CN117544335A - Bait activation method, device, equipment and storage medium - Google Patents

Bait activation method, device, equipment and storage medium

Info

Publication number: CN117544335A
Application number: CN202311123225.1A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: data, user, bait, audit, security
Inventors: 田国良, 王鑫
Current and original assignee: China Mobile Communications Group Co Ltd; China Mobile Group Jiangsu Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Group Jiangsu Co Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols


Abstract

The invention discloses a bait activation method, device, equipment and storage medium, belonging to the technical field of network security. The method obtains user audit data and determines user behavior audit data from it; when the user behavior audit data meets the user security vulnerability characteristics, it determines the specified type data from the user audit data; and when the specified type data is sensitive data, it activates database baits and system file baits. In this way the baits do not need to run all the time: when the user behavior characteristics match the user security vulnerability characteristics, different baits are activated according to the data type to protect data security, the resource waste caused by keeping baits continuously active is avoided, and network security is ensured.

Description

Bait activation method, device, equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for activating a bait.
Background
With the development of internet technology, hidden network security dangers appear in more and more application scenarios. In recent years, network attack incidents have occurred frequently in the internet industry, bringing great losses and negative effects to enterprises, so network security has received increasing attention. Network security can be viewed, among other things, as a series of asymmetric conflicts between defenders and attackers: the defender must get it right (keep the attacker out) every single time, whereas the attacker only needs to be right once to succeed. This demands a high level of security on the defender's network and a targeted risk management process.
To prevent network attacks, the related technology generally deploys systems such as honey points, honey nets and honey pots close to the protected object. These systems clone a real target and lure the attacker (that is, they deploy baits), deceiving the attacker into attacking a false target; by interacting with the attacker and analyzing the attack techniques, the attacker is ultimately kept away from the real target.
However, there is no management method for the baits themselves, so once baits are deployed in systems such as honey points, honey nets and honey pots they must run continuously, which easily leads to problems such as resource waste.
The foregoing is provided merely for the purpose of facilitating understanding of the technical solutions of the present invention and is not intended to represent an admission that the foregoing is prior art.
Disclosure of Invention
The invention mainly aims to provide a bait activation method, device, equipment and storage medium, which aim to solve the technical problem in the prior art of resource waste caused by baits running continuously.
To achieve the above object, the present invention provides a bait activation method comprising the steps of:
acquiring user audit data, and determining user behavior audit data according to the user audit data;
determining specified type data according to the user audit data when the user behavior audit data meets the user security vulnerability characteristics;
and activating database baits and system file baits when the specified type of data is sensitive data.
Optionally, the acquiring user audit data includes:
acquiring user behavior data, security event information, service audit data and specified type data from a big data audit platform;
obtaining user behavior audit data according to the user behavior data and the security event information;
and obtaining user audit data according to the user behavior audit data, the service audit data and the specified type data.
Optionally, before determining the specified type of data according to the user audit data when the user behavior audit data meets the user security vulnerability characteristics, the method further includes:
determining user security configuration, network management information and external trust information according to the user behavior audit data;
judging whether a configuration vulnerability exists according to the user security configuration to obtain a first judgment result;
judging whether a management vulnerability exists or not according to the network management information, and obtaining a second judgment result;
judging whether a trust vulnerability exists according to the external trust information, and obtaining a third judgment result;
and determining whether the user behavior audit data meets the user security vulnerability characteristics according to the first judgment result, the second judgment result and the third judgment result.
Optionally, when the specified type of data is sensitive data, activating database baits and system file baits, including:
determining user access data according to the specified type data;
activating database baits when the specified type of data is sensitive data;
activating the system file bait is accomplished by deploying the bait file.
Optionally, the implementing the activation system file bait by deploying a bait file includes:
acquiring target words of a target directory and a target file system;
replacing and transposing the target word to generate false file content;
and obtaining a decoy file according to the content of the fake file, and connecting the decoy file with a hidden interface for deployment.
Optionally, when the specified type of data is sensitive data, activating the database bait and the system file bait further comprises:
determining the data type of the sensitive data, and determining the potential vulnerability type according to the data type;
determining whether the sensitive data has a security vulnerability according to the data type and the potential vulnerability type;
transmitting a data bait request with a transmission target address to a single-hop adjacent node through a source node;
matching the received feedback route request with a preset node;
and when the matching fails, determining the single-hop adjacent node as a malicious node and discarding the malicious node.
Optionally, when the user behavior audit data meets the user security vulnerability characteristics, determining the specified type data according to the user audit data further includes:
when the specified type data is not sensitive data, determining service audit data according to the user audit data;
judging whether an application program call security hole exists according to the service audit data;
if the application program call security hole exists, activating the system file bait.
In addition, to achieve the above object, the present invention also provides a bait activation device, including:
the data acquisition module is used for acquiring user audit data and determining user behavior audit data according to the user audit data;
the vulnerability confirmation module is used for determining specified type data according to the user audit data when the user behavior audit data meets the user security vulnerability characteristics;
and the bait activation module is used for activating database baits and system file baits when the specified type data are sensitive data.
In addition, to achieve the above object, the present invention also proposes a bait activation device comprising: a memory, a processor, and a decoy activation program stored on the memory and running on the processor, the decoy activation program configured to implement the decoy activation method as described above.
In addition, to achieve the above object, the present invention also proposes a storage medium having stored thereon a bait activation program which, when executed by a processor, implements the bait activation method as described above.
The method comprises the steps of obtaining user audit data and determining user behavior audit data from it; determining specified type data according to the user audit data when the user behavior audit data meets the user security vulnerability characteristics; and activating database baits and system file baits when the specified type data is sensitive data. In this way the baits do not need to run all the time: when the user behavior characteristics match the user security vulnerability characteristics, different baits are activated according to the data type to protect data security, the resource waste caused by keeping baits continuously active is avoided, and network security is ensured.
Drawings
FIG. 1 is a schematic diagram of the architecture of a bait activation device for a hardware operating environment in accordance with an embodiment of the invention;
FIG. 2 is a schematic flow chart of a first embodiment of the bait activation method according to the invention;
FIG. 3 is a flow chart of a second embodiment of the bait activation method of the invention;
FIG. 4 is a block diagram of a first embodiment of a bait activation device in accordance with the invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to fig. 1, fig. 1 is a schematic diagram of a bait activation device in a hardware running environment according to an embodiment of the present invention.
As shown in fig. 1, the bait activation device may include: a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and may optionally further include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (for example a Wireless-Fidelity (Wi-Fi) interface). The memory 1005 may be a high-speed random access memory (RAM) or a stable nonvolatile memory (NVM), such as a disk memory. The memory 1005 may optionally also be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in fig. 1 is not limiting of the bait activation device and may include more or fewer components than shown, or may combine certain components, or may be arranged in a different arrangement of components.
As shown in fig. 1, an operating system, a network communication module, a user interface module, and a bait activation program may be included in the memory 1005 as one type of storage medium.
In the bait activation device shown in fig. 1, the network interface 1004 is primarily used for data communication with a network server; the user interface 1003 is mainly used for data interaction with a user; the processor 1001 and the memory 1005 in the bait activation device according to the present invention may be disposed in the bait activation device, and the bait activation device invokes the bait activation program stored in the memory 1005 through the processor 1001 and executes the bait activation method provided by the embodiment of the present invention.
An embodiment of the present invention provides a method for activating a bait, referring to fig. 2, fig. 2 is a schematic flow chart of a first embodiment of a method for activating a bait according to the present invention.
In this embodiment, the bait activation method includes the following steps:
step S10: and acquiring user audit data, and determining user behavior audit data according to the user audit data.
In this embodiment, the execution body of the embodiment may be the bait activation device, where the bait activation device has functions of data processing, data communication, and program running, and the bait activation device may be a bait management server, and may be an entity server or a cloud server. Of course, other devices with similar functions may be used, and the implementation conditions are not limited thereto. For ease of description, this embodiment will be described with respect to a bait activation device.
It should be appreciated that, with the development of internet technology, network security risks appear in more and more application scenarios. In recent years, network attack incidents have occurred frequently in the internet industry, bringing great losses and negative effects to enterprises, so network security has received increasing attention. Network security can be viewed, among other things, as a series of asymmetric conflicts between defenders and attackers: the defender must get it right (keep the attacker out) every single time, whereas the attacker only needs to be right once to succeed. This demands a high level of security on the defender's network and a targeted risk management process. To prevent network attacks, the related technology generally deploys systems such as honey points, honey nets and honey pots close to the protected object; these systems clone a real target and lure the attacker (that is, they deploy baits), deceiving the attacker into attacking a false target, so that by interacting with the attacker and analyzing the attack techniques the attacker is ultimately kept away from the real target. A honey net is an active security defense system deliberately designed with vulnerabilities to induce an attacker to attack, so as to capture the attacker's behavior; it is a simulated network with the function of trapping network attacks, consisting of several honey pots and a network analysis system. A honey pot is defined as "a false, attractive and decoy resource whose value lies in being detected, attacked and even compromised".
Servers, hosts and other resources without attack value are deployed in the honey net to trap the attacker; the attacker's behavior against the target network is captured and handed to network administrators for research and analysis, and the attacker's methods, strategies and goals are inferred, so that the defenses are updated and the real network resources are protected. However, in the related art there is no management method for the baits, so once baits are deployed in systems such as honey points, honey nets and honey pots they must run continuously, which easily causes problems such as resource waste.
It should be understood that this embodiment provides an activation mechanism for the bait: the bait is activated only when a specified condition is satisfied. Compared with the prior art, in which the bait has to run continuously once systems such as honey points, honey nets and honey pots are deployed, in this embodiment the bait does not need to run continuously; when the behavior features of the user or tenant match the user security vulnerability features, different baits are activated according to the data type to protect data security. This both solves the resource waste problem of the related art and ensures network security. Whether the data accessed by the user or tenant is sensitive data is taken as the branching point, and different baits are activated in different ways according to the result. Specifically, if the data is sensitive, the bait management server activates the database bait and the user or system file bait; in addition, if the audit data of the specified type data shows that the sensitive data has a security hole, the data bait is activated. If the data is not sensitive, whether an API call security hole exists is judged according to the service audit data, and if so, the bait management server activates the user or system file bait. Whether the data accessed by the user or tenant is sensitive data is judged according to the audit data of the specified type data once it has been determined, based on the user behavior audit data or tenant behavior audit data, that the user or tenant behavior features match the user security vulnerability features.
The user audit data includes user behavior audit data, service audit data and specified type data.
Further, in order to accurately obtain user audit data from the big data audit platform, the step of obtaining user audit data in step S10 includes: acquiring user behavior data, security event information, service audit data and specified type data from a big data audit platform; obtaining user behavior audit data according to the user behavior data and the security event information; and obtaining user audit data according to the user behavior audit data, the service audit data and the specified type data.
It should be understood that the object for which the user audit data is directed in the solution of this embodiment may be a user or a tenant.
In a specific implementation, the user behavior audit data refers to data obtained by auditing the operation behaviors of the user/tenant. User behavior audit data may include important user behavior, date and time of important security events, user, event type, whether the event was successful, and other audit-related information. Similarly, tenant behavior audit data includes dates and times of important tenant behavior and important security events, tenants, event types, whether the event was successful, and other audit-related information.
It should be noted that the service audit data, also referred to as application service audit data, is the audit result obtained after a security audit of the operation behavior within the resource range controlled by the service provider/application service provider, and may include, for example, audit service timeliness, audit data type, audit depth and level.
It should be understood that the audit data of the specified data type may be understood as data obtained after the data of the specified data type is audited according to a preset requirement. For example, assuming that audit data of a data operation of a database needs to be acquired, log information of the data operation performed on the database may be acquired, and then each log information is audited and an audit result is generated, thereby obtaining audit data of the data operation of the specified database.
By this method, various audit data are obtained from the big data audit platform, and the bait type to enable is judged subsequently.
Step S20: and determining appointed type data according to the user audit data when the user behavior audit data meets the user security vulnerability characteristics.
In a specific implementation, determining whether the user behavior audit data satisfies the user-class security vulnerability characteristics is determined based on the user's configuration, network management information, and external trust information.
Further, in order to determine whether the user behavior audit information meets the user security vulnerability characteristics, before step S20 the method further includes: determining user security configuration, network management information and external trust information according to the user behavior audit data; judging whether a configuration vulnerability exists according to the user security configuration to obtain a first judgment result; judging whether a management vulnerability exists according to the network management information to obtain a second judgment result; judging whether a trust vulnerability exists according to the external trust information to obtain a third judgment result; and determining whether the user behavior audit data meets the user security vulnerability characteristics according to the first judgment result, the second judgment result and the third judgment result.
It should be noted that, a user security hole may be understood as a defect in a specific implementation or a system security policy caused by an operation behavior of a user, so that an attacker can access or destroy a system without authorization. Such as configuration vulnerabilities, management vulnerabilities, and trust vulnerabilities.
It should be understood that a configuration vulnerability means that security fails to work because the security configuration is unreasonable or incomplete; for example, after the network changes, the internal security configuration of the system is not updated in time, leaving a security hole. A management vulnerability is a security hole caused by carelessness of the network administrator, for example an administrator password that is too short or has not been changed for a long time, which invites password attacks, or two servers sharing a user name or password. A trust vulnerability refers to machines that over-trust external partners; once such a machine is compromised, network security is severely endangered.
In implementations, the user security vulnerability features are features that characterize the possible presence of a user security vulnerability. For example, taking a management vulnerability as the user security vulnerability, if it is determined that the password of the user or tenant administrator is too short or has not been changed for a long time, the user or tenant behavior feature is considered to match the user security vulnerability feature.
When it is determined, based on the user behavior audit data or tenant behavior audit data, that the user or tenant behavior feature matches the user security vulnerability feature, whether the data accessed by the user or tenant is sensitive data is determined according to the audit data of the specified type data. Before this judgment, the sensitive data can be defined and classified in advance; for example, online banking login credentials, company login credentials, credit card details, login credentials or user name/password information are defined as sensitive data, so that once the audit data of the specified type data is obtained, whether the data accessed by the user or tenant is sensitive can be judged from it.
It should be understood that when any one of the first, second and third judgment results indicates that the corresponding vulnerability exists, it is determined that the user behavior audit data meets the user security vulnerability characteristics.
By the method, whether the user behavior audit data meets the user security vulnerability characteristics or not is accurately judged.
Step S30: and activating database baits and system file baits when the specified type of data is sensitive data.
It should be noted that, whether the data is sensitive data is judged according to the appointed type data, then the activation of database baits and system file baits is carried out according to the data type of the sensitive data, if yes, the baits management server activates the database baits and the user or system file baits on one hand; on the other hand, according to the audit data of the appointed type data, when judging that the sensitive data has security holes, activating the data bait.
Further, in order to activate and enable the data bait after determining that the specified type of data is sensitive data, after step S30, the method further includes: determining the data type of the sensitive data, and determining the potential vulnerability type according to the data type; determining whether the sensitive data has a security vulnerability according to the data type and the potential vulnerability type; transmitting a data bait request with a transmission target address to a single-hop adjacent node through a source node; matching the received feedback route request with a preset node; and when the matching fails, determining the single-hop adjacent node as a malicious node and discarding the malicious node.
It should be understood that when judging whether the sensitive data itself has a security hole, a judging method matching the data type of the sensitive data and the vulnerability type it is prone to may be used. For example, suppose the sensitive data is information such as an online banking login credential, a company login credential, a login credential or a user name/password. Considering that such data is administrator password or password data, which tends to produce management vulnerabilities, judging whether the sensitive data itself has a security hole can be done by judging whether it shows management vulnerability features, for example that the credential or user name/password is too short or has not been changed for a long time. If such conditions are met, the sensitive data itself is considered to have a security hole.
In a specific implementation, if the sensitive data is configuration type data, which generally tends to produce configuration vulnerabilities, judging whether the sensitive data has a security hole can be done by judging whether the configuration type sensitive data shows configuration vulnerability features, for example whether its security configuration is unreasonable or incomplete; if so, the sensitive data is considered to have a security hole.
It should be noted that, when it is determined that the security hole exists in the sensitive data, the data bait is activated. In particular, data baiting is primarily intended to entice an attacker to send false (fake) routing requests to sensitive data. The data baits activated here are mainly used to perform aggressor node detection and mitigation processes.
It should be appreciated that after a user obtains sensitive data, the user will typically transmit it to the user's destination address, and will typically choose the shortest transmission path. Accordingly, an attacker will typically advertise itself as the best and shortest path to the target. The data bait in this scheme therefore works as follows. First, the source node sends a bait request carrying a target address to its single-hop neighbor nodes. Typically, on receiving the bait request an attacker replies with a false (fake) routing request even though it is not the target node. This false routing request packet is fed into the flow table lookup, where the attack is detected and buffered; if no attacker is found, the sensitive data is transmitted. The source node that receives the false routing request checks it against the original destination address. When the routing request returned by a node (the attacker) does not match the original (preset) node, the source node detects that node as malicious and discards it from the network.
By the method, whether the sensitive data has security holes or not is judged according to the audit data of the specified type, and the data bait is activated when the security holes exist in the sensitive data.
Further, in order to perform security protection when the specified type data is not sensitive data, after step S30 the method further includes: when the specified type data is not sensitive data, determining service audit data according to the user audit data; judging whether an application program call security hole exists according to the service audit data; and if the application program call security hole exists, activating the system file decoy.
In a specific implementation, if the data is not sensitive data, whether an API call security hole exists is judged according to the service audit data, and if one exists, the bait management server activates the user or system file bait.
It should be noted that if the data accessed by the user or tenant is not sensitive data within the specified type data, whether an API call security hole exists is determined according to the service audit data, and if so, the bait management server activates the user or system file bait.
By this method, whether an API call security hole exists is judged according to the service audit data; if so, the bait management server activates the user or system file bait, and the security of the system is improved.
According to this embodiment, user audit data is obtained, and user behavior audit data is determined according to the user audit data; specified type data is determined according to the user audit data when the user behavior audit data meets the user security vulnerability characteristics; and database baits and system file baits are activated when the specified type data is sensitive data. By this method, the bait does not need to work all the time: different baits can be activated according to the data type to protect data security when the user behavior characteristics match the user security vulnerability characteristics, the resource waste caused by keeping the baits continuously active is avoided, and network security can be ensured.
Referring to fig. 3, fig. 3 is a schematic flow chart of a second embodiment of a bait activation method according to the invention.
Based on the above first embodiment, the bait activation method in this embodiment includes, at step S30:
Step S301: determining user access data according to the specified type data.
It should be noted that, first, the access data of the user, that is, the data that the user views or transmits, is determined.
Step S302: activating database baits when the specified type data is sensitive data.
It should be appreciated that the specified type data is determined to be sensitive data and the database bait is activated in the following manner: according to the audit data of the specified type data, if the data accessed by the user or tenant is judged to be sensitive data, the bait management server activates the database bait and the user or system file bait. Here a database bait, e.g. TABLE CREDIT_CARDS or VIEW EMPLOYEES_SALARY, may be inserted into the database to entice an attacker, with a module implemented in the database management system that is responsible for monitoring access to the bait, alerting the database administrator, and recording malicious activity.
Step S303: activating the system file bait by deploying a decoy file.
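A database bait with the monitoring module just described, as an added example that is not the patent's code: decoy objects named after the ones in the description are created in the database, every statement that reads them is recorded, and an alert line is produced for the database administrator. It relies on SQLite's authorizer hook (sqlite3.Connection.set_authorizer), which SQLite calls while compiling each statement and which reports the table and column about to be read. The decoy names CREDIT_CARDS and EMPLOYEES_SALARY come from the description; their schemas, the fabricated rows, the alert format and the use of a table (rather than the VIEW the description mentions) for EMPLOYEES_SALARY are assumptions made here.

```python
"""Database bait with an access monitor (SQLite authorizer hook).

Added example, not the patent's code. Decoy names come from the description;
schemas, fabricated rows and alert format are assumptions made here.
"""
import sqlite3
from datetime import datetime, timezone

DECOY_OBJECTS = {"CREDIT_CARDS", "EMPLOYEES_SALARY"}


class DecoyMonitor:
    """Wraps a connection; run statements through run() so each one is
    attributed to the decoys it touched."""

    def __init__(self, conn, decoys=DECOY_OBJECTS):
        self.conn = conn
        self.decoys = {d.upper() for d in decoys}
        self.log = []            # record of malicious activity, one entry per statement
        self._touched = set()    # decoys read by the statement being compiled
        self._install_decoys()   # before the hook is installed, so setup is not logged
        conn.set_authorizer(self._authorize)

    def _install_decoys(self):
        cur = self.conn.cursor()
        # plausible-looking, entirely fabricated rows (constructed sample data)
        cur.execute("CREATE TABLE CREDIT_CARDS (id INTEGER PRIMARY KEY, holder TEXT, pan TEXT)")
        cur.execute("INSERT INTO CREDIT_CARDS (holder, pan) VALUES ('J. Doe', '4111111111111111')")
        cur.execute("CREATE TABLE EMPLOYEES_SALARY (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER)")
        cur.execute("INSERT INTO EMPLOYEES_SALARY (name, salary) VALUES ('A. Example', 98000)")
        self.conn.commit()

    def _authorize(self, action, arg1, arg2, db_name, source):
        # SQLITE_READ is reported once per (table, column) a statement reads;
        # arg1 is the table name, arg2 the column name
        if action == sqlite3.SQLITE_READ and arg1 and arg1.upper() in self.decoys:
            self._touched.add(arg1.upper())
        # allow the statement: the bait works by being read, not by being blocked
        return sqlite3.SQLITE_OK

    def run(self, sql, params=()):
        """Execute one statement; afterwards emit one log entry per decoy it read."""
        self._touched = set()
        cur = self.conn.execute(sql, params)
        rows = cur.fetchall()
        self.conn.commit()
        for table in sorted(self._touched):
            self.log.append({"time": datetime.now(timezone.utc).isoformat(),
                             "decoy": table, "sql": sql})
        return rows

    def alerts(self):
        """Lines the database administrator's alert channel would receive."""
        return [f"ALERT decoy {e['decoy']} read: {e['sql']}" for e in self.log]


if __name__ == "__main__":
    mon = DecoyMonitor(sqlite3.connect(":memory:"))
    mon.run("CREATE TABLE orders (id INTEGER PRIMARY KEY, amount INTEGER)")
    mon.run("SELECT id FROM orders")                 # legitimate: no alert
    mon.run("SELECT holder, pan FROM CREDIT_CARDS")  # bait read: one alert
    print("\n".join(mon.alerts()))
```

Because the hook fires at compile time, a statement that merely names the decoy table is recorded even if it returns no rows, and the access is attributed to the exact SQL text, which is what the administrator needs when reviewing the recorded activity.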
In an implementation, the system file baits are generated by deploying dummy files.
Further, in order to deploy the dummy file accurately and activate the decoy file, step S303 includes: acquiring target words of a target directory and a target file system; replacing and transposing the target words to generate false file content; and obtaining a decoy file according to the false file content, and connecting the decoy file to a hidden interface for deployment.
It should be noted that, for user or system file baits, decoy files are deployed automatically and monitored, and once these files are accessed the system users are alerted. To increase the attractiveness of the decoy, words collected from the target directory and target file system are replaced and transposed to generate the false file content. File-based deception techniques have focused primarily on decoy user data files; in order to prevent legitimate activities from accessing the decoy system files and triggering false alarms, a hidden interface is introduced through which the decoy files are excluded. This approach can further improve the detection of attackers, since an attack must call some system files.
This embodiment determines user access data according to the specified type data; activates database baits when the specified type data is sensitive data; and activates the system file bait by deploying the decoy file. By this method, when the specified type data is determined to be sensitive data, the database baits and system file baits are deployed according to the specified type data, and the security of the system and the responsiveness of bait activation are improved.
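The decoy-file procedure of step S303 carried through end to end, as an added example that is not the patent's code: target words are collected from the target directory, replaced and transposed to produce false file content, the decoy is written next to the real files, and an alert is raised for any access that does not come through the hidden interface reserved for legitimate activity. The word-mangling rules, the allow-list style hidden interface (a file listing that omits the decoys), the report_access entry point and the sample files are assumptions made here; a real deployment would take the access events from file-access auditing (inotify, OS audit logs) rather than from the caller.

```python
"""Decoy file generation (replace + transpose target words), deployment,
hidden interface and access alerting.

Added example, not the patent's code. Mangling rules, the hidden-interface
model and report_access are assumptions made here.
"""
from __future__ import annotations
import random
import re
from pathlib import Path

WORD_RE = re.compile(r"[A-Za-z0-9_]+")


def collect_words(root: Path) -> list[str]:
    """Target words: every token of every readable regular file under root."""
    words: list[str] = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            try:
                words.extend(WORD_RE.findall(p.read_text(errors="ignore")))
            except OSError:
                continue
    return words


def make_false_content(words: list[str], rng: random.Random,
                       replace_ratio: float = 0.3, width: int = 8) -> str:
    """Replacement: a word is swapped for another collected word of the same
    length, so the text keeps its shape. Transposition: adjacent pairs are
    swapped at random. The result only contains words seen in the target."""
    by_len: dict[int, list[str]] = {}
    for w in sorted(set(words)):
        by_len.setdefault(len(w), []).append(w)
    seq = list(words)
    for i, w in enumerate(seq):
        if rng.random() < replace_ratio:
            seq[i] = rng.choice(by_len[len(w)])
    for i in range(0, len(seq) - 1, 2):
        if rng.random() < 0.5:
            seq[i], seq[i + 1] = seq[i + 1], seq[i]
    lines = [" ".join(seq[j:j + width]) for j in range(0, len(seq), width)]
    return "\n".join(lines) + ("\n" if lines else "")


class DecoyFileMonitor:
    def __init__(self, root: Path, seed: int = 0):
        self.root = root
        self.rng = random.Random(seed)   # seeded so deployments are reproducible
        self.decoys: set[Path] = set()
        self.alerts: list[str] = []

    def deploy(self, name: str) -> Path:
        """Generate false content from the target directory and write the decoy."""
        content = make_false_content(collect_words(self.root), self.rng)
        path = (self.root / name).resolve()
        path.write_text(content)
        self.decoys.add(path)
        return path

    def hidden_listing(self) -> list[Path]:
        """The hidden interface: legitimate system activity enumerates files
        through this call and therefore never sees (or touches) the decoys."""
        return [p.resolve() for p in sorted(self.root.rglob("*"))
                if p.is_file() and p.resolve() not in self.decoys]

    def report_access(self, path: Path, via_hidden_interface: bool) -> bool:
        """Called for each observed file access. Returns True when an alert is
        raised: a decoy touched by anything outside the hidden interface."""
        p = Path(path).resolve()
        if p in self.decoys and not via_hidden_interface:
            self.alerts.append(f"ALERT decoy file accessed: {p.name}")
            return True
        return False
```

Keeping the replacement within the same word length is what makes the decoy resemble its neighbours (a configuration file still looks like a configuration file), while the transposition ensures that no line of real content survives verbatim; the hidden listing is the only channel through which maintenance jobs should enumerate the directory, so any other reader of a decoy is, by construction, not a legitimate activity.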
In addition, the embodiment of the invention also provides a storage medium, wherein the storage medium stores a bait activation program, and the bait activation program realizes the steps of the bait activation method when being executed by a processor.
Because the storage medium adopts all the technical schemes of all the embodiments, the storage medium has at least all the beneficial effects brought by the technical schemes of the embodiments, and the description is omitted here.
Referring to fig. 4, fig. 4 is a block diagram of a first embodiment of the bait activation device of the present invention.
As shown in fig. 4, the bait activation device according to the embodiment of the invention includes:
the data acquisition module 10 is configured to acquire user audit data, and determine user behavior audit data according to the user audit data.
The vulnerability confirming module 20 is used for determining specified type data according to the user audit data when the user behavior audit data meets the user security vulnerability characteristics.
The bait activation module 30 is used for activating database baits and system file baits when the specified type of data is sensitive data.
This embodiment obtains user audit data and determines user behavior audit data according to the user audit data; determines specified type data according to the user audit data when the user behavior audit data meets the user security vulnerability characteristics; and activates database baits and system file baits when the specified type data is sensitive data. By this method, the bait does not need to work all the time: different baits can be activated according to the data type to protect data security when the user behavior characteristics match the user security vulnerability characteristics, the resource waste caused by keeping the baits continuously active is avoided, and network security can be ensured.
In one embodiment, the data obtaining module 10 is further configured to obtain user behavior data, security event information, service audit data, and specified type data from a big data audit platform; obtaining user behavior audit data according to the user behavior data and the security event information; and obtaining user audit data according to the user behavior audit data, the service audit data and the specified type data.
In one embodiment, the vulnerability confirming module 20 is further configured to determine user security configuration, network management information and external trust information according to the user behavior audit data; judge whether a configuration vulnerability exists according to the user security configuration to obtain a first judgment result; judge whether a management vulnerability exists according to the network management information to obtain a second judgment result; judge whether a trust vulnerability exists according to the external trust information to obtain a third judgment result; and determine whether the user behavior audit data meets the user security vulnerability characteristics according to the first, second and third judgment results.
In one embodiment, the bait activation module 30 is further configured to determine user access data based on the specified type of data; activating database baits when the specified type of data is sensitive data; activating the system file bait is accomplished by deploying the bait file.
In one embodiment, the bait activation module 30 is further configured to obtain a target directory and target words of a target file system; replacing and transposing the target word to generate false file content; and obtaining a decoy file according to the content of the fake file, and connecting the decoy file with a hidden interface for deployment.
In an embodiment, the bait activation module 30 is further configured to determine a data type of the sensitive data, and determine a potential vulnerability type according to the data type; determining whether the sensitive data has a security vulnerability according to the data type and the potential vulnerability type; transmitting a data bait request with a transmission target address to a single-hop adjacent node through a source node; matching the received feedback route request with a preset node; and when the matching fails, determining the single-hop adjacent node as a malicious node and discarding the malicious node.
In one embodiment, the bait activation module 30 is further configured to determine service audit data based on the user audit data when the specified type of data is not sensitive data; judging whether an application program calling security hole exists or not according to the service audit data; if the application program call security hole exists, the system file decoy is activated.
It should be understood that the foregoing is illustrative only and is not limiting, and that in specific applications, those skilled in the art may set the invention as desired, and the invention is not limited thereto.
It should be noted that the above-described working procedure is merely illustrative, and does not limit the scope of the present invention, and in practical application, a person skilled in the art may select part or all of them according to actual needs to achieve the purpose of the embodiment, which is not limited herein.
In addition, technical details not described in detail in this embodiment may refer to the bait activation method provided in any embodiment of the present invention, and are not described herein.
Furthermore, it should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. Read Only Memory/RAM, magnetic disk, optical disk) and including several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (10)

1. A method of bait activation, the method comprising:
acquiring user audit data, and determining user behavior audit data according to the user audit data;
determining specified type data according to the user audit data when the user behavior audit data meets the user security vulnerability characteristics;
and activating database baits and system file baits when the specified type of data is sensitive data.
2. The bait activation method of claim 1, wherein the obtaining user audit data comprises:
acquiring user behavior data, security event information, service audit data and specified type data from a big data audit platform;
obtaining user behavior audit data according to the user behavior data and the security event information;
and obtaining user audit data according to the user behavior audit data, the service audit data and the specified type data.
3. The bait activation method of claim 1, wherein when the user behavior audit data meets a user class security vulnerability feature, before determining specified type data from the user audit data, further comprising:
determining user safety configuration, network management information and external trust information according to the user behavior audit data;
judging whether a configuration vulnerability exists according to the user security configuration to obtain a first judgment result;
judging whether a management vulnerability exists or not according to the network management information, and obtaining a second judgment result;
judging whether a trust vulnerability exists according to the external trust information, and obtaining a third judgment result;
and determining whether the user behavior audit data meets the user security vulnerability characteristics according to the first judgment result, the second judgment result and the third judgment result.
4. The bait activation method of claim 1, wherein activating database baits and system file baits when the specified type of data is sensitive data comprises:
determining user access data according to the specified type data;
activating database baits when the specified type of data is sensitive data;
activating the system file bait is accomplished by deploying the bait file.
5. The bait activation method of claim 4, wherein the implementing the activation system file bait by deploying a bait file comprises:
acquiring target words of a target directory and a target file system;
replacing and transposing the target word to generate false file content;
and obtaining a decoy file according to the content of the fake file, and connecting the decoy file with a hidden interface for deployment.
6. The bait activation method of claim 1, wherein after activating database baits and system file baits when the specified type of data is sensitive data, further comprising:
determining the data type of the sensitive data, and determining the potential vulnerability type according to the data type;
determining whether the sensitive data has a security vulnerability according to the data type and the potential vulnerability type;
transmitting a data bait request with a transmission target address to a single-hop adjacent node through a source node;
matching the received feedback route request with a preset node;
and when the matching fails, determining the single-hop adjacent node as a malicious node and discarding the malicious node.
7. The bait activation method of claim 1, wherein after determining the specified type of data from the user audit data when the user behavior audit data meets a user class security vulnerability feature, further comprising:
when the specified type data is not sensitive data, determining service audit data according to the user audit data;
judging whether an application program calling security hole exists or not according to the service audit data;
if the application program call security hole exists, the system file decoy is activated.
8. A bait activation device, wherein the bait activation device comprises:
the data acquisition module is used for acquiring user audit data and determining user behavior audit data according to the user audit data;
the vulnerability confirming module is used for determining specified type data according to the user audit data when the user behavior audit data meets the user security vulnerability characteristics;
and the bait activation module is used for activating database baits and system file baits when the specified type data are sensitive data.
9. A bait activation device, wherein the bait activation device comprises: a memory, a processor, and a bait activation program stored on the memory and running on the processor, the bait activation program being configured to implement the bait activation method as claimed in any one of claims 1 to 7.
10. A storage medium having stored thereon a bait activation program which when executed by a processor implements the bait activation method as claimed in any one of claims 1 to 7.
CN202311123225.1A 2023-09-01 2023-09-01 Bait activation method, device, equipment and storage medium Pending CN117544335A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311123225.1A CN117544335A (en) 2023-09-01 2023-09-01 Bait activation method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117544335A true CN117544335A (en) 2024-02-09

Family

ID=89784849

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination