CN111651757B - Method, device, equipment and storage medium for monitoring attack behaviors - Google Patents
Method, device, equipment and storage medium for monitoring attack behaviors Download PDFInfo
- Publication number
- CN111651757B CN111651757B CN202010510412.5A CN202010510412A CN111651757B CN 111651757 B CN111651757 B CN 111651757B CN 202010510412 A CN202010510412 A CN 202010510412A CN 111651757 B CN111651757 B CN 111651757B
- Authority
- CN
- China
- Prior art keywords
- attack
- honeypot
- data
- monitoring
- application
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000012544 monitoring process Methods 0.000 title claims abstract description 84
- 238000000034 method Methods 0.000 title claims abstract description 72
- 230000006399 behavior Effects 0.000 title claims description 134
- 235000012907 honey Nutrition 0.000 claims abstract description 183
- 239000000523 sample Substances 0.000 claims abstract description 99
- 230000008569 process Effects 0.000 claims description 20
- 238000004088 simulation Methods 0.000 claims description 10
- 238000013507 mapping Methods 0.000 claims description 4
- 238000005516 engineering process Methods 0.000 abstract description 11
- 238000012806 monitoring device Methods 0.000 description 8
- 238000004891 communication Methods 0.000 description 6
- 238000005422 blasting Methods 0.000 description 5
- 238000001514 detection method Methods 0.000 description 5
- 238000010586 diagram Methods 0.000 description 5
- 238000012546 transfer Methods 0.000 description 3
- 230000001960 triggered effect Effects 0.000 description 3
- 230000000694 effects Effects 0.000 description 2
- 230000009467 reduction Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000002347 injection Methods 0.000 description 1
- 239000007924 injection Substances 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 230000008450 motivation Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 239000000243 solution Substances 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
Abstract
The invention discloses a method, a device, equipment and a storage medium for monitoring an attack behavior, which relate to the field of financial science and technology, wherein the method for monitoring the attack behavior comprises the following steps: acquiring honeypot data through a honeypot probe corresponding to a monitored host; determining a service type corresponding to the honeypot data, and determining a target honeypot application corresponding to the monitored host according to the service type, wherein one honeypot application corresponds to a plurality of honeypot probes; and monitoring the attack behavior of the monitored host according to the honey data through the target honey application. The invention realizes the lightweight setting of the system architecture between the front-end host and the back-end honeypot server, and improves the accuracy of monitoring the attack behavior of an attacker through honeypot application.
Description
Technical Field
The present invention relates to the field of computer technologies of financial technologies (Fintech), and in particular, to a method, an apparatus, a device, and a storage medium for monitoring an attack behavior.
Background
With the development of computer technology, more and more technologies are applied in the financial field, and the traditional financial industry is gradually changed to financial technology (Fintech), so that the computer technology is not exceptional, but the computer technology is also required to be higher due to the requirements of safety and real-time performance of the financial industry.
Honeypot technology is essentially a technology for cheating an attacker, and by arranging a host, network service or information serving as a bait, the attacker is induced to attack the attacker, so that the attack behavior can be captured and analyzed, tools and methods used by the attacker are known, the attack intention and motivation are presumed, the defender can clearly know the faced security threat, and the security protection capability of an actual system is enhanced through technology and management means. The existing honeypot application needs to be deployed on each honeypot node, the honeypot application is directly deployed on a host computer which needs to be used for intrusion detection, at least one honeypot node exists in each host computer, each honeypot application occupies a large amount of hardware resources such as a CPU (Central Processing Unit ) and a hard disk space, but for the overall effect of honeypots, each host computer needs to deploy a large amount of honeypot applications, so that a large amount of hardware resources are occupied in IDCs (Internet Data Center, internet data centers), and the overall cost is high if the honeypot applications are changed and migrated.
Therefore, the existing honeypot application occupies more hardware resources of the host, and too many honeypot applications cannot be deployed in the host due to the limitation of hardware resources of each host, so that the accuracy of monitoring the attack behaviors of an attacker through the honeypot application is low.
Disclosure of Invention
The invention mainly aims to provide a method, a device, equipment and a storage medium for monitoring attack behaviors, and aims to solve the technical problems that the existing method, the device, the equipment and the storage medium for monitoring the attack behaviors of an attacker through a honeypot application are low in accuracy and the honeypot application is set to occupy more hardware resources of a host.
In order to achieve the above object, the present invention provides a method for monitoring an attack behavior, the method for monitoring an attack behavior comprising the steps of:
acquiring honeypot data through a honeypot probe corresponding to a monitored host;
determining a service type corresponding to the honeypot data, and determining a target honeypot application corresponding to the monitored host according to the service type, wherein one honeypot application corresponds to a plurality of honeypot probes;
and monitoring the attack behavior of the monitored host according to the honey data through the target honey application.
Optionally, the step of monitoring, by the target honeypot application, an attack behavior of attacking the monitored host according to the honeypot data includes:
executing attack operation corresponding to the honeypot data through the target honeypot application;
and acquiring attack data corresponding to the attack operation so as to monitor the attack behavior of the monitored host according to the attack data.
Optionally, after the step of monitoring the attack behavior of the monitored host according to the honey data by the target honey application, the method further includes:
and executing honeypot backtracking operation according to the attack data to determine the attack intention of an attacker corresponding to the monitored host.
Optionally, the step of executing a honeypot backtracking operation according to the attack data to determine an attack intention of an attacker corresponding to the monitored host includes:
executing honeypot backtracking operation according to the attack data, acquiring identity information of an attacker corresponding to the monitored host under attack in the honeypot backtracking operation process, and acquiring attack behavior information of the attacker;
and determining the attack intention of the attacker according to the attack behavior information and the identity information.
Optionally, after the step of determining the attack intention of the attacker according to the attack behavior information and the identity information, the method further includes:
and outputting alarm information containing the attack intention so as to prompt a user of the attack intention corresponding to the monitored host through the alarm information.
Optionally, the method for monitoring the attack behavior further includes:
When a first control instruction for controlling the honey pot probe is detected, controlling the corresponding honey pot probe according to the first control instruction, wherein the first control instruction at least comprises one of the following: and starting a probe starting instruction of the honey pot probe, closing an instruction of closing the honey pot probe and setting an instruction of setting the number of services of the honey pot probe corresponding to the simulation service.
Optionally, the method for monitoring the attack behavior further includes:
when a second control instruction for controlling the honeypot application is detected, controlling the honeypot application according to the second control instruction, wherein the second control instruction at least comprises one of the following: an increase instruction to increase the honeypot application, a decrease instruction to decrease the honeypot application, a honeypot start instruction to start the honeypot application, and a pause instruction to pause the honeypot application.
In addition, in order to achieve the above object, the present invention further provides an apparatus for monitoring an attack behavior, the apparatus for monitoring an attack behavior including:
the acquisition module is used for acquiring honeypot data through a honeypot probe corresponding to the monitored host;
the determining module is used for determining a service type corresponding to the honeypot data, and determining a target honeypot application corresponding to the monitored host according to the service type, wherein one honeypot application corresponds to a plurality of honeypot probes;
And the monitoring module is used for monitoring the attack behavior of the monitored host according to the honeypot data through the target honeypot application.
In addition, in order to achieve the above object, the present invention further provides an attack behavior monitoring device, where the attack behavior monitoring device includes a memory, a processor, and an attack behavior monitoring program stored in the memory and capable of running on the processor, where the attack behavior monitoring program, when executed by the processor, implements steps of an attack behavior monitoring method corresponding to a federal learning server.
In addition, in order to achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon an attack behavior monitoring program which, when executed by a processor, implements the steps of the attack behavior monitoring method described above.
The method comprises the steps of obtaining honey data through honey probes corresponding to a monitored host, determining a service type corresponding to the honey data, and determining a target honey application corresponding to the monitored host according to the service type, wherein one honey application corresponds to a plurality of honey probes; and monitoring the attack behavior of the monitored host according to the honeypot data through the target honeypot application. The honey pot probe is arranged in the monitored host computer at the front end, the honey pot application is arranged in the honey pot server at the rear end, the hardware resources of the front end host computer are prevented from being occupied by the honey pot application in a large amount, the lightweight setting of the system architecture between the front end host computer and the rear end honey pot server is realized, a plurality of honey pot applications are not required to be arranged in each host computer, honey pot data can be obtained through the honey pot probe, the situation that too many honey pot applications cannot be arranged in the host computer, the accuracy of the attack behavior of an attacker is monitored through the honey pot application is low is avoided, and the accuracy of the attack behavior of the attacker is monitored through the honey pot application is improved.
Drawings
FIG. 1 is a flow chart of a first embodiment of a method for monitoring an attack behavior according to the present invention;
FIG. 2 is a flow chart of a third embodiment of a method for monitoring an attack behavior according to the present invention;
FIG. 3 is a functional schematic block diagram of a preferred embodiment of the device for monitoring the behavior of an attack according to the present invention;
FIG. 4 is a schematic diagram of a hardware operating environment according to an embodiment of the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The invention provides a method for monitoring an attack behavior, referring to fig. 1, fig. 1 is a flow chart of a first embodiment of the method for monitoring an attack behavior of the invention.
The embodiments of the present invention provide embodiments of a method of monitoring for an attack, it being noted that although a logic sequence is shown in the flow diagram, in some cases the steps shown or described may be performed in a different order than that shown or described herein.
The method for monitoring the attack behavior comprises the following steps:
and step S10, acquiring honeypot data through a honeypot probe corresponding to the monitored host.
And step S20, determining a service type corresponding to the honeypot data, and determining a target honeypot application corresponding to the monitored host according to the service type, wherein one honeypot application corresponds to a plurality of honeypot probes.
In the embodiment of the invention, at least one honey application is arranged in the honey server, each honey application corresponds to a plurality of honey probes, and each monitored host is provided with one honey probe. The honeypot server is the back end with respect to the monitored host, and the monitored host is the front end with respect to the honeypot server. The honey probes are used for simulating services of the honey application, and each honey probe is provided with a port corresponding to different services, so that the services corresponding to the honey application can be simulated through the ports. Such as simulating SSH (Secure Shell protocol) services by establishing 22 ports in the honey probes, i.e., sending the honey data corresponding to the SSH services to the honey application through 22 ports. SSH is a security protocol that is based on an application layer, and SSH is a protocol that is currently more reliable and that is specific to providing security for telnet sessions and other network services. In this embodiment, the service types corresponding to the honeypot application include, but are not limited to, SSH service, web service, database service, windows remote desktop service, and the like. It can be understood that, the service types corresponding to the honeypot application can be standardized services such as SSH service, web service, database service, windows remote desktop service, and the like, and the service types corresponding to the honeypot application can be customized by the corresponding user of the honeypot server according to the needs.
When the monitored host receives the access request, the honey pot probe in the monitored host can acquire honey pot data corresponding to the access request, and the honey pot data is sent to the honey pot server. The honeypot data includes, but is not limited to, probe information, an IP address corresponding to the access request, a traffic type corresponding to the access request, and a service type corresponding to the access request. The probe information comprises a probe identifier, a name of a monitored host corresponding to the probe, and the like, wherein the probe identifier can be a probe name, and the probe identifier can uniquely identify a honeypot probe. In this embodiment, the traffic types corresponding to the access request include, but are not limited to, HTTP (HyperText Transfer Protocol ) traffic, HTTPs (Hyper Text Transfer Protocol over SecureSocket Layer, hypertext transfer security protocol) traffic, TCP (Transmission Control Protocol ) traffic, and UDP (User Datagram Protocol, user datagram protocol) traffic. It can be understood that, because the honey probe is provided with the ports corresponding to different services, when the honey probe obtains the access request, the honey probe obtains the type identifier in the access request, determines the corresponding transmitting port according to the type identifier, and transmits the honey data to the honey server through the transmitting port. It should be noted that, the type identifiers corresponding to the different ports are different, and in this embodiment, the representation form of the type identifier is not limited, and the type identifier may be in the form of numbers and/or letters. The service type corresponding to the honeypot data can be known through the type identifier, namely the port in the embodiment corresponds to the service type.
After the honey pot server acquires the honey pot data through the honey pot probe corresponding to the monitored host computer, the honey pot server determines the service type corresponding to the honey pot data, and determines the target honey pot application corresponding to the monitored host computer according to the service type. It should be noted that, in this embodiment, the honeypot applications corresponding to different service types are different, and the mapping relationship between the service types and the honeypot applications is stored in advance, so that the honeypot application corresponding to the monitored host can be determined through the mapping relationship and the service type corresponding to the honeypot data, and the honeypot application corresponding to the monitored host is recorded as the target honeypot application.
And step S30, monitoring the attack behavior of the monitored host according to the honeypot data through the target honeypot application.
After the honeypot server determines the target honeypot application, the honeypot server monitors the attack behavior of the monitored host according to the honeypot data through the target honeypot application, wherein the attack behavior is the attack behavior corresponding to the access request.
Further, after the honeypot server determines the target honeypot application, the honeypot server detects whether the target honeypot application is in an online state; if the target honey pot application is detected to be in an on-line state, the honey pot server monitors the attack behavior of the attack monitored host according to the honey pot data through the target honey pot application; and if the target honeypot application is detected not to be in the online state, namely the target honeypot application is in the offline state, the honeypot server controls the target honeypot application to be converted from the offline state to the online state.
Further, step S30 includes:
and a step a, executing attack operation corresponding to the honey data through the target honey application.
And b, acquiring attack data corresponding to the attack operation so as to monitor the attack behavior of the monitored host according to the attack data.
Specifically, the honeypot server executes the attack operation corresponding to the honeypot data, namely, executes the access request through the target honeypot application, acquires the attack data corresponding to the attack operation, and monitors the attack behavior of the attack monitored host according to the acquired attack data. It can be understood that, in the process of monitoring the attack behavior of the monitored host according to the honey data by the honey server through the target honey application, the honey server can simulate the execution process of the access request, namely simulate the attack process of the attack operation, obtain an execution result, return the execution result to the terminal corresponding to the access request, namely return the execution result to the attacker, wherein the execution result is the access data corresponding to the access request. If the access request is to acquire the data in the database A, the honeypot server returns the preset number and false data in the database A to the terminal corresponding to the access request. In the process of the attack by the target honeypot application simulation attack operation, attack data are acquired and stored, wherein the attack data comprise, but are not limited to, source IP addresses (IP addresses corresponding to access requests), account numbers used by an attacker, passwords used by the attacker, attack codes, source ports (ports corresponding to terminals of the attacker), attack time, target IP addresses, target ports, files uploaded during attack, service types of the attack and traffic types of attack behaviors, the target IP addresses and the target ports are IP addresses and ports of equipment of an object to be attacked by the attack operation, if the attack operation is to attack equipment B, the target IP addresses are the IP addresses of the equipment B, and the target ports are the ports of the equipment B. After the honey server acquires the attack data, the honey server can monitor the attack behavior of the monitored host computer through the attack data, namely, the attack data can finally simulate and replay all the operation information and records of the attacker. It can be understood that the source of an attacker, the login information (account number and password) used, the attack code and the like can be determined through the attack data, so that the effect of monitoring the attack behavior is realized.
If the honeypot server determines that the target honeypot application is the honeypot application corresponding to the database service, namely, through the target honeypot application, the database connection behavior is identified based on honeypot data, the database connection behavior enters a database simulation sub-module, connection with an attacker is established, corresponding operation data is fed back according to an access request of the attacker, all link data such as a source IP address, an account number used for logging in the database, and a password and an attack code used for logging in the database are recorded. It should be noted that, the implementation logic corresponding to other types of services is consistent, so the monitoring process of the corresponding honeypot application such as SSH service, web service, windows remote desktop service and the like for the target honeypot application is not repeated.
An attacker identifies a request behavior of logging in different account passwords for a plurality of times by carrying out violent detection on a login system, namely, a single IP address is identified as a blasting attack behavior, and an unauthorized access-free page or data designed by a honeypot server is accessed by constructing a login request, and then the unauthorized access-free page or data is an unauthorized attack behavior, such as accessing an unauthorized access-free database; the behavior of acquiring data through the mode of injecting web malicious codes such as SQL (structured query language) (Structured Query Language) is classified as the injection attack behavior corresponding to web services, and the like.
When the honey server receives honey data through the honey application, normal application interaction functions are simulated according to the honey data, for example, an attacker detects or attacks through a honey probe at the front end, related traffic is sent to the honey application at the rear end through the honey probe, interactive operation of the attacker on an application layer on the honey is realized, for example, a hacker attacks web services simulated by the honey, the honey application is used for receiving web requests of a hacker forwarded by the honey probe, returning web pages simulated by the hacker and having loopholes, supporting the attack actions of the hacker on the web pages, for example, a management platform for the hacker to attack the web is simulated, logging in the management platform through blasting, allowing the hacker to simulate successful blasting, entering the simulated cracked management platform page, and providing false web page data.
According to the embodiment, honey pot data are acquired through honey pot probes corresponding to a monitored host, service types corresponding to the honey pot data are determined, and target honey pot applications corresponding to the monitored host are determined according to the service types, wherein one honey pot application corresponds to a plurality of honey pot probes; and monitoring the attack behavior of the monitored host according to the honeypot data through the target honeypot application. The honey pot probe is arranged in the monitored host computer at the front end, the honey pot application is arranged in the honey pot server at the rear end, the hardware resources of the front end host computer are prevented from being occupied by the honey pot application in a large amount, the lightweight setting of the system architecture between the front end host computer and the rear end honey pot server is realized, a plurality of honey pot applications are not required to be arranged in each host computer, honey pot data can be obtained through the honey pot probe, the situation that too many honey pot applications cannot be arranged in the host computer, the accuracy of the attack behavior of an attacker is monitored through the honey pot application is low is avoided, and the accuracy of the attack behavior of the attacker is monitored through the honey pot application is improved.
Further, at present, the honey application can directly capture all traffic of the attack source, because the traffic is directly oriented to the attacker, the honey application can send the captured traffic of the attack source to the honey server at the back end, and at this time, the honey server distinguishes data sent by each honey application through the IP (Internet Protocol ) address of the honey application. When a plurality of attackers attack the same honeypot application, the information such as attack codes, attack frequencies and the like of the plurality of attackers are detected by the honeypot server, so that the attack behavior of one IP address is only shown, the conditions such as the plurality of external IP addresses, the plurality of attack codes, the attack frequencies and the like cannot be truly restored, and the conditions such as the plurality of external IP addresses, the plurality of attack codes, the attack frequencies and the like can only be monitored as one IP address, thus, honeypot data distortion can be caused, and the honeypot server cannot execute malicious modeling, alarming and the like according to normal logic. In the embodiment, the ports corresponding to different service types are arranged in the honey pot probes, and the honey pot data of different types are sent to the corresponding honey pot application through the ports, so that honey pot data distortion is avoided, and the accuracy of monitoring the attack behaviors of an attacker through the honey pot application is further improved.
Further, a second embodiment of the method for monitoring the attack behavior of the present invention is provided. The second embodiment of the method for monitoring an attack behavior is different from the first embodiment of the method for monitoring an attack behavior in that, referring to fig. 2, the method for monitoring an attack behavior further includes:
and step S40, executing honeypot backtracking operation according to the attack data to determine the attack intention of an attacker corresponding to the monitored host.
And after the honey server obtains the attack data, the honey server executes honey backtracking operation according to the attack data so as to determine the attack intention of the attacker corresponding to the monitored attack subject. The attack intention is used for representing the final purpose of an attacker, and the attack intention can include a source IP address, an attack type and an attack payload, for example, the attacker can forcedly log in a certain database, and at this time, the attack intention can be to acquire data stored in the database, or tamper with the data stored in the database. Specifically, the honeypot server can execute honeypot backtracking operation according to attack data when detecting a backtracking instruction, wherein the backtracking instruction can be triggered by the honeypot server at fixed time or by a user corresponding to the honeypot server as required.
For easy understanding, for example, the honey server at the back end uses the IP address as a unique key value, shows all traffic behaviors of the IP address corresponding to the time axis, classifies the traffic according to different service detection and attack traffic in the time axis, and is simple as an attack case: 1. the attacker scans and discovers the management platform of the site A, and the flow reflects the flow behavior of the attacker requesting A; 2. an attacker performs blasting behavior of the management platform aiming at A, the flow reflects a large number of account number code retry operations aiming at the management platform of A, blasting is successful, the attacker logs in the management platform of A, at the moment, the honeypot application can record and reflect that the attacker logs in the management platform of A by using an account number xx password xx, and records all page operation behaviors; 3. the attacker further attacks A, find other loopholes of A, such as SSRF (Server-Side Request Forgery, server side request forgery) loopholes, and attack other servers of intranet through SSRF loopholes, can record and see the flow of SSRF attack at this time, 4, the attacker further detects intranet Server through the loopholes in 3, intranet can simulate various business systems such as account management system, deposit system, etc., the attacker can obtain this part of service through the loopholes in 3, when the attacker detects and logs in the relevant system, various operations can be recorded, especially the data that the attacker derives, reads, modifies can be recorded in detail, is convenient for identifying the target data of his attack, 5, demonstrate through step 1-4, can discern all attack processes of attacker, and catch all attack codes of it, finally according to his operation behavior to system and data that specifically visit, can discern the intention of his attack finally.
It can be understood that the honeypot server can analyze, play back and the like the attack behaviors of the attacker through the attack data, so that the honeypot server can know the attack behaviors of the attacker conveniently.
Further, the step S40 includes:
and c, executing honeypot backtracking operation according to the attack data, acquiring identity information of an attacker corresponding to the monitored host under attack in the honeypot backtracking operation process, and acquiring attack behavior information of the attacker.
And after the honeypot server detects the backtracking instruction, the honeypot server executes honeypot backtracking operation according to the attack data, and acquires identity information of an attacker corresponding to the attack monitored host in the process of executing the honeypot backtracking operation. It should be noted that, in the process of executing the backtracking operation, the honeypot server executes the identity information capturing logic, and obtains the identity information of the attacker through the capturing logic and obtains the attack behavior information of the attacker, where the capturing logic is stored in the honeypot server in advance. The identity information includes, but is not limited to, the identity of the attacker, the attacker's IP address and the social account number. An attacker can be uniquely determined by the identity of the attacker. It should be noted that, executing the backtracking operation process at the honeypot server may simulate the vulnerability detection or scanning detection operation performed by the attacker, and simulate the process of opening the target file in the honeypot by the attacker, so as to obtain the identity information of the attacker.
The attack behavior information includes, but is not limited to, an IP address corresponding to the access request, a traffic type corresponding to the access request, a service type corresponding to the access request, an account number used by an attacker, a password used by the attacker, an attack code, an attack time and a file uploaded during attack. It is understood that the IP address corresponding to the access request is the IP address of the attacker. It should be noted that, the attack behavior information may include honeypot data, but is not limited to honeypot data, and the attack behavior information may also include attack data, but is not limited to attack data.
And d, determining the attack intention of the attacker according to the attack behavior information and the identity information.
After the honey server acquires the attack behavior information and the identity information, the honey server correlates the attack behavior information and the identity information to obtain correlation information, and determines the attack intention of an attacker through the correlation information, wherein the attack intention can be what resource the attacker wants to attack. Specifically, the honeypot server may associate the identity information and the attack behavior information with an IP address of an attacker in the identity information and the attack behavior information as fingerprint information.
Further, the method for monitoring the attack behavior further comprises the following steps:
and e, outputting alarm information containing the attack intention, so as to prompt a user of the attack intention corresponding to the monitored host computer through the alarm information.
After the honey server determines the attack intention of the attacker, the honey server outputs alarm information containing the attack intention so as to prompt the monitored host to be invaded by the attacker through the alarm information and tell the user of the attack intention corresponding to the attacker through the alarm information. Specifically, the honeypot server may output the alert information in the form of voice and/or text, etc. Further, the honey server can also send the alarm information to the mobile terminal, so that after the mobile terminal receives the alarm information, the mobile terminal outputs the alarm information, and prompts a mobile terminal user to attack the attack intention corresponding to the monitored host through the alarm information.
According to the embodiment, the honeypot backtracking operation is executed according to the attack data, so that the attack intention of the attacker corresponding to the monitored host is determined, a user can know the attack behavior of the attacker according to the attack intention, an operation and maintenance person can conveniently prevent the attack behavior of the attacker according to the attack intention, and the security of the corresponding network is improved.
Further, a third embodiment of the method for monitoring the attack behavior of the present invention is provided. The third embodiment of the method for monitoring an attack behavior is different from the first and/or second embodiments of the method for monitoring an attack behavior in that the method for monitoring an attack behavior further includes:
f, after a first control instruction for controlling the honey pot probe is detected, controlling the corresponding honey pot probe according to the first control instruction, wherein the first control instruction at least comprises one of the following: and starting a probe starting instruction of the honey pot probe, closing an instruction of closing the honey pot probe and setting an instruction of setting the number of services of the honey pot probe corresponding to the simulation service.
The honey pot server detects whether a first control instruction for controlling the honey pot probe is detected, wherein the first control instruction is triggered by a honey pot server corresponding to a user according to the need, or the honey pot server receives the first control instruction sent by other terminal equipment. When the honey pot server detects a first control instruction for controlling the honey pot probe, the honey pot server controls the corresponding honey pot probe according to the first control instruction. In the first control command, the probe identifier of the honey pot probe to be controlled is carried, and the specific honey pot probe to be controlled can be determined by the probe identifier. Wherein, the first control instruction at least comprises one of the following: a probe start instruction for starting the honey pot probe, a closing instruction for closing the honey pot probe and a setting instruction for setting the number of services of the honey pot probe corresponding to the simulation service. It can be understood that the honey pot server can start the honey pot probe in the closed state through the probe start command, so that the honey pot probe in the closed state is started, and only the honey pot probe in the started state can acquire honey pot data. The honey pot server can close the honey pot probe according to the closing instruction; the honey server can set the service quantity of the simulation service corresponding to each honey probe according to the setting instruction, for example, the service quantity of the simulation service corresponding to the honey probe A can be set to 2, namely SSH service and web service respectively, and the service quantity of the simulation service corresponding to the honey probe B can be set to 3, namely SSH service, web service and windows remote desktop service respectively.
Further, the method for monitoring the attack behavior further comprises the following steps:
and g, controlling the honey application according to a second control instruction after detecting the second control instruction for controlling the honey application, wherein the second control instruction at least comprises one of the following steps: an increase instruction to increase the honeypot application, a decrease instruction to decrease the honeypot application, a honeypot start instruction to start the honeypot application, and a pause instruction to pause the honeypot application.
Further, the honey server detects whether a second control instruction for controlling the honey application is detected, wherein the second control instruction is triggered by a honey server corresponding to a user according to needs, or the honey server receives the second control instruction sent by other terminal equipment. And after the honey pot server detects a second control instruction for controlling the honey pot application, the honey pot server controls the corresponding honey pot application according to the second control instruction. In the second control instruction, an application identifier of the honeypot application to be controlled is carried, and the application identifier can be used for determining which honeypot application to be controlled is specifically. Wherein the second control instruction at least comprises one of the following: an add honeypot application increase instruction, a reduce honeypot application decrease instruction, a honeypot start instruction to start the honeypot application, and a pause instruction to pause the honeypot application. Specifically, the honeypot server may increase the number of honeypot applications according to the increase instruction, such as increasing the number of honeypot applications from 2 to 4 according to the increase instruction; the honeypot server reduces the number of honeypot applications according to the reduction instruction, such as reducing the number of honeypot applications from 3 to 2 according to the reduction instruction; the honey pot server starts the honey pot application in a closed state according to the honey pot starting instruction, so that the honey pot application is in a starting state; the honeypot server pauses the honeypot application in the running state according to the pause instruction. Further, the honey server may also delete the honey application or uninstall the honey application.
According to the embodiment, the honey pot probe is controlled through the first control instruction, and the honey pot application is controlled through the second control instruction, so that the flexibility of honey pot probe and honey pot application setting is improved.
In addition, the invention also provides a device for monitoring the attack behavior, referring to fig. 3, the device for monitoring the attack behavior comprises:
an acquisition module 10, configured to acquire honeypot data through a honeypot probe corresponding to a monitored host;
a determining module 20, configured to determine a service type corresponding to the honeypot data, and determine a target honeypot application corresponding to the monitored host according to the service type, where one honeypot application corresponds to a plurality of honeypot probes;
and the monitoring module 30 is used for monitoring the attack behavior of the monitored host according to the honeypot data through the target honeypot application.
Further, the monitoring module 30 includes:
the first execution unit is used for executing attack operation corresponding to the honey pot data through the target honey pot application;
and the first acquisition unit acquires attack data corresponding to the attack operation so as to monitor the attack behavior of the monitored host according to the attack data.
Further, the device for monitoring the attack behavior further comprises:
And the execution module is used for executing honeypot backtracking operation according to the attack data so as to determine the attack intention of an attacker corresponding to the monitored host.
Further, the execution module includes:
the second execution unit is used for executing honeypot backtracking operation according to the attack data;
the second acquisition unit is used for acquiring identity information of an attacker corresponding to the monitored host under attack in the honeypot backtracking operation process and acquiring attack behavior information of the attacker;
and the determining unit is used for determining the attack intention of the attacker according to the attack behavior information and the identity information.
Further, the device for monitoring the attack behavior further comprises:
and the output module is used for outputting alarm information containing the attack intention so as to prompt a user of the attack intention corresponding to the monitored host computer through the alarm information.
Further, the device for monitoring the attack behavior further comprises:
the first control module is used for controlling the corresponding honey pot probe according to the first control instruction after detecting the first control instruction for controlling the honey pot probe, wherein the first control instruction at least comprises one of the following: and starting a probe starting instruction of the honey pot probe, closing an instruction of closing the honey pot probe and setting an instruction of setting the number of services of the honey pot probe corresponding to the simulation service.
Further, the device for monitoring the attack behavior further comprises:
the second control module is used for controlling the honeypot application according to the second control instruction after detecting the second control instruction for controlling the honeypot application, wherein the second control instruction at least comprises one of the following steps: an increase instruction to increase the honeypot application, a decrease instruction to decrease the honeypot application, a honeypot start instruction to start the honeypot application, and a pause instruction to pause the honeypot application.
The specific implementation manner of the device for monitoring the attack behavior is basically the same as that of each embodiment of the method for monitoring the attack behavior, and is not repeated here.
In addition, the invention also provides equipment for monitoring the attack behaviors. As shown in fig. 4, fig. 4 is a schematic structural diagram of a hardware running environment according to an embodiment of the present invention.
It should be noted that fig. 4 is a schematic structural diagram of a hardware running environment of the attack behavior monitoring device. The monitoring equipment of the attack behavior in the embodiment of the invention can be terminal equipment such as a PC, a portable computer and the like.
As shown in fig. 4, the attack behavior monitoring device may include: a processor 1001, such as a CPU, memory 1005, user interface 1003, network interface 1004, communication bus 1002. Wherein the communication bus 1002 is used to enable connected communication between these components. The user interface 1003 may include a Display, an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may further include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a stable memory (non-volatile memory), such as a disk memory. The memory 1005 may also optionally be a storage device separate from the processor 1001 described above.
Those skilled in the art will appreciate that the structure of the offensive behavior monitoring device illustrated in fig. 4 does not constitute a limitation of the offensive behavior monitoring device, and may include more or fewer components than illustrated, or may combine certain components, or may be a different arrangement of components.
As shown in fig. 4, an operating system, a network communication module, a user interface module, and a monitoring program of an attack behavior may be included in a memory 1005 as one type of computer storage medium. The operating system is a program for managing and controlling hardware and software resources of the equipment for monitoring the attack, and supports the operation of other software or programs.
In the attack behavior monitoring device shown in fig. 4, the user interface 1003 is mainly used for connecting to a terminal device, and performing data communication with the terminal device, for example, sending alarm information to the terminal device; the network interface 1004 is mainly used for a background server and is in data communication with the background server; the processor 1001 may be configured to call a monitoring program of an attack behavior stored in the memory 1005 and execute the steps of the attack behavior monitoring method as described above.
The specific implementation manner of the attack behavior monitoring device is basically the same as that of each embodiment of the attack behavior monitoring method, and is not repeated here.
In addition, the embodiment of the invention also provides a computer readable storage medium, wherein the computer readable storage medium stores an attack behavior monitoring program, and the attack behavior monitoring program realizes the steps of the attack behavior monitoring method when being executed by a processor.
The specific implementation manner of the computer readable storage medium of the present invention is basically the same as the embodiments of the method for monitoring the attack behavior, and will not be described herein.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.
Claims (7)
1. The method for monitoring the attack behavior is characterized by comprising the following steps of:
Acquiring honeypot data through a honeypot probe corresponding to a monitored host; the honeypot data are data corresponding to the access request received by the monitored host; the honeypot data includes: probe information, an IP address corresponding to the access request, a flow type corresponding to the access request and a service type corresponding to the access request; the probe information includes: a probe mark and the name of the monitored host corresponding to the probe;
determining a service type corresponding to the honeypot data, and determining a target honeypot application corresponding to the monitored host according to the service type, wherein one honeypot application corresponds to a plurality of honeypot probes; determining the target honey application corresponding to the service type according to a preset mapping relation between the service type and the honey application; each honey pot probe is provided with ports corresponding to different service types;
monitoring, by the target honeypot application, an attack behavior that attacks the monitored host according to the honeypot data;
the step of monitoring the attack behavior of the monitored host according to the honeypot data by the target honeypot application comprises the following steps:
Executing attack operation corresponding to the honeypot data through the target honeypot application;
acquiring attack data corresponding to the attack operation, so as to monitor the attack behavior of the monitored host according to the attack data;
after the step of monitoring the attack behavior of the monitored host according to the honeypot data by the target honeypot application, the method further comprises the following steps:
executing honeypot backtracking operation according to the attack data to determine attack intention of an attacker corresponding to the monitored host;
the step of executing the honeypot backtracking operation according to the attack data to determine the attack intention of the attacker corresponding to the monitored host comprises the following steps:
executing honeypot backtracking operation according to the attack data, acquiring identity information of an attacker corresponding to the monitored host under attack in the honeypot backtracking operation process, and acquiring attack behavior information of the attacker; the honeypot backtracking operation process comprises the steps of executing identity information capturing logic;
determining the attack intention of the attacker according to the attack behavior information and the identity information; the attack intent includes: attack source IP address, attack type, and attack payload.
2. The method for monitoring the attack as set forth in claim 1, wherein after the step of determining the attack intention of the attacker based on the attack behavior information and the identity information, further comprising:
and outputting alarm information containing the attack intention so as to prompt a user of the attack intention corresponding to the monitored host through the alarm information.
3. The method for monitoring an attack as set forth in claim 1, wherein the method for monitoring an attack further comprises:
when a first control instruction for controlling the honey pot probe is detected, controlling the corresponding honey pot probe according to the first control instruction, wherein the first control instruction at least comprises one of the following: and starting a probe starting instruction of the honey pot probe, closing an instruction of closing the honey pot probe and setting an instruction of setting the number of services of the honey pot probe corresponding to the simulation service.
4. A method of monitoring an attack as set forth in any one of claims 1 to 3, wherein the method of monitoring an attack further comprises:
when a second control instruction for controlling the honeypot application is detected, controlling the honeypot application according to the second control instruction, wherein the second control instruction at least comprises one of the following: an increase instruction to increase the honeypot application, a decrease instruction to decrease the honeypot application, a honeypot start instruction to start the honeypot application, and a pause instruction to pause the honeypot application.
5. An apparatus for monitoring an attack, wherein the apparatus for monitoring an attack comprises:
the acquisition module is used for acquiring honeypot data through a honeypot probe corresponding to the monitored host; the honeypot data are data corresponding to the access request received by the monitored host; the honeypot data includes: probe information, an IP address corresponding to the access request, a flow type corresponding to the access request and a service type corresponding to the access request; the probe information includes: a probe mark and the name of the monitored host corresponding to the probe;
the determining module is used for determining a service type corresponding to the honeypot data, and determining a target honeypot application corresponding to the monitored host according to the service type, wherein one honeypot application corresponds to a plurality of honeypot probes; determining the target honey application corresponding to the service type according to a preset mapping relation between the service type and the honey application; each honey pot probe is provided with ports corresponding to different service types;
the monitoring module is used for monitoring the attack behavior of the monitored host according to the honeypot data through the target honeypot application;
The device for monitoring the attack behavior further comprises: an execution module; the monitoring module includes: the first execution unit and the first acquisition unit; the execution module comprises: the second execution unit and the second acquisition unit;
and in the aspect of monitoring the attack behavior of the monitored host according to the honeypot data by the target honeypot application:
the first execution unit is used for executing attack operation corresponding to the honeypot data through the target honeypot application;
the first acquisition unit is used for acquiring attack data corresponding to the attack operation so as to monitor the attack behavior of the monitored host according to the attack data;
after the target honeypot application is used, the attack behavior of the monitored host is monitored according to the honeypot data:
the execution module is used for executing honeypot backtracking operation according to the attack data so as to determine the attack intention of an attacker corresponding to the monitored host;
and executing honeypot backtracking operation according to the attack data to determine an attack intention of an attacker corresponding to the monitored host computer:
The second execution unit is used for executing honeypot backtracking operation according to the attack data;
the second obtaining unit is used for obtaining identity information of an attacker corresponding to the monitored host in the process of the honeypot backtracking operation and obtaining attack behavior information of the attacker; the honeypot backtracking operation process comprises the steps of executing identity information capturing logic;
the determining module is used for determining the attack intention of the attacker according to the attack behavior information and the identity information; the attack intent includes: attack source IP address, attack type, and attack payload.
6. An attack monitoring apparatus, characterized in that it comprises a memory, a processor and an attack monitoring program stored on the memory and executable on the processor, which attack monitoring program, when executed by the processor, implements the steps of the attack monitoring method according to any of claims 1 to 4.
7. A computer-readable storage medium, wherein an attack behavior monitoring program is stored on the computer-readable storage medium, which when executed by a processor implements the steps of the attack behavior monitoring method according to any of claims 1 to 4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010510412.5A CN111651757B (en) | 2020-06-05 | 2020-06-05 | Method, device, equipment and storage medium for monitoring attack behaviors |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010510412.5A CN111651757B (en) | 2020-06-05 | 2020-06-05 | Method, device, equipment and storage medium for monitoring attack behaviors |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111651757A CN111651757A (en) | 2020-09-11 |
| CN111651757B true CN111651757B (en) | 2024-04-09 |
Family
ID=72347299
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010510412.5A Active CN111651757B (en) | 2020-06-05 | 2020-06-05 | Method, device, equipment and storage medium for monitoring attack behaviors |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111651757B (en) |
Families Citing this family (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111865815B (en) * | 2020-09-24 | 2020-11-24 | 中国人民解放军国防科技大学 | Flow classification method and system based on federal learning |
| CN114531258B (en) * | 2020-11-05 | 2023-04-18 | 腾讯科技(深圳)有限公司 | Network attack behavior processing method and device, storage medium and electronic equipment |
| CN112637244B (en) * | 2021-01-08 | 2023-07-07 | 江苏天翼安全技术有限公司 | Threat detection method for common and industrial control protocols and ports |
| CN112699009A (en) * | 2021-01-12 | 2021-04-23 | 树根互联技术有限公司 | Data detection method and device, server and storage medium |
| CN112910907A (en) * | 2021-02-07 | 2021-06-04 | 深信服科技股份有限公司 | Defense method, device, client, server, storage medium and system |
| CN112995151B (en) * | 2021-02-08 | 2023-11-14 | 腾讯科技(深圳)有限公司 | Access behavior processing method and device, storage medium and electronic equipment |
| CN113438199B (en) * | 2021-05-07 | 2023-04-18 | 中国银行股份有限公司 | Database attack defense method, device and system |
| CN113676449B (en) * | 2021-07-13 | 2023-05-05 | 北京奇艺世纪科技有限公司 | Network attack processing method and device |
| CN113645253B (en) * | 2021-08-27 | 2023-05-26 | 杭州安恒信息技术股份有限公司 | Attack information acquisition method, device, equipment and storage medium |
| CN114205127A (en) * | 2021-11-29 | 2022-03-18 | 中国铁路北京局集团有限公司北京通信段 | Network safety monitoring method and system for railway |
| CN114024774A (en) * | 2022-01-05 | 2022-02-08 | 北京微步在线科技有限公司 | Method and device for generating attacker portrait and electronic equipment |
| CN114500086B (en) * | 2022-02-22 | 2022-11-04 | 山东云天安全技术有限公司 | Honeypot safety state determination method, electronic device and computer-readable storage medium |
| CN114826663B (en) * | 2022-03-18 | 2023-12-01 | 烽台科技(北京)有限公司 | Honeypot identification method, device, equipment and storage medium |
| CN115189905B (en) * | 2022-05-09 | 2023-05-23 | 济南大学 | Network communication and safety control integrated machine and working method thereof |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110881052A (en) * | 2019-12-25 | 2020-03-13 | 成都知道创宇信息技术有限公司 | Network security defense method, device and system and readable storage medium |
| CN110958250A (en) * | 2019-12-04 | 2020-04-03 | 百度在线网络技术(北京)有限公司 | Port monitoring method and device and electronic equipment |
| CN110990115A (en) * | 2019-11-21 | 2020-04-10 | 博智安全科技股份有限公司 | Containerized deployment management system and method for honeypots |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109033885B (en) * | 2017-06-09 | 2022-11-18 | 腾讯科技(深圳)有限公司 | Data response method, terminal equipment and server |
-
2020
- 2020-06-05 CN CN202010510412.5A patent/CN111651757B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110990115A (en) * | 2019-11-21 | 2020-04-10 | 博智安全科技股份有限公司 | Containerized deployment management system and method for honeypots |
| CN110958250A (en) * | 2019-12-04 | 2020-04-03 | 百度在线网络技术(北京)有限公司 | Port monitoring method and device and electronic equipment |
| CN110881052A (en) * | 2019-12-25 | 2020-03-13 | 成都知道创宇信息技术有限公司 | Network security defense method, device and system and readable storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111651757A (en) | 2020-09-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111651757B (en) | Method, device, equipment and storage medium for monitoring attack behaviors | |
| CN112383546B (en) | Method for processing network attack behavior, related equipment and storage medium | |
| CN110855676B (en) | Network attack processing method and device and storage medium | |
| CN111400722B (en) | Method, apparatus, computer device and storage medium for scanning small program | |
| CN105553917B (en) | Method and system for detecting webpage bugs | |
| CN105939326A (en) | Message processing method and device | |
| CN113259392B (en) | Network security attack and defense method, device and storage medium | |
| CN107040518B (en) | Private cloud server login method and system | |
| CN112615863A (en) | Method, device, server and storage medium for resisting attack host | |
| CN107465702B (en) | Early warning method and device based on wireless network intrusion | |
| CN113676449A (en) | Network attack processing method and device | |
| CN113098835A (en) | Honeypot implementation method based on block chain, honeypot client and honeypot system | |
| CN113868659B (en) | Vulnerability detection method and system | |
| CN110602134B (en) | Method, device and system for identifying illegal terminal access based on session label | |
| CN110909350B (en) | Method for remotely and accurately identifying WebShell backdoor | |
| CN110768949B (en) | Vulnerability detection method and device, storage medium and electronic device | |
| CN114531258B (en) | Network attack behavior processing method and device, storage medium and electronic equipment | |
| CN107294994B (en) | CSRF protection method and system based on cloud platform | |
| CN116318783A (en) | Network industrial control equipment safety monitoring method and device based on safety index | |
| CN109560960B (en) | WAF brute force cracking protection parameter configuration method and device and WAF system | |
| CN114024740A (en) | Threat trapping method based on secret tag bait | |
| CN109543419B (en) | Method and device for detecting asset security | |
| CN116074280A (en) | Application intrusion prevention system identification method, device, equipment and storage medium | |
| CN113114609A (en) | Webshell detection evidence obtaining method and system | |
| KR20180076174A (en) | A method and apparatus for detecting malicious scripts based on mobile device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |