Today, various fields have become inextricably linked with the network. While network development has brought us convenience, "hackers" roaming the Internet have become a serious threat to network security, and penetration testing technique is the ability by which a "hacker" survives. There were "hackers" as early as Kevin Mitnick, who was among the first batch, and now there are a large number of "black hat hackers" who reap illegal benefits through the underground black chain. They are usually tight-lipped about penetration testing techniques, or only learn and share them within a community of interest. However, "white hat hackers" have broken the old pattern. They perform penetration tests on a target system or network under the premise of authorization. As some enterprises with high security needs have begun to adopt this approach to evaluate their own business and systems, penetration testing assessment methods have evolved into a popular area.

In this paper, we research penetration testing technology and security assessment methods. Penetration testing is an attack simulation in a real environment; it can find security risks that affect the business. Safety assessment is a security risk analysis method; it can assess the business's security risks and give the appropriate upgrade strategy. Through our research, we found that there are many similarities between the two methods, such as the analysis of system vulnerabilities and the system threat model. But there are problems in the following areas:

(1) Penetration testing places high demands on confrontation and customization. The penetration testing team needs to keep analyzing throughout the penetration operation. Only commercial products have automated penetration testing functions.

(2) There are many uncertain parameters in safety assessment methods. If vulnerabilities are found in a particular enterprise network or system, it cannot be determined whether an attack can use the vulnerability, or whether the enterprise's defensive measures can defend against it.

(3) There is a big gap with foreign countries in the fields of penetration testing and security assessment.

Based on the questions above, we carry out the penetration testing process automatically by building a knowledge database, and we increase the accuracy of safety assessment by using the results of penetration testing. Combining these two aspects, we research a Penetration Testing Evaluation Method Based on Knowledge Database.

Firstly, we study the process of penetration testing in depth and build a knowledge database combined with the tree method. Each chain of the knowledge database stores a complete penetration attack process. We use pre-determined goals and vulnerabilities to call the knowledge database content and execute penetration testing automatically.

Secondly, we study the safety assessment method in depth and design a new safety assessment process, based on the results of a penetration test, that meets the NIST guidelines. This gives certainty to the vulnerability assessment values used in the safety assessment. By also applying the vulnerability life cycle concept, the validity of the assessed value is strengthened theoretically. The correctness of the safety assessment will be further strengthened as the knowledge database continues to expand in the future.