CN113810423A - Industrial control honey pot - Google Patents

Industrial control honey pot

Info

Publication number: CN113810423A
Authority: CN (China)
Prior art keywords: honeypot, network, data, terminal, attack
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202111105295.5A
Other languages: Chinese (zh)
Inventors: 戴晋, 徐浩然, 张金山
Current Assignee: Zhongneng Integrated Smart Energy Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Zhongneng Integrated Smart Energy Technology Co Ltd
Priority date: 2021-09-22 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2021-09-22
Publication date: 2021-12-17

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an industrial control honeypot, which comprises a honeypot, a terminal collector, a honeypot data center and a terminal traffic analysis alarm module, wherein the honeypot is connected with the terminal collector. The honeypot is simulated industrial control equipment used to deceive attackers and collect their attack behaviors; the terminal collector is arranged at the network egress and collects the traffic data of the whole network; the honeypot data center collects, screens, analyzes and studies the collected whole-network traffic data and confirms threat data; the big data computing center summarizes and analyzes all attack behaviors, extracts alarm rules and stores them in an alarm rule base; and the terminal traffic analysis alarm module uses the alarm rules of the attack behaviors to alarm on and block all subsequent attack behaviors with the same characteristics.

Description

Industrial control honey pot
Technical Field
The application relates to the field of industrial control network security, in particular to an industrial control honey pot.
Background
Currently, with the development of internet technology, network scanning, the spread of worms and virus code, and malicious attacks by hackers are risks that every host on a network may encounter at any time. To cope with these risks, anti-virus software and firewall technologies have been developed, but they are passive. The introduction of honeypot and honeynet technologies has provided an active way to investigate these security threats on the network. However, a large number of attacks now exist on the internet which directly affect the security of industrial control systems, and the security situation of industrial control systems is becoming more and more serious. To enhance the security of industrial control networks, many researchers have adopted honeypot technology to protect systems. A honeypot is an artificially established fake device that is not part of the service logic and can be discovered and attacked from the network. As an active defense technology, the honeypot can attract attacks, analyze them, infer the attacker's intentions and feed the results to threat blocking technologies such as firewalls, IDSs and IPSs.
The honeynet is a newer concept that developed gradually out of honeypot technology and can be understood as a trapping network. One honeynet usually contains one or more honeypots, and honeynet technology is a research direction within high-interaction honeypot technology. Its main purpose is to collect attack information about hackers. The difference from traditional honeypot technology is that the honeynet constitutes a hacker-trapping network architecture, in which one or more honeypots can be included, while ensuring high controllability of the network and providing various tools to facilitate the acquisition and analysis of attack information.
Honeypots refer to baits deployed on a network that can masquerade as real networks, hosts and services, entice malicious attacks, and have the value of collecting information about attack activities on the network and monitoring, detecting and analyzing the information.
The honeynet system is used to collect attack information about intruders; therefore, how to raise a network alarm and how to provide real-time protection is an important component of the honeynet system.
Honeynets are an architecture, not a product (e.g., computer software); that is, they consist of one or more honeypots. Honeypots are a common tool that can lure attackers into the network, analyze the relevant information from the network data sources, and obtain the login activity of intruders. Typically, a honeynet has no production value; its value lies instead in detecting unauthorized and illegal use of information system resources. Any data entering or leaving a honeypot may be considered a probe, attack or compromise. By learning how attackers are tricked into the network, an administrator gains knowledge that can be used to strengthen the defense of his network and close the corresponding vulnerabilities in the production network.
A honeynet is generally composed of one or more honeypot system architectures. The system may contain multiple similar or different databases, servers, web servers, routers, or printers. Furthermore, in this architecture the network system is designed to let attackers interact with it while all activity that occurs is monitored.
In general, data control covers the relevant activities and helps reduce the risk of hackers using the honeynet to attack non-honeynet systems. The data control requirement must give hackers enough freedom to enter while restricting their activities: when hackers are given more freedom, they may bypass the data control and harm non-honeynet systems, adding risk to those systems; however, the more activity is restricted, the harder it becomes to understand how hackers penetrate an organization's intranet. A successful deployment therefore uses multiple layers of data control, including but not limited to limits on outbound connections, intrusion prevention gateways or bandwidth restrictions; combining several different mechanisms helps prevent a single point of failure, especially when dealing with new or unknown attacks. The Honeynet Project has also publicly recommended operating in a closed experimental environment. Of course, if any mechanism fails (e.g., a process crashes, a hard drive is full, or a rule is misconfigured), the honeynet architecture may prevent all outbound activity.
In recent years, with the severe state of industrial control security, honeypot technology has been applied more and more in the industrial control field, progressing from simulation of protocols to simulation of the industrial control environment, with ever higher interaction capability and ever more complex structure. Open-source industrial control honeypots mainly simulate industrial control protocols such as Modbus, S7, IEC-104 and DNP3. Conpot and Snap7 are relatively mature representative honeypots. Conpot implements simulation of protocols such as s7comm, Modbus, BACnet and HTTP; as a low-interaction honeypot it is simple to deploy, its protocol content is easy to extend, and device information is configured in XML form, which is easy to modify and maintain. Snap7 is a honeypot specific to Siemens PLCs and implements essentially the whole s7comm protocol stack. Its PLC simulation system can simulate the information and state of real equipment and supports the interaction of common PLC operations. However, these mainstream virtual honeypots can only simulate a single industrial control protocol and therefore can only capture attack data for that single protocol.
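As an added illustration (this is example code written for this page, not code from the patent, Conpot or Snap7), the following Python sketch shows the core of the kind of low-interaction Modbus/TCP honeypot described above: it validates the MBAP header, records every request as an event that the collector can ship onward, answers Read Holding Registers from a constructed register map, echoes Write Single Register without applying it, and returns a Modbus exception for everything else, so that scans and fuzzed frames are logged rather than dropped. The register values, peer address, event fields and function-name table are assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed register map of the simulated PLC (values made up for the example).
SIMULATED_HOLDING_REGISTERS = {0: 1200, 1: 55, 2: 3, 3: 0}

# Subset of public Modbus function codes, named for the event log (assumed table).
FUNCTION_NAMES = {
    1: "read_coils",
    3: "read_holding_registers",
    6: "write_single_register",
    16: "write_multiple_registers",
    43: "read_device_identification",
}

ILLEGAL_FUNCTION = 0x01    # Modbus exception codes
ILLEGAL_DATA_VALUE = 0x03


@dataclass
class HoneypotEvent:
    """One interaction record: the 'attack behavior' later forwarded to the collector."""
    peer: str
    unit_id: int
    function_code: int
    function_name: str
    start_address: Optional[int]
    quantity: Optional[int]
    malformed: bool = False


def parse_mbap(frame: bytes) -> Tuple[int, int, bytes]:
    """Split a Modbus/TCP frame into (transaction id, unit id, PDU); raise on inconsistency."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if proto_id != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or length field")
    return tid, unit_id, frame[7:]


def mbap(tid: int, unit_id: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header (used for both requests and responses)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def exception_pdu(fc: int, code: int) -> bytes:
    return bytes([fc | 0x80, code])


def handle_request(peer: str, frame: bytes) -> Tuple[HoneypotEvent, bytes]:
    """Log the request as an event and build the reply a real PLC would plausibly send."""
    try:
        tid, unit_id, pdu = parse_mbap(frame)
    except ValueError:
        # Malformed frames are still worth recording: scanners and fuzzers produce them.
        return HoneypotEvent(peer, -1, -1, "malformed", None, None, malformed=True), b""

    fc = pdu[0]
    name = FUNCTION_NAMES.get(fc, "unknown")

    if fc == 3 and len(pdu) >= 5:
        start, qty = struct.unpack(">HH", pdu[1:5])
        event = HoneypotEvent(peer, unit_id, fc, name, start, qty)
        if not 1 <= qty <= 125:  # register-count limit from the Modbus specification
            return event, mbap(tid, unit_id, exception_pdu(fc, ILLEGAL_DATA_VALUE))
        values = [SIMULATED_HOLDING_REGISTERS.get(start + i, 0) for i in range(qty)]
        body = b"".join(struct.pack(">H", v) for v in values)
        return event, mbap(tid, unit_id, bytes([fc, len(body)]) + body)

    if fc == 6 and len(pdu) >= 5:
        # A real device echoes the write request; the honeypot does the same but never
        # changes its register map, so the write attempt is recorded without effect.
        addr, _value = struct.unpack(">HH", pdu[1:5])
        event = HoneypotEvent(peer, unit_id, fc, name, addr, 1)
        return event, mbap(tid, unit_id, pdu[:5])

    # Anything else is answered with an ILLEGAL FUNCTION exception but still logged.
    event = HoneypotEvent(peer, unit_id, fc, name, None, None)
    return event, mbap(tid, unit_id, exception_pdu(fc, ILLEGAL_FUNCTION))


if __name__ == "__main__":
    # Constructed request: read 2 holding registers from address 0 on unit 1.
    ev, resp = handle_request("198.51.100.23", mbap(1, 1, bytes([3, 0, 0, 0, 2])))
    print(ev, resp.hex())
```

The event object, not the wire response, is what the rest of the architecture consumes: the collector forwards it, and the characteristic fields (function code, start address, quantity) are what an alarm rule can later be built from.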
CN102882884B provides a risk early warning system and method based on a honeynet in an informatized production environment, which has at least one network analyzer. When a honeypot is attacked, it can notify its client that the honeypot is under attack so that the client can take appropriate measures. In addition, the attacked honeypot can also notify other honeynets of the attack.
CN112953882A provides a dynamic honeypot defense system and defense method. The system includes a terminal body, which is signal-connected to a signal detection and identification module; the signal detection and identification module is signal-connected to an early-warning and alarm module and to a receiving module; the early-warning and alarm module is signal-connected to an information collection module; the information collection module is signal-connected to a dynamic address random combination module, which is signal-connected to a false information spoofing module, which is signal-connected to an information source investigation module, which is signal-connected to an information storage module; and the information collection module is also signal-connected to the information storage module. This dynamic honeypot defense system and method can randomly generate a false IP address when an intruder accesses the real IP address.
The prior art has the following defects:
in summary, existing honeypots are large and difficult to deploy; an existing honeypot can itself be compromised and used as a springboard (pivot host) for attacking other assets, creating a security risk; and existing honeypots have limited capture capability: they can only identify the interaction between the attacker and the honeypot, have difficulty accurately identifying the attack behavior, and therefore cannot extract all of the attacker's behaviors.
Disclosure of Invention
The invention provides an industrial control honeypot, which comprises:
the system comprises a honeypot, a terminal collector, a honeypot data center, a big data computing center, an alarm rule base and a terminal flow analysis alarm module;
the honeypot is connected with the terminal collector, the terminal collector is connected with the honeypot data center and the terminal flow analysis alarm module, the honeypot data center is connected with the big data calculation center, the big data calculation center is connected with the alarm rule base, and the alarm rule base is connected with the terminal flow analysis alarm module;
honeypot: simulated industrial control equipment used to deceive attackers and collect their attack behaviors;
terminal collector: arranged at the network egress and used to collect the traffic data of the whole network;
honeypot data center: collects, screens, analyzes and studies the collected whole-network traffic data and confirms threat data;
big data computing center: summarizes and analyzes all attack behaviors, extracts alarm rules and stores them in the alarm rule base;
terminal traffic analysis alarm module: uses the alarm rules of the attack behaviors to alarm on and block all subsequent attack behaviors with the same characteristics.
Preferably, the honeypot further comprises:
a Raspberry Pi; the Raspberry Pi is arranged between the honeypot and the terminal collector and is the hardware platform deployed for the honeypot, used to isolate the network cards.
Preferably, the honeypot further comprises: an independent encrypted communication network; the independent encrypted communication network is arranged between the terminal collector and the honeypot data center and is an independently established encrypted transmission network separate from the Internet.
Preferably, the honeypot further comprises: a situation awareness computing center; the situation awareness computing center is connected with the terminal collector and the big data computing center and is used to gather forensic evidence of network behavior before and after the attack behavior discovered by the honeypot, obtaining all behaviors of the attacker from the moment of entering the network.
Preferably, the Raspberry Pi is deployed as a miniaturized device at multiple points.
Preferably, the Raspberry Pi uses a dual network card design in hardware.
Preferably, the terminal collector is a traffic copying and forwarding device and receives the honeypot's alarms and logs.
Preferably, the honeypot data center further comprises: notifying a network administrator to promptly block attack behaviors confirmed to be real.
Preferably, the big data computing center determines the attack target, attack path and specific attack means at the whole-industry level from the historical and real-time data of all behaviors of an attacker from the moment of entering the network.
Preferably, the terminal traffic analysis alarm module uses industry-wide coverage to alarm on and block similar attacks.
Compared with the prior art, the technical solution provided by the embodiments of the application has the following advantages:
rapid multipoint deployment forms a honeypot network; for a captured attack, all behaviors of the attacker are extracted through traffic backtracking, summarized into rules and sent to the terminal traffic analysis alarm module, so that a single capture confers immunity across the whole industry.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
fig. 1 is a block diagram of an industrial control honeypot structure provided by an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover non-exclusive inclusions, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present invention. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the invention, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present invention. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Example 1:
As shown in fig. 1, the industrial control honeypot provided in the embodiment of the present application includes:
a honeypot, a Raspberry Pi, a terminal collector, an independent encrypted communication network, a honeypot data center, a situation awareness computing center, a big data computing center, an alarm rule base and a terminal traffic analysis alarm module;
the honeypot is connected with the Raspberry Pi, the Raspberry Pi is connected with the terminal collector, the terminal collector is connected with the independent encrypted communication network, the terminal traffic analysis alarm module and the situation awareness computing center, the independent encrypted communication network is connected with the honeypot data center, the honeypot data center is connected with the big data computing center, the big data computing center is connected with the alarm rule base and the situation awareness computing center, and the alarm rule base is connected with the terminal traffic analysis alarm module;
the honeypot: simulated industrial control equipment used to deceive attackers and collect their attack behaviors;
the Raspberry Pi: the hardware platform on which the honeypot is deployed, used to isolate the network cards;
the terminal collector: arranged at the network egress and used to collect the traffic data of the whole network;
the independent encrypted communication network: an independently established encrypted transmission network separate from the Internet, ensuring the security and reliability of the data;
the honeypot data center: collects, screens, analyzes and studies the collected whole-network traffic data and confirms threat data;
the situation awareness computing center: gathers forensic evidence of network behavior before and after the attack behavior discovered by the honeypot and obtains all behaviors of the attacker from the moment of entering the network;
the big data computing center: summarizes and analyzes all attack behaviors, extracts alarm rules and stores them in the alarm rule base;
the alarm rule base: stores the attack behavior alarm rules;
the terminal traffic analysis alarm module: uses the alarm rules of the attack behaviors to alarm on and block all subsequent attack behaviors with the same characteristics, so that a single capture confers immunity across the whole industry.
In some embodiments, the Raspberry Pi is deployed as a miniaturized device at multiple points, enabling fast, large-scale multipoint deployment; the Raspberry Pi uses a dual network card design in hardware, isolating the network cards and ensuring that even if the honeypot is compromised it cannot be used as a springboard for attacking the security control zone.
Specifically, in some embodiments, the terminal collector is a traffic replication and forwarding device and receives the honeypot's alarms and logs.
According to the above scheme, the honeypot data center further comprises: notifying a network administrator to promptly block attack behaviors confirmed to be real.
Preferably, the big data computing center determines the attack target, attack path and specific attack means at the whole-industry level from the historical and real-time data of all behaviors of an attacker from the moment of entering the network.
The terminal traffic analysis alarm module uses industry-wide coverage to alarm on and block similar attacks.
Existing honeypots may themselves be compromised and used as springboards for attacking other assets, creating a security risk. In this honeypot the network is strictly isolated internally, and all data are transmitted over an independent encrypted network, so that even if the honeypot itself is compromised it cannot serve as a springboard, and security is guaranteed.
Existing honeypots have limited capture capability: they can only identify the interaction between the attacker and the honeypot, have difficulty accurately identifying the attack behavior, and therefore cannot extract all of the attacker's behaviors. The honeypot in this application is combined with full-traffic capture technology to restore and study the traffic before and after the attack, so that the whole course of an attacker's attack can be reproduced. If an attacker attacks other assets before or after attacking the honeypot, a traditional honeypot cannot discover this behavior, whereas the honeypot in this application can discover such behaviors so that the attack behavior is not overlooked.
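The following Python example is added here and is not part of the patent. It ties together the components listed in Example 1 (honeypot data center, big data computing center, alarm rule base, terminal traffic analysis alarm module) with the full-traffic backtracking described in the paragraph above, and runs over constructed whole-network flow records of the kind a terminal collector at the network egress would mirror. The honeypot address, the flow records, the 30-minute backtracking window and the choice of (port, protocol, Modbus function code) as the "characteristic" that an alarm rule matches on are all assumptions made for the example; the Modbus function codes in the records are only labels carried in the constructed data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

HONEYPOT_IP = "10.0.5.20"  # assumed address of the simulated PLC (constructed)


@dataclass(frozen=True)
class Flow:
    """One flow record as mirrored by the terminal collector at the network egress."""
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    detail: str  # protocol-level characteristic, here the Modbus function code


def at(hhmm: str) -> datetime:
    """Timestamp helper for the constructed records (all on one day)."""
    return datetime(2021, 9, 22, int(hhmm[:2]), int(hhmm[3:]))


# Constructed whole-network traffic: an operator station reading a PLC, an attacker that
# probes a real PLC, then the honeypot, then writes to a real PLC, and a second, unrelated
# source that later repeats the same technique against a real PLC.
FLOWS = [
    Flow(at("09:58"), "10.0.1.5",     "10.0.5.12", 502, "modbus", "fc=3"),
    Flow(at("10:00"), "203.0.113.7",  "10.0.5.11", 502, "modbus", "fc=43"),
    Flow(at("10:01"), "203.0.113.7",  HONEYPOT_IP, 502, "modbus", "fc=43"),
    Flow(at("10:02"), "203.0.113.7",  HONEYPOT_IP, 502, "modbus", "fc=16"),
    Flow(at("10:05"), "203.0.113.7",  "10.0.5.12", 502, "modbus", "fc=16"),
    Flow(at("10:30"), "10.0.1.5",     "10.0.5.12", 502, "modbus", "fc=3"),
    Flow(at("11:00"), "198.51.100.9", "10.0.5.12", 502, "modbus", "fc=43"),
]


@dataclass(frozen=True)
class AlarmRule:
    """Entry of the alarm rule base."""
    dport: int
    proto: str
    detail: str
    learned_at: datetime  # when the big data center extracted it from a honeypot hit


def honeypot_hits(flows: List[Flow]) -> List[Flow]:
    """Honeypot data center: any traffic to the honeypot is a probe or attack by definition."""
    return sorted((f for f in flows if f.dst == HONEYPOT_IP), key=lambda f: f.ts)


def backtrack(flows: List[Flow], attacker: str, anchor: datetime,
              window: timedelta = timedelta(minutes=30)) -> List[Flow]:
    """Situation awareness center: everything the attacker did around the honeypot hit,
    including contact with real assets that the honeypot alone would never see."""
    return sorted(
        (f for f in flows if f.src == attacker and abs(f.ts - anchor) <= window),
        key=lambda f: f.ts,
    )


def extract_rules(hits: List[Flow]) -> List[AlarmRule]:
    """Big data center: one rule per distinct (port, protocol, characteristic) seen at the honeypot."""
    rules: Dict[Tuple[int, str, str], AlarmRule] = {}
    for f in hits:
        key = (f.dport, f.proto, f.detail)
        if key not in rules:
            rules[key] = AlarmRule(f.dport, f.proto, f.detail, f.ts)
    return list(rules.values())


def apply_rules(flows: List[Flow], rules: List[AlarmRule]) -> List[Tuple[Flow, AlarmRule]]:
    """Terminal traffic analysis alarm module: alarm on (and block) later traffic to real
    assets that matches a learned rule, whatever its source."""
    alarms = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dst == HONEYPOT_IP:
            continue
        for r in rules:
            if (f.dport, f.proto, f.detail) == (r.dport, r.proto, r.detail) and f.ts > r.learned_at:
                alarms.append((f, r))
                break
    return alarms


def run_pipeline(flows: List[Flow] = FLOWS) -> dict:
    hits = honeypot_hits(flows)
    rules = extract_rules(hits)
    trace = backtrack(flows, hits[0].src, hits[0].ts) if hits else []
    return {"hits": hits, "rules": rules, "trace": trace, "alarms": apply_rules(flows, rules)}


if __name__ == "__main__":
    result = run_pipeline()
    for f in result["trace"]:
        print("backtracked:", f.ts.time(), f.src, "->", f.dst, f.detail)
    for f, r in result["alarms"]:
        print("ALARM/BLOCK:", f.ts.time(), f.src, "->", f.dst, f.detail,
              "(rule learned", r.learned_at.time(), ")")
```

Two outcomes are worth noting. The attacker's 10:00 probe of the real PLC 10.0.5.11 happened before any rule existed, so the rule-based module never alarms on it; it surfaces only through backtracking of the attacker's whole-network traffic, which is the gap the paragraph above describes. Conversely, the 11:00 flow from a different source is alarmed on purely because it shares the learned characteristic, which is what the page means by blocking subsequent attacks with the same characteristics.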
Embodiments of the subject matter and the functional operations described in this specification can be implemented in: digital electronic circuitry, tangibly embodied computer software or firmware, computer hardware including the structures disclosed in this specification and their structural equivalents, or a combination of one or more of them. Embodiments of the subject matter described in this specification can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions, encoded on a tangible, non-transitory program carrier for execution by, or to control the operation of, data processing apparatus. Alternatively or additionally, the program instructions may be encoded on an artificially generated propagated signal, e.g., a machine-generated electrical, optical, or electromagnetic signal, that is generated to encode and transmit information to suitable receiver apparatus for execution by the data processing apparatus. The computer storage medium may be a machine-readable storage device, a machine-readable storage substrate, a random or serial access memory device, or a combination of one or more of them.
The processes and logic flows described in this specification can be performed by one or more programmable computers executing one or more computer programs to perform corresponding functions by operating on input data and generating output. The processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
Computers suitable for executing computer programs include, for example, general and/or special purpose microprocessors, or any other type of central processing unit. Generally, a central processing unit will receive instructions and data from a read-only memory and/or a random access memory. The basic components of a computer include a central processing unit for implementing or executing instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks. However, a computer does not necessarily have such a device. Moreover, a computer may be embedded in another device, e.g., a mobile telephone, a Personal Digital Assistant (PDA), a mobile audio or video player, a game console, a Global Positioning System (GPS) receiver, or a portable storage device such as a Universal Serial Bus (USB) flash drive, to name a few.
Computer-readable media suitable for storing computer program instructions and data include all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices (e.g., EPROM, EEPROM, and flash memory devices), magnetic disks (e.g., an internal hard disk or a removable disk), magneto-optical disks, and CD ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any invention or of what may be claimed, but rather as descriptions of features specific to particular embodiments of particular inventions. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. In other instances, features described in connection with one embodiment may be implemented as discrete components or in any suitable subcombination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a subcombination or variation of a subcombination.
Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous. Moreover, the separation of various system modules and components in the embodiments described above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Thus, particular embodiments of the subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. Further, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some implementations, multitasking and parallel processing may be advantageous.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. An industrial honeypot, the honeypot comprising:
a honeypot, a terminal collector, a honeypot data center, a big data computing center, an alarm rule base and a terminal traffic analysis alarm module;
the honeypot is connected with the terminal collector, the terminal collector is connected with the honeypot data center and the terminal traffic analysis alarm module, the honeypot data center is connected with the big data computing center, the big data computing center is connected with the alarm rule base, and the alarm rule base is connected with the terminal traffic analysis alarm module;
the honeypot: simulated industrial control equipment used to deceive attackers and collect their attack behaviors;
the terminal collector: arranged at the network egress and used to collect the traffic data of the whole network;
the honeypot data center: collects, screens, analyzes and studies the collected whole-network traffic data and confirms threat data;
the big data computing center: summarizes and analyzes all attack behaviors, extracts alarm rules and stores them in the alarm rule base;
the terminal traffic analysis alarm module: uses the alarm rules of the attack behaviors to alarm on and block all subsequent attack behaviors with the same characteristics.
2. The industrial honeypot of claim 1 further comprising:
a Raspberry Pi; the Raspberry Pi is arranged between the honeypot and the terminal collector and is the hardware platform deployed for the honeypot, used to isolate the network cards.
3. The industrial honeypot of claim 1 further comprising: an independent encrypted communication network; the independent encryption communication network is arranged between the terminal collector and the honeypot data center and is an independently established encryption transmission network independent of the internet.
4. The industrial honeypot of claim 1 further comprising: a situation awareness computing center; the situation awareness computing center is connected with the terminal collector and the big data computing center, forensics is conducted on network behaviors before and after the attack behaviors discovered by the honeypots, and all behaviors of an attacker starting to enter the network are obtained.
5. The industrial honeypot of claim 2, wherein the raspberry pi is based on miniaturized device deployments and multi-drop deployments.
6. The industrial honeypot of claim 5, wherein the raspberry pi is in a dual network card design in hardware.
7. Industrial honeypot as claimed in claim 1 wherein the terminal collector is specifically a traffic replication, forwarding device that receives honeypot alarms and logs.
8. The industrial honeypot of claim 1 wherein the honeypot data center further comprises: and informing a network administrator of timely carrying out attack blocking on the really existing attack behaviors.
9. The industrial honeypot of claim 1 in which the big data computing center determines attack targets, attack paths and specific attack means from an industry-wide level based on historical and real-time data of all actions of attackers since they enter the network.
10. The industrial honeypot of claim 9 in which the terminal traffic analysis alarm module uses industry coverage to alarm and block homogeneous attacks.
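The rule pipeline of claims 1, 9 and 10, as an added example that is not the patent's own code: honeypot hits are summarized per destination port into alarm rules (the big data computing center step), stored in a rule base, and then matched against whole-network flows (the terminal flow analysis alarm module step). The flow record format, the honeypot and PLC addresses, and the payload bytes are all constructed for the example.

```python
"""Added example (not the patent's code): honeypot hits -> alarm rules -> whole-network flow matching."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection record as a terminal collector might capture it (constructed format)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class AlarmRule:
    dst_port: int
    signature: bytes  # payload prefix shared by every honeypot hit on this port


def common_prefix(blobs):
    """Longest byte prefix shared by all blobs: the 'same characteristics' of claim 1."""
    if not blobs:
        return b""
    first, rest = blobs[0], blobs[1:]
    n = 0
    while n < len(first) and all(len(b) > n and b[n] == first[n] for b in rest):
        n += 1
    return first[:n]


def extract_rules(honeypot_hits, min_hits=2, min_sig_len=4):
    """Big data computing center step: summarize honeypot hits per port into rules.
    A rule is emitted only when enough hits agree on a long enough prefix, so one
    noisy probe cannot create a rule that would block benign production traffic."""
    by_port = defaultdict(list)
    for f in honeypot_hits:
        by_port[f.dst_port].append(f.payload)
    rules = set()
    for port, payloads in by_port.items():
        sig = common_prefix(payloads)
        if len(payloads) >= min_hits and len(sig) >= min_sig_len:
            rules.add(AlarmRule(port, sig))
    return rules


def analyse_flows(flows, rules):
    """Terminal flow analysis alarm module: (flow, rule) pairs to alarm on and block."""
    return [(f, r) for f in flows for r in rules
            if f.dst_port == r.dst_port and f.payload.startswith(r.signature)]
```

A deployment would feed `extract_rules` from the honeypot data center's confirmed threat records and run `analyse_flows` over the collector's mirrored traffic; the `min_hits` and `min_sig_len` thresholds are the knobs that trade coverage against false blocks.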

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111105295.5A CN113810423A (en) 2021-09-22 2021-09-22 Industrial control honey pot

Publications (1)

Publication Number Publication Date
CN113810423A true CN113810423A (en) 2021-12-17

Family

ID=78939931

Country Status (1)

Country Link
CN (1) CN113810423A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115022054A (en) * 2022-06-09 2022-09-06 安天科技集团股份有限公司 Network attack springboard importance evaluation method, system, electronic device and storage medium
CN115022054B (en) * 2022-06-09 2024-04-30 安天科技集团股份有限公司 Network attack springboard importance assessment method, system, electronic equipment and storage medium
CN116502226A (en) * 2023-06-27 2023-07-28 浙江大学 Firmware simulation-based high-interaction Internet of things honeypot deployment method and system
CN116502226B (en) * 2023-06-27 2023-09-08 浙江大学 Firmware simulation-based high-interaction Internet of things honeypot deployment method and system

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739647A (en) * 2012-05-23 2012-10-17 国家计算机网络与信息安全管理中心 High-interaction honeypot based network security system and implementation method thereof
CN106534146A (en) * 2016-11-28 2017-03-22 北京天行网安信息技术有限责任公司 Safety monitoring system and method
CN107070929A (en) * 2017-04-20 2017-08-18 中国电子技术标准化研究院 A kind of industry control network honey pot system
CN108259472A (en) * 2017-12-28 2018-07-06 广州锦行网络科技有限公司 Dynamic joint defence mechanism based on attack analysis realizes system and method
CN111181998A (en) * 2020-01-09 2020-05-19 南京邮电大学 Design method of honeypot capture system for terminal equipment of Internet of things
CN112202738A (en) * 2020-09-21 2021-01-08 北方工业大学 Industrial control situation sensing system and method based on machine learning
CN112383538A (en) * 2020-11-11 2021-02-19 西安热工研究院有限公司 Hybrid high-interaction industrial honeypot system and method
CN112788008A (en) * 2020-12-30 2021-05-11 上海磐御网络科技有限公司 Network security dynamic defense system and method based on big data
CN112822198A (en) * 2021-01-15 2021-05-18 中国电子科技集团公司第十五研究所 Multi-layer protocol network beacon implantation detection method for tracing application

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211217