CN115296909B - Method, device, medium and attack response method for obtaining target honeypot system - Google Patents


Info

Publication number: CN115296909B
Authority: CN (China)
Prior art keywords: honeypot, target, security device, vulnerability, candidate security
Legal status: Active
Application number: CN202210934661.6A
Other languages: Chinese (zh)
Other versions: CN115296909A (en)
Inventor: 蒋晓青
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority to CN202210934661.6A
Publication of CN115296909A
Application granted
Publication of CN115296909B

Classifications

    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 for detecting or protecting against malicious traffic; H04L63/1441 Countermeasures against malicious traffic)
    • H04L63/1433 Vulnerability analysis (under H04L63/00; H04L63/14)


Abstract

Embodiments of the application provide a method, a device, a medium and an attack response method for obtaining a target honeypot system. The method comprises: acquiring an original honeypot system and the system version number of a target security device, wherein the original honeypot system is used for receiving malicious traffic from an attack source and is deployed on the target security device; searching a target honeypot information table for configuration information corresponding to the system version number, wherein the target honeypot information table records at least vulnerability information related to the system version number; and updating the configuration of the original honeypot system based on the configuration information to obtain the target honeypot system. Because the target honeypot system is built quickly from the target honeypot information table, its reusability is improved.

Description

Method, device, medium and attack response method for obtaining target honeypot system
Technical Field
The embodiment of the application relates to the field of network security, in particular to a method, a device, a medium and an attack response method for obtaining a target honeypot system.
Background
A honeypot system deploys a number of decoy hosts, network services or pieces of information to induce an attack source to attack the decoys, so that the attack behavior can be captured and analyzed. In the related art, a honeypot system is generally custom-built on demand by a specific vendor, which makes customization expensive and gives the honeypot system poor reusability.
Therefore, how to improve the reusability of honeypot systems and reduce the cost of building them is a problem to be solved.
Disclosure of Invention
The embodiment of the application provides a method, a device, a medium and an attack response method for obtaining a target honeypot system.
In a first aspect, the application provides a method of obtaining a target honeypot system, the method comprising: acquiring an original honeypot system and the system version number of a target security device, wherein the original honeypot system is used for receiving malicious traffic from an attack source and is deployed on the target security device; searching a target honeypot information table for configuration information corresponding to the system version number, wherein the target honeypot information table records at least vulnerability information related to the system version number; and updating the configuration of the original honeypot system based on the configuration information to obtain the target honeypot system.
Thus, unlike the related art, in which a honeypot system has to be customized on demand each time one is built, the embodiments of the application build the target honeypot system quickly from the target honeypot information table, which improves the reusability of the target honeypot system and reduces the cost of building it.
With reference to the first aspect, in an embodiment of the application, the vulnerability information includes the vulnerability number of a system vulnerability on a target candidate security device; before searching the target honeypot information table for the configuration information corresponding to the system version number, the method further comprises: acquiring the system version number of at least one candidate security device; searching the at least one candidate security device for a target candidate security device that has a system vulnerability, and acquiring the vulnerability number of the system vulnerability on the target candidate security device; and adding the system version number of the target candidate security device and the corresponding vulnerability number to a honeypot information table to obtain the target honeypot information table.
Thus, in this embodiment, the vulnerability numbers of the system vulnerabilities on the target candidate security devices are recorded in the honeypot information table, so that the table can be read directly while the target honeypot system is generated and the system vulnerabilities can be added to it, which improves the efficiency of generating the target honeypot system.
With reference to the first aspect, in an embodiment of the application, the at least one candidate security device includes a first candidate security device, which is any one of the at least one candidate security device; after acquiring the system version number of the at least one candidate security device, the method further comprises: when it is confirmed that the first candidate security device has no system vulnerability, further confirming that the first candidate security device has an application vulnerability, i.e. a vulnerability in an application program, and acquiring a first vulnerability number of the application vulnerability; and adding the system version number of the first candidate security device and the corresponding first vulnerability number to the honeypot information table to obtain the target honeypot information table.
Thus, in this embodiment, when a device has no system vulnerability its application vulnerabilities are acquired instead and their first vulnerability number is added to the honeypot information table, so that an application vulnerability can be added to the system while the target honeypot system is generated.
With reference to the first aspect, in an embodiment of the application, the target honeypot information table further records computing resource information, where the computing resource information represents different computing capabilities by the interval in which a computing parameter value falls; before searching the target honeypot information table for the configuration information corresponding to the system version number, the method further comprises: calculating a computing parameter value of the at least one candidate security device, wherein the computing parameter value characterizes the computing capability of the at least one candidate security device; generating the computing resource information from the computing parameter value; and adding the computing resource information corresponding to the same system version number to the honeypot information table to obtain the target honeypot information table.
With reference to the first aspect, in an embodiment of the application, the computing parameter value includes the average number of clock cycles per instruction (CPI) over a preset time and the number of millions of instructions processed per second (MIPS); calculating the computing parameter value of the at least one candidate security device comprises: calculating the CPI and the MIPS of each candidate security device separately; and generating the computing resource information from the computing parameter value comprises: acquiring the target reference-value interval of the CPI of each candidate security device to obtain first computing resource information; acquiring the target reference-value interval of the MIPS of each candidate security device to obtain second computing resource information; and representing the computing resource information by the first computing resource information and the second computing resource information.
Thus, by calculating the computing parameter value of at least one candidate security device and generating the computing resource information from it, this embodiment gives the target honeypot system a definite computing capability, so that the target honeypot system behaves similarly to a real device system and the attack source is less likely to notice that it is a honeypot.
With reference to the first aspect, in an implementation of the application, searching the target honeypot information table for the configuration information corresponding to the system version number comprises: searching the target honeypot information table for the vulnerability information and the computing resource information corresponding to the system version number of the target security device; and updating the original honeypot system based on the configuration information to obtain the target honeypot system comprises: updating the configuration of the original honeypot system based on the vulnerability information and the computing resource information to obtain the target honeypot system.
Thus, by updating the configuration of the original honeypot system with the vulnerability information and the computing resource information, this embodiment can quickly configure a high-interaction target honeypot system whose behavior is similar to that of a real system.
With reference to the first aspect, in an embodiment of the application, before acquiring the original honeypot system, the method further comprises: acquiring an initial honeypot system and extracting the traffic characteristics corresponding to the initial honeypot system; and hiding the traffic characteristics to obtain the original honeypot system.
Thus, by hiding the traffic characteristics of the initial honeypot system, this embodiment changes them so that they cannot be recognized by an attack source.
With reference to the first aspect, in an embodiment of the application, the system version numbers in the target honeypot information table are ordered by number of queries.
Thus, by ordering the system version numbers by query count, this embodiment places the most frequently used entries first, which improves the efficiency of obtaining the target honeypot system.
In a second aspect, the application provides an apparatus for obtaining a target honeypot system, the apparatus comprising: an original system acquisition module configured to acquire an original honeypot system for receiving malicious traffic from an attack source and to acquire the system version number of the target security device on which the original honeypot system is deployed; a configuration information acquisition module configured to search a target honeypot information table for configuration information corresponding to the system version number, wherein the target honeypot information table records at least vulnerability information related to the system version number; and a system configuration module configured to update the original honeypot system based on the configuration information to obtain the target honeypot system.
With reference to the second aspect, in an embodiment of the application, the vulnerability information includes the vulnerability number of a system vulnerability on a target candidate security device; the configuration information acquisition module is further configured to: acquire the system version number of at least one candidate security device; search the at least one candidate security device for a target candidate security device that has a system vulnerability, and acquire the vulnerability number of the system vulnerability on the target candidate security device; and add the system version number of the target candidate security device and the corresponding vulnerability number to a honeypot information table to obtain the target honeypot information table.
With reference to the second aspect, in an embodiment of the application, the at least one candidate security device includes a first candidate security device, which is any one of the at least one candidate security device; the configuration information acquisition module is further configured to: when it is confirmed that the first candidate security device has no system vulnerability, further confirm that the first candidate security device has an application vulnerability, i.e. a vulnerability in an application program, and acquire a first vulnerability number of the application vulnerability; and add the system version number of the first candidate security device and the corresponding first vulnerability number to the honeypot information table to obtain the target honeypot information table.
With reference to the second aspect, in an embodiment of the application, the target honeypot information table further records computing resource information, where the computing resource information represents different computing capabilities by the interval in which a computing parameter value falls; the configuration information acquisition module is further configured to: calculate a computing parameter value of the at least one candidate security device, wherein the computing parameter value characterizes the computing capability of the at least one candidate security device; generate the computing resource information from the computing parameter value; and add the computing resource information corresponding to the same system version number to the honeypot information table to obtain the target honeypot information table.
With reference to the second aspect, in one embodiment of the application, the computing parameter value includes the average number of clock cycles per instruction (CPI) over a preset time and the number of millions of instructions processed per second (MIPS); the configuration information acquisition module is further configured to: calculate the CPI and the MIPS of each candidate security device separately; acquire the target reference-value interval of the CPI of each candidate security device to obtain first computing resource information; acquire the target reference-value interval of the MIPS of each candidate security device to obtain second computing resource information; and represent the computing resource information by the first computing resource information and the second computing resource information.
With reference to the second aspect, in an embodiment of the application, the configuration information acquisition module is further configured to: search the target honeypot information table for the vulnerability information and the computing resource information corresponding to the system version number of the target security device; and update the configuration of the original honeypot system based on the vulnerability information and the computing resource information to obtain the target honeypot system.
With reference to the second aspect, in one embodiment of the application, the original system acquisition module is configured to: acquire an initial honeypot system and extract the traffic characteristics corresponding to the initial honeypot system; and hide the traffic characteristics to obtain the original honeypot system.
With reference to the second aspect, in an embodiment of the application, the system version numbers in the target honeypot information table are ordered by number of queries.
In a third aspect, the application provides an attack response method applied to the target honeypot system obtained in any embodiment of the first aspect, the attack response method comprising: inducing an attack source to send malicious traffic according to the vulnerability information; and responding to the malicious traffic by sending a response message to the attack source.
Thus, by having the target honeypot system send a response message to the attack source, this embodiment makes the target honeypot system behave more like a real system, so that the attack source is less likely to recognize it as a honeypot.
In a fourth aspect, the present application provides an electronic device, comprising: a processor, a memory, and a bus; the processor is connected to the memory via the bus, the memory storing a computer program for implementing the method according to any embodiment of the first aspect when the computer program is executed by the processor.
In a fifth aspect, the present application provides a computer readable storage medium having stored thereon a computer program which, when executed, performs a method according to any embodiment of the first aspect.
Drawings
FIG. 1 is a schematic diagram of an attack-response system according to an embodiment of the application;
FIG. 2 is a first flow chart of the method of obtaining a target honeypot system according to an embodiment of the application;
FIG. 3 is a second flow chart of the method of obtaining a target honeypot system according to an embodiment of the application;
FIG. 4 is a third flow chart of the method of obtaining a target honeypot system according to an embodiment of the application;
FIG. 5 is a fourth flow chart of the method of obtaining a target honeypot system according to an embodiment of the application;
FIG. 6 is a schematic diagram of the composition of the apparatus for obtaining a target honeypot system according to an embodiment of the application;
FIG. 7 is a schematic diagram of an electronic device according to an embodiment of the application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, but not all embodiments of the present application. The components of the embodiments of the present application generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the application, as presented in the figures, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by a person skilled in the art without any inventive effort, are intended to be within the scope of the present application based on the embodiments of the present application.
In the related art, hosts serving as bait are deployed in the intranet so that an attack source is induced to attack them; the attack behavior can then be captured and analyzed, the tools and methods used by the attack source become known, its intention and motivation can be inferred, the security device gains a clear picture of the security threats the intranet faces, and the security protection capability of the intranet can be strengthened by technical and management means.
To solve the problems described in the background, in some embodiments of the application, configuration information is obtained from a target honeypot information table and an original honeypot system is configured according to that configuration information to obtain the target honeypot system. For example, in some embodiments, the system version number of the target security device on which the original honeypot system is deployed is obtained first; then the system version number and its corresponding configuration information are looked up in the target honeypot information table; finally, the original honeypot system is reconfigured according to the configuration information to obtain the target honeypot system. The target honeypot system is thus built quickly from the target honeypot information table, which improves its reusability and reduces the cost of building it.
The method steps in the embodiments of the present application are described in detail below with reference to the drawings.
FIG. 1 shows an attack-response system of some embodiments of the application, which responds to attacks using a target honeypot system obtained in some embodiments of the application and includes an attack source 110 and a target honeypot system 120. Specifically, the attack source 110 sends malicious traffic to the target honeypot system 120; after receiving the malicious traffic, the target honeypot system 120 sends a response message to the attack source 110 and stores the malicious traffic in the database of the security device, so that the security device can analyze the malicious traffic and generate an interception policy.
In the related art, a honeypot system is generally custom-built on demand by a specific vendor, which makes customization expensive and gives the honeypot system poor reusability. In the embodiments of the application, the configuration information corresponding to the system version number is looked up in the target honeypot information table and the target honeypot system is obtained from that configuration information, so that the honeypot system can be obtained automatically without a vendor customizing it on demand.
The method of obtaining the target honeypot system in some embodiments of the application, as performed by the server, is described below.
To solve at least the above problems, as shown in FIG. 2, some embodiments of the application provide a method for obtaining a target honeypot system, the method comprising:
S210: acquire an original honeypot system and acquire the system version number of the target security device.
It should be noted that the original honeypot system is used for receiving malicious traffic from an attack source and is deployed on the target security device. It will be appreciated that the target security device is a device that is expected to be exposed to malicious traffic sent by the attack source.
The attack source may be an external network device that sends malicious traffic. For example, taking the intranet as the protected network, the attack source is any external network device that wants to attack the intranet. The size of the intranet is not limited by the embodiments of the application: in some embodiments the intranet is a university network, in some a corporate network, in some a city network, and so on. If the intranet is a university network, the attack sources are all external network devices that want to attack the university network.
The target security device is a security device that protects the intranet devices, so the program corresponding to the target honeypot system is deployed on the target security device. Because the target honeypot system exposes a large number of vulnerabilities and, being a decoy, serves no legitimate users, all traffic that accesses it is treated as malicious traffic.
In one embodiment of the application, before S210 the method further includes: acquiring an initial honeypot system, extracting the traffic characteristics corresponding to the initial honeypot system, and hiding the traffic characteristics to obtain the original honeypot system.
It should be noted that if the initial honeypot system is an open-source low-interaction honeypot, any response message it sends carries a traffic characteristic (for example, a fixed string that identifies the initial honeypot system). Once the attack source receives a response message carrying that characteristic, it can recognize the honeypot system in the target security device. Moreover, a response message containing the characteristic can be matched by the attack source's traffic rules, after which the attack source will stop sending malicious traffic to the honeypot system. Therefore, after the initial honeypot system is obtained, its traffic characteristics are hidden: the characteristic is no longer carried when a message is sent, the characteristic strings are modified, and the basic service functions of the initial honeypot system are retained.
Specifically, an open-source initial honeypot system such as Conpot is obtained first. Then every fixed traffic string in the initial honeypot system is modified. For example, the fixed strings include "Original Siemens Equipment, 88111222" and "IM151-8 PN/DP CPU"; "Original Siemens Equipment, 88111222" is encoded with an algorithm such as Base64 (Base64 is a reversible encoding rather than encryption, but it suffices to change the bytes on the wire; "Original Siemens Equipment" alone encodes to "T3JpZ2luYWwgU2llbWVucyBFcXVpcG1lbnQ="), and the characters of the encoded string are then scrambled with a sort function, giving for example "zyywwwvvuutqlljgcgccbb=3221".
That is, the fixed characteristic strings are changed into a random-looking form, so that the attack source's traffic rules can no longer match the characteristic in the traffic.
It will be appreciated that the application does not limit the way in which the fixed traffic strings of the initial honeypot system are handled; scrambling the order with a sort function as above is merely an example.
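As an added example (not code from the patent and not Conpot's own code), the following Python script performs the traffic-characteristic hiding step described above on a constructed template fragment: each fixed banner string is Base64-encoded, the encoded characters are scrambled, the template is rewritten, and a final check confirms that none of the original fingerprint strings survives. The key=value template layout, the `port` line, and the seeded shuffle (used here in place of the patent's sort-based scrambling, so that each deployment gets its own value) are assumptions.

```python
import base64
import random

# Constructed sample: a fragment of a honeypot service template carrying the
# fixed banner strings the patent names. The key=value layout is an assumption,
# not Conpot's real template format.
SAMPLE_TEMPLATE = (
    "system_name=Original Siemens Equipment, 88111222\n"
    "module_type=IM151-8 PN/DP CPU\n"
    "port=102\n"
)

# Fixed strings that a fingerprinting rule could match on (taken from the page).
FIXED_STRINGS = ["Original Siemens Equipment, 88111222", "IM151-8 PN/DP CPU"]


def encode_feature(text: str) -> str:
    """Base64-encode a fixed string.

    Base64 is a reversible encoding, not encryption: it only changes the bytes
    that appear on the wire so a signature written for the default banner no
    longer matches.
    """
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def scramble(text: str, seed: int) -> str:
    """Reorder the characters of an encoded string.

    The patent scrambles with a sort function; this example uses a seeded
    shuffle (an assumption) so that every deployment gets its own value while
    the result stays reproducible for a given seed.
    """
    chars = list(text)
    random.Random(seed).shuffle(chars)
    return "".join(chars)


def hide_traffic_features(template: str, fixed_strings, seed: int):
    """Replace every fixed string in the template with its scrambled encoding.

    Returns the rewritten template and a mapping original -> replacement.
    Longer strings are replaced first so that a short fixed string which is a
    substring of a longer one cannot corrupt an earlier replacement.
    """
    mapping = {}
    for i, original in enumerate(sorted(fixed_strings, key=len, reverse=True)):
        replacement = scramble(encode_feature(original), seed + i)
        mapping[original] = replacement
        template = template.replace(original, replacement)
    return template, mapping


def residual_signatures(text: str, fixed_strings):
    """Check step: return the fixed strings that still appear verbatim in text."""
    return [s for s in fixed_strings if s in text]


if __name__ == "__main__":
    hidden, mapping = hide_traffic_features(SAMPLE_TEMPLATE, FIXED_STRINGS, seed=2022)
    print(hidden)
    print("residual signatures:", residual_signatures(hidden, FIXED_STRINGS))
```

Two practical points follow from the code. First, the check in `residual_signatures` is what matters operationally: run it against the templates and against captured responses of the rebuilt honeypot, not only against the source files. Second, Base64 lengthens a string by about a third; protocol fields such as the S7 identification strings have fixed maximum lengths, so after rewriting, confirm that the service still loads its template and answers requests (the "basic service functions retained" condition in the patent).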
S220, searching configuration information corresponding to the system version number in the target honeypot information table.
The target honeypot information table records the vulnerability information and the computing resource information corresponding to different system version numbers.
The following illustrates an implementation process for obtaining the target honeypot information table.
In one embodiment of the present application, before S220, the method includes:
S221: acquire the system version number of at least one candidate security device.
That is, the at least one candidate security device comprises all security devices on which the honeypot system can be installed. When the target honeypot information table is built, the system version number of each candidate security device is acquired and used as the key of the honeypot information table, i.e. the system version number is the index of the honeypot information table.
Specifically, the original honeypot system is deployed on candidate security devices with different system version numbers, covering the existing Windows and Linux system versions; all candidate security devices used to build the original honeypot system are organized as a cluster, and the honeypot information table is compiled from them. The honeypot information table covers most existing Windows and Linux system versions, and the original honeypot system is deployed on all of them.
As shown in Table 1, in some embodiments of the application the honeypot information table includes the system version number and the source of the original honeypot system. For example, the original honeypot system source corresponding to the system version number "Windows 10 for x64-based Systems" in Table 1 is "conpot".
Table 1 Honeypot information table (one)
System version                              Original honeypot system source
Windows 10                                  conpot
Windows 10 for x64-based Systems            conpot
Windows 10 for 32-bit Systems               conpot
Windows 10 21H2 for x64-based Systems       conpot
Windows 10 21H2 for ARM64-based Systems     conpot
Windows 10 21H2 for 32-bit Systems          conpot
Windows 10 21H1 for x64-based Systems       conpot
Windows 10 21H1 for ARM64-based Systems     conpot
Windows 10 21H1 for 32-bit Systems          conpot
Windows 10 20H2 for x64-based Systems       conpot
S222, searching the at least one candidate security device for target candidate security devices having a system vulnerability, and acquiring the vulnerability numbers of the system vulnerabilities on the target candidate security devices.
That is, a crawler is used to determine whether a system vulnerability exists in each candidate security device; those with a system vulnerability are taken as target candidate security devices, and the vulnerability numbers of the system vulnerabilities on the selected target candidate security devices are then acquired.
For example, one of the candidate security devices has the system version number Windows 10; a system vulnerability is confirmed in that Windows 10 system, and its vulnerability number is obtained as "CVE-2021-33739".
For example, one of the candidate security devices has the system version number Windows 10 for x64-based Systems; a system vulnerability is confirmed in that system, and its vulnerability number is obtained as "CVE-2022-21127".
S223, adding the system version number of the target candidate security device and the corresponding vulnerability number into the honeypot information table to obtain a target honeypot information table.
That is, after the vulnerability number of a target candidate security device is acquired, it is added to the honeypot information table against the corresponding system version number, which yields the target honeypot information table.
As shown in Table 2, in some embodiments of the application, the target honeypot information table (I) includes the system version, the original honeypot system source, whether a system vulnerability exists, and the vulnerability number.
Table 2 Target honeypot information table (I)
It will be appreciated that there may be several candidate security devices with the same system version, and that a single candidate security device may have one or more vulnerability numbers.
In one embodiment of the application, the at least one candidate security device comprises a first candidate security device, wherein the first candidate security device is any one of the at least one candidate security device.
After S221, the method further comprises:
first, when it is confirmed that the first candidate security device has no system vulnerability, further confirming whether it has an application vulnerability, and acquiring the first vulnerability number of that application vulnerability.
That is, the first candidate security device may have no system vulnerability; in that case the application vulnerabilities in the first candidate security device are crawled instead, and the vulnerability number of the application vulnerability, i.e. the first vulnerability number, is obtained.
For example, the system version number of the first candidate security device is Windows 10 21H2 for ARM64-based Systems; it is confirmed that the first candidate security device has no system vulnerability, so its application vulnerabilities are crawled, and the first vulnerability number obtained is CVE-2022-21128.
It may be appreciated that the application vulnerability is a vulnerability corresponding to an application program, for example, the application vulnerability may be a vulnerability of a third party payment application program, or may be a vulnerability of a music application program.
And then, adding the system version number of the first candidate security device and the corresponding first vulnerability number into the honeypot information table to obtain a target honeypot information table.
That is, after the first vulnerability number is acquired, it is added to the honeypot information table against the corresponding system version number to obtain the target honeypot information table.
As shown in Table 3, in some embodiments of the application, the target honeypot information table (II) includes the system version, the original honeypot system source, whether a system vulnerability exists, and the vulnerability number. Where the "whether a system vulnerability exists" column is filled with "no", the device has no system vulnerability and the recorded vulnerability is an application vulnerability.
Table 3 Target honeypot information table (II)
As a specific embodiment of the application, a vulnerability crawler is run over the cluster obtained from Table 1, and the application vulnerabilities or high-risk system vulnerabilities corresponding to every system version in Table 1 are crawled. If a system vulnerability exists, the system can already be attacked from outside, so no further processing is needed beyond recording the vulnerability information. If no system vulnerability exists but a service or application vulnerability does, one to three vulnerability environments are crawled and the configuration each requires is arranged in the original honeypot system. Vulnerabilities are thus exposed deliberately so that attack sources are later drawn to attack.
In one embodiment of the present application, the target honeypot information table records, in addition to the vulnerability information, operation resource information. The operation resource information represents different computing capacities by the interval in which an operation parameter value lies. The steps for obtaining the target honeypot information table are as follows:
first, an operational parameter value of at least one candidate security device is calculated.
It will be appreciated that the operational parameter values characterize the computing capability of the at least one candidate security device. They include the average number of clock cycles per instruction (CPI) within a preset time, and the number of millions of instructions executed per second (MIPS). The preset time may be one hour.
Specifically, CPI and MIPS of each candidate security device in the at least one candidate security device are calculated separately.
The CPI is calculated by formula (1):

$$CPI = \frac{m}{IC} = \sum_{i=1}^{n} CPI_i \times P_i \qquad (1)$$

where IC is the total number of instructions, m is the total number of clock cycles needed to execute those IC instructions, n is the number of instruction categories, $CPI_i$ is the CPI of the instructions of category i, and $P_i = IC_i / IC$ is the share of category i in the total instruction count, $IC_i$ being the number of instructions of category i.
MIPS is calculated by formula (2):

$$MIPS = \frac{IC}{T_{CPU} \times 10^6} = \frac{f}{CPI \times 10^6} \qquad (2)$$

where $T_{CPU}$ is the time the CPU spends on the program, given by formula (3):

$$T_{CPU} = m \times T = m \times \frac{1}{f} = \frac{CPI \times IC}{f} \qquad (3)$$

where T is the clock period and f is the clock frequency (main frequency, in Hz); the two are reciprocal, i.e. $T = 1/f$.
It should be noted that units of MIPS may be counted in millions, for example, MIPS may have a value of 1 (million) or 50 (million).
Then, the operation resource information is generated from the operation parameter value.
Specifically, the target reference value interval in which the CPI of each candidate security device lies is obtained as the first operation resource information, and the target reference value interval in which the MIPS of each candidate security device lies is obtained as the second operation resource information.
The computing resource information is characterized by adopting the first computing resource information and the second computing resource information.
Specifically, if the calculated CPI values are 6, 17, 24, 35 and 40, the reference intervals (of width 5) covering these values are 5-10, 10-15, 15-20, 20-25, 25-30, 30-35 and 35-40. This segmentation is written as "5/10/15/20/25/30/35/40", which is the first operation resource information.
If the calculated MIPS values are 50, 140, 230, 280 and 300, the reference intervals (of width 50) covering these values are 50-100, 100-150, 150-200, 200-250 and 250-300. This segmentation is written as "50/100/150/200/250/300", which is the second operation resource information.
And finally, adding the operation resource information corresponding to the same system version number into the honeypot information table to obtain a target honeypot information table.
That is, after the first and second operation resource information are obtained, they are added to the honeypot information table to obtain the target honeypot information table.
As shown in Table 4, in some embodiments of the application, the target honeypot information table (III) includes the system version, the original honeypot system source, whether a system vulnerability exists, the vulnerability number, the first operation resource information and the second operation resource information.
Table 4 Target honeypot information table (III)
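Formulas (1) to (3) and the interval segmentation of the operation resource information, carried through in code. This is an added Python example written for this page, not code from the patent: the instruction mix, the clock frequency, the hourly-average helper, and the interval widths of 5 for CPI and 50 for MIPS (read off the segmentation in the example above) are all assumptions.

```python
from dataclasses import dataclass
from math import floor, ceil


@dataclass(frozen=True)
class InstrClass:
    """One instruction category i of the mix: its CPI_i and its share P_i = IC_i / IC."""
    name: str
    cpi: float
    share: float


def cpi_from_mix(mix):
    """Formula (1): CPI = sum_i CPI_i * P_i. The shares must sum to 1."""
    total = sum(c.share for c in mix)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"instruction shares must sum to 1, got {total}")
    return sum(c.cpi * c.share for c in mix)


def cpu_time(cpi, ic, f_hz):
    """Formula (3): T_CPU = m * T = (CPI * IC) / f, with f in Hz."""
    return cpi * ic / f_hz


def mips(cpi, ic, f_hz):
    """Formula (2): MIPS = IC / (T_CPU * 10^6), which reduces to f / (CPI * 10^6)."""
    return ic / (cpu_time(cpi, ic, f_hz) * 1e6)


def hourly_average(samples):
    """Average of a parameter over the preset time (assumed: equally spaced samples
    taken during one hour); the table stores the interval of this average."""
    if not samples:
        raise ValueError("no samples")
    return sum(samples) / len(samples)


def interval_bounds(values, width):
    """Boundaries of contiguous reference intervals of the given (integer) width that
    cover every value, written as the 'a/b/c/...' string stored in the table."""
    lo = floor(min(values) / width) * width
    hi = ceil(max(values) / width) * width
    if hi == lo:                      # a single value on a boundary still needs one interval
        hi = lo + width
    return "/".join(str(b) for b in range(lo, hi + 1, width))


def interval_of(value, bounds):
    """The (low, high) reference interval of an 'a/b/c/...' string that contains value."""
    edges = [int(x) for x in bounds.split("/")]
    for low, high in zip(edges, edges[1:]):
        if low <= value <= high:
            return (low, high)
    raise ValueError(f"{value} lies outside {bounds}")


# Constructed sample: a three-category mix on a 3.4 GHz clock (not measured data).
SAMPLE_MIX = [InstrClass("alu", 1.0, 0.5), InstrClass("load/store", 2.0, 0.3),
              InstrClass("branch", 3.0, 0.2)]
SAMPLE_F_HZ = 3.4e9
SAMPLE_IC = 1_000_000

if __name__ == "__main__":
    c = cpi_from_mix(SAMPLE_MIX)
    print("CPI", c, "MIPS", mips(c, SAMPLE_IC, SAMPLE_F_HZ))
    print("CPI intervals ", interval_bounds([6, 17, 24, 35, 40], 5))
    print("MIPS intervals", interval_bounds([50, 140, 230, 280, 300], 50))
```

With the values of the example above, interval_bounds yields exactly the strings "5/10/15/20/25/30/35/40" and "50/100/150/200/250/300"; interval_of is the lookup needed when a target device's measured CPI or MIPS has to be placed in one of the recorded intervals.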
In one embodiment of the present application, after the target honeypot information table (III) is obtained, a script collects the performance information of the at least one candidate security device. Specifically, the script integrates all environment configuration into the target honeypot information table: the upper-layer application environment, the open services and port numbers, the product databases, and the running process and thread environment. A high-interaction honeypot can then be formed automatically; it imitates a production machine as closely as possible, so that an attack source cannot distinguish a normal system from the honeypot system, while actively exposing vulnerabilities to draw in traffic.
In one embodiment of the present application, the system version numbers in the target honeypot information table are ordered by the number of times they are queried.
That is, while the target honeypot information table is in use, the number of times each system version number is queried (i.e. its usage rate) is counted at regular intervals, and the most frequently queried system version numbers, together with their original honeypot system source, whether a system vulnerability exists, vulnerability numbers, first operation resource information and second operation resource information, are ranked first. The target honeypot information table is thus optimized and ranked automatically; highly ranked system version numbers are tried first in matching, which improves construction efficiency.
And S230, carrying out configuration updating on the original honeypot system based on the configuration information to obtain the target honeypot system.
It is understood that the original honeypot system is a low-interaction honeypot and the target honeypot system is a high-interaction honeypot.
That is, once the target honeypot information table has been established, whenever a target honeypot system needs to be generated, the vulnerability information and operation resource information corresponding to the system version number of the target security device are first looked up in the target honeypot information table, and the original honeypot system is then configured and updated based on that vulnerability information and operation resource information to obtain the target honeypot system.
Specifically, when the target honeypot system is established, the original honeypot system is first deployed on the target security device and the system version number of the target security device is acquired, for example "Windows 10 21H2 for 32-bit Systems". The configuration information corresponding to that system version number, including vulnerability information and operation resource information, is then looked up in the target honeypot information table, and the original honeypot system is updated with it to obtain the high-interaction target honeypot system.
It should be noted that, the original honeypot system can only receive the malicious traffic of the attack source, and the target honeypot system can not only receive the malicious traffic of the attack source, but also send a response message to the attack source, so that the attack source cannot distinguish the normal system from the target honeypot system.
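The table-building steps S221 to S223, the application-vulnerability branch for a device with no system vulnerability, the S230 lookup by system version number, and the query-count ranking can all be expressed as one data structure. The following Python is an added example written for this page, not code from the patent or from conpot. The class and method names, the cap of three recorded application vulnerabilities (taken from the "1-3 vulnerability environments" above), and the sample rows are assumptions; the CVE identifiers and interval strings are simply the ones quoted in the description.

```python
from dataclasses import dataclass, field


@dataclass
class HoneypotEntry:
    system_version: str          # the table's key (index)
    honeypot_source: str         # original low-interaction honeypot, e.g. conpot
    has_system_vuln: bool = False
    vuln_ids: list = field(default_factory=list)   # vulnerability numbers to expose
    cpi_bins: str = ""           # first operation resource information
    mips_bins: str = ""          # second operation resource information
    query_count: int = 0         # maintained for the ranking step


MAX_APP_VULN_ENVS = 3            # assumed cap: "1-3 vulnerability environments"


class HoneypotInfoTable:
    def __init__(self):
        self._rows = {}

    def add(self, version, source):
        self._rows[version] = HoneypotEntry(version, source)

    def record_vulns(self, version, system_vulns, app_vulns):
        """S222/S223: a system vulnerability is recorded and nothing else is needed;
        only when none exists are (at most MAX_APP_VULN_ENVS) application
        vulnerabilities recorded, and the system-vulnerability column reads 'no'."""
        row = self._rows[version]
        if system_vulns:
            row.has_system_vuln = True
            row.vuln_ids = list(system_vulns)
        else:
            row.has_system_vuln = False
            row.vuln_ids = list(app_vulns)[:MAX_APP_VULN_ENVS]

    def record_resources(self, version, cpi_bins, mips_bins):
        row = self._rows[version]
        row.cpi_bins, row.mips_bins = cpi_bins, mips_bins

    def lookup(self, version):
        """S230: configuration information for a target device's version number,
        or None when the version is absent and the table must first be extended."""
        row = self._rows.get(version)
        if row is None:
            return None
        row.query_count += 1
        return {"source": row.honeypot_source, "system_vuln": row.has_system_vuln,
                "expose": list(row.vuln_ids), "cpi": row.cpi_bins, "mips": row.mips_bins}

    def ranked_versions(self):
        """Versions ordered by query count, most-queried first (ties keep insertion order)."""
        rows = sorted(self._rows.values(), key=lambda r: r.query_count, reverse=True)
        return [r.system_version for r in rows]


def build_sample_table():
    """Constructed rows mirroring Tables 1 to 3; the CVE numbers are the ones the
    description quotes and the intervals are those of its CPI/MIPS example."""
    t = HoneypotInfoTable()
    for v in ("Windows 10", "Windows 10 for x64-based Systems",
              "Windows 10 21H2 for ARM64-based Systems"):
        t.add(v, "conpot")
        t.record_resources(v, "5/10/15/20/25/30/35/40", "50/100/150/200/250/300")
    t.record_vulns("Windows 10", ["CVE-2021-33739"], [])
    t.record_vulns("Windows 10 for x64-based Systems", ["CVE-2022-21127"], [])
    t.record_vulns("Windows 10 21H2 for ARM64-based Systems", [], ["CVE-2022-21128"])
    return t


if __name__ == "__main__":
    table = build_sample_table()
    print(table.lookup("Windows 10 21H2 for ARM64-based Systems"))
    print(table.lookup("Windows 7"))
    print(table.ranked_versions())
```

A None from lookup corresponds to the case where the target device's version is not yet in the table and the table-building steps have to be repeated before the device can be matched; a caller should treat it as "build first", not as "deploy without vulnerability information".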
As shown in fig. 3, as an embodiment of the present application, the processing of the original honeypot system includes:
S301, loading the original honeypot system and modifying the features in its source code so that it cannot be scanned by regular, pattern-based features.
S302, initially creating the honeypot information table and creating a cluster on the basis of the original honeypot system.
S303, automatically arranging vulnerability environments for all system environments in the honeypot information table.
S304, completing the honeypot information table with a script according to the CPI and MIPS values.
S305, investigating the performance and system of the candidate security devices with a script and automatically matching them against the honeypot information table.
As shown in fig. 4, as an embodiment of the present application, the process of obtaining the target honeypot system includes:
S401, investigating the environment of the target security device with a script, and updating the configuration of the original honeypot system to obtain the target honeypot system.
S402, automatically optimizing a target honeypot information table.
The embodiment of the method for obtaining the target honeypot system provided by the application is described above, and the specific embodiment of the method for obtaining the target honeypot system provided by the application is described below.
Technical defects of the related art include the following. A honeypot system in the related art has only simple interaction capability, for example responding to a specific Secure Shell (SSH) access attempt and returning a cracking result, while making no reply at all to other, more complex requests from an attack source. In addition, the honeypot code in the related art is too fixed: its traffic features are obvious and unchanging, so an attack source can easily write them into traffic rules and identify the honeypot; and a high-interaction honeypot in the related art has to be custom-built by the vendor, so its reusability is poor and its cost is high.
Accordingly, the application aims to solve the following problems. First, a low-interaction honeypot has a single function, is poorly deceptive, and is easily detected by feature monitoring. Second, high-interaction honeypots have poor reusability. Third, honeypots are identified by scanning once an external attacker has penetrated the internal network, and customizing a high-interaction honeypot is costly.
Specifically, the application supplements the original honeypot system in its system environment and code so that it can imitate a normal system, can attract and draw in attacks from attack sources, captures malicious traffic from attack sources more effectively, and can be automatically configured and reused when the application environment changes. The usage scenario can thus be matched automatically, and the low-interaction honeypot (i.e. the original honeypot system) can be built into a high-interaction honeypot (i.e. the target honeypot system) containing a vulnerability environment.
As shown in fig. 5, in some embodiments of the application, a method of obtaining a target honeypot system is provided, the method illustratively comprising:
S510, acquiring the system version number of at least one candidate security device.
S520, matching the corresponding system version number through the honeypot information table.
S530, detecting whether a system vulnerability exists; if so, executing S540, crawling the system vulnerability and adding it to the honeypot information table; if not, executing S550, crawling the application vulnerability and adding it to the honeypot information table.
S560, selecting the corresponding operation resource information according to the CPI value and the MIPS value, and adding it to the honeypot information table.
S570, traversing the service port numbers of the candidate security devices and integrating them, together with the database, into the honeypot information table.
S580, matching and updating the original honeypot system to obtain the target honeypot system.
Specifically, the application is applied to an enterprise's sandbox products: after the honeypot system is deployed, attack sources are attracted to attack by exposing vulnerabilities, so that attack techniques and attack traffic are captured and the security of the managed equipment is enhanced.
In some embodiments of the application, a method for obtaining a target honeypot system is provided, the method specifically comprising:
First, an open-source initial honeypot system is obtained, for example the open-source honeypot conpot. All fixed strings that appear in its traffic are modified in the original honeypot system source code, for example "Original Siemens Equipment", "88111222" and "IM151-8 PN/DP CPU". Such specific strings appear in the traffic and can be matched by the traffic rules of an attack source. If "Original Siemens Equipment" is base64-encoded, the resulting string is T3JpZ2luYWwgU2llbWVucyBFcXVpcG1lbnQ=, and after its characters are reordered with a sort function one obtains:
ZYyXWwWVVuUuTQppnllllJgGFcccbBb=3221
In this way the characteristic fixed strings are changed into a random form, the original honeypot system is obtained, and the attack source's traffic rules can no longer match those features in the traffic.
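The string transformation of the first step, as an added Python example (not conpot's code and not the patent's): it reproduces the base64-and-reorder result quoted above, where the reordering turns out to be a stable, case-insensitive descending sort, and adds a randomized variant, which is what a per-deployment "random form" would need so that two honeypot instances do not share the same bytes. The sample source fragment and the list of fixed strings are constructed for the example.

```python
import base64
import secrets


def scramble_fixed_string(s):
    """Base64-encode a fixed string, then reorder its characters. The reordering
    that reproduces the result quoted above is a stable sort, descending,
    ignoring case; Python's sorted() keeps equal keys in their original order."""
    b64 = base64.b64encode(s.encode()).decode()
    return "".join(sorted(b64, key=str.lower, reverse=True))


def randomize_fixed_string(s, rng=None):
    """Variant: a random permutation of the base64 text, drawn from the OS CSPRNG,
    so that two deployments do not share a byte sequence a traffic rule could match."""
    rng = rng or secrets.SystemRandom()
    chars = list(base64.b64encode(s.encode()).decode())
    rng.shuffle(chars)
    return "".join(chars)


def rewrite_source(source, fixed_strings, transform=scramble_fixed_string):
    """Replace every occurrence of each listed fixed string in a source text,
    longest string first so that a shorter string never hits inside a longer one."""
    for s in sorted(fixed_strings, key=len, reverse=True):
        source = source.replace(s, transform(s))
    return source


# Constructed stand-in for a honeypot source fragment (not conpot's own code).
SAMPLE_SOURCE = ('DEVICE_NAME = "Original Siemens Equipment"\n'
                 'SERIAL = "88111222"\n'
                 'MODULE = "IM151-8 PN/DP CPU"\n')
FIXED_STRINGS = ["Original Siemens Equipment", "88111222", "IM151-8 PN/DP CPU"]

if __name__ == "__main__":
    print(scramble_fixed_string("Original Siemens Equipment"))
    print(rewrite_source(SAMPLE_SOURCE, FIXED_STRINGS))
    print(rewrite_source(SAMPLE_SOURCE, FIXED_STRINGS, randomize_fixed_string))
```

The rewritten constants are no longer meaningful device text, so this is only suitable for values the emulated protocol treats as opaque identifiers (banners, serial numbers, module names), which is how the description uses them; a string that a protocol parser on the attacker's side validates by format would need a format-preserving replacement instead.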
Second, the original honeypot system obtained in the previous step is processed further: it is added to all the counted Windows and Linux systems to form a preliminary cluster, and the honeypot information table is compiled.
Third, according to the system versions in the honeypot information table obtained in the previous step, a crawler crawls the system vulnerability or application vulnerability environment of each version, and the vulnerability environments are arranged into the original honeypot system to update the honeypot information table.
Fourth, the honeypot information table is further processed for the CPI and MIPS values, taking intervals as the unit and using the average performance measured over an hour, to obtain the target honeypot information table, from which the operation resource information can conveniently be selected.
Fifth, a script investigates the performance and system of the target security device and automatically matches it against the target honeypot information table, checking whether the system version is present in the table. If it is not, steps one to four are repeated. If it is, the sixth step is performed: for example, the system version of the target security device, win7 x64 sp1, is compared with the target honeypot information table, which confirms that the target security device has a system vulnerability, so no other vulnerabilities need to be integrated and the next step follows.
Sixth, the script traverses all environment configuration, including the upper-layer application environment, the open services and port numbers, the product databases and the running process and thread environment, integrates it into the target honeypot information table, and a new high-interaction honeypot is formed automatically.
Seventh, configuration information with a high usage rate is moved forward in the matching order, which automatically improves matching efficiency. The target honeypot information table is updated, and system versions not yet in the table are integrated automatically.
The technical key points of the application are therefore: processing the low-interaction honeypot by randomizing the characteristic strings in the open-source low-interaction honeypot and the fixed features in its traffic, so as to avoid feature recognition; generating a brand-new high-interaction honeypot that keeps the functions of the low-interaction honeypot while staying consistent with the host environment of the production product, and that, with the vulnerabilities of the integrated system version, is generated automatically with a traffic-attracting function; and automatically generating the honeypot information table of the honeypot cluster and matching the honeypot to the corresponding performance according to the performance of the computer, with automatic adjustment of use priority and updating of the cluster's base systems.
The application therefore automatically generates a high-interaction honeypot in any product environment, reduces customization and other costs, and improves the reusability and portability of the honeypot. Attack information from attack sources is collected more effectively, so that unknown attacks can be defended against in advance and unnecessary losses avoided.
Having described a specific embodiment of a method for obtaining a target honeypot system provided by the present application, an apparatus for obtaining a target honeypot system will be described.
As shown in fig. 6, some embodiments of the application provide an apparatus 600 for obtaining a target honeypot system, the apparatus comprising: an original system acquisition module 610, a configuration information acquisition module 620, and a system configuration module 630.
An original system acquisition module 610 configured to acquire the original honeypot system, which receives malicious traffic from an attack source, and the system version number of the target security device on which the original honeypot system is deployed.
The configuration information obtaining module 620 is configured to search the configuration information corresponding to the system version number in a target honeypot information table, where the target honeypot information table is at least used for recording vulnerability information related to the system version number.
And a system configuration module 630 configured to perform configuration update on the original honeypot system based on the configuration information to obtain a target honeypot system.
In one embodiment of the present application, the vulnerability information includes a vulnerability number of a system vulnerability on the target candidate security device; the configuration information acquisition module 620 is further configured to: acquiring a system version number of at least one candidate security device; searching the target candidate security device with the system vulnerability from the at least one candidate security device, and acquiring the vulnerability number of the system vulnerability on the target candidate security device; and adding the system version number of the target candidate security device and the corresponding vulnerability number into a honeypot information table to obtain the target honeypot information table.
In one embodiment of the present application, the at least one candidate security device comprises a first candidate security device, wherein the first candidate security device is any one of the at least one candidate security device; the configuration information acquisition module 620 is further configured to: when it is confirmed that the first candidate security device has no system vulnerability, further confirm that the first candidate security device has an application vulnerability and acquire a first vulnerability number of the application vulnerability, wherein the application vulnerability is a vulnerability corresponding to an application program; and add the system version number of the first candidate security device and the corresponding first vulnerability number into the honeypot information table to obtain the target honeypot information table.
In one embodiment of the present application, the target honeypot information table is further used for recording operation resource information, where the operation resource information adopts a section where an operation parameter value is located to represent different operation capacities; the configuration information acquisition module 620 is further configured to: calculating an operational parameter value of the at least one candidate security device, wherein the operational parameter value is used to characterize an operational capability of the at least one candidate security device; generating the operation resource information according to the operation parameter value; and adding the operation resource information corresponding to the same system version number into the honeypot information table to obtain the target honeypot information table.
In one embodiment of the application, the operational parameter values include an average number of clock cycles CPI required to execute each instruction in a preset time, and a number of instructions MIPS processed per second; the configuration information acquisition module 620 is further configured to: calculating the CPI and the MIPS of each candidate security device in the at least one candidate security device separately; acquiring a target reference value interval of the CPI of each candidate safety device to obtain first operation resource information; acquiring a target reference value interval of the MIPS of each candidate safety device to obtain second operation resource information; the computing resource information is characterized by adopting the first computing resource information and the second computing resource information.
In one embodiment of the present application, the configuration information acquisition module 620 is further configured to: searching vulnerability information and operation resource information corresponding to the system version number of the target safety equipment in a target honeypot information table; and carrying out configuration updating on the original honeypot system based on the vulnerability information and the operation resource information to obtain the target honeypot system.
In one embodiment of the present application, the original system acquisition module 610 is configured to: acquire an initial honeypot system and extract the traffic features corresponding to the initial honeypot system; and hide those traffic features to obtain the original honeypot system.
In one embodiment of the present application, the system version numbers in the target honeypot information table are arranged according to the number of queries.
In an embodiment of the present application, the module shown in fig. 6 can implement each process in the embodiments of the methods of fig. 1 to 5. The operation and/or function of the individual modules in fig. 6 are respectively for realizing the respective flows in the method embodiments in fig. 1 to 5. Reference is specifically made to the description in the above method embodiments, and detailed descriptions are omitted here as appropriate to avoid repetition.
As shown in fig. 7, an embodiment of the present application provides an electronic device 700, including: processor 710, memory 720 and bus 730, said processor being connected to said memory by means of said bus, said memory storing a computer program for implementing the method according to any of the above-mentioned embodiments when executed by said processor, see in particular the description of the above-mentioned method embodiments, and detailed descriptions are omitted here as appropriate for avoiding repetition.
The bus is used to enable direct connection and communication between these components. The processor in the embodiment of the application may be an integrated circuit chip with signal processing capability. The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and may implement or execute the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor.
The memory may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), etc. The memory stores computer-readable instructions which, when executed by the processor, perform the method described in the above embodiments.
It will be appreciated that the configuration shown in fig. 7 is illustrative only and may include more or fewer components than shown in fig. 7 or have a different configuration than shown in fig. 7. The components shown in fig. 7 may be implemented in hardware, software, or a combination thereof.
Embodiments of the present application also provide a computer readable storage medium, on which a computer program is stored, which when executed by a server, implements a method according to any one of the foregoing embodiments, and specifically reference may be made to the description in the foregoing method embodiments, and detailed descriptions are omitted herein as appropriate for avoiding repetition.
The above description is only of the preferred embodiments of the present application and is not intended to limit the present application, but various modifications and variations can be made to the present application by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method of obtaining a target honeypot system, the method comprising:
acquiring an original honeypot system and a system version number of a target security device, wherein the original honeypot system is used for receiving malicious traffic from an attack source and is deployed on the target security device;
searching for configuration information corresponding to the system version number in a target honeypot information table, wherein the target honeypot information table is used at least for recording vulnerability information associated with the system version number;
performing a configuration update on the original honeypot system based on the configuration information to obtain the target honeypot system;
wherein the vulnerability information comprises vulnerability numbers of system vulnerabilities present on a target candidate security device, and before searching for the configuration information corresponding to the system version number in the target honeypot information table, the method further comprises:
acquiring a system version number of at least one candidate security device; searching the at least one candidate security device for the target candidate security device that has a system vulnerability, and acquiring the vulnerability number of the system vulnerability on the target candidate security device; and adding the system version number of the target candidate security device and the corresponding vulnerability number to a honeypot information table to obtain the target honeypot information table;
wherein the at least one candidate security device comprises a first candidate security device, the first candidate security device being any one of the at least one candidate security device, and after acquiring the system version number of the at least one candidate security device, the method further comprises:
when it is determined that the first candidate security device has no system vulnerability, further determining that the first candidate security device has an application vulnerability and acquiring a first vulnerability number of the application vulnerability, wherein the application vulnerability is a vulnerability of an application program; and adding the system version number of the first candidate security device and the corresponding first vulnerability number to the honeypot information table to obtain the target honeypot information table.
2. The method of claim 1, wherein the target honeypot information table is further used for recording computing resource information, and the computing resource information uses the interval in which a computing parameter value lies to represent different computing capabilities;
before searching for the configuration information corresponding to the system version number in the target honeypot information table, the method further comprises:
calculating the computing parameter value of the at least one candidate security device, wherein the computing parameter value is used for representing the computing capability of the at least one candidate security device;
generating the computing resource information according to the computing parameter value; and
adding the computing resource information corresponding to the same system version number to the honeypot information table to obtain the target honeypot information table.
3. The method of claim 2, wherein the computing parameter values comprise the average number of clock cycles per instruction (CPI) measured within a preset time and the number of instructions processed per second, expressed in millions of instructions per second (MIPS);
said calculating the computing parameter value of the at least one candidate security device comprises:
calculating the CPI and the MIPS of each candidate security device in the at least one candidate security device separately;
said generating the computing resource information according to the computing parameter value comprises:
acquiring the target reference value interval of the CPI of each candidate security device to obtain first computing resource information;
acquiring the target reference value interval of the MIPS of each candidate security device to obtain second computing resource information; and
characterizing the computing resource information by the first computing resource information and the second computing resource information.
4. The method according to any one of claims 1 to 3, wherein searching for the configuration information corresponding to the system version number in the target honeypot information table comprises:
searching the target honeypot information table for the vulnerability information and the computing resource information corresponding to the system version number of the target security device;
and wherein performing the configuration update on the original honeypot system based on the configuration information to obtain the target honeypot system comprises:
performing the configuration update on the original honeypot system based on the vulnerability information and the computing resource information to obtain the target honeypot system.
5. The method according to any one of claims 1 to 3, wherein before acquiring the original honeypot system, the method further comprises:
acquiring an initial honeypot system and extracting the traffic characteristics corresponding to the initial honeypot system; and
hiding the traffic characteristics to obtain the original honeypot system.
6. The method according to any one of claims 1 to 3, wherein the system version numbers in the target honeypot information table are arranged according to the number of queries.
7. An apparatus for obtaining a target honeypot system, the apparatus comprising:
an original system acquisition module configured to acquire an original honeypot system for receiving malicious traffic from an attack source, and to acquire a system version number of a target security device on which the original honeypot system is deployed;
a configuration information acquisition module configured to search for configuration information corresponding to the system version number in a target honeypot information table, wherein the target honeypot information table is used at least for recording vulnerability information associated with the system version number;
a system configuration module configured to perform a configuration update on the original honeypot system based on the configuration information to obtain the target honeypot system;
wherein the vulnerability information comprises vulnerability numbers of system vulnerabilities present on a target candidate security device, and the configuration information acquisition module is further configured to:
acquire a system version number of at least one candidate security device; search the at least one candidate security device for the target candidate security device that has a system vulnerability, and acquire the vulnerability number of the system vulnerability on the target candidate security device; and add the system version number of the target candidate security device and the corresponding vulnerability number to a honeypot information table to obtain the target honeypot information table;
wherein the at least one candidate security device comprises a first candidate security device, the first candidate security device being any one of the at least one candidate security device, and the configuration information acquisition module is further configured to:
when it is determined that the first candidate security device has no system vulnerability, further determine that the first candidate security device has an application vulnerability and acquire a first vulnerability number of the application vulnerability, wherein the application vulnerability is a vulnerability of an application program; and add the system version number of the first candidate security device and the corresponding first vulnerability number to the honeypot information table to obtain the target honeypot information table.
8. An attack response method, applied to the target honeypot system obtained according to any one of claims 1 to 6, the method comprising:
inducing an attack source to send malicious traffic according to the vulnerability information; and
responding to the malicious traffic by sending a response message to the attack source.
9. An electronic device, comprising: a processor, a memory, and a bus;
the processor is connected to the memory via the bus, the memory storing a computer program which, when executed by the processor, performs the method according to any of claims 1-6.
10. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed, implements the method according to any of claims 1-6.
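The table-building, lookup, ordering and update steps of claims 1 to 6, and the response step of claim 8, as an added worked model in Python. This is an added example, not code from the patent or its assignee: the candidate device list, the vulnerability numbers (placeholders such as SYS-0001, not real CVE identifiers), the CPI and MIPS reference interval bounds, the tie-breaking rules, and the response message format are all assumptions for illustration, since the claims specify none of them.

```python
"""Added worked model of the target honeypot information table (claims 1-6, 8).

Constructed example, not the patent's own code. Vulnerability numbers, the
CPI/MIPS interval bounds and the response format are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Interval = Tuple[float, float]

# Assumed reference intervals for the two computing parameters of claim 3; the
# claims only say that the interval a value lies in stands for a capability class.
CPI_INTERVALS: List[Interval] = [(0.0, 1.0), (1.0, 2.0), (2.0, float("inf"))]
MIPS_INTERVALS: List[Interval] = [(0.0, 1000.0), (1000.0, 5000.0), (5000.0, float("inf"))]


@dataclass
class CandidateDevice:
    version: str
    system_vulns: List[str]   # numbers of OS-level vulnerabilities (placeholders)
    app_vulns: List[str]      # numbers of application vulnerabilities (placeholders)
    cpi: float                # average clock cycles per instruction over a preset window
    mips: float               # instructions processed per second, in millions


@dataclass
class TableEntry:
    vuln_numbers: List[str] = field(default_factory=list)
    cpi_interval: Optional[Interval] = None
    mips_interval: Optional[Interval] = None
    query_count: int = 0      # drives the ordering of claim 6


# Constructed scan results for three candidate security devices.
SAMPLE_CANDIDATES = [
    CandidateDevice("fw-1.0", ["SYS-0001"], ["APP-0009"], cpi=1.5, mips=2500.0),
    CandidateDevice("fw-2.0", [], ["APP-0002"], cpi=0.8, mips=6000.0),
    CandidateDevice("fw-3.0", [], [], cpi=1.0, mips=100.0),   # nothing to emulate
]


def reference_interval(value: float, intervals: List[Interval]) -> Interval:
    """Map a measured parameter value to the reference interval containing it."""
    for lo, hi in intervals:
        if lo <= value < hi:
            return (lo, hi)
    raise ValueError(f"no reference interval covers {value}")


def build_table(candidates: List[CandidateDevice]) -> Dict[str, TableEntry]:
    """Claims 1-3: record version -> vulnerability numbers plus resource intervals.

    System vulnerabilities are recorded first; application vulnerabilities are
    used only for a device that has no system vulnerability (claim 1). A device
    with neither is skipped because the honeypot would have nothing to emulate.
    """
    table: Dict[str, TableEntry] = {}
    for dev in candidates:
        vulns = dev.system_vulns or dev.app_vulns
        if not vulns:
            continue
        entry = table.setdefault(dev.version, TableEntry())
        for number in vulns:
            if number not in entry.vuln_numbers:
                entry.vuln_numbers.append(number)
        if entry.cpi_interval is None:   # first device seen for a version supplies intervals
            entry.cpi_interval = reference_interval(dev.cpi, CPI_INTERVALS)
            entry.mips_interval = reference_interval(dev.mips, MIPS_INTERVALS)
    return table


def lookup_configuration(table: Dict[str, TableEntry], version: str) -> Optional[dict]:
    """Claim 4: fetch vulnerability and resource info for the target device's version.

    Every hit increments the entry's query count, which ordered_versions() uses.
    """
    entry = table.get(version)
    if entry is None:
        return None
    entry.query_count += 1
    return {
        "vulnerabilities": list(entry.vuln_numbers),
        "cpi_interval": entry.cpi_interval,
        "mips_interval": entry.mips_interval,
    }


def ordered_versions(table: Dict[str, TableEntry]) -> List[str]:
    """Claim 6: version numbers arranged by number of queries, most queried first."""
    return sorted(table, key=lambda v: (-table[v].query_count, v))


def update_honeypot(original: dict, config: dict) -> dict:
    """Claims 1 and 4: apply the looked-up configuration to the original honeypot."""
    updated = dict(original)
    updated["emulated_vulnerabilities"] = config["vulnerabilities"]
    updated["cpi_interval"] = config["cpi_interval"]
    updated["mips_interval"] = config["mips_interval"]
    return updated


def respond_to_probe(honeypot: dict, probed_vuln: str) -> str:
    """Claim 8: answer malicious traffic consistently with the advertised
    vulnerabilities (assumed message format)."""
    if probed_vuln in honeypot["emulated_vulnerabilities"]:
        return f"VULNERABLE {probed_vuln} version={honeypot['version']}"
    return "OK"


if __name__ == "__main__":
    table = build_table(SAMPLE_CANDIDATES)
    config = lookup_configuration(table, "fw-2.0")
    pot = update_honeypot({"name": "pot-1", "version": "fw-2.0"}, config)
    print(pot, respond_to_probe(pot, "APP-0002"))
```

The model keeps the claim 1 precedence rule explicit (system vulnerability first, application vulnerability only as a fallback) and skips versions with no recorded vulnerability, which is a practical check the claims leave implicit: a honeypot entry with nothing to emulate gives the attacker nothing to be induced by.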
CN202210934661.6A 2022-08-04 2022-08-04 Method, device, medium and attack response method for obtaining target honeypot system Active CN115296909B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210934661.6A CN115296909B (en) 2022-08-04 2022-08-04 Method, device, medium and attack response method for obtaining target honeypot system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210934661.6A CN115296909B (en) 2022-08-04 2022-08-04 Method, device, medium and attack response method for obtaining target honeypot system

Publications (2)

Publication Number Publication Date
CN115296909A CN115296909A (en) 2022-11-04
CN115296909B true CN115296909B (en) 2023-11-10

Family

ID=83827118

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210934661.6A Active CN115296909B (en) 2022-08-04 2022-08-04 Method, device, medium and attack response method for obtaining target honeypot system

Country Status (1)

Country Link
CN (1) CN115296909B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107707576A (en) * 2017-11-28 2018-02-16 深信服科技股份有限公司 Network defense method and system based on honeypot technology
CN110391937A (en) * 2019-07-25 2019-10-29 哈尔滨工业大学 Internet of Things honeynet system based on SOAP service simulation
CN111488547A (en) * 2020-04-16 2020-08-04 广州锦行网络科技有限公司 Implementation device for flattened management of honeypots and honeynets based on web technology
CN111818062A (en) * 2020-07-10 2020-10-23 四川长虹电器股份有限公司 Docker-based CentOS high-interaction honeypot system and implementation method thereof
CN112187825A (en) * 2020-10-13 2021-01-05 网络通信与安全紫金山实验室 Honeypot defense method, system, equipment and medium based on mimicry defense
CN112367307A (en) * 2020-10-27 2021-02-12 中国电子科技集团公司第二十八研究所 Intrusion detection method and system based on container-level honeypot group
CN113553590A (en) * 2021-08-12 2021-10-26 广州锦行网络科技有限公司 Method for preventing attackers from escaping from honeypots
CN114500026A (en) * 2022-01-20 2022-05-13 深信服科技股份有限公司 Network traffic processing method, device and storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10270798B2 (en) * 2015-10-08 2019-04-23 Siege Technologies LLC Assessing effectiveness of cybersecurity technologies
US11263295B2 (en) * 2019-07-08 2022-03-01 Cloud Linux Software Inc. Systems and methods for intrusion detection and prevention using software patching and honeypots
US11271907B2 (en) * 2019-12-19 2022-03-08 Palo Alto Networks, Inc. Smart proxy for a large scale high-interaction honeypot farm

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ArkHoney: a Web honeypot based on a collaborative mechanism; Jia Zhaopeng; Fang Binxing; Cui Xiang; Liu Qixu; Chinese Journal of Computers (02); full text *

Also Published As

Publication number Publication date
CN115296909A (en) 2022-11-04

Similar Documents

Publication Publication Date Title
CN110381045B (en) Attack operation processing method and device, storage medium and electronic device
US10601848B1 (en) Cyber-security system and method for weak indicator detection and correlation to generate strong indicators
US7555777B2 (en) Preventing attacks in a data processing system
US9723018B2 (en) System and method of analyzing web content
US11036855B2 (en) Detecting frame injection through web page analysis
US20200014697A1 (en) Whitelisting of trusted accessors to restricted web pages
US20160099960A1 (en) System and method for scanning hosts using an autonomous, self-destructing payload
CN112738071A (en) Method and device for constructing attack chain topology
Bartoli et al. A framework for large-scale detection of Web site defacements
CN110351237B (en) Honeypot method and device for numerical control machine tool
CN113098835A (en) Honeypot implementation method based on block chain, honeypot client and honeypot system
CN109756467B (en) Phishing website identification method and device
Djap et al. Xb-pot: Revealing honeypot-based attacker’s behaviors
CN114124414B (en) Method and device for generating honey service, method for capturing attack behavior data, computer equipment and storage medium
Abuadbba et al. Towards web phishing detection limitations and mitigation
CN115296909B (en) Method, device, medium and attack response method for obtaining target honeypot system
Rahman et al. Classification of spamming attacks to blogging websites and their security techniques
CN111125702A (en) Virus identification method and device
CN115102785A (en) Automatic tracing system and method for network attack
CN113596044A (en) Network protection method and device, electronic equipment and storage medium
CN115065537B (en) Defending system and dynamic defending method aiming at WEB application automatic attack behaviors
CN115208670B (en) Honey net construction method, device, electronic equipment and computer readable storage medium
US20230275908A1 (en) Thumbprinting security incidents via graph embeddings
CN116545718A (en) Data classification method, device, storage medium and computer equipment
CN117914848A (en) Method and device for transmitting files across networks, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant