CN114553529A - Data processing method, device, network equipment and storage medium - Google Patents



Publication number
CN114553529A
Authority
CN
China
Prior art keywords
response packet
honeypot
data processing
service system
feature
Legal status
Pending
Application number
CN202210160665.3A
Other languages
Chinese (zh)
Inventor
王绍东
薛征宇
毛敏其
杨承林
刘旭
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment


Abstract

The embodiment of the invention is suitable for the technical field of computers, and provides a data processing method, a data processing device, network equipment and a storage medium, wherein the data processing method comprises the following steps: intercepting a first response packet; the first response packet represents a response packet sent by the service system according to the first access request; inserting honeypot characteristics into the first response packet to obtain a second response packet; sending the second response packet to the first peer device; the first peer device characterizes a sender of the first access request.

Description

Data processing method, device, network equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a data processing method, an apparatus, a network device, and a storage medium.
Background
Currently, the related art protects business systems by deploying honeypots. In practice, however, an attacker will usually run an anti-honeypot feature plug-in that quickly identifies the honeypot, so that the honeypot fails.
Disclosure of Invention
In order to solve the above problem, embodiments of the present invention provide a data processing method, apparatus, network device, and storage medium, so as to at least solve the problem that an attacker in the related art can identify honeypots using anti-honeypot feature plug-ins.
The technical scheme of the invention is realized as follows:
in a first aspect, an embodiment of the present invention provides a data processing method, where the method includes:
intercepting a first response packet; the first response packet represents a response packet sent by the service system according to the first access request;
inserting honeypot features into the first response packet to obtain a second response packet;
sending the second response packet to a first peer device; the first peer device characterizes a sender of the first access request.
In the above embodiment, the relevant parameters of the honeypot feature change dynamically over time.
In the above embodiment, the inserting a honeypot feature into the first response packet to obtain a second response packet includes:
analyzing the first response packet to obtain a document object model of the first response packet;
determining a location point for inserting the honeypot feature in the document object model;
and inserting the honeypot feature at the position point to obtain the second response packet.
In the above embodiment, before inserting the honeypot feature in the first response packet, the method further includes:
acquiring configuration parameters selected by a user;
generating the honeypot feature based on the configuration parameters.
In the above embodiment, before intercepting the first response packet, the method further includes:
acquiring a service system to be protected, as configured by a user, so that the honeypot feature is inserted into response packets of that service system.
In the above embodiment, the honeypot features include an attacker identity tracing code.
In a second aspect, an embodiment of the present invention provides a data processing apparatus, including:
the intercepting module is used for intercepting the first response packet; the first response packet represents a response packet sent by the service system according to the first access request;
the inserting module is used for inserting honeypot features into the first response packet to obtain a second response packet;
the sending module is used for sending the second response packet to the first peer device; the first peer device characterizes a sender of the first access request.
In a third aspect, an embodiment of the present invention provides a network device, including a processor and a memory, where the processor and the memory are connected to each other, where the memory is used to store a computer program, and the computer program includes program instructions, and the processor is configured to call the program instructions to execute the steps of the data processing method provided in the first aspect of the embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium that stores a computer program which, when executed by a processor, performs the steps of the data processing method provided in the first aspect of the embodiment of the invention.
In a fifth aspect, an embodiment of the present invention provides a cloud computing platform, which includes a data processing software module for implementing a network device, where the data processing software module is configured to implement the steps of the data processing method provided in the first aspect of the embodiment of the present invention.
The embodiment of the invention obtains a second response packet by intercepting a first response packet sent by a service system according to a first access request and inserting honeypot characteristics into the first response packet, and sends the second response packet to a sender of the first access request. If the sender of the first access request is an attacker with the anti-honeypot feature plug-in, the anti-honeypot feature plug-in can identify the honeypot features in the second response packet, so that the attacker thinks that the second response packet is sent by the honeypot and mistakenly thinks that the real service system is the honeypot, and the attacker gives up the attack to protect the service system.
Drawings
Fig. 1 is a schematic diagram of a flow direction according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart illustrating an implementation of a data processing method according to an embodiment of the present invention;
Fig. 3 is a schematic flow chart of another implementation of a data processing method according to an embodiment of the present invention;
Fig. 4 is a schematic flow chart illustrating another implementation of a data processing method according to an embodiment of the present invention;
Fig. 5 is a diagram illustrating a structure of a document object model according to an embodiment of the present invention;
Fig. 6 is a schematic flow chart of another implementation of a data processing method according to an embodiment of the present invention;
Fig. 7 is a diagram illustrating a data processing flow according to an embodiment of the present invention;
Fig. 8 is a schematic flow chart of honeypot feature insertion according to an embodiment of the present invention;
Fig. 9 is a diagram of a data processing apparatus according to an embodiment of the present invention;
Fig. 10 is a schematic diagram of a network device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A honeypot is a virtual system, in effect an information collection system, that imitates an enterprise's real service system and acts as bait to lure hackers into attacking it. After the attacker has intruded, the tools and information the hacker used are collected through monitoring and analysis, and the defense system is then consolidated accordingly.
At present, most honeypots provide and expose a corresponding false application or system on Docker (a container) or on a virtual machine, and induce the attacker to access that false application or system, which delays the attacker. When the honeypot features are identity tracing codes, the attacker can be traced by capturing the attacker's fingerprints, which may be virtual network identity information such as social accounts, or device information of the attacking equipment. The main means of honeypot tracing today is to insert honeypot features (that is, identity tracing codes) into the exposed honeypot application, induce an attacker who is logged in to third-party applications to access it so that the honeypot features capture the fingerprints, and send the fingerprints to the defender, so that security experts can trace the attacker to a personal identity.
However, attackers today almost always use anti-honeypot feature plug-ins, which quickly identify honeypots and their honeypot features, raise an alarm to the attacker and may even intercept the honeypot features, so that the honeypot fails.
In view of the above drawbacks of the related art, embodiments of the present invention provide a data processing method, which enables an attacker with an anti-honeypot feature plug-in to misunderstand that a real service system is a honeypot. In order to explain the technical means of the present invention, the following description will be given by way of specific examples.
Fig. 1 is a schematic diagram of a flow direction provided in an embodiment of the present invention. The network device may be a virtual device installed on the host where the service system is located, for example a firewall in the form of a virtual machine; it may also be a hardware server, such as a gateway or a proxy server. The network device forwards access requests sent by an attacker or a real user to the service system, and forwards the response packets sent by the service system back to the attacker or the real user. In the present application, it should be ensured as far as possible that the request and response traffic of the protected service system passes through the network device and that any session with the service system is established on the network device. The network device protects the service system by preventing an attacker from contacting it directly. The relationship between the network device and the service system may be one-to-one or one-to-many. The user can configure a protection strategy for the protected service system in the network device, such as a policy against Structured Query Language (SQL) injection or one prohibiting access to a set Uniform Resource Locator (URL), while reducing the impact on normal users and other normal services as much as possible.
Fig. 2 is a schematic diagram of an implementation flow of a data processing method provided in an embodiment of the present invention, where an execution subject of the data processing method is a network device in the foregoing embodiment. Referring to fig. 2, the data processing method includes:
S201, intercepting a first response packet; the first response packet represents a response packet sent by the service system according to the first access request.
Here, the first response packet is a response packet sent by the service system according to the first access request, and the first access request may be a malicious access request sent by an attacker or a normal access request sent by a real user.
The network device may receive the first access request and forward it to the service system (whether the first access request must pass through the network device is not limited in this application); the service system generates a first response packet according to the first access request and sends it to the sender of the first access request.
In the embodiment of the present invention, the network device intercepts the first response packet sent by the service system, regardless of whether the receiver of the first response packet is a normal user or an attacker.
S202, inserting honeypot characteristics into the first response packet to obtain a second response packet.
Here, the first response packet issued by the service system does not contain the honeypot feature, and the network device inserts the honeypot feature into it. In one embodiment, the honeypot features include an attacker identity tracing code, which may also be called a honeypot tracing code.
In practical applications, honeypot features also include TCP/IP protocol stack and network characteristics, such as the number of connections, network traffic, packet content, TCP/IP field values and network delay. Through fingerprinting of the protocol stack an attacker may find that the operating system being attacked is not the operating system it was identified as, and therefore conclude that a honeypot is present; an attacker can also judge whether a honeypot exists from the network delay.
Referring to fig. 3, in an embodiment, prior to inserting a honeypot feature in the first response packet, the method further comprises:
S301, obtaining the configuration parameters selected by the user.
S302, generating the honeypot characteristics based on the configuration parameters.
Here, the configuration parameters may be the relevant parameters of the honeypot tracing code, such as the cross-domain request frequency (e.g. the number of requests sent per minute), the request sites (e.g. third-party application sites such as Baidu post bar, Sina microblog and the like), the tracing codes and code obfuscation modes of different honeypot manufacturers, and so on. Of course, the configuration parameters may also be other relevant parameters of honeypot features besides the honeypot tracing code.
The user can set the cross-domain access frequency to a larger value, so that the probability that the honeypot features are detected as a honeypot increases. The user can also adjust the configuration parameters periodically, so that the relevant parameters of the honeypot features change dynamically over time and an attacker is prevented from deleting the honeypot features with a simple script. Preventing such deletion matters because once the attacker has deleted the honeypot feature, the attack can proceed. To avoid this, the honeypot features are changed dynamically, so that an attacker finds it hard to delete them by simple means, does not dare to attack, and the real service system is better protected.
The embodiment of the invention can provide some configuration parameters for the user to select, and finally generate the honeypot characteristics according to the configuration parameters selected by the user. Alternatively, a combination of certain configuration parameters is set in advance, and when an instruction to generate the honeypot feature is received, the honeypot feature is automatically generated based on the combination of the preset configuration parameters.
In one embodiment, the relevant parameters of the honeypot features change dynamically over time (the change instruction may be triggered automatically on a timer or manually by a user). The relevant parameters are the parameters needed to generate the honeypot feature and/or the insertion location of the honeypot feature, for example the cross-domain request frequency, the request site, the source code of different honeypot vendors, the code obfuscation mode and/or the inserted position point. By dynamically changing the honeypot features, an attacker is prevented from learning the honeypot features through simple analysis and from deleting them with a simple script, and the real service system is further protected.
Honeypot tracing code is taken as an example to describe the technical means of dynamic change. In practical application, the honeypot tracing code can be code-obfuscated to generate a new honeypot feature. Code obfuscation, sometimes called junk-instruction insertion, transforms the code of a program into a functionally equivalent form that is difficult to read and understand. The embodiment of the invention may obfuscate code in three respects: layout, data and control.
Layout obfuscation: identifiers may be obfuscated, including the names of constants, variables and functions; garbage code may be inserted into the honeypot tracing code; and the code volume may be reduced and the reading difficulty increased by deleting indentation and/or line breaks.
Data obfuscation: numbers, strings, arrays and Booleans are encoded and mixed, using hexadecimal encoding, Unicode encoding, Base64 encoding and mixtures of these, string splitting, string encryption and the like.
Control obfuscation: the original sequential control flow is flattened and turned into a loop-driven flow, which increases the difficulty of reading and analysing the code.
By constantly changing the complexity of the honeypot tracing code, an attacker cannot delete it by writing a simple script on the client, the attacker's anti-honeypot feature plug-in is turned against the attacker, the attacker is induced to identify the real business system as a honeypot, and the honeypot tracing code is hard to remove by simple means; the attacker therefore does not dare to attack, for fear that the defender will obtain the attacker's identity information.
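As an added illustration (not code from the patent or from Sangfor), the following Python sketch shows how the configuration parameters of S301/S302 can drive per-epoch generation of a decoy feature with layout and data obfuscation, and why a fixed-pattern removal script stops matching after a change. The placeholder site URLs, the generated variable names and the `__decoyFeature` marker are assumptions; the script it emits is inert and carries no tracing logic.

```python
import base64
import hashlib
import json
import random
import re

# Constructed configuration parameters, following S301/S302 and step P7:
# cross-domain request frequency, request sites and obfuscation mode.
# The site URLs are placeholders (.invalid TLD), not real third-party sites.
CONFIG = {
    "request_frequency_per_minute": 6,
    "request_sites": ["https://site-a.invalid/", "https://site-b.invalid/"],
    "obfuscation_mode": "hex",  # assumed modes: hex, unicode, base64
}
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def encode_string(s: str, mode: str) -> str:
    """Data obfuscation: a JS expression that evaluates to the string s."""
    if mode == "hex":
        return '"' + "".join(
            f"\\x{ord(c):02x}" if ord(c) < 256 else f"\\u{ord(c):04x}"
            for c in s) + '"'
    if mode == "unicode":
        return '"' + "".join(f"\\u{ord(c):04x}" for c in s) + '"'
    if mode == "base64":
        return 'atob("' + base64.b64encode(s.encode()).decode() + '")'
    raise ValueError(f"unknown obfuscation mode: {mode}")


def fresh_identifier(rng: random.Random, length: int = 8) -> str:
    """Layout obfuscation: a random identifier name for this epoch."""
    return "_" + "".join(rng.choice(ALPHABET) for _ in range(length))


def generate_feature(config: dict, epoch: int) -> str:
    """Return the <script> text of the decoy feature for one epoch.

    The script only carries the configured parameters as obfuscated data;
    the actual tracing logic is the honeypot vendor's and is not reproduced.
    Identifiers, literal encodings, site order and a junk statement all
    change with the epoch, so the text differs while the content is the same.
    """
    seed = hashlib.sha256(
        f"{epoch}:{json.dumps(config, sort_keys=True)}".encode()).digest()
    rng = random.Random(seed)              # deterministic within an epoch
    mode = config["obfuscation_mode"]
    v_sites = fresh_identifier(rng)
    v_interval = fresh_identifier(rng)
    v_junk = fresh_identifier(rng)
    sites = list(config["request_sites"])
    rng.shuffle(sites)                     # vary array order per epoch
    interval_ms = 60_000 // config["request_frequency_per_minute"]
    body = (
        f"var {v_sites}=[{','.join(encode_string(s, mode) for s in sites)}];"
        f"var {v_interval}={interval_ms};"
        f"var {v_junk}={rng.randint(1, 1 << 20)};"   # inserted junk statement
        f"window[{encode_string('__decoyFeature', mode)}]"
        f"={{sites:{v_sites},interval:{v_interval}}};"
    )
    return f"<script>{body}</script>"


def naive_strip(html: str, literal: str) -> str:
    """What a fixed-pattern client-side script would do: remove exact copies
    of a feature text it has seen before."""
    return re.sub(re.escape(literal), "", html)
```

Running `generate_feature(CONFIG, e)` for two epochs gives two textually different scripts, and a pattern learned from the first no longer strips the second.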
Referring to fig. 4, in an embodiment, the inserting honeypot feature into the first response packet to obtain a second response packet includes:
S401, analyzing the first response packet to obtain a document object model of the first response packet.
Here, the first response packet may be parsed using a Deep Packet Inspection (DPI) technique. Deep packet inspection is a special network technology, and general network equipment only looks at an ethernet header and an IP header without analyzing contents in TCP/UDP, which is called shallow packet inspection; the corresponding deep packet inspection checks the content in TCP/UDP, so it is called deep packet inspection.
Through deep packet inspection the application content of the first response packet is obtained, from which a Document Object Model (DOM) containing element nodes and attribute nodes is built.
The DOM is a representation of the structure of a Hypertext Markup Language (HTML) or Extensible Markup Language (XML) document, and the HTML/XML can be modified by modifying the DOM programmatically. JavaScript provides a complete set of methods to acquire, traverse and manipulate the DOM.
S402, determining the position points at which the honeypot features are inserted into the document object model.
The DOM employs a tree structure, each part of which is called a node, including element nodes and attribute nodes, and the document object model is used to manipulate these nodes.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a document object model according to an embodiment of the present invention. The document object model shown in fig. 5 is tree-shaped, and the head includes element nodes meta and title; the element nodes a, img, div, etc. are included in the body. The element node further includes an attribute node, for example, a div element node includes an attribute node id and a class.
The position point is a node in the document object model; any node is a usable position point as long as the code can still execute normally after the honeypot feature is inserted there.
S403, inserting the honeypot features at the position points to obtain the second response packet.
It should be understood that the honeypot feature only needs to be inserted at one location point; for example, the honeypot feature is inserted inside the <div> element node, and the document object model is then encapsulated to obtain the second response packet.
Referring to FIG. 6, in one embodiment, the determining the location points for inserting the honeypot features in the document object model includes:
S601, determining at least two position points in the document object model.
S602, determining a position point for inserting the honeypot feature from the at least two position points.
Several position points into which honeypot features can be inserted can be determined in the document object model, and one of them can be selected at random as the point at which the honeypot feature is inserted.
In practical application, the position point at which real honeypots insert their features can be used as a reference: keeping the position point consistent with that of real honeypots imitates the habits of real honeypots and induces attackers to identify the real service system as a honeypot.
In an embodiment, determining the location points at which the honeypot features are inserted in the document object model includes:
changing the position point at which the honeypot feature is inserted when a change instruction is received.
Here, the change instruction may be triggered automatically on a timer or manually by a user, and the position point at which the honeypot feature is inserted is changed at irregular intervals, so that an attacker cannot easily recognize the position of the honeypot feature in the response packet and delete it, and the deception defense against the attacker can be kept up continuously.
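As an added example, not taken from the patent, the Python code below parses a constructed HTML response body, collects the insertable element nodes of S401/S601, and splices a placeholder feature in at a position point that is chosen randomly but re-seeded on every change instruction (S602, S403). The insertable tag set, the rotation period and the placeholder feature text are assumptions.

```python
import hashlib
import random
from html.parser import HTMLParser

# Assumption: element nodes inside <body> whose content may hold a <script>.
INSERTABLE_TAGS = {"body", "div", "section", "p", "li", "span"}
# Assumption: period of the automatic change instruction, in seconds.
ROTATION_SECONDS = 600

# Constructed sample response body, laid out like the DOM of Fig. 5
# (head with meta and title; body with a, img and div nodes with id/class).
SAMPLE_RESPONSE_BODY = """<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Service A</title></head>
<body>
<a href="/login">Login</a><img src="/logo.png" alt="logo">
<div id="main" class="wrap"><p>Welcome</p></div>
<div id="footer" class="wrap">Footer</div>
</body>
</html>
"""
# Placeholder for the honeypot feature; the real tracing code is the vendor's.
FEATURE = "<script>/* decoy honeypot feature inserted by the network device */</script>"


class InsertionPointFinder(HTMLParser):
    """S401/S601: parse the response body and record every element node at
    which the feature could be inserted, as the character offset just after
    the node's start tag (i.e. "in the middle of" the element)."""

    def __init__(self, html):
        super().__init__()
        self.html = html
        # Map the (line, column) reported by getpos() back to absolute offsets.
        self.line_starts = [0]
        for i, ch in enumerate(html):
            if ch == "\n":
                self.line_starts.append(i + 1)
        self.candidates = []   # list of (tag, offset)
        self.in_body = False
        self.feed(html)
        self.close()

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_body = True
        if self.in_body and tag in INSERTABLE_TAGS:
            line, col = self.getpos()             # position of this tag's '<'
            start = self.line_starts[line - 1] + col
            self.candidates.append((tag, start + len(self.get_starttag_text())))

    def handle_endtag(self, tag):
        if tag == "body":
            self.in_body = False


def current_epoch(now_seconds):
    """Automatic change instruction: the epoch advances every ROTATION_SECONDS.
    A manual change instruction can simply bump the epoch by one."""
    return int(now_seconds // ROTATION_SECONDS)


def choose_position(candidates, epoch):
    """S602: pick one candidate at random. Seeding the choice with the epoch
    keeps the position stable until the next change instruction."""
    if not candidates:
        raise ValueError("response body has no insertable element node")
    rng = random.Random(hashlib.sha256(f"position:{epoch}".encode()).digest())
    return rng.choice(candidates)


def insert_feature(html, feature, epoch):
    """S402/S403: choose the position point for this epoch, splice the feature
    in, and return the re-encapsulated response body."""
    finder = InsertionPointFinder(html)
    _tag, offset = choose_position(finder.candidates, epoch)
    return html[:offset] + feature + html[offset:]


if __name__ == "__main__":
    for epoch in (0, 1, 2):
        out = insert_feature(SAMPLE_RESPONSE_BODY, FEATURE, epoch)
        print(f"epoch {epoch}: feature at offset {out.index(FEATURE)}")
```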
In one embodiment, before intercepting the first response packet, the method further comprises:
acquiring a service system to be protected, as configured by a user, so that the honeypot feature is inserted into response packets of that service system.
In the embodiment of the present invention, the relationship between the network device and the service system may be one-to-one or one-to-many. For a service system configured as protected in the network device, the network device forwards the response packets that the service system sends to an attacker or a real user, and inserts the honeypot feature into each such response packet.
S203, sending the second response packet to a first peer device; the first peer device characterizes a sender of the first access request.
After the second response packet is obtained, it is sent to the sender of the first access request. Because the second response packet contains the honeypot feature, if the sender of the first access request is an attacker with an anti-honeypot feature plug-in deployed, the plug-in will consider that the second response packet was sent by a honeypot, so the attacker mistakenly takes the real service system for a honeypot and gives up subsequent attacks. If the sender of the first access request is a normal user, the normal user does not use the anti-honeypot feature plug-in, which is dedicated to attackers, to access the service system, so normal access is not affected.
The embodiment of the invention obtains a second response packet by intercepting a first response packet sent by a service system according to a first access request and inserting honeypot characteristics into the first response packet, and sends the second response packet to a sender of the first access request. If the sender of the first access request is an attacker with the anti-honeypot feature plug-in, the anti-honeypot feature plug-in can identify the honeypot features in the second response packet, so that the attacker thinks that the second response packet is sent by the honeypot and mistakenly thinks that the real service system is the honeypot, and the attacker gives up the attack, thereby protecting the service system.
Referring to fig. 7, fig. 7 is a schematic diagram of a data processing flow according to an embodiment of the present invention. The data processing flow comprises steps P1 to P8:
step P1: the network device of the deployment flow level can be a gateway or a firewall, and it is necessary to ensure that the protected service system request and response flows pass through the network device as much as possible, and the session is established on the network device.
Step P2: the protection strategy for the protected service system is configured, the service system needing protection is selected in the network equipment, the application protection is pertinently started, the normal operation of the original passive application protection capability of the network equipment is ensured, and the influence on normal users and other normal services is reduced as far as possible.
Step P3: and intercepting an access response packet of the protected system.
Step P4: and analyzing the response packet to obtain a document object model.
Step P5: and finding element nodes or attribute nodes of the insertable codes.
It is then determined whether manual intervention is required: if not, the flow enters P6; if manual intervention is required, it enters P7.
Step P6: the network device automatically inserts the honeypot tracing code at a random code-executable location.
Step P6 mainly implements automatic insertion: after parsing the response packet, the network device automatically inserts the honeypot tracing plug-in code into it and may replace the inserted position point at irregular intervals. For example, the firewall discovers several nodes, inserts an identity tracing code in the form of JS code in the middle of one insertable <div> element node, encapsulates the packet and returns it to the requester, and uses a JSONP cross-domain request to imitate the identity-tracing behaviour of a honeypot. After a random period of time, the code insertion point is automatically changed.
Step P7: and configuring honeypot source tracing codes and parameters thereof.
The network device may provide some optional parameters for manual configuration, for example, the optional parameters may include cross-domain request frequency (e.g., one minute request sending frequency), request sites (e.g., third party application sites such as Baidu post bar, Sina microblog, etc.), source tracing codes of different honeypot manufacturers, code obfuscation modes, and the like, and the network device completes code insertion according to the manually configured honeypot source tracing code parameters and repackages the data packet to return to the requester.
Step P8: and the network equipment repackages the data packet with the inserted code and returns the data packet to the client.
And after the network equipment completes the code insertion, repackaging the data packet and returning the data packet to the requester.
According to the embodiment of the invention, because the fire wall inserts the honeypot tracing code into the response packet, the anti-honeypot feature plug-in of the attacker can identify the honeypot feature in the response packet, so that the response packet is considered to be sent by the honeypot, the actual service system is mistakenly considered to be the honeypot, the attacker gives up subsequent attacks, and the service system is protected.
Referring to fig. 8, fig. 8 is a schematic flow chart of honeypot feature insertion according to an embodiment of the present invention. The honeypot characteristic insertion process comprises the following steps:
First, an attacker initiates access to service system A.
Second, the firewall receives the access request and forwards it to service system A.
Third, service system A returns its response to the firewall.
Fourth, the firewall inserts honeypot features (Fig. 8 uses honeypot tracing code, also called identity tracing code, as the example) into the response packet.
Fifth, the firewall returns the response packet with the inserted honeypot tracing code to the attacker.
Sixth, the attacker accesses the third-party site through the response packet with the inserted honeypot tracing code.
Seventh, the attacker's anti-honeypot plug-in raises an alarm or blocks the access.
Eighth, the attacker considers service system A to be a honeypot, or turns off the anti-honeypot plug-in before continuing to access it.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The technical means described in the embodiments of the present invention may be arbitrarily combined without conflict.
In addition, in the embodiments of the present invention, "first", "second", and the like are used for distinguishing similar objects, and are not necessarily used for describing a specific order or a sequential order.
Referring to fig. 9, fig. 9 is a schematic diagram of a data processing apparatus according to an embodiment of the present invention, and as shown in fig. 9, the apparatus includes an intercepting module, an inserting module, and a sending module.
The intercepting module is used for intercepting the first response packet; the first response packet represents a response packet sent by the service system according to the first access request;
the inserting module is used for inserting honeypot characteristics into the first response packet to obtain a second response packet;
the sending module is used for sending the second response packet to the first peer device; the first peer device denotes the sender of the first access request.
In the above embodiment, the relevant parameters of the honeypot feature change dynamically over time.
In the above embodiment, the inserting module inserting the honeypot feature into the first response packet to obtain a second response packet includes:
analyzing the first response packet to obtain a document object model of the first response packet;
determining a location point for inserting the honeypot feature in the document object model;
and inserting the honeypot feature at the position point to obtain the second response packet.
In the above embodiment, the inserting module determining the location point for inserting the honeypot feature in the document object model includes:
determining at least two location points in the document object model;
selecting, from the at least two location points, the location point at which the honeypot feature is inserted.
In the above embodiment, the apparatus further comprises:
a first acquisition module for acquiring configuration parameters selected by a user;
a generating module for generating the honeypot feature based on the configuration parameters.
In the above embodiment, the apparatus further comprises:
a second acquisition module for acquiring the service system to be protected as configured by the user, so that the honeypot feature is inserted into the response packets of that service system.
In the above embodiment, the honeypot feature includes: the attacker identity tracing code.
In practical applications, the intercepting module, the inserting module and the sending module may be implemented by a processor in a network device, such as a Central Processing Unit (CPU), a Digital Signal Processor (DSP), a Micro Control Unit (MCU), or a Field Programmable Gate Array (FPGA).
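As an added example that is not part of the patent, the following Python models the firewall-side flow of fig. 8 together with the intercepting, inserting and sending modules of fig. 9: the first response packet is parsed into a document model, at least two location points are collected, one is chosen, a time-varying honeypot feature generated from user configuration is inserted there, and the second response packet is emitted with a recomputed Content-Length. The packet layout, configuration keys, host name and the hidden-element marker are assumptions; the real identity tracing code is out of scope and is replaced by a placeholder marker.

```python
import hashlib
import hmac
from html.parser import HTMLParser

# Hypothetical user configuration (claims 4 and 5): hosts to protect and the
# parameters the honeypot feature is generated from.  All values constructed.
CONFIG = {
    "protected_hosts": {"a.example.internal"},
    "feature_tag": "hp-trace",
    "rotation_seconds": 600,  # how often the feature's parameters change
}
SECRET = b"constructed-demo-secret"  # placeholder, not a real key

# Constructed sample reply from service system A: the first response packet.
SAMPLE_HTML = ("<html><head><title>Service A</title></head>\n"
               "<body><h1>Welcome</h1></body></html>")
FIRST_RESPONSE = {
    "host": "a.example.internal", "status": 200,
    "headers": {"Content-Type": "text/html; charset=utf-8",
                "Content-Length": str(len(SAMPLE_HTML.encode("utf-8")))},
    "body": SAMPLE_HTML.encode("utf-8"),
}

def generate_honeypot_feature(config, secret, now):
    """Build the honeypot feature from the configuration parameters (claim 4);
    a keyed hash over the rotation window makes it change over time (claim 2)."""
    window = int(now) // config["rotation_seconds"]
    msg = f"{config['feature_tag']}:{window}".encode()
    token = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]
    # The hidden element is only a stand-in for real tracing code.
    return f'<div class="{config["feature_tag"]}" data-token="{token}" hidden></div>'

class _LocationFinder(HTMLParser):
    """Parse the document and record candidate insertion offsets (claim 3)."""

    def __init__(self, html):
        super().__init__()
        # Map the parser's (line, column) positions back to absolute offsets.
        self._line_starts = [0] + [i + 1 for i, c in enumerate(html) if c == "\n"]
        self.points = []

    def _offset(self):
        line, col = self.getpos()
        return self._line_starts[line - 1] + col

    def handle_starttag(self, tag, attrs):
        if tag in ("head", "body"):  # location point just after the opening tag
            self.points.append(self._offset() + len(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in ("head", "body"):  # location point just before the closing tag
            self.points.append(self._offset())

def find_location_points(html):
    """Return every candidate location point, in document order."""
    finder = _LocationFinder(html)
    finder.feed(html)
    finder.close()
    return finder.points

def choose_location_point(points, feature):
    """Pick one of at least two candidates (claim 3); keying on the feature
    also moves the placement from one rotation window to the next."""
    if len(points) < 2:
        raise ValueError("need at least two candidate location points")
    return points[int(hashlib.sha256(feature.encode()).hexdigest(), 16) % len(points)]

def insert_honeypot_feature(first_response, config, secret, now):
    """Derive the second response packet from the first (claim 1).  Only HTML
    from a configured service system is rewritten; Content-Length is recomputed."""
    headers = first_response["headers"]
    if (first_response["host"] not in config["protected_hosts"]
            or not headers.get("Content-Type", "").startswith("text/html")):
        return first_response
    html = first_response["body"].decode("utf-8")
    points = find_location_points(html)
    if len(points) < 2:  # no safe place to rewrite: pass the packet through
        return first_response
    feature = generate_honeypot_feature(config, secret, now)
    pos = choose_location_point(points, feature)
    body = (html[:pos] + feature + html[pos:]).encode("utf-8")
    second = dict(first_response, body=body, headers=dict(headers))
    second["headers"]["Content-Length"] = str(len(body))
    return second
```

Calling `insert_honeypot_feature(FIRST_RESPONSE, CONFIG, SECRET, now)` returns the rewritten packet, leaving the original untouched so the intercepting module can still log what the service system actually sent.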
It should be noted that: in the above embodiment, when performing data processing, the device is only illustrated by dividing the modules, and in practical applications, the processing may be distributed to different modules according to needs, that is, the internal structure of the device is divided into different modules to complete all or part of the processing described above. In addition, the apparatus provided in the above embodiments and the data processing method embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments for details, which are not described herein again.
The data processing device may be in the form of an image file, and after the image file is executed, the image file may be run in the form of a container or a virtual machine, so as to implement the data processing method described in the present application. Certainly, the present invention is not limited to the form of an image file, and as long as some software forms capable of implementing the data processing method described in the present application are within the protection scope of the present application, for example, the software forms may also be software modules implemented in a hypervisor (virtual machine monitor) in a cloud computing platform.
Based on the hardware implementation of the program module, and in order to implement the method of the embodiment of the present application, an embodiment of the present application further provides a network device. Fig. 10 is a schematic diagram of a hardware structure of a network device according to an embodiment of the present application, and as shown in fig. 10, the network device includes:
the communication interface can carry out information interaction with other equipment such as network equipment and the like;
and the processor is connected with the communication interface to realize information interaction with other equipment, and is used for executing the method provided by one or more technical schemes at the network equipment side when running a computer program. And the computer program is stored on the memory.
Of course, in practice, the various components in the network device are coupled together by a bus system. It will be appreciated that a bus system is used to enable communications among the components. The bus system includes a power bus, a control bus, and a status signal bus in addition to a data bus. But for the sake of clarity the various buses are labeled as a bus system in figure 10.
The memory in the embodiments of the present application is used to store various types of data to support the operation of the network device. Examples of such data include: any computer program for operating on a network device.
The network device may be a hardware gateway (such as a hardware firewall) or a server deployed with a "software module capable of running the data processing method of the present application" (such as a software firewall).
It will be appreciated that the memory can be either volatile memory or nonvolatile memory, and can include both volatile and nonvolatile memory. The nonvolatile memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory can be Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memories described in the embodiments of the present application are intended to comprise, without being limited to, these and any other suitable types of memory.
The cloud computing platform is a business form which organizes a plurality of independent server physical hardware resources into pooled resources by adopting computing virtualization, network virtualization and storage virtualization technologies, is a software defined resource structure based on virtualization technology development and can provide resource capacity in forms of virtual machines, containers and the like. The fixed relation between hardware and an operating system is eliminated, the communication of a network is relied on to unify resource scheduling, and then required virtual resources and services are provided.
The current cloud computing platform supports several service modes:
SaaS (Software as a Service): the cloud computing platform user does not need to purchase software, but rents the software deployed on the cloud computing platform, the user does not need to maintain the software, and a software service provider can manage and maintain the software in full rights;
PaaS (Platform as a Service): a cloud computing platform user (usually a software developer at this time) can build a new application on a framework provided by the cloud computing platform, or expand an existing application, and does not need to purchase a development, quality control or production server;
IaaS (Infrastructure as a Service): the cloud computing platform provides data centers, infrastructure hardware and software resources through the internet, and the cloud computing platform in the IaaS mode can provide servers, operating systems, disk storage, databases and/or information resources.
The method disclosed in the embodiments of the present application may be applied to a processor, or may be implemented by a processor. The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or instructions in the form of software. The processor described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in a memory where a processor reads the programs in the memory and in combination with its hardware performs the steps of the method as previously described.
Optionally, when the processor executes the program, the corresponding process implemented by the network device in each method of the embodiment of the present application is implemented, and for brevity, no further description is given here.
In an exemplary embodiment, the present application further provides a storage medium, specifically a computer storage medium, for example, a first memory storing a computer program, where the computer program is executable by a processor of a network device to perform the steps of the foregoing method. The computer readable storage medium may be Memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, network device and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The embodiment of the invention also comprises a cloud computing platform, wherein the cloud computing platform comprises a data processing software module, and the data processing software module is used for executing the steps of the data processing method.
Alternatively, the integrated units described above in the present application may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially implemented or portions thereof contributing to the prior art may be embodied in the form of a software product stored in a storage medium, and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The technical means described in the embodiments of the present application may be arbitrarily combined without conflict.
In addition, in the examples of the present application, "first", "second", and the like are used for distinguishing similar objects, and are not necessarily used for describing a specific order or a sequential order.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A data processing method is applied to network equipment; characterized in that the method comprises:
intercepting a first response packet; the first response packet represents a response packet sent by the service system according to the first access request;
inserting honeypot features into the first response packet to obtain a second response packet;
sending the second response packet to a first peer device; the first peer device denotes the sender of the first access request.
2. The method according to claim 1, characterized in that the relevant parameters of the honeypot feature change dynamically over time.
3. The method of claim 1, wherein the inserting of the honeypot feature into the first response packet to obtain a second response packet comprises:
analyzing the first response packet to obtain a document object model of the first response packet;
determining a location point for inserting the honeypot feature in the document object model;
and inserting the honeypot feature at the position point to obtain the second response packet.
4. The method of claim 1, wherein prior to inserting a honeypot feature in the first response packet, the method further comprises:
acquiring configuration parameters selected by a user;
generating the honeypot feature based on the configuration parameter.
5. The method of any of claims 1 to 4, further comprising, prior to intercepting the first response packet:
acquiring a service system to be protected as configured by a user, so that the honeypot feature is inserted into response packets of that service system.
6. The method according to any one of claims 1 to 4, characterized in that the honeypot feature comprises: the attacker identity tracing code.
7. A data processing apparatus, comprising:
the intercepting module is used for intercepting the first response packet; the first response packet represents a response packet sent by the service system according to the first access request;
the inserting module is used for inserting honeypot characteristics into the first response packet to obtain a second response packet;
the sending module is used for sending the second response packet to the first peer device; the first peer device denotes the sender of the first access request.
8. A network device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the data processing method according to any one of claims 1 to 6 when executing the computer program.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions that, when executed by a processor, cause the processor to carry out the data processing method according to any one of claims 1 to 6.
10. A cloud computing platform comprising data processing software modules for implementing network devices, the data processing software modules being configured to implement the steps of the data processing method of any one of claims 1 to 6.
CN202210160665.3A 2022-02-22 2022-02-22 Data processing method, device, network equipment and storage medium Pending CN114553529A (en)
Publications (1)

Publication Number Publication Date
CN114553529A true CN114553529A (en) 2022-05-27



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination