CN114629686A - Vulnerability attack detection method and device - Google Patents

Info

Publication number: CN114629686A
Application number: CN202210158834.XA
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: attack, vulnerability, characteristic data, data, target
Inventors: 沈子力, 艾美珍, 杨德运, 王斌, 谈文彬
Current assignee: Qax Technology Group Inc; Secworld Information Technology Beijing Co Ltd
Original assignee: Qax Technology Group Inc; Secworld Information Technology Beijing Co Ltd
Application filed by Qax Technology Group Inc, Secworld Information Technology Beijing Co Ltd

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication)
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis


Abstract

The invention discloses a vulnerability attack detection method and device, which relate to the technical field of vulnerability detection and mainly aim to make flexible use of the attack flows of a vulnerability attack provider. The main technical scheme comprises: acquiring vulnerability attack data packets of N attack flows sent to a first target drone, wherein the N attack flows come from at least one vulnerability attack provider and N is a positive integer greater than or equal to 2; analyzing the vulnerability attack data packets to obtain the attack characteristic data corresponding to each attack flow; combining and processing the attack characteristic data to form an attack flow message aimed at a second target drone; and carrying out a vulnerability attack on the second target drone based on the attack flow message.

Description

Vulnerability attack detection method and device
Technical Field
The invention relates to the technical field of vulnerability detection, and in particular to a vulnerability attack detection method and device.
Background
With the continuous development of attack techniques, vulnerabilities have become the main factor affecting software security. A vulnerability provides an attacker with an entry point and a path for malicious intrusion, allowing the software system to be accessed or damaged without authorization.
In order to reduce the possibility of malicious attacks on a software system, vulnerability attack detection needs to be performed on it to find the vulnerabilities it contains, and the results of that detection are an important basis for subsequently repairing those vulnerabilities.
At present, vulnerability attack detection on a software system is generally performed with a security vulnerability scanning tool provided by a security organization, which serves as the vulnerability attack provider. Such a tool is usually assembled by a security organization, and the attack traffic it contains is packaged in advance. When the tool is used, even if the software system only needs part of the attack traffic in the tool, the vulnerability attack must be carried out with the tool as a whole, including all of its attack traffic. In addition, when several security vulnerability scanning tools need to be used, the attack flows in the different tools cannot be invoked in a unified way to perform vulnerability attack detection on the software system.
Therefore, a vulnerability attack detection method and device that can make flexible use of the attack traffic of vulnerability attack providers are urgently needed.
Disclosure of Invention
In view of this, the present invention provides a vulnerability attack detection method and apparatus, whose main aim is to make flexible use of the attack traffic of a vulnerability attack provider.
In order to achieve the above purpose, the present invention mainly provides the following technical solutions:
In a first aspect, the present invention provides a vulnerability attack detection method, comprising:
acquiring vulnerability attack data packets of N attack flows sent to a first target drone, wherein the N attack flows come from at least one vulnerability attack provider and N is a positive integer greater than or equal to 2;
analyzing the vulnerability attack data packets to obtain the attack characteristic data corresponding to each attack flow;
combining and processing the attack characteristic data to form an attack flow message aimed at a second target drone;
and carrying out vulnerability attack detection on the second target drone based on the attack flow message.
In a second aspect, the present invention provides a vulnerability attack detection apparatus, comprising:
an acquiring unit for acquiring vulnerability attack data packets of N attack flows sent to the first target drone, wherein the N attack flows come from at least one vulnerability attack provider and N is a positive integer greater than or equal to 2;
an analysis unit for analyzing the vulnerability attack data packets to obtain the attack characteristic data corresponding to each attack flow;
a combination unit for combining and processing the attack characteristic data to form an attack flow message aimed at the second target drone;
and a detection unit for carrying out vulnerability attack detection on the second target drone based on the attack flow message.
In a third aspect, the present invention provides a computer-readable storage medium, where the storage medium includes a stored program, and when the program runs, the apparatus on which the storage medium is located is controlled to execute the vulnerability attack detection method according to the first aspect.
In a fourth aspect, the present invention provides an electronic device, comprising: a memory for storing a program; a processor, coupled to the memory, for executing the program to perform the vulnerability attack detection method of the first aspect.
By means of the above technical scheme, when a vulnerability attack detection requirement exists, the vulnerability attack detection method and device obtain the vulnerability attack data packets of a plurality of attack flows sent to the first target drone, where the attack flows come from at least one vulnerability attack provider. The vulnerability attack data packets are analyzed to obtain the attack characteristic data corresponding to each attack flow. The attack characteristic data are then combined and processed to form an attack flow message aimed at the second target drone, and finally vulnerability attack detection is carried out on the second target drone based on that attack flow message. In this way, the scheme provided by the invention can uniformly extract the attack characteristic data that reflect the exploitation methods accumulated by the vulnerability attack providers, and obtain an attack flow message aimed at the second target drone by recombining that data, so that an attack flow message meeting the vulnerability attack detection requirements of the second target drone is used to detect vulnerabilities in it. The scheme therefore makes flexible use of the attack flows of the vulnerability attack providers while still building on the exploitation methods they have accumulated.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart illustrating a vulnerability attack detection method according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating a vulnerability attack detection method according to another embodiment of the present invention;
Fig. 3 is a schematic structural diagram illustrating a vulnerability attack detection apparatus according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram illustrating a vulnerability attack detection apparatus according to another embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Vulnerabilities are defects in the functional design of a software system or errors in its implementation. With the continuous development of attack techniques, vulnerabilities have become the main factor affecting software security. A vulnerability provides an attacker with an entry point and a path for malicious intrusion, so that the attacker can access or damage the software system without authorization.
In order to reduce the possibility of malicious attacks on a software system, vulnerability attack detection needs to be performed on it to find the vulnerabilities it contains. Vulnerability attack detection is an important step in correcting the vulnerabilities in a software system, and its results are an important basis for subsequently repairing them.
At present, vulnerability attack detection on a software system is generally performed with a security vulnerability scanning tool provided by a security organization, which serves as the vulnerability attack provider. Such a tool is usually assembled by a security organization, and the attack traffic it contains is packaged in advance. When the tool is used, even if the software system only needs part of the attack traffic in the tool, vulnerability attack detection must be carried out with the tool as a whole, including all of its attack traffic. For example, suppose a security vulnerability scanning tool contains 100 attack flows and the software system only needs the 50 attack flows whose attack classification in the tool is 1; the tool is still used as a whole, with all 100 attack flows, to perform vulnerability attack detection on the software system. In addition, when several security vulnerability scanning tools need to be used, the attack flows in the different tools cannot be invoked in a unified way to perform vulnerability attack detection on the software system. For example, if vulnerability scanning tool 1 and vulnerability scanning tool 2 both need to be used to scan a software system, the two tools cannot be invoked together: tool 2 can only be invoked after tool 1 has finished.
Therefore, existing vulnerability attack detection methods cannot make flexible use of the attack flows of vulnerability attack providers. In order to do so, an embodiment of the invention provides a vulnerability attack detection method and device, which are explained in detail below.
As shown in fig. 1, an embodiment of the present invention provides a vulnerability attack detection method, which mainly includes:
101. Acquiring the vulnerability attack data packets of N attack flows sent to the first target drone, where the N attack flows come from at least one vulnerability attack provider.
A vulnerability attack provider is an object that launches attack traffic at the first target drone (the target machine under test). There are at least the following two types of vulnerability attack provider. First, a security vulnerability scanning tool provided by a security organization: such a tool contains a large number of attack flows, each of which carries virus code or Trojan code and can perform attack detection on vulnerabilities in a software system. Second, an independently existing attack script: the script provides one attack flow, which contains virus code or Trojan code, and is written according to the rules of an exploitation framework after business personnel discover a new vulnerability attack mode.
When there is a need to make flexible use of the attack traffic of vulnerability attack providers, the number and type of vulnerability attack providers are determined according to that need. The selection of vulnerability attack providers is illustrated below:
For example, when the attack traffic of a single vulnerability attack provider needs to be used flexibly, one vulnerability attack provider is selected; the selected provider is a security vulnerability scanning tool provided by a security organization and contains N attack flows, where N is a positive integer greater than or equal to 2.
For example, when the attack traffic of several vulnerability attack providers needs to be used flexibly, several providers are selected; the total number of their attack flows is N, and N is greater than or equal to the number of providers. The case of several vulnerability attack providers includes the following situations: first, all the providers are security vulnerability scanning tools, in which case the attack flows in those tools can be used flexibly; second, all the providers are independently existing attack scripts, in which case the attack flows provided by those scripts can be used flexibly; third, the providers include both a security vulnerability scanning tool and an independently existing attack script, in which case the attack flows of the tool and the script can be integrated and used flexibly.
It should be noted that, for a vulnerability attack provider with a single attack flow, that attack flow belongs to one attack classification. For a provider with several attack flows, the attack flows may belong to the same attack classification or to at least two attack classifications. Each attack classification corresponds to a software function, and the attack flows belonging to that classification perform vulnerability attack detection on the code of the corresponding software function.
The attack target of the vulnerability attack providers is the first target drone: all the selected providers attack the first target drone. The first target drone is a machine on which a software system is deployed, and the deployed software system is the object under attack. When the first target drone is attacked, the attack traffic of the required vulnerability attack providers is sent to it, so that the vulnerability attack data packets of the N attack flows sent to the first target drone by the selected providers can be obtained. The obtained vulnerability attack data packets are the data basis for making flexible use of the attack flows of the selected providers.
The vulnerability attack data packets are acquired with a packet capturing tool, which captures the data of the attack flows sent to the first target drone. The packet capturing tool is started before the vulnerability attack providers attack the first target drone. The providers then attack the first target drone, and the packet capturing tool intercepts the data of every attack flow sent to it. After all the providers have finished attacking, the packet capturing tool is closed. The vulnerability attack data packet produced by the packet capturing tool is a packet capture (pcap) file containing the attack traffic data of the attack flows that attacked the first target drone. After the packet capturing tool has produced the vulnerability attack data packet, it is obtained from the tool. The specific type of packet capturing tool is not limited in this embodiment; optionally, it is the Wireshark packet capturing tool.
It should be noted that this embodiment does not limit the number of vulnerability attack data packets produced by the packet capturing tool. For example, each attack flow may have its own vulnerability attack data packet; all attack flows may correspond to the same vulnerability attack data packet; there may be several vulnerability attack data packets, each corresponding to a part of the attack flows; or each vulnerability attack provider may correspond to one vulnerability attack data packet.
The vulnerability attack data packet is the data basis for making flexible use of the attack flows of the selected vulnerability attack providers. It contains attack traffic data, which consist of initiator data and responder data: the initiator data are the data with which the vulnerability attack provider launches the attack on the first target drone, and the responder data are the data with which the first target drone responds to the provider. The attack characteristic data are contained in the initiator data and are the data that carry virus code or Trojan code.
For example, the attack traffic data in the vulnerability attack data packet include: attack traffic name, attack traffic sending time, source IP, source port, destination IP, destination port, HTTP method, URI, HTTP version, response code, response message, HTTP header and HTTP body. The source IP, source port, response code and response message are responder data, where the source IP is the IP of the vulnerability attack provider and the source port is its port. The attack traffic name, attack traffic sending time, destination IP, destination port, HTTP method, URI, HTTP version, HTTP header and HTTP body are initiator data, where the destination IP is the IP of the first target drone, the destination port is its port, the HTTP method is the transport protocol method, the HTTP version is the transport protocol version, the HTTP header is the transport protocol header, the HTTP body is the transport protocol body and the URI is the resource identifier of the attack traffic. The HTTP method, URI, HTTP version, HTTP header and HTTP body are the attack characteristic data, i.e. the data with a high probability of carrying virus code or Trojan code.
102. Analyzing the vulnerability attack data packets to obtain the attack characteristic data corresponding to each attack flow.
The attack traffic data in the vulnerability attack data packet consist of initiator data and responder data. The attack characteristic data are contained in the initiator data, are the data that carry virus code or Trojan code, and are the data basis for making flexible use of the attack flows of the selected vulnerability attack providers.
The attack characteristic data exist inside the vulnerability attack data packet and must be obtained by analyzing it. The process of analyzing the vulnerability attack data packet to obtain the attack characteristic data corresponding to each attack flow comprises the following steps:
Step one, analyzing the vulnerability attack data packet to obtain the attack traffic data corresponding to each attack flow.
The vulnerability attack data packet contains the attack traffic data, so when it is analyzed it can be decomposed directly into a transport protocol log, such as an HTTP log. The transport protocol log is stored in a preset format, which may be, but is not limited to, JSON.
The decomposed transport protocol log contains the attack traffic data, which consist of initiator data and responder data. For example, the transport protocol log contains the attack traffic data of several attack flows, and for one attack flow the corresponding attack traffic data include the attack traffic name, attack traffic sending time, destination IP, destination port, HTTP method, URI, HTTP version, HTTP header and HTTP body as initiator data.
Step two, extracting the data with the target attribute from each attack traffic data as the corresponding attack characteristic data.
For one attack flow, the data that can carry out a vulnerability attack on the target drone are determined to be the data carrying virus code or Trojan code, so those data need to be extracted as the attack characteristic data, which are then used to combine an attack flow message meeting the vulnerability attack detection requirements of the second target drone.
The data with the target attribute in each attack traffic data are extracted as the corresponding attack characteristic data. The data with the target attribute are the data with a high probability of carrying virus code and/or Trojan code, which is why they need to be extracted as the attack characteristic data. For example, the data with the target attribute include the HTTP method, URI, HTTP version, HTTP header and HTTP body, so the attack characteristic data are: HTTP method, URI, HTTP version, HTTP header, HTTP body.
103. And combining and processing the attack characteristic data to form an attack flow message aiming at the second target drone.
The second target drone is a machine with a software system deployed, and the deployed software system is an attacked object. The second drone aircraft and the first drone aircraft may be the same or different, and the same here means that the first drone aircraft and the second drone aircraft are machines deploying the same software system, that is, the same software system or software systems with the same functions. The difference here means that the first drone and the second drone are machines that deploy different software systems, i.e. software systems that are partially or completely different in function. It should be noted that, no matter whether the first drone aircraft and the second drone aircraft are the same or different, the attack traffic sent to the first drone aircraft by the vulnerability attack provider has the attack traffic for the second drone aircraft to use flexibly.
The attack traffic message is formed for the second drone aircraft, and the attack traffic included in the attack traffic message needs to meet the vulnerability attack detection requirement of the second drone aircraft. Therefore, when an attack traffic packet for the second drone is formed, each attack feature data needs to be combined based on the vulnerability attack detection requirement of the second drone. The following describes a specific process for processing each attack feature data in a combined manner to form an attack traffic message for a second drone, where the process includes the following first to second steps:
step one, M target attack characteristic data are selected from the N attack characteristic data.
The target attack characteristic data is the attack characteristic data meeting the vulnerability attack detection requirement of the second drone, and is selected from all attack characteristic data. The method for selecting M target attack characteristic data from all attack characteristic data comprises the following steps:
firstly, attack characteristic data corresponding to one or more vulnerability attack providers in vulnerability attack providers which initiate attacks to a first target drone are selected as target attack characteristic data.
The method is suitable for the following scenes: and intensively using the attack traffic of one or more vulnerability attack providers to detect the vulnerability attack of the second drone aircraft. That is, the vulnerability attack detection requirement of the second drone is to centrally use the attack traffic of one or more vulnerability attack providers to perform vulnerability attack detection thereon.
The vulnerability attack providers involved in the target attack characteristic data have the following situations: the first is that the vulnerability attack providers are one or more, and each vulnerability attack provider corresponds to one or more attack classifications. For an attack classification, the attack classification corresponds to a software function, and attack traffic belonging to the attack classification performs vulnerability attack detection on codes of the corresponding software function. Secondly, a plurality of vulnerability attack providers are provided, one vulnerability attack provider only corresponds to one attack classification, and different vulnerability attack providers correspond to different attack classifications. And for a vulnerability attack provider, the vulnerability attack provider can only use the attack flow included by the vulnerability attack provider to detect the vulnerability attack of the codes of the software functions corresponding to the attack classification in the software system. And thirdly, a plurality of vulnerability attack providers are provided, one vulnerability attack provider corresponds to only one attack classification, different vulnerability attack providers correspond to the same attack classification, and all vulnerability attack providers use the attack flow included by the vulnerability attack providers to carry out vulnerability attack detection on codes of the same software function in the software system. For a vulnerability in a software system, there may be a possibility of false alarm when attack detection is performed only by using the attack traffic in one vulnerability attack provider, so that it is necessary to perform attack detection on the vulnerability attack provider by using a plurality of vulnerability attack providers to reduce the possibility of false alarm. 
And fourthly, combining the situations of the second step and the third step, wherein the vulnerability attack providing directions are multiple, one vulnerability attack providing party only corresponds to one attack classification, and vulnerability attack providing parties with the same attack classification and vulnerability attack providing parties with different attack classifications exist in the vulnerability attack providing parties.
It should be noted that, in order to save the collection time of the attack techniques in the vulnerability attack process and increase the accumulation amount of the attack techniques, the attack characteristic data corresponding to all vulnerability attack providers that launch attacks on the first drone may be selected as the target attack characteristic data.
Second, determine the repeatedly existing attack characteristic data and the separately existing attack characteristic data among the N attack characteristic data; for the repeatedly existing attack characteristic data, select one attack characteristic data to retain and remove the unselected attack characteristic data; and select the separately existing attack characteristic data and the retained attack characteristic data as the target attack characteristic data.
This method is suitable for the following scenario: repeated attack detection on the same vulnerability is to be avoided. That is, the vulnerability attack detection requirement of the second target drone is that repeated attack detection on the same vulnerability be avoided.
Repeatedly existing attack characteristic data may cause the same vulnerability in the second target drone to be attack-detected more than once, which increases the time cost of vulnerability attack detection and the cost of attack operations. Therefore, in order to avoid repeated attack detection on the same vulnerability, the repeatedly existing attack characteristic data among all attack characteristic data needs to be determined.
After the repeatedly existing attack characteristic data is determined, one attack characteristic data is selected from it to be retained, and the unselected attack characteristic data is removed. The attack characteristic data to retain may be selected in either of two ways: first, selecting it at random; second, displaying the repeatedly existing attack characteristic data in an interactive window for service personnel to choose from, so that the service personnel select the attack characteristic data to retain based on their service experience. Once the selection is made, the selected attack characteristic data is retained and the remaining unselected attack characteristic data is removed.
After the repeatedly existing attack characteristic data has been processed, the separately existing attack characteristic data and the retained attack characteristic data are selected as the target attack characteristic data. Because the separately existing attack characteristic data and the retained attack characteristic data contain no repeats, when an attack traffic message is formed from this data and attack detection is performed on the second target drone based on the attack traffic message, repeated attack detection of the same vulnerability in the second target drone is avoided.
Third, determine the attack classification corresponding to each attack characteristic data, and select the attack characteristic data corresponding to at least one attack classification as the target attack characteristic data, where the at least one attack classification is determined based on the vulnerability attack detection requirement of the second target drone.
This method is suitable for the following scenario: vulnerability attack detection is to be performed on the code of a specified function in the second target drone. That is, the vulnerability attack detection requirement of the second target drone is vulnerability attack detection on the code of a specified function.
In some specific scenarios, the second target drone needs vulnerability attack detection performed on the code of one or more specific functions, so in order to make vulnerability attack detection more targeted, the attack traffic message for the second target drone needs to be formed from the attack characteristic data corresponding to those specific functions. One such scenario is the following: the functions of the software system of the second target drone are developed in a certain order, and while one function is being developed, the software system, or the code of the functions developed before it, needs to undergo vulnerability attack detection.
The attack classification corresponding to each attack characteristic data can be determined from the attack traffic corresponding to that attack characteristic data. In general, the vulnerability attack provider identifies the attack classification corresponding to its attack traffic, so the attack classification of each attack characteristic data can be determined from the attack classification of the corresponding attack traffic. For an attack classification, the attack classification corresponds to a software function, and the attack traffic belonging to that classification performs vulnerability attack detection on the code of the corresponding software function. After the attack classification corresponding to each attack characteristic data is determined, the attack characteristic data whose attack classification belongs to the vulnerability attack detection requirement of the second target drone is selected as the target attack characteristic data.
Fourth, remove the attack characteristic data corresponding to first attack traffic, where the first attack traffic is attack traffic marked as abnormal, and select the attack characteristic data that has not been removed as the target attack characteristic data.
A vulnerability attack provider is provided by a security organization or written by service personnel, so it is limited by the capabilities of that organization or personnel, and some of its attack traffic may have quality problems. Such quality problems may cause a vulnerability to be falsely reported or to go undetected, and attacking a target drone with attack traffic that has quality problems can threaten the security of the software system, so such attack traffic needs to be avoided.
In order to avoid using attack traffic with quality problems, service personnel can summarize the attack traffic with quality problems based on experience from previous vulnerability attack projects and enter it into a preset document, which records the attack traffic with quality problems as first attack traffic; that is, the first attack traffic is marked as abnormal attack traffic. When an attack traffic message for the second target drone needs to be generated, the preset document is read, the attack characteristic data corresponding to the first attack traffic is removed, and the attack characteristic data that has not been removed is selected as the target attack characteristic data, so that attack detection on the second target drone with attack traffic that has quality problems is avoided.
Step two: integrate each target attack characteristic data to form the attack traffic message.
The integrated target attack characteristic data exist as attack traffic within the attack traffic message. The attack traffic message is equivalent to a new vulnerability attack provider: the attack traffic it includes is formed by flexibly using the attack traffic of one or more vulnerability attack providers based on the vulnerability attack detection requirement of the second target drone, so the attack traffic message can launch an attack on the second target drone and meet that requirement.
The process of integrating each target attack characteristic data to form the attack traffic message is as follows: process each target attack characteristic data into a preset format to form the attack traffic corresponding to that target attack characteristic data, and integrate the formed attack traffic to obtain the attack traffic message.
The preset format defines the positional relationship among the items of data within a target attack characteristic data; once that positional relationship is determined, the attack traffic corresponding to the target attack characteristic data is formed. The embodiments do not specifically limit the preset format; as an example, the preset format is: HTTP method + URI + HTTP version + HTTP header + HTTP body.
After the attack traffic of each target attack characteristic data is determined, the formed attack traffic is added to a preset document to form the attack traffic message. In the attack traffic message, a serial number is set for each formed attack traffic, and the correspondence between each serial number and its attack traffic is established.
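As an added example (not code from the patent), the three selection strategies above and the integration step in one small Python pipeline. The data model, the "METHOD URI" layout of the preset document of abnormal traffic, and the sample records are assumptions made here for illustration.

```python
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class AttackFeature:
    """One attack characteristic data record (hypothetical model, not the patent's)."""
    provider: str          # vulnerability attack provider the traffic came from
    classification: str    # attack classification, i.e. one software function
    method: str
    uri: str
    version: str
    headers: tuple         # ((name, value), ...) in original order
    body: str

    def key(self):
        # Two records are "repeatedly existing" when their request content is
        # identical, whichever provider supplied them.
        return (self.method, self.uri, self.version, self.headers, self.body)


def deduplicate(features, chooser=None):
    """Strategy two of the text: keep one record from each group of repeatedly
    existing data (chosen at random, or by service personnel via `chooser`);
    separately existing records are kept as they are, in input order."""
    chooser = chooser or random.choice
    groups = {}
    for f in features:
        groups.setdefault(f.key(), []).append(f)
    return [g[0] if len(g) == 1 else chooser(g) for g in groups.values()]


def select_by_classification(features, wanted):
    """Strategy three: keep only the classifications the second target drone requires."""
    return [f for f in features if f.classification in wanted]


def remove_abnormal(features, preset_document):
    """Strategy four: drop records listed as first (abnormal) attack traffic in the
    preset document, assumed here to hold one 'METHOD URI' pair per line."""
    abnormal = {tuple(line.split(None, 1))
                for line in preset_document.splitlines() if line.strip()}
    return [f for f in features if (f.method, f.uri) not in abnormal]


def to_preset_format(f):
    """Lay a record out as HTTP method + URI + HTTP version + HTTP header + HTTP body."""
    request_line = f"{f.method} {f.uri} {f.version}\r\n"
    header_block = "".join(f"{name}: {value}\r\n" for name, value in f.headers)
    return request_line + header_block + "\r\n" + f.body


def integrate(targets):
    """Form the attack traffic message: serial number -> formatted attack traffic."""
    return {serial: to_preset_format(f) for serial, f in enumerate(targets, start=1)}


def build_message(features, wanted=None, preset_document=""):
    """Apply the selection strategies in turn, then integrate the survivors."""
    targets = deduplicate(features, chooser=lambda g: g[0])   # deterministic choice
    if wanted is not None:
        targets = select_by_classification(targets, wanted)
    targets = remove_abnormal(targets, preset_document)
    return integrate(targets)


# Constructed sample: four records from two hypothetical providers. The first two
# are the same request captured from different providers (repeatedly existing).
FORM = (("Host", "target.example"), ("Content-Type", "application/x-www-form-urlencoded"))
SAMPLE = [
    AttackFeature("provider-A", "login", "POST", "/login", "HTTP/1.1", FORM, "user=test&pass=test"),
    AttackFeature("provider-B", "login", "POST", "/login", "HTTP/1.1", FORM, "user=test&pass=test"),
    AttackFeature("provider-A", "search", "GET", "/search?q=test", "HTTP/1.1",
                  (("Host", "target.example"),), ""),
    AttackFeature("provider-B", "upload", "POST", "/upload", "HTTP/1.1",
                  (("Host", "target.example"), ("Content-Length", "0")), ""),
]

# Constructed preset document marking one request as abnormal (first attack traffic).
ABNORMAL_DOCUMENT = "POST /upload\n"

if __name__ == "__main__":
    for serial, traffic in build_message(SAMPLE, {"login", "upload"}, ABNORMAL_DOCUMENT).items():
        print(serial, repr(traffic))
```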
104. Perform vulnerability attack detection on the second target drone based on the attack traffic message.
The attack traffic message is obtained by flexibly combining the attack traffic of one or more vulnerability attack providers for the second target drone, and can meet the vulnerability attack detection requirement of the second target drone to the greatest extent.
The attack traffic message includes one or more attack traffic, and the vulnerability attack on the second target drone is performed as vulnerability attack detection based on the attack traffic message. Before that detection, the address and port of the second target drone need to be acquired, after which the attack traffic in the attack traffic message is invoked to perform vulnerability attack detection on the second target drone based on that address and port.
The purpose of obtaining the address and port of the second target drone is to set the attack path for the attack traffic message. After the address and port are obtained, the attack path is set, and the attack traffic in the attack traffic message is invoked and sent to the second target drone along that path, so that the attack traffic performs vulnerability attack detection on the second target drone.
The main purpose of performing vulnerability attack detection on the second target drone based on the attack traffic message is to discover the vulnerabilities present in the second target drone. The specific process is therefore as follows: judge whether second attack traffic exists among the attack traffic sent to the second target drone, where the second attack traffic is the attack traffic in the attack traffic message that the threat detection device detected. When it is judged that second attack traffic exists among the attack traffic sent to the second target drone, a vulnerability prompt is sent based on the second attack traffic. When it is judged that no second attack traffic exists among the attack traffic sent to the second target drone, a prompt that the second target drone has no vulnerability is sent.
When it is judged that second attack traffic exists among the attack traffic sent to the second target drone, this indicates that a vulnerability exists in the second target drone and that the second attack traffic succeeded in attacking it. So that the vulnerabilities in the software system of the second target drone can be repaired promptly, a vulnerability prompt is sent based on the second attack traffic, letting service personnel know which vulnerabilities need to be repaired so that they can repair them as soon as possible in a targeted manner.
When it is judged that no second attack traffic exists among the attack traffic sent to the second target drone, this indicates that the second target drone has no vulnerability corresponding to the attack traffic in the attack traffic message. A prompt that the second target drone has no vulnerability is sent so that service personnel know that the second target drone has no vulnerability corresponding to the attack traffic in the attack traffic message.
According to the vulnerability attack detection method provided by the embodiment of the present invention, when a vulnerability attack detection requirement exists, vulnerability attack data packets of multiple attack flows sent to the first target drone are obtained, the obtained attack flows coming from at least one vulnerability attack provider. The vulnerability attack data packets are analyzed to obtain the attack characteristic data corresponding to each attack traffic. Each attack characteristic data is then combined and processed to form an attack traffic message for the second target drone, and finally vulnerability attack detection is performed on the second target drone based on the attack traffic message. In this way, the scheme provided by the embodiment uniformly extracts the attack characteristic data that reflects the vulnerability exploitation methods accumulated by the vulnerability attack providers, obtains the attack traffic message for the second target drone by recombining that attack characteristic data, and performs vulnerability attack detection on the second target drone using an attack traffic message that meets its vulnerability attack detection requirement. The scheme provided by the embodiment therefore makes flexible use of the attack traffic of the vulnerability attack providers while still utilizing the vulnerability exploitation methods they have accumulated.
Further, based on the method shown in fig. 1, another embodiment of the present invention provides a vulnerability attack detection method, as shown in fig. 2, which mainly includes:
201. Start the packet capturing tool.
The vulnerability attack data packets are obtained through a packet capturing tool, which captures the data of the attack traffic sent to the first target drone. This embodiment does not specifically limit the type of packet capturing tool; optionally, the packet capturing tool is Wireshark.
202. Open at least one vulnerability attack provider to send vulnerability attack data packets of N attack flows to the first target drone.
When there is a need to flexibly use the attack traffic of vulnerability attack providers, the number and type of vulnerability attack providers are determined based on that need. It should be noted that, whatever number and type of vulnerability attack providers are selected, it should be ensured that the attack traffic of those providers includes attack traffic satisfying the vulnerability attack detection requirement of the second target drone.
When the attack traffic is sent to the first target drone, the packet capturing tool captures the data of the attack traffic sent to the first target drone.
203. When the attack of the at least one vulnerability attack provider on the first target drone has finished, close the packet capturing tool and acquire the vulnerability attack data packets of the N attack flows sent to the first target drone.
After all vulnerability attack providers have finished attacking, the packet capturing tool is closed. The packet capturing tool generates the vulnerability attack data packet from the intercepted data, namely a packet capture (pcap) file, which includes the attack traffic data of the attack traffic that attacked the first target drone.
204. Analyze the vulnerability attack data packet to obtain the attack characteristic data corresponding to each attack traffic.
205. Combine and process the attack characteristic data to form the attack traffic message for the second target drone.
After the attack traffic message has been used for the attack, it can be stored in a preset location, so that when a target drone with the same vulnerability attack detection requirement as the second target drone exists, the attack traffic message can be called directly for use.
206. Acquire the address and port of the second target drone, and invoke the attack traffic in the attack traffic message to perform vulnerability attack detection on the second target drone based on that address and port.
207. Judge whether second attack traffic exists among the attack traffic sent to the second target drone; if so, execute step 208, otherwise execute step 209.
The specific method for judging whether second attack traffic exists among the attack traffic sent to the second target drone is as follows: acquire the threat detection file and check whether second attack traffic is recorded in it. If second attack traffic is recorded, second attack traffic exists among the attack traffic sent to the second target drone; if it is not recorded, no second attack traffic exists among the attack traffic sent to the second target drone.
The threat detection file is produced by the threat detection device detecting the vulnerability attack condition of the second target drone: once the threat detection device detects second attack traffic, it records that second attack traffic in the threat detection file. The second attack traffic is the attack traffic in the attack traffic message that the threat detection device detected.
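As an added example (not the patent's code) of the judgement in step 207 and the prompts of steps 208 and 209: the threat detection file is matched against the attack traffic message by the serial numbers that the message assigns to each attack traffic. The line layout of the threat detection file and the sample message are assumptions made here; the patent does not fix a file format.

```python
def parse_threat_detection_file(text):
    """Return the serial numbers recorded in the threat detection file.
    Assumed layout (constructed): one 'key=value ...' line per detected attack
    traffic, with a 'serial=<n>' field; blank lines and '#' comments are ignored."""
    detected = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
        if fields.get("serial", "").isdigit():
            detected.add(int(fields["serial"]))
    return detected


def judge_second_attack_traffic(message, threat_file_text):
    """Step 207: the second attack traffic is every entry of the attack traffic
    message (serial -> formatted traffic) whose serial the device recorded."""
    detected = parse_threat_detection_file(threat_file_text)
    return [(serial, traffic) for serial, traffic in message.items() if serial in detected]


def vulnerability_prompts(message, threat_file_text):
    """Steps 208/209: one vulnerability prompt per second attack traffic, naming the
    request line so service personnel know which vulnerability to repair; otherwise
    the single prompt that the second target drone has no vulnerability."""
    hits = judge_second_attack_traffic(message, threat_file_text)
    if not hits:
        return ["second target drone: no vulnerability corresponding to the attack traffic message"]
    return [f"vulnerability prompt: attack traffic #{serial} ({traffic.splitlines()[0]}) "
            f"was detected by the threat detection device; repair required"
            for serial, traffic in hits]


# Constructed attack traffic message in the preset format (serial -> traffic).
MESSAGE = {
    1: "POST /login HTTP/1.1\r\nHost: target.example\r\n\r\nuser=test&pass=test",
    2: "GET /search?q=test HTTP/1.1\r\nHost: target.example\r\n\r\n",
}

# Constructed threat detection file: the device recorded only serial 2.
THREAT_FILE = """# constructed threat detection file
time=2022-01-01T00:00:01Z serial=2 dst=192.0.2.10:8080 verdict=detected
"""

if __name__ == "__main__":
    for prompt in vulnerability_prompts(MESSAGE, THREAT_FILE):
        print(prompt)
```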
208. Send a vulnerability prompt based on the second attack traffic.
When it is judged that second attack traffic exists among the attack traffic sent to the second target drone, this indicates that a vulnerability exists in the second target drone and that the second attack traffic succeeded in attacking it. So that the vulnerabilities in the software system of the second target drone can be repaired promptly, a vulnerability prompt is sent based on the second attack traffic, letting service personnel know which vulnerabilities need to be repaired so that they can repair them as soon as possible in a targeted manner.
209. Send a prompt that the second target drone has no vulnerability.
When it is judged that no second attack traffic exists among the attack traffic sent to the second target drone, this indicates that none of the attack traffic in the attack traffic message for the second target drone attacked it successfully, so a prompt that the second target drone has no vulnerability is sent, informing service personnel that the second target drone has no vulnerability corresponding to the attack traffic message.
Further, based on the above method embodiments, another embodiment of the present invention provides a vulnerability attack detection apparatus, as shown in fig. 3, which includes:
an obtaining unit 31, configured to obtain vulnerability attack data packets of N attack flows sent to a first target drone, where the N attack flows are from at least one vulnerability attack provider and N is a positive integer greater than or equal to 2;
an analysis unit 32, configured to analyze the vulnerability attack data packets to obtain the attack characteristic data corresponding to each attack traffic;
a combination unit 33, configured to combine and process each attack characteristic data to form an attack traffic message for the second target drone;
and a detection unit 34, configured to perform vulnerability attack detection on the second target drone based on the attack traffic message.
According to the vulnerability attack detection apparatus provided by the embodiment of the present invention, when a vulnerability attack detection requirement exists, vulnerability attack data packets of multiple attack flows sent to the first target drone are obtained, the obtained attack flows coming from at least one vulnerability attack provider. The vulnerability attack data packets are analyzed to obtain the attack characteristic data corresponding to each attack traffic. Each attack characteristic data is then combined and processed to form an attack traffic message for the second target drone, and finally vulnerability attack detection is performed on the second target drone based on the attack traffic message. In this way, the scheme provided by the embodiment uniformly extracts the attack characteristic data that reflects the vulnerability exploitation methods accumulated by the vulnerability attack providers, obtains the attack traffic message for the second target drone by recombining that attack characteristic data, and performs vulnerability attack detection on the second target drone using an attack traffic message that meets its vulnerability attack detection requirement. The scheme provided by the embodiment therefore makes flexible use of the attack traffic of the vulnerability attack providers while still utilizing the vulnerability exploitation methods they have accumulated.
Optionally, as shown in fig. 4, the combination unit 33 includes:
a selecting module 331, configured to select M target attack characteristic data from the N attack characteristic data, where the target attack characteristic data meet the vulnerability attack detection requirement of the second target drone and M is a positive integer less than or equal to N;
an integrating module 332, configured to integrate each target attack characteristic data to form the attack traffic message.
Optionally, as shown in fig. 4, the selecting module 331 includes:
a first selecting submodule 3311, configured to determine the repeatedly existing attack characteristic data and the separately existing attack characteristic data among the N attack characteristic data; for the repeatedly existing attack characteristic data, select one attack characteristic data to retain and remove the unselected attack characteristic data; and select the separately existing attack characteristic data and the retained attack characteristic data as the target attack characteristic data.
Optionally, as shown in fig. 4, the selecting module 331 includes:
a second selecting submodule 3312, configured to determine the attack classification corresponding to each attack characteristic data, and select the attack characteristic data corresponding to at least one attack classification as the target attack characteristic data, where the at least one attack classification is determined based on the vulnerability attack detection requirement of the second target drone.
Optionally, as shown in fig. 4, the selecting module 331 includes:
a third selecting submodule 3313, configured to remove the attack characteristic data corresponding to first attack traffic, where the first attack traffic is attack traffic marked as abnormal, and select the attack characteristic data that has not been removed as the target attack characteristic data.
Optionally, as shown in fig. 4, the integrating module 332 includes:
a processing submodule 3321, configured to process each target attack characteristic data into a preset format to form the attack traffic corresponding to each target attack characteristic data;
and an integrating submodule 3322, configured to integrate the formed attack traffic to obtain the attack traffic message.
Optionally, as shown in fig. 4, the detection unit 34 is specifically configured to send a vulnerability prompt based on second attack traffic when it is judged that second attack traffic exists among the attack traffic sent to the second target drone, where the second attack traffic is the attack traffic in the attack traffic message that the threat detection device detected.
Optionally, as shown in fig. 4, the apparatus further includes:
a calling unit 35, configured to acquire the address and port of the second target drone, and invoke the attack traffic in the attack traffic message to perform vulnerability attack detection on the second target drone based on that address and port.
Optionally, as shown in fig. 4, the analysis unit 32 includes:
an analysis module 321, configured to analyze the vulnerability attack data packet to obtain the attack traffic data corresponding to each attack traffic;
and an extracting module 322, configured to extract the data with a target attribute in each attack traffic data as the corresponding attack characteristic data, where the data with the target attribute is data carrying virus code and/or Trojan horse code.
For the vulnerability attack detection apparatus provided by the embodiment of the present invention, a detailed description of the method used in the operation of each functional module can be found in the corresponding method embodiments of fig. 1 and fig. 2 and is not repeated here.
Further, based on the foregoing embodiments, another embodiment of the present invention provides a computer-readable storage medium. The storage medium includes a stored program, and when the program runs, it controls the apparatus on which the storage medium is located to execute the vulnerability attack detection method described in the method embodiments of fig. 1 and fig. 2.
Further, based on the above embodiments, another embodiment of the present invention provides an electronic device, including:
a memory for storing a program;
and a processor coupled to the memory, configured to run the program in order to execute the vulnerability attack detection method of the method embodiments of fig. 1 and fig. 2.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to the related descriptions of other embodiments.
It will be appreciated that the relevant features of the method and apparatus described above are referred to one another. In addition, "first", "second", and the like in the above embodiments are for distinguishing the embodiments, and do not represent merits of the embodiments.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the method, apparatus and framework for operation of a deep neural network model in accordance with embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, third, and so on does not indicate any ordering; these words may be interpreted as names.

Claims (12)

1. A vulnerability attack detection method, the method comprising:
acquiring vulnerability attack data packets of N attack flows sent to a first target drone, wherein the N attack flows are from at least one vulnerability attack provider, and N is a positive integer greater than or equal to 2;
analyzing the vulnerability attack data packet to obtain attack characteristic data corresponding to each attack flow;
combining and processing each attack characteristic data to form an attack flow message aiming at a second target drone;
and carrying out vulnerability attack detection on the second target drone based on the attack flow message.
2. The method of claim 1, wherein combining and processing each attack characteristic data to form an attack traffic message for the second target drone comprises:
selecting M target attack characteristic data from the N attack characteristic data, wherein the target attack characteristic data meet the vulnerability attack detection requirement of the second target drone, and M is a positive integer less than or equal to N;
and integrating the attack characteristic data of each target to form the attack flow message.
3. The method of claim 2, wherein selecting M target attack signature data from the N attack signature data comprises:
determining attack characteristic data which repeatedly exists and attack characteristic data which exists independently in the N attack characteristic data;
selecting one attack characteristic data for retaining for the repeated attack characteristic data, and removing the unselected attack characteristic data;
and selecting the separately existing attack characteristic data and the reserved attack characteristic data as the target attack characteristic data.
4. The method of claim 2, wherein selecting M target attack signature data from the N attack signature data comprises:
determining an attack classification corresponding to each attack characteristic data;
and selecting attack characteristic data corresponding to at least one attack classification as the target attack characteristic data, wherein the at least one attack classification is determined based on the vulnerability attack detection requirement of the second target drone.
5. The method of claim 2, wherein selecting M target attack signature data from the N attack signature data comprises:
removing attack characteristic data corresponding to first attack traffic, wherein the first attack traffic is marked as abnormal attack traffic;
and selecting the attack characteristic data which is not removed as the target attack characteristic data.
6. The method according to claim 2, wherein integrating each of the target attack characteristic data to form the attack traffic packet comprises:
processing each target attack characteristic data into a preset format respectively to form attack flow corresponding to each target attack characteristic data;
and integrating the formed attack traffic to obtain the attack traffic message.
7. The method according to any of claims 1-6, wherein detecting the second drone aircraft for vulnerability attacks based on the attack traffic packet comprises:
and when judging that second attack flow exists in the attack flow sent to the second target drone, sending a vulnerability prompt based on the second attack flow, wherein the second attack flow is the attack flow detected by the threat detection equipment in the attack flow message.
8. The method of any of claims 1-6, wherein prior to detecting the second drone for vulnerability attacks based on the attack traffic packet, the method further comprises:
acquiring an address and a port of the second drone aircraft;
and calling the attack flow in the attack flow message to carry out vulnerability attack detection on the second target drone based on the address and the port of the second target drone.
9. The method according to any one of claims 1 to 6, wherein analyzing the vulnerability attack data packet to obtain attack characteristic data corresponding to each attack traffic comprises:
analyzing the vulnerability attack data packet to obtain attack flow data corresponding to each attack flow;
and extracting data with target attributes in each attack flow data into corresponding attack characteristic data, wherein the data with the target attributes are data carrying virus codes and/or Trojan horse codes.
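Claims 1 to 9 describe one pipeline: capture exploit traffic aimed at a first target machine, reduce each flow to its attack characteristic data, deduplicate (claim 3), filter by attack classification (claim 4) and by an abnormal-traffic mark (claim 5), render each surviving item in a preset format addressed to the second target machine (claims 6 and 8), and turn the flows a threat detection device flags into vulnerability alerts (claim 7). The Python below is an added worked example of that pipeline, not code from the patent or its assignees. It assumes the captures are plain HTTP requests, that the provider supplies a classification label and an abnormal flag per flow, and that the threat detection device's verdict arrives as a set of flow identifiers; all sample flows, hosts and labels are constructed.

```python
"""Added example of the replay pipeline in claims 1-9 (not the patent's code).
Assumptions: HTTP request captures, a per-flow classification label and
abnormal mark supplied by the provider, and a threat detection device that
reports the flow ids it detected."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackFeature:
    flow_id: str
    provider: str           # vulnerability attack provider that sent the flow
    classification: str     # assumed label supplied with the capture
    method: str
    path: str
    body: bytes
    abnormal: bool = False  # assumed mark set during capture (claim 5)

    def digest(self) -> str:
        """Identity of the exploit content, independent of flow and provider."""
        h = hashlib.sha256()
        for part in (self.method.encode(), self.path.encode(), self.body):
            h.update(part)
            h.update(b"\0")
        return h.hexdigest()


def parse_flow(flow_id, provider, classification, raw, abnormal=False):
    """Claim 9: keep only the payload-bearing parts of a captured HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    method, path, _version = request_line.split(" ", 2)
    return AttackFeature(flow_id, provider, classification, method, path, body, abnormal)


def dedupe(features):
    """Claim 3: retain one copy of each repeated feature, keep singletons."""
    seen, kept = set(), []
    for f in features:
        d = f.digest()
        if d not in seen:
            seen.add(d)
            kept.append(f)
    return kept


def select_targets(features, wanted_classes):
    """Claims 3-5: dedupe, keep wanted classifications, drop abnormal flows."""
    return [f for f in dedupe(features)
            if f.classification in wanted_classes and not f.abnormal]


def build_message(targets, host, port):
    """Claims 6 and 8: render each feature in a preset format aimed at host:port."""
    flows = []
    for f in targets:
        request = (f"{f.method} {f.path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
                   f"Content-Length: {len(f.body)}\r\n\r\n").encode() + f.body
        flows.append({"flow_id": f.flow_id, "classification": f.classification,
                      "dst": (host, port), "request": request})
    return {"target": (host, port), "flows": flows}


def vulnerability_alerts(message, detected_flow_ids):
    """Claim 7: flows the threat detection device flagged become alerts."""
    return [f"{f['dst'][0]}:{f['dst'][1]} {f['classification']} via flow {f['flow_id']}"
            for f in message["flows"] if f["flow_id"] in detected_flow_ids]


# Constructed captures toward a first target machine at 10.0.0.5 (not real traffic).
RAW_FLOWS = [
    ("f1", "provA", "cmd-injection",
     b"GET /cgi-bin/status?host=127.0.0.1;id HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"),
    ("f2", "provB", "cmd-injection",   # same exploit as f1, sent by another provider
     b"GET /cgi-bin/status?host=127.0.0.1;id HTTP/1.1\r\nHost: 10.0.0.5\r\nUser-Agent: s\r\n\r\n"),
    ("f3", "provA", "sqli",
     b"POST /login HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\nuser=admin'--&pw=x"),
    ("f4", "provB", "path-traversal",
     b"GET /../../etc/passwd HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"),
    ("f5", "provB", "sqli",            # marked abnormal during capture
     b"POST /login HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\nuser=x&pw=' OR 1=1--", True),
]


def run_pipeline(raw_flows, wanted_classes, host, port, detected_flow_ids):
    """Claims 1-9 end to end: parse, select, build the message, report alerts."""
    features = [parse_flow(*entry) for entry in raw_flows]
    message = build_message(select_targets(features, wanted_classes), host, port)
    return message, vulnerability_alerts(message, detected_flow_ids)


if __name__ == "__main__":
    msg, alerts = run_pipeline(RAW_FLOWS, {"cmd-injection", "sqli"}, "10.0.0.9", 8080, {"f3"})
    print([f["flow_id"] for f in msg["flows"]], alerts)
```

Two practical caveats follow from the design. The deduplication key is the exact exploit content, so two providers sending byte-identical payloads collapse to one flow, but trivially mutated variants of the same exploit do not; a production implementation would normalise the payload before hashing. And the attack traffic message is live exploit traffic: the host and port from claim 8 must belong to a target machine you own, since the same message would compromise a production system that has the vulnerability.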
10. An apparatus for vulnerability attack detection, the apparatus comprising:
an acquisition unit, configured to acquire vulnerability attack data packets of N attack flows sent to a first target machine, wherein the N attack flows come from at least one vulnerability attack provider, and N is a positive integer greater than or equal to 2;
a parsing unit, configured to parse the vulnerability attack data packets to obtain attack characteristic data corresponding to each attack flow;
a combination unit, configured to combine the attack characteristic data to form an attack traffic message aimed at a second target machine;
and a detection unit, configured to perform vulnerability attack detection on the second target machine based on the attack traffic message.
11. A computer-readable storage medium storing a program, wherein when the program runs, the device on which the storage medium resides is controlled to execute the vulnerability attack detection method according to any one of claims 1 to 9.
12. An electronic device, comprising:
a memory for storing a program;
and a processor, coupled to the memory, for executing the program to perform the vulnerability attack detection method according to any one of claims 1 to 9.
CN202210158834.XA 2022-02-21 2022-02-21 Vulnerability attack detection method and device Pending CN114629686A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210158834.XA CN114629686A (en) 2022-02-21 2022-02-21 Vulnerability attack detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210158834.XA CN114629686A (en) 2022-02-21 2022-02-21 Vulnerability attack detection method and device

Publications (1)

Publication Number Publication Date
CN114629686A true CN114629686A (en) 2022-06-14

Family

ID=81900454

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210158834.XA Pending CN114629686A (en) 2022-02-21 2022-02-21 Vulnerability attack detection method and device

Country Status (1)

Country Link
CN (1) CN114629686A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117896175A (en) * 2024-03-04 2024-04-16 北京浩瀚深度信息技术股份有限公司 Capturing method of malicious sample propagated through loopholes

Similar Documents

Publication Publication Date Title
US11089057B1 (en) System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits
US10534906B1 (en) Detection efficacy of virtual machine-based analysis with application specific events
US10581898B1 (en) Malicious message analysis system
US10467411B1 (en) System and method for generating a malware identifier
US9912691B2 (en) Fuzzy hash of behavioral results
US10581874B1 (en) Malware detection system with contextual analysis
US9973531B1 (en) Shellcode detection
US9438623B1 (en) Computer exploit detection using heap spray pattern matching
CN106650436B (en) A kind of safety detection method and device based on local area network
KR100800370B1 (en) Network attack signature generation
CN110881043B (en) Method and device for detecting web server vulnerability
US11075930B1 (en) System and method for detecting repetitive cybersecurity attacks constituting an email campaign
CN108241580B (en) Client program testing method and terminal
US20040030931A1 (en) System and method for providing enhanced network security
CN110266670A (en) A kind of processing method and processing device of terminal network external connection behavior
KR20110088042A (en) Apparatus and method for automatically discriminating malicious code
CN112395597A (en) Method and device for detecting website application vulnerability attack and storage medium
KR101768079B1 (en) System and method for improvement invasion detection
Deeter et al. APHIDS: A mobile agent-based programmable hybrid intrusion detection system
CN116599747A (en) Network and information security service system
CN114629686A (en) Vulnerability attack detection method and device
KR101767591B1 (en) System and method for improvement invasion detection
CN116170186A (en) Attack code online detection method and device based on network traffic analysis
CN113835954A (en) Dynamic network security monitoring method, device and equipment
US9049170B2 (en) Building filter through utilization of automated generation of regular expression

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination