Disclosure of Invention
The invention aims to overcome the defects and problems of hysteresis and insufficient safety in the prior art and provides an active simulation intrusion evaluation and full-link visual protection system, method and equipment capable of actively protecting to improve communication safety.
In order to achieve the above purpose, the technical solution of the present invention is an active simulation intrusion assessment and full link visualization protection system, the system comprising:
the test module is used for analyzing the internal structure and logic of the protection system and constructing a prediction model;
the simulation module is used for simulating various network attacks according to predefined attack scenes and strategies;
The central control module is used for connecting each module, and coordinating and managing the operation of each module;
the attack display module is used for comparing and displaying network attacks;
the monitoring module is used for continuously monitoring network activities;
the analysis module is used for collecting and analyzing network activity data, and identifying potential threats and weak points of the protection system, wherein the network activity data comprises a network configuration file, a log file and a code base;
the scheme generation module is used for generating a solution to the network problem according to the analysis result of the analysis module and providing a repair suggestion and a network security improvement strategy;
The defending module is used for actively simulating network attack and converting the network attack into a security defending strategy so as to prevent potential threats;
And the adaptation module is used for dynamically adjusting the test scene and the analysis strategy of the prediction model according to the network activity change.
The operation logic of the test module is as follows:
Firstly, adopting a support vector machine algorithm to analyze and extract characteristics which are helpful for identifying security vulnerabilities from network configuration files, log files and code libraries of a protection system, then establishing a prediction model for identifying potential security vulnerabilities and weak points based on the characteristics, and continuously learning and updating the prediction model to adapt to changes of network environments and emerging threats, wherein the characteristics comprise unsafe function call, unexpected port opening or wrong authority setting.
The operation logic of the central control module is as follows:
The central control module monitors the overall state of the system in real time, coordinates and manages each module in the protection system by using an optimization algorithm based on a neural network, intelligently distributes system resources and priorities by evaluating the performance and response time of each module, and processes network environment changes and emerging threats by dynamically adjusting algorithm parameters.
The operation logic of the attack demonstration module is as follows:
Firstly, based on an ATT & CK framework, comparing an on-going attack behavior structure with an attack behavior structure in the ATT & CK framework to determine attack types and strategies, and then displaying attack sources, attack paths and weak points of attack behaviors in a visual mode.
The operation logic of the analysis module is as follows:
s1, acquiring target network related data, carrying out integration processing by utilizing a data integration algorithm to acquire target network data, and then carrying out noise reduction processing on the target network data by utilizing a target network noise reduction algorithm to acquire target network noise reduction data, wherein the target network related data comprises a log file, communication data and API data;
S2, performing feature extraction processing on the target network noise reduction data by using a feature extraction technology to obtain target network data features, and performing data semanteme processing on the target network data features by using a semanteme conversion algorithm to obtain target network semanteme data;
S3, carrying out data preprocessing on the target network semanteme data to obtain a target network semanteme specific data set, and then carrying out target network threat analysis on the target network semanteme specific data set according to a preset large language model to obtain a target network threat reasoning result;
s4, performing fine tuning training processing on the target network threat reasoning result by utilizing a target network fine tuning technology to obtain a target network threat reasoning optimization result, and then performing autonomous adaptation processing on the target network threat reasoning optimization result by utilizing a self-adaptation technology to obtain a target network threat adaptation result;
S5, performing vulnerability correlation analysis on the target network threat adaptation result by utilizing a vulnerability detection analysis algorithm to obtain a target network threat vulnerability detection result, and then formulating a target network threat detection analysis report according to the target network threat vulnerability detection result so as to execute a corresponding target network threat analysis management strategy.
The step of obtaining the target network data in the step S1 includes:
s11, performing behavior data acquisition processing on the log file through a behavior acquisition technology to obtain target network user behavior data, performing communication data acquisition processing on communication data through a data acquisition tool to obtain target network communication data, performing decryption analysis processing on the communication data through a multi-server API interface by using a multi-server API key to obtain target network API decryption data;
and S12, integrating the target network user behavior data, the target network communication data and the target network API decryption data by using a data integration algorithm to obtain target network data.
The operation logic of the scheme generating module is as follows:
the scheme generation module automatically marks and records detailed data when the protection system discovers potential threats and vulnerabilities, and generates specific security reinforcement and repair schemes based on the identified potential threats and vulnerabilities.
An active simulation intrusion assessment and full link visualization protection method, which is applied to the system, comprises the following steps:
testing the internal structure and logic of a protection system based on a white box test method, and simulating various network attacks according to predefined attack scenes and strategies;
step two, comparing attack structures of various network attacks, displaying all links, and continuously monitoring and analyzing network activities;
analyzing and collecting network activity data and a network attack mode, and identifying weak points of potential threats and protection systems;
Generating a problem solution based on the potential threat and the weak point, actively simulating network attack, and converting a security defense strategy to prevent the potential threat;
and fifthly, repeating the first to fifth steps, and dynamically adjusting the test scene, the analysis strategy and the security defense strategy according to the environmental change of network activities or new potential threats.
An active analog intrusion assessment and full link visualization protective device, the device comprising a processor and a memory;
The memory is used for storing computer program codes and transmitting the computer program codes to the processor;
The processor is configured to execute the active simulated intrusion assessment and full link visual protection method according to instructions in the computer program code.
A computer storage medium having stored thereon a computer program which when executed by a processor implements the active simulated intrusion assessment and full link visual protection method described above.
Compared with the prior art, the invention has the beneficial effects that:
The invention relates to an active simulation intrusion evaluation and full-link visual protection system, which comprises a test module, a simulation module, a central control module, an attack display module, a monitoring module, an analysis module, a scheme generation module, a defense module and an adaptation module, wherein the test module is used for simulating an attack of a user; in the application, the attack is actively simulated through the mutual cooperation of the modules, so that potential safety risks and business influences can be timely found and evaluated, an enterprise is helped to take measures in advance, potential losses are reduced, the initiative of safety defense is improved, and relevant personnel can intuitively know the attack process and recognize weak links by adopting the characteristics of a full-link visual attack path, so that the quick response and problem solving are performed, the window period of system maintenance is shortened, and the safety protection is firmer, more durable and effective.
Detailed Description
The invention is described in further detail below with reference to the accompanying drawings and detailed description.
Example 1:
Referring to fig. 1, an active simulated intrusion assessment and full link visualization protection system, the system comprising:
the test module 1 is used for automatically analyzing the internal structure and logic of the protection system and constructing a prediction model;
Further, the operation logic of the test module 1 is as follows:
Firstly, adopting a support vector machine algorithm, analyzing and extracting characteristics which are helpful for identifying security vulnerabilities from a network configuration file, a log file and a code library of a protection system through a white box test method, then establishing a prediction model for identifying potential security vulnerabilities and weak points based on the characteristics, continuously learning and updating the prediction model to adapt to changes of network environments and emerging threats, wherein the characteristics comprise unsafe function call, unexpected port opening or wrong authority setting.
Further, the implementation of the corresponding function by using the support vector machine algorithm comprises the following steps:
1. Data collection and preprocessing;
(1) Collecting data, namely firstly, collecting data from network configuration files, log files, code libraries and other related documents;
(2) Feature extraction, namely analyzing the collected data, and extracting features which are helpful for identifying security holes, such as unsafe function calls, unexpected port opening, wrong authority setting and the like;
(3) Feature selection, selecting the most significant features by technical Principal Component Analysis (PCA) or by knowledge of domain experts;
(4) Data cleaning, namely processing missing values, abnormal values and noise, and normalizing or normalizing characteristic values so as to facilitate SVM processing;
2. Training a model;
(1) Selecting SVM kernel functions, namely selecting proper kernel functions such as linear kernels, polynomial kernels, radial Basis Function (RBF) kernels and the like according to the characteristics of data;
(2) Training the SVM model by using a training data set, wherein the process comprises the steps of selecting optimal super parameters such as penalty parameters C, kernel function parameters and the like;
(3) Cross-validation using k-fold cross-validation to evaluate the performance of the model and select the best parameters;
3. Evaluating a model;
(1) And evaluating the performance of the SVM model by using the test set. Common evaluation indexes comprise accuracy, recall rate, F1 score and the like;
(2) Error analysis, namely analyzing samples with classification errors to understand the deficiency of the model;
4. Deploying a model;
(1) Deploying the model, namely deploying the trained model into an actual environment so as to monitor the safety state of the network system in real time;
(2) Real-time monitoring, namely, after the model is deployed, real-time analysis can be carried out on network flow and configuration change so as to identify security threat;
5. model updating and learning;
(1) Continuously learning, namely periodically updating a model by newly collected data along with the change of network environment and attack means so as to maintain the accuracy of the model;
(2) Adaptive mechanisms-online learning or incremental learning strategies can be introduced to enable models to adapt to new data without requiring retraining.
During the encoding and implementation phase, the SVM may be implemented using a library such as scikit-learn using a programming language such as Python.
The simulation module 2 is used for simulating the anti-attack capability of various network attack test protection systems according to predefined attack scenes and strategies;
The central control module 3 is used for connecting each module and coordinating and managing the operation of each module by utilizing an optimization algorithm based on a neural network, and the working principle comprises monitoring network activity, formulating a defending strategy according to information and analysis results, and controlling the operation of attack display, monitoring, analysis, scheme generation, defending and adaptation modules so as to protect the network safety.
Further, the operation logic of the central control module 3 is as follows:
The central control module 3 monitors the overall state of the system in real time, coordinates and manages each module in the protection system by using an optimization algorithm based on a neural network, intelligently distributes system resources and priorities by evaluating the performance and response time of each module, and processes network environment changes and emerging threats by dynamically adjusting algorithm parameters.
The attack display module 4 is used for comparing and displaying network attacks;
further, the operation logic of the attack presentation module 4 is as follows:
Firstly, based on an ATT & CK framework, comparing an on-going attack behavior structure with an attack behavior structure in the ATT & CK framework to determine attack types and strategies, and then displaying attack sources, attack paths and weak points of attack behaviors in a visual mode.
And the monitoring module 5 is used for continuously monitoring and analyzing the network activities, timely discovering potential threats and vulnerabilities and identifying anomalies and potential threats by monitoring the network traffic and behaviors.
An analysis module 6 for collecting network activity data, analyzing the network attack, identifying potential threats and weak points of the protection system, and using an analysis algorithm to detect the threats and generate reports.
Further, the operation logic of the analysis module 6 is as follows:
s1, acquiring target network related data, carrying out integration processing by utilizing a data integration algorithm to acquire target network data, and then carrying out noise reduction processing on the target network data by utilizing a target network noise reduction algorithm (such as a filter and an outlier detection method) to acquire target network noise reduction data, wherein the target network related data comprises a log file, communication data and API data;
Further, the step of obtaining the target network data in step S1 includes:
S11, performing behavior data acquisition processing on a log file through a behavior acquisition technology (such as a network monitoring tool and a log management system) to obtain target network user behavior data, performing communication data acquisition processing on communication data through a data acquisition tool (such as WIRESHARK, TCPDUMP) to obtain target network communication data, performing decryption analysis processing on the target network API decryption data through a multi-service API interface (such as an AWS API, a Google Cloud API and the like) by utilizing a multi-service API key, and obtaining target network API decryption data;
s12, integrating the target network user behavior data, the target network communication data and the target network API decryption data by using a data integration algorithm (such as a data fusion technology) to obtain the target network data.
S2, performing feature extraction processing on the target network noise reduction data by using a feature extraction technology (such as a feature selection technology in a machine learning algorithm) to obtain target network data features, and performing data semantication processing on the target network data features by using a semantication conversion algorithm to obtain target network semantication data;
s3, carrying out data preprocessing on the target network semanteme data to obtain a target network semanteme specific data set, and then carrying out target network threat analysis on the target network semanteme specific data set according to a preset large language model (such as GPT and BERT) to obtain a target network threat reasoning result;
S4, performing fine tuning training processing on the target network threat reasoning result by utilizing a target network fine tuning technology to obtain a target network threat reasoning optimization result, and then performing autonomous adaptation processing on the target network threat reasoning optimization result by utilizing an adaptive adaptation technology (such as online learning and incremental learning) to obtain a target network threat adaptation result;
S5, performing vulnerability association analysis on the target network threat adaptation result by utilizing a vulnerability detection analysis algorithm (such as signature-based detection and behavior analysis) to obtain a target network threat vulnerability detection result, and then formulating a target network threat detection analysis report according to the target network threat vulnerability detection result so as to execute a corresponding target network threat analysis management strategy. The report should include vulnerability details, affected systems, recommended security reinforcement, etc.
A solution generating module 7, configured to generate a solution to the network problem according to the analysis result of the analyzing module 6, and provide a repair suggestion and a network security improvement policy;
further, the operation logic of the scheme generating module 7 is as follows:
The scheme generation module 7 automatically marks and records detailed data when the protection system discovers potential threats and vulnerabilities, and generates specific security reinforcement and repair schemes based on the identified potential threats and vulnerabilities.
The defending module 8 is used for actively simulating network attack and continuously monitoring, and changing the security defending strategy from passive to active to prevent potential threat, and can automatically respond to the attack and take necessary measures to protect the network.
And the adaptation module 9 is used for dynamically adjusting the test scene and the analysis strategy of the prediction model according to the change of the network environment and the new threat mode, so that the system can adapt to the continuously-changed threat and maintain high alertness and response capability.
Example 2:
referring to fig. 2, an active simulated intrusion assessment and full link visual protection method is applied to the system described in embodiment 1, and the method includes:
testing the internal structure and logic of a protection system based on a white box test method, and simulating various network attacks according to predefined attack scenes and strategies;
step two, comparing attack structures of various network attacks, displaying all links, and continuously monitoring and analyzing network activities;
analyzing and collecting network activity data and a network attack mode, and identifying weak points of potential threats and protection systems;
Generating a problem solution based on the potential threat and the weak point, actively simulating network attack, and converting a security defense strategy to prevent the potential threat;
And fifthly, repeating the first to fifth steps, and dynamically adjusting the test scene, the analysis strategy and the security defense strategy according to the environmental change of the network activity or the newly-appearing potential threat.
Example 3:
referring to fig. 3, an active analog intrusion assessment and full link visualization protective device comprises a processor 10 and a memory 11;
the memory 11 is used for storing computer program code 110 and for transmitting the computer program code 110 to the processor 10;
The processor 10 is configured to perform the active simulated intrusion assessment and full link visual protection method of embodiment 2 according to instructions in the computer program code 110.
Example 4:
A computer storage medium having stored thereon a computer program which when executed by a processor implements the active simulated intrusion assessment and full link visual protection method of embodiment 2.
In general, the computer instructions to implement the methods of the present invention may be carried in any combination of one or more computer-readable storage media. The non-transitory computer-readable storage medium may include any computer-readable medium, except the signal itself in temporary propagation.
The computer readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EKROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
Computer program code for carrying out operations of the present invention may be written in one or more programming languages, or combinations thereof, including an object oriented programming language such as Java, SMalltalk, C ++ and conventional procedural programming languages, such as the "C" language or similar programming languages, particularly Python languages suitable for neural network computing and TensorFlow, pyTorch-based platform frameworks may be used. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any number of types of networks, including a Local Area Network (LAN) or a Wide Area Network (WAN), or be connected to an external computer (for example, through the Internet using an Internet service provider).
The above-mentioned devices and non-transitory computer readable storage medium may refer to specific descriptions of active analog intrusion assessment and full-link visual protection systems and beneficial effects, and are not described herein.
While embodiments of the present invention have been shown and described above, it should be understood that the above embodiments are illustrative and not to be construed as limiting the invention, and that variations, modifications, alternatives, and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.