CN103561004B - Cooperative active defense system based on honeynets - Google Patents

Cooperative active defense system based on honeynets

Info

Publication number: CN103561004B
Application number: CN201310500444.7A
Authority: CN (China)
Prior art keywords: server, data, attack, honey, global
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN103561004A
Inventors: 陶敬, 田决, 马小博, 李剑锋, 韩婷, 邹孙颖, 胡文君
Current assignee: Xian Jiaotong University
Original assignee: Xian Jiaotong University
Application filed by Xian Jiaotong University; priority to CN201310500444.7A; published as CN103561004A; application granted; published as CN103561004B; current legal status: Active.

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention proposes a cooperative active defense system based on honeynets, comprising a data capture module, a data analysis module and a data control module, characterized in that the data capture module, data analysis module and data control module are distributed across one honeynet center and multiple subnets. The invention relies on honeynet technology and adopts a cooperative active defense approach: attacker information captured by different honeynets is shared in real time, achieving active defense at the network layer and improving the initiative and timeliness of defense; it is suitable for large enterprise networks. A system built by this method has a very high defense rate, hit rate and robustness, and greatly reduces the delay between first discovering an attacker and deploying blocking across the whole network.

Description

Cooperative active defense system based on honeynets
Technical field
The present invention relates to the field of network security, and in particular to a cooperative active defense system based on honeynets.
Background technology
With the development of the Internet, network security faces increasingly severe threats. The main current network security threats are Trojans, worms, botnets, network eavesdropping, IPv6 threats, spyware and adware, zero-day vulnerabilities, and DDoS (distributed denial of service) attacks. Defending effectively against network security threats has become a top priority.
Network security defenses can be classified by the location of the defense into host-layer defense and network-layer defense, and by the timing of the defense into passive defense and active defense. Traditional passive host-layer defense methods are no longer sufficient to protect existing networks, which gave rise to the concept of active defense, generally meaning that a program autonomously discovers the characteristics of an attack so that the attacker cannot complete the attack on its target.
The representative active defense technology is the intrusion detection system (IDS), which, according to a certain security policy, monitors the running state of the network and its systems and finds, as far as possible, attack attempts, attack behavior or attack results, so as to ensure the confidentiality, integrity and availability of network system resources. Its timeliness and initiative are hard for conventional security measures to reach, and it also compensates for the inability of passive defense systems to protect against attacks of unknown type. But traditional intrusion detection systems still have defects: because the amount of information to be processed is very large, the quality of the attack-behavior classification model directly affects detection efficiency. Building an effective intrusion detection system is a huge knowledge engineering task, and because the development process is manual, the extensibility and adaptability of current intrusion detection systems are restricted. IDS frameworks in practical use can only handle one special audit data source, have high update costs, and are slow.
To overcome the limitations of traditional intrusion detection systems, a more automatic and efficient mechanism should be used; the honeypot is such a system. Lance Spitzner, founder of The Honeynet Project, gave the authoritative definition of a honeypot: a honeypot is a security resource whose value lies in being scanned, attacked and compromised. All network traffic flowing into or out of a honeypot may indicate scanning, attack or compromise. By deployment purpose, honeypots are divided into production honeypots and research honeypots; by level of interaction, into low-interaction and high-interaction honeypots. The advantages of honeypot technology include: high fidelity of the collected data, the ability to collect new attack tools and attack methods, no need for powerful resource support or large funding, and ease of mastery.
A honeynet comprises one or more honeypots; while keeping the network highly controllable, it provides multiple tools to facilitate the collection and analysis of attack information. Honeynets can effectively change the information asymmetry between defenders and attackers. At present, high-interaction honeynets are mainly used for the extraction, analysis and study of attack data: the massive data extracted by the honeynet is analyzed manually to mine the attacker's strategies, attack code, attack location and other related information. Although the purpose of defense can ultimately be achieved, this is passive defense; it requires large amounts of human participation, has serious lag, and is difficult to systematize and commercialize.
Summary of the invention
In view of the deficiencies of the prior art, the purpose of the present invention is to propose a cooperative active defense system based on honeynets which relies on honeynet technology, adopts a cooperative defense approach, can realize active defense at the network layer, and is suitable for large enterprise networks.
To achieve the above purpose, the present invention adopts the following technical solution:
A cooperative active defense system based on honeynets, comprising a data capture module, a data analysis module and a data control module, characterized in that:
the data capture module, data analysis module and data control module are distributed across one honeynet center and multiple subnets, wherein
the data capture module comprises a global log database located at the honeynet center, and a honeywall, multiple honeypot hosts, a remote log server and an intrusion detection server in each subnet;
the data analysis module comprises a statistics server, an attack pattern extraction server, a global malicious code analysis server, a comprehensive computation server, a global visualization server, a global statistics database and a global feature database located at the honeynet center, and a local online data analysis server in each subnet;
the data control module comprises a global control server, a global control database and a global intrusion behavior rule database located at the honeynet center, and a redirectable router and a firewall in each subnet.
The invention has the following advantages:
1. Honeynet technology is combined with active defense technology, overcoming the lag of the passive defense of traditional honeynet technology, reducing the workload of manual analysis, and improving the timeliness and accuracy of defense.
2. Cooperative defense among multiple subnets compensates for the small scale, simple structure and single information source of a single subnet's honeynet, further improving the initiative and timeliness of defense.
3. Simple and efficient data analysis algorithms are used; the resulting defense policies have a very high defense rate and hit rate and a very low miss rate and false-hit rate.
4. The data collected by the honeynet has high reliability and controllability at low cost. No user reporting is needed, normal user communication is not affected, and user privacy is not leaked.
5. Defense is realized at the network layer, relieving the load on the firewall and the burden on user hosts running host-layer anti-virus software.
6. The deception module increases the robustness of the system.
Description of the drawings
Fig. 1 is the main module block diagram of the honeynet-based autonomous defense subsystem
Fig. 2 is the network deployment diagram of the honeynet-based autonomous defense subsystem
Fig. 3 is the main module block diagram of the honeynet-based cooperative active defense system
Fig. 4 is the network deployment diagram of the honeynet-based cooperative active defense system
Fig. 5 is the module block diagram of the honeynet-based autonomous defense subsystem with the deception module added
Detailed description of the invention
To make the purpose, technical solution and advantages of the present invention clearer, the invention is further described below in conjunction with the drawings and exemplary embodiments. It should be understood that the exemplary embodiments described here serve only to explain the invention and are not intended to limit its scope.
Before introducing the cooperative active defense system of the invention, the working mechanism of the honeynet-based autonomous defense subsystem must first be described. An enterprise network can be divided into multiple subnets, usually by network segment in a class C network and by subnet mask within class A and class B networks. The honeynet-based autonomous defense subsystem is deployed within a single subnet and has three main modules and one additional module. As shown in Figs. 1 and 5, the three main modules are the data capture module, the data analysis module and the data control module; the additional module is the intrusion deception module.
The honeynet-based autonomous defense subsystem is deployed within a single subnet, i.e. the honeynet and the user network are in the same network segment, as shown in Fig. 2, which marks not only the main hardware but also the distribution of modules and the direction of data flow. The data capture module comprises a honeywall, multiple honeypot hosts, a remote log server, a log database and an intrusion detection server. The data analysis module comprises an offline data analysis server, an online data analysis server, a visualization server, a malicious code analysis server, a statistics database and a feature database. The data control module comprises a control server, a control database, a router, the honeywall, a firewall and an intrusion behavior rule database.
1. Data capture module
The data capture module is the input module, comprising the honeywall, multiple honeypot hosts, the remote log server, the log database and the intrusion detection server.
(1) Honeywall (honeynet gateway)
A honeynet can be placed outside the firewall, inside it, or in the DMZ (demilitarized zone); it is usually placed in the DMZ between the user network and the external network, i.e. the region between the trusted user intranet and the untrusted external network. For the user network the honeynet is a dangerous region, because honeypots are the hosts most easily compromised; once an attacker uses a honeypot as a springboard to attack the user network, the active defense system does more harm than good. The honeywall is the only barrier between the honeynet and the user network. It has three network interfaces: eth0 connects to the external network, eth1 connects to the honeynet, and eth2 serves as a covert channel connected to a monitoring network. The honeywall is a link-layer bridging device invisible to the hacker; as the only connection point between the honeynet and other networks, all traffic flowing into or out of the honeynet passes through it and is controlled and audited. Because the honeywall works as a bridge at the link layer, it neither decrements the TTL of network packets nor performs network routing, and it does not expose its own MAC address, so to the attacker it is invisible.
(2) Honeypot hosts
The three honeypot hosts run a malicious code capture program at ring 0; because it runs at ring 0 it is hard for the hacker to discover. Malicious code placed on a honeypot host by the hacker, automatically or manually, is transmitted by this program over the covert channel to the malicious code analysis server. A virtual machine on that server runs a sandbox program in which the malicious code is analyzed; the analysis results are applied in the data control module. All honeypot hosts need to be maintained once after a period of operation.
(3) Client honeypot tools
To increase the initiative of the honeynet, client honeypot tools with web-crawler functionality, such as Capture-HPC, can be run on some honeypots; they automatically search for malicious servers and detect web pages carrying malicious code (drive-by downloads), strengthening the function of the data capture module.
(4) Remote log server and log database
The remote log server stores the data sent by the honeynet in real time in the log database, and periodically transmits the data in the log database to the data analysis module.
(5) Intrusion detection server
Considering that an attacker may directly, or first, invade the user network, in order to increase the robustness of the system the honeynet is combined with an intrusion detection system based on behavioral features. An intrusion detection server is placed in front of the user network; through the port mirroring function of the router it inspects all traffic passing to and from the user network. Once a rule in the intrusion behavior rule database is matched, the traffic is judged to be an intrusion and the result is sent to the control server, which directly modifies the firewall rules, thereby compensating for active defense when the honeynet fails. In addition, assigning domain names to the honeypot hosts will make them attract more attacks, but this increases the potential danger to the user network.
2. Data analysis module
The data analysis module merges, mines and analyzes the information captured by the different data capture modules, discovers in time the dangerous information that may exist in the network, and transmits control strategies in time to the data analysis module of each subnet, so as to achieve advance warning, real-time maintenance and periodic revision. As examples, this module can apply mature information fusion, data mining and honeynet attack analysis techniques. For instance, mathematical methods such as clustering and matrix transformation are used to produce a defense blacklist for changing firewall rules, and attack patterns and malicious code are extracted for changing intrusion behavior rules. This module is the core module of the system. It comprises the offline analysis server, the online analysis server, the visualization server, the malicious code analysis server, the statistics database and the feature database.
(1) Online analysis server
All honeynet traffic data is transmitted from the remote log server to the online analysis server, which in real time matches packet header information against the attack signatures in the feature database, formulates some simple defense policies, and transmits the blacklist to be defended against to the control server in real time.
(2) Offline analysis server
All honeynet traffic data is transmitted from the remote log server to the offline analysis server, whose characteristics are accuracy and complexity. It computes statistical indices of the data over one cycle (hour, day, week), updates the statistics database, extracts attack features and patterns, updates the feature database, predicts attack trends from the data of previous cycles, formulates defense policies, and periodically transmits the blacklist to be defended against to the control server.
(3) Malicious code analysis server
Malicious code captured by the honeypots is transmitted automatically or manually to the malicious code analysis server, which runs it in its sandbox, extracts its features and updates the feature database.
(4) Visualization server
The visualization server reads data from the statistics database and the feature database and plots it as charts, so that administrators can understand the running state of the whole system in a timely manner.
3. Data control module
The data control module is the module that finally executes active defense and is the output module of the system; it comprises the control server, the control database, the router, the honeywall, the firewall and the intrusion behavior rule database. Data control has two aspects: internal control, comprising the router and the honeywall, and external control, comprising the firewall and the intrusion behavior rule database.
(1) Internal control
Internal control means preventing attacks from internal hosts, mainly attacks from the honeypot hosts, and involves the router and the honeywall. The router can modify routing rules to assist the honeywall in data control. The honeywall imposes no restriction on inbound packets, so that the hacker can compromise the honeynet, but attacks launched outward by the hacker using the honeynet as a springboard are strictly controlled. The control methods include attack packet suppression and limiting the number of outbound connections.
(2) External control
External control means preventing attacks from external hosts and involves the firewall and the intrusion behavior rule database. Through the defense blacklist the firewall defends against known attacker locations and known attack patterns; a protection whitelist ensures that trusted host addresses are not blocked by mistake; and the firewall can intercept packets sent from spoofed IP addresses by methods such as reverse route lookup on the router and filtering of reserved IP addresses. The intrusion behavior rule database provides the known attack patterns that the intrusion detection server of the data capture module defends against.
(3) Control server
The control server is the core of the data control module. It combines the commands from the online analysis server and the offline analysis server with the data in the control database to modify the rules of the honeywall, the firewall and the intrusion behavior database, realizing defense against all attacks, especially emerging attacks and even unknown attacks.
(4) Control database
The control database stores all commands received and sent by the control server, so that when a fault occurs they can be checked and recovered.
4. Intrusion deception module
To strengthen the robustness of the system, consider that an attacker may use a honeypot host as a springboard to attack the remaining hosts in the subnet. Since the packets the honeypot sends to the user network are intercepted by the firewall of the data control module, the attacker's second-stage attack receives no response, and the attacker is likely to discover that the compromised host is a honeypot. Once the hacker discovers its true nature, the honeypot host loses its effectiveness.
As shown in Fig. 2, the intrusion deception module comprises a honeyfarm host, a honeywall server and a redirecting router. The honeyfarm is a mirror of the user network, simulating its IP addresses, ports, operating systems and so on; it can be implemented on a single host with virtual honeypot technology. Using redirection on the router, packets sent by the honeypot to the user network are forwarded to the honeyfarm host, and the data the honeyfarm sends back to the honeypot is passed on to the attacker through the honeywall. The attacker then believes the attack succeeded, while the system has achieved the purpose of defense without the honeynet being discovered by the hacker, thus achieving deception. The module block diagram of the honeynet-based autonomous defense subsystem with the intrusion deception module added is shown in Fig. 5.
The above concerns the logical implementation of the system; the physical implementation is now considered, still for the case where the user network lies in the same network segment. In one embodiment, the honeynet uses three high-interaction server-side honeypot hosts (running Linux, Win2K and WinXP respectively). Since the user network is not very large, the computational burden is not very heavy, and multiple services can be merged onto one host. The IDS is implemented with Snort; malicious code capture uses the HoneyBow software of Peking University or the malbox software of Xi'an Jiaotong University; the honeywall and the data analysis module can both be installed on one host. The honeywall software of the Honeynet Project has a graphical user interface and can be used directly for system configuration, management and data analysis. Alternatively, the botwall software of Xi'an Jiaotong University parses the captured pcap files, reads the attack data from them, and computes for each cycle the distribution of attacking hosts, the distribution of attacked ports, the distribution of attack protocols and so on; from the number of attacking hosts, attack protocol, attacked port, mean packet size and the like it clusters out attack patterns, draws trend charts from these data, makes appropriate predictions, and finally sends the blacklist and control rules to the firewall, where the blacklist contains source IP addresses and target ports.
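The following is an added example in Python, not code from the patent or from any of the software it names (Snort, HoneyBow, malbox, botwall). It models the steps described above for one subnet: the online analysis server matching packet header and payload information against signatures in a feature database, the per-cycle distributions kept by the statistics server, and the firewall blacklist of (source IP, target port) pairs, with the protection whitelist keeping trusted hosts from being blocked by mistake. The signature database, the whitelist prefix, all addresses and all function names are hypothetical.

```python
"""Added example, not the patent's own code: a minimal model of one subnet's
online analysis server and the firewall policy it drives. Constructed
honeynet flow records are matched against attack signatures in a feature
database, the per-cycle distributions kept by the statistics server are
counted, and a firewall blacklist of (source IP, target port) pairs is built,
with a protection whitelist keeping trusted hosts from being blocked by
mistake. All addresses, signatures and prefixes are hypothetical."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One honeynet flow as the remote log server would store it."""
    src: str        # attacker address
    dst: str        # honeypot address
    dport: int      # attacked port
    proto: str      # transport protocol
    size: int       # bytes carried
    payload: bytes  # first bytes of payload (constructed)


# Constructed feature database: name -> (protocol, port, header/payload pattern).
SIGNATURES = {
    "ssh_bruteforce": ("tcp", 22, b"SSH-2.0-libssh"),
    "smb_worm": ("tcp", 445, b"\xffSMB"),
    "http_scan": ("tcp", 80, b"GET /phpmyadmin"),
}

# Protection whitelist: trusted user hosts are never blacklisted (constructed prefix).
WHITELIST = [ip_network("10.1.0.0/24")]

# Constructed sample traffic captured by the honeynet; 10.1.1.x are the honeypots.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.1.1.5", 22, "tcp", 120, b"SSH-2.0-libssh_0.8.1"),
    Flow("198.51.100.23", "10.1.1.6", 445, "tcp", 300, b"\x00\x00\x00\x54\xffSMBr"),
    Flow("10.1.0.15", "10.1.1.5", 80, "tcp", 200, b"GET /phpmyadmin/ HTTP/1.1"),
    Flow("203.0.113.7", "10.1.1.5", 80, "tcp", 150, b"GET /index.html HTTP/1.1"),
]


def match_signature(flow):
    """Return the name of the signature matching the flow's header and payload, or None."""
    for name, (proto, port, pattern) in SIGNATURES.items():
        if flow.proto == proto and flow.dport == port and pattern in flow.payload:
            return name
    return None


def is_trusted(src):
    """True when the source lies in the protection whitelist."""
    return any(ip_address(src) in net for net in WHITELIST)


def cycle_statistics(flows):
    """Distributions the statistics server records for one cycle (hour, day or week)."""
    attacks = [(f, n) for f in flows if (n := match_signature(f))]
    return {
        "attack_sources": Counter(f.src for f, _ in attacks),
        "attacked_ports": Counter(f.dport for f, _ in attacks),
        "protocols": Counter(f.proto for f, _ in attacks),
        "patterns": Counter(n for _, n in attacks),
        "mean_size": sum(f.size for f, _ in attacks) / len(attacks) if attacks else 0.0,
    }


def build_blacklist(flows):
    """(source IP, target port) pairs for the control server; whitelisted sources are skipped."""
    return sorted({(f.src, f.dport) for f in flows
                   if match_signature(f) and not is_trusted(f.src)})


def firewall_rules(blacklist):
    """Render blacklist entries as iptables-style DROP rules for the firewall."""
    return [f"-A INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip, port in blacklist]


if __name__ == "__main__":
    stats = cycle_statistics(SAMPLE_FLOWS)
    print(stats["attack_sources"], stats["attacked_ports"], stats["patterns"])
    for rule in firewall_rules(build_blacklist(SAMPLE_FLOWS)):
        print(rule)
```

The whitelisted host 10.1.0.15 still appears in the statistics (it did probe a honeypot) but never reaches the firewall blacklist, which is the distinction the protection whitelist is meant to enforce.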
On the basis of the honeynet-based autonomous defense subsystem described above, the honeynet-based cooperative active defense system of the present invention is now described in detail.
As the user network expands, the burden on the above autonomous defense subsystem keeps growing and its performance is severely affected; the performance problem can be solved by continually splitting out servers. However, once the user network no longer lies within one network segment, its complexity increases, its vulnerability increases, and defense becomes harder. No matter how many honeypot hosts are added, they cannot reflect the different characteristics of user networks in segments of different types, so the defense policies made by one honeynet are not applicable to users in other segments. It is therefore necessary to use distributed honeynets, i.e. to place several honeypot hosts in each subnet, where a network segment is regarded as a subnet. Cooperative active defense carried out jointly by multiple subnets can effectively overcome the vulnerability of the user network and obtain better active defense results. In addition, centralized analysis and control has a simple structure, is easy to deploy, reduces system workload and improves efficiency; more importantly, it achieves data sharing, interaction, coordination and synchronization among the many sub-honeynets, improving the initiative of defense. The cooperation realized here is with respect to each subnet, emphasizing the collaborative method among subnets; for the user network as a whole it remains autonomous active defense.
Specifically, the module block diagram of the honeynet-based cooperative active defense system is shown in Fig. 3. The data analysis module, separated out of each subnet and integrated, is the core module of the whole system; in addition, some databases are also centralized together. This strengthened data analysis module is called the honeynet center (honeycenter) and comprises a computation unit, a data unit, a control unit and visualization. The computation unit comprises the statistics server, the attack pattern extraction server, the global malicious code analysis server and the comprehensive computation server; the data unit comprises the global log database, the global statistics database, the global feature database, the global control database and the global intrusion behavior rule database; the control unit comprises the global control server; visualization comprises the global visualization server.
In addition, to ensure the robustness of each subnet and the real-time performance of the system, each subnet still retains its own local online analysis server, which formulates simple self-defense policies for the subnet in real time. The system deployment is shown in Fig. 4, which marks the distribution of the subnets and the honeynet center and the direction of data flow, omitting the distribution of individual modules. The cooperative active defense system likewise comprises a data capture module, a data analysis module and a data control module, but unlike the autonomous defense subsystem, the components of each of these modules are distributed across the honeynet center and the multiple subnets.
The data capture module comprises the global log database, and the honeywall, multiple honeypot hosts, remote log server and intrusion detection server in each subnet.
The data analysis module comprises the statistics server, the attack pattern extraction server, the global malicious code analysis server, the comprehensive computation server, the global visualization server, the global statistics database and the global feature database, and the local online data analysis server in each subnet.
The data control module comprises the global control server, the global control database, the global intrusion behavior rule database, and the redirectable router and firewall in each subnet.
The functions of the modules at the honeynet center are mainly introduced below.
(1) remote journal record server
The attack data that the sub-network data capture systems at place captures are transferred to overall situation log recording by remote journal record server Data base.
(2) overall situation log recording data base
Overall situation log recording data base preserves the attack that the next sub-network data capture systems of remote journal record server transport captures Data, extract server, comprehensive calculation server for statistical server, attack mode.
(3) statistical server
Statistical server extracts all data from overall situation log recording data base, and the project that can add up includes: data pack protocol Distribution, the distribution of data package size, the distribution of port, the distribution of persistent period, the distribution of IP region, the distribution of flow, The under fire distribution of port, the distribution of the distribution of attack source, under fire honey jar, the distribution attacking the period etc., all of statistics Project can be for global statistics, it is also possible to add up for part subnet.The information of all statistics is stored in global statistics number According to storehouse, according to changing over statistical distribution information, can effectively Forecast attack occur trend, can as formulate defence The foundation of strategy, and all statistical information can be processed as various icon, reflects the variation tendency of network security and whole intuitively Individual system operation situation.
(4) attack mode extracts server
Attack mode extracts server and mainly uses data mining and information fusion method to extract the attack mould of the unknown from daily record data Formula, attack pattern, to restore Attack Scenarios.First, all data extracted in overall situation log recording data base are carried out by it Attack filters, and only retains the packet representing attack.Then, it passes through clustering algorithm to attacking time data packet header Data process, and these data include average bag size, attack persistent period, attacked port, attack quantity, subnet of being injured Quantity etc., thus extract various attacks pattern, can cluster further from attack mode and obtain attack pattern, such as DDOS Attack, vulnerability scanning attack, leak injection attacks, worm attack etc..Finally, it restores according to time series analysis and attacks Hitting scene, the result obtained is stored into global characteristics data base, as comprehensive calculation server and the defence of on-line analysis server Policy development foundation, and showed intuitively by visualization server.Finally, attack mode extracts server and will attack mould The attack signatures such as formula control service transmission to overall situation intrusion behavior rule database, the attack to direct aggression user network by the overall situation Carry out Initiative Defense.
(5) comprehensive calculation server
Data in comprehensive calculation server comprehensive utilization data cell, are respectively directed to each subnet and produce corresponding defence policies. First, it carries out attack filtration to all data extracted in overall situation log recording data base.Then, it uses some to calculate Method, as used the blacklist generating algorithm of high predictability, determines relevant parameter by staqtistical data base and property data base, By sub network correlation degree analysis of being injured, Threat analysis and assailant's correlation analysis of aggressive behavior determine final defence policies, Modified as needed to fire wall blacklist and the high-risk subnet list that need to notify, the intranet and extranet that need to report to the police attack main frame list etc..? After, operation result transmission is controlled server to the overall situation by comprehensive calculation server.
In addition, as in the autonomous defence subsystem described above, the cooperative active defence system may also include an intrusion deception module to strengthen the robustness of the system. This intrusion deception module comprises honeyfarm hosts, a honeywall server and a redirecting router, and serves to deceive attackers and protect the honeynet.
Thus, by means of the integrated data analysis module, the cooperative active defence system has all the functions of autonomous active defence.
For whole network:
If the attacker is located on the external network, an attack from a known attacker address is intercepted directly by the firewall. If an attack of a known attack pattern first strikes a user network, it is discovered by the intrusion detection server, the control server modifies the firewall rules, and packets from this attacker's address are blocked. If an attack of a known attack pattern first strikes a honeynet, the on-line analysis server analyses the attacker's address, and the attacker is blocked by having the control server modify the firewall rules. If an attack of an unknown attack pattern first strikes a honeynet, the analysis by the computing unit extracts attack features and attack patterns from the traffic features and the malicious code analysis, updates the feature database, and has the control server update the firewall rules and the intrusion behaviour rule bases of all or some subnets; when the same class of attack strikes these honeynets or user networks again, it is intercepted by the firewall, which achieves active defence of the whole user network.
For single subnet:
If the attacker is a user on the internal network: if an attack of a known attack pattern first strikes other users in the subnet, it is discovered by the intrusion detection server, which through the control server notifies them and alerts the subnet; if an attack of a known attack pattern first strikes a honeynet, the local on-line analysis server analyses the attacker's address, and the local control server notifies them and alerts the subnet. If an attack of an unknown attack pattern first strikes a honeynet, the analysis at the honeynet centre extracts attack features and attack patterns from the traffic features and the malicious code analysis, updates the feature database, notifies them and alerts the subnet through the control server, and updates the intrusion behaviour rule base, which achieves active defence against attacks from the internal network.
If the attacker is a user in another subnet: if an attack of a known attack pattern first strikes other users in this subnet, it is discovered by the intrusion detection server, the local control server modifies the firewall rules to block packets from this attacker's address, and the global control server notifies and alerts the whole network. If an attack of a known attack pattern first strikes a honeynet, the on-line analysis server analyses the attacker's address, the local control server modifies the firewall rules to block the attacker, and the global control server notifies and alerts the whole network. If an attack of an unknown attack pattern first strikes a honeynet, the analysis at the honeynet centre extracts attack features and attack patterns from the traffic features and the malicious code analysis and updates the feature database; the local control server modifies the firewall rules to block the attacker, the global control server notifies and alerts the subnet, and the intrusion behaviour rule base is updated, which achieves active defence against attacks from the internal network.
Because information is shared, a single subnet can defend itself using the data captured by the honeynets of other subnets, which greatly improves the initiative and predictability of defence: attacks that would originally have been unknown to it mostly become known attacks, and its probability of being attacked falls markedly. In addition, to improve the interception success rate, the system takes full account of the complexity of each subnet, that is, a different defence policy is formulated for each subnet, and the more similar two subnets are, the more similar their defence policies. Once a honeypot is compromised, the honeywall stops the honeypot from attacking users, and the router redirects the attack data stream to the honeyfarm so that the intruder does not discover the honeypot. The defence effect is positively correlated with the analysis speed of the data unit and inversely correlated with the analysis cycle: the faster the off-line analysis, the better the effect of active defence. In addition, the protection effect is positively correlated with the breadth of honeynet distribution, that is, the more widely the honeynets are distributed, the better the effect of active defence.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
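An added example, not code from the patent, serving two passages at once: the highly predictive blacklist generation with victim-subnet correlation and attacker correlation analysis described for the comprehensive calculation server, and the point just made that more similar subnets receive more similar defence policies. The honeynet reports are constructed, and the scoring follows the published Highly Predictive Blacklisting idea (attacker relevance propagated along victim-subnet correlation) rather than the patent's exact formulas.

```python
import math

# Constructed honeynet reports: victim subnet -> attacker addresses its honeypots captured.
REPORTS = {
    "net-A": {"203.0.113.10", "203.0.113.11", "198.51.100.5"},
    "net-B": {"203.0.113.10", "203.0.113.11", "192.0.2.7"},
    "net-C": {"203.0.113.10", "192.0.2.7", "192.0.2.8"},
    "net-D": {"192.0.2.7", "192.0.2.8"},
    "net-E": {"198.51.100.99"},  # shares no attacker with anyone
}

def subnet_correlation(reports):
    """Victim-subnet correlation degree: cosine similarity of two subnets' attacker sets
    (shared attackers over the geometric mean of the set sizes); zero for a subnet with itself."""
    corr = {}
    for v, av in reports.items():
        for w, aw in reports.items():
            shared = len(av & aw) if v != w else 0
            corr[(v, w)] = shared / math.sqrt(len(av) * len(aw)) if shared else 0.0
    return corr

def attacker_relevance(reports, corr, v):
    """Relevance of every attacker to subnet v: the summed correlation of v with each other
    subnet that reported the attacker. An attacker v has never seen can still rank highly,
    which is what makes the resulting blacklist predictive."""
    attackers = set().union(*reports.values())
    return {a: sum(corr[(v, w)] for w, aw in reports.items() if w != v and a in aw)
            for a in attackers}

def blacklist(reports, v, size=3):
    """Per-subnet policy: top-`size` attackers ranked by relevance, then by how many subnets
    reported them, then by address. Zero-relevance attackers stay only if v itself saw them.
    Each entry is (address, relevance, predicted); predicted means v has not seen it yet."""
    corr = subnet_correlation(reports)
    rel = attacker_relevance(reports, corr, v)
    seen_by = {a: sum(a in aw for aw in reports.values()) for a in rel}
    ranked = sorted(rel, key=lambda a: (-rel[a], -seen_by[a], a))
    return [(a, round(rel[a], 3), a not in reports[v])
            for a in ranked if rel[a] > 0 or a in reports[v]][:size]

def policy_similarity(reports, v, w, size=3):
    """Jaccard overlap of two subnets' blacklists: correlated subnets get similar policies."""
    bv = {e[0] for e in blacklist(reports, v, size)}
    bw = {e[0] for e in blacklist(reports, w, size)}
    return len(bv & bw) / len(bv | bw) if bv | bw else 0.0

if __name__ == "__main__":
    for net in REPORTS:
        print(net, blacklist(REPORTS, net))
```

For net-A the top entry is 192.0.2.7, which net-A's own honeypots never captured; it is placed on the list because the subnets most correlated with net-A all reported it, while the isolated net-E receives nothing beyond what it saw itself.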

Claims (5)

1. A cooperative active defence system based on honeynets, comprising a data capture module, a data analysis module and a data control module, characterised in that:
the data capture module, the data analysis module and the data control module are distributed over one honeynet centre and a plurality of subnets, wherein
the data capture module comprises a global log recording database located at the honeynet centre and, in each subnet, a honeywall, a plurality of honeypot hosts, a remote log recording server and an intrusion detection server;
the data analysis module comprises, located at the honeynet centre, a statistical server, an attack pattern extraction server, a global malicious code analysis server, a comprehensive calculation server, a global visualization server, a global statistics database and a global feature database, and, in each subnet, a local on-line data analysis server;
the data control module comprises, located at the honeynet centre, a global control server, a global control database and a global intrusion behaviour rule database, and, in each subnet, a redirectable router and a firewall;
wherein the remote log recording server transfers the attack data captured in its subnet to the global log recording database, and the global log recording database stores the attack data transmitted by the remote log recording servers for use by the statistical server, the attack pattern extraction server and the comprehensive calculation server;
the statistical server extracts all data from the global log recording database and stores all statistical information in the global statistics database as a basis for formulating defence policies;
the attack pattern extraction server extracts the various attack patterns on the basis of the data extracted from the global log recording database, and transmits the attack signatures including the attack patterns through the global control server to the global intrusion behaviour rule database, so that attacks aimed directly at user networks are defended against actively;
the comprehensive calculation server applies attack event filtering to all data extracted from the global log recording database, then uses the highly predictive blacklist generation algorithm, determines the relevant parameters from the global statistics database and the global feature database, determines the final defence policy through victim-subnet correlation analysis, threat analysis of the attack behaviour and attacker correlation analysis, and transmits the result to the global control server.
2. The cooperative active defence system based on honeynets according to claim 1, wherein the items counted by the statistical server comprise: the distribution of packet protocols, the distribution of packet sizes, the distribution of ports, the distribution of durations, the distribution of IP regions, the distribution of traffic, the distribution of attacked ports, the distribution of attack sources, the distribution of attacked honeypots, and the distribution of attack periods.
3. The cooperative active defence system based on honeynets according to claim 1, wherein the attack pattern extraction server is specifically configured to:
first, apply attack filtering to all data extracted from the global log recording database, retaining only the packets that represent attacks;
then, process the packet-header data of the attack periods with a clustering algorithm to extract the various attack patterns, reconstruct the attack scenarios by time-series analysis, store the results in the global feature database as the basis on which the comprehensive calculation server and the local on-line data analysis server of each subnet formulate defence policies, and display them intuitively through the global visualization server;
finally, transmit the attack signatures including the attack patterns through the global control server to the global intrusion behaviour rule database, so that attacks aimed directly at user networks are defended against actively.
4. The cooperative active defence system based on honeynets according to claim 3, wherein the packet-header data comprise the average packet size, the attack duration, the attacked port, the attack count and the number of victim subnets.
5. The cooperative active defence system based on honeynets according to claim 1, further comprising an intrusion deception module for deceiving attackers, the intrusion deception module comprising honeyfarm hosts, a honeywall server and a redirecting router.
Application CN201310500444.7A, priority date 2013-10-22, filing date 2013-10-22: Cooperating type Active Defending System Against based on honey net, granted as CN103561004B (status: Active).

Publications (2)

Publication Number Publication Date
CN103561004A CN103561004A (en) 2014-02-05
CN103561004B true CN103561004B (en) 2016-10-12