caused by missing and inaccurate vulnerability information, and helps the enterprise to handle security vulnerabilities existing in its applications in time.
The embodiment of the application also provides a device for constructing a network target range; please refer to fig. 3, which is a schematic structural diagram of the device. The device may include the following units.
The acquiring unit 301 is configured to acquire attack behavior information and victim information of a network attack behavior when the security operation center platform detects the network attack behavior, where the attack behavior information includes a vulnerability type, an IP address of an attacker, and attack time;
the attack behavior information comprises a vulnerability type, an IP address of an attacker, attack time, an attack load, a request message, a protocol type and an original log;
the victim information includes base images, operating system version and patch information, software dependent component information, port and service information, operating system configuration information, network configuration information, operating system user information, operating system log information.
A first generating unit 302, configured to generate an attack file according to the attack behavior information; the attack file comprises exploit information and auxiliary information;
a second generating unit 303, configured to generate a vulnerability verification file according to the attack file, and generate a mirror image composition file according to the victim information; the image composition file comprises images required by the vulnerability environment, a container starting sequence and port mapping; the vulnerability verification file is used for verifying whether the vulnerability environment is successfully reproduced;
A construction unit 304, configured to construct a network target image for reproducing the vulnerability environment by using the image composition file;
a verification unit 305, configured to perform a network attack on the network target image based on the vulnerability verification file, so as to verify whether the network target image is successfully constructed;
and the output unit 306 is configured to output the network target range image if the network target range image is determined to be successfully constructed.
Optionally, the second generating unit 303 is further configured to, if it is determined that the construction of the network target range environment has failed, generate a new image composition file according to the attack file, and return to the step of constructing the network target range image for reproducing the vulnerability environment by using the image composition file, until the number of failures is greater than the failure number threshold or the network target range environment is successfully constructed;
the output unit 306 is further configured to output error reporting information and mark a functional point of execution failure if the number of failures is greater than the failure number threshold.
Optionally, the second generating unit 303 generates a vulnerability verification file according to the attack file, and is specifically configured to:
determining target software and other software depending on the target software according to the victim information, wherein the target software is software aimed at by network attack behaviors;
Obtaining containerized deployment information of target software and containerized deployment information of other software from a target system, wherein the target system is a system to which the target software belongs;
determining the starting sequence of target software and other software in a target system;
combining the containerized deployment information of the target software and the containerized deployment information of other software according to a starting sequence to obtain a mirror image composition file;
and forming the vulnerability verification file by the vulnerability utilization information and the vulnerability information of the same type recorded in the attack file.
Optionally, the verification unit 305 performs a network attack on the network target image based on the vulnerability verification file, so as to verify whether the network target image is successfully constructed, which is specifically configured to:
operating the network target range mirror image to obtain a network target range container corresponding to the network target range mirror image;
performing network attack on the network target range container based on the vulnerability verification file;
if the network attack on the network target range container is successful, determining that the network target range mirror image is constructed successfully;
if the network attack on the network range container fails, determining that the network range mirror construction fails.
Optionally, when the security operation center platform detects a network attack behavior, the obtaining unit 301 is specifically configured to:
In response to the detection of successful execution of the network attack behavior by the security operation center, sending an information acquisition request to the security operation center;
and receiving attack behavior information of network attack behavior fed back by the security operation center according to the information acquisition request.
The specific working principle and the beneficial effects of the device for constructing the network target range provided in this embodiment can be referred to the relevant steps and beneficial effects of the method for constructing the network target range provided in any embodiment of the present application, and are not described in detail.
An embodiment of the present application further provides an electronic device, please refer to fig. 4, which is a schematic structural diagram of the electronic device, and the electronic device may include a memory 401 and a processor 402.
Wherein the memory 401 is used for storing a computer program;
the processor 402 is configured to execute the above-mentioned computer program, and in particular, is configured to implement a method for constructing a network target range according to any embodiment of the present application.
It should be noted that, in the present specification, each embodiment is described in a progressive manner, each embodiment focuses on its differences from the other embodiments, and the identical and similar parts between the embodiments may be referred to each other.
For convenience of description, the above system or apparatus is described as being functionally divided into various modules or units, respectively. Of course, the functions of each element may be implemented in one or more software and/or hardware elements when implemented in the present application.
From the above description of embodiments, it will be apparent to those skilled in the art that the present application may be implemented in software plus a necessary general purpose hardware platform. Based on such understanding, the technical solutions of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the methods described in the embodiments or some parts of the embodiments of the present application.
Finally, it is further noted that relational terms such as first, second, third, fourth, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing is merely a preferred embodiment of the present application and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present application and are intended to be comprehended within the scope of the present application.
Claims (10)
1. A method of constructing a network target range, comprising:
when a security operation center platform detects a network attack behavior, acquiring attack behavior information and victim information of the network attack behavior; the victim information comprises a basic mirror image, an operating system version and patch information, software dependent component information, port and service information, operating system configuration information, network configuration information, operating system user information and operating system log information, and the attack behavior information comprises a vulnerability type, an IP address of an attacker, attack time, attack load, a request message, a protocol type and an original log;
generating an attack file according to the attack behavior information; the attack file comprises vulnerability exploitation information and auxiliary information;
generating a vulnerability verification file according to the attack file, and generating a mirror image composition file according to the victim information; the image composition file comprises images required by the vulnerability environment, a container starting sequence and port mapping; the vulnerability verification file is used for verifying whether the vulnerability environment is successfully reproduced;
Constructing a network target range image for reproducing the vulnerability environment by utilizing the image composition file;
performing network attack on the network target image based on the vulnerability verification file to verify whether the network target image is successfully constructed;
and if the network target range mirror image is determined to be successfully constructed, outputting the network target range mirror image.
2. The method of claim 1, wherein after performing a network attack on the network target image based on the vulnerability verification file to verify whether the network target image is successfully constructed, further comprising:
if the network target range environment construction failure is determined, generating a new image composition file according to the attack file, and returning to execute the step of constructing the network target range image for reproducing the vulnerability environment by using the image composition file until the failure times are greater than a failure times threshold or the network target range environment construction is successful;
if the failure times are greater than the failure times threshold, outputting error reporting information and marking the functional points of execution failure.
3. The method of claim 1, wherein generating a vulnerability verification file from the attack file and generating an image composition file from the victim information comprises:
Determining target software and other software depending on the target software according to the victim information, wherein the target software is the software aimed at by the network attack behavior;
obtaining containerized deployment information of the target software and containerized deployment information of the other software from a target system, wherein the target system is a system to which the target software belongs;
determining the starting sequence of the target software and the other software in the target system;
combining the containerized deployment information of the target software and the containerized deployment information of the other software according to the starting sequence to obtain a mirror image composition file;
and forming the vulnerability verification file by the vulnerability utilization information and the vulnerability information of the same type recorded in the attack file.
4. The method of claim 1, wherein the performing a network attack on the network target image based on the vulnerability verification file to verify whether the network target image was successfully constructed comprises:
operating the network range mirror image to obtain a network range container corresponding to the network range mirror image;
performing network attack on the network target range container based on the vulnerability verification file;
If the network attack on the network target range container is successful, determining that the network target range mirror image is successfully constructed;
if the network attack on the network range container fails, determining that the network range mirror construction fails.
5. The method according to claim 1, wherein when the secure operation center platform detects a network attack, obtaining attack information of the network attack, includes:
in response to the detection of successful execution of the network attack behavior by the security operation center, sending an information acquisition request to the security operation center;
and receiving attack behavior information of the network attack behavior fed back by the security operation center according to the information acquisition request.
6. An apparatus for constructing a network target range, comprising:
an acquisition unit, configured to acquire attack behavior information and victim information of a network attack behavior when a security operation center platform detects the network attack behavior, wherein the victim information comprises a basic image, an operating system version and patch information, software dependent component information, port and service information, operating system configuration information, network configuration information, operating system user information and operating system log information, and the attack behavior information comprises a vulnerability type, an IP address of an attacker, attack time, attack load, a request message, a protocol type and an original log;
The first generation unit is used for generating an attack file according to the attack behavior information; the attack file comprises vulnerability exploitation information and auxiliary information;
the second generating unit is used for generating a vulnerability verification file according to the attack file and generating an image composition file according to the victim information; the image composition file comprises images required by the vulnerability environment, a container starting sequence and port mapping; the vulnerability verification file is used for verifying whether the vulnerability environment is successfully reproduced;
the construction unit is used for constructing a network target range image for reproducing the vulnerability environment by utilizing the image composition file;
the verification unit is used for carrying out network attack on the network target range image based on the vulnerability verification file so as to verify whether the network target range image is successfully constructed;
and the output unit is used for outputting the network target range mirror image if the network target range mirror image is successfully constructed.
7. The apparatus of claim 6, wherein the second generation unit is further configured to, if it is determined that construction of the network target range image failed, generate a new image composition file according to the attack file and return to the step of constructing, by using the image composition file, a network target range image that reproduces the vulnerability environment, until the failure number is greater than a failure number threshold or construction of the network target range image succeeds;
and the output unit is further configured to output error reporting information and mark the functional point at which execution failed if the failure number is greater than the failure number threshold.
8. The apparatus of claim 6, wherein, when generating the vulnerability verification file according to the attack file and generating the image composition file according to the victim information, the second generation unit is specifically configured to:
determine, according to the victim information, the target software and the other software on which the target software depends, wherein the target software is the software targeted by the network attack behavior;
obtain containerized deployment information of the target software and containerized deployment information of the other software from a target system, wherein the target system is the system to which the target software belongs;
determine the start sequence of the target software and the other software in the target system;
combine the containerized deployment information of the target software and the containerized deployment information of the other software according to the start sequence to obtain the image composition file;
and form the vulnerability verification file from the vulnerability exploitation information and the vulnerability information of the same type recorded in the attack file.
9. The apparatus according to claim 6, wherein, when performing the network attack on the network target range image based on the vulnerability verification file to verify whether the network target range image was successfully constructed, the verification unit is specifically configured to:
run the network target range image to obtain a network target range container corresponding to the network target range image;
perform the network attack on the network target range container based on the vulnerability verification file;
if the network attack on the network target range container succeeds, determine that the network target range image was successfully constructed;
and if the network attack on the network target range container fails, determine that construction of the network target range image failed.
10. The apparatus of claim 6, wherein, when the security operation center platform detects a network attack behavior, the acquisition unit is specifically configured to:
in response to the security operation center detecting successful execution of the network attack behavior, send an information acquisition request to the security operation center;
and receive the attack behavior information of the network attack behavior fed back by the security operation center according to the information acquisition request.
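As an added example that is not the patent's own code, the Python below sketches claims 7 and 8 together: it combines the containerized deployment information of the target software and its dependencies into a compose-style image composition file in start order, then runs the build/verify/retry loop with a failure-number threshold and reports the functional point that failed. The `build`, `verify` and `regenerate` callables stand in for the construction unit, the verification unit and the regeneration step; all class, function and sample values are assumptions.

```python
# Added example, not the patent's own code: assemble an image composition file
# from victim information (claim 8) and run the build/verify/retry loop with a
# failure-number threshold (claim 7). Class and function names are assumed.
from dataclasses import dataclass, field

@dataclass
class Software:
    name: str
    image: str                                  # containerized deployment info
    ports: dict = field(default_factory=dict)   # container port -> host port
    depends_on: list = field(default_factory=list)

def start_order(target, others):
    """Order services so each dependency starts before the software using it."""
    by_name = {s.name: s for s in (target, *others)}
    ordered, seen = [], set()
    def visit(s):
        if s.name in seen:
            return
        seen.add(s.name)
        for dep in s.depends_on:
            visit(by_name[dep])
        ordered.append(s.name)
    for s in (target, *others):
        visit(s)
    return ordered

def image_composition_file(target, others):
    """Combine per-service deployment info, in start order, compose-style."""
    by_name = {s.name: s for s in (target, *others)}
    services = {}
    for name in start_order(target, others):
        s = by_name[name]
        services[name] = {"image": s.image,
                          "ports": [f"{h}:{c}" for c, h in s.ports.items()],
                          "depends_on": list(s.depends_on)}
    return {"services": services, "start_order": list(services)}

def build_and_verify(compose, build, verify, regenerate, threshold=3):
    """Build the range image and check it with the verification file; on failure
    regenerate the composition file and retry until success or until the failure
    number exceeds the threshold, then report the functional point that failed."""
    failures = 0
    while True:
        image = build(compose)
        if verify(image):
            return {"ok": True, "image": image, "failures": failures}
        failures += 1
        if failures > threshold:
            return {"ok": False, "failed_step": "verify", "failures": failures}
        compose = regenerate(compose)
```

In a real deployment `build` would invoke the container tooling on the composition file and `verify` would replay the vulnerability verification file against the started container; here both are stubs so the control flow can be exercised offline.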
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311635104.5A CN117499151A (en) | 2023-12-01 | 2023-12-01 | Method and device for constructing network target range |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117499151A true CN117499151A (en) | 2024-02-02 |
Family
ID=89678245
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117852048A (en) * | 2024-03-08 | 2024-04-09 | 华中科技大学 | Multi-dimensional attack vector-based soft and hard combined Internet of vehicles shooting range construction method |
CN117852048B (en) * | 2024-03-08 | 2024-06-07 | 华中科技大学 | Multi-dimensional attack vector-based soft and hard combined Internet of vehicles shooting range construction method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |