A distributed attack framework technology based on RPC and virtualization technology

By using a distributed attack framework based on RPC and virtualization technologies, the limitations of existing penetration testing frameworks in terms of diversity and compatibility are overcome, enabling efficient and flexible automated penetration testing, expanding the types of attacks and improving efficiency.

CN116389053B · Active · Publication Date: 2026-06-23 · GUANGZHOU UNIVERSITY

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: GUANGZHOU UNIVERSITY
Filing Date: 2023-02-24
Publication Date: 2026-06-23

AI Technical Summary

Technical Problem

Existing penetration testing frameworks such as Metasploit and Pocsuite3 have limitations in attack diversity and runtime environment compatibility, making it impossible to achieve efficient and flexible automated penetration testing, and difficult to integrate with self-developed attack weapons.

Method used

A distributed attack framework based on RPC and virtualization technology is adopted. The virtualization technology is used to build the runtime environment of the attack weapon, and communication is carried out through the HTTP protocol. The attack atoms are encapsulated and run in the Docker virtual environment. Combined with distributed scheduling and centralized service management, the attack program can be flexibly invoked and efficiently scheduled.

Benefits of technology

It resolves the conflict issues between multiple platform operating environments, expands the types of attacks, improves attack efficiency and framework scalability, reduces maintenance costs, and achieves efficient automated penetration testing.

✦ Generated by Eureka AI based on patent content.

Figure CN116389053B_ABST (abstract drawing)

Abstract

The application relates to the technical field of automatic penetration analysis, and discloses a distributed attack framework technology based on RPC and virtualization technology, which comprises the following steps: S1: using a virtualization technology to construct an operation environment of an attack weapon, assembling a single atomic weapon, using an HTTP protocol to communicate between the atomic weapon and a calling party, transmitting attack parameters and attack loads, realizing RPC calling of the atomic weapon, and based on the architecture, the whole system will be a distributed attack system; and S2: adopting an atomic weapon type, adopting a mode based on attack record utilization, based on a historical hacking behavior, analyzing attack methods and attack tools used according to the behavior, and encapsulating the attack as an attack atomic weapon. Through the virtualization operation environment, the application solves the operation environment conflict problem of multiple different atomic weapons under different operation platforms, and expands the attack types.

Description

Technical Field

[0001] This invention relates to the field of automated penetration analysis technology, specifically a distributed attack framework technology based on RPC and virtualization technology.

Background Technology

[0002] With the widespread integration of network technology into social life, cyberattacks are frequent, resulting in increasing economic losses and social impact. Incidents of using cyberattacks to spread ransomware, steal confidential documents, and conduct denial-of-service attacks are rampant. In 2022, the global cybersecurity landscape remained high-risk. NETSCOUT reported that cybercriminals launched 6,019,888 distributed denial-of-service attacks in the first half of 2022, with the largest attack bandwidth reaching 957.9 Gbps. The China Information Security Evaluation Center's "2022 First Half-Year Cybersecurity Vulnerability Situation Observation" indicated that the number of vulnerabilities grew at a record high rate, the situation regarding the exploitation of vulnerabilities in the wild was severe, the trend of vulnerabilities being used in real-world applications was obvious, and cybersecurity threats continued to escalate. To promptly discover and patch vulnerabilities and weaknesses in target network systems and prevent future attacks, penetration testing techniques have emerged. Penetration testing is an important means of preventing cyberattacks by proactively probing network vulnerabilities. Attack testers develop attack plans, proactively discover and exploit vulnerabilities in networks and applications, assess the potential damage, and then perform security hardening, thereby achieving a proactive defense approach and improving network security. Currently, penetration testing is primarily conducted manually, which is extremely costly, demands highly skilled testers, and cannot be carried out continuously because it must be confined to limited time windows to avoid disrupting normal business operations. To address these issues, automated penetration testing has become a popular option. Automated penetration testing technology combines artificial intelligence and other related technologies to design automated attack frameworks, significantly reducing repetitive manual labor and improving testing efficiency.

[0003] The evolution of intelligent technologies will make automated attack techniques play an increasingly important role in penetration testing. Early automated penetration testing was rule-based. Penetration testing experts would use code to generate rules based on their attack experience for a particular tactic and write them into an attack tool. This would automate a series of actions related to a specific tactic. Common attack tools include Nmap and Nessus. These attack tools dealt with relatively simple scenarios, did not require models to achieve universal attacks, and used attack rules to match the encountered attack problems to determine subsequent attack behaviors, thereby simulating automated hacker attacks.

[0004] The most well-known existing attack framework is Metasploit, a toolkit for developing and executing exploit code against remote hosts. Its other important sub-projects include the Opcode database, a shellcode archive, and security research, which make it popular among security testers and hackers. The framework uses a single vulnerability as its basic unit and allows any exploit code to be combined with any payload: from a limited set of vulnerabilities, users can produce many combinations with different payloads, which gives excellent extensibility and lets users focus on writing the required functionality without dealing with other issues. The problem with Metasploit is that it limits the diversity of attacks; all attack methods are confined to the framework, making it difficult to integrate self-developed attack weapons with it.

[0005] Pocsuite3 is an open-source remote vulnerability testing framework written in Python with a powerful proof-of-concept engine. Compared to Metasploit, Pocsuite3 focuses on exploiting vulnerabilities in individual web services. In penetration testing it is generally used from an attack perspective and lacks scanning capabilities: its functionality is limited, it cannot perform most scanning tasks, and it may run into runtime environment conflicts. Pocsuite3 does offer good extensibility, but test scripts and attack modules must be written against its built-in API.

[0006] Another simple, comprehensive framework is Kaboom, a multi-faceted penetration testing framework that incorporates multiple attack tools such as Nmap, Dirb, and Hydra. Its advantage lies in its ability to integrate existing, high-performing attack tools, maximizing its offensive capabilities and maintaining the sophistication of its attacks. Rule-based attack decisions can be implemented in simple network environments.

Summary of the Invention

[0007] The purpose of this invention is to provide a distributed attack framework technology based on RPC and virtualization technology, which solves the problems mentioned in the background technology.

[0008] To achieve the above objectives, the present invention provides the following technical solution: a distributed attack framework technology based on RPC and virtualization technology, comprising the following steps:

[0009] S1: The operating environment of the attack weapon is constructed using virtualization technology, and a single atomic weapon is assembled. The atomic weapon communicates with the caller using the HTTP protocol to transmit attack parameters and attack payloads, realizing the RPC call of the atomic weapon. Based on this architecture, the entire system will eventually be a distributed attack system.

[0010] S2: It adopts atomic weapon types and uses the method of exploiting attack records. Based on a certain historical hacker attack behavior, it analyzes the attack methods and tools used in that behavior and encapsulates the attack, as an attack weapon, into an attack atom.

[0011] S3: To realize a virtualized atomic weapon, it is required to have an open atomic interface, weapon registration, and weapon status monitoring module. The entire atomic weapon runs in a Docker virtual environment isolated from the physical machine.

[0012] S4: The remote caller design of the attack invocation framework is based on a task invocation queue that calls distributed services for attacks. Distributed scheduling technology is introduced mainly to prevent the attack program from failing due to scheduling chaos during the attack process. Taking an attack against a multi-layer network as an example, when an attack begins, an attack queue needs to be created first. The system converts the attack text into feasible API calls through functions, selects available attack atoms according to the type of target, and puts them into the attack queue. As the attack progresses, the attack framework adds new atomic weapons to the queue and deletes invalid attack behaviors based on attack feedback. This invocation queue is dynamically maintained.

[0013] Preferably, the virtual environment in step S3 needs to have the required runtime environment installed, and a certain interface of Docker needs to be mapped to the physical host for receiving information from the outside.

[0014] Preferably, the specific steps in step S3 are detailed as follows:

[0015] S31: The attack module inside the atomic weapon first needs to build a web service to receive attack parameters. Using the Flask framework, it listens on a port. After receiving the attack parameters sent by the caller, the Flask framework parses the received parameters, performs preliminary parsing and transformation, and assembles them into attack behavior according to the unique calling method of the atomic weapon. It then generates a unique result ID and returns this ID to the caller. The caller requests the call result based on this ID. During the attack, the probe collects log information in real time for subsequent analysis.

[0016] S32: The atomic weapon contains a registration module. After the atomic weapon is packaged, it will register as a service. After registration, there is a service health check function. The central server will send a request every 30 seconds to check the service status and decide on the loading and unloading of services based on the service status. It also has a built-in monitor to collect log information of the attacking atomic weapon in real time.

[0017] Preferably, the registration module in step S32 is used for service registration and management. It uses Consul for centralized service registration and management, and sends a registration request to the centralized management server, which includes information such as the service's IP and port. The caller can obtain the calling interface and parameters based on the central server.

[0018] This invention provides a distributed attack framework technology based on RPC and virtualization technologies. This distributed attack framework technology based on RPC and virtualization technologies has the following beneficial effects:

[0019] 1. This invention solves the problem of conflicting operating environments for multiple different atomic weapons on different operating platforms by using a virtualized operating environment, thereby expanding the types of attacks.

[0020] 2. This invention constructs a unified calling interface to meet the needs of automated penetration testing to transform logical attack behaviors into actual attack behaviors.

[0021] 3. This invention utilizes RPC to implement remote call, which solves the problem of runtime load between attack programs and greatly improves attack efficiency.

[0022] 4. This invention utilizes distributed control technology to enable the flexible addition and uninstallation of attack programs from the system, achieving high scalability of the attack framework and greatly reducing maintenance costs.

[0023] 5. This invention is equipped with an automatic health detection function to promptly reproduce and process errors, thereby improving the program's fault tolerance.

Attached Figure Description

[0024] Figure 1 is a schematic diagram of the framework structure of a distributed attack framework technology based on RPC and virtualization technology according to the present invention;

[0025] Figure 2 is a schematic diagram of the atomic weapon selection structure of a distributed attack framework technology based on RPC and virtualization technology according to the present invention;

[0026] Figure 3 is a schematic diagram of the internal attack structure of an atomic weapon in a distributed attack framework technology based on RPC and virtualization technology according to the present invention;

[0027] Figure 4 is a schematic diagram of the distributed atomic weapon arsenal structure of a distributed attack framework technology based on RPC and virtualization technology according to the present invention;

[0028] Figure 5 is a schematic diagram of the atomic weapon invocation structure of a distributed attack framework technology based on RPC and virtualization technology according to the present invention.

Detailed Implementation

[0029] The technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments.

[0030] Examples of the embodiments are shown in the accompanying drawings, wherein the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions throughout. The embodiments described below with reference to the accompanying drawings are exemplary and intended to explain the invention, and should not be construed as limiting the invention.

[0031] This invention provides a technical solution: a distributed attack framework technology based on RPC and virtualization technology, comprising the following steps:

[0032] S1: Virtualization technology is used to construct the runtime environment for the attack weapon, assembling it into a single atomic weapon. The atomic weapon communicates with the caller using the HTTP protocol to transmit attack parameters and payloads, enabling RPC calls to the atomic weapon. Based on this architecture, the entire system will ultimately be a distributed attack system, as shown in Figure 1;

[0033] S2: Employs atomic weapon types and a method based on exploiting attack records, as shown in Figure 2: based on a certain historical hacker attack, the attack methods and tools used in the attack are analyzed, and the attack is encapsulated, as an attack weapon, into an attack atom.

[0034] S3: Implementing a virtualized atomic weapon requires an open atomic interface, weapon registration, and a weapon status monitoring module. The entire atomic weapon runs in a Docker virtual environment isolated from the physical machine. The virtual environment needs to have the necessary runtime environment installed, and a specific Docker interface needs to be mapped to the physical host for receiving information. The specific steps in this step are detailed as follows:

[0035] S31: The attack module inside an atomic weapon first needs to build a web service to receive attack parameters, as shown in Figure 3. Using the Flask framework, it listens on a port. After receiving the attack parameters sent by the caller, the Flask framework parses the received parameters, performs preliminary parsing and transformation, assembles them into an attack behavior based on the unique calling method of this atomic weapon, and performs the attack. A unique result ID is generated and returned to the caller. The caller requests the call result based on this ID. During the attack, the probe collects log information in real time for subsequent analysis.
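To make the request/result-ID/poll exchange of step S31 concrete, here is an added example that is not the patent's code: the service logic is modelled without Flask so it runs offline (a Flask route would simply wrap `submit()` and `result()`), the parameter schema `PARAM_SCHEMA` is an assumption, and `fake_tool` is a constructed stand-in that only records what it was asked to do, not a real attack module.

```python
"""Added example (not the patent's code): the submit / result-ID / poll pattern of step S31,
modelled without Flask so it runs offline. PARAM_SCHEMA and fake_tool are assumptions."""
import queue
import threading
import uuid
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Optional

# Assumed parameter schema: the keys a caller may send and their expected types.
# The "preliminary parsing and transformation" of S31 is this allowlist check.
PARAM_SCHEMA: Dict[str, type] = {"target": str, "mode": str}


class BadParams(ValueError):
    """Raised when the caller's parameters do not match the schema."""


def parse_params(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Reject unknown keys and wrong types before anything is assembled from them."""
    unknown = set(raw) - set(PARAM_SCHEMA)
    if unknown:
        raise BadParams(f"unknown parameters: {sorted(unknown)}")
    for key, typ in PARAM_SCHEMA.items():
        if key not in raw or not isinstance(raw[key], typ):
            raise BadParams(f"parameter {key!r} missing or not {typ.__name__}")
    return dict(raw)


@dataclass
class Job:
    params: Dict[str, Any]
    status: str = "pending"                       # pending -> running -> done | failed
    output: Optional[str] = None
    log: list = field(default_factory=list)       # the "probe" log collected during the run
    done: threading.Event = field(default_factory=threading.Event)


class AtomService:
    """Accepts parameters, returns a result ID at once, runs the tool in a background thread."""

    def __init__(self, tool: Callable[[Dict[str, Any], list], str]):
        self._tool = tool
        self._jobs: Dict[str, Job] = {}
        self._lock = threading.Lock()
        self._queue: "queue.Queue[str]" = queue.Queue()
        threading.Thread(target=self._worker, daemon=True).start()

    def submit(self, raw_params: Dict[str, Any]) -> str:
        params = parse_params(raw_params)         # raises BadParams on bad input
        result_id = uuid.uuid4().hex              # the unique result ID returned to the caller
        with self._lock:
            self._jobs[result_id] = Job(params)
        self._queue.put(result_id)
        return result_id

    def result(self, result_id: str) -> Optional[Dict[str, Any]]:
        """What the caller's polling request sees; None for an unknown ID."""
        with self._lock:
            job = self._jobs.get(result_id)
        if job is None:
            return None
        return {"status": job.status, "output": job.output, "log": list(job.log)}

    def wait(self, result_id: str, timeout: float = 5.0) -> bool:
        """Block until the job finishes (used here instead of repeated polling)."""
        with self._lock:
            job = self._jobs.get(result_id)
        return job is not None and job.done.wait(timeout)

    def _worker(self) -> None:
        while True:
            result_id = self._queue.get()
            with self._lock:
                job = self._jobs[result_id]
            job.status = "running"
            try:
                job.output = self._tool(job.params, job.log)
                job.status = "done"
            except Exception as exc:              # a tool failure is reported, not swallowed
                job.output = repr(exc)
                job.status = "failed"
            finally:
                job.done.set()


def fake_tool(params: Dict[str, Any], log: list) -> str:
    """Constructed stand-in for the tool inside the container: it only records its inputs."""
    log.append(f"started mode={params['mode']} target={params['target']}")
    log.append("finished")
    return f"ok:{params['mode']}"


if __name__ == "__main__":
    svc = AtomService(fake_tool)
    rid = svc.submit({"target": "lab-host-1", "mode": "dry-run"})
    svc.wait(rid)
    print(rid, svc.result(rid))
```

The allowlist in `parse_params` is the part a practitioner should not skip: the Docker port is mapped onto the physical host (step S3), so the Flask endpoint is reachable by anything that can reach that host, and parameters must be validated before they are assembled into a command line.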

[0036] S32: An internal registration module exists within atomic weapons. This module is used for service registration and management, utilizing Consul for centralized service registration and management. As shown in Figure 4, a registration request is sent to the centrally managed server, including the service's IP address, port, and other information. The caller can obtain the calling interface and parameters from the central server. After the atomic weapon is packaged, it registers the service. After registration, there is a service health check function: the central server sends a request every 30 seconds to check the service status and decides on the loading and unloading of the service based on that status. It also has a built-in monitor to collect log information of the attack atom in real time.
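The registration and 30-second health-check loop of step S32, as an added example that is neither the patent's nor Consul's code: the central server is modelled with an explicit clock so the check rounds are deterministic, the unload policy (`MAX_MISSED_CHECKS`) is an assumption the page does not state, and `consul_registration_payload` builds the body Consul's agent API (`PUT /v1/agent/service/register`) accepts for a service with an HTTP check.

```python
"""Added example (not the patent's code): registration, periodic status checks and
load/unload decisions of step S32. MAX_MISSED_CHECKS and the probe are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

CHECK_INTERVAL_S = 30      # the central server probes each service every 30 seconds
MAX_MISSED_CHECKS = 2      # assumed policy: unload after two consecutive failed checks


@dataclass
class ServiceRecord:
    name: str
    address: str
    port: int
    loaded: bool = True
    missed: int = 0
    last_ok: Optional[float] = None


class CentralRegistry:
    """Minimal model of the central server: registration, periodic probes, load/unload."""

    def __init__(self) -> None:
        self._services: Dict[str, ServiceRecord] = {}

    def register(self, name: str, address: str, port: int) -> ServiceRecord:
        """The registration request: the service announces its IP and port."""
        if not 0 < port < 65536:
            raise ValueError(f"invalid port {port}")
        rec = ServiceRecord(name, address, port)
        self._services[name] = rec
        return rec

    def lookup(self, name: str) -> Optional[ServiceRecord]:
        """What a caller asks the central server for: where to reach a loaded service."""
        rec = self._services.get(name)
        return rec if rec is not None and rec.loaded else None

    def run_check(self, now: float, probe: Callable[[ServiceRecord], bool]) -> List[str]:
        """One health-check round; probe(rec) stands for the HTTP status request.
        Returns the names of services unloaded in this round."""
        unloaded: List[str] = []
        for rec in self._services.values():
            if probe(rec):
                rec.missed, rec.last_ok, rec.loaded = 0, now, True   # healthy: (re)load
            else:
                rec.missed += 1
                if rec.loaded and rec.missed >= MAX_MISSED_CHECKS:
                    rec.loaded = False
                    unloaded.append(rec.name)
        return unloaded

    def next_check_time(self, last: float) -> float:
        return last + CHECK_INTERVAL_S


def consul_registration_payload(rec: ServiceRecord, health_path: str = "/health") -> dict:
    """Body for Consul's agent API (PUT /v1/agent/service/register) asking the agent
    to probe the service's health URL every 30 s and drop it once it stays critical."""
    return {
        "Name": rec.name,
        "ID": f"{rec.name}-{rec.address}-{rec.port}",
        "Address": rec.address,
        "Port": rec.port,
        "Check": {
            "HTTP": f"http://{rec.address}:{rec.port}{health_path}",
            "Interval": f"{CHECK_INTERVAL_S}s",
            "Timeout": "5s",
            "DeregisterCriticalServiceAfter": "2m",
        },
    }


def demo() -> dict:
    """Constructed scenario: two services register; the second never answers the probe."""
    reg = CentralRegistry()
    reg.register("atom-a", "10.0.0.11", 8001)
    reg.register("atom-b", "10.0.0.12", 8002)
    probe = lambda rec: rec.name != "atom-b"
    rounds: Dict[float, List[str]] = {}
    t = 0.0
    for _ in range(3):                            # check rounds at t = 0, 30, 60 seconds
        rounds[t] = reg.run_check(t, probe)
        t = reg.next_check_time(t)
    return {
        "unloaded_by_round": rounds,
        "a_visible": reg.lookup("atom-a") is not None,
        "b_visible": reg.lookup("atom-b") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Note that `lookup` hides an unloaded service from callers rather than deleting its record, so a service that starts answering again is reloaded on the next good round without re-registering.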

[0037] S4: The remote caller design of the attack invocation framework is based on a task invocation queue that calls distributed services to launch the attack. Distributed scheduling technology is introduced primarily to prevent attack program failure due to scheduling chaos during the attack process. As shown in Figure 5, taking an attack on a multi-layer network as an example, when an attack begins, an attack queue needs to be created first. The system converts the attack message into a feasible API call through a function, selects available attack atoms according to the type of target, and puts them into the attack queue. As the attack progresses, the attack framework adds new atomic weapons to the queue and deletes invalid attack behaviors based on attack feedback. The call queue is dynamically maintained.
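The dynamically maintained invocation queue of step S4 (and the mutex-protected queue mentioned in paragraph [0038]), as an added example that is not the patent's code: atoms are selected by target type, feedback removes finished or exhausted tasks, and targets discovered in a deeper network layer are planned into the same queue. The `Atom` and `Task` records, the `max_attempts` policy and the sample arsenal are all assumptions; the atom names are constructed labels, not tools.

```python
"""Added example (not the patent's code): the mutex-protected, feedback-driven task
invocation queue of step S4. Atom/Task shapes and max_attempts are assumptions."""
import threading
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Atom:
    name: str
    target_types: frozenset        # kinds of target this atom applies to
    endpoint: str                  # "ip:port" obtained from the central registry


@dataclass
class Task:
    atom: Atom
    target: str
    target_type: str
    attempts: int = 0


class InvocationQueue:
    """The attack queue: every mutation happens under one mutex."""

    def __init__(self, max_attempts: int = 2) -> None:
        self._lock = threading.Lock()
        self._tasks: List[Task] = []
        self._max_attempts = max_attempts

    def plan(self, target: str, target_type: str, arsenal: Iterable[Atom]) -> int:
        """Select every registered atom that applies to this target type; returns how many were added."""
        with self._lock:
            before = len(self._tasks)
            for atom in arsenal:
                if target_type in atom.target_types and not self._has(atom, target):
                    self._tasks.append(Task(atom, target, target_type))
            return len(self._tasks) - before

    def _has(self, atom: Atom, target: str) -> bool:   # caller holds the lock
        return any(t.atom == atom and t.target == target for t in self._tasks)

    def next_task(self) -> Optional[Task]:
        """Hand out the first task that still has attempts left, counting this attempt."""
        with self._lock:
            for t in self._tasks:
                if t.attempts < self._max_attempts:
                    t.attempts += 1
                    return t
            return None

    def feedback(self, task: Task, ok: bool,
                 discovered: Iterable[Tuple[str, str]] = (),
                 arsenal: Iterable[Atom] = ()) -> Dict[str, int]:
        """Apply the result of one call: drop finished or exhausted (invalid) tasks and
        plan any newly discovered (target, target_type) pairs."""
        removed = 0
        with self._lock:
            if ok or task.attempts >= self._max_attempts:
                self._tasks = [t for t in self._tasks if t is not task]
                removed = 1
        added = 0
        if ok:                                     # lock released: plan() takes it again
            arsenal = list(arsenal)
            for target, ttype in discovered:
                added += self.plan(target, ttype, arsenal)
        return {"removed": removed, "added": added}

    def pending(self) -> List[str]:
        with self._lock:
            return [f"{t.atom.name}->{t.target}" for t in self._tasks]


if __name__ == "__main__":
    # Constructed arsenal and targets, labelled by type only.
    arsenal = [Atom("web-check", frozenset({"web"}), "10.0.0.1:8001"),
               Atom("host-check", frozenset({"host"}), "10.0.0.2:8002")]
    q = InvocationQueue()
    q.plan("t1", "web", arsenal)
    t = q.next_task()
    print(q.feedback(t, True, [("t2", "host")], arsenal), q.pending())
```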

[0038] In summary, this method employs Docker as the virtualization solution for atomic weapons, and includes an internal information monitoring module within Docker to collect log information of tool operation. Based on Consul's centralized management technology, the attack program registers its services with the central server upon startup, and the central server checks the service availability. This method uses RPC service calls, transmits attack parameters via HTTP, and determines the attack tool using port and IP address. It uses polling requests to obtain the attack structure and employs mutex locks to maintain the attack queue.

[0039] Although embodiments of the invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made to the embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.

[0040] The above description is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any equivalent substitutions or modifications made by those skilled in the art within the scope of the technology disclosed in the present invention, based on the technical solution and inventive concept of the present invention, should be covered within the scope of protection of the present invention.

Claims

1. A distributed attack framework method based on RPC and virtualization technology, characterized in that it comprises the following steps:

S1: The operating environment of the attack weapon is constructed using virtualization technology, and a single atomic weapon is assembled. The atomic weapon communicates with the caller using the HTTP protocol to transmit attack parameters and attack payloads, realizing the RPC call of the atomic weapon. Based on this architecture, the entire system will eventually be a distributed attack system.

S2: It adopts atomic weapon types and uses the method of exploiting attack records. Based on a certain historical hacker attack behavior, it analyzes the attack methods and tools used in that behavior and encapsulates the attack, as an attack weapon, into an attack atom.

S3: To realize a virtualized atomic weapon, it is required to have an open atomic interface, weapon registration, and a weapon status monitoring module. The entire atomic weapon runs in a Docker virtual environment isolated from the physical machine.

S4: The remote caller design of the attack invocation framework is based on a task invocation queue that calls distributed services for attacks. Distributed scheduling technology is introduced mainly to prevent the attack program from failing due to scheduling chaos during the attack process. Taking an attack against a multi-layer network as an example, when an attack begins, an attack queue needs to be created first. The system converts the attack text into feasible API calls through functions, selects available attack atoms according to the type of target, and puts them into the attack queue. As the attack progresses, the attack framework adds new atomic weapons to the queue and deletes invalid attack behaviors based on attack feedback. The invocation queue is dynamically maintained.

In step S3, the virtual environment needs to have the required runtime environment installed, and a specific Docker interface needs to be mapped to the physical host for receiving information from the outside. The specific steps in step S3 are detailed as follows:

S31: The attack module inside the atomic weapon first needs to build a web service to receive attack parameters. Using the Flask framework, it listens on a port. After receiving the attack parameters sent by the caller, the Flask framework parses the received parameters, performs preliminary parsing and transformation, and assembles them into attack behavior according to the unique calling method of the atomic weapon. It then generates a unique result ID and returns this ID to the caller. The caller requests the call result based on this ID. During the attack, the probe collects log information in real time for subsequent analysis.

S32: The atomic weapon contains a registration module. After the atomic weapon is packaged, it registers as a service. After registration, there is a service health check function: the central server sends a request every 30 seconds to check the service status and decides on the loading and unloading of services based on that status. It also has a built-in monitor to collect log information of the attacking atomic weapon in real time. The registration module in step S32 is used for service registration and management. It uses Consul for centralized service registration and management, sending a registration request to the centralized management server, which includes information such as the service's IP and port. The caller can obtain the calling interface and parameters from the central server.