CN114499915A - Trapping attack method, device and system combining virtual nodes and honeypots - Google Patents

Info

Publication number: CN114499915A
Authority: CN (China)
Prior art keywords: honeypot, attack, trapping, attacker, virtual node
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Application number: CN202111147138.0A
Other languages: Chinese (zh)
Other versions: CN114499915B (en)
Inventor: 张长河
Current assignee: Beijing Weida Information Technology Co ltd
Original assignee: Beijing Weida Information Technology Co ltd
Events: application filed by Beijing Weida Information Technology Co ltd; priority to CN202111147138.0A; publication of CN114499915A; application granted; publication of CN114499915B; current legal status: active

Classifications

All classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L63/00 (Network architectures or network communication protocols for network security):

    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment (via H04L63/14 detecting or protecting against malicious traffic > H04L63/1441 countermeasures against malicious traffic)
    • H04L63/0428 Providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload (via H04L63/04 confidential data exchange)
    • H04L63/1416 Event detection, e.g. attack signature detection (via H04L63/14 > H04L63/1408 detecting malicious traffic by monitoring network traffic)

Abstract

The application relates to the technical field of mobile communication and the internet, and discloses a trapping attack method, device and system that combine a virtual node with a honeypot. The method comprises: receiving an attack behavior, monitored by the honeypot, that occurred on the virtual node; judging, by analyzing the attack behavior, whether it constitutes threat perception; ignoring the attack behavior when it is judged not to constitute threat perception; and, when it is judged to constitute threat perception, calling the honeypot to simulate a real device and make a corresponding response, so that the attacker is trapped into continuing the attack. Once the attack is judged to be threat perception, the honeypot encrypts the virtual data packets to trap the attacker. At that point the virtual node is mainly the carrier of the virtual data packets and the honeypot mainly acquires the attack behavior; combining the two lets the virtual node respond to the attacker during the trapping process, which makes the virtual node more realistic and the trapping attack more effective.

Description

Trapping attack method, device and system combining virtual nodes and honeypots
Technical Field
A trapping attack method, device and system combining virtual nodes and honeypots.
Background
In network communication, network protocols are vulnerable to malicious attacks that prevent devices from communicating normally. A virtual module is therefore usually established on a device, or between a device and a router, so that the port attacked by an attacker is diverted to the virtual module.
Generally, such a virtual module consists only of an IP address and a port and cannot provide any other supporting service, so the attacker's behavior against it is random.
Disclosure of Invention
In order to induce an attacker to attack the virtual module, the application provides a trapping attack method, device and system that combine a virtual node with a honeypot; by combining the two, the attacker is trapped into attacking the virtual node.
The above object of the present invention is achieved by the following technical solutions:
a trapping attack method combining a virtual node and a honeypot, characterized by comprising the following steps:
receiving an attack behavior, monitored by the honeypot, that occurred on the virtual node;
judging, by analyzing the attack behavior, whether it constitutes threat perception;
when the attack behavior is judged not to constitute threat perception, ignoring it;
and when it is judged to constitute threat perception, calling the honeypot to simulate a real device and make a corresponding response, trapping the attacker into continuing the attack.
With this scheme, the honeypot monitors the attack behavior against the virtual node and transmits it to the interception module. The interception module analyzes the behavior and judges whether it constitutes threat perception; if not, the behavior is ignored, so only threatening behavior needs a response. When the behavior does constitute threat perception, the interception module calls the honeypot, which simulates a real device and responds to the attack, so that the attacker is trapped and keeps attacking the false node on which the honeypot is deployed, thereby protecting the real devices.
In a preferred example, the system can be further configured so that the step of receiving the attack behavior, monitored by the honeypot, that occurred on the virtual node comprises:
adding honeypots to the device or the interception module, each honeypot serving one port;
and encrypting, through the honeypot, the data packets and the virtual data packets generated by the virtual node.
With this scheme, one honeypot is arranged for each port of the device or interception module, so each honeypot serves only one port, which improves service efficiency. Each honeypot encrypts the virtual data packets sent from its port, so an attacker who attacks a virtual data packet can obtain its contents only by performing a decryption operation.
In a preferred example, the system can be further configured so that the step of receiving the attack behavior, monitored by the honeypot, that occurred on the virtual node comprises:
adding honeypots to the device or the interception module, one honeypot serving a plurality of ports;
and encrypting, through the honeypot, the device's data packets and the data packets generated by the virtual node.
With this scheme, one honeypot is configured for the device or interception module and corresponds to all of its ports, which makes the honeypot easier to set up. The honeypot encrypts the virtual data packets of that device or interception module, so an attacker who attacks a virtual data packet can obtain its contents only by performing a decryption operation.
In a preferred example, the system can be further configured so that the step of judging by analysis whether the attack behavior constitutes threat perception comprises:
making a preliminary judgment of the attack behavior to decide whether it is dangerous;
when the behavior is judged dangerous, performing dynamic analysis and static analysis of it by means of an algorithm;
and, after the analysis is finished, determining the judgment result according to a preset rule.
With this scheme, when the router judges an attack behavior it first makes a preliminary judgment that screens the behavior; behavior judged dangerous is then analyzed by the algorithm, and after dynamic and static analysis the final judgment is made according to the preset rule. The preliminary judgment eliminates obviously non-dangerous behavior, so not every behavior has to be fully processed; the number of behaviors needing algorithmic analysis is reduced, processing is simpler, and judgment is more efficient.
In a preferred example, the system can be further configured so that the step of calling the honeypot to simulate a real device and respond, trapping the attacker into continuing the attack, when threat perception is judged, comprises:
judging that the attack behavior constitutes threat perception;
calling the honeypot device to judge that the attacker is decrypting the data packets of the virtual node;
and having the honeypot device continue to send encrypted data packets, so that the attacker is trapped into continuing the attack.
With this scheme, when the attack behavior is judged to constitute threat perception, the interception module determines that the attacker is trying to decrypt the data packets of the virtual node, and the honeypot keeps sending encrypted data packets to hold the attacker's attention, so that the attacker continues attacking the current virtual node and the trapping effect is achieved.
In a preferred example, the system can be further configured so that, after the step of calling the honeypot to simulate a real device and respond, trapping the attacker into continuing the attack, when threat perception is judged, the method comprises:
judging the attacker's decryption password acquired by the honeypot device;
and, when the password is judged to be wrong, generating virtual data packets through the virtual node to trap the attacker into attacking, and storing the attack behavior judged to be threat perception together with the attacker's decryption password in a database.
With this scheme, when the attacker's decryption password is wrong the attacker cannot correctly unlock the virtual data packet and the attack fails; but once the honeypot detects this behavior, the device or interception module sends more encrypted virtual data packets to lure the attacker, who then concentrates on attacking a large number of virtual data packets, which achieves the trapping effect.
A trapping attack device combining a virtual node and a honeypot comprises:
a memory, which stores the attack behavior judgment program and stores the attack behaviors judged to be threat perception together with the judgment of the attacker's decryption information;
and a processor, which calls the memory to execute the method of any one of claims 1 to 6 when performing a trapping attack action.
With this scheme, the judgments of threat-perception attack behaviors and of attackers' decryption passwords are stored in the memory, and the processor calls the judgment program in the memory to make the judgment when the trapping attack is carried out.
A trapping attack system combining a virtual node and a honeypot comprises:
a router, used to capture and forward data packets;
a switch, connected to the router and used to forward data packets;
an interception module, arranged between the router and the switch, provided with a honeypot and comprising the device described above, used to judge attack behavior, to store threat-perception attack behaviors and the attacker's decryption password, and to modify the source address of data packets captured by the router;
and devices, comprising a plurality of device terminals and the switch, the device terminals being connected to the switch; virtual nodes are arranged on the devices and send out virtual data packets, and a honeypot is arranged on each virtual node to monitor attack behavior, encrypt the virtual data packets and acquire the attacker's decryption password.
With this scheme, virtual nodes are arranged on the device terminals and honeypots on the devices. After monitoring an attack behavior, the honeypot sends it directly to the interception module, which performs the two-step judgment. If the behavior is judged to be threat perception, the router controls the honeypot to send encrypted virtual data packets, so that the attacker notices a large number of them and is trapped by them. Whether real or virtual, data packets between the router and the devices pass through the switch, and the interception module disguises the real data packets, so the attacker is more likely to attack a virtual node.
A trapping attack system combining a virtual node and a honeypot comprises:
a router, used to capture and forward data packets;
a switch, connected to the router and used to forward data packets;
an interception module, arranged between the router and the switch, provided with a honeypot and comprising the device described above, used to judge attack behavior, to store threat-perception attack behaviors and the attacker's decryption password, and to modify the source address of data packets captured by the router; virtual nodes and a honeypot are arranged on the interception module, and the honeypot is used to monitor attack behavior and acquire the attacker's decryption password;
and device terminals, connected to the switch.
With this scheme, the virtual nodes and the honeypot are arranged on the interception module. After monitoring an attack behavior, the honeypot sends it directly to the interception module, which performs the two-step judgment. If the behavior is judged to be threat perception, the honeypot sends encrypted virtual data packets, so that the attacker notices a large number of them and is trapped by them. Whether real or virtual, data packets between the router and the devices pass through the switch, and the interception module disguises the real data packets, so the attacker is more likely to attack a virtual node.
In summary, the honeypot monitors the attack behavior, the interception module judges it, and once the behavior is judged to be threat perception the honeypot encrypts the virtual data packets, which achieves the effect of trapping the attacker.
Drawings
Fig. 1 is a block diagram of a trapping attack system in which a virtual node is combined with a honeypot in embodiment 1 of the present application.
Fig. 2 is a flowchart of a trapping attack method in which a virtual node is combined with a honeypot in embodiment 1 of the present application.
Fig. 3 is a flowchart of the method of step S400 in fig. 2.
Fig. 4 is a flowchart of the method of step S600 in fig. 2.
Fig. 5 is a block diagram of a trapping attack system in which virtual nodes are combined with honeypots in embodiment 2 of the present application.
Detailed Description
The present invention is described in further detail below with reference to figures 1 to 5.
The embodiments are given only to explain the present invention and do not limit it; those skilled in the art may modify them as needed, without inventive contribution, after reading this specification, and all such modifications are protected by patent law within the scope of the claims of the present invention.
Example 1
Referring to fig. 1, a trapping attack system combining a virtual node with honeypots includes a router, a switch, an interception module and a plurality of device terminals:
the router is used to forward data packets;
the switch is connected to the router and used to forward data packets;
the interception module is arranged between the router and the switch and modifies the source address of the data packets it captures; the source address is modified mainly so that real data packets are mixed with virtual data packets. The module also judges attack behavior and stores the threat-perception attack behaviors and the attacker's decryption password. The interception module is provided with a trapping attack device combining a virtual node and a honeypot, which comprises a memory and a processor; the memory stores the attack behavior judgment program and stores the threat-perception attack behaviors and the judgment of the attacker's decryption password. When the processor performs the trapping attack action, it calls the memory to execute the method described below.
The devices are provided with honeypots, which monitor attack behavior, encrypt the virtual data packets and acquire the attacker's decryption password. A terminal here may be a PC or the like.
A honeypot is, in effect, an intelligence-gathering system. It is made to look like a deliberately inviting target and draws attackers from the outset. After an attacker intrudes, the defender can see how far the attacker got and learn promptly about the latest attacks and vulnerabilities directed at the server. It is also possible to gather the tools the attackers use and, by eavesdropping on the connections between them, map their social network.
After an attacker attacks a virtual node, the honeypot monitors the attack behavior and transmits it to the interception module, which processes and judges it, mainly on the basis of the traffic of the false node, to decide whether it constitutes threat perception. If it does, the honeypot is called again to trap the attacker, and information generated during the trapping, such as decryption passwords, is obtained at the same time.
Referring to fig. 2, a trapping attack method combining a virtual node and a honeypot includes the following steps:
Step S100: honeypots are added to the devices or the interception module, each honeypot serving one port.
In another embodiment one honeypot may serve several ports. When each honeypot serves one port, several honeypots have to be deployed on a virtual node, deployment is more troublesome, and the interception module has many honeypots whose information it must receive and process, so this arrangement suits virtual nodes with few ports. When one honeypot serves several ports, only one honeypot needs to be deployed on each virtual node; all the ports are handled by that one honeypot, so processing efficiency is lower than with several honeypots, but deployment is convenient, which suits virtual nodes with many ports.
Step S200: the data packets and the virtual data packets generated by the virtual node are encrypted by the honeypot.
The honeypot has a built-in encryption algorithm for the virtual data packets. The main purpose is to make attack behavior easier to judge: because the virtual data packets are encrypted, an attacker cannot easily break them, and more information about the attacker can be obtained.
Step S300: the attack behavior, monitored by the honeypot, that occurred on the virtual node is received.
When an attacker attacks a port of a virtual node, the honeypot serving that port monitors the attack behavior and transmits it to the server. At this stage the honeypot monitors and forwards every attack as soon as it occurs and makes no judgment itself.
Step S400: whether the attack behavior constitutes threat perception is judged by analyzing it.
Step S500: when the attack behavior is judged not to constitute threat perception, it is ignored.
Step S600: when it is judged to constitute threat perception, the honeypot is called to simulate a real device and make a corresponding response, trapping the attacker into continuing the attack.
When an attacker's behavior does no damage to the virtual data packets, that is, there is no threat perception, the behavior can be ignored. When the behavior damages the virtual data packets, threat perception exists and the honeypot is called to respond; the response mainly tells the attacker that the attack succeeded, so that the attacker treats the port as a breakthrough and is trapped into attacking it, while the attacker's information is captured and the attack behavior can be understood.
Further, threat perception can be divided into several grades and judged grade by grade, allowing attack behavior to be classified more precisely.
Step S700: the attacker's decryption password acquired by the honeypot device is judged.
Step S800: when the password is judged to be wrong, virtual data packets are generated by the virtual node to trap the attacker into attacking, and the attack behavior judged to be threat perception and the attacker's decryption password are stored in a database.
The attacker generates a decryption password with which to decrypt the attacked virtual data packet. When the password is judged wrong, the honeypot sends the attacker a false message, so that the attacker believes the virtual data packet has already been decrypted; the virtual node then sends more virtual data packets than before to trap the attacker, and the honeypot can trace the attacker's path more clearly.
Referring to fig. 3, in step S400 the step of judging by analysis whether the attack behavior constitutes threat perception comprises:
Step S410: a preliminary judgment of the attack behavior is made to decide whether it is dangerous.
For example, if an attacker attacks a port of a virtual node but cannot generate a decryption password for the encrypted virtual data packet, the behavior can preliminarily be judged not dangerous, because the attacker cannot attack the virtual data packet; it is stored in the interception module only as a low-level behavior of little danger.
Step S420: when the attack behavior is judged dangerous, dynamic analysis and static analysis are performed on it by an algorithm.
When the attack behavior is judged to generate a decryption password for the encrypted virtual data packet, it is a dangerous attack behavior and is subjected to dynamic and static analysis: the dynamic analysis covers the attacker continuously attacking the virtual data packet and continuously generating several decryption passwords, and the static analysis covers the fact that the attack behavior comprises several decryption passwords.
Step S430: after the analysis is finished, the judgment result is determined according to a preset rule.
An attack behavior that generates only one decryption password is judged mildly dangerous; one that generates several decryption passwords but cannot crack the virtual data packet is judged moderately dangerous; and one that generates several decryption passwords and can crack the virtual data packet is judged severely dangerous. The attack behaviors are classified and stored accordingly.
A search step can also be added to the honeypot of the router: once a certain number of attack behaviors have been stored, a newly encountered behavior can first be searched for and matched against them, and if a matching behavior exists the honeypot responds directly without judging, which greatly improves judgment efficiency.
Referring to fig. 4, in step S600, when threat perception is judged, the step of calling the honeypot to simulate a real device, make a corresponding response and trap the attacker into continuing the attack comprises:
Step S610: the attack behavior is judged to constitute threat perception.
Step S620: the honeypot is called to judge that the attacker is decrypting the virtual data packets of the virtual node.
Step S630: the honeypot device continues to send encrypted data packets, and the attacker is trapped into continuing the attack.
When the attack behavior has been judged to constitute threat perception according to the steps above, the honeypot judges whether the attacker is decrypting the virtual data packets of the virtual node. If so, the honeypot sends the attacker false "decryption successful" information, so that the attacker is trapped into continuing to attack the current port; at the same time the honeypot generates more encrypted virtual data packets for the attacker to attack, so that the attacker's information can be captured comprehensively.
As an example of the process, suppose the whole system has three terminal devices, PC1, PC2 and PC3; PC1 and PC2 each carry a dummy node, each device carries a honeypot, each honeypot corresponds to two ports of the dummy node, and the honeypot encrypts both the data packets sent from all ports of the device and the virtual data packets sent from the dummy node. Two attackers now perform attack behavior A and attack behavior B, each against one port served by the honeypot. The honeypot monitors both behaviors and transmits them to the interception module, which judges them separately. Behavior A is judged unable to generate a decryption password, so it does not constitute threat perception. Behavior B is judged able to generate a decryption password, so it constitutes threat perception; the interception module then controls the honeypot to keep sending encrypted virtual data packets, the honeypot judges the decryption password generated by behavior B, and when the password is incorrect false decryption information is sent to the attacker, who is trapped into continuing to attack the honeypot.
If direct decryption does succeed, the virtual data packet does not affect the whole network in the short term, but the information that decryption succeeded can be sent to the router as a prompt, so that operators can take precautions as early as possible.
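The judgment pipeline of steps S100 to S800 (and its refinement in steps S410 to S430), together with the PC1/PC2 scenario just described, can be made concrete as a small simulation. The following is an added example written for this page, not code from the patent or its assignee: the class names, the SHA-256 keystream that stands in for the patent's unnamed honeypot encryption algorithm, the port numbers and the two sample attackers are all constructed here.

```python
"""Added example: a simulation of the interception module's judgment pipeline
(steps S100-S800 and S410-S430).  Not the patent's code; class names, the
SHA-256 keystream standing in for the unnamed honeypot encryption algorithm,
the port numbers and the sample attackers are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MILD, MODERATE, SEVERE = "mild", "moderate", "severe"   # grades of step S430


@dataclass
class Honeypot:
    """One honeypot serving one or more ports of a device (step S100)."""
    device: str
    ports: tuple
    key: bytes = field(default_factory=lambda: os.urandom(16))

    def encrypt_virtual_packet(self, payload: bytes, nonce: bytes) -> bytes:
        # Step S200: virtual packets leave the node encrypted.  XOR with a
        # SHA-256(key || nonce) keystream is a stand-in (assumption) chosen so
        # the example needs no third-party library; applying it twice with
        # the same nonce restores the plaintext.
        stream = hashlib.sha256(self.key + nonce).digest()
        return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(payload))

    def password_unlocks(self, candidate: bytes) -> bool:
        """Steps S620/S700: does the attacker's password really decrypt?"""
        return hmac.compare_digest(candidate, self.key)   # constant-time compare


@dataclass
class AttackBehavior:
    """What a honeypot reports to the interception module (step S300)."""
    attacker: str
    device: str
    port: int
    passwords: list   # decryption passwords the attacker produced (may be empty)


class InterceptionModule:
    def __init__(self, honeypots):
        self.honeypots = {(h.device, p): h for h in honeypots for p in h.ports}
        self.database = []   # S800: behaviors judged to be threat perception
        self.alerts = []     # successful decryptions reported to the router
        self.known = {}      # search-and-match cache from the description

    def classify(self, b: AttackBehavior):
        """Steps S410-S430.  Returns a grade, or None for no threat perception."""
        if not b.passwords:              # S410: no decryption password at all
            return None
        hp = self.honeypots[(b.device, b.port)]
        attempts = len(b.passwords)      # S420 dynamic analysis: how many tries
        cracked = any(hp.password_unlocks(p) for p in b.passwords)  # static
        if attempts == 1 and not cracked:    # S430 preset rule
            return MILD
        if not cracked:
            return MODERATE
        return SEVERE

    def handle(self, b: AttackBehavior) -> dict:
        """Steps S400-S800 for one reported behavior."""
        fingerprint = (b.device, b.port, tuple(b.passwords))
        if fingerprint in self.known:    # seen before: respond without judging
            return self.known[fingerprint]
        grade = self.classify(b)
        if grade is None:                # S500: ignore
            result = {"action": "ignore", "grade": None}
        else:
            hp = self.honeypots[(b.device, b.port)]
            self.database.append((b.attacker, grade, list(b.passwords)))  # S800
            if grade == SEVERE:          # real decryption: prompt the router
                self.alerts.append(f"{b.attacker} decrypted {b.device}:{b.port}")
                result = {"action": "alert", "grade": grade}
            else:                        # S600/S630: fake success, more decoys
                decoys = [hp.encrypt_virtual_packet(b"virtual-packet", os.urandom(8))
                          for _ in range(4)]
                result = {"action": "trap", "grade": grade,
                          "message": "decryption successful",
                          "virtual_packets": len(decoys)}
        self.known[fingerprint] = result
        return result


def run_embodiment_example():
    """Constructed replay of the PC1/PC2 scenario: behavior A produces no
    decryption password, behavior B produces two wrong ones."""
    module = InterceptionModule([Honeypot("PC1", (8080, 8443)),
                                 Honeypot("PC2", (8080, 8443))])
    a = AttackBehavior("attacker-A", "PC1", 8080, [])
    b = AttackBehavior("attacker-B", "PC1", 8443, [b"guess-1", b"guess-2"])
    return module.handle(a), module.handle(b), module


if __name__ == "__main__":
    res_a, res_b, m = run_embodiment_example()
    print("A:", res_a)                          # ignored
    print("B:", res_b)                          # trapped, moderate grade
    print("stored:", m.database, "alerts:", m.alerts)
```

Behavior A is dropped at the preliminary judgment of step S410 because it carries no decryption password; behavior B reaches the preset rule of step S430, is graded moderate (several passwords, none correct), is stored, and receives the false "decryption successful" message plus a burst of freshly encrypted decoy packets. A password that actually matches the honeypot key is graded severe and raises an alert for the router, mirroring the paragraph above on successful decryption.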
Example 2
The difference from embodiment 1 is that the dummy nodes are arranged on the interception module, which is provided with a honeypot used to monitor attack behavior and acquire the attacker's decryption password. This suits the case where virtual nodes cannot conveniently be arranged on the device terminals, for example when many PC terminals are distributed across different areas and all are connected to the router through the interception module; placing all the false nodes on the interception module makes it easier to build the whole virtual network and to arrange honeypots on the false nodes.

Claims (9)

1. A trapping attack method combining a virtual node and a honeypot, characterized by comprising the following steps:
receiving an attack behavior, monitored by the honeypot, that occurred on the virtual node;
judging, by analyzing the attack behavior, whether it constitutes threat perception;
when the attack behavior is judged not to constitute threat perception, ignoring it;
and when it is judged to constitute threat perception, calling the honeypot to simulate a real device and make a corresponding response, trapping the attacker into continuing the attack.
2. The trapping attack method combining a virtual node and a honeypot according to claim 1, wherein the step of receiving the attack behavior, monitored by the honeypot, that occurred on the virtual node is preceded by:
adding honeypots to the device or the interception module, each honeypot serving one port;
and encrypting, through the honeypot, the data packets and the virtual data packets generated by the virtual node.
3. The trapping attack method combining a virtual node and a honeypot according to claim 1, wherein the step of receiving the attack behavior, monitored by the honeypot, that occurred on the virtual node is preceded by:
adding honeypots to the device or the interception module, one honeypot serving a plurality of ports;
and encrypting, through the honeypot, the device's data packets and the data packets generated by the virtual node.
4. A virtual node and honeypot combined trapping attack method according to claim 2 or 3, wherein the step of determining whether the attack behavior belongs to threat perception by analyzing the attack behavior comprises:
carrying out preliminary judgment on the attack behavior, and judging whether the attack behavior is dangerous or not;
when the attack behavior danger is judged, carrying out dynamic analysis and static analysis on the attack behavior through an algorithm;
and determining a judgment result according to a preset rule after the analysis is finished.
5. The method for trapping and attacking by combining the virtual node and the honeypot according to claim 4, wherein when the virtual node and the honeypot are judged to belong to threat perception, the honeypot is called to simulate a real device to respond correspondingly, and the step of trapping and attacking further comprises:
judging that the attack behavior belongs to threat perception;
calling the honeypot to judge that the attacker decrypts the data packet of the virtual node;
and continuously sending the encrypted data packet through the honeypot, and trapping the attacker to continuously attack.
6. The method for trapping and attacking by combining the virtual node and the honeypot according to claim 5, wherein when the judgment is that the virtual node and the honeypot belong to the threat perception, the honeypot is called to simulate a real device to make a corresponding response, and the step of trapping the attacker to continue attacking comprises the following steps:
judging the attacker decryption password acquired by the honeypot;
and when the password is judged to be an error password, generating a virtual data packet through the virtual node to trap an attacker for attacking, and storing the attack behavior judged to be threat perception and a decryption password for the attacker into a database.
7. A trapping attack device combining a virtual node and a honeypot is characterized by comprising:
the storage stores a judgment program of the attack behavior and stores the attack behavior of threat perception and the judgment of the decryption password of the attacker;
a processor for calling the memory to execute the method of any one of claims 1 to 6 when performing a trap attack action.
8. A trapping attack system combining a virtual node and a honeypot is characterized by comprising:
the router is used for forwarding the data packet;
the switch is connected with the router and used for forwarding the data packet;
the intercepting module is arranged between the router and the switch, comprises the device of claim 7, is used for capturing the data packet, is used for judging the attack behavior, stores the attack behavior sensed by the threat and the decryption password of an attacker, and modifies the source address of the captured data packet;
the equipment comprises a plurality of equipment terminals and an exchanger, wherein the equipment terminals are connected with the exchanger, virtual nodes are arranged on the equipment and send out virtual data packets, honeypots are arranged on the equipment and used for monitoring attack behaviors, encrypting the data packets and the virtual data packets and acquiring decryption passwords of attackers.
9. A trapping attack system combining a virtual node and a honeypot is characterized by comprising:
the router is used for grabbing and forwarding data packets;
the switch is connected with the router and used for forwarding the data packet;
the intercepting module is arranged between the router and the switch, is provided with a honeypot, comprises the device of claim 7, is used for judging the attack behavior, storing the attack behavior of threat perception and a decryption password of an attacker, and is used for modifying a source address of a data packet captured by the router; the intercepting module is provided with a virtual node and a honeypot, and the honeypot is used for monitoring the attack behavior and acquiring the decryption password of an attacker;
and the equipment terminals are connected with the switch.
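The claimed flow (monitor the virtual node, screen and analyse the event, trap on a wrong decryption password, record to the database, and prompt the router when a decryption actually succeeds, as in embodiment 1) as one runnable simulation. This is an added example written for this page, not code from the patent or its assignee. The patent names no cipher and no analysis algorithm, so the following are assumptions: the virtual node and honeypot share a constructed decoy key; a decoy packet is a toy SHA-256 keystream XOR with an HMAC tag; "static analysis" is signature matching, "dynamic analysis" is a per-source event count, and the "preset rule" is static OR dynamic. All events, ports, keys and signatures are constructed sample data.

```python
"""Decoy-node trapping flow, an added illustration of claims 1 to 6.

Assumptions (not from the patent): shared decoy key, toy keystream cipher
with HMAC tag, signature-based static analysis, rate-based dynamic analysis.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

DECOY_KEY = b"decoy-node-key-0001"                       # constructed shared decoy key
DECOY_PORTS = {8443, 3390}                                # constructed ports the honeypot serves
SCAN_SIGNATURES = (b"../", b"sqlmap", b"' OR 1=1")        # constructed static-analysis rules


@dataclass
class AttackEvent:
    """One observation the honeypot collected from a virtual node (constructed)."""
    src_ip: str
    dst_port: int
    payload: bytes
    offered_key: Optional[bytes] = None   # key the attacker tried to decrypt with, if seen


def decoy_packet(key: bytes, seq: int) -> bytes:
    """Virtual node: emit an authenticated decoy packet (toy construction)."""
    seq_b = seq.to_bytes(4, "big")
    body = f"decoy-record-{seq:04d}".encode()
    keystream = hashlib.sha256(key + seq_b).digest()
    ct = bytes(b ^ k for b, k in zip(body, keystream))
    tag = hmac.new(key, seq_b + ct, "sha256").digest()[:8]
    return seq_b + ct + tag


def open_decoy_packet(key: bytes, pkt: bytes) -> Optional[bytes]:
    """Inverse of decoy_packet; None when the tag fails, i.e. wrong key offered."""
    seq_b, ct, tag = pkt[:4], pkt[4:-8], pkt[-8:]
    expect = hmac.new(key, seq_b + ct, "sha256").digest()[:8]
    if not hmac.compare_digest(tag, expect):
        return None
    keystream = hashlib.sha256(key + seq_b).digest()
    return bytes(b ^ k for b, k in zip(ct, keystream))


@dataclass
class Honeypot:
    key: bytes
    ports: set
    rate_threshold: int = 3
    database: list = field(default_factory=list)       # claim 6: stored threats and passwords
    router_alerts: list = field(default_factory=list)  # embodiment 1: prompts sent to the router
    _hits: dict = field(default_factory=dict)          # per-source counter for dynamic analysis
    _seq: int = 0

    def is_threat(self, ev: AttackEvent) -> bool:
        """Claim 4: preliminary screen, then static and dynamic analysis, then preset rule."""
        if ev.dst_port not in self.ports:     # preliminary: not aimed at a decoy, not dangerous
            return False
        static = any(sig in ev.payload for sig in SCAN_SIGNATURES)
        self._hits[ev.src_ip] = self._hits.get(ev.src_ip, 0) + 1
        dynamic = self._hits[ev.src_ip] >= self.rate_threshold
        return static or dynamic              # preset rule (assumption)

    def handle(self, ev: AttackEvent) -> dict:
        """Claims 1, 5 and 6, plus the successful-decryption prompt of embodiment 1."""
        if not self.is_threat(ev):
            return {"action": "ignore"}
        if ev.offered_key is not None and hmac.compare_digest(ev.offered_key, self.key):
            # The attacker really recovered the decoy key: prompt the router early.
            self.router_alerts.append(f"decoy key recovered by {ev.src_ip}")
            return {"action": "alert_router"}
        # Wrong or absent key: keep the attacker busy with a fresh decoy packet
        # and record both the behaviour and the password that was tried.
        self._seq += 1
        self.database.append({"src_ip": ev.src_ip, "port": ev.dst_port,
                              "payload": ev.payload, "offered_key": ev.offered_key})
        return {"action": "trap", "packet": decoy_packet(self.key, self._seq)}


def run_demo() -> dict:
    """Feed constructed events through one honeypot and return what it decided."""
    hp = Honeypot(DECOY_KEY, DECOY_PORTS)
    events = [
        AttackEvent("10.0.0.5", 8443, b"GET / HTTP/1.1"),                    # first touch: ignored
        AttackEvent("10.0.0.5", 8443, b"GET /../../etc/passwd", b"guess1"),  # static hit: trapped
        AttackEvent("10.0.0.9", 80, b"GET /index.html"),                     # real port: ignored
        AttackEvent("10.0.0.5", 8443, b"\x16\x03\x01", DECOY_KEY),           # 3rd hit, right key: alert
    ]
    results = [hp.handle(ev) for ev in events]
    return {"actions": [r["action"] for r in results], "results": results, "honeypot": hp}


if __name__ == "__main__":
    demo = run_demo()
    print(demo["actions"])
    print(demo["honeypot"].database, demo["honeypot"].router_alerts)
```

The first probe of a decoy port is ignored on purpose: claim 1 drops anything the analysis does not classify as threat perception, so a single benign-looking touch produces no response and leaks nothing about the decoy. Only a signature match or a repeated source flips the event to "threat", at which point the wrong-key path hands out another decoy packet and the right-key path raises the router prompt.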
CN202111147138.0A 2021-09-28 2021-09-28 Trapping attack method, device and system combining virtual nodes and honeypots Active CN114499915B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111147138.0A CN114499915B (en) 2021-09-28 2021-09-28 Trapping attack method, device and system combining virtual nodes and honeypots

Publications (2)

Publication Number Publication Date
CN114499915A true CN114499915A (en) 2022-05-13
CN114499915B CN114499915B (en) 2022-12-02

Family

ID=81492303

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111147138.0A Active CN114499915B (en) 2021-09-28 2021-09-28 Trapping attack method, device and system combining virtual nodes and honeypots

Country Status (1)

Country Link
CN (1) CN114499915B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115150140A (en) * 2022-06-23 2022-10-04 云南电网有限责任公司 Distributed attack trapping system and method based on centralized and unified defense deployment
CN115150140B (en) * 2022-06-23 2024-04-09 云南电网有限责任公司 Distributed attack trapping system based on centralized unified defense arrangement
CN117118760A (en) * 2023-10-24 2023-11-24 北京派网科技有限公司 Threat perception method, device and storage medium for traffic forwarding based on pseudo network
CN117118760B (en) * 2023-10-24 2024-01-23 北京派网科技有限公司 Threat perception method, device and storage medium for traffic forwarding based on pseudo network

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170331858A1 (en) * 2016-05-10 2017-11-16 Quadrant Information Security Method, system, and apparatus to identify and study advanced threat tactics, techniques and procedures
CN110381041A (en) * 2019-06-28 2019-10-25 奇安信科技集团股份有限公司 Distributed denial of service attack situation detection method and device
CN111669403A (en) * 2020-06-24 2020-09-15 广州锦行网络科技有限公司 Multi-drainage multi-trapping node deployment system
CN112134854A (en) * 2020-09-02 2020-12-25 北京华赛在线科技有限公司 Method, device, equipment, storage medium and system for defending attack
CN112333203A (en) * 2020-11-26 2021-02-05 哈尔滨工程大学 RDP conversation method of high-interaction honeypot system based on man-in-the-middle technology
US10986129B1 (en) * 2019-03-28 2021-04-20 Rapid7, Inc. Live deployment of deception systems
CN112738128A (en) * 2021-01-08 2021-04-30 广州锦行网络科技有限公司 Novel honeypot networking method and honeypot system
CN113098906A (en) * 2021-05-08 2021-07-09 广州锦行网络科技有限公司 Application method of micro honeypots in modern families

Also Published As

Publication number Publication date
CN114499915B (en) 2022-12-02

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant