
CN118890197A - A red team attack simulation software obfuscation method and system based on dynamic encryption and decryption (Google Patents)

Info

Publication number: CN118890197A
Authority: CN (China)
Application number: CN202411091130.0A
Other languages: Chinese (zh)
Other versions: CN118890197B (en)
Inventor: 李治汐
Current assignee: Liquan Technology Chengdu Co ltd
Original assignee: Liquan Technology Chengdu Co ltd
Application filed by: Liquan Technology Chengdu Co ltd
Priority to: CN202411091130.0A
Legal status: Granted (active)
Prior art keywords: attack, simulated, simulation, event, behavior

Classifications

    • G PHYSICS
        • G06 COMPUTING OR CALCULATING; COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
                        • G06F21/12 Protecting executable software
                            • G06F21/14 Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
                    • G06F21/60 Protecting data
                        • G06F21/602 Providing cryptographic facilities or services
    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
                    • H04L41/14 Network analysis or design
                        • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
                • H04L43/00 Arrangements for monitoring or testing data switching networks
                    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1425 Traffic logging, e.g. anomaly detection
                        • H04L63/1433 Vulnerability analysis


Abstract

The invention discloses a red team attack simulation software obfuscation method and system based on dynamic encryption and decryption, belonging to the technical field of data analysis. The method aims to improve the analysis efficiency and evaluation value of a red team attack simulation task through fine-grained analysis and obfuscation operations. Specifically, the method integrates the various key information of the red team simulation task to be obfuscated, uses advanced data processing techniques to locate frequent-item attack events, then performs cycle decomposition and behavior detection on the simulation task, and finally generates an obfuscated output report by means of a dynamic encryption and decryption obfuscation technique. The depth and breadth of simulated attack analysis are thereby improved, and the security team is given an entirely new, disordered perspective from which to examine and evaluate the simulated attack process, so that potential security vulnerabilities and attack paths are discovered effectively.

Description

A red team attack simulation software obfuscation method and system based on dynamic encryption and decryption

Technical Field

The present invention belongs to the technical field of data analysis, and in particular relates to a red team attack simulation software obfuscation method and system based on dynamic encryption and decryption.

Background Art

In the field of network security, red team attack simulation tasks are an important means of security assessment: they test a system's security defense capabilities by simulating real-world attack scenarios. However, traditional simulated-attack analysis methods often focus on simple recording and playback of the attack process and lack the capacity for in-depth analysis and obfuscation assessment. This makes it difficult for security teams to extract valuable vulnerability information and attack paths from simulated attacks, which in turn weakens the targeting and effectiveness of security defense strategies.

Summary of the Invention

The present invention provides a red team attack simulation software obfuscation method and system based on dynamic encryption and decryption, which can solve or partially solve the technical problems described in the background art above.

An embodiment of the present invention provides a red team attack simulation software obfuscation method based on dynamic encryption and decryption, applied to a simulation software obfuscation system. The method comprises: obtaining the vulnerability attack penetration information corresponding to each simulated attack event of the red team attack simulation task to be obfuscated, the attack event behavior log of the simulated attack events, and the simulation scenario sequence corresponding to the red team attack simulation task to be obfuscated, wherein the simulation scenario sequence comprises the attack scenario description text corresponding to each simulated attack event; locating the frequent-item attack events of the red team attack simulation task to be obfuscated based on the attack event behavior log and the vulnerability attack penetration information, to obtain the frequent-item simulated attack events among the simulated attack events; decomposing the red team attack simulation task to be obfuscated into simulated attack cycles according to the frequent-item simulated attack events, to obtain a plurality of simulated attack cycles; performing behavior detection on each of the plurality of simulated attack cycles, to obtain the target simulated attack event of each simulated attack cycle; and, according to the target simulated attack events and the target attack scenario description texts corresponding to those target simulated attack events in the simulation scenario sequence, performing dynamic encryption and decryption obfuscation on each of the plurality of simulated attack cycles, to obtain an obfuscated output report between the red team attack simulation task to be obfuscated and the simulation scenario sequence, wherein the obfuscated output report is used to indicate the disordered evaluation viewpoints between each simulated attack event of the red team attack simulation task to be obfuscated and each attack scenario description text in the simulation scenario sequence.

An embodiment of the present invention provides a simulation software obfuscation system comprising at least one processor and a memory; the memory stores computer-executable instructions, and the at least one processor executes the computer-executable instructions stored in the memory so that the at least one processor performs the above method.

An embodiment of the present invention provides a readable storage medium on which a program or instructions are stored; when the program or instructions are executed by a processor, the steps of the above method are implemented.

The embodiment of the present invention aims to improve the analysis efficiency and evaluation value of the red team attack simulation task through fine-grained analysis and obfuscation operations. Specifically, the various key information of the red team attack simulation task to be obfuscated is integrated, advanced data processing techniques are used to locate frequent-item attack events, the simulated attack task is then decomposed into cycles and subjected to behavior detection, and finally an obfuscated output report is generated by means of a dynamic encryption and decryption obfuscation technique. In this way, not only are the depth and breadth of simulated attack analysis improved, but the security team is also given an entirely new, disordered perspective from which to review and evaluate the simulated attack process, thereby effectively discovering potential security vulnerabilities and attack paths.

Brief Description of the Drawings

FIG. 1 is a flow chart of a red team attack simulation software obfuscation method based on dynamic encryption and decryption provided by an embodiment of the present invention.

FIG. 2 is a schematic structural diagram of a simulation software obfuscation system provided by an embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

The terms "first", "second" and the like in the present invention are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments of the present invention can be implemented in an order other than those illustrated or described herein; and the objects distinguished by "first", "second" and the like are generally of one kind, with no limit on their number, so that, for example, the first object may be one or several. In addition, "and/or" in the present invention means at least one of the connected objects, and the character "/" generally indicates an "or" relationship between the objects before and after it.

FIG. 1 shows a red team attack simulation software obfuscation method based on dynamic encryption and decryption, applied to a simulation software obfuscation system. The method includes the following steps 110 to 150.

Step 110: obtain the vulnerability attack penetration information corresponding to each simulated attack event of the red team attack simulation task to be obfuscated, the attack event behavior log of the simulated attack events, and the simulation scenario sequence corresponding to the red team attack simulation task to be obfuscated, wherein the simulation scenario sequence includes the attack scenario description text corresponding to each simulated attack event.

Step 120: locate the frequent-item attack events of the red team attack simulation task to be obfuscated based on the attack event behavior log and the vulnerability attack penetration information, to obtain the frequent-item simulated attack events among the simulated attack events.

Step 130: decompose the red team attack simulation task to be obfuscated into simulated attack cycles according to the frequent-item simulated attack events, to obtain a plurality of simulated attack cycles.

Step 140: perform behavior detection on each of the plurality of simulated attack cycles, to obtain the target simulated attack event of each simulated attack cycle.

Step 150: according to the target simulated attack events and the target attack scenario description texts corresponding to those target simulated attack events in the simulation scenario sequence, perform dynamic encryption and decryption obfuscation on each of the plurality of simulated attack cycles, to obtain an obfuscated output report between the red team attack simulation task to be obfuscated and the simulation scenario sequence, wherein the obfuscated output report is used to indicate the disordered evaluation viewpoints between each simulated attack event of the red team attack simulation task to be obfuscated and each attack scenario description text in the simulation scenario sequence.

In red team attack simulation tasks, obfuscation is a crucial strategy: it aims to simulate real-world attack scenarios while helping security teams identify and fix potential security vulnerabilities. The key terms and concepts involved in steps 110 to 150 above are explained in detail below, with corresponding examples.

First, step 110 requires obtaining the vulnerability attack penetration information corresponding to each simulated attack event of the red team attack simulation task to be obfuscated, the attack event behavior log of the simulated attack events, and the simulation scenario sequence corresponding to the red team attack simulation task to be obfuscated. In the embodiment of the present invention, the simulation scenario sequence includes the attack scenario description text corresponding to each simulated attack event.

(1) The red team attack simulation task to be obfuscated is a task designed to test the security defense capabilities of a target system by simulating the behavior of an attacker. For example, a red team attack simulation task may include attempting to exploit known vulnerabilities in the target system to gain unauthorized access.

(2) A simulated attack event is a specific action or event within the simulated attack process, such as an attempt to exploit a particular vulnerability.

(3) Vulnerability attack penetration information is information about how a specific vulnerability is exploited in an attack, including the type of vulnerability, the exploitation method, the required attack payload, and so on.

(4) The attack event behavior log is a detailed log recording the behavior of the simulated attack events, including the time, method and result of each attack.

(5) The simulation scenario sequence is an ordered list of simulated attack scenarios, each of which describes a specific attack environment and its conditions.

(6) The attack scenario description text is a detailed description of a simulated attack scenario, including the target, method and expected result of the attack.

Next, step 120 locates the frequent-item attack events of the red team attack simulation task to be obfuscated based on the attack event behavior log and the vulnerability attack penetration information. The purpose of this step is to find the attack events that occur frequently during the simulated attack process.

(1) Frequent-item attack events are attack events that occur frequently during the simulated attack process and may pose a significant threat to the security of the target system. By locating these frequent items, the security team can concentrate on and strengthen the defenses in those areas.

Then, step 130 decomposes the red team attack simulation task to be obfuscated into simulated attack cycles according to the frequent-item simulated attack events, obtaining a plurality of simulated attack cycles.

(1) A simulated attack cycle is a period within the simulated attack process that contains the series of actions from the start of an attack to the achievement of a specific goal. By breaking the simulation down into attack cycles, the attack process can be analyzed in finer detail and potential security vulnerabilities identified.

In step 140, behavior detection is performed on the plurality of simulated attack cycles to determine the target simulated attack event of each cycle.

(1) Target simulated attack events are the attack events identified as key or important within a simulated attack cycle; they may have a serious impact on the security of the target system. By identifying these target events, the security team can prioritize and fix the related security vulnerabilities.

Finally, step 150 requires that dynamic encryption and decryption obfuscation be performed on each of the plurality of simulated attack cycles according to the target simulated attack events and the target attack scenario description texts corresponding to them in the simulation scenario sequence. The purpose of this step is to generate an obfuscated output report indicating the disordered evaluation viewpoints between each simulated attack event of the red team attack simulation task to be obfuscated and each attack scenario description text in the simulation scenario sequence.

(1) Dynamic encryption and decryption obfuscation is an obfuscation technique that confuses the characteristics of malware by dynamically encrypting and decrypting data during the simulated attack. This technique can make the malware difficult for security detection tools to identify and analyze.

(2) The obfuscated output report is a detailed report on the obfuscation results; it indicates the disordered evaluation viewpoints between the simulated attack events and the attack scenario description texts. This report can help the security team evaluate the effectiveness of the obfuscation technique and identify the security vulnerabilities that still need attention.

(3) Disordered evaluation viewpoints are the evaluation viewpoints in the obfuscated output report concerning the relationship between the simulated attack events and the attack scenario description texts. Because obfuscation has been applied, these viewpoints may be disordered or inconsistent, which increases the possibility of the malware bypassing security detection.

In an exemplary application scenario, a red team attack simulation task is intended to test the security defense capabilities of a web application. In step 110, the attacker (the simulation software obfuscation system in the embodiment of the present invention) collects vulnerability information about the web application, attack event behavior logs, and the simulation scenario sequence. Then, in step 120, the attacker analyzes these logs and information to determine the attack events that occur frequently during the simulated attack process, such as SQL injection or cross-site scripting. Next, in step 130, the attacker decomposes the simulated attack process into multiple attack cycles based on these frequent-item attack events, each cycle aimed at a specific attack target. Then, in step 140, the attacker performs behavior detection on each attack cycle to determine which attack events are key or important. Finally, in step 150, the attacker uses dynamic encryption and decryption obfuscation to obfuscate these key attack events and the simulation scenario description texts. The obfuscated output report indicates which attack events and scenario description texts were successfully obfuscated and which may still be recognized by security detection tools. This report helps the security team evaluate the security defense capabilities of the web application and identify the security vulnerabilities that need further strengthening.

在上述内容的基础上,本发明实施例再通过一个应用场景来介绍步骤110-步骤150所记载的技术方案。On the basis of the above contents, the embodiment of the present invention further introduces the technical solution recorded in step 110 to step 150 through an application scenario.

在步骤110中,模拟软件混淆系统首先获取待混淆红队攻击模拟任务的各项模拟攻击事件对应的漏洞攻击渗透信息、模拟攻击事件的攻击事件行为日志,以及待混淆红队攻击模拟任务对应的模拟场景序列。这里的模拟场景序列包括各模拟攻击事件对应的攻击场景描述文本。以一个针对某银行系统的红队攻击模拟任务为例,模拟软件混淆系统会收集关于该银行系统的已知漏洞信息,如SQL注入、跨站脚本(XSS)等。同时,系统会获取模拟攻击过程中产生的行为日志,这些日志详细记录了每次模拟攻击的时间、方式、结果等信息。此外,模拟软件混淆系统还会获取模拟场景序列,它描述了模拟攻击过程中的一系列场景,包括攻击者的初始访问、利用漏洞进行渗透、提升权限、窃取数据等。In step 110, the simulation software obfuscation system first obtains vulnerability attack penetration information corresponding to each simulated attack event of the red team attack simulation task to be obfuscated, the attack event behavior log of the simulated attack event, and the simulation scenario sequence corresponding to the red team attack simulation task to be obfuscated. The simulation scenario sequence here includes the attack scenario description text corresponding to each simulated attack event. Taking a red team attack simulation task for a bank system as an example, the simulation software obfuscation system will collect known vulnerability information about the bank system, such as SQL injection, cross-site scripting (XSS), etc. At the same time, the system will obtain the behavior logs generated during the simulated attack process, which record in detail the time, method, result, etc. of each simulated attack. In addition, the simulation software obfuscation system will also obtain the simulation scenario sequence, which describes a series of scenarios in the simulated attack process, including the attacker's initial access, exploitation of vulnerabilities for penetration, escalation of permissions, theft of data, etc.

接下来在步骤120中,模拟软件混淆系统会基于攻击事件行为日志和漏洞攻击渗透信息进行待混淆红队攻击模拟任务的频繁项攻击事件定位。该步的目的是找出在模拟攻击过程中频繁出现的攻击事件,这些事件可能对银行系统的安全构成重大威胁。通过深入分析攻击事件行为日志和漏洞攻击渗透信息,模拟软件混淆系统发现SQL注入和跨站脚本攻击是模拟攻击过程中频繁出现的攻击事件。这两种攻击方式被攻击者多次利用,成功渗透了银行系统的多个关键组件。Next, in step 120, the simulation software obfuscation system locates the frequent attack events of the red team attack simulation task to be obfuscated based on the attack event behavior log and vulnerability attack penetration information. The purpose of this step is to find out the attack events that frequently occur during the simulated attack process, which may pose a major threat to the security of the bank system. Through in-depth analysis of the attack event behavior log and vulnerability attack penetration information, the simulation software obfuscation system found that SQL injection and cross-site scripting attacks are frequent attack events during the simulated attack process. These two attack methods have been used many times by attackers and successfully penetrated multiple key components of the bank system.

随后在步骤130中,模拟软件混淆系统会依据频繁项模拟攻击事件对待混淆红队攻击模拟任务进行模拟攻击周期拆解,得到多个模拟攻击周期。每个模拟攻击周期都包含了从开始攻击到达到特定目标的一系列行动。在该例子中,模拟软件混淆系统将模拟攻击过程拆解成了多个周期,每个周期都针对特定的攻击目标。例如,第一个周期是攻击者利用SQL注入漏洞获取敏感数据,第二个周期是利用跨站脚本攻击窃取用户会话等。通过拆解模拟攻击周期,系统可以更细致地分析攻击过程,并识别出潜在的安全漏洞。Then in step 130, the simulation software obfuscation system will decompose the simulated attack cycle of the red team attack simulation task to be obfuscated based on the frequent simulated attack events to obtain multiple simulated attack cycles. Each simulated attack cycle includes a series of actions from starting the attack to achieving a specific goal. In this example, the simulation software obfuscation system decomposes the simulated attack process into multiple cycles, each of which targets a specific attack target. For example, in the first cycle, the attacker exploits a SQL injection vulnerability to obtain sensitive data, and in the second cycle, the attacker exploits a cross-site scripting attack to steal user sessions, etc. By disassembling the simulated attack cycle, the system can analyze the attack process in more detail and identify potential security vulnerabilities.

在步骤140中,在拆解了模拟攻击周期后,模拟软件混淆系统会对多个模拟攻击周期进行行为检测,以确定每个周期中的目标模拟攻击事件。这些目标事件可能对银行系统的安全造成严重影响,因此是安全团队需要重点关注的对象。通过行为检测,模拟软件混淆系统发现每个模拟攻击周期中都存在几个关键的攻击事件。例如,在第一个周期中,利用SQL注入漏洞获取敏感数据的攻击事件被确定为关键事件;在第二个周期中,利用跨站脚本攻击窃取用户会话的攻击事件被确定为关键事件。这些关键事件是攻击者实现其攻击目标的关键步骤,也是银行系统安全防御的薄弱环节。In step 140, after disassembling the simulated attack cycle, the simulated software obfuscation system performs behavioral detection on multiple simulated attack cycles to determine the target simulated attack events in each cycle. These target events may have a serious impact on the security of the bank system, so they are the focus of the security team. Through behavioral detection, the simulated software obfuscation system found that there are several key attack events in each simulated attack cycle. For example, in the first cycle, the attack event that exploited the SQL injection vulnerability to obtain sensitive data was identified as a key event; in the second cycle, the attack event that exploited the cross-site scripting attack to steal user sessions was identified as a key event. These key events are key steps for attackers to achieve their attack goals and are also weak links in the security defense of the bank system.

Finally, in step 150, the simulation software obfuscation system performs dynamic encryption and decryption obfuscation on each of the multiple simulated attack cycles, according to the target simulated attack event and the target attack scenario description text that corresponds to it in the simulated scenario sequence. The purpose of this step is to generate an obfuscation output report, which indicates the disorder evaluation viewpoint between each simulated attack event of the red team attack simulation task to be obfuscated and each attack scenario description text in the simulated scenario sequence. In this example, the system applies dynamic encryption and decryption obfuscation to the key attack event of each simulated attack cycle and to its corresponding attack scenario description text. During obfuscation the system dynamically encrypts and decrypts the data so as to mask the characteristic signatures of the malware used in the simulation. Such obfuscation makes the tooling harder for security detection tools to recognize and analyze, which raises the probability that the simulated attacker bypasses the banking system's defenses. Once obfuscation is complete, the system generates a detailed obfuscation output report. The report indicates which simulated attack events and scenario description texts were successfully obfuscated and which may still be recognizable by detection tools. For example, the report may show that the SQL injection attack event is hard for detection tools to recognize after obfuscation, while certain characteristics of the cross-site scripting attack event may still be detected. The report is highly valuable to the banking system's security team: it helps the team assess its current defensive capability and identify the security weaknesses that need further hardening.

In this way, by executing steps 110 through 150, the simulation software obfuscation system simulates the red team attack process and obfuscates the simulated attack events. The process not only helps the security team identify potential security vulnerabilities but also yields concrete recommendations on how to strengthen defenses. By repeating such simulation and obfuscation exercises, the banking system's security team can steadily improve its ability to respond to real-world attacks and keep the system running securely and stably.

It is worth noting that steps 120 to 140 constitute one of the core inventive points of this embodiment. They are intended to analyze and process the red team attack simulation task in depth through a series of refined operations, so that potential security vulnerabilities can be identified and exploited more effectively.

First, in step 120, the simulation software obfuscation system locates the frequent-item attack events of the red team attack simulation task to be obfuscated, based on the attack event behavior log and the vulnerability exploitation penetration information. The core goal of this step is to find the attack events that recur during the simulated attack, since these often pose the greatest threat to the target system. To do so, the system analyzes the attack event behavior log in depth, identifying which attack events were used repeatedly during the simulation together with key details such as the attack method, attack time and attack result of each. It also combines this with the vulnerability exploitation penetration information to determine which vulnerabilities these recurring events exploit, how they are exploited, and how difficult the exploitation is. The result of this step is the set of frequent-item simulated attack events among all simulated attack events; these are the focus of the subsequent analysis and processing.

Second, in step 130, the simulation software obfuscation system decomposes the red team attack simulation task to be obfuscated into simulated attack cycles according to the frequent-item simulated attack events. The aim is to split the simulated attack process into multiple simulated attack cycles, each covering the sequence of actions from the start of an attack to the achievement of a specific objective. To do this, the system first segments the simulated attack process at the frequent-item simulated attack events, so that each segment corresponds to a specific attack objective or attack stage. It then analyzes each segment further and decomposes it into smaller attack cycles. Each simulated attack cycle contains all the actions the attacker took in that stage and the effects of those actions on the target system. This decomposition gives the system a finer-grained understanding of the simulated attack process and lets it identify potential vulnerabilities and attack paths.

Then, in step 140, the simulation software obfuscation system performs behavior detection on the multiple simulated attack cycles to determine the target simulated attack event of each cycle. The core goal is to find, in each cycle, the key attack event that seriously affects the target system's security. To do this, the system carries out a detailed behavioral analysis of each simulated attack cycle, identifying all the actions the attacker took in that stage and their effect on the target system. It also combines the vulnerability exploitation penetration information and the results of the frequent-item analysis to judge whether those actions exploited known vulnerabilities, by what method and with what difficulty. The result of this step is the target simulated attack event of each simulated attack cycle; these events are the focus of subsequent defense and remediation.
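The following is an added illustrative model of steps 120 to 140, not code from the patent or its applicant. The patent does not specify the log format, the support threshold that makes an event a "frequent item", how cycles are cut, or how a target event is scored; the constructed log, the threshold of three occurrences, cutting a new cycle at each frequent-item event, and the impact score (severity weighted by ease of exploitation, zero for failed steps) are all assumptions made for this example.

```python
"""Illustrative model of steps 120-140 (frequent-item location, cycle
decomposition, per-cycle target event selection) over a constructed
attack event behaviour log. The scoring rule, the support threshold and
the log format are assumptions for this example; the patent fixes none."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackEvent:
    ts: int          # seconds since the start of the simulation
    name: str        # e.g. "sqli_dump"
    target: str      # host or service attacked
    success: bool    # outcome recorded in the behaviour log


# Constructed behaviour log for one simulated run against a bank web tier.
BEHAVIOR_LOG = [
    AttackEvent(0,   "recon_scan",    "web-01", True),
    AttackEvent(40,  "sqli_probe",    "web-01", True),
    AttackEvent(95,  "sqli_dump",     "db-01",  True),
    AttackEvent(130, "recon_scan",    "web-02", True),
    AttackEvent(160, "xss_inject",    "web-02", True),
    AttackEvent(200, "session_steal", "web-02", True),
    AttackEvent(260, "recon_scan",    "api-01", True),
    AttackEvent(300, "sqli_probe",    "api-01", False),
    AttackEvent(330, "brute_force",   "api-01", False),
]

# Constructed vulnerability exploitation penetration information: the
# weakness each event exploits, its severity and exploitation difficulty (0..1).
VULN_INFO = {
    "sqli_probe":    {"vuln": "CWE-89",  "severity": 0.6, "difficulty": 0.2},
    "sqli_dump":     {"vuln": "CWE-89",  "severity": 0.9, "difficulty": 0.3},
    "xss_inject":    {"vuln": "CWE-79",  "severity": 0.5, "difficulty": 0.2},
    "session_steal": {"vuln": "CWE-384", "severity": 0.8, "difficulty": 0.4},
    "brute_force":   {"vuln": "CWE-307", "severity": 0.4, "difficulty": 0.5},
}


def frequent_events(log, min_support=3):
    """Step 120: names of events that occur at least min_support times."""
    counts = Counter(e.name for e in log)
    return {name for name, n in counts.items() if n >= min_support}


def split_cycles(log, frequent):
    """Step 130: start a new cycle at every occurrence of a frequent-item event."""
    cycles, current = [], []
    for event in sorted(log, key=lambda e: e.ts):
        if event.name in frequent and current:
            cycles.append(current)
            current = []
        current.append(event)
    if current:
        cycles.append(current)
    return cycles


def impact(event):
    """Assumed score: a successful, severe, easily exploited step ranks highest."""
    info = VULN_INFO.get(event.name)
    if info is None or not event.success:
        return 0.0
    return info["severity"] * (1.0 - info["difficulty"])


def target_event(cycle):
    """Step 140: the highest-impact event of the cycle, or None if nothing landed."""
    best = max(cycle, key=impact)
    return best if impact(best) > 0 else None


def analyse(log, min_support=3):
    """Run steps 120-140; return (cycle_start, cycle_end, target_event_name) per cycle."""
    result = []
    for cycle in split_cycles(log, frequent_events(log, min_support)):
        tgt = target_event(cycle)
        result.append((cycle[0].ts, cycle[-1].ts, tgt.name if tgt else None))
    return result


if __name__ == "__main__":
    for start, end, tgt in analyse(BEHAVIOR_LOG):
        print(f"cycle {start:>4}-{end:<4} target event: {tgt}")
```

With the constructed log the script reproduces the example in the description: the SQL injection dump is the target event of the first cycle, session theft that of the second, and the third cycle, in which nothing succeeded, has no target event and would not be passed on to step 150.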

Steps 120 to 140 are thus intended to identify and exploit the potential security vulnerabilities in the red team attack simulation task more effectively through refined analysis and processing. The scheme not only gives the security team a more complete view of the simulated attack process but also yields recommendations on strengthening defenses and remediating vulnerabilities. By repeating such simulation and analysis exercises, the security team can steadily improve its ability to respond to real-world attacks and keep the system running securely and stably. In a concrete implementation, the simulation software obfuscation system makes full use of its data processing and analysis capacity to analyze large volumes of attack event behavior logs and vulnerability exploitation penetration information. The system uses data mining and machine learning algorithms to automatically identify the frequent-item simulated attack events and the simulated attack cycles, and to locate the target simulated attack event in each cycle. It also generates detailed reports and visual charts that help the security team understand the simulated attack process and the potential vulnerabilities more intuitively. In addition, the system is highly flexible and extensible. It can customize how attack event behavior logs and vulnerability exploitation penetration information are collected and processed according to the simulated attack scenario and the characteristics of the target system, and it can be integrated with other security tools and platforms for more comprehensive analysis and defense.

In other words, the technical scheme of steps 120 to 140 helps the security team identify and exploit the potential vulnerabilities in the red team attack simulation task more effectively through refined analysis and processing. It thereby offers accuracy and reliability, substantial data processing and analysis capacity, and a high degree of flexibility and extensibility. By repeating such simulation and analysis exercises, the security team can steadily improve its ability to respond to real-world attacks and keep the system running securely and stably.

Further, step 150 aims to process the multiple simulated attack cycles in depth by means of dynamic encryption and decryption obfuscation, and then to generate the obfuscation output report between the red team attack simulation task to be obfuscated and the simulated scenario sequence. The core value of this report is that it reveals the disorder evaluation viewpoint between each simulated attack event of the task and each attack scenario description text in the simulated scenario sequence, giving the security team a new, obfuscated perspective from which to review and evaluate the simulated attack process and so discover potential vulnerabilities and attack paths.

First, step 150 depends on the outputs of the preceding steps, namely the simulated attack cycles produced in step 130 and the target simulated attack events determined in step 140. These results are the inputs to this step and provide the base data for the dynamic encryption and decryption obfuscation. Step 150 also uses the target attack scenario description text that corresponds to the target simulated attack event in the simulated scenario sequence; these texts describe the specifics and background of each attack scenario in the simulation and are an important basis for the obfuscation.

Second, the core operation of step 150 is dynamic encryption and decryption obfuscation. Its goal is to break the original associations and regularities between the simulated attack cycles and the target attack scenario description texts by encrypting and then decrypting them, thereby producing a new, disordered simulated attack process. Specifically, the system uses an encryption algorithm and a key management mechanism to encrypt each simulated attack cycle and each target attack scenario description text into a series of seemingly unrelated ciphertexts. It then decrypts those ciphertexts, but the decryption is not a plain inverse of the encryption: it deliberately introduces randomness and uncertainty so that the recovered data differs from, and disorders, the original. Note that a standard cipher's decryption is deterministic, and an authenticated mode cannot alter the plaintext without failing; what is described here is therefore a keyed, randomized transformation in which the cipher supplies the unpredictability, rather than decryption in the strict cryptographic sense.

During dynamic encryption and decryption obfuscation, the system takes full account of the characteristics and regularities of the simulated attack cycles and the target attack scenario description texts so that the obfuscation remains effective and credible. For example, it preserves the key time points and the order of attack events within a simulated attack cycle so that the obfuscated process retains a degree of logic and coherence. It likewise preserves and transforms the key information in the target attack scenario description text so that the obfuscated text still reflects the main content and intent of the original.

Step 150 then generates the obfuscation output report between the red team attack simulation task to be obfuscated and the simulated scenario sequence. The report is the final output of step 150. It records in detail the process and results of the obfuscation, the differences between the obfuscated and the original simulated attack process, and the disorder evaluation viewpoint. Specifically, the obfuscation output report contains the following:

1. The process and method of obfuscation: the report describes the concrete steps and methods of the dynamic encryption and decryption obfuscation, including the choice of encryption algorithm, the design of the key management mechanism, and the implementation of the encryption and decryption processes. This lets the security team understand the principles and details of the obfuscation and interpret and evaluate its results correctly;

2. The obfuscated simulated attack process: the report presents the simulated attack process after obfuscation, including the time points of each simulated attack cycle, the order of attack events, and the attack means and methods. This lets the security team review and evaluate the simulated attack process from the obfuscated perspective and discover potential vulnerabilities and attack paths;

3. The disorder evaluation viewpoint: the report analyzes the differences and the degree of disorder between the obfuscated and the original simulated attack process and gives the corresponding evaluation. This lets the security team understand how far the obfuscation has changed the simulated attack process, so that the result can be evaluated and used appropriately.
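An added example, not the patent's own code, of what step 150's keyed, randomized transformation and the report items above can look like in practice. The patent names neither the cipher nor the key management, so this block uses HMAC-SHA256 over a fresh per-run key as the keyed pseudorandom function; the anchor set, the host-identifier pattern, the normalized Kendall tau disorder measure and the viewpoint thresholds are assumptions, and the cycle and scenario texts are constructed.

```python
"""Illustrative model of step 150: a keyed, randomized re-ordering of a
simulated attack cycle that keeps its anchor events fixed, keyed
pseudonymisation of host identifiers in the scenario description texts,
and a disorder measure for the obfuscation output report. HMAC-SHA256
stands in for the unspecified cipher; all inputs are constructed."""
import hashlib
import hmac
import re
import secrets

# Constructed cycle (event order as recorded) and its scenario descriptions.
CYCLE = ["recon_scan", "sqli_probe", "sqli_dump", "priv_esc", "exfil"]
SCENARIOS = {
    "recon_scan": "Port and service discovery against web-01",
    "sqli_probe": "Blind SQL injection probe on the login form of web-01",
    "sqli_dump":  "Dump customer table from db-01 via SQL injection",
    "priv_esc":   "Escalate to service account on db-01",
    "exfil":      "Stage data on web-01 and exfiltrate over HTTPS",
}
ANCHORS = {"recon_scan", "sqli_dump"}   # key time points that must keep their place
HOST_RE = re.compile(r"\b[a-z]+-\d{2}\b")  # assumed host naming, e.g. web-01


def keyed_tag(key, *parts):
    """Keyed PRF over the given string parts (HMAC-SHA256 as the stand-in cipher)."""
    msg = b"\x00".join(p.encode() for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def obfuscate_order(cycle, anchors, key, run_id):
    """Re-order the non-anchor events by a per-run keyed tag; anchors stay put.
    This is the randomized 'decrypt' of the description: same key but a
    different run_id yields a different order, and the original order is
    not recoverable from the output alone."""
    movable = [e for e in cycle if e not in anchors]
    movable.sort(key=lambda e: keyed_tag(key, run_id, e))
    it = iter(movable)
    return [e if e in anchors else next(it) for e in cycle]


def obfuscate_text(text, key):
    """Replace host identifiers with keyed pseudonyms; technique words are kept
    so the text still reflects the original intent."""
    return HOST_RE.sub(lambda m: "host-" + keyed_tag(key, m.group(0)).hex()[:6], text)


def disorder(original, shuffled):
    """Normalized Kendall tau distance: fraction of event pairs whose order flipped."""
    pos = {e: i for i, e in enumerate(shuffled)}
    n = len(original)
    inverted = sum(1 for i in range(n) for j in range(i + 1, n)
                   if pos[original[i]] > pos[original[j]])
    return inverted / (n * (n - 1) / 2)


def build_report(cycle, scenarios, anchors, key=None, run_id="run-1"):
    """Assemble the three report items: method, obfuscated process, disorder view."""
    key = key or secrets.token_bytes(32)       # fresh per-run key by default
    shuffled = obfuscate_order(cycle, anchors, key, run_id)
    score = disorder(cycle, shuffled)
    return {
        "method": "HMAC-SHA256 keyed permutation of non-anchor events; keyed host pseudonyms",
        "original": list(cycle),
        "obfuscated": shuffled,
        "texts": {e: obfuscate_text(scenarios[e], key) for e in cycle},
        "moved": [e for e, o in zip(shuffled, cycle) if e != o],
        "disorder": score,
        "viewpoint": "strong" if score >= 0.3 else "weak" if score > 0 else "none",
    }


if __name__ == "__main__":
    report = build_report(CYCLE, SCENARIOS, ANCHORS)
    for k, v in report.items():
        print(f"{k}: {v}")
```

Because the non-anchor events are ordered by a tag that depends on both the key and the run identifier, every run produces a different ordering while the anchors keep their time points, which is the behaviour the preceding paragraphs require; the disorder value is what the third report item quantifies. For an auditable report, the first item should record this step as a keyed transformation rather than as decryption, since genuine decryption would restore the original data exactly.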

Finally, it should be stressed that the technical scheme of step 150 is both innovative and practical. Through dynamic encryption and decryption obfuscation it gives the security team a new, obfuscated perspective from which to review and evaluate the simulated attack process. The method not only helps discover potential vulnerabilities and attack paths but also deepens the team's understanding of the simulated attack process. Moreover, because the obfuscation involves randomness and uncertainty, every obfuscation output report generated is unique, which supports repeated simulation and analysis exercises and a steady improvement in the team's ability to respond to real-world attacks.

In other words, the multiple simulated attack cycles are processed in depth by dynamic encryption and decryption obfuscation to generate the obfuscation output report between the red team attack simulation task to be obfuscated and the simulated scenario sequence. The report reveals the disorder evaluation viewpoint between each simulated attack event of the task and each attack scenario description text in the simulated scenario sequence, giving the security team a new, obfuscated perspective from which to review and evaluate the simulated attack process. This improves the team's understanding of that process and, in turn, its ability to respond to real-world attacks.

In summary, the embodiment of the present invention greatly improves the analysis efficiency and the obfuscation effect of the red team attack simulation task, giving the security team a more comprehensive and in-depth perspective for evaluating simulated attacks. Specifically, the embodiment first gathers the key information of the red team attack simulation task to be obfuscated, including the vulnerability exploitation penetration information corresponding to the simulated attack events, the attack event behavior log and the simulated scenario sequence, laying the foundation for the subsequent analysis and obfuscation. On that basis it uses data processing techniques to locate the frequent-item simulated attack events in the task, a step that is critical for identifying potentially high-risk attack paths. It then decomposes the task into cycles, refining the complex attack process into multiple manageable simulated attack cycles so that the security team can examine the attack behavior within each cycle in detail. Further, by performing behavior detection on each simulated attack cycle it extracts the target simulated attack event of the cycle, giving clear direction to the subsequent obfuscation. Finally, through dynamic encryption and decryption obfuscation it generates the obfuscation output report, which presents the relationship between the simulated attack events and the attack scenario description texts from a new, disordered perspective, helping the security team discover potential vulnerabilities and attack paths and greatly improving the targeting and effectiveness of its defenses.

In some optional embodiments, the attack event behavior log includes an event priority state feature of the simulated attack event, and performing dynamic encryption and decryption obfuscation on the multiple simulated attack cycles according to the target simulated attack event and the target attack scenario description text corresponding to it in the simulated scenario sequence, to obtain the obfuscation output report between the red team attack simulation task to be obfuscated and the simulated scenario sequence, includes: obtaining a scenario priority state feature of the target attack scenario description text; determining, from the difference between the event priority state feature of the target simulated attack event and the scenario priority state feature of the target attack scenario description text, a dynamic encryption and decryption delay and a priority error variable between each simulated attack cycle and the local attack scenario queue corresponding to that cycle, where the local attack scenario queue belongs to the simulated scenario sequence; performing attack behavior pattern jump analysis according to the priority error variable to obtain a target behavior pattern jump feature corresponding to each simulated attack cycle, the target behavior pattern jump feature indicating the behavior pattern jump record between the simulated attack cycle and its corresponding local attack scenario queue; and, according to the target behavior pattern jump feature and the dynamic encryption and decryption delay, performing obfuscation attack test processing of the simulated attack cycle and the local attack scenario queue for each simulated attack cycle to obtain the obfuscation output report.

In this embodiment the attack event behavior log plays a critical role: it not only records the details of the simulated attack events but also carries their event priority state features. These features matter for understanding and analyzing attack behavior patterns and for formulating effective defensive strategies. The core goal of the embodiment is to apply dynamic encryption and decryption obfuscation to the multiple simulated attack cycles according to the target simulated attack events and their corresponding target attack scenario description texts in the simulated scenario sequence, and finally to generate the obfuscation output report between the red team attack simulation task to be obfuscated and the simulated scenario sequence.

First, the simulation software obfuscation system obtains the scenario priority state feature of the target attack scenario description text. This step is the basis for understanding the context of the attack scenario and determining the attack behavior pattern. The scenario priority state feature may span several dimensions, such as the type, complexity, required resources and potential impact of the attack scenario; together these form the scenario's distinctive "fingerprint".

Next, from the difference between the event priority state feature of the target simulated attack event and the scenario priority state feature of the target attack scenario description text, the system determines the dynamic encryption and decryption delay and the priority error variable between each simulated attack cycle and its corresponding local attack scenario queue. A local attack scenario queue is a part of the simulated scenario sequence and represents a series of attack scenarios executed in order. The delay and the priority error variable are computed from the difference between the event and scenario state features; that difference reflects the uncertainty and variation an attack event may meet in actual execution.

The dynamic encryption and decryption delay is a key parameter: it models the uncertainty in the execution time of attack steps that arises in real attacks for various reasons, such as network latency and system response time. The priority error variable models changes in the relative priority of attack steps, which may result from the attacker adjusting the strategy to the live situation, or from the attack path being altered when a defensive mechanism triggers.

The system then performs attack behavior pattern jump analysis according to the priority error variable to obtain the target behavior pattern jump feature of each simulated attack cycle. The aim is to identify and record the behavior pattern jumps between a simulated attack cycle and its corresponding local attack scenario queue. A behavior pattern jump is an attacker temporarily changing strategy or steps during an attack, because of an unexpected situation or in order to bypass a defensive mechanism. The target behavior pattern jump feature indicates that such a jump occurred, which is significant for evaluating the effectiveness of defenses and for predicting attacker behavior.

Finally, according to the target behavior pattern jump feature and the dynamic encryption and decryption delay, the system performs obfuscation attack test processing of the simulated attack cycle and the local attack scenario queue for each simulated attack cycle and obtains the obfuscation output report. Obfuscation attack test processing is an enhancement of the simulated attack that models real-world attack behavior by introducing uncertainty and variability. It considers not only the state features of the attack event and attack scenario but also the effects of the behavior pattern jump and the dynamic encryption and decryption delay, and so yields a more realistic and comprehensive obfuscation output report.

The obfuscation output report is the final product of this embodiment. It records in detail the changes, uncertainties and behavior pattern jumps that occurred during the simulated attack. The report is valuable for evaluating the effectiveness of the red team attack simulation task, discovering potential vulnerabilities and formulating targeted defensive strategies. By analyzing it closely, the security team can better understand attacker behavior patterns, improve its defensive capability and secure the system.

Thus, by obtaining the scenario priority state feature of the target attack scenario description text, computing the dynamic encryption and decryption delay and the priority error variable, performing attack behavior pattern jump analysis, and finally generating the obfuscation output report, dynamic encryption and decryption obfuscation of the red team attack simulation task is achieved. The process increases the realism and complexity of the simulated attack and gives the security team data and insight that help it prepare for and respond to real threats.

In a further step, performing attack behavior pattern jump analysis according to the priority error variable to obtain the target behavior pattern jump feature corresponding to each simulated attack cycle includes: for each simulated attack cycle, determining multiple original behavior pattern jump features according to the priority error variable; determining, for each of the multiple original behavior pattern jump features, a corresponding attack-defense process execution error, where the attack-defense process execution error characterizes the response delay state between the simulated attack cycle and its corresponding local attack update scenario queue after obfuscation attack test processing has been performed with that original behavior pattern jump feature; and determining the original behavior pattern jump feature with the smallest attack-defense process execution error as the target behavior pattern jump feature.

In this embodiment, analyzing and identifying attack behavior patterns is a key part of formulating defensive strategy. To understand and predict attacker behavior more effectively, analysis of the behavior pattern jump features of simulated attack cycles becomes an important technique. The following describes in detail how attack behavior pattern jump analysis is performed according to the priority error variable to obtain the target behavior pattern jump feature of each simulated attack cycle.

First, for each simulated attack cycle, the system determines multiple original behavior pattern jump features according to the priority error variable. These features are the different ways in which the attack behavior may change or shift during the simulated attack. The priority error variable is central here: it reflects the degree of difference between the behavior pattern in the simulation and the actual attack behavior pattern. The larger the difference, the less the currently simulated behavior pattern matches a real attacker's, and the more it must be adjusted to approach real attack behavior.

其次,系统需要分别确定这些原始行为模式跳变特征中每一个特征对应的攻防流程执行误差。攻防流程执行误差是一个重要的评估指标,它表征了当采用某一个原始行为模式跳变特征进行混淆攻击测试处理后,模拟攻击周期与其对应的局部攻击更新场景队列之间的响应延时状态。换句话说,该指标反映了模拟攻击在执行过程中,由于行为模式的跳变而带来的时间延迟或响应滞后,这种延迟或滞后可能揭示了模拟攻击行为与现实攻击场景的不匹配程度。Secondly, the system needs to determine the attack and defense process execution error corresponding to each of these original behavior pattern jump characteristics. The attack and defense process execution error is an important evaluation indicator, which characterizes the response delay between the simulated attack cycle and its corresponding local attack update scenario queue after a certain original behavior pattern jump characteristic is used for obfuscation attack testing. In other words, this indicator reflects the time delay or response lag caused by the jump of the behavior pattern during the execution of the simulated attack. This delay or lag may reveal the degree of mismatch between the simulated attack behavior and the actual attack scenario.

然后,系统通过比较不同原始行为模式跳变特征对应的攻防流程执行误差,将具有最小攻防流程执行误差的原始行为模式跳变特征确定为该模拟攻击周期的目标行为模式跳变特征。该步骤的逻辑在于,最小的攻防流程执行误差意味着该原始行为模式跳变特征在模拟攻击过程中能够最好地匹配实际的攻击行为模式,因此它被视为最能够代表该模拟攻击周期的目标行为模式跳变特征。Then, by comparing the attack and defense process execution errors corresponding to different original behavior pattern jump features, the system determines the original behavior pattern jump feature with the smallest attack and defense process execution error as the target behavior pattern jump feature of the simulated attack cycle. The logic of this step is that the smallest attack and defense process execution error means that the original behavior pattern jump feature can best match the actual attack behavior pattern during the simulated attack process, so it is regarded as the target behavior pattern jump feature that best represents the simulated attack cycle.

通过以上步骤,系统能够有效地分析并识别出每一模拟攻击周期的目标行为模式跳变特征,这对于理解和预测实际攻击者的行为模式具有重要的参考价值。Through the above steps, the system can effectively analyze and identify the target behavior pattern jump characteristics of each simulated attack cycle, which has important reference value for understanding and predicting the behavior patterns of actual attackers.

接下来,为了更具体地说明目标行为模式跳变特征,可以通过数值特征向量的方式来举例介绍。Next, in order to more specifically illustrate the target behavior pattern jump characteristics, an example can be introduced in the form of a numerical feature vector.

例如,在某个模拟攻击周期中,系统通过优先级误差变量确定了三个原始行为模式跳变特征,分别为特征A、特征B和特征C。对于这三个特征,系统分别进行了混淆攻击测试处理,并计算了它们对应的攻防流程执行误差。具体地,特征A对应的攻防流程执行误差为0.5秒,特征B对应的攻防流程执行误差为0.3秒,而特征C对应的攻防流程执行误差为0.4秒。根据前面的分析,系统会将具有最小攻防流程执行误差的特征确定为目标行为模式跳变特征,因此在该例子中,特征B被确定为该模拟攻击周期的目标行为模式跳变特征。进一步地,模拟软件混淆系统可以将特征B用数值特征向量的方式来表示。假设特征B可以由一个四维的数值特征向量来描述,分别为[攻击频率,攻击强度,攻击路径复杂度,攻击目标多样性],那么特征B的具体数值特征向量可能为[0.6,0.8,0.4,0.7]。该数值特征向量提供了关于特征B的详细量化描述,使得模拟软件混淆系统可以更具体地理解和分析该目标行为模式跳变特征。For example, in a certain simulated attack cycle, the system determines three original behavior pattern jump features through the priority error variable, namely, feature A, feature B, and feature C. For these three features, the system performs obfuscation attack test processing respectively and calculates their corresponding attack and defense process execution errors. Specifically, the attack and defense process execution error corresponding to feature A is 0.5 seconds, the attack and defense process execution error corresponding to feature B is 0.3 seconds, and the attack and defense process execution error corresponding to feature C is 0.4 seconds. According to the previous analysis, the system will determine the feature with the smallest attack and defense process execution error as the target behavior pattern jump feature. Therefore, in this example, feature B is determined as the target behavior pattern jump feature of the simulated attack cycle. Further, the simulation software obfuscation system can represent feature B in the form of a numerical feature vector. Assuming that feature B can be described by a four-dimensional numerical feature vector, namely [attack frequency, attack intensity, attack path complexity, attack target diversity], then the specific numerical feature vector of feature B may be [0.6, 0.8, 0.4, 0.7]. 
The numerical feature vector provides a detailed quantitative description of feature B, so that the simulated software obfuscation system can understand and analyze the target behavior pattern jump characteristics more specifically.

如此,通过依据优先级误差变量进行攻击行为模式跳变分析,系统能够有效地得到每一模拟攻击周期对应的目标行为模式跳变特征。这些特征不仅揭示了模拟攻击过程中的行为模式变化,还为理解和预测实际攻击行为提供了重要的参考。而通过数值特征向量的方式,模拟软件混淆系统可以更具体地描述和分析这些目标行为模式跳变特征,为网络安全防御策略的制定提供有力的支持。In this way, by analyzing the attack behavior pattern jump according to the priority error variable, the system can effectively obtain the target behavior pattern jump characteristics corresponding to each simulated attack cycle. These characteristics not only reveal the changes in behavior patterns during the simulated attack process, but also provide an important reference for understanding and predicting actual attack behaviors. And through the method of numerical feature vectors, the simulated software obfuscation system can more specifically describe and analyze these target behavior pattern jump characteristics, providing strong support for the formulation of network security defense strategies.

In some further optional embodiments, locating frequent-item attack events of the red team attack simulation task to be obfuscated based on the attack event behavior log and the vulnerability attack penetration information, to obtain the frequent-item simulated attack events among the simulated attack events, includes: determining an event impact coefficient of each simulated attack event among the simulated attack events based on the attack event behavior log and the vulnerability attack penetration information, where the event impact coefficient indicates the attack risk level of the simulated attack event within the red team attack simulation task to be obfuscated; and determining the simulated attack events whose event impact coefficient meets a set coefficient requirement as the frequent-item simulated attack events.

In the field of network security, the red team attack simulation task is an important means of security testing: it evaluates the security defense capability of a system by simulating real attack behavior. However, because attack behavior is complex and diverse, locating the high-frequency, high-harm attack events among the many simulated attack events, that is, the frequent-item simulated attack events, has become a key problem in red team attack simulation tasks. To solve this problem, some optional embodiments propose a technical solution for locating frequent-item attack events based on the attack event behavior log and the vulnerability attack penetration information.

First, the core of this technical solution is to use the attack event behavior log and the vulnerability attack penetration information to determine the event impact coefficient of each simulated attack event. The attack event behavior log records the various behavioral data of the simulated attack process, including the time, location, method and target of each attack, and is an important basis for analyzing attack behavior patterns. The vulnerability attack penetration information reveals the vulnerabilities present in the system and the ways in which they may be exploited, and is a key reference for evaluating the attack risk level.

After the event impact coefficient of each simulated attack event has been determined, these coefficients are compared against the set coefficient requirement to determine which simulated attack events meet the definition of a frequent-item simulated attack event. Here, the set coefficient requirement is a threshold chosen according to actual needs and the security policy, used to screen out the simulated attack events whose attack risk level is sufficiently high. Only when the event impact coefficient of a simulated attack event reaches or exceeds this threshold is it identified as a frequent-item simulated attack event.

Specifically, calculating the event impact coefficient may involve several dimensions, including the frequency of the attack event, the success rate of the attack, the degree of damage the attack causes to the system, and the severity level of the vulnerability the attack exploits. Together these dimensions form an indicator system for evaluating the attack risk level. For example, if a simulated attack event occurs frequently, has a high success rate, and can exploit a high-risk vulnerability in the system to cause serious consequences, then its event impact coefficient will be correspondingly high.

In practical applications, in order to calculate the event impact coefficient more accurately, advanced data analysis techniques and algorithms such as machine learning and data mining may also be used. These techniques can extract useful features from large volumes of attack event behavior logs and vulnerability attack penetration information, and build on these features a model that accurately predicts the attack risk level.

Once the frequent-item simulated attack events have been identified, more targeted defense strategies can be formulated for them. For example, the vulnerabilities exploited by these events can be patched and hardened to raise the overall security of the system, and dedicated detection and response can be set up for the attack patterns of these events so that an effective response can be mounted quickly when a real attack occurs.

In addition, this technical solution can be combined with other security testing methods to form a more complete red team attack simulation task system. For example, the frequent-item simulated attack events can be taken as key test objects and tested and verified in greater depth during the simulated attack, and the event impact coefficient can be taken as an important indicator of the security defense capability of the system and, together with other security indicators, form a comprehensive security assessment system.

In this way, by calculating the event impact coefficient of each simulated attack event and screening out the frequent-item simulated attack events that meet the set coefficient requirement, a more precise and targeted testing method is provided for the red team attack simulation task. Implementing this technical solution not only improves the effectiveness and accuracy of the red team attack simulation task, but also provides strong support for formulating more effective security defense strategies.

In a preferred embodiment, the attack event behavior log includes a plurality of modular attack-defense behavior records, and the vulnerability attack penetration information includes a plurality of vulnerability penetration trend features; determining the event impact coefficient of each simulated attack event among the simulated attack events based on the attack event behavior log and the vulnerability attack penetration information includes: projecting the plurality of modular attack-defense behavior records and the plurality of vulnerability penetration trend features, respectively, into the same knowledge vector coordinate system, to obtain a modular attack-defense behavior vector corresponding to each modular attack-defense behavior record and a vulnerability attack penetration vector corresponding to each vulnerability penetration trend feature; and, taking the modular attack-defense behavior vector and the vulnerability attack penetration vector corresponding to each simulated attack event as influencing feature variables, performing an impact coefficient operation for each simulated attack event to obtain the event impact coefficient of each simulated attack event.

In the field of network security, the red team attack simulation task is a crucial means of security testing, whose core is to simulate real attack behavior in order to evaluate and improve the security defense capability of a system. To locate frequent-item simulated attack events more precisely, that is, the high-frequency, high-harm attack events, the simulation software obfuscation system adopts a preferred embodiment. Based on the attack event behavior log and the vulnerability attack penetration information, this embodiment determines the event impact coefficient of each simulated attack event through a series of processing steps.

First, it should be made clear that the attack event behavior log and the vulnerability attack penetration information are the two core data sources of this embodiment. The attack event behavior log records in detail the various behavioral data of the simulated attack process; these data exist in the form of a plurality of modular attack-defense behavior records and provide the simulation software obfuscation system with rich information on attack behavior patterns. The vulnerability attack penetration information reveals the vulnerabilities present in the system and the ways and trends in which they may be exploited; it is likewise presented in the form of a plurality of vulnerability penetration trend features and is an important basis on which the simulation software obfuscation system evaluates the attack risk level.

Next, the key step of the embodiment is to fuse and process the information from these two data sources. Specifically, the simulation software obfuscation system projects the plurality of modular attack-defense behavior records and the plurality of vulnerability penetration trend features, respectively, into the same knowledge vector coordinate system. In essence, this step converts the originally scattered, unordered behavior records and trend features into vectors with a unified metric, which facilitates subsequent calculation and analysis. Through the projection, the simulation software obfuscation system obtains the modular attack-defense behavior vector corresponding to each modular attack-defense behavior record and the vulnerability attack penetration vector corresponding to each vulnerability penetration trend feature.

With these vectors obtained, the simulation software obfuscation system can proceed to the impact coefficient operation. In this step, the simulation software obfuscation system takes the modular attack-defense behavior vector and the vulnerability attack penetration vector corresponding to each simulated attack event as influencing feature variables and, through a series of mathematical operations and model processing, calculates the event impact coefficient of each simulated attack event. This coefficient is an evaluation indicator that integrates multiple factors and reflects the attack risk level of the simulated attack event within the red team attack simulation task to be obfuscated.

Specifically, calculating the event impact coefficient may involve several dimensions. In addition to the frequency of the attack behavior, its success rate, the degree of damage to the system and the severity level of the exploited vulnerability mentioned earlier, it may also include the complexity of the attack behavior, the persistence of the attack, and the impact of the attack on system availability. Together these dimensions form an indicator system for evaluating the attack risk level, and the event impact coefficient is a comprehensive expression of that indicator system.

In practical applications, in order to calculate the event impact coefficient more accurately, the simulation software obfuscation system may also need to adopt advanced data analysis techniques and algorithms. For example, it can use a machine learning algorithm to train a model that accurately predicts the attack risk level. Such a model can be built from a large volume of historical attack event behavior logs and vulnerability attack penetration information and, through continuous learning and optimization, gradually captures the complex relationship between the attack risk level and the various influencing factors.

Once the simulation software obfuscation system has obtained the event impact coefficient of each simulated attack event, it can use this coefficient to screen out the high-frequency, high-harm frequent-item simulated attack events. These events are the ones that the simulation software obfuscation system must pay special attention to and test with priority in the red team attack simulation task. By formulating more targeted defense strategies for these events, the simulation software obfuscation system can improve the security defense capability of the system more effectively.

In addition, the technical solution of this embodiment can be combined with other security testing methods to form a more complete red team attack simulation task system. For example, the simulation software obfuscation system can take the frequent-item simulated attack events as key test objects and test and verify them in greater depth during the simulated attack, and the event impact coefficient can be taken as an important indicator of the security defense capability of the system and, together with other security indicators, form a comprehensive security assessment system. This not only improves the effectiveness and accuracy of the red team attack simulation task, but also provides strong support for formulating more effective security defense strategies.

It can be seen that, by fusing and processing the attack event behavior log and the vulnerability attack penetration information, an innovative event impact coefficient calculation method based on a knowledge vector coordinate system and influencing feature variables is proposed. Implementing this method not only locates frequent-item simulated attack events more precisely, but also provides more comprehensive and in-depth security testing and analysis methods for the red team attack simulation task, which is of great significance and value for improving the security defense capability of the system and safeguarding network security.
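The following is an added worked example, not code from the patent or its applicant, of the two preceding passages: projecting behavior records and vulnerability trend features into one shared coordinate system, computing an event impact coefficient from the resulting vectors, and thresholding it to select frequent-item simulated attack events. The patent does not fix the axes, the weights, the combination rule or the threshold; the five axes, the weighted-sum rule, the weights, the threshold of 0.6 and all log records and vulnerability data below are constructed assumptions for illustration only.

```python
from collections import defaultdict

# Assumed axis order of the shared "knowledge vector coordinate system".
# Behavior records fill the first three axes, vulnerability trend
# features the last two; the patent does not specify these axes.
AXES = ("frequency", "success_rate", "damage", "vuln_severity", "vuln_trend")

# Constructed sample modular attack-defense behavior records:
# (simulated event id, attack succeeded, damage in [0,1], vulnerability id)
BEHAVIOR_RECORDS = [
    ("E1", True, 0.7, "V-A"),
    ("E1", True, 0.6, "V-A"),
    ("E1", False, 0.0, "V-A"),
    ("E1", True, 0.8, "V-A"),
    ("E2", False, 0.0, "V-B"),
    ("E2", True, 0.2, "V-B"),
    ("E3", True, 0.9, "V-C"),
]

# Constructed vulnerability penetration trend features:
# vulnerability id -> (severity in [0,1], observed exploitation trend in [0,1])
VULN_TRENDS = {"V-A": (0.9, 0.8), "V-B": (0.3, 0.2), "V-C": (0.8, 0.4)}

# Assumed per-axis weights of the impact coefficient operation (sum to 1).
WEIGHTS = {"frequency": 0.25, "success_rate": 0.2, "damage": 0.25,
           "vuln_severity": 0.2, "vuln_trend": 0.1}


def behavior_vectors(records):
    """Project behavior records onto AXES, one vector per simulated event."""
    by_event = defaultdict(list)
    for event_id, ok, damage, vuln in records:
        by_event[event_id].append((ok, damage, vuln))
    max_count = max(len(rows) for rows in by_event.values())
    vectors = {}
    for event_id, rows in by_event.items():
        vec = {axis: 0.0 for axis in AXES}
        vec["frequency"] = len(rows) / max_count          # relative frequency
        vec["success_rate"] = sum(ok for ok, _, _ in rows) / len(rows)
        vec["damage"] = max(d for _, d, _ in rows)         # worst observed damage
        vectors[event_id] = vec
    return vectors


def vulnerability_vectors(trends):
    """Project vulnerability trend features onto the same AXES."""
    vectors = {}
    for vuln_id, (severity, trend) in trends.items():
        vec = {axis: 0.0 for axis in AXES}
        vec["vuln_severity"] = severity
        vec["vuln_trend"] = trend
        vectors[vuln_id] = vec
    return vectors


def impact_coefficient(beh_vec, vuln_vecs, weights=WEIGHTS):
    """Assumed rule: take the behavior vector, fill the vulnerability axes with
    the strongest related vulnerability vector, then apply a weighted sum."""
    combined = dict(beh_vec)
    for axis in ("vuln_severity", "vuln_trend"):
        combined[axis] = max((v[axis] for v in vuln_vecs), default=0.0)
    return sum(weights[axis] * combined[axis] for axis in AXES)


def frequent_item_events(records, trends, threshold, weights=WEIGHTS):
    """Return (scores per event, sorted ids whose score meets the threshold)."""
    bvecs = behavior_vectors(records)
    vvecs = vulnerability_vectors(trends)
    related = defaultdict(set)
    for event_id, _, _, vuln in records:
        related[event_id].add(vuln)
    scores = {}
    for event_id, bvec in bvecs.items():
        vuln_vecs = [vvecs[v] for v in related[event_id] if v in vvecs]
        scores[event_id] = round(impact_coefficient(bvec, vuln_vecs, weights), 4)
    frequent = sorted(e for e, s in scores.items() if s >= threshold)
    return scores, frequent


if __name__ == "__main__":
    scores, frequent = frequent_item_events(BEHAVIOR_RECORDS, VULN_TRENDS, 0.6)
    print(scores)    # {'E1': 0.86, 'E2': 0.355, 'E3': 0.6875}
    print(frequent)  # ['E1', 'E3']
```

With the constructed data, E1 scores highest because it is both the most frequent event and tied to the most severe, most actively exploited vulnerability; E3 passes the threshold on damage and severity alone despite occurring once; E2 is screened out. A real deployment would learn the weights (the patent mentions machine learning) rather than fix them by hand.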

In some other optional embodiments, decomposing the red team attack simulation task to be obfuscated into simulated attack cycles according to the frequent-item simulated attack events, to obtain a plurality of simulated attack cycles, includes: taking the frequent-item simulated attack events as simulated attack main events, and decomposing the plurality of simulated attack events of the red team attack simulation task to be obfuscated on the basis of time-sequence cycles, to obtain the plurality of simulated attack cycles.

In this embodiment, the red team attack simulation task is a crucial means of security testing, whose core is to simulate real attack behavior in order to evaluate and improve the security defense capability of a system. To perform this task more effectively, the simulation software obfuscation system needs to manage and control the simulated attack process in a fine-grained manner. This leads to the technical solution discussed in depth next: decomposing the red team attack simulation task to be obfuscated into simulated attack cycles according to the frequent-item simulated attack events, thereby obtaining a plurality of simulated attack cycles.

First, in the red team attack simulation task, the simulated attack event is the basic unit of the entire attack process. Frequent-item simulated attack events are those events that occur with high frequency during the simulated attack and have a large influence on the attack result. These events are often key nodes of the attack process and are of great significance for understanding the attack process as a whole and evaluating the security defense capability of the system.

Next, a simulated attack cycle is a division of the red team attack simulation task along the time dimension: the entire attack process is broken down into a plurality of stages that stand in a time-sequence relationship. Each stage contains a series of interrelated simulated attack events, which together constitute the attack behavior pattern of that stage. By dividing the process into simulated attack cycles, the simulation software obfuscation system can grasp the rhythm and steps of the entire attack process more clearly, which provides strong support for subsequent attack simulation and for formulating defense strategies.

How, then, is the red team attack simulation task to be obfuscated decomposed into simulated attack cycles according to the frequent-item simulated attack events? This requires the simulation software obfuscation system to adopt a series of technical means and methods.

First, the simulation software obfuscation system takes the frequent-item simulated attack events as the simulated attack main events. This is because frequent-item simulated attack events occupy an important position and role in the attack process; they are often the turning points or key points of the attack. Taking these events as main events helps the simulation software obfuscation system grasp the rhythm and steps of the entire attack process and ensures that the division into simulated attack cycles is more reasonable and effective.

Second, the simulation software obfuscation system decomposes the plurality of simulated attack events of the red team attack simulation task to be obfuscated on the basis of time-sequence cycles. In essence, this step divides the entire attack process in chronological order and assigns interrelated simulated attack events to the same simulated attack cycle. During decomposition, the simulation software obfuscation system must take full account of the time-sequence and dependency relationships between simulated attack events, so that each simulated attack cycle contains a series of interrelated simulated attack events with a clear time-sequence relationship.

During decomposition, the simulation software obfuscation system also needs to attend to some key technical details. For example, it needs to ensure that each simulated attack cycle has a clear start marker and end marker, to facilitate subsequent attack simulation and formulation of defense strategies. At the same time, it needs to describe and define each simulated attack cycle in detail, including the main attack behavior, attack target and attack means of that cycle, to facilitate subsequent analysis and research.

Through the above steps, the simulation software obfuscation system obtains a plurality of simulated attack cycles. Together these cycles constitute the complete attack process of the red team attack simulation task to be obfuscated. Each cycle represents a specific stage of the attack process, with clear attack behavior and a clear time-sequence relationship. By dividing the process into simulated attack cycles, the simulation software obfuscation system can grasp the rhythm and steps of the entire attack process more clearly, which provides strong support for subsequent attack simulation and for formulating defense strategies.

In practical applications, this technical solution has a wide range of application scenarios and value. For example, in the field of network security, the simulation software obfuscation system can use this technical solution to manage and control complex red team attack simulation tasks in a fine-grained manner. By dividing the process into simulated attack cycles, the simulation software obfuscation system can understand the stages and steps of the attack process more clearly, which provides strong support for formulating more effective defense strategies. The technical solution can also be applied in network security education and training, helping trainees better understand and master the execution process and skills of red team attack simulation tasks.

In addition, this technical solution has some notable advantages and characteristics. First, it takes frequent-item simulated attack events as the simulated attack main events, fully accounting for the key nodes and turning points of the attack process, so that the division into simulated attack cycles is more reasonable and effective. Second, it adopts a decomposition method based on time-sequence cycles, fully accounting for the time-sequence and dependency relationships between simulated attack events, so that each simulated attack cycle has a clear start marker and end marker as well as a detailed description and definition. These advantages and characteristics give the technical solution broad application prospects and value in the field of network security.

In summary, by taking frequent-item simulated attack events as simulated attack main events and decomposing the plurality of simulated attack events of the red team attack simulation task to be obfuscated on the basis of time-sequence cycles, a plurality of interrelated simulated attack cycles with clear time-sequence relationships is obtained. Together these cycles constitute the complete attack process of the red team attack simulation task to be obfuscated and provide strong support for subsequent attack simulation and for formulating defense strategies. The technical solution has broad application prospects and value in the field of network security and provides a powerful technical means for improving the security defense capability of the system and safeguarding network security.

In some other possible embodiments, performing behavior detection on each of the plurality of simulated attack cycles to obtain the respective target simulated attack events of the plurality of simulated attack cycles includes: if the number of simulated attack events in the simulated attack cycle is greater than or equal to a set number, performing jump behavior detection on the simulated attack cycle to obtain at least one simulated attack detection event; and determining the at least one simulated attack detection event and the frequent-item simulated attack events in the simulated attack cycle as the target simulated attack events of the simulated attack cycle.

In the field of network security, the red team attack simulation task is a crucial means of security testing, whose core is to simulate real attack behavior in order to evaluate and improve the security defense capability of a system. To perform this task more effectively and manage the simulated attack process in a fine-grained manner, the simulation software obfuscation system needs to perform in-depth behavior detection on each simulated attack cycle to determine its target simulated attack events. The target simulated attack events represent the most representative and most threatening attack behavior in that cycle and are essential for understanding attack patterns, evaluating system security and formulating defense strategies.

In some other possible embodiments, a specific technical solution performs behavior detection on each of the plurality of simulated attack cycles and obtains the respective target simulated attack events of each cycle. The core of this solution is to make a comprehensive judgment by combining the number of simulated attack events with the frequent-item simulated attack events.

First, the simulation software obfuscation system counts the number of simulated attack events in each simulated attack cycle. The number of simulated attack events reflects the complexity and diversity of the attack behavior in that cycle. If the number of simulated attack events is greater than or equal to the set number, the attack behavior in that cycle is relatively complex and may involve multiple attack patterns and means.

In that case, the simulation software obfuscation system performs jump behavior detection on the simulated attack cycle. Jump behavior detection is an advanced behavior analysis technique that identifies the key attack steps and turning points within complex attack patterns. Through jump behavior detection, the simulation software obfuscation system obtains at least one simulated attack detection event; these events represent the most representative and most threatening attack behavior in the cycle.

However, the results obtained from jump behavior detection alone may not be comprehensive enough, because frequent-item simulated attack events occupy an important position and role in the attack process and are often its key points or turning points. Therefore, after determining the simulated attack detection events, the simulation software obfuscation system also needs to consider these events together with the frequent-item simulated attack events in the simulated attack cycle.

具体来说,模拟软件混淆系统将跳跃行为检测得到的至少一个模拟攻击检测事件和模拟攻击周期中的频繁项模拟攻击事件共同确定为该模拟攻击周期的目标模拟攻击事件。这样,模拟软件混淆系统不仅考虑了攻击行为的复杂性和多样性,还充分考虑了攻击过程中的关键点和转折点,从而得到了更具代表性和威胁性的目标模拟攻击事件。Specifically, the simulation software obfuscation system determines at least one simulated attack detection event obtained by jump behavior detection and the frequent simulated attack events in the simulated attack cycle as the target simulated attack event of the simulated attack cycle. In this way, the simulation software obfuscation system not only considers the complexity and diversity of attack behaviors, but also fully considers the key points and turning points in the attack process, thereby obtaining more representative and threatening target simulated attack events.

在实际应用中,该技术方案具有显著的优势和价值。首先,通过结合模拟攻击事件的个数和频繁项模拟攻击事件来进行综合判断,模拟软件混淆系统能够更准确地识别出每个模拟攻击周期内的目标模拟攻击事件。这有助于模拟软件混淆系统更深入地理解攻击模式、评估系统安全性以及制定更有效的防御策略。In practical applications, this technical solution has significant advantages and value. First, by combining the number of simulated attack events and the frequent simulated attack events for comprehensive judgment, the simulated software obfuscation system can more accurately identify the target simulated attack events in each simulated attack cycle. This helps the simulated software obfuscation system to more deeply understand the attack mode, evaluate the system security, and formulate more effective defense strategies.

其次,跳跃行为检测技术的引入使得模拟软件混淆系统能够更好地应对复杂的攻击模式。在传统的行为检测方法中,往往难以从大量的攻击事件中识别出关键的攻击步骤和转折点。而跳跃行为检测技术则能够有效地解决该问题,帮助模拟软件混淆系统更准确地把握攻击过程中的关键节点。Secondly, the introduction of jump behavior detection technology enables the simulation software obfuscation system to better cope with complex attack patterns. In traditional behavior detection methods, it is often difficult to identify key attack steps and turning points from a large number of attack events. Jump behavior detection technology can effectively solve this problem and help the simulation software obfuscation system more accurately grasp the key nodes in the attack process.

此外,该技术方案还具有很好的灵活性和可扩展性。在实际应用中,模拟软件混淆系统可以根据具体的需求和场景来调整设定个数和频繁项模拟攻击事件的定义。这使得该技术方案能够更好地适应不同的网络环境和攻击模式,为网络安全防护提供更加全面和有效的支持。In addition, the technical solution has good flexibility and scalability. In practical applications, the simulation software obfuscation system can adjust the definition of the number and frequent items of simulated attack events according to specific needs and scenarios. This enables the technical solution to better adapt to different network environments and attack modes, providing more comprehensive and effective support for network security protection.

如此,通过结合模拟攻击事件的个数、频繁项模拟攻击事件以及跳跃行为检测技术,模拟软件混淆系统能够更准确地识别出每个周期内的目标模拟攻击事件。这不仅有助于模拟软件混淆系统更深入地理解攻击模式、评估系统安全性,还为制定更有效的防御策略提供了有力的支持。在未来的网络安全领域中,该技术方案将继续发挥重要的作用,为保障网络安全贡献更多的力量。In this way, by combining the number of simulated attack events, frequent simulated attack events, and jump behavior detection technology, the simulated software obfuscation system can more accurately identify the target simulated attack events in each cycle. This not only helps the simulated software obfuscation system to more deeply understand the attack mode and evaluate the system security, but also provides strong support for the formulation of more effective defense strategies. In the future network security field, this technical solution will continue to play an important role and contribute more to network security.

In an optional embodiment, the method further includes: if the number of simulated attack events in the simulated attack cycle is less than the set number, determining the frequent-item simulated attack events of the simulated attack cycle as the target simulated attack events of that cycle.

In the field of network security, the red team attack simulation task is a crucial security testing method whose core is to simulate real attack behavior in order to evaluate and improve the security defense capabilities of a system. To perform this task more effectively and manage the simulated attack process at a fine granularity, the simulation software obfuscation system needs to conduct in-depth behavior detection on each simulated attack cycle to determine its target simulated attack events. Those events represent the most representative and threatening attack behavior within the cycle and are crucial for understanding attack patterns, evaluating system security and formulating defense strategies.

In the embodiments discussed previously, a behavior detection method was introduced for the case where the number of simulated attack events in a simulated attack cycle is greater than or equal to the set number; that method determines the target simulated attack events by combining jump behavior detection with the frequent-item simulated attack events. In practical application, however, the simulation software obfuscation system must also handle the other case, in which the number of simulated attack events in the simulated attack cycle is less than the set number.

In this case, applying the previous jump behavior detection method might fail to identify the key attack steps and turning points accurately because there are too few attack events. The simulation software obfuscation system therefore needs a different strategy to determine the target simulated attack events.

First, even when the number of simulated attack events in a simulated attack cycle is less than the set number, this does not mean that the attack behavior in the cycle is not threatening or representative. On the contrary, this small number of attack events may still contain key attack modes and means; they are merely fewer in number.

Therefore, in this situation the simulation software obfuscation system focuses on the frequent-item simulated attack events of the simulated attack cycle. Frequent-item simulated attack events are events that occur with high frequency during the simulated attack process and have a large influence on the attack result. They are often the key points or turning points of the attack process and are significant for understanding the whole attack process and evaluating the system's security defense capabilities.

Specifically, if the number of simulated attack events in the simulated attack cycle is less than the set number, the simulation software obfuscation system directly determines the frequent-item simulated attack events of that cycle as its target simulated attack events. The benefit is that the system can still accurately identify the key attack behaviors and patterns when the number of attack events is small.

This strategy is relatively simple and efficient to implement. The simulation software obfuscation system only needs to count the frequency of the simulated attack events in the simulated attack cycle, find the frequent-item simulated attack events among them, and determine those as the target simulated attack events. In this way the system can quickly and accurately determine the target simulated attack events without performing complex jump behavior detection.
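The two-branch selection rule described above (jump detection plus frequent items when a cycle holds at least the set number of events, frequent items alone otherwise), carried through in Python as an added example rather than the patent's own code. The event fields, the stage-change definition of a jump, and the fallback to the cycle's final event when no jump is found are assumptions; the sample cycles are constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SimEvent:
    """One simulated attack event inside a simulated attack cycle (assumed fields)."""
    event_id: str
    kind: str    # event category as logged, e.g. "recon" or "exploit"
    stage: int   # attack stage index taken from the behavior log


def frequent_item_events(cycle, min_support):
    """Frequent-item events: events whose kind occurs at least min_support times in the cycle."""
    counts = Counter(e.kind for e in cycle)
    return [e for e in cycle if counts[e.kind] >= min_support]


def jump_detection_events(cycle, min_jump=1):
    """Jump behavior detection (assumed definition): an event is a turning point when
    its stage index moves by at least min_jump relative to the preceding event."""
    detected = [cur for prev, cur in zip(cycle, cycle[1:])
                if abs(cur.stage - prev.stage) >= min_jump]
    if not detected:
        # The method requires at least one detection event; the assumed fallback
        # is the cycle's final event.
        detected.append(cycle[-1])
    return detected


def target_events(cycle, set_number, min_support, min_jump=1):
    """Target simulated attack events of one cycle, following the two branches:
    count >= set_number -> jump-detection events plus frequent items;
    count <  set_number -> frequent items only."""
    if not cycle:
        return []
    chosen = {e.event_id for e in frequent_item_events(cycle, min_support)}
    if len(cycle) >= set_number:
        chosen |= {e.event_id for e in jump_detection_events(cycle, min_jump)}
    # Preserve the cycle's timing order and drop duplicates.
    return [e for e in cycle if e.event_id in chosen]


def target_events_per_cycle(cycles, set_number, min_support, min_jump=1):
    """Apply target_events to every cycle; cycles maps cycle id -> ordered event list."""
    return {cid: target_events(evts, set_number, min_support, min_jump)
            for cid, evts in cycles.items()}


# Constructed sample cycles (not real telemetry).
CYCLE_A = [  # six events: meets a set number of 5, so jump detection runs
    SimEvent("e1", "recon", 1), SimEvent("e2", "recon", 1), SimEvent("e3", "recon", 1),
    SimEvent("e4", "exploit", 2), SimEvent("e5", "priv_esc", 3), SimEvent("e6", "lateral", 3),
]
CYCLE_B = [  # three events: below the set number, frequent items only
    SimEvent("b1", "recon", 1), SimEvent("b2", "recon", 1), SimEvent("b3", "exploit", 2),
]
CYCLE_C = [  # five distinct kinds in one stage: no frequent item and no stage change
    SimEvent(f"c{i}", kind, 1)
    for i, kind in enumerate(["recon", "scan", "exploit", "priv_esc", "lateral"], 1)
]

if __name__ == "__main__":
    result = target_events_per_cycle({"A": CYCLE_A, "B": CYCLE_B, "C": CYCLE_C},
                                     set_number=5, min_support=2)
    for cid, evts in result.items():
        print(cid, [e.event_id for e in evts])
```

Cycle C shows the edge case the rule leaves implicit: with no frequent item and no stage change, only the fallback detection event survives.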

Of course, this strategy has its scope of application and limitations. It is mainly applicable when the number of simulated attack events is small; when the number of attack events is large, the simulation software obfuscation system still needs the previous jump behavior detection method to determine the target simulated attack events. At the same time, the system needs to set an appropriate definition and threshold for frequent-item simulated attack events according to the actual situation and specific needs, so that it can accurately identify the key attack behaviors and patterns.

In practical application this strategy has a wide range of uses and value. For example, in network security education and training, the simulation software obfuscation system can use it to help trainees better understand and master the execution process and techniques of red team attack simulation tasks. By directing trainees' attention to the frequent-item simulated attack events of a simulated attack cycle, the system helps them grasp the key points and turning points of the attack process more quickly, improving their network security skills and defensive ability.

In addition, the strategy can be applied to actual attack detection and the formulation of defense strategies in the network security field. By monitoring and analyzing the simulated attack events in a system, the simulation software obfuscation system can use this strategy to quickly identify potential attack behaviors and patterns, so that corresponding defensive measures can be taken in time to protect the security of the system.

Thus, when the number of simulated attack events in a simulated attack cycle is less than the set number, determining the frequent-item simulated attack events as the target simulated attack events of that cycle is an effective strategy for the simulation software obfuscation system. It can still accurately identify key attack behaviors and patterns when the number of attack events is small, and provides strong support for network security education and training as well as for actual attack detection and defense strategy formulation. In the future of the network security field, this strategy will continue to play an important role and contribute further to ensuring network security.

In other preferred embodiments, obtaining the vulnerability attack penetration information corresponding to each simulated attack event of the red team attack simulation task to be obfuscated includes: performing randomized penetration behavior association on the red team attack simulation task to be obfuscated to obtain a target penetration behavior simulation project, the target penetration behavior simulation project including multiple randomized penetration behavior commands; performing, on the basis of the attack event behavior log, a wandering association between each simulated attack event of the red team attack simulation task to be obfuscated and the multiple randomized penetration behavior commands to obtain the target randomized penetration behavior command corresponding to each simulated attack event; and determining the vulnerability attack penetration information of the target randomized penetration behavior command as the vulnerability attack penetration information corresponding to the simulated attack event.

To increase the realism and complexity of simulated attacks, the simulation software obfuscation system often needs to obfuscate red team attack simulation tasks so that they are harder to predict and defend against. To achieve this, the system needs to obtain the vulnerability attack penetration information corresponding to each simulated attack event of the red team attack simulation task to be obfuscated and apply randomization and wandering association to it.

In other preferred embodiments, the simulation software obfuscation system uses a specific technical solution to obtain the vulnerability attack penetration information corresponding to each simulated attack event of the red team attack simulation task to be obfuscated. The core of the solution is to combine the simulated attack events with randomized penetration behavior commands through randomized penetration behavior association and wandering association, obtain the target randomized penetration behavior command corresponding to each simulated attack event, and from it determine the event's vulnerability attack penetration information.

First, the simulation software obfuscation system performs randomized penetration behavior association on the red team attack simulation task to be obfuscated. The purpose of this step is to combine the simulated attack events with a series of randomized penetration behavior commands, increasing the diversity and unpredictability of the attack behavior. Through this association the system obtains a target penetration behavior simulation project containing multiple randomized penetration behavior commands, which represent the various penetration behaviors that may be executed during the simulated attack, such as vulnerability scanning, password cracking and privilege escalation.

Second, the simulation software obfuscation system performs, on the basis of the attack event behavior log, a wandering association between each simulated attack event of the red team attack simulation task to be obfuscated and the multiple randomized penetration behavior commands. Wandering association is a dynamic association method that establishes a flexible, variable relationship between simulated attack events and randomized penetration behavior commands. Through it, the system can associate each simulated attack event with one or more target randomized penetration behavior commands and thereby simulate realistic, variable attack behavior.

When performing the wandering association, the simulation software obfuscation system makes full use of the information in the attack event behavior log, which records the order of occurrence, execution results and related system responses of each attack event during the simulated attack. By analyzing this information the system learns the dependencies, execution conditions and possible penetration paths between attack events, and on that basis associates each simulated attack event with one or more suitable randomized penetration behavior commands.

Finally, the simulation software obfuscation system determines the vulnerability attack penetration information of the target randomized penetration behavior command as the vulnerability attack penetration information of the corresponding simulated attack event. Vulnerability attack penetration information describes how a specific vulnerability is used in an attack and includes details of the vulnerability, the attack method, the attack tools and possible defensive measures. By determining the target randomized penetration behavior command corresponding to each simulated attack event, the system obtains the vulnerability attack penetration information carried by those commands and thus knows which vulnerabilities and attack methods may be used during the simulated attack.

The advantage of this technical solution is that it combines the two methods of randomized penetration behavior association and wandering association, making the association between simulated attack events and randomized penetration behavior commands more flexible and variable. With it, the simulation software obfuscation system can generate more realistic and complex simulated attack scenarios, improving the effectiveness and practicality of red team attack simulation tasks.

The technical solution is also extensible and adaptable. In practical application the simulation software obfuscation system can adjust how randomized penetration behavior commands are generated and the wandering association strategy according to the specific attack scenario and requirements. For example, it can select suitable vulnerabilities and attack methods according to the characteristics and security defense capabilities of the target system and generate the corresponding randomized penetration behavior commands, and it can adjust the strategy and parameters of the wandering association according to different simulated attack targets and task requirements to generate simulated attack scenarios that better match actual needs.

In addition, the technical solution can be combined with other security testing methods such as vulnerability scanning and penetration testing to form a more complete and comprehensive security assessment system. By combining different security testing means, the simulation software obfuscation system can understand the security status and potential threats of the target system more comprehensively and formulate corresponding defense strategies and measures.

Thus, obtaining the vulnerability attack penetration information corresponding to each simulated attack event of the red team attack simulation task to be obfuscated is a technical task of great significance. By combining randomized penetration behavior association and wandering association, the simulation software obfuscation system can generate more realistic and complex simulated attack scenarios and improve the effectiveness and practicality of red team attack simulation tasks. In the future of the network security field, this technical solution will continue to play an important role and contribute further to ensuring network security, and it is expected to be further improved and developed through continued application and practice, bringing more innovation and breakthroughs to the field.

In some preferred embodiments, before obtaining the vulnerability attack penetration information corresponding to each simulated attack event of the red team attack simulation task to be obfuscated, the attack event behavior log of the simulated attack events, and the simulation scenario sequence corresponding to the red team attack simulation task to be obfuscated, the method further includes: obtaining multiple original simulated attack events with the same category label and the attack event behavior logs of those original simulated attack events; combining the multiple original simulated attack events on the basis of a simulation priority score to obtain an original simulation task; performing noise event location on the original simulation task according to the attack event behavior logs to obtain the noise simulated attack events among the multiple original simulated attack events; and filtering the noise simulated attack events out of the original simulation task to obtain the red team attack simulation task to be obfuscated.

The core of this embodiment is to distill a high-quality simulated attack task from multiple original simulated attack events through a series of processing steps, providing a solid foundation for the subsequent red team attack simulation.

First, the simulation software obfuscation system obtains multiple original simulated attack events with the same category label together with their attack event behavior logs. The original simulated attack events are the building blocks of the red team attack simulation task and represent the various possible attack scenarios and behaviors. The attack event behavior logs record the behavioral details of these events as they occur, including attack steps, system responses and execution results; this information is essential for the subsequent analysis and processing.

Next, the simulation software obfuscation system combines the multiple original simulated attack events on the basis of a simulation priority score to form the original simulation task. The simulation priority score is a combined assessment of factors such as the threat level, frequency of occurrence and potential impact of each attack event. Through this scoring mechanism the system ensures that the combined original simulation task is representative and covers the important attack scenarios.

However, the original simulation task may contain noise simulated attack events that negatively affect its accuracy and effectiveness. The simulation software obfuscation system therefore performs noise event location on the original simulation task according to the attack event behavior logs, in order to identify events that do not match normal attack behavior patterns and may interfere with the simulation result.

During noise event location, the simulation software obfuscation system analyzes the attack event behavior logs in depth to find abnormal or unexpected behavior records. For example, an attack event that is suddenly interrupted during execution, or whose system response differs from what was expected, may indicate a noise event. Through this step the system effectively identifies the noise simulated attack events in the original simulation task.

Finally, the simulation software obfuscation system filters the noise simulated attack events out of the original simulation task to obtain the red team attack simulation task to be obfuscated. This step is key to ensuring the quality of the simulation task: by filtering out noise events, the system ensures that the task to be obfuscated is cleaner and more effective and better simulates real attack scenarios and behavior.
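The four steps above (same-label selection, combination by simulation priority score, noise event location from the behavior logs, filtering), run on constructed sample data as an added Python example that is not the patent's own code. The event and log fields and the scoring weights are assumptions; the two noise rules are the ones the text names (interrupted execution, response differing from expectation), plus an assumed rule that an event with no log record is treated as noise.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OriginalEvent:
    """An original simulated attack event (assumed fields; factors scaled to 0..1)."""
    event_id: str
    label: str        # category label; only events sharing one label are combined
    threat: float     # threat level
    frequency: float  # frequency of occurrence
    impact: float     # potential impact


@dataclass(frozen=True)
class LogRecord:
    """One attack event behavior log entry (assumed fields)."""
    event_id: str
    status: str             # "completed" or "interrupted"
    expected_response: str  # system response the simulation expected
    actual_response: str    # system response actually recorded


def priority_score(ev, w_threat=0.5, w_freq=0.2, w_impact=0.3):
    """Simulation priority score: assumed weighted sum of the three factors the text names."""
    return w_threat * ev.threat + w_freq * ev.frequency + w_impact * ev.impact


def build_original_task(events, label):
    """Combine the events carrying `label` into an original simulation task,
    ordered by descending simulation priority score."""
    same_label = [e for e in events if e.label == label]
    return sorted(same_label, key=priority_score, reverse=True)


def locate_noise_events(task, logs):
    """Noise event location from the behavior logs: execution interrupted, or the
    system response differing from expectation. An event without a log record
    cannot be validated and is treated as noise (assumption)."""
    by_id = {r.event_id: r for r in logs}
    noise = set()
    for ev in task:
        rec = by_id.get(ev.event_id)
        if (rec is None or rec.status == "interrupted"
                or rec.expected_response != rec.actual_response):
            noise.add(ev.event_id)
    return noise


def build_task_to_obfuscate(events, logs, label):
    """Full pipeline: combine by priority score, locate noise, filter it out."""
    task = build_original_task(events, label)
    noise = locate_noise_events(task, logs)
    return [e for e in task if e.event_id not in noise]


# Constructed sample data (not from any real simulation).
EVENTS = [
    OriginalEvent("E1", "web", threat=0.9, frequency=0.5, impact=0.8),
    OriginalEvent("E2", "web", threat=0.6, frequency=0.9, impact=0.4),
    OriginalEvent("E3", "web", threat=0.7, frequency=0.3, impact=0.9),
    OriginalEvent("E4", "net", threat=0.8, frequency=0.8, impact=0.8),  # different label
    OriginalEvent("E5", "web", threat=0.5, frequency=0.5, impact=0.5),
]
LOGS = [
    LogRecord("E1", "completed", "http 200", "http 200"),
    LogRecord("E2", "interrupted", "http 200", "timeout"),   # interrupted -> noise
    LogRecord("E3", "completed", "http 302", "http 500"),    # response mismatch -> noise
    LogRecord("E4", "completed", "syn-ack", "syn-ack"),
    LogRecord("E5", "completed", "http 401", "http 401"),
]

if __name__ == "__main__":
    for ev in build_task_to_obfuscate(EVENTS, LOGS, "web"):
        print(ev.event_id, round(priority_score(ev), 2))
```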

The advantage of this technical solution lies in its comprehensiveness and precision. It considers not only the threat level and frequency of the simulated attack events but also, through noise event location and handling, the accuracy and effectiveness of the simulation task. It also makes full use of the attack event behavior logs, a valuable resource, to support the construction and analysis of the simulation task.

In practical application this technical solution can be used widely in network security testing, assessment and defense strategy formulation. For example, in a network security exercise the simulation software obfuscation system can use it to generate high-quality red team attack simulation tasks to test and improve the defensive capabilities of the security team, and in the security assessment of a network system it can help the system identify potential vulnerabilities and weaknesses more accurately and support the formulation of effective defense strategies.

The technical solution is also extensible and adaptable. In practical application the simulation software obfuscation system can adjust the simulation priority scoring criteria and the noise event location strategy according to the specific attack scenario and requirements; for example, it can define different scoring criteria and location strategies for different types of network systems or different security threats to generate simulated attack tasks that better match actual needs.

Thus, the simulation software obfuscation system can distill high-quality simulation tasks from multiple original simulated attack events, providing a solid foundation for the subsequent red team attack simulation. In the future of the network security field, this technical solution will continue to play an important role and contribute further to ensuring network security, and it is expected to be further improved and developed through continued application and practice. For example, the system could explore the use of machine learning and other advanced techniques to optimize the simulation priority scoring and noise event location processes and so improve the accuracy and effectiveness of the simulation task, and could study how to combine this technical solution with other security testing methods to form a more complete and comprehensive security assessment system.

In some independent embodiments, the method further includes: performing text annotation processing on the obfuscation output report between the red team attack simulation task to be obfuscated and the simulation scenario sequence.

It can be understood that the core task of this embodiment is to perform text annotation processing on the "obfuscation output report" generated between the "red team attack simulation task to be obfuscated" and the "simulation scenario sequence". This processing aims to improve the readability and comprehensibility of the report and to facilitate subsequent automated analysis or manual review. To achieve this, the simulation software obfuscation system adopts a series of text processing techniques and natural language processing methods to ensure the accuracy and effectiveness of the annotations.

First, the simulation tasks of a red team attack simulation usually involve complex attack scenarios and multi-step attack strategies intended to comprehensively evaluate the system's defensive capabilities. However, because of the complexity and diversity of these tasks, the generated output reports often contain a great deal of detail and professional terminology that may be difficult for non-specialists to understand.

Next, the simulation software obfuscation system considers the "simulation scenario sequence". This refers to a series of simulated attack scenarios arranged in a specific order, each representing a step or stage of the attack process. The complexity of these scenario sequences lies in the fact that they not only describe the specific actions of the attack but may also contain information about the system's response and the effectiveness of defensive measures. Therefore, when the simulation software obfuscation system integrates this information into the obfuscation output report, it needs to ensure that the report is both comprehensive and easy to understand.

Further, the "obfuscation output report" is generated after the simulation task is executed and records in detail all key events and results of the attack process. However, since the report may contain sensitive information or proprietary terms, sharing or reviewing it directly may be inconvenient. Therefore, the simulation software obfuscation system needs to obfuscate the report to protect sensitive information while retaining enough information for analysis and review.

On this basis, the simulation software obfuscation system first needs to preprocess the obfuscation output report. The purpose of this step is to clean the data, remove irrelevant information, and convert the report into a format that is easy to process. Preprocessing may include removing whitespace characters from the report, standardizing date and time formats, and extracting key fields. Through these operations the simulation software obfuscation system can ensure the accuracy and efficiency of subsequent processing.

Second, the simulation software obfuscation system applies text annotation techniques to enhance the readability of the report. This includes using natural language processing to identify entities in the report (such as attack types, affected systems, and defensive measures) and adding appropriate labels or annotations to them. For example, the system can use named entity recognition (NER) to automatically tag key terms in the report such as "SQL injection" and "firewall". These labels not only help readers quickly understand the content of the report but also provide useful information for subsequent automated analysis tools.

The simulation software obfuscation system then uses semantic analysis to further enrich the report's annotations. Semantic analysis aims to understand the meaning and context of the text so that key information in the report can be annotated more accurately. For example, through semantic analysis the system can identify causal relationships in the report (such as "the system was attacked because patches were not applied in time") and present this information in an easy-to-understand way. Such annotations help readers better grasp the development and root cause of an attack event.

In addition, the simulation software obfuscation system also considers using visualization techniques to enhance the readability of the annotated report. By presenting key information as charts, timelines, or other visual elements, the system can help readers understand complex attack scenarios and simulation results more intuitively. For example, the system can create an attack timeline that arranges the individual attack steps and defensive responses in chronological order, using different colors and icons to represent different attack types and defensive measures. Such visual annotation not only improves the readability of the report but also helps readers quickly locate key events and trends.

After the above text annotation processing, the simulation software obfuscation system also needs to perform quality checks and optimization on the annotation results. The purpose of this step is to ensure the accuracy and consistency of the annotations so as to provide a reliable data basis for subsequent automated analysis or manual review. Quality checks may include manually verifying the correctness of the annotation results, using automated tools to detect potential annotation errors, and iteratively optimizing the annotation rules based on feedback.

Finally, the simulation software obfuscation system generates the final annotated report and applies it in the actual network security analysis and review process. This report contains all of the annotated key information, presented to the reader in a form that is easy to understand and analyze. Using this annotated report, the network security team can more effectively evaluate the results of the red team attack simulation task, identify potential vulnerabilities in the system, and formulate corresponding defensive strategies.

In this way, by performing text annotation processing on the "obfuscation output report" generated between the "red team attack simulation task to be obfuscated" and the "simulation scenario sequence", the readability and comprehensibility of the report are significantly improved. Through a series of steps including preprocessing, text annotation, semantic analysis, visualization, and quality checking and optimization, the simulation software obfuscation system generates a final report with rich annotation information, providing strong support for network security analysis and review. Implementing this technical solution helps improve network security defensive capabilities and ensures that the system is more robust and secure when facing real attacks.

In other independent embodiments, performing text annotation processing on the obfuscation output report between the red team attack simulation task to be obfuscated and the simulation scenario sequence includes: performing associated report semantic mining on the obfuscation output report to obtain a task scenario association semantic vector of the obfuscation output report; determining a knowledge annotation connection feature and an annotation depth quantization weight based on the task scenario association semantic vector; determining a text annotation compliance condition of a debugged NLP text annotation algorithm based on the annotation depth quantization weight and the algorithm configuration relationship network of the debugged NLP text annotation algorithm; obtaining, based on the task scenario association semantic vector and the knowledge annotation connection feature, the output text of the debugged NLP text annotation algorithm when the text annotation compliance condition is reached, where the knowledge annotation connection feature is used to update the attention weights of the task scenario association semantic vector during the text annotation process; and obtaining the obfuscation annotation report corresponding to the obfuscation output report based on the output text.

In an embodiment of the present invention, the core goal of the above text annotation processing is to extract and clarify the key information in the obfuscation output report through in-depth analysis and annotation, so as to understand and evaluate more accurately the effect of the red team attack simulation task and its relevance to the simulation scenarios.

First, performing associated report semantic mining on the obfuscation output report is the key first step. This step aims to understand the report's content in depth and extract the task scenario association semantic vector. This vector is the basis for subsequent text annotation processing; it contains the core semantic information in the report relating to the red team attack simulation task and the simulation scenario sequence. Using advanced natural language processing techniques, the simulation software obfuscation system can effectively extract this key information from large volumes of text, providing strong data support for the subsequent steps.

Second, based on the task scenario association semantic vector, the simulation software obfuscation system needs to determine the knowledge annotation connection feature and the annotation depth quantization weight. The knowledge annotation connection feature is the key factor used to update the attention weights of the task scenario association semantic vector during text annotation. It helps the annotation algorithm focus more accurately on the key information in the report, improving the accuracy and efficiency of annotation. The annotation depth quantization weight measures the depth and breadth of the annotation, ensuring that the annotation process is both comprehensive and thorough.

Then, the simulation software obfuscation system needs to determine the text annotation compliance condition of the debugged NLP text annotation algorithm based on the annotation depth quantization weight and the algorithm's configuration relationship network. This step is the key link in ensuring annotation quality. By setting clear compliance conditions, the simulation software obfuscation system can strictly control the output of the annotation algorithm to ensure that it meets the system's requirements; it also provides clear guidance for subsequent annotation work.

Next, based on the task scenario association semantic vector and the knowledge annotation connection feature, the simulation software obfuscation system can obtain the output text of the debugged NLP text annotation algorithm when the text annotation compliance condition is reached. This step is the core of the text annotation work. Using advanced NLP techniques, the system can perform in-depth annotation processing on the obfuscation output report, extract the key information, and present it in a structured form. This not only improves the readability of the information but also facilitates subsequent analysis and evaluation.

Finally, based on the output text, the simulation software obfuscation system obtains the obfuscation annotation report corresponding to the obfuscation output report. This report is the final result of the text annotation work: it records the key information of the obfuscation output report in detail and presents it in a clear, structured form. Through this report, the simulation software obfuscation system can understand and evaluate more accurately the effect of the red team attack simulation task and its relevance to the simulation scenarios, providing strong support for subsequent network security protection work.

Thus, the technical solution of performing text annotation processing on the obfuscation output report between the red team attack simulation task to be obfuscated and the simulation scenario sequence is a complex and detailed process. It involves several key steps and techniques, including associated report semantic mining, determination of the knowledge annotation connection feature and the annotation depth quantization weight, setting of the text annotation compliance condition, application of the NLP text annotation algorithm, and generation of the obfuscation annotation report. Through these steps, the simulation software obfuscation system can effectively extract and clarify the key information in the obfuscation output report, providing strong support for subsequent network security protection work.

Further, FIG. 2 is a schematic structural diagram of a simulation software obfuscation system 200 provided in an embodiment of the present invention. The simulation software obfuscation system 200 shown in FIG. 2 includes a processor 210, which can call and run a computer program from a memory to implement the method in the embodiments of the present invention.

Optionally, as shown in FIG. 2, the simulation software obfuscation system 200 may further include a memory 230. The processor 210 may call and run a computer program from the memory 230 to implement the method in the embodiments of the present invention.

The memory 230 may be a separate device independent of the processor 210, or may be integrated into the processor 210.

Optionally, as shown in FIG. 2, the simulation software obfuscation system 200 may further include a transceiver 220, and the processor 210 may control the transceiver 220 to interact with other devices; specifically, it may send information or data to other devices or receive information or data sent by other devices.

Optionally, the simulation software obfuscation system 200 may implement the corresponding processes of the storage engine, of components in the storage engine (such as a processing module), or of a device in which the storage engine is deployed in each method of the embodiments of the present invention, which are not described again here for brevity.

It should be understood that the processor in the embodiments of the present invention may be an integrated circuit chip with signal processing capability.

It can be understood that the memory in the embodiments of the present invention may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. It should be noted that the memory of the systems and methods described herein is intended to include, but is not limited to, suitable types of memory.

On the above basis, a readable storage medium is provided, on which a program or instructions are stored; when the program or instructions are executed by a processor, the steps of the above method are implemented.

The embodiments of the present invention have been described above with reference to the accompanying drawings, but the present invention is not limited to the specific embodiments described above. The specific embodiments described above are merely illustrative, not restrictive. Under the teaching of the present invention, those of ordinary skill in the art can make many other forms without departing from the purpose of the present invention and the scope of its protection, all of which fall within the protection of the present invention.

Claims (10)

1. A red team attack simulation software obfuscation method based on dynamic encryption and decryption, characterized in that it is applied to a simulation software obfuscation system and comprises the following steps:
obtaining vulnerability attack penetration information corresponding to each simulated attack event of a red team attack simulation task to be obfuscated, an attack event behavior log of the simulated attack events, and a simulation scenario sequence corresponding to the red team attack simulation task to be obfuscated, wherein the simulation scenario sequence comprises attack scenario description texts corresponding to the simulated attack events;
performing frequent-item attack event localization on the red team attack simulation task to be obfuscated based on the attack event behavior log and the vulnerability attack penetration information, to obtain frequent-item simulated attack events among the simulated attack events;
performing simulated attack period disassembly on the red team attack simulation task to be obfuscated according to the frequent-item simulated attack events, to obtain a plurality of simulated attack periods;
performing behavior detection on each of the plurality of simulated attack periods to obtain target simulated attack events of each simulated attack period; and
performing dynamic encryption and decryption obfuscation on each of the plurality of simulated attack periods according to the target simulated attack events and the target attack scenario description texts corresponding to the target simulated attack events in the simulation scenario sequence, to obtain an obfuscation output report between the red team attack simulation task to be obfuscated and the simulation scenario sequence, wherein the obfuscation output report indicates an obfuscation evaluation view between each simulated attack event of the red team attack simulation task to be obfuscated and each attack scenario description text in the simulation scenario sequence.
2. The method of claim 1, wherein the attack event behavior log includes an event priority status feature of the simulated attack events, and performing dynamic encryption and decryption obfuscation on each of the plurality of simulated attack periods according to the target simulated attack events and the corresponding target attack scenario description texts in the simulation scenario sequence to obtain the obfuscation output report includes:
acquiring a scenario priority status feature of the target attack scenario description text;
determining, according to the difference between the event priority status feature of the target simulated attack event and the scenario priority status feature of the target attack scenario description text, a dynamic encryption and decryption delay and a priority error variable between each simulated attack period and the local attack scenario queue corresponding to that period, wherein the local attack scenario queue belongs to the simulation scenario sequence;
performing attack behavior mode jump analysis according to the priority error variable to obtain a target behavior mode jump feature corresponding to each simulated attack period, wherein the target behavior mode jump feature indicates a behavior mode jump record between the simulated attack period and its corresponding local attack scenario queue; and
for each simulated attack period, performing obfuscation attack test processing on the simulated attack period and the local attack scenario queue according to the target behavior mode jump feature and the dynamic encryption and decryption delay, to obtain the obfuscation output report.
3. The method of claim 2, wherein performing attack behavior mode jump analysis according to the priority error variable to obtain the target behavior mode jump feature corresponding to each simulated attack period comprises:
for each simulated attack period, determining a plurality of original behavior mode jump features according to the priority error variable;
determining an attack-defense process execution error corresponding to each of the plurality of original behavior mode jump features, wherein the attack-defense process execution error characterizes the response delay state between the simulated attack period and its corresponding local attack update scenario queue after obfuscation attack test processing is performed on the original behavior mode jump feature; and
determining the original behavior mode jump feature corresponding to the minimum attack-defense process execution error as the target behavior mode jump feature.
4. The method of any one of claims 1-3, wherein performing frequent-item attack event localization on the red team attack simulation task to be obfuscated based on the attack event behavior log and the vulnerability attack penetration information to obtain the frequent-item simulated attack events among the simulated attack events comprises:
determining an event influence coefficient of each simulated attack event based on the attack event behavior log and the vulnerability attack penetration information, wherein the event influence coefficient indicates the attack hidden-danger level of the simulated attack event in the red team attack simulation task to be obfuscated; and
determining the simulated attack events whose event influence coefficient meets a set coefficient requirement as the frequent-item simulated attack events;
wherein the attack event behavior log comprises a plurality of modularized attack-defense behavior records, the vulnerability attack penetration information comprises a plurality of vulnerability penetration trend features, and determining the event influence coefficient of each simulated attack event based on the attack event behavior log and the vulnerability attack penetration information comprises:
projecting the plurality of modularized attack-defense behavior records and the plurality of vulnerability penetration trend features into the same knowledge vector coordinate system to obtain a modularized attack-defense behavior vector for each modularized attack-defense behavior record and a vulnerability penetration vector for each vulnerability penetration trend feature; and
taking the modularized attack-defense behavior vector and the vulnerability penetration vector corresponding to each simulated attack event as influence feature variables and performing the influence coefficient operation for each simulated attack event, to obtain the event influence coefficient of each simulated attack event.
5. The method of any one of claims 1-3, wherein performing simulated attack period disassembly on the red team attack simulation task to be obfuscated according to the frequent-item simulated attack events to obtain the plurality of simulated attack periods comprises: taking the frequent-item simulated attack events as simulated attack main events, and disassembling the plurality of simulated attack events based on time-series periods to obtain the plurality of simulated attack periods.
6. The method of any one of claims 1-3, wherein performing behavior detection on each of the plurality of simulated attack periods to obtain the target simulated attack events of each simulated attack period comprises:
if the number of simulated attack events in the simulated attack period is greater than or equal to a set number, performing jump behavior detection on the simulated attack period to obtain at least one simulated attack detection event; and
determining the at least one simulated attack detection event and the frequent-item simulated attack event in the simulated attack period as the target simulated attack events of the simulated attack period.
7. The method of any one of claims 1-3, further comprising: if the number of simulated attack events in the simulated attack period is smaller than the set number, determining the frequent-item simulated attack event in the simulated attack period as the target simulated attack event of the simulated attack period.
8. The method of any one of claims 1-3, wherein obtaining the vulnerability attack penetration information corresponding to each simulated attack event of the red team attack simulation task to be obfuscated comprises:
performing randomized penetration behavior association on the red team attack simulation task to be obfuscated to obtain a target penetration behavior simulation project, wherein the target penetration behavior simulation project comprises a plurality of randomized penetration behavior commands;
performing migration association between each simulated attack event of the red team attack simulation task to be obfuscated and the plurality of randomized penetration behavior commands according to the attack event behavior log, to obtain the target randomized penetration behavior command corresponding to each simulated attack event; and
determining the vulnerability attack penetration information of the target randomized penetration behavior command as the vulnerability attack penetration information corresponding to the simulated attack event.
9. The method of any one of claims 1-3, wherein before obtaining the vulnerability attack penetration information corresponding to each simulated attack event of the red team attack simulation task to be obfuscated, the attack event behavior log of the simulated attack events, and the simulation scenario sequence corresponding to the red team attack simulation task to be obfuscated, the method further comprises:
acquiring a plurality of original simulated attack events having the same category label and the attack event behavior logs of the original simulated attack events;
combining the plurality of original simulated attack events based on simulation priority scores to obtain an original simulation task;
performing noise event localization on the original simulation task according to the attack event behavior logs to obtain noise simulated attack events among the plurality of original simulated attack events; and
filtering the noise simulated attack events out of the original simulation task to obtain the red team attack simulation task to be obfuscated.
10. A simulation software obfuscation system, comprising at least one processor and a memory; the memory stores computer-executable instructions; and the at least one processor executes the computer-executable instructions stored in the memory, causing the at least one processor to perform the method of any one of claims 1-9.
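As an added illustration of the event localization, period disassembly and target selection steps of claims 4 to 7 (example code written for this page, not the patent's own implementation), the following Python pipeline runs those steps over constructed simulated attack events. The influence-coefficient operation, the period split rule and the jump-detection rule are assumptions, since the claims name these steps without defining them; the event records and thresholds are constructed.

```python
"""Constructed example of claims 4-7: frequent-item event localization,
simulated attack period disassembly and per-period target event selection.
ASSUMED: the influence-coefficient formula, the period split rule and the
jump-detection rule; the claims name these steps but do not define them."""
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List


@dataclass
class SimulatedAttackEvent:
    event_id: str
    timestamp: int                   # seconds since simulation start (constructed)
    behavior_vector: List[float]     # modularized attack-defense behavior record, projected
    penetration_vector: List[float]  # vulnerability penetration trend feature, projected


def _dot(a: List[float], b: List[float]) -> float:
    return sum(x * y for x, y in zip(a, b))


def _norm(a: List[float]) -> float:
    return sqrt(_dot(a, a))


def event_influence_coefficient(ev: SimulatedAttackEvent) -> float:
    """Claim 4 'influence coefficient operation' (ASSUMED formula): cosine
    alignment of the behavior vector with the penetration vector, scaled by the
    penetration vector's magnitude, so aligned and severe events score high."""
    nb, npen = _norm(ev.behavior_vector), _norm(ev.penetration_vector)
    if nb == 0.0 or npen == 0.0:
        return 0.0  # degenerate record: no evidence of hidden danger
    cosine = _dot(ev.behavior_vector, ev.penetration_vector) / (nb * npen)
    return cosine * npen


def locate_frequent_item_events(events, coefficient_threshold):
    """Claim 4: events whose coefficient meets the set coefficient requirement."""
    return [ev for ev in events if event_influence_coefficient(ev) >= coefficient_threshold]


def disassemble_attack_periods(events, frequent):
    """Claim 5 (ASSUMED split rule): sort by time; each frequent-item main event
    opens a new period, and events before the first main event join the first period."""
    frequent_ids = {ev.event_id for ev in frequent}
    periods: List[List[SimulatedAttackEvent]] = []
    current: List[SimulatedAttackEvent] = []
    current_has_main = False
    for ev in sorted(events, key=lambda e: e.timestamp):
        is_main = ev.event_id in frequent_ids
        if is_main and current_has_main:
            periods.append(current)
            current, current_has_main = [], False
        current.append(ev)
        current_has_main = current_has_main or is_main
    if current:
        periods.append(current)
    return periods


def detect_jump_events(period, frequent_ids, jump_threshold):
    """Claim 6 'jump behavior detection' (ASSUMED rule): a non-main event whose
    behavior vector moves more than jump_threshold (Euclidean distance) from the
    previous event in the period is reported as a simulated attack detection event."""
    detected = []
    for prev, cur in zip(period, period[1:]):
        if cur.event_id in frequent_ids:
            continue
        step = sqrt(sum((x - y) ** 2 for x, y in zip(prev.behavior_vector, cur.behavior_vector)))
        if step > jump_threshold:
            detected.append(cur)
    return detected


def target_events_per_period(periods, frequent, set_number, jump_threshold):
    """Claims 6 and 7: a period with at least set_number events yields its main
    events plus jump-detected events; a smaller period yields only its main events."""
    frequent_ids = {ev.event_id for ev in frequent}
    targets: Dict[int, List[str]] = {}
    for idx, period in enumerate(periods):
        mains = [ev for ev in period if ev.event_id in frequent_ids]
        chosen = mains + detect_jump_events(period, frequent_ids, jump_threshold) \
            if len(period) >= set_number else mains
        targets[idx] = [ev.event_id for ev in chosen]
    return targets


# Constructed events in a 3-dimensional "knowledge vector coordinate system".
EVENTS = [
    SimulatedAttackEvent("e1", 0,   [1.0, 0.0, 0.0], [0.9, 0.1, 0.0]),  # aligned and severe
    SimulatedAttackEvent("e2", 30,  [0.9, 0.1, 0.0], [0.0, 0.2, 0.1]),  # weak follow-up
    SimulatedAttackEvent("e3", 60,  [0.0, 0.0, 1.0], [0.0, 0.0, 0.1]),  # abrupt behavior change
    SimulatedAttackEvent("e4", 120, [0.0, 1.0, 0.0], [0.1, 1.2, 0.0]),  # second main event
    SimulatedAttackEvent("e5", 150, [0.0, 0.9, 0.1], [0.0, 0.1, 0.0]),  # weak follow-up
]


def run_pipeline(events=EVENTS, coefficient_threshold=0.5, set_number=3, jump_threshold=1.0):
    """Run claims 4-7 end to end; returns {period index: [target event ids]}.
    With the constructed data: {0: ['e1', 'e3'], 1: ['e4']}."""
    frequent = locate_frequent_item_events(events, coefficient_threshold)
    periods = disassemble_attack_periods(events, frequent)
    return target_events_per_period(periods, frequent, set_number, jump_threshold)
```

Period 0 has three events, so claim 6 applies and the abrupt behavior change at e3 is added beside the main event e1; period 1 has only two events, so claim 7 applies and only the main event e4 is kept.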

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411091130.0A CN118890197B (en) 2024-08-09 2024-08-09 Dynamic encryption and decryption-based red team attack simulation software confusion method and system


Publications (2)

Publication Number Publication Date
CN118890197A true CN118890197A (en) 2024-11-01
CN118890197B CN118890197B (en) 2025-03-04

Family

ID=93225979


Country Status (1)

Country Link
CN (1) CN118890197B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119961893A (en) * 2025-01-14 2025-05-09 北京通宇华洲科技有限公司 Software security management method and system based on artificial intelligence

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104410617A (en) * 2014-11-21 2015-03-11 西安邮电大学 Information safety attack and defense system structure of cloud platform
CN111209570A (en) * 2019-12-31 2020-05-29 杭州安恒信息技术股份有限公司 Method for creating a security closed-loop process based on MITRE ATT&CK
CN115967643A (en) * 2022-12-02 2023-04-14 中国电信股份有限公司 Network security situation evaluation method and device, electronic equipment and readable storage medium
CN116009466A (en) * 2022-11-16 2023-04-25 浙江大学 A Forensics Method for Industrial Controller Control Logic Attack
CN117220993A (en) * 2023-10-14 2023-12-12 广州亿商网络科技有限公司 Network security test evaluation method and system
CN118018244A (en) * 2023-12-29 2024-05-10 绿盟科技集团股份有限公司 Network security testing method and related device

Also Published As

Publication number Publication date
CN118890197B (en) 2025-03-04

Similar Documents

Publication Publication Date Title
US20200410399A1 (en) Method and system for determining policies, rules, and agent characteristics, for automating agents, and protection
Gezer et al. A flow-based approach for Trickbot banking trojan detection
Wasicek et al. Aspect-oriented modeling of attacks in automotive cyber-physical systems
Xue et al. Detection and classification of malicious JavaScript via attack behavior modelling
Rekhis et al. A system for formal digital forensic investigation aware of anti-forensic attacks
Kindy et al. A detailed survey on various aspects of sql injection in web applications: Vulnerabilities, innovative attacks, and remedies
Li et al. Security attack analysis using attack patterns
Giffin et al. Automated discovery of mimicry attacks
Cimitile et al. Formal methods meet mobile code obfuscation identification of code reordering technique
CN118890197B (en) Dynamic encryption and decryption-based red team attack simulation software confusion method and system
Bridges et al. Beyond the hype: A real-world evaluation of the impact and cost of machine learning-based malware detection
Myers et al. MAD-IoT: Memory anomaly detection for the Internet of Things
Huckelberry et al. Tinyml security: Exploring vulnerabilities in resource-constrained machine learning systems
Sheikhi et al. Cyber threat hunting using unsupervised federated learning and adversary emulation
Chilese et al. One for all and all for one: Gnn-based control-flow attestation for embedded devices
CN109960940A (en) A log-based embedded device control flow proof method and system
Hossain et al. How secure is ai-based coding?: A security analysis using stride and data flow diagrams
Guo et al. Frontier AI's Impact on the Cybersecurity Landscape
Wahréus et al. Prompt, Divide, and Conquer: Bypassing Large Language Model Safety Filters via Segmented and Distributed Prompt Processing
Bridges et al. Beyond the Hype: An Evaluation of Commercially Available Machine Learning–based Malware Detectors
Garcia Jr Firmware modification analysis in programmable logic controllers
CN116318783A (en) Network industrial control equipment safety monitoring method and device based on safety index
Sorsa Protocol fuzz testing as a part of secure software development life cycle
Raihan et al. Detecting intrusions specified in a software specification language
Giffin Model-based intrusion detection system design and evaluation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant