
The Research On Automated Penetration Testing Technology Merged Petri Net

Posted on: 2016-05-29
Degree: Master
Type: Thesis
Country: China
Candidate: C Zhang
GTID: 2298330452964866
Subject: Information and Communication Engineering
Abstract/Summary:
Penetration testing simulates the attacks of a malicious attacker. With the authorization of administrators, penetration testers attack the target and acquire control of it. Finally, the tester submits the penetration report to the customer. Penetration testing has become an important research branch of information security. Because of its complexity, large volume of data and difficulty, penetration testing needs efficient models for guidance as well as a reliable and extensible penetration testing system for penetration testers to use.

In terms of penetration testing modeling, existing modeling methods are too abstract to be used directly in penetration testing, and some dynamic parameters of an attack are not easy to describe. This paper puts forward a penetration testing attack model based on the time Petri net. The model is built as follows. First, researchers use the list of known vulnerabilities to build single exploiting models. Second, by integrating these single models, researchers form a penetration testing model. Researchers then obtain the attack scenarios and the shortest time spent on a penetration attack. The penetration testing model provides a quick and stable exploiting scheme selection algorithm. We use this model to simulate a penetration test and compare it with other penetration testing models. The experimental results show that the proposed model and algorithm are able to describe the penetration time and the exploiting stability. This model has important theoretical significance.

In terms of penetration testing framework, existing penetration testing systems are not combined with an efficient penetration testing model. They have difficulty describing the attack process, and they perform poorly on automation and extensibility. We build an automated penetration testing framework that incorporates the time Petri net. The principle of the framework is as follows. First, researchers use the framework to make the exploiting targets clear. Second, the framework runs a network scan against the targets. Third, according to the results of the scan, the framework generates the penetration testing model based on the time Petri net. Fourth, the framework matches the vulnerabilities with the exploiting code, and uses the previously generated model to guide the exploiting code attack. Finally, the framework produces the penetration testing report, which shows the detailed attack process. All of the above steps are carried out automatically. Based on the framework, we implement the BFS automated penetration testing system. We use this system to perform a reliability test. The experimental results show that the system performs well in automation, reliability and scalability. It can describe the attack process. The penetration testing framework has practical value and can be applied to penetration testing directly.
Keywords/Search Tags: penetration test, time Petri net, attack model, automatic, penetration testing system