CN117155597A - A system that implements penetration testing processing based on data security supervision - Google Patents

Abstract

The invention relates to a system for realizing penetration test processing based on data security supervision, wherein the system comprises: a control plane is provided, and the control plane comprises: the safety event management module is used for collecting and analyzing safety event information, checking and alarming with the penetration test result, and ensuring that the safety information alarming is consistent with the penetration result filling; the identity authentication module is used for authenticating the identity of the penetration tester so as to ensure that only authorized personnel can access the target network; the behavior monitoring module is used for monitoring the operation behaviors of the penetration tester in real time so as to ensure that the behaviors are visible, controllable, auditable and traceable; and a data plane is also provided, and the data plane comprises: and the data security guarantee module is used for encrypting and storing the penetration test result and preventing data leakage. By adopting the system, a zero trust concept is introduced to design the whole architecture of the system.

Description

A system that implements penetration testing processing based on data security supervision

Technical field

The present invention relates to the technical field of computer network security, in particular to the technical field of data security supervision, and specifically refers to a system for realizing penetration testing processing based on data security supervision.

Background technique

With the development of the Internet, network security problems are becoming increasingly serious. Penetration testing has been widely used as a method to proactively discover system vulnerabilities. For example:

1) Penetration testing tools: Metasploit, Nessus, OpenVAS, Kali Linux, etc. These tools can perform vulnerability scanning and penetration testing on the network, but they lack the supervision and management functions for data security.

2) Data security management technology: including data backup, encryption, rights management, auditing and other technologies. These technologies can provide data protection and management functions, but lack active vulnerability discovery and penetration testing functions.

It can be seen that traditional open penetration testing services have many problems. During the penetration testing process, there are often hidden dangers such as data leakage, malicious residence, link hijacking, and other violations of penetration testing rules and dispute resolutions. The existence of these hidden dangers further makes it impossible to trace the source of security incidents, and security information alarms and penetration results are inconsistently reported. Problems such as incomplete review, unclear causes, and inadequate rectifications. Therefore, there is an urgent need to research a penetration testing system based on data security supervision, which can integrate these technologies and have the functions of active vulnerability scanning and penetration testing supervision at the same time to provide more comprehensive data security protection and management. This is penetration testing A new technological development direction in the field.

Contents of the invention

The purpose of the present invention is to overcome the above-mentioned shortcomings of the prior art and provide a system for realizing penetration testing processing based on data security supervision that solves the problem of inconsistencies between security event information and penetration results.

In order to achieve the above objectives, the system of the present invention for realizing penetration testing processing based on data security supervision is as follows:

The main features of this system for realizing penetration testing processing based on data security supervision are that the system includes:

A control plane is provided, and the control plane includes:

The security event management module is responsible for collecting and analyzing security event information, and verifying security alarms with penetration test results to ensure that security information alarms are consistent with penetration results;

Identity authentication module, used to authenticate penetration testers to ensure that only authorized personnel can access the target network;

Behavior monitoring module, used to monitor the operational behavior of penetration testers in real time to ensure that their behavior is visible, controllable, auditable and traceable; and

A data plane is also provided, and the data plane includes:

The data security module is used to encrypt and store penetration test results to prevent data leakage.

Preferably, the control plane is also provided with an access control module. The access control module is connected to the security event management module and the identity authentication module, and is used to grant access rights to the penetration tester. Managed to prevent the intersection of the data plane and the control plane.

Preferably, the control plane and the data plane are separated using a software-defined network, wherein the control plane designs the egress architecture as follows based on the software-defined network:

A data layer is set up, which contains several business services;

A control layer, which is equipped with a business chain and a controller, is connected to the data layer through the northbound interface, and is connected to the control plane through the management interface and the east-west interface;

The infrastructure layer is equipped with a behavior management unit, an intrusion detection unit, a firewall, a router, a switch, and a Web application firewall WAF, and is connected to the control layer through the southbound interface.

Preferably, the controller uses the OpenFlow protocol to communicate with the switch, controls the flow table in the switch, defines and creates traffic paths according to actual usage requirements, and plans the business chain;

And the controller is connected to each device, the security channel of the controller, and the OpenFlow table entry through an OpenFlow component, and the OpenFlow component includes an OpenFlow switch and an OpenFlow controller.

Preferably, the OpenFlow switch is composed of OpenFlow entries on the hardware plane and secure channels on the software plane, and includes several OpenFlow instances, each of which is individually connected to the controller. , and guide traffic forwarding according to the flow table items issued by the controller.

Preferably, the security event management module also includes setting a security log alarm unit to perform traffic log audit processing, specifically as follows:

Log aggregation and analysis is performed on external log abnormal alarms, unauthorized log security alarms and host crash log alarms through virtual network export mirror traffic analysis technology, and relies on user entity behavior analysis to identify abnormalities and dangers on users, machines and network links based on UEBA security device identification. Behavior, model the standard behavior of users and entities, build behavioral portraits, and finally find out through technical identification and comparison with traffic baselines to form effective identification of attack behaviors.

Preferably, the security event management module is also provided with an achievement registration and reporting unit, and the achievement registration and reporting unit constructs a penetration achievement database through threat type description, attack means classification, detailed explanation of the attack process, and privacy de-identification;

And the security event management module associates and matches the log alarm content aggregated by the security log alarm unit and the penetration test results reported by the penetration result library to achieve security supervision processing.

Preferably, the security event management module also includes monitoring attack behavior in the following manner, specifically:

Keyboard monitoring technology, screen watermark and recording technology, and traffic mirroring monitoring are used for timestamp synchronization and record linkage processing to provide full-process linkage traceability of security events and attack behaviors, and to implement the security supervision process in the penetration testing site.

Preferably, the keyboard monitoring technology is specifically:

By extracting specific system functions and library functions and using their return values to obtain keyboard status information, we scan the user's keystrokes and obtain the user's keystroke information.

Preferably, the screen watermark and recording technology is specifically:

Based on DXGI technology, the terminal screen is recorded and collected, and the Desktop Duplication API is used to provide desktop images through DXGI. The processing flow is as follows:

(1)Create D3D Device;

(2) Obtain the path through the interface and obtain the IDXGIOutputDuplication interface pointer;

(3) Intercept the current desktop data through the AcquireNextFrame API and save it to IDXGIResource;

(4) Map the acquired data from the GPU to the memory;

(5) Copy the required data to the local buffer.

Preferably, the data plane is also provided with a network resource domain, and the network resource domain is connected to the data security module. The network resource domain specifically performs the following processing:

Network egress proxy, network traffic management, network policy management and network routing management.

The system of the present invention that implements penetration testing based on data security supervision has the following beneficial effects:

1) Supervise the penetration testing process. Provide enterprises and organizations with a comprehensive data security protection and penetration testing supervision solution to make the entire penetration testing process controllable, checkable, and auditable.

2) Control penetration testing behavior. Effectively solve various security risks that penetration team members may have when using their own equipment, including: missed results, looking for foreign aid, risks in their own equipment, link hijacking and other risks, and control the entire process of penetration test result data to prevent risks. Not yet.

3) Evaluate penetration testing quality. Establish a penetration testing quality assessment mechanism and standardize the results reporting format to objectively quantify the penetration testing team members' abilities. Comprehensive evaluation and ranking based on dimensions such as the time window for penetration team members to invade the system, the number of assets acquired, and the quality of the vulnerabilities discovered, effectively ensures the overall quality of penetration testing through team ranking.

Description of the drawings

Figure 1 is a schematic diagram of the system plane separation for realizing penetration testing processing based on data security supervision according to the present invention.

Figure 2 is a schematic diagram of the present invention's software-defined network egress architecture design.

Figure 3 is a schematic diagram of the workflow of the present invention based on a software-defined network controller.

Figure 4 is a flow chart of screen recording processing according to the present invention.

Figure 5 is a schematic structural diagram of the security event management module of the present invention in a penetration testing scenario.

Detailed ways

In order to describe the technical content of the present invention more clearly, further description is provided below in conjunction with specific embodiments.

Before describing embodiments according to the present invention in detail, it should be noted that in the following the terms "comprises", "comprising" or any other variations are intended to cover a non-exclusive inclusion, thereby making a process including a series of elements A process, method, article or apparatus contains not only these elements, but also other elements not expressly listed or inherent to such process, method, article or apparatus.

Please refer to Figure 1, which shows a system for implementing penetration testing based on data security supervision. The system includes:

A control plane is provided, and the control plane includes:

The security event management module is responsible for collecting and analyzing security event information, and verifying security alarms with penetration test results to ensure that security information alarms are consistent with penetration results;

Identity authentication module, used to authenticate penetration testers to ensure that only authorized personnel can access the target network;

Behavior monitoring module, used to monitor the operational behavior of penetration testers in real time to ensure that their behavior is visible, controllable, auditable and traceable; and

A data plane is also provided, and the data plane includes:

The data security module is used to encrypt and store penetration test results to prevent data leakage.

As a preferred embodiment of the present invention, the control plane is also provided with an access control module. The access control module is connected to the security event management module and the identity authentication module for conducting penetration testing. Personnel access rights are managed, thereby preventing the intersection of the data plane and the control plane.

Please refer to Figure 2. As a preferred embodiment of the present invention, the control plane and the data plane are separated using a software-defined network. The control plane designs the egress architecture as follows based on the software-defined network:

A data layer is set up, which contains several business services;

A control layer, which is equipped with a business chain and a controller, is connected to the data layer through the northbound interface, and is connected to the control plane through the management interface and the east-west interface;

The infrastructure layer is equipped with a behavior management unit, an intrusion detection unit, a firewall, a router, a switch, and a Web application firewall WAF, and is connected to the control layer through the southbound interface.

Please refer to Figure 3. As a preferred embodiment of the present invention, the controller uses the OpenFlow protocol to communicate with the switch, controls the flow table in the switch, and defines and creates traffic paths according to actual usage requirements. Plan the business chain described;

And the controller is connected to each device, the security channel of the controller, and the OpenFlow table entry through an OpenFlow component, and the OpenFlow component includes an OpenFlow switch and an OpenFlow controller.

As a preferred embodiment of the present invention, the OpenFlow switch is composed of OpenFlow entries on the hardware plane and secure channels on the software plane, and includes several OpenFlow instances, each of which is independently connected to the The controller is connected and directs traffic forwarding based on the flow table items issued by the controller.

Please refer to Figure 5. As a preferred embodiment of the present invention, the security event management module also includes setting a security log alarm unit to perform traffic log audit processing, specifically as follows:

Log aggregation and analysis is performed on external log abnormal alarms, unauthorized log security alarms and host crash log alarms through virtual network export mirror traffic analysis technology, and relies on user entity behavior analysis to identify abnormalities and dangers on users, machines and network links based on UEBA security device identification. Behavior, model the standard behavior of users and entities, build behavioral portraits, and finally find out through technical identification and comparison with traffic baselines to form effective identification of attack behaviors.

As a preferred embodiment of the present invention, the security event management module is also provided with a result registration and reporting unit. The result registration and reporting unit constructs penetration results through threat type description, attack means classification, detailed explanation of the attack process, and privacy de-identification. library;

And the security event management module associates and matches the log alarm content aggregated by the security log alarm unit and the penetration test results reported by the penetration result library to achieve security supervision processing.

As a preferred embodiment of the present invention, the security event management module also includes monitoring attack behavior in the following manner, specifically:

Keyboard monitoring technology, screen watermark and recording technology, and traffic mirroring monitoring are used for timestamp synchronization and record linkage processing to provide full-process linkage traceability of security events and attack behaviors, and to implement the security supervision process in the penetration testing site.

As a preferred embodiment of the present invention, the keyboard monitoring technology is specifically:

By extracting specific system functions and library functions and using their return values to obtain keyboard status information, we scan the user's keystrokes and obtain the user's keystroke information.

Please refer to Figure 4. As a preferred embodiment of the present invention, the screen watermark and recording technology is specifically:

Based on DXGI technology, the terminal screen is recorded and collected, and the Desktop Duplication API is used to provide desktop images through DXGI. The processing flow is as follows:

(1)Create D3D Device;

(2) Obtain the path through the interface and obtain the IDXGIOutputDuplication interface pointer;

(3) Intercept the current desktop data through the AcquireNextFrame API and save it to IDXGIResource;

(4) Map the acquired data from the GPU to the memory;

(5) Copy the required data to the local buffer.

As a preferred embodiment of the present invention, a network resource domain is also provided on the data plane. The network resource domain is connected to the data security module. The network resource domain specifically performs the following processing:

Network egress proxy, network traffic management, network policy management and network routing management.

In practical applications, the system of this technical solution that implements penetration testing processing based on data security supervision is mainly to provide a comprehensive, effective, and reliable data security protection and management solution to help enterprises and organizations do a good job in data security protection. Respond to increasing security threats and risks. The system mainly includes the following five modules:

1) Identity authentication module: This module is responsible for identity authentication of penetration testers to ensure that only authorized personnel can access the target network.

2) Access control module: This module is responsible for managing the access rights of penetration testers, preventing the intersection of the data plane and the control plane, and reducing security risks.

3) Behavior monitoring module: This module monitors the operational behavior of penetration testers in real time to ensure that their behavior is visible, controllable, auditable and traceable. All monitoring data is stored in a centralized server to facilitate later auditing and supervision.

4) Data security module: This module encrypts and stores penetration test results to prevent data leakage. At the same time, the operations of penetration testers can be restricted to avoid bad behaviors such as leaving backdoors.

5) Security event management module: This module is responsible for collecting and analyzing security event information, verifying it with penetration test results, and ensuring that security information alarms and penetration results are consistent, which facilitates review, traceability, and rectification. Centrally manage the operational data of penetration testers to facilitate later auditing and supervision and reduce risks caused by human factors.

This technical solution is oriented to the penetration testing business, providing full-process security supervision capabilities in local and remote penetration testing scenarios to meet test subjects' requirements for access security, operational compliance, and process controllability in penetration testing. The system adopts the concept of security supervision and builds a supervision platform through technical models, which can achieve effective supervision of the penetration testing process, effectively control the penetration testing behavior, and objectively evaluate the quality of the penetration testing. The core implementation steps of the supervision system are mainly divided into the following two steps, with asynchronous operations between the two steps:

Step one: Automatic attack egress orchestration and traffic convergence. In order to meet the needs of multiple security teams for simultaneous penetration testing services and to flexibly configure different exit IPs, software-defined network technology is used to build a dynamic network environment. In this process, the identity authentication and access control modules play an important role. First, the system connects different virtual cloud desktops to their respective virtual switches, and then connects to the Internet through the virtual router. In the virtual router, a traffic forwarding service is configured to monitor and manage attack traffic. All traffic will eventually be transferred to the egress VPS through the router to achieve IP egress diversity and effective division of network boundaries. Compared with the traditional open traffic attack mode, the attack traffic can be converged more effectively. In the identity authentication module, each penetration testing team member is assigned unique cloud desktop resources, and configures their identity authentication and exit IP. When only authorized personnel can access the target network through the specified egress IP. At the same time, the access control module will further manage and control the access rights of penetration testers. In this way, we can better control and manage penetration testing behaviors and improve the security and controllability of the testing process.

Step 2: Correlation and behavior monitoring of multi-source audit logs. First of all, the behavior monitoring module uses three methods of recording keyboard input, recording the entire terminal screen, and collecting network traffic logs to effectively monitor terminal operating behavior and network traffic. Together, these functions ensure all-round recording and tracking of terminal operations, thereby ensuring that penetration testing behaviors are auditable, reviewable, and traceable. Next, the data security assurance module is implemented using VDI cloud desktop management technology, using encryption means to store penetration test results and strictly restricting the export of data to prevent data leakage and ensure data security. Finally, the security incident management module sorts out and implements a set of security inspection technical specifications based on results verification based on in-depth research on penetration testing scenarios. This set of specifications clearly stipulates the workflow of penetration testing service providers or testers, the scope of testing vulnerabilities, penetration goals and reporting behaviors to achieve a comprehensive audit of the penetration testing process. The combination of these three modules forms a comprehensive and effective supervision mechanism, which ensures the behavioral compliance of the penetration testing team, ensures data security, and provides strong support for the management of security incidents.

There are two key technical points involved in carrying out the above research steps:

1) Based on the design concept of separation of control plane and data plane, research software-defined network and boundary technology to achieve secure access control throughout the entire process of penetration testing. Support the custom development of traffic transfer services in virtual routers to provide basic conditions for subsequent traceability analysis. At the same time, all traffic under the router is transferred to the egress VPS, forming a linkage between cloud desktop, VPC network, and cloud VPS, and ultimately realizing a software-defined virtual ring. Links between VPC networks and public IP exports.

2) Research the traceability analysis technology related to terminal audit and network attack traffic, and realize the security supervision audit of the whole process of penetration testing results verification and retrospective review. Through correlation analysis of log analysis results such as screen recording, keyboard operations, and traffic analysis of controllable terminals, the security supervision workflow in penetration testing and attack and defense drill scenarios is realized.

The entire system will implement security supervision of the penetration testing process based on the concept of data security assurance. Through control plane scheduling and data plane linkage, testers' safe access, access control, network and data isolation and supervision will be achieved.

1) Research the software-defined network approach to separate the control plane and data plane and open programmability to achieve comprehensive convergence of attack traffic and network chain troubleshooting capabilities in complex scenarios.

The software-defined network method is used to separate the control plane and data plane and open programmability. By separating the control plane and data plane and using open communication protocols, it breaks the closed nature of traditional network equipment. In addition, the open interfaces and programmability in the north-south and east-west directions also make network management simpler, dynamic and flexible. The configuration on the business chain can then be distributed to the corresponding network and security devices to achieve security, Flexible traffic orchestration.

Compared with traditional networks, software-defined networks are flow rule-driven networks. Whether and when information flows through a security device are determined by flow rules issued by the controller. Physical security devices It does not have the right to decide itself. This gives the controller strong control over business flows and has great advantages in fine-grained, dynamic adjustment and push of various security policies. This solution adopts a unified physical architecture design and is divided into application layer, control layer and infrastructure layer. The design of the software-defined Internet egress architecture is shown in Figure 2.

Please refer to Figure 3. The controller uses the OpenFlow protocol to communicate with the switch, controls the flow table in the switch, defines and creates traffic paths according to actual usage requirements, that is, plans the business chain; and includes it through the OpenFlow component It includes OpenFlow switches, OpenFlow controllers, secure channels (SecureChannel) used to connect devices and controllers, and OpenFlow entries. OpenFlow switch devices and OpenFlow controllers are entities that make up an OpenFlow network and are required to support secure channels and OpenFlow entries.

OpenFlow switches are composed of OpenFlow entries on hardware devices and secure channels on system software. OpenFlow entries are a key component of OpenFlow and are issued by the Controller to implement control plane offloading and forwarding control. An OpenFlow switch can have several OpenFlow instances. Each OpenFlow instance can be connected to the controller independently, which is equivalent to an independent switch. It guides traffic forwarding according to the flow table items issued by the controller. OpenFlow instances make it possible for an OpenFlow switch to be controlled by multiple sets of controllers at the same time.

2) Research terminal auditing and traceability analysis technology related to network attack traffic to achieve security supervision linkage capabilities in penetration testing and attack and defense drill scenarios.

In order to strengthen the supervision of penetration testing team members, traditional penetration testing services often take the form of offline organizations and monitor through external cameras. However, screen recording monitoring and audit files need to be manually reviewed one by one for identification, which is not only inefficient but also has problems such as missing key frames for review. The penetration testing process in this project involves user data security, so the control of operator behavior is particularly important. This project will use three technologies: terminal input recording, screen recording, and traffic logs to ensure that terminal network event correlations can be viewed and traced.

Terminal keystroke record capture: We use a unique keyboard monitoring technology for the Windows terminal platform, which can monitor the keyboard operations of users and programs. This is mainly done by extracting specific system functions and library functions and using their return values to obtain keyboard status information. For example, GetAsyncKeyState(x) can return to whether the key with virtual keyboard code x has been pressed when the function was last called. Pressed. On this basis, you can write a program to use these functions to scan the user's keystrokes to obtain the user's keystroke information.

Screen watermark and recording: Screen recording of the terminal screen will be captured based on DXGI technology, and the Desktop Duplication API will be used to provide desktop images through DirectX Graphics Infrastructure (hereinafter referred to as DXGI). The competition is for GPU pipeline resources, so the CPU usage is very high. Low, the collection performance is very high. Since this set of capabilities is integrated and provided in DirextX, it is basically consistent with the use of most DirectX interfaces. The process is summarized in Figure 4. Using DXGI to query various DirectX COM interfaces, the IDXGIOutputDuplication interface pointer is finally obtained. When taking a screenshot Use the core AcquireNextFrame API to obtain the current desktop image.

Traffic log audit: Through virtual network egress mirror traffic analysis technology, relying on UEBA security device identification to discover abnormal and dangerous behaviors on users, machines, and network links, and modeling the standard behaviors of users and entities, building behavioral portraits, and finally Through technical identification and traffic baseline comparison, we can effectively identify attack behaviors.

Through the above three technical means, the behaviors on the terminal side and the network side can be effectively linked through timestamps, providing full-process linkage traceability of security events and attack behaviors on the platform, and ultimately realizing the security supervision process in the penetration testing field.

Please refer to Figure 5. The above figure is the security event management process in a penetration testing scenario. The system comprehensively supervises the penetration testing attack chain through functional processes such as security log alarms, attack behavior monitoring, and result registration to achieve penetration testing supervision. The platform has controllable and checkable requirements. The setting of the above supervision process constitutes the core function of the security event management module.

Security event management module: Responsible for processing the log alarm content of the platform and the reported content of penetration test results, performing correlation matching, and alerting on abnormal information. This method can not only detect and deal with possible security threats in a timely manner, but also ensure the correctness and completeness of penetration testing results.

The overall architecture of this system is designed around the ultimate goal of data security and the requirements for security supervision in penetration testing scenarios. Logical components use a separate control plane to communicate, while application data communicates on the data plane. The "identity authentication module", "access control module", "behavior monitoring module", "data security assurance module", and "security event management module" shown in Figure 1 constitute a complete set of penetration testing based on data security supervision. Compared with traditional open penetration testing scenarios, the system can effectively ensure security requirements such as the uniqueness of user identities, network isolation between work domains, and dynamic forwarding of exits during the penetration testing process, meeting the security and reliability of the penetration testing supervision platform.

In a specific implementation mode of the present invention, the overall implementation process of this system includes several stages such as demand analysis and research, key technology research, system outline design, system detailed design, functional development, functional testing, project acceptance, etc., and finally builds a "data-based Penetration testing system for security supervision”.

After the system is built, the penetration test team members pass the identity authentication service and use the cloud desktop login link to complete resource utilization. Each cloud desktop supports custom settings of the cloud Internet exit IP through the virtual gateway. At the same time, the supervision platform will conduct SDM screen recording audits of controllable cloud terminals, collect terminal typing content, configure traffic forwarding services on the cloud desktop virtual routing side to audit attack traffic, and finally send all audit results back to the supervision platform business as events. Unified management of the plane.

Compared with the existing technology, the innovation of this technical solution lies in the in-depth application exploration and practice of data security supervision requirements, which can improve the security performance of the system and protect the security of supervision data. Its main innovation points include the following:

First, with supervision as the core, the zero-trust concept was introduced to design the overall architecture of the system. Through the unified cloud desktop login portal provided by the system, terminal desktop screen recording, keyboard operation records, and attack traffic during the penetration testing process can be targeted. Monitoring is associated with timestamp dimensions to form a linked audit plan;

The second is to use control as a means. The system as a whole uses a VDI cloud desktop to provide individual penetration testing dedicated terminals to penetration team members, which can effectively solve various security risks that penetration team members may have when using their own equipment, including: missed results, search results, etc. There are risks in foreign aid, own equipment, link hijacking, etc. to ensure that the entire penetration testing process is controllable;

The third is to use evaluation as a mechanism. The system's security event management module can objectively quantify the penetration test team members' abilities and support online rankings. It conducts comprehensive evaluations around the time window for penetration team members to invade the system, the number of assets acquired, and the quality of the vulnerabilities discovered. A post-development evaluation mechanism effectively ensures the overall quality of penetration testing. For example: Select 5 teams at the same time to meet customer needs, and only take the top 3 scoring scenarios.

Any process or method descriptions in flowcharts or otherwise described herein may be understood to represent modules, segments, or portions of code that include one or more executable instructions for implementing the specified logical functions or steps of the process. , and the scope of the preferred embodiments of the invention includes additional implementations in which functions may be performed out of the order shown or discussed, including in a substantially simultaneous manner or in the reverse order, depending on the functionality involved, which shall It should be understood by those skilled in the art to which embodiments of the present invention belong.

It should be understood that various parts of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution device.

Those of ordinary skill in the art can understand that all or part of the steps involved in implementing the methods of the above embodiments can be completed by instructing relevant hardware through a program. The program can be stored in a computer-readable storage medium. When the program is executed, , including one of the steps of the method embodiment or a combination thereof.

The storage media mentioned above can be read-only memory, magnetic disks or optical disks, etc.

In the description of this specification, references to the terms "one embodiment," "some embodiments," "examples," "specific examples," or "embodiments" or the like are intended to mean that specific features are described in connection with the embodiment or example. , structures, materials or features are included in at least one embodiment or example of the invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.

Although the embodiments of the present invention have been shown and described above, it can be understood that the above-mentioned embodiments are illustrative and should not be construed as limitations of the present invention. Those of ordinary skill in the art can make modifications to the above-mentioned embodiments within the scope of the present invention. The embodiments are subject to changes, modifications, substitutions and variations.

In practical applications, the system of this technical solution that implements penetration testing based on data security supervision has the following social and economic benefits:

1)Social benefits

Through the implementation of the present invention, a penetration testing system based on data security supervision can be formed to address business pain points such as data leakage risks, malicious residence risks, and other violations of penetration testing rules, dispute adjudication, etc. during the penetration testing process, and provide customers with standardized penetration testing Testing services enable the entire penetration testing process to be traceable and reviewable. This ensures that the business of key units can carry out penetration testing within a controllable range and improves the security and robustness of the systems of key units.

2) Economic benefits

The penetration testing system formed by this invention for data security supervision can be promoted to key units and corresponding supervision units across the country. It is estimated that within three years of the system being implemented, it can assist security service personnel in completing a market of 3 million yuan in penetration testing related services. Results transformation.

In this specification, the invention has been described with reference to specific embodiments thereof. However, it is apparent that various modifications and changes can be made without departing from the spirit and scope of the invention. Accordingly, the specification and drawings are to be regarded as illustrative rather than restrictive.

Claims (11)

1. A system for implementing a penetration test process based on data security supervision, the system comprising:

a control plane is provided, and the control plane comprises:

the safety event management module is used for collecting and analyzing safety event information, checking and alarming with the penetration test result, and ensuring that the safety information alarming is consistent with the penetration result filling;

the identity authentication module is used for authenticating the identity of the penetration tester so as to ensure that only authorized personnel can access the target network;

the behavior monitoring module is used for monitoring the operation behaviors of the penetration tester in real time so as to ensure that the behaviors are visible, controllable, auditable and traceable; and

a data plane is also provided, and the data plane comprises:

and the data security guarantee module is used for encrypting and storing the penetration test result and preventing data leakage.

2. The system for implementing penetration test based on data security supervision according to claim 1, wherein an access control module is further provided in the control plane, and the access control module is connected to the security event management module and the identity authentication module, and is configured to manage access rights of the penetration tester, so as to prevent intersection of the data plane and the control plane.

3. The system for implementing penetration test based on data security supervision according to claim 1, wherein the control plane and the data plane are separated by a software defined network, and the control plane designs the exit architecture based on the software defined network as follows:

the system is provided with a data layer which contains a plurality of business services;

the control layer is internally provided with a service chain and a controller, is connected with the data layer through a northbound interface and is connected with the control plane through a management interface and an east-west interface;

the infrastructure layer is provided with a behavior management unit, an intrusion detection unit, a firewall, a router, a switch and a Web application firewall WAF, and is connected with the control layer through a southbound interface.

4. The system for implementing penetration test based on data security supervision according to claim 3, wherein the controller uses OpenFlow protocol to communicate with the switch, controls a flow table in the switch, defines and creates a flow path according to actual use requirements, and plans the service chain;

the controller is connected with each device, the security channel of the controller and the OpenFlow table entry through an OpenFlow component, and the OpenFlow component comprises an OpenFlow switch and an OpenFlow controller.

5. The system for implementing penetration test based on data security supervision according to claim 4, wherein the OpenFlow switch is composed of OpenFlow entries on a hardware plane and security channels on a software plane, and includes a plurality of OpenFlow instances, each of which is individually connected to the controller and directs traffic forwarding according to a flow entry issued by the controller.

6. The system for implementing penetration test based on data security supervision according to claim 1, wherein the security event management module further comprises a security log alarm unit configured to perform flow log audit processing, and specifically comprises:

and carrying out log aggregation analysis on the external log abnormal alarm, the unauthorized log safety alarm and the host computer collapse log alarm through a virtual network outlet mirror image flow analysis technology, analyzing abnormal and dangerous behaviors on a user, a machine and a network link by means of user entity behavior analysis UEBA safety equipment, modeling standard behaviors of the user and the entity, constructing a behavior portrait, and finally carrying out technical identification and flow baseline comparison discovery to form effective identification of attack behaviors.

7. The system for implementing penetration test processing based on data security supervision according to claim 1, wherein the security event management module is further provided with a result registration reporting unit, and the result registration reporting unit constructs a penetration result library through threat type description, attack means classification, detailed attack process and privacy de-identification;

and the security event management module performs association matching on the log alarm content gathered by the security log alarm unit and the penetration test result reported by the penetration result library so as to realize security supervision processing.

8. The system for implementing penetration test processing based on data security supervision according to claim 1, wherein the security event management module further comprises attack behavior monitoring according to the following manner:

the key board monitoring technology, the screen watermarking and recording technology and the flow mirror image monitoring are adopted to carry out timestamp synchronization and recording linkage processing so as to provide the whole-process linkage traceability of security events and attack behaviors and realize the security supervision flow under the penetration test field.

9. The system for implementing penetration test based on data security supervision according to claim 8, wherein the keyboard monitoring technology specifically comprises:

the key information of the user is obtained by extracting specific system functions and library functions and utilizing the returned values of the specific system functions and library functions to obtain the state information of the keyboard so as to scan the key condition of the user.

10. The system for implementing penetration test based on data security supervision according to claim 8, wherein the screen watermarking and recording technology specifically comprises:

the method is characterized in that a screen recording acquisition is carried out on a terminal screen based on a DXGI technology, a Desktop Duplication API desktop image is provided through the DXGI, and the processing flow is as follows:

(1) Creating a D3D Device;

(2) Acquiring an IDXGIOutputDuplication interface pointer through an interface acquisition path;

(3) Intercepting current desktop data through AcquireNextFrame API and storing the current desktop data to IDXGIResource;

(4) Mapping the acquired data from the GPU to the memory;

(5) And copying the required data to a local buffer.

11. The system for realizing penetration test processing based on data security supervision as claimed in claim 1, wherein a network resource domain is further provided on the data plane, the network resource domain is connected with the data security assurance module, and the network resource domain specifically performs the following processes:

network egress agents, network traffic management, network policy management, and network routing management.