CN104219221A - Network security flow generating method and network security flow generating system - Google Patents


Info

Publication number
CN104219221A
Authority
CN
China
Prior art keywords
attack
security
network
action
traffic
Prior art date
Legal status
Pending
Application number
CN201410238904.8A
Other languages
Chinese (zh)
Inventor
郭瑞
Current Assignee
Individual
Original Assignee
Individual
Priority date
Filing date
Publication date
Application filed by Individual
Priority to CN201410238904.8A
Publication of CN104219221A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a network security traffic generation method and system based on attack vectors. The network entities to be simulated and the attack steps are determined from the target network attack scenario to be simulated; a security attack state sequence is built for the attack steps, and the complete security attack state sequence forms the attack vector. For unknown attack types whose attack steps are not known in advance, a traffic extraction method based on content and state is used to construct the attack vector. Based on the attack vector, an attack engine creates multi-process or multi-thread instances whose execution generates network security traffic data. The method simulates the client, the server and the interaction between them in the security attack process, automatically generates realistic security traffic with complete state, and supports new attacks and unknown security traffic by analysing and extracting existing attack traffic; it is highly extensible and practical. The attack-vector-based method and system are also simple to implement and highly feasible.

Description

Network security traffic generation method and system
Technical field
The present invention relates to the field of network testing, and in particular to a network security traffic generation method and system.
Background technology
Network security testing is an important means of checking and verifying the security of a network system and is widely used in the development and maintenance of network systems. The core of network security testing is to produce, automatically, malicious traffic data that matches real attack scenarios as closely as possible, to let the system under test (SUT) process it, and to observe how the tested network system behaves while processing this automatically generated security traffic, thereby verifying the security of the network system.
Current network security traffic generation methods are mainly the following:
1) Log replay: traffic data captured in a real network environment is replayed to reproduce the network attack scenario. This method has the following limitations: (1) the attack-scenario traffic must already be available; (2) replayed traffic often contains many packets that violate protocol semantics, which degrades the filtering accuracy of DPI equipment; (3) because of differences in network configuration and the like, captured traffic often cannot be replayed in a live network, so the applicable scenarios are few; (4) replay can hardly cover the full range of security attack types, nor produce controlled mixtures, so security threats cannot be assessed comprehensively; (5) replay can only detect whether the DPI equipment filtered the security traffic, not why filtering succeeded or failed. Points (1) and (2) show the lack of state and poor realism; (3) and (4) show poor flexibility.
2) Security rules: traffic data corresponding to firewall policy rules is generated automatically to test the firewall. This is very limited and can only test the validity of firewall rules. Its limitations are: (1) the traffic lacks attack semantic state, so false negatives and false positives are common; (2) many security attacks involve complex attack processes that security rules cannot express; (3) new attacks need careful reverse engineering to analyse their features, so extracting and constructing signatures for the latest attacks is difficult and inflexible. Points (1) and (2) show the lack of state and poor realism; (3) shows poor flexibility.
3) Controlled network: real security attack experiments, tests and analyses are carried out in a controlled or isolated environment built from virtual machines and the like. Its limitations are: (1) it cannot be applied to a real system to find and assess security threats; (2) it usually relies on real attack tools, the environment is complex to build, and the range of security attack types is very limited. This method is therefore very inflexible.
Summary of the invention
The invention provides a network security traffic generation method and system for network security testing that can flexibly generate many kinds of security attack traffic with complete state.
To this end, the invention provides a network security traffic generation method for network security testing, comprising:
For attacks of known type, the following steps:
Step 1) Traffic classification: classify according to the security traffic construction method, dividing network security traffic into malicious packets, application attacks and DoS attacks, and abstract the corresponding security traffic generation actions for each class;
Step 2) Attack decomposition: decompose the attack into several attack steps, define a corresponding security attack state for each step, combine the security attack states of the steps into a security attack state transition sequence for the attack, and express it as an attack vector, wherein a security attack state comprises a security traffic generation action and an optional response judgement;
Step 3) Attack construction: generate a security attack script from the attack vector;
Step 4) Traffic generation: execute the security attack script with an attack engine to generate network security traffic.
Further, for attacks of unknown type or new attacks, provided traffic data has been obtained, the attack vector used in the above steps is generated by the following steps:
Step 21) Traffic decomposition: decompose the security traffic into several network traffic sequences;
Step 22) Data identification: extract the behavioural features of each network traffic sequence and construct security attack states;
Step 23) Attack construction: build the security attack state transition sequence from the timestamp order of the traffic and the security attack states corresponding to the traffic sequences, and express it as an attack vector;
then proceed with step 3) attack construction and step 4) attack execution above.
Further, the security traffic generation actions support constructing attack data of any form and complete attack logic, and comprise the following classes: flow actions, data construction and parsing actions, and computation and control actions. The response judgement comprises collecting and processing the response of the target entity and judging whether the traffic generation action succeeded or failed.
Further, the basic flow actions are decomposed according to the protocol specification of the application protocol used by each network attack, the message interaction process of the application, or the interaction process between the simulated network entities.
Further, the message construction and parsing actions are decomposed according to the message formats defined in the protocol specification used by the network attack to be simulated and any special packets that may occur in that attack.
Further, the computation and control actions perform data operations and logic control and comprise basic arithmetic, logical operations and logic control actions.
Further, the behavioural features are extracted from the state features of the finite state transition automaton of the identified protocol type and expressed as traffic generation actions; the finite state transition automaton of the protocol corresponds to the attack vector of the traffic.
Further, when there are multiple attacks, the attack engine creates multiple processes or threads to execute the security attack scripts of the respective attacks concurrently.
Further, in the traffic decomposition step the obtained traffic data is decomposed according to the features of the data traffic.
To the same end, the invention also provides a network security traffic generation system which, for attacks of known type, comprises:
a traffic classification module for classifying according to the security traffic construction method, dividing network security traffic into malicious packets, application attacks and DoS attacks, and abstracting the corresponding security traffic generation actions for each class;
an attack decomposition module for decomposing the attack into several attack steps, defining a corresponding security attack state for each step, combining the security attack states of the steps into a security attack state transition sequence for the attack and expressing it as an attack vector, wherein a security attack state comprises a security traffic generation action and an optional response judgement;
an attack construction module for generating a security attack script from the attack vector;
a traffic generation module for executing the security attack script with an attack engine to generate network security traffic.
Compared with the prior art, the invention has the following advantages:
By simulating the client, the server and the interaction between them in the security attack process, the invention automatically generates realistic security traffic with complete state for many kinds of attacks, and by analysing and extracting existing attack traffic it supports new attacks and unknown security traffic; it is extensible and practical, simple to implement and highly feasible.
Description of the drawings
To explain the embodiments of the invention or the prior art more clearly, the drawings needed for the embodiments or for the description of the prior art are briefly introduced below. The drawings describe only some embodiments of the invention; those of ordinary skill in the art can derive other drawings from them without inventive effort.
Fig. 1 is a flow chart of the attack-vector-based network security traffic generation method of one embodiment of the invention;
Fig. 2 shows a typical attack process exploiting a remote code execution vulnerability, according to one embodiment of the invention;
Fig. 3 is the TCP finite state machine of one embodiment of the invention;
Fig. 4 shows the finite state machines of other protocols, according to one embodiment of the invention;
Fig. 5 shows a network scenario of one embodiment of the invention;
Fig. 6 shows a network scenario of another embodiment of the invention.
Detailed description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the invention; all other embodiments that those of ordinary skill in the art obtain from them without inventive effort fall within the scope of protection of the invention.
Fig. 1 is a flow chart of the attack-vector-based network security traffic generation method of one embodiment. As shown, the method comprises: Step 1) traffic classification: classify according to the security traffic construction method, dividing the traffic into malicious packets, application attacks and DoS attacks, and abstract the security traffic generation actions. Step 2) attack decomposition: decompose the attack into several attack steps and define a security attack state for each step; the attack is a security attack state transition sequence, expressed as an attack vector. Step 3) attack construction: generate a security attack script from the attack vector. Step 4) security traffic generation: execute the security attack script with the attack engine to generate network security traffic.
In the method above, the security attack state serves to assess security traffic generation, so that the whole attack process can be analysed and a detailed report of the success or failure of the security attack produced. A security attack state comprises a security traffic generation action and an optional response judgement. The response judgement collects and processes the response of the target entity and decides whether the traffic generation action succeeded or failed.
More specifically, in step 1) traffic classification, the traffic is classified according to the security traffic construction method into malicious packet attacks, application attacks and DoS attacks, and the security traffic generation actions are abstracted.
Table 1
TCP SYN Flood: one of the most common DoS (denial of service) methods. It exploits a weakness of the TCP protocol by sending large numbers of forged TCP connection requests so that the resources of the attacked party are exhausted (CPU fully loaded or memory exhausted).
UDP (User Datagram Protocol) Flood: an increasingly rampant volumetric DoS attack. It floods DNS (Domain Name System) servers, RADIUS (Remote Authentication Dial-In User Service) authentication servers or streaming video servers with large numbers of small UDP packets.
DNS Query Flood (DNS query attack): sends large numbers of domain name resolution requests to the attacked server, usually for randomly generated names or names that do not exist on the network at all. The attacked DNS server first looks for a cached entry for the requested name; if none is found and the server cannot resolve the name itself, it queries its upstream DNS servers recursively. Resolution therefore places a heavy load on the server, and once the number of resolution requests per second exceeds a certain level the DNS server times out when resolving names.
HTTP GET Flood: HTTP request flood attack.
Table 1 lists some typical attack types. In general, the traffic of a malicious packet attack tampers with packet contents or generates malformed packets and other packets that violate protocol semantics; an application attack normally conforms to protocol semantics but constructs special application-layer payloads to achieve the attack; and in a denial-of-service attack the packets are essentially identical apart from a few dynamic fields. The security traffic generation actions are therefore abstracted from the features of the attack type. They should support constructing attack data of any form and complete attack logic, and may comprise flow actions, data construction and parsing actions, and computation and control actions. Flow actions can be set from the message interaction process of the network attack to be simulated; data construction and parsing actions from its messages and data formats; computation and control actions from its attack steps.
For flow actions, the basic flow actions are decomposed from the protocol specification of the application protocol used by each network attack, from the message interaction process of the application, or from the interaction process between the simulated network entities: for example connect, send message, receive message and close connection. These flow actions make up the flow action set S1. Taking a typical application attack that exploits a remote code execution vulnerability as an example, Fig. 2 shows an attack process that exploits a phpMyAdmin remote code execution vulnerability. DUT (Device Under Test) denotes the tested device and NUT (Network Under Test) the tested network: if a Web server is tested, the Web server is the DUT; if the intermediate network node (or man in the middle) between the attacker and the Web server is tested, that intermediate network is the NUT. The attack of Fig. 2 mainly comprises establishing a TCP connection, sending an HTTP GET message, receiving an HTTP 200 OK message, sending an HTTP POST message, receiving an HTTP 200 OK message, and closing the TCP connection. The resulting flow action set S1 may comprise the actions CONNECT, DISCONNECT, SEND and RECV. The flow action set may include every action in the protocol specification or only those that relate to receiving and sending traffic data; this is decided freely according to the application protocol for which security traffic is to be generated. An application protocol has two parts: the data format and the protocol logic. Flow actions are generally used to generate the data format; one action may generate and send the whole traffic data, or several actions may build the data which is then sent by a send action. The specific traffic generation actions are not limited here; any actions designed according to the inventive concept that achieve the target effect can be used. Protocol logic is realised by the computation and control actions described below.
For data construction and parsing actions, the message construction and parsing actions are decomposed from the message formats defined in the protocol specification used by the network attack to be simulated and from any special packets that may occur in that attack. For the typical application attack scenario above, the message traffic of the scenario is constructed and parsed according to the HTTP specification:
* HTTP messages: some systems identify users and track sessions by storing cookie information on the user side, so the Cookie field of the HTTP header must be constructed from the cookie information returned after connection establishment. This needs a regular-expression matching action REGEXP and a message formatting action FORMAT, where REGEXP extracts data from the server response and FORMAT builds data from the extracted values. Building the URL to access often needs classic string operations, for example an APPEND action that concatenates strings. The data construction and parsing action set S2 may therefore comprise the instructions REGEXP, FORMAT and APPEND.
Computation and control actions comprise basic arithmetic, logical operations and logic control: addition, subtraction, multiplication, division, AND/OR/NOT, comparison, conditional jump, unconditional jump and so on. They are basic actions used for data operations and logic control. In the typical application attack scenario above, for example, the next attack state depends on whether the token and session ID were returned correctly, which requires condition judgement and jumps; these are the key operations that implement traffic generation logic. If the target scenario needs no traffic generation logic, i.e. generation is purely sequential, no condition and branch operations need be set. The computation and logic control action set S3 may therefore comprise the instructions CMP (compare), JZ (conditional jump) and JMP (unconditional jump). In general, traffic generation needs flexible use of computation and control instructions.
The traffic generation actions abstracted for the network attack type to be simulated (the typical application attack above) are listed in Table 2:
Table 2
Action Type Function
CMP S3 Compare
JZ S3 Conditional jump
JMP S3 Unconditional jump
APPEND S2 String concatenation
REGEXP S2 Regular-expression match
FORMAT S2 Format message
CONNECT S1 Establish connection
SEND S1 Send message
RECV S1 Receive message
DISCONNECT S1 Close connection
In step 2) attack decomposition, the attack is decomposed into several attack steps and a security attack state is defined for each step. A security attack state comprises a traffic generation action and an optional response judgement, and serves to assess security traffic generation. The attack is a security attack state transition sequence, expressed as an attack vector.
The response judgement is optional for each step of the attack vector; it receives and processes the response from the attack target. Data construction and parsing actions, for example, need no response judgement, since they construct traffic data directly in the required format, whereas the action that establishes a data connection must judge whether the connection was established, so it needs a response judgement.
The attack vector contains the complete security attack state transition sequence; complete states, real attack data and complete attack logic guarantee the completeness and realism of the security traffic.
In step 3) attack construction, the security attack script is generated from the attack vector.
The security attack script is not limited to a particular programming language; the script form can be designed flexibly as required. In one embodiment we use an attack script in XML format with embedded Perl; the script constructs and generates the security traffic data according to the global configuration and the code logic.
In step 4) security traffic generation, the security attack script is executed by the attack engine to generate network security traffic. The attack engine may also create multiple processes or threads and schedule the execution of security attack scripts on multi-core, multi-CPU and distributed systems. In a specific instance, the number of attack threads or processes is determined by the requirements of the network attack scenario to be simulated.
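The following is an added example, not code from the patent or from the inventor's system: a small interpreter for an attack vector written as a sequence of security attack states, each holding one action from the S1/S2/S3 sets of Table 2 and an optional response judgement, run against the Fig. 2 style flow (connect, GET, 200 OK, extract cookie, POST with the cookie, 200 OK, disconnect). The target is a constructed in-process stand-in for the DUT rather than a real Web server, the paths and payload are assumptions, and CMP/JZ follow the usual zero-flag convention (JZ jumps when the compared values were equal). It also shows the two outcomes the patent wants reported: a judgement that fails stops the vector with a FAIL record, and a missing cookie makes the JZ skip the POST.

```python
"""Added example (not from the patent): interpreter for an attack vector
made of security attack states (action + optional response judgement)."""
import re
from dataclasses import dataclass
from typing import Callable, Optional


class FakeTarget:
    """Constructed stand-in for the DUT (not a real phpMyAdmin): answers GET
    with a Set-Cookie header when it has a session, accepts a POST only when
    that cookie is echoed back, and answers 503 to everything when 'down'."""

    def __init__(self, session: Optional[str] = "sid=7f3a9c", down: bool = False):
        self.session, self.down, self.connected = session, down, False

    def connect(self) -> None:
        self.connected = True

    def send(self, msg: str) -> str:
        if not self.connected:
            raise RuntimeError("SEND before CONNECT")
        if self.down:
            return "HTTP/1.1 503 Service Unavailable\r\n\r\n"
        if msg.startswith("GET "):
            hdr = f"Set-Cookie: {self.session}\r\n" if self.session else ""
            return "HTTP/1.1 200 OK\r\n" + hdr + "\r\n"
        if msg.startswith("POST ") and self.session and f"Cookie: {self.session}" in msg:
            return "HTTP/1.1 200 OK\r\n\r\nexecuted"
        return "HTTP/1.1 403 Forbidden\r\n\r\n"

    def disconnect(self) -> None:
        self.connected = False


@dataclass
class State:
    """One security attack state: an action, its operands, and an optional
    judgement over the variable environment (which holds the last response)."""
    action: str
    args: tuple = ()
    judge: Optional[Callable[[dict], bool]] = None


def run_vector(vector, target):
    """Execute the state sequence on `target`; return the traffic trace.
    env holds named buffers, the last response `resp` and a zero flag `zf`."""
    env = {"resp": "", "zf": False}
    trace, pc = [], 0
    while pc < len(vector):
        st, a, args = vector[pc], vector[pc].action, vector[pc].args
        if a == "CONNECT":                       # S1 flow actions
            target.connect(); trace.append(("CONNECT", ""))
        elif a == "SEND":
            env["resp"] = target.send(env[args[0]]); trace.append(("SEND", env[args[0]]))
        elif a == "RECV":
            trace.append(("RECV", env["resp"]))
        elif a == "DISCONNECT":
            target.disconnect(); trace.append(("DISCONNECT", ""))
        elif a == "REGEXP":                      # S2 construct/parse actions
            m = re.search(args[1], env["resp"])
            env[args[0]] = m.group(1) if m else ""
        elif a == "FORMAT":
            env[args[0]] = args[1].format(**env)
        elif a == "APPEND":
            env[args[0]] += env[args[1]]
        elif a == "CMP":                         # S3 compute/control actions
            env["zf"] = env[args[0]] == args[1]
        elif a == "JZ":
            if env["zf"]:
                pc = args[0]; continue
        elif a == "JMP":
            pc = args[0]; continue
        else:
            raise ValueError(f"unknown action {a}")
        if st.judge is not None and not st.judge(env):
            trace.append(("FAIL", a))            # judgement failed: stop here
            break
        pc += 1
    return trace


def sent_messages(trace):
    """Messages actually emitted towards the target, in order."""
    return [m for kind, m in trace if kind == "SEND"]


def fig2_vector():
    """Hypothetical vector for the Fig. 2 flow; indices matter for the JZ."""
    ok = lambda e: e["resp"].startswith("HTTP/1.1 200")
    return [
        State("FORMAT", ("get", "GET /index.php HTTP/1.1\r\nHost: dut\r\n\r\n")),  # 0
        State("CONNECT"),                                                             # 1
        State("SEND", ("get",)),                                                      # 2
        State("RECV", judge=ok),                                                      # 3
        State("REGEXP", ("cookie", r"Set-Cookie: ([^\r\n]+)")),                       # 4
        State("CMP", ("cookie", "")),                                                 # 5
        State("JZ", (12,)),                     # no cookie: jump to DISCONNECT       # 6
        State("FORMAT", ("post", "POST /import.php HTTP/1.1\r\nHost: dut\r\nCookie: {cookie}\r\n\r\n")),  # 7
        State("FORMAT", ("body", "payload=constructed")),                             # 8
        State("APPEND", ("post", "body")),                                            # 9
        State("SEND", ("post",)),                                                     # 10
        State("RECV", judge=ok),                                                      # 11
        State("DISCONNECT"),                                                          # 12
    ]


if __name__ == "__main__":
    for kind, data in run_vector(fig2_vector(), FakeTarget()):
        print(kind, repr(data))
```

The trace is the "deep report" the patent describes: a FAIL entry names the state whose judgement failed, so the script can tell a dropped connection from a filtered POST instead of only seeing that no attack arrived.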
In another embodiment of the invention, a traffic extraction method based on content and state is provided for generating the attack vector. In outline, the method comprises: Step 21) traffic decomposition, decomposing the security traffic into several network traffic sequences; Step 22) data identification, extracting behavioural features from each network traffic sequence and constructing security attack states; Step 23) attack construction, building the security attack state sequence in the timestamp order of the traffic and expressing it as an attack vector.
More specifically, according to one embodiment, in step 21) traffic decomposition the security traffic is decomposed into several network traffic sequences. Decomposition can follow the features of each network traffic stream. For a captured log that mixes application attack traffic with background traffic, a session structure represents the interacting objects in the network attack scenario, such as a TCP connection or a UDP session. A session is uniquely identified by the standard five-tuple <dstIP, srcIP, dstPort, srcPort, protocol>. The mixed traffic data can thus be decomposed into traffic sequences by session five-tuple, and the particular attack flow is found from the known target port of the attacked application and the network configuration information. For session-less attack types, decomposition can use other attack features such as fixed-length packets or special packet field values.
In step 22) the protocol type and the interaction data of each traffic sequence are identified, and the attack behaviour features are extracted from the state features of the finite state automaton of the identified protocol type. Each attack behaviour feature corresponds to a security traffic generation action, so a security attack state corresponds to a state of the finite state automaton of the protocol session. According to the RFC standards of the protocols in the TCP/IP stack, protocol state machines fall into two classes: the complex state machine of the reliable, connection-oriented TCP, and the state machines of unreliable, connectionless protocols such as UDP and IP. The TCP state machine uses the standard state machine specified by the RFC, shown in Fig. 3, which guarantees the realism of the TCP traffic; the other protocols involve no complex state transitions, so their state machines are simple and can be summarised as in Fig. 4. Taking the isolated application attack traffic above as an example, suppose the application attack is a relatively complex TCP session: the session is characterised by an IP protocol field value of 6, and the connection establishment, data transfer and connection teardown stages can be distinguished by the corresponding TCP header fields. Concrete traffic generation actions can therefore be extracted from the TCP protocol state features and state transition automaton; for example, when the connection establishment stage reaches the ESTABLISHED state of Fig. 3, a CONNECT traffic generation action is generated.
In step 23) attack construction, the security attack state sequence is built in the timestamp order of the traffic and expressed as an attack vector. The timestamps of the traffic yield the complete state sequence of the attack, i.e. the attack vector, from which the security attack script is then generated automatically.
In the method above, the behavioural features can be extracted from the state features of the finite state transition automaton of the identified protocol type and expressed as traffic generation actions; the finite state transition automaton of the protocol corresponds to the attack vector of the traffic. Traffic generated in this way can have the same attack effect as real network attack traffic.
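The following is an added example, not code from the patent or from the inventor's system, of steps 21) to 23) above: a constructed packet log standing in for a captured mix of attack and background traffic is decomposed into sessions by five-tuple, the attack session is picked by its known target port, TCP flag transitions are walked through a reduced form of the Fig. 3 state machine (CONNECT on reaching ESTABLISHED, SEND/RECV on data, DISCONNECT on the first FIN) while a stateless protocol gets the flat Fig. 4 treatment, and the actions are ordered by timestamp into an attack vector. The addresses, ports and payloads are constructed and the packet-record layout is an assumption, not the patent's format.

```python
"""Added example (not from the patent): content-and-state traffic extraction
from a constructed packet log into an attack vector of S1 actions."""
from collections import defaultdict

# Constructed packet records (not real traffic), assumed layout:
# (timestamp, srcIP, srcPort, dstIP, dstPort, protocol, TCP flags, payload)
PACKETS = [
    (1.000, "10.0.0.5", 40001, "10.0.0.9", 53, "UDP", "", b"dns query"),        # background
    (1.010, "10.0.0.9", 53, "10.0.0.5", 40001, "UDP", "", b"dns answer"),
    (2.000, "10.0.0.7", 51234, "10.0.0.20", 80, "TCP", "S", b""),               # attack session
    (2.001, "10.0.0.20", 80, "10.0.0.7", 51234, "TCP", "SA", b""),
    (2.002, "10.0.0.7", 51234, "10.0.0.20", 80, "TCP", "A", b""),
    (2.100, "10.0.0.7", 51234, "10.0.0.20", 80, "TCP", "PA", b"GET /index.php HTTP/1.1\r\n\r\n"),
    (2.150, "10.0.0.20", 80, "10.0.0.7", 51234, "TCP", "PA", b"HTTP/1.1 200 OK\r\n\r\n"),
    (2.300, "10.0.0.7", 51234, "10.0.0.20", 80, "TCP", "PA", b"POST /import.php HTTP/1.1\r\n\r\nx"),
    (2.350, "10.0.0.20", 80, "10.0.0.7", 51234, "TCP", "PA", b"HTTP/1.1 200 OK\r\n\r\n"),
    (2.400, "10.0.0.7", 51234, "10.0.0.20", 80, "TCP", "FA", b""),
    (2.401, "10.0.0.20", 80, "10.0.0.7", 51234, "TCP", "FA", b""),
    (2.500, "10.0.0.5", 40002, "10.0.0.20", 443, "TCP", "S", b""),              # background
]


def session_key(pkt):
    """Direction-independent five-tuple, so both halves of one conversation
    map to the same session: (proto, ipA, portA, ipB, portB)."""
    _, sip, sport, dip, dport, proto, _, _ = pkt
    a, b = (sip, sport), (dip, dport)
    return (proto,) + (a + b if a <= b else b + a)


def decompose(packets):
    """Step 21: split the mixed log into per-session traffic sequences,
    each in timestamp order."""
    sessions = defaultdict(list)
    for p in sorted(packets, key=lambda p: p[0]):
        sessions[session_key(p)].append(p)
    return dict(sessions)


def tcp_actions(flow):
    """Step 22 for TCP: follow a reduced RFC 793 state machine from the
    initiator's side and emit an S1 action at each transition of interest."""
    state, initiator, actions = "CLOSED", None, []
    for ts, sip, sport, _, _, _, flags, payload in flow:
        from_init = (sip, sport) == initiator
        if state == "CLOSED" and flags == "S":
            initiator, state = (sip, sport), "SYN_SENT"
        elif state == "SYN_SENT" and "S" in flags and "A" in flags and not from_init:
            state = "ESTABLISHED"                        # SYN/ACK reached the initiator
            actions.append((ts, "CONNECT", b""))
        elif state == "ESTABLISHED" and "F" in flags:
            state = "CLOSED"                             # first FIN ends the session
            actions.append((ts, "DISCONNECT", b""))
        elif state == "ESTABLISHED" and payload:
            actions.append((ts, "SEND" if from_init else "RECV", payload))
    return actions


def udp_actions(flow):
    """Step 22 for a stateless protocol (Fig. 4 style): every datagram is a
    SEND from the first sender or a RECV from the other side."""
    initiator = (flow[0][1], flow[0][2])
    return [(ts, "SEND" if (sip, sport) == initiator else "RECV", payload)
            for ts, sip, sport, _, _, _, _, payload in flow]


def build_vector(packets, target_port):
    """Step 23: keep the sessions touching the known target port, map them
    to actions and order the result by timestamp, giving the attack vector."""
    vector = []
    for key, flow in decompose(packets).items():
        proto, _, port_a, _, port_b = key
        if target_port not in (port_a, port_b):
            continue
        vector += tcp_actions(flow) if proto == "TCP" else udp_actions(flow)
    return sorted(vector, key=lambda x: x[0])


if __name__ == "__main__":
    for ts, action, payload in build_vector(PACKETS, target_port=80):
        print(f"{ts:.3f} {action:<10} {payload[:24]!r}")
```

The background DNS and the stray SYN to port 443 end up in their own sessions and are dropped by the port filter; the port 80 session yields exactly the Fig. 2 sequence, and the payloads carried on the SEND/RECV entries are what the construction and parsing actions (S2) would then be derived from.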
In yet another embodiment of the present invention, a kind of network security traffic generating system is additionally provided.Summarize, this system comprises: traffic classification module, for classifying according to safe traffic building method, network security flow is divided into malicious packets, application attack and DoS attack, and takes out corresponding safe traffic generation action respectively; Attack decomposing module, for attack is decomposed into some attack steps, for each step defines a corresponding security attack state, the security attack state corresponding respectively to described some attack steps combines, obtain one group of security attack state transition sequence of corresponding attack, and be expressed as vector of attack, wherein, described security attack state comprises safe traffic and generates action and optionally respond judgement; Attack constructing module, for generating security attack script according to described vector of attack; Traffic generating module, for performing described security attack script, generating network safe traffic by attacking engine.
In addition, said system can also comprise: attack storehouse, for preserving the security attack script generating security attack flow; Attacking engine modules, for creating multi-process or multi-thread concurrent execution attack script, generating the security attack flow of mixing; User space protocol stack, for ensureing the generation of True Data flow.
This network security traffic generating system is simulated by attacking reciprocal process to client, service end and client in security attack process and service end, realize automation and generate the various authentic security flow with good working condition, and by extracting existing attack stream quantitative analysis, support new attack and unknown safe traffic.Such as, network scenarios as shown in Figure 5 can be simulated.Under this network traffics scene, safe traffic generation system connects system under test (SUT) by a paths, and entity is attacked in traffic generating system simulation, generates the attack traffic that same system under test (SUT) is mutual.
Again such as, network scenarios as shown in Figure 6 can also be simulated.Under this network traffics scene, traffic generating system connects system under test (SUT) by two paths, and traffic generating system simulates attack entity and the target entity of tested network system both sides simultaneously, generates the mutual flow between the network entity of system under test (SUT) both sides.Certainly, the flow scene obtained through compound by the flow scene of Fig. 5 and Fig. 6 can equally also be simulated.
In sum, the present invention, according to the objective network Attack Scenarios that will simulate, determines the network entity and the attack step that need simulation, for attack step sets up security attack status switch, and complete security attack status switch composition vector of attack.For the unknown attack type of uncertain attack step, adopt content-based and flow extracting method that is state, structure vector of attack.Based on vector of attack, performed to produce network security data on flows by the establishment multi-process of attack engine or thread instance.The method is by simulating client, service end and client in security attack process and service end reciprocal process, realize automation and generate the authentic security flow with good working condition, and by extracting existing attack stream quantitative analysis, support new attack and unknown safe traffic, be with good expansibility and practicality, and realizing simple, feasibility is high.
Those of ordinary skill in the art will appreciate that the accompanying drawings are schematic diagrams of one embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
Those of ordinary skill in the art will appreciate that the modules of the device in an embodiment may be distributed in the device of that embodiment as described, or may be changed accordingly and arranged in one or more devices different from the present embodiment. The modules of the above embodiment may be merged into one module or further split into multiple sub-modules.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A network security traffic generation method for network security testing, characterized in that it comprises:
For attacks of a known type, the following steps:
Step 1) traffic classification: classify according to the security traffic construction method, dividing network security traffic into malicious packets, application attacks and DoS attacks, and abstract the corresponding security traffic generation action for each;
Step 2) attack decomposition: decompose the attack into a number of attack steps, define a corresponding security attack state for each step, combine the security attack states corresponding to the attack steps to obtain a security attack state transition sequence for the attack, and express it as an attack vector, wherein the security attack state comprises a security traffic generation action and an optional response judgment;
Step 3) attack construction: generate a security attack script according to the attack vector;
Step 4) traffic generation: execute the security attack script with an attack engine to generate the network security traffic.
2. The method according to claim 1, characterized in that it further comprises:
For attacks of unknown type or novel attacks, on the premise that traffic data has been obtained, generating the attack vector used in the above steps by the following steps:
Step 21) traffic decomposition: decompose the security traffic into a number of network traffic sequences;
Step 22) data identification: extract the corresponding behavioural feature from each network traffic sequence and construct a security attack state;
Step 23) attack construction: construct a security attack state transition sequence from the timestamp order of the traffic and the security attack states corresponding to the respective network traffic sequences, and express it as an attack vector;
and then perform the above step 3) attack construction and step 4) attack execution.
3. The method according to claim 1, characterized in that the security traffic generation action supports constructing attack data of any form and complete attack logic, and comprises actions of the following classes: traffic actions, data construction and parsing actions, and computation and control actions; the response judgment comprises collecting and processing the response of the target entity and judging whether the traffic generation action succeeded or failed.
4. The method according to claim 3, characterized in that the basic traffic actions are decomposed according to the protocol specification of the application protocol used by each network attack, according to the message interaction process of the application, or according to the interaction process between the simulated network entities.
5. The method according to claim 3, characterized in that the message construction and parsing actions are decomposed according to the message formats defined in the protocol specification used by the network attack to be simulated and the special data packets that may occur in that network attack.
6. The method according to claim 3, characterized in that the computation and control actions are used for data computation and logic control, and comprise elementary arithmetic, logical operation and logic control actions.
7. The method according to claim 2, characterized in that the behavioural feature is extracted according to the state features of the finite state transition automaton of the identified protocol type, the behavioural feature is expressed as a traffic generation action, and the finite state transition automaton of the corresponding protocol corresponds to the attack vector of the corresponding traffic.
8. The method according to claim 1, characterized in that, if there are multiple attacks, when the security attack script is executed by the attack engine, multiple processes or threads are created to execute the security attack script corresponding to each attack concurrently.
9. The method according to claim 2, characterized in that, in the traffic decomposition step, the obtained traffic data is decomposed according to data traffic features.
10. A network security traffic generation system, characterized in that, for attacks of a known type, the system comprises:
a traffic classification module for classifying according to the security traffic construction method, dividing network security traffic into malicious packets, application attacks and DoS attacks, and abstracting the corresponding security traffic generation action for each;
an attack decomposition module for decomposing the attack into a number of attack steps, defining a corresponding security attack state for each step, combining the security attack states corresponding to the attack steps to obtain a security attack state transition sequence for the attack, and expressing it as an attack vector, wherein the security attack state comprises a security traffic generation action and an optional response judgment;
an attack construction module for generating a security attack script according to the attack vector;
a traffic generation module for executing the security attack script with an attack engine to generate the network security traffic.
Application CN201410238904.8A (priority date and filing date 2014-05-30): Network security flow generating method and network security flow generating system. Publication CN104219221A, published 2014-12-17. Family ID 52100357. Country: CN. Status: pending.
Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106161446A (en) * 2016-07-12 2016-11-23 天脉聚源(北京)传媒科技有限公司 The login method of a kind of phpMyAdmin database management tools and device
CN107426053A (en) * 2017-07-26 2017-12-01 成都科来软件有限公司 A kind of automation building method of packet load
CN109040141A (en) * 2018-10-17 2018-12-18 腾讯科技(深圳)有限公司 Detection method, device, computer equipment and the storage medium of abnormal flow
CN109547405A (en) * 2018-10-11 2019-03-29 上海交通大学 Automated network attack traffic acquisition methods and system based on Python
CN111930078A (en) * 2020-06-21 2020-11-13 中国舰船研究设计中心 Network testing device for core control system
CN112804220A (en) * 2020-12-31 2021-05-14 北京天融信网络安全技术有限公司 Firewall testing method and device, electronic equipment and storage medium
CN115022036A (en) * 2022-06-01 2022-09-06 中国科学院计算技术研究所 Attack traffic generation method and system and network security test system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101447991A (en) * 2008-11-19 2009-06-03 中国人民解放军信息安全测评认证中心 Test device used for testing intrusion detection system and test method thereof
US7620989B1 (en) * 2004-02-19 2009-11-17 Spirent Communications Inc. Network testing methods and systems
CN101699815A (en) * 2009-10-30 2010-04-28 华南师范大学 Network attack automatic execution/exhibition system and method
CN102821002A (en) * 2011-06-09 2012-12-12 中国移动通信集团河南有限公司信阳分公司 Method and system for network flow anomaly detection


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20141217