Network attack simulation method and device, computer device, readable storage medium and program product

By constructing a network attack simulation system, setting a set of atomic attack behaviors and a behavior semantic mapping graph, and dynamically adjusting the attack path, the static and linear structure problems of traditional systems are solved, and efficient attack simulation effects are achieved.

CN122394905APending Publication Date: 2026-07-14ELECTRIC POWER RES INST CHINA SOUTHERN POWER GRID CO LTD +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
ELECTRIC POWER RES INST CHINA SOUTHERN POWER GRID CO LTD
Filing Date
2026-04-24
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Traditional network attack simulation systems lack dynamic adaptability and are unable to meet the needs of realistically reproducing and dynamically simulating complex and advanced attack behaviors.

Method used

By setting a set of atomic attack behaviors, constructing a behavior semantic mapping graph, dividing the attack phases, and introducing a path evaluation function and a path reconstruction mechanism, the optimal attack path is generated, the behavior direction is dynamically adjusted, and the simulation realism and target orientation are improved.

Benefits of technology

It achieves realism and accuracy in network attack simulation, can dynamically adjust attack paths, avoid invalid paths, and improve the rationality and effectiveness of simulation.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394905A_ABST
    Figure CN122394905A_ABST
Patent Text Reader

Abstract

The application relates to a network attack simulation method and device, computer equipment, a computer readable storage medium and a computer program product. The method comprises the following steps: setting an atomic attack behavior set, constructing a behavior semantic mapping graph in a graph structure; dividing an attack process into multiple attack stages, and defining an attack target state set and a preset attack intention corresponding to each attack stage; scoring all nodes in the behavior semantic mapping graph through a stage intention function; setting a state transition condition function to indicate attack stage jumping; generating an attack path and screening an optimal attack path through a path evaluation function; controlling a target environment to transit from a current state to a state after behavior execution through an environment state transition function; calling a behavior effect feedback evaluation function to trigger a path reconstruction mechanism; and splicing optimal attack paths of all attack stages to obtain a final simulation behavior chain. The method can improve the authenticity of network attack simulation.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of computer technology, and in particular to a network attack simulation method, apparatus, computer equipment, computer-readable storage medium, and computer program product. Background Technology

[0002] With the development of computer network technology, network attack simulation systems have emerged. These systems can simulate various network attack behaviors by constructing a virtual network environment, thereby reproducing known or potential attack paths.

[0003] Traditional network attack simulation systems often use static attack process libraries or specific attack templates to execute predefined attack behaviors. Their basic structure mainly relies on predefined attack behavior scripts, attack path models, and behavior triggering mechanisms under fixed rules. In actual execution, the attack simulation is usually triggered by the attack engine, which loads the preset scripts and injects attack instructions into the target environment, controlling the controlled nodes to complete a series of attack steps.

[0004] However, while traditional network attack simulation systems can recreate attack scenarios to some extent, their structures are highly templated and static. Attack paths lack dynamic adaptability, and attack behaviors often exhibit a linear structure that ends as soon as they are executed. This makes it difficult to meet the needs for realistic reproduction and dynamic evolution simulation of complex and advanced attack behaviors. Summary of the Invention

[0005] Therefore, it is necessary to provide a network attack simulation method, apparatus, computer equipment, computer-readable storage medium, and computer program product that can improve the realism, dynamism, and intelligence of network attack simulation in order to address the above-mentioned technical problems.

[0006] Firstly, this application provides a network attack simulation method, including:

[0007] A set of atomic attack behaviors is defined, each of which is defined by a triple consisting of an attack action, affected resources, and execution environment conditions. A semantic mapping graph of behaviors is constructed using a graph structure, where nodes of the graph structure are atomic attack behaviors, edges are semantic dependencies and causal relationships between atomic attack behaviors, and edge weights are determined by semantic matching degree and execution cost function.

[0008] The attack process is divided into multiple attack stages, and a set of attack target states corresponding to each attack stage is defined. Each attack stage corresponds to a preset attack intent. Through the stage intent function, all nodes in the behavior semantic mapping graph are scored to represent the matching degree of the current atomic attack behavior to the attack target state set within the corresponding attack stage. A state transition condition function is set, and the score of the stage intent function is compared with the attack stage completion judgment threshold. The corresponding comparison result is used to indicate the attack stage jump.

[0009] Based on the current attack stage, the behavioral semantic map, and the stage intent function, an attack path is generated with the goal of maximizing the sum of the stage intent functions and satisfying the connectivity constraints of the behavioral semantic map. The optimal attack path is then selected through a path evaluation function, which is used to balance the goal-driven nature and execution cost of the attack path.

[0010] The target environment's state space is defined, and atomic attack behavior nodes are executed sequentially according to the optimal attack path. The environment state transition function controls the transition of the target environment from the current state to the state after the behavior execution. The behavior effect feedback evaluation function is called to determine whether the currently executed atomic attack behavior has achieved the expected semantic goal. If the evaluation result is not achieved, the path reconstruction mechanism is triggered. The optimal attack behavior sequence is regenerated from the current environment state as a new starting point, combined with the behavior semantic mapping graph and the stage intent function. The above process of attack path generation, behavior execution, feedback evaluation and path reconstruction is repeated until all attack stages are completed. The optimal attack paths of all attack stages are spliced ​​together to obtain the final simulation behavior chain, and the simulation log, behavior state transition graph, attack stage goal achievement degree and abnormal events are recorded.

[0011] In one embodiment, atomic attack behavior includes scanning ports, extracting credentials, and establishing a C2 channel;

[0012] Among them, the attack action in the triplet corresponding to the scanned port is to initiate a connection, the affected resource is the service port, and the execution environment condition is that the target is accessible.

[0013] The attack action in the triplet corresponding to the extracted credentials is to execute a command, the affected resource is the system storage resource corresponding to the target IP, and the execution environment condition is to have read permissions.

[0014] The attack action in the triplet corresponding to the C2 channel is to initiate a connection, the affected resources are the target IP and the control IP, and the execution environment condition is that the target system has been initially controlled.

[0015] In one embodiment, the attack phase includes information gathering, initial intrusion, privilege escalation, lateral movement, and target destruction; the attack target states in the attack target state set corresponding to each attack phase include obtaining system credentials, controlling a specific host, and triggering defense bypass.

[0016] In one embodiment, the path evaluation function includes a balance factor for balancing target motive and execution cost. The balance factor has a value range of greater than 0 and less than or equal to 1. The smaller the balance factor, the more the path selection prioritizes ensuring the matching degree between the atomic attack behavior and the attack target state. The larger the balance factor, the more the path selection prioritizes controlling the execution cost of the attack path.

[0017] In one embodiment, before executing the atomic attack behavior nodes sequentially according to the optimal attack path, the method further includes:

[0018] A path perturbation mechanism is introduced. By using a preset path perturbation probability, at the connection decision point between each adjacent atomic attack behavior in the optimal attack path, alternative nodes that meet the preset threshold edge weight between the current atomic attack behavior and are not included in the optimal attack path are randomly introduced into the behavior semantic map to form behavior branches, so as to simulate the nonlinear and nondeterministic behavior of the attacker.

[0019] In one embodiment, a staged intent function is used to score all nodes in the behavioral semantic mapping graph, including:

[0020] For the current atomic attack behavior corresponding to the current node in the behavioral semantic mapping graph, the number of attack target states in the attack target state set corresponding to the attack stage that the current atomic attack behavior satisfies is counted. The ratio of the number to the total number of attack target states in the attack target state set corresponding to the attack stage is calculated, and the ratio is the matching degree score of the current atomic attack behavior.

[0021] Secondly, this application also provides a network attack simulation device, comprising:

[0022] The module is used to define a set of atomic attack behaviors. Each atomic attack behavior is defined by a triple consisting of an attack action, affected resources, and execution environment conditions. A semantic mapping graph of behavior is constructed using a graph structure. The nodes of the graph structure are atomic attack behaviors, and the edges are the semantic dependencies and causal relationships between atomic attack behaviors. The edge weights are determined by the semantic matching degree and the execution cost function.

[0023] The comparison module is used to divide the attack process into multiple attack stages and define the attack target state set corresponding to each attack stage. Each attack stage corresponds to a preset attack intent. Through the stage intent function, all nodes in the behavior semantic mapping graph are scored to represent the matching degree of the attack target state within the attack target state set of the corresponding attack stage achieved by the current atomic attack behavior. A state transition condition function is set, and the score of the stage intent function is used to compare with the attack stage completion judgment threshold. The corresponding comparison result is used to indicate the attack stage jump.

[0024] The generation module is used to generate attack paths based on the current attack stage, the behavioral semantic map, and the stage intent function, with the goal of maximizing the sum of the stage intent functions and satisfying the connectivity constraints of the behavioral semantic map. The optimal attack path is selected through a path evaluation function, which is used to balance the goal-driven nature and execution cost of the attack path.

[0025] The judgment module is used to set the state space of the target environment, execute atomic attack behavior nodes sequentially according to the optimal attack path, and control the transition of the target environment from the current state to the state after the behavior execution through the environment state transition function; it calls the behavior effect feedback evaluation function to determine whether the currently executed atomic attack behavior has achieved the expected semantic goal; if the evaluation result is not achieved, the path reconstruction mechanism is triggered, using the current environment state as a new starting point, and regenerating the optimal attack behavior sequence by combining the behavior semantic mapping graph and the stage intent function; the above process of attack path generation, behavior execution, feedback evaluation and path reconstruction is repeated until all attack stages are completed, and the optimal attack paths of all attack stages are spliced ​​together to obtain the final simulation behavior chain, and the simulation log, behavior state transition graph, attack stage goal achievement degree and abnormal events are recorded.

[0026] Thirdly, this application also provides a computer device, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the following steps:

[0027] A set of atomic attack behaviors is defined, each of which is defined by a triple consisting of an attack action, affected resources, and execution environment conditions. A semantic mapping graph of behaviors is constructed using a graph structure, where nodes of the graph structure are atomic attack behaviors, edges are semantic dependencies and causal relationships between atomic attack behaviors, and edge weights are determined by semantic matching degree and execution cost function.

[0028] The attack process is divided into multiple attack stages, and a set of attack target states corresponding to each attack stage is defined. Each attack stage corresponds to a preset attack intent. Through the stage intent function, all nodes in the behavior semantic mapping graph are scored to represent the matching degree of the current atomic attack behavior to the attack target state set within the corresponding attack stage. A state transition condition function is set, and the score of the stage intent function is compared with the attack stage completion judgment threshold. The corresponding comparison result is used to indicate the attack stage jump.

[0029] Based on the current attack stage, the behavioral semantic map, and the stage intent function, an attack path is generated with the goal of maximizing the sum of the stage intent functions and satisfying the connectivity constraints of the behavioral semantic map. The optimal attack path is then selected through a path evaluation function, which is used to balance the goal-driven nature and execution cost of the attack path.

[0030] The target environment's state space is defined, and atomic attack behavior nodes are executed sequentially according to the optimal attack path. The environment state transition function controls the transition of the target environment from the current state to the state after the behavior execution. The behavior effect feedback evaluation function is called to determine whether the currently executed atomic attack behavior has achieved the expected semantic goal. If the evaluation result is not achieved, the path reconstruction mechanism is triggered. The optimal attack behavior sequence is regenerated from the current environment state as a new starting point, combined with the behavior semantic mapping graph and the stage intent function. The above process of attack path generation, behavior execution, feedback evaluation and path reconstruction is repeated until all attack stages are completed. The optimal attack paths of all attack stages are spliced ​​together to obtain the final simulation behavior chain, and the simulation log, behavior state transition graph, attack stage goal achievement degree and abnormal events are recorded.

[0031] Fourthly, this application also provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, performs the following steps:

[0032] A set of atomic attack behaviors is defined, each of which is defined by a triple consisting of an attack action, affected resources, and execution environment conditions. A semantic mapping graph of behaviors is constructed using a graph structure, where nodes of the graph structure are atomic attack behaviors, edges are semantic dependencies and causal relationships between atomic attack behaviors, and edge weights are determined by semantic matching degree and execution cost function.

[0033] The attack process is divided into multiple attack stages, and a set of attack target states corresponding to each attack stage is defined. Each attack stage corresponds to a preset attack intent. Through the stage intent function, all nodes in the behavior semantic mapping graph are scored to represent the matching degree of the current atomic attack behavior to the attack target state set within the corresponding attack stage. A state transition condition function is set, and the score of the stage intent function is compared with the attack stage completion judgment threshold. The corresponding comparison result is used to indicate the attack stage jump.

[0034] Based on the current attack stage, the behavioral semantic map, and the stage intent function, an attack path is generated with the goal of maximizing the sum of the stage intent functions and satisfying the connectivity constraints of the behavioral semantic map. The optimal attack path is then selected through a path evaluation function, which is used to balance the goal-driven nature and execution cost of the attack path.

[0035] The target environment's state space is defined, and atomic attack behavior nodes are executed sequentially according to the optimal attack path. The environment state transition function controls the transition of the target environment from the current state to the state after the behavior execution. The behavior effect feedback evaluation function is called to determine whether the currently executed atomic attack behavior has achieved the expected semantic goal. If the evaluation result is not achieved, the path reconstruction mechanism is triggered. The optimal attack behavior sequence is regenerated from the current environment state as a new starting point, combined with the behavior semantic mapping graph and the stage intent function. The above process of attack path generation, behavior execution, feedback evaluation and path reconstruction is repeated until all attack stages are completed. The optimal attack paths of all attack stages are spliced ​​together to obtain the final simulation behavior chain, and the simulation log, behavior state transition graph, attack stage goal achievement degree and abnormal events are recorded.

[0036] Fifthly, this application also provides a computer program product, including a computer program that, when executed by a processor, performs the following steps:

[0037] A set of atomic attack behaviors is defined, each of which is defined by a triple consisting of an attack action, affected resources, and execution environment conditions. A semantic mapping graph of behaviors is constructed using a graph structure, where nodes of the graph structure are atomic attack behaviors, edges are semantic dependencies and causal relationships between atomic attack behaviors, and edge weights are determined by semantic matching degree and execution cost function.

[0038] The attack process is divided into multiple attack stages, and a set of attack target states corresponding to each attack stage is defined. Each attack stage corresponds to a preset attack intent. Through the stage intent function, all nodes in the behavior semantic mapping graph are scored to represent the matching degree of the current atomic attack behavior to the attack target state set within the corresponding attack stage. A state transition condition function is set, and the score of the stage intent function is compared with the attack stage completion judgment threshold. The corresponding comparison result is used to indicate the attack stage jump.

[0039] Based on the current attack stage, the behavioral semantic map, and the stage intent function, an attack path is generated with the goal of maximizing the sum of the stage intent functions and satisfying the connectivity constraints of the behavioral semantic map. The optimal attack path is then selected through a path evaluation function, which is used to balance the goal-driven nature and execution cost of the attack path.

[0040] The target environment's state space is defined, and atomic attack behavior nodes are executed sequentially according to the optimal attack path. The environment state transition function controls the transition of the target environment from the current state to the state after the behavior execution. The behavior effect feedback evaluation function is called to determine whether the currently executed atomic attack behavior has achieved the expected semantic goal. If the evaluation result is not achieved, the path reconstruction mechanism is triggered. The optimal attack behavior sequence is regenerated from the current environment state as a new starting point, combined with the behavior semantic mapping graph and the stage intent function. The above process of attack path generation, behavior execution, feedback evaluation and path reconstruction is repeated until all attack stages are completed. The optimal attack paths of all attack stages are spliced ​​together to obtain the final simulation behavior chain, and the simulation log, behavior state transition graph, attack stage goal achievement degree and abnormal events are recorded.

[0041] The aforementioned network attack simulation methods, devices, computer equipment, computer-readable storage media, and computer program products, by setting a set of atomic attack behaviors and constructing a behavior semantic mapping graph with a graph structure, can express the evolutionary logic and contextual relationships between atomic attack behaviors, and provide a structural foundation for subsequent stage division and path generation. By dividing the attack process into multiple attack stages, defining the attack target state set corresponding to each attack stage, and scoring all nodes in the behavior semantic mapping graph through a stage intent function, the matching degree of the current atomic attack behavior to the attack target state is characterized. This enables the attack behavior to have context awareness, dynamically adjust the behavior direction, and avoid executing invalid paths, thereby improving the realism and target orientation of the attack simulation. Based on the current attack stage, the behavior semantic mapping graph, and the stage intent function, an attack path is generated, and the optimal attack path is selected through a path evaluation function, improving the rationality and effectiveness of the attack path. By setting the state space of the target environment and using the environment state transition function and the behavior effect feedback evaluation function, a path reconstruction mechanism is introduced to ensure the continuity and accuracy of the attack simulation. Attached Figure Description

[0042] To more clearly illustrate the technical solutions in the embodiments of this application or related technologies, the drawings used in the description of the embodiments of this application or related technologies will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.

[0043] Figure 1 This is a diagram illustrating the application environment of a network attack simulation method in one embodiment.

[0044] Figure 2 This is a flowchart illustrating a network attack simulation method in one embodiment;

[0045] Figure 3 This is a flowchart illustrating a network attack simulation method in another embodiment;

[0046] Figure 4 This is a structural block diagram of a network attack simulation device in one embodiment;

[0047] Figure 5 This is an internal structural diagram of a computer device in one embodiment. Detailed Implementation

[0048] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.

[0049] It should be noted that the terms "first," "second," etc., used in this application can be used to describe various elements, but these elements are not limited by these terms. These terms are only used to distinguish the first element from the second element. The terms "comprising" and "having," and any variations thereof, used in this application, are intended to cover non-exclusive inclusion. The term "multiple" used in this application refers to two or more. The term "and / or" used in this application refers to one of the embodiments, or any combination of multiple embodiments.

[0050] The network attack simulation method provided in this application can be applied to, for example... Figure 1 In the application environment shown, terminal 102 communicates with server 104 via a network. A data storage system can store the data that server 104 needs to process. The data storage system can be integrated onto server 104 or located on a cloud or other network server. Specifically, terminal 102 or server 104 performs a network attack simulation method, which includes:

[0051] A set of atomic attack behaviors is defined, each of which is defined by a triple consisting of an attack action, affected resources, and execution environment conditions. A semantic mapping graph of behaviors is constructed using a graph structure, where nodes of the graph structure are atomic attack behaviors, edges are semantic dependencies and causal relationships between atomic attack behaviors, and edge weights are determined by semantic matching degree and execution cost function.

[0052] The attack process is divided into multiple attack stages, and a set of attack target states corresponding to each attack stage is defined. Each attack stage corresponds to a preset attack intent. Through the stage intent function, all nodes in the behavior semantic mapping graph are scored to represent the matching degree of the current atomic attack behavior to the attack target state set within the corresponding attack stage. A state transition condition function is set, and the score of the stage intent function is compared with the attack stage completion judgment threshold. The corresponding comparison result is used to indicate the attack stage jump.

[0053] Based on the current attack stage, the behavioral semantic map, and the stage intent function, an attack path is generated with the goal of maximizing the sum of the stage intent functions and satisfying the connectivity constraints of the behavioral semantic map. The optimal attack path is then selected through a path evaluation function, which is used to balance the goal-driven nature and execution cost of the attack path.

[0054] The target environment's state space is defined, and atomic attack behavior nodes are executed sequentially according to the optimal attack path. The environment state transition function controls the transition of the target environment from the current state to the state after the behavior execution. The behavior effect feedback evaluation function is called to determine whether the currently executed atomic attack behavior has achieved the expected semantic goal. If the evaluation result is not achieved, the path reconstruction mechanism is triggered. The optimal attack behavior sequence is regenerated from the current environment state as a new starting point, combined with the behavior semantic mapping graph and the stage intent function. The above process of attack path generation, behavior execution, feedback evaluation and path reconstruction is repeated until all attack stages are completed. The optimal attack paths of all attack stages are spliced ​​together to obtain the final simulation behavior chain, and the simulation log, behavior state transition graph, attack stage goal achievement degree and abnormal events are recorded.

[0055] Terminal 102 can be, but is not limited to, various personal computers, laptops, smartphones, tablets, drones, low-altitude aircraft, IoT devices, and portable wearable devices. IoT devices can include smart speakers, smart TVs, smart air conditioners, smart in-vehicle devices, and projection equipment. Portable wearable devices can include smartwatches, smart bracelets, and head-mounted displays. Head-mounted displays can be virtual reality (VR) devices, augmented reality (AR) devices, and smart glasses. Server 104 can be a standalone physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server providing cloud computing services.

[0056] In one exemplary embodiment, such as Figure 2 As shown, a network attack simulation method is provided, which can be applied to... Figure 1 Taking the server in the example, the explanation includes the following steps 202 to 208. Wherein:

[0057] Step 202: Define a set of atomic attack behaviors. Each atomic attack behavior is defined by a triple consisting of an attack action, affected resources, and execution environment conditions. Construct a semantic mapping graph of behavior using a graph structure. The nodes of the graph structure are atomic attack behaviors, and the edges are the semantic dependencies and causal relationships between atomic attack behaviors. The edge weights are determined by the semantic matching degree and the execution cost function.

[0058] Atomic attacks include actions such as port scanning, credential extraction, and C2 tunnel establishment. Attack actions include command execution and connection initiation; affected resources include target IPs and service ports; and execution environment conditions include privilege levels and target status.

[0059] Among them, the attack action in the triplet corresponding to the scanning port is to initiate a connection, the affected resource is the service port, and the execution environment condition is that the target is accessible; the attack action in the triplet corresponding to extracting credentials is to execute a command, the affected resource is the system storage resource corresponding to the target IP, and the execution environment condition is that read permission is available; the attack action in the triplet corresponding to establishing a C2 channel is to initiate a connection, the affected resources are the target IP and the control terminal IP, and the execution environment condition is that the target system has been initially controlled.

[0060] For example, a set of atomic attack behaviors is defined. , can be represented as:

[0061]

[0062] in, This represents an atomic attack action, such as "scanning ports," "extracting credentials," or "establishing a C2 channel." Each atomic attack action is defined by a triple, namely:

[0063]

[0064] in, This indicates an attack action, such as executing a command or initiating a connection. This indicates the affected resource, such as the target IP address or service port. This indicates the execution environment conditions, such as permission level and target status.

[0065] For example, constructing a behavior semantic mapping graph using a graph structure can be represented as follows:

[0066]

[0067] in, Nodes representing a graph structure Represents the edges of a graph structure. And the nodes... , representing all executable atomic attack behaviors; edge , representing the semantic dependencies and causal relationships between atomic attack behaviors; edge weights Indicates atomic attack behavior Switch to The strategy cost or stage credibility is determined by the semantic matching degree. and execution cost function "Confirmed" can be expressed as:

[0068]

[0069] Step 204: Divide the attack process into multiple attack stages and define the attack target state set corresponding to each attack stage. Each attack stage corresponds to a preset attack intent. Through the stage intent function, score all nodes in the behavior semantic mapping graph to represent the matching degree of the attack target state within the attack target state set corresponding to the current atomic attack behavior. Set a state transition condition function. The score of the stage intent function is used to compare with the attack stage completion judgment threshold. The corresponding comparison result is used to indicate the attack stage jump.

[0070] The attack phases include information gathering, initial intrusion, privilege escalation, lateral movement, and target destruction. The attack target state set corresponding to each attack phase includes the following: obtaining system credentials, controlling a specific host, and triggering defense bypass.

[0071] For example, the attack process is divided into Each attack phase can be represented as:

[0072]

[0073] Each attack phase This corresponds to a preset attack intent, such as information gathering, initial intrusion, privilege escalation, lateral movement, or target destruction. A stage intent function is defined for each attack stage, which can be expressed as:

[0074]

[0075] Furthermore, a set of attack target states is defined for each attack phase, which can be represented as:

[0076]

[0077] in, Indicates the first Phase 1 Target states, such as obtaining system credentials, controlling a specific host, or triggering defense bypass, etc.

[0078] Based on the defined stage intention function For behavioral semantic mapping graph All nodes are scored to represent the current atomic attack behavior. Achieve the attack target state at the corresponding attack stage Matching degree .

[0079] For example, a state transition condition function is set such that the current attack phase The jump is performed based on the state transition condition function, which can be expressed as:

[0080]

[0081] in, To determine the threshold for the attack phase, during the current attack phase... The state transition condition function must be satisfied, i.e. In this case, it will automatically jump to the next attack phase. .

[0082] Step 206: Based on the current attack stage, the behavioral semantic map, and the stage intent function, an attack path is generated with the goal of maximizing the sum of the stage intent functions and satisfying the connectivity constraints of the behavioral semantic map. The optimal attack path is then selected through a path evaluation function, which is used to balance the goal-driven nature and execution cost of the attack path.

[0083] For example, based on the current attack phase Behavioral semantic mapping graph and stage intention function Set the current attack phase The starting node is Choose a sequence of atomic attack behaviors, namely:

[0084]

[0085] Among them, targeting the current attack phase The sequence of atomic attack behaviors Each atomic attack behavior This will correspond to a stage intention function value. This yields multiple stage intent function values, consistent with the number of atomic attack actions. These multiple stage intent function values ​​are then summed. To generate an attack path, the sum of the stage intent functions for this action sequence needs to be maximized, while also satisfying the graph connectivity constraints between actions, i.e.:

[0086]

[0087] For example, the optimal attack path is selected based on the path evaluation function, which can be expressed as:

[0088]

[0089] in, Indicates the current attack phase Next The target matching score of each atomic behavior attack node; Indicates from attack behavior To attack behavior Graph edge weights (i.e., policy costs); This is the path penalty factor, used to balance target motive and path cost. The optimization objective of the attack path is expressed as:

[0090]

[0091] After obtaining the optimal attack path Then, each atomic attack behavior node in the attack path is executed sequentially. And after each attack node has been executed, a reassessment is performed. Function. In the current attack phase. Complete the state transition condition function In this case, proceed to the next attack phase. and for the next attack phase Regenerate the attack path.

[0092] Step 208: Set the state space of the target environment, execute atomic attack behavior nodes sequentially according to the optimal attack path, and control the target environment to transition from the current state to the state after the behavior execution through the environment state transition function; call the behavior effect feedback evaluation function to determine whether the currently executed atomic attack behavior has achieved the expected semantic goal; if the evaluation result is not achieved, trigger the path reconstruction mechanism, take the current environment state as the new starting point, and regenerate the optimal attack behavior sequence by combining the behavior semantic mapping graph and the stage intent function; repeat the above process of attack path generation, behavior execution, feedback evaluation and path reconstruction until all attack stages are completed, and splice the optimal attack paths of all attack stages to obtain the final simulation behavior chain, and record the simulation log, behavior state transition graph, attack stage goal achievement degree and abnormal events.

[0093] For example, in generating the optimal attack path Then, each atomic attack behavior node in the attack path is executed sequentially. It records all execution state transitions and sets the target environment state space as follows:

[0094]

[0095] After executing each atomic attack behavior node Then, the target environment is controlled to transition from the current state through a state transition function. Transition to the next state The transfer process can be represented as:

[0096]

[0097] in, is the state transition function, representing the effect and result of atomic attack behavior on the target environment state.

[0098] For example, after each state transition is completed, the behavior effect feedback evaluation function is called. Determine the currently executing atomic attack behavior. Whether the expected semantic goal has been achieved, and the feedback evaluation function for the effect of this behavior. It can be represented as:

[0099]

[0100] If the evaluation result indicates that the expected semantic objective has not been achieved, the attack path reconstruction mechanism is triggered, and the system reverts to the current stage. The path optimization process is then re-executed, and this triggering mechanism can be represented as:

[0101]

[0102] Each path reconstruction will retain the sequence of previously successfully executed atomic attack behaviors and will be based on the current environment state. As a new starting point, combining behavioral semantic mapping graphs and stage intention function Regenerate the optimal attack behavior sequence.

[0103] For example, the process of attack path generation, atomic attack execution, feedback evaluation, and attack path reconstruction described above is repeated until the phase completion function is executed. or the final stage Achieved. After completing all attack phases, the optimal attack paths for all attack phases are concatenated to obtain the final simulated behavior chain, namely:

[0104]

[0105] in, This indicates the path concatenation operation. Simulation logs, behavior state transition diagrams, attack phase target achievement rates, and abnormal events are recorded for subsequent analysis and evaluation.

[0106] In the aforementioned network attack simulation method, by setting a set of atomic attack behaviors and constructing a behavior semantic mapping graph with a graph structure, the evolutionary logic and contextual relationships between atomic attack behaviors can be expressed, providing a structural foundation for subsequent stage division and path generation. By dividing the attack process into multiple attack stages, defining the attack target state set corresponding to each attack stage, and scoring all nodes in the behavior semantic mapping graph through a stage intent function, the matching degree of the current atomic attack behavior to the attack target state can be characterized. This enables the attack behavior to have context awareness, dynamically adjust the behavior direction, and avoid executing invalid paths, thereby improving the realism and target orientation of the attack simulation. Attack paths are generated based on the current attack stage, the behavior semantic mapping graph, and the stage intent function, and the optimal attack path is selected through a path evaluation function, improving the rationality and effectiveness of the attack path. By setting the state space of the target environment and using the environment state transition function and the behavior effect feedback evaluation function, a path reconstruction mechanism is introduced to ensure the continuity and accuracy of the attack simulation.

[0107] In one embodiment, the path evaluation function includes a balance factor for balancing target motive and execution cost. The balance factor has a value range of greater than 0 and less than or equal to 1. The smaller the balance factor, the more the path selection prioritizes ensuring the matching degree between the atomic attack behavior and the attack target state. The larger the balance factor, the more the path selection prioritizes controlling the execution cost of the attack path.

[0108] The balance factor is the path penalty factor. .

[0109] For example, based on the path evaluation function The optimal attack path is selected, and its evaluation function is used. Includes path penalty factor ,and Must meet .

[0110] When path penalty factor The smaller the value, the better the path evaluation function. Mainly with This relates to the path selection process, which prioritizes ensuring the match between atomic attack behavior and the state of the attack target. When the path penalty factor... When the value is larger, the path evaluation function... Mainly with This relates to the cost of prioritizing attack path selection.

[0111] In this embodiment, by introducing a balancing factor into the path evaluation function, the target matching degree and execution cost can be balanced during path selection. This reduces the overall execution cost of the attack path and improves the accuracy and effectiveness of attack simulation while ensuring a certain degree of target achievement.

[0112] In one embodiment, before executing atomic attack behavior nodes sequentially according to the optimal attack path, the method further includes: introducing a path perturbation mechanism, which, through a preset path perturbation probability, randomly introduces candidate nodes in the behavior semantic mapping graph whose edge weights with the current atomic attack behavior meet a preset threshold and are not included in the optimal attack path at the connection decision point between each adjacent atomic attack behavior in the optimal attack path, thereby forming a behavior branch to simulate the nonlinear and nondeterministic behavior of the attacker.

[0113] For example, based on the obtained optimal attack path Before executing atomic attack nodes sequentially according to the optimal attack path, a perturbation mechanism is introduced during the path selection process, by introducing a preset path perturbation probability. Targeting the optimal attack path The decision points connecting adjacent atomic attack behaviors are used to randomly introduce high-potential candidate nodes at some of these decision points, forming behavior branches. These candidate nodes are part of a behavior semantic mapping graph. The node that is not included in the optimal attack path, and the edge weight between the candidate node and the current atomic attack behavior meets the preset threshold.

[0114] By introducing alternative nodes to form behavioral branches, the nonlinear and nondeterministic behavior of an attacker can be simulated, and this behavioral branch can be represented as:

[0115]

[0116] In this embodiment, by introducing path perturbation probability, alternative nodes are introduced at some decision points to form behavioral branches, which makes the simulated behavior more diverse and closely resembles real attacks, further improving the simulation accuracy and complex simulation capabilities of the simulation system, and enhancing the system's adversarial and evolutionary capabilities.

[0117] In one embodiment, a stage intent function is used to score all nodes in the behavior semantic map, including: for the current atomic attack behavior corresponding to the current node in the behavior semantic map, counting the number of attack target states in the attack target state set corresponding to the attack stage that the current atomic attack behavior satisfies, calculating the ratio of the number to the total number of attack target states in the attack target state set corresponding to the attack stage, and the resulting ratio is the matching degree score of the current atomic attack behavior.

[0118] For example, for behavior semantic mapping graph The current atomic attack behavior corresponding to the current node. Based on the current attack phase The corresponding attack target state set This atomic attack behavior Each with the target state set Each target state Perform a match and determine the match result.

[0119] If a match is successful, it indicates that the atomic attack behavior has occurred. Satisfy the target state If a match fails, it indicates that the atomic attack behavior has occurred. The target state is not met. Count the number of successfully matched target states and sum this number with the set of attack target states. Total number of target states Perform a ratio calculation, and then use this ratio as the current atomic attack behavior. The matching score can be expressed as:

[0120]

[0121] in, Indicates the current atomic attack behavior Satisfying the target state If not satisfied, then And the stage intention function value The higher the value, the more likely it is to indicate an atomic attack behavior. The more it matches the current attack phase The target of the attack.

[0122] In this embodiment, by scoring all nodes in the behavior semantic mapping graph using a stage intent function, the matching degree between each atomic attack behavior and the target of the current attack stage can be accurately quantified, effectively improving the target orientation of the attack simulation.

[0123] like Figure 3 As shown, a specific embodiment illustrates a network attack simulation method, including steps 302 to 308. Wherein,

[0124] Step 302: Define the set of atomic attack behaviors and construct a behavior semantic mapping graph using a graph structure.

[0125] Specifically, define a set of atomic attack behaviors. And construct a behavior semantic mapping graph using a graph structure. .in, Nodes representing a graph structure Represents the edges of a graph structure. This represents the edge weight.

[0126] Step 304: Define the attack target state and construct the phase intent function.

[0127] Specifically, the attack process is divided into: Each attack phase, namely And each attack phase This corresponds to a preset attack intent, and defines a stage intent function for each attack stage. Then, define a set of attack target states for each attack phase. .

[0128] Based on the defined stage intention function For behavioral semantic mapping graph All nodes are scored to represent the current atomic attack behavior. Achieve the corresponding attack phase Attack target status Matching degree .

[0129] Set state transition condition function During the current attack phase The state transition condition function must be satisfied, i.e. In this case, it will automatically jump to the next attack phase. .

[0130] Step 306: Based on the current attack stage, the behavioral semantic mapping graph, and the stage intent function, generate an attack path and select the optimal attack path.

[0131] Specifically, based on the current attack phase Behavioral semantic mapping graph and stage intention function Set the current attack phase The starting node is Select a sequence of atomic attack behaviors In this sequence of actions The atomic attack behaviors satisfy the graph connectivity constraints between behaviors, and the sequence of behaviors... The attack path is generated when the sum of the stage intent functions is maximized.

[0132] Based on path evaluation function Select the optimal attack path And this optimal attack path The optimization objective is:

[0133]

[0134] Furthermore, based on the obtained optimal attack path A perturbation mechanism is introduced during the path selection process, by introducing a preset path perturbation probability. Targeting the optimal attack path The decision points connecting adjacent atomic attack behaviors are used to randomly introduce high-potential candidate nodes at some of these decision points, forming behavioral branches. This allows for the simulation of the attacker's nonlinear and nondeterministic behavior.

[0135] Step 308: Execute atomic attack behavior nodes sequentially according to the optimal attack path, and call the behavior effect feedback evaluation function to trigger the path reconstruction mechanism.

[0136] Specifically, in generating the optimal attack path Then, each atomic attack behavior node in the attack path is executed sequentially. And record all executed state transitions. Define the target environment state space. After executing each atomic attack behavior node Then, through the state transition function Control the target environment from its current state Transition to the next state .

[0137] After each state transition is completed, the behavior effect feedback evaluation function is called. Determine the currently executing atomic attack behavior. If the expected semantic objective has not been achieved, the attack path reconstruction mechanism is triggered, and the system reverts to the current stage. Then re-execute the path optimization process.

[0138] Repeat the above process of attack path generation, atomic attack execution, feedback evaluation, and attack path reconstruction. After completing all attack stages, the optimal attack paths from all attack stages are concatenated to obtain the final simulated behavior chain. It also records simulation logs, behavior state transition diagrams, attack phase target achievement rates, and abnormal events for subsequent analysis and evaluation.

[0139] It should be understood that although the steps in the flowcharts of the embodiments described above are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the embodiments described above may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages in other steps. It is understood that the steps in different embodiments can be freely combined as needed, and all non-contradictory solutions formed by such combinations are within the scope of protection of this application.

[0140] Based on the same inventive concept, this application also provides a network attack simulation apparatus for implementing the network attack simulation method described above. The solution provided by this apparatus is similar to the implementation scheme described in the above method; therefore, the specific limitations in one or more network attack simulation apparatus embodiments provided below can be found in the limitations of the network attack simulation method described above, and will not be repeated here.

[0141] In one exemplary embodiment, such as Figure 4 As shown, a network attack simulation device 400 is provided, including: a construction module 402, a comparison module 404, a generation module 406, and a judgment module 408, wherein:

[0142] Module 402 is used to define a set of atomic attack behaviors. Each atomic attack behavior is defined by a triple consisting of an attack action, affected resources, and execution environment conditions. A semantic mapping graph of behavior is constructed using a graph structure. The nodes of the graph structure are atomic attack behaviors, and the edges are the semantic dependencies and causal relationships between atomic attack behaviors. The edge weights are determined by the semantic matching degree and the execution cost function.

[0143] The comparison module 404 is used to divide the attack process into multiple attack stages and define the attack target state set corresponding to each attack stage. Each attack stage corresponds to a preset attack intent. Through the stage intent function, all nodes in the behavior semantic mapping graph are scored to represent the matching degree of the attack target state within the attack target state set of the corresponding attack stage achieved by the current atomic attack behavior. A state transition condition function is set, and the score of the stage intent function is used to compare with the attack stage completion judgment threshold. The corresponding comparison result is used to indicate the attack stage jump.

[0144] The generation module 406 is used to generate an attack path based on the current attack stage, the behavioral semantic map, and the stage intent function, with the goal of maximizing the sum of the stage intent functions and satisfying the connectivity constraints of the behavioral semantic map; and to select the optimal attack path through a path evaluation function, which is used to balance the goal-driven nature and execution cost of the attack path.

[0145] The judgment module 408 is used to set the state space of the target environment, execute atomic attack behavior nodes sequentially according to the optimal attack path, and control the transition of the target environment from the current state to the state after the behavior execution through the environment state transition function; it calls the behavior effect feedback evaluation function to determine whether the currently executed atomic attack behavior has achieved the expected semantic goal; if the evaluation result is not achieved, the path reconstruction mechanism is triggered, and the optimal attack behavior sequence is regenerated with the current environment state as the new starting point, combined with the behavior semantic mapping graph and the stage intent function; the above process of attack path generation, behavior execution, feedback evaluation and path reconstruction is repeated until all attack stages are completed, and the optimal attack paths of all attack stages are spliced ​​together to obtain the final simulation behavior chain, and the simulation log, behavior state transition graph, attack stage goal achievement degree and abnormal events are recorded.

[0146] In one embodiment, the construction module is also used for atomic attack behaviors including scanning ports, extracting credentials, and establishing a C2 channel; wherein, the attack action in the triple corresponding to scanning ports is to initiate a connection, the affected resource is the service port, and the execution environment condition is that the target is accessible; the attack action in the triple corresponding to extracting credentials is to execute a command, the affected resource is the system storage resource corresponding to the target IP, and the execution environment condition is that read permission is available; the attack action in the triple corresponding to establishing a C2 channel is to initiate a connection, the affected resources are the target IP and the control terminal IP, and the execution environment condition is that the target system has been initially controlled.

[0147] In one embodiment, the comparison module is also used for attack phases including information gathering, initial intrusion, privilege escalation, lateral movement, and target destruction; the attack target state in the attack target state set corresponding to each attack phase includes obtaining system credentials, controlling a specific host, and triggering defense bypass.

[0148] In one embodiment, the generation module is further configured to include a balance factor in the path evaluation function to balance the target drive and the execution cost. The balance factor has a value range of greater than 0 and less than or equal to 1. The smaller the balance factor, the more likely the path selection will prioritize ensuring the matching degree between the atomic attack behavior and the attack target state. The larger the balance factor, the more likely the path selection will prioritize controlling the execution cost of the attack path.

[0149] In one embodiment, the judgment module is further configured to, before executing the atomic attack behavior nodes sequentially according to the optimal attack path, include: introducing a path perturbation mechanism, by using a preset path perturbation probability, randomly introducing candidate nodes in the behavior semantic mapping graph whose edge weights with the current atomic attack behavior meet a preset threshold and are not included in the optimal attack path at the connection decision point between each adjacent atomic attack behavior in the optimal attack path, to form a behavior branch, so as to simulate the nonlinear and nondeterministic behavior of the attacker.

[0150] In one embodiment, the comparison module is further configured to score all nodes in the behavior semantic map using a stage intent function, including: for the current atomic attack behavior corresponding to the current node in the behavior semantic map, counting the number of attack target states in the attack target state set corresponding to the current attack stage that the current atomic attack behavior satisfies, calculating the ratio between the number and the total number of attack target states in the attack target state set corresponding to the attack stage, and obtaining the ratio as the matching score of the current atomic attack behavior.

[0151] The modules in the aforementioned network attack simulation device can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in the processor of a computer device in hardware form or independent of it, or stored in the memory of the computer device in software form, so that the processor can call and execute the operations corresponding to each module.

[0152] In one exemplary embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as follows: Figure 5 As shown, the computer device includes a processor, memory, input / output interfaces, a communication interface, a display unit, and an input device. The processor, memory, and input / output interfaces are connected via a system bus, and the communication interface, display unit, and input device are also connected to the system bus via the input / output interfaces. The processor provides computational and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system and computer programs. The internal memory provides an environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The input / output interfaces are used for exchanging information between the processor and external devices. The communication interface is used for wired or wireless communication with external terminals; wireless communication can be achieved through Wi-Fi, mobile cellular networks, Near Field Communication (NFC), or other technologies. When the computer program is executed by the processor, it implements a network attack simulation method.

[0153] Those skilled in the art will understand that Figure 5The structure shown is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.

[0154] In one exemplary embodiment, a computer device is provided, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the following steps:

[0155] A set of atomic attack behaviors is defined, each of which is defined by a triple consisting of an attack action, affected resources, and execution environment conditions. A semantic mapping graph of behaviors is constructed using a graph structure, where nodes of the graph structure are atomic attack behaviors, edges are semantic dependencies and causal relationships between atomic attack behaviors, and edge weights are determined by semantic matching degree and execution cost function.

[0156] The attack process is divided into multiple attack stages, and a set of attack target states corresponding to each attack stage is defined. Each attack stage corresponds to a preset attack intent. Through the stage intent function, all nodes in the behavior semantic mapping graph are scored to represent the matching degree of the current atomic attack behavior to the attack target state set within the corresponding attack stage. A state transition condition function is set, and the score of the stage intent function is compared with the attack stage completion judgment threshold. The corresponding comparison result is used to indicate the attack stage jump.

[0157] Based on the current attack stage, the behavioral semantic map, and the stage intent function, an attack path is generated with the goal of maximizing the sum of the stage intent functions and satisfying the connectivity constraints of the behavioral semantic map. The optimal attack path is then selected through a path evaluation function, which is used to balance the goal-driven nature and execution cost of the attack path.

[0158] The target environment's state space is defined, and atomic attack behavior nodes are executed sequentially according to the optimal attack path. The environment state transition function controls the transition of the target environment from the current state to the state after the behavior execution. The behavior effect feedback evaluation function is called to determine whether the currently executed atomic attack behavior has achieved the expected semantic goal. If the evaluation result is not achieved, the path reconstruction mechanism is triggered. The optimal attack behavior sequence is regenerated from the current environment state as a new starting point, combined with the behavior semantic mapping graph and the stage intent function. The above process of attack path generation, behavior execution, feedback evaluation and path reconstruction is repeated until all attack stages are completed. The optimal attack paths of all attack stages are spliced ​​together to obtain the final simulation behavior chain, and the simulation log, behavior state transition graph, attack stage goal achievement degree and abnormal events are recorded.

[0159] In one embodiment, when the processor executes the computer program, it further performs the following steps: the atomic attack behavior includes scanning ports, extracting credentials, and establishing a C2 channel; wherein, the attack action in the triplet corresponding to scanning ports is to initiate a connection, the affected resource is the service port, and the execution environment condition is that the target is accessible; the attack action in the triplet corresponding to extracting credentials is to execute a command, the affected resource is the system storage resource corresponding to the target IP, and the execution environment condition is that read permission is available; the attack action in the triplet corresponding to establishing a C2 channel is to initiate a connection, the affected resources are the target IP and the control terminal IP, and the execution environment condition is that the target system has been initially controlled.

[0160] In one embodiment, when the processor executes the computer program, it also performs the following steps: the attack phase includes information gathering, initial intrusion, privilege escalation, lateral movement, and target destruction; the attack target states in the attack target state set corresponding to each attack phase include obtaining system credentials, controlling a specific host, and triggering defense bypass.

[0161] In one embodiment, when the processor executes the computer program, it further implements the following steps: the path evaluation function includes a balance factor for balancing target motive and execution cost, the balance factor being greater than 0 and less than or equal to 1; the smaller the balance factor, the more the path filtering prioritizes ensuring the matching degree between the atomic attack behavior and the attack target state; the larger the balance factor, the more the path filtering prioritizes controlling the execution cost of the attack path.

[0162] In one embodiment, when the processor executes the computer program, it further implements the following steps: before executing the atomic attack behavior nodes sequentially according to the optimal attack path, it further includes: introducing a path perturbation mechanism, and through a preset path perturbation probability, randomly introducing candidate nodes in the behavior semantic mapping graph whose edge weights with the current atomic attack behavior meet a preset threshold and are not included in the optimal attack path at the connection decision point between each adjacent atomic attack behavior in the optimal attack path, to form a behavior branch, so as to simulate the nonlinear and nondeterministic behavior of the attacker.

[0163] In one embodiment, when the processor executes the computer program, it further implements the following steps: scoring all nodes in the behavior semantic map through the stage intent function, including: for the current atomic attack behavior corresponding to the current node in the behavior semantic map, counting the number of attack target states in the attack target state set corresponding to the current attack stage that the current atomic attack behavior satisfies, calculating the ratio of the number to the total number of attack target states in the attack target state set corresponding to the attack stage, and obtaining the ratio as the matching degree score of the current atomic attack behavior.

[0164] The implementation principle and technical effects of the above embodiments are similar to those of the above method embodiments, and will not be repeated here.

[0165] In one embodiment, a computer-readable storage medium is provided having a computer program stored thereon, the computer program performing the following steps when executed by a processor:

[0166] A set of atomic attack behaviors is defined, each of which is defined by a triple consisting of an attack action, affected resources, and execution environment conditions. A semantic mapping graph of behaviors is constructed using a graph structure, where nodes of the graph structure are atomic attack behaviors, edges are semantic dependencies and causal relationships between atomic attack behaviors, and edge weights are determined by semantic matching degree and execution cost function.

[0167] The attack process is divided into multiple attack stages, and a set of attack target states corresponding to each attack stage is defined. Each attack stage corresponds to a preset attack intent. Through the stage intent function, all nodes in the behavior semantic mapping graph are scored to represent the matching degree of the current atomic attack behavior to the attack target state set within the corresponding attack stage. A state transition condition function is set, and the score of the stage intent function is compared with the attack stage completion judgment threshold. The corresponding comparison result is used to indicate the attack stage jump.

[0168] Based on the current attack stage, the behavioral semantic map, and the stage intent function, an attack path is generated with the goal of maximizing the sum of the stage intent functions and satisfying the connectivity constraints of the behavioral semantic map. The optimal attack path is then selected through a path evaluation function, which is used to balance the goal-driven nature and execution cost of the attack path.

[0169] The target environment's state space is defined, and atomic attack behavior nodes are executed sequentially according to the optimal attack path. The environment state transition function controls the transition of the target environment from the current state to the state after the behavior execution. The behavior effect feedback evaluation function is called to determine whether the currently executed atomic attack behavior has achieved the expected semantic goal. If the evaluation result is not achieved, the path reconstruction mechanism is triggered. The optimal attack behavior sequence is regenerated from the current environment state as a new starting point, combined with the behavior semantic mapping graph and the stage intent function. The above process of attack path generation, behavior execution, feedback evaluation and path reconstruction is repeated until all attack stages are completed. The optimal attack paths of all attack stages are spliced ​​together to obtain the final simulation behavior chain, and the simulation log, behavior state transition graph, attack stage goal achievement degree and abnormal events are recorded.

[0170] In one embodiment, when the computer program is executed by the processor, it further performs the following steps: the atomic attack behavior includes scanning ports, extracting credentials, and establishing a C2 channel; wherein, the attack action in the triple corresponding to scanning ports is to initiate a connection, the affected resource is the service port, and the execution environment condition is that the target is accessible; the attack action in the triple corresponding to extracting credentials is to execute a command, the affected resource is the system storage resource corresponding to the target IP, and the execution environment condition is that read permission is available; the attack action in the triple corresponding to establishing a C2 channel is to initiate a connection, the affected resources are the target IP and the control terminal IP, and the execution environment condition is that the target system has been initially controlled.

[0171] In one embodiment, when the computer program is executed by the processor, it also performs the following steps: the attack phase includes information gathering, initial intrusion, privilege escalation, lateral movement, and target destruction; the attack target states in the attack target state set corresponding to each attack phase include obtaining system credentials, controlling a specific host, and triggering defense bypass.

[0172] In one embodiment, when the computer program is executed by the processor, it further implements the following steps: the path evaluation function includes a balance factor for balancing target motive and execution cost, the balance factor being greater than 0 and less than or equal to 1; the smaller the balance factor, the more the path filtering prioritizes ensuring the matching degree between the atomic attack behavior and the attack target state; the larger the balance factor, the more the path filtering prioritizes controlling the execution cost of the attack path.

[0173] In one embodiment, when the computer program is executed by the processor, it further implements the following steps: before executing the atomic attack behavior nodes sequentially according to the optimal attack path, it further includes: introducing a path perturbation mechanism, and through a preset path perturbation probability, randomly introducing candidate nodes in the behavior semantic mapping graph whose edge weights with the current atomic attack behavior meet a preset threshold and are not included in the optimal attack path at the connection decision point between each adjacent atomic attack behavior in the optimal attack path, to form a behavior branch, so as to simulate the nonlinear and nondeterministic behavior of the attacker.

[0174] In one embodiment, when the computer program is executed by the processor, it further implements the following steps: scoring all nodes in the behavior semantic map through the stage intent function, including: for the current atomic attack behavior corresponding to the current node in the behavior semantic map, counting the number of attack target states in the attack target state set corresponding to the current attack stage that the current atomic attack behavior satisfies, calculating the ratio of the number to the total number of attack target states in the attack target state set corresponding to the attack stage, and obtaining the ratio as the matching degree score of the current atomic attack behavior.

[0175] The implementation principle and technical effects of the above embodiments are similar to those of the above method embodiments, and will not be repeated here.

[0176] In one embodiment, a computer program product is provided, including a computer program that, when executed by a processor, performs the following steps:

[0177] A set of atomic attack behaviors is defined, each of which is defined by a triple consisting of an attack action, affected resources, and execution environment conditions. A semantic mapping graph of behaviors is constructed using a graph structure, where nodes of the graph structure are atomic attack behaviors, edges are semantic dependencies and causal relationships between atomic attack behaviors, and edge weights are determined by semantic matching degree and execution cost function.

[0178] The attack process is divided into multiple attack stages, and a set of attack target states corresponding to each attack stage is defined. Each attack stage corresponds to a preset attack intent. Through the stage intent function, all nodes in the behavior semantic mapping graph are scored to represent the matching degree of the current atomic attack behavior to the attack target state set within the corresponding attack stage. A state transition condition function is set, and the score of the stage intent function is compared with the attack stage completion judgment threshold. The corresponding comparison result is used to indicate the attack stage jump.

[0179] Based on the current attack stage, the behavioral semantic map, and the stage intent function, an attack path is generated with the goal of maximizing the sum of the stage intent functions and satisfying the connectivity constraints of the behavioral semantic map. The optimal attack path is then selected through a path evaluation function, which is used to balance the goal-driven nature and execution cost of the attack path.

[0180] The target environment's state space is defined, and atomic attack behavior nodes are executed sequentially according to the optimal attack path. The environment state transition function controls the transition of the target environment from the current state to the state after the behavior execution. The behavior effect feedback evaluation function is called to determine whether the currently executed atomic attack behavior has achieved the expected semantic goal. If the evaluation result is not achieved, the path reconstruction mechanism is triggered. The optimal attack behavior sequence is regenerated from the current environment state as a new starting point, combined with the behavior semantic mapping graph and the stage intent function. The above process of attack path generation, behavior execution, feedback evaluation and path reconstruction is repeated until all attack stages are completed. The optimal attack paths of all attack stages are spliced ​​together to obtain the final simulation behavior chain, and the simulation log, behavior state transition graph, attack stage goal achievement degree and abnormal events are recorded.

[0181] In one embodiment, when the computer program is executed by the processor, it further performs the following steps: the atomic attack behavior includes scanning ports, extracting credentials, and establishing a C2 channel; wherein, the attack action in the triple corresponding to scanning ports is to initiate a connection, the affected resource is the service port, and the execution environment condition is that the target is accessible; the attack action in the triple corresponding to extracting credentials is to execute a command, the affected resource is the system storage resource corresponding to the target IP, and the execution environment condition is that read permission is available; the attack action in the triple corresponding to establishing a C2 channel is to initiate a connection, the affected resources are the target IP and the control terminal IP, and the execution environment condition is that the target system has been initially controlled.

[0182] In one embodiment, when the computer program is executed by the processor, it also performs the following steps: the attack phase includes information gathering, initial intrusion, privilege escalation, lateral movement, and target destruction; the attack target states in the attack target state set corresponding to each attack phase include obtaining system credentials, controlling a specific host, and triggering defense bypass.

[0183] In one embodiment, when the computer program is executed by the processor, it further implements the following steps: the path evaluation function includes a balance factor for balancing target motive and execution cost, the balance factor being greater than 0 and less than or equal to 1; the smaller the balance factor, the more the path filtering prioritizes ensuring the matching degree between the atomic attack behavior and the attack target state; the larger the balance factor, the more the path filtering prioritizes controlling the execution cost of the attack path.

[0184] In one embodiment, when the computer program is executed by the processor, it further implements the following steps: before executing the atomic attack behavior nodes sequentially according to the optimal attack path, it further includes: introducing a path perturbation mechanism, and through a preset path perturbation probability, randomly introducing candidate nodes in the behavior semantic mapping graph whose edge weights with the current atomic attack behavior meet a preset threshold and are not included in the optimal attack path at the connection decision point between each adjacent atomic attack behavior in the optimal attack path, to form a behavior branch, so as to simulate the nonlinear and nondeterministic behavior of the attacker.

[0185] In one embodiment, when the computer program is executed by the processor, it further implements the following steps: scoring all nodes in the behavior semantic map through the stage intent function, including: for the current atomic attack behavior corresponding to the current node in the behavior semantic map, counting the number of attack target states in the attack target state set corresponding to the current attack stage that the current atomic attack behavior satisfies, calculating the ratio of the number to the total number of attack target states in the attack target state set corresponding to the attack stage, and obtaining the ratio as the matching degree score of the current atomic attack behavior.

[0186] The implementation principle and technical effects of the above embodiments are similar to those of the above method embodiments, and will not be repeated here.

[0187] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties, and the collection, use and processing of the relevant data must comply with relevant regulations.

[0188] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile memory and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, etc. Volatile memory can include random access memory (RAM) or external cache memory, etc. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases involved in the embodiments provided in this application may include at least one type of relational database and non-relational database. Non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors involved in the embodiments provided in this application may be general-purpose processors, central processing units, graphics processing units, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, artificial intelligence (AI) processors, etc., and are not limited to these.

[0189] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this application.

[0190] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of this patent application. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this application should be determined by the appended claims.

Claims

1. A network attack simulation method, characterized in that, The method includes: A set of atomic attack behaviors is defined, each atomic attack behavior is defined by a triple consisting of an attack action, affected resources, and execution environment conditions; a behavior semantic mapping graph is constructed using a graph structure, where the nodes of the graph structure are the atomic attack behaviors, the edges are the semantic dependencies and causal relationships between atomic attack behaviors, and the edge weights are determined by the semantic matching degree and the execution cost function; The attack process is divided into multiple attack stages, and a set of attack target states corresponding to each attack stage is defined. Each attack stage corresponds to a preset attack intent. Through the stage intent function, all nodes in the behavior semantic mapping graph are scored to represent the matching degree of the attack target states within the set of attack target states corresponding to the current atomic attack behavior. A state transition condition function is set, and the score of the stage intent function is compared with the attack stage completion judgment threshold. The corresponding comparison result is used to indicate the attack stage jump. Based on the current attack phase, the behavioral semantic map, and the phase intent function, an attack path is generated with the goal of maximizing the sum of the phase intent functions and satisfying the connectivity constraints of the behavioral semantic map. The optimal attack path is then selected through a path evaluation function, which is used to balance the goal-driven nature and execution cost of the attack path. The target environment's state space is defined, and atomic attack behavior nodes are executed sequentially according to the optimal attack path. The environment state transition function controls the transition of the target environment from the current state to the state after the behavior execution. The behavior effect feedback evaluation function is called to determine whether the currently executed atomic attack behavior has achieved the expected semantic goal. If the evaluation result is not achieved, a path reconstruction mechanism is triggered. The optimal attack behavior sequence is regenerated using the current environment state as a new starting point, combined with the behavior semantic mapping graph and the stage intent function. The above process of attack path generation, behavior execution, feedback evaluation, and path reconstruction is repeated until all attack stages are completed. The optimal attack paths of all attack stages are spliced ​​together to obtain the final simulation behavior chain, and simulation logs, behavior state transition graphs, attack stage goal achievement degrees, and abnormal events are recorded.

2. The method according to claim 1, characterized in that, The atomic attack behaviors include scanning ports, extracting credentials, and establishing C2 channels; Among them, the attack action in the triplet corresponding to the scanned port is to initiate a connection, the affected resource is the service port, and the execution environment condition is that the target is accessible. The attack action in the triplet corresponding to the extracted credentials is to execute a command, the affected resource is the system storage resource corresponding to the target IP, and the execution environment condition is to have read permissions. The attack action in the triplet corresponding to the C2 channel is to initiate a connection, the affected resources are the target IP and the control IP, and the execution environment condition is that the target system has been initially controlled.

3. The method according to claim 1, characterized in that, The attack phases include information gathering, initial intrusion, privilege escalation, lateral movement, and target destruction; the attack target states in the attack target state set corresponding to each attack phase include obtaining system credentials, controlling a specific host, and triggering defense bypass.

4. The method according to claim 1, characterized in that, The path evaluation function includes a balance factor for balancing target motive and execution cost. The value of the balance factor is greater than 0 and less than or equal to 1. The smaller the balance factor, the more the path selection prioritizes ensuring the matching degree between atomic attack behavior and attack target state. The larger the balance factor, the more the path selection prioritizes controlling the execution cost of attack path.

5. The method according to claim 1, characterized in that, Before executing the atomic attack behavior nodes sequentially according to the optimal attack path, the method further includes: A path perturbation mechanism is introduced. By using a preset path perturbation probability, at the connection decision point between each adjacent atomic attack behavior in the optimal attack path, a candidate node whose edge weight between the current atomic attack behavior and the behavior semantic map satisfies a preset threshold and is not included in the optimal attack path is randomly introduced to form a behavior branch, so as to simulate the nonlinear and nondeterministic behavior of the attacker.

6. The method according to claim 1, characterized in that, The step of scoring all nodes in the behavioral semantic mapping graph using a stage intent function includes: For the current atomic attack behavior corresponding to the current node in the behavior semantic mapping graph, the number of attack target states in the attack target state set corresponding to the attack stage that the current atomic attack behavior satisfies is counted. The ratio of the number to the total number of attack target states in the attack target state set corresponding to the attack stage is calculated, and the ratio is the matching degree score of the current atomic attack behavior.

7. A network attack simulation device, characterized in that, The device includes: The module is used to define a set of atomic attack behaviors. Each atomic attack behavior is defined by a triple consisting of an attack action, affected resources, and execution environment conditions. A semantic mapping graph of behavior is constructed using a graph structure. The nodes of the graph structure are the atomic attack behaviors, and the edges are the semantic dependencies and causal relationships between atomic attack behaviors. The edge weights are determined by the semantic matching degree and the execution cost function. The comparison module is used to divide the attack process into multiple attack stages and define the attack target state set corresponding to each attack stage. Each attack stage corresponds to a preset attack intent. Through the stage intent function, all nodes in the behavior semantic mapping graph are scored to represent the matching degree of the attack target state within the attack target state set corresponding to the current atomic attack behavior. A state transition condition function is set, and the score of the stage intent function is used to compare with the attack stage completion judgment threshold. The corresponding comparison result is used to indicate the attack stage jump. The generation module is used to generate an attack path based on the current attack stage, the behavior semantic map, and the stage intent function, with the goal of maximizing the sum of the stage intent function and satisfying the connectivity constraints of the behavior semantic map; and to select the optimal attack path through a path evaluation function, which is used to balance the goal-driven nature and execution cost of the attack path. The judgment module is used to set the state space of the target environment, execute atomic attack behavior nodes sequentially according to the optimal attack path, and control the transition of the target environment from the current state to the state after the behavior execution through the environment state transition function; call the behavior effect feedback evaluation function to determine whether the currently executed atomic attack behavior has achieved the expected semantic goal; if the evaluation result is not achieved, the path reconstruction mechanism is triggered, and the optimal attack behavior sequence is regenerated with the current environment state as the new starting point, combined with the behavior semantic mapping graph and the stage intent function; repeat the above process of attack path generation, behavior execution, feedback evaluation and path reconstruction until all attack stages are completed, and the optimal attack paths of all attack stages are spliced ​​together to obtain the final simulation behavior chain, and the simulation log, behavior state transition graph, attack stage goal achievement degree and abnormal events are recorded.

8. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 6.

9. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 6.

10. A computer program product, comprising a computer program, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 6.