Application of Timed Petri Net in Penetration Testing

Abstract

Abstract: As an important part of penetration testing, the penetration test attack model has attracted the common attention of academia and industry. Existing penetration test attack models do not take into account the dynamic parameters in the penetration test attack process, and cannot describe when the vulnerability occurred. Taking the vulnerability as the basic unit, and the time interval of the place in the timed Petri net representing the occurrence interval of the vulnerability, this paper builds a penetration test attack model based on the timed Petri net. First, the vulnerability list is used as input to build a single vulnerability model. Then, the single vulnerability model collection is used to form a complete penetration test attack model through a model integration algorithm. Finally, the algorithm of penetration attack path selection is given, and the effectiveness of the algorithm of penetration attack path selection proposed in this paper is verified by simulation experiments.

Key words: timed Petri net, penetration test, vulnerability model

LI Hai-hao, WU Ya-feng, WANG Xiao-qiang. Application of Timed Petri Net in Penetration Testing[J]. Computer and Modernization, 2020, 0(10): 110-115.

References ［25］

［1］	KENNEDY D, O’GORMAN J, KEAMS D,等. Metasploit渗透测试指南［M］. 诸葛建伟,等译. 北京:电子工业出版社, 2012:1-25.
［2］	ENGEBRETSON P. 渗透测试实践指南:必知必会的工具与方法［M］. 缪纶,等译. 北京:机械工业出版社, 2013:22-35.
［3］	WEISS J D. A system security engineering process［C］// Proceedings of the 14th National Computer Security Conference. 1991:572-581.
［4］	SCHNEIER B. Attack trees: Modeling security threats［J］. Dr. Dobb’s Journal of Software Tools, 1999,24(12):21-29.
［5］	LV W P, LI W M. Space based information system security risk evaluation based on improved attack trees［C］// Proceedings of the 2011 3rd International Conference on Multimedia Information Networking and Security. 2011:480-483.
［6］	罗森林,张蕾,郭亮,等. 一种高效的攻击树串行建模方法［J］. 北京理工大学学报, 2013,33(5):500-504.
［7］	孙卓,刘东,肖安洪,等. 基于攻击树模型的数字化控制系统信息安全分析［J］. 上海交通大学学报, 2019,53(S1):68-73.
［8］	PHILLIPS C A, SWILER L P. A graph-based system for network-vulnerability analysis［C］// Proceedings of the 1998 Workshop on New Security Paradigms. 1998:71-79.
［9］	KOTENKO I, STEPASHKIN M. Attack graph based evaluation of network security［C］// Proceedings of the 10th IFIP TC-6 TC-11 International Conference on Communications and Multimedia Security. 2006:216-227.
［10］	崔颖,章丽娟,吴灏. 基于攻击图的渗透测试方案自动生成方法［J］. 计算机应用, 2010,30(8):2146-2150.
［11］	刘渊,李群,王晓锋. 基于攻击图和改进粒子群算法的网络防御策略［J］. 计算机工程与应用, 2016,52(8):120-124.
［12］	陈锋. 基于多目标攻击图的层次化网络安全风险评估方法研究［D］. 长沙:国防科技大学, 2009.
［13］	赵超,王慧强,林俊宇,等. 面向大规模网络安全加固的攻击图分析方法［J］. 计算机科学与探索, 2018,12(2):263-273.
［14］	曾赛文,文中华,戴良伟,等. 基于不确定攻击图的攻击路径的网络安全分析［J］. 计算机科学, 2017,44(S1):351-355.
［15］	何江湖,潘晓中. 基于漏洞关联攻击代价的攻击图生成算法［J］. 计算机应用研究, 2012,29(5):1907-1909.
［16］	谢冬青,李贵城. 基于最小化攻击图的自动化渗透测试模型［J］. 广州大学学报(自然科学版), 2012,11(3):70-74.
［17］	孙彦臣. 基于低代价攻击图的渗透测试方法研究［D］. 哈尔滨:哈尔滨工程大学, 2019.
［18］	徐丙凤,何高峰. 基于攻击图的信息物理融合系统渗透测试方法［J］. 计算机科学, 2018,45(11):143-148.
［19］	刘龙,陈秀真,李建华. 基于攻击模式的完备攻击图自动生成方法［J］. 计算机工程, 2013,39(10):127-132.
［20］	付亮. 基于概率攻击图模型的渗透测试方法研究［D］. 南昌:东华理工大学, 2019.
［21］	杨涛,郭义喜,张弘. 有色Petri网在渗透测试中的应用［J］. 计算机工程, 2009,35(1):156-158.
［22］	罗森林,张驰,周梦婷,等. 基于时间Petri网的渗透测试攻击模型研究［J］. 北京理工大学学报, 2015,35(1):92-96.
［23］	韩璐璐. 基于缺陷假设和有色Petri 网的网络渗透测试方法［D］. 沈阳:东北大学, 2011.
［24］	杜镇宇,刘方正,李翼宏. 基于Petri网的APT攻击模型生成方法［J］. 计算机应用研究, 2019,36(7):2134-2142.
［25］	栾俊超. 面向渗透测试的漏洞检测与攻击方法［D］. 南京:南京航空航天大学, 2017.

[1]	WEI Xing-shen1, SU Da-wei2, TU Zheng-wei1, LIU Wei1, QI Long-yun1, LYU Xiao-liang1, YANG Bin1. SecDr：A Content Safe Docker Registry [J]. Computer and Modernization, 2018, 0(05): 70-.
[2]	LIU Hai-yan， HUANG Rui， HUANG Xuan. Vulnerability Database Maintenance System Based on Topic Web Crawler [J]. Computer and Modernization, 2014, 0(8): 67-70+80.