CN107547546B - Lightweight high-interaction honeynet data transmission method and system based on card computers - Google Patents

Publication number
CN107547546B
Authority
CN
China
Legal status
Active
Application number
CN201710792134.5A
Other languages
Chinese (zh)
Other versions
CN107547546A (en)
Inventor
张田
刘洋
郑元杰
陈寿元
Current Assignee
Shandong Normal University
Original Assignee
Shandong Normal University

Abstract

The present invention relates to a lightweight high-interaction honeynet data transmission method and system based on card computers. The system consists of several card computers, each with a wireless network card attached, through which the card computer sets up a WiFi network. Several target machines join the WiFi network; each target machine is configured with different security vulnerabilities and is used to pose as an intruder and attack the card computers. A prepared system image is flashed onto each card computer, and the system of each card computer includes a high-interaction monitoring module. By interacting with target machines running different operating systems, the card computers discover and analyze intrusion behavior.

Description

Lightweight high-interaction honeynet data transmission method and system based on card computers
Technical field
The present invention relates to a lightweight high-interaction honeynet data transmission method and system based on card computers.
Background
With the rapid development and adoption of WiFi technology, wireless networks have greatly eased people's work and daily life and improved working efficiency across society. For ordinary users, however, the lack of security awareness and protective measures, together with the broadcast nature of the wireless transmission medium, means that WiFi users are often deceived by fake users or even attacked maliciously. On the other hand, the development of wireless interconnection technologies such as WiFi has brought unprecedented convenience to enterprise users, who can provide wireless network services not only to internal employees but also to other clients, visitors and so on. However, enterprises whose intranet access permissions are disorganized and whose access boundaries are poorly defined face huge security risks. Although most enterprises have their own protective measures, the losses caused when weak protections fail are more than an enterprise can bear.
A honeypot is a security technique that deploys a strictly monitored environment for attack detection, analysis and research. It can effectively capture unknown attack patterns and methods and performs extremely well. Compared with the passive defence of conventional tools, the most distinctive feature of a honeypot is that it can actively detect and respond to network intrusions and attacks and analyze the attacker's behavior patterns. And compared with a low-interaction honeypot, which merely discovers attacks, a high-interaction honeynet can simulate a real environment very faithfully, effectively deceiving the attacker and keeping the attacker engaged.
In the wireless security field, deployment and design schemes for high-interaction wireless honeynets are currently almost nonexistent. Product developers do not know what kind of device to choose as the core equipment, or how to deploy the devices so as to capture attackers' behavioral characteristics more effectively. Existing related inventions provide only a low-interaction honeypot design, which can merely discover attacks; once an attacker breaks into the wireless system, the attacker can easily tell that it has entered a honeypot system. Such designs also lack the ability to process data and log messages, and therefore cannot meet current needs.
Summary of the invention
In view of the deficiencies of the prior art, the present invention provides a lightweight high-interaction WiFi honeynet system based on card computers, which captures intruders' attack means and attack patterns in a timely manner through a rapidly deployed high-interaction honeynet system.
The technical solution of the present invention is as follows:
A lightweight high-interaction WiFi honeynet system based on card computers, comprising:
Several card computers, each with a wireless network card attached, the card computers setting up a WiFi network through the wireless network cards; several target machines are joined to the WiFi network, and each target machine is configured with different security vulnerabilities and is used to pose as an intruder and attack the card computers;
A prepared system image is flashed onto each card computer, and the system of each card computer includes a high-interaction monitoring module; the card computers discover and analyze intrusion behavior by interacting with target machines running different operating systems.
Further, the high-interaction monitoring module includes at least:
A traffic monitoring module, for monitoring all traffic flowing through the inside of the WiFi network;
A target machine interaction module, for enabling the several target machines that join the WiFi network to communicate with the card computers;
An attack detection module, for periodically detecting intrusion behavior and extracting the features of the intrusion behavior;
A matching module, for matching and mapping the detected intrusion behavior features against known intrusion behavior samples and determining from the matching-mapping result whether the intrusion is an unknown intrusion;
A suspicious traffic storage module, for separately extracting and storing the abruptly changed (mutation) traffic data in the traffic monitoring module;
A traffic clearing module, for periodically emptying the traffic monitoring module and the suspicious traffic storage module.
Further, the number of card computers is greater than or equal to the number of target machines.
Further, the target machines include at least, at the same time, iOS mobile terminals, Android mobile terminals and Windows mobile terminals.
Further, the high-interaction monitoring module also includes a wireless network card monitoring module, for capturing attack behavior that does not pass through the wireless access point, as an effective supplement to the data captured by the honeynet.
The present invention also provides a lightweight high-interaction honeynet data transmission method, comprising:
Setting up a WiFi network using card computers and wireless network cards, and joining several target machines to the WiFi network; the target machines communicate with the card computers, and the communication content includes at least: initiating Web requests, opening a mail service, instant messaging, and SSH connections;
The high-interaction monitoring module in the card computer stores all traffic flowing through the inside of the WiFi network and detects whether the WiFi network has been subjected to an unknown intrusion; if intrusion behavior is found, the intrusion behavior is entered into the database as a sample for analysis and the image is re-flashed; if there is no intrusion behavior, the database is emptied so that spare storage space is available at all times.
Further, the traffic flowing through the inside of the WiFi network is analyzed, and when the traffic changes abruptly, the intrusion behavior at that moment is marked; the intrusion behavior is detected at timed intervals, its features are extracted, a mapping result for the intrusion behavior is generated using a matching-mapping algorithm, and whether the intrusion behavior is an unknown intrusion is judged from the mapping result.
Further, the monitor mode of the wireless network card is enabled; in monitor mode the wireless network card does not need to connect to a wireless access point, and it is used to capture attack behavior that does not pass through the wireless access point, as an effective supplement to the data captured by the honeynet.
Further, attack behavior that does not pass through the wireless access point is captured using Aircrack-ng technology or wireless cracking attack methods.
Further, distributed encrypted storage is applied to the communication content, and the communication content is encrypted using a symmetric encryption algorithm.
Beneficial effects of the present invention:
(1) The honeynet construction method proposed by the invention is inexpensive and easy to deploy widely; flashing the image makes installation and restoration extremely convenient and fast, so rapid deployment can be achieved. In addition, packet storage and processing in the method are distributed, making full use of the storage and processing capacity of the miniature card computers; only suspected attack data is reported and stored, so network bandwidth is not consumed, deployment is convenient, and the lightweight advantage is fully realized.
(2) The architecture proposed by the invention can capture all relevant packets nearby, whether at the routing node or outside the wireless network, and can therefore discover all of an intruder's attack operations against smart devices. Because wireless networks differ from wired networks, some intrusion methods do not need to join the WiFi network at all and leave no traffic data inside the network; other similar wireless honeypots can only capture traffic changes inside the network and cannot capture attack means outside the wireless network.
(3) With a low-interaction wireless honeypot that merely discovers attacks, an intruder easily notices that there is no interaction on the network and can conclude that it has entered a honeypot system; the intruder will then clean up the traces of the intrusion and stop attacking. High-interaction honeynet designs are generally complex, but this invention greatly reduces the difficulty of deploying a high-interaction honeynet; it can simulate a real environment very faithfully, effectively deceive the attacker and keep the attacker engaged, and capture attack samples.
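Benefit (2) rests on the point that some wireless attacks never produce traffic inside the network and are visible only to a monitor-mode capture. The following Python code is an added example, not part of the patent: it assumes radiotap-prefixed 802.11 frames from the monitoring card and takes forged deauthentication/disassociation frames as one illustrative case; the function names, threshold and sample frames are constructed assumptions.

```python
import struct
from collections import Counter

# 802.11 management frames (type 0): subtype 10 = disassociation, 12 = deauthentication
WATCHED = {10: "disassoc", 12: "deauth"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(raw):
    """Parse one radiotap-prefixed frame. Returns (kind, receiver, transmitter, bssid)
    for watched management frames, or None for other frames and truncated input."""
    if len(raw) < 8:
        return None
    version, _pad, rt_len, _present = struct.unpack_from("<BBHI", raw, 0)
    if version != 0 or rt_len < 8 or len(raw) < rt_len + 24:
        return None
    fc0 = raw[rt_len]                      # first frame-control byte
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0 or subtype not in WATCHED:
        return None
    h = raw[rt_len:rt_len + 24]            # fc(2) dur(2) addr1 addr2 addr3 seq(2)
    return WATCHED[subtype], mac(h[4:10]), mac(h[10:16]), mac(h[16:22])

def off_network_alerts(frames, own_bssid, sent_by_ap=0, threshold=3):
    """Count deauth/disassoc frames that name the honeynet's BSSID.
    The honeynet AP knows how many such frames it sent itself (sent_by_ap);
    anything beyond that was injected by a station that never joined the network."""
    per_receiver = Counter()
    for raw in frames:
        parsed = parse_mgmt(raw)
        if parsed and parsed[3] == own_bssid:
            per_receiver[parsed[1]] += 1
    forged = max(0, sum(per_receiver.values()) - sent_by_ap)
    return {"forged": forged, "flood": forged >= threshold,
            "receivers": dict(per_receiver)}

def _mac_bytes(m):
    return bytes.fromhex(m.replace(":", ""))

def constructed_frame(fc0, receiver, transmitter, bssid):
    """Build sample capture bytes (constructed test input for the parser)."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)           # minimal 8-byte radiotap header
    header = (bytes([fc0, 0]) + b"\x00\x00" + _mac_bytes(receiver)
              + _mac_bytes(transmitter) + _mac_bytes(bssid) + b"\x00\x00")
    return radiotap + header + b"\x07\x00"                # 2-byte frame body

# Constructed, locally administered addresses: honeynet AP and one target machine.
AP = "02:00:00:00:00:01"
TARGET = "02:00:00:00:00:11"
OTHER = "02:00:00:00:00:99"
SAMPLE_CAPTURE = (
    [constructed_frame(0x80, "ff:ff:ff:ff:ff:ff", AP, AP)] * 2   # beacons, ignored
    + [constructed_frame(0xC0, TARGET, AP, AP)] * 4              # deauths claiming the AP as sender
    + [constructed_frame(0xC0, TARGET, OTHER, OTHER)]            # belongs to another BSSID
    + [b"\x00\x00\x08"]                                          # truncated capture record
)

if __name__ == "__main__":
    print(off_network_alerts(SAMPLE_CAPTURE, AP))
```

Because the honeynet operates the access point, it can pass the AP's own count of sent deauthentication frames as `sent_by_ap`, so legitimate disconnects are not reported as forged.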
Brief description of the drawings
Fig. 1 is a schematic diagram of the lightweight high-interaction WiFi honeynet system based on card computers according to the invention.
Detailed description of the embodiments:
The invention is further described below with reference to the accompanying drawing and an embodiment:
It should be noted that the following detailed description is illustrative and is intended to provide further explanation of the application. Unless otherwise indicated, all technical and scientific terms used herein have the same meaning as commonly understood by a person of ordinary skill in the technical field to which the application belongs.
It should be noted that the terms used here are only for describing specific embodiments and are not intended to limit the exemplary embodiments according to the application. As used herein, unless the context clearly indicates otherwise, the singular form is also intended to include the plural form; in addition, it should be understood that when the terms "comprising" and/or "including" are used in this specification, they indicate the presence of features, steps, operations, devices, components and/or combinations thereof.
A typical embodiment of the invention is a lightweight high-interaction WiFi honeynet system based on card computers, as shown in Fig. 1. In order to analyze intrusion behavior, we first build the honeynet system, that is, the interaction camouflage layer, which includes several miniature card computers, several target machines posing as users, and several wireless network cards. The wireless network cards are plugged into the card computers and can enable monitor mode and set up a wireless AP, forming the WiFi network.
The miniature card computers and wireless network cards jointly build the WiFi network and, acting as wireless APs, provide network coverage for the whole area; the target machines can join this wireless network and carry out simulated communication.
Each miniature card computer contains a high-interaction monitoring module for interacting with the target machines. This in turn includes a traffic monitoring module, for monitoring all traffic flowing through the inside of the WiFi network, covering both local traffic monitoring and wireless traffic monitoring;
A target machine interaction module, for enabling the several target machines that join the WiFi network to communicate with the card computers and for providing network services to the target machines;
The card computers also include routers at each level, which provide the card computers' network service and store the traffic flows.
In the data analysis layer, the card computer has an attack detection module, for periodically detecting intrusion behavior and extracting its features. The attack detection module combines manual analysis with automatic detection: automatic detection invokes the matching module, which matches and maps the detected intrusion behavior features against known intrusion behavior samples and determines from the matching-mapping result whether the intrusion is an unknown intrusion, yielding a determination of whether access is abnormal.
Manual analysis means that intrusion behavior and traffic are analyzed and judged by hand.
The high-interaction monitoring module additionally has a suspicious traffic storage module, for separately extracting and storing the abruptly changed (mutation) traffic data in the traffic monitoring module; a traffic clearing module, for periodically emptying the traffic monitoring module and the suspicious traffic storage module; and a wireless network card monitoring module, for capturing attack behavior that does not pass through the wireless access point, as an effective supplement to the data captured by the honeynet.
Returning to the interaction camouflage layer: the target machines in the experiment run several types of system, and each system should have the various basic service modules able to communicate with the miniature card computers; the target machines also contain security vulnerabilities deployed in advance.
In this embodiment, several Raspberry Pi card computers are used to build the lightweight high-interaction honeynet, with mac OS system mobile phones and Android phones of different versions as target machines. The specific steps are as follows:
Step (1): rapid deployment of the lightweight high-interaction honeynet;
(1) Flash the configured system image file onto the Raspberry Pi microcomputers (5); the image file contains: a WiFi hotspot setup module, a WiFi monitoring module, a target machine interaction module, an attack detection module, a matching module, a suspicious traffic storage module and a traffic clearing module;
(2) Start the WiFi hotspot setup module; the Raspberry Pi microcomputer calls the wireless network card, sets up the WiFi network and provides the basic WiFi network service;
(3) The Raspberry Pi microcomputer stores all traffic flowing through it;
(4) Target machines of each system (3 of each kind of system) join the honeynet that has been built and start their basic services, interacting with the target machine interaction module in the Raspberry Pi; methods of interaction include but are not limited to: timed Web requests, opening a mail service, instant messaging software, SSH connections, etc.;
Step (2): discovering intrusion behavior;
(5) Start the attack detection module in the Raspberry Pi microcomputer and detect whether the WiFi network has been subjected to an unknown intrusion; methods of detecting attacks include but are not limited to: traffic analysis, feature detection, connections from unfamiliar devices, etc.;
(6) Enable the wireless monitoring network card in the miniature card computer and monitor all packets transmitted over the air, analyzing attack behavior and methods that do not pass through the wireless AP as an effective supplement to the data captured by the honeynet; methods of monitoring the wireless network include but are not limited to: capturing over-the-air wireless packets with Aircrack-ng and matching them against the methods of wireless attack tools;
Step (3): response to intrusion behavior;
(7) Using distributed encrypted storage technology, encrypt and store the packets flowing through the local Raspberry Pi microcomputer and the packets, captured by wireless network card monitoring, that are not connected to the WiFi; encryption methods include but are not limited to: file hiding technology, file encryption technology, symmetric encryption algorithms, etc.; storage technologies include but are not limited to: uploading to cloud storage, local storage, etc.;
(8) After the intruder has finished the intrusion, re-flash the image to prevent the intruder from leaving a backdoor.
(9) Enter the intrusion behavior sample into the database for analysis by security personnel and researchers.
(10) If there is no intrusion, periodically empty all packets to prevent the storage space from filling up.
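Steps (3), (5), (9) and (10) above form a loop: store traffic, flag abrupt changes, match extracted features against known samples, then clear storage. The following Python code is an added example, not code from the patent. The patent does not specify the mutation test or the matching-mapping algorithm, so the byte-count spike test, the (protocol, port) features, the Jaccard matching, all names and the sample flows are assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    src: str        # sender address as seen by the card computer
    proto: str
    dport: int
    nbytes: int

def jaccard(a, b):
    """Set similarity in [0, 1]; two empty sets count as no match."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

@dataclass
class HoneynetMonitor:
    known_samples: dict                    # sample name -> frozenset of (proto, dport)
    spike_factor: float = 3.0              # assumed: mutation if bytes > factor * baseline
    match_threshold: float = 0.5           # assumed similarity needed to call it "known"
    history: deque = field(default_factory=lambda: deque(maxlen=5))
    baseline_features: set = field(default_factory=set)
    traffic_store: list = field(default_factory=list)      # step (3): all traffic
    suspicious_store: list = field(default_factory=list)   # mutation windows only

    def observe(self, window):
        """Process one time window of flows; returns (verdict, matched sample name)."""
        self.traffic_store.append(window)
        total = sum(f.nbytes for f in window)
        feats = {(f.proto, f.dport) for f in window}
        baseline = sum(self.history) / len(self.history) if self.history else None
        if baseline is None or total <= self.spike_factor * baseline:
            # Normal window (or warm-up): it updates the baseline; spikes never do.
            self.history.append(total)
            self.baseline_features |= feats
            return ("normal", None)
        self.suspicious_store.append(window)
        # Feature extraction: services touched now that the simulated users never use.
        novel = frozenset(feats - self.baseline_features)
        best_name, best_score = None, 0.0
        for name, sample in self.known_samples.items():
            score = jaccard(novel, sample)
            if score > best_score:
                best_name, best_score = name, score
        if best_score >= self.match_threshold:
            return ("known", best_name)
        if novel:   # step (9): record the unknown intrusion as a new sample
            self.known_samples[f"unknown-{len(self.known_samples)}"] = novel
        return ("unknown", None)

    def purge(self, exported=False):
        """Step (10): empty stored traffic; suspicious windows go only once exported."""
        dropped = (len(self.traffic_store),
                   len(self.suspicious_store) if exported else 0)
        self.traffic_store.clear()
        if exported:
            self.suspicious_store.clear()
        return dropped

# Constructed sample data: three target machines doing Web, mail and SSH traffic.
BASELINE = [Flow("10.0.0.11", "tcp", 80, 1200), Flow("10.0.0.12", "tcp", 25, 800),
            Flow("10.0.0.13", "tcp", 22, 600)]
WINDOWS = [
    BASELINE, BASELINE, BASELINE,
    BASELINE + [Flow("10.0.0.99", "tcp", 23, 9000), Flow("10.0.0.99", "tcp", 2323, 4000)],
    BASELINE + [Flow("10.0.0.77", "udp", 1900, 20000)],
    BASELINE + [Flow("10.0.0.77", "udp", 1900, 20000)],
]

def run_demo():
    monitor = HoneynetMonitor(
        known_samples={"telnet-scan": frozenset({("tcp", 23), ("tcp", 2323)})})
    return [monitor.observe(w) for w in WINDOWS], monitor

if __name__ == "__main__":
    verdicts, monitor = run_demo()
    print(verdicts, monitor.purge(exported=True))
```

Keeping spike windows out of the baseline matters: otherwise a sustained attack would raise the average and later windows of the same attack would pass as normal.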
Those of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The honeynet set up under the scheme of the honeynet data transmission method proposed by the invention is inexpensive and easy to deploy at large scale; flashing the image makes installation and restoration extremely convenient and fast, so rapid deployment can be achieved. In addition, packet storage and processing in the method are distributed, making full use of the storage and processing capacity of the miniature card computers; only suspected attack data is reported and stored, so network bandwidth is not consumed, deployment is convenient, and the lightweight advantage is fully realized.
On the other hand, the architecture proposed by the invention can capture all relevant packets nearby, whether at the routing node or outside the wireless network. With a low-interaction wireless honeypot that merely discovers attacks, an intruder easily notices that there is no interaction on the network and can conclude that it has entered a honeypot system; the intruder will then clean up the traces of the intrusion and stop attacking. High-interaction honeynet designs are generally complex, but this invention greatly reduces the difficulty of deploying a high-interaction honeynet; it can simulate a real environment very faithfully, effectively deceive the attacker and keep the attacker engaged, and capture attack samples.
The foregoing are only preferred embodiments of the application and are not intended to limit the application; for those skilled in the art, various modifications and changes to the application are possible. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the application shall fall within the scope of protection of the application.

Claims (7)

1. A lightweight high-interaction WiFi honeynet system based on card computers, characterized by comprising:
Several card computers, each with a wireless network card attached, the card computers setting up a WiFi network through the wireless network cards; several target machines are joined to the WiFi network, and each target machine is configured with different security vulnerabilities and is used to pose as an intruder and attack the card computers;
A prepared system image is flashed onto each card computer, and the system of each card computer includes a high-interaction monitoring module; the card computers discover and analyze intrusion behavior by interacting with target machines running different operating systems; after the intruder has finished the intrusion, the image is re-flashed to prevent the intruder from leaving a backdoor;
The high-interaction monitoring module includes at least:
A traffic monitoring module, for monitoring all traffic flowing through the inside of the WiFi network;
A target machine interaction module, for enabling the several target machines that join the WiFi network to communicate with the card computers;
An attack detection module, for periodically detecting intrusion behavior and extracting the features of the intrusion behavior;
A matching module, for matching and mapping the detected intrusion behavior features against known intrusion behavior samples and determining from the matching-mapping result whether the intrusion is an unknown intrusion;
A suspicious traffic storage module, for separately extracting and storing the abruptly changed (mutation) traffic data in the traffic monitoring module;
A traffic clearing module, for periodically emptying the traffic monitoring module and the suspicious traffic storage module;
The high-interaction monitoring module further includes a wireless network card monitoring module, for capturing attack behavior that does not pass through the wireless access point, as an effective supplement to the data captured by the honeynet.
2. The system according to claim 1, characterized in that the number of card computers is greater than or equal to the number of target machines.
3. The system according to claim 1, characterized in that the target machines include at least, at the same time, iOS mobile terminals, Android mobile terminals and Windows mobile terminals.
4. A lightweight high-interaction honeynet data transmission method based on claim 1, characterized by comprising:
Setting up a WiFi network using card computers and wireless network cards, and joining several target machines to the WiFi network; the target machines communicate with the card computers, and the communication content includes at least: initiating Web requests, opening a mail service, instant messaging, and SSH connections;
The high-interaction monitoring module in the card computer stores all traffic flowing through the inside of the WiFi network and detects whether the WiFi network has been subjected to an unknown intrusion; if intrusion behavior is found, the intrusion behavior is entered into the database as a sample for analysis and the image is re-flashed; if there is no intrusion behavior, the database is emptied so that spare storage space is available at all times;
The monitor mode of the wireless network card is enabled; in monitor mode the wireless network card does not need to connect to a wireless access point, and it is used to capture attack behavior that does not pass through the wireless access point, as an effective supplement to the data captured by the honeynet.
5. The method according to claim 4, characterized in that the traffic flowing through the inside of the WiFi network is analyzed, and when the traffic changes abruptly, the intrusion behavior at that moment is marked; the intrusion behavior is detected at timed intervals, its features are extracted, a mapping result for the intrusion behavior is generated using a matching-mapping algorithm, and whether the intrusion behavior is an unknown intrusion is judged from the mapping result.
6. The method according to claim 4, characterized in that attack behavior that does not pass through the wireless access point is captured using Aircrack-ng technology or wireless cracking attack methods.
7. The method according to claim 4, characterized in that distributed encrypted storage is applied to the communication content, and the communication content is encrypted using a symmetric encryption algorithm.
CN201710792134.5A 2017-09-05 2017-09-05 Lightweight high-interaction honeynet data transmission method and system based on card computers Active CN107547546B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710792134.5A CN107547546B (en) 2017-09-05 2017-09-05 Lightweight high-interaction honeynet data transmission method and system based on card computers

Publications (2)

Publication Number Publication Date
CN107547546A (en) 2018-01-05
CN107547546B (en) 2019-11-12

Family

ID=60958190

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant