CN110035079B - Honeypot generation method, device and equipment - Google Patents


Info

Publication number: CN110035079B
Application number: CN201910282730.8A
Authority: CN (China)
Prior art keywords: honeypot, image file, mirror image, server, container
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN110035079A (en)
Inventor: 宫汝林
Current Assignee: Advanced New Technologies Co Ltd (also listed as Advantageous New Technologies Co Ltd)
Original Assignee: Advanced New Technologies Co Ltd
Application filed by Advanced New Technologies Co Ltd; priority to CN201910282730.8A; published as CN110035079A; application granted and published as CN110035079B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L 67/1004 Server selection for load balancing
    • H04L 67/1012 Server selection for load balancing based on compliance of requirements or conditions with available server resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Abstract

The embodiments of this specification disclose a honeypot generation method, a honeypot generation device and honeypot generation equipment. The scheme comprises the following steps: acquiring a honeypot image file generated from the image file of a service server, where the honeypot image file is a file obtained from the image file of the service server and containing honeypot elements, and the honeypot elements are used to induce an attacker to attack; and generating a honeypot container according to the honeypot image file.

Description

Honeypot generation method, device and equipment
The present application relates to the field of computer data processing technologies, and in particular, to a honeypot generation method, apparatus, and device.
Background
A honeypot is a security resource whose value lies in being scanned, attacked and compromised. An agent is a computing entity that resides in a given environment, can act continuously and autonomously, and has characteristics such as residency, reactivity, sociality and initiative. At present, honeypot technology deploys honeypot agents that contain or simulate various vulnerabilities and false information on a service server, so that an attacker who illegally intrudes into a network or computer is induced to attack the honeypot agent; this reveals the attacker's identity, attack method and attack intention and provides relevant information for the security management of the real network and hosts. Because the honeypot agents on the market differ greatly from the service servers of each enterprise in system environment, network configuration, service content and so on, the deployed honeypot agents are easily identified by attackers.
Based on this, there is a need to provide honeypot deployment schemes that differ less from the service servers.
Disclosure of Invention
In view of this, embodiments of the present application provide a honeypot generation method, apparatus, and device, which are used to solve the problem that a honeypot deployment scheme with smaller difference from a service server needs to be provided.
In order to solve the above technical problem, the embodiments of the present specification are implemented as follows:
the honeypot generation method provided by the embodiment of this specification comprises the following steps:
acquiring a honeypot image file, where the honeypot image file is a file obtained from the image file of a service server and containing honeypot elements, and the honeypot elements are used to induce an attacker to attack;
and generating a honeypot container according to the honeypot image file.
The honeypot generation device provided by the embodiment of this specification includes:
a first acquisition module, used for acquiring a honeypot image file, where the honeypot image file is a file obtained from the image file of a service server and containing honeypot elements, and the honeypot elements are used to induce an attacker to attack;
and a honeypot container generation module, used for generating a honeypot container according to the honeypot image file.
The honeypot container provided by the embodiment of this specification is:
a honeypot container generated by the above honeypot generation method.
The honeypot generation equipment provided by the embodiment of this specification comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
acquire a honeypot image file, where the honeypot image file is a file obtained from the image file of a service server and containing honeypot elements, and the honeypot elements are used to induce an attacker to attack;
and generate a honeypot container according to the honeypot image file.
The at least one technical scheme adopted by the embodiments of this specification can achieve the following beneficial effects:
a file containing honeypot elements, obtained from the image file of the service server, is adopted as the honeypot image file, and a honeypot container is generated according to it. Because the honeypot image file is highly similar to the real image file of the service server, the difference between the generated honeypot container and the service server is reduced, an attacker cannot distinguish the deployed honeypot container, and the fidelity, concealment and practicability of the honeypot container are improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic flow chart of a honeypot generation method provided in an embodiment of this specification;
fig. 2 is a schematic diagram of a mapping relationship established between a honeypot container and a service server according to an embodiment of this specification;
fig. 3 is a schematic diagram of a mapping relationship established between a honeypot container and a service server according to an embodiment of this specification;
fig. 4 is a schematic structural diagram of a honeypot generation device provided in an embodiment of this specification;
fig. 5 is a schematic structural diagram of a honeypot generation device provided in an embodiment of this specification.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Before describing the present invention, a brief explanation of the concept involved in the present invention will be given.
Container virtualization technology: a lightweight, kernel-level, operating-system-layer virtualization technology and a widely accepted container-based mode of sharing server resources; it gives a system administrator great flexibility when building server instances on demand.
Mirroring (imaging): a form of information redundancy in which the data on one disk has an identical copy, the mirror, on another disk. A server image is a copy identical to the data of a designated server, including the designated server's programs, operating environment, configuration information, database, log information, operating system and similar information.
A Docker container (hereinafter simply a container) is a runtime instance of an image; it has the features of fast deployment, portability and environmental isolation. When a developer holds the image file of a server (or application), the developer can use container virtualization technology to create, on a machine or server, a container generated from that image file, so that the server (or application) corresponding to the image file runs on that machine or server. Containers can run on almost any platform, such as a physical machine, a virtual machine, a public cloud, a private cloud, a personal computer or a server; containers running on the same platform are isolated from one another; a container is a complete execution environment that does not depend on the system environment of its host; and the system overhead of running a container is low. A user can therefore migrate an application program from one platform to another efficiently and conveniently by means of containers.
A honeypot container: a running instance of a server (or application) image that contains or simulates various vulnerabilities and false information, used to induce an attacker to attack it so that the attack behaviour can be captured and analysed.
Security vulnerability: an unprotected entry point into a restricted computer, server, component, application or other online resource; that is, a flaw in the server's hardware, software or usage policy that may enable an attacker to access or damage the server without authorization.
As described in the background section, when honeypots for real service servers are constructed using agent technology, the deployed honeypot agents are easily identified by attackers because of the large differences between the honeypot agents and the real service servers in system environment, network configuration, service content and so on, so the security of the real network or servers cannot be protected and the effectiveness and practicability of such honeypot deployment schemes are poor. Since a single honeypot agent cannot effectively cover the whole network area, a large number of honeypot agents must be deployed on the enterprise's servers. However, honeypot agents occupy a large amount of system resources, and enterprise servers usually cannot bear the system overhead of the deployed honeypot agents.
In view of such problems, the inventor has noticed that, based on the container virtualization technology, a container generated according to an image file of a real service server has a very high similarity with the real service server, and the container occupies a small amount of system resources, which provides a realization basis for deploying a large number of honeypots with high fidelity.
In view of the above, the present invention provides a honeypot deployment method based on container virtualization technology: when a honeypot is deployed for a service server, a honeypot image file generated from the image file of the service server is acquired; the honeypot container generated from the honeypot image file is highly similar to the real service server in system operating environment, operating system, service content and so on; and the generated honeypot container occupies only a small amount of system resources, so that a large number of high-fidelity honeypots can be deployed conveniently.
Now that the concepts related to the present invention and the basic principles of the embodiments of the present invention are briefly described, the following will further describe in detail the implementation process of the present invention with reference to fig. 1 to 5.
Fig. 1 is a schematic flow chart of a honeypot generation method provided in an embodiment of this specification. From a procedural perspective, the executing subject of the flow may be, but is not limited to, a physical machine, a virtual machine, a cloud server or a server. The method can be applied to scenarios in which honeypots need to be generated for hosts, networks, applications, servers or the like.
For convenience of description, the following description will be made of an embodiment of the method, taking as an example a scenario in which the method is applied to generate honeypots for a service server. It is to be understood that the method of generating honeypot containers for business servers is only an exemplary illustration and should not be construed as a limitation of the method.
As shown in fig. 1, the process may include the following steps:
S101: acquiring a honeypot image file, where the honeypot image file is a file obtained from the image file of a service server and containing honeypot elements, and the honeypot elements are used to induce an attacker to attack.
The honeypot image file is the image required to generate a container that serves as a honeypot for the service server. The service server is a real server that processes the services submitted by clients; it can be a physical machine, a virtual machine, a server or a cloud server. For example, a service server may be a website (web) server, a file transfer (FTP) server, a database server and so on.
The image file of the service server refers to all files corresponding to the image of the service server. Specifically, the image file of the service server may include the operating environment configuration information, preinstalled programs and operating history data of the service server; for example, the preinstalled programs, operating environment configuration information, database, log information, enabled ports, installed plug-ins and operating system of the service server.
The honeypot image file can be obtained by processing the image file of the service server. The honeypot image file contains honeypot elements, which may include security vulnerabilities and false information. Honeypot image files can be generated in advance and stored in an image repository or database, so that when step S101 is executed the pre-stored honeypot image file can be acquired from the image repository or database conveniently and quickly.
S102: generating a honeypot container according to the honeypot image file.
The honeypot container is used to induce an attacker to attack it, so that the attack behaviour can be captured and analysed conveniently. The honeypot container can be deployed in a physical machine, a virtual machine, a cloud server or a server; it can receive service requests that an attacker initiates towards the service server and can monitor the attacker's attack information.
In the embodiment of this specification, a file containing honeypot elements, obtained from the image file of the service server, is used as the honeypot image file, and a honeypot container is generated according to it. Because the honeypot image file is highly similar to the real image file of the service server, the difference between the generated honeypot container and the service server is reduced, an attacker cannot distinguish the deployed honeypot container, and the fidelity, concealment and practicability of the honeypot container are improved. Because generating and running a container occupies only a small amount of server resources, and containers are portable and environmentally isolated, a large number of honeypots can be deployed efficiently and conveniently on each server using the honeypot generation method of this embodiment.
In one implementation of the embodiments of this specification, a way of generating the honeypot image file is provided. Specifically, before step S101 is executed, the following step may also be executed:
processing the image file of the service server to obtain the honeypot image file.
Processing the image file of the service server to obtain the honeypot image file may specifically include:
acquiring the image file of the service server; and processing the image file of the service server according to a security vulnerability setting rule to obtain the honeypot image file.
The image file of the service server is the data corresponding to the image of the real service server. When the image of the service server can be collected in real time, the image file of the service server may specifically refer to the data corresponding to the image of the service server collected in real time.
In practical applications, because different types of service servers process different services, the security vulnerabilities that may exist in them also differ. The security vulnerability setting rule can be determined according to actual requirements, combined with the function and type of the service server: data in the image file of the service server can be edited according to the rule to create a security vulnerability, and false data can be added to the image file according to the rule. For example, when the service server is a database server, the login passwords of some database user accounts in the desensitized image file may be changed according to the rule to a weak password such as "123", and some false user identity information may be added to attract attackers. Or, when the service server is a web server that is only accessible to hosts in a certain local area network, a port of the web server may be opened to public network access, and so on.
In the embodiment of this specification, the image file of the service server is processed according to the security vulnerability setting rule to obtain the honeypot image file. The honeypot image file obtained in this way has more realistic security vulnerabilities, and honeypot containers generated from it attract attackers more easily.
Since the honeypot image file in the above embodiment may contain real private data of users, the generated honeypot container is easier to attack, and if an attacker does attack it there is a risk of disclosing users' private data. Since the service server must respond to clients' service requests, it should generally be able to carry and guarantee the service, for example by being highly available. During the continuous operation of the service server, its functions, programs or configuration information may change, and a large amount of data may be generated, so that when step S101 is executed there is difference data between the pre-stored honeypot image and the image of the service server that could be further eliminated. Moreover, the image file of the service server is generally several gigabytes (GB) in size, a large part of which is information unrelated to generating the container of the service server. Since the size of the image file directly determines the amount of server resources occupied when the container is generated, it is necessary to provide a honeypot image file that is secure, small in data volume and differs little from the real-time image file of the service server.
In one implementation of the embodiments of this specification, another way of generating the honeypot image file is provided.
Specifically, after acquiring the image file of the service server, the method may further include:
determining the file type of each first subfile in the image file of the service server, where the file type is a deletion type or a retention type.
A first subfile is any one of the files contained in the image file of the service server. A first-subfile type determination rule may be set in advance according to the file content, occupied storage space, storage area, file format and so on that may appear in the image file, and the file type of each first subfile in the image file of the service server is determined according to that rule. For example, the rule may include: when the storage space occupied by a file is greater than or equal to a first threshold, its file type is determined as the deletion type; when the storage space occupied by a file is less than the first threshold, its file type is determined as the retention type. Or, the file type of a plug-in incompatible with the service server is determined as the deletion type, the file type of a plug-in that is compatible with the service server but not commonly used is determined as the deletion type, and so on. In practical applications, files unrelated to the operating environment of the service server, the programs required for its operation and the corresponding operating system can be assigned the deletion type.
And deleting the first subfile with the file type being the deletion type to obtain the compressed mirror image file.
And deleting the first subfile with the file type being the deletion type in the mirror image file of the service server to obtain the compressed mirror image file. The compressed image file comprises files related to the running environment, the program required by running and the corresponding operating system of the business server, and the like, and the similarity between the container generated according to the compressed image file and the business server in the aspects of the running environment, the service content, the operating system and the like is extremely high. However, the data size of the compressed image file is small, and can be generally controlled to be within a range from several MB (megabyte) to several hundred MB, and compared with the original image file of the service server, the data storage space required by the compressed image file is negligible, so that a very good resource compression ratio is realized, and the server resource consumption of the generated honeypot container can be reduced.
And desensitizing the compressed mirror image file to obtain a desensitized mirror image file.
In the embodiment of the present specification, desensitization processing may be performed on the compressed image file in the following manner: determining a second subfile with a sensitive file type identifier in the compressed image file; and desensitizing each second subfile according to the sensitive file type identifier of each second subfile. The second subfile is any one of the compressed mirror image files.
Specifically, the service server may be configured in advance to attach a corresponding sensitive file type identifier to files of a specified type or specified content. In that case, whether a second subfile of the compressed image file carries a sensitive file type identifier can be determined directly by checking the identifier on that subfile.
Or, the second subfiles carrying a sensitive file type identifier in the compressed image file may be determined according to a preset rule. The preset rule may include: determining files stored in a designated area and/or files in a designated file format as second subfiles carrying a sensitive file type identifier.
The sensitive file type identifier may include a deletion class, a modification class and a hiding class. Desensitizing each second subfile according to its sensitive file type identifier may specifically include: when the sensitive file type identifier of the second subfile is the deletion class, deleting the second subfile; when it is the modification class, modifying the second subfile; and when it is the hiding class, hiding the second subfile. Of course, the same desensitization method may also be used for second subfiles with different sensitive file type identifiers.
In the embodiment of this specification, a compressed image file is obtained by deleting the first subfiles of the deletion type from the image file of the service server, and the compressed image file is desensitized to obtain the desensitized image file of the service server. Because the storage space required by the compressed image file is greatly reduced compared with the original image file, the storage space of the desensitized image file of the service server is reduced, as are the server resources required when a honeypot container is generated from it.
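The compression step (first-subfile type determination) and the desensitization step (second-subfile sensitive identifiers with deletion, modification and hiding classes) described above, as an added example that is not the patent's own code. An image is modelled as a dictionary of subfile paths; the size threshold, the plug-in names, the sensitive areas and formats, the credential-masking pattern and the sample image are all constructed assumptions chosen so that each rule fires at least once.

```python
# Added example (not the patent's code): a model of the compression and
# desensitization steps. An image file is a dict mapping subfile path -> SubFile.
# Thresholds, plug-in names, path prefixes and the sample image are constructed
# assumptions chosen to exercise each rule.
import re
from dataclasses import dataclass

DELETE, RETAIN = "delete", "retain"                                  # first-subfile file types
DELETE_CLASS, MODIFY_CLASS, HIDE_CLASS = "delete", "modify", "hide"  # sensitive identifiers

FIRST_THRESHOLD = 50 * 1024 * 1024                       # assumed: subfiles >= 50 MB are deletion type
INCOMPATIBLE_PLUGINS = {"plugins/legacy_reporting.so"}   # assumed incompatible plug-in
UNCOMMON_PLUGINS = {"plugins/rarely_used_export.so"}     # assumed compatible but uncommon plug-in


@dataclass
class SubFile:
    size: int          # bytes of storage occupied
    content: str
    hidden: bool = False


def classify_first_subfile(path, subfile):
    """First-subfile type determination rule: deletion type or retention type."""
    if subfile.size >= FIRST_THRESHOLD:
        return DELETE
    if path in INCOMPATIBLE_PLUGINS or path in UNCOMMON_PLUGINS:
        return DELETE
    return RETAIN


def compress_image(image):
    """Drop every first subfile of the deletion type; the rest is the compressed image."""
    return {p: f for p, f in image.items() if classify_first_subfile(p, f) == RETAIN}


# Preset rule: files in designated storage areas or designated formats carry a
# sensitive file type identifier (deletion, modification or hiding class).
SENSITIVE_AREAS = {"data/users/": DELETE_CLASS, "etc/app/": MODIFY_CLASS, "logs/": HIDE_CLASS}
SENSITIVE_FORMATS = {".key": DELETE_CLASS}


def sensitive_identifier(path):
    """Return the sensitive file type identifier of a second subfile, or None."""
    for prefix, cls in SENSITIVE_AREAS.items():
        if path.startswith(prefix):
            return cls
    for suffix, cls in SENSITIVE_FORMATS.items():
        if path.endswith(suffix):
            return cls
    return None


SECRET_LINE = re.compile(r"^(?P<key>(?:db_)?password|api_key|token)\s*=.*$", re.I | re.M)


def mask_secrets(text):
    """Modification-class desensitization: blank out credential values in a config file."""
    return SECRET_LINE.sub(lambda m: f"{m.group('key')}=<redacted>", text)


def desensitize(compressed):
    """Apply delete / modify / hide to each second subfile according to its identifier."""
    result = {}
    for path, f in compressed.items():
        cls = sensitive_identifier(path)
        if cls == DELETE_CLASS:
            continue                                   # drop the file entirely
        if cls == MODIFY_CLASS:
            result[path] = SubFile(f.size, mask_secrets(f.content))
        elif cls == HIDE_CLASS:
            result[path] = SubFile(f.size, f.content, hidden=True)
        else:
            result[path] = f
    return result


# Constructed sample image of a service server (sizes in bytes).
SAMPLE_IMAGE = {
    "bin/app": SubFile(8_000_000, "<binary>"),
    "etc/app/app.conf": SubFile(512, "listen=10.0.0.5:8080\ndb_password=S3cret!\n"),
    "data/users/accounts.db": SubFile(2_000_000, "<real user records>"),
    "etc/tls/server.key": SubFile(3_000, "-----BEGIN PRIVATE KEY-----\n..."),
    "logs/app.log": SubFile(1_000, "2019-04-09 login alice\n"),
    "var/cache/blob.bin": SubFile(300 * 1024 * 1024, "<cache>"),
    "plugins/legacy_reporting.so": SubFile(40_000, "<plugin>"),
}


def build_desensitized_image(image=SAMPLE_IMAGE):
    """Compressed, then desensitized image: the input to the vulnerability-setting step."""
    return desensitize(compress_image(image))


if __name__ == "__main__":
    for path, f in build_desensitized_image().items():
        print(f"{path:24} hidden={f.hidden} content={f.content!r}")
```

Running it on the sample image removes the 300 MB cache blob and the incompatible plug-in in the compression step, then deletes the user database and the private key, masks the database password in the configuration file, and hides the log file in the desensitization step; only the binary, the masked configuration and the hidden log survive.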
Processing the image file of the service server according to the security vulnerability setting rule to obtain the honeypot image file then specifically includes:
processing the desensitized image file according to the security vulnerability setting rule to obtain the honeypot image file.
In this embodiment, "processing the desensitized image file according to the security vulnerability setting rule" and "processing the image file of the service server according to the security vulnerability setting rule" in the previous embodiment may be implemented by the same method, and the desensitized image file and the image file may use the same security vulnerability setting rule, which is not repeated here.
In this embodiment, the honeypot image file generated from the compressed image file has a very good resource compression ratio, so the server resource consumption of the generated honeypot container is reduced, and processing the desensitized image file according to the security vulnerability setting rule yields a honeypot image file with more realistic security vulnerabilities. The honeypot image file obtained in this embodiment attracts attackers to the honeypot container more easily. Since the sensitive or private data in the desensitized image file of the service server is protected, even if an attacker obtains data of the service server from the desensitized image file through the configured security vulnerabilities, no adverse effect on the service server or its users results.
In practical applications, in order to monitor the honeypot container, a monitoring program and related files can be added to the honeypot image file, so that the honeypot image file in step S101 includes the files that implement the monitoring of attackers. In the embodiment of this specification, the container generated from the honeypot image file can then monitor the attacker's attack behaviour.
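The security vulnerability setting rule applied to the desensitized image (the database-server and web-server examples given earlier in the description) together with the addition of a monitoring file, as an added example that is not the patent's own code. The image is modelled as a dictionary of path to text; the account names, the false identity records, the configuration keys, the monitor path and the sample images are constructed assumptions. The weak password "123" is the one the description itself cites.

```python
# Added example (not the patent's code): security vulnerability setting rules
# chosen by service-server type and applied to a desensitized image. The image
# is modelled as a dict of path -> text; paths, account names, the fake records
# and the sample images are constructed assumptions.
import copy

WEAK_PASSWORD = "123"                          # the weak password cited in the description
DECOY_ACCOUNTS = {"report_ro", "backup_svc"}   # assumed: accounts chosen to carry the weak password
FAKE_USER_RECORDS = [                          # assumed false user identity information
    "90001,Fake Person A,fake-a@example.invalid",
    "90002,Fake Person B,fake-b@example.invalid",
]


def _database_rule(image):
    """Database server: weaken a subset of account passwords and add false identities."""
    lines = []
    for line in image["db/users.txt"].splitlines():
        name, sep, secret = line.partition(":")
        if sep and name in DECOY_ACCOUNTS:
            secret = WEAK_PASSWORD
        lines.append(f"{name}{sep}{secret}")
    image["db/users.txt"] = "\n".join(lines) + "\n"
    image["db/customers.csv"] = (image.get("db/customers.csv", "id,name,email\n")
                                 + "\n".join(FAKE_USER_RECORDS) + "\n")


def _web_rule(image):
    """Web server restricted to a LAN: expose its listener to public network access."""
    lines = []
    for line in image["etc/web/server.conf"].splitlines():
        key, sep, value = line.partition("=")
        if sep and key == "listen":
            _, _, port = value.rpartition(":")
            value = f"0.0.0.0:{port}"
        elif sep and key == "allow_from":
            value = "0.0.0.0/0"
        lines.append(f"{key}{sep}{value}")
    image["etc/web/server.conf"] = "\n".join(lines) + "\n"


RULES = {"database": _database_rule, "web": _web_rule}


def apply_vulnerability_rule(desensitized_image, server_type):
    """Return a honeypot image: a copy of the desensitized image with honeypot elements set."""
    if server_type not in RULES:
        raise ValueError(f"no security vulnerability setting rule for server type {server_type!r}")
    image = copy.deepcopy(desensitized_image)        # never mutate the desensitized image
    RULES[server_type](image)
    # Monitoring program configuration added so the resulting container can record attacks
    # (assumed path; the collector address is a placeholder).
    image["opt/honeypot-monitor/agent.conf"] = "collector=<collector-address-placeholder>\n"
    return image


# Constructed desensitized images (credentials already masked by the previous step).
SAMPLE_DB_IMAGE = {
    "db/users.txt": "admin:<redacted>\nreport_ro:<redacted>\napp:<redacted>\n",
    "db/customers.csv": "id,name,email\n",
}
SAMPLE_WEB_IMAGE = {
    "etc/web/server.conf": "listen=10.0.0.5:8080\nallow_from=10.0.0.0/8\n",
}

if __name__ == "__main__":
    print(apply_vulnerability_rule(SAMPLE_DB_IMAGE, "database")["db/users.txt"])
    print(apply_vulnerability_rule(SAMPLE_WEB_IMAGE, "web")["etc/web/server.conf"])
```

Only the accounts listed as decoys receive the weak password; the remaining accounts keep the masked values from desensitization, so an attacker who reaches the honeypot obtains nothing that was real on the service server. An unknown server type is rejected rather than silently left unmodified, since an image without honeypot elements would be deployed as a plain copy of the service.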
The honeypot container can be generated by a physical machine, a cloud server or a server, and the honeypot container has the characteristic of environmental isolation, so that when the honeypot container is deployed, the honeypot container can be deployed on a business server, or can be deployed on a physical machine, a cloud server or a server corresponding to any non-business server. At present, the utilization rate of a CPU of most physical machines, cloud servers or servers after the containers are used is less than 30%, so that the honeypot containers can be generated by utilizing the sum of available resources on different containers in the physical machines, the cloud servers or the servers of non-business services, the resource utilization rate of the servers is improved, and the honeypot deployment cost is reduced.
In an implementation manner of the embodiment of the present specification, step S102 may further include:
determining an available cloud server, where the available cloud server is a user cloud server whose available server resources exceed a first preset threshold, and a user cloud server is a cloud server whose usage rights have been allocated to a user.
Step S102 may specifically include: and generating at least one honeypot container in the available cloud server according to the honeypot image file.
The executing entity of the method in fig. 1 (hereinafter the honeypot deployment server) has the authority to manage, allocate and use the resources of at least one cloud server. The honeypot deployment server can configure the usage rights of the cloud server's resources so that the usage rights of part of those resources are allocated to a user; that is, the usage rights of a user cloud server are allocated to the user, who may obtain them by purchase or as a gift. The honeypot deployment server is then the manager of the cloud server on which the user cloud server runs, and the user is the user of that user cloud server. Because a user cloud server is usually not at 100% resource utilization while the user uses it, the honeypot deployment server can create a honeypot container on a user cloud server that still has available server resources, which improves the resource utilization of the cloud server.
Server available resources are the storage space and CPU resources in the user cloud server that can be used by someone other than the user (e.g., the manager); equivalently, the storage space and CPU resources in the user cloud server that are not used by the user to whom its usage rights are assigned. The first preset threshold may be set according to actual requirements. In general, when the available server resources exceed the first preset threshold, the administrator can generate a container on that available cloud server without affecting the user to whom it is assigned. The honeypot image file can be stored on some physical machine or server and the corresponding honeypot container generated in the available cloud server by loading it over the network, so the honeypot image file does not need to be stored on the available cloud server itself.
In the embodiment, the normal use of the user cloud server by the user can be ensured, the idle resource of the user cloud server can be used for generating the container, the effective utilization rate of the resource of the cloud server is improved, a server specially used for generating the honeypot container does not need to be configured, and the cost of the honeypot generation method during use can be reduced.
The determining an available cloud server may specifically include: and determining the user cloud server with the server resource utilization rate smaller than a second preset threshold value in the monitoring period.
Server resource utilization may include memory and CPU usage. To determine the available cloud server, a port of the user cloud server can be designated in advance; by monitoring that port, the historical resource utilization information for the monitoring period reported by a script is obtained, and the user cloud servers whose server resource utilization in the monitoring period is below the second preset threshold are determined to be available cloud servers according to the reported history. More than one available cloud server may be determined. The second preset threshold may be set according to actual requirements. In general, when the honeypot deployment server generates a container on a user cloud server whose resource utilization stayed below the second preset threshold during the monitoring period, the user holding the usage rights of that user cloud server is not affected. For example, the second preset threshold may be a CPU utilization rate of 30%, in which case a user cloud server whose server resource utilization (here, CPU utilization) in the monitoring period is below 30% is determined to be an available cloud server. The second preset threshold may also be a CPU utilization rate of 30% together with a memory utilization rate of 90%, in which case a user cloud server whose CPU utilization in the monitoring period is below 30% and whose memory utilization is below 90% is determined to be an available cloud server.
The available cloud server determined by the embodiment has more and more stable available resources, and the operation stability of the honeypot container can be improved when the honeypot container is deployed in the available cloud server.
After determining the user cloud server with the server resource utilization rate smaller than the second preset threshold in the monitoring period, the method may further include: and determining at least one user cloud server with the current server available resource larger than a third preset threshold from the user cloud servers with the server resource utilization rate smaller than the second preset threshold in the monitoring period.
Current server available resources are the storage space and CPU resources in the user cloud server that, at the current moment, can be used by someone other than the assigned user (such as the manager); equivalently, the storage space and CPU resources in the user cloud server that are not in use by the user to whom its usage rights are assigned at the current moment. For example, the third preset threshold may be a CPU unutilized rate (i.e., 1 minus the CPU utilization rate) of 40% and an available memory space of 1G, in which case a user cloud server whose current CPU unutilized rate exceeds 40% and whose available memory space exceeds 1G is determined to be an available cloud server.
The available cloud server determined in this embodiment can be used to generate the container immediately, without waiting; its available resources are larger and more stable, and deploying the honeypot container there improves both the execution efficiency of the honeypot generation method and the operational stability of the deployed container.
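To make the two-stage selection concrete, here is an added Python example (not code from the patent or the applicant). It applies the second preset threshold to every report in the monitoring period and the third preset threshold to the current report, using the patent's own example values (CPU 30% and memory 90% in the period; CPU unutilized rate 40% and 1G free memory now). The fleet, the report fields and the per-server memory sizes are constructed assumptions; the reporting script and the designated port are not modelled, only the reports they would deliver.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Sample:
    """One utilisation report from the monitoring script on a user cloud server
    (constructed layout; the patent does not specify the report format)."""
    cpu_util: float   # fraction 0.0 .. 1.0
    mem_util: float   # fraction 0.0 .. 1.0


@dataclass
class CloudServer:
    name: str
    mem_total_gb: float
    history: List[Sample] = field(default_factory=list)  # reports over the monitoring period
    current: Optional[Sample] = None                      # latest report


# Second preset threshold: ceilings that must hold over the whole monitoring
# period (the patent's example values: CPU 30%, memory 90%).
PERIOD_MAX_CPU = 0.30
PERIOD_MAX_MEM = 0.90
# Third preset threshold: headroom required right now (the patent's example
# values: CPU unutilised rate 40%, 1G of free memory).
NOW_MIN_CPU_FREE = 0.40
NOW_MIN_MEM_FREE_GB = 1.0


def stable_in_period(server: CloudServer) -> bool:
    """Second threshold: every sample in the monitoring period stays under the
    ceilings. Every sample is checked rather than the mean, so a single burst
    that would have starved the tenant disqualifies the server."""
    if not server.history:
        return False  # no monitoring data: never assume a server is idle
    return all(s.cpu_util < PERIOD_MAX_CPU and s.mem_util < PERIOD_MAX_MEM
               for s in server.history)


def has_headroom_now(server: CloudServer) -> bool:
    """Third threshold: the current report leaves enough free CPU and memory
    for a container to be created without waiting."""
    if server.current is None:
        return False
    cpu_free = 1.0 - server.current.cpu_util
    mem_free_gb = (1.0 - server.current.mem_util) * server.mem_total_gb
    return cpu_free > NOW_MIN_CPU_FREE and mem_free_gb > NOW_MIN_MEM_FREE_GB


def select_available(servers: List[CloudServer]) -> List[str]:
    """Apply the two filters in the patent's order and return the names of the
    user cloud servers on which a honeypot container may be generated."""
    return [s.name for s in servers if stable_in_period(s) and has_headroom_now(s)]


def sample_fleet() -> List[CloudServer]:
    """Constructed fleet covering the pass case and each rejection reason."""
    return [
        CloudServer("cs-a", 4.0, [Sample(0.10, 0.50), Sample(0.12, 0.55)], Sample(0.15, 0.60)),  # passes (1.6 GB free)
        CloudServer("cs-b", 4.0, [Sample(0.10, 0.50), Sample(0.45, 0.55)], Sample(0.15, 0.60)),  # CPU burst in period
        CloudServer("cs-c", 2.0, [Sample(0.10, 0.50), Sample(0.12, 0.55)], Sample(0.15, 0.60)),  # only 0.8 GB free now
        CloudServer("cs-d", 8.0, [Sample(0.20, 0.80)], Sample(0.70, 0.50)),                      # CPU busy right now
        CloudServer("cs-e", 8.0, [], Sample(0.05, 0.10)),                                        # no monitoring history
    ]


if __name__ == "__main__":
    print(select_available(sample_fleet()))  # ['cs-a']
```

The order of the two filters matters: the period check is cheap and rejects servers whose tenant is bursty, and only the survivors are checked for headroom at this moment, which is the quantity that can change between the decision and the container start. Servers with no history are rejected rather than assumed idle, since the whole point of the threshold is to protect the tenant's usage.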
Since the honeypot container needs to have the function of receiving a service request initiated by an attacker to the service server, when at least one honeypot container is generated in the available cloud server according to the honeypot image file, at least the following embodiments may be included:
First embodiment
Generating at least one honeypot container carrying a mapping relation between a honeypot container internet protocol address and a business server internet protocol address in the available cloud server; each honeypot container is configured with a plurality of honeypot container internet protocol addresses.
When generating honeypot containers, the available cloud server assigns a honeypot container internet protocol address (i.e., a honeypot container IP) to each honeypot container. By configuring the cloud server's routing and the honeypot image file, several honeypot container internet protocol addresses can be assigned to each generated honeypot container. For any honeypot container, each of its honeypot container internet protocol addresses can be mapped to the same service server internet protocol address (i.e., the service server's IP address) or to different service server internet protocol addresses. In practice, one service server may be matched with multiple IP addresses (i.e., service server internet protocol addresses) through its routing configuration.
When the service server's internet protocol address is a public network address, the honeypot container receives the attack information if an attacker sends a service request to that public IP. When the service server's internet protocol address is an intranet address, the honeypot container receives the attack information if, after breaching the extranet corresponding to the service server, the attacker sends a service request to that intranet IP.
To aid understanding, the method of this embodiment is illustrated here. Fig. 2 is a schematic diagram of the mapping relationship established between honeypot containers and a service server according to an embodiment of the present disclosure. As shown in fig. 2, two honeypot containers generated from the same honeypot image file, a first honeypot container 21 and a second honeypot container 22, are generated in the available cloud server 201; the first honeypot container is assigned a first IP address and a second IP address, and the second honeypot container is assigned a third IP address and a fourth IP address. The web server 202 has a fifth IP address and a sixth IP address, and a user can send a service request to the web server by accessing either of them. A mapping relationship exists between the first IP address of the first honeypot container and the fifth IP address of the web server, between the second IP address of the first honeypot container and the sixth IP address of the web server, between the third IP address of the second honeypot container and the sixth IP address of the web server, and between the fourth IP address of the second honeypot container and the sixth IP address of the web server.
Second embodiment
The honey pot generating method in fig. 1 may further include: and determining an internet protocol address corresponding to the domain name of the service server.
A domain name (DomainName) is the name of a server, computer or group of computers on the Internet, consisting of a string of names separated by dots, and is used to identify the electronic location of a computer during data transmission. One domain name corresponds to exactly one IP address. For example, www.A.B is a domain name that corresponds to the IP address 208.80.c.d. From the domain name of a service server, the unique internet protocol address corresponding to that domain name can be determined, and a user can send a service request to the service server by accessing the domain name.
At this time, generating at least one honeypot container in the available cloud server may specifically include:
generating at least one honeypot container carrying a mapping relationship between a honeypot container internet protocol address and the internet protocol address in the available cloud server; each honeypot container is configured with a plurality of honeypot container internet protocol addresses.
In this embodiment, the mapping relationship between the honeypot internet protocol address of the honeypot container and the internet protocol address may have the same characteristics as the mapping relationship between the honeypot internet protocol address and the service server internet protocol address in the first embodiment, and details are not described here.
Third embodiment
When a plurality of the service servers are deployed in a local area network, the honeypot generation method in fig. 1 may further include: and determining the network segment to which the Internet protocol address of each service server belongs.
A Local Area Network (LAN) refers to a computer group formed by connecting a plurality of computers in a certain area, and a network segment generally refers to a part of a computer network that can directly communicate using the same physical layer device (transmission medium, repeater, hub, etc.). In this embodiment, the local area network includes a plurality of IP addresses, the plurality of IP addresses are distributed in at least one network segment, and the IP address of the service server is also an IP address included in the local area network. The network segment to which the internet protocol address of each service server belongs can be determined according to a network segment division method.
At this time, generating at least one honeypot container in the available cloud server may specifically include:
generating at least one honeypot container in the available cloud server, wherein each honeypot container is configured with a plurality of honeypot container internet protocol addresses, and each network segment comprises an internet protocol address which has a mapping relation with at least one honeypot container internet protocol address.
To aid understanding, the method of this embodiment is illustrated here. Fig. 3 is a schematic diagram of the mapping relationship established between a honeypot container and a service server according to an embodiment of the present disclosure. As shown in fig. 3, the local area network 301 has a first, a second and a third network segment: the first network segment contains the IP addresses from the first IP address to IP address X, the second contains those from the second IP address to IP address Y, and the third contains those from IP address Z to IP address W. Assuming that the first IP address in the first network segment and the second IP address in the second network segment each correspond to the web server, a host in the local area network can send a service request to the web server by accessing the first IP address or the second IP address. When each honeypot container is configured with two honeypot container internet protocol addresses, only one honeypot container 31 needs to be generated in the available cloud server 302 in this embodiment: one of its IP addresses (the third IP address in fig. 3) is mapped to the first IP address and the other (the fourth IP address in fig. 3) is mapped to the second IP address, so that a honeypot is deployed in every network segment of the local area network in which the web server is present.
Of course, several honeypot containers may also be generated at this point, and an association established between their honeypot container internet protocol addresses and IP addresses in the local area network other than the first and second IP addresses, so as to raise the probability that an attacker touches a honeypot container when moving laterally across network segments by means of the Remote Desktop Protocol (RDP), which improves the effectiveness and practicability of the honeypot generation method.
In the three embodiments, because the honeypot container is configured with a plurality of honeypot container internet protocol addresses, one honeypot container can be used to monitor the service servers corresponding to a plurality of IP addresses, thereby improving the efficiency of honeypot deployment and the network coverage rate.
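As an added example (not the patent's or the applicant's code), the following Python planner covers the first and third embodiments at once: it maps each service server address to a honeypot container address drawn from a pool, packs several addresses into each honeypot container, and checks that every network segment hosting a service server contains at least one mapped address. The segments, service addresses and honeypot pool are constructed from documentation ranges, and plain CIDR containment stands in for the patent's unspecified network segment division method.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed values (not from the patent): the LAN's segments, the service
# servers' addresses, and the pool the available cloud server assigns honeypot
# container addresses from. Documentation ranges keep everything fictitious.
SEGMENTS = ["192.0.2.0/26", "192.0.2.64/26", "192.0.2.128/26"]
SERVICE_IPS = ["192.0.2.10", "192.0.2.70", "192.0.2.75"]
HONEYPOT_POOL = ipaddress.ip_network("198.51.100.0/28")

Container = Dict[str, str]  # honeypot container IP -> service server IP it maps to


def segment_of(ip: str, segments: List[str]) -> str:
    """Return the segment (as given) that contains ip. The patent leaves the
    segment division method open; CIDR containment is assumed here."""
    addr = ipaddress.ip_address(ip)
    for seg in segments:
        if addr in ipaddress.ip_network(seg):
            return seg
    raise ValueError(f"{ip} lies outside every configured segment")


def plan_containers(service_ips: List[str], segments: List[str],
                    pool: ipaddress.IPv4Network, ips_per_container: int) -> List[Container]:
    """Map every service server address to a fresh honeypot container address
    and pack the mappings into containers of ips_per_container addresses, so a
    single container watches several service servers (first embodiment)."""
    if ips_per_container < 1:
        raise ValueError("a honeypot container needs at least one address")
    hosts = pool.hosts()  # fresh iterator for each plan
    containers: List[Container] = []
    current: Container = {}
    for svc in service_ips:
        segment_of(svc, segments)  # validates that the address belongs to the LAN
        try:
            hp_ip = str(next(hosts))
        except StopIteration:
            raise RuntimeError("honeypot address pool exhausted") from None
        current[hp_ip] = svc
        if len(current) == ips_per_container:
            containers.append(current)
            current = {}
    if current:
        containers.append(current)
    return containers


def uncovered_segments(containers: List[Container], service_ips: List[str],
                       segments: List[str]) -> List[str]:
    """Third-embodiment check: every segment that hosts a service server must
    contain at least one address that a honeypot container address maps to."""
    needed: Set[str] = {segment_of(s, segments) for s in service_ips}
    covered: Set[str] = {segment_of(svc, segments)
                         for c in containers for svc in c.values()}
    return sorted(needed - covered)


if __name__ == "__main__":
    plan = plan_containers(SERVICE_IPS, SEGMENTS, HONEYPOT_POOL, 2)
    for i, c in enumerate(plan, 1):
        print(f"honeypot container {i}: {c}")
    print("uncovered segments:", uncovered_segments(plan, SERVICE_IPS, SEGMENTS))
```

Under the first embodiment several honeypot container addresses may also point at the same service server address (as in fig. 2, where three honeypot addresses map to the sixth IP address); the planner maps each service address once for brevity, but the coverage check works unchanged if such duplicates are added. The check is worth running after every redeployment, because a container that was removed or an address that was reclaimed by the cloud server silently leaves a segment without bait.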
In the embodiment of the specification, the honeypot deployment server controls the available cloud servers that generate the honeypot containers, so it is also able to determine the current honeypot deployment status of each business server; functions such as networking, monitoring, isolating and continuously luring with the honeypot containers can therefore be realised on the honeypot deployment server. Serving as a dynamically updated honeypot deployment map (sand table), the honeypot deployment server allows the honeypot containers to be networked together, which improves the availability and controllability of the honeypot generation method.
Based on the same idea, an embodiment of the present specification further provides an apparatus corresponding to the above method. Fig. 4 is a schematic structural diagram of a honeypot generation apparatus corresponding to fig. 1 according to an embodiment of the present specification. As shown in fig. 4, the apparatus may include:
the first obtaining module 401 is configured to obtain a honeypot image file, where the honeypot image file is a file that is obtained based on an image file of a service server and contains honeypot elements, and the honeypot elements are used to induce an attacker to attack.
a honeypot container generation module 402, configured to generate a honeypot container according to the honeypot image file.
In an embodiment of the present specification, a file containing honeypot elements obtained based on an image file of a service server is used as a honeypot image file, and a honeypot container generation module is configured to generate a honeypot container according to the honeypot image file. Because the similarity between the honeypot mirror image file and the real mirror image file of the service server is higher, the difference between the generated honeypot container and the service server can be reduced, an attacker cannot discriminate the deployed honeypot container, and the simulation, concealment and practicability of the honeypot container are improved. Because the generation and operation container occupies small amount of server resources, and the container has the characteristics of portability and environmental isolation, by adopting the honeypot generation device in the embodiment of the specification, a large batch of honeypots can be efficiently and conveniently deployed in each server, and no adverse effect is generated on a business server.
In an implementation manner of the embodiments of the present specification, the honey pot generation apparatus may further include:
a honeypot image file generation module, configured to: acquire an image file of the service server; determine the file type of each first subfile in the image file of the service server, the file type being a deletion type or a retention type; delete the first subfiles whose file type is the deletion type to obtain a compressed image file; desensitize the compressed image file to obtain a desensitized image file; and process the desensitized image file according to a security vulnerability setting rule to obtain the honeypot image file.
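As an added example (not the patent's or the applicant's code), the following Python sketch runs the four stages listed above on a constructed in-memory image tree: it classifies each subfile as deletion or retention type by path, drops the deletion-type files to obtain the compressed image, desensitises credential-like values and private-key blocks, and then applies security vulnerability setting rules expressed as (path, pattern, replacement) tuples. The classification patterns, redaction patterns, file names and the single bait rule (turning an application's debug flag on) are all assumptions; a real image would be a layer archive rather than a dict.

```python
import re
from typing import Dict, List, Tuple

ImageTree = Dict[str, str]  # path inside the image -> file content (stand-in for a real layer)

# Stage 1: deletion-type vs retention-type subfiles. Constructed rules: logs,
# caches, VCS metadata and temp/backup files only inflate the honeypot image
# and can leak history, so they are deletion type; everything else is retained.
DELETE_PATTERNS = [
    re.compile(r"(^|/)var/log/"),
    re.compile(r"(^|/)\.git/"),
    re.compile(r"(^|/)__pycache__/"),
    re.compile(r"\.(log|tmp|bak)$"),
]


def file_type(path: str) -> str:
    """Return 'delete' or 'retain' for one first subfile."""
    return "delete" if any(p.search(path) for p in DELETE_PATTERNS) else "retain"


def compress(tree: ImageTree) -> ImageTree:
    """Stage 2: drop deletion-type subfiles to obtain the compressed image."""
    return {p: c for p, c in tree.items() if file_type(p) == "retain"}


# Stage 3: desensitisation. Key/value lines whose key looks like a credential
# are redacted, and PEM private-key blocks are replaced wholesale. The patterns
# are assumptions; a production rule set would be considerably wider.
SECRET_LINE = re.compile(
    r"(?im)^(\s*[A-Za-z0-9_.-]*(?:password|passwd|secret|token|api_key|access_key)\s*[=:]\s*)(\S.*)$")
PRIVATE_KEY_BLOCK = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)
PLACEHOLDER = "<REDACTED>"


def desensitize(tree: ImageTree) -> ImageTree:
    out: ImageTree = {}
    for path, content in tree.items():
        content = SECRET_LINE.sub(lambda m: m.group(1) + PLACEHOLDER, content)
        content = PRIVATE_KEY_BLOCK.sub(
            f"-----BEGIN PRIVATE KEY-----\n{PLACEHOLDER}\n-----END PRIVATE KEY-----", content)
        out[path] = content
    return out


# Stage 4: security vulnerability setting rules as (path, regex, replacement).
Rule = Tuple[str, str, str]
RULES: List[Rule] = [
    # Constructed bait: switch the application's debug flag on in the honeypot copy.
    ("app/config.ini", r"(?m)^debug\s*=\s*false$", "debug = true"),
]


def apply_rules(tree: ImageTree, rules: List[Rule]) -> Tuple[ImageTree, List[str], List[str]]:
    """Apply each rule; return the new tree, the paths that were changed and
    the rules that did not take effect, so no bait goes silently missing."""
    out = dict(tree)
    applied: List[str] = []
    unmatched: List[str] = []
    for path, pattern, repl in rules:
        if path not in out:
            unmatched.append(f"{path}: file absent")
            continue
        new, n = re.subn(pattern, repl, out[path])
        if n == 0:
            unmatched.append(f"{path}: pattern {pattern!r} not found")
            continue
        out[path] = new
        applied.append(path)
    return out, applied, unmatched


def build_honeypot_image(tree: ImageTree, rules: List[Rule] = RULES):
    """Service-server image -> compressed -> desensitised -> honeypot image."""
    return apply_rules(desensitize(compress(tree)), rules)


def sample_image() -> ImageTree:
    """Constructed service-server image tree (all values fictitious)."""
    return {
        "app/main.py": "print('service')\n",
        "app/config.ini": "[service]\ndebug = false\ndb_host = db.internal\ndb_password = hunter2\n",
        "app/.env": "API_TOKEN: abcd1234\n",
        "etc/ssl/server.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEfake\n-----END RSA PRIVATE KEY-----\n",
        "var/log/app.log": "2024-01-01 user=alice login\n",
        "app/__pycache__/main.cpython-311.pyc": "\x00",
        "app/notes.bak": "old notes\n",
    }


if __name__ == "__main__":
    honeypot, applied, unmatched = build_honeypot_image(sample_image())
    print(sorted(honeypot), applied, unmatched)
```

Two design points carry over to a real implementation. Desensitisation runs after compression so that deleted logs and caches never reach the redaction stage, where a missed pattern could leak tenant data into the honeypot. And the rule stage reports rules that did not take effect, because an operator who believes a bait setting is present when it is not will misread the resulting alerts.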
In an implementation manner of the embodiments of the present specification, the honeypot generation apparatus may further include an available cloud server determining module.
The available cloud server determining module may be configured to determine an available cloud server, where the available cloud server is a user cloud server for which server available resources are greater than a first preset threshold, and the user cloud server is a cloud server for allocating usage rights to users.
In an embodiment of the present specification, the available cloud server determining module may specifically be configured to: and determining the user cloud server with the server resource utilization rate smaller than a second preset threshold value in the monitoring period. And determining at least one user cloud server with the current server available resources larger than a third preset threshold from the user cloud servers with the server resource utilization rate smaller than the second preset threshold in the monitoring period.
In an implementation manner of the embodiment of the present specification, the honeypot container generation module in the honeypot generation apparatus may be specifically configured to generate at least one honeypot container in the available cloud server according to the honeypot image file.
The honeypot container generation module may generate at least one honeypot container in the available cloud server in any of three implementations.
First implementation: the honeypot container generation module may be specifically configured to generate, in the available cloud server, at least one honeypot container carrying a mapping relationship between a honeypot container internet protocol address and a business server internet protocol address, where each honeypot container is configured with a plurality of honeypot container internet protocol addresses.
Second implementation: the honeypot generation apparatus may further include a domain-name internet protocol address determining module, configured to determine the internet protocol address corresponding to the domain name of the service server.
The honeypot container generation module may then be specifically configured to generate, in the available cloud server, at least one honeypot container carrying a mapping relationship between a honeypot container internet protocol address and that internet protocol address, where each honeypot container is configured with a plurality of honeypot container internet protocol addresses.
Third implementation: when a plurality of service servers are deployed in a local area network, the honeypot generation apparatus may further include a network segment determining module, configured to determine the network segment to which the internet protocol address of each service server belongs.
The honeypot container generation module may then be specifically configured to generate at least one honeypot container in the available cloud server, where each honeypot container is configured with a plurality of honeypot container internet protocol addresses and each network segment contains an internet protocol address that has a mapping relationship with at least one honeypot container internet protocol address.
Based on the same idea, an embodiment of this specification further provides a honeypot container, which may be generated by any of the honeypot generation methods in the above embodiments; for the specific honeypot generation method, refer to the description in the method embodiments, which is not repeated here.
In the embodiment of the present specification, a honeypot container generated by the honeypot generation method of the above embodiments has high simulation fidelity, concealment and practicability. Because generating and running a container consumes few server resources, and a container is portable and environment-isolated, the honeypot container provided in the embodiment of the specification can be deployed efficiently and conveniently in large numbers on any server.
Based on the same idea, an embodiment of the present specification further provides a device corresponding to the above method. Fig. 5 is a schematic structural diagram of a honeypot generation device according to an embodiment of the present specification. As shown in fig. 5, the device 500 may include:
at least one processor 510; and
a memory 530 communicatively connected to the at least one processor; wherein
the memory stores instructions 520 executable by the at least one processor 510 to enable the at least one processor 510 to:
acquire a honeypot image file, where the honeypot image file is a file obtained based on an image file of a service server and containing honeypot elements, the honeypot elements being used to lure an attacker into attacking;
and generate a honeypot container according to the honeypot image file.
In an embodiment of the present specification, a file containing honeypot elements obtained based on an image file of a service server is used as a honeypot image file, and a processor of a honeypot generation device may generate a honeypot container according to the honeypot image file. Because the similarity between the honeypot mirror image file and the real mirror image file of the service server is higher, the difference between the generated honeypot container and the service server can be reduced, an attacker cannot discriminate the deployed honeypot container, and the simulation, concealment and practicability of the honeypot container are improved. Because the generation and operation container occupies small amount of server resources, and the container has the characteristics of portability and environmental isolation, by adopting the honeypot generation equipment in the embodiment of the specification, a large batch of honeypots can be efficiently and conveniently deployed in each server, and no adverse effect is caused on a business server.
In the 1990s, an improvement in a technology could be clearly distinguished as an improvement in hardware (e.g., an improvement in a circuit structure such as a diode, transistor or switch) or an improvement in software (an improvement in a method flow). As technology has developed, however, many of today's improvements in method flows can be regarded as direct improvements in hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. It therefore cannot be said that an improvement in a method flow cannot be realised by a hardware entity module. For example, a Programmable Logic Device (PLD) such as a Field Programmable Gate Array (FPGA) is an integrated circuit whose logic functions are determined by the user programming the device. A designer "integrates" a digital system on a PLD by programming it, without asking a chip manufacturer to design and fabricate an application-specific integrated circuit chip. Moreover, instead of manually making integrated circuit chips, such programming is nowadays mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development, and the source code before compilation is also written in a specific programming language called a Hardware Description Language (HDL). There is not one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); the most commonly used at present are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog.
It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner; for example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320; a memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, besides implementing the controller purely as computer-readable program code, the same functionality can be achieved by logically programming the method steps so that the controller takes the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may therefore be regarded as a hardware component, and the means included in it for performing the various functions may also be regarded as structures within the hardware component; or even means for performing the functions may be regarded as being both software modules implementing the method and structures within the hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (16)

1. A honeypot generation method, comprising:
acquiring an image file of a service server, and determining the file type of each first subfile in the image file of the service server, wherein the file type is a deletion type or a retention type;
deleting the first subfiles whose file type is the deletion type to obtain a compressed image file;
desensitizing the compressed image file to obtain a desensitized image file;
processing the desensitized image file according to a security vulnerability setting rule to obtain a honeypot image file;
acquiring the honeypot image file, wherein the honeypot image file is a file obtained based on the image file of the service server and containing honeypot elements, the honeypot elements being used to induce an attacker to attack; and
generating a honeypot container according to the honeypot image file.
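The pipeline of claim 1, worked through as an added example. This is illustrative code written for this page, not the patent's implementation and not code from the assignee: the image is modelled as a dict of path to text rather than a real container image, and the deletion patterns, the desensitization patterns, the "security vulnerability setting rule" (a weak bait credential plus a bait .env file) and the secret deny-list are all assumptions. The final check, refusing to generate a container while any known production secret survives in the honeypot image, is the one a practitioner would insist on: a decoy cloned from a production image that still carries real credentials hands them to the attacker it is meant to trap.

```python
"""Honeypot-image pipeline of claim 1, modelled in memory (illustrative only)."""
import fnmatch
import hashlib
import json
import re
from typing import Dict, List, Tuple

# Constructed sample "image" of a service server: path -> file content.
# Not a real system; every secret below is made up for the example.
SAMPLE_IMAGE: Dict[str, str] = {
    "/app/server.py": "import flask\napp = flask.Flask(__name__)\n",
    "/app/config.ini": (
        "db_host=10.20.30.40\n"
        "db_password=Pr0d-S3cret!\n"
        "api_key=AKIA1234567890ABCDEF\n"
    ),
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\nops:x:1000:1000::/home/ops:/bin/bash\n",
    "/var/log/app.log": "2019-04-10 login user=alice card=4111111111111111\n",
    "/app/__pycache__/server.cpython-37.pyc": "<binary placeholder>",
    "/root/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    "/root/.bash_history": "mysql -u root -pPr0d-S3cret!\n",
}

# Production secrets that must not survive into the honeypot image (constructed
# deny-list for the final check; a real pipeline would feed it from the secret
# store or a secret scanner).
KNOWN_SECRETS = [
    "Pr0d-S3cret!", "AKIA1234567890ABCDEF", "BEGIN RSA PRIVATE KEY",
    "10.20.30.40", "4111111111111111",
]

# Step 1: every first subfile is either "deletion" or "retention" type.
# The pattern list is an assumption: logs, caches, shell history, key material.
DELETION_PATTERNS = [
    "/var/log/*", "*/__pycache__/*", "*.pyc", "/root/.ssh/*",
    "/root/.bash_history", "/tmp/*",
]

def file_type(path: str) -> str:
    return "deletion" if any(fnmatch.fnmatch(path, p) for p in DELETION_PATTERNS) else "retention"

# Step 2: drop deletion-type subfiles -> the "compressed image file".
def compress_image(image: Dict[str, str]) -> Dict[str, str]:
    return {p: c for p, c in image.items() if file_type(p) == "retention"}

# Step 3: desensitise retained content (assumed patterns: credential lines,
# internal 10/8 addresses rewritten to a documentation address, 16-digit PANs).
DESENSITIZE_RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"(?im)^(\w*(?:password|passwd|api_key|secret|token)\w*)=.*$"), r"\1=REDACTED"),
    (re.compile(r"\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"), "192.0.2.10"),
    (re.compile(r"\b\d{16}\b"), "0000000000000000"),
]

def desensitize(image: Dict[str, str]) -> Dict[str, str]:
    out = {}
    for path, content in image.items():
        for pattern, repl in DESENSITIZE_RULES:
            content = pattern.sub(repl, content)
        out[path] = content
    return out

# Step 4: "security vulnerability setting rule" -> honeypot elements. Assumed
# rule: each redacted password becomes a weak bait credential, and a bait .env
# with a debug flag is dropped in. Only the decoy ever honours these values.
BAIT_PASSWORD = "admin123"

def apply_vulnerability_rule(image: Dict[str, str]) -> Dict[str, str]:
    out = {}
    for path, content in image.items():
        out[path] = re.sub(r"(?im)^(\w*password\w*)=REDACTED$", rf"\1={BAIT_PASSWORD}", content)
    out["/app/.env"] = "DEBUG=1\nADMIN_TOKEN=bait-token-0001\n"
    return out

def build_honeypot_image(image: Dict[str, str]) -> Dict[str, str]:
    return apply_vulnerability_rule(desensitize(compress_image(image)))

# The check to run before deploying: no known production secret leaked through.
def find_leaks(image: Dict[str, str], secrets: List[str]) -> List[str]:
    return sorted({s for content in image.values() for s in secrets if s in content})

def image_digest(image: Dict[str, str]) -> str:
    return hashlib.sha256(json.dumps(image, sort_keys=True).encode()).hexdigest()

# Step 5: "generate a honeypot container" -> here only a container spec; a real
# deployment would build the image and start it with a container runtime.
def generate_honeypot_container(image: Dict[str, str], name: str) -> Dict[str, object]:
    leaks = find_leaks(image, KNOWN_SECRETS)
    if leaks:
        raise ValueError(f"refusing to deploy {name}: secrets present {leaks}")
    return {"name": name, "image": "sha256:" + image_digest(image), "files": sorted(image)}

if __name__ == "__main__":
    spec = generate_honeypot_container(build_honeypot_image(SAMPLE_IMAGE), "honeypot-1")
    print(json.dumps(spec, indent=2))
```

Deleting before desensitizing matters for the order of the steps: files such as shell history and private keys are dropped outright rather than pattern-scrubbed, so a credential format the desensitization rules do not know about cannot slip through in them, and the deny-list check catches anything the retained files still carry.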
2. The method of claim 1, further comprising, before generating the honeypot container:
determining an available cloud server, wherein the available cloud server is a user cloud server whose available server resources are larger than a first preset threshold, and the user cloud server is a cloud server whose usage rights are allocated to users;
wherein generating a honeypot container according to the honeypot image file specifically comprises:
generating at least one honeypot container in the available cloud server according to the honeypot image file.
3. The method of claim 2, wherein determining the available cloud server specifically comprises:
determining a user cloud server whose server resource utilization rate is smaller than a second preset threshold within a monitoring period.
4. The method of claim 3, further comprising, after determining the user cloud servers whose server resource utilization rate is smaller than the second preset threshold within the monitoring period:
determining, from those user cloud servers, at least one user cloud server whose currently available server resources are larger than a third preset threshold.
5. The method of claim 2, wherein generating at least one honeypot container in the available cloud server specifically comprises:
generating, in the available cloud server, at least one honeypot container carrying a mapping relationship between a honeypot container internet protocol address and a service server internet protocol address, wherein each honeypot container is configured with a plurality of honeypot container internet protocol addresses.
6. The method of claim 2, further comprising:
determining an internet protocol address corresponding to the domain name of the service server;
wherein generating at least one honeypot container in the available cloud server specifically comprises:
generating, in the available cloud server, at least one honeypot container carrying a mapping relationship between a honeypot container internet protocol address and the internet protocol address corresponding to the domain name, wherein each honeypot container is configured with a plurality of honeypot container internet protocol addresses.
7. The method of claim 2, wherein, when a plurality of the service servers are deployed in a local area network, the method further comprises:
determining the network segment of the internet protocol address of each service server;
and generating at least one honeypot container in the available cloud server specifically comprises:
generating at least one honeypot container in the available cloud server, wherein each honeypot container is configured with a plurality of honeypot container internet protocol addresses, and each network segment contains an internet protocol address having a mapping relationship with at least one honeypot container internet protocol address.
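The placement and address-mapping logic of claims 2 to 7, worked through as an added example; illustrative code written for this page, not the patent's implementation. The thresholds, the utilization samples, the /24 segment size, the DNS table standing in for name resolution (claim 6) and the rule for choosing decoy addresses (first free host in the segment) are all assumptions. It covers the two filters of claims 3 and 4 (utilization during the monitoring period, then resources free now), the per-container list of decoy addresses each mapped to a service server (claim 5), and the requirement that every segment of the LAN contains at least one mapped decoy address (claim 7), with a verifier for the resulting plan.

```python
"""Placement and address mapping of claims 2 to 7, modelled in memory (illustrative only)."""
from ipaddress import IPv4Address, IPv4Network, ip_address
from itertools import cycle
from typing import Dict, List

# Constructed monitoring data for user cloud servers: utilisation samples over
# the monitoring period (fraction of capacity) and resources free right now.
CLOUD_SERVERS = {
    "cloud-a": {"util": [0.20, 0.25, 0.18], "free_cpu": 12, "free_mem_gb": 48},
    "cloud-b": {"util": [0.85, 0.90, 0.88], "free_cpu": 2, "free_mem_gb": 4},
    "cloud-c": {"util": [0.30, 0.95, 0.28], "free_cpu": 10, "free_mem_gb": 32},  # spike in the period
    "cloud-d": {"util": [0.10, 0.12, 0.11], "free_cpu": 1, "free_mem_gb": 2},    # idle but too small
    "cloud-e": {"util": [0.40, 0.35, 0.42], "free_cpu": 8, "free_mem_gb": 20},
}
UTIL_THRESHOLD = 0.50                   # claim 3 "second preset threshold" (assumed value)
MIN_FREE_CPU, MIN_FREE_MEM_GB = 4, 16   # claim 4 "third preset threshold" (assumed values)

# Constructed stand-in for DNS resolution (claim 6); a real implementation
# would resolve the name, for example with socket.gethostbyname.
DNS_TABLE = {"www.example.com": "10.1.1.5", "api.example.com": "10.1.2.7"}

# Constructed service servers in one LAN (claim 7), spread over three /24 segments.
BUSINESS_IPS = ["10.1.1.5", "10.1.1.9", "10.1.2.7", "10.1.3.3"]

def available_cloud_servers(servers=CLOUD_SERVERS, util_threshold=UTIL_THRESHOLD,
                            min_cpu=MIN_FREE_CPU, min_mem=MIN_FREE_MEM_GB) -> List[str]:
    """Claim 3 filter on utilisation during the monitoring period, then claim 4
    filter on resources free now. max() over the samples is a conservative
    choice (assumption): a single spike in the period disqualifies the server."""
    low_util = [n for n, s in servers.items() if max(s["util"]) < util_threshold]
    return [n for n in low_util
            if servers[n]["free_cpu"] > min_cpu and servers[n]["free_mem_gb"] > min_mem]

def resolve(domain: str) -> IPv4Address:
    return ip_address(DNS_TABLE[domain])

def segments_of(ips: List[IPv4Address], prefix: int = 24) -> Dict[IPv4Network, List[IPv4Address]]:
    segs: Dict[IPv4Network, List[IPv4Address]] = {}
    for ip in ips:
        segs.setdefault(IPv4Network(f"{ip}/{prefix}", strict=False), []).append(ip)
    return segs

def allocate_decoy_ip(segment: IPv4Network, taken: set) -> IPv4Address:
    # Assumption: first free host address in the segment. A real allocator would
    # also skip the gateway, any DHCP range and addresses seen in ARP tables.
    for host in segment.hosts():
        if host not in taken:
            taken.add(host)
            return host
    raise RuntimeError(f"no free address in {segment}")

def plan_honeypot_containers(business_ips: List[str], servers: List[str]) -> Dict[str, dict]:
    """One honeypot container per available cloud server; each carries several
    decoy addresses, each mapped to the service server in the same segment."""
    if not servers:
        raise ValueError("no available cloud server")
    real_ips = [ip_address(i) for i in business_ips]
    taken = set(real_ips)
    plan = {f"honeypot-{s}": {"cloud_server": s, "ip_map": {}} for s in servers}
    targets = cycle(plan)   # round-robin the decoys over the containers
    for segment, seg_ips in segments_of(real_ips).items():
        for real in seg_ips:
            decoy = allocate_decoy_ip(segment, taken)
            plan[next(targets)]["ip_map"][str(decoy)] = str(real)
    return plan

def verify_plan(plan: Dict[str, dict], business_ips: List[str], prefix: int = 24) -> List[str]:
    """Checks worth running before deployment: every segment has a decoy, no
    decoy collides with a real address or another decoy, every mapping stays
    inside its segment, and no container is left without addresses."""
    problems = []
    real = {ip_address(i) for i in business_ips}
    covered, seen = set(), set()
    for name, c in plan.items():
        if not c["ip_map"]:
            problems.append(f"{name}: no decoy addresses")
        for decoy, target in c["ip_map"].items():
            d, t = ip_address(decoy), ip_address(target)
            seg = IPv4Network(f"{t}/{prefix}", strict=False)
            if d in real or d in seen:
                problems.append(f"{name}: decoy {d} collides with an existing address")
            if d not in seg:
                problems.append(f"{name}: decoy {d} is outside {seg}")
            seen.add(d)
            covered.add(seg)
    for seg in segments_of(sorted(real)):
        if seg not in covered:
            problems.append(f"segment {seg} has no decoy address")
    return problems

if __name__ == "__main__":
    hosts = available_cloud_servers()
    plan = plan_honeypot_containers(BUSINESS_IPS, hosts)
    print(hosts, plan, verify_plan(plan, BUSINESS_IPS), sep="\n")
```

With the constructed data only cloud-a and cloud-e pass both filters, so two containers are generated and the four decoy addresses are split between them; cloud-c is rejected for a single utilization spike and cloud-d for having too little free capacity despite being idle, which is exactly the distinction the two-stage filter of claims 3 and 4 draws.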
8. A honeypot generation apparatus, comprising:
a honeypot image file generation module, configured to:
acquire an image file of a service server;
determine the file type of each first subfile in the image file of the service server, wherein the file type is a deletion type or a retention type;
delete the first subfiles whose file type is the deletion type to obtain a compressed image file;
desensitize the compressed image file to obtain a desensitized image file; and
process the desensitized image file according to a security vulnerability setting rule to obtain a honeypot image file;
a first acquisition module, configured to acquire the honeypot image file, wherein the honeypot image file is a file obtained based on the image file of the service server and containing honeypot elements, the honeypot elements being used to induce an attacker to attack; and
a honeypot container generation module, configured to generate a honeypot container according to the honeypot image file.
9. The apparatus of claim 8, further comprising:
an available cloud server determining module, configured to determine an available cloud server, wherein the available cloud server is a user cloud server whose available server resources are larger than a first preset threshold, and the user cloud server is a cloud server whose usage rights are allocated to users;
wherein the honeypot container generation module is specifically configured to:
generate at least one honeypot container in the available cloud server according to the honeypot image file.
10. The apparatus of claim 9, wherein the available cloud server determining module is specifically configured to:
determine a user cloud server whose server resource utilization rate is smaller than a second preset threshold within a monitoring period.
11. The apparatus of claim 10, wherein the available cloud server determining module is further configured to:
determine, from the user cloud servers whose server resource utilization rate is smaller than the second preset threshold within the monitoring period, at least one user cloud server whose currently available server resources are larger than a third preset threshold.
12. The apparatus of claim 9, wherein the honeypot container generation module is specifically configured to:
generate, in the available cloud server, at least one honeypot container carrying a mapping relationship between a honeypot container internet protocol address and a service server internet protocol address, wherein each honeypot container is configured with a plurality of honeypot container internet protocol addresses.
13. The apparatus of claim 9, further comprising:
a domain name internet protocol address determining module, configured to determine the internet protocol address corresponding to the domain name of the service server;
wherein the honeypot container generation module is specifically configured to:
generate, in the available cloud server, at least one honeypot container carrying a mapping relationship between a honeypot container internet protocol address and the internet protocol address corresponding to the domain name, wherein each honeypot container is configured with a plurality of honeypot container internet protocol addresses.
14. The apparatus of claim 9, wherein, when a plurality of the service servers are deployed in a local area network, the apparatus further comprises:
a network segment determining module, configured to determine the network segment of the internet protocol address of each service server;
and the honeypot container generation module is specifically configured to:
generate at least one honeypot container in the available cloud server, wherein each honeypot container is configured with a plurality of honeypot container internet protocol addresses, and each network segment contains an internet protocol address having a mapping relationship with at least one honeypot container internet protocol address.
15. A honeypot container, produced using the method of any one of claims 1 to 7.
16. A honeypot generation device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor, wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
acquire an image file of a service server, and determine the file type of each first subfile in the image file of the service server, wherein the file type is a deletion type or a retention type;
delete the first subfiles whose file type is the deletion type to obtain a compressed image file;
desensitize the compressed image file to obtain a desensitized image file;
process the desensitized image file according to a security vulnerability setting rule to obtain a honeypot image file;
acquire the honeypot image file, wherein the honeypot image file is a file obtained based on the image file of the service server and containing honeypot elements, the honeypot elements being used to induce an attacker to attack; and
generate a honeypot container according to the honeypot image file.
CN201910282730.8A 2019-04-10 2019-04-10 Honeypot generation method, device and equipment Active CN110035079B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910282730.8A CN110035079B (en) 2019-04-10 2019-04-10 Honeypot generation method, device and equipment

Publications (2)

Publication Number Publication Date
CN110035079A CN110035079A (en) 2019-07-19
CN110035079B true CN110035079B (en) 2021-10-29

Family

ID=67237799

Country Status (1)

Country Link
CN (1) CN110035079B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110851827A (en) * 2019-10-14 2020-02-28 杭州安恒信息技术股份有限公司 Service customizable high-interaction honeypot realized based on container technology and use method
CN111308958B (en) * 2019-11-14 2021-04-20 广州安加互联科技有限公司 CNC equipment simulation method and system based on honeypot technology and industrial control honeypot
CN110958250B (en) * 2019-12-04 2022-06-10 百度在线网络技术(北京)有限公司 Port monitoring method and device and electronic equipment
CN111565199B (en) * 2020-07-14 2021-10-01 腾讯科技(深圳)有限公司 Network attack information processing method and device, electronic equipment and storage medium
CN114124414B (en) * 2020-08-11 2024-03-22 奇安信科技集团股份有限公司 Method and device for generating honey service, method for capturing attack behavior data, computer equipment and storage medium
CN112637226B (en) * 2020-12-28 2022-11-22 成都知道创宇信息技术有限公司 Site access response method and device and electronic equipment
CN113079157A (en) * 2021-03-31 2021-07-06 广州锦行网络科技有限公司 Method and device for acquiring network attacker position and electronic equipment
CN113067840B (en) * 2021-06-03 2021-08-24 江苏天翼安全技术有限公司 Method for realizing cloud plug-in vulnerability response honey net architecture
CN113515464B (en) * 2021-09-14 2021-11-19 广州锦行网络科技有限公司 Honeypot testing method and device based on linux system
CN115065495A (en) * 2022-04-07 2022-09-16 京东科技信息技术有限公司 Honeypot network operation method, device, equipment and storage medium
CN116055445A (en) * 2022-12-21 2023-05-02 安天科技集团股份有限公司 Honeypot technology realization method and device and electronic equipment
CN115632885B (en) * 2022-12-21 2023-04-21 北京微步在线科技有限公司 Honeypot manufacturing method, honeypot manufacturing device, electronic equipment and readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107566409A (en) * 2017-10-20 2018-01-09 携程旅游网络技术(上海)有限公司 Local area network scan behavioral value method, apparatus, electronic equipment, storage medium
CN107872467A (en) * 2017-12-26 2018-04-03 中国联合网络通信集团有限公司 Honey jar active defense method and honey jar Active Defending System Against based on Serverless frameworks
CN108900467A (en) * 2018-05-31 2018-11-27 华东师范大学 A method of perception is built and threatened to the automation honey jar based on Docker

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9813447B2 (en) * 2013-03-15 2017-11-07 Extreme Networks, Inc. Device and related method for establishing network policy based on applications
CN104980423A (en) * 2014-11-26 2015-10-14 哈尔滨安天科技股份有限公司 Advanced persistent threat trapping system and method
CN107643940A (en) * 2017-09-26 2018-01-30 华为技术有限公司 Container creation method, relevant device and computer-readable storage medium
CN108170517A (en) * 2018-01-08 2018-06-15 武汉斗鱼网络科技有限公司 A kind of container allocation method, apparatus, server and medium
CN109218327A (en) * 2018-10-15 2019-01-15 西安电子科技大学 Initiative type safeguard technology based on cloud container

Also Published As

Publication number Publication date
CN110035079A (en) 2019-07-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20200929
Address after: 27 Hospital Road, George Town, Grand Cayman ky1-9008
Applicant after: Innovative advanced technology Co.,Ltd.
Address before: 27 Hospital Road, George Town, Grand Cayman ky1-9008
Applicant before: Advanced innovation technology Co.,Ltd.
TA01 Transfer of patent application right
Effective date of registration: 20200929
Address after: 27 Hospital Road, George Town, Grand Cayman ky1-9008
Applicant after: Advanced innovation technology Co.,Ltd.
Address before: P.O. Box 847, Fourth Floor, Capital Building, Grand Cayman, Cayman Islands
Applicant before: Alibaba Group Holding Ltd.
GR01 Patent grant