
CN118300906B - Normalized attack path automatic generation and verification method, device and system - Google Patents


Info

Publication number: CN118300906B
Authority: CN (China)
Prior art keywords: attack, path, module, attack path, task
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202410728009.8A
Other languages: Chinese (zh)
Other versions: CN118300906A (en)
Inventors: 顾显俊, 邢骏, 黄梦琦, 田聪, 邹子旭, 李威, 魏朝, 陈俊龙, 郭政, 付忠祥, 覃思航
Current Assignee: Wuhan Power Supply Co of State Grid Hubei Electric Power Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Wuhan Power Supply Co of State Grid Hubei Electric Power Co Ltd
Events: application filed by Wuhan Power Supply Co of State Grid Hubei Electric Power Co Ltd; priority to CN202410728009.8A; publication of CN118300906A; application granted; publication of CN118300906B; legal status active

Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/1433: Vulnerability analysis
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/40: Network security protocols

Abstract

The application relates to a normalized attack path automatic generation and verification method, device and system. The method comprises the following specific steps: task management and scheduling; obtaining a formal description of the scene; converting the formal description into a programming language through a translator; generating normalized attack paths; filling and evaluating the attack paths; automatically attacking and verifying; storing and visually displaying the results; and collecting and updating data, that is, perfecting and updating the evaluation indexes of the related tools and vulnerabilities according to the iterative updating of attack tools, vulnerability patches and defense means by the outside, and correcting the specific evaluation results of the related tools and vulnerabilities according to the feedback obtained in the attack execution process. The method realizes full automation of the attack penetration flow on the basis of a formal language, and solves the pain point that models of the penetration flow are difficult to apply to the automatic execution of attack penetration.

Description

Normalized attack path automatic generation and verification method, device and system
Technical Field
The application relates to the technical field of network attack and defense, and in particular to a method, a device and a system for automatically generating and verifying a normalized attack path.
Background
With the rapid development of information technology and the expansion of its application range, the networks and systems of enterprises and organizations have become more complex and larger. Internal and external network systems are huge; even the internal network of a single city company is a large network system. The traditional manual penetration test method cannot keep up with rapidly changing security protection requirements and the testing requirements of complex systems, so automated attack penetration has become a necessary choice. Compared with traditional manual penetration testing, automated penetration testing saves a great deal of time and labor cost.
A penetration test comprises a plurality of steps such as information collection, vulnerability exploitation and result analysis, and involves a plurality of attack elements such as the attack method, tool selection and use, and attack decisions. Attack path generation is the most important part of the penetration test process. However, current research on attack behaviors and the association mapping of attack elements has some defects. The descriptions of the technical method, the attack tool, the attack interaction means and the attack support dependencies used in an attack are not clear enough, so the whole flow is difficult to standardize and verify automatically. There is a certain distance between the modeling approach and the concrete implementation: although some models describe the penetration flow in a comparatively standard manner, they often provide only a theoretical-level description and are difficult to use directly for implementing automated attack penetration. In addition, traditional research on attack success rate and attack benefit mainly targets vulnerability exploitation and measures the success rate and importance of a vulnerability attack through vulnerability scores, while there is little research on the success rate and benefit of the multi-source, heterogeneous attack tools themselves. In evaluating vulnerabilities and attack paths, the evaluation indexes of existing methods are therefore single and usually depend heavily on CVSS scores, which ignores the deviation of the scores from the actual situation and the influence of other factors such as the passage of time, the attack tools and the target environment.
In order to solve this pain point, each attack step and its dependency relationships need to be described in a standardized way, and the attack steps need to be converted, by a simple method, into a code language that a machine can understand and execute, so that a standardized attack path is generated and automatic attack path assessment, execution and verification can be performed on the basis of the standardized attack path.
Disclosure of Invention
The embodiment of the application aims to provide a method, a device and a system for automatically generating and verifying a standardized attack path, which solve the problems of unclear attack modeling, high dependence on knowledge, inaccurate path evaluation, and a high degree of customization in path execution.
In order to achieve the above purpose, the present application provides the following technical solutions:
In a first aspect, an embodiment of the present application provides a method for automatically generating and verifying a normalized attack path, comprising the following specific steps:
Step S1: task management and scheduling
After a task is created, it is first added to a task queue and processed on a first-in, first-out basis;
Step S2: acquiring the scene formal description
When a user submits a task, the user shall submit the specification description file of the network scene at the same time, describing the connections between network entities in the scene through a formal language;
Step S3: conversion into a programming language by a translator
Uniformly translating the formal language description acquired in step S2 into a programming language, so as to realize the conversion of the attack scene from an abstract symbolic description into specific executable code;
Step S4: normalized attack path generation
Analyzing the attack logic contained in the attack scene in the result of step S3; the attack logic obtained is the normalized attack path;
Step S5: attack path filling and evaluation
According to the normalized attack path obtained in step S4, matching a preferred attack implementation unit from an attack penetration knowledge base for filling, generating a standard attack path capable of guiding the penetration flow, and evaluating it on a plurality of indexes so as to select an optimal penetration scheme;
Step S6: automated attack and verification
According to the penetration scheme selected in step S5, carrying out the automatic attack according to the arrangement of attack implementation units in the standard attack path, and storing the information generated in the attack process as the verification result of the scheme;
Step S7: result storage and visual display
Storing the attack paths into a graph database, where one attack path clearly and intuitively shows the transfer relationships between attributes, and each attack implementation unit in the path contains rich information and attack results;
Step S8: data collection and update
According to the iterative updating of attack tools, vulnerability patches and defense means, perfecting and updating the evaluation indexes of the relevant tools and vulnerabilities; and correcting the specific evaluation results of the relevant tools and vulnerabilities according to the feedback obtained in the attack execution process.
The conversion into a programming language by a translator specifically means that the abstract entity descriptions in the specification description obtained in step S2 are translated by the translator into specific classes: the attributes of an entity become the attributes of the class, and the transfer relationships between attributes are obtained through class methods, so that the attributes of an entity can be obtained programmatically and the attribute transfer graph can be traversed according to the association relationships between attributes.
The normalized attack path is generated by obtaining the reachable target attributes from the attack starting point, repeating the process after a target attribute is reached until all possible attribute transfer paths have been traversed, and then replacing the corresponding edges by matching the starting point and end point of an attack implementation unit with the attributes in the attribute transfer paths, thereby obtaining the normalized attack path.
The attack path filling and evaluation specifically comprises the following. The attack penetration knowledge base contains the applicable scenes, implementation effects, calling modes and parameter requirement information of various attack tools; for coupling with the canonical attack path, it is described with the same canonical description as the scene canonical description submitted in step S2, and each attack implementation unit in the knowledge base corresponds to an attack tool;
the implementation units in the attack penetration knowledge base carry not only requirement descriptions of the scene but also quantified evaluation indexes of the tool's implementation effect obtained from expert knowledge; when filling an attack path, the attack decision module always selects the implementation unit with the best comprehensive effect among those applicable to the current scene;
the attack path evaluation indexes evaluate the filled normalized attack path on three indexes, namely the attack success rate, the attack benefit and the time required by the attack, all three of which can be calculated by accumulation over the attack implementation units on the traversed path.
The automatic attack and verification specifically means that the task execution module extracts the relevant information from the context of the attack path according to the parameter requirement information of the attack implementation unit to be filled, and then invokes the unit automatically according to the calling mode of the implementation unit recorded in the knowledge base. The task execution module provides two schemes for automatic execution of the attack path: the first is serial tasks, where topological ordering ensures that, when an attack implementation unit is executed, every attack implementation unit it depends on has already been executed; the second is parallel tasks, where task orchestration is performed automatically using the dependency relationships of the attack implementation units, and, on the basis of parallelizing task execution, it is ensured that an attack implementation unit is blocked until all of its dependencies have completed.
In a second aspect, an embodiment of the present application provides an apparatus for automatically generating and verifying a normalized attack path, including a task scheduling subsystem, an attack penetration subsystem, and a data storage and display subsystem, where the task scheduling subsystem is responsible for receiving and distributing tasks submitted by a user, the attack penetration subsystem is responsible for executing specific tasks, and the data storage and display subsystem is responsible for supporting a knowledge base, storing attack paths and task processing results, and processing user query requests.
The task scheduling subsystem consists of a task queue and a task scheduling module, wherein the task queue is used for storing tasks submitted by users, and the task scheduling module is responsible for acquiring the tasks from the task queue and distributing the tasks to the attack penetration subsystem.
The attack penetration subsystem consists of a formal language translation module, an attack path generation module, an attack decision module, an attack path evaluation module and a task execution module, wherein the formal language translation module is responsible for translation of formal language description, the attack path generation module is responsible for generation of normalized attack paths, the attack decision module is responsible for filling of an attack implementation unit, the attack path evaluation module is responsible for evaluation of paths, and the task execution module is responsible for automatic execution and verification of the attack paths.
The data storage and display subsystem is composed of a supporting knowledge base, an attack path storage module, a data acquisition and update module and a display module, wherein the supporting knowledge base provides data and technical support for the whole process, the attack path storage module stores the verified attack path and verification result, the data acquisition and update module is responsible for updating the supporting knowledge base, and the display module is responsible for visual display of the attack path.
In a third aspect, an embodiment of the present application provides a normalized attack path automatic generation and verification system, including: a computer readable storage medium and a processor;
the computer-readable storage medium is for storing executable instructions;
The processor is configured to read executable instructions stored in the computer readable storage medium and perform the method as described above.
Compared with the prior art, the invention has the following beneficial effects:
Completeness and scalability: the attack scene is described through a formal language, so the network entities and attack dependency relationships can be modeled effectively. The formal language has strong abstract description capability and can effectively model network entities, attack elements, the penetration process and other whole processes; on the other hand, the formal language description can be extended conveniently, so new elements and dependency relationships can be added to the language system. The attack penetration method based on the formal language description therefore has completeness and strong extensibility.
Low coupling and portability: the abstract, non-executable formal language is converted by the translator into a specific, executable and callable programming language, laying the foundation for automating the whole flow; the translated language already contains information such as node attributes and dependency relationships, so a large amount of logic judgment and information extraction does not need to be written as code, only the implementation of the path decision, generation and evaluation algorithms needs attention, and the coupling of the system is low. In contrast, existing automatic attack execution algorithms are highly customized, the processing of attack elements is tightly coupled with path generation, and extension is difficult. On the other hand, the formal language can be translated into any programming language, so portability is high.
Complete and objective evaluation system: the evaluation of attack benefit considers not only the confidentiality and integrity damage caused by an attack in the broad sense but also the degree of attention the target system pays to different security indexes, giving a benefit score specific to the target system; in addition, defenses present in the target system are considered to affect attack complexity, and factors that vary over time, such as the maturity of the attack tool, also affect the attack success rate. Finally, considering the limitations of a static scoring system, whose deviation from real scenes is unavoidable, historical attack data are collected and analyzed and the scoring system is corrected regularly.
Flexible attack task arrangement: non-blocking execution of serialized tasks is achieved on the basis of topological ordering; parallelized execution of attack paths is achieved on the basis of task orchestration techniques, with blocking taking effect at critical nodes. The time cost of the attack path can be evaluated effectively in both modes.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and should not be considered as limiting its scope; a person skilled in the art can obtain other related drawings from these drawings without inventive effort.
Fig. 1 is an input-output diagram of a normalized attack path automatic generation and verification method according to an embodiment of the present invention.
Fig. 2 is a flowchart of a normalized attack path automatic generation and verification method according to an embodiment of the present invention.
Fig. 3 is a diagram illustrating the translation of a port entity into a programming language according to an embodiment of the present invention.
Fig. 4 is a block diagram of a normalized attack path automatic generation and verification device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings in the embodiments of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The terms "first," "second," and the like, are used merely to distinguish one entity or action from another entity or action, and are not to be construed as indicating or implying any actual such relationship or order between such entities or actions.
The embodiment of the invention provides a normalized attack path automatic generation and verification method which, as shown in Fig. 2, comprises the following steps:
Step S1, task management and scheduling
The user submits a task through the API interface of the task scheduling subsystem; after receiving the task, the task scheduling subsystem stores it in the task message queue, the task scheduling module performs task scheduling and dispatching, and after dispatch the attack penetration subsystem executes the specific task.
Step S2, acquiring the scene formal description
When a user submits a task, the user shall submit the specification description file of the network scene at the same time, describing the connections between network entities in the scene through a formal language.
Specifically, the normalized attack path cannot be separated from the normalized description of the target scene, where the target scene refers to the graph formed by associating all entities in the target environment with each other; thus the canonical description of an attack scenario primarily contains descriptions of entities and of the associations between entities. For example, a port entity has a "requestable" attribute and a service entity has a "service banner" attribute, and the two attributes are linked by the association "constructing a request and sending it to the port can acquire the banner of the service carried on the port".
More specifically, the associations between entities are divided into three cases, "and", "or" and "not", which correspond to three kinds of logic in the attack process: a step requires all of its preceding steps to be completed before it can be executed; a step can be executed as long as any one of its preceding steps is satisfied; and a step can prevent the execution of another step.
Step S3, converting into programming language through translator
Uniformly translating the formal language description acquired in step S2 into a programming language, so as to realize the conversion of the attack scene from an abstract symbolic description into specific executable code.
Specifically, the abstract entity descriptions are translated by a translator into specific classes: the attributes of an entity become the attributes of the class, the transfer relationships between attributes are obtained through class methods, and the attributes can then be obtained programmatically and the attribute transfer graph traversed according to the association relationships between attributes.
More specifically, as shown in Fig. 3, a port entity is translated into a port class, where category represents the category of the entity, index_attribute is an inherent attribute of the entity class, that is, an attribute determined for all entities of the same type, and accidental_attribute is an occasional attribute of the entity class, that is, an attribute whose value differs between instances of the same category of entity. Traversal of the attribute transfer graph depends on the attributes and method calls of the entities: after completing an attribute transfer, the preceding node passes the attribute to the corresponding method of the target node, the completed preceding attribute is recorded in completed_attr, and the node can then judge whether the currently completed attributes support the entity attribute reached by the transfer method.
Step S4, normalized attack path generation
Analyzing the attack logic contained in the attack scene in the result of step S3 by calling a path generation algorithm, and taking the resulting normalized attack path as the result.
Specifically, the reachable target attributes are obtained from the attack starting point, the process is repeated after a target attribute is reached until all possible attribute transfer paths have been traversed, and the corresponding edges are then replaced by matching the starting point and end point of an attack implementation unit with the attributes in the attribute transfer paths, so that the normalized attack path is obtained.
More specifically, in the process of traversing the attribute transfer graph, the dependency relationships of attribute transfer need to be considered. For an attribute whose transfer condition is "or", the transfer can be completed by the transfer method after any one of the preceding attributes is completed; for an attribute whose transfer condition is "and", if the transfer method is invoked before all the preconditions are completed, completed_attr fails the logic check and the transfer to the target attribute cannot be completed; for an attribute whose transfer condition is "#", namely a defense measure deployed in the target environment, the transfer conditions after the attribute are considered unsatisfied, so the attribute is the end point of the transfer path.
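The translated entity classes of step S3 and the path traversal of step S4, as an added illustration that is not the patent's own code. The class and field names (Entity, Transfer, inherent_attrs, accidental_attrs, completed_attr) and the scene itself are this example's assumptions, modelled on the port class of Fig. 3 and the "and"/"or"/"not" rules above; the "not" attribute is treated as a dead end exactly as the text describes.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transfer:
    """Rule by which an entity attribute becomes obtainable.

    cond "or":  any one preceding attribute suffices
    cond "and": every preceding attribute must already be completed
    cond "not": the attribute is a deployed defence; it can be reached, but no
                transfer proceeds past it, so it is the end point of a path
    """
    target: str   # "<entity>.<attribute>"
    cond: str
    pre: tuple    # preceding attributes, same naming


@dataclass
class Entity:
    """Translated entity class (field names are this example's own choice,
    modelled on Fig. 3: category, inherent/accidental attributes, completed_attr)."""
    name: str
    category: str
    inherent_attrs: tuple         # attributes every entity of this category has
    accidental_attrs: dict        # attributes whose value varies per instance
    transfers: tuple = ()         # rules whose target belongs to this entity
    completed_attr: set = field(default_factory=set)

    def transfer(self, rule, completed):
        """Transfer method: does the completed-attribute set support `rule`?"""
        if rule.cond == "and":
            return all(p in completed for p in rule.pre)
        return any(p in completed for p in rule.pre)   # "or" and "not"


def build_scene():
    """Constructed scene: an attacker with network access, one open port, the
    service behind it, the host, and an IDS acting as a "not" attribute."""
    return [
        Entity("attacker", "attacker", ("network_access",), {}),
        Entity("port_80", "port", ("requestable",), {"number": 80}, (
            Transfer("port.requestable", "or", ("attacker.network_access",)),)),
        Entity("http_service", "service", ("banner", "version"),
               {"product": "httpd"}, (
            Transfer("service.banner", "or", ("port.requestable",)),
            Transfer("service.version", "or", ("service.banner",)))),
        Entity("host", "host", ("os_fingerprint", "exploitable", "shell"), {}, (
            Transfer("host.os_fingerprint", "or", ("port.requestable",)),
            Transfer("host.exploitable", "and",
                     ("service.version", "host.os_fingerprint")),
            Transfer("host.shell", "or", ("host.exploitable",)))),
        Entity("ids", "defence", ("alerting",), {}, (
            Transfer("ids.alerting", "not", ("port.requestable",)),)),
    ]


def transfer_paths(scene, start, target):
    """Enumerate every attribute-transfer path from `start` to `target` (S4).

    A path is the order in which attributes are obtained; each step applies a
    rule whose preconditions are met by everything obtained so far, so an
    "and" target is only reached once both of its branches have been walked.
    """
    rules = [(e, r) for e in scene for r in e.transfers]
    found = []

    def walk(completed, path, last_cond):
        if path[-1] == target:
            found.append(tuple(path))
            return
        if last_cond == "not":          # a defence attribute ends the path
            return
        for entity, rule in rules:
            if rule.target in completed or not entity.transfer(rule, completed):
                continue
            walk(completed | {rule.target}, path + [rule.target], rule.cond)

    walk(frozenset([start]), [start], "or")
    return found


def distinct_attribute_sets(paths):
    """Orderings that obtain the same attributes are one normalized path."""
    return {frozenset(p) for p in paths}


if __name__ == "__main__":
    for p in transfer_paths(build_scene(), "attacker.network_access", "host.shell"):
        print(" -> ".join(p))
```

For the constructed scene, three orderings reach host.shell (the "and" rule forces both the version and OS branches to be walked first), none of them passes through the IDS attribute, and all three collapse to one set of attributes.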
Step S5, attack Path filling and evaluation
According to the standard attack path obtained in step S4, the attack decision module fills in the optimal attack implementation units from the attack penetration knowledge base and generates a standard attack path capable of guiding the penetration flow, and the attack path evaluation module evaluates the standard attack path on a plurality of indexes so as to select the optimal penetration scheme.
Specifically, the canonical attack path describes the attack transition logic that exists depending on the entity-to-entity connections in the target scenario; in order to implement a specific penetration operation, it is further necessary to determine which attack tools carry out the corresponding attack step. For example, nmap and other tools are available for service identification, and one of them needs to be selected according to the specific scenario.
More specifically, the attack penetration knowledge base contains information such as the applicable scenes, implementation effects, calling modes and parameter requirements of various attack tools; for coupling with the canonical attack path, it is described with the same canonical description as the scenario canonical description submitted in step S2, and each attack implementation unit in the knowledge base corresponds to an attack tool.
More specifically, the implementation units in the attack penetration knowledge base carry not only requirement descriptions of the scene but also quantified evaluation indexes of the tool's implementation effect obtained from expert knowledge; when filling an attack path, the attack decision module always selects the implementation unit with the best comprehensive effect among those applicable to the current scene.
More specifically, the attack path evaluation index evaluates the filled normalized attack path on three evaluation indexes, namely the attack success rate, the attack benefit and the time required by the attack. All three indexes can be calculated cumulatively over the attack implementation units on the traversed path; for example, the attack success rate can be obtained as the product of the success rates of all attack implementation units on the path.
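The filling and evaluation of step S5, as an added illustration that is not the patent's own code. The knowledge-base shape (ImplUnit), the "comprehensive effect" ranking used by the decision module, the scene tags, the attention weights and every tool name and figure are constructed assumptions; the three indexes follow the text (success rate as a product, benefit as damage weighted by the target system's attention to each security index, time as a sum).

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ImplUnit:
    """One knowledge-base entry: an attack implementation unit wrapping a tool."""
    tool: str
    start: str             # attribute the unit starts from
    end: str               # attribute the unit yields
    applicable: frozenset  # scene tags the unit requires (its applicable scene)
    success_rate: float    # expert-assessed, in [0, 1]
    impact: dict           # damage per security index, e.g. {"confidentiality": 2}
    seconds: float         # expected running time
    invocation: str        # calling mode, kept as a template only


def comprehensive_score(unit):
    """Assumed ranking used by the decision module: prefer units that are
    likely to succeed, cause the most damage and finish quickly."""
    return unit.success_rate * sum(unit.impact.values()) / max(unit.seconds, 1.0)


def fill_path(path, knowledge_base, scene_tags):
    """Replace each edge of the canonical path with the best applicable unit."""
    filled = []
    for start, end in zip(path, path[1:]):
        candidates = [u for u in knowledge_base
                      if u.start == start and u.end == end
                      and u.applicable <= scene_tags]
        if not candidates:
            raise LookupError(f"no applicable implementation unit for {start} -> {end}")
        filled.append(max(candidates, key=comprehensive_score))
    return filled


def evaluate(filled, attention):
    """The three evaluation indexes accumulated over the filled path."""
    return {
        "success_rate": math.prod(u.success_rate for u in filled),
        "benefit": sum(attention.get(index, 0.0) * damage
                       for u in filled for index, damage in u.impact.items()),
        "seconds": sum(u.seconds for u in filled),
    }


# Constructed knowledge base; tool names, rates, impacts and times are illustrative.
KNOWLEDGE_BASE = [
    ImplUnit("port_probe", "attacker.network_access", "port.requestable",
             frozenset(), 0.98, {"confidentiality": 0.5}, 10, "probe {host}:{port}"),
    ImplUnit("banner_grab", "port.requestable", "service.banner",
             frozenset(), 0.95, {"confidentiality": 1.0}, 5, "banner {host}:{port}"),
    ImplUnit("http_fingerprint", "port.requestable", "service.banner",
             frozenset({"http"}), 0.90, {"confidentiality": 2.0}, 3, "httpfp {host}:{port}"),
    ImplUnit("version_scan", "service.banner", "service.version",
             frozenset(), 0.90, {"confidentiality": 1.0}, 20, "versions {host}:{port}"),
    ImplUnit("exploit_a", "service.version", "host.shell",
             frozenset({"http"}), 0.60, {"confidentiality": 5, "integrity": 5}, 60, "run_a {host}"),
    ImplUnit("exploit_b", "service.version", "host.shell",
             frozenset({"http", "no_ids"}), 0.85, {"confidentiality": 5, "integrity": 5}, 30, "run_b {host}"),
]

# Canonical path produced by step S4 for the constructed scene.
CANONICAL_PATH = ["attacker.network_access", "port.requestable",
                  "service.banner", "service.version", "host.shell"]


def coverable(scene_tags):
    """True when every edge of the canonical path has an applicable unit."""
    try:
        fill_path(CANONICAL_PATH, KNOWLEDGE_BASE, frozenset(scene_tags))
        return True
    except LookupError:
        return False


def plan(scene_tags, attention):
    """Fill the canonical path for a scene; return the chosen tools and the indexes."""
    filled = fill_path(CANONICAL_PATH, KNOWLEDGE_BASE, frozenset(scene_tags))
    return [u.tool for u in filled], evaluate(filled, attention)


if __name__ == "__main__":
    # Attention weights express how much the target system cares about each index.
    print(plan({"http"}, {"confidentiality": 1.0, "integrity": 0.5}))
```

With an IDS present the faster, higher-rate exploit unit is not applicable and the decision module falls back to the slower one, which lowers the path's success rate and raises its time; the same knowledge base yields a different filled path once the scene tags change.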
Step S6, automated attack and verification
According to the penetration scheme selected in step S5, the task execution module carries out the automatic attack according to the arrangement of attack implementation units in the standard attack path, and stores the information generated in the attack process as the verification result of the scheme.
More specifically, the task execution module extracts the relevant information from the context of the attack path according to information such as the parameter requirements of the attack implementation unit, loads it, and then invokes the unit automatically according to its calling mode recorded in the knowledge base.
More specifically, the task execution module provides two schemes for automated execution of the attack path: the first is serial tasks, where topological ordering ensures that, when an attack implementation unit is executed, every attack implementation unit it depends on has already been executed; the second is parallel tasks, where task orchestration is performed automatically using the dependency relationships of the attack implementation units, and, on the basis of parallelizing task execution, it is ensured that an attack implementation unit is blocked until all of its dependencies have completed.
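The two execution schemes of step S6 and the parameter binding from the path context, as an added illustration that is not the patent's own code: a topological sort for the serial scheme, dependency-blocked waves and a critical-path time for the parallel scheme (the "time cost in both modes" the summary mentions), and a check that the context actually supplies a unit's parameters before its calling mode is filled. The Unit shape, the sample units, durations, templates and the TEST-NET address are constructed assumptions, and nothing is invoked.

```python
from collections import deque
from dataclasses import dataclass
from string import Formatter


@dataclass(frozen=True)
class Unit:
    """Attack implementation unit as placed on the path (assumed shape)."""
    name: str
    needs: tuple       # units that must finish first (dependency relationship)
    seconds: float     # expected running time
    invocation: str    # calling mode, a template bound from the context


def serial_order(units):
    """Serial scheme: Kahn's topological sort, so every unit is placed after
    all of the units it depends on and the loop never blocks at run time."""
    by_name = {u.name: u for u in units}
    indegree = {u.name: len(u.needs) for u in units}
    dependants = {u.name: [] for u in units}
    for u in units:
        for d in u.needs:
            dependants[d].append(u.name)     # KeyError if a need is unknown
    ready = deque(sorted(n for n, k in indegree.items() if k == 0))
    order = []
    while ready:
        n = ready.popleft()
        order.append(by_name[n])
        for m in sorted(dependants[n]):
            indegree[m] -= 1
            if indegree[m] == 0:
                ready.append(m)
    if len(order) != len(units):
        raise ValueError("dependency cycle in attack path")
    return order


def parallel_waves(units):
    """Parallel scheme: each wave holds the units whose needs are all done,
    so a unit stays blocked until every one of its dependencies completed."""
    done, waves, pending = set(), [], list(units)
    while pending:
        wave = [u for u in pending if set(u.needs) <= done]
        if not wave:
            raise ValueError("dependency cycle in attack path")
        waves.append(wave)
        done |= {u.name for u in wave}
        pending = [u for u in pending if u.name not in done]
    return waves


def serial_seconds(units):
    """Time cost of the serial scheme: units run one after another."""
    return sum(u.seconds for u in serial_order(units))


def parallel_seconds(units):
    """Time cost of the parallel scheme: a unit starts as soon as its last
    dependency finishes, so the cost is the critical path length."""
    finish = {}
    for u in serial_order(units):              # dependencies are timed first
        finish[u.name] = u.seconds + max((finish[d] for d in u.needs), default=0.0)
    return max(finish.values(), default=0.0)


def missing_parameters(unit, context):
    """Parameter requirements the attack-path context cannot satisfy."""
    fields = {f for _, f, _, _ in Formatter().parse(unit.invocation) if f}
    return sorted(fields - set(context))


def bind_invocation(unit, context):
    """Fill the calling-mode template from the context gathered so far."""
    missing = missing_parameters(unit, context)
    if missing:
        raise KeyError(f"{unit.name} needs {missing} from the attack-path context")
    return unit.invocation.format(**context)


# Constructed path: names, durations and templates are illustrative only.
SAMPLE_UNITS = [
    Unit("port_probe", (), 10, "probe --target {host} --port {port}"),
    Unit("http_fingerprint", ("port_probe",), 3, "httpfp --target {host} --port {port}"),
    Unit("os_fingerprint", ("port_probe",), 8, "osfp --target {host}"),
    Unit("version_scan", ("http_fingerprint",), 20, "versions --banner {banner}"),
    Unit("exploit_step", ("version_scan", "os_fingerprint"), 60,
         "run --target {host} --version {version}"),
]
SAMPLE_CONTEXT = {"host": "192.0.2.10", "port": 80}   # constructed TEST-NET address


if __name__ == "__main__":
    print([u.name for u in serial_order(SAMPLE_UNITS)])
    print(serial_seconds(SAMPLE_UNITS), parallel_seconds(SAMPLE_UNITS))
```

The two fingerprint units share a wave in the parallel scheme, so the path's time cost drops from the serial sum to the critical path, while version_scan is reported as unbindable until an earlier unit has put the banner into the context.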
Step S7, result storage and visual display
According to the attack verification result of step S6, storing the execution results of the attack path and of each of its attack implementation units into a database for persistence, and storing the attack path in a graph database for visual display.
Step S8, data collection and update
Periodically collecting the latest knowledge to update and correct the knowledge base, collecting the data generated in attack path verification, such as attack results and time used, and analyzing the data in order to adjust the information in the knowledge base dynamically.
The embodiment of the invention provides a normalized attack path generation and verification device, as shown in fig. 4, which comprises a task scheduling subsystem 300, an attack penetration subsystem 400 and a data storage and display subsystem 500, wherein the three subsystems mutually interact and cooperate to complete tasks, and a user 100 interacts with the subsystems through an application interface module 200.
The working mechanism is as follows:
The user 100 submits a task through the application interface module 200 and at the same time provides the formal description of the attack scenario. The task scheduling subsystem 300 manages and schedules tasks and supports concurrent execution of multiple tasks: a newly created task is first stored in the task queue 320 and then waits for system resources to be allocated before it is executed by the attack penetration subsystem 400. During task execution the data storage and display subsystem 500 provides attack support for the task, and after execution completes it stores the results. Finally, the user 100 invokes the application interface module 200 to obtain the attack path and the visual display of the verification results.
Application interface module 200
The application interface module provides a bridge between the user and the system's function modules: it exposes functions externally and internally invokes the system modules that complete the corresponding function.
Task scheduling subsystem 300
Task scheduling module 310
The task scheduling module manages and schedules tasks: it interacts with the task queue, acquires tasks and hands them to the designated module for execution.
Task queue 320
The task queue stores tasks created by users while they wait to be scheduled for execution.
The working mechanism is as follows:
The subsystem is composed of the task scheduling module 310 and the task queue 320. The task queue 320 is the carrier of tasks: it temporarily buffers tasks submitted by users while they wait for the task scheduling module 310 to schedule and execute them. Each time, the task scheduling module 310 takes a task from the head of the task queue 320 and hands it to the attack penetration subsystem 400 for execution.
Attack penetration subsystem 400
Formal language translation module 410
This module receives the formal description file of the attack scenario, reads and parses the language, and converts the abstract formal language into a specific programming language.
Attack path generation module 420
This module further processes the already instantiated attack scenario, searching for all feasible normalized attack paths.
Attack decision module 430
The initially generated attack path still lacks some attribute values and is an attack path at a relatively high, tactical level; the attack decision module therefore selects suitable tools, attack payloads and other information to turn it into a usable attack path.
Attack path evaluation module 440
Because the attack elements involved in an attack path, such as entities and tools, differ, different paths differ in quality; this module screens out the high-quality paths and delivers them to the task execution module 450 for execution and verification.
Task execution module 450
This module is responsible for the concrete execution and verification of the attack path and supports two automated attack verification methods, serial and parallel; afterwards the attack path and results are stored in the data storage and display subsystem 500.
The working mechanism is as follows:
First, the formal description of the attack scenario is translated by the formal language translation module 410. At this point the information described in the formal language, such as the attributes of the entities and the dependency relationships between the attributes, has been converted into classes that can be executed and invoked, but the attack implementation units that drive the attribute transfers are still missing. The attack path generation module 420 therefore searches for possible attack paths and adds attack implementation units according to the dependency relationships. The attack decision module 430 then selects suitable information, such as the attack tool and attack payload, for each attack implementation unit; this information is provided by the support knowledge base 510. At this point executable attack paths have been obtained, but they differ in quality, so the attack path evaluation module 440 screens out the excellent paths. The task execution module 450 then performs attack verification, executing the attack implementation units along the attack path, and finally the data is stored in the data storage and display subsystem 500.
Data storage and display subsystem 500
Support knowledge base 510
This section provides support for the overall process: scoring information to aid the decisions and evaluations of the attack decision module 430 and the attack path evaluation module 440, and tool support for the task execution module 450.
Weapon store 511
Provides the various tools required for attack implementation, together with the different scoring indices of the tools and other information.
Fingerprint library 512
Provides a set of relatively accurate application fingerprints, device fingerprints and the like, supporting attack steps such as service identification.
Technical library 513
Provides the various technical strategies used in the attack process; each technical strategy has corresponding implementation methods and involves different attack weapons.
Vulnerability library 514
Provides information such as the type, success rate, score and attack benefit of each vulnerability, supporting attack decision and path evaluation.
Attack path storage module 520
Stores the obtained attack paths so that they can be handed to the display module for visual display, allowing the attack paths to be observed more intuitively.
Data acquisition and update module 530
Periodically collects new information to expand the support knowledge base, collects the results of the attack path verification process in real time, and corrects the information in the support knowledge base through analysis.
Display module 540
This module provides visual display of the attack paths and of the various support libraries in an intuitive form.
The working mechanism is as follows:
The support knowledge base 510 contains a number of knowledge bases and provides data and technical support for the attack decision module 430 and the attack path evaluation module 440. The attack path storage module 520 receives the verified attack paths, stores them by means of a graph database and then provides them to the display module 540 for visual display. In addition, the data collection and update module 530 extends the support knowledge base 510, ensuring that up-to-date data and technical support can be provided, and collects and analyses historical attack verification information, which gives a certain ability to correct deviations in the data of the support knowledge base.
The embodiment of the invention provides a normalized attack path automatic generation and verification system, which comprises: a computer-readable storage medium and a processor;
the computer-readable storage medium is used to store executable instructions;
the processor is configured to read the executable instructions stored in the computer-readable storage medium and execute the normalized attack path automatic generation and verification method according to any of the foregoing embodiments.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (10)

1. A normalized attack path automatic generation and verification method, characterized by comprising the following specific steps:
Step S1: task management and scheduling
After a task is created, it is first added to the task queue and processed on a first-in, first-out basis;
Step S2: obtaining the formal description of the scenario
When submitting a task, the user must also submit a specification description file of the network scenario, which describes the network entities in the scenario and the relationships between them in a formal language;
Step S3: conversion into a programming language by a translator
The formal language description obtained in step S2 is translated uniformly into a programming language, converting the attack scenario from an abstract symbolic description into concrete executable code;
Step S4: normalized attack path generation
The attack logic contained in the attack scenario resulting from step S3 is parsed and made concrete as a normalized attack path, which is the result;
Step S5: attack path filling and evaluation
According to the normalized attack path obtained in step S4, preferred attack implementation units are matched from the attack penetration knowledge base and filled in, generating a normalized attack path that can guide the penetration process, which is evaluated on multiple indicators in order to select the optimal penetration scheme;
Step S6: automated attack and verification
According to the penetration scheme selected in step S5, an automated attack is carried out following the arrangement of the attack implementation units in the normalized attack path, and the information generated during the attack is stored as the verification result of the scheme;
Step S7: result storage and visual display
The attack path is stored in a graph database; an attack path clearly and intuitively shows the transfer relationships between attributes, and the attack implementation units on the path contain rich information and the results of the attack;
Step S8: data collection and update
Following the iterative updates of attack tools, vulnerability patches and defensive measures in the outside world, the evaluation indicators of the relevant tools and vulnerabilities are improved and updated; and according to the feedback obtained during attack execution, the specific evaluation results of the relevant tools and vulnerabilities are corrected.
2. The normalized attack path automatic generation and verification method according to claim 1, characterized in that the conversion into a programming language by a translator specifically comprises: using the translator to translate the abstract entity descriptions in the specification description obtained in step S2 into concrete classes, the attributes of an entity being converted into attributes of the class and the transfer relationships between attributes being obtained through methods of the class, after which the attributes can be obtained programmatically and the attribute transfer graph can be traversed according to the associations between the attributes.
3. The normalized attack path automatic generation and verification method according to claim 1, characterized in that the normalized attack path generation specifically comprises: starting from the attack starting point, obtaining the target attributes that can be reached and, after reaching a target attribute, repeating the process until all possible attribute transfer paths have been traversed; then matching the starting point and end point of each attack implementation unit with the attributes in the attribute transfer paths and replacing the corresponding edges, thereby obtaining the normalized attack path.
4. The normalized attack path automatic generation and verification method according to claim 1, characterized in that the attack path filling and evaluation specifically comprises: the attack penetration knowledge base contains information on the applicable scenarios, implementation effects, invocation methods and parameter requirements of various attack tools; in order to couple with the normalized attack path, it is described using the same specification as the scenario specification description submitted in step S2, and each attack implementation unit in the knowledge base corresponds to one attack tool;
the implementation units in the attack penetration knowledge base carry not only a description of the scenario requirements but also quantitative evaluation indicators of the tool's implementation effect obtained from expert knowledge; when filling the attack path, the attack decision module always selects, among the implementation units applicable to the current scenario, the one with the best comprehensive effect;
the attack path evaluation assesses the filled normalized attack path on three indicators, namely attack success rate, attack benefit and time required for the attack, all three of which are calculated cumulatively by traversing the attack implementation units on the path.
5. The normalized attack path automatic generation and verification method according to claim 1, characterized in that the automated attack and verification specifically comprises: the task execution module extracts the relevant information from the context of the attack path according to the parameter requirement information of the attack implementation unit and fills it in, and then invokes the unit automatically according to the invocation method of the implementation unit in the knowledge base; the task execution module provides two schemes for automated execution of the attack path: the first is serial execution, in which topological sorting ensures that when each attack implementation unit executes, the attack implementation units it depends on have already executed; the second is parallel execution, in which the dependency relationships between attack implementation units are used for automated task arrangement and, on the basis of executing the tasks in parallel, it is ensured that an attack implementation unit blocks until all of its dependencies have completed.
6. A normalized attack path automatic generation and verification device for implementing the method according to any one of claims 1 to 5, characterized by comprising a task scheduling subsystem, an attack penetration subsystem and a data storage and display subsystem, wherein the task scheduling subsystem is responsible for receiving tasks submitted by users and assigning them, the attack penetration subsystem is responsible for executing the specific tasks, and the data storage and display subsystem is responsible for storing the support knowledge base, attack paths and task processing results and for handling user query requests.
7. The normalized attack path automatic generation and verification device according to claim 6, characterized in that the task scheduling subsystem is composed of a task queue and a task scheduling module, the task queue being used to hold tasks submitted by users and the task scheduling module being responsible for obtaining tasks from the task queue and dispatching them to the attack penetration subsystem.
8. The normalized attack path automatic generation and verification device according to claim 6, characterized in that the attack penetration subsystem is composed of a formal language translation module, an attack path generation module, an attack decision module, an attack path evaluation module and a task execution module, wherein the formal language translation module is responsible for translating the formal language description, the attack path generation module for generating the normalized attack path, the attack decision module for filling in the attack implementation units, the attack path evaluation module for evaluating the paths, and the task execution module for the automated execution and verification of the attack path.
9. The normalized attack path automatic generation and verification device according to claim 6, characterized in that the data storage and display subsystem is composed of a support knowledge base, an attack path storage module, a data collection and update module and a display module, wherein the support knowledge base provides data and technical support for the overall process, the attack path storage module stores the verified attack paths and verification results, the data collection and update module is responsible for updating the support knowledge base, and the display module is responsible for the visual display of attack paths.
10. A normalized attack path automatic generation and verification system, characterized by comprising: a computer-readable storage medium and a processor;
the computer-readable storage medium is used to store executable instructions;
the processor is used to read the executable instructions stored in the computer-readable storage medium and execute the method according to any one of claims 1 to 5.
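The filling and evaluation step of claim 4, as an added example that is not part of the patent: the knowledge-base entries and their indicator values are constructed, the per-unit "comprehensive effect" formula, the rule that success rates multiply while benefit and time add along the path, and the weighted ranking of paths are all assumptions, since the claim fixes only the three indicators and that they are accumulated over the units.

```python
"""Filling normalized attack paths from a knowledge base and ranking them (added example, not the patent's code)."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Tool:
    """Knowledge-base entry for one attack implementation unit; indicator values are constructed samples."""
    name: str
    transition: tuple[str, str]  # (source attribute, target attribute) the unit realizes
    scenario: frozenset          # scenario tags the unit requires to be applicable
    success_rate: float          # expert-assessed, 0..1
    benefit: float               # expert-assessed attack benefit score
    time_cost: float             # expected minutes


@dataclass(frozen=True)
class PathScore:
    success_rate: float
    benefit: float
    time_cost: float


def unit_score(t: Tool) -> float:
    """Comprehensive effect of a single unit (assumed weighting, not the patent's formula)."""
    return t.success_rate * t.benefit / (1.0 + t.time_cost)


def fill_path(transitions, kb, scenario) -> list[Tool]:
    """For each attribute transition pick the applicable unit with the best comprehensive effect."""
    filled = []
    for tr in transitions:
        candidates = [t for t in kb if t.transition == tr and t.scenario <= scenario]
        if not candidates:
            raise LookupError(f"no implementation unit covers transition {tr}")
        filled.append(max(candidates, key=unit_score))
    return filled


def evaluate_path(filled) -> PathScore:
    """Accumulate the three indicators over the units: rates multiply, benefit and time add (assumed)."""
    return PathScore(prod(t.success_rate for t in filled),
                     sum(t.benefit for t in filled),
                     sum(t.time_cost for t in filled))


def rank_paths(paths, kb, scenario, weights=(0.5, 0.3, 0.2)):
    """Fill every path, drop those the knowledge base cannot cover, rank by a weighted score (assumed)."""
    scored = []
    for transitions in paths:
        try:
            filled = fill_path(transitions, kb, scenario)
        except LookupError:
            continue  # no usable penetration scheme for this path in the current scenario
        scored.append((transitions, filled, evaluate_path(filled)))
    if not scored:
        return []
    max_benefit = max(s.benefit for _, _, s in scored) or 1.0
    max_time = max(s.time_cost for _, _, s in scored) or 1.0
    w_rate, w_benefit, w_time = weights
    ranked = []
    for transitions, filled, s in scored:
        overall = w_rate * s.success_rate + w_benefit * s.benefit / max_benefit - w_time * s.time_cost / max_time
        ranked.append((overall, transitions, filled, s))
    return sorted(ranked, key=lambda r: r[0], reverse=True)


SAMPLE_KB = [  # constructed entries; names, tags and numbers are illustrative only
    Tool("web-1", ("external", "web_foothold"), frozenset({"http"}), 0.8, 6, 20),
    Tool("web-2", ("external", "web_foothold"), frozenset({"http", "windows"}), 0.9, 7, 10),
    Tool("host-1", ("web_foothold", "host_control"), frozenset({"linux"}), 0.6, 10, 30),
    Tool("host-2", ("web_foothold", "host_control"), frozenset({"linux"}), 0.5, 10, 5),
    Tool("ssh-1", ("external", "ssh_access"), frozenset({"linux"}), 0.3, 4, 5),
    Tool("ssh-2", ("ssh_access", "host_control"), frozenset({"linux"}), 0.9, 10, 5),
]
SAMPLE_PATHS = [  # constructed normalized paths as sequences of attribute transitions
    (("external", "web_foothold"), ("web_foothold", "host_control")),
    (("external", "ssh_access"), ("ssh_access", "host_control")),
    (("external", "rdp_access"), ("rdp_access", "host_control")),  # nothing in SAMPLE_KB covers it
]
SAMPLE_SCENARIO = frozenset({"linux", "http"})
```

On the sample data the first path is filled with `web-1` and `host-2` (0.4 success, benefit 16, 25 min) and the second with `ssh-1` and `ssh-2` (0.27, 14, 10 min); the third is dropped, and the weighting ranks the second path first despite its lower success rate.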
CN202410728009.8A 2024-06-06 2024-06-06 Normalized attack path automatic generation and verification method, device and system Active CN118300906B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410728009.8A CN118300906B (en) 2024-06-06 2024-06-06 Normalized attack path automatic generation and verification method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410728009.8A CN118300906B (en) 2024-06-06 2024-06-06 Normalized attack path automatic generation and verification method, device and system

Publications (2)

Publication Number Publication Date
CN118300906A CN118300906A (en) 2024-07-05
CN118300906B true CN118300906B (en) 2024-08-02

Family

ID=91684864

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410728009.8A Active CN118300906B (en) 2024-06-06 2024-06-06 Normalized attack path automatic generation and verification method, device and system

Country Status (1)

Country Link
CN (1) CN118300906B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119996232B (en) * 2025-04-15 2025-07-08 浙江工业大学 A large-scale penetration testing agent based on ATT and CK attack knowledge enhancement

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112052607A (en) * 2020-09-29 2020-12-08 国网青海省电力公司电力科学研究院 An intelligent penetration testing method and device for power grid equipment and systems
CN113949570A (en) * 2021-10-18 2022-01-18 北京航空航天大学 Penetration test attack path selection method and system based on attack graph

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6952779B1 (en) * 2002-10-01 2005-10-04 Gideon Cohen System and method for risk detection and analysis in a computer network
US8490196B2 (en) * 2009-08-05 2013-07-16 Core Security Technologies System and method for extending automated penetration testing to develop an intelligent and cost efficient security strategy
JP2020160611A (en) * 2019-03-25 2020-10-01 クラリオン株式会社 Test scenario generation device and test scenario generation method and test scenario generation program
CN114915475B (en) * 2022-05-18 2023-06-27 中国联合网络通信集团有限公司 Method, device, equipment and storage medium for determining attack path
KR102578421B1 (en) * 2022-12-21 2023-09-18 주식회사 알파인랩 Method And System for managing of attack equipment of Cyber Attack Simulation Platform
CN116301799A (en) * 2023-02-13 2023-06-23 中国工商银行股份有限公司 Code generation method, device, computer equipment, storage medium and product
CN117691733A (en) * 2023-10-23 2024-03-12 国网浙江省电力有限公司宁波供电公司 An assessment method and device for information security protection of distribution automation system


Also Published As

Publication number Publication date
CN118300906A (en) 2024-07-05


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant