CN115208670B - Honey net construction method, device, electronic equipment and computer readable storage medium - Google Patents


Info

Publication number
CN115208670B
Authority
CN
China
Prior art keywords
network
node
template
target
service
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210836372.2A
Other languages
Chinese (zh)
Other versions
CN115208670A (en)
Inventor
李永梅
张彩霞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Events
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202210836372.2A
Publication of CN115208670A
Application granted
Publication of CN115208670B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

The application provides a honeynet construction method, a honeynet construction device, electronic equipment and a computer readable storage medium, and relates to the technical field of network security. The method comprises the following steps: determining network information of a network to be protected; matching in a template library according to the network information and determining a corresponding target service system template; and constructing a honeynet corresponding to the network to be protected based on the target service system template. By matching the network to be protected against the template library, the virtual service system that corresponds to the real service system of the network to be protected can be identified as the target service system template, and a honeynet running that virtual service system is constructed automatically from the template. The constructed honeynet can therefore carry out virtual service interaction, which improves its camouflage effect and simulation capability when it imitates the user's real network to be protected, improves its efficiency in trapping an attacker, and improves the user's safety when using the network.

Description

Honey net construction method, device, electronic equipment and computer readable storage medium
Technical Field
The application relates to the technical field of network security, in particular to a honey net construction method, a honey net construction device, electronic equipment and a computer readable storage medium.
Background
Honeypot technology is essentially a technology for deceiving an attacker. Hosts serving as bait are arranged to form a trapping network, the honeynet, and the attacker is induced to attack it, so that the attack behaviour can be captured and analysed, the tools and methods used by the attacker become known, the attack intention and motivation can be inferred, the defender gains a clear picture of the security threat it faces, and the security protection capability of the actual system is enhanced through technical and management means.
In the prior art, when a honeynet is constructed, a virtual host is generally added, and the attacker is attracted to attack it through the open services on the constructed virtual host or the vulnerabilities in those services, thereby achieving the purpose of trapping the attacker. The similarity between the virtual network of a honeynet constructed in this way and the protected actual network is low, which is unfavourable for trapping the attacker, so the trapping efficiency of current honeynets is low.
Disclosure of Invention
In view of the above, an object of the embodiments of the present application is to provide a method, an apparatus, an electronic device and a computer readable storage medium for constructing a honeynet, so as to solve the problem of the low trapping efficiency of prior-art honeynets against attackers.
In order to solve the above problems, in a first aspect, an embodiment of the present application provides a method for constructing a honeynet, where the method includes:
determining network information of a network to be protected;
matching in a template library according to the network information, and determining a corresponding target service system template;
and constructing a honey network corresponding to the network to be protected based on the target service system template.
In the implementation process, the real network information of the network to be protected is matched against the template library, so that the template of the virtual service system corresponding to the real service system described by the network information can be identified in the template library and used as the target service system template. The honeynet of the virtual service system corresponding to the network to be protected is then constructed automatically from the target service system template; the constructed honeynet has a high structural similarity to the real network to be protected used by the user, and can carry out virtual service interaction while it operates. The method improves, in terms of both structure and service, the camouflage effect and the simulation capability of the honeynet when it imitates the user's real network to be protected, thereby improving the trapping efficiency of the honeynet against an attacker and improving the safety of the user when using the network.
Optionally, the matching in the template library according to the network information and determining a corresponding target service system template includes:
comparing the network information with each of a plurality of service system templates in the template library to obtain a plurality of similarities;
and taking the service system template whose similarity reaches a threshold value as the target service system template matched to the network to be protected.
In the implementation process, the similarity between the network information and each service system template can be determined by comparing the network information of the network to be protected in turn with a plurality of historical service system templates in the template library, so that a service system template with higher similarity is used as the target service system template matched to the network to be protected once its similarity reaches the threshold value. The method screens the plurality of service system templates and improves the effectiveness of the target service system template.
Optionally, the constructing the honey network corresponding to the network to be protected based on the target service system template includes:
determining corresponding target nodes and target node network information according to the target service system template, wherein the target node network information comprises at least one of: a target node network address of the target node, a target node port open on that network address, a target node service and a target node operating system;
creating a virtual host based on the target node;
configuring the corresponding target node network information in the virtual host;
and carrying out service configuration on the virtual host to obtain a honeynet corresponding to the network to be protected.
In the implementation process, when the honeynet corresponding to the network to be protected is constructed, the target nodes and the target node network information in the target service system template are determined first. One or more virtual hosts are then created according to the target nodes and the corresponding target node network information is configured in them, so that the virtual nodes carry the network address, the open ports, the services, the operating system and the other structural attributes of each node. Virtual service configuration is then carried out on the virtual hosts on top of that target node network, yielding a honeynet that corresponds to the network to be protected and is provided with virtual services. The similarity between the honeynet and the structure of the network to be protected is effectively improved, and so is the simulation capability of the services.
Optionally, the carrying out service configuration on the virtual host to obtain a honeynet corresponding to the network to be protected includes:
determining target service data in the target service system template, wherein the target service data comprises at least one of: a target service message and a target interaction frequency;
and configuring the corresponding target service data in the virtual host so that the target nodes perform simulated data interaction, thereby obtaining the honeynet comprising the virtual hosts corresponding to the network to be protected.
In the implementation process, the target service data in the target service system template is obtained as simulated service data and configured on top of the target node network information, so that simulated data interaction can take place between the virtual hosts corresponding to the plurality of target nodes. This increases the relevance of the virtual services between the target nodes, gives the honeynet comprising one or more virtual hosts a virtual service system, and effectively improves the simulation capability and the camouflage effect of the honeynet.
Optionally, the determining the network information of the network to be protected includes:
extracting a scanning network segment from the network to be protected;
scanning the scanning network segment according to a scanning algorithm to identify the network information in the scanning network segment, wherein the network information comprises at least one of: a real node existing in the scanning network segment, a target network address corresponding to the real node, a target network port open on that target network address, a target network service and a target operating system.
In the implementation process, in order to construct a honeynet that corresponds to the real situation of the network to be protected, a scanning network segment is first extracted from the network to be protected, and a network-probing scanning algorithm is run over that segment to identify the network address of the host corresponding to each surviving real node and the ports, services, operating system and other information exposed at that address. The network information reflecting the actual structure of the network to be protected can thus be obtained quickly and accurately, which effectively improves the similarity between the target service system template obtained by matching the network information in the template library and the network to be protected, and improves the protection the honeynet gives the network to be protected.
Optionally, the method further comprises:
creating a service system template according to a network template, and using a plurality of such service system templates as the template library.
In the implementation process, a service system template is created from each network template, so that the template library is formed from a plurality of service system templates. Service system templates with various different structures can be placed in the template library, which improves the success rate of matching.
Optionally, the creating a service system template according to the network template includes:
determining a plurality of historical nodes, historical node network information and historical service data in the network template, wherein the historical node network information comprises at least one of: a historical node network address of the historical node, a historical node port open on that network address, a historical node service and a historical node operating system, and wherein the historical service data comprises at least one of: a historical service message and a historical interaction frequency;
configuring the corresponding historical node network information in the plurality of historical nodes;
and configuring the corresponding historical service data in the plurality of historical nodes to obtain the service system template.
In the implementation process, when each service system template is created, the historical nodes of the network in the network template, their historical node network information and the historical service data used for service interaction in the network template are obtained. The corresponding historical node network information is configured in the historical nodes, which fixes the network structure of the nodes; the corresponding historical service data is then configured on top of that historical node network information, and the service system template is constructed. The service system template is thus configured from the two aspects of network structure and service interaction, which improves the authenticity of the template and the service relevance between its nodes.
In a second aspect, an embodiment of the present application further provides a device for constructing a honeynet, where the device includes:
a determining module, used for determining network information of the network to be protected;
a matching module, used for matching in a template library according to the network information and determining a corresponding target service system template;
and a construction module, used for constructing the honeynet corresponding to the network to be protected based on the target service system template.
In a third aspect, an embodiment of the present application further provides an electronic device, where the electronic device includes a memory and a processor, where the memory stores program instructions, and when the processor reads and executes the program instructions, the processor executes steps in any implementation manner of the foregoing honey network construction method.
In a fourth aspect, an embodiment of the present application further provides a computer readable storage medium, where computer program instructions are stored, where the computer program instructions, when read and executed by a processor, perform steps in any implementation of the above-mentioned honeynet construction method.
In summary, the application provides a method, a device, an electronic device and a computer readable storage medium for constructing a honeynet. A corresponding service system template is matched through the network information of the network to be protected, and a honeynet is constructed according to the network structure and the service interactions of that template. This improves, in terms of both structure and service, the camouflage effect and the simulation capability of the honeynet when it imitates the user's real network to be protected, improves the trapping efficiency of the honeynet against an attacker, and improves the safety of the user when using the network.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic block diagram of an electronic device according to an embodiment of the present application;
fig. 2 is a schematic flow chart of a method for constructing a honeynet according to an embodiment of the present application;
fig. 3 is a detailed flowchart of step S300 according to an embodiment of the present application;
fig. 4 is a detailed flowchart of step S400 according to an embodiment of the present application;
fig. 5 is a detailed flowchart of step S440 according to an embodiment of the present application;
fig. 6 is a detailed flowchart of step S200 according to an embodiment of the present application;
fig. 7 is a schematic flow chart of another method for constructing a honeynet according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a honey net construction device according to an embodiment of the present application.
Icon: 100-an electronic device; 111-memory; 112-a memory controller; 113-a processor; 114-a peripheral interface; 115-an input-output unit; 116-a display unit; 600-honey net construction device; 610-a determination module; 620-a matching module; 630-build module.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art based on embodiments of the present application without making any inventive effort, are intended to fall within the scope of the embodiments of the present application.
In the prior art, because various network attacks such as denial of service attacks, domain name hijacking, malicious crawlers, trojaned web pages, unauthorized access and the like have adverse effects on a network in use, honeypot technology is generally used for active defence in order to improve the security protection capability of the network. A honeypot can be a service, a web page, a database, a complete operating system or the like; by constructing a simulated system or service, it deceives the attacker, attracts the attack, increases the cost of the attack and reduces the security threat to the actual system or service.
A honeynet built on a honeypot basis is essentially a high-interaction honeypot system: a simulated network consisting of multiple honeypots, with multiple honeypot hosts deployed in one network. When the network connects a plurality of honeypots together, a large false service network can be formed, in which part of the hosts attract the attacker's intrusion and the intrusion process is monitored, so that the attacker's behaviour can be collected on the one hand and the related security protection strategy updated on the other. The honeynet combines a plurality of honeypots into a trapping network behind the gateway that resembles a real service network, comprehensively captures and monitors all traffic entering the system architecture, has a highly controllable network setup and a rich variety of functional hosts, and can collect and sample all kinds of attack information.
In the prior art, a honeynet with a corresponding structure is actively constructed by the system, and a virtual host is added to it, so that the attacker is attracted to attack the constructed honeynet through the open services on the virtual host or the vulnerabilities in those services, thereby achieving the purpose of trapping the attacker.
However, compared with the protected actual network, the virtual network of such a honeynet has lower similarity in network structure and service, so the honeynet has a poorer camouflage effect and simulation capability, which is unfavourable for trapping an attacker, and its trapping efficiency is low.
In order to solve the above problems, the embodiment of the application provides a honeynet construction method applied to electronic equipment. The electronic equipment can be any device with logic computation capability, such as a server, a personal computer (PC), a tablet computer, a smart phone or a personal digital assistant (PDA). It matches a target service system template of corresponding structure and service according to the network information of the network to be protected, and constructs from that template a honeynet with higher simulation capability in terms of both network structure and service interaction, thereby improving the trapping efficiency of the honeynet.
Optionally, referring to fig. 1, fig. 1 is a block schematic diagram of an electronic device according to an embodiment of the application. The electronic device 100 may include a memory 111, a memory controller 112, a processor 113, a peripheral interface 114, an input output unit 115, and a display unit 116. Those of ordinary skill in the art will appreciate that the configuration shown in fig. 1 is merely illustrative and is not limiting of the configuration of the electronic device 100. For example, electronic device 100 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The above-mentioned memory 111, memory controller 112, processor 113, peripheral interface 114, input/output unit 115 and display unit 116 are electrically connected directly or indirectly to each other to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The processor 113 is used to execute executable modules stored in the memory.
The memory 111 may be, but is not limited to, a random access memory (RAM), a read only memory (ROM), a programmable read only memory (PROM), an erasable programmable read only memory (EPROM), an electrically erasable programmable read only memory (EEPROM), etc. The memory 111 is configured to store a program, and the processor 113 executes the program after receiving an execution instruction; the method executed by the electronic device 100 according to the process defined in any embodiment of the present application may be applied to the processor 113 or implemented by the processor 113.
The processor 113 may be an integrated circuit chip having signal processing capabilities. The processor 113 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. The general purpose processor may be a microprocessor, but in the alternative it may be any conventional processor or the like.
The peripheral interface 114 couples various input/output devices to the processor 113 and the memory 111. In some embodiments, the peripheral interface 114, the processor 113, and the memory controller 112 may be implemented in a single chip. In other examples, they may be implemented by separate chips.
The input/output unit 115 is used for the user to provide input data, for example to input the corresponding network information, to select a corresponding service system template, and the like. The input/output unit 115 may be, but is not limited to, a mouse, a keyboard, and the like.
The display unit 116 described above provides an interactive interface (e.g., a user-operated interface) between the electronic device 100 and a user or is used to display image data to a user reference. In this embodiment, the display unit may be a liquid crystal display or a touch display. In the case of a touch display, the touch display may be a capacitive touch screen or a resistive touch screen, etc. supporting single-point and multi-point touch operations. Supporting single-point and multi-point touch operations means that the touch display can sense touch operations simultaneously generated from one or more positions on the touch display, and the sensed touch operations are passed to the processor for calculation and processing. In the embodiment of the present application, the display unit 116 may display various information such as the structure of the constructed honeynet and the service interaction state of each node therein.
The electronic device in this embodiment may be used to execute each step in each honeynet construction method provided in the embodiment of the present application. The implementation of the honeynet construction method is described in detail below by means of several embodiments.
Referring to fig. 2, fig. 2 is a flowchart of a method for constructing a honeynet according to an embodiment of the present application, and the method may further include steps S200-S400.
Step S200, determining network information of the network to be protected.
In order to construct a honeynet with higher similarity to the network to be protected, network information reflecting the real situation of the network to be protected is obtained. It can be acquired by scanning the network to be protected, or in other ways such as collecting the related information from the network to be protected.
Optionally, the network information is data reflecting the network condition of the real service system of the network to be protected, and may include one or more of: a real node corresponding to a surviving real host in the network to be protected, the target network address of that real node, a target network port open on that target network address, a target network service, and a target operating system.
Optionally, the network that the user currently wants protected can be selected from a plurality of networks; the user enters the network to be protected on the user terminal, and the electronic equipment receives the network to be protected determined by the user.
Step S300, matching is carried out in a template library according to the network information, and a corresponding target service system template is determined.
The template library can comprise a plurality of different service system templates, and the service system templates with higher similarity with the network information can be matched as target service system templates by comparing the network information with the plurality of service system templates.
Optionally, the target service system template may include information of each node in the network and virtual service information for performing data interaction between each node.
Step S400, constructing a honey network corresponding to the network to be protected based on the target service system template.
The result is a honeynet whose network structure is similar to the network to be protected and which carries a virtual service system, in which the nodes simulate the virtual service system by sending service data.
In the embodiment shown in fig. 2, the camouflage effect and the simulation capability of the honeynet when it imitates the user's real network to be protected can be improved in terms of both structure and service, so that the trapping efficiency of the honeynet against an attacker is improved and the safety of the user when using the network is improved.
Optionally, referring to fig. 3, fig. 3 is a detailed flowchart of step S300 provided in an embodiment of the present application, and step S300 may further include steps S310 to S320.
Step S310, the network information is compared with a plurality of service system templates in the template library respectively, and a plurality of similarities are obtained.
The network information of the network to be protected can be compared with a plurality of historical service system templates in the template library in sequence, so that the similarity between the network information and each service system template is obtained.
Step S320, the business system template with similarity reaching the threshold value is used as a target business system template matched with the network to be protected.
The threshold may be a preset similarity threshold, for example 98%, and a service system template whose similarity exceeds the threshold may be used as the target service system template corresponding to the network information. By bounding the similarity value, the similarity between the target service system template and the network structure and real service system of the network to be protected is effectively improved, and the poor camouflage effect and poor simulation capability that a honeynet would have if it were constructed from a template of low similarity are avoided.
Optionally, when several similarities exceed the threshold, the service system template with the highest similarity may be selected as the target service system template; alternatively, the service system template with the highest similarity can be used directly as the target service system template.
In the embodiment shown in fig. 3, a plurality of service system templates can be screened in the template library, so that the effectiveness of the target service system template is improved.
Optionally, referring to fig. 4, fig. 4 is a detailed flowchart of step S400 provided in the embodiment of the present application, and step S400 may further include steps S410-S440.
Step S410, corresponding target nodes and target node network information are determined according to the target business system template.
The network-structure data in the target service system template, namely the number of target nodes it contains and the network information of those target nodes, can be determined first. The target node network information may include one or more of: the target node network address of a target node, a target node port open at that address, a target node service, a target node operating system, and the like.
Step S420, newly creating a virtual host based on the target node.
The corresponding virtual hosts can be built and started automatically according to the target nodes; for example, when the template has two target nodes, two corresponding virtual hosts can be created and started, and these may be recorded as virtual OA node 1 and virtual OA node 2.
Step S430, configuring corresponding target node network information in the virtual host.
So that the network structure of the virtual hosts resembles that of the network to be protected, the target node network information of each node can be configured in its virtual host. For example, the target node network address, the target node port open at that address, the target node service, the target node operating system and similar information are configured in virtual OA node 1 and virtual OA node 2.
And step S440, carrying out service configuration on the virtual host to obtain a honey network corresponding to the network to be protected.
In order to enable the multiple nodes to perform simulated data interaction, virtual service configuration can be performed on the virtual host based on network information of the target nodes, and the multiple target nodes can be started to work after the configuration is completed, so that a honey network which is similar to the structure of the network to be protected and has a virtual service system is constructed.
Optionally, when constructing the honeynet, the name of the unit to which the honeynet belongs, its area, its scale and the like may be defined.
In the embodiment shown in fig. 4, the similarity between the honey network and the network structure to be protected and the simulation capability of the service are effectively improved.
Optionally, referring to fig. 5, fig. 5 is a detailed flowchart of step S440 according to an embodiment of the present application, and steps S441 to S442 may be further included in step S440.
In step S441, the target service data in the target service system template is determined.
The target service data may be various parameter data configured when the target service system template is constructed, and the target service data may include one or more of various service related information such as a target service message and a target interaction frequency.
For example, the target service message may be message data for virtual service interaction, such as newly created OA long data, login information for logging in to the OA system, or data of a queried OA user; the target interaction frequency may be the frequency or period at which the target service message is exchanged, for example sending and receiving the target service message every 30 minutes.
Step S442, configuring corresponding target service data in the virtual host to enable the target node to perform analog data interaction, thereby obtaining a honey network including the virtual host corresponding to the network to be protected.
The virtual service is configured on the basis of network information of a plurality of target nodes in the virtual service system according to the target service data, so that the virtual machine corresponding to each target node can perform simulated data interaction on the corresponding target service message according to the corresponding target interaction frequency, for example, service data messages are sent once in the virtual OA node 1 and the virtual OA node 2 in the virtual host every 30 minutes.
In the embodiment shown in fig. 5, by adding virtual service interaction in each node when the honeynet is constructed, the relevance of virtual service between each target node can be increased, so that the honeynet comprising one or more virtual hosts has virtual service, and the simulation capability and camouflage effect of the honeynet are effectively improved.
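As an added illustration of steps S410-S440 and S441-S442 (example code, not part of the patent or its applicant's implementation), the following models the virtual hosts of a honeynet in memory: one host per target node, each configured with the node's address, ports, services and operating system, and each carrying the target service message and interaction frequency so that the nodes exchange simulated traffic. The class and field names, the rule that each host sends to the next host in name order, and the check that no virtual host takes an address a real node is using are this example's own assumptions; a real deployment would create actual virtual machines at S420.

```python
# Added illustration of steps S410-S440 and S441-S442 (not code from the patent):
# an in-memory model of the virtual hosts a honeynet is built from. Class and
# field names are this example's own; a real deployment would create actual
# virtual machines or containers at S420.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class VirtualHost:
    name: str
    address: str
    ports: List[int]
    services: List[str]
    os: str
    service_message: str = ""     # S442: target service message configured on the host
    interaction_minutes: int = 0  # S442: target interaction frequency
    running: bool = False


@dataclass
class Honeynet:
    name: str
    hosts: Dict[str, VirtualHost] = field(default_factory=dict)


def build_honeynet(template: dict, honeynet_name: str,
                   real_addresses: Set[str]) -> Honeynet:
    """S410: read target nodes and their network information from the template;
    S420: create one virtual host per node; S430: configure address, ports,
    services and OS; S440/S442: configure the virtual service on each host.
    real_addresses is this example's own safety check (not from the patent):
    a virtual host must never take an address that a real node is using."""
    net = Honeynet(name=honeynet_name)
    service = template["service"]
    for index, node in enumerate(template["nodes"], start=1):
        if node["address"] in real_addresses:
            raise ValueError(f"address {node['address']} is in use by a real node")
        host = VirtualHost(
            name=f"virtual-{template['name']}-node-{index}",
            address=node["address"],
            ports=list(node["ports"]),
            services=list(node["services"]),
            os=node["os"],
            service_message=service["message"],
            interaction_minutes=service["interaction_minutes"],
        )
        host.running = True  # hosts are started once configuration is complete
        net.hosts[host.name] = host
    return net


def interaction_schedule(net: Honeynet, window_minutes: int) -> List[Tuple[int, str, str]]:
    """Events (minute, sender, receiver) of the simulated service exchange within
    a time window: at every interaction interval each host sends its service
    message to the next host in name order, so traffic exists between nodes."""
    names = sorted(net.hosts)
    if len(names) < 2:
        return []
    interval = net.hosts[names[0]].interaction_minutes
    if interval <= 0:
        return []
    events = []
    minute = interval
    while minute <= window_minutes:
        for i, sender in enumerate(names):
            events.append((minute, sender, names[(i + 1) % len(names)]))
        minute += interval
    return events


# Constructed target business system template (two OA nodes, as in the description).
OA_TEMPLATE = {
    "name": "oa",
    "nodes": [
        {"address": "10.7.212.240", "ports": [80], "services": ["http"], "os": "linux"},
        {"address": "10.7.212.241", "ports": [3306], "services": ["mysql"], "os": "linux"},
    ],
    "service": {"message": "OA login request", "interaction_minutes": 30},
}

if __name__ == "__main__":
    net = build_honeynet(OA_TEMPLATE, "oa-honeynet", real_addresses={"10.7.212.227"})
    for event in interaction_schedule(net, window_minutes=120):
        print(event)
```

Over a two-hour window with a 30-minute interaction frequency the schedule yields four rounds of exchange between the two virtual OA nodes, which is the inter-node service traffic the description relies on to make the honeynet look like a working business system rather than a set of idle hosts.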
Optionally, referring to fig. 6, fig. 6 is a detailed flowchart of step S200 provided in the embodiment of the present application, and step S200 may further include steps S210-S220.
Step S210, extracting scanning network segments in the network to be protected.
Because the network to be protected, as uploaded or specified by the user and received by the electronic device, may contain several network segments, the information in it may first be extracted to obtain the key scanning network segments, which makes acquiring the network information more efficient.
For example, when the network to be protected is 10.7.212.227-10.7.212.236, the extracted key scanning segments may be 10.36.3.Xx and the like.
Step S220, scanning the scanning network segment according to the scanning algorithm to identify the network information in the scanning network segment.
The scanning network segments can be scanned with the scanning algorithm of an automatic network detection tool, such as the nmap tool, to identify the real network structure and service system present in the network to be protected. The scanned network information may include one or more pieces of information reflecting the real network structure and traffic conditions of the network to be protected, such as a real node present in the scanned network segment, the target network address of that real node, a target network port open at that address, a target network service, and a target operating system.
Optionally, when scanning is performed, the scanning progress in the scanning process and various network information identified by scanning can be displayed for the staff to check and operate.
In the embodiment shown in fig. 6, network information reflecting the actual structure of the network to be protected can be quickly and accurately scanned and obtained, so that the method is applicable to various different networks to be protected and meets different requirements of various users.
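As an added illustration of steps S210-S220 (example code, not part of the patent or its applicant's implementation), the following first summarises an address range of the network to be protected into CIDR scanning segments with Python's standard `ipaddress` module, then turns the XML output that nmap writes with its `-oX` option into node records (address, open ports, services, operating system). The XML sample is constructed, not a real scan, and the record keys are this example's own; only hosts reported as up and only ports reported as open are kept, and the highest-accuracy OS match is used.

```python
# Added illustration of steps S210-S220 (not code from the patent): derive
# scanning segments from an address range and parse nmap-style XML output into
# the node records that describe the real network structure. The XML below is
# constructed for the example; it is not the output of a real scan.
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List


def extract_scan_segments(start: str, end: str) -> List[str]:
    """S210: summarise an inclusive address range into the smallest set of CIDR
    segments that covers it, which is what a scanner is then pointed at."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


# Constructed sample in the structure of nmap's XML output: two hosts up, one down.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
 <host><status state="up"/>
  <address addr="10.7.212.227" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
   <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
  </ports>
  <os><osmatch name="Linux 5.4" accuracy="96"/><osmatch name="Linux 4.x" accuracy="88"/></os>
 </host>
 <host><status state="up"/>
  <address addr="10.7.212.228" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
  </ports>
  <os><osmatch name="Linux 5.4" accuracy="90"/></os>
 </host>
 <host><status state="down"/>
  <address addr="10.7.212.229" addrtype="ipv4"/>
 </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> List[Dict]:
    """S220: one record per live host with its address, open ports, the service
    names nmap attached to those ports and the best operating-system match."""
    nodes = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not respond are not real nodes
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports, services = [], []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports describe the reachable service surface
            ports.append(int(port.get("portid")))
            svc = port.find("service")
            services.append(svc.get("name") if svc is not None else "unknown")
        os_name, best_accuracy = "unknown", -1
        for match in host.findall("os/osmatch"):
            accuracy = int(match.get("accuracy", "0"))
            if accuracy > best_accuracy:
                os_name, best_accuracy = match.get("name"), accuracy
        nodes.append({"address": addr_el.get("addr"), "ports": ports,
                      "services": services, "os": os_name})
    return nodes


if __name__ == "__main__":
    print(extract_scan_segments("10.7.212.227", "10.7.212.236"))
    for node in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(node)
```

The range 10.7.212.227-10.7.212.236 does not align to a single prefix and summarises to four segments (two /32s and two /30s); feeding those to the scanner rather than the whole /24 is what keeps the scan limited to the network the operator is actually protecting. The records the parser returns are the network information that the template matching step consumes.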
Alternatively, a business system template may be created from a network template, with a plurality of business system templates as a template library. The business system templates with various different structures can be added in the template library, so that the success rate in matching is improved.
For example, referring to fig. 7, fig. 7 is a flowchart of another honeynet construction method according to an embodiment of the present application, and the method may further include steps S510-S530.
Step S510, determining a plurality of history nodes, history node network information and history service data in the network template.
When the corresponding service system template is constructed, a historical network template can first be obtained and scanned (or otherwise analysed) to obtain the historical nodes that reflect the network structure and service system of the network template, together with the corresponding historical node network information and the historical service data on those nodes. The historical node network information may include one or more of: the historical node network address of a historical node, a historical node port open at that address, a historical node service, a historical node operating system, and other information reflecting the network structure and service conditions in the network template. The historical service data may include one or more of a historical service message, a historical interaction frequency, and other service-related information of the network template.
Alternatively, historical network templates may be obtained from a database of the network.
Step S520, corresponding history node network information is configured in the plurality of history nodes.
Corresponding historical node network information can be configured in each historical node of the network template. For example, when there are two historical nodes, historical node 1 can be configured with an open node port 80, the corresponding http node service, and linux as the historical operating system; historical node 2 can be configured with an open node port 3306, the corresponding mysql node service, and linux as the historical operating system.
Step S530, configuring corresponding historical service data in a plurality of historical nodes to obtain a service system template.
The historical service data in the historical service system in the network template can be configured into the corresponding historical node on the basis of the network information of the historical node, so that the service system template with the network structure information and the service system information is created.
For example, the service configuration may be performed accordingly according to the historical service message and the historical interaction frequency in the historical service data, for example, configured to transmit or receive the historical service message every 30 minutes, and so on.
In the embodiment shown in fig. 7, the service system template can be configured from two aspects of network structure and service interaction, so that the authenticity of the service system template and the relevance of the service between nodes are improved.
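As an added illustration of steps S510-S530 (example code, not part of the patent or its applicant's implementation), the following builds a service system template from the historical nodes of a network template and adds it to a template library. The validation rules (every open port carries a service, every node names an operating system, the interaction frequency is positive) and the structural fingerprint used to keep the library free of templates that differ only in their addresses are this example's own assumptions; the patent says only that templates of various different structures should be present in the library.

```python
# Added illustration of steps S510-S530 (not code from the patent): build a
# business system template from the historical nodes of a network template and
# add it to a template library. Function names and the structural fingerprint
# used to reject duplicate structures are this example's own.
import hashlib
import json
from typing import Dict, List


def create_service_system_template(name: str, history_nodes: List[dict],
                                   history_service: dict) -> dict:
    """S510: take the historical nodes, their network information and service
    data; S520: check and copy each node's network information; S530: attach
    the historical service data (message and interaction frequency)."""
    if not history_nodes:
        raise ValueError("a network template needs at least one historical node")
    nodes = []
    for node in history_nodes:
        if len(node["ports"]) != len(node["services"]):
            raise ValueError(f"node {node['address']}: every open port needs a service")
        if not node.get("os"):
            raise ValueError(f"node {node['address']}: operating system missing")
        nodes.append({"address": node["address"], "ports": sorted(node["ports"]),
                      "services": list(node["services"]), "os": node["os"]})
    if history_service.get("interaction_minutes", 0) <= 0:
        raise ValueError("historical interaction frequency must be positive")
    return {"name": name, "nodes": nodes,
            "service": {"message": history_service["message"],
                        "interaction_minutes": history_service["interaction_minutes"]}}


def structure_fingerprint(template: dict) -> str:
    """Hash of the node structure (ports, services, OS) with addresses left out,
    so templates that differ only in addresses count as the same structure."""
    shape = sorted((n["ports"], sorted(n["services"]), n["os"]) for n in template["nodes"])
    return hashlib.sha256(json.dumps(shape, sort_keys=True).encode()).hexdigest()


def add_to_library(library: Dict[str, dict], template: dict) -> bool:
    """Store the template unless the library already holds the same structure;
    returns True when the template was added."""
    fingerprint = structure_fingerprint(template)
    if any(structure_fingerprint(t) == fingerprint for t in library.values()):
        return False
    library[template["name"]] = template
    return True


# Constructed historical node information, following the two-node example above.
HISTORY_NODES = [
    {"address": "192.0.2.10", "ports": [80], "services": ["http"], "os": "linux"},
    {"address": "192.0.2.11", "ports": [3306], "services": ["mysql"], "os": "linux"},
]
HISTORY_SERVICE = {"message": "OA login request", "interaction_minutes": 30}

if __name__ == "__main__":
    library: Dict[str, dict] = {}
    template = create_service_system_template("oa-2node", HISTORY_NODES, HISTORY_SERVICE)
    print("added:", add_to_library(library, template))
    print(json.dumps(library, indent=1))
```

The fingerprint check matters for the matching step: two templates with identical structure can never be told apart by a structure-based similarity, so storing both only inflates the library without improving the chance of a match.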
Referring to fig. 8, fig. 8 is a schematic structural diagram of a honey net construction device according to an embodiment of the present application, where the honey net construction device 600 may include:
a determining module 610, configured to determine network information of a network to be protected;
the matching module 620 is configured to perform matching in a template library according to the network information, and determine a corresponding target service system template;
and the construction module 630 is configured to construct a honeynet corresponding to the network to be protected based on the target service system template.
In an alternative embodiment, the matching module 620 may further include a comparison sub-module and a matching sub-module;
the comparison sub-module is used for respectively comparing the network information with a plurality of service system templates in the template library to obtain a plurality of similarities;
and the matching sub-module is used for taking the business system template with the similarity reaching the threshold value as a target business system template matched with the network to be protected.
In an alternative embodiment, the building module 630 may further include a node sub-module, a host sub-module, and a configuration sub-module;
The node submodule is used for determining corresponding target nodes and target node network information according to the target service system template, wherein the target node network information comprises: at least one of a target node network address of a target node, a target node port with an open target node network address, a target node service and a target node operating system;
the host sub-module is used for creating a virtual host based on the target node;
a configuration sub-module, configured to configure corresponding target node network information in the virtual host; and carrying out service configuration on the virtual host to obtain a honey network corresponding to the network to be protected.
In an optional embodiment, the configuration sub-module may further include a service sub-unit, configured to determine target service data in a target service system template, where the target service data includes: at least one of a target service message and a target interaction frequency; and configuring corresponding target service data in the virtual host so as to enable the target node to perform simulated data interaction to obtain a honey network comprising the virtual host corresponding to the network to be protected.
In an alternative embodiment, the determining module 610 may further include an extracting sub-module and a scanning sub-module;
The extraction submodule is used for extracting a scanning network segment in the network to be protected;
the scanning sub-module is used for scanning the scanning network segment according to a scanning algorithm so as to identify network information in the scanning network segment, wherein the network information comprises: at least one of a real node existing in the scanned network segment, a target network address corresponding to the real node, a target network port open at that target network address, a target network service, and a target operating system.
In an alternative embodiment, the honey network construction device 600 may further include a template creation module, configured to create a service system template according to the network template, and use a plurality of service system templates as a template library.
In an alternative embodiment, the template creation module may further include a template node sub-module and a template configuration sub-module;
the template node submodule is used for determining a plurality of historical nodes, historical node network information and historical service data in the network template, wherein the historical node network information comprises: at least one of a history node network address of a history node, a history node port with an opened history node network address, a history node service and a history node operating system, wherein the history service data comprises: at least one of a historical service message and a historical interaction frequency;
The template configuration submodule is used for configuring corresponding historical node network information in a plurality of historical nodes; and configuring corresponding historical service data in the plurality of historical nodes to obtain a service system template.
Since the principle of the honey net construction device 600 according to the embodiment of the present application for solving the problem is similar to that of the foregoing embodiments of the honey net construction method, the implementation of the honey net construction device 600 according to the present embodiment may refer to the description of the foregoing embodiments of the honey net construction method, and the repetition is omitted.
The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores computer program instructions, and when the computer program instructions are read and run by a processor, the steps in any one of the honey network construction methods provided by the embodiment are executed.
In summary, the embodiments of the present application provide a method, an apparatus, an electronic device, and a computer readable storage medium for constructing a honeynet, where network information of a network to be protected is matched with a corresponding service system template, so that a corresponding honeynet is constructed according to a network structure and service interaction of the service system template, and thus, camouflage effect and simulation capability of the honeynet when camouflage is performed on a real network to be protected used by a user are improved from aspects of the structure and the service, thereby improving efficiency of trapping an attacker by the honeynet, and improving security when the user uses the network.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of devices according to various embodiments of the present application. In this regard, each block in the block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams, and combinations of blocks in the block diagrams, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising ..." does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.

Claims (8)

1. A honey net construction method, characterized in that the method comprises:
determining network information of a network to be protected;
matching in a template library according to the network information, and determining a corresponding target service system template;
constructing a honey network corresponding to the network to be protected based on the target service system template;
wherein the method further comprises: creating a business system template according to a network template, and taking a plurality of business system templates as the template library;
the creating a business system template according to the network template comprises the following steps: determining a plurality of historical nodes, historical node network information and historical service data in the network template, wherein the historical node network information comprises: at least one of a history node network address of the history node, a history node port with the history node network address opened, a history node service and a history node operating system, wherein the history service data comprises: at least one of a historical service message and a historical interaction frequency; configuring corresponding historical node network information in a plurality of historical nodes; configuring corresponding historical service data in a plurality of historical nodes to obtain the service system template;
The target service system template comprises information of each node in a network and virtual service information for carrying out data interaction between each node.
2. The method of claim 1, wherein said matching in a template library according to the network information, determining a corresponding target business system template, comprises:
comparing the network information with a plurality of service system templates in the template library respectively to obtain a plurality of similarities;
and taking the business system template with the similarity reaching a threshold value as the target business system template matched with the network to be protected.
3. The method of claim 1, wherein the constructing the honeynet corresponding to the network to be protected based on the target service system template includes:
determining corresponding target nodes and target node network information according to the target service system template, wherein the target node network information comprises: at least one of a target node network address of the target node, a target node port with the target node network address opened, a target node service and a target node operating system;
Creating a virtual host based on the target node;
configuring corresponding target node network information in the virtual host;
and carrying out service configuration on the virtual host to obtain a honey network corresponding to the network to be protected.
4. The method of claim 3, wherein the performing service configuration on the virtual host to obtain the honeynet corresponding to the network to be protected includes:
determining target service data in the target service system template, wherein the target service data comprises: at least one of a target service message and a target interaction frequency;
and configuring the corresponding target service data in the virtual host so as to enable the target node to perform analog data interaction, thereby obtaining the honey network comprising the virtual host corresponding to the network to be protected.
5. The method of claim 1, wherein the determining network information for the network to be protected comprises:
extracting a scanning network segment in the network to be protected;
scanning the scanning network segment according to a scanning algorithm to identify the network information in the scanning network segment, wherein the network information comprises: at least one of a real node existing in the scanning network segment, a target network address corresponding to the real node, a target network port with the opened target network address, a target network service and a target operating system.
6. A honeynet construction apparatus, the apparatus comprising:
the determining module is used for determining network information of the network to be protected;
the matching module is used for matching in a template library according to the network information and determining a corresponding target service system template;
the construction module is used for constructing a honey network corresponding to the network to be protected based on the target service system template;
the template creation module is used for creating a service system template according to the network template, and taking a plurality of service system templates as the template library;
the template creation module comprises a template node sub-module and a template configuration sub-module; the template node submodule is used for determining a plurality of historical nodes, historical node network information and historical service data in the network template, wherein the historical node network information comprises: at least one of a history node network address of the history node, a history node port with the history node network address opened, a history node service and a history node operating system, wherein the history service data comprises: at least one of a historical service message and a historical interaction frequency; the template configuration submodule is used for configuring corresponding historical node network information in a plurality of historical nodes; configuring corresponding historical service data in a plurality of historical nodes to obtain the service system template;
The target service system template comprises information of each node in a network and virtual service information for carrying out data interaction between each node.
7. An electronic device comprising a memory and a processor, the memory having stored therein program instructions which, when executed by the processor, perform the steps of the method of any of claims 1-5.
8. A computer readable storage medium, characterized in that the readable storage medium has stored therein computer program instructions which, when executed by a processor, perform the steps of the method according to any of claims 1-5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210836372.2A CN115208670B (en) 2022-07-15 2022-07-15 Honey net construction method, device, electronic equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN115208670A CN115208670A (en) 2022-10-18
CN115208670B true CN115208670B (en) 2023-10-13

Family

ID=83582705

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104506507A (en) * 2014-12-15 2015-04-08 蓝盾信息安全技术股份有限公司 Honey net safeguard system and honey net safeguard method for SDN (self-defending network)
US9495188B1 (en) * 2014-09-30 2016-11-15 Palo Alto Networks, Inc. Synchronizing a honey network configuration to reflect a target network environment
CN106302525A (en) * 2016-09-27 2017-01-04 黄小勇 A kind of cyberspace security defend method and system based on camouflage
CN109088901A (en) * 2018-10-31 2018-12-25 杭州默安科技有限公司 Deception defence method and system based on SDN building dynamic network
CN109617878A (en) * 2018-12-13 2019-04-12 烽台科技(北京)有限公司 A kind of construction method and system, computer readable storage medium of honey net
CN110768987A (en) * 2019-10-28 2020-02-07 电子科技大学 SDN-based dynamic deployment method and system for virtual honey network
US11050787B1 (en) * 2017-09-01 2021-06-29 Amazon Technologies, Inc. Adaptive configuration and deployment of honeypots in virtual networks
CN113067728A (en) * 2021-03-17 2021-07-02 中国人民解放军海军工程大学 Network security attack and defense test platform
CN113676449A (en) * 2021-07-13 2021-11-19 北京奇艺世纪科技有限公司 Network attack processing method and device
CN114221815A (en) * 2021-12-16 2022-03-22 北京国腾创新科技有限公司 Intrusion detection method, storage medium and system based on honey arranging net

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060101516A1 (en) * 2004-10-12 2006-05-11 Sushanthan Sudaharan Honeynet farms as an early warning system for production networks
US8260588B2 (en) * 2009-10-16 2012-09-04 Oracle America, Inc. Virtualizing complex network topologies

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
向全青. Design and implementation of a dynamic honeypot network based on network scanning technology. 信息技术 (Information Technology), 2013, (06), full text. *
张涛; 芦斌; 李玎; 何康. A host fingerprint anti-probing model based on software-defined networking. 信息网络安全 (Netinfo Security), 2020, (07), full text. *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant