TWI726455B - Penetration test case suggestion method and system - Google Patents


Info

Publication number: TWI726455B
Authority: TW (Taiwan)
Prior art keywords: filtered, attack, log file, attack information, module
Application number: TW108138229A
Other languages: Chinese (zh)
Other versions: TW202117620A (en)
Inventors: 陳文婷, 黃秋樺, 陳俊廷, 洪琳美, 廖秋銘
Original Assignee: 臺灣銀行股份有限公司
Application filed by 臺灣銀行股份有限公司
Priority to TW108138229A
Application granted
Publication of TW202117620A
Publication of TWI726455B

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

A penetration test case suggestion system: a network information collection module obtains multiple pieces of online attack information from at least one server and stores them; a data preprocessing module filters multiple log files to obtain multiple filtered log files, and also filters the online attack information to obtain multiple pieces of filtered online attack information; a data analysis module analyzes the associations among the filtered log files using a data mining algorithm, and obtains and stores a log file analysis result; and a recommendation module generates recommended test attack information based on the log file analysis result, the predetermined attack information, the filtered log files, and the filtered online attack information. The invention also provides a penetration test case suggestion method.

Description

Penetration test case suggestion method and system

The present invention relates to a penetration testing service, and in particular to a penetration test case suggestion method and system.

With the rapid growth of Internet systems, network security mechanisms have become an important concern; enterprises large and small are willing to spend time and money building a complete network security mechanism to prevent their own information from being compromised by others. Factors affecting information security include: unauthorized intrusion into a system to steal or alter data, or even to change the original system settings; data being intercepted or modified in transit; and the spread of malicious programs. Faced with these threats to information security, website administrators usually adopt penetration testing (Penetration Test).

Penetration testing refers to a technician with information security knowledge and experience being commissioned by an employer to carry out attack tests on the employer's network devices and hosts, imitating the methods of hackers, in order to discover system vulnerabilities and propose improvements.

However, the penetration testing process consumes manpower and time. At present, a standard penetration testing project takes about 1 month, including requirements gathering, testing, and report writing; some large projects may take 2 to 3 months, which is very time-consuming and requires substantial labor cost.

Therefore, the object of the present invention is to provide a penetration test case suggestion method that shortens penetration testing time and reduces labor cost.

Accordingly, the penetration test case suggestion method of the present invention is implemented by a penetration test case suggestion system that stores multiple pieces of predetermined attack information related to multiple attack events and multiple log files related to events that occurred while web pages were executed. The penetration test case suggestion method includes a step (A), a step (B), a step (C), a step (D), and a step (E).

In step (A), the penetration test case suggestion system obtains, via a communication network, multiple pieces of online attack information related to multiple attack behaviors from at least one server corresponding to at least one website that records attack behaviors, and stores them.

In step (B), the penetration test case suggestion system filters the log files to obtain multiple filtered log files, each of which includes at least multiple access paths having multiple access points and multiple syntax parameters.

In step (C), the penetration test case suggestion system filters the online attack information to obtain multiple pieces of filtered online attack information.

In step (D), the penetration test case suggestion system analyzes the associations among the filtered log files using a data mining algorithm and, for each filtered log file, obtains and stores a log file analysis result that includes the associations among the access points included in that filtered log file and the associations among multiple attack signature syntaxes related to the syntax parameters included in that filtered log file.

In step (E), the penetration test case suggestion system generates, based on the log file analysis result, the predetermined attack information, the filtered log files, and the filtered online attack information, recommended test attack information that includes at least one of the predetermined attack information and the filtered online attack information.

Another object of the present invention is to provide a penetration test case suggestion system that shortens penetration testing time and reduces labor cost.

Accordingly, the penetration test case suggestion system of the present invention includes a storage module, a network information collection module, a data preprocessing module, a data analysis module, and a recommendation module.

The storage module stores multiple pieces of predetermined attack information related to multiple attack events and multiple log files related to events that occurred while web pages were executed.

The network information collection module is electrically connected to the storage module and is used to obtain, via a communication network, multiple pieces of online attack information related to multiple attack behaviors from at least one server corresponding to at least one website that records attack behaviors, and to store them in the storage module.

The data preprocessing module is electrically connected to the storage module and is used to filter the log files to obtain multiple filtered log files, each of which includes at least multiple access paths having multiple access points and multiple syntax parameters respectively corresponding to the access paths, and to filter the online attack information to obtain multiple pieces of filtered online attack information.

The data analysis module is electrically connected to the storage module and is used to analyze the associations among the filtered log files using a data mining algorithm and, for each filtered log file, to obtain and store in the storage module a log file analysis result that includes the associations among the access points included in that filtered log file and the associations among multiple attack signature syntaxes related to the syntax parameters included in that filtered log file.

The recommendation module is electrically connected to the storage module and is used to generate, based on the log file analysis result, the predetermined attack information, the filtered log files, and the filtered online attack information, recommended test attack information that includes at least one of the predetermined attack information and the filtered online attack information.

The effect of the present invention is that the data analysis module analyzes the associations among the filtered log files using a data mining algorithm, so that the recommendation module recommends test attack information that carries those associations, thereby improving the efficiency of penetration testing.

11: Data input module
12: Storage module
13: Network information collection module
14: Data preprocessing module
15: Data analysis module
16: Recommendation module
17: Feedback module
100: Communication network
101: Server
21~28: Steps
221~225: Steps
241~244: Steps
271~273: Steps

Other features and effects of the present invention will be clearly presented in the embodiments described with reference to the drawings, in which: Figure 1 is a block diagram illustrating an embodiment of the penetration test case suggestion system of the present invention; Figure 2 is a flowchart illustrating an embodiment of the penetration test case suggestion method of the present invention; Figure 3 is a flowchart assisting in explaining the sub-steps of step 23 in Figure 2; Figure 4 is a flowchart assisting in explaining the sub-steps of step 25 in Figure 2; and Figure 5 is a flowchart assisting in explaining the sub-steps of step 28 in Figure 2.

Referring to Figure 1, an embodiment of the penetration test case suggestion system of the present invention includes a data input module 11, a storage module 12, a network information collection module 13, a data preprocessing module 14, a data analysis module 15, a recommendation module 16, and a feedback module 17.

The data input module 11 is electrically connected to the storage module 12 and the feedback module 17.

The storage module 12 is electrically connected to the network information collection module 13, the data preprocessing module 14, the data analysis module 15, the recommendation module 16, and the feedback module 17. The storage module 12 stores multiple website paths, multiple pieces of predetermined attack information related to multiple attack events, and multiple log files related to events that occurred while web pages were executed. It is worth noting that, in this embodiment, the predetermined attack information and the log files are entered by a user through the data input module 11. Each piece of predetermined attack information includes a date and time, multiple syntax parameters, a tool used, and the category to which the attack belongs. Each log file includes a user name, a session, a transaction, multiple access paths having multiple access points, multiple syntax parameters, multiple source addresses respectively corresponding to the access paths, multiple destination addresses respectively corresponding to the access paths, and multiple dates and times respectively corresponding to the access paths.

The network information collection module 13 is connected via a communication network 100 to a server 101 corresponding to a website that records attack behaviors. It is worth noting that the communication network 100 is, for example, the Internet, and that in other embodiments the network information collection module 13 may also be connected to multiple servers.

Referring to Figures 1 and 2, an embodiment of the penetration test case suggestion method of the present invention is implemented by the embodiment of the penetration test case suggestion system of the present invention shown in Figure 1. The steps of this embodiment of the penetration test case suggestion method are described in detail below.

In step 21, the network information collection module 13 obtains, via the communication network, multiple pieces of online attack information related to multiple attack behaviors from the server and stores them in the storage module 12. It is worth noting that the network information collection module 13 obtains the online attack information from the server using, for example, web crawler or application programming interface (API) techniques, and that each piece of online attack information includes a data source address, a date and time, multiple syntax parameters, a screenshot, the category to which the attack belongs, a remediation suggestion, and an event description.

In step 22, the data preprocessing module 14 filters the log files to obtain multiple filtered log files. Referring also to Figure 3, step 22 includes sub-steps 221 to 224; the sub-steps included in step 22 are described below.

In sub-step 221, the data preprocessing module 14 removes from the log files those that meet a predetermined condition, to obtain multiple candidate log files. It is worth noting that, in this embodiment, the predetermined condition is, for example, that the included access path has an access point ending in a multimedia file (for example .jpg, .gif, .png).

In sub-step 222, the data preprocessing module 14 groups the candidate log files according to the user name, session, and transaction they include, so that the candidate log files of the same user are placed in the same group.

In sub-step 223, the data preprocessing module 14 obtains multiple target log files from the candidate log files according to the candidate log files and the website paths. It is worth noting that, in this embodiment, the access paths of the target log files match the website paths.

In sub-step 224, for each target log file, the data preprocessing module 14 extracts from the target log file multiple access paths having multiple access points, multiple syntax parameters, multiple source addresses respectively corresponding to the access paths, multiple destination addresses respectively corresponding to the access paths, and multiple dates and times respectively corresponding to the access paths, to obtain an extracted target log file.

In sub-step 225, the data preprocessing module 14 performs encoding conversion on the access paths of the extracted target log files to obtain the filtered log files. It is worth noting that, in this embodiment, the data preprocessing module 14 converts the portions of the access paths expressed in Uniform Resource Locator (URL) percent-encoding into ASCII encoding.
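Sub-steps 221 to 225 run end to end over a handful of constructed log records, as an added example (this is not the patent's code; the record field names, the sample records, the website paths and the query-string parsing are assumptions):

```python
"""Log preprocessing following sub-steps 221 to 225 (added example, not the
patent's own code). Record field names and sample records are constructed."""
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log records of the kind storage module 12 would hold.
SAMPLE_LOGS = [
    {"user": "alice", "session": "s1", "transaction": "t1",
     "path": "/product/car?id=1%27%20OR%201%3D1", "src": "10.0.0.5",
     "dst": "192.0.2.10", "time": "2019-10-01T10:00:00"},
    {"user": "alice", "session": "s1", "transaction": "t2",
     "path": "/static/logo.png", "src": "10.0.0.5",
     "dst": "192.0.2.10", "time": "2019-10-01T10:00:01"},
    {"user": "bob", "session": "s2", "transaction": "t3",
     "path": "/download?file=..%2F..%2Fetc%2Fpasswd", "src": "10.0.0.9",
     "dst": "192.0.2.10", "time": "2019-10-01T10:05:00"},
    {"user": "bob", "session": "s2", "transaction": "t4",
     "path": "/not-on-site/admin", "src": "10.0.0.9",
     "dst": "192.0.2.10", "time": "2019-10-01T10:05:02"},
]

# Website paths the storage module knows (constructed); sub-step 223 keeps
# only records whose access path lies under one of them.
WEBSITE_PATHS = ["/product", "/download"]

MULTIMEDIA_SUFFIXES = (".jpg", ".gif", ".png")


def remove_multimedia(logs):
    """Sub-step 221: drop records whose access point ends in a media file."""
    return [r for r in logs
            if not r["path"].partition("?")[0].lower().endswith(MULTIMEDIA_SUFFIXES)]


def group_by_user(logs):
    """Sub-step 222: put the candidate records of one user into one group,
    ordered by session and transaction so later mining sees each user's
    request sequence in order."""
    groups = defaultdict(list)
    for r in sorted(logs, key=lambda r: (r["session"], r["transaction"])):
        groups[r["user"]].append(r)
    return groups


def match_website_paths(logs, website_paths):
    """Sub-step 223: keep target records whose path lies under a site path."""
    return [r for r in logs
            if any(r["path"].partition("?")[0].startswith(p) for p in website_paths)]


def extract_fields(record):
    """Sub-step 224: pull out the access path and its access points, the syntax
    parameters (query-string pairs, an assumption), addresses and timestamp."""
    path, _, query = record["path"].partition("?")
    return {"path": path,
            "access_points": [seg for seg in path.split("/") if seg],
            "params": [kv for kv in query.split("&") if kv],
            "src": record["src"], "dst": record["dst"], "time": record["time"]}


def decode_record(record):
    """Sub-step 225: turn URL percent-encoding back into plain characters so
    that later pattern mining sees the real payload rather than %27 or %2F."""
    return {**record, "path": unquote(record["path"]),
            "params": [unquote(p) for p in record["params"]]}


def preprocess(logs, website_paths=WEBSITE_PATHS):
    """Run sub-steps 221 to 225; returns {user: [filtered records]}."""
    candidates = remove_multimedia(logs)
    filtered = {}
    for user, recs in group_by_user(candidates).items():
        targets = match_website_paths(recs, website_paths)
        if targets:
            filtered[user] = [decode_record(extract_fields(r)) for r in targets]
    return filtered


if __name__ == "__main__":
    for user, recs in preprocess(SAMPLE_LOGS).items():
        print(user, [(r["path"], r["params"]) for r in recs])
```

Decoding is deliberately the last step: matching site paths and stripping media files on the raw path avoids a record slipping past the filters by encoding a `/` or a `.`, while the mining stages still receive the decoded parameters.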

In step 23, the data preprocessing module 14 filters the online attack information to obtain multiple pieces of filtered online attack information. It is worth noting that, in this embodiment, for each piece of online attack information, the data preprocessing module 14 extracts from it a data source address, a date and time, multiple syntax parameters, a screenshot, and the category to which the attack belongs, in order to carry out the filtering.

In step 24, the data analysis module 15 analyzes the associations among the filtered log files using a data mining algorithm; for each filtered log file, the data analysis module 15 obtains and stores in the storage module 12 a log file analysis result that includes the associations among the access points included in that filtered log file and the associations among multiple attack signature syntaxes related to the syntax parameters included in that filtered log file. Referring also to Figure 4, step 24 includes sub-steps 241 to 244; the sub-steps included in step 24 are described below.

In sub-step 241, for each filtered log file, the data analysis module 15 applies an association-rule-mining-based algorithm to the access points included in the filtered log file to obtain the associations among those access points. It is worth noting that, in this embodiment, the data analysis module 15 assigns each access point a unique code; for example, if product is given code A and car is given code B, then /product/car gets code AB. The data analysis module 15 then uses the association rule mining algorithm to find associations that meet the minimum support (min support) and minimum confidence (min confidence) requirements. For example, since the filtered log files obtained in step 22 are divided into multiple groups, each corresponding to one user, analysis of the filtered log files might show that 60% of the users whose log files access /product (code A) also access /product/car (code AB).

In sub-step 242, for each filtered log file, the data analysis module 15 applies a sequential-pattern-mining-based algorithm to the syntax parameters included in the filtered log file to obtain multiple attack signature syntaxes related to those syntax parameters. For example, analysis of a log file from an Apache platform yields the string <(a),(c)>, where a represents select and c represents @@version, meaning the attack signature syntax is that @@version appears after select.

In sub-step 243, the data analysis module 15 applies the association rule mining algorithm to the attack signature syntaxes to obtain the associations among them. For example, the "select,@@version" syntax appears after the "../" syntax.

In sub-step 244, the data analysis module 15 generates the log file analysis result.
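Sub-steps 241 to 243 as an added example that is not the patent's own code: a single-antecedent association rule miner over per-user sets of access-point codes, an ordered-pair sequential pattern miner over the tokens of syntax parameters, and the association step re-applied to the mined patterns. The user groups, token sequences and thresholds are constructed, and the patent does not fix which association-rule or sequential-pattern algorithm is used, so the simple counting versions below are assumptions.

```python
"""Sub-steps 241 to 243 on constructed data (added example, not the patent's
code): association rules over access-point codes per user, sequential
patterns over parameter tokens, and association rules over those patterns."""
from collections import Counter
from itertools import combinations

# Sub-step 241 input: one set of access-point codes per user group
# (constructed). Codes follow the patent's scheme: product -> A, car -> B,
# /product/car -> AB.
USER_ACCESS = {
    "u1": {"A", "AB"},
    "u2": {"A", "AB", "C"},
    "u3": {"A", "AB"},
    "u4": {"A", "C"},
    "u5": {"C"},
}

# Sub-step 242 input: ordered token lists from one request's syntax
# parameters each (constructed).
PARAM_SEQUENCES = [
    ["../", "select", "@@version"],
    ["../", "select", "@@version"],
    ["../", "../", "etc/passwd"],
    ["select", "@@version"],
    ["alert", "<script>"],
]


def association_rules(baskets, min_support, min_confidence):
    """Single-antecedent rules X -> Y. support = P(X and Y) over all baskets,
    confidence = P(Y | X). Returns {(X, Y): (support, confidence)}."""
    n = len(baskets)
    item_count, pair_count = Counter(), Counter()
    for items in baskets.values():
        item_count.update(items)
        for x, y in combinations(sorted(items), 2):
            pair_count[(x, y)] += 1
            pair_count[(y, x)] += 1
    rules = {}
    for (x, y), c in pair_count.items():
        support, confidence = c / n, c / item_count[x]
        if support >= min_support and confidence >= min_confidence:
            rules[(x, y)] = (round(support, 2), round(confidence, 2))
    return rules


def ordered_pairs(seq):
    """All (a, c) with a strictly before c in seq and a != c."""
    return {(a, c) for i, a in enumerate(seq) for c in seq[i + 1:] if a != c}


def sequential_patterns(sequences, min_support):
    """Patterns <(a),(c)> supported by at least min_support of the sequences.
    Returns {(a, c): support}."""
    n = len(sequences)
    count = Counter()
    for seq in sequences:
        count.update(ordered_pairs(seq))
    return {p: round(c / n, 2) for p, c in count.items() if c / n >= min_support}


def signature_associations(sequences, patterns, min_support, min_confidence):
    """Sub-step 243: treat each request as a basket of the mined patterns it
    contains and run association rule mining over those patterns."""
    baskets = {i: {f"{a}->{c}" for (a, c) in ordered_pairs(seq) if (a, c) in patterns}
               for i, seq in enumerate(sequences)}
    return association_rules(baskets, min_support, min_confidence)


if __name__ == "__main__":
    print(association_rules(USER_ACCESS, 0.4, 0.6))
    pats = sequential_patterns(PARAM_SEQUENCES, 0.4)
    print(pats)
    print(signature_associations(PARAM_SEQUENCES, pats, 0.4, 0.6))
```

With these inputs the access-point rule A -> AB has support 0.6 and confidence 0.75 (the patent's "60% of users who access /product also access /product/car"), and the pattern "../" -> select followed by select -> @@version is the counterpart of the patent's "../" then "select,@@version" association.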

In step 25, after receiving an initial score signal, generated by the user through the data input module 11, relating to the initial scores of the predetermined attack information and the filtered online attack information, the feedback module 17 generates multiple initial scores corresponding to the predetermined attack information and the filtered online attack information and stores them in the storage module 12. It is worth noting that, in this embodiment, the user refers to the latest version of the OWASP Top Ten web application security risks (OWASP TOP TEN) and CVSS vulnerability risk levels when scoring.

In step 26, for each filtered log file, the recommendation module 16 performs at least keyword analysis on the syntax parameters of the filtered log file, the syntax parameters of the predetermined attack information, the syntax parameters of the filtered online attack information, and the initial scores, to obtain the attack category corresponding to that filtered log file. For example, entries in the syntax parameters of the predetermined attack information and of the filtered online attack information that contain the keywords alert and <script> belong to the A3.XSS category. It is worth noting that, in this embodiment, if the recommendation module 16 cannot determine the attack category corresponding to the filtered log file by keyword analysis, it performs a similarity calculation: when the similarity between the syntax parameters of the filtered log file and the syntax parameters of the predetermined attack information and of the filtered online attack information is higher than a predetermined threshold (for example 70%), the attack category corresponding to the filtered log file is determined; when the similarity is not higher than the predetermined threshold, the attack category corresponding to the filtered log file is null. It should further be noted that, in this embodiment, the recommendation module 16 determines, according to the initial scores, the priority order in which the syntax parameters of the predetermined attack information and the syntax parameters of the filtered online attack information are used for keyword analysis and similarity calculation.

In step 27, the recommendation module 16 generates, based on the log file analysis result, the predetermined attack information, the filtered log files, the attack categories corresponding to the filtered log files, and the filtered online attack information, recommended test attack information that includes at least one of the predetermined attack information and the filtered online attack information. Referring also to Figure 5, step 27 includes sub-steps 271 to 273; the sub-steps included in step 28 are described below.

In sub-step 271, the recommendation module 16 obtains multiple recommended access paths based on the filtered log files, the attack categories corresponding to the filtered log files, the associations among the access points included in the filtered log files from the log file analysis result, and a filtering condition. The filtering condition is, for example, a time interval, a website, a platform, a language type, and the number of records required.

In sub-step 272, the recommendation module 16 performs keyword analysis and similarity calculation on the syntax parameters corresponding to the recommended access paths and, based on the associations among the attack signature syntaxes in the log file analysis result, obtains multiple historical attack signature syntaxes corresponding to the recommended access paths. For example, keyword analysis and similarity calculation show that the syntax parameter "../../../../etc/passwd" corresponding to a recommended access path belongs to the "../" class of attack, and the associations among the attack signature syntaxes in the log file analysis result then show that the historical attack signature syntaxes are "../" and "select @@version".

In sub-step 273, the recommendation module 16 generates the recommended test attack information based on the historical attack signature syntaxes, the predetermined attack information, and the filtered online attack information. For example, if the historical attack signature syntaxes are "../" and "select @@version", the recommendation module 16 finds, from the predetermined attack information and the filtered online attack information, the entries that match "../" and "select @@version".
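Step 26 together with sub-steps 272 and 273, as an added example that is not the patent's code: keyword classification with the 70% similarity fallback, then recommendation of the attack-information entries that match the historical signatures. The attack-information entries, keyword rules, scores and the signature association table are constructed; the recommended access paths of sub-step 271 are taken as already selected; and difflib's SequenceMatcher ratio stands in for whatever similarity measure the system actually uses. Treating an entry as a match when it contains any one of the historical signatures is also an assumption.

```python
"""Steps 26 and 27 on constructed data (added example, not the patent's code):
keyword classification, similarity fallback at a 70% threshold, and
recommendation of attack-information entries matching historical signatures."""
from difflib import SequenceMatcher

# Constructed predetermined / filtered online attack information. "score" is
# the initial score from step 25 and decides which entries are tried first.
ATTACK_INFO = [
    {"id": "P1", "params": "alert(1)<script>", "category": "A3.XSS", "score": 8},
    {"id": "P2", "params": "../../../../etc/passwd", "category": "Path Traversal", "score": 9},
    {"id": "O1", "params": "select @@version", "category": "A1.Injection", "score": 7},
    {"id": "O2", "params": "../../boot.ini", "category": "Path Traversal", "score": 5},
]

# Keyword rules (constructed; the patent names alert and <script> -> A3.XSS).
KEYWORD_RULES = {
    "A3.XSS": ("alert", "<script>"),
    "A1.Injection": ("select", "@@version", "union"),
    "Path Traversal": ("../",),
}

# Sub-step 243 output in table form (constructed): signature -> signatures
# that historically follow it.
SIGNATURE_RULES = {"../": ("select @@version",)}

SIMILARITY_THRESHOLD = 0.70  # the patent's example threshold of 70%


def keyword_category(params):
    """Step 26, keyword analysis: first rule with a keyword present in params."""
    lowered = params.lower()
    for category, keywords in KEYWORD_RULES.items():
        if any(k in lowered for k in keywords):
            return category
    return None


def similarity_category(params, attack_info, threshold=SIMILARITY_THRESHOLD):
    """Step 26 fallback: compare against known entries, highest score first,
    and return the category of the first one above the threshold, else None."""
    for entry in sorted(attack_info, key=lambda e: e["score"], reverse=True):
        ratio = SequenceMatcher(None, params.lower(), entry["params"].lower()).ratio()
        if ratio > threshold:
            return entry["category"]
    return None


def classify(params, attack_info=ATTACK_INFO):
    """Keyword analysis first, similarity second, null (None) otherwise."""
    return keyword_category(params) or similarity_category(params, attack_info)


def recommend(records, signature_rules=SIGNATURE_RULES, attack_info=ATTACK_INFO):
    """Sub-steps 272 and 273: classify each recommended path's parameters,
    expand the signatures found via the association table, and list the
    attack-info ids whose parameters contain any historical signature."""
    recommended = {}
    for rec in records:
        category = classify(rec["params"], attack_info)
        if category is None:  # null category: nothing to recommend
            continue
        signatures = set()
        for sig in KEYWORD_RULES.get(category, ()):
            if sig in rec["params"].lower():
                signatures.add(sig)
                signatures.update(signature_rules.get(sig, ()))
        matches = [e["id"] for e in attack_info
                   if any(s in e["params"].lower() for s in signatures)]
        recommended[rec["path"]] = {"category": category,
                                    "signatures": sorted(signatures),
                                    "matches": matches}
    return recommended


if __name__ == "__main__":
    sample = [{"path": "/download", "params": "../../../../etc/passwd"}]
    print(recommend(sample))
```

The scores only order the similarity comparison, so a high-scoring entry is allowed to claim a near-miss before a lower-scoring one; the keyword pass is deterministic and runs first, which matches the priority order described in step 26.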

In step 28, after receiving a feedback score signal, generated by the user through the data input module 11, relating to a feedback score for the recommended test attack information, the feedback module 17 updates the initial scores according to the feedback score signal. It is worth noting that, in this embodiment, the updated initial score is the average of the initial score and the feedback score; in other embodiments it may be adjusted according to weights, and is not limited to this.

In summary, in the penetration test case suggestion method and system of the present invention, the network information collection module 13 obtains the online attack information from the server so that data are collected automatically; the data preprocessing module 14 filters the predetermined attack information, the log files, and the online attack information to remove unnecessary content; the data analysis module 15 analyzes the associations among the filtered log files using a data mining algorithm, so that the recommendation module 16 recommends test attack information that carries those associations, improving the efficiency of penetration testing; and the feedback module 17 updates the initial scores according to the user's feedback, so that the recommendation module 16 generates the recommended test attack information more efficiently. The objects of the present invention are therefore indeed achieved.

The foregoing is merely an embodiment of the present invention and is not to be taken as limiting the scope of its implementation; all simple equivalent changes and modifications made according to the claims and the content of the specification of the present invention remain within the scope covered by the patent of the present invention.


Claims (14)

1. A penetration test case suggestion method, implemented by a penetration test case suggestion system that stores a plurality of pieces of predetermined attack information relating to a plurality of attack events and a plurality of log files relating to events that occurred while serving web pages, the method comprising the following steps:
(A) obtaining, via a communication network, a plurality of pieces of online attack information relating to a plurality of attack behaviours from at least one server of at least one website that records attack behaviours, and storing them;
(B) filtering the log files to obtain a plurality of filtered log files, each filtered log file including at least a plurality of access paths having a plurality of access points, and a plurality of syntax parameters;
(C) filtering the online attack information to obtain a plurality of pieces of filtered online attack information;
(D) analysing the relationships within the filtered log files with a data mining algorithm and, for each filtered log file, obtaining and storing a log file analysis result that includes the associations among the access points in that filtered log file and the associations among a plurality of attack feature syntax patterns relating to the syntax parameters in that filtered log file; and
(E) generating, according to the log file analysis result, the predetermined attack information, the filtered log files and the filtered online attack information, recommended test attack information that includes at least one of the predetermined attack information and the filtered online attack information.

2. The penetration test case suggestion method of claim 1, wherein the system further stores a plurality of website paths, and step (B) comprises the following sub-steps:
(B-1) removing, from the log files, those log files that satisfy a predetermined condition, to obtain a plurality of candidate log files;
(B-2) clustering the candidate log files;
(B-3) obtaining a plurality of target log files from the candidate log files according to the candidate log files and the website paths;
(B-4) for each target log file, extracting from it the access paths, the syntax parameters, a plurality of source addresses each corresponding to one of the access paths, a plurality of destination addresses each corresponding to one of the access paths, and a plurality of date-times each corresponding to one of the access paths, to obtain an extracted target log file; and
(B-5) performing an encoding conversion on the access paths of the extracted target log files to obtain the filtered log files.

3. The penetration test case suggestion method of claim 1, wherein in step (C), for each piece of online attack information, a data source address, a date-time, a plurality of syntax parameters, a screenshot and an attack category are extracted from that piece of online attack information to obtain one piece of filtered online attack information.
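Sub-steps (B-1) to (B-5) of claim 2 describe an ordinary web access log preprocessing pipeline. The Python below is an added illustration written for this page; it is not code from the patent or from the applicant. It assumes a combined-format access log with the served virtual host appended as a final field (so that each line carries a destination address), assumes the "predetermined condition" of (B-1) is a static-resource request, and assumes the "encoding conversion" of (B-5) is percent-decoding. The log lines, website paths and all names are constructed.

```python
import re
from datetime import datetime
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed format: combined access log with the served virtual host appended as a final
# field, so that each line carries both a source and a destination address.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<dst>\S+)$'
)

# Constructed sample lines (not taken from the patent).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Oct/2019:10:01:02 +0800] "GET /login.do?user=admin&pwd=x HTTP/1.1" 200 512 "-" "Mozilla/5.0" www.bank.example
203.0.113.7 - - [23/Oct/2019:10:01:05 +0800] "GET /static/logo.png HTTP/1.1" 200 9321 "-" "Mozilla/5.0" www.bank.example
198.51.100.9 - - [23/Oct/2019:10:02:11 +0800] "GET /account/query.do?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "curl/7.64.0" www.bank.example
198.51.100.9 - - [23/Oct/2019:10:02:40 +0800] "GET /transfer.do?to=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 221 "-" "curl/7.64.0" www.bank.example
192.0.2.4 - - [23/Oct/2019:10:03:00 +0800] "GET /unknown/page.jsp HTTP/1.1" 404 0 "-" "Mozilla/5.0" www.bank.example
"""

# Website paths assumed to be stored by the system (claim 2); only hits on these are targets.
SITE_PATHS = {"/login.do", "/account/query.do", "/transfer.do"}
STATIC_EXT = (".png", ".jpg", ".gif", ".css", ".js", ".ico", ".woff")


def is_excluded(path):
    """(B-1) The predetermined removal condition, assumed here to be a static-resource request."""
    return path.lower().endswith(STATIC_EXT)


def preprocess(log_text, site_paths=SITE_PATHS):
    """(B-1), (B-3), (B-4), (B-5) on raw lines; returns the filtered log records."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                # unparsable line: leave it out
        parts = urlsplit(m["target"])
        path = unquote(parts.path)                  # (B-5) encoding conversion, assumed to be
        if is_excluded(path):                       #       percent-decoding, done once and before
            continue                                #       matching so /login%2Edo is not missed
        if path not in site_paths:                  # (B-3) keep only known website paths
            continue                                # (B-1) drop by predetermined condition
        records.append({                            # (B-4) extract the claimed fields
            "source": m["src"],
            "destination": m["dst"],
            "datetime": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": path,
            # parse_qsl percent-decodes the parameter values as well
            "params": dict(parse_qsl(parts.query, keep_blank_values=True)),
            "status": int(m["status"]),
        })
    return records


def group_by_source(records):
    """(B-2) Group the records per source address in time order, giving each client's
    access-point sequence for the later association and sequence mining."""
    groups = {}
    for rec in sorted(records, key=lambda r: r["datetime"]):
        groups.setdefault(rec["source"], []).append(rec["path"])
    return groups


if __name__ == "__main__":
    for rec in preprocess(SAMPLE_LOG):
        print(rec["source"], rec["path"], rec["params"])
    print(group_by_source(preprocess(SAMPLE_LOG)))
```

Decode exactly once: if the log was written already decoded, a second `unquote()` turns a stored `%2527` into a quote character, and the syntax mined later no longer reflects what the server actually received. Grouping on the source address (B-2) is what yields the per-client access-point sets that the association rule mining of step (D) consumes.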
4. The penetration test case suggestion method of claim 1, wherein step (D) comprises the following sub-steps:
(D-1) for each filtered log file, obtaining the associations among the access points in that filtered log file by applying an association rule mining algorithm to those access points;
(D-2) for each filtered log file, obtaining a plurality of attack feature syntax patterns relating to the syntax parameters in that filtered log file by applying a sequential pattern mining algorithm to those syntax parameters;
(D-3) obtaining the associations among the attack feature syntax patterns by applying the association rule mining algorithm to those patterns; and
(D-4) generating the log file analysis result.
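Sub-steps (D-1) to (D-3) name two classic mining algorithms without fixing their parameters. The Python below is an added example for this page, not the patent's implementation: it writes out Apriori for the association rules, uses a simplified sequential pattern miner (frequent contiguous token sub-sequences without gaps, unlike GSP or PrefixSpan) for the attack feature syntax, and abstracts parameter values to tokens (NUM, ID, keywords, punctuation) before mining. The sessions, parameter values, thresholds and the token abstraction are all assumptions.

```python
import re
from collections import Counter
from itertools import combinations


def frequent_itemsets(transactions, min_support):
    """Apriori, level-wise: {itemset: support} for every itemset present in at least
    min_support (a fraction) of the transactions (sets of items)."""
    n = len(transactions)
    support = lambda s: sum(1 for t in transactions if s <= t) / n
    level = {frozenset([i]) for t in transactions for i in t}
    level = {s for s in level if support(s) >= min_support}
    result, k = {}, 1
    while level:
        result.update({s: support(s) for s in level})
        k += 1
        candidates = {a | b for a in level for b in level if len(a | b) == k}
        # Apriori pruning: a k-set can only be frequent if all its (k-1)-subsets are
        candidates = {c for c in candidates
                      if all(frozenset(sub) in level for sub in combinations(c, k - 1))}
        level = {c for c in candidates if support(c) >= min_support}
    return result


def association_rules(supports, min_confidence):
    """Rules (antecedent, consequent, support, confidence) from the frequent itemsets."""
    rules = []
    for itemset, supp in supports.items():
        for r in range(1, len(itemset)):
            for ante in map(frozenset, combinations(itemset, r)):
                conf = supp / supports[ante]
                if conf >= min_confidence:
                    rules.append((ante, itemset - ante, supp, conf))
    return rules


TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|--|[<>'\"=/().;]")
KEYWORDS = {"or", "and", "union", "select", "script", "alert"}


def syntax_tokens(value):
    """Abstract a parameter value into a token sequence: digits -> NUM, words that are not
    attack keywords -> ID, keywords upper-cased, punctuation kept literally (an assumption)."""
    out = []
    for tok in TOKEN_RE.findall(value):
        if tok.isdigit():
            out.append("NUM")
        elif tok[0].isalpha() or tok[0] == "_":
            out.append(tok.upper() if tok.lower() in KEYWORDS else "ID")
        else:
            out.append(tok)
    return out


def contains(seq, pattern):
    """True if pattern occurs as a contiguous run inside seq."""
    return any(tuple(seq[i:i + len(pattern)]) == pattern
               for i in range(len(seq) - len(pattern) + 1))


def frequent_sequences(sequences, min_support, max_len=6):
    """Simplified sequential pattern mining: frequent contiguous sub-sequences of length
    2..max_len, reduced to the maximal ones. GSP/PrefixSpan would also allow gaps."""
    n = len(sequences)
    counts = Counter()
    for seq in sequences:
        counts.update({tuple(seq[i:i + k])
                       for k in range(2, max_len + 1) for i in range(len(seq) - k + 1)})
    frequent = {g for g, c in counts.items() if c / n >= min_support}
    return {g for g in frequent if not any(g != h and contains(h, g) for h in frequent)}


def analyze(sessions, param_values, min_support=0.5, min_confidence=0.8):
    """Step (D): the log file analysis result for one set of filtered logs."""
    access_rules = association_rules(frequent_itemsets(sessions, min_support), min_confidence)  # D-1
    token_seqs = [syntax_tokens(v) for v in param_values]
    patterns = frequent_sequences(token_seqs, min_support)                                        # D-2
    per_value = [frozenset(p for p in patterns if contains(seq, p)) for seq in token_seqs]
    pattern_rules = association_rules(frequent_itemsets(per_value, min_support), min_confidence)  # D-3
    return {"access_point_rules": access_rules, "attack_syntax": patterns,
            "syntax_rules": pattern_rules}                                                        # D-4


# Constructed inputs (not from the patent): per-client access-point sets and parameter values.
SESSIONS = [
    frozenset({"/login.do", "/account/query.do", "/transfer.do"}),
    frozenset({"/login.do", "/account/query.do"}),
    frozenset({"/login.do", "/transfer.do", "/account/query.do"}),
    frozenset({"/login.do", "/account/query.do"}),
    frozenset({"/logout.do"}),
]
PARAM_VALUES = ["1' OR '1'='1", "admin' OR '1'='1' --", "1' OR 'a'='a",
                "<script>alert(1)</script>", "<script>alert(document.cookie)</script>", "normal"]

if __name__ == "__main__":
    for key, val in analyze(SESSIONS, PARAM_VALUES).items():
        print(key, sorted(val, key=str))
```

On the constructed input the three SQL-injection values share the maximal patterns `' OR '`, `' = '` and `NUM '`, and because they always co-occur the (D-3) rules among them have confidence 1.0; the two XSS values fall below the 50% support threshold and yield no pattern, which is the usual reason to mine per attack category or to lower the threshold on a larger log.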
5. The penetration test case suggestion method of claim 1, wherein step (E) comprises the following sub-steps:
(E-1) obtaining a plurality of recommended access paths according to the filtered log files, the associations among the access points of the filtered log files in the log file analysis result, and a filter condition;
(E-2) performing keyword analysis and similarity computation on the syntax parameters corresponding to the recommended access paths and, according to the associations among the attack feature syntax patterns in the log file analysis result, obtaining a plurality of historical attack feature syntax patterns corresponding to the recommended access paths; and
(E-3) generating the recommended test attack information according to the historical attack feature syntax patterns, the predetermined attack information and the filtered online attack information.

6. The penetration test case suggestion method of claim 1, further comprising, before step (E), the following step:
(F) for each filtered log file, performing at least keyword analysis on the syntax parameters of that filtered log file, the syntax parameters of the predetermined attack information and the syntax parameters of the filtered online attack information, to obtain an attack category corresponding to that filtered log file;
wherein in step (E) the recommended test attack information is further generated according to the attack categories corresponding to the filtered log files.
7. The penetration test case suggestion method of claim 6, further comprising, before step (F), the following step:
(G) upon receiving an initial rating signal relating to the predetermined attack information and the filtered online attack information, generated by an input operation of a user, generating and storing a plurality of initial scores corresponding to the predetermined attack information and the filtered online attack information;
wherein in step (F) the attack category is further obtained according to the initial scores; and further comprising, after step (E), the following step:
(H) upon receiving a feedback rating signal relating to the recommended test attack information, generated by an input operation of the user, updating the initial scores according to the feedback rating signal.
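Claims 5 to 7 together describe the recommendation loop: choose access paths that pass a filter condition on the mined access-point rules (E-1), match the parameters observed on those paths against historical attack syntax by keyword category and similarity (E-2, F), rank the predetermined and online attacks (E-3), and let analyst ratings adjust that ranking (G, H). The Python below is an added example and not the patent's code. The catalogue of attacks, the category keyword sets, Jaccard similarity over lexical tokens, additive score feedback, the thresholds, and the fallback of recommending the whole predetermined catalogue for a path whose parameters match nothing are all assumptions; the input records and rules are constructed.

```python
import re

TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|--|\.\.|[<>'\"=/().;]")


def tokens(text):
    """Lexical token set of a parameter value or payload, case-folded."""
    return {t.lower() for t in TOKEN_RE.findall(text)}


def jaccard(a, b):
    """Similarity measure assumed for (E-2): token-set overlap."""
    return len(a & b) / len(a | b) if a | b else 0.0


# Constructed stores; contents and field names are assumptions, not taken from the patent.
PREDETERMINED_ATTACKS = [
    {"id": "P1", "category": "SQL injection", "payload": "' OR '1'='1"},
    {"id": "P2", "category": "XSS", "payload": "<script>alert(1)</script>"},
    {"id": "P3", "category": "Path traversal", "payload": "../../etc/passwd"},
]
ONLINE_ATTACKS = [  # filtered online attack information, with the fields named in claim 3
    {"id": "O1", "category": "SQL injection", "payload": "admin' OR '1'='1' --",
     "source": "198.51.100.20", "datetime": "2019-10-01 00:00:00", "screenshot": "o1.png"},
    {"id": "O2", "category": "XSS", "payload": "<img src=x onerror=alert(1)>",
     "source": "198.51.100.21", "datetime": "2019-10-02 00:00:00", "screenshot": "o2.png"},
]
CATEGORY_KEYWORDS = {  # keyword analysis of step (F)
    "SQL injection": {"or", "and", "union", "select", "'", "--"},
    "XSS": {"<", ">", "script", "alert", "onerror"},
    "Path traversal": {"..", "etc", "passwd"},
}
INITIAL_SCORES = {"P1": 3, "P2": 3, "P3": 2, "O1": 5, "O2": 4}   # step (G), analyst ratings

FILTERED_LOGS = [  # filtered log records, constructed
    {"path": "/account/query.do", "params": {"id": "1' OR '1'='1"}},
    {"path": "/transfer.do", "params": {"to": "<script>alert(document.cookie)</script>"}},
    {"path": "/login.do", "params": {"user": "alice", "pwd": "s3cret"}},
]
ACCESS_POINT_RULES = [  # (antecedent, consequent, support, confidence) from association mining
    (frozenset({"/login.do"}), frozenset({"/account/query.do"}), 0.8, 1.0),
    (frozenset({"/login.do"}), frozenset({"/transfer.do"}), 0.4, 0.5),
]


def recommended_paths(rules, min_confidence=0.8):
    """(E-1) Access paths reachable through rules that pass the filter condition."""
    paths = set()
    for ante, cons, _supp, conf in rules:
        if conf >= min_confidence:
            paths |= ante | cons
    return paths


def classify(value):
    """(F) Attack category of a parameter value by keyword hits; None if nothing matches."""
    toks = tokens(value)
    best = max(CATEGORY_KEYWORDS, key=lambda c: len(toks & CATEGORY_KEYWORDS[c]))
    return best if toks & CATEGORY_KEYWORDS[best] else None


def recommend(records, rules, scores, min_similarity=0.3):
    """(E-2)/(E-3) For each recommended path, match the observed parameters against the
    predetermined and online attack payloads by category and similarity, then rank the
    candidates by analyst score (ties broken by similarity)."""
    catalogue = PREDETERMINED_ATTACKS + ONLINE_ATTACKS
    out = {}
    for path in sorted(recommended_paths(rules)):
        candidates = {}
        for rec in (r for r in records if r["path"] == path):
            for value in rec["params"].values():
                category = classify(value)
                for atk in catalogue:
                    sim = jaccard(tokens(value), tokens(atk["payload"]))
                    if atk["category"] == category or sim >= min_similarity:
                        candidates[atk["id"]] = max(candidates.get(atk["id"], 0.0), sim)
        if not candidates:   # nothing attack-like seen: fall back to the predetermined checklist
            candidates = {atk["id"]: 0.0 for atk in PREDETERMINED_ATTACKS}
        out[path] = sorted(candidates, key=lambda i: (scores.get(i, 0), candidates[i]), reverse=True)
    return out


def apply_feedback(scores, attack_id, delta):
    """(H) Analyst feedback on a recommendation adjusts its stored score (additive, assumed)."""
    scores[attack_id] = scores.get(attack_id, 0) + delta
    return scores


if __name__ == "__main__":
    scores = dict(INITIAL_SCORES)
    print(recommend(FILTERED_LOGS, ACCESS_POINT_RULES, scores))
    apply_feedback(scores, "P1", 3)          # tester confirmed P1 found a real issue
    print(recommend(FILTERED_LOGS, ACCESS_POINT_RULES, scores))
```

With the constructed input, `/transfer.do` is never recommended because its rule fails the 0.8 confidence filter even though an XSS probe was logged against it; that is the trade-off of (E-1) as claimed, and a practitioner would normally surface paths with attack-like parameters regardless of the rule filter. The feedback step only reorders candidates, it never removes any, so a poorly rated test attack still reaches the tester at the bottom of the list.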
8. A penetration test case suggestion system, comprising:
a storage module storing a plurality of pieces of predetermined attack information relating to a plurality of attack events and a plurality of log files relating to events that occurred while serving web pages;
a network information collection module, electrically connected to the storage module, for obtaining, via a communication network, a plurality of pieces of online attack information relating to a plurality of attack behaviours from at least one server of at least one website that records attack behaviours, and storing them in the storage module;
a data preprocessing module, electrically connected to the storage module, for filtering the log files to obtain a plurality of filtered log files, each filtered log file including at least a plurality of access paths having a plurality of access points and a plurality of syntax parameters each corresponding to one of the access paths, and for filtering the online attack information to obtain a plurality of pieces of filtered online attack information;
a data analysis module, electrically connected to the storage module, for analysing the relationships within the filtered log files with a data mining algorithm and, for each filtered log file, obtaining a log file analysis result that includes the associations among the access points in that filtered log file and the associations among a plurality of attack feature syntax patterns relating to the syntax parameters in that filtered log file, and storing it in the storage module; and
a recommendation module, electrically connected to the storage module, for generating, according to the log file analysis result, the predetermined attack information, the filtered log files and the filtered online attack information, recommended test attack information that includes at least one of the predetermined attack information and the filtered online attack information.

9. The penetration test case suggestion system of claim 8, wherein the storage module further stores a plurality of website paths, and the data preprocessing module removes, from the log files, those log files that satisfy a predetermined condition to obtain a plurality of candidate log files; obtains a plurality of target log files from the candidate log files according to the candidate log files and the website paths; extracts from each target log file the access paths, the syntax parameters, a plurality of source addresses each corresponding to one of the access paths, a plurality of destination addresses each corresponding to one of the access paths, and a plurality of date-times each corresponding to one of the access paths, to obtain an extracted target log file; and performs an encoding conversion on the access paths of the extracted target log files to obtain the filtered log files.

10. The penetration test case suggestion system of claim 8, wherein for each piece of online attack information the data preprocessing module extracts from that piece of online attack information a data source address, a date-time, a plurality of syntax parameters, a screenshot and an attack category, to obtain one piece of filtered online attack information.

11. The penetration test case suggestion system of claim 8, wherein for each filtered log file the data analysis module obtains the associations among the access points in that filtered log file by applying an association rule mining algorithm to those access points, obtains a plurality of attack feature syntax patterns relating to the syntax parameters in that filtered log file by applying a sequential pattern mining algorithm to those syntax parameters, and then obtains the associations among the attack feature syntax patterns by applying the association rule mining algorithm to those patterns, so as to generate the log file analysis result.
12. The penetration test case suggestion system of claim 8, wherein the recommendation module obtains a plurality of recommended access paths according to the filtered log files, the associations among the access points of the filtered log files in the log file analysis result, and a filter condition; performs keyword analysis and similarity computation on the syntax parameters corresponding to the recommended access paths and, according to the associations among the attack feature syntax patterns in the log file analysis result, obtains a plurality of historical attack feature syntax patterns corresponding to the recommended access paths; and then generates the recommended test attack information according to the historical attack feature syntax patterns, the predetermined attack information and the filtered online attack information.

13. The penetration test case suggestion system of claim 8, wherein for each filtered log file the recommendation module performs at least keyword analysis on the syntax parameters of that filtered log file, the syntax parameters of the predetermined attack information and the syntax parameters of the filtered online attack information, to obtain an attack category corresponding to that filtered log file, and further generates the recommended test attack information according to the attack categories corresponding to the filtered log files.
14. The penetration test case suggestion system of claim 13, further comprising a feedback module electrically connected to the data input module, wherein, upon receiving an initial rating signal relating to the predetermined attack information and the filtered online attack information, generated by a user through the data input module, the feedback module generates a plurality of initial scores corresponding to the predetermined attack information and the filtered online attack information and stores them in the storage module, and upon receiving a feedback rating signal relating to the recommended test attack information, generated by an input operation of the user, the feedback module updates the initial scores according to the feedback rating signal.
TW108138229A 2019-10-23 2019-10-23 Penetration test case suggestion method and system TWI726455B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW108138229A TWI726455B (en) 2019-10-23 2019-10-23 Penetration test case suggestion method and system

Publications (2)

Publication Number Publication Date
TW202117620A TW202117620A (en) 2021-05-01
TWI726455B true TWI726455B (en) 2021-05-01

Family

ID=77020574

Country Status (1)

Country Link
TW (1) TWI726455B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102136051A (en) * 2011-05-06 2011-07-27 南开大学 Method for driving web application penetration testing by applying SGM-SQL (sage grant management-structured query language) injection model
US8356353B2 (en) * 2007-06-26 2013-01-15 Core Sdi, Incorporated System and method for simulating computer network attacks
US8464346B2 (en) * 2007-05-24 2013-06-11 Iviz Techno Solutions Pvt. Ltd Method and system simulating a hacking attack on a network
TW201426578A (en) * 2012-12-27 2014-07-01 Ind Tech Res Inst Generation method and device and risk assessment method and device for anonymous dataset
US9298913B2 (en) * 2013-11-12 2016-03-29 Macau University Of Science And Technology Method of detecting intrusion based on improved support vector machine
TW201627906A (en) * 2015-01-27 2016-08-01 中華電信股份有限公司 Auxiliary devices and methods for information security tests
WO2019079621A1 (en) * 2017-10-19 2019-04-25 Circadence Corporation Method and system for penetration testing classification based on captured log data
EP3331210B1 (en) * 2016-12-05 2019-07-17 Institute for Imformation Industry Apparatus, method, and non-transitory computer-readable storage medium for network attack pattern determination
TW201931189A (en) * 2018-01-12 2019-08-01 日商三菱電機股份有限公司 Countermeasure formulation assistance device, countermeasure formulation assistance method, and countermeasure formulation assistance program
US10387657B2 (en) * 2016-11-22 2019-08-20 Aon Global Operations Ltd (Singapore Branch) Systems and methods for cybersecurity risk assessment

Also Published As

Publication number Publication date
TW202117620A (en) 2021-05-01
