CN117676586A - Knowledge graph construction system, method and equipment for enemy model through 5GC penetration test - Google Patents
- Publication number: CN117676586A (application CN202311641156.3A)
- Authority: CN (China)
- Prior art keywords: attack, model, network, penetration test, knowledge graph
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04W12/12: Detection or prevention of fraud (H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity; H04W Wireless communication networks; H04 Electric communication technique; H Electricity)
- H04L63/1416: Event detection, e.g. attack signature detection (H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic; H04L63/00 Network architectures or network communication protocols for network security; H04L Transmission of digital information, e.g. telegraphic communication; H04 Electric communication technique; H Electricity)
- H04W12/121: Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS] (H04W12/12 Detection or prevention of fraud; H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity; H04W Wireless communication networks; H04 Electric communication technique; H Electricity)
- Y02D30/70: Reducing energy consumption in wireless communication networks (Y02D30/00 Reducing energy consumption in communication networks; Y02D Climate change mitigation technologies in information and communication technologies [ICT], i.e. ICT aiming at the reduction of their own energy use; Y02 Technologies or applications for mitigation or adaptation against climate change; Y General tagging of new technological developments, of cross-sectional technologies spanning over several sections of the IPC, and of technical subjects covered by former USPC cross-reference art collections [XRACs] and digests)
Abstract
The invention discloses a system, method and device for constructing a knowledge graph of a 5GC penetration test adversary model, and belongs to the technical field of 5G network security. The method comprises the following steps: defining an adversary model for 5GC penetration testing, the adversary model comprising an attack decision sub-model and an attack transition sub-model; constructing the adversary model as a knowledge graph using a modeling language and an integrated modeling environment, the knowledge graph comprising an entity ontology, an operation ontology and a situation ontology; and taking an initial attack planning model as input, invoking and running an inference engine to automatically generate a composite attack model, thereby realizing inference from atomic attacks to composite attacks and penetration test modeling and analysis for key network elements in the 5GC. The invention can generate a systematic and formalized 5GC penetration test method together with the corresponding simulation platform structure.
Description
Technical Field
The invention belongs to the technical field of 5G network security, and particularly relates to a knowledge graph construction system, method and equipment for a 5GC penetration test adversary model.
Background
The current 5G security requirements defined by 3GPP, the international standards organization, mainly apply to three application scenarios: enhanced mobile broadband (eMBB), massive machine type communication (mMTC) and ultra-reliable low-latency communication (uRLLC). In addition to carrying traditional voice and data traffic, many vertical industry applications, such as the Internet of Things, the Internet of Vehicles, remote data services, virtual reality and augmented reality, will also be implemented over 5G networks and become widespread. To increase the flexibility and efficiency of the system and reduce cost, 5G network architectures introduce new IT technologies such as virtualization, Software Defined Networking (SDN) and Network Function Virtualization (NFV). In conventional communication networks, protection of the functional network elements in the system depends largely on the security isolation of physical devices.
However, with the adoption of SDN and NFV, some functional network elements are deployed on a cloud infrastructure as virtual network elements, and the security requirements of a 5G network system then face a greater challenge. By decoupling the control plane and data plane of devices, SDN and NFV create favourable conditions for a new kind of device trust relationship built on general-purpose IT hardware platforms from multiple vendors, but they also bring several security problems. First, the security boundary and assurance model of the traditional closed management mode change profoundly, and the security trustworthiness of the cloud platform is challenged by the openness of services, user definition and the visualized application of resources. Second, sharing of computing, storage and network resources introduces the problems of virtual machine security, virtualization software security and data security. Finally, deployment is centralized, and general-purpose hardware allows viruses to spread rapidly within a centralized deployment area, so hardware vulnerabilities are easier for attackers to discover and exploit. It is therefore necessary to analyze the 5G network structure and its security requirements, and to explore a method for realizing endogenous security in the 5G architecture.
At present, conventional security testing of the 5GC system still uses the detection methods of conventional communication networks, treating each network element in the 5GC as an ordinary network node for security detection. However, with the softwarization of network elements, the standardization of messages and the virtualization of equipment, attacks on communication networks increasingly converge with attacks on the conventional Internet: attacks on network elements become systematic, dispersed and randomized. Under these conditions, conventional security detection for communication networks is increasingly unable to meet defensive requirements, in particular for the core network, in which all messages run over the bearer network.
In contrast, Internet security protection today mainly relies on penetration testing. Penetration testing, also known as pen testing, is the practice of testing computer systems, networks or web applications to discover security vulnerabilities that an attacker could exploit. It may be automated with software or performed manually. In either case, the process includes collecting information about the target before testing, identifying possible entry points, attempting to intrude (virtually or for real) and reporting the results.
The National Cyber Security Centre describes penetration testing as "a method for obtaining assurance in the security of an IT system by attempting to breach some or all of its security, using the same tools and techniques as an adversary." The goal of a penetration test varies with the type of activity approved for a given engagement, the primary goal being to discover vulnerabilities that an attacker could exploit and to report them to the customer together with proposed mitigation strategies. Penetration testing is a defensive measure against vulnerabilities, i.e. defects in a system that may expose it to security threats. Vulnerability scanning is a detective control that suggests ways to improve security procedures and ensure known defects do not recur, while penetration testing is a preventive control that gives an overall view of the system's existing security layers. Currently, penetration tests are mainly conducted against web systems and against hosts/servers. The scenarios include cross-site scripting (XSS), SQL injection, broken authentication and session management, file upload flaws, caching server attacks, security misconfiguration, cross-site request forgery, password cracking, and the like.
A 5G communication network, and especially its core network, runs over the bearer network and uses Internet communication protocols (HTTPS/SCTP/TCP/IP) for message transmission, so it is vulnerable to the same kinds of attacks that penetration testing simulates on a conventional Internet structure. However, because different network elements in the core network have different roles and weights, the severity of the effect produced when they are attacked and compromised also differs, which Internet-oriented penetration testing cannot express. It is therefore necessary to analyze the characteristics and limitations of existing penetration test technology and to propose a formalized penetration test method for the 5G core network (5GC).
According to the multi-level requirements the industry currently places on 5G security capability, that capability faces various tests, of which the following two aspects stand out:
1. in terms of management security, the domain model and trustworthiness requirements of 5G security must be designed;
2. in terms of protocol security and device security, the existing protocol security techniques and the logical security of protocols must be verified in 5G networks.
At present, both industry and the research community have put forward the definition of "endogenous security" for 5G security requirements, and various design schemes exist for realizing it. But realizing endogenous security requires analyzing the internal architecture of the 5GC communication system in order to derive an effective defence strategy; this is common ground among the schemes.
1. Application of existing internet penetration test
In terms of penetration testing, Chinese patent application 202210091327.9 proposes an automatic penetration testing method and system based on a cyber range. The method comprises: acquiring the operation configuration information of the service under test, classifying it with an identification decision tree, sending the operation configuration information of each category to the corresponding vulnerability mining module according to the classification result, mining potential vulnerabilities and constructing a basic range; constructing a test scheme from the mined potential vulnerabilities and the acquired operation configuration information; and executing the test scheme and judging whether the test passes. The "basic range" is the environment under test generated from the operation configuration information, and the "identification decision tree" is a tool for classifying the operation configuration information of the service under test. Through automatic vulnerability mining and cyber range technology, that invention saves the time spent repeatedly mining the same vulnerabilities, and multiple groups of tests in different environments can run in parallel, uninterrupted and over long periods, so security problems can be found quickly. Its system is directed at network services under test, and the penetration test target is constructed by analyzing service configuration information, file paths, middleware and so on.
However, that invention regards all services as uniform interfaces and uniformly configured entities; the specific features and distinct functions of the services, and the internal links between them, are not considered before the penetration test is executed. This is insufficient for a software system that runs as a set of services, and especially for a 5G core network system, whose network elements all stand in logical relations to one another, expose their functions externally as services, and communicate with each other over HTTPS/TLS/SCTP/IP, so that a penetration attack on one network element's services can cause a chain reaction. Accordingly, a penetration test that automates vulnerability discovery on the target also needs its design and results to conform to the logical relationships between network elements and between protocols.
Chinese patent application 202210495634.3 proposes an API penetration test method, system, electronic device and storage medium. That invention is designed for the data stability and security of task planning software, and addresses the problem that general test methods cannot meet the requirement of guaranteeing that such software prevents data leakage or loss with serious consequences. It comprises the following steps:
1) acquiring the organized business logic data;
2) acquiring the organized interface document data;
3) checking for and acquiring logic vulnerabilities in the business logic according to the business logic data;
4) checking for and acquiring interface vulnerabilities in the interface document according to the interface document data;
5) performing a penetration test according to the acquired logic vulnerabilities and interface vulnerabilities.
Here the business logic data and interface document data are custom data defined in that invention. Logic vulnerabilities are judged by executing the business logic under extreme conditions with many rounds of data: if the data remain stable and error-free after repeated execution, the business logic is considered to have no logic vulnerability. Interface vulnerabilities are judged by sending several groups of data through the interfaces and checking for data leakage or loss during transmission: if no data is leaked or lost after multiple transmissions, the interface is considered to have no interface vulnerability. Session attacks at different layers are then carried out according to the logic and interface vulnerabilities found, it is determined whether timeouts are set for them, and if not, a penetration test is carried out.
The main defect of this method is that, for the business flow of the task software under test, only vulnerability inspection of the logic flow and data inspection of interface transmission are carried out, by manual analysis, and the penetration test then follows the inspection result. The inspection lacks systematic and formal analysis, so the penetration test may suffer from incomplete vulnerability discovery, incomplete testing, or repeated and redundant testing.
From this analysis it can be seen that, given the softwarization of network elements, the virtualization of equipment and the centralized control that characterize the 5GC system, formalized modeling and verification methods are needed to achieve coverage in system penetration testing and to keep pace with the continuous evolution of the 5GC system. At the same time, the chosen formal method must simulate the actual operating logic of the current 5GC system, including data flow and control flow, as closely as possible, so as to meet real 5GC security requirements and the corresponding penetration test design. Which formal method to choose for this goal is itself a question to be analyzed.
In the field of network security testing, Chinese patent application 202210461327.3 discloses a method for generating network security tests based on a knowledge graph: an interrelated ontology framework of an asset model, a vulnerability model and an attack technique model for the security test domain is designed; network security historical data is then extracted and a network security test knowledge graph is built in a graph database; finally, network security tests are generated from the knowledge graph. The method targets generic "network assets" and available "vulnerabilities", constructs the framework with an ontology method, builds a knowledge graph for penetration testing by matching rules over entities and relations, and derives a penetration test scheme from that knowledge graph.
The problem with this approach is that, although formal modeling and analysis are applied to network assets, the aim is a set of penetration test frameworks and methods for general-purpose network assets. No analysis is done for a particular class of system under test: in that method all attacked nodes are equivalent, and so are the losses incurred after an attack. In the 5GC system, however, the different network elements and their different services have unique functions, the damage caused when the vulnerability in each type of service is attacked is not equivalent, and the vulnerabilities carry different weights in 5GC operation. The method does not address these features by giving the ontology-based penetration test framework distinct semantics, and therefore cannot reflect the actual needs of 5GC penetration testing.
Disclosure of Invention
Given the lack of a systematic and formalized penetration test method and equipment for the 5GC, the invention provides a knowledge graph construction system, method and device for a 5GC penetration test adversary model. It adopts an ontology model as the means of constructing the knowledge graph, takes the widely used Open5GS + UERANSIM system as the 5G system under analysis, takes the Kali Linux system most commonly used in the Internet field as the attack system that executes the penetration test, and uses a tailored adversary model as the tool for analyzing the interaction of the two systems, so as to complete the generation of a systematic and formalized 5GC penetration test method and the corresponding equipment design.
Specifically, in one aspect the invention provides a knowledge graph construction system for a 5GC penetration test adversary model, used to construct that knowledge graph and characterized by comprising an interconnected distributed 5GC simulation software system, a UERANSIM system and an attacker simulation system;
the distributed 5GC simulation software system consists of distributed 5G core network simulation network elements; each simulates the function of a 5G core network element and provides a group of operation interfaces externally, each operation interface corresponding to a configuration item operated in the background, i.e. one function of the network element, and one group of configuration items forms one distributed 5G core network simulation network element;
the UERANSIM system comprises a terminal simulator and an access network simulator, which respectively simulate the operation flow of the terminal and of the access network during 5G data communication;
the attacker simulation system acts as the attacker in the 5GC penetration test and comprises a group of attack subsystems of different types; each attack subsystem comprises several CSCIs (computer software configuration items), each CSCI comprising a group of interfaces for executing attacks and the attack components corresponding to those interfaces; when invoked by the subsystem they generate malicious HTA files with which the target Windows host is attacked.
Further, the distributed 5GC simulation software system is deployed and run in a virtual machine installed in a virtual machine management system; the terminal simulator and the access network simulator are realized in a virtual machine installed in the same virtual machine management system; and the attacker simulation system is realized in a separately installed virtual machine in that management system. Each virtual machine is interconnected with the others in the same network segment of the local area network through IP address configuration, which realizes the interconnection of the distributed 5GC simulation software system, the UERANSIM system and the attacker simulation system.
In another aspect, the invention also provides a method for constructing the knowledge graph of a 5GC penetration test adversary model, realized by the above knowledge graph construction system and comprising the following steps:
defining an adversary model for the 5GC penetration test, and using it to analyze the normal operation, attack and defence scenarios of key network elements in a typical flow of the 5G data communication process; the adversary model comprises an attack decision sub-model and an attack transition sub-model;
constructing the knowledge graph of the adversary model using a modeling language and an integrated modeling environment, the knowledge graph comprising an entity ontology, an operation ontology and a situation ontology; the entity ontology comprises all core network elements, each defined as a role; the operation ontology consists of procedures, services and objectives, where a procedure is an operation within a network element that is not further subdivided, a set of procedures constitutes a service, a service is a functional component with specific semantics in the network element, and the collection of services forms the operation ontology; an objective is the effect achieved once a service completes, determined by a security detection rule constructed for a specific attack; the situation ontology models the contextual environment in which the entity ontology and operation ontology operate, and the service invocation relationships between network elements are defined through object properties; the attack decision sub-model is defined by the situation ontology and the security detection rules constructed for a particular attack;
and taking an initial attack planning model as input, invoking and running the inference engine to automatically generate a composite attack planning set, thereby realizing inference from atomic attacks to composite attacks and penetration test modeling and analysis for key network elements in the 5GC.
Further, the entity ontology and operation ontology definitions describe the protocol stack invoked by each distributed 5G core network simulation network element under static conditions and the protocol stack invoked by each attack component of the attacker simulation system under dynamic conditions.
Further, each distributed 5G core network simulation network element is given a corresponding weight, each operation interface it provides externally is given a corresponding weight according to the function that interface corresponds to, and the network nodes in each 5G core network are given corresponding weights;
when constructing the knowledge graph of the adversary model with the modeling language and integrated modeling environment, these weights are converted into the semantics of the corresponding operation ontology, specifically as follows:
1) constructing a situation ontology based on the core network operation flow;
2) constructing a situation ontology of the attack behaviour;
3) designing production rules conforming to the SWRL grammar, which express the security level in the security detection through different semantics.
Further, the modeling language is OWL-S, and the description language of the security detection rules is SWRL.
Further, the attack decision sub-model adopts an attack planning model that conforms to the definition of the attacker simulation system's running state; the attack planning model is defined as a quadruple:
attack_plan=〈plan_goal,plan_premise,plan_body,plan_result〉
where attack_plan is the attack planning model; plan_goal is the information about the attack target; plan_premise is the planning precondition; plan_body is the planning body, describing the attack action sequence or attack script to be executed; and plan_result is the expected result of executing the plan, i.e. the new adversary state set and attack effect that can be produced once the planning body has executed with the planning precondition satisfied.
Further, the attack transition sub-model is defined as the following five-tuple:
BM = <Q, Σ, δ, q0, F>;
wherein BM is the attack transition sub-model; Q is the set of all attack states, Q = A, where A is the set of attack actions applied by a network adversary to an attack object; Σ is the input set, Σ = M_S × P_S, where M_S is the set of operation ontologies executed by the attacker and/or defender and P_S is the set of service and/or protocol operation ontologies; the elements of Σ, a finite input alphabet, are formed by the Cartesian product of the attack and/or defence operation ontology set and the service and/or protocol operation ontology set; δ is the transfer function, namely the function that outputs the behaviour of the network adversary; q0 is the initial state, namely the initial set of operations of the attacking adversary; F is the set of final states, namely the set of final attack behaviours of the network adversary;
two final states, before and after the state transition, are defined, and the state transfer function δ and the input set Σ are defined by combining the entity ontology, the operation ontology and the situation ontology.
In still another aspect, the present invention further provides a knowledge graph construction device for a 5GC penetration test enemy model, the device including a memory and a processor; the memory stores a computer program for realizing the method for constructing the knowledge graph of the 5GC penetration test enemy model, and the processor executes the computer program to realize the steps of the method.
In yet another aspect, the present invention also provides a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the above method.
The knowledge graph construction system, method and equipment for the 5GC penetration test enemy model have the following beneficial effects:
Aiming at the lack of a systematic and formalized 5G penetration test simulation platform, the system, method and equipment for constructing the knowledge graph of the 5GC penetration test enemy model construct a unified 5G formalized penetration test simulation platform comprising three subsystems: a 5G subsystem, a penetration test subsystem, and a formalized modeling and knowledge graph construction subsystem. The 5G subsystem is realized with Open5GS + UERANSIM software, the penetration test subsystem with Kali Linux, and the formal modeling and knowledge graph construction subsystem with the Protégé integrated modeling environment together with the OWL and SWRL modeling languages and the HermiT inference engine. By integrating subsystems with different characteristics, formal modeling and reasoning about the running logic flow of the existing 5G system, the attack process against network elements and the corresponding defense strategies can be realized to the greatest extent.
Aiming at the requirement that the design and the operation result of a penetration test conform to the logical relationships between 5G network elements and between protocols, the system, method and equipment for constructing the knowledge graph of the 5GC penetration test adversary model, on the basis of the unified 5G formal penetration test simulation platform, analyze the 5G operation flow and the attack flow and apply a formal analysis method based on the adversary model and the knowledge graph to complete knowledge graph construction for two typical attacks in a typical 5GC operation flow (the UE registration flow): the data-stealing attack and the identity-impersonation attack.
Aiming at the problems of incomplete vulnerability discovery, incomplete testing, and repeated or redundant testing in the penetration test process, the knowledge graph construction system, method and equipment for the 5GC penetration test enemy model select suitable formal modeling and verification methods and achieve the aims of vulnerability mining and penetration test completeness by performing formal, automated system analysis of the operation logic of the tested system (service). On the basis of completing the knowledge graph construction of typical attacks on 5GC operation, the formal adversary model guides the penetration test operation process through a suitable reasoning process, so that a defense method against the attack means is deduced, and a closed loop for generating an endogenous security solution based on the knowledge graph and the adversary model is realized. At the same time, the vulnerability mining results are recorded in a logic rule base, and self-learning and reasoning of the rule base are realized through continuous automated penetration testing, so as to meet the coverage requirements of penetration testing of a continuously evolving 5GC system.
Drawings
FIG. 1 is a schematic diagram of a 5GC system configuration according to an embodiment of the invention.
FIG. 2 is a schematic diagram of a data storage architecture of a UDM-UDR of an embodiment of the present invention.
FIG. 3 is a schematic diagram of the system components of an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of an Open5GS system according to an embodiment of the present invention.
Fig. 5 is a schematic diagram of attack rule definition according to an embodiment of the present invention.
FIG. 6 is a schematic diagram of a plan body for an attack_dataramp according to an embodiment of the present invention.
FIG. 7 is a schematic diagram of a plan_premise definition of an attack_datatag according to an embodiment of the present invention.
FIG. 8 is a schematic diagram of a plan_result definition of an attack_dataramp according to an embodiment of the present invention.
FIG. 9 is a schematic diagram of an HTTPS_Service protocol stack operation ontology definition according to an embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the examples and with reference to the accompanying drawings.
Example 1:
the embodiment of the invention discloses a knowledge graph construction system and a knowledge graph construction method for a 5GC penetration test enemy model.
Characteristics of 5GC System
The 5GC (i.e. 5G core network) system structure is shown in figure 1, and the system is characterized in that:
1) The system uses internet protocols as bearer protocols, including HTTP/2, TLS (HTTP/2 running on TLS is called HTTPS), SCTP, TCP/UDP and IP/IPv6; message transmission between network elements uses a format conforming to the HTTP standard.
2) The network element is a software collection deployed on a Linux system and a general server. In the research object of the invention, each network element of the 5GC is deployed on a general server to form a deployment scheme of the general server+5GC core network software. Each network element is a set of software collections based on the Linux operating system.
Each network element provides a group of interfaces which can be called outwards during operation, the interfaces are open to the outside, and message transmission between the interfaces operates on a standard internet protocol. The network elements have operation dependency relationship, and the service calling relationship between the network elements jointly forms the operation flow of the 5 GC.
3) The number of network elements is limited, but the key network elements have the characteristics of a Safety-Critical System (Safety-Critical System), namely the Safety operation of the network elements has important influence on the aspects of economy, society and the like.
Taking UDM as an example: according to the 3GPP TS 29.503 definition, UDM implements unified management of user subscription data and uses data stored in the UDR to perform application logic such as access authorization and registration management. When the UE registers with the system, the UDM completes the radio access authorization and checks supported functions, barred services and other restrictions. For identity authentication, the UDM completes the conversion from SUCI to SUPI and the generation of AUSF authentication credentials. The network element information stored in the UDM includes the AMF instance serving the UE and the SMF instance providing PDU session management to the UE. UDM needs to register with the NRF before starting.
According to the definition of 3GPP TS 29.504, UDR is the back-end database of UDM and stores various types of data including subscription data, network type definitions and user policies. Deployment between UDM and UDR takes a distributed form, and data access to the UDR is provided to other NFs in the form of a UDR Service, in particular to UDM (subscription data), PCF and NEF. The 5G user database adopts an architecture with separated front end and back end: the front end is Unified Data Management (UDM) and PCF, and the back end is UDR. Although UDR is unified in the standard, in implementation, especially after HSS is integrated, the fields, formats and so on of user data storage differ, and for convenience of implementation different back ends are often adopted. For convenience of distinction, UDM FE, PCF FE and HSS FE usually denote the front ends, and UDM BE, PCF BE and HSS BE the back ends. The front end is responsible for processing service logic and signaling with other core network elements, and stores the dynamic data of users and services. The back end is responsible for interfacing with the operator's IT systems (e.g. CRM) for operations such as user account opening and sales, and stores static user data and policy data. In the FE/BE architecture of UDM, the FE processes the dynamic data of users, that is, the users registered in the mobile network, and must operate frequently; at present the capacity of a single device is generally in the millions. The BE is responsible for storing the static user data, on which read-write operations are relatively fewer; the capacity of a single device is likewise in the millions. So for provinces with a larger user scale, the centrally deployed UDM usually consists of one or two pairs of BE, while the FE has multiple pairs.
Therefore, it is easy to see that the number of UDM-UDRs in 5GC deployment is not large, but as long as the UDMs are attacked, the influence on the whole 5GC system is huge when the UDMs cause abnormal service operation, and the information loss of massive users is caused. Thus, the security detection of UDM-UDR should have a certain "weight" in the whole core network. Similarly, each network element and its externally provided services should be given a corresponding "weight" according to their function. This feature is clearly different from the common network penetration test.
In existing internet penetration test technology (for example, Chinese patent application nos. 202210091327.9 and 202210495634.3), the network system under test is treated as a whole, and all hosts or servers interconnected in it are nodes of equal weight. This is not necessarily the case: in actual operation different network nodes carry different weights, e.g. servers storing important data or routers at backbone/central nodes cause greater losses once they are attacked or their data compromised. The data storage architecture of UDM-UDR is shown in fig. 2.
The knowledge graph construction system of the 5GC penetration test enemy model of this embodiment is used to construct the knowledge graph of the 5GC penetration test enemy model and comprises an interconnected distributed 5GC simulation software system, a UERANSIM system and an attacker simulation system, as shown in fig. 3.
Distributed 5GC simulation software system
The distributed 5GC simulation software system in this embodiment is composed of distributed 5G core network simulation network elements, each distributed 5G core network simulation network element simulates a function of a 5G core network element, a set of operation interfaces are provided for the outside, each operation interface corresponds to a configuration item operated in the background, that is, a function of the network element, and a set of configuration items form a distributed 5G core network simulation network element.
The Open5GS system and the Free5GC system are two currently mainstream 5G core network simulation systems. The Open5GS system is derived from the GitHub and is a distributed 5GC simulation software system. The advantages of the Open5GS system compared to the Free5GC system are mainly represented by:
1) The compiling and the operation are convenient: the operation of Open5GS is independent of source code, and a user can choose to compile and operate based on the source code or directly pull down the latest branches of the project from the GitHub and operate according to experimental requirements.
2) Multi-platform support: Open5GS supports a variety of operating platforms including Ubuntu, CentOS, Fedora, FreeBSD and macOS. Open5GS also supports distributed deployment on a Kubernetes system, so the data communication conditions of 5GC in actual operation can be reproduced more realistically.
3) Multi-terminal support: compared with Free5GC, the number of concurrent users, activated users and activated sessions supported by Open5GS all reach 10000, so tests can be run closer to the actual operating conditions of the 5G core network.
As shown in fig. 4, the whole Open5GS system is composed of distributed network elements of different kinds; each network element provides a series of operable interfaces (APIs), and each interface corresponds to a computer software configuration item (CSCI) running in the background, that is, a function of the network element. A group of such CSCIs constitutes a subsystem (Sub System), i.e. a network element, and the collection of network elements constitutes the System. This architecture lays the foundation for modeling and analyzing the network element operation flow with a formal method.
Preferably, in another embodiment, the deployment and operation of the distributed 5GC simulation software system is implemented in a virtual machine installed in a virtual machine management system. For example, deployment and operation of Open5GS is implemented with the VMware Workstation virtual machine management system on a Windows platform: within the same local area network, a virtual machine running Ubuntu 20.04 Linux is set up as the deployment environment of Open5GS, and through the IP address configured on the local area network the virtual machine interconnects with the attacker simulation system (Kali Linux) and the UERANSIM system.
UERANSIM system
The UERANSIM system in this embodiment includes a terminal simulator and an access network simulator, which simulate the operation flows of the terminal and the access network in the 5G data communication process, respectively.
The UERANSIM system is also an open source item of software from GitHub that simulates the operation of a terminal (UE) and an access network (RAN) during 5G data communications.
Preferably, in another embodiment, the terminal simulator and the access network simulator are implemented in a virtual machine installed in a virtual machine management system. For example, in the invention the two simulators are also deployed on a virtual machine running Ubuntu 20.04 Linux, and interconnection with the Open5GS and Kali systems in the same network segment of the local area network is achieved through IP address configuration.
Attacker simulation system
Kali Linux 2 is the mainstream penetration test and security audit system currently aimed at professionals, developed from the penetration test operating system BackTrack. The system (Kali Linux 2) is a Debian-based Linux distribution; as described above, since Open5GS can be deployed on Linux systems such as Ubuntu and Debian, a unified penetration test environment can be realized either by deploying Open5GS directly in the Kali Linux 2 system or by using the attacker simulation system Kali Linux 2 independently, which allows the penetration test to be designed and run more effectively.
The latter is used in this embodiment. In this embodiment, the attacker simulation system, which acts as the attacker in the 5GC penetration test, comprises a set of attack subsystems of different types; each attack subsystem comprises several CSCIs, and each CSCI comprises a group of interfaces for executing attacks together with the attack components corresponding to those interfaces (for example, a component that, when called by its subsystem, generates a malicious HTA file with which a target Windows host is attacked).
Preferably, in another embodiment, the attacker simulation system is implemented by a virtual machine independently installed in a virtual machine management system; and each virtual machine is interconnected with other virtual machines in the same network segment of the local area network through IP address configuration, so that interconnection and intercommunication of a distributed 5GC simulation software system, a UERANSIM system and an attacker simulation system are realized. For example, in the VMware Workstation management system on the Windows platform, a Kali Linux virtual machine is installed separately, and the virtual machine plays an attacker, i.e., a penetration test executor role, in the penetration test system. The virtual machine can be interconnected and communicated with the Open5GS system and the UERANSIM simulation system through IP address configuration.
In another embodiment, the architecture of the Kali Linux 2 system is similar to that of Open5GS: it is also composed of a set of attack subsystems (Sub Systems) of different types, such as vulnerability analysis, cryptographic attacks, wireless attacks and sniffing/spoofing; each attack subsystem is made up of several CSCIs, and each CSCI comprises a set of interface APIs that provide "services" to the outside (executing an attack is also referred to here as a service) together with the running entities to which the APIs correspond. For example, the component Wireshark, which intercepts/replays messages on the network, is a CSCI in Kali Linux 2 belonging to the subsystem "sniffing/spoofing", and its callable interfaces that provide attack functions externally are its API. For another example, using the HTA file function for penetration attacks on Windows, the CSCI "office_word_hta" belongs to the subsystem "Metasploit" in Kali Linux 2; the API it provides can be called by the subsystem to generate a malicious HTA file with which the target Windows host is attacked, the effect of the attack being to obtain control authority over the attacked host.
By the system, a complete 5G simulation system (comprising UE, RAN and core network) and a Kali Linux2 system serving as an attacker are integrated in a virtual machine management platform.
Tailoring and introduction of the adversary model
A general network adversary model is proposed in "study of network adversary model" (Jiang Jianchun), which comprises three parts: the basic concepts of the mental model, the attack decision model and the behavior transition model are defined as follows:
Definition 1, network adversary: a member or organization attacking the network, including individuals, organizations, countries, etc., such as a hacker community. Denoted by the lowercase letter s; the uppercase letter S denotes the set of adversaries.
Definition 2, attack intent: the aim the network adversary hopes to achieve by the attack, such as economic benefits, returns, etc. Denoted by the symbol i; the uppercase letter I denotes the intent set.
Definition 3, attack object: the operation object of the attacker, such as a file, a host or a router. Denoted by the symbol o; the capital letter O denotes the attack object set.
Definition 4, network attack operation: the action applied by the network adversary to the attack object, denoted by the symbol a; the capital letter A denotes the attack action set.
Definition 5, attack target: what the attacker expects to obtain when realizing the attack intent, for example a password file. A single attack target is denoted by the symbol g, and the set of attack targets by the capital letter G.
Definition 6, external environment: the attack environment in which the network adversary is located is dynamic, and the adversary makes decisions or takes actions based on the information obtained from the external environment. The external environment of the network adversary is abstracted here into a set of message queues; the symbol M denotes the message set and m an element of the message set.
Definition 7, network attack adversary belief: the belief of a network attack adversary is the information the attacker has about the target network, which may be incomplete or even incorrect. Such information can be divided into objective facts (knowledge) whose correctness is determined, e.g. "the target network provides WEB services", and subjective attitudes whose correctness is uncertain, e.g. "I believe unauthorized access to the WEB server is possible". The network attack adversary belief set is denoted by the symbol B, and b denotes an element of the belief set.
Definition 8, network attack adversary wish: describes the preference of the network attack adversary toward unknown network system conditions and possible courses of action, and belongs to the emotional aspect of the mental state. An important characteristic of an adversary's wishes is that they may be mutually incompatible, and the adversary need not believe that its wishes can be fulfilled. The network attack adversary wish set is denoted by the symbol D, and d denotes an element of the wish set.
Definition 9, network attack adversary knowledge: a precondition for a network attack is that the adversary has the corresponding knowledge, such as communication protocol vulnerabilities of the target network and system operation. How much the adversary knows decides whether it can achieve its attack target. But the adversary's knowledge may change; for example, an adversary who needs a system exploit can learn by itself or gather it from the web. Adversary knowledge is therefore also a dynamic, evolving process. The network attack adversary knowledge set is denoted by the symbol K, and k denotes an element of the knowledge set.
Definition 10, network attack cost: the operational overhead in the attack process, such as the computing resources of the attacking adversary. The attack cost is denoted by the symbol c, and the capital letter C denotes the set of attack costs.
Because "mind" is a subjective notion, in 5G core network penetration testing it cannot intuitively describe the attack behaviour of Kali Linux 2 and the state changes of each Open5GS network element affected by that behaviour; therefore the adversary model here comprises an attack decision sub-model and an attack transition sub-model (defined in step one), and the mind sub-model is not adopted.
On the basis of analyzing the logical structural characteristics of the system, the method for constructing the knowledge graph of the 5GC penetration test adversary model comprises the following steps:
step one, defining an adversary model of a 5GC penetration test, and analyzing conventional operation, attack or defense scenes of key network elements (such as UDM and UDR) in a typical flow (such as UE registration) in the 5G data communication process through the adversary model of the 5GC penetration test.
The adversary model comprises an attack decision sub-model and an attack transition sub-model. Adopting a planning model conforming to the definition of an attacker model (dynamic and static) of the attacker simulation system as an attack decision sub-model of a 5GC penetration test enemy model; the attack transition sub-model is a dynamic model generated in the simulation attack execution process through system reasoning and is used for describing external attack expression of the intention of a network adversary in a 5GC penetration test flow. The attack transition sub-model includes entity, operation, and context ontology. Wherein the context ontology describes the transition conditions. The attack transition sub-model (initial) is a dynamic part of the attack planning model, which has a specific meaning, namely the context model of the attacker.
Defining an attack decision sub-model:
The network adversary's attack decision does not arise out of nothing: it forms an appropriate attack plan according to the adversary's mental state, the resources it controls and the attack cost. The network adversary makes a plan in order to find an attack operation chain. The network attack operation chain is triggered by the attacker, who applies certain attack tools (including attack strategies and methods) to access the target network and system (legally or illegally) so as to achieve a certain attack effect, realize the attack target predefined by the attacker and finally fulfil the adversary's attack intent. All network attack chains together form a network attack plan library.
Defining the attack planning model as a quadruple:
attack_plan=〈plan_goal,plan_premise,plan_body,plan_result〉
The attack_plan is the attack planning model; the element plan_goal is the information of the attack target; the element plan_body is the information of the attack planning body and describes the executed attack action sequence or attack script; the element plan_premise is the planning precondition, namely the set of preconditions that must be met for the attack planning body to run, i.e. the attack resources; the element plan_result is the expected result of executing the plan, namely the new adversary state set and attack effect produced after the planning body is executed under the condition that the planning premise is met.
In the definition of the attack (adversary) decision planning model, <a>+ denotes one or more occurrences of item a; ";", "|" and "×" are the sequential, parallel and iterative composite action synthesis operators respectively; goal_list denotes the target description table, cost_list the cost description table, resource_list the resource description table, capability_list the capability description table, attack_list the network attack operation description table, result_list the network attack operation result description table, and event_list the abnormal event description table.
The definition of the attack planning model is consistent with the definition of the running state of the attacker simulation system used in the invention, so the invention adopts the attack planning model as an attack decision sub-model of the 5GC penetration test adversary model. The specific definition is realized by the situation ontology in the ontology model and the attack rule defined by SWRL language, and the detailed description is seen in the step two.
Defining an attack transition sub-model:
the attack transition sub-model is defined as the following quintuple:
BM = <Q, Σ, δ, q0, F>
wherein BM is the attack transition sub-model; Q is the set of all attack states, Q = A, where A is the set of attack actions applied by a network adversary to an attack object (see Definition 4 above); Σ is the input set, namely the set of all external input data the attack transition sub-model is allowed to receive, including all data sequences transmitted between network elements and between network elements and the attacker that are caused by the operation behaviour of the attacker ontology. In the general adversary model the elements of Σ are formed by the Cartesian product of the network attack adversary mind set and the attack planning set; since the mind set is not considered in the invention, here Σ = M_S × P_S, where M_S is the set of operation ontologies executed by the attacker and/or defender and P_S is the set of service and/or protocol operation ontologies, so that the elements of Σ are formed by the Cartesian product of the attack and/or defence operation ontology set and the service and/or protocol operation ontology set, and Σ is a finite input alphabet; δ is the transfer function, namely the function that outputs the behaviour of the network adversary; q0 is the initial state, namely the initial operation set of the attacking adversary; F is the set of final states, namely the final attack behaviour set of the network adversary;
Two final states, before and after the attack state transition, are defined, and the state transfer function δ and the input set Σ are defined by combining the entity ontology, the operation ontology and the situation ontology.
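The five-tuple is an ordinary deterministic automaton, and it becomes concrete once Σ is actually built as M_S × P_S and δ is a lookup table. The following Python is an added illustration, not code from the patent, Open5GS or Kali: the state names, the two operation-ontology sets M_S and P_S, the transition table and the "rate_limit" defender operation are all constructed assumptions kept at the abstract level of the UE-registration scenario named in the text. It also covers the identical five-tuple stated in the claims earlier on the page.

```python
"""Attack transition sub-model BM = <Q, Sigma, delta, q0, F> run as a deterministic
automaton.  Added illustration, not the patent's own code; states, ontology sets
and the transition table are constructed examples."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, Iterable, List, Tuple

Symbol = Tuple[str, str]  # one element of Sigma = M_S x P_S

# M_S: operation ontologies executed by attacker and/or defender (constructed names)
M_S: FrozenSet[str] = frozenset({"sniff", "replay", "impersonate", "rate_limit"})
# P_S: service and/or protocol operation ontologies (constructed names)
P_S: FrozenSet[str] = frozenset({"HTTPS_Service", "NRF_Discovery", "UDM_SubscriberData"})
SIGMA: FrozenSet[Symbol] = frozenset(product(M_S, P_S))  # the finite input alphabet


@dataclass(frozen=True)
class TransitionModel:
    Q: FrozenSet[str]                       # attack states (Q = A, the attack action set)
    Sigma: FrozenSet[Symbol]                # input alphabet
    delta: Dict[Tuple[str, Symbol], str]    # partial transfer function
    q0: str                                 # initial operation state of the adversary
    F: FrozenSet[str]                       # final attack-behaviour states

    def __post_init__(self) -> None:
        # Well-formedness of the five-tuple: every transition stays inside Q and Sigma.
        if self.q0 not in self.Q or not self.F <= self.Q:
            raise ValueError("q0 and F must lie in Q")
        for (q, sym), q_next in self.delta.items():
            if q not in self.Q or q_next not in self.Q or sym not in self.Sigma:
                raise ValueError(f"transition {(q, sym, q_next)} leaves Q or Sigma")

    def run(self, inputs: Iterable[Symbol]) -> Tuple[List[str], bool]:
        """Feed an input sequence; return the visited states and whether a final state was reached."""
        q, trace = self.q0, [self.q0]
        for sym in inputs:
            if sym not in self.Sigma:
                raise ValueError(f"{sym} is not in the input alphabet")
            nxt = self.delta.get((q, sym))
            if nxt is None:            # undefined transition: the path stalls here
                return trace, False
            q = nxt
            trace.append(q)
        return trace, q in self.F


def build_registration_model() -> TransitionModel:
    """Constructed BM: a data-theft path through UE registration plus a defender transition."""
    Q = frozenset({"idle", "traffic_captured", "registration_replayed",
                   "subscriber_data_read", "blocked"})
    delta: Dict[Tuple[str, Symbol], str] = {
        ("idle", ("sniff", "HTTPS_Service")): "traffic_captured",
        ("traffic_captured", ("replay", "NRF_Discovery")): "registration_replayed",
        ("registration_replayed", ("impersonate", "UDM_SubscriberData")): "subscriber_data_read",
    }
    # Defender operation: rate limiting any service from any non-final state ends in "blocked".
    for q in Q - {"subscriber_data_read", "blocked"}:
        for svc in P_S:
            delta[(q, ("rate_limit", svc))] = "blocked"
    return TransitionModel(Q, SIGMA, delta, "idle", frozenset({"subscriber_data_read", "blocked"}))


if __name__ == "__main__":
    model = build_registration_model()
    print(model.run([("sniff", "HTTPS_Service"), ("rate_limit", "HTTPS_Service")]))
```

The two final states the text mentions appear here as the two members of F: one reached by the attacker's sequence and one reached by the defender's operation, so the same automaton records both the attack expression and the point at which a defence interrupts it.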
According to the invention, the closed loop programming of the penetration test based on the protocol stack is completed by realizing the attack decision sub-model and the attack transition sub-model defined in the first step, and the distributed network penetration test behavior is systemized and formalized based on the operation characteristics of the Open5GS and the Kali Linux 2.
And secondly, constructing a knowledge graph of the enemy model by adopting modeling language and an integrated modeling environment.
The knowledge graph comprises an entity ontology, an operation ontology and a situation ontology. The entity ontology comprises all core network elements, each defined as a role. The operation ontology consists of processes, services and targets: a process is an operation that is not further subdivided within a network element, and a set of processes constitutes a service; a service is a functional component with specific semantics in the network element, and the collection of services forms the operation ontology; a target is the effect achieved after a service completes, determined by a security detection rule constructed for a specific attack. The situation ontology models the context in which the entity ontology and the operation ontology operate, and the service-calling relations between network elements are defined through object properties.
The attack decision sub-model is defined by the context ontology and the security detection rules constructed for a particular attack.
Preferably, in another embodiment, in the entity body and the operation body definitions, a protocol stack called by each distributed 5G core network emulation network element under a static condition and a protocol stack called by each attack component of the attacker emulation system under a dynamic condition are described.
Preferably, in another embodiment, each distributed 5G core network simulation network element is given a corresponding weight, and each operation interface provided externally by a distributed 5G core network simulation network element is given a corresponding weight according to the function the interface corresponds to; the network nodes in each 5G core network are likewise given corresponding weights.
In the process of constructing the knowledge graph of the enemy model by adopting modeling language and integrated modeling environment, the weight is converted into the semantics of the corresponding operation ontology, and the specific method comprises the following steps:
1) Constructing a situation ontology based on a core network operation flow;
2) Constructing a situation ontology of the attack behavior;
3) Designing production rules conforming to the SWRL grammar specification, which present the security level of the security detection in different semantics.
Preferably, the modeling language is the OWL-S language, and the description language of the security detection rules is the SWRL language.
Preferably, the knowledge graph is constructed with the OWL modeling language and the Protégé integrated modeling environment.
The knowledge graph defined by the invention enables a top-down penetration test design that covers the whole penetration test process of specific network elements.
Thirdly, the initial attack planning model is taken as input, the inference engine is invoked and run, and a composite attack planning set is generated automatically, realizing the inference from atomic attacks to composite attacks and the penetration test modeling and analysis of key network elements in the 5GC, so as to guide engineers in the field in executing a complete penetration test.
The initial attack planning model is the attacker ontology model (the Kali system in this invention) initially input by the penetration test designer; it comprises a static model (entity ontology and operation ontology) and a dynamic model (situation ontology). After inference over this model, composite attack models for different network element operation scenarios can be generated.
In the entity ontology and operation ontology definitions of the invention, the protocol stack called by each Open5GS network element under static conditions is described, as is the protocol stack called by each attack service of Kali Linux2 under steady-state conditions. Therefore, when the penetration test designer inputs an initial attack planning model, the system inference engine HermiT is loaded and the integration environment automatically generates the composite attack planning set, i.e. the effect produced by the initial attack in the network element system. Taking the HTTPS service as an example, the protocol stack is defined as shown in fig. 9.
Preferably, in another embodiment, the UE registration procedure is taken as an example to analyse the penetration test of the data transmission procedure between UDM and UDR.
2-1) Define the two final states of the transmission process, IsSafety (the 5GC system is in a safe state during data transmission) and IsUnSafety (the data transmission process is in an unsafe state). In the attack transition sub-model definition, F = {IsSafety, IsUnSafety}, where F is the set of final states of the attacked system, IsSafety represents a safe state and IsUnSafety an unsafe state.
2-2) After the final states are defined, δ (the state transfer function) and Σ (the input set) can be defined by combining the entity ontology and operation ontology (implemented with classes) with the situation ontology (implemented with object properties).
During data transmission, a state transfer function δ (nudm_sdm_get (.
Here the symbol "^" represents an AND relationship. The meaning of this function is: when HTTP/2 is used as the transmission protocol for data transmission between UDM and UDR, the transmission process causes the Open5GS system to migrate to a safe state if and only if the md5 value of the data x sent by the UDM end coincides with the md5 value of the data y received by the UDR end.
Similarly, the following state transfer function δ can be obtained:
1) δ(Https_Service(?x)^Nudm_SDM_Get(?x)^Nudr_DM_Query(?y)^using_calculatemd5(?x,?x_md5)^using_calculatemd5(?y,?y_md5)^sameAs(?x_md5,?y_md5)) = IsSafety(?x,?y)
Description: when HTTPS is used as the transmission protocol between UDM and UDR, the transmission process causes the Open5GS system to migrate to a safe state if and only if the md5 value of the data x sent by the UDM end coincides with the md5 value of the data y received by the UDR end.
2) δ(Http_Get(?x)^Nudr_DM_Query(?x)^Http_Poisoning(?x)^Nudm_SDM_Get(?x)^attack_datatamper(?x,?y)^attack_datareplay(?x,?y)) = ISNudm_sdm_get_datatamper(?x,?y)^IsUnSafety(?x,?y)
Description: when the HTTP/2 protocol is used for data transmission between UDM and UDR, the 5G core network is in an unsafe (data tampering) state if and only if the transmission is subjected to HTTP spoofing, data tampering and data replay;
3) δ(Https_Service(?x)^Https_MidProxy(?x)^Nudr_DM_Query(?x)^Nudm_SDM_Get(?x)^attack_datatamper(?x,?y)^attack_datareplay(?x,?y)) = ISNudm_sdm_get_datatamper(?x,?y)^IsUnSafety(?x,?y)
Description: when the HTTPS protocol is used for data transmission between UDM and UDR, the 5G core network is in an unsafe (data tampering) state if and only if the transmission is subjected to Https_MidProxy (a man-in-the-middle attack on HTTPS), data tampering and data replay;
The set of UDM-UDR data transmission states, Kali Linux2 attack states and Open5GS defense states used in the state transfer function is the definition of Σ in the state transition model.
The set of attack states q= { https_midproxy (,
attack_datatamper(?x,?y), attack_datareplay(?x,?y)};
Initial attack state set q0 = {Https_MidProxy(?x), Http_Poisoning(?x)};
Similarly, the attack state transition model definition of the whole UDM-UDR data transmission process can be obtained; in the invention it is realized by the attack/defense rules defined in the SWRL language, as shown in fig. 5.
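The δ rules 1) to 3) and the sets F, Q and q0 above (and the five-tuple BM = <Q, Σ, δ, q0, F> of claim 8) can be exercised as a small evaluator. The following Python is an added example written for this page, not code from the patent, Open5GS or Kali: it keeps the patent's predicate and state names, constructs the UDM-UDR payload bytes itself, and assumes the membership of the service/protocol set P_S, which the page does not enumerate, from the predicates that appear in the rules.

```python
"""Evaluator for the attack transition sub-model BM = <Q, Σ, δ, q0, F>
applied to the UDM-UDR data transfer of the UE registration procedure.

Added example, not the patent's code. Predicate and state names are those
of the patent's δ rules; payload bytes and the members of P_S are
constructed here.
"""
import hashlib
from itertools import product

# Q = A: attack states applied by the network adversary (from the page)
Q = frozenset({"Https_MidProxy", "Http_Poisoning", "attack_datatamper", "attack_datareplay"})
# q0: initial attack states (from the page)
Q0 = frozenset({"Https_MidProxy", "Http_Poisoning"})
# F: final states of the attacked system (from the page)
F = frozenset({"IsSafety", "IsUnSafety"})
# M_S: operation ontologies executed by attacker and/or defender
M_S = Q | {"using_calculatemd5"}
# P_S: service/protocol operation ontologies (assumption: taken from the rule predicates)
P_S = frozenset({"Https_Service", "Http_Get", "Nudm_SDM_Get", "Nudr_DM_Query"})
# Σ = M_S × P_S, the finite input alphabet of the model
SIGMA = frozenset(product(M_S, P_S))


def using_calculatemd5(data: bytes) -> str:
    # The patent's rules compare md5 digests. md5 is adequate as an equality
    # check of two copies of the same bytes, but gives no protection against a
    # deliberately colliding payload; a real integrity check would use SHA-256
    # or an authenticated transport.
    return hashlib.md5(data).hexdigest()


def delta(protocol: str, x: bytes, y: bytes, attacks: frozenset = frozenset()) -> frozenset:
    """State transfer function δ for the UDM-UDR transfer.

    protocol: 'HTTPS' or 'HTTP/2'; x: payload Nudm_SDM_Get(?x) sent by UDM;
    y: payload Nudr_DM_Query(?y) received by UDR; attacks: the subset of Q
    observed on the path (for example by the security detection rules).
    Returns every state the rules derive, final or intermediate.
    """
    if protocol not in ("HTTPS", "HTTP/2"):
        raise ValueError(f"unknown transport {protocol!r}")
    if not attacks <= Q:
        raise ValueError(f"not attack states: {set(attacks) - Q}")
    reached = set()
    # Rule 1 (and its HTTP/2 twin in the text): safe iff sameAs(?x_md5, ?y_md5)
    if using_calculatemd5(x) == using_calculatemd5(y):
        reached.add("IsSafety")
    # Rule 2: HTTP/2 + Http_Poisoning + attack_datatamper + attack_datareplay
    if protocol == "HTTP/2" and {"Http_Poisoning", "attack_datatamper", "attack_datareplay"} <= attacks:
        reached |= {"ISNudm_sdm_get_datatamper", "IsUnSafety"}
    # Rule 3: HTTPS + Https_MidProxy + attack_datatamper + attack_datareplay
    if protocol == "HTTPS" and {"Https_MidProxy", "attack_datatamper", "attack_datareplay"} <= attacks:
        reached |= {"ISNudm_sdm_get_datatamper", "IsUnSafety"}
    return frozenset(reached)


def final_state(protocol: str, x: bytes, y: bytes, attacks: frozenset = frozenset()):
    """Project δ's output onto F.

    Returns 'IsSafety', 'IsUnSafety', 'conflict' when both final states are
    derivable (a byte-identical replayed payload satisfies rule 1 while rules
    2/3 mark it unsafe), or None when no rule fires.
    """
    finals = delta(protocol, x, y, attacks) & F
    if finals == F:
        return "conflict"
    if finals:
        return next(iter(finals))
    return None


if __name__ == "__main__":
    # Constructed sample payload; not a capture from Open5GS.
    x = b"SUPI=imsi-001010000000001;nssai=1"
    print(final_state("HTTPS", x, x))                       # IsSafety
    print(final_state("HTTPS", x, x.replace(b"1;", b"9;"),
                      frozenset({"Https_MidProxy", "attack_datatamper", "attack_datareplay"})))
```

Running final_state() on a byte-identical payload that the detection rules nevertheless flag as replayed returns "conflict": rule 1 fires because the md5 digests match, while rule 3 fires because of the observed attack states. That is a property of the rules as written, and a practitioner would add a freshness check (nonce or sequence number) to the safe-state rule so that a replay cannot satisfy it.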
The attack planning sub-model includes attack decisions (static: entity and operation ontologies) and attack transitions (dynamic: situation ontology). In the invention the attack planning sub-model is realized by the definition of OWL-S classes and Object Properties: the class definitions cover plan_goal and plan_body in the quadruple <plan_goal, plan_premise, plan_body, plan_result>, and Object Properties define plan_premise and plan_result. Take the data tampering class, the instance attack_datatamper described in the attack transition sub-model, as an example: when an attack_datatamper attack occurs, the entity ontology that performs the attack is shown in fig. 6. The plan_body is composed of the set of operation ontologies that the entity ontology N5gcattacker_service machine can execute, including Https_MidProxy (HTTPS man-in-the-middle attack), nf_addresslabel (NF address spoofing), datalabel (data tampering) and so on.
Object Properties define plan_premise and plan_result in the quadruple. The plan_premise is the precondition that the attack execution must satisfy and the actual result of the attack, and the plan_result is the expected effect after the attack is executed. In this attack_datatamper example, loading the inference engine yields plan_premise = Http_Poisoning, i.e. attack_datatamper can run normally only when the Http_Poisoning attack provided externally by Kali Linux2 can be normally invoked; when an attack_datatamper attack occurs, the attack ontology expected to be invoked, i.e. the situation ontology corresponding to the entity ontology, is shown in fig. 7. plan_result = {Equivalent of attack_datatamper}, i.e. the series of attack results marked in red as "Equivalent of" is produced when attack_datatamper is executed; when an attack_datatamper attack occurs, the attack ontology that will actually run is shown in fig. 8. Here plan_goal is the atomic target definition of the attack, i.e. the effect the attack produces in the original knowledge graph, and plan_result is the composite target definition of the attack, i.e. the possible effects of the attack obtained by inference, namely which attacks can be completed by calling this attack during actual execution.
In summary, by analysing the operating characteristics and architecture of Open5GS, UERANSIM and Kali Linux2, the invention uses a tailored network adversary model to define and realize the attack planning sub-model and the attack transition sub-model, which generate complete penetration test plans. The models are constructed as knowledge graphs; model construction and directed penetration testing form a dynamic closed loop; the horizontal network element logic relationships and the vertical protocol stack calling relationships in the model form a static closed loop; and Open5GS, UERANSIM and Kali Linux2 are integrated as virtual machines in VMware Workstation to form a complete experiment platform closed loop.
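To make the inference from plan_premise to plan_result concrete, here is a forward-chaining example in Python, added for this page and not the patent's own code or its HermiT/OWL-S knowledge graph. The attack names and the entity ontology N5gcattacker_service come from the text above; the premises and atomic goals attached to them are constructed assumptions for illustration only.

```python
"""Attack planning sub-model: attack_plan = <plan_goal, plan_premise, plan_body, plan_result>.

Added example, not the patent's code or knowledge graph. Attack names and the
entity ontology N5gcattacker_service come from the patent text; the goals and
premises assigned below are constructed to illustrate the inference from
atomic to composite attacks.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackPlan:
    name: str                     # the atomic attack (operation ontology) this plan executes
    plan_body: str                # entity ontology that runs the attack
    plan_premise: frozenset[str]  # attacks that must already be executable
    plan_goal: str                # atomic target: the effect this attack itself produces


# Constructed sample knowledge graph (assumption: premises and goals are illustrative).
# Plans with an empty plan_premise are entry points; they only become executable
# when the initial attack planning model names them.
KNOWLEDGE_GRAPH: tuple[AttackPlan, ...] = (
    AttackPlan("Http_Poisoning", "N5gcattacker_service", frozenset(), "http2_session_redirected"),
    AttackPlan("Https_MidProxy", "N5gcattacker_service", frozenset(), "tls_path_intercepted"),
    AttackPlan("attack_datatamper", "N5gcattacker_service", frozenset({"Http_Poisoning"}), "ISNudm_sdm_get_datatamper"),
    AttackPlan("attack_datareplay", "N5gcattacker_service", frozenset({"attack_datatamper"}), "nudm_sdm_get_replayed"),
    AttackPlan("nf_addresslabel", "N5gcattacker_service", frozenset({"Https_MidProxy"}), "nf_address_spoofed"),
)

PLANS = {p.name: p for p in KNOWLEDGE_GRAPH}


def composite_attack_set(initial: set[str], blocked: frozenset[str] = frozenset()) -> set[str]:
    """Forward-chain from the initial attack planning model.

    An attack with a non-empty plan_premise becomes executable once every
    attack in its premise is executable. `blocked` names attacks the defender
    has mitigated; they never become executable, which prunes everything
    that depends on them.
    """
    executable = {a for a in initial if a in PLANS and a not in blocked}
    changed = True
    while changed:
        changed = False
        for plan in KNOWLEDGE_GRAPH:
            if plan.name in executable or plan.name in blocked or not plan.plan_premise:
                continue
            if plan.plan_premise <= executable:
                executable.add(plan.name)
                changed = True
    return executable


def plan_result(name: str) -> set[str]:
    """Composite target definition: every attack whose execution transitively
    depends on `name`, i.e. what the patent's figures label 'Equivalent of <name>'."""
    result: set[str] = set()
    frontier = {name}
    while frontier:
        current = frontier.pop()
        for plan in KNOWLEDGE_GRAPH:
            if current in plan.plan_premise and plan.name not in result:
                result.add(plan.name)
                frontier.add(plan.name)
    return result


def composite_goals(initial: set[str]) -> set[str]:
    """Union of plan_goal over the composite attack set: the effects the
    initial model can produce in the network element system."""
    return {PLANS[a].plan_goal for a in composite_attack_set(initial)}


if __name__ == "__main__":
    print(sorted(composite_attack_set({"Http_Poisoning", "Https_MidProxy"})))
    print(sorted(plan_result("attack_datatamper")))
    print(sorted(composite_attack_set({"Http_Poisoning"}, blocked=frozenset({"attack_datatamper"}))))
```

composite_attack_set() is the composite attack planning set produced from an initial attack planning model, plan_result() is the "Equivalent of" set for one attack, and the blocked parameter shows which downstream attacks drop out of the set when a defender mitigates a single atomic attack, which is how the graph helps decide where detection or hardening pays off first.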
In some embodiments, certain aspects of the techniques described above may be implemented by one or more processors of a processing system executing software. The software includes one or more sets of executable instructions stored or otherwise tangibly embodied on a non-transitory computer-readable storage medium. The software may include instructions and certain data that, when executed by one or more processors, operate the one or more processors to perform one or more aspects of the techniques described above. The non-transitory computer-readable storage medium may include, for example, a magnetic or optical disk storage device, a solid state storage device such as flash memory, cache, Random Access Memory (RAM), or other non-volatile memory device. Executable instructions stored on a non-transitory computer-readable storage medium may be in source code, assembly language code, object code, or another instruction format that is interpreted or otherwise executed by one or more processors.
A computer-readable storage medium may include any storage medium or combination of storage media that can be accessed by a computer system during use to provide instructions and/or data to the computer system. Such storage media may include, but are not limited to, optical media (e.g., Compact Disc (CD), Digital Versatile Disc (DVD), Blu-ray disc), magnetic media (e.g., floppy disk, magnetic tape, or magnetic hard drive), volatile memory (e.g., Random Access Memory (RAM) or cache), non-volatile memory (e.g., Read Only Memory (ROM) or flash memory), or microelectromechanical system (MEMS) based storage media. The computer-readable storage medium may be embedded in a computing system (e.g., system RAM or ROM), fixedly attached to the computing system (e.g., a magnetic hard drive), removably attached to the computing system (e.g., an optical disk or Universal Serial Bus (USB) based flash memory), or coupled to the computer system via a wired or wireless network (e.g., network-accessible storage (NAS)).
While the invention has been disclosed in terms of preferred embodiments, the embodiments are not intended to limit the invention. Any equivalent changes or modifications can be made without departing from the spirit and scope of the present invention, and are intended to be within the scope of the present invention. The scope of the invention should therefore be determined by the following claims.
Claims (10)
1. A knowledge graph construction system for a 5GC penetration test enemy model, used for constructing the knowledge graph of the 5GC penetration test enemy model, characterized in that it comprises an interconnected distributed 5GC simulation software system, a UERANSIM system and an attacker simulation system;
the distributed 5GC simulation software system consists of distributed 5G core network simulation network elements; each distributed 5G core network simulation network element simulates the function of a 5G core network element and provides a group of operation interfaces to the outside, each operation interface corresponding to a configuration item operated in the background, i.e. one function of the network element, and one group of configuration items forms one distributed 5G core network simulation network element;
the UERANSIM system comprises a terminal simulator and an access network simulator, which respectively simulate the operation flow of a terminal and an access network in the 5G data communication process;
the attacker simulation system serves as the attacker in the 5GC penetration test and comprises a group of attack subsystems of different types; each attack subsystem comprises a plurality of CSCIs, each CSCI comprising a group of interfaces for executing attacks and the attack components corresponding to those interfaces, and malicious HTA files are generated when the subsystem calls them, so that the target Windows host is attacked.
2. The knowledge graph construction system of a 5GC penetration test enemy model according to claim 1, wherein the deployment and operation of the distributed 5GC simulation software system are implemented by using a virtual machine installed in a virtual machine management system, the terminal simulator and the access network simulator are implemented by using a virtual machine installed in the virtual machine management system, and the attacker simulation system is implemented by using a virtual machine independently installed in the virtual machine management system; and each virtual machine is interconnected with other virtual machines in the same network segment of the local area network through IP address configuration, so that interconnection and intercommunication of a distributed 5GC simulation software system, a UERANSIM system and an attacker simulation system are realized.
3. A 5GC penetration test enemy model knowledge graph construction method implemented by the 5GC penetration test enemy model knowledge graph construction system according to any one of claims 1 to 2, comprising:
defining an adversary model of a 5GC penetration test, and analyzing conventional operation, attack or defense scenes of key network elements in a typical flow in a 5G data communication process through the adversary model of the 5GC penetration test; the adversary model comprises an attack decision sub-model and an attack transition sub-model;
constructing a knowledge graph of the enemy model with a modeling language and an integrated modeling environment, wherein the knowledge graph comprises an entity ontology, an operation ontology and a situation ontology; the entity ontology comprises all core network elements, each defined as a role; the operation ontology consists of procedures, services and objectives, wherein a procedure is an operation within a network element that is not further subdivided and a set of procedures constitutes a service, a service is a functional component with specific semantics in the network element and the collection of services forms the operation ontology, and an objective is the effect achieved after the service completes, determined by a security detection rule constructed for a specific attack; the situation ontology models the context in which the entity ontology and the operation ontology operate, and the service calling relationships between network elements are defined through object properties; the attack decision sub-model is defined by the situation ontology and the security detection rules constructed for a particular attack;
and taking the initial attack planning model as input, invoking and running an inference engine, automatically generating a composite attack planning set, realizing the inference from atomic attacks to composite attacks, and realizing the penetration test modeling and analysis of key network elements in the 5GC.
4. The method for constructing a knowledge graph of a 5GC penetration test enemy model according to claim 3, wherein the entity ontology and operation ontology definitions describe the protocol stack called by each distributed 5G core network simulation network element under static conditions and the protocol stack called by each attack component of the attacker simulation system under dynamic conditions.
5. The method for constructing a knowledge graph of a 5GC penetration test enemy model according to claim 3, wherein each distributed 5G core network simulation network element is given a corresponding weight, each operation interface it provides to the outside is given a corresponding weight according to the function of that interface, and the network nodes in each 5G core network are given corresponding weights;
in the process of constructing the knowledge graph of the enemy model by adopting modeling language and integrated modeling environment, the weight is converted into the semantics of the corresponding operation ontology, and the specific method comprises the following steps:
1) Constructing a situation ontology based on a core network operation flow;
2) Constructing a situation ontology of the attack behavior;
3) And designing a production rule conforming to the SWRL language grammar specification, and presenting the security level in the security detection in different semantics.
6. The method for constructing a knowledge graph of a 5GC penetration test enemy model according to claim 3, wherein the modeling language is OWL-S language, and the description language of the security detection rule is SWRL language.
7. The method for constructing a knowledge graph of a 5GC penetration test enemy model according to claim 3, wherein the attack decision sub-model adopts an attack planning model conforming to the definition of the running state of the attacker simulation system; the attack planning model is defined as a quadruple:
attack_plan=〈plan_goal,plan_premise,plan_body,plan_result〉
wherein attack_plan is the attack planning model; the element plan_goal is the attack target information; the element plan_body is the attack planning body, describing the attack action sequence or attack script to be executed; the element plan_premise is the planning precondition; the element plan_result is the expected result of executing the plan, i.e. the new adversary state set and attack effect that can be produced after the planning body is executed once the planning precondition is met.
8. The method for constructing a knowledge graph of a 5GC penetration test enemy model according to claim 3, wherein the attack transition sub-model is defined as a five-tuple:
BM = <Q, Σ, δ, q0, F>;
wherein BM is the attack transition sub-model; Q is the set of all attack states, Q = A, where A is the set of attack actions applied by the network adversary to the attack object; Σ is the input set, Σ = M_S × P_S, where M_S is the set of operation ontologies executed by the attacker and/or defender and P_S is the set of service and/or protocol operation ontologies, so that Σ is a finite input alphabet whose elements are formed by the Cartesian product of the attack and/or defense operation ontology set and the service and/or protocol operation ontology set; δ is the transfer function, i.e. the function that outputs the behaviour of the network adversary; q0 is the initial state, i.e. the initial set of operations of the attacking adversary; F is the set of final states, i.e. the final attack behaviour set of the network adversary;
the two final states before and after the state transition are defined, and the state transfer function δ and the input set Σ are defined by combining the entity ontology, the operation ontology and the situation ontology.
9. A 5GC penetration test enemy model knowledge graph construction apparatus, characterized in that the apparatus comprises a memory and a processor; the memory stores a computer program implementing the 5GC penetration test enemy model knowledge graph construction method, and the processor executes the computer program to implement the steps of the method according to any one of claims 1-8.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method according to any of claims 1-8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311641156.3A CN117676586A (en) | 2023-12-04 | 2023-12-04 | Knowledge graph construction system, method and equipment for enemy model through 5GC penetration test |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117676586A true CN117676586A (en) | 2024-03-08 |
Family
ID=90063553
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311641156.3A Pending CN117676586A (en) | 2023-12-04 | 2023-12-04 | Knowledge graph construction system, method and equipment for enemy model through 5GC penetration test |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117676586A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114257420A (en) * | 2021-11-29 | 2022-03-29 | 中国人民解放军63891部队 | Method for generating network security test based on knowledge graph |
CN114363903A (en) * | 2022-01-06 | 2022-04-15 | 中科南京信息高铁研究院 | Core network security penetration testing method, system and equipment based on ontology rule |
CN115883180A (en) * | 2022-11-28 | 2023-03-31 | 中京天裕科技(杭州)有限公司 | Automatic penetration testing method based on knowledge graph |
CN117061202A (en) * | 2023-08-31 | 2023-11-14 | 西安电子科技大学 | Attack link generation method based on knowledge graph of multi-source vulnerability data |
Non-Patent Citations (3)
Title |
---|
Xu Zhixiu (Computer Network Technology Class 2, 2021): "Kali Linux penetration attacks", pages 1 - 41, Retrieved from the Internet <URL:https://blog.csdn.net/weixin_64531675/article/details/131112834> * |
FILIPPO GIAMBARTOLOMEI: "Penetration testing applied to 5G Core Network", HTTPS://HDL.HANDLE.NET/20.500.12608/43119, 28 February 2023 (2023-02-28), pages 2 - 4 * |
Jiang Jianchun et al.: "Research on network adversary models", Netinfo Security, 10 September 2008 (2008-09-10), pages 15 - 18 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||