
CN118540124A - Attack simulation system deployment method, device, equipment and storage medium - Google Patents


Info

Publication number: CN118540124A
Application number: CN202410635184.2A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: node, verification, subnet, nodes, network
Inventors: 李长连, 高贯银, 赵通, 徐宝辰, 刘果, 杨飞, 郭翔乾, 王新, 杨丽丽, 张彬, 蔺旋, 郝晓飞, 陈晨, 刘青
Current assignee: China United Network Communications Group Co Ltd; China Information Technology Designing and Consulting Institute Co Ltd
Original assignee: China United Network Communications Group Co Ltd; China Information Technology Designing and Consulting Institute Co Ltd
Application filed by China United Network Communications Group Co Ltd and China Information Technology Designing and Consulting Institute Co Ltd
Priority to CN202410635184.2A
Publication of CN118540124A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/12 Discovery or management of network topologies
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L41/147 Network analysis or design for predicting network behaviour
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application provides an attack simulation system deployment method, device, equipment and storage medium, relating to the field of communications. The method includes: obtaining the network topology of a target network, the target network including multiple subnets; according to the network topology, deploying the server side of the attack simulation system at the exit of the target network, the exit being the physical or logical location at which the target network connects to other networks; according to the network topology, determining the full verification subnets, a full verification subnet being a subnet, among the multiple subnets, whose route to the exit includes a network security device; and deploying full verification clients of the attack simulation system in the full verification subnets, a full verification client being used to exchange full verification messages with the server side. The method is applicable during attack simulation and is used to solve the problem that the performance requirements on the server side are high.

Description

Attack simulation system deployment method, device, equipment and storage medium

Technical Field

The present application relates to the field of communications, and in particular to an attack simulation system deployment method, device, equipment and storage medium.

Background Art

As network attack techniques grow ever more sophisticated, enterprise security operations centers face enormous pressure. Attack simulation (breach and attack simulation, BAS) systems can automatically and continuously verify a target network and promptly discover potential security risks in it, and have attracted increasing attention.

An attack simulation system consists of two parts, a server side and clients. The server side is deployed at the exit of the target network to be verified, and one client is deployed on the link corresponding to each subnet of the target network. The server side continuously sends the full set of verification data to all clients and judges, from each client's feedback, whether the security policy on that link is correct.

However, the current attack simulation system requires one client in every subnet, and the server side sends full verification messages to all of those clients, which places high performance requirements on the server side.

Summary of the invention

In view of the above technical problem, the present application provides an attack simulation system deployment method, device, equipment and storage medium, which deploy clients only in those subnets whose route to the network exit contains a network security device. This reduces the number of clients deployed in the subnets and thereby lowers the requirements on the server side.

In a first aspect, the present application provides an attack simulation system deployment method, the method including: obtaining the network topology of a target network, the target network including multiple subnets; according to the network topology, deploying the server side of the attack simulation system at the exit of the target network, the exit being the physical or logical location at which the target network connects to other networks; according to the network topology, determining the full verification subnets, a full verification subnet being a subnet, among the multiple subnets, whose route to the exit includes a network security device; and deploying full verification clients of the attack simulation system in the full verification subnets, the full verification clients being used to exchange full verification messages with the server side.

It should be understood that the current attack simulation system needs a client in every subnet to exchange full verification messages, which places high performance requirements on the server side. The deployment method provided in this application determines, from the target network's topology, the full verification subnets (those whose route to the target network's exit contains a network security device) and deploys full verification clients only there; no full verification client is needed in a subnet whose route to the exit contains no network security device. This reduces the number of clients deployed in the subnets and the number of full verification messages the server side has to send and receive, and thereby lowers the requirements on the server side.

In addition, all clients deployed by the method provided in this application are deployed inside subnets and are not directly connected to the network security devices, so no additional ports of the network security devices are occupied.

Optionally, the method further includes: determining, according to the network topology, the connectivity verification subnets, a connectivity verification subnet being a subnet, among the multiple subnets, whose route to the exit does not include a network security device and does not consist entirely of switches; and deploying connectivity verification clients of the attack simulation system in the connectivity verification subnets, the connectivity verification clients being used to exchange connectivity verification messages with the server side.

It should be understood that in the current attack simulation system every client exchanges full verification messages with the server side, which consumes a large share of the target network's bandwidth and may disrupt users' normal business. The deployment method provided in this application can additionally determine, according to the network topology, the connectivity verification subnets whose route to the exit contains no network security device, and deploy in them connectivity verification clients that only need to exchange connectivity verification messages with the server side. Because a connectivity verification client does not exchange full verification messages with the server side, the volume of data exchanged between clients and the server side is reduced, which alleviates the high bandwidth consumption caused by attack simulation.

Optionally, determining the full verification subnets according to the network topology includes: traversing the network topology with the server side as the root node to obtain a tree structure corresponding to the network topology, the tree structure including the root node, security nodes and terminal nodes, where a security node corresponds to a network security device in the topology and a terminal node corresponds to a terminal device; if all child nodes of a node are terminal nodes, determining that node to be a subnet node; and traversing every security node in the tree and performing a first operation on each, the first operation including: if a child node of the security node is a subnet node, determining the subnet corresponding to that subnet node to be a full verification subnet.

Optionally, the first operation further includes: if a child node of the security node is not a subnet node, deleting that child node from the tree structure.

It should be understood that attack simulation is mainly directed at subnets. The deployment method provided in this application can also delete from the tree those child nodes whose parent is a security node but which are not themselves subnet nodes, which simplifies the tree and prevents such nodes from interfering with the deployment.

Optionally, the method further includes: once the first operation has been completed for every security node in the tree, deleting the security nodes from the tree and setting the parent of each child of a security node to the parent of that security node.

Optionally, the tree structure further includes routing nodes, which comprise switch routing nodes corresponding to switches in the topology and router routing nodes corresponding to routers in the topology. The method further includes: traversing every security node in the tree and, if a child node of the security node is a subnet node, setting the verification attribute of that subnet node to full verification, the corresponding subnet being a full verification subnet; setting the verification attribute of each subnet node whose parent is not a security node and whose route to the root node does not consist entirely of switch routing nodes to connectivity verification, the corresponding subnet being a connectivity verification subnet; setting the verification attribute of each node whose parent is not a security node and which is not itself a subnet node to no verification; and traversing the parent nodes of all leaf nodes and, for every parent node with more than one child node, performing the following: if the verification attributes of all child nodes are no verification, randomly retaining one child node and deleting the rest; if the verification attributes of all child nodes are no verification or connectivity verification, randomly retaining one child node whose attribute is connectivity verification and deleting the rest; if the verification attributes of only some child nodes are no verification or connectivity verification and the parent node is a switch routing node, deleting all child nodes whose attribute is no verification or connectivity verification and retaining those whose attribute is full verification; and if the verification attributes of only some child nodes are no verification or connectivity verification and the parent node is a router routing node, deleting all child nodes whose attribute is no verification.

Optionally, the routing nodes comprise switch routing nodes corresponding to switches in the topology and router routing nodes corresponding to routers in the topology, and the method further includes: traversing the parent node of every leaf node in the tree and, if that parent node is a switch routing node, setting the parent of all of its child nodes to the switch routing node's own parent and deleting the switch routing node from the tree, repeating this until the tree structure no longer changes.

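The tree-based procedure in the optional steps above (the first operation on security nodes, splicing out the security nodes, assigning the full verification / connectivity verification / no verification attributes, merging sibling nodes, and collapsing switch routing nodes) can be exercised end to end with the following Python script. It is an added example written for this page, not code from the patent or its assignees; the device names (exit, fw1, r1, sw1 and so on) and the topology are constructed. Three points the text leaves implicit are handled as labelled assumptions: a subnet node absorbs its terminal children and becomes a leaf, a subnet reached through switches only is given the "no verification" attribute, and "randomly retain one child" is implemented as retaining the first matching child so the result is reproducible.

```python
from collections import deque
FULL, CONN, NONE = "full", "connectivity", "none"   # verification attributes

class Node:
    def __init__(self, name, kind):   # kind: root | security | switch | router | terminal
        self.name, self.kind, self.parent, self.children = name, kind, None, []
        self.attr, self.is_subnet = None, False   # attr becomes FULL / CONN / NONE

def all_nodes(n):   # pre-order walk of the subtree under n
    yield n
    for c in list(n.children):
        yield from all_nodes(c)

def route_to_root(n):   # devices from n (inclusive) up to, but excluding, the root
    while n is not None and n.kind != "root":
        yield n
        n = n.parent

def splice_out(node):
    """Delete a node but keep its subtree: its children move up to its parent."""
    p = node.parent
    i = p.children.index(node)
    p.children[i:i + 1] = node.children
    for c in node.children:
        c.parent = p
    node.parent, node.children = None, []

def build_tree(kinds, links, root_name):
    """BFS spanning tree from the server; a node whose children are all terminals
    absorbs them and becomes a subnet leaf (this example's modelling choice)."""
    nodes = {n: Node(n, k) for n, k in kinds.items()}
    adj = {n: {b for a, b in links if a == n} | {a for a, b in links if b == n} for n in kinds}
    root, seen, q = nodes[root_name], {root_name}, deque([nodes[root_name]])
    while q:
        cur = q.popleft()
        for nb in sorted(adj[cur.name] - seen):   # sorted => deterministic tree
            seen.add(nb)
            nodes[nb].parent = cur
            cur.children.append(nodes[nb])
            q.append(nodes[nb])
    for n in nodes.values():
        if n.children and all(c.kind == "terminal" for c in n.children):
            n.is_subnet, n.children = True, []
    return root

def classify(root):
    # First operation per security node: subnet children become FULL, other children are deleted,
    # then the security node itself is spliced out of the tree.
    for sec in [n for n in all_nodes(root) if n.kind == "security"]:
        if sec.parent is None:      # already deleted under an outer security node
            continue
        for c in list(sec.children):
            if c.is_subnet:
                c.attr = FULL
            else:
                sec.children.remove(c)
                c.parent = None
        splice_out(sec)
    # Remaining subnet nodes: CONN unless reached via switches only (then NONE, an assumption here); other nodes: NONE.
    for n in all_nodes(root):
        if n.kind != "root" and n.attr is None:
            via_l3 = any(d.kind != "switch" for d in route_to_root(n))
            n.attr = CONN if n.is_subnet and via_l3 else NONE

def merge_siblings(root):
    """At each parent of leaves with more than one child, keep only children that add coverage."""
    for p in all_nodes(root):   # the page's "random" retention = first matching child here
        attrs = [c.attr for c in p.children]
        if len(attrs) < 2 or all(c.children for c in p.children):
            continue
        if all(a == NONE for a in attrs):
            p.children = p.children[:1]
        elif all(a in (NONE, CONN) for a in attrs):
            p.children = [next(c for c in p.children if c.attr == CONN)]
        elif p.kind == "switch":
            p.children = [c for c in p.children if c.attr == FULL]
        elif p.kind == "router":
            p.children = [c for c in p.children if c.attr != NONE]

def collapse_switches(root):
    """Splice out switch routing nodes directly above a leaf until the tree is stable."""
    def leaf_under_switch():
        return next((n for n in all_nodes(root)
                     if not n.children and n.parent and n.parent.kind == "switch"), None)
    while (leaf := leaf_under_switch()) is not None:
        splice_out(leaf.parent)

def deployment_plan(kinds, links, root_name):
    root = build_tree(kinds, links, root_name)
    for step in (classify, merge_siblings, collapse_switches):
        step(root)
    return {n.name: n.attr for n in all_nodes(root) if n.is_subnet}

# Constructed sample topology (not taken from the page).
SAMPLE_KINDS = {"exit": "root", "fw1": "security", "r1": "router", "r2": "router",
                **{f"sw{i}": "switch" for i in range(1, 7)}, **{f"h{i}": "terminal" for i in range(1, 9)}}
SAMPLE_LINKS = [("exit", "fw1"), ("fw1", "sw1"), ("sw1", "h1"), ("sw1", "h2"),   # firewall -> subnet sw1
                ("exit", "r1"), ("r1", "sw2"), ("sw2", "h3"), ("sw2", "h4"), ("r1", "sw3"), ("sw3", "h5"),
                ("exit", "sw4"), ("sw4", "h6"), ("sw4", "h7"),                     # switch-only subnet sw4
                ("exit", "r2"), ("r2", "sw5"), ("sw5", "sw6"), ("sw6", "h8")]      # router -> switch -> sw6
```

Calling `deployment_plan(SAMPLE_KINDS, SAMPLE_LINKS, "exit")` returns sw1 as a full verification subnet (it sits behind the firewall), sw2 and sw6 as connectivity verification subnets (reached through a router), and sw4 as needing no verification (reached through switches only); sw3 disappears because the merge step keeps only one connectivity-verification child under r1. Note one consequence of the first operation worth checking before relying on the pruned tree: a router placed directly under a security node is not a subnet node and is therefore deleted together with everything behind it, so a topology of exit, firewall, router, subnet yields an empty plan.
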
In a second aspect, the present application provides an attack simulation system deployment device, which includes an acquisition module and a processing module.

The acquisition module is used to obtain the network topology of a target network, the target network including multiple subnets.

The processing module is used to deploy the server side of the attack simulation system at the exit of the target network according to the network topology, the exit being the physical or logical location at which the target network connects to other networks; to determine the full verification subnets according to the network topology, a full verification subnet being a subnet, among the multiple subnets, whose route to the exit includes a network security device; and to deploy full verification clients of the attack simulation system in the full verification subnets, the full verification clients being used to exchange full verification messages with the server side.

Optionally, the processing module is further used to determine the connectivity verification subnets according to the network topology, a connectivity verification subnet being a subnet, among the multiple subnets, whose route to the exit does not include a network security device and does not consist entirely of switches, and to deploy connectivity verification clients of the attack simulation system in the connectivity verification subnets, the connectivity verification clients being used to exchange connectivity verification messages with the server side.

Optionally, the processing module is specifically used to traverse the network topology with the server side as the root node to obtain a tree structure corresponding to the network topology, the tree structure including the root node, security nodes and terminal nodes, where a security node corresponds to a network security device in the topology and a terminal node corresponds to a terminal device; to determine a node all of whose child nodes are terminal nodes to be a subnet node; and to traverse every security node in the tree and perform a first operation on each, the first operation including: if a child node of the security node is a subnet node, determining the subnet corresponding to that subnet node to be a full verification subnet.

Optionally, the first operation further includes: if a child node of the security node is not a subnet node, deleting that child node from the tree structure.

Optionally, the processing module is further used to, once the first operation has been completed for every security node in the tree, delete the security nodes from the tree and set the parent of each child of a security node to the parent of that security node.

Optionally, the tree structure further includes routing nodes, which comprise switch routing nodes corresponding to switches in the topology and router routing nodes corresponding to routers in the topology. The processing module is further used to traverse every security node in the tree and, if a child node of the security node is a subnet node, set the verification attribute of that subnet node to full verification, the corresponding subnet being a full verification subnet; to set the verification attribute of each subnet node whose parent is not a security node and whose route to the root node does not consist entirely of switch routing nodes to connectivity verification, the corresponding subnet being a connectivity verification subnet; to set the verification attribute of each node whose parent is not a security node and which is not itself a subnet node to no verification; and to traverse the parent nodes of all leaf nodes and, for every parent node with more than one child node, perform the following: if the verification attributes of all child nodes are no verification, randomly retain one child node and delete the rest; if the verification attributes of all child nodes are no verification or connectivity verification, randomly retain one child node whose attribute is connectivity verification and delete the rest; if the verification attributes of only some child nodes are no verification or connectivity verification and the parent node is a switch routing node, delete all child nodes whose attribute is no verification or connectivity verification and retain those whose attribute is full verification; and if the verification attributes of only some child nodes are no verification or connectivity verification and the parent node is a router routing node, delete all child nodes whose attribute is no verification.

Optionally, the tree structure further includes routing nodes, which comprise switch routing nodes corresponding to switches in the topology and router routing nodes corresponding to routers in the topology, and the processing module is further used to traverse the parent node of every leaf node in the tree and, if that parent node is a switch routing node, set the parent of all of its child nodes to the switch routing node's own parent and delete the switch routing node from the tree, repeating this until the tree structure no longer changes.

In a third aspect, the present application provides a computer program product which, when run on an electronic device, causes the electronic device to implement the method described in the first aspect.

In a fourth aspect, the present application provides an electronic device comprising a processor and a memory, the memory storing instructions executable by the processor, and the processor being configured to execute the instructions so that the electronic device implements the method described in the first aspect.

In a fifth aspect, the present application provides a computer-readable storage medium comprising computer software instructions which, when run in an electronic device, cause the electronic device to implement the method described in the first aspect.

For the beneficial effects of the second to fifth aspects, reference may be made to the first aspect; they are not repeated here.

BRIEF DESCRIPTION OF THE DRAWINGS

To describe the technical solutions of the embodiments of the present application or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and those of ordinary skill in the art may obtain other drawings from them without creative effort.

FIG. 1 is a schematic flow chart of an attack simulation system deployment method provided in an embodiment of the present application;

FIG. 2 is a schematic diagram of a network topology provided in an embodiment of the present application;

FIG. 3 is another schematic flow chart of an attack simulation system deployment method provided in an embodiment of the present application;

FIG. 4 is yet another schematic flow chart of an attack simulation system deployment method provided in an embodiment of the present application;

FIG. 5 is a schematic diagram of another network topology provided in an embodiment of the present application;

FIG. 6 is a schematic diagram of a tree structure provided in an embodiment of the present application;

FIG. 7 is a schematic diagram of security node simplification provided in an embodiment of the present application;

FIG. 8 is yet another schematic flow chart of an attack simulation system deployment method provided in an embodiment of the present application;

FIG. 9 is a schematic diagram of merging provided in an embodiment of the present application;

FIG. 10 is a schematic diagram of switch routing node simplification provided in an embodiment of the present application;

FIG. 11 is a schematic diagram of the composition of an attack simulation system deployment device provided in an embodiment of the present application;

FIG. 12 is a schematic diagram of the composition of an electronic device provided in an embodiment of the present application.

具体实施方式DETAILED DESCRIPTION

下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。The following will be combined with the drawings in the embodiments of the present application to clearly and completely describe the technical solutions in the embodiments of the present application. Obviously, the described embodiments are only part of the embodiments of the present application, not all of the embodiments. Based on the embodiments in the present application, all other embodiments obtained by ordinary technicians in this field without creative work are within the scope of protection of this application.

需要说明的是,本申请实施例中,“示例性地”或者“例如”等词用于表示作例子、例证或说明。本申请实施例中被描述为“示例性地”或者“例如”的任何实施例或设计方案不应被解释为比其它实施例或设计方案更优选或更具优势。确切而言,使用“示例性地”或者“例如”等词旨在以具体方式呈现相关概念。It should be noted that, in the embodiments of the present application, words such as "exemplarily" or "for example" are used to indicate examples, illustrations or explanations. Any embodiment or design described as "exemplarily" or "for example" in the embodiments of the present application should not be interpreted as being more preferred or more advantageous than other embodiments or designs. Specifically, the use of words such as "exemplarily" or "for example" is intended to present related concepts in a specific way.

为了便于清楚描述本申请实施例的技术方案,在本申请的实施例中,采用了“第一”、“第二”等字样对功能和作用基本相同的相同项或相似项进行区分,本领域技术人员可以理解“第一”、“第二”等字样并不是在对数量和执行次序进行限定。In order to facilitate the clear description of the technical solutions of the embodiments of the present application, in the embodiments of the present application, words such as "first" and "second" are used to distinguish between identical items or similar items with basically the same functions and effects. Those skilled in the art can understand that words such as "first" and "second" do not limit the quantity and execution order.

Cyber-attack techniques are becoming increasingly sophisticated, and enterprise security operations centers are under great pressure. Attack simulation (or breach and attack simulation, BAS) systems can validate a target network automatically and continuously and promptly surface potential security risks in the network, and have therefore attracted growing attention.

An attack simulation system consists of a server side and a client side. The server is deployed at the egress of the target network to be validated, and one client is deployed on the link corresponding to each subnet of the target network. The server continuously sends the full set of verification data to every client and, from each client's feedback, judges whether the security policy on that link is correct.

The server side may run on one or more servers, which may be physical servers, virtual machines or containerized environments.

The client may be a hardware appliance dedicated to BAS testing, or an ordinary computer with specific software or plug-ins installed.

The server and clients of a BAS system may be deployed manually by administrators or automatically by automation tools or platforms.

These automation tools or platforms may be dedicated configuration-management systems (for example Ansible, Chef or Puppet) or the automated deployment function built into the BAS system itself. They carry out deployment tasks (for example installing and configuring operating systems, deploying applications and configuring the network environment) through predefined scripts, configuration files or templates.

However, current attack simulation systems require a client in every subnet, and the server sends the full set of verification messages to all of those clients, which places high performance demands on the server.

On that basis, the embodiments of this application provide an attack simulation system deployment method, apparatus, device and storage medium. Clients are deployed only in those subnets whose route to the network egress contains a network security device, which reduces the number of clients deployed in subnets and thus lowers the demands placed on the server.

The method provided by the embodiments is executed by an attack simulation system deployment apparatus. This apparatus may be an electronic device on which the automation tool or platform described above is deployed (for example a server, a computer or another computing device with processing capability); a processor in such an electronic device (for example a central processing unit, CPU); or a functional module in such an electronic device that executes the attack simulation system deployment method. The embodiments of this application place no limitation on this.

The attack simulation system deployment method provided by the embodiments is described below with reference to the accompanying drawings.

Fig. 1 is a schematic flow chart of the attack simulation system deployment method provided by an embodiment of this application. As shown in Fig. 1, the method may include S101 to S104.

S101. Obtain the network topology of the target network.

The target network includes multiple subnets.

Optionally, a network management device may be configured in the target network, and the deployment apparatus may obtain the network topology of the target network from that device.

For example, the network management device may have Simple Network Management Protocol (SNMP) monitoring software installed; it queries the configuration and status information of the devices in the target network over SNMP and builds the network topology from that information.

As another example, the network management device may have a dedicated topology discovery tool installed, such as Network Topology Mapper or PRTG; the device uses such a tool to scan the target network automatically, discover its network devices and build the network topology.

Exemplarily, Fig. 2 is a schematic diagram of a network topology provided by an embodiment of this application. As shown in Fig. 2, the target network may include a router, a firewall, switch 1, switch 2 and terminals 1 to 4. Switch 1, terminal 1 and terminal 2 may form subnet 1 of the target network, and switch 2, terminal 3 and terminal 4 may form subnet 2.

S102. According to the network topology, deploy the server side of the attack simulation system at the egress of the target network.

The egress is the physical or logical location at which the target network connects to other networks.

Exemplarily, referring again to Fig. 2, terminal 1 and terminal 2 in subnet 1 exchange data with other networks through switch 1, the firewall and the router; terminal 3 and terminal 4 in subnet 2 do so through switch 2, the firewall and the router. In this case the router (or the link beyond the router) can be understood as the egress of the target network.

S103. Determine the full-verification subnets according to the network topology.

A full-verification subnet is a subnet, among the multiple subnets, whose route to the egress includes a network security device. A network security device is a network device used to protect the network against security threats and attacks; examples include a firewall, an intrusion prevention system (IPS), a security router, a unified threat management (UTM) appliance or a virtual private network (VPN) gateway. The embodiments place no limitation on the specific type of network security device.

Exemplarily, referring again to Fig. 2, the route between subnet 1 and the egress (the router) includes the firewall, so subnet 1 can be determined to be a full-verification subnet; the route between subnet 2 and the egress also includes the firewall, so subnet 2 can likewise be determined to be a full-verification subnet.

The specific process of S103 is described in the embodiments below and is not repeated here.

S104. Deploy a full-verification client of the attack simulation system in each full-verification subnet.

The full-verification client exchanges full verification messages with the server. "Full verification messages" means verification messages of every type.

For example, verification messages may include authentication messages, connectivity verification messages and simulation task messages. The embodiments place no limitation on the specific types of verification message.

It should be understood that current attack simulation systems need one client in every subnet to exchange full verification messages, which places high performance demands on the server. The deployment method provided by the embodiments uses the network topology of the target network to identify the full-verification subnets, i.e. those whose route to the network egress contains a network security device, and deploys full-verification clients only there; no full-verification client is needed in a subnet whose route to the egress contains no network security device, because on such a path there is no security policy for the full set of verification traffic to exercise. This reduces the number of clients deployed in subnets and the number of full verification messages the server has to send and receive, and thereby lowers the demands on the server.

In addition, all clients deployed by the method provided by the embodiments are placed inside subnets; they are never connected directly to a network security device and therefore occupy no additional ports on it.

In some possible embodiments, the deployment apparatus may also deploy a connectivity verification client in subnets whose route to the egress contains no network security device. In this case, Fig. 3 is another schematic flow chart of the attack simulation system deployment method. As shown in Fig. 3, the method may further include S201 and S202.

S201. Determine the connectivity verification subnets according to the network topology.

A connectivity verification subnet is a subnet, among the multiple subnets, whose route to the egress includes no network security device and does not consist solely of switches.

S202. Deploy a connectivity verification client of the attack simulation system in each connectivity verification subnet.

The connectivity verification client exchanges connectivity verification messages with the server.

For example, the server may generate a ping command and, according to the Internet Protocol (IP) address of a connectivity verification client specified in that command, send an ICMP Echo request message to the client at that IP address. After receiving the ICMP Echo request, the client sends an ICMP Echo reply message back to the server IP address carried in the request. The ICMP Echo request and ICMP Echo reply messages are understood to be the connectivity verification messages referred to above.

It should be understood that in current attack simulation systems every client exchanges full verification messages with the server; this consumes considerable bandwidth on the target network and may interfere with users' normal business. The deployment method provided by the embodiments can additionally identify, from the network topology, the connectivity verification subnets, whose route to the egress contains no network security device, and deploy there a connectivity verification client that only needs to exchange connectivity verification messages with the server. Since such a client does not exchange full verification messages, the volume of data exchanged between clients and the server falls, which alleviates the heavy bandwidth use caused by attack simulation.

The specific process of S103 above is described below.

In some possible embodiments, the full-verification subnets may be determined from the nodes of a tree structure after the deployment apparatus has converted the network topology of the target network into a tree. In this case, Fig. 4 is a further schematic flow chart of the attack simulation system deployment method. As shown in Fig. 4, S103 may specifically include S1031 to S1033.

S1031. Taking the server as the root node, traverse the network topology to obtain the tree structure corresponding to it.

The tree structure includes a root node, security nodes and terminal nodes. A security node corresponds to a network security device in the topology, and a terminal node to a terminal device. The types of network security device are as described in the embodiments above and are not repeated here. A terminal device may be, for example, a desktop computer, a laptop, a tablet, a storage device, a printer, an intrusion detection system (IDS) device or a terminal with monitoring capability (for example an endpoint detection and response (EDR) device). The embodiments place no limitation on the specific type of terminal device.

Optionally, the tree structure may further include routing nodes. Routing nodes include switch routing nodes, corresponding to switches in the topology, and router routing nodes, corresponding to routers.

Optionally, the deployment apparatus may traverse the network topology breadth-first.

Exemplarily, Fig. 5 is a schematic diagram of another network topology provided by an embodiment of this application. As shown in Fig. 5, the target network may include router 1, firewall 1, IPS1, IPS2, switches 1 to 9, terminals 1 to 12 and IDS1.

Terminal 1 and terminal 2, which are in the same subnet, exchange data with other networks through switch 1, firewall 1 and router 1 in turn (taking the direction in which the terminals send data to other networks as the example; the same applies to the paths below). Terminal 3 and terminal 4, in the same subnet, do so through switch 2, IPS1 and router 1. Terminal 5 and terminal 6, in the same subnet, through switch 3 and router 1. Terminal 7 and terminal 8, in the same subnet, through switch 8, IPS2, switch 7 and router 1. Terminal 9 and terminal 10, in the same subnet, through switch 6, switch 7 and router 1. Terminal 12 and IDS1, in the same subnet, through switch 9 and router 1.

S1032. If all child nodes of a node are terminal nodes, determine that node to be a subnet node.

Exemplarily, Fig. 6 is a schematic diagram of a tree structure provided by an embodiment of this application. As shown in Fig. 6, after the topology of Fig. 5 has been converted into a tree, the root node is the server (shown as server 1 in Fig. 6), the child of the root node is the router routing node corresponding to router 1 (R1), and the children of R1 include the switch routing nodes corresponding to switch 3 and switch 9. Since all children of those two switch routing nodes are terminal nodes, they can be understood as subnet nodes (shown as Net3 and Net9 in Fig. 6).

Similarly, the subnet nodes also include Net2 (the switch routing node of switch 2), the child of IPS1 (the security node of IPS1); Net1 (switch 1) and Net5 (switch 5), the children of F1 (the security node of firewall 1); Net6 (switch 6), the child of S7 (the switch routing node of switch 7); and Net8 (switch 8), the child of IPS2 (the security node of IPS2).

S1033. Traverse every security node in the tree and perform a first operation on each of them.

The first operation includes: if a child node of the security node is a subnet node, determine the subnet corresponding to that subnet node to be a full-verification subnet.

Exemplarily, referring again to Fig. 6 and taking its subnet nodes as the example, the deployment apparatus determines the subnets corresponding to Net1, Net2, Net5 and Net8 to be full-verification subnets.

Optionally, the first operation may further include: if a child node of the security node is not a subnet node, delete that child node from the tree.

It should be understood that attack simulation is mainly carried out against subnets. In the method provided by the embodiments, the deployment apparatus may also delete from the tree those child nodes whose parent is a security node but which are not themselves subnet nodes, thereby simplifying the tree and preventing such nodes from interfering with deployment.

In some possible embodiments, after the first operation has been performed and the full-verification subnets determined, the deployment apparatus may further simplify the security nodes it has traversed. In this case the method may further include the following step:

Step 1a. Once the first operation has been completed for every security node in the tree, delete the security nodes from the tree and set the parent of each child of a security node to that security node's own parent.

Exemplarily, Fig. 7 is a schematic diagram of security node simplification provided by an embodiment of this application. As shown in Fig. 7, on the basis of Fig. 6, after performing the first operation on each security node and determining the subnets of Net1, Net2, Net5 and Net8 to be full-verification subnets, the deployment apparatus may delete the parent of Net1 and Net5 (security node F1) and re-parent Net1 and Net5 to F1's parent R1; delete the parent of Net2 (security node IPS1) and re-parent Net2 to IPS1's parent R1; and delete the parent of Net8 (security node IPS2) and re-parent Net8 to IPS2's parent S7.

The tree with the security nodes removed thus consists of the root node (server1); R1, the child of server1; Net1, Net2, Net3, Net5, Net9 and S7, the children of R1; and Net6 and Net8, the children of S7.

In some possible embodiments, the deployment apparatus may also merge the child nodes under the same node according to their different verification attributes. In this case, Fig. 8 is a further schematic flow chart of the attack simulation system deployment method. As shown in Fig. 8, the method may further include S301 to S308.

S301. Traverse every security node in the tree; if a child node of the security node is a subnet node, set the verification attribute of that subnet node to full verification. The subnet corresponding to that subnet node is a full-verification subnet.

S302. For a subnet node whose parent is not a security node and whose route to the root node does not consist solely of switch routing nodes, set the verification attribute to connectivity verification. The subnet corresponding to that subnet node is a connectivity verification subnet.

S303. For a node whose parent is not a security node and which is not itself a subnet node, set the verification attribute to no verification required.

S304. Traverse the parent nodes of all leaf nodes; if a parent node has more than one child, perform the following operations on it:

S305. If the verification attribute of every child is no verification required, keep one child chosen at random and delete the rest.

S306. If the verification attribute of every child is either no verification required or connectivity verification, keep one child chosen at random among those whose attribute is connectivity verification, and delete the rest.

S307. If only some of the children have the attribute no verification required or connectivity verification, and the parent node is a switch routing node, delete all children whose attribute is no verification required or connectivity verification and keep the children whose attribute is full verification.

S308. If only some of the children have the attribute no verification required or connectivity verification, and the parent node is a router routing node, delete all children whose attribute is no verification required.

Exemplarily, Fig. 9 is a schematic diagram of merging provided by an embodiment of this application. As shown in Fig. 9, on the basis of Fig. 7, the switch routing node S7 corresponding to switch 7 has two children (Net6 and Net8), which is more than one.

Since Net6's parent S7 is not a security node, and the route from Net6 to server 1 includes both switch routing nodes and a router routing node (so it does not consist solely of switch routing nodes), Net6's verification attribute can be set to connectivity verification, i.e. the subnet of Net6 is a connectivity verification subnet.

Since Net8's parent (before simplification) was IPS2, which is a security node, Net8's verification attribute can be set to full verification, i.e. the subnet of Net8 is a full-verification subnet.

In this case the example of S7 in Fig. 9 satisfies the condition of S307, so the deployment apparatus can delete all children whose attribute is no verification required or connectivity verification (i.e. delete Net6) and keep the child whose attribute is full verification (Net8). The simplified tree then consists of the root node server 1; R1, the child of server1; S7, Net5, Net1, Net2, Net3 and Net9, the children of R1; and Net8, the child of S7.

In some possible embodiments, the deployment apparatus may further simplify the tree with respect to switch routing nodes. In this case the method may further include the following step:

Step 1b. Traverse the parent node of every leaf node; if the parent is a switch routing node (one that is not itself a subnet node), set the parent of all children of that switch routing node to the switch routing node's own parent and delete the switch routing node from the tree. Repeat until the tree no longer changes.

Exemplarily, Fig. 10 is a schematic diagram of switch routing node simplification provided by an embodiment of this application. As shown in Fig. 10, on the basis of Fig. 9, the leaf nodes are Net8, Net5, Net1, Net2, Net3 and Net9. The parent of Net8 is S7, the switch routing node of switch 7, and the parent of S7 is R1. The deployment apparatus can therefore set the parent of Net8 to R1 and delete S7.

The tree after this second simplification thus consists of the root node server1; R1, the child of server1; and Net8, Net5, Net1, Net2, Net3 and Net9, the children of R1.
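The tree construction, subnet classification, merging and pruning of S1031 to S1033, step 1a, S301 to S308 and step 1b, worked through end to end as an added Python example (this is not code from the patent or its applicant). It takes the Figure 5 topology as a constructed adjacency list, with three assumptions stated in the code: the server sits next to router 1, terminal 11 hangs under switch 5, and switch 4 is omitted because the text lists it but never places it. Two points the text leaves open are resolved as follows: the merging rules of S304 to S308 are applied to the leaf children of a parent (Fig. 9 keeps the non-leaf child S7, so that reading matches the page), and where the page says "at random" the first candidate is kept so that runs are reproducible. Node names follow the figures; a subnet node keeps its switch name, so S1 below is the page's Net1.

```python
from collections import defaultdict, deque

ROOT, ROUTER, SWITCH, SECURITY, TERMINAL = "root", "router", "switch", "security", "terminal"  # node kinds
FULL, CONN, NONE = "full", "connectivity", "none"  # verification attributes of S301-S303

class Node:
    def __init__(self, name, kind, parent=None):
        self.name, self.kind, self.parent, self.children = name, kind, parent, []
        self.is_subnet, self.terminals, self.attr = False, [], None

def walk(node):  # pre-order over a copy of each child list, so callers may edit the tree
    yield node
    for child in list(node.children):
        yield from walk(child)

def splice_out(n):  # remove n and hang its children on n's parent (steps 1a and 1b)
    for child in n.children:
        child.parent = n.parent
    i = n.parent.children.index(n)
    n.parent.children[i:i + 1] = n.children

def build_tree(kinds, links, root):  # S1031: breadth-first traversal starting at the server
    adj = defaultdict(list)
    for a, b in links:
        adj[a].append(b)
        adj[b].append(a)
    nodes, queue = {root: Node(root, ROOT)}, deque([root])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in nodes:
                nodes[v] = Node(v, kinds[v], nodes[u])
                nodes[u].children.append(nodes[v])
                queue.append(v)
    return nodes[root]

def mark_subnets(root):  # S1032: all children terminals -> subnet node; fold the terminals into it
    for n in walk(root):
        if n.children and all(c.kind == TERMINAL for c in n.children):
            n.is_subnet, n.terminals, n.children = True, n.children, []

def classify(root):  # S1033 and S301-S303, applied before any node is spliced out
    for n in list(walk(root))[1:]:
        if n.parent.kind == SECURITY:  # first operation: child of a security node
            if n.is_subnet:
                n.attr = FULL
            else:
                n.parent.children.remove(n)  # optional rule: a non-subnet child is pruned
        elif n.is_subnet:  # S302: does the route to the root consist of switches only?
            p = n.parent
            while p.kind == SWITCH:
                p = p.parent
            n.attr = NONE if p.kind == ROOT else CONN
        else:
            n.attr = NONE  # S303

def merge_siblings(root):  # S304-S308: merge the leaf children of each parent by attribute
    for p in walk(root):
        leaves = [c for c in p.children if not c.children]
        if len(leaves) < 2:
            continue
        attrs = {c.attr for c in leaves}
        if attrs == {NONE}:  # S305 (page: keep one at random)
            keep = leaves[:1]
        elif attrs <= {NONE, CONN}:  # S306 (page: keep one CONN child at random)
            keep = [next(c for c in leaves if c.attr == CONN)]
        elif p.kind == SWITCH:  # S307: a switch parent keeps only FULL children
            keep = [c for c in leaves if c.attr == FULL]
        else:  # S308: a router parent drops only NONE children
            keep = [c for c in leaves if c.attr != NONE]
        p.children = [c for c in p.children if c.children or c in keep]

def collapse_switches(root):  # step 1b; children before parents, so stacked switches collapse too
    for n in reversed(list(walk(root))):
        if n.kind == SWITCH and not n.is_subnet and any(not c.children for c in n.children):
            splice_out(n)

def plan_deployment(kinds, links, root="server1"):  # -> (full subnets, connectivity subnets, tree)
    tree = build_tree(kinds, links, root)
    mark_subnets(tree)
    classify(tree)
    for n in [n for n in walk(tree) if n.kind == SECURITY]:  # step 1a
        splice_out(n)
    merge_siblings(tree)
    collapse_switches(tree)
    full, conn = (sorted(n.name for n in walk(tree) if n.attr == a) for a in (FULL, CONN))
    shape = {n.name: [c.name for c in n.children] for n in walk(tree) if n.children}
    return full, conn, shape

# Constructed input: the Figure 5 topology as the text describes it (S1..S9 switches, T1..T12 terminals).
# Switch 4 is listed but never placed, so it is omitted; T11 under S5 and the server next to R1 are assumptions.
EXAMPLE_KINDS = {"server1": ROOT, "R1": ROUTER, "F1": SECURITY, "IPS1": SECURITY, "IPS2": SECURITY,
                 **{f"S{i}": SWITCH for i in (1, 2, 3, 5, 6, 7, 8, 9)},
                 **{f"T{i}": TERMINAL for i in range(1, 13)}, "IDS1": TERMINAL}
EXAMPLE_LINKS = [("server1", "R1"), ("R1", "F1"), ("F1", "S1"), ("F1", "S5"), ("R1", "IPS1"), ("IPS1", "S2"),
                 ("R1", "S3"), ("R1", "S7"), ("S7", "IPS2"), ("IPS2", "S8"), ("S7", "S6"), ("R1", "S9"),
                 ("S1", "T1"), ("S1", "T2"), ("S2", "T3"), ("S2", "T4"), ("S3", "T5"), ("S3", "T6"),
                 ("S8", "T7"), ("S8", "T8"), ("S6", "T9"), ("S6", "T10"), ("S5", "T11"), ("S9", "T12"), ("S9", "IDS1")]
```

Calling plan_deployment(EXAMPLE_KINDS, EXAMPLE_LINKS) returns (['S1', 'S2', 'S5', 'S8'], ['S3', 'S9'], {'server1': ['R1'], 'R1': ['S1', 'S5', 'S2', 'S3', 'S8', 'S9']}): the page's Net1, Net2, Net5 and Net8 receive full-verification clients, Net3 and Net9 receive connectivity clients, and Net6 is merged away under S7 before S7 itself is spliced out, exactly as in Figs. 9 and 10. Attributes are assigned in classify before any splicing, which is why Net8 still counts as behind IPS2 after step 1a has removed that node.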

一些可能的实施例中,服务器端和客户端(全量验证客户端和联通性验证客户端)被攻击模拟系统部署装置部署完成之后,服务器端可以综合每个客户端的反馈信息,得到攻击模拟系统针对目标网络的验证结果。In some possible embodiments, after the server and client (full verification client and connectivity verification client) are deployed by the attack simulation system deployment device, the server can integrate the feedback information of each client to obtain the verification result of the attack simulation system for the target network.

上述主要从方法的角度对本申请实施例提供的方案进行了介绍。为了实现上述功能,其包含了执行各个功能相应的硬件结构和/或软件模块。本领域技术目标应该很容易意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,本申请能够以硬件或硬件和计算机软件的结合形式来实现。某个功能究竟以硬件还是计算机软件驱动硬件的方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术目标可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。The above mainly introduces the solution provided by the embodiment of the present application from the perspective of the method. In order to achieve the above functions, it includes hardware structures and/or software modules corresponding to the execution of each function. It should be easy to realize that the technical goals in this field are combined with the units and algorithm steps of each example described in the embodiments disclosed in this article, and the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a function is executed in the form of hardware or computer software driving hardware depends on the specific application and design constraints of the technical solution. Professional and technical goals can use different methods to implement the described functions for each specific application, but such implementation should not be considered to be beyond the scope of this application.

In an exemplary embodiment, the embodiments of the present application further provide an attack simulation system deployment device. FIG. 11 is a schematic diagram of the composition of the attack simulation system deployment device provided in an embodiment of the present application. As shown in FIG. 11, the device includes an acquisition module 1101 and a processing module 1102.

The acquisition module 1101 is used to acquire the network topology of a target network; the target network includes a plurality of subnets.

The processing module 1102 is used to deploy, according to the network topology, the server end of the attack simulation system at the exit of the target network, the exit being the physical or logical location at which the target network connects to other networks; to determine, according to the network topology, the full verification subnets, a full verification subnet being a subnet, among the plurality of subnets, whose route to the exit includes a network security device; and to deploy a full verification client of the attack simulation system in each full verification subnet, the full verification client being used to exchange full verification messages with the server end.

In some possible embodiments, the processing module 1102 is further used to determine, according to the network topology, the connectivity verification subnets, a connectivity verification subnet being a subnet, among the plurality of subnets, whose route to the exit includes no network security device and does not consist entirely of switches; and to deploy a connectivity verification client of the attack simulation system in each connectivity verification subnet, the connectivity verification client being used to exchange connectivity verification messages with the server end.

In some other possible embodiments, the processing module 1102 is specifically used to traverse the network topology with the server end as the root node to obtain a tree structure corresponding to the network topology, where the tree structure includes the root node, security nodes and terminal nodes; a security node corresponds to a network security device in the network topology and a terminal node corresponds to a terminal device in the network topology. If all child nodes of a node are terminal nodes, that node is determined to be a subnet node. Each security node in the tree structure is traversed and a first operation is performed on it; the first operation includes: if a child node of the security node is a subnet node, the subnet corresponding to that subnet node is determined to be a full verification subnet.

In still other possible embodiments, the first operation further includes: if a child node of the security node is not a subnet node, that child node is deleted from the tree structure.

In still other possible embodiments, the processing module 1102 is further used, once all security nodes in the tree structure have completed the first operation, to delete the security nodes from the tree structure and to set the parent node of each child node of a security node to the parent node of that security node.

In still other possible embodiments, the tree structure further includes routing nodes; the routing nodes include switch routing nodes and router routing nodes; a switch routing node corresponds to a switch in the network topology and a router routing node corresponds to a router in the network topology. The processing module 1102 is further used to traverse each security node in the tree structure and, if a child node of the security node is a subnet node, set the verification attribute of that subnet node to full verification, the subnet corresponding to that subnet node being a full verification subnet; to set the verification attribute of each subnet node whose parent node is not a security node and whose route to the root node does not consist entirely of switch routing nodes to connectivity verification, the subnet corresponding to that subnet node being a connectivity verification subnet; to set the verification attribute of each node whose parent node is not a security node and which is not itself a subnet node to no verification required; and to traverse the parent nodes of all leaf nodes and, if a parent node has more than one child node, perform the following operations on that parent node:
if the verification attributes of all child nodes are no verification required, retain one child node at random and delete the remaining child nodes;
if the verification attributes of all child nodes are no verification required or connectivity verification, retain at random one child node whose verification attribute is connectivity verification and delete the remaining child nodes;
if the verification attributes of some child nodes are no verification required or connectivity verification and the parent node is a switch routing node, delete all child nodes whose verification attribute is no verification required or connectivity verification and retain the child nodes whose verification attribute is full verification;
if the verification attributes of some child nodes are no verification required or connectivity verification and the parent node is a router routing node, delete all child nodes whose verification attribute is no verification required.

In still other possible embodiments, the tree structure further includes routing nodes; the routing nodes include switch routing nodes and router routing nodes; a switch routing node corresponds to a switch in the network topology and a router routing node corresponds to a router in the network topology. The processing module 1102 is further used to traverse the parent node of each leaf node in the tree structure and, if that parent node is a switch routing node, to set the parent node of all child nodes of the switch routing node to the parent node of the switch routing node and delete the switch routing node from the tree structure, repeating this until the tree structure no longer changes.
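The tree processing described in the embodiments above (subnet node detection, the first operation on security nodes and their removal, verification attribute assignment, sibling pruning, and the switch routing node collapse illustrated by the S7/Net8 step of FIG. 10) is carried through end to end in the following Python example. It is editorial code added here, not the patent's own implementation, and it fixes several points the text leaves open, all of which are assumptions: the topology and every node name not taken from the figures are constructed; terminal nodes are folded into their subnet node; security nodes are spliced out before the connectivity attribute is assigned; a subnet node reachable from the root through switches only gets "no verification required"; the pruning rules are applied to the leaf children of each leaf parent, with the root treated like a router parent; where the text says "retain one at random" the first child is kept so the result is reproducible; and pruning runs once, followed by the switch collapse loop.

```python
class Node:
    """kind: root | security | router | switch | terminal | subnet; attr: full | connectivity | none."""
    def __init__(self, name, kind, parent=None):
        self.name, self.kind, self.parent, self.children, self.attr = name, kind, parent, [], None

def build_tree(edges):
    """(parent, child, child_kind) triples; the first parent is the root, i.e. the server end."""
    nodes = {edges[0][0]: Node(edges[0][0], "root")}
    for parent, child, kind in edges:
        nodes[child] = Node(child, kind, parent=nodes[parent])
        nodes[parent].children.append(nodes[child])
    return nodes[edges[0][0]]

def walk(node):
    yield node
    for c in list(node.children):
        yield from walk(c)

def splice_out(node):
    """Replace node by its children in its parent's child list (claims 5 and 7)."""
    idx = node.parent.children.index(node)
    node.parent.children[idx:idx + 1] = node.children
    for c in node.children:
        c.parent = node.parent

def leaf_parents(root):
    return list({n.parent.name: n.parent for n in walk(root) if n is not root and not n.children}.values())

def plan_deployment(root):
    # Step 1: a node whose children are all terminals is a subnet node; the terminals are folded in.
    for n in walk(root):
        if n.children and all(c.kind == "terminal" for c in n.children):
            n.kind, n.children = "subnet", []
    # Steps 2-3 (claims 3-5): subnet children of a security node become "full", other children are
    # dropped, then the security node is removed and its children reparented to its parent.
    for sec in [n for n in walk(root) if n.kind == "security"]:
        for c in list(sec.children):
            if c.kind == "subnet":
                c.attr = "full"
            else:
                sec.children.remove(c)
        splice_out(sec)
    # Step 4 (claim 6): "connectivity" needs a non-switch device between subnet and root; a subnet
    # behind switches only, and every routing node, gets "none" (no verification required).
    for n in walk(root):
        if n is root or n.attr:
            continue
        kinds, p = [], n.parent
        while p is not root:
            kinds.append(p.kind)
            p = p.parent
        n.attr = "connectivity" if n.kind == "subnet" and any(k != "switch" for k in kinds) else "none"
    # Step 5 (claim 6): prune redundant sibling leaves under each leaf parent; the first child is
    # kept where the text says "retain one at random", so the result is reproducible.
    for p in leaf_parents(root):
        leaves = [c for c in p.children if not c.children]
        attrs = {c.attr for c in leaves}
        if len(leaves) < 2:
            continue
        if attrs == {"none"}:
            drop = leaves[1:]
        elif attrs <= {"none", "connectivity"}:
            keep = next(c for c in leaves if c.attr == "connectivity")
            drop = [c for c in leaves if c is not keep]
        elif p.kind == "switch":
            drop = [c for c in leaves if c.attr != "full"]
        else:  # router parent (the root is treated the same way): only unverified leaves go
            drop = [c for c in leaves if c.attr == "none"]
        for c in drop:
            p.children.remove(c)
    # Step 6 (claim 7, the S7/Net8 step of FIG. 10): collapse switch nodes above leaves until stable.
    changed = True
    while changed:
        changed = False
        for p in leaf_parents(root):
            if p.kind == "switch":
                splice_out(p)
                changed = True
    return {"server": root.name,
            "full": [n.name for n in walk(root) if n.attr == "full"],
            "connectivity": [n.name for n in walk(root) if n.attr == "connectivity"],
            "tree": {n.name: [c.name for c in n.children] for n in walk(root) if n.children}}

# Constructed sample topology (editorial assumption, not a figure of the patent): Net* are access
# switches carrying only terminals, so they become subnet nodes; FW* are firewalls (security nodes).
EDGES = [
    ("server1", "S0", "switch"), ("S0", "Net0", "switch"), ("Net0", "t0", "terminal"),
    ("S0", "Net10", "switch"), ("Net10", "t10", "terminal"), ("server1", "R1", "router"),
    ("R1", "FW1", "security"), ("FW1", "Net1", "switch"), ("Net1", "t1", "terminal"),
    ("R1", "S7", "switch"), ("S7", "Net8", "switch"), ("Net8", "t8", "terminal"),
    ("R1", "S2", "switch"), ("S2", "Net5", "switch"), ("Net5", "t5", "terminal"),
    ("S2", "FW2", "security"), ("FW2", "Net3", "switch"), ("Net3", "t3", "terminal"),
    ("FW2", "S4", "switch"), ("S4", "Net4", "switch"), ("Net4", "t4", "terminal"),
    ("R1", "R2", "router"), ("R2", "Net2", "switch"), ("Net2", "t2", "terminal"),
    ("R2", "S5", "switch"), ("R2", "FW3", "security"), ("FW3", "Net11", "switch"),
    ("Net11", "t11", "terminal"), ("R2", "S3", "switch"), ("S3", "Net7", "switch"),
    ("Net7", "t7", "terminal"),
]

def demo():
    """Server end at server1; full clients go in 'full', connectivity clients in 'connectivity'."""
    return plan_deployment(build_tree(EDGES))
```

On the constructed topology the plan places the server end at server1, full verification clients in Net1, Net3 and Net11 (each sat behind a firewall), and connectivity verification clients in Net8, Net2 and Net7. Net5 is pruned because its sibling Net3 under switch S2 already exercises the firewall path, S5 is pruned as an unverified leaf under router R2, S4 and Net4 disappear under the first operation because S4 is not a subnet node, and Net0, reachable through switches only, is kept in the tree but receives no client. The point a practitioner should check when applying such rules to a real topology is the lossy steps: a subnet behind a firewall that is itself behind a switch never gets a full verification client under a literal reading of claim 4, so the deleted branches deserve a manual review before deployment.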

In an exemplary embodiment, the embodiments of the present application further provide an electronic device, which can be applied to the attack simulation system deployment device described above. FIG. 12 is a schematic diagram of the composition of the electronic device provided in an embodiment of the present application. As shown in FIG. 12, the electronic device may include a processor 1201 and a memory 1202; the memory 1202 stores instructions executable by the processor 1201; the processor 1201 is configured to execute the instructions so that the electronic device implements the method described in the method embodiments above.

In an exemplary embodiment, the embodiments of the present application further provide a computer program product which, when run in an electronic device, causes the electronic device to implement the method of the method embodiments above.

In an exemplary embodiment, the embodiments of the present application further provide a computer-readable storage medium storing computer program instructions; when the computer program instructions are executed by an electronic device, the electronic device implements the method described in the embodiments above. The computer-readable storage medium may be a non-transitory computer-readable storage medium, for example a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device or the like.

The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented with a software program, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer-executable instructions. When the computer-executable instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer-executable instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (for example coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless (for example infrared, radio or microwave) means.

Although the present application has been described herein in conjunction with various embodiments, those skilled in the art can understand and implement other variations of the disclosed embodiments in practicing the claimed application by studying the drawings, the disclosure and the appended claims. In the claims, the word "comprising" does not exclude other components or steps, and "a" or "an" does not exclude a plurality. A single processor or other unit may fulfil several functions recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Although the present application has been described in conjunction with specific features and embodiments thereof, it is evident that various modifications and combinations can be made without departing from the spirit and scope of the present application. Accordingly, the specification and drawings are merely exemplary illustrations of the present application as defined by the appended claims and are deemed to cover any and all modifications, variations, combinations or equivalents within the scope of the present application. Evidently, those skilled in the art can make various changes and variations to the present application without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present application and their equivalents, the present application is also intended to include them.

The above is merely a specific implementation of the present application, but the protection scope of the present application is not limited thereto; any change or substitution within the technical scope disclosed in the present application shall be covered by the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

1. A method for deploying an attack simulation system, characterized in that the method comprises:
acquiring a network topology of a target network, the target network comprising a plurality of subnets;
deploying, according to the network topology, a server end of the attack simulation system at an exit of the target network, the exit being the physical or logical location at which the target network connects to other networks;
determining, according to the network topology, a full verification subnet, the full verification subnet being a subnet, among the plurality of subnets, whose route to the exit includes a network security device;
deploying a full verification client of the attack simulation system in the full verification subnet, the full verification client being used to exchange full verification messages with the server end.

2. The method according to claim 1, characterized in that the method further comprises:
determining, according to the network topology, a connectivity verification subnet, the connectivity verification subnet being a subnet, among the plurality of subnets, whose route to the exit does not include the network security device and does not consist entirely of switches;
deploying a connectivity verification client of the attack simulation system in the connectivity verification subnet, the connectivity verification client being used to exchange connectivity verification messages with the server end.

3. The method according to claim 1, characterized in that determining the full verification subnet according to the network topology comprises:
traversing the network topology with the server end as a root node to obtain a tree structure corresponding to the network topology, wherein the tree structure comprises the root node, security nodes and terminal nodes, the security nodes corresponding to network security devices in the network topology and the terminal nodes corresponding to terminal devices in the network topology;
if all child nodes of a node are terminal nodes, determining that node to be a subnet node;
traversing each security node in the tree structure and performing a first operation on each security node, the first operation comprising: if a child node of the security node is a subnet node, determining the subnet corresponding to that subnet node to be the full verification subnet.

4. The method according to claim 3, characterized in that the first operation further comprises: if a child node of the security node is not a subnet node, deleting that child node from the tree structure.

5. The method according to claim 4, characterized in that the method further comprises: after all security nodes in the tree structure have completed the first operation, deleting the security nodes from the tree structure and setting the parent node of each child node of a security node to the parent node of that security node.

6. The method according to any one of claims 3 to 5, characterized in that the tree structure further comprises routing nodes; the routing nodes comprise switch routing nodes and router routing nodes; the switch routing nodes correspond to switches in the network topology and the router routing nodes correspond to routers in the network topology; and the method further comprises:
traversing each security node in the tree structure and, if a child node of the security node is a subnet node, setting the verification attribute of that subnet node to full verification, the subnet corresponding to that subnet node being the full verification subnet;
setting the verification attribute of each subnet node whose parent node is not a security node and whose route to the root node does not consist entirely of switch routing nodes to connectivity verification, the subnet corresponding to that subnet node being a connectivity verification subnet;
setting the verification attribute of each node whose parent node is not a security node and which is not itself a subnet node to no verification required;
traversing the parent nodes of all leaf nodes and, if a parent node has more than one child node, performing the following operations on that parent node:
if the verification attributes of all child nodes are no verification required, retaining one child node at random and deleting the remaining child nodes;
if the verification attributes of all child nodes are no verification required or connectivity verification, retaining at random one child node whose verification attribute is connectivity verification and deleting the remaining child nodes;
if the verification attributes of some child nodes are no verification required or connectivity verification and the parent node is a switch routing node, deleting all child nodes whose verification attribute is no verification required or connectivity verification and retaining the child nodes whose verification attribute is full verification;
if the verification attributes of some child nodes are no verification required or connectivity verification and the parent node is a router routing node, deleting all child nodes whose verification attribute is no verification required.

7. The method according to any one of claims 3 to 5, characterized in that the routing nodes comprise switch routing nodes and router routing nodes; the switch routing nodes correspond to switches in the network topology and the router routing nodes correspond to routers in the network topology; and the method further comprises:
traversing the parent node of each leaf node in the tree structure and, if that parent node is a switch routing node, setting the parent node of all child nodes of the switch routing node to the parent node of the switch routing node and deleting the switch routing node from the tree structure, repeating this processing until the tree structure no longer changes.

8. An attack simulation system deployment device, characterized in that the device comprises an acquisition module and a processing module;
the acquisition module is used to acquire a network topology of a target network, the target network comprising a plurality of subnets;
the processing module is used to deploy, according to the network topology, a server end of the attack simulation system at an exit of the target network, the exit being the physical or logical location at which the target network connects to other networks; to determine, according to the network topology, a full verification subnet, the full verification subnet being a subnet, among the plurality of subnets, whose route to the exit includes a network security device; and to deploy a full verification client of the attack simulation system in the full verification subnet, the full verification client being used to exchange full verification messages with the server end.

9. An electronic device, characterized in that the electronic device comprises a processor and a memory; the memory stores instructions executable by the processor; and the processor is configured to execute the instructions so that the electronic device implements the method according to any one of claims 1 to 7.

10. A computer-readable storage medium, characterized in that the computer-readable storage medium comprises computer software instructions; when the computer software instructions run in an electronic device, the electronic device is caused to implement the method according to any one of claims 1 to 7.

11. A computer program product, characterized in that, when the computer program product runs in an electronic device, the electronic device is caused to implement the method according to any one of claims 1 to 7.
CN202410635184.2A 2024-05-21 2024-05-21 Attack simulation system deployment method, device, equipment and storage medium Pending CN118540124A (en)


Publications (1)

Publication Number Publication Date
CN118540124A true CN118540124A (en) 2024-08-23

Family

ID=92383942



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination