CN115150156A - Honeypot implementation method and device and storage medium - Google Patents

Publication number: CN115150156A
Application number: CN202210759965.3A
Authority: CN (China)
Prior art keywords: network element, security, network, event report, honeypot
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Inventors: 樊宁, 王海燚, 沈军, 衡心
Current assignee: China Telecom Corp Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd; priority to CN202210759965.3A; publication of CN115150156A; legal status pending.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
        • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources > H04L63/105 Multiple levels of security
        • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The disclosure provides a honeypot implementation method, a honeypot implementation device and a storage medium, and relates to the technical field of network security. The disclosed honeypot implementation method comprises the following steps: receiving a security event report and a network element event report of a target network; performing security analysis based on a security threat model according to the security event report and the network element event report of the target network; and, in the case that the security analysis determines that a security anomaly exists, starting honeypot deployment. By this method, the invalid running time of the honeypot system can be reduced, and the targeting and the stability of effect of the honeypot system are improved.

Description

Honeypot implementation method and device and storage medium
Technical Field
The disclosure relates to the technical field of network security, and in particular, to a honeypot implementation method, device and storage medium.
Background
Honeypot technology is a network attack-inducing technology: by inducing an attacker to attack harmless assets, and by capturing and analyzing the attack behaviour, the attack tools and methods are obtained, the attack intention is inferred, and the reinforcement of the protection capability is further assisted.
Disclosure of Invention
One object of the present disclosure is to improve deployment timeliness and effectiveness of honeypots.
According to an aspect of some embodiments of the present disclosure, a method for implementing a honeypot is provided, including: receiving a security event report and a network element event report of a target network; performing security analysis based on a security threat model according to the security event report and the network element event report of the target network; and, in the case that the security analysis determines that a security anomaly exists, starting honeypot deployment.
In some embodiments, initiating honeypot deployment includes: determining the associated network element associated with the security anomaly; and performing honeypot deployment for the associated application and the associated network element.
In some embodiments, determining the associated network element associated with the security anomaly comprises: analyzing the communication path and the associated application according to a Protocol Data Unit (PDU) session, determining the control plane network element relationship chain that provides services for the communication, and thereby determining the associated network element.
In some embodiments, performing honeypot deployment for the associated application and the associated network element comprises: generating network slice adjustment information according to the associated application and the associated network element; sending the network slice adjustment information to the corresponding execution equipment so as to isolate one or more of the associated network elements together with the associated application in the same network slice; and, after the configuration completion response of the corresponding execution equipment is obtained, starting honeypot monitoring.
In some embodiments, generating network slice adjustment information from the associated application and the associated network element comprises: determining and setting the security level of each network element among the associated network elements; and, for a target network element whose security level is the first security level, adjusting the slice attribute of the network slice in which the target network element is located and generating network slice adjustment information for deploying a honeypot in the target network element. Sending the network slice adjustment information to the corresponding execution device then includes: sending the network slice adjustment information to the network management equipment and the target network element so as to start honeypot deployment for the target network element, wherein the target network element and the network management equipment execute configuration operations according to the network slice adjustment information.
In some embodiments, performing honeypot deployment for the associated application and the associated network element further comprises: after the associated network element is determined, sending a supplementary report request to the associated network element and obtaining the supplementary event report fed back by the associated network element. Determining the security level of a network element among the associated network elements then comprises: determining the security level according to the security event report, the network element event report and the supplementary event report of the associated network element.
In some embodiments, determining the security level of a network element among the associated network elements comprises: determining a security confidence according to the security event report, the network element event report and the supplementary event report of the associated network element; and determining the security level of one or more of the associated network elements according to a preset security confidence threshold and the security confidence.
In some embodiments, the network slice adjustment information comprises one or more of an application notification report, a network element notification report, or a network management notification report; the application notification report comprises one or more of an application address table, an application network interface, an application extension and an isolation action requirement; the network element notification report comprises network element security attributes and network element slice attributes; and the network management notification report includes network slice adjustment trigger information.
In some embodiments, initiating honeypot monitoring comprises: generating monitoring start information, wherein the monitoring start information comprises an intra-slice network element log monitoring start notification, a traffic monitoring start notification or an isolated AF (Application Function) log monitoring start notification; and sending the monitoring start information to the corresponding network element.
In some embodiments, the method further comprises: and after the security level of the network element is determined to be the second level or the network slice adjustment information is generated, sending analysis feedback information to a network manager and one or more network elements in the target network.
In some embodiments, the method further comprises: subscribing to the security event report from the security device, so that the security device sends the security event report at a first predetermined frequency or when triggered by a first predetermined event; and subscribing to the network element event report from the network elements of the target network, so that the network element sends the network element event report at a second predetermined frequency or when triggered by a second predetermined event.
According to an aspect of some embodiments of the present disclosure, an apparatus for implementing honeypots is provided, including: an event report receiving unit configured to receive a security event report and a network element event report of a target network; an analysis unit configured to perform security analysis based on a security threat model according to the security event report and the network element event report of the target network; and a honeypot deployment unit configured to start honeypot deployment in the case that the security analysis determines that a security anomaly exists.
In some embodiments, the apparatus further comprises a subscription unit configured to: subscribe to the security event report from the security device, so that the security device sends the security event report at a first predetermined frequency or when triggered by a first predetermined event; and subscribe to the network element event report from the network elements of the target network, so that the network element sends the network element event report at a second preset frequency or when triggered by a second preset event.
According to an aspect of some embodiments of the present disclosure, an apparatus for implementing honeypots is provided, including: a memory; and a processor coupled to the memory, the processor configured to perform any one of the honeypot implementation methods as mentioned above based on instructions stored in the memory.
According to an aspect of some embodiments of the present disclosure, a non-transitory computer-readable storage medium is proposed, on which computer program instructions are stored; when executed by a processor, these instructions implement the steps of any one of the honeypot implementation methods above.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this disclosure, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure and not to limit the disclosure. In the drawings:
Fig. 1 is a flow diagram of some embodiments of a method of implementing a honeypot of the present disclosure.
Fig. 2 is a flow diagram of some embodiments of initiating honeypot deployment in a honeypot implementation of the present disclosure.
FIG. 3 is a flow diagram of further embodiments in a method of implementing a honeypot of the present disclosure.
Fig. 4 is a schematic diagram of some embodiments of an implementation apparatus of a honeypot of the present disclosure.
Fig. 5 is a schematic diagram of another embodiment of an implementation apparatus of a honeypot of the present disclosure.
Fig. 6 is a schematic diagram of further embodiments of an implementation apparatus of honeypots of the present disclosure.
Fig. 7 is a schematic diagram of some embodiments of an implementation of the present disclosure based on an NWDAF (Network Data Analytics Function) network element.
Fig. 8 is a schematic diagram of further embodiments of an NWDAF network element-based implementation of the present disclosure.
Detailed Description
The technical solution of the present disclosure is further described in detail by the accompanying drawings and examples.
The inventor finds that honeypot technology in the related art is limited in the exposure range of the inducing assets, and that its effect has a certain randomness. Relative to the time invested and the cost of the monitoring technology, its efficiency is low.
The present disclosure provides a honeypot implementation method that collects information from and monitors the network in real time, dynamically discovers security anomalies, and then carries out honeypot deployment, so that normal service operation is guaranteed while honeypot observation and learning are realized without the attacker noticing. On the basis of guaranteeing network security, the continuous updating of defense experience and technology is promoted.
A flow chart of some embodiments of a method of implementing a honeypot of the present disclosure is shown in fig. 1.
In step 120, the device executing the honeypot implementation method receives a security event report and a network element event report of the target network.
In some embodiments, the security event report of the target network may come from a security device already in the network; the security device detects the network security conditions and generates the security event report in the manner of the related art. In some embodiments, the security device generates and provides security event reports at a predetermined period; in some embodiments, the security device generates and provides a security event report upon discovering a security anomaly. In some embodiments, the security device generates and provides security event reports at a predetermined period and, in addition, generates and provides a security event report in real time when a security anomaly is found. By such a method, the timeliness of obtaining the security event report can be improved.
In some embodiments, the network element event report is generated and reported by a network element on the network that has its own event monitoring capability. In some embodiments, the network element generates and provides network element event reports at a predetermined period; in some embodiments, the network element generates and provides a network element event report when a security anomaly is discovered. In some embodiments, the network element generates and provides network element event reports at a predetermined period and, in addition, generates and provides a network element event report in real time when a security anomaly is found. By this method, the timeliness of obtaining the network element event report can be improved.
In some embodiments, the event reports are obtained by subscribing to the network element and the security device, so that repeated requests are not required and the workload of obtaining event reports is reduced.
In some embodiments, the security event report is subscribed to from the security device in advance, so that the security device sends the security event report at a first predetermined frequency or when triggered by a first predetermined event. In some embodiments, the network element event report is subscribed to from the network elements of the target network in advance, so that the network element sends the network element event report at a second predetermined frequency or when triggered by a second predetermined event.
In some embodiments, the predetermined frequency or predetermined event may be set or adjusted as desired.
In step 140, a security analysis is performed based on the security threat model according to the security event report of the target network and the network element event report.
In some embodiments, the security threat model may include security judgment conditions for the security event report and the network element event report, and whether a security anomaly occurs is determined by matching or evaluating the parameters in the reports against these conditions.
In some embodiments, the security threat model may be a machine learning model, pre-trained with sample data consisting of a large number of security event reports and network element event reports labeled as known security anomalies or as normal. The security event report and the network element event report are fed into the trained security threat model to obtain a judgment of whether a security anomaly occurs.
In some embodiments, the security threat model may further determine, by means such as cluster analysis, the classification of the current security event report and network element event report based on known security event reports and network element event reports in the security-anomaly state and in the normal state, and thereby determine whether a security anomaly currently exists.
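To make the rule-based form of the security threat model concrete, here is an added Python example (not code from the patent or from China Telecom) that encodes a few security judgment conditions and matches them against constructed security event reports and network element event reports. The report field names, the thresholds inside the conditions and the network element names are all assumptions made for the illustration; the result also records which network elements and PDU sessions the matching reports point at, which is what step 261 later needs.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Constructed sample reports (assumed field names, not from the patent).
# A security event report comes from a security device already in the network;
# a network element (NE) event report comes from an NE with its own monitoring.
SECURITY_EVENT_REPORTS: List[Dict] = [
    {"source": "ids-1", "event": "signalling_flood", "target_ne": "AMF-2", "count": 1200},
    {"source": "ids-1", "event": "auth_failure", "target_ne": "AUSF-1", "count": 3},
]
NE_EVENT_REPORTS: List[Dict] = [
    {"ne": "AMF-2", "cpu_pct": 97, "pdu_session_failures": 340, "pdu_session_id": "ps-1001"},
    {"ne": "SMF-1", "cpu_pct": 35, "pdu_session_failures": 2, "pdu_session_id": "ps-1002"},
]


@dataclass
class JudgmentCondition:
    """One security judgment condition of the threat model: a predicate over a report."""
    name: str
    applies_to: str                      # "security" or "ne": which report type it matches
    predicate: Callable[[Dict], bool]


@dataclass
class AnalysisResult:
    anomaly: bool = False                                 # True if any condition matched
    matched: List[str] = field(default_factory=list)      # names of matched conditions
    suspect_nes: Set[str] = field(default_factory=set)    # NEs named in matching reports
    suspect_sessions: Set[str] = field(default_factory=set)


# The (assumed) threat model: the thresholds are illustrative values.
THREAT_MODEL: List[JudgmentCondition] = [
    JudgmentCondition("signalling_flood", "security",
                      lambda r: r["event"] == "signalling_flood" and r["count"] >= 500),
    JudgmentCondition("repeated_auth_failure", "security",
                      lambda r: r["event"] == "auth_failure" and r["count"] >= 20),
    JudgmentCondition("ne_overload_with_session_failures", "ne",
                      lambda r: r["cpu_pct"] >= 90 and r["pdu_session_failures"] >= 100),
]


def security_analysis(security_reports: List[Dict], ne_reports: List[Dict],
                      model: List[JudgmentCondition] = THREAT_MODEL) -> AnalysisResult:
    """Step 140: match every judgment condition against the reports it applies to."""
    result = AnalysisResult()
    for cond in model:
        reports = security_reports if cond.applies_to == "security" else ne_reports
        for report in reports:
            if not cond.predicate(report):
                continue
            result.anomaly = True
            result.matched.append(cond.name)
            if cond.applies_to == "security":
                result.suspect_nes.add(report["target_ne"])
            else:
                result.suspect_nes.add(report["ne"])
                result.suspect_sessions.add(report["pdu_session_id"])
    return result


if __name__ == "__main__":
    print(security_analysis(SECURITY_EVENT_REPORTS, NE_EVENT_REPORTS))
```

With the constructed reports, the flood against AMF-2 and AMF-2's own overload report both match, so the verdict is an anomaly pointing at AMF-2 and session ps-1001; the three authentication failures stay below their condition's threshold and do not contribute.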
In step 160, in case it is determined by the security analysis that there is a security anomaly, the relevant equipment is triggered to start honeypot deployment.
In some embodiments, the associated network element and the associated application associated with the security anomaly are determined first, and honeypot deployment is then performed for them: the associated application and the associated network element are placed in the same network slice, and that network slice is isolated, thereby reducing the impact on other areas of the network.
Based on the method in this embodiment, the time at which honeypots are deployed is determined from the analysis of network events, and deployment is started only when a security anomaly exists. This shortens the invalid running time of the honeypot system, prevents the honeypots from being idle for long periods, and reduces the time invested and the cost of honeypot monitoring; the targeting and the stability of effect of the honeypot system are improved.
In some embodiments, the targeting may be further improved during the process of initiating honeypot deployment. A flowchart of some embodiments of initiating honeypot deployment in a honeypot implementation method of the present disclosure is shown in fig. 2.
In step 261, the associated network element associated with the security anomaly is determined. In some embodiments, the PDU session related to the analyzed security anomaly is determined first; the communication path and the associated application are then analyzed based on the PDU session, the control plane network element relationship chain that serves the communication event of the security anomaly is determined, and the associated network element is thereby determined.
In some embodiments, the network element with the security anomaly is determined according to the security event report and the network element event report, the corresponding PDU session is determined according to the association relationship between network elements, the path of the session and the target application are determined, and the target application is taken as the associated application; in some embodiments, the PDU session with the security anomaly is determined directly according to the security event report and the network element event report, the path of the session and the target application are determined, and the target application is taken as the associated application. In some embodiments, the network elements on the path of the session, including the network elements on the network side and the user terminal, are taken as associated network elements. In some embodiments, the associated network elements further include the control plane network element that serves the communication event of the security anomaly and each network element in its relationship chain.
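As an added illustration of step 261 (not code from the patent or its assignee), the following Python resolves the associated application and associated network elements from a constructed 5G topology. It supports both entry points described above: the security anomaly is tied either to a network element, whose sessions are found through the association relationship between network elements and sessions, or directly to a PDU session. Each session record gives the user-plane path (user terminal and network-side elements), the target application, and the control plane network elements that served it (the relationship chain). The session and network element names and the shape of the topology records are assumptions.

```python
from typing import Dict, List, Optional

# Constructed topology (assumed shape, not from the patent): each PDU session
# records its user-plane path (user terminal through network-side NEs), the
# target application, and the control-plane NEs that served it.
PDU_SESSIONS: Dict[str, Dict] = {
    "ps-1001": {"path": ["UE-77", "gNB-4", "UPF-2"], "app": "app-video-1",
                "control_chain": ["AMF-2", "SMF-1", "PCF-1"]},
    "ps-1002": {"path": ["UE-12", "gNB-4", "UPF-1"], "app": "app-iot-3",
                "control_chain": ["AMF-2", "SMF-2", "PCF-1"]},
    "ps-1003": {"path": ["UE-30", "gNB-9", "UPF-1"], "app": "app-iot-3",
                "control_chain": ["AMF-1", "SMF-2", "PCF-1"]},
}


def sessions_served_by(ne: str) -> List[str]:
    """Association relation between network elements and sessions: every session
    whose path or control chain contains the NE (derived from the topology)."""
    return [sid for sid, s in PDU_SESSIONS.items()
            if ne in s["path"] or ne in s["control_chain"]]


def associated_elements(anomalous_ne: Optional[str] = None,
                        anomalous_session: Optional[str] = None) -> Dict:
    """Step 261: from the NE or PDU session the reports point at, derive the
    associated application(s) and the associated network elements."""
    if anomalous_session is not None:
        sessions = [anomalous_session]
    elif anomalous_ne is not None:
        sessions = sessions_served_by(anomalous_ne)
    else:
        raise ValueError("need an anomalous network element or PDU session")

    apps: List[str] = []
    nes: List[str] = []      # ordered, de-duplicated
    for sid in sessions:
        s = PDU_SESSIONS[sid]
        if s["app"] not in apps:
            apps.append(s["app"])
        # associated NEs: the session path (network side and user terminal) plus
        # the control-plane relationship chain that served the communication
        for ne in s["path"] + s["control_chain"]:
            if ne not in nes:
                nes.append(ne)
    return {"sessions": sessions, "associated_apps": apps, "associated_nes": nes}


if __name__ == "__main__":
    print(associated_elements(anomalous_session="ps-1001"))
    print(associated_elements(anomalous_ne="SMF-2"))
```

Starting from a single session yields one application and the six elements on its path and control chain; starting from a shared control plane element such as SMF-2 fans out to every session it served, which is the case the text warns can overload the honeypot system and which the security-level classification in step 262 then prunes.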
In step 262, network slice adjustment information is generated based on the associated application and the associated network element. In some embodiments, the network slice adjustment information is configuration information for isolating the network element to be configured and the associated application in the same network slice.
In some embodiments, network slice adjustment information may be generated for the associated application and all associated network elements, thereby improving the comprehensiveness of honeypot coverage; in some embodiments, the network slice adjustment information may be generated for the associated application and only a portion of the associated network elements, thereby reducing the monitoring burden of the honeypot system and improving the targeting of the monitoring.
In some embodiments, the security level of each network element among the associated network elements is determined and set, and different policies are then adopted for associated network elements of different security levels. For example, a network element whose security level is the monitoring level (the first level) is used as a target network element: the slice attribute of the network slice in which the target network element is located is adjusted, and network slice adjustment information for deploying a honeypot in the target network element is generated. For example, for a network element whose security level is the observation level (the second level), the observation state is maintained and its level attribute is set to the observation level. By this method, the honeypot system is prevented from being overloaded by an excessive number of associated network elements, the security and analysis capability of the honeypot are improved, the monitoring and analysis pressure is reduced, and operating efficiency is improved.
In some embodiments, the security level may be determined from analysis of the network element event report, and the security event report may also be analyzed in combination with it to improve the comprehensiveness of the analysis. By such a method, the reliability of the security level analysis can be improved.
In some embodiments, after the associated network element is determined, a supplementary report request may be sent to the associated network element to obtain the supplementary event report fed back by it, so as to obtain more detailed and richer information about the associated network element. Subsequently, when the security level is determined, the security event report, the network element event report and the supplementary event report of the associated network element are analyzed together. By such a method, the reliability of the security level analysis can be further improved.
In some embodiments, the security confidence may be determined first, for example from the security event report and from the network element event report and supplementary event report of the associated network element. Further, a preset security confidence threshold is compared with the security confidence. The direction of the comparison depends on the orientation of the confidence scale: if a larger security confidence means safer, the threshold is reached when the security confidence is less than or equal to the threshold, and is otherwise not reached; if a smaller security confidence means safer, the threshold is reached when the security confidence is greater than or equal to the threshold, and is otherwise not reached. If the threshold is reached, the corresponding associated network element is at the monitoring level and is used as a target network element for the subsequent network slice adjustment; if the threshold is not reached, the corresponding associated network element is at the observation level. In some embodiments, after the analysis is completed, analysis feedback information may be sent to the network manager and the network elements in the target network. By the method in this embodiment, the reliability of the network element security level judgment can be improved, so that the reliability of subsequent honeypot data acquisition is improved and the honeypot's ability to analyze security threats is improved.
In some embodiments, the network slice adjustment information comprises one or more of an application notification report, a network element notification report, or a network management notification report. The application notification report includes one or more of an application address table, an application network interface, an application extension, and an isolation action requirement. The network element notification report includes network element security attributes and network element slice attributes. The network management notification report includes network slice adjustment trigger information. Based on the method in this embodiment, network slice adjustment information for the application, the network element and the network management can be generated, the target network element and the associated application can be isolated in the same network slice, the influence of the security threat on other parts of the network is avoided, and the reliability of the honeypot is improved.
In step 263, the network slice adjustment information is sent to the corresponding executing device so as to isolate one or more of the associated network elements from the associated application in the same network slice. In some embodiments, the notification report may be sent to the corresponding network element and the corresponding network manager according to the specific execution node of the application notification report, the network element notification report, and the network management notification report.
In some embodiments, after determining that the configuration is completed, the analysis feedback information may be sent to the network manager and the network element in the target network.
In step 264, after the configuration completion response of the corresponding execution device is obtained, honeypot monitoring is started. In some embodiments, monitoring start information is generated, which includes an intra-slice network element log monitoring start notification, a traffic monitoring start notification, or an isolated application function (AF) log monitoring start notification. The monitoring start information is then sent to the corresponding network element. In some embodiments, the corresponding network elements are determined based on the specific connection mode and function of the network node and on the honeypot system scheme of the related art.
Based on the method in this embodiment, the associated nodes are classified and a different monitoring strategy is adopted for each class, so that the resource-intensive comprehensive security monitoring mechanism is triggered and started only in a targeted and dynamic manner. This realizes targeted analysis and security investigation by the honeypots and reduces the resources and time spent on monitoring.
In some embodiments, the honeypot implementation method of the present disclosure can be implemented based on the real-time monitoring mechanism of an NWDAF network element. It uses the real-time information collection and monitoring capability of the NWDAF network element over the 5G network to perform fused security analysis and to feed back the analysis results, and schedules network slices in time to isolate the attack path and the attack target, thereby ensuring normal service operation and realizing honeypot observation and learning without the attacker perceiving it. On the basis of guaranteeing network security, the continuous updating of defense experience and technology is promoted.
A flow chart of further embodiments in a method of implementing a honeypot of the present disclosure is shown in fig. 3.
In step 311, the device executing the honeypot implementation method subscribes to the security device for the security event report, and subscribes to the network element event report for the network element of the target network.
In step 312, the network element that received the subscription reports the subscribed event information periodically, as required, or reports it when certain conditions are met. The device executing the honeypot implementation method obtains the subscribed information by receiving the corresponding event reports, and then detects and judges security anomalies based on the 5G security threat model according to that information.
In step 313, when a security anomaly is found, the communication path and the target application are analyzed based on the PDU session, and the control plane network element relationship chain that provides services for the communication is analyzed to obtain the information of the associated network elements. Further, a request for more information is sent to the associated network elements in order to obtain the supplementary event reports.
In step 314, the device executing the honeypot implementation method integrates the event report of each associated network element and the event report of the security device, and determines an analysis result. In some embodiments, the analysis results may include characteristics of the associated application, threat, and the like.
In step 315, a security confidence is calculated based on the analysis results. In some embodiments, the security confidence of each associated node may also be directly obtained according to the operation in step 314.
Further, a specific dynamic honeypot deployment process is triggered.
In step 321, the associated application is determined. In some embodiments, the associated application may be determined from the analysis in steps 313 or 314. In some embodiments, the result of the analysis in the preceding step is read to determine the associated application.
In step 322, application extension and isolation for the associated application is initiated.
In step 323, the associated network element is determined. In some embodiments, the associated network element is determined from the analysis in step 313 or 314. In some embodiments, the result of the analysis in the preceding step is read to determine the associated network element.
In step 324, a security level of the network element is determined based on the security confidence determined in step 315. If the security confidence does not reach the set threshold, determining that the security level of the network element is the observation level, setting the level attribute of the network element as the observation level, skipping the steps 325 and 326 for the network element, and executing the step 327. If the security confidence reaches the set threshold, the security level of the network element is determined to be the monitoring level, and step 325 is executed.
In step 325, the security level of the network element is set to the monitoring level, the slice attribute of the network element is modified, and the honeypot deployment process for the network element is started.
In step 326, network slice adjustment information is generated, which includes: an application notification report comprising an application address table, an application network interface, and application extension and isolation action requirements; a network element notification report comprising network element security attributes and network element slice attributes; and a network management notification report comprising network slice adjustment trigger information. The related network node pairs are marked with a uniform network label to ensure that they are placed in the same network slice.
In step 327, the analysis feedback information is sent to the network manager and to the network elements (including the NEF (Network Exposure Function) network element).
In step 328, the network configuration is complete, the network slice is adjusted, and the honeypot deployment is complete.
In step 329, after the response information of the network configuration is received, an intra-slice network element log monitoring start notification, a traffic monitoring start notification, and an isolated AF log monitoring start notification are generated. The intra-slice network element log monitoring start notification comprises an associated network element table and a log monitoring start trigger key; the traffic monitoring start notification comprises an associated network element table and a traffic monitoring start trigger key; the isolated AF log monitoring start notification comprises an associated application ID table and a log monitoring start trigger key. The corresponding start notifications are sent to the network manager and to the network elements (including the NEF network element). The honeypot system then performs the intra-slice network element log monitoring, the intra-slice traffic monitoring, and the isolated AF log monitoring of steps 331 to 333.
With the method of this embodiment, the network security analysis function uses the threat events obtained by analysis to trigger dynamic, on-demand honeypot deployment, so the honeypot system is not left idle for long periods and stays closer to the real service environment, which greatly improves the efficiency of attracting attacks; the resource-intensive comprehensive security monitoring mechanism is started in a targeted and dynamic way to perform targeted honeypot analysis and security detection, which greatly reduces monitoring resource and time costs.
A schematic diagram of some embodiments of a honeypot implementation apparatus of the present disclosure is shown in fig. 4.
The event report receiving unit 411 can receive a security event report and a network element event report of a target network. In some embodiments, the security event report of the target network may come from a security device already in the network, which detects network security conditions and generates the security event report in the manner of the related art. In some embodiments, the security device generates and provides security event reports at predetermined periods; in some embodiments, it generates and provides a security event report upon discovering a security anomaly. In some embodiments, the security device generates and provides security event reports at a predetermined cycle and additionally generates and provides a report in real time when a security anomaly is found.
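The deployment decision of steps 324 to 329, as an added worked example that is not part of the patent or any China Telecom code: it classifies each associated network element against the security confidence threshold, builds the three notification reports of step 326 under one shared slice label, and emits the step 329 start notifications only after a configuration-complete response. The level names, threshold value, report field names and the sample application and network element identifiers are assumptions.

```python
"""Dynamic honeypot deployment decision, steps 324 to 329 (constructed illustration,
not the patent's own code; level names, field names and sample IDs are assumptions)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

OBSERVATION = "observation"  # confidence below threshold: observe only (step 324)
MONITORING = "monitoring"    # confidence at/above threshold: deploy honeypot (step 325)


@dataclass
class AnalysisResult:
    """Integrated result of steps 313 to 315 (constructed structure)."""
    app_id: str
    app_addresses: List[str]
    app_interfaces: List[str]
    confidence: Dict[str, float]  # associated network element -> security confidence


def classify_network_elements(confidence: Dict[str, float], threshold: float) -> Dict[str, str]:
    """Step 324: security level of each associated network element."""
    return {ne: (MONITORING if score >= threshold else OBSERVATION)
            for ne, score in confidence.items()}


def generate_slice_adjustment(result: AnalysisResult, levels: Dict[str, str],
                              slice_label: str) -> Optional[dict]:
    """Steps 325-326: slice attribute change plus the three notification reports.

    Returns None when no network element reached the monitoring level; the
    flow then goes straight to step 327 without touching any slice.
    """
    monitored = [ne for ne, lvl in levels.items() if lvl == MONITORING]
    if not monitored:
        return None
    # Related (application, network element) pairs carry one uniform label so
    # the network manager places them in the same isolated slice.
    node_pairs = [(result.app_id, ne) for ne in monitored]
    return {
        "application_notification": {
            "address_table": list(result.app_addresses),
            "network_interfaces": list(result.app_interfaces),
            "actions": ["extend", "isolate"],
        },
        "network_element_notification": [
            {"network_element": ne, "security_attribute": MONITORING,
             "slice_attribute": slice_label}
            for ne in monitored
        ],
        "network_management_notification": {
            "slice_adjustment_trigger": slice_label,
            "labelled_node_pairs": node_pairs,
        },
    }


def generate_monitoring_start(result: AnalysisResult, adjustment: Optional[dict],
                              config_response_ok: bool) -> Optional[dict]:
    """Step 329: emitted only after the configuration-complete response of step 328."""
    if adjustment is None or not config_response_ok:
        return None
    ne_table = [r["network_element"] for r in adjustment["network_element_notification"]]
    return {
        "intra_slice_ne_log_monitor": {"network_element_table": ne_table, "trigger": True},
        "intra_slice_traffic_monitor": {"network_element_table": ne_table, "trigger": True},
        "isolated_af_log_monitor": {"application_id_table": [result.app_id], "trigger": True},
    }


def run_deployment(result: AnalysisResult, threshold: float, slice_label: str,
                   config_response_ok: bool = True) -> dict:
    """Whole flow from step 324 to step 329 for one analysis result."""
    levels = classify_network_elements(result.confidence, threshold)
    adjustment = generate_slice_adjustment(result, levels, slice_label)
    # Step 327: analysis feedback goes to the network manager and NEF in every case.
    feedback = {"recipients": ["network_manager", "NEF"], "levels": levels}
    monitoring = generate_monitoring_start(result, adjustment, config_response_ok)
    return {"levels": levels, "slice_adjustment": adjustment,
            "feedback": feedback, "monitoring_start": monitoring}


# Constructed sample: three associated network elements, threshold 0.6.
SAMPLE = AnalysisResult(
    app_id="app-demo-01",
    app_addresses=["10.20.30.40"],
    app_interfaces=["N6"],
    confidence={"SMF-1": 0.82, "AMF-2": 0.41, "UPF-3": 0.90},
)

if __name__ == "__main__":
    import json
    print(json.dumps(run_deployment(SAMPLE, 0.6, "honeypot-slice-A"), indent=2))
```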
The analysis unit 412 is capable of performing security analysis based on the security threat model according to the security event report of the target network and the network element event report.
The honeypot deployment unit 413 can trigger the relevant devices to start honeypot deployment if the security analysis determines that a security anomaly exists. In some embodiments, the associated network element and the associated application associated with the security anomaly are determined first, honeypot deployment is then performed for the associated application and the associated network element, and the two are divided into the same network slice, which is isolated so that the impact on other network areas is reduced. In some embodiments, the honeypot deployment unit 413 performs honeypot deployment in the manner shown in any of the embodiments above.
The apparatus can determine when to deploy honeypots from the analysis of network events and starts deployment only when a security anomaly exists, so that the idle running time of the honeypot system is reduced, the honeypots are not left idle for long periods, the investment of time and the honeypot monitoring cost are reduced, and the pertinence and stability of effect of the honeypot system are improved.
In some embodiments, as shown in fig. 4, the honeypot implementation apparatus may further include a subscription unit 414 capable of subscribing in advance to the security event report of the security device, so that the security device sends the security event report at a first predetermined frequency or when triggered by a first predetermined event. In some embodiments, the subscription unit also subscribes in advance to the network element event report of a network element of the target network, so that the network element sends the network element event report at a second predetermined frequency or when triggered by a second predetermined event.
With the method of this embodiment, event reports can be obtained promptly by using the event subscription function of the network nodes, which improves the timeliness of security threat discovery and honeypot deployment.
A structural schematic diagram of an embodiment of the honeypot implementation apparatus of the present disclosure is shown in fig. 5. The honeypot implementation apparatus includes a memory 501 and a processor 502. The memory 501 may be a magnetic disk, flash memory, or any other non-volatile storage medium, and stores the instructions of the corresponding embodiments of the honeypot implementation method above. The processor 502 is coupled to the memory 501 and may be implemented as one or more integrated circuits, such as a microprocessor or microcontroller. The processor 502 executes the instructions stored in the memory, so that the investment of time and the honeypot monitoring cost are reduced and the pertinence and stability of effect of the honeypot system are improved.
In one embodiment, as also shown in fig. 6, the honeypot implementation apparatus 600 includes a memory 601 and a processor 602. The processor 602 is coupled to the memory 601 via a bus 603. The honeypot implementation apparatus 600 can also be coupled to an external storage 605 via a storage interface 604 to access external data, and to a network or another computer system (not shown) via a network interface 606. These are not described in detail here.
In this embodiment, the data instructions are stored in the memory and processed by the processor, so that the investment of time and the honeypot monitoring cost are reduced and the pertinence and stability of effect of the honeypot system are improved.
In another embodiment, a computer-readable storage medium has stored thereon computer program instructions which, when executed by a processor, implement the steps of the method in the corresponding embodiment of the honeypot implementation method. As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, apparatus, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
In addition, the disclosure proposes an NWDAF network element, which improves on the related functions of the NWDAF network element of the related art. A schematic diagram of some embodiments of an NWDAF network element 70 of the present disclosure is shown in fig. 7. The NWDAF network element is the node in the 5G network that performs the network data analytics function, and the NWDAF network element of the present disclosure includes any one of the honeypot implementation apparatuses 71 described above in addition to the general elements of the related art.
The NWDAF network element can determine when to deploy honeypots from the analysis of network events and starts deployment only when a security anomaly exists, so that the idle running time of the honeypot system is reduced, the honeypots are not left idle for long periods, the investment of time and the honeypot monitoring cost are reduced, and the pertinence and stability of effect of the honeypot system are improved; the real-time monitoring mechanism of the network equipment can be fully utilized, the implementation cost is reduced, and the effective utilization rate of the network equipment's functions is improved.
A schematic diagram of further embodiments of an NWDAF network element 80 of the present disclosure is shown in fig. 8. Included in NWDAF network element 80 are security personalization analysis engine 811 and base engine 812. The base engine 812 includes NWDAF based capabilities including base analysis capabilities, data storage capabilities, data acquisition capabilities, benchmark analysis models, base training algorithms, and the ability to feed back analysis results to 5G networks and gateways.
The security personalization analysis engine 811 comprises a 5G security threat model, a security threat fusion analysis module, a security confidence judgment module, a PDU association analysis module, a network element association chain analysis module, a network element security attribute scheduling module, a network element security policy scheduling module, and a honeypot deployment start notification module.
The 5G security threat model defines the traffic, behavior and path characteristics of 5G security threats and is used to identify and analyze security threats in the 5G network.
The security threat fusion analysis module performs analysis that combines the state and operation information of the 5G network elements with the security events reported by the security equipment.
The security confidence judgment module judges the probability that a security threat occurs, the probability that a path is involved, and the probability that the target is attacked.
The PDU association analysis module analyzes the PDU session communication path involved in the attack.
The network element association chain analysis module analyzes, among the related control plane network element types, the network element instances that serve the UE or the user plane network element associated with the attack path.
The network element security attribute scheduling module adjusts the network element security attributes according to the analysis.
The network element security policy scheduling module adjusts the network element security policies according to the analysis.
The honeypot deployment start notification module forms the notification of honeypot deployment start configuration changes addressed to the network manager and the network elements.
Based on its original capabilities, the NWDAF can collect and monitor real-time information of the 5G network; by performing security fusion analysis and feeding back the analysis results, network slices are scheduled in time, the attack path and the attack target are isolated, normal service operation is ensured, and honeypot observation and learning take place without the attacker being aware.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Thus far, the present disclosure has been described in detail. Some details that are well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.
The methods and apparatus of the present disclosure may be implemented in a number of ways. For example, the methods and apparatus of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described sequence of steps for the method is for illustration only, the steps of the methods of the present disclosure are not limited to the order specifically described above unless specifically indicated otherwise. Further, in some embodiments, the present disclosure may also be embodied as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure.
Finally, it should be noted that: the above examples are intended only to illustrate the technical solutions of the present disclosure and not to limit them; although the present disclosure has been described in detail with reference to preferred embodiments, those of ordinary skill in the art will understand that: modifications to the specific embodiments of the disclosure or equivalent substitutions for parts of the technical features may still be made; all such modifications are intended to be included within the scope of the claims of this disclosure without departing from the spirit thereof.

Claims (15)

1. A honeypot implementation method, comprising:
receiving a security event report and a network element event report of a target network;
performing security analysis based on a security threat model according to the security event report of the target network and the network element event report; and
initiating honeypot deployment if it is determined by the security analysis that a security anomaly exists.
2. The method of claim 1, wherein the initiating honeypot deployment comprises:
determining an associated network element associated with the security anomaly; and
performing honeypot deployment for the associated application and the associated network element.
3. The method of claim 2, wherein the determining an associated network element associated with the security anomaly comprises:
analyzing the communication path and the associated application according to the protocol data unit (PDU) session, determining a control plane network element relation chain that serves the communication, and determining the associated network element.
4. The method of claim 2, wherein the performing honeypot deployment for the associated application and the associated network element comprises:
generating network slice adjustment information according to the associated application and the associated network element;
sending the network slice adjustment information to the corresponding execution device so as to place one or more of the associated network elements together with the associated application in the same network slice and isolate it; and
after the configuration completion response of the corresponding execution device is obtained, starting honeypot monitoring.
5. The method of claim 4, wherein
the generating network slice adjustment information according to the associated application and the associated network element comprises:
determining and setting the security level of each network element in the associated network elements; and
for a target network element with a first security level, adjusting the slice attribute of the network slice in which the target network element is located, and generating network slice adjustment information for deploying a honeypot in the target network element; and
the sending the network slice adjustment information to the corresponding execution device comprises: sending the network slice adjustment information to a network management device and the target network element so as to start deploying a honeypot for the target network element, wherein the target network element and the network management device execute configuration operations according to the network slice adjustment information.
6. The method of claim 5, wherein the performing honeypot deployment for the associated application and the associated network element further comprises: after the associated network element is determined, sending a supplementary report request to the associated network element to obtain a supplementary event report fed back by the associated network element; and
the determining the security level of the network element in the associated network elements comprises: determining the security level of the network element in the associated network elements according to the security event report, the network element event report of the associated network element, and the supplementary event report.
7. The method of claim 6, wherein the determining the security level of the network element in the associated network elements comprises:
determining a security confidence according to the security event report, the network element event report of the associated network element, and the supplementary event report; and
determining the security level of one or more of the associated network elements according to a preset security confidence threshold and the security confidence.
8. The method of claim 4, wherein the network slice adjustment information comprises one or more of an application notification report, a network element notification report, or a network management notification report;
the application notification report comprises one or more of an application address table, an application network interface, and an application extension and isolation action requirement;
the network element notification report comprises network element security attributes and network element slice attributes; and
the network management notification report comprises network slice adjustment trigger information.
9. The method of claim 4, wherein the starting honeypot monitoring comprises:
generating monitoring start information, the monitoring start information comprising an intra-slice network element log monitoring start notification, a traffic monitoring start notification, or an isolated Application Function (AF) log monitoring start notification; and
sending the monitoring start information to the corresponding network element.
10. The method of claim 5, further comprising:
after the security level of the network element is determined to be the second level or the network slice adjustment information is generated, sending analysis feedback information to the network manager and one or more network elements in the target network.
11. The method of claim 1, further comprising:
subscribing to the security event report of a security device, so that the security device sends the security event report at a first predetermined frequency or when triggered by a first predetermined event; and
subscribing to the network element event report of a network element of the target network, so that the network element sends the network element event report at a second predetermined frequency or when triggered by a second predetermined event.
12. A honeypot implementation apparatus, comprising:
an event report receiving unit configured to receive a security event report and a network element event report of a target network;
an analysis unit configured to perform security analysis based on a security threat model according to the security event report of the target network and the network element event report; and
a honeypot deployment unit configured to initiate honeypot deployment if it is determined by the security analysis that a security anomaly exists.
13. The apparatus of claim 12, further comprising a subscription unit configured to:
subscribe to the security event report of a security device, so that the security device sends the security event report at a first predetermined frequency or when triggered by a first predetermined event; and
subscribe to the network element event report of a network element of the target network, so that the network element sends the network element event report at a second predetermined frequency or when triggered by a second predetermined event.
14. A honeypot implementation apparatus, comprising:
a memory; and
a processor coupled to the memory, the processor being configured to perform the method of any one of claims 1 to 11 based on instructions stored in the memory.
15. A non-transitory computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the steps of the method of any one of claims 1 to 11.
CN202210759965.3A 2022-06-30 2022-06-30 Honeypot implementation method and device and storage medium Pending CN115150156A (en)
Publications (1)

Publication Number Publication Date
CN115150156A true CN115150156A (en) 2022-10-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination