A network security defense decision deduction teaching method based on attack chain simulation
By employing a teaching method based on attack chain simulation for network security defense decision-making, this approach utilizes a hardware-in-the-loop (HIL) system to simulate attack chains in stages. Combined with decision-making interaction and evaluation modules, it addresses the disconnect between practical application and theory in traditional network security education, thereby enhancing students' defense decision-making capabilities.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- YANGZHOU POLYTECHNIC INST
- Filing Date
- 2025-12-18
- Publication Date
- 2026-07-03
AI Technical Summary
Traditional cybersecurity education lacks a highly realistic, practical training environment, making it difficult to effectively transform theoretical knowledge into practical defense decision-making capabilities. Furthermore, the absence of a dedicated student decision-making interaction and feedback module leads to difficulties in evaluating students' defense operations, resulting in a disconnect between practical training and theory.
This teaching method employs attack chain simulation-based network security defense decision-making simulation. It simulates the attack chain in stages through a semi-physical simulation system, and combines decision interaction and teaching evaluation modules to provide real-time feedback and targeted guidance, thereby improving students' defense decision-making capabilities.
It achieves a close integration of teaching and practice, enhances students' defensive decision-making ability and practical skills, and meets the needs of teaching assessment and ability enhancement through phased simulation and quantitative evaluation.
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security defense technology, specifically to a teaching method for network security defense decision deduction based on attack chain simulation. Background Technology
[0002] As cybersecurity threats become increasingly complex, the demand for cybersecurity professionals from enterprises and related organizations continues to grow, highlighting the growing importance of cybersecurity education. Traditional cybersecurity education primarily focuses on theoretical explanations and case studies, lacking highly realistic, hands-on training environments for students. This makes it difficult to effectively translate theoretical knowledge such as firewall configuration, vulnerability patching, and attack identification into defensive decision-making capabilities to address real-world attack scenarios, resulting in graduates who often struggle to quickly adapt to actual work requirements.
[0003] Existing cybersecurity simulation technologies are primarily geared towards enterprise security testing. While some employ hardware-in-the-loop (HIL) simulations to improve accuracy, these technologies lack specific adaptation for teaching scenarios and fail to meet the core demands of cybersecurity education. They exhibit the following significant shortcomings: First, they lack a phased attack chain guidance mechanism. Simulations are often conducted in a single, all-in-one manner, failing to align with the gradual and progressive nature of teaching activities and hindering students' understanding of the key defense points at each stage of the attack chain. Second, they lack dedicated student decision-making interaction and targeted feedback modules, focusing solely on outputting simulation results. This prevents real-time evaluation of students' defensive actions and offers limited, precise guidance to reinforce knowledge points, thus failing to meet the core needs of teaching assessment and skills enhancement. Third, the simulation process has extremely low relevance to teaching objectives and cybersecurity knowledge points. Simulation scenarios and training sessions are not designed around key teaching points, resulting in a severe disconnect between practical training and theoretical instruction. Summary of the Invention
[0004] The purpose of this invention is to provide a teaching method for network security defense decision-making simulation based on attack chain simulation, so as to solve the above-mentioned problems existing in the prior art.
[0005] To achieve the above objectives, the present invention provides the following technical solution:
[0006] A teaching method for network security defense decision-making simulation based on attack chain simulation includes:
[0007] Based on the teaching objectives and network security protection knowledge points, the attack chain to be simulated and the corresponding teaching network to be simulated are determined. The attack chain to be simulated includes at least three consecutive stages: reconnaissance, weaponization, delivery, utilization, installation, command and control, and goal achievement.
[0008] The network components are linked to the network to be simulated and connected to the hardware-in-the-loop simulation teaching system, which includes an attack chain stage simulation module, a decision interaction module, a teaching evaluation module, and an attack and defense strategy teaching library.
[0009] The attributes of the nodes, communication links, and networks corresponding to the teaching network to be simulated in the hardware-in-the-loop simulation teaching system are set, and decision nodes are set in combination with the characteristics of each stage of the attack chain to be simulated, so as to obtain the network simulation teaching topology containing decision nodes.
[0010] On the network simulation teaching topology, network attack events are simulated in stages through the attack chain stage simulation module, and students are guided to make defense decisions for each stage of the attack event through the decision interaction module.
[0011] The teaching evaluation module evaluates the effectiveness of students' defense decisions based on the defense quantification teaching system, and generates evaluation feedback results including decision accuracy, response timeliness, and defense vulnerabilities.
[0012] If the assessment feedback does not meet the preset teaching standards, targeted guidance will be provided based on the attack and defense strategy teaching library, and the corresponding attack chain stage will be re-deduced and taught until the student's assessment feedback meets the standards.
[0013] In one embodiment, the access to the hardware-in-the-loop simulation teaching system includes:
[0014] Simulate the physical attributes and operating status of at least one network element using a virtual machine;
[0015] At least one physical teaching device is connected, the physical teaching device including an attack and defense training terminal, a decision input device and a real-time feedback display, for students to practice defense configuration and decision input;
[0016] The attack chain stage simulation module pre-stores attack chain stage process libraries corresponding to different attack types and supports custom attack chain stage parameters.
[0017] In one embodiment, setting decision nodes based on the characteristics of each stage of the attack chain to be simulated includes:
[0018] During the reconnaissance phase, decision-making nodes are set up for attack source identification and reconnaissance behavior interception;
[0019] During the delivery phase, decision-making nodes for malicious code detection and transmission link protection are set up;
[0020] During the exploitation phase, decision-making nodes for vulnerability patching and access control are set up;
[0021] During the command and control phase, decision nodes for communication blocking and attack source tracing are set up;
[0022] During the goal achievement phase, decision-making nodes for data protection and system recovery are set.
[0023] Each decision node is associated with at least two optional defense strategies for trainees to choose from and execute.
[0024] In one embodiment, the step of simulating network attack events in stages using the attack chain stage simulation module includes:
[0025] Based on a preset attack type, the corresponding attack chain template is called from the attack chain stage process library. The attack type includes at least one of ransomware attack, DDoS attack, and SQL injection attack.
[0026] The attack simulation proceeds in stages, following the sequence of reconnaissance → weaponization → delivery → utilization → installation → command and control → target achievement. After each stage of the simulation is completed, it is paused to allow trainees to input defense decisions through the decision interaction module.
[0027] The attack intensity and method for the next stage will be dynamically adjusted based on the student's decision. If the student's decision is effective, the attack effect of the corresponding stage will be weakened; if the decision is ineffective, the attack will be intensified.
[0028] In one embodiment, the defense quantification teaching system includes:
[0029] The quantitative indicator set includes decision response time, strategy selection accuracy, defense effectiveness achievement rate, and number of vulnerabilities missed.
[0030] The weighting rules for indicators are as follows: weights are assigned to each quantitative indicator based on the teaching focus, with the defense effectiveness achievement rate having a weight of no less than 30%.
[0031] The evaluation grading standards include three levels: excellent, qualified, and unqualified, with each level corresponding to a comprehensive score range of quantitative indicators.
[0032] The feedback generation rules generate feedback reports based on the trainees' performance at each decision-making node, including error decision analysis, optimal strategy recommendations, and knowledge point correlation analysis.
[0033] In one embodiment, the method further includes a group adversarial teaching mode, the process of which is as follows:
[0034] Trainees are divided into an attack group and a defense group. The attack group customizes attack parameters through the attack chain stage simulation module, while the defense group executes defense decisions. The teaching evaluation module evaluates the performance of the two groups respectively.
[0035] The attack and defense strategy teaching library is updated in real time with the latest defense technologies and strategy cases corresponding to each stage of the attack chain, which students can consult and learn during breaks in the simulation.
[0036] In one embodiment, the re-training of the corresponding attack chain stage includes:
[0037] Identify the attack chain stages and corresponding decision nodes where trainees have not met the standards;
[0038] The knowledge points and typical cases for this stage are retrieved from the attack and defense strategy teaching library and displayed through the display terminal of the semi-physical simulation teaching system.
[0039] The instructors provide targeted explanations through the teaching management module, followed by a re-simulation of the attack scenario for this phase, allowing trainees to execute defensive decisions again until the phase assessment is passed.
[0040] Compared with existing technologies, the beneficial effects of this invention are: this invention constructs a practical environment that fits teaching by simulating the attack chain in stages, combines a semi-physical simulation system to ensure the authenticity of training, and achieves targeted teaching through decision node setting and quantitative evaluation system, effectively solving the problem of the disconnect between traditional network security teaching theory and practice, and improving students' defense decision-making capabilities. Detailed Implementation
[0041] The technical solutions in the embodiments of the present invention will be clearly and completely described below. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0042] In the description of this invention, it should be noted that the terms "upper," "lower," "inner," "outer," "front end," "rear end," "both ends," "one end," and "the other end," etc., indicate the orientation or positional relationship based on the orientation or positional relationship shown in the device, and are only for the convenience of describing this invention and simplifying the description, and do not indicate or imply that the device or element referred to must have a specific orientation, or be constructed and operated in a specific orientation, and therefore should not be construed as a limitation of this invention. Furthermore, the terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance.
[0043] In the description of this invention, it should be noted that, unless otherwise explicitly specified and limited, the terms "installed," "equipped with," "connected," etc., should be interpreted broadly. For example, "connection" can be a fixed connection, a detachable connection, or an integral connection; it can be a mechanical connection or an electrical connection; it can be a direct connection or an indirect connection through an intermediate medium; it can be a connection within two components. Those skilled in the art can understand the specific meaning of the above terms in this invention based on the specific circumstances.
[0044] Example 1
[0045] The network security defense decision-making simulation teaching method disclosed in this embodiment includes the following steps:
[0046] S101. Based on the teaching objectives and network security protection knowledge points, determine the attack chain to be simulated and the corresponding teaching network to be simulated.
[0047] The teaching objectives may include the application of basic defense strategies, identification of attack chain stages, and emergency response and handling. Network security protection knowledge points may cover firewall configuration, vulnerability patching, and attack source tracing. The attack chain to be simulated should be selected according to the teaching focus. For example, for the knowledge point of malicious code defense, the attack chain segment of weaponization → delivery → exploitation → installation should be selected; for the teaching objective of complete defense process, the full attack chain should be selected.
[0048] The simulated teaching network needs to be adapted to the real business network environment and simplify non-core components to reduce the difficulty of teaching. It includes core network components such as hosts, servers, routers, firewalls, and vulnerability simulation devices. The combination of these network components simulates typical network architectures, such as enterprise intranets and campus networks.
[0049] S102 connects network components based on the network to be simulated for teaching and integrates with a hardware-in-the-loop (HIL) simulation teaching system. The HIL simulation teaching system includes an attack chain stage simulation module, a decision interaction module, a teaching evaluation module, and an attack and defense strategy teaching library. The integration process includes:
[0050] The physical attributes and operating status of network components are simulated by virtual machines. For example, the number of CPU cores, memory size, and operating system type of the host can be set, and the open status of server service ports and the existence of vulnerabilities can be simulated.
[0051] Connect to physical teaching equipment, including attack and defense training terminals for students to operate, decision input devices (such as keyboards and touch screens), and real-time feedback displays. Students can perform practical operations such as configuring defense strategies and identifying attack features through physical equipment.
[0052] The attack chain stage simulation module pre-stores attack chain stage process libraries corresponding to various attack types such as ransomware attacks, DDoS attacks, and SQL injection attacks. It supports instructors to customize attack chain stage parameters, such as attack intensity, triggering conditions, and duration.
[0053] S103, set the nodes, communication links and network attributes of the teaching network to be simulated in the hardware-in-the-loop simulation teaching system, set decision nodes in combination with the characteristics of each stage of the attack chain to be simulated, and obtain the network simulation teaching topology containing decision nodes.
[0054] Among them, node attributes include node type (such as attacking node, defending node, target node), hardware configuration, software environment, vulnerability information, etc.; communication link attributes include data transmission rate, latency, encryption status, etc.; network attributes include network topology (such as star topology, bus topology), routing protocol, security policy, etc.
[0055] The decision-making node settings need to be associated with each stage of the attack chain, specifically:
[0056] Reconnaissance phase: Set up decision nodes for attack source IP identification, port scanning behavior detection, and sensitive information leakage protection. Trainees can choose to enable traffic monitoring, configure access control lists, and other policies.
[0057] Delivery stage: Set up decision nodes for email attachment detection, malicious link blocking, and file transfer filtering. Optional strategies include enabling antivirus software and configuring email gateway rules.
[0058] Exploitation phase: Decision points for setting up vulnerability patch installation, minimum privilege configuration, and intrusion detection rule adjustment. Trainees can choose to patch vulnerabilities in a timely manner and disable unnecessary services, etc.
[0059] Command and control phase: Set up decision nodes for C2 communication blocking, domain name resolution interception, and attack source location. Optional strategies include configuring firewalls to block suspicious IPs and enabling DNS filtering.
[0060] Goal Achievement Phase: Set decision nodes for data backup and recovery, system image restoration, and log audit analysis. Trainees can choose to initiate emergency backup, investigate malicious programs, etc.
[0061] Each decision node is associated with at least two optional defense strategies, including the optimal strategy, the suboptimal strategy, and the error strategy, which are used to test the trainees' mastery of the knowledge points.
[0062] S104, in the network simulation teaching topology, simulates network attack events in stages through the attack chain stage simulation module, guiding students to make defense decisions for each stage of the attack event through the decision interaction module. The specific process is as follows:
[0063] The instructor selects a preset attack type (such as ransomware attack) through the teaching configuration module, and the system calls the corresponding attack chain template from the attack chain stage process library;
[0064] The attack simulation proceeds in stages in the order of reconnaissance → weaponization → delivery → utilization → installation → command and control → target achievement. The simulation is automatically paused after each stage is completed. For example, in the reconnaissance stage, the system simulates the attacker scanning the target network ports. The system pauses and displays port scan logs, abnormal traffic prompts and other information to the trainees through the decision interaction module.
[0065] Trainees can view attack characteristic information through the attack and defense exercise terminal, select corresponding defense measures from the optional strategies of the decision node and input them, such as selecting to configure access control lists to block suspicious IP scans during the reconnaissance phase;
[0066] The system dynamically adjusts the attack intensity and method for the next stage based on the student's decision: if the student chooses the optimal strategy, the attack chain is hindered and the attack effect in the next stage is weakened (e.g., 80% of malicious emails are blocked in the delivery stage); if the student chooses the suboptimal strategy, the attack is partially hindered (e.g., 50% of malicious emails are blocked); if the student chooses the wrong strategy, the attack proceeds smoothly (e.g., all malicious emails are successfully delivered).
[0067] S105, through the teaching evaluation module, evaluates the effectiveness of students' defense decisions based on the defense quantitative teaching system, and generates evaluation feedback results including decision accuracy, response timeliness, and defense vulnerabilities.
[0068] The defensive quantitative teaching system includes:
[0069] The quantitative metrics set includes decision response time (the time from the pause of the attack phase to the student submitting the decision), strategy selection accuracy (number of times the optimal strategy was selected / total number of decisions), defense effectiveness achievement rate (number of successfully blocked attack phases / total number of attack phases), and number of missed vulnerabilities (number of unidentified attack vulnerabilities).
[0070] Indicator weighting rules: Weights are allocated based on teaching priorities. For example, in the basic teaching stage, the weight of strategy selection accuracy is set at 40%, decision response time at 20%, defense effectiveness achievement rate at 30%, and the number of vulnerabilities missed at 10%. In the advanced teaching stage, the weight of defense effectiveness achievement rate can be increased to 40%.
[0071] Evaluation grading standards: Excellent (overall score ≥ 85 points), Pass (60 points ≤ overall score < 85 points), Fail (overall score < 60 points);
[0072] Feedback generation rules: The system automatically records the student's actions at each decision node, analyzes the reasons for incorrect decisions (such as confusion of knowledge points or improper application of strategies), associates the corresponding knowledge point analysis and typical cases in the attack and defense strategy teaching library, and generates personalized feedback reports. For example, if the student chooses to rely solely on the antivirus software detection strategy during the delivery stage and does not enable the email gateway rule, resulting in 30% of malicious emails being successfully delivered, it is recommended to learn the knowledge points of the multi-level malicious code defense system.
[0073] S106. If the evaluation feedback results do not meet the preset teaching standards, targeted guidance will be provided based on the attack and defense strategy teaching library, and the corresponding attack chain stage will be re-deduced and taught until the student's evaluation feedback results meet the standards.
[0074] The preset teaching achievement standards can be adjusted according to the teaching stage. The basic stage is set to the pass level, and the advanced stage is set to the excellent level. If the student's assessment result does not meet the standard, the system will perform the following operations:
[0075] Locate the unqualified attack chain stages and corresponding decision nodes, such as the failure to select a vulnerability patching strategy during the exploit stage, which led to the successful exploitation of vulnerabilities for intrusion.
[0076] The system retrieves video explanations, text tutorials, and typical defense cases for this stage from the attack and defense strategy teaching library and displays them on a real-time feedback monitor.
[0077] Instructors can view students' operation records through the teaching management module and provide one-on-one targeted explanations, focusing on the harm of wrong decisions and the principles of optimal strategies;
[0078] After the explanation is completed, the system re-simulates the attack event in the stage where the standard was not met, and asks the trainees to make defense decisions again until the assessment of this stage is met;
[0079] If a student repeatedly makes the same mistake, the system can lock the error policy and force the student to relearn the corresponding knowledge points before proceeding with the deduction.
[0080] Example 2
[0081] This embodiment, based on embodiment 1, adds a group-based adversarial teaching mode to further enhance the interactivity and practicality of the teaching. The specific process of the group-based adversarial teaching mode is as follows:
[0082] The trainees are divided into an attack group and a defense group, with 3-5 people in each group. The attack group is responsible for simulating the attacker, and the defense group is responsible for executing the defense decision.
[0083] The instructor sets up adversarial scenarios and objectives through the teaching configuration module. For example, if the attack group uses SQL injection attacks to obtain data from the target server, the defense group needs to block the attack and locate the source of the attack before the attack chain is completed.
[0084] The attack group can customize attack parameters through the attack chain simulation module, such as selecting reconnaissance → exploitation → command control → target to achieve the attack chain, and setting the payload type and attack frequency of SQL injection attacks.
[0085] The defense team monitors the network status in real time through the decision interaction module and makes defense decisions for each stage of the attack initiated by the attack team.
[0086] The teaching evaluation module assesses the performance of the two groups separately: the attack group's evaluation indicators include attack progress efficiency (actual number of attack stages completed / preset number of attack stages × 100%), strategy innovation (difference between custom parameters and attack chain template), and goal achievement (actual alignment with preset attack goals); the weighting of the attack group's evaluation indicators is: goal achievement 40%, attack progress efficiency 35%, and strategy innovation 25%; the evaluation level standards and feedback generation rules for the attack group are consistent with those in Example 1, and the evaluation indicators for the defense group use the quantitative indicator set in Example 1;
[0087] After the group competition, the system generates two sets of evaluation reports. The instructors organize the students to review the reports, analyze the attack path design of the attacking group and the decision-making loopholes of the defending group, and strengthen both sides' understanding of the attack chain and defense strategy.
[0088] Any aspects of this invention not described in detail are well-known to those skilled in the art.
[0089] Finally, it should be noted that the above specific embodiments are only used to illustrate the technical solutions of the present invention and are not intended to limit it. Although the present invention has been described in detail with reference to the embodiments, those skilled in the art should understand that modifications and equivalent substitutions can be made to the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, and all such modifications and substitutions should be covered within the scope of the claims of the present invention.
Claims
1. A network security defense decision deduction teaching method based on attack chain simulation, characterized in that, include: Based on the teaching objectives and network security protection knowledge points, the attack chain to be simulated and the corresponding teaching network to be simulated are determined. The attack chain to be simulated includes at least three consecutive stages: reconnaissance, weaponization, delivery, utilization, installation, command and control, and goal achievement. The network components are linked to the network to be simulated and connected to the hardware-in-the-loop simulation teaching system, which includes an attack chain stage simulation module, a decision interaction module, a teaching evaluation module, and an attack and defense strategy teaching library. The attributes of the nodes, communication links, and networks corresponding to the teaching network to be simulated in the hardware-in-the-loop simulation teaching system are set, and decision nodes are set in combination with the characteristics of each stage of the attack chain to be simulated, so as to obtain the network simulation teaching topology containing decision nodes. On the network simulation teaching topology, network attack events are simulated in stages through the attack chain stage simulation module, and students are guided to make defense decisions for each stage of the attack event through the decision interaction module. The teaching evaluation module evaluates the effectiveness of students' defense decisions based on the defense quantification teaching system, and generates evaluation feedback results including decision accuracy, response timeliness, and defense vulnerabilities. If the assessment feedback does not meet the preset teaching standards, targeted guidance will be provided based on the attack and defense strategy teaching library, and the corresponding attack chain stage will be re-deduced and taught until the student's assessment feedback meets the standards.
2. The method of claim 1, wherein, The access to the semi-physical simulation teaching system includes: Simulate the physical attributes and operating status of at least one network element using a virtual machine; At least one physical teaching device is connected, the physical teaching device including an attack and defense training terminal, a decision input device and a real-time feedback display, for students to practice defense configuration and decision input; The attack chain stage simulation module pre-stores attack chain stage process libraries corresponding to different attack types and supports custom attack chain stage parameters.
3. The method of claim 1, wherein, The decision-making nodes are set by combining the characteristics of each stage of the attack chain to be simulated, including: During the reconnaissance phase, decision-making nodes are set up for attack source identification and reconnaissance behavior interception; During the delivery phase, decision-making nodes for malicious code detection and transmission link protection are set up; During the exploitation phase, decision-making nodes for vulnerability patching and access control are set up; During the command and control phase, decision nodes for communication blocking and attack source tracing are set up; During the goal achievement phase, decision-making nodes for data protection and system recovery are set. Each decision node is associated with at least two optional defense strategies for trainees to choose from and execute.
4. The method of claim 1, wherein, The phased simulation of network attack events through the attack chain phase simulation module includes: Based on a preset attack type, the corresponding attack chain template is called from the attack chain stage process library. The attack type includes at least one of ransomware attack, DDoS attack, and SQL injection attack. The attack simulation proceeds in stages, following the sequence of reconnaissance → weaponization → delivery → utilization → installation → command and control → target achievement. After each stage of the simulation is completed, it is paused to allow trainees to input defense decisions through the decision interaction module. The attack intensity and method for the next stage will be dynamically adjusted based on the student's decision. If the student's decision is effective, the attack effect of the corresponding stage will be weakened; if the decision is ineffective, the attack will be intensified.
5. The method of claim 1, wherein, The defense quantification teaching system includes: The quantitative indicator set includes decision response time, strategy selection accuracy, defense effectiveness achievement rate, and number of vulnerabilities missed. The weighting rules for indicators are as follows: weights are assigned to each quantitative indicator based on the teaching focus, with the defense effectiveness achievement rate having a weight of no less than 30%. The evaluation grading standards include three levels: excellent, qualified, and unqualified, with each level corresponding to a comprehensive score range of quantitative indicators. The feedback generation rules generate feedback reports based on the trainees' performance at each decision-making node, including error decision analysis, optimal strategy recommendations, and knowledge point correlation analysis.
6. The method of claim 1, wherein, The method also includes a group-based adversarial teaching mode, the process of which is as follows: Trainees are divided into an attack group and a defense group. The attack group customizes attack parameters through the attack chain stage simulation module, while the defense group executes defense decisions. The teaching evaluation module evaluates the performance of the two groups respectively. The attack and defense strategy teaching library is updated in real time with the latest defense technologies and strategy cases corresponding to each stage of the attack chain, which students can consult and learn during breaks in the simulation.
7. The method of claim 6, wherein, The re-teaching of the corresponding attack chain stages includes: Identify the attack chain stages and corresponding decision nodes where trainees have not met the standards; The knowledge points and typical cases for this stage are retrieved from the attack and defense strategy teaching library and displayed through the display terminal of the semi-physical simulation teaching system. The instructors provide targeted explanations through the teaching management module, and then re-simulate the attack event for this stage, allowing students to make defensive decisions again until the assessment for this stage is met.