CN117610018A - Vulnerability simulation method and device - Google Patents

Vulnerability simulation method and device

Info

Publication number: CN117610018A
Application number: CN202311643712.0A
Authority: CN (China)
Prior art keywords: vulnerability, attack, information, simulation, preset
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN117610018B (en)
Inventor: 王广武
Current assignee: Shenzhen Dr Ma Network Technology Co ltd
Original assignee: Shenzhen Dr Ma Network Technology Co ltd
Priority: CN202311643712.0A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis


Abstract

The invention discloses a vulnerability simulation method and device comprising the following steps: collecting known vulnerability information, where the vulnerability information comprises vulnerability types, vulnerability descriptions and exploitation methods; configuring a vulnerability simulation environment according to the characteristics and requirements of the system, where the environment comprises a system configuration and a network configuration; executing simulated attacks for the known vulnerabilities in the simulation environment, where the simulated attacks comprise code injection, buffer overflow or other known exploitation methods; evaluating the security of the system according to the simulation result, analysing the hazard degree of each vulnerability and its possible attack paths, and obtaining a vulnerability evaluation result; and providing staff with corresponding repair suggestions and measures according to the evaluation result. By simulating and evaluating the vulnerabilities in the system, administrators and security experts are helped to find and repair potential security risks, and the security of the system is improved.

Description

Vulnerability simulation method and device
Technical Field
The present invention relates to the field of computer security, and in particular, to a vulnerability simulation method and apparatus.
Background
With the development of the internet and information technology, the security of computer systems receives increasing attention. However, because systems are large and complex, discovering and repairing vulnerabilities has become difficult. Traditional vulnerability scanning methods generally detect only known vulnerabilities and cannot simulate or evaluate unknown ones.
The patent application CN202211663617.2 discloses a vulnerability simulation method and device in which: in response to a first access request from attacker equipment to a website server, the first access request is intercepted and a target page is determined from it; page data corresponding to the first access request is obtained from the target page; and preset sensitive data in the page data is replaced, after which the page data with the replaced sensitive data is returned. This approach has the following drawbacks: intercepting the first access request may degrade the user experience, particularly under high concurrency, which can harm the performance of the website; determining the target page from the first access request alone is prone to misjudgement, and an attacker can bypass the target-page determination by forging the request or by other technical means and continue the attack; and the replacement of preset sensitive data in the page data can be erroneous or incomplete, so that inaccurate replacement leaks sensitive data or produces false reports.
A vulnerability simulation method and device are therefore needed.
Disclosure of Invention
The invention provides a vulnerability simulation method and device to address the problems of the prior art: as system scale and complexity grow, discovering and repairing vulnerabilities becomes difficult, and traditional vulnerability scanning can only detect known vulnerabilities and cannot simulate or evaluate unknown ones.
To achieve the above purpose, the present invention provides the following technical solutions:
The vulnerability simulation method comprises the following steps:
S101: collecting known vulnerability information, the vulnerability information comprising vulnerability types, vulnerability descriptions and exploitation methods;
S102: configuring a vulnerability simulation environment according to the characteristics and requirements of the system, the environment comprising a system configuration and a network configuration;
S103: executing simulated attacks for the known vulnerabilities in the vulnerability simulation environment, the simulated attacks comprising code injection, buffer overflow or other known exploitation methods;
S104: evaluating the security of the system according to the vulnerability simulation result, analysing the hazard degree of each vulnerability and its possible attack paths, and obtaining a vulnerability evaluation result;
S105: and providing staff with corresponding repair suggestions and measures according to the vulnerability evaluation result.
Step S101 comprises:
S1011: obtaining a preset set of vulnerability information source nodes, the set comprising a plurality of first vulnerability nodes, from which the vulnerability types, vulnerability descriptions and exploitation methods are extracted;
S1012: if the matching degree between a vulnerability description and the preset vulnerability description is higher than a preset matching-degree threshold, taking the corresponding first vulnerability node as a second vulnerability node;
S1013: and obtaining, through the second vulnerability node, at least one first vulnerability information item corresponding to the vulnerability, integrating the first vulnerability information items to obtain complete vulnerability information, and completing the collection.
Configuring the vulnerability simulation environment according to the characteristics and requirements of the system comprises:
obtaining a preset system-characteristic experience library and randomly selecting initial configuration parameters from it;
obtaining the initial matching index value corresponding to each initial configuration parameter, and taking the parameter as a key configuration parameter if its initial matching index value is greater than or equal to a preset initial matching threshold;
obtaining a preset network-requirement experience library and randomly selecting network configuration parameters from it;
obtaining the key matching index value corresponding to the key configuration parameter, and taking the corresponding network configuration parameter as an optimised network configuration parameter if the key matching index value is greater than or equal to a preset key matching threshold;
determining the system configuration, namely the operating system version and software version, based on the key configuration parameters;
determining the network configuration, namely the network topology and firewall settings, based on the optimised network configuration parameters;
and taking all key configuration parameters and optimised network configuration parameters as configuration samples and inputting them into a preset vulnerability simulation environment configuration model, which performs the environment configuration and yields the complete vulnerability simulation environment.
Executing the simulated attacks for known vulnerabilities in the vulnerability simulation environment comprises:
obtaining the current time and, at the same time, the attack reminder time, which lies a preset first time length before the start time of the simulated attack;
when the current time reaches the attack reminder time, generating attack reminder information for the vulnerability simulation attack according to a preset attack reminder information generation rule;
obtaining the actual attack information for a preset second time length after the attacker receives the attack reminder information, the actual attack information comprising the actual attack method and the actual attack time;
if the actual attack method includes the simulated attack methods of the known vulnerabilities, i.e. code injection and buffer overflow, the attack execution is successful;
otherwise, obtaining attack anomaly information for the corresponding attacker;
and determining a target anomaly management policy based on the attack anomaly information and carrying out the corresponding anomaly management.
Determining the target anomaly management policy based on the attack anomaly information comprises:
extracting an anomaly feature value from the attack anomaly information using a preset attack anomaly feature extraction template;
training a target attack anomaly management policy determination model;
inputting the anomaly feature value into the model to obtain the target attack anomaly management policy it outputs;
and carrying out the corresponding anomaly management measures according to that policy so as to ensure the safe and stable operation of the system.
The vulnerability simulation device comprises:
a vulnerability information collection module for collecting known vulnerability information, the vulnerability information comprising a vulnerability type, a vulnerability description and an exploitation method;
a vulnerability simulation configuration module for configuring a vulnerability simulation environment according to the characteristics and requirements of the system, the environment comprising a system configuration and a network configuration;
a vulnerability simulation execution module for executing simulated attacks for the known vulnerabilities in the simulation environment, the simulated attacks comprising code injection, buffer overflow or other known exploitation methods;
a vulnerability assessment and analysis module for assessing the security of the system according to the simulation result, analysing the hazard degree and possible attack paths of each vulnerability, and obtaining a vulnerability assessment result;
and a repair suggestion module for providing staff with corresponding repair suggestions and measures according to the assessment result.
The vulnerability information collection module comprises:
a first vulnerability information collection sub-module for obtaining a preset set of vulnerability information source nodes, the set comprising a plurality of first vulnerability nodes from which the vulnerability types, descriptions and exploitation methods are extracted;
a second vulnerability information collection sub-module for taking a first vulnerability node as a second vulnerability node if the matching degree between its vulnerability description and the preset vulnerability description is higher than a preset matching-degree threshold;
and a third vulnerability information collection sub-module for obtaining, through the second vulnerability node, at least one first vulnerability information item corresponding to the vulnerability, integrating the first vulnerability information items to obtain complete vulnerability information, and completing the collection.
Compared with the prior art, the invention has the following advantages:
The vulnerability simulation method comprises: collecting known vulnerability information, the vulnerability information comprising vulnerability types, vulnerability descriptions and exploitation methods; configuring a vulnerability simulation environment according to the characteristics and requirements of the system, the environment comprising a system configuration and a network configuration; executing simulated attacks for the known vulnerabilities in the simulation environment, the simulated attacks comprising code injection, buffer overflow or other known exploitation methods; evaluating the security of the system according to the simulation result, analysing the hazard degree of each vulnerability and its possible attack paths, and obtaining a vulnerability evaluation result; and providing staff with corresponding repair suggestions and measures according to the evaluation result. By simulating and evaluating the vulnerabilities in the system, administrators and security experts are helped to find and repair potential security risks, and the security of the system is improved.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
The technical scheme of the invention is described in further detail below with reference to the drawings and embodiments.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention. In the drawings:
FIG. 1 is a flowchart of a vulnerability simulation method according to an embodiment of the present invention;
FIG. 2 is a flow chart of collecting known vulnerability information according to an embodiment of the present invention;
FIG. 3 is a block diagram of a vulnerability simulation device according to an embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings, it being understood that the preferred embodiments described herein are for illustration and explanation of the present invention only, and are not intended to limit the present invention.
An embodiment of the invention provides a vulnerability simulation method comprising the following steps:
S101: collecting known vulnerability information, the vulnerability information comprising vulnerability types, vulnerability descriptions and exploitation methods;
S102: configuring a vulnerability simulation environment according to the characteristics and requirements of the system, the environment comprising a system configuration and a network configuration;
S103: executing simulated attacks for the known vulnerabilities in the vulnerability simulation environment, the simulated attacks comprising code injection, buffer overflow or other known exploitation methods;
S104: evaluating the security of the system according to the vulnerability simulation result, analysing the hazard degree of each vulnerability and its possible attack paths, and obtaining a vulnerability evaluation result;
S105: and providing staff with corresponding repair suggestions and measures according to the vulnerability evaluation result.
The working principle of this technical scheme is as follows. Vulnerability information collection: known vulnerability information, comprising vulnerability types, descriptions and exploitation methods, is collected through various channels (such as vulnerability reports and vulnerability databases); this information helps to identify potential security risks in the system.
Vulnerability simulation configuration: the vulnerability simulation environment is configured according to the characteristics and requirements of the system so that it reproduces the vulnerability conditions of the real environment; it comprises the system configuration (operating system version, software version and so on) and the network configuration (network topology, firewall settings and so on).
Vulnerability simulation: simulated attacks for the known vulnerabilities (code injection, buffer overflow or other known exploitation methods) are executed in the simulation environment; the simulated attacks verify whether the vulnerabilities exist in the system and show their impact on it.
Vulnerability assessment and analysis: the security of the system is assessed from the simulation result, the hazard degree and possible attack paths of each vulnerability are analysed, the security risks in the system are identified and the priority of each vulnerability is determined.
Repair suggestions: corresponding repair suggestions and measures are provided to staff according to the evaluation result, including patching the vulnerability, updating the software version and strengthening access control, so as to improve the security of the system.
Obtaining the vulnerability assessment result comprises:
obtaining a plurality of first evaluation strategies that jointly correspond to the vulnerability items (a first evaluation strategy is a strategy for evaluating vulnerability items, comprising the steps of feature extraction, hazard value association and adaptation evaluation);
traversing the first evaluation strategies in order and, for each traversed strategy, obtaining its corresponding feature-hazard value library (a feature-hazard value library stores the associations between different features and their hazard values);
splitting the vulnerability simulation result into a plurality of second vulnerability information items (sub-items of the simulation result, each containing specific features of the vulnerability and their hazard values);
extracting features from the second vulnerability information items to obtain a plurality of third features (features extracted from the second vulnerability information items for association with the feature-hazard value library);
determining the hazard value corresponding to each third feature from the feature-hazard value library and associating it with the corresponding second vulnerability information item;
accumulating the hazard values associated with each second vulnerability information item to obtain a hazard value sum;
obtaining the hazard value sum threshold corresponding to the traversed first evaluation strategy, and taking a second vulnerability information item as a third vulnerability information item if its hazard value sum is greater than or equal to that threshold (a third vulnerability information item is a sub-item obtained by feature extraction and hazard value association, containing the specific features and hazard values of the vulnerability);
obtaining the adaptation evaluation model corresponding to the traversed first evaluation strategy, performing adaptation evaluation of that strategy with the model on the third vulnerability information items, obtaining an adaptation value and associating it with the traversed strategy;
when the traversal of the first evaluation strategies is finished, accumulating the adaptation values associated with each first evaluation strategy to obtain an adaptation value sum;
taking the first evaluation strategy with the largest adaptation value sum as the second evaluation strategy;
and evaluating the vulnerability items based on the second evaluation strategy to obtain the vulnerability evaluation result, with the priority of each vulnerability determined according to the security risk it presents.
The beneficial effects of this technical scheme are as follows: the method helps organisations or individuals evaluate the security of a system, find potential vulnerabilities and security risks, and obtain corresponding repair suggestions and measures, so that vulnerabilities are repaired in time, system security is improved and potential attacks and data leakage are prevented; at the same time, the analysis of simulated attacks and evaluation results helps staff understand the hazard degree and possible attack paths of each vulnerability and develop targeted security strategies and measures, improving the overall security level of the system.
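The evaluation procedure above, worked through in code. This is an added example, not code from the patent: the feature-hazard libraries, thresholds, the adaptation model (a weighted feature count) and the sample simulation result are all constructed here for illustration, since the patent specifies none of them.

```python
"""Hazard scoring and evaluation-strategy selection for simulation results.

Added example, not code from the patent. It implements the evaluation
procedure described above: split the simulation result into items,
extract features, look up hazard values in each strategy's feature-hazard
library, keep items whose hazard sum reaches the strategy's threshold,
score each strategy with an adaptation model, and evaluate with the
strategy whose adaptation sum is highest. Libraries, thresholds, the
adaptation model and the sample result are constructed (assumptions).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class EvaluationStrategy:
    """A 'first evaluation strategy' with its feature-hazard value library."""
    name: str
    feature_hazard: Dict[str, int]        # feature -> hazard value
    hazard_threshold: int                 # hazard-value-sum threshold
    adaptation_weights: Dict[str, float]  # assumed adaptation model: feature weights


# Constructed sample simulation result: one record per simulated attack.
SIMULATION_RESULT = [
    {"item": "login-form", "features": ["code_injection", "unauthenticated", "network_reachable"]},
    {"item": "report-export", "features": ["buffer_overflow", "local_only"]},
    {"item": "health-endpoint", "features": ["info_disclosure"]},
]

# Constructed first evaluation strategies.
STRATEGIES = [
    EvaluationStrategy(
        name="remote-exposure",
        feature_hazard={"code_injection": 8, "buffer_overflow": 7, "unauthenticated": 5,
                        "network_reachable": 4, "info_disclosure": 1, "local_only": 0},
        hazard_threshold=10,
        adaptation_weights={"network_reachable": 1.0, "unauthenticated": 1.0},
    ),
    EvaluationStrategy(
        name="memory-safety",
        feature_hazard={"buffer_overflow": 9, "code_injection": 3, "local_only": 2,
                        "unauthenticated": 1, "network_reachable": 1, "info_disclosure": 0},
        hazard_threshold=8,
        adaptation_weights={"buffer_overflow": 1.0, "local_only": 0.5},
    ),
]


def split_items(simulation_result: List[dict]) -> List[dict]:
    """Split the simulation result into second vulnerability information items."""
    return [dict(record) for record in simulation_result]


def extract_features(item: dict) -> List[str]:
    """Third features: the keys the feature-hazard library is looked up by."""
    return list(item["features"])


def hazard_sum(features: List[str], library: Dict[str, int]) -> int:
    """Associate a hazard value with each feature and accumulate the sum."""
    return sum(library.get(feature, 0) for feature in features)


def evaluate_with_strategy(strategy: EvaluationStrategy, items: List[dict]) -> Tuple[List[dict], float]:
    """Return the third vulnerability items (hazard sum >= threshold) and the adaptation value."""
    third_items = []
    for item in items:
        total = hazard_sum(extract_features(item), strategy.feature_hazard)
        if total >= strategy.hazard_threshold:
            third_items.append({**item, "hazard_sum": total})
    # Adaptation evaluation (assumed model): how strongly the retained items
    # exhibit the features this strategy was designed around.
    adaptation = sum(strategy.adaptation_weights.get(feature, 0.0)
                     for item in third_items for feature in item["features"])
    return third_items, adaptation


def select_strategy(strategies: List[EvaluationStrategy], simulation_result: List[dict]):
    """Traverse every strategy; the highest adaptation sum becomes the second strategy."""
    items = split_items(simulation_result)
    best = None
    for strategy in strategies:
        third_items, adaptation = evaluate_with_strategy(strategy, items)
        if best is None or adaptation > best[1]:
            best = (strategy, adaptation, third_items)
    return best


def prioritise(simulation_result: List[dict], strategies=STRATEGIES) -> dict:
    """Vulnerability evaluation result: items ranked by hazard sum under the selected strategy."""
    strategy, adaptation, third_items = select_strategy(strategies, simulation_result)
    ranked = sorted(third_items, key=lambda item: item["hazard_sum"], reverse=True)
    return {"strategy": strategy.name, "adaptation": adaptation,
            "priority": [(item["item"], item["hazard_sum"]) for item in ranked]}


if __name__ == "__main__":
    print(prioritise(SIMULATION_RESULT))
```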
In another embodiment, step S101 comprises:
S1011: obtaining a preset set of vulnerability information source nodes, the set comprising a plurality of first vulnerability nodes, from which the vulnerability types, vulnerability descriptions and exploitation methods are extracted;
S1012: if the matching degree between a vulnerability description and the preset vulnerability description is higher than a preset matching-degree threshold, taking the corresponding first vulnerability node as a second vulnerability node;
S1013: and obtaining, through the second vulnerability node, at least one first vulnerability information item corresponding to the vulnerability, integrating the first vulnerability information items to obtain complete vulnerability information, and completing the collection.
The working principle of this technical scheme is as follows: a plurality of first vulnerability nodes are obtained from the preset set of vulnerability information source nodes; the first vulnerability nodes carry information such as vulnerability types, descriptions and exploitation methods and are the sources of the known vulnerability information;
the extracted vulnerability description is matched against the preset vulnerability description, and if the matching degree is higher than the preset matching-degree threshold, the corresponding first vulnerability node is taken as a second vulnerability node; the threshold can be set according to actual requirements and serves to screen for vulnerability information that conforms to the preset description;
at least one first vulnerability information item corresponding to the vulnerability is obtained through the second vulnerability node; a first vulnerability information item is a specific piece of information in the first vulnerability node, such as the vulnerability type, description or exploitation method, and integrating the first vulnerability information items yields the complete vulnerability information.
The beneficial effects of this technical scheme are as follows: vulnerability information is collected effectively and integrated into complete vulnerability information. Obtaining the preset set of source nodes yields a plurality of first vulnerability nodes carrying key information such as vulnerability types, descriptions and exploitation methods; matching the descriptions screens out the vulnerability information that conforms to the preset description as second vulnerability nodes; and obtaining and integrating the first vulnerability information items yields complete vulnerability information, so that organisations or individuals can understand the vulnerabilities present in a system and formulate corresponding repair measures, improving its security. The preset matching-degree threshold also allows the screening to be tuned to actual requirements, improving the accuracy and usability of the vulnerability information.
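Steps S1011 to S1013, as an added example that is not part of the patent: the source nodes, the preset description and the threshold are constructed, and the matching degree is computed as a token-set Jaccard similarity, which is an assumption because the patent does not say how the matching degree is obtained.

```python
"""Known-vulnerability collection (step S101) as a match-and-merge pipeline.

Added example, not the patent's code. It walks a constructed set of
vulnerability source nodes, scores each node's description against a
preset description, keeps the nodes whose matching degree exceeds the
preset threshold as second vulnerability nodes, and integrates their
information items into one complete record. The Jaccard matching
metric, the threshold and all sample data are assumptions.
"""
import re
from typing import Dict, List

PRESET_DESCRIPTION = "buffer overflow in image parser"  # constructed preset description
MATCH_THRESHOLD = 0.4                                    # preset matching-degree threshold (assumed)

# Constructed first vulnerability nodes from several information sources.
SOURCE_NODES = [
    {"source": "advisory-feed", "type": "buffer overflow",
     "description": "stack buffer overflow in image parser when width field exceeds buffer",
     "exploitation": "crafted image file with oversized width field"},
    {"source": "bug-tracker", "type": "buffer overflow",
     "description": "heap overflow in the image parser thumbnail code",
     "exploitation": "crafted thumbnail in an uploaded image"},
    {"source": "scanner-report", "type": "sql injection",
     "description": "sql injection in login form",
     "exploitation": "crafted username parameter"},
    {"source": "crash-log", "type": "denial of service",
     "description": "image parser crashes on truncated file",
     "exploitation": "truncated image file"},
]


def tokens(text: str) -> set:
    """Lower-cased word tokens used for description matching."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def match_degree(description: str, preset: str) -> float:
    """Jaccard similarity of the two descriptions' token sets (assumed metric)."""
    a, b = tokens(description), tokens(preset)
    return len(a & b) / len(a | b) if a | b else 0.0


def select_second_nodes(nodes: List[Dict], preset: str, threshold: float) -> List[Dict]:
    """S1012: a first node becomes a second node when its matching degree exceeds the threshold."""
    return [node for node in nodes if match_degree(node["description"], preset) > threshold]


def integrate(second_nodes: List[Dict]) -> Dict:
    """S1013: merge the information items of the second nodes into complete vulnerability information."""
    def unique(values):
        seen = []
        for value in values:
            if value not in seen:
                seen.append(value)
        return seen
    return {
        "types": sorted(unique(node["type"] for node in second_nodes)),
        "descriptions": unique(node["description"] for node in second_nodes),
        "exploitation_modes": unique(node["exploitation"] for node in second_nodes),
        "sources": unique(node["source"] for node in second_nodes),
    }


def collect_vulnerability_info(nodes: List[Dict], preset: str = PRESET_DESCRIPTION,
                               threshold: float = MATCH_THRESHOLD) -> Dict:
    """S101 end to end; returns an empty record when no node matches the preset description."""
    second = select_second_nodes(nodes, preset, threshold)
    if not second:
        return {"types": [], "descriptions": [], "exploitation_modes": [], "sources": []}
    return integrate(second)


if __name__ == "__main__":
    print(collect_vulnerability_info(SOURCE_NODES))
```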
In another embodiment, configuring the vulnerability simulation environment according to the characteristics and requirements of the system comprises:
acquiring a preset system characteristic experience library, and randomly selecting initial configuration parameters from the system characteristic experience library;
acquiring an initial matching index value corresponding to the initial configuration parameter, and taking the corresponding initial configuration parameter as a key configuration parameter if the initial matching index value is greater than or equal to a preset initial matching threshold value;
acquiring a preset network demand experience library, and randomly selecting network configuration parameters from the network demand experience library;
acquiring a key matching index value corresponding to the key configuration parameter, and taking the corresponding network configuration parameter as an optimized network configuration parameter if the key matching index value is greater than or equal to a preset key matching threshold value;
determining the system configuration, namely the operating system version and the software version, based on the key configuration parameters;
determining the network configuration, namely the network topology and the firewall settings, based on the optimized network configuration parameters;
and taking all the key configuration parameters and the optimized network configuration parameters as configuration samples, and inputting the configuration samples into a preset vulnerability simulation environment configuration model for environment configuration to obtain a complete vulnerability simulation environment.
The working principle of the technical scheme is as follows. System configuration (operating system version, software version) of the vulnerability simulation environment: a preset system characteristic experience library is acquired, which records the characteristics and requirements of the system, and initial configuration parameters are randomly selected from it, each initial configuration parameter representing one characteristic or requirement of the system; the initial matching index value corresponding to the initial configuration parameter is acquired, this value representing the degree to which the initial configuration parameter matches the actual system; if the initial matching index value is greater than or equal to the preset initial matching threshold value, the corresponding initial configuration parameter is taken as a key configuration parameter; and system configuration such as the operating system version and software version is determined based on the key configuration parameters.
Network configuration (network topology, firewall settings) of the vulnerability simulation environment: a preset network demand experience library is acquired, which records network demands and configuration requirements; network configuration parameters are randomly selected from the network demand experience library, each network configuration parameter representing one demand or configuration requirement of the network; the key matching index value corresponding to the key configuration parameter is acquired, this value representing the degree to which the key configuration parameter matches the actual network; if the key matching index value is greater than or equal to the preset key matching threshold value, the corresponding network configuration parameter is taken as an optimized network configuration parameter; and network configuration such as the network topology and firewall settings is determined based on the optimized network configuration parameters.
Configuration of the vulnerability simulation environment: all the key configuration parameters and optimized network configuration parameters are used as configuration samples and input into a preset vulnerability simulation environment configuration model, which completes the configuration of the vulnerability simulation environment (system configuration and network configuration) according to its rules and algorithms; finally, a complete vulnerability simulation environment is obtained for subsequent simulated attack and vulnerability assessment.
Assume that the preset system characteristic experience library contains information items stating that the operating system version is Windows 10 and the software version is Apache 2.4.29, and that the preset network demand experience library contains information items stating that the network topology is a three-layer structure and the firewall is set to allow a specific port. Initial configuration parameters are randomly selected from the system characteristic experience library; assuming the selection is "operating system version: Windows 10", the corresponding initial matching index value is obtained, here 0.8, which is higher than the preset initial matching threshold value of 0.7, so "operating system version: Windows 10" is taken as a key configuration parameter. Network configuration parameters are randomly selected from the network demand experience library; assuming the selection is "network topology: three-layer structure", the key matching index value corresponding to the key configuration parameter is obtained, here 0.9, which is higher than the preset key matching threshold value of 0.8, so "network topology: three-layer structure" is taken as an optimized network configuration parameter.
The operating system version is determined to be Windows 10 based on the key configuration parameter, and the network topology is determined to be a three-layer structure based on the optimized network configuration parameter; the key configuration parameter and the optimized network configuration parameter are taken as configuration samples and input into the preset vulnerability simulation environment configuration model, which completes the system configuration and network configuration according to its rules and algorithms. Finally, a complete vulnerability simulation environment is obtained in which the system is configured as Windows 10, the software version is determined by the configuration model, the network is configured as a three-layer structure, and the firewall settings are determined by the configuration model.
The beneficial effects of the technical scheme are as follows: the system configuration and network configuration of the vulnerability simulation environment can be configured flexibly according to the characteristics and requirements of the system. Configuration information items are selected randomly and then screened against matching values and matching thresholds, which ensures the accuracy and rationality of the configuration; determining the specific system configuration and network configuration from the screened items satisfies the requirements of the vulnerability simulation environment. The resulting complete vulnerability simulation environment can be used for simulated attacks and vulnerability assessment, helping organizations or individuals understand the security of their system, formulate corresponding vulnerability repair measures and improve system security. At the same time, the preset matching thresholds and the rules and algorithms of the configuration model allow the configuration to be adjusted flexibly according to actual requirements, improving its flexibility and adaptability.
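The selection-and-screening procedure above, as an added example that is not part of the patent: the experience libraries, the matching index values attached to each candidate, the two thresholds (0.7 and 0.8, as in the worked example) and the stand-in configuration model are all constructed here.

```python
import random

# Constructed experience libraries. Each candidate parameter is stored together
# with the matching index value the procedure "acquires" for it; the numbers for
# Windows 10 (0.8) and the three-layer topology (0.9) follow the worked example.
SYSTEM_FEATURE_LIBRARY = {
    "operating system version: Windows 10": 0.8,
    "software version: Apache 2.4.29": 0.6,
}
NETWORK_DEMAND_LIBRARY = {
    "network topology: three-layer structure": 0.9,
    "firewall: allow specific port": 0.5,
}
INITIAL_MATCH_THRESHOLD = 0.7   # preset initial matching threshold (system side)
KEY_MATCH_THRESHOLD = 0.8       # preset key matching threshold (network side)


def select_parameters(library, threshold, rng):
    """Randomly draw candidates from an experience library and keep those whose
    matching index value reaches the threshold. Drawing is without replacement,
    so every candidate is examined exactly once and the loop always ends."""
    order = list(library)
    rng.shuffle(order)
    return [name for name in order if library[name] >= threshold]


def apply_configuration_model(key_params, net_params):
    """Stand-in (assumed) for the patent's preset vulnerability simulation
    environment configuration model: parses 'field: value' samples into the
    system and network parts of the environment configuration."""
    env = {"system": {}, "network": {}}
    for sample in key_params:
        field, value = sample.split(": ", 1)
        env["system"][field] = value
    for sample in net_params:
        field, value = sample.split(": ", 1)
        env["network"][field] = value
    return env


def configure_simulation_environment(system_library, network_library, seed=0):
    """Run the full procedure: random selection, threshold screening, then the
    configuration model. Raises if a library yields no parameter that passes
    its threshold, because the environment would otherwise be incomplete."""
    rng = random.Random(seed)
    key_params = select_parameters(system_library, INITIAL_MATCH_THRESHOLD, rng)
    if not key_params:
        raise ValueError("no system parameter reaches the initial matching threshold")
    net_params = select_parameters(network_library, KEY_MATCH_THRESHOLD, rng)
    if not net_params:
        raise ValueError("no network parameter reaches the key matching threshold")
    return apply_configuration_model(key_params, net_params)


if __name__ == "__main__":
    print(configure_simulation_environment(SYSTEM_FEATURE_LIBRARY, NETWORK_DEMAND_LIBRARY))
```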
In another embodiment, in a vulnerability simulation environment, a simulation attack of a known vulnerability is performed, comprising:
acquiring the current moment, and acquiring the attack reminding moment, which lies a preset first time length before the simulated attack starting time;
if the current moment reaches the attack reminding moment, generating attack reminding information corresponding to the vulnerability simulation attack based on a preset attack reminding information generation rule;
acquiring actual attack information corresponding to a second time length preset after an attacker receives the attack reminding information, wherein the actual attack information comprises: actual attack mode and actual attack time;
if the actual attack mode is one of the simulated attack modes of known vulnerabilities, namely code injection or buffer overflow, the attack execution is successful;
otherwise, obtaining attack abnormal information of the corresponding attacker;
and determining a target abnormality management strategy based on the attack abnormality information, and carrying out corresponding abnormality management.
The working principle of the technical scheme is as follows: the current moment is acquired in order to judge whether the attack reminding moment has been reached; the preset first time length before the start time of the simulated attack (a time period set in advance of the simulated attack starting time, used to calculate the attack reminding moment) is acquired and the attack reminding moment is calculated; corresponding attack reminding information is generated according to the preset attack reminding information generation rule; the preset second time length after the attacker receives the attack reminding information (a time period set after the receipt of the reminder, used to calculate the time range of the actual attack information) is acquired and the time range of the actual attack information is calculated; and the corresponding actual attack mode and actual attack time are generated according to the preset actual attack information generation rule.
Assume that the preset first time length is 1 hour and the second time length is 30 minutes; the current time is 2023-09-20:14:00:00; the simulated attack starting time is 2023-09-20:13:00, and according to the first time length the attack reminding time is 2023-09-20:14:00:00. The current moment has reached the attack reminding moment, so attack reminding information is generated according to the preset attack reminding information generation rule: "the system may be attacked by code injection, please take corresponding action immediately."
The preset second time length after the attacker receives the attack reminding information is 30 minutes, so the time range of the actual attack information is 2023-09-20:14:00:00 to 2023-09-20:14:30:00. According to the preset actual attack information generation rule the actual attack mode is generated as code injection and the actual attack time as 2023-09-20:14:15:00. Because the actual attack mode is code injection, which is one of the simulated attack modes of known vulnerabilities, the attack execution is successful.
The beneficial effects of the technical scheme are as follows: potential vulnerabilities in the system can be found in time through vulnerability simulation execution, improving the security of the system; by generating attack reminding information and actual attack information, the behaviour of an attacker can be warned of in time and corresponding protective measures adopted; and through exception management, a corresponding management strategy can be formulated according to the attack exception information, so that attack exceptions are handled promptly and loss and risk are reduced.
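The reminder timing and success check described above, as an added example that is not part of the patent. The times are constructed, the reminder is placed the first time length before the attack start as the claim states, and treating an attack outside the second-time-length window as an exception is an assumption of this example.

```python
from datetime import datetime, timedelta

# Simulated attack modes of known vulnerabilities named by the scheme.
KNOWN_VULNERABILITY_ATTACK_MODES = {"code injection", "buffer overflow"}


def reminder_moment(attack_start, first_length):
    """Attack reminding moment: the preset first time length before the
    simulated attack starting time."""
    return attack_start - first_length


def reminder_due(now, attack_start, first_length):
    """True once the current moment has reached the attack reminding moment."""
    return now >= reminder_moment(attack_start, first_length)


def generate_reminder(vulnerability_type):
    """Stand-in (assumed) for the preset attack reminding information
    generation rule; the wording follows the worked example."""
    return (f"the system may be attacked by {vulnerability_type}, "
            "please take corresponding action immediately.")


def actual_attack_window(received_at, second_length):
    """Time range of the actual attack information: from receipt of the
    reminder until the preset second time length has elapsed."""
    return received_at, received_at + second_length


def evaluate_actual_attack(actual_mode, actual_time, window):
    """Return (success, anomaly_info). Success requires a known-vulnerability
    attack mode; an attack outside the window is also reported as an
    exception (this example's assumption) so that exception management
    receives a reason it can act on."""
    start, end = window
    reasons = []
    if actual_mode not in KNOWN_VULNERABILITY_ATTACK_MODES:
        reasons.append(f"attack mode {actual_mode!r} is not a simulated "
                       "known-vulnerability attack mode")
    if not (start <= actual_time <= end):
        reasons.append("actual attack time lies outside the actual attack window")
    if reasons:
        return False, {"mode": actual_mode,
                       "time": actual_time.isoformat(sep=" "),
                       "reasons": reasons}
    return True, None


# Constructed scenario: attack starts 15:00, reminder one hour earlier,
# attacker has 30 minutes after receipt to carry out the simulated attack.
ATTACK_START = datetime(2023, 9, 20, 15, 0, 0)
FIRST_LENGTH = timedelta(hours=1)
SECOND_LENGTH = timedelta(minutes=30)


def run_scenario(now, actual_mode, actual_time):
    """Drive one simulated attack from reminder to evaluation."""
    if not reminder_due(now, ATTACK_START, FIRST_LENGTH):
        return {"reminded": False, "success": False, "anomaly": None}
    reminder = generate_reminder("code injection")
    window = actual_attack_window(now, SECOND_LENGTH)
    success, anomaly = evaluate_actual_attack(actual_mode, actual_time, window)
    return {"reminded": True, "reminder": reminder, "window": window,
            "success": success, "anomaly": anomaly}


if __name__ == "__main__":
    print(run_scenario(datetime(2023, 9, 20, 14, 0, 0), "code injection",
                       datetime(2023, 9, 20, 14, 15, 0)))
```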
In another embodiment, determining a target anomaly management policy based on attack anomaly information comprises:
extracting an abnormal characteristic value of the attack abnormal information based on a preset attack abnormal characteristic extraction template;
training a target attack anomaly management strategy determination model;
inputting the attack abnormal characteristic value into a target attack abnormal management strategy determining model to obtain a target attack abnormal management strategy output by the target attack abnormal management strategy determining model;
and carrying out corresponding abnormal management measures according to the target attack abnormal management strategy so as to ensure the safe and stable operation of the system.
The training of the target attack anomaly management strategy determination model comprises the following steps:
acquiring a plurality of historical attack anomaly management records;
determining a corresponding system managed in the history attack anomaly management record as an observation target system;
acquiring a subsequent security representation value after a preset third time length after the observation target system is managed;
if the subsequent security representation value is greater than or equal to a preset first threshold value, acquiring an attack item corresponding to the historical attack anomaly management record and a first attack anomaly management strategy;
acquiring an attack exception type of an attack item;
dividing the attack items belonging to the same attack anomaly type into the same attack anomaly group, determining a first attack anomaly management strategy corresponding to the attack anomaly group, and taking the first attack anomaly management strategy as a second attack anomaly management strategy;
Based on a preset correlation analysis model, carrying out correlation analysis on a second attack abnormal management strategy and a subsequent safety representation value of a corresponding observation target system to obtain a correlation value;
inquiring a preset related value-suitability library, and determining the suitability corresponding to the related value;
determining the second attack anomaly management strategy corresponding to the maximum suitability and taking it as the third attack anomaly management strategy of the attack anomaly type corresponding to the attack anomaly group;
and inputting a third attack anomaly management strategy corresponding to the attack anomaly type as training data into a preset neural network model for model training to obtain a trained target attack anomaly management strategy determination model.
The working principle of the technical scheme is as follows: the abnormal characteristic values of the attack abnormal information are extracted based on a preset attack abnormal characteristic extraction template (the abnormal characteristic values are values related to the attack abnormality, such as an abnormal IP address or an abnormal request frequency, extracted from data such as system logs and network traffic through the template and used to identify abnormal behaviour);
the target attack anomaly management strategy determination model is trained, using machine learning or another algorithm on known attack anomaly samples and their corresponding management strategies, so that it can determine a suitable management strategy;
the attack abnormal characteristic values are input into the target attack anomaly management strategy determination model (the trained model that determines a suitable anomaly management strategy from the input characteristic values) to obtain the target attack anomaly management strategy it outputs, such as blocking an abnormal IP address or limiting an abnormal request frequency; and the corresponding anomaly management measures are carried out according to that strategy, for example blocking the abnormal IP address or tightening access limits, so as to ensure the safe and stable operation of the system.
Assume that the abnormal characteristic values extracted with the preset attack abnormal characteristic extraction template are an abnormal IP address of 192.168.1.100 and an abnormal request frequency of 100 times per second. The target attack anomaly management strategy determination model is trained on known attack anomaly samples and their corresponding management strategies; the abnormal characteristic values are input into the model, which judges from them that the abnormal IP address needs to be blocked; and according to this target attack anomaly management strategy, the abnormal IP address is blocked so as to ensure the safe and stable operation of the system.
A plurality of historical attack anomaly management records are acquired, each containing information such as the managed system, the attack item and the management strategy; the system managed in each historical attack anomaly management record is determined as an observation target system; and the subsequent security representation value of the observation target system after the preset third time length following its management is acquired (the subsequent security representation value describes the security of the system over a period after management, for example the number of attacks or the frequency of abnormal behaviour) and used to evaluate the effect of the management strategy.
If the subsequent security representation value is greater than or equal to the preset first threshold value, the attack item and the first attack anomaly management strategy corresponding to the historical attack anomaly management record are acquired; the attack anomaly type of the attack item is obtained, attack items belonging to the same attack anomaly type are divided into the same attack anomaly group, and the first attack anomaly management strategy corresponding to the attack anomaly group is determined and taken as a second attack anomaly management strategy.
Based on a preset correlation analysis model, correlation analysis is carried out on the second attack anomaly management strategy and the subsequent security representation value of the corresponding observation target system to obtain a correlation value (correlation analysis uses a statistical method to measure the degree of association between two variables, here between the management strategy and the subsequent security representation value).
A preset correlation value-suitability library is queried to determine the suitability corresponding to the correlation value (suitability assessment evaluates, from the result of the correlation analysis, how well each management strategy fits the subsequent security representation values, in order to select the most suitable one); the second attack anomaly management strategy corresponding to the maximum suitability is taken as the third attack anomaly management strategy of the attack anomaly type corresponding to the attack anomaly group; and the third attack anomaly management strategy corresponding to each attack anomaly type is input as training data into a preset neural network model for training, yielding the trained target attack anomaly management strategy determination model.
Assume that one of the historical attack anomaly management records concerns a Web server as the observation target system, that the preset third time length after management is 1 week, and that the subsequent security representation value is an average of 10 attacks per day. The plurality of historical attack anomaly management records is acquired, one of which is the management record of the Web server; the observation target system is determined to be the Web server; the subsequent security representation value 1 week after the Web server was managed is acquired, for example the average of 10 attacks per day; if this value is greater than or equal to the preset first threshold value, the attack item and first attack anomaly management strategy of the historical record are acquired; attack items belonging to the same attack anomaly type are divided into the same attack anomaly group according to the attack anomaly type of each attack item; the first attack anomaly management strategy corresponding to the attack anomaly group is determined and taken as a second attack anomaly management strategy; based on the correlation analysis model, correlation analysis is carried out on the second attack anomaly management strategy and the subsequent security representation value to obtain a correlation value; the preset correlation value-suitability library is queried to determine the corresponding suitability; the second attack anomaly management strategy with the maximum suitability is taken as the third attack anomaly management strategy of the attack anomaly type corresponding to the attack anomaly group; and the attack anomaly type and its third attack anomaly management strategy are input as training data into the preset neural network model for training, yielding the trained target attack anomaly management strategy determination model.
The beneficial effects of the technical scheme are as follows: by extracting the abnormal characteristic values, attack anomalies in the system can be identified in time and the perception of abnormal behaviour is improved; based on the trained target attack anomaly management strategy determination model, a suitable anomaly management strategy can be determined from the abnormal characteristic values, improving the security and stability of the system; and carrying out the corresponding anomaly management measures according to the target attack anomaly management strategy effectively resists attack behaviour and ensures the normal operation of the system.
Based on the historical data and the subsequent security representation values, a suitable attack anomaly management strategy can be determined, improving the security and stability of the system; through correlation analysis and suitability evaluation, the most suitable management strategy can be selected, improving the accuracy and adaptability of the management strategy; and by training the neural network model, a suitable management strategy can be determined according to the attack anomaly type, again improving the accuracy and adaptability of the management strategy.
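The derivation of the training data (record screening, grouping by anomaly type, correlation analysis, suitability lookup) and the feature extraction from a log line, as one added example that is not part of the patent. The records, log lines, extraction template, suitability bands and first threshold are constructed; Pearson correlation between a strategy indicator and the security values stands in for the preset correlation analysis model, a higher security representation value is taken to mean a safer system, and a lookup table replaces the neural network.

```python
import math
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ManagementRecord:
    """One historical attack anomaly management record."""
    system: str
    attack_item: str
    anomaly_type: str
    strategy: str               # first attack anomaly management strategy
    subsequent_security: float  # subsequent security representation value (0..1, higher = safer; assumed)


FIRST_THRESHOLD = 0.6  # preset first threshold on the subsequent security value
# Constructed correlation value-suitability library: (minimum correlation, suitability score).
SUITABILITY_LIBRARY = [(0.8, 3), (0.4, 2), (0.0, 1)]

# Constructed attack anomaly feature extraction template for a log line.
FEATURE_TEMPLATE = re.compile(
    r"client=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) requests_per_second=(?P<rate>\d+)")


def pearson(xs, ys):
    """Correlation analysis stand-in. Returns 0.0 when either series is
    constant (e.g. a group that only ever used one strategy), which would
    otherwise divide by zero."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / math.sqrt(vx * vy)


def suitability(correlation):
    """Query the correlation value-suitability library; below every band -> 0."""
    for minimum, score in SUITABILITY_LIBRARY:
        if correlation >= minimum:
            return score
    return 0


def derive_training_data(records):
    """Return {anomaly_type: third attack anomaly management strategy}."""
    kept = [r for r in records if r.subsequent_security >= FIRST_THRESHOLD]
    groups = defaultdict(list)              # attack anomaly groups
    for r in kept:
        groups[r.anomaly_type].append(r)
    training = {}
    for anomaly_type, group in groups.items():
        values = [r.subsequent_security for r in group]
        best = None
        for candidate in sorted({r.strategy for r in group}):  # second strategies
            indicator = [1.0 if r.strategy == candidate else 0.0 for r in group]
            score = suitability(pearson(indicator, values))
            if best is None or score > best[0]:
                best = (score, candidate)
        training[anomaly_type] = best[1]    # third strategy for this type
    return training


def extract_anomaly_features(log_line):
    """Extract abnormal characteristic values with the template; None if no match."""
    m = FEATURE_TEMPLATE.search(log_line)
    if not m:
        return None
    return {"ip": m.group("ip"), "request_rate": int(m.group("rate"))}


def classify_anomaly(features, rate_limit=50):
    """Map characteristic values to an attack anomaly type (constructed rule)."""
    return "high request frequency" if features["request_rate"] >= rate_limit else "normal"


def determine_strategy(model, features):
    """Lookup-table stand-in for the trained determination model."""
    return model.get(classify_anomaly(features), "no action")


# Constructed historical records; the api gateway record fails the first threshold.
RECORDS = [
    ManagementRecord("web server", "burst 1", "high request frequency", "block ip", 0.9),
    ManagementRecord("web server", "burst 2", "high request frequency", "rate limit", 0.7),
    ManagementRecord("web server", "burst 3", "high request frequency", "block ip", 0.8),
    ManagementRecord("api gateway", "burst 4", "high request frequency", "rate limit", 0.5),
    ManagementRecord("mail server", "inj 1", "code injection", "patch", 0.95),
    ManagementRecord("mail server", "inj 2", "code injection", "patch", 0.85),
]
SAMPLE_LOG = "2023-09-20 14:15:00 client=192.168.1.100 requests_per_second=100 path=/login"

if __name__ == "__main__":
    model = derive_training_data(RECORDS)
    print(model, determine_strategy(model, extract_anomaly_features(SAMPLE_LOG)))
```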
In another embodiment, a vulnerability simulator includes:
the vulnerability information collection module is used for collecting known vulnerability information, wherein the vulnerability information comprises a vulnerability type, a vulnerability description and a vulnerability utilization mode;
The vulnerability simulation configuration module is used for configuring a vulnerability simulation environment according to the characteristics and the requirements of the system, wherein the vulnerability simulation environment comprises system configuration and network configuration;
the vulnerability simulation execution module is used for executing simulation attacks of known vulnerabilities in a vulnerability simulation environment, wherein the simulation attacks comprise code injection, buffer overflow or other known vulnerability utilization modes;
the vulnerability assessment analysis module is used for assessing the security of the system according to the vulnerability simulation result, analyzing the damage degree and possible attack path of the vulnerability and obtaining a vulnerability assessment result;
and the repair suggestion module is used for providing corresponding vulnerability repair suggestions and measures to staff according to the vulnerability assessment result.
The working principle of the technical scheme is as follows: the vulnerability information collection module establishes a vulnerability information base by collecting known vulnerability information, including vulnerability types, vulnerability descriptions and vulnerability utilization modes; the vulnerability simulation configuration module configures the vulnerability simulation environment, including system configuration and network configuration, according to the characteristics and requirements of the system so that simulated vulnerability attacks can be carried out; the vulnerability simulation execution module executes simulated attacks of known vulnerabilities in the vulnerability simulation environment, reproducing real attack behaviour with different attack modes such as code injection and buffer overflow; the vulnerability assessment analysis module assesses the security of the system according to the vulnerability simulation result, analyses the degree of harm and the possible attack paths of the vulnerability, and generates a vulnerability assessment report; and the repair suggestion module provides corresponding vulnerability repair suggestions and measures to staff according to the vulnerability assessment result, including vulnerability repair, patch updates and strengthened access control.
Providing the corresponding vulnerability repair suggestions and measures to staff comprises the following steps:
based on a preset vulnerability assessment model, carrying out result assessment on a first vulnerability item (a first vulnerability item comprises the specific characteristics and severity of a vulnerability taken from the vulnerability assessment result) to obtain an assessment result;
analyzing the evaluation result to obtain a vulnerability severity value;
if the vulnerability severity value is greater than or equal to a preset severity threshold value, the corresponding first vulnerability item is used as a second vulnerability item (a second vulnerability item is a vulnerability item determined to need repair, according to the vulnerability severity value and the preset severity threshold value);
acquiring a repair basis acquisition strategy corresponding to the second vulnerability item;
acquiring repair basis information (repair basis information: related information for repairing the vulnerability, such as patches, software version updates, access control policies, etc., acquired according to the repair basis acquisition policy) based on the repair basis acquisition policy;
based on a preset repair strategy formulation model, formulating a plurality of alternative repair strategies according to the second vulnerability item and the repair basis information (the alternative repair strategies are the several candidate repair schemes produced by the repair strategy formulation model from the second vulnerability item and the repair basis information), such as patching the vulnerability, updating the software version or enhancing access control, and associating them with the corresponding second vulnerability item;
based on a preset strategy collocation model, carrying out strategy collocation according to the vulnerability severity value corresponding to each second vulnerability item and its plurality of associated alternative repair strategies to obtain a total repair strategy;
and based on the total repair strategy, carrying out the corresponding repair of the system.
The beneficial effects of the technical scheme are as follows: known vulnerability information can be obtained in time through the vulnerability information collection module, improving awareness and understanding of system vulnerabilities; attacks on known vulnerabilities can be simulated under security control through the vulnerability simulation configuration module and the vulnerability simulation execution module, so that the security of the system is evaluated and potential security risks are found; the vulnerability assessment analysis module analyses and evaluates the vulnerabilities of the system according to the result of the simulated attack, providing a basis for repair and helping to improve system security; and the repair suggestion module provides corresponding repair suggestions and measures to staff according to the vulnerability assessment result, guiding the vulnerability repair work and improving the security and stability of the system.
In another embodiment, the vulnerability information collection module comprises:
the first vulnerability information collection sub-module is used for obtaining a preset vulnerability information source node set, wherein the vulnerability information source node set comprises a plurality of first vulnerability nodes, and a vulnerability type, a vulnerability description and a vulnerability utilization mode are extracted from each first vulnerability node;
the second vulnerability information collection sub-module is used for taking the corresponding first vulnerability node as a second vulnerability node if the matching degree between its vulnerability description and the preset vulnerability description is higher than a preset matching degree threshold;
and the third vulnerability information collection sub-module is used for acquiring at least one first vulnerability information item corresponding to the vulnerability through the second vulnerability node and integrating the first vulnerability information items to obtain complete vulnerability information, completing the collection.
The working principle of the technical scheme is as follows: the first vulnerability information collection sub-module establishes a vulnerability information base by acquiring the preset vulnerability information source node set, which comprises a plurality of first vulnerability nodes, and extracting the vulnerability type, vulnerability description and vulnerability utilization mode from each first vulnerability node; the second vulnerability information collection sub-module takes each first vulnerability node whose vulnerability description matches the preset vulnerability description with a degree higher than the preset matching degree threshold as a second vulnerability node; the third vulnerability information collection sub-module obtains, through the second vulnerability node, at least one first vulnerability information item corresponding to the vulnerability, such as the vulnerability type, vulnerability description or vulnerability utilization mode, and integrates the first vulnerability information items into complete vulnerability information comprising the vulnerability type, vulnerability description and vulnerability utilization mode, completing the collection of the vulnerability information.
The beneficial effects of the technical scheme are as follows: the first vulnerability information collection sub-module acquires the preset vulnerability information source node set, improving the efficiency and accuracy of vulnerability information collection; the second vulnerability information collection sub-module screens out the vulnerability nodes conforming to the preset vulnerability description according to the preset vulnerability description and the matching degree threshold, improving the accuracy of the vulnerability information; the third vulnerability information collection sub-module obtains at least one first vulnerability information item corresponding to the vulnerability through the second vulnerability node and integrates the items into complete vulnerability information, providing basic data for subsequent vulnerability simulation and assessment; and the integrated vulnerability information can be used in subsequent vulnerability simulation and assessment to find potential security risks in the system, improving the security and stability of the system.
In another embodiment, configuring the vulnerability simulation environment according to the characteristics and requirements of the system comprises:
acquiring a preset system characteristic experience library, and randomly selecting initial configuration parameters from the system characteristic experience library;
acquiring the initial matching index value corresponding to each initial configuration parameter, and taking the initial configuration parameter as a key configuration parameter if its initial matching index value is greater than or equal to a preset initial matching threshold value;
acquiring a preset network demand experience library, and randomly selecting network configuration parameters from the network demand experience library;
acquiring the key matching index value corresponding to the key configuration parameter, and taking the corresponding network configuration parameter as an optimized network configuration parameter if the key matching index value is greater than or equal to a preset key matching threshold value;
determining the system configuration, namely the operating system version and the software version, based on the key configuration parameters;
determining the network configuration, namely the network topology and the firewall settings, based on the optimized network configuration parameters;
and taking all the key configuration parameters and the optimized network configuration parameters as configuration samples, and inputting the configuration samples into a preset vulnerability simulation environment configuration model for environment configuration, so as to obtain a complete vulnerability simulation environment.
The working principle of this technical scheme is as follows. System configuration (operating system version, software version) of the vulnerability simulation environment: a preset system characteristic experience library is acquired, which holds the characteristics and requirements of the system, and initial configuration parameters are randomly selected from it, each initial configuration parameter representing one characteristic or requirement of the system; the initial matching index value corresponding to each initial configuration parameter is acquired, this value representing how well the initial configuration parameter matches the actual system; if the initial matching index value is greater than or equal to the preset initial matching threshold value, the corresponding initial configuration parameter is taken as a key configuration parameter; the system configuration, such as the operating system version and the software version, is then determined from the key configuration parameters.
Network configuration (network topology, firewall settings) of the vulnerability simulation environment: a preset network demand experience library is acquired, which holds the network demands and configuration requirements, and network configuration parameters are randomly selected from it, each network configuration parameter representing one demand or configuration requirement of the network; the key matching index value corresponding to the key configuration parameter is acquired, this value representing how well the key configuration parameter matches the actual network; if the key matching index value is greater than or equal to the preset key matching threshold value, the corresponding network configuration parameter is taken as an optimized network configuration parameter; the network configuration, such as the network topology and the firewall settings, is then determined from the optimized network configuration parameters.
Configuration of the vulnerability simulation environment: all the key configuration parameters and the optimized network configuration parameters are taken as configuration samples and input into a preset vulnerability simulation environment configuration model, which completes the configuration of the vulnerability simulation environment, including the system configuration and the network configuration, according to its rules and algorithms; the result is a complete vulnerability simulation environment for the subsequent simulation attacks and vulnerability assessment.
The beneficial effects of this technical scheme are as follows: the system configuration and the network configuration of the vulnerability simulation environment can be configured flexibly according to the characteristics and requirements of the system; the configuration information items are selected randomly and then screened against the matching values and matching threshold values, which ensures the accuracy and rationality of the configuration; determining the specific system configuration and network configuration from the screened configuration information items satisfies the requirements of the vulnerability simulation environment; the resulting complete vulnerability simulation environment can be used for simulation attacks and vulnerability assessment, helping an organization or individual to understand the security of the system, to formulate corresponding vulnerability repair measures and to improve the security of the system; and because the matching threshold values and the configuration model are preset rules and algorithms, the configuration can be adjusted flexibly according to actual requirements, which improves the flexibility and adaptability of the configuration.
In another embodiment, executing a simulation attack of a known vulnerability in the vulnerability simulation environment comprises:
acquiring the current moment and, at the same time, the attack reminding moment, which lies a preset first time length before the start time of the simulated attack;
if the current moment reaches the attack reminding moment, generating attack reminding information corresponding to the vulnerability simulation attack based on a preset attack reminding information generation rule;
acquiring the actual attack information corresponding to a preset second time length after the attacker receives the attack reminding information, wherein the actual attack information comprises the actual attack mode and the actual attack time;
if the actual attack mode comprises the simulation attack mode of the known vulnerabilities of code injection and buffer overflow, the attack execution is successful;
otherwise, obtaining the attack anomaly information of the corresponding attacker;
and determining a target anomaly management strategy based on the attack anomaly information, and carrying out the corresponding anomaly management.
The working principle of this technical scheme is as follows: the current moment is acquired in order to judge whether the attack reminding moment has been reached; the preset first time length before the start time of the simulated attack is acquired (the first time length is a preset period before the start time of the simulated attack, used to calculate the attack reminding moment) and the attack reminding moment is calculated from it; the corresponding attack reminding information is generated according to the preset attack reminding information generation rule; the preset second time length after the attacker receives the attack reminding information is acquired (the second time length is a preset period after the attacker receives the attack reminding information, used to calculate the time range of the actual attack information) and the time range of the actual attack information is calculated from it; and the corresponding actual attack mode and actual attack time are generated according to a preset actual attack information generation rule.
The beneficial effects of this technical scheme are as follows: executing the vulnerability simulation finds potential vulnerabilities in the system in time and improves the security of the system; generating the attack reminding information and the actual attack information gives timely warning of the attacker's behaviour so that corresponding protective measures can be taken; and through anomaly management, a corresponding management strategy is formulated according to the attack anomaly information, attack anomalies are handled in time, and loss and risk are reduced.
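The reminder timing and the success/anomaly decision of the execution steps above, as an added example that is not code from the patent: the start time, the two time lengths and the reminder generation rule are constructed, and the "actual attack information" is taken to be a report submitted by the person running the simulation after the reminder, of which only the declared mode and time are checked; nothing is executed against any system.

```python
"""Attack reminder scheduling and classification of the reported attack.

Added example for the execution steps of the embodiment; not code from
the patent. Start time, time lengths and the reminder rule are
constructed; the actual attack information is a submitted report whose
declared mode and time are checked, nothing more.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Simulation attack modes of known vulnerabilities that the text names as valid.
KNOWN_MODES = {"code injection", "buffer overflow"}


@dataclass
class SimulationSchedule:
    start: datetime           # start time of the simulated attack
    first_length: timedelta   # preset first time length before the start
    second_length: timedelta  # preset second time length after the reminder is received

    @property
    def reminder_time(self):
        """Attack reminding moment = start time minus the first time length."""
        return self.start - self.first_length

    def reminder_message(self, vuln_id):
        """Constructed attack reminding information generation rule."""
        return f"[reminder] simulated attack on {vuln_id} starts at {self.start.isoformat()}"


def make_schedule(start_iso, first_minutes, second_minutes):
    """Build a schedule from an ISO start time and the two lengths in minutes."""
    return SimulationSchedule(datetime.fromisoformat(start_iso),
                              timedelta(minutes=first_minutes),
                              timedelta(minutes=second_minutes))


def reminder_due(schedule, now_iso):
    """True once the current moment has reached the attack reminding moment."""
    return datetime.fromisoformat(now_iso) >= schedule.reminder_time


def evaluate_report(schedule, received_iso, mode, time_iso):
    """Classify the actual attack information.

    Returns ("success", None) when the declared mode is a known-vulnerability
    simulation mode and the declared time falls within the second time length
    after the reminder was received; otherwise ("anomaly", attack anomaly info).
    """
    received_at = datetime.fromisoformat(received_iso)
    report_time = datetime.fromisoformat(time_iso)
    window_end = received_at + schedule.second_length
    if not (received_at <= report_time <= window_end):
        return "anomaly", {"reason": "attack time outside the second time length",
                           "mode": mode, "time": time_iso}
    if mode in KNOWN_MODES:
        return "success", None
    return "anomaly", {"reason": "mode is not a known-vulnerability simulation mode",
                       "mode": mode, "time": time_iso}


if __name__ == "__main__":
    s = make_schedule("2024-01-01T10:00:00", 30, 120)
    if reminder_due(s, "2024-01-01T09:30:00"):
        print(s.reminder_message("V-001"))
    print(evaluate_report(s, "2024-01-01T09:31:00", "buffer overflow", "2024-01-01T10:05:00"))
```

The anomaly information returned on the failure branch is the input the next embodiment (anomaly management strategy determination) consumes; the two failure reasons, wrong mode and late report, are kept separate so that the downstream strategy can distinguish them.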
In another embodiment, determining the target anomaly management strategy based on the attack anomaly information comprises:
extracting the anomaly characteristic values of the attack anomaly information based on a preset attack anomaly characteristic extraction template;
training a target attack anomaly management strategy determination model;
inputting the anomaly characteristic values into the target attack anomaly management strategy determination model to obtain the target attack anomaly management strategy output by the model;
and carrying out the corresponding anomaly management measures according to the target attack anomaly management strategy, so as to ensure the safe and stable operation of the system.
The working principle of this technical scheme is as follows: the anomaly characteristic values of the attack anomaly information are extracted based on a preset attack anomaly characteristic extraction template (the anomaly characteristic values are the characteristic values related to the attack anomaly that the template extracts from data such as system logs and network traffic, for example an abnormal IP address or an abnormal request frequency, and they are used to identify the abnormal behaviour);
the target attack anomaly management strategy determination model is trained, using machine learning or other algorithms, on known attack anomaly samples and their corresponding management strategies, so that it learns to determine a suitable management strategy;
the anomaly characteristic values are input into the target attack anomaly management strategy determination model (the trained model that determines a suitable anomaly management strategy from the input anomaly characteristic values) to obtain the target attack anomaly management strategy it outputs, for example blocking the abnormal IP address or limiting the abnormal request frequency; and the corresponding anomaly management measures are carried out according to the target attack anomaly management strategy, handling the abnormal behaviour as the model's output prescribes, such as blocking the abnormal IP address or tightening access limits, so as to ensure the safe and stable operation of the system.
The beneficial effects of this technical scheme are as follows: extracting the anomaly characteristic values identifies attack anomalies in the system in time and improves the perception of abnormal behaviour; the trained target attack anomaly management strategy determination model determines a suitable anomaly management strategy from the anomaly characteristic values, which improves the security and stability of the system; and carrying out the corresponding anomaly management measures according to the target attack anomaly management strategy effectively resists the attack behaviour and ensures the normal operation of the system.
Based on the historical data and the subsequent security representation values, a suitable attack anomaly management strategy can be determined, improving the security and stability of the system; through correlation analysis and suitability evaluation, the most suitable management strategy can be selected, improving the accuracy and adaptability of the management strategy; and by training the neural network model, a suitable management strategy can be determined according to the attack anomaly type, again improving the accuracy and adaptability of the management strategy.
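The anomaly-management steps of the embodiment above (characteristic extraction from logs, strategy determination, management measure), as an added example that is not code from the patent: the access log lines are constructed, the extraction template is fixed to the two characteristic values the text names (request frequency and, per source IP, the share of failed requests), and the trained strategy determination model is replaced by a threshold rule, which is an assumption standing in for whatever model an implementation would train.

```python
"""Extracting attack-anomaly characteristic values and choosing a management strategy.

Added example for the anomaly-management embodiment; not code from the
patent. The log lines are constructed; the characteristic extraction
template is fixed to per-IP request rate and failed-request ratio; the
trained strategy model is replaced by a threshold rule (an assumption).
"""
import re
from collections import defaultdict
from datetime import datetime

# Template for one constructed access-log line: "<source ip> <ISO time> <HTTP status>".
LOG_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<ts>\S+) (?P<status>\d{3})$")

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 2024-01-01T10:00:00 200
203.0.113.5 2024-01-01T10:00:05 200
198.51.100.9 2024-01-01T10:00:01 401
198.51.100.9 2024-01-01T10:00:01 401
198.51.100.9 2024-01-01T10:00:02 401
198.51.100.9 2024-01-01T10:00:02 401
198.51.100.9 2024-01-01T10:00:03 401
198.51.100.9 2024-01-01T10:00:03 200
192.0.2.77 2024-01-01T10:00:04 500
192.0.2.77 2024-01-01T10:00:04 200
192.0.2.77 2024-01-01T10:00:05 200
192.0.2.77 2024-01-01T10:00:06 200
192.0.2.77 2024-01-01T10:00:06 200
"""


def extract_features(log_text):
    """Characteristic extraction: per source IP, requests per second and 4xx/5xx ratio."""
    first, last = {}, {}
    count, failed = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # lines that do not fit the template carry no characteristic value
        ip = m.group("ip")
        ts = datetime.fromisoformat(m.group("ts"))
        first.setdefault(ip, ts)
        last[ip] = ts
        count[ip] += 1
        if m.group("status")[0] in "45":
            failed[ip] += 1
    features = {}
    for ip in count:
        # Span is floored at one second so a burst within one second still yields a rate.
        span = max((last[ip] - first[ip]).total_seconds(), 1.0)
        features[ip] = {"rate": count[ip] / span, "fail_ratio": failed[ip] / count[ip]}
    return features


def determine_strategy(feature, block_rate=2.0, block_fail=0.5, limit_rate=1.0):
    """Threshold rule standing in for the trained strategy determination model (assumption).

    A high request rate combined with mostly failed requests maps to blocking the
    IP address; a high rate alone maps to limiting the request frequency.
    """
    if feature["rate"] >= block_rate and feature["fail_ratio"] >= block_fail:
        return "block_ip"
    if feature["rate"] >= limit_rate:
        return "rate_limit"
    return "allow"


def manage(log_text):
    """Run extraction and strategy determination; returns the measure chosen per IP."""
    return {ip: determine_strategy(f) for ip, f in extract_features(log_text).items()}


if __name__ == "__main__":
    for ip, measure in manage(SAMPLE_LOG).items():
        print(ip, measure)
```

On the constructed log, 198.51.100.9 sends six requests in two seconds with five failures and is blocked, 192.0.2.77 is fast but mostly successful and is only rate-limited, and 203.0.113.5 is left alone; the thresholds are the part an operator would replace with a trained model or tune against their own baseline.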
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (10)

1. A vulnerability simulation method, characterized by comprising the following steps:
S101: collecting known vulnerability information, wherein the vulnerability information comprises the vulnerability type, the vulnerability description and the vulnerability utilization mode;
S102: configuring a vulnerability simulation environment according to the characteristics and requirements of the system, wherein the vulnerability simulation environment comprises a system configuration and a network configuration;
S103: executing, in the vulnerability simulation environment, simulation attacks of the known vulnerabilities, wherein the simulation attacks comprise code injection, buffer overflow or other known vulnerability utilization modes;
S104: evaluating the security of the system according to the result of the vulnerability simulation, analyzing the hazard degree of the vulnerabilities and the possible attack paths, and obtaining a vulnerability evaluation result;
S105: and providing corresponding vulnerability repair suggestions and measures to the staff according to the vulnerability evaluation result.
2. The vulnerability simulation method of claim 1, wherein step S101 comprises:
S1011: obtaining a preset vulnerability information source node set, wherein the vulnerability information source node set comprises a plurality of first vulnerability nodes, and the vulnerability type, the vulnerability description and the vulnerability utilization mode are extracted from the first vulnerability nodes;
S1012: if the matching degree between the vulnerability description and a preset vulnerability description is higher than a preset matching degree threshold, taking the corresponding first vulnerability node as a second vulnerability node;
S1013: and acquiring at least one first vulnerability information item corresponding to the vulnerability through the second vulnerability node, and integrating the first vulnerability information items to obtain the complete vulnerability information, completing the collection.
3. The vulnerability simulation method of claim 1, wherein configuring the vulnerability simulation environment according to the characteristics and requirements of the system comprises:
acquiring a preset system characteristic experience library, and randomly selecting initial configuration parameters from the system characteristic experience library;
acquiring the initial matching index value corresponding to each initial configuration parameter, and taking the initial configuration parameter as a key configuration parameter if its initial matching index value is greater than or equal to a preset initial matching threshold value;
acquiring a preset network demand experience library, and randomly selecting network configuration parameters from the network demand experience library;
acquiring the key matching index value corresponding to the key configuration parameter, and taking the corresponding network configuration parameter as an optimized network configuration parameter if the key matching index value is greater than or equal to a preset key matching threshold value;
determining the system configuration, namely the operating system version and the software version, based on the key configuration parameters;
determining the network configuration, namely the network topology and the firewall settings, based on the optimized network configuration parameters;
and taking all the key configuration parameters and the optimized network configuration parameters as configuration samples, and inputting the configuration samples into a preset vulnerability simulation environment configuration model for environment configuration, so as to obtain a complete vulnerability simulation environment.
4. The vulnerability simulation method of claim 1, wherein executing a simulation attack of a known vulnerability in the vulnerability simulation environment comprises:
acquiring the current moment and, at the same time, the attack reminding moment, which lies a preset first time length before the start time of the simulated attack;
if the current moment reaches the attack reminding moment, generating attack reminding information corresponding to the vulnerability simulation attack based on a preset attack reminding information generation rule;
acquiring the actual attack information corresponding to a preset second time length after the attacker receives the attack reminding information, wherein the actual attack information comprises the actual attack mode and the actual attack time;
if the actual attack mode comprises the simulation attack mode of the known vulnerabilities of code injection and buffer overflow, the attack execution is successful;
otherwise, obtaining the attack anomaly information of the corresponding attacker;
and determining a target anomaly management strategy based on the attack anomaly information, and carrying out the corresponding anomaly management.
5. The vulnerability simulation method of claim 4, wherein determining the target anomaly management strategy based on the attack anomaly information comprises:
extracting the anomaly characteristic values of the attack anomaly information based on a preset attack anomaly characteristic extraction template;
training a target attack anomaly management strategy determination model;
inputting the anomaly characteristic values into the target attack anomaly management strategy determination model to obtain the target attack anomaly management strategy output by the model;
and carrying out the corresponding anomaly management measures according to the target attack anomaly management strategy, so as to ensure the safe and stable operation of the system.
6. A vulnerability simulation device, characterized by comprising:
a vulnerability information collection module, used for collecting known vulnerability information, wherein the vulnerability information comprises the vulnerability type, the vulnerability description and the vulnerability utilization mode;
a vulnerability simulation configuration module, used for configuring a vulnerability simulation environment according to the characteristics and requirements of the system, wherein the vulnerability simulation environment comprises a system configuration and a network configuration;
a vulnerability simulation execution module, used for executing simulation attacks of the known vulnerabilities in the vulnerability simulation environment, wherein the simulation attacks comprise code injection, buffer overflow or other known vulnerability utilization modes;
a vulnerability assessment analysis module, used for assessing the security of the system according to the vulnerability simulation result, analyzing the hazard degree of the vulnerabilities and the possible attack paths, and obtaining a vulnerability assessment result;
and a repair suggestion module, used for providing corresponding vulnerability repair suggestions and measures to the staff according to the vulnerability assessment result.
7. The vulnerability simulation device of claim 6, wherein the vulnerability information collection module comprises:
a first vulnerability information collection sub-module, used for obtaining a preset vulnerability information source node set, wherein the vulnerability information source node set comprises a plurality of first vulnerability nodes, and the vulnerability type, the vulnerability description and the vulnerability utilization mode are extracted from the first vulnerability nodes;
a second vulnerability information collection sub-module, used for taking the corresponding first vulnerability node as a second vulnerability node if the matching degree between the vulnerability description and a preset vulnerability description is higher than a preset matching degree threshold;
and a third vulnerability information collection sub-module, used for acquiring at least one first vulnerability information item corresponding to the vulnerability through the second vulnerability node, and integrating the first vulnerability information items to obtain the complete vulnerability information, completing the collection.
8. The vulnerability simulation device of claim 6, wherein configuring the vulnerability simulation environment according to the characteristics and requirements of the system comprises:
acquiring a preset system characteristic experience library, and randomly selecting initial configuration parameters from the system characteristic experience library;
acquiring the initial matching index value corresponding to each initial configuration parameter, and taking the initial configuration parameter as a key configuration parameter if its initial matching index value is greater than or equal to a preset initial matching threshold value;
acquiring a preset network demand experience library, and randomly selecting network configuration parameters from the network demand experience library;
acquiring the key matching index value corresponding to the key configuration parameter, and taking the corresponding network configuration parameter as an optimized network configuration parameter if the key matching index value is greater than or equal to a preset key matching threshold value;
determining the system configuration, namely the operating system version and the software version, based on the key configuration parameters;
determining the network configuration, namely the network topology and the firewall settings, based on the optimized network configuration parameters;
and taking all the key configuration parameters and the optimized network configuration parameters as configuration samples, and inputting the configuration samples into a preset vulnerability simulation environment configuration model for environment configuration, so as to obtain a complete vulnerability simulation environment.
9. The vulnerability simulation device of claim 6, wherein executing a simulation attack of a known vulnerability in the vulnerability simulation environment comprises:
acquiring the current moment and, at the same time, the attack reminding moment, which lies a preset first time length before the start time of the simulated attack;
if the current moment reaches the attack reminding moment, generating attack reminding information corresponding to the vulnerability simulation attack based on a preset attack reminding information generation rule;
acquiring the actual attack information corresponding to a preset second time length after the attacker receives the attack reminding information, wherein the actual attack information comprises the actual attack mode and the actual attack time;
if the actual attack mode comprises the simulation attack mode of the known vulnerabilities of code injection and buffer overflow, the attack execution is successful;
otherwise, obtaining the attack anomaly information of the corresponding attacker;
and determining a target anomaly management strategy based on the attack anomaly information, and carrying out the corresponding anomaly management.
10. The vulnerability simulation device of claim 9, wherein determining the target anomaly management strategy based on the attack anomaly information comprises:
extracting the anomaly characteristic values of the attack anomaly information based on a preset attack anomaly characteristic extraction template;
training a target attack anomaly management strategy determination model;
inputting the anomaly characteristic values into the target attack anomaly management strategy determination model to obtain the target attack anomaly management strategy output by the model;
and carrying out the corresponding anomaly management measures according to the target attack anomaly management strategy, so as to ensure the safe and stable operation of the system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311643712.0A CN117610018B (en) 2023-12-01 2023-12-01 Vulnerability simulation method and device

Publications (2)

Publication Number Publication Date
CN117610018A true CN117610018A (en) 2024-02-27
CN117610018B CN117610018B (en) 2024-06-25

Family

ID=89954518

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150074810A1 (en) * 2013-09-11 2015-03-12 NSS Labs, Inc. Malware and exploit campaign detection system and method
CN106888211A (en) * 2017-03-10 2017-06-23 北京安赛创想科技有限公司 The detection method and device of a kind of network attack
CN106888210A (en) * 2017-03-10 2017-06-23 北京安赛创想科技有限公司 The alarming method for power and device of a kind of network attack
CN111741023A (en) * 2020-08-03 2020-10-02 中国人民解放军国防科技大学 Attack studying and judging method, system and medium for network attack and defense test platform
CN112311780A (en) * 2020-10-23 2021-02-02 国网吉林省电力有限公司电力科学研究院 Method for generating multi-dimensional attack path and attack graph
CN113672929A (en) * 2020-05-14 2021-11-19 阿波罗智联(北京)科技有限公司 Vulnerability characteristic obtaining method and device and electronic equipment
CA3154249A1 (en) * 2021-04-08 2022-10-08 Nozomi Networks Sagl Method for automatic derivation of attack paths in a network
CN115457449A (en) * 2022-11-11 2022-12-09 深圳市马博士网络科技有限公司 Early warning system based on AI video analysis and monitoring security protection
CN116074052A (en) * 2022-12-23 2023-05-05 奇安信网神信息技术(北京)股份有限公司 Vulnerability simulation method and device
CN116318983A (en) * 2023-03-10 2023-06-23 北京奇艺世纪科技有限公司 Network attack simulation method, system, electronic equipment and readable storage medium
CN116846619A (en) * 2023-06-25 2023-10-03 零束科技有限公司 Automatic network security risk assessment method, system and readable storage medium
CN117040871A (en) * 2023-08-18 2023-11-10 广州唐邦信息科技有限公司 Network security operation service method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
沈国良: "Simulation of vulnerability defense control for network system resource data" (网络系统资源数据的脆弱性漏洞防御控制仿真), 计算机仿真 (Computer Simulation), no. 04, 15 April 2020 (2020-04-15), pages 313-316 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant