The Method Of Network Penetration Testing Based On Flaw Hyothesis And Colored Petri Net

Penetration testing is security practice that with the help of the trusted organization to detect and develop the vulnerabilities in the information systems. Penetration test has been developed from different stages of system development to production application testing system for network security testing. At the same time, there is a wide range of tools can be used in penetration testing and their performance varied. And for the complex attack scenarios, the manual testing is not only error-prone but also consume too many resources. Therefore, there is need of a scientific and rational way to regulate the penetration testing process.Flaw hypothesis is a systematic and detailed penetration testing method. And the colored Petri nets is a standard method of graphic design, specification, simulation and verification attack system. With a depth research of the common system model, flaw hypothesis and colored Petri nets, this thesis propose a method of modeling based on flaw hypothesis and colored Petri nets. The depth study on the common system will help penetration tester to establish some attack modeling which is hard to be assumed. This penetration test model can also build a customer scene graph before the attack, which is good for the designers to design and draw the hypothesis in a real system attack.This innovative approach will combine the flaw hypothesis with the colored Petri nets, and use the colored Petri nets to describe and analyze the case. Meanwhile, in order to verify the correctness and effectiveness of the modeling method, the paper also propose a SQL injection penetration testing program, which is the use of colored Petri nets modeling and methods of using flawed assumptions as penetration testing methods. The validation test is under the controlled environments of MWare workstataion, using the CPN tool to design and simulate the input validation vulnerabilities model, and using Nessus, SARA and SALNT tools to scan vulnerabilities, and comparative analysis of experimental results. Experiments show that the use of colored Petri nets can efficiently and accurately describe the model, local analysis, and automated process of the penetration attack based on flaw hypothesis.