WO2019140876A1 - Method for establishing phantom device capable of network attack prevention, medium, and device - Google Patents

Method for establishing phantom device capable of network attack prevention, medium, and device Download PDF

Info

Publication number
WO2019140876A1
WO2019140876A1 PCT/CN2018/096106 CN2018096106W WO2019140876A1 WO 2019140876 A1 WO2019140876 A1 WO 2019140876A1 CN 2018096106 W CN2018096106 W CN 2018096106W WO 2019140876 A1 WO2019140876 A1 WO 2019140876A1
Authority
WO
WIPO (PCT)
Prior art keywords
phantom
real
phantom device
mac address
template
Prior art date
Application number
PCT/CN2018/096106
Other languages
French (fr)
Chinese (zh)
Inventor
肖政
涂大志
戴昌
Original Assignee
深圳市联软科技股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 深圳市联软科技股份有限公司 filed Critical 深圳市联软科技股份有限公司
Publication of WO2019140876A1 publication Critical patent/WO2019140876A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1483Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1491Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/50Address allocation
    • H04L61/5007Internet protocol [IP] addresses
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/50Address allocation
    • H04L61/5046Resolving address allocation conflicts; Testing of addresses
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0236Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00Indexing scheme associated with group H04L61/00
    • H04L2101/60Types of network addresses
    • H04L2101/618Details of network addresses
    • H04L2101/622Layer-2 addresses, e.g. medium access control [MAC] addresses
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/50Address allocation
    • H04L61/5038Address allocation for local use, e.g. in LAN or USB networks, or in a controller area network [CAN]

Definitions

  • the present invention relates to the field of network security technologies, and in particular, to a method, a medium, and a device for establishing a phantom device for preventing network attacks.
  • honeynet honeypot is a network system, not a single host, this network system is hidden behind the firewall, all incoming and outgoing data is monitored, captured and controlled; honeypot technology It is a technique for spoofing an attacker. By arranging some hosts, network services or information as bait, the attacker is induced to attack them, so that the attack behavior can be captured and analyzed to understand the tools used by the attacker. And methods, speculating on the intent and motivation of the attack, can enable the defenders to clearly understand the security threats they face, and enhance the security protection of the actual system through technical and management means; these active defense technologies can effectively perceive and capture the botnet.
  • the application provides a method, a medium and a device for establishing a phantom device for preventing network attacks, and the established phantom device can be perfectly camouflaged into the network, and has strong defense capability.
  • the present application provides a method for establishing a phantom device for preventing network attacks, including:
  • the real device is classified, and each type of the real device is used as a device template
  • the configuration file is loaded to generate the phantom device.
  • the setting, according to the device template, a configuration file of the phantom device includes:
  • the assigning an IP address and a MAC address to each phantom device according to the device template includes:
  • the configuration file of the corresponding phantom device is set according to the IP, the MAC address, and the feature corresponding to the device template, including:
  • a profile of the phantom device is generated according to the set characteristics, IP, and MAC address of the phantom device.
  • the setting corresponding to the phantom device according to the feature of the device template includes:
  • the open port of the phantom device is set to a proxy mode according to an open port feature of the device module.
  • the method further comprises:
  • the phantom device corresponding to the IP is disabled, and the record of the phantom device is deleted; the configuration file corresponding to the phantom device is modified, and the modified The configuration file, updating the phantom device;
  • IP of the real device does not conflict with the IP of the phantom device, determining whether the MAC address of the real device conflicts with the MAC address of the phantom device;
  • the MAC address of the real device conflicts with the MAC address of the phantom device, reselecting a MAC address for the phantom device; updating the MAC address of the phantom device according to the reselected MAC address;
  • the new device that is newly online is continuously monitored.
  • the method further comprises:
  • the present application provides a method for preventing network attacks, including:
  • the method further comprises: continuously monitoring the suspicious device while blocking communication between the suspect device and the phantom device and the real device in the local area network.
  • the method further includes: collecting the risk information of the phantom device in real time after the phantom device is established, and transmitting the risk information to the user.
  • the present application provides a computer readable storage medium having stored thereon a computer program executed by a processor to implement the phantom device for preventing network attacks according to the first aspect. method.
  • the present application provides a computer device comprising: a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor executing the program to implement The method for establishing a phantom device for preventing network attacks according to the first aspect.
  • the present application provides a method for establishing a phantom device for preventing network attacks, comprising: acquiring features of real devices in a local area network; classifying the real devices according to the features, and using each type of the real devices as a type a device template, configured to set a configuration file of the phantom device according to the device template, and load the configuration file to generate the phantom device. Since each device template has the same characteristics as the real device, the phantom device configuration file is set according to the device template, and the phantom device is generated according to the configuration file, so that the generated phantom device has high similarity with the corresponding real device, and can be perfect.
  • the phantom device thus established is simple to deploy and use, consumes less computer resources and human resources, and is deployed and maintained. The safety and technical requirements of personnel are not high.
  • the method for preventing network attacks provided by the present application has the same advantageous effects as the method for establishing the phantom device for preventing network attacks described above.
  • a computer readable storage medium and a computer device provided by the present application have the same beneficial effects as the above-described phantom device establishment method for preventing network attacks.
  • FIG. 1 is a flowchart of a method for establishing a phantom device for preventing network attacks according to the present invention
  • FIG. 3 is a schematic structural diagram of a computer device according to the present invention.
  • the invention provides a phantom device establishment method, a medium, a device and an anti-network attack method for preventing network attacks.
  • FIG. 1 is a flowchart of a method for establishing a phantom device for preventing network attacks according to an embodiment of the present invention.
  • Step S101 Acquire a feature of a real device in the local area network.
  • Step S102 According to the feature, classify the real device, and use each type of the real device as a device template.
  • Step S103 Set a configuration file of the phantom device according to the device template.
  • Step S104 Load the configuration file to generate the phantom device.
  • the features may include: device type, operating system, operating system fingerprint, open port, vendor feature, and the like.
  • each real device in the local area network is classified, and one category corresponds to one device template.
  • one operating system corresponds to a category.
  • a phantom device refers to a masquerading system that prevents a network from attacking a real device.
  • the phantom device configuration file is set according to the device template, and the phantom device is generated according to the configuration file, so that the generated phantom device has high similarity with the corresponding real device, and can be perfect.
  • the camouflage into the network realize high simulation camouflage, timely and effectively perceive network attacks and conduct trapping or alarm forensics; at the same time, the phantom device thus established is simple to deploy and use, and consumes less computer resources and human resources.
  • the setting a configuration file of the phantom device according to the device template includes: assigning an IP (Internet Protocol) and a MAC (Media Access) to each phantom device according to the device template. Control or Medium Access Control) address; set a configuration file of the corresponding phantom device according to the IP, MAC address, and the feature corresponding to the device template.
  • IP Internet Protocol
  • MAC Media Access
  • the MAC address can be a physical address or a hardware address.
  • IP and MAC addresses are IP and MAC addresses.
  • IP address and MAC address must be set, but also other parameters, such as operating system fingerprint, operating system, open port, etc., need to be set according to multiple characteristics.
  • the assigning an IP address and a MAC address to each phantom device according to the device template includes: counting the number of real devices corresponding to each device template; and based on the number of real devices, according to a preset magnification Calculating a number of phantom devices corresponding to each of the device templates; calculating an alternative IP according to the IP of the real device; and selecting a corresponding quantity from the candidate IP for the device template according to the phantom device number IP; generates a MAC address of the corresponding phantom device according to the vendor characteristics of the device template.
  • the MAC address is generated according to the vendor characteristics of the device template, where the vendor feature of the device template is the vendor feature of the corresponding real device.
  • the generated phantom device has a different MAC address than the real device's MAC address, and each phantom device has a different MAC address.
  • the background staff can distinguish between real devices and phantom devices, and at the same time, improve the similarity between phantom devices and real devices. Moreover, in this way, the number of phantom devices can be adjusted according to the actual needs of different intranet levels, and the scalability is strong.
  • setting a configuration file of the corresponding phantom device according to the IP, the MAC address, and the feature corresponding to the device template including: setting a phantom device according to the feature of the device template Corresponding features; setting a corresponding IP for the phantom device according to the IP; setting a corresponding MAC address for the phantom device according to the MAC address; according to the feature of the phantom device, IP And a MAC address, generating a configuration file of the phantom device.
  • the port supported by the phantom device such as 22, 80 is configured as the proxy mode, and the proxy service points to the IP and port of the phantom device.
  • the phantom device's emulation can be improved by setting the phantom device's open port to proxy mode.
  • the similarity of the phantom device generated from the profile to the real device can be improved.
  • Honeyd when a profile is loaded to generate a phantom device, Honeyd can be used to load a profile to generate a phantom device.
  • Honeyd is an open source software for generating virtual honeypots.
  • the method further includes: monitoring a real device that is newly online in real time; detecting whether an IP address and a MAC address of the real device are related to an IP of the phantom device And the MAC address conflicts; if there is no conflict, the device continues to listen to the new device that is online; if the conflict occurs, it is determined whether the IP of the real device conflicts with the IP of the phantom device; if the IP address of the real device Determining the IP conflict of the phantom device, deactivating the phantom device corresponding to the IP, and deleting the record of the phantom device; modifying the configuration file corresponding to the phantom device, loading the modified configuration file, and updating the phantom If the IP address of the real device does not conflict with the IP address of the phantom device, determine whether the MAC address of the real device conflicts with the MAC address of the phantom device; if the IP address of the real device does not conflict with the IP address of the phantom device, determine whether the
  • the method further includes: detecting whether the IP address and the MAC address of the real device in the local area network conflict with the IP address and the MAC address of the phantom device, and if the conflict occurs, adjusting the parameter setting of the phantom device.
  • the specific detection process is:
  • Real-time monitoring of the real device on the new line detecting whether the IP and MAC address of the real device conflict with the IP and MAC address of the phantom device; if there is no conflict, it continues to listen to the new device that is online.
  • the conflict it is determined whether the IP of the real device conflicts with the IP of the phantom device; if the IP of the real device conflicts with the IP of the phantom device, the phantom device corresponding to the IP is disabled, and the record of the phantom device is deleted; the phantom is modified
  • the configuration file corresponding to the device load the modified configuration file, and update the phantom device. When loading the configuration file, use Honeyd to load the new configuration file.
  • the IP of the real device does not conflict with the IP of the phantom device, it is determined whether the MAC address of the real device conflicts with the MAC address of the phantom device; if the MAC address of the real device conflicts with the MAC address of the phantom device, the phantom device is selected again. MAC address; update the MAC address of the phantom device according to the reselected MAC address; if the MAC address of the real device does not conflict with the MAC address of the phantom device, continue to listen to the new device that is online.
  • the method further includes: determining whether the phantom device has reached a refresh cycle; if yes, performing the step of establishing a phantom device; if not, continuing Use the phantom device.
  • the phantom device After using the phantom device for a period of time, it is necessary to determine whether the phantom device has reached the refresh cycle. If not, the phantom device can continue to be used; if so, the phantom device needs to be deleted and a new phantom device is re-established. In this way, when the characteristics of the real device change, the phantom device that is not applicable can be deleted in time, the corresponding phantom device is established, and the phantom device is updated in time to better prevent the network from attacking the real device.
  • the refresh period can be determined based on the empirical value.
  • the advantages of the traditional honeypot honey net technology are fully absorbed, and a phantom device similar to the real device can be established, and the phantom device can be perfectly camouflaged into the real device in the network, and the network attack is timely and effectively perceived.
  • Conduct trapping or alarm forensics the present invention is simple to deploy and use, and the generation of these phantom devices in the internal network consumes a small amount of computer resources and saves resources.
  • the present invention can adjust the number of phantom devices according to the actual needs of different intranet levels, so that corresponding phantom devices can be provided for each real device.
  • the above is a method for establishing a phantom device for preventing network attacks provided by the present invention.
  • the present invention further provides a method for preventing network attacks.
  • FIG. 2 it is a schematic diagram of a method for preventing network attacks according to an embodiment of the present invention.
  • Step S101 Real-time monitoring communication information of the phantom device in the local area network; wherein the phantom device is established by the method described in the first embodiment;
  • Step S102 determining whether another device communicates with the phantom device
  • Step S103 If not, continue to monitor the communication information of the phantom device;
  • Step S104 If yes, mark the other device as a suspicious device
  • Step S105 Block communication between the suspicious device and the phantom device and the real device in the local area network, and send the information of the suspicious device to a network administrator.
  • the phantom device After the phantom device is generated, the phantom device needs to be spoofed into the real device.
  • the phantom device can be used as a shadow of a real device, pretending to be a real device, and preventing the real device from being attacked.
  • the phantom device prevents the network attack by: monitoring the communication information of the phantom device in the local area network in real time, determining whether other devices communicate with the phantom device, and if not, continuing to monitor the communication information of the phantom device; if any, the other
  • the device is marked as a suspicious device; the suspicious device is blocked from communicating with the phantom device and the real device, so that the suspicious device cannot attack the real device.
  • the information of the suspicious device can also be sent to the network administrator, so that the network administrator can perform related processing according to the information of the suspicious device in time.
  • the information of the discovered suspicious device can be sent to the network administrator through SMS/E-mail/SNMP Trap/syslog.
  • the risk information of the phantom device may also be collected in real time; the risk information is sent to the user.
  • the risk information of the phantom device can also be collected in real time, and the risk information is sent to the user for alerting and alerting the user to the risk of the phantom device.
  • the risk information may refer to information such as hacker attacks, communication between other devices and phantom devices.
  • the risk information of the phantom device of the user can be promptly alerted.
  • a phantom device establishment method for preventing network attacks is provided.
  • a third embodiment of the present invention provides a computer readable storage medium on which a computer program is stored. When the program is executed by the processor, the phantom device establishment method for preventing network attacks provided by the foregoing first embodiment is implemented.
  • the present invention further provides a computer device, including: a memory, a processor, and a computer program stored on the memory and operable on the processor,
  • the phantom device establishing method for preventing network attacks provided by the foregoing first embodiment is implemented when the processor executes the program.
  • FIG. 3 is a schematic diagram showing the hardware structure of a computer device according to an embodiment of the present invention.
  • the processor 201 may include a central processing unit (CPU), or an application specific integrated circuit (ASIC), or may be configured to implement one or more integrated circuits of the embodiments of the present invention. .
  • CPU central processing unit
  • ASIC application specific integrated circuit
  • Memory 202 can include mass storage for data or instructions.
  • the memory 202 may include a Hard Disk Drive (HDD), a floppy disk drive, a flash memory, an optical disk, a magneto-optical disk, a magnetic tape, or a Universal Serial Bus (USB) drive, or two or more. A combination of more than one of these.
  • Memory 202 may include removable or non-removable (or fixed) media, where appropriate.
  • Memory 202 may be internal or external to the data processing device, where appropriate.
  • memory 202 is a non-volatile solid state memory.
  • memory 202 includes a Read-Only Memory (ROM).
  • the ROM may be a mask-programmed ROM, a Programmable Read-only Memory (PROM), an Erasable Programmable ROM (EPROM), or an electrically erasable PROM (Electrically Erasable Programmable).
  • PROM Programmable Read-only Memory
  • EPROM Erasable Programmable ROM
  • PROM Electrically Erasable Programmable
  • EEPROM Electrically rewritable ROM
  • flash memory or a combination of two or more of these.
  • the processor 201 implements the phantom device establishment method for preventing any network attack by reading and executing the computer program instructions stored in the memory 202.
  • the establishment device of the anti-network attack phantom device may further include a communication interface 203 and a bus 210. As shown in FIG. 2, the processor 201, the memory 202, and the communication interface 203 are connected by the bus 210 and complete communication with each other.
  • the communication interface 203 is mainly used to implement communication between modules, devices, units and/or devices in the embodiments of the present invention.
  • the bus 210 includes hardware, software, or both, and couples components of the phantom device-creating device that are resistant to network attacks to each other.
  • the bus may include Accelerated Graphic Ports or Advanced Graphic Ports (AGP) or other graphics bus, Enhanced Industry Standard Architecture (EISA) bus, Front Side Bus (Front Side Bus, FSB), HyperTransport (HT) interconnect, Industry Standard Architecture (ISA) bus, infinite bandwidth interconnect, Low Pin Count (LPC) bus, memory bus, microchannel architecture ( MicroChannel Architecture, MCA) Bus, Peripheral Component Interconnect (PCI) bus, PCI-Express (PCI-X) bus, Serial Advanced Technology Attachment (SATA) bus, Video Electronics Standards Association (VESA local bus, VLB) bus or other suitable bus or a combination of two or more of these.
  • Bus 210 may include one or more buses, where appropriate. Although specific embodiments of the present invention are described and illustrated, the present invention contemplates any suitable bus or interconnect.
  • the functional blocks shown in the above structural block diagram may be implemented as hardware, software, firmware, or a combination thereof.
  • hardware When implemented in hardware, it can be, for example, an electronic circuit, an application specific integrated circuit (ASIC), suitable firmware, plug-ins, function cards, and the like.
  • ASIC application specific integrated circuit
  • the elements of the present invention are programs or code segments that are used to perform the required tasks.
  • the program or code segments can be stored in a machine readable medium or transmitted over a transmission medium or communication link through a data signal carried in the carrier.
  • a "machine-readable medium” can include any medium that can store or transfer information.
  • machine-readable media examples include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, radio frequency (RF) links, and the like.
  • the code segments can be downloaded via a computer network such as the Internet, an intranet, and the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

A method for establishing a phantom device capable of network attack prevention, a medium, and a device. The method comprises: obtaining features of real devices in a local area network; classifying the real devices according to the features, and separately using each type of real devices as a device template; setting a configuration file of a phantom device according to the device template; and loading the configuration file to generate the phantom device. A phantom device generated with the method of the present invention is highly similar to a corresponding real device and thus can be perfectly camouflaged in a network, so that high-simulation camouflage is achieved and a network attack can be promptly and effectively sensed, and trapped or warned and evidenced; furthermore, the phantom device established in this way is simple in deployment and use, less in consumed computer and human resources, and low in requirements for security expertise of deployment and maintenance personnel.

Description

一种防网络攻击的幻影设备建立的方法、介质及设备Method, medium and device for establishing phantom device for preventing network attack 技术领域Technical field
本发明涉及网络安全技术领域,具体涉及一种防网络攻击的幻影设备建立的方法、介质及设备。The present invention relates to the field of network security technologies, and in particular, to a method, a medium, and a device for establishing a phantom device for preventing network attacks.
背景技术Background technique
现有蜜网蜜罐等主动防御技术,蜜网是一个网路系统,而并非某台单一主机,这一网络系统隐藏在防火墙后面,所有进出的资料都受到监控、捕获及控制;蜜罐技术是一种对攻击方进行欺骗的技术,通过布置一些作为诱饵的主机、网络服务或者信息,诱使攻击方对它们实施攻击,从而可以对攻击行为进行捕获和分析,了解攻击方所使用的工具与方法,推测攻击意图和动机,能够让防御方清晰了解他们所面对的安全威胁,并通过技术和管理手段来增强实际系统的安全防护能力;这些主动防御技术,可以有效感知和捕获僵尸网络、脚本等自动化的攻击,但是现有技术中的伪装技术都不能很好地进行伪装,容易被攻击者识破,陷阱也容易被轻松绕开,防御能力较差。同时,传统的蜜网蜜罐等主动防御技术的部署和维护,对人员的安全专业技术要求较高。Active defensive technology such as honeynet honeypot, honeynet is a network system, not a single host, this network system is hidden behind the firewall, all incoming and outgoing data is monitored, captured and controlled; honeypot technology It is a technique for spoofing an attacker. By arranging some hosts, network services or information as bait, the attacker is induced to attack them, so that the attack behavior can be captured and analyzed to understand the tools used by the attacker. And methods, speculating on the intent and motivation of the attack, can enable the defenders to clearly understand the security threats they face, and enhance the security protection of the actual system through technical and management means; these active defense technologies can effectively perceive and capture the botnet. Automatic attacks such as scripts, but the camouflage techniques in the prior art are not well camouflaged, and are easily seen by attackers. The traps are easily circumvented and the defense ability is poor. At the same time, the deployment and maintenance of the active defense technology such as the traditional honeypot honeypot is highly demanding on the safety professional skills of personnel.
发明内容Summary of the invention
本申请提供一种防网络攻击的幻影设备建立的方法、介质及设备,建立的幻影设备能够完美地伪装到网络中,防御能力较强。The application provides a method, a medium and a device for establishing a phantom device for preventing network attacks, and the established phantom device can be perfectly camouflaged into the network, and has strong defense capability.
第一方面,本申请提供了一种防网络攻击的幻影设备建立方法,包括:In a first aspect, the present application provides a method for establishing a phantom device for preventing network attacks, including:
获取局域网中真实设备的特征;Obtaining the characteristics of real devices in the local area network;
根据所述特征,对所述真实设备进行分类,将每类所述真实设备分别作为一种设备模板;According to the feature, the real device is classified, and each type of the real device is used as a device template;
根据所述设备模板,设置幻影设备的配置文件;Setting a configuration file of the phantom device according to the device template;
加载所述配置文件,生成所述幻影设备。The configuration file is loaded to generate the phantom device.
优选地,所述根据所述设备模板,设置幻影设备的配置文件,包括:Preferably, the setting, according to the device template, a configuration file of the phantom device, includes:
根据所述设备模板,为每个幻影设备分配IP和MAC地址;Assigning an IP address and a MAC address to each phantom device according to the device template;
根据所述设备模板对应的所述IP、MAC地址和所述特征,设置相应幻影设备的配置文件。优选地,所述根据所述设备模板,为每个幻影设备分配IP和MAC地址,包括:And setting a configuration file of the corresponding phantom device according to the IP, the MAC address, and the feature corresponding to the device template. Preferably, the assigning an IP address and a MAC address to each phantom device according to the device template includes:
统计每个所述设备模板对应的真实设备数量;Counting the number of real devices corresponding to each of the device templates;
基于所述真实设备数量,根据预设倍率,计算每个所述设备模板对应的幻影设备数量;Calculating, according to the preset number of devices, a number of phantom devices corresponding to each of the device templates according to the preset number of devices;
根据所述真实设备的IP,计算备选IP;Calculating an alternative IP according to the IP of the real device;
根据所述幻影设备数量,从所述备选IP中为所述设备模板选取相应数量的IP;Selecting, according to the number of phantom devices, a corresponding number of IPs from the candidate IP for the device template;
根据所述设备模板的厂商特征,生成相应幻影设备的MAC地址。Generating a MAC address of the corresponding phantom device according to the vendor characteristics of the device template.
优选地,根据所述设备模板对应的所述IP、MAC地址和所述特征,设置相应幻影设备的配置文件,包括:Preferably, the configuration file of the corresponding phantom device is set according to the IP, the MAC address, and the feature corresponding to the device template, including:
根据所述设备模板的特征,设置幻影设备相对应的特征;Setting corresponding features of the phantom device according to characteristics of the device template;
根据所述IP,为所述幻影设备设定相应的IP;Setting a corresponding IP for the phantom device according to the IP;
根据所述MAC地址,为所述幻影设备设定相应的MAC地址;Setting a corresponding MAC address for the phantom device according to the MAC address;
根据设置的所述幻影设备的特征、IP和MAC地址,生成所述幻影设备的配置文件。A profile of the phantom device is generated according to the set characteristics, IP, and MAC address of the phantom device.
优选地,所述根据所述设备模板的特征,设置幻影设备相对应的特征,包括:Preferably, the setting corresponding to the phantom device according to the feature of the device template includes:
根据所述设备模块的开放端口特征,将所述幻影设备的开放端口设置为代理模式。The open port of the phantom device is set to a proxy mode according to an open port feature of the device module.
优选地,还包括:Preferably, the method further comprises:
实时监听新上线的所述真实设备;Real-time monitoring of the real device that is newly launched;
检测所述真实设备的IP和MAC地址是否与所述幻影设备的IP和MAC 地址冲突;若不冲突,则继续监听新上线的所述真实设备;Detecting whether the IP and MAC address of the real device conflict with the IP and MAC address of the phantom device; if not, continuing to monitor the new device that is online;
若冲突,则判断所述真实设备的IP是否与所述幻影设备的IP冲突;If the conflict occurs, determining whether the IP of the real device conflicts with the IP of the phantom device;
若所述真实设备的IP与所述幻影设备的IP冲突,则停用所述IP对应的幻影设备,并删除所述幻影设备的记录;修改所述幻影设备对应的配置文件,加载修改后的所述配置文件,更新所述幻影设备;If the IP of the real device conflicts with the IP of the phantom device, the phantom device corresponding to the IP is disabled, and the record of the phantom device is deleted; the configuration file corresponding to the phantom device is modified, and the modified The configuration file, updating the phantom device;
若所述真实设备的IP与所述幻影设备的IP不冲突,则判断所述真实设备的MAC地址是否与所述幻影设备的MAC地址冲突;If the IP of the real device does not conflict with the IP of the phantom device, determining whether the MAC address of the real device conflicts with the MAC address of the phantom device;
若所述真实设备的MAC地址与所述幻影设备的MAC地址冲突,则重新为所述幻影设备选取MAC地址;根据重新选取的所述MAC地址,更新所述幻影设备的MAC地址;If the MAC address of the real device conflicts with the MAC address of the phantom device, reselecting a MAC address for the phantom device; updating the MAC address of the phantom device according to the reselected MAC address;
若所述真实设备的MAC地址与所述幻影设备的MAC地址不冲突,则继续监听新上线的所述真实设备。If the MAC address of the real device does not conflict with the MAC address of the phantom device, the new device that is newly online is continuously monitored.
优选地,还包括:Preferably, the method further comprises:
判断所述幻影设备是否到了刷新周期;Determining whether the phantom device has reached a refresh cycle;
若是,则重新执行建立幻影设备的步骤;If yes, re-execute the steps of establishing a phantom device;
若否,则继续使用所述幻影设备。If not, continue to use the phantom device.
第二方面,结合第一方面本申请提供了一种防网络攻击的方法,包括:In a second aspect, the present application provides a method for preventing network attacks, including:
实时监测局域网中幻影设备的通讯信息;其中,所述幻影设备由第一方面所述的方法建立;Real-time monitoring of communication information of a phantom device in a local area network; wherein the phantom device is established by the method described in the first aspect;
判断是否有其它设备与所述幻影设备通讯;Determining whether there are other devices communicating with the phantom device;
若没有,则继续监测所述幻影设备的通讯信息;If not, continue to monitor the communication information of the phantom device;
若有,则将所述其它设备标记为可疑设备;If so, mark the other device as a suspicious device;
阻断所述可疑设备与所述局域网中的所述幻影设备和真实设备的通讯,并将所述可疑设备的信息发送至网络管理员。Blocking communication between the suspicious device and the phantom device and the real device in the local area network, and transmitting the information of the suspicious device to a network administrator.
优选地,还包括:在阻断所述可疑设备与所述局域网中的所述幻影设备和真实设备的通讯时,继续监测可疑设备。Preferably, the method further comprises: continuously monitoring the suspicious device while blocking communication between the suspect device and the phantom device and the real device in the local area network.
优选地,还包括:在建立所述幻影设备之后,实时采集所述幻影设备的风险信息,并将所述风险信息发送给用户。Preferably, the method further includes: collecting the risk information of the phantom device in real time after the phantom device is established, and transmitting the risk information to the user.
第三方面,结合第一方面,本申请提供了一种计算机可读存储介质,其上存储有计算机程序,该程序被处理器执行以实现第一方面所述的防网络攻击的幻影设备建立的方法。In a third aspect, in conjunction with the first aspect, the present application provides a computer readable storage medium having stored thereon a computer program executed by a processor to implement the phantom device for preventing network attacks according to the first aspect. method.
第四方面,结合第一方面,本申请提供了一种计算机设备,包括:存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,所述处理器执行所述程序以实现第一方面所述的防网络攻击的幻影设备建立的方法。In a fourth aspect, in conjunction with the first aspect, the present application provides a computer device comprising: a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor executing the program to implement The method for establishing a phantom device for preventing network attacks according to the first aspect.
本申请提供了一种防网络攻击的幻影设备建立的方法,包括:获取局域网中真实设备的特征;根据所述特征,对所述真实设备进行分类,将每类所述真实设备均作为一种设备模板;根据所述设备模板,设置幻影设备的配置文件;加载所述配置文件,生成所述幻影设备。由于每种设备模板具有的特征与真实设备的特征相同,再根据设备模板设置幻影设备的配置文件,根据配置文件生成幻影设备,这样,生成的幻影设备与相应的真实设备相似度高,能够完美地伪装到网络中,实现高仿真伪装,及时有效地感知网络攻击并进行诱捕或告警取证;同时,这样建立的幻影设备部署和使用简单,耗费的计算机资源和人力资源较少,对部署和维护人员的安全专业技术要求不高。The present application provides a method for establishing a phantom device for preventing network attacks, comprising: acquiring features of real devices in a local area network; classifying the real devices according to the features, and using each type of the real devices as a type a device template, configured to set a configuration file of the phantom device according to the device template, and load the configuration file to generate the phantom device. Since each device template has the same characteristics as the real device, the phantom device configuration file is set according to the device template, and the phantom device is generated according to the configuration file, so that the generated phantom device has high similarity with the corresponding real device, and can be perfect. It is disguised into the network to achieve high emulation camouflage, timely and effectively perceive network attacks and conduct trapping or alarm forensics. At the same time, the phantom device thus established is simple to deploy and use, consumes less computer resources and human resources, and is deployed and maintained. The safety and technical requirements of personnel are not high.
本申请提供的防网络攻击的方法与上述防网络攻击的幻影设备建立的方法出于相同的发明构思,具有相同的有益效果。The method for preventing network attacks provided by the present application has the same advantageous effects as the method for establishing the phantom device for preventing network attacks described above.
本申请提供的一种计算机可读存储介质和一种计算机设备,与上述防网络攻击的幻影设备建立方法出于相同的发明构思,具有相同的有益效果。A computer readable storage medium and a computer device provided by the present application have the same beneficial effects as the above-described phantom device establishment method for preventing network attacks.
附图说明DRAWINGS
为了更清楚地说明本发明具体实施方式或现有技术中的技术方案,下面将对具体实施方式或现有技术描述中所需要使用的附图作简单地介绍。在所有附图中,类似的元件或部分一般由类似的附图标记标识。附图中,各元件或部分并不一定按照实际的比例绘制。In order to more clearly illustrate the specific embodiments of the present invention or the technical solutions in the prior art, the drawings to be used in the specific embodiments or the description of the prior art will be briefly described below. In all the figures, like elements or parts are generally identified by like reference numerals. In the figures, elements or parts are not necessarily drawn to scale.
图1为本发明提供的一种防网络攻击的幻影设备建立的方法的流程图;1 is a flowchart of a method for establishing a phantom device for preventing network attacks according to the present invention;
图2为本发明提供的一种防网络攻击的方法的流程图;2 is a flowchart of a method for preventing network attacks according to the present invention;
图3为本发明提供的一种计算机设备的结构示意图。FIG. 3 is a schematic structural diagram of a computer device according to the present invention.
具体实施方式Detailed ways
下面将结合附图对本发明技术方案的实施例进行详细的描述。以下实施例仅用于更加清楚地说明本发明的技术方案,因此只是作为示例,而不能以此来限制本发明的保护范围。The embodiments of the technical solution of the present invention will be described in detail below with reference to the accompanying drawings. The following embodiments are only used to more clearly illustrate the technical solutions of the present invention, and thus are merely exemplary and are not intended to limit the scope of the present invention.
需要注意的是,除非另有说明,本申请使用的技术术语或者科学术语应当为本发明所属领域技术人员所理解的通常意义。It should be noted that the technical terms or scientific terms used herein should be used in the ordinary meaning as understood by those skilled in the art to which the invention belongs, unless otherwise stated.
本发明提供了一种防网络攻击的幻影设备建立方法、介质、设备以及防网络攻击方法。下面结合附图对本发明的实施例进行说明。The invention provides a phantom device establishment method, a medium, a device and an anti-network attack method for preventing network attacks. Embodiments of the present invention will be described below with reference to the accompanying drawings.
第一实施例:First embodiment:
请参考图1,图1为本发明具体实施例提供的一种防网络攻击的幻影设备建立方法的流程图,本实施例提供的一种防网络攻击的幻影设备建立方法,包括:Please refer to FIG. 1 . FIG. 1 is a flowchart of a method for establishing a phantom device for preventing network attacks according to an embodiment of the present invention.
步骤S101:获取局域网中真实设备的特征。Step S101: Acquire a feature of a real device in the local area network.
步骤S102:根据所述特征,对所述真实设备进行分类,将每类所述真实设备分别作为一种设备模板。Step S102: According to the feature, classify the real device, and use each type of the real device as a device template.
步骤S103:根据所述设备模板,设置幻影设备的配置文件。Step S103: Set a configuration file of the phantom device according to the device template.
步骤S104:加载所述配置文件,生成所述幻影设备。Step S104: Load the configuration file to generate the phantom device.
其中,特征可以包括:设备类型、操作系统、操作系统指纹、开放端 口、厂商特征等。The features may include: device type, operating system, operating system fingerprint, open port, vendor feature, and the like.
根据特征对局域网中各个真实设备进行分类,一个类别对应一种设备模板。例如,一种操作系统对应一个类别。According to the feature, each real device in the local area network is classified, and one category corresponds to one device template. For example, an operating system corresponds to a category.
在本发明中,幻影设备是指防止网络攻击真实设备的伪装系统。In the present invention, a phantom device refers to a masquerading system that prevents a network from attacking a real device.
由于每种设备模板具有的特征与真实设备的特征相同,再根据设备模板设置幻影设备的配置文件,根据配置文件生成幻影设备,这样,生成的幻影设备与相应的真实设备相似度高,能够完美地伪装到网络中,实现高仿真伪装,及时有效地感知网络攻击并进行诱捕或告警取证;同时,这样建立的幻影设备部署和使用简单,耗费的计算机资源和人力资源较少。Since each device template has the same characteristics as the real device, the phantom device configuration file is set according to the device template, and the phantom device is generated according to the configuration file, so that the generated phantom device has high similarity with the corresponding real device, and can be perfect. The camouflage into the network, realize high simulation camouflage, timely and effectively perceive network attacks and conduct trapping or alarm forensics; at the same time, the phantom device thus established is simple to deploy and use, and consumes less computer resources and human resources.
在本发明提供的一个具体实施例中,所述根据所述设备模板,设置幻影设备的配置文件,包括:根据所述设备模板,为每个幻影设备分配IP(Internet Protocol)和MAC(Media Access Control或者Medium Access Control)地址;根据所述设备模板对应的所述IP、MAC地址和所述特征,设置相应幻影设备的配置文件。In a specific embodiment of the present invention, the setting a configuration file of the phantom device according to the device template includes: assigning an IP (Internet Protocol) and a MAC (Media Access) to each phantom device according to the device template. Control or Medium Access Control) address; set a configuration file of the corresponding phantom device according to the IP, MAC address, and the feature corresponding to the device template.
其中,MAC地址,可以是物理地址或硬件地址。The MAC address can be a physical address or a hardware address.
在对真实设备分类好后,需要保存各个设备模板的特征备用。After classifying the real devices, you need to save the feature backup of each device template.
在设置配置文件时,重要的参数为IP和MAC地址。在配置文件中不仅要设置IP、MAC地址,还需要设置其它参数,例如,操作系统指纹、操作系统、开放端口等,需要根据多个特征来设置配置文件。通过根据多个特征设置配置文件,能够得到与真实设备高度相似的幻影设备,提高幻影设备的相似度。When setting up a configuration file, the important parameters are IP and MAC addresses. In the configuration file, not only the IP address and MAC address must be set, but also other parameters, such as operating system fingerprint, operating system, open port, etc., need to be set according to multiple characteristics. By setting a profile based on multiple features, it is possible to obtain a phantom device that is highly similar to a real device, improving the similarity of the phantom device.
在本发明中,所述根据所述设备模板,为每个幻影设备分配IP和MAC地址,包括:统计每个所述设备模板对应的真实设备数量;基于所述真实设备数量,根据预设倍率,计算每个所述设备模板对应的幻影设备数量;根据所述真实设备的IP,计算备选IP;根据所述幻影设备数量,从所述备选IP中为所述设备模板选取相应数量的IP;根据所述设备模板的厂商特征,生成相应幻影设备的MAC地址。In the present invention, the assigning an IP address and a MAC address to each phantom device according to the device template includes: counting the number of real devices corresponding to each device template; and based on the number of real devices, according to a preset magnification Calculating a number of phantom devices corresponding to each of the device templates; calculating an alternative IP according to the IP of the real device; and selecting a corresponding quantity from the candidate IP for the device template according to the phantom device number IP; generates a MAC address of the corresponding phantom device according to the vendor characteristics of the device template.
在为每个幻影设备分配IP和MAC地址时,首先,需要统计局域网中每 个设备模板对应的真实设备数量,根据预设倍率,计算需要建立的每个设备模板对应的幻影设备的数量。然后,根据真实设备的IP,结合存储设备中存储的空闲IP以及新计算的IP,选择幻影设备的备选IP,使备选IP与真实设备的IP不同。其中,在选择IP时,需要为每个设备模板选取相应数量的IP,每一个幻影设备都必须对应一个IP。最后,再根据设备模板的厂商特征,生成MAC地址,其中,设备模板的厂商特征也就是相应的真实设备的厂商特征。生成的幻影设备的MAC地址与真实设备的MAC地址不同,且每一个幻影设备的MAC地址都不相同。When assigning IP addresses and MAC addresses to each phantom device, you need to count the number of real devices corresponding to each device template in the LAN, and calculate the number of phantom devices corresponding to each device template to be established according to the preset magnification. Then, according to the IP of the real device, combined with the idle IP stored in the storage device and the newly calculated IP, the alternative IP of the phantom device is selected such that the alternative IP is different from the IP of the real device. Among them, when selecting IP, you need to select the corresponding number of IPs for each device template, and each phantom device must correspond to one IP. Finally, the MAC address is generated according to the vendor characteristics of the device template, where the vendor feature of the device template is the vendor feature of the corresponding real device. The generated phantom device has a different MAC address than the real device's MAC address, and each phantom device has a different MAC address.
通过这种方式为幻影设备分配IP和MAC地址,能够使后台工作人员很好地区分开真实设备和幻影设备,同时,又能够提高幻影设备与真实设备的相似度。并且,通过这种方式,能够根据不同内网量级的实际需求调节幻影设备的数量,伸缩性较强。By assigning IP and MAC addresses to the phantom devices in this way, the background staff can distinguish between real devices and phantom devices, and at the same time, improve the similarity between phantom devices and real devices. Moreover, in this way, the number of phantom devices can be adjusted according to the actual needs of different intranet levels, and the scalability is strong.
在本发明提供的一个具体实施例中,根据所述设备模板对应的所述IP、MAC地址和所述特征,设置相应幻影设备的配置文件,包括:根据所述设备模板的特征,设置幻影设备相对应的特征;根据所述IP,为所述幻影设备设定相应的IP;根据所述MAC地址,为所述幻影设备设定相应的MAC地址;根据设置的所述幻影设备的特征、IP和MAC地址,生成所述幻影设备的配置文件。In a specific embodiment of the present invention, setting a configuration file of the corresponding phantom device according to the IP, the MAC address, and the feature corresponding to the device template, including: setting a phantom device according to the feature of the device template Corresponding features; setting a corresponding IP for the phantom device according to the IP; setting a corresponding MAC address for the phantom device according to the MAC address; according to the feature of the phantom device, IP And a MAC address, generating a configuration file of the phantom device.
为每个幻影设备分配完IP和MAC地址后,就需要根据每个幻影设备对应的设备模板的特征、IP和MAC地址,设置配置文件。After assigning IP and MAC addresses to each phantom device, you need to set the configuration file according to the characteristics, IP and MAC address of the device template corresponding to each phantom device.
首先,需要创建幻影设备的配置文件的模板,根据预先保存的相应的设备模板的特征,设置配置文件的相应参数,例如,操作系统、对TCP/UDP/ICMP数据包的响应动作(reset/closed/open等)、操作系统指纹、开放端口等。First, you need to create a template for the configuration file of the phantom device, and set the corresponding parameters of the configuration file according to the characteristics of the corresponding device template saved in advance, for example, the operating system and the response action to the TCP/UDP/ICMP packet (reset/closed) /open, etc.), operating system fingerprints, open ports, etc.
其中,在设置开放端口时,将22,80等幻影设备支持的端口配置为代理模式,代理服务指向幻影设备的IP和端口。通过将幻影设备的开放端口设置为代理模式,能够提高幻影设备的仿真度。Among them, when setting the open port, the port supported by the phantom device such as 22, 80 is configured as the proxy mode, and the proxy service points to the IP and port of the phantom device. The phantom device's emulation can be improved by setting the phantom device's open port to proxy mode.
其中,还需要为21等端口配置相应的脚本来支撑幻影设备在相应端口开放的服务。Among them, you need to configure the corresponding script for the 21 ports to support the services that the phantom device is open on the corresponding port.
然后,再根据分配好的IP,设置幻影设备的配置文件的IP;再根据分配好的MAC地址,设置幻影设备的配置文件的MAC地址。Then, according to the assigned IP, set the IP of the configuration file of the phantom device; and then set the MAC address of the configuration file of the phantom device according to the assigned MAC address.
最后,根据设置好的参数,生成配置文件。Finally, a configuration file is generated based on the set parameters.
通过根据多个特征、IP和MAC地址生成配置文件,能够提高根据该配置文件生成的幻影设备与真实设备的相似度。By generating a profile based on a plurality of features, IPs, and MAC addresses, the similarity of the phantom device generated from the profile to the real device can be improved.
在本发明中,在加载配置文件生成幻影设备时,可以使用Honeyd加载配置文件,生成幻影设备。其中,Honeyd是一款用于生成虚拟蜜罐的开源软件。In the present invention, when a profile is loaded to generate a phantom device, Honeyd can be used to load a profile to generate a phantom device. Among them, Honeyd is an open source software for generating virtual honeypots.
在本发明提供的一个具体实施例中,在生成所述幻影设备的步骤之后,还包括:实时监听新上线的真实设备;检测所述真实设备的IP和MAC地址是否与所述幻影设备的IP和MAC地址冲突;若不冲突,则继续监听新上线的所述真实设备;若冲突,则判断所述真实设备的IP是否与所述幻影设备的IP冲突;若所述真实设备的IP与所述幻影设备的IP冲突,则停用所述IP对应的幻影设备,并删除所述幻影设备的记录;修改所述幻影设备对应的配置文件,加载修改后的所述配置文件,更新所述幻影设备;若所述真实设备的IP与所述幻影设备的IP不冲突,则判断所述真实设备的MAC地址是否与所述幻影设备的MAC地址冲突;若所述真实设备的MAC地址与所述幻影设备的MAC地址冲突,则重新为所述幻影设备选取MAC地址;根据重新选取的所述MAC地址,更新幻影设备的MAC地址;若所述真实设备的MAC地址与所述幻影设备的MAC地址不冲突,则继续监听新上线的所述真实设备。In a specific embodiment provided by the present invention, after the step of generating the phantom device, the method further includes: monitoring a real device that is newly online in real time; detecting whether an IP address and a MAC address of the real device are related to an IP of the phantom device And the MAC address conflicts; if there is no conflict, the device continues to listen to the new device that is online; if the conflict occurs, it is determined whether the IP of the real device conflicts with the IP of the phantom device; if the IP address of the real device Determining the IP conflict of the phantom device, deactivating the phantom device corresponding to the IP, and deleting the record of the phantom device; modifying the configuration file corresponding to the phantom device, loading the modified configuration file, and updating the phantom If the IP address of the real device does not conflict with the IP address of the phantom device, determine whether the MAC address of the real device conflicts with the MAC address of the phantom device; if the MAC address of the real device is If the MAC address of the phantom device conflicts, the MAC address is newly selected for the phantom device; and the MAC address of the phantom device is updated according to the reselected MAC address; MAC addresses of the phantom device apparatus does not conflict, then the device continues listening to the new on-line transactions.
在生成幻影设备之后,还可以包括:检测局域网中真实设备的IP和MAC地址是否与幻影设备的IP和MAC地址冲突,若冲突,则需要调整幻影设备的参数设置。After the phantom device is generated, the method further includes: detecting whether the IP address and the MAC address of the real device in the local area network conflict with the IP address and the MAC address of the phantom device, and if the conflict occurs, adjusting the parameter setting of the phantom device.
具体检测过程为:The specific detection process is:
实时监听新上线的真实设备;检测真实设备的IP和MAC地址是否与幻影设备的IP和MAC地址冲突;若不冲突,则继续监听新上线的真实设备。Real-time monitoring of the real device on the new line; detecting whether the IP and MAC address of the real device conflict with the IP and MAC address of the phantom device; if there is no conflict, it continues to listen to the new device that is online.
若冲突,则判断真实设备的IP是否与幻影设备的IP冲突;若真实设 备的IP与幻影设备的IP冲突,则停用该IP对应的幻影设备,并删除该幻影设备的记录;修改该幻影设备对应的配置文件,加载修改后的配置文件,更新幻影设备。在加载配置文件时,使用Honeyd载入新配置文件。If the conflict occurs, it is determined whether the IP of the real device conflicts with the IP of the phantom device; if the IP of the real device conflicts with the IP of the phantom device, the phantom device corresponding to the IP is disabled, and the record of the phantom device is deleted; the phantom is modified The configuration file corresponding to the device, load the modified configuration file, and update the phantom device. When loading the configuration file, use Honeyd to load the new configuration file.
若真实设备的IP与幻影设备的IP不冲突,则判断真实设备的MAC地址是否与幻影设备的MAC地址冲突;若真实设备的MAC地址与幻影设备的MAC地址冲突,则重新为该幻影设备选取MAC地址;根据重新选取的MAC地址,更新该幻影设备的MAC地址;若真实设备的MAC地址与幻影设备的MAC地址不冲突,则继续监听新上线的真实设备。If the IP of the real device does not conflict with the IP of the phantom device, it is determined whether the MAC address of the real device conflicts with the MAC address of the phantom device; if the MAC address of the real device conflicts with the MAC address of the phantom device, the phantom device is selected again. MAC address; update the MAC address of the phantom device according to the reselected MAC address; if the MAC address of the real device does not conflict with the MAC address of the phantom device, continue to listen to the new device that is online.
通过实时监听新上线的真实设备,能够避免混淆幻影设备与真实设备,避免在利用幻影设备防止网络攻击时,监控错误。By monitoring real-time devices on the new line in real time, you can avoid confusing phantom devices with real devices and avoid monitoring errors when using phantom devices to prevent network attacks.
在本发明提供的一个具体实施例中,在生成所述幻影设备的步骤之后,还包括:判断所述幻影设备是否到了刷新周期;若是,则重新执行建立幻影设备的步骤;若否,则继续使用所述幻影设备。In a specific embodiment provided by the present invention, after the step of generating the phantom device, the method further includes: determining whether the phantom device has reached a refresh cycle; if yes, performing the step of establishing a phantom device; if not, continuing Use the phantom device.
在使用幻影设备一段时间后,需要判断幻影设备是否到了刷新周期,若否,则可以继续使用该幻影设备;若是,则需要删除该幻影设备,重新建立新的幻影设备。这样,当真实设备的特征发生变化时,可以及时删除不适用的幻影设备,建立相应的幻影设备,及时更新幻影设备,更好地防止网络攻击真实设备。After using the phantom device for a period of time, it is necessary to determine whether the phantom device has reached the refresh cycle. If not, the phantom device can continue to be used; if so, the phantom device needs to be deleted and a new phantom device is re-established. In this way, when the characteristics of the real device change, the phantom device that is not applicable can be deleted in time, the corresponding phantom device is established, and the phantom device is updated in time to better prevent the network from attacking the real device.
其中,刷新周期可以根据经验值来确定。The refresh period can be determined based on the empirical value.
通过本发明的方法,充分吸收了传统蜜罐蜜网技术的长处,可以建立与真实设备相似的幻影设备,该幻影设备可以完美地伪装到网络中的真实设备中,及时有效地感知网络攻击并进行诱捕或告警取证。另外,本发明部署和使用简单,在内网中产生这些幻影设备所耗费的计算机资源很少,较节省资源。同时,本发明可以根据不同内网量级的实际需求调节幻影设备的数量,这样,能够为每个真实设备都提供相应的幻影设备。By the method of the invention, the advantages of the traditional honeypot honey net technology are fully absorbed, and a phantom device similar to the real device can be established, and the phantom device can be perfectly camouflaged into the real device in the network, and the network attack is timely and effectively perceived. Conduct trapping or alarm forensics. In addition, the present invention is simple to deploy and use, and the generation of these phantom devices in the internal network consumes a small amount of computer resources and saves resources. At the same time, the present invention can adjust the number of phantom devices according to the actual needs of different intranet levels, so that corresponding phantom devices can be provided for each real device.
以上,为本发明提供的一种防网络攻击的幻影设备建立方法。The above is a method for establishing a phantom device for preventing network attacks provided by the present invention.
第二实施例:Second embodiment:
与第一实施例相对应的本发明还提供一种防网络攻击方法,请参考图2,其为本发明实施例提供的一种防网络攻击的方法的示意图。The present invention further provides a method for preventing network attacks. Referring to FIG. 2, it is a schematic diagram of a method for preventing network attacks according to an embodiment of the present invention.
本发明第二实施例提供的一种防网络攻击方法,包括:A method for preventing network attacks provided by the second embodiment of the present invention includes:
步骤S101:实时监测局域网中幻影设备的通讯信息;其中,所述幻影设备由第一实施例中所述的方法建立;Step S101: Real-time monitoring communication information of the phantom device in the local area network; wherein the phantom device is established by the method described in the first embodiment;
步骤S102:判断是否有其它设备与所述幻影设备通讯;Step S102: determining whether another device communicates with the phantom device;
步骤S103:若没有,则继续监测所述幻影设备的通讯信息;Step S103: If not, continue to monitor the communication information of the phantom device;
步骤S104:若有,则将所述其它设备标记为可疑设备;Step S104: If yes, mark the other device as a suspicious device;
步骤S105:阻断所述可疑设备与所述局域网中的所述幻影设备和真实设备的通讯,并将所述可疑设备的信息发送至网络管理员。Step S105: Block communication between the suspicious device and the phantom device and the real device in the local area network, and send the information of the suspicious device to a network administrator.
在生成幻影设备后,需要将幻影设备伪装到真实设备中。幻影设备可以作为真实设备的影子,伪装为真实设备,避免真实设备被攻击。其中,幻影设备防止网络攻击的方法为:实时监测局域网络中幻影设备的通讯信息,判断是否有其它设备与幻影设备通讯,若没有,则继续监测幻影设备的通讯信息;若有,则将其它设备标记为可疑设备;阻断可疑设备与幻影设备和真实设备的通讯,使可疑设备不能攻击真实设备。同时,还可以将可疑设备的信息发送至网络管理员,使网络管理员可以根据可疑设备的信息及时做相关处理。After the phantom device is generated, the phantom device needs to be spoofed into the real device. The phantom device can be used as a shadow of a real device, pretending to be a real device, and preventing the real device from being attacked. The phantom device prevents the network attack by: monitoring the communication information of the phantom device in the local area network in real time, determining whether other devices communicate with the phantom device, and if not, continuing to monitor the communication information of the phantom device; if any, the other The device is marked as a suspicious device; the suspicious device is blocked from communicating with the phantom device and the real device, so that the suspicious device cannot attack the real device. At the same time, the information of the suspicious device can also be sent to the network administrator, so that the network administrator can perform related processing according to the information of the suspicious device in time.
其中,当监测到有其它设备与幻影设备通讯时,可以通过短信/E-mail/SNMP Trap/syslog等方式将发现的可疑设备的信息发送给网络管理员。When it is detected that other devices communicate with the phantom device, the information of the discovered suspicious device can be sent to the network administrator through SMS/E-mail/SNMP Trap/syslog.
在阻断可疑设备与幻影设备的通讯指挥,还可以继续监听有无其它设备与幻影设备通讯,继续监测可疑设备。In blocking the communication command between the suspicious device and the phantom device, you can continue to monitor whether other devices communicate with the phantom device and continue to monitor the suspicious device.
在本发明中,还可以实时采集所述幻影设备的风险信息;将所述风险信息发送给用户。In the present invention, the risk information of the phantom device may also be collected in real time; the risk information is sent to the user.
在建立幻影设备之后,还可以实时采集幻影设备的风险信息,并将风险信息发送给用户,以用于告警和提示用户幻影设备的风险。After the phantom device is established, the risk information of the phantom device can also be collected in real time, and the risk information is sent to the user for alerting and alerting the user to the risk of the phantom device.
在采集风险信息时,可以使用Honeyd采集幻影设备的风险信息。When collecting risk information, you can use Honeyd to collect risk information from the phantom device.
其中,风险信息可以指黑客攻击、其它设备与幻影设备通讯等信息。Among them, the risk information may refer to information such as hacker attacks, communication between other devices and phantom devices.
通过采集幻影设备的风险信息,能够及时警示用户幻影设备的相关风险信息。By collecting the risk information of the phantom device, the risk information of the phantom device of the user can be promptly alerted.
第三实施例:Third embodiment:
在上述的第一实施例中,提供了一种防网络攻击的幻影设备建立方法,结合上述第一实施例,本发明第三实施例提供一种计算机可读存储介质,其上存储有计算机程序,该程序被处理器执行时实现上述第一实施例提供的一种防网络攻击的幻影设备建立方法。In the above-mentioned first embodiment, a phantom device establishment method for preventing network attacks is provided. In combination with the above-described first embodiment, a third embodiment of the present invention provides a computer readable storage medium on which a computer program is stored. When the program is executed by the processor, the phantom device establishment method for preventing network attacks provided by the foregoing first embodiment is implemented.
第四实施例:Fourth embodiment:
结合第一实施例提供的一种防网络攻击的幻影设备建立方法,本发明还提供一种计算机设备,包括:存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,所述处理器执行所述程序时实现上述第一实施例提供的一种防网络攻击的幻影设备建立方法。图3示出了本发明实施例提供的一种计算机设备的硬件结构示意图。In conjunction with the phantom device establishment method for preventing network attacks provided by the first embodiment, the present invention further provides a computer device, including: a memory, a processor, and a computer program stored on the memory and operable on the processor, The phantom device establishing method for preventing network attacks provided by the foregoing first embodiment is implemented when the processor executes the program. FIG. 3 is a schematic diagram showing the hardware structure of a computer device according to an embodiment of the present invention.
具体地,上述处理器201可以包括中央处理器(Central Processing Unit,CPU),或者特定集成电路(Application Specific Integrated Circuit,ASIC),或者可以被配置成实施本发明实施例的一个或多个集成电路。Specifically, the processor 201 may include a central processing unit (CPU), or an application specific integrated circuit (ASIC), or may be configured to implement one or more integrated circuits of the embodiments of the present invention. .
存储器202可以包括用于数据或指令的大容量存储器。举例来说而非限制,存储器202可包括硬盘驱动器(Hard Disk Drive,HDD)、软盘驱动器、闪存、光盘、磁光盘、磁带或通用串行总线(Universal Serial Bus,USB)驱动器或者两个或更多个以上这些的组合。在合适的情况下,存储器202可包括可移除或不可移除(或固定)的介质。在合适的情况下,存储器202可在数据处理装置的内部或外部。在特定实施例中,存储器202是非易失性固态存储器。在特定实施例中,存储器202包括只读存储器(Read-Only Memory,ROM)。在合适的情况下,该ROM可以是掩模编程的ROM、可编程ROM(Programmable read-only memory,PROM)、可擦除PROM(Erasable  Programmable ROM,EPROM)、电可擦除PROM(Electrically Erasable Programmable Read Only Memory,EEPROM)、电可改写ROM(EAROM)或闪存或者两个或更多个以上这些的组合。 Memory 202 can include mass storage for data or instructions. By way of example and not limitation, the memory 202 may include a Hard Disk Drive (HDD), a floppy disk drive, a flash memory, an optical disk, a magneto-optical disk, a magnetic tape, or a Universal Serial Bus (USB) drive, or two or more. A combination of more than one of these. Memory 202 may include removable or non-removable (or fixed) media, where appropriate. Memory 202 may be internal or external to the data processing device, where appropriate. In a particular embodiment, memory 202 is a non-volatile solid state memory. In a particular embodiment, memory 202 includes a Read-Only Memory (ROM). Where appropriate, the ROM may be a mask-programmed ROM, a Programmable Read-only Memory (PROM), an Erasable Programmable ROM (EPROM), or an electrically erasable PROM (Electrically Erasable Programmable). Read Only Memory (EEPROM), electrically rewritable ROM (EAROM) or flash memory or a combination of two or more of these.
处理器201通过读取并执行存储器202中存储的计算机程序指令,以实现上述实施例中的任意一种防网络攻击的幻影设备建立方法。The processor 201 implements the phantom device establishment method for preventing any network attack by reading and executing the computer program instructions stored in the memory 202.
在一个示例中,防网络攻击幻影设备的建立设备还可包括通信接口203和总线210。其中,如图2所示,处理器201、存储器202、通信接口203通过总线210连接并完成相互间的通信。In one example, the establishment device of the anti-network attack phantom device may further include a communication interface 203 and a bus 210. As shown in FIG. 2, the processor 201, the memory 202, and the communication interface 203 are connected by the bus 210 and complete communication with each other.
通信接口203,主要用于实现本发明实施例中各模块、装置、单元和/或设备之间的通信。The communication interface 203 is mainly used to implement communication between modules, devices, units and/or devices in the embodiments of the present invention.
总线210包括硬件、软件或两者,将防网络攻击的幻影设备建立设备的部件彼此耦接在一起。举例来说而非限制,总线可包括加速图形端口(Accelerated Graphic Ports或者Advanced Graphic Ports,AGP)或其他图形总线、增强工业标准架构(Extended Industry Standard Architecture,EISA)总线、前端总线(Front Side Bus,FSB)、超传输(HyperTransport,HT)互连、工业标准架构(Industry Standard Architecture,ISA)总线、无限带宽互连、低引脚数(Low Pin Count,LPC)总线、存储器总线、微通道架构(MicroChannel Architecture,MCA)总线、外围组件互连(Peripheral Component Interconnect,PCI)总线、PCI-Express(PCI-X)总线、串行高级技术附件(Serial Advanced Technology Attachment,SATA)总线、视频电子标准协会局部(VESA local bus,VLB)总线或其他合适的总线或者两个或更多个以上这些的组合。在合适的情况下,总线210可包括一个或多个总线。尽管本发明实施例描述和示出了特定的总线,但本发明考虑任何合适的总线或互连。The bus 210 includes hardware, software, or both, and couples components of the phantom device-creating device that are resistant to network attacks to each other. By way of example and not limitation, the bus may include Accelerated Graphic Ports or Advanced Graphic Ports (AGP) or other graphics bus, Enhanced Industry Standard Architecture (EISA) bus, Front Side Bus (Front Side Bus, FSB), HyperTransport (HT) interconnect, Industry Standard Architecture (ISA) bus, infinite bandwidth interconnect, Low Pin Count (LPC) bus, memory bus, microchannel architecture ( MicroChannel Architecture, MCA) Bus, Peripheral Component Interconnect (PCI) bus, PCI-Express (PCI-X) bus, Serial Advanced Technology Attachment (SATA) bus, Video Electronics Standards Association (VESA local bus, VLB) bus or other suitable bus or a combination of two or more of these. Bus 210 may include one or more buses, where appropriate. Although specific embodiments of the present invention are described and illustrated, the present invention contemplates any suitable bus or interconnect.
需要明确的是,本发明并不局限于上文所描述并在图中示出的特定配置和处理。为了简明起见,这里省略了对已知方法的详细描述。在上述实施例中,描述和示出了若干具体的步骤作为示例。但是,本发明的方法过程并不限于所描述和示出的具体步骤,本领域的技术人员可以在领会本发明的精神后,作出各种改变、修改和添加,或者改变步骤之间的顺序。It is to be understood that the invention is not limited to the specific configurations and processes described above and illustrated in the drawings. For the sake of brevity, a detailed description of known methods is omitted here. In the above embodiments, several specific steps have been described and illustrated as examples. However, the method of the present invention is not limited to the specific steps described and illustrated, and those skilled in the art can make various changes, modifications and additions, or change the order between the steps after the spirit of the invention.
以上的结构框图中所示的功能块可以实现为硬件、软件、固件或者它们的组合。当以硬件方式实现时,其可以例如是电子电路、专用集成电路(ASIC)、适当的固件、插件、功能卡等等。当以软件方式实现时,本发明的元素是被用于执行所需任务的程序或者代码段。程序或者代码段可以存储在机器可读介质中,或者通过载波中携带的数据信号在传输介质或者通信链路上传送。“机器可读介质”可以包括能够存储或传输信息的任何介质。机器可读介质的例子包括电子电路、半导体存储器设备、ROM、闪存、可擦除ROM(EROM)、软盘、CD-ROM、光盘、硬盘、光纤介质、射频(RF)链路,等等。代码段可以经由诸如因特网、内联网等的计算机网络被下载。The functional blocks shown in the above structural block diagram may be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, it can be, for example, an electronic circuit, an application specific integrated circuit (ASIC), suitable firmware, plug-ins, function cards, and the like. When implemented in software, the elements of the present invention are programs or code segments that are used to perform the required tasks. The program or code segments can be stored in a machine readable medium or transmitted over a transmission medium or communication link through a data signal carried in the carrier. A "machine-readable medium" can include any medium that can store or transfer information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, radio frequency (RF) links, and the like. The code segments can be downloaded via a computer network such as the Internet, an intranet, and the like.
最后应说明的是:以上各实施例仅用以说明本发明的技术方案,而非对其限制;尽管参照前述各实施例对本发明进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分或者全部技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本发明各实施例技术方案的范围,其均应涵盖在本发明的权利要求和说明书的范围当中。Finally, it should be noted that the above embodiments are merely illustrative of the technical solutions of the present invention, and are not intended to be limiting; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that The technical solutions described in the foregoing embodiments may be modified, or some or all of the technical features may be equivalently replaced; and the modifications or substitutions do not deviate from the technical solutions of the embodiments of the present invention. The scope is intended to be included within the scope of the claims and the description of the invention.

Claims (12)

  1. 一种防网络攻击的幻影设备建立的方法,其特征在于,包括:A method for establishing a phantom device for preventing network attacks, comprising:
    获取局域网中真实设备的特征;Obtaining the characteristics of real devices in the local area network;
    根据所述特征,对所述真实设备进行分类,将每类所述真实设备分别作为一种设备模板;According to the feature, the real device is classified, and each type of the real device is used as a device template;
    根据所述设备模板,设置幻影设备的配置文件;Setting a configuration file of the phantom device according to the device template;
    加载所述配置文件,生成所述幻影设备。The configuration file is loaded to generate the phantom device.
  2. 根据权利要求1所述的方法,其特征在于,所述根据所述设备模板,设置幻影设备的配置文件,包括:The method according to claim 1, wherein the setting a configuration file of the phantom device according to the device template comprises:
    根据所述设备模板,为每个幻影设备分配IP和MAC地址;Assigning an IP address and a MAC address to each phantom device according to the device template;
    根据所述设备模板对应的所述IP、MAC地址和所述特征,设置相应幻影设备的配置文件。And setting a configuration file of the corresponding phantom device according to the IP, the MAC address, and the feature corresponding to the device template.
  3. 根据权利要求2所述的方法,其特征在于,所述根据所述设备模板,为每个幻影设备分配IP和MAC地址,包括:The method according to claim 2, wherein the assigning IP and MAC addresses to each phantom device according to the device template comprises:
    统计每个所述设备模板对应的真实设备数量;Counting the number of real devices corresponding to each of the device templates;
    基于所述真实设备数量,根据预设倍率,计算每个所述设备模板对应的幻影设备数量;Calculating, according to the preset number of devices, a number of phantom devices corresponding to each of the device templates according to the preset number of devices;
    根据所述真实设备的IP,计算备选IP;Calculating an alternative IP according to the IP of the real device;
    根据所述幻影设备数量,从所述备选IP中为所述设备模板选取相应数量的IP;Selecting, according to the number of phantom devices, a corresponding number of IPs from the candidate IP for the device template;
    根据所述设备模板的厂商特征,生成相应幻影设备的MAC地址。Generating a MAC address of the corresponding phantom device according to the vendor characteristics of the device template.
  4. 根据权利要求2所述的方法,其特征在于,根据所述设备模板对应的所述IP、MAC地址和所述特征,设置相应幻影设备的配置文件,包括:The method according to claim 2, wherein the configuration file of the corresponding phantom device is set according to the IP, the MAC address and the feature corresponding to the device template, including:
    根据所述设备模板的特征,设置幻影设备相对应的特征;Setting corresponding features of the phantom device according to characteristics of the device template;
    根据所述IP,为所述幻影设备设定相应的IP;Setting a corresponding IP for the phantom device according to the IP;
    根据所述MAC地址,为所述幻影设备设定相应的MAC地址;Setting a corresponding MAC address for the phantom device according to the MAC address;
    根据设置的所述幻影设备的特征、IP和MAC地址,生成所述幻影设备 的配置文件。A profile of the phantom device is generated based on the characteristics, IP, and MAC address of the phantom device that is set.
  5. 根据权利要求4所述的方法,其特征在于,所述根据所述设备模板的特征,设置幻影设备相对应的特征,包括:The method according to claim 4, wherein the setting the corresponding feature of the phantom device according to the feature of the device template comprises:
    根据所述设备模块的开放端口特征,将所述幻影设备的开放端口设置为代理模式。The open port of the phantom device is set to a proxy mode according to an open port feature of the device module.
  6. 根据权利要求1所述的方法,其特征在于,还包括:The method of claim 1 further comprising:
    实时监听新上线的真实设备;Real-time monitoring of real devices that are newly launched;
    检测所述真实设备的IP和MAC地址是否与所述幻影设备的IP和MAC地址冲突;若不冲突,则继续监听新上线的所述真实设备;Detecting whether the IP address and the MAC address of the real device conflict with the IP address and the MAC address of the phantom device; if not, continuing to monitor the new device that is online;
    若冲突,则判断所述真实设备的IP是否与所述幻影设备的IP冲突;If the conflict occurs, determining whether the IP of the real device conflicts with the IP of the phantom device;
    若所述真实设备的IP与所述幻影设备的IP冲突,则停用所述IP对应的幻影设备,并删除所述幻影设备的记录;修改所述幻影设备对应的配置文件,加载修改后的所述配置文件,更新所述幻影设备;If the IP of the real device conflicts with the IP of the phantom device, the phantom device corresponding to the IP is disabled, and the record of the phantom device is deleted; the configuration file corresponding to the phantom device is modified, and the modified The configuration file, updating the phantom device;
    若所述真实设备的IP与所述幻影设备的IP不冲突,则判断所述真实设备的MAC地址是否与所述幻影设备的MAC地址冲突;If the IP of the real device does not conflict with the IP of the phantom device, determining whether the MAC address of the real device conflicts with the MAC address of the phantom device;
    若所述真实设备的MAC地址与所述幻影设备的MAC地址冲突,则重新为所述幻影设备选取MAC地址;根据重新选取的所述MAC地址,更新所述幻影设备的MAC地址;If the MAC address of the real device conflicts with the MAC address of the phantom device, reselecting a MAC address for the phantom device; updating the MAC address of the phantom device according to the reselected MAC address;
    若所述真实设备的MAC地址与所述幻影设备的MAC地址不冲突,则继续监听新上线的所述真实设备。If the MAC address of the real device does not conflict with the MAC address of the phantom device, the new device that is newly online is continuously monitored.
  7. 根据权利要求1所述的方法,其特征在于,还包括:The method of claim 1 further comprising:
    判断所述幻影设备是否到了刷新周期;Determining whether the phantom device has reached a refresh cycle;
    若是,则重新执行建立幻影设备的步骤;If yes, re-execute the steps of establishing a phantom device;
    若否,则继续使用所述幻影设备。If not, continue to use the phantom device.
  8. 一种防网络攻击方法,其特征在于,包括:An anti-network attack method, comprising:
    实时监测局域网中幻影设备的通讯信息;其中,所述幻影设备由权利要求1-7任意一项所述的方法建立;Real-time monitoring of communication information of a phantom device in a local area network; wherein the phantom device is established by the method of any one of claims 1-7;
    判断是否有其它设备与所述幻影设备通讯;Determining whether there are other devices communicating with the phantom device;
    若没有,则继续监测所述幻影设备的通讯信息;If not, continue to monitor the communication information of the phantom device;
    若有,则将所述其它设备标记为可疑设备;If so, mark the other device as a suspicious device;
    阻断所述可疑设备与所述局域网中的所述幻影设备和真实设备的通讯,并将所述可疑设备的信息发送至网络管理员。Blocking communication between the suspicious device and the phantom device and the real device in the local area network, and transmitting the information of the suspicious device to a network administrator.
  9. 根据权利要求8所述的方法,其特征在于,还包括:在阻断所述可疑设备与所述局域网中的所述幻影设备和真实设备的通讯时,继续监测可疑设备。The method of claim 8 further comprising: continuously monitoring the suspicious device while blocking communication between the suspect device and the phantom device and the real device in the local area network.
  10. 根据权利要求8所述的方法,其特征在于,还包括:在建立所述幻影设备之后,实时采集所述幻影设备的风险信息,并将所述风险信息发送给用户。The method according to claim 8, further comprising: collecting the risk information of the phantom device in real time after the phantom device is established, and transmitting the risk information to the user.
  11. 一种计算机可读存储介质,其上存储有计算机程序,其特征在于,该程序被处理器执行以实现权利要求1-7任一项所述的方法。A computer readable storage medium having stored thereon a computer program, characterized in that the program is executed by a processor to implement the method of any of claims 1-7.
  12. 一种计算机设备,包括:存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,其特征在于,所述处理器执行所述程序以实现权利要求1-7任一项所述的方法。A computer apparatus comprising: a memory, a processor, and a computer program stored on the memory and operative on the processor, wherein the processor executes the program to implement any of claims 1-7 The method described.
PCT/CN2018/096106 2018-01-22 2018-07-18 Method for establishing phantom device capable of network attack prevention, medium, and device WO2019140876A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810059506.8 2018-01-22
CN201810059506.8A CN108322456A (en) 2018-01-22 2018-01-22 A kind of phantom equipment method for building up, medium and the equipment of anti-network attack

Publications (1)

Publication Number Publication Date
WO2019140876A1 true WO2019140876A1 (en) 2019-07-25

Family

ID=62887561

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/096106 WO2019140876A1 (en) 2018-01-22 2018-07-18 Method for establishing phantom device capable of network attack prevention, medium, and device

Country Status (2)

Country Link
CN (1) CN108322456A (en)
WO (1) WO2019140876A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112578761A (en) * 2021-02-03 2021-03-30 山东云天安全技术有限公司 Industrial control honey pot safety protection device and method

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115664844B (en) * 2022-11-17 2024-02-23 博智安全科技股份有限公司 Honeypot camouflage simulation method and device based on protocol agent and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101582907A (en) * 2009-06-24 2009-11-18 成都市华为赛门铁克科技有限公司 Method for enhancing the trapping capability of honeynet and honeynet system
CN103634264A (en) * 2012-08-20 2014-03-12 江苏中科慧创信息安全技术有限公司 Active trapping method based on behavior analysis
US20170019425A1 (en) * 2014-09-30 2017-01-19 Palo Alto Networks, Inc. Synchronizing a honey network configuration to reflect a target network environment
CN107222515A (en) * 2016-03-22 2017-09-29 阿里巴巴集团控股有限公司 Honey jar dispositions method, device and cloud server

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101567887B (en) * 2008-12-25 2012-05-23 中国人民解放军总参谋部第五十四研究所 Vulnerability simulation overload honeypot method
CN103139184B (en) * 2011-12-02 2016-03-30 中国电信股份有限公司 Intelligent network firewall device and network attack protection method
CN105024977A (en) * 2014-04-25 2015-11-04 湖北大学 Network tracking system based on digital watermarking and honeypot technology
CN107241338A (en) * 2017-06-29 2017-10-10 北京北信源软件股份有限公司 Network anti-attack devices, systems, and methods, computer-readable recording medium and storage control

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101582907A (en) * 2009-06-24 2009-11-18 成都市华为赛门铁克科技有限公司 Method for enhancing the trapping capability of honeynet and honeynet system
CN103634264A (en) * 2012-08-20 2014-03-12 江苏中科慧创信息安全技术有限公司 Active trapping method based on behavior analysis
US20170019425A1 (en) * 2014-09-30 2017-01-19 Palo Alto Networks, Inc. Synchronizing a honey network configuration to reflect a target network environment
CN107222515A (en) * 2016-03-22 2017-09-29 阿里巴巴集团控股有限公司 Honey jar dispositions method, device and cloud server

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ZHANG SHAOFANG ET AL.: "Deployment of honeypot system in virtual environment", COMPUTER KNOWLEDGE AND TECHNOLOGY, vol. 13, no. 23, 31 August 2017 (2017-08-31), pages 1 - 3 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112578761A (en) * 2021-02-03 2021-03-30 山东云天安全技术有限公司 Industrial control honey pot safety protection device and method

Also Published As

Publication number Publication date
CN108322456A (en) 2018-07-24

Similar Documents

Publication Publication Date Title
US11757844B2 (en) Smart proxy for a large scale high-interaction honeypot farm
US11757936B2 (en) Large scale high-interactive honeypot farm
US10992704B2 (en) Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network
US10404661B2 (en) Integrating a honey network with a target network to counter IP and peer-checking evasion techniques
US10230689B2 (en) Bridging a virtual clone of a target device in a honey network to a suspicious device in an enterprise network
Antonakakis et al. Understanding the mirai botnet
US10015198B2 (en) Synchronizing a honey network configuration to reflect a target network environment
US9838416B1 (en) System and method of detecting malicious content
US8997231B2 (en) Preventive intrusion device and method for mobile devices
Tsikerdekis et al. Approaches for preventing honeypot detection and compromise
US20110093951A1 (en) Computer worm defense system and method
CN110381041B (en) Distributed denial of service attack situation detection method and device
US9350754B2 (en) Mitigating a cyber-security attack by changing a network address of a system under attack
US10142360B2 (en) System and method for iteratively updating network attack mitigation countermeasures
Chovancová et al. Securing Distributed Computer Systems Using an Advanced Sophisticated Hybrid Honeypot Technology.
Qin et al. Worm detection using local networks
WO2019140876A1 (en) Method for establishing phantom device capable of network attack prevention, medium, and device
JP6592196B2 (en) Malignant event detection apparatus, malignant event detection method, and malignant event detection program
US8661102B1 (en) System, method and computer program product for detecting patterns among information from a distributed honey pot system
Rodrigues et al. Design and implementation of a low-cost low interaction IDS/IPS system using virtual honeypot approach
WO2020057156A1 (en) Safety management method and safety management device
Ohri et al. Software-Defined Networking Security Challenges and Solutions: A Comprehensive Survey
Adenuga-Taiwo et al. Security analysis of onos software-defined network platform
CN115225297B (en) Method and device for blocking network intrusion
US11997133B2 (en) Algorithmically detecting malicious packets in DDoS attacks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18901509

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 18.11.2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18901509

Country of ref document: EP

Kind code of ref document: A1