A network security defense effectiveness verification system and method

By using lightweight client proxies and a central control platform to simulate attacks without targets and to render malicious samples harmless, combined with closed-loop data verification, the security risks and distortion of verification results in network security verification are resolved, achieving low-cost and highly accurate verification of the effectiveness of network security defenses.

CN122160112APending Publication Date: 2026-06-05CSG EHV POWER TRANSMISSION

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CSG EHV POWER TRANSMISSION
Filing Date
2026-02-28
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing network security verification technologies rely on real vulnerable target machines or malware samples, which poses a risk to business security. Furthermore, traditional traffic replay technology lacks two-way interactive capabilities, resulting in distorted verification results.

Method used

By employing a lightweight client agent and a central control platform, and through targetless attack simulation and malicious sample neutralization, combined with a data closed-loop verification mechanism, the effectiveness of network security defenses is verified.

Benefits of technology

This method enables low-resource-consumption simulation of asset behavior in production networks, avoiding security risks, improving the accuracy and objectivity of verification results, and solving the cost and security risks associated with traditional methods.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160112A_ABST
    Figure CN122160112A_ABST
Patent Text Reader

Abstract

The application relates to the technical field of network security and discloses a network security defense effectiveness verification system and method, which comprises a central control platform and a plurality of light-weight client agents arranged in a network environment to be measured. The central control platform is used for issuing instructions, the light-weight client agent is used for sending simulated attack traffic for an attack source end or receiving traffic based on a deterministic finite state machine for an attack target end and feeding back simulation response data, and the light-weight client agent realizes targetless attack simulation without running a real business process. The central control platform generates inactivated samples retaining communication logic by using a binary patching technology, and compares the five-tuple and receiving state of the network security defense equipment detection log and the light-weight client agent execution log through a data closed-loop verification mechanism to identify blocking failure conditions. The application solves the problem of high risk in actual combat and improves the accuracy of defense effectiveness evaluation.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security technology, specifically to a network security defense effectiveness verification system and method. Background Technology

[0002] As cyberattack methods continue to evolve, various organizations have deployed a variety of network security defense devices in their network environments, such as firewalls, intrusion detection systems, and endpoint detection and response systems. In order to ensure continuous security, network security defense effectiveness verification technology has become a key link in evaluating the configuration strategies and interception capabilities of these network security defense devices. Existing network security defense effectiveness verification technologies rely on manual penetration testing or automated intrusion and attack simulation systems.

[0003] However, manual penetration testing relies on the tester's personal experience, making it difficult to achieve standardized and high-frequency continuous verification. Traditional automated verification systems based on traffic replay technology lack the bidirectional interaction capabilities of the network protocol stack and cannot adjust the packet sending logic according to the target's response, leading to distorted verification results. Furthermore, to build a highly realistic verification environment, existing technologies require deploying operating system target machines containing real vulnerabilities or running real malware samples in the production network. However, this introduces uncontrollable security risks into the tested network environment, easily leading to business system interruptions or sensitive data leaks. Therefore, this invention proposes a network security defense effectiveness verification system and method to address the shortcomings of existing technologies. Summary of the Invention

[0004] To address the shortcomings of existing technologies, this invention provides a network security defense effectiveness verification system and method. It solves the problems of existing network security verification technologies relying on deploying real vulnerability target machines or running destructive malware samples in production network environments, which leads to business security risks, and traditional traffic replay technology being unable to simulate complex attack scenarios due to the lack of bidirectional interactive protocol stack logic, resulting in distorted verification results.

[0005] To achieve the above objectives, the present invention provides the following technical solution: The first aspect of the present invention provides a network security defense effectiveness verification system, including a central control platform and multiple lightweight client proxies deployed in the network environment under test;

[0006] The central control platform establishes a connection with the lightweight client agent, and the central control platform is used to issue instructions and receive status reports.

[0007] The lightweight client agent is used to perform targetless attack simulation operations. It can launch simulated attacks as an attack source or simulate the behavior of attacked assets as an attack target according to the instructions issued by the central control platform.

[0008] The central control platform includes a data closed-loop verification mechanism, which is used to collect network security defense device detection logs and compare the network security defense device detection logs with the execution logs of the lightweight client agent to generate a defense effectiveness assessment result.

[0009] The targetless attack simulation module is used to generate simulated attack traffic data based on preset rules and send execution instructions to the lightweight client agent.

[0010] A second aspect of the present invention provides a method for verifying the effectiveness of network security defenses, applied to a network security defense effectiveness verification system as described in the first aspect of the present invention, comprising the following steps:

[0011] Based on the attack chain rule base, the central control platform generates attack execution instructions for the lightweight client agent at the attack source end and defense response instructions for the lightweight client agent at the attack target end.

[0012] The central control platform instructs the lightweight client agent at the target end to enter a listening state based on a deterministic finite state machine, and then instructs the lightweight client agent configured as the attack source end to send simulated attack traffic.

[0013] The lightweight client proxy at the target end parses the received traffic characteristics and completes the targetless attack simulation based on the simulation response data fed back by the deterministic finite state machine.

[0014] The central control platform compares the network security defense device detection logs with the lightweight client agent execution logs, and generates a defense effectiveness assessment result based on the log timestamp, five-tuple information, and data packet reception status.

[0015] This invention provides a network security defense effectiveness verification system and method. It has the following beneficial effects:

[0016] 1. This invention deploys a lightweight client agent based on a deterministic finite state machine. The lightweight client agent parses traffic characteristics and feeds back simulation response data, realizing low-resource-consumption asset behavior simulation in a production network environment. This avoids the cost burden of deploying resource-intensive virtual machine testbeds required by traditional verification methods and eliminates the security risks caused by running real vulnerability environments in business networks.

[0017] 2. This invention utilizes a malicious sample harmless processing module to perform binary patching technology on real malware samples, replacing destructive interface call instructions with no-operation instructions, while completely preserving the network communication code logic of the real malware sample, and generating highly realistic network traffic containing the characteristics of real malware. This solves the technical problem that traditional traffic replay technology is unable to reproduce complex malware communication behavior due to the lack of dynamic interactive logic.

[0018] 3. This invention applies a data closed-loop verification mechanism to perform bidirectional verification and judgment of execution logs. The data closed-loop verification mechanism compares the collected network security defense device detection logs with the execution logs of the lightweight client agent using a five-tuple and data packet reception status. This can identify situations where the network security defense device's action shows as blocking, but the lightweight client agent at the attack target end actually receives the attack payload, thus improving the accuracy and objectivity of the network security defense system effectiveness evaluation results. Attached Figure Description

[0019] Figure 1 This is a schematic diagram of the overall system architecture of the present invention;

[0020] Figure 2 This is a schematic diagram of the overall method flow of the present invention. Detailed Implementation

[0021] The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0022] Please see Figure 1 This invention provides a network security defense effectiveness verification system and method, including a central control platform and multiple lightweight client agents deployed in the network environment under test. The system is used for centralized management and control of a threat-oriented, persistent network security defense effectiveness verification system. The central control platform establishes a network connection with the multiple lightweight client agents deployed in the network environment under test, and is used to issue instructions and receive status reports. The lightweight client agents are configured to perform targetless attack simulation operations in the network environment under test. Based on the received instructions, the lightweight client agents can generate and send simulated attack traffic as an attack source, and can also receive simulated attack traffic as an attack target and respond according to preset logic.

[0023] Targetless attack simulation refers to the process of reproducing attack and response behaviors at the network layer using protocol stack simulation technology without deploying real business servers or virtual machine testbeds. Specifically, when acting as the attack source, the lightweight client agent directly constructs network packets containing customized protocol headers by calling the original network interface, or generates traffic by running deactivated samples that retain communication logic in a controlled environment. When acting as the attack target, the lightweight client agent intercepts network packets and does not forward them to the operating system kernel. Instead, it drives the transition of a deterministic finite state machine by parsing payload characteristics. If the state transition conditions are met, it constructs and sends a simulated response message containing simulated application data, thereby completing bidirectional interactive verification.

[0024] The central control platform comprises several core functional modules that work collaboratively: a targetless attack simulation module manages agents and generates simulated attack traffic and application-layer interaction data based on preset rules; a malicious sample deactivation module receives real malware samples, strips away their destructive code logic, and retains network communication and file operation characteristics to generate inactivated samples; an asset behavior simulation module constructs target asset behavior models based on state machines or behavioral characteristics, providing response logic for target agents; an attack evasion technology module injects evasion features such as code obfuscation, protocol tunneling encapsulation, or HTTP header modification during traffic generation; and an attack chain orchestration and simulation module stores rule data aligned with the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Sense) framework and is configured to orchestrate logically related multi-stage attack paths. Furthermore, the platform includes a data closed-loop verification mechanism, configured to collect logs and alarm information from the security operations platform via data interfaces, compare them with attack simulation data, and generate defense effectiveness assessment results.

[0025] See attached document Figure 2 The asset behavior simulation mechanism based on finite state machines is implemented through the collaborative work of the asset behavior simulation module and the lightweight client agent. The asset behavior simulation module is configured to build and maintain the asset behavior model library. The asset behavior model library stores various types of network asset behavior description files, which are constructed based on deterministic finite state machine theory.

[0026] The asset behavior simulation module sends predefined asset behavior model data to the lightweight client agent designated as the attack target. The lightweight client agent is configured with a protocol stack simulation engine and an application layer interaction simulation engine. The protocol stack simulation engine is used to simulate the network layer behavior of the Transmission Control Protocol / Internet Protocol stack, and the application layer interaction simulation engine is used to simulate the application layer service behavior of Hypertext Transfer Protocol, File Transfer Protocol or Server Message Block Protocol.

[0027] When the lightweight client agent receives a network packet from the attack source, it does not forward the network packet to the real operating system kernel or the real application service process. Instead, it first parses the header information and payload content of the network packet and uses the parsed feature data as input events to input the currently loaded asset behavior finite state machine.

[0028] The lightweight client agent queries the state transition table based on the current state node and the input event. If the input event meets the preset state transition conditions, the lightweight client agent executes the corresponding output response action and updates the current state to the next state node. The output response action includes constructing and sending a response data packet, disconnecting the network connection, or recording an internal log.

[0029] In the application layer vulnerability exploitation simulation scenario, the lightweight client agent simulates the behavior of a specific version of the web server. When the lightweight client agent is in the service running state and receives a Hypertext Transfer Protocol request containing Structured Query Language injection feature code, the lightweight client agent does not perform a real database query operation. Instead, the lightweight client agent constructs a Hypertext Transfer Protocol response message containing specific database error information according to the preset rules in the asset behavior model and sends it back to the attack source.

[0030] In a remote command execution vulnerability simulation scenario, when the lightweight client agent receives a simulated remote code execution attack payload, it identifies the attack payload type through pattern matching. Based on the asset behavior model, the lightweight client agent constructs response data and encapsulates the response data in a network data packet before sending it. This deceives the security detection devices at the attack source and path at the network traffic level, causing them to determine that the attack has been successfully executed.

[0031] See attached document Figure 2 The malicious sample deactivation module is configured to perform static analysis and code refactoring operations on real malware samples to generate inactivated samples. The malicious sample deactivation module first loads the real malware sample to be processed. The file format of the real malware sample includes portable executable file format of Windows operating system, executable and linkable format of Linux operating system or script language file. The malicious sample deactivation module uses disassembler engine to disassemble the real malware sample, convert binary machine code into assembly instruction sequence and build control flow graph.

[0032] The malicious sample harmless processing module scans the import address table and string constants of real malware samples, and based on a pre-built dangerous behavior feature rule base, identifies the key application programming interface functions called in the real malware samples. The key application programming interface functions are classified into destructive interfaces and communication interfaces. Destructive interfaces include functions used to perform file encryption operations, file deletion operations, disk sector write operations, and process injection operations. Communication interfaces include functions used to establish transmission control protocol connections, send hypertext transfer protocol requests, and resolve domain name system responses.

[0033] The malicious sample deactivation module locates the offset address of the code segment calling destructive interfaces in the real malware sample. This module uses binary patching technology to modify the instructions for calling destructive interfaces. Simultaneously, it fully preserves the network communication and environment detection code logic from the real malware sample. Preserving the network communication code logic allows the deactivated sample to initiate connections to a specified simulated command and control server during runtime, generating network traffic containing specific user agent strings, Uniform Resource Locator (URL) path characteristics, and private encryption protocol payloads. Preserving the environment detection code logic allows the deactivated sample to perform process list enumeration, registry reading, or file directory traversal operations, triggering behavior-based detection rules in the endpoint detection and response system.

[0034] For real malware samples of the ransomware type, the malicious sample harmless processing module implements specific behavior replacement strategies. The module identifies the file read and write loop logic within the ransomware sample and replaces the instructions for writing encrypted data with harmless data read instructions or temporary log file write instructions.

[0035] The processed inactivated samples are imported into an isolated sandbox environment for pre-run testing. The malicious sample deactivation module monitors the running status of the inactivated samples, verifies whether the inactivated samples have successfully established a network connection and have not damaged the sandbox environment. The verified inactivated samples are stored in the simulation sample library for the lightweight client agent to download and execute in subsequent attack simulation tasks.

[0036] See attached document Figure 2The attack chain orchestration and simulation module works in conjunction with the attack evasion technology module to logically construct and process traffic distortion for complex attack scenarios within a central control platform. The attack chain orchestration and simulation module connects to an attack chain rule base, which stores data covering tactical stages and technical means throughout the entire attack lifecycle within a framework of adversarial tactics, techniques, and common sense. The attack chain orchestration and simulation module utilizes a task scheduling engine based on a directed acyclic graph (DAG) to construct attack paths according to the dependencies between atomic attack tasks. During the traffic generation phase, the attack evasion technology module performs feature transformations on the payload based on preset strategies: in terms of traffic encoding obfuscation, it performs Base64, URL encoding, hexadecimal encoding, XOR encryption, or random garbage byte padding operations on the application layer payload to change the original binary sequence characteristics and evade signature detection; in terms of network protocol tunnel encapsulation, the module is configured to encapsulate leaked data traffic or control commands within the data segments of DNS queries (subdomain encoding) or ICMP echo requests, bypassing firewall policies.

[0037] Regarding network protocol tunneling encapsulation, the attack evasion module is configured to encapsulate application-layer control commands or leaked data traffic within non-standard protocol data fields. The module generates Domain Name System (DNS) tunnel traffic, segmenting and encoding the binary data to be transmitted into a series of subdomain strings, and transmitting data by constructing resolution requests for these subdomains. It also generates Internet Control Message Protocol (ICP) tunnel traffic, filling the data payload into the data segments of echo request messages to bypass firewall policies that only inspect Transmission Control Protocol (TCP / User Datagram Protocol) ports.

[0038] Regarding network layer fragmentation and reassembly, the attack evasion module instructs the lightweight client agent to perform Transmission Control Protocol (TCP) fragmentation or Internet Protocol (IP) fragmentation when sending attack packets. The lightweight client agent breaks down a complete malicious application layer request into multiple tiny TCP segments, each containing only one or a few bytes of payload, and sends these segments out of order.

[0039] See attached document Figure 2The verification task definition and instruction issuance process is initiated by the central control platform, which interacts with lightweight client agents distributed across the network via an encrypted communication channel. The verification task definition process begins when the central control platform receives a configuration request from the operator, providing a visual human-computer interaction interface. The operator specifies the source and target lightweight client agents participating in the verification task through this interface. The source lightweight client agent is configured as the simulated attack initiator, and the target lightweight client agent is configured as the simulated victim asset holder. The operator selects the attack chain template to be executed through the interface, or manually selects atomic attack nodes from the attack chain rule base for combination. The operator can also set the task execution time window, the number of concurrent threads, and whether to enable the attack evasion technology module.

[0040] After receiving the configuration request, the central control platform instantiates the verification task through the attack chain orchestration and simulation module. The attack chain orchestration and simulation module decomposes the high-level attack chain description into a series of ordered atomic execution steps. For each atomic execution step, the attack chain orchestration and simulation module generates attack execution instructions for the source lightweight client agent and defense response instructions for the target lightweight client agent.

[0041] The attack execution instructions targeting the source-side lightweight client agent include: the target network's Internet Protocol address, the target port number, the transport layer protocol type, the identifier of the inactivation sample data to be sent or the network traffic payload data, and the attack evasion strategy parameters. The defense response instructions targeting the target-side lightweight client agent include: the asset behavior model type identifier to be loaded, the listening port number, the expected input traffic feature matching rules, and the output response action data upon successful matching.

[0042] The central control platform establishes a communication connection with the lightweight client agent through a secure encrypted channel at the Secure Sockets Layer or Transport Layer. In order to penetrate firewalls and network address translation devices in the network environment under test, the communication connection adopts a mechanism in which the lightweight client agent actively initiates a long polling or heartbeat request for Hypertext Transfer Protocol to the central control platform.

[0043] During the command issuance phase, the central control platform first performs clock synchronization calibration on all connected lightweight client agents. The central control platform calculates and records the clock offset of each lightweight client agent relative to standard time, or issues a Network Time Protocol (NTP) synchronization command to eliminate system time errors in a distributed environment. Based on this, the central control platform executes strict timing synchronization control logic to ensure the effectiveness of the attack simulation. The central control platform first encapsulates the defense response command in a heartbeat response message and sends it to the target lightweight client agent, which receives and parses the defense response command.

[0044] Only after receiving a readiness confirmation message from the target lightweight client agent will the central control platform send the attack execution command to the source lightweight client agent. After receiving the attack execution command, the source lightweight client agent will download an inactivation sample from the simulation sample library or construct an attack traffic packet locally according to the command content, and initiate a network connection to the target lightweight client agent at a specified time.

[0045] See attached document Figure 2 The end-to-end collaborative attack simulation is completed collaboratively by a lightweight client agent designated as the attack source and a lightweight client agent designated as the attack target.

[0046] The lightweight client agent at the attack source initiates the attack simulation process. In an attack scenario based on network traffic replay, the lightweight client agent at the attack source invokes the operating system's raw socket interface. Based on the packet capture file or traffic characteristic description contained in the attack execution instructions, the lightweight client agent at the attack source constructs network packets byte by byte. The lightweight client agent at the attack source modifies the Internet Protocol (IP) header and Transmission Control Protocol / User Datagram Protocol (TDP) header of the network packets, setting the source IIP address to its own address and the destination IIP address to the address of the target lightweight client agent. The lightweight client agent at the attack source then sends the constructed network packets to the physical network interface card according to a preset packet sending rate and time interval.

[0047] In attack scenarios based on inactivated samples, the lightweight client agent at the attack source loads the inactivated sample in an independent sandbox process or restricted thread. The inactivated sample runs and attempts to initiate a network connection request to the lightweight client agent at the attack target. Since the inactivated sample retains the original network communication logic, it generates application layer request data that conforms to the characteristics of real malware.

[0048] Simulated attack traffic passes through switches, routers, and various network security defense devices in the network environment under test. These network security defense devices include firewalls, intrusion prevention systems, and full traffic analysis systems. If the network security defense devices identify the characteristics in the simulated attack traffic and implement blocking policies, the simulated attack traffic will be discarded or reset, preventing it from reaching the target lightweight client proxy.

[0049] The target lightweight client agent runs in passive listening mode or port emulation mode. In port emulation mode, the target lightweight client agent binds to a specific Transmission Control Protocol (TCP) port or User Datagram Protocol (UDP) port according to the defense response instructions.

[0050] When the simulated attack traffic successfully penetrates the network security defense device and reaches the target lightweight client agent, the target lightweight client agent receives network data packets. The target lightweight client agent performs deep packet inspection on the payload content of the network data packets. The target lightweight client agent matches the extracted payload features with the trigger conditions in the locally loaded asset behavior model. If the match is successful, the target lightweight client agent triggers a state machine transition and generates the corresponding simulation response data.

[0051] The attack source's lightweight client agent receives simulated response data from the target's lightweight client agent. The attack source's lightweight client agent records the received timestamp and size of the response data. This interaction logically constitutes a complete attack session.

[0052] See attached document Figure 2 The data closed-loop collection and effectiveness quantification analysis process is executed by the data closed-loop verification mechanism in the central control platform. This mechanism aims to correlate and analyze security detection data from the network side with attack execution data from the endpoint side to generate objective defense effectiveness assessment results. The data closed-loop verification mechanism is equipped with a log collection adapter. This adapter connects to an external security operations platform via a data interface. The data interface supports a representational state transfer application programming interface, a system log forwarding protocol, or a direct database read protocol. The data closed-loop verification mechanism retrieves raw security logs generated within the verification task execution time window from the security operations platform according to a preset polling cycle. These raw security logs include firewall logs, intrusion detection system logs, web application firewall logs, and endpoint response system logs.

[0053] The data closed-loop verification mechanism utilizes a built-in field mapping rule base to parse raw security logs from different vendors into intermediate format data containing standard 5-tuples, timestamps, and unified action status. Based on this, the mechanism performs bidirectional verification: first, using the attack source's sending timestamp as a benchmark, it matches security logs with consistent 5-tuples within an allowable time deviation range; then, it compares the action status with the target's receiving status. If the security log shows a block, but the attack target's proxy's execution log clearly records that a valid attack payload was still fully received and the preset response logic was triggered, then the current attack step is determined to be either a block failure or a successful strategy evasion, and it is marked as a defense penetration.

[0054] The data closed-loop verification mechanism calculates defense effectiveness indicators based on the judgment results. It calculates the percentage of successfully intercepted atomic attack steps in the attack chain out of the total number of attack steps, generating a blocking rate indicator. It also calculates the number of detected but not blocked attack steps, generating an alarm coverage indicator.

[0055] In addition, the data closed-loop verification mechanism analyzes the breakpoints of the attack chain according to the temporal logic of the attack chain, identifies the first atomic attack step that is successfully intercepted, and marks the kill chain blockage point of the defense system in the current attack scenario. If all steps in the attack chain are not intercepted, the data closed-loop verification mechanism determines that the current defense system has a complete defense penetration risk when facing this specific attack scenario, and generates a high-priority rectification suggestion report. The rectification suggestion report includes the identifiers of the undetected attack techniques and the recommended defense rule numbers.

Claims

1. A network security defense effectiveness verification system, characterized in that, This includes a central control platform and multiple lightweight client agents deployed in the network environment under test. The central control platform establishes a connection with the lightweight client agent, and the central control platform is used to issue instructions and receive status reports. The lightweight client agent is used to perform targetless attack simulation operations. It can launch simulated attacks as an attack source or simulate the behavior of attacked assets as an attack target according to the instructions issued by the central control platform. The central control platform includes a data closed-loop verification mechanism, which is used to collect network security defense device detection logs and compare the network security defense device detection logs with the execution logs of the lightweight client agent to generate a defense effectiveness assessment result. The targetless attack simulation module is used to generate simulated attack traffic data based on preset rules and send execution instructions to the lightweight client agent.

2. The network security defense effectiveness verification system according to claim 1, characterized in that, The central control platform also includes a malicious sample deactivation module, which is used to receive real malware samples and generate inactivated samples. The malicious sample de-inactivation module is also used to identify destructive interface call instructions in the real malware sample, use binary patching technology to replace the destructive interface call instructions with no-operation instructions or modify jump instructions to skip destructive logic blocks, and retain the network communication code logic of the real malware sample so that the deactivated sample can generate network traffic when it runs.

3. The network security defense effectiveness verification system according to claim 1, characterized in that, The central control platform also includes an asset behavior simulation module, which is used to construct a target asset behavior model based on a deterministic finite state machine and distribute it to the lightweight client agent configured as the attack target. The lightweight client proxy configured as the target of the attack is used to: parse the characteristics of received network packets as input events without forwarding packets to the real operating system kernel; If the input event satisfies the preset state transition conditions of the deterministic finite state machine, then simulation response data containing a simulated command-line interface prompt or execution result is constructed and sent.

4. The network security defense effectiveness verification system according to claim 1, characterized in that, The central control platform also includes an attack chain orchestration and simulation module, which is equipped with a task scheduling engine based on a directed acyclic graph. The task scheduling engine is used to combine multiple atomic attack behaviors into a multi-stage attack path with dependencies, and issues instructions to subsequent nodes only after the atomic attack behavior of the preceding node is marked as successful.

5. The network security defense effectiveness verification system according to claim 1, characterized in that, The central control platform is configured to execute timing synchronization control logic, which includes: First, a defense response command is sent to the lightweight client agent configured as the attack target, and the lightweight client agent is instructed to enter a listening state. Upon receiving a readiness confirmation message from the lightweight client agent configured as the attack target, the attack execution command is sent to the lightweight client agent configured as the attack source.

6. The network security defense effectiveness verification system according to claim 1, characterized in that, The central control platform also includes an attack evasion technology module, which is used to inject attack evasion features when generating simulated attack traffic; The attack evasion features include: encoding and obfuscating the payload data, generating network protocol tunneling encapsulated traffic, or instructing the lightweight client agent to perform Transmission Control Protocol segmentation operations.

7. The network security defense effectiveness verification system according to claim 1, characterized in that, The data closed-loop verification mechanism is configured to parse the collected raw security logs into intermediate format data containing five-tuple information in a unified format and the status of the action. The action identifier is a predefined finite set of states, including: release, alarm, block or reset.

8. The network security defense effectiveness verification system according to claim 7, characterized in that, The data closed-loop verification mechanism is configured to perform two-way verification judgment: Based on the matching of timestamps and 5-tuple information between the network security defense device detection log and the lightweight client agent execution log; If the action status is displayed as blocked, but the execution log of the lightweight client agent on the attacked target end records that the attack payload was fully received and the response logic was triggered, then the current attack step is determined to be a blocked failure.

9. A network security defense effectiveness verification system according to claim 2, characterized in that, The lightweight client proxy, which is configured as the attack source, generates simulated attack traffic in the following manner: Construct network data packets containing custom protocol headers based on the original network interface; Alternatively, the inactivated sample issued by the central control platform can be loaded and run in a controlled environment.

10. A method for verifying the effectiveness of network security defenses, characterized in that, The system applied to the network security defense effectiveness verification system as described in any one of claims 1-9 includes the following steps: S1. The central control platform generates attack execution instructions for the lightweight client agent at the attack source end and defense response instructions for the lightweight client agent at the attack target end, based on the attack chain rule base. S2. The central control platform instructs the lightweight client agent at the target end to enter a listening state based on a deterministic finite state machine, and then instructs the lightweight client agent configured as the source end to send simulated attack traffic. S3. The lightweight client proxy at the target end parses the received traffic characteristics and completes the targetless attack simulation based on the simulation response data fed back by the deterministic finite state machine. S4. The central control platform compares the network security defense device detection log with the lightweight client agent execution log, and generates a defense effectiveness assessment result based on the log timestamp, five-tuple information and data packet reception status.