CN102882884A - Honeynet-based risk prewarning system and method in information production environment - Google Patents
Honeynet-based risk prewarning system and method in information production environment Download PDFInfo
- Publication number
- CN102882884A CN102882884A CN2012103884611A CN201210388461A CN102882884A CN 102882884 A CN102882884 A CN 102882884A CN 2012103884611 A CN2012103884611 A CN 2012103884611A CN 201210388461 A CN201210388461 A CN 201210388461A CN 102882884 A CN102882884 A CN 102882884A
- Authority
- CN
- China
- Prior art keywords
- data
- analysis
- honey
- client
- net
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
The invention discloses a honeynet-based risk prewarning system and a honeynet-based risk prewarning method in an information production environment. The system is provided with a network analyzer at least. When a honey pot is attacked, the honey pot can remind a client which is attacked by the honey pot so that the client can take appropriate measures. In addition, the attacked honey pot can also remind other honeynets of attacks. The communication aims to remind the client which receives the same or similar attacks. More importantly, in appropriate situations, the alarm can early warn other clients to take the appropriate measures to prevent the attacks and circulate in the same way; and through an intelligent analysis technology, a report form generated after the client takes and executes the appropriate measures to a manager for viewing. Because the system belongs to a modularized system, the system is updated or expanded easily, and the distributed design advantages can be realized.
Description
Technical field
The present invention relates to the computer network security technology field, relate in particular under a kind of e-manufacturing environment Warning System and method based on the honey net.
Background technology
At present, along with the development of Internet technology, the propagation of network sweep, worm and viral code and hacker's malicious attack etc. has been every danger that main frame may run at any time on the network.In order to tackle above-mentioned danger, anti-virus software and firewall technology grow up, but they are passive.The proposition of honey jar and sweet network technology formally produces for these security threats on the research network that makes an initiative sally.
The honey net is a new concept that grows up gradually on Honeypot Techniques, can become the trapping network again.Usually comprise one or more honey jars in the honey net, Honeypot Techniques is the high mutual Honeypot Techniques of a class research in fact still.Its main purpose is the attack information of collecting the hacker.But be with the difference of traditional Honeypot Techniques, the honey net has consisted of a hacker and has traped the network architectural framework, in this framework, can comprise one or more honey jars, guarantee simultaneously the high controllability of network, and provide multiple types of tools with convenient collection and analysis to attack information.
Honey jar refers to be deployed on the network, can disguise oneself as real network, main frame and service, the bait of temptation malicious attack, its value is the attack activity information on can collection network, and to these information monitor, determination and analysis.
Honeynet system is in order to collect invader's attack information, thereby, how to send network alert, how to make the important part that real-time protection is honeynet system.
The honey net is a kind of framework, rather than product (such as computer software), namely is comprised of one or more honey jars.Honey jar is a general general instrument, and it can inveigle the assailant to enter this network, thereby analyzes the relevant information in this network data source, obtains invader's login situation.Usually, a sweet net does not have productive value, and on the contrary, whether its value is to detect will not authorize and illegally use information system resources.Any data that enter or leave a honey jar may be regarded as probe, attack or compromise.How to inveigle the assailant to enter in the network by study, the keeper can learn these knowledge, to strengthen the defence capability of its network, is closed in the relevant vulnerability in the real network.
What be worth special concern is, the honey net is a kind of high mutual honey jar that catches the data type that constitutes a threat to, this honey jar is real time operating system, application or the service that general hacker uses, its advantage is exactly to be to allow the network manager can see that what instrument the assailant uses catch more assailants' invasion information, in addition, this possess the very difficult victim discovery of high interactively honey jar, because his complexity also is difficult to dispose and safeguard.
High interactively honey jar is different from low interactive honey jar, and this often provides limited interactive simulation operating system, application program and service, but low mutual honey jar may be easier to dispose and safeguard, the system that these are complicated more is difficult for discovering.In addition, the keeper often can only obtain the relevant tactics that limited information comprises the assailant.
Honey jar neither a computer do not use as a computer yet.The honey net normally is comprised of one or more honey pot system frameworks by one.This system can comprise a plurality of similar or different databases, server, the webserver, router or printer.In addition, in this framework, Design of Network System can be monitored all activities of this generation for allowing the hacker mutually interactive.
In a single day the honey planar network architecture is created, and needs to dispose timely, to attract hostile activity.As everyone knows, successful deployment requires Data Control and data acquisition to combine.Data Control requires in the ignorant situation of hacker, and system records hacker's comings and goings automatically, and gathers all relevant informations of hacker, and in sum, the Data Control stage preferentially gathers data and concentrates and analyze.
In the ordinary course of things, Data Control is mainly contained correlated activation and is helped to reduce the hacker attacks non-honeynet system with sweet net risk.Data Control requires to give the freedom that the hacker enters sweet net and limits its activity, and when the hacker obtains more when free, the hacker can walk around Data Control and damage the system of non-honey net, thereby increases risk to system.Yet when more activity was restricted, it became and more thinks little of the hacker and how to be penetrated into and to organize Intranet.Want successfully to dispose the embodiment that enforcement will utilize multi-level Data Control, level includes but are not limited to these, such as: departures connection, intrusion prevention gateway or broadband restriction etc., in conjunction with several different mechanism, can help to prevent the single failure point, especially process new or unknown attack.Honey net project also open suggestion operates under an experimental situation that is closed.Certainly, if there is the framework of failure (for example, a process is died, and hard disk drive is full, or the rule configuration mistake) the honey net of any mechanism may stop all departures activities.
Common sweet net environment has necessarily required Data Control, to satisfy specific target.Such as he should can realize self-defined and full-automatic simultaneously, has simultaneously two data key-courses at least, to prevent fault.When data control system breaks down, do not allow under the state of an opening, to leave system, can only allow in honey jar, to access, also should keep all connection status inbound and departures, the keeper can be at any time can be in this locality or the Remote configuration Data Control Center, connection should be to be difficult to discover, and when a honey jar was broken, automatic alarm should come into force.
Data acquisition mainly is the activity of monitoring and recording the hacker in the honey net.In case data are hunted down, it will be initiatively analyzed, to understand hacker's instrument, tactics and motivation.All be vital as Data Control and the captured information composition mechanism that combines, under the general condition, the number of plies is more, and the information that captive information often obtains is more.
Data Control, data acquisition also need to satisfy some target.For example, the data that sweet net is caught should not be stored in local honey jar, should arrange during data acquisition in order, reduce data contamination.Sweet net may be further polluted in data contamination, and like this, the data of catching are also just invalid.Data contamination all is an activity not adequately described in any environment.Namely the keeper is by attacking honey net test Fare Collection System for example, and it comprises: all inbound departures connect that (Firewall Logging), network activity (namely data capture of packets) and system activity etc. catch packet filed at least 1 year.All packets all are Real time visibles, and data also are considered as automatic file, for later analysis.Various deployment and the mode of operation of honey jar recorded in standardized daily record constantly.All honey jars of being captured be should give the log of standardization, detailedization, and the data acquisition of sweet net gateway should keep constantly consistent besides, and the data resource that captures can not have any modification, to guarantee the integrity protection of data.
Yet Data Control, its minimum standard are not because have the different technology of holding and method just passable, and often minimum standard of data acquisition needs in the honey jar data capture, should at first be determined the data of which type of data and what form.In addition, Firewall Log should be converted to the ASCII fromat of iptables, can use one such as the instrument of Sebek as for the activity of system itself, as the hiding kernel module of system, be used for specially catching the network with the dump host activities, prevent simultaneously the hacker illegally to smell the spy network.
Except Data Control and data capture, the 3rd requires namely data acquisition, and this also is necessary.Usually be applicable in distributed environment, a plurality of sweet nets be carried out data acquisition.This respect may be more special, because sweet net is the part of distributed network, for this, it is useful doing like this, collects in the center and catch no matter be the network data that is in logic or physically diverse location.But enterprise only has a sweet net, and it is just enough to have Data Control and data acquisition.
Just as Data Control and data acquisition, data acquisition also has certain realize target.For example, the honey net name definition of certain form should be arranged, can keep like this each honey jar website to have a unique type of identifier.The data of catching from transducer like this, can be guaranteed confidentiality, integrality, the authenticity of data.Associated mechanisms or test and appraisal tissue should be anonymous with data, and so tissue keeps maintaining secrecy of its former IP address and other information.Distributed honeynet will keep the accurate synchronization of data constantly just as the time protocol of a network standardization.
Similar data capture, data acquisition also have relevant standard to follow, and what data is these standards can determine, form and naming method that these data are used are to the central node that sends at last.Such as the data type of honey net can comprise binary log and the Firewall Log of PCAP ASCII fromat, and automatically is forwarded to central node every day.For example, the form that the time UNC can be followed is: the date (respective file can be ROO-20050825-001A-pcap.log), Firewall Log also can be named like this: respective file is (for example 20050825roo-001A-fwlogs.txt).In addition, the sweet net of each tissue has a unique identifier.
Certainly, there is risk in the leakage of the address of honey jar, and risk comprises: endanger, survey, forbid and put forward power, when sweet net was used for attacking or injures other non-honeynet systems, harm also just existed.For example, the hacker can illegally enter in the honey net, and send attack to the purpose victim, detection refers to identification or the exposure of each identity in the honey net, in case sweet net is found or exposes, it is worth and can greatly reduces, because the hacker can ignore or walk around honey jar now, thereby allows sweet net lose the ability of capturing information.Such as, connect to attempt if sweet barrier has 10 departures, but the hacker has been found that its identity, only need 11 times this moment or departures of more times number connect and attempt, and check the 11st time or whether other number of times set off successfully.In addition, the hacker is after entering the honey net, if packet is modified, amended packet is mail to the payload system, and then in transmission course, check and whether revise, in addition, if flow is to transmit by special passage in sweet network server, the delay that increases so shows, sweet net is certain position therein just.On honey jar, the hacker is with these method detection data acquisition functions.If forbid sweet net correlation function, will consist of risk, why so say, be because the hacker can be in the unwitting situation of keeper disable data control/data acquisition function, in case disabled, the hacker can continue data falsification, allow the keeper think still in functions such as service data collections.
Because risk can not be eliminated fully, so will reduce risks to greatest extent, this also is following optimal path.For helping to reduce these risks, people propose various suggestions, and specialized department points out to have a quite honey jar of the real time monitoring of specialty.Can customize modification, to adapt to the honey jar of oneself, so the result who finally demonstrates is different, because Honeypot Techniques is to increase income with disclosed, therefore, anyone comprises the hacker, all has the access of default setting.
Summary of the invention
Purpose of the present invention is exactly in order to address the above problem, Warning System and method based on the honey net are provided under the e-manufacturing environment, it can generate the decision scheme of an exercisable early warning system automatically, it can constantly scan the flow of rogue activity, its result can intelligence analysis, and a plurality of clients are taked the intelligence action.
To achieve these goals, the present invention adopts following technical scheme:
Under a kind of e-manufacturing environment based on the Warning System of honey net, comprise several clients, the honey net, be connected by the Internet between honey net and the client, described sweet net comprises honey jar, server, filter, switch, database, at least one network analyzer, switch, the business information transmitter, the automatic decision device, described automatic decision device comprises the intruding detection system control desk, analysis console, described sweet net connects by the Internet, described server is connected with database by switch, database is connected with switch by network analyzer, described switch connects the automatic decision device, described switch also is connected with the business information transmitter by the Internet, described filter is connected with database with network analyzer respectively, described client comprises the counteroffensive box, switch and far-end client, described counteroffensive box is connected with the far-end client by switch;
When a honey jar in a certain honey net was attacked, honey jar gave warning in advance, and informs to be about to the client that quilt is attacked, and client can be taked adequate measures like this; The honey jar of being attacked is notified other sweet nets simultaneously; Other sweet nets also its corresponding client of early warning take adequate measures to prevent from attacking in advance, and the analysis console in the honey net is by intellectual analysis, and the form that client is generated Ex post is transferred to the keeper.
The workflow of described method for early warning is as follows:
Step 1: the network traffics of the network analyzer listening port of honey net;
Step 2: the filter of honey net filters, and stores snoop results into database;
Step 3: sweet net enters three kinds of parallel parsing stages: signature analysis, the analysis of statistics anomaly analysis and data flow-based;
Step 4: the result of three kinds of analyses is directly sent into analysis console and intruding detection system control desk, and the data of wherein sending into analysis console enter automatic decision after the control desk processing by analysis, then enter the intruding detection system control desk; Perhaps, deposit first three kinds of analysis results in database, then send into respectively analysis console and intruding detection system control desk by the data in the database, the data of wherein sending into analysis console enter automatic decision after the control desk processing by analysis, then enter the intruding detection system control desk again.
The specific works step of the analysis console in the described step 4 is as follows:
Step 1: beginning;
Step 2: the network analyzer receive data receives at least the data from a network analyzer; Described network analyzer is the part of a honey net at least simultaneously;
Step 3: generate grouped data, by data are carried out sifting sort according to certain hierarchical structure attribute;
Step 4: the data to classification sort, and use at least a predetermined attribute;
Step 5: carry out session with a client, have a relevant attribute at least;
Step 6: receive the request from client, carry out a topic;
Step 7: according to client's request for information about, send associated materials, and in time notify.
Described signature analysis method is the realization in intruding detection system, is based on string matching, string matching, and a string code namely, ordinary representation detects specific malicious traffic stream feature by the packet that relatively imports into; Signature comprises a phrase or the order of often attacking, if find a coupling, will produce alarm; If no, the signature on the grouping comparison list; Until all signatures are through checking; In case finish, next packet can be read into internal memory, can begin again in the process that wherein signature checks.
Described statistics exception analysis method be by comparative observation to behavior and the behavior of expection attempt to seek invasion; The statistics anomaly analysis is based on signature analysis, and it mates attack known in observation data and the database for detection of the attack of new the unknown and needn't depend on.
The analysis of described data flow-based is flow and the total flow of network of more current honey jar; Observe network traffics, concentrate on some malicious traffic streams, the end user of the Internet is the type, transport layer protocol of characteristics, the network traffics in the quantity of seeing malicious traffic stream, identification malicious traffic stream source and according to five-tuple, comprising purpose IP address, source, source and target port and TLP; For each stream, the time that statistic gathering is different, the quantity of transmission or receive data bag, the source and target parameter, Reflector, window size, each stream, even a local IP and port numbers and remote I P and port numbers are only arranged; Local computer typically refers to the main frame of client operation and the information of collection, and remote machine typically refers to other main frames in current network; Collect rear a certain amount of data from local IP and far-end IP, each data set compares, and uses a specific form, analyzes last specified data.
Described network analyzer is used for receive data, and according to data classification demonstration, and reach as much as possible predetermined attribute hierarchy, arrangement is according to the confidential data of predetermined attribute, pass on one or more attribute related subjects that subscribe to client, receive the request of passing on from another client.
Described predetermined attribute comprises source, geographical position, theme, seriousness, frequency, time, procotol, sees for details as described in the figure seven.
Beneficial effect of the present invention:
1 it be more than one agency distributed system, can collect and shared data.
2 it can constantly scan the flow of rogue activity, the analysis that its result can intelligence, and a plurality of clients are taked the intelligence action.
3 can automatic activation based on the script of event data.Certainly, also can make the reaction of its autonomous type, strike back invasion such as change firewall policy real-time on fire compartment wall as defensive measure or the adjustment of jumping off property strategy.
4 it can customized personal to satisfy particular demands.
5 its only need or do not need special network service condition just can make HardwareUpgring because this scheme belongs to modular system, can be easy to realize system upgrade or expansion, consequently can realize distributed design advantage.
Description of drawings
Fig. 1 is an example of an interactive honey jar server farm
Fig. 2 and Fig. 3 are that what to show is that each is based on the embodiment of the sweet network server field that can operate early warning system;
Fig. 4 is based on the flow chart of the honeynet system of Risk-warning under the e-manufacturing environment;
Fig. 5 is multiple automatic decision point, breakout and agent's Relations Among figure;
Fig. 6 is the cardinal principle network structure that honey jar is installed;
Fig. 7 is that honey is netted the detailed instance graph that arranges;
Fig. 8 is the graph of a relation between automatic decision point, breakout and the use java snoop agents;
Embodiment
The invention will be further described below in conjunction with accompanying drawing and embodiment.
As shown in Figure 1, when honey jar was attacked, honey jar can be informed the client of its attack, so that client can be taked adequate measures.In addition, the honey jar of being attacked also can be notified the attack of other honey nets.The purpose of this communication is to remind to receive the client of identical or similar attack.The more important thing is that in appropriate circumstances, this alarm can other clients of early warning take adequate measures to prevent this attack.
As shown in Figure 2, based on one of the early warning system correlated activation about the present invention's honey network server field.A sweet network server field comprises a plurality of sweet nets, and he detects for the network traffics of each honey jar and the result is sorted.The filter that configuration is relevant can determine which activity or data are regarded as attacking, and relevant data or filter can be stored or be packaged into the database storage, and the data of storing in database can be retrieved.In addition, but this filter visual instrument of data formation in the filtering of network traffic is also conveniently checked.Yet such network visualization instrument is brought into neither be very necessary in the network analyzer.
Example of the present invention is based on the sweet network server field that can operate early warning system, and the computer-readable recording mediums such as computer form one or more sweet nets, the network technology that can help user or keeper to learn to invade.It allows potential assailant to access this honey jar, this honey jar can be used as a virtual network, and learn various infiltration technologies, the computer-readable recording mediums such as this computer can generate user/keeper automatically to current or potential unwarranted access, then determine defendance or strike back this network.
Network analyzer can obtain and analyze the data on flows that sends from filter.This is that network analyzer can be used as an intruding detection system (IDS).IDS is can real-time analysis and the packet data recording of IP network.Some IDS increases income, and other are not then increased income.Use flexibly rule language, IDS can carry out and can seek or mate dependency rule, and detect various attack or smell spy, can scan and smell spy not only in following these: buffer overflow, stealthy TCP, CGI are attacked, SMB surveys, trial of operation system fingerprint etc.
The result that network analyzer analyzes, these results can be forwarded to an information center, can comprise that second database, analysis console, feedback controller also have a full-automatic automatic analysis control desk.Correlated results may be forwarded to first second database.And the storage correlated results, and the result is transferred to feedback controller, and further analyze correlated results. here, feedback controller can customize, and is not necessary, because be not that each nework analysis module has a relevant feedback controller.
As shown in Figure 3, but the present invention's real-time operation, can be with relevant database.If there is not database, can directly forward the result one of to analysis console or feedback controller or both all send.
Automatic analyzer is received from the correlated results of analysis console and is analyzed.The alarm that these packet includes network analyzers/analysis console generates, in addition, automatic analyzer can be received the data from feedback controller, it comprises general introduction, detailed description and data on flows of information etc.
As shown in Figure 5, automatic analyzer receives and process the related data automatic analyzer can sort out the result (such as by grouping, ordering etc.), and association attributes includes but are not limited to: data environment, theme, seriousness, frequency, time, procotol etc. correlation combiner.
In addition, automatic analyzer can compare the correlation attack method automatically, and advises or determine to take adequate measures.Be correlated with and include but not limited to for example these, an action plan is arranged, need reconfigure fire compartment wall, if having potential attack or shutdown system can notify the keeper, in diagram 5, can demonstrate out the expression of relevant point of departure, and be encryption safe.This also concentrates in sweet network server field or other the long-range or distributed environment and operates.
Client can select to require to carry out one or more themes.The present invention or automatic Forward-reques, and the notice client carrying out or carrying out, client can manual operation or machine automatically carry out, a complete example includes but are not limited to sweet net, produces network, virtual net and simulation net etc.
As shown in Figure 4, in a sweet network server field based on exercisable early warning system, instruction is the coding by some tangible computer-readable mediums, the executable file by a computer or computer-related devices, such as PDA(Personal Digital Assistant), laser disc (CD), the CD player, mobile phone, USB flash memory driver, the instruction that floppy disk etc. can use any computer language or form to write.The example of computer language or form comprises JAVA, C++, and COBOL, XML etc., this explanation comprises data from one or more network analyzers (as attacking or smelling and visit data).The data that receive may come to the same thing with above-mentioned basically.Although each network analyzer may be the part of a honey net, each network analyzer is the part of another one honey jar server farm.In addition, each network analyzer may be the assembly that reaches into of one or more honey nets.
The data that receive can classified (such as grouping etc.) become the predetermined hierarchical structures such as attribute.Equally, these attributes include but not limited to procotol of test environment, theme, seriousness, frequency, time, use etc.Setup of attribute can be according to keeper's demand, by Administrator.After the classification, data can use these predetermined attributes to sort at least.In addition, these attributes can be added into related pattern (for example, form, figure, chart, letter etc.), convenient and client communication.One of purpose of this communication is to allow client to determine which theme (S).For example (theme include but not limited to following several respects) proposed an activity program, reconfigure fire compartment wall, described the type of receive data, counterattack, or shutdown system etc., the identification potential attack is also informed the keeper, receives one or more predetermined attribute request from client, the information of computer notice client-requested, as attacking, counterattack has been initiated in the affirmation of the function that tightens security, etc. relevant information.
Sweet network server field based on exercisable early warning system comprises numerous assemblies.These assemblies may include but not limited to following one or more router, switch, fire compartment wall, server, flow detection and storage server.For example, embodiment comprises the 7204VXR of a Cisco router based on the honey of exercisable early warning system toward server farm, Cisco's 2950 switches, the PLX515E of Cisco fire compartment wall and VPN, Cisco PIX501 fire compartment wall, ten gateways, 935 server catalyst Catalysts, four 1U LINUX servers, two Sun ultra park servers, the Self-similar Network Traffic Generator of Arbornet and Dell Terra byte storage server.
As shown in Figure 6 and Figure 7, the Internet can be directly connected to Cisco PIX515E fire compartment wall, and the DMZ district on the PIX can be connected to the Cisco2950 switch.DMZ1 can carry all applicable servers.A single port on Cisco's 2950 switches can be configured to a span port.The Snort of trust server can be connected to span port, and this port also can be shared by Dell Terra byte storage server and bear, and may be positioned at second fire compartment wall (PIX501 of Cisco) the Arbornet Self-similar Network Traffic Generator of back.The purpose of a flow generator is the DMZ that produces in the simulation traffic.Service and transaction all should be simulated.The volume business of a plurality of Web server operations may allow the invader more tempting.In addition, the e-mail server can move IMAP and other email protocols, is to be undertaken by Email and related service because current great majority are attacked.Therefore, the invader can walk around the agreement of the Emails such as fire compartment wall or tunnel, because a typical fire compartment wall can not prevent such Email attack.This function is more to attract the invader.
Cisco PIX501 fire compartment wall is the outer flow of a transmitting system basically.It does not accept any flow from honey net territory usually.Therefore, the invader only might see the flow at Honeynet, and can not see the flow generator in the fire compartment wall back.
The PIX515E of Cisco fire compartment wall can have a plurality of interfaces.An interface can be used for DMZ1.Record and monitoring are at the flow of Cisco2950 switch by span port.The information of collecting from the monitoring system of this port can be resolved.Such as Snort and tcpdump, all can use.
The second interface (such as internal interface) can be connected to existing laboratory, and comprising two parts, first comprises that common computer is connected to the Internet; Second portion can be separated by fire compartment wall.
The corresponding strategies of data flow can realize with different firewall filtering rules.For example, this strategy possibility:
(1) HTTP that allows, SMTP, ICMP etc. enter into DMZ1 to PIX515E
(2) only allow the traffic of setting up to the PIX515E's of internal interface.
(3) do not allow any flow from the outside to PIX501.
Following order line has demonstrated fully the code sample to the PIX515 of Cisco.
TABLE1
Sample?Code?on?a?Cisco?PIX515E.
Sample?Code
interface?ethernetO?10baset
interface?ethernetl100full
Nameif?thernetO?outside?securityO
nameif?ethernetl?inside?security1OO
enable?password?AL8sZHguc0aiRyab?encrypted
passwd?AL8sZHguc0aiRyab?encrypted
hostname?STOP
domain-name?xyz.com
access-list101permit?tcp?any?host192.168.6.12eq4125
access-list101permit?tcp?any?host192.168.6.12eq?https
access-list101permit?tcp?any?host192.168.6.12eq444
access-list101permit?tcp?any?host192.168.6.12eq?smtp
access-list101permit?tcp?any?host192.168.6.6eq4899
access-list101permit?tcp?any?host192.168.6.80eq4899
ip?address?outside10.1.10.2255.255.255.0
ip?address?inside192.168.6.1255.255.255.0
global(outside)1interface
nat(inside)10.0.0.00.0.0.000
access-group101in?interface?outside
route?outside0.0.0.00.0.0.010.1.10.11
sysopt?connection?permit-ipsec
Flow generator can be used for sending the Attacking Packets of Honeynet.During the detection of Honeynet, can send a notice to the N+1 system.This detection and notice can realize programmed logic according to different network analysis equipment.
Time delay can calculate the Data Share System of use.Data Share System can be reminded purpose system and related service system.This process can by sending the connection of a sign link, connect such as VPN.Strategy fails (such as firewall rule) and the New Policy that recovers also may be integrated.Using non-Cisco firewall system, strategy deletion or that have Restoration Mechanism can be customized development.
Cisco PIX515E fire compartment wall can be supported the flow bandwidth of Small-size office network.If occuring in the network, extensive aggression and this attack be not detected, just can form DoS attack or cause network congestion because flow is excessive.In order to stop DoS attack or network system to be blocked, PIX has realized a kind of flow cleaning mechanism based on firewall technology.Say on the principle that the PIX515E fire compartment wall can carry out the arp clear command and be used for emptying the arp high-speed cache.
Ensure the production network security and make up honeynet system that in order to obtain data from honeynet system, product must allow the user can gather, be understood and can make timely reaction to network traffics.In order to realize this goal, for the honeynet system physical architecture, external module is necessary.This module can be connected to honeynet system by the span port (mirror port) on Cisco's 2950 switches.Utilize this collection mode can catch flow and send to honeynet system.
At least to there be two data acquisition modules just can reach optimum efficiency.Generally speaking, be subjected to the independently restriction of physical technique and physical location, flow is collected with the form of Pcap.Many products have all been integrated the libpcap library file, so these products are usually with the form reading out data of Pcap.For data system and the software that can read the Pcap form, need to use such as softwares such as TCPDUMP.TCPDUMP can analyze traffic redirect or the data of catching are stored to the Another application program and be further analyzed.In addition, many analysis software have based on the packet capture ability of libpcap and use as instant analysis.The best approach is to utilize the data of TCPDUMP crawl to do data-flow analysis and instant packet capture, and the collision detection engine that utilizes snort to increase income is done signature and abnormality detection.
The present invention can use the analysis of three types: signature analysis, add up the analysis of unusual and data flow-based.
Signature analysis, first method are the realizations in intruding detection system, are based on string matching (being also referred to as pattern matching).String matching, a string code namely, ordinary representation detects specific malicious traffic stream feature by the packet that relatively imports into.Signature can comprise a phrase or the order of often attacking, if find a coupling, will produce alarm.If no, but the signature on the grouping comparison list.Signature may produce repetition, until all signatures are through checking.In case finish, next packet can be read into internal memory, can begin again in the process that wherein signature checks.
Preferably use the Snort intrusion detection engine based on the analysis of signature.Snort is the current popular and network traffic analysis engine increasing income, be easy to expand.Engine can comprise that quite widely rule set (for example, signature) and a custom rule generate flexibly language.Snort also comprises its packet capture interface, can take the span port of network switch too is configured to read the data file of tcpdump.The setting of these rules can manage from remote console.
The statistics anomaly analysis, by comparative observation to the behavior of behavior and expection attempt to seek and invade.The statistics part can help to describe specifically or the probabilistic model of anticipatory behavior.The advantage of statistics anomaly analysis is, based on signature analysis, it can be for detection of the attack of new the unknown, and needn't depend on attack known in coupling observation data and the database.In essence, this analysis can help real-time intrusion detection.
In statistics during anomaly analysis, usage statistics bag abnormality detection engine (SPADE) preferably.SPADE is the application program of increasing income, and the analysis ability of anomaly-based is provided.In fact, SPADE is the plug-in unit of Snort, and Snort and use statistics interact, and can attempt to find out uncommon or suspicious packet by the unusual score that is assigned as each packet.By mating common packet header thresholding, can determine unusual mark.For example, the data of 80 ports of purpose IP address 192.168.1.10 are a kind of bags.Yet, if the source IP address 158.187.1.22 of packet, purpose IP address 192.168.1.10, Here it is another kind of packet.SPADE generally safeguards the information of this probability tables, can pass through the weighted calculation dependent probability.Therefore, bag target ip address 192.168.1.10(for example, Web server) and the probability of target port 80 are quite high (P(x)=0.5), this means half of network traffics, the webserver of can directly flowing through.Yet an outside ip address, 158.187.1.22 send a packet to Web server and FIN attribute set, and probability may much lower (P(Y)=0.001).Actual these probability scores that unusually may be derived from, according to formula A (X)=-log2 (P (X)) (1), therefore, the example of front, (X)=1, and A(y)=9.965.These uncommon events often can be more unusual.SPADE is in can allowing the threshold value that arranges, and the detailed data bank that alarm is sent to.
Flow and the total flow of network of the general more current honey jar of the analysis of data flow-based.Observe network traffics, usually concentrate on some malicious traffic streams, the end user of the Internet is the quantity of seeing malicious traffic stream, characteristics, the type of network traffics, the transport layer protocol (as: TCP in identification malicious traffic stream source, UDP, ICMP and IGMP, TLP), also can be according to five-tuple, comprising purpose IP address, source, source and target port and TLP.For each stream, statistic gathering may comprise the different time, the quantity of transmission or receive data bag, and the source and target parameter, Reflector, window size etc., each stream, even a local IP and port numbers and remote I P and port numbers are only arranged.Local computer typically refers to the main frame of client operation and the information of collection, and remote machine typically refers to other main frames in current network.Collect rear a certain amount of data from local IP and far-end IP, each data set compares, and uses a specific form, and such as figure, figure, table wait and analyze last specified data.
For these analysis tools, the collocation method recommendation.In addition, each is recommended to local instrument or the main frame that manages, must be by its basic interface.But Snort is often managed by SnortCenter, the management application program, and telemanagement is disposed the respective rule collection according to its engine status by a gui interface.This software can be used jointly with the Snort engine, but needs to install an Apache Webserver who supports the PHP script function.
Embodiment
The present invention can be divided into two stages and carry out.Flow detection Main Basis type I and Type II mistake (such as network traffics) between phase I.Second stage is determined time of fire alarming.As everyone knows, the detection method of anomaly-based often has higher rate of false alarm.
Measure the time and the precision that detect, can help the user to determine suitable sweet net.This wherein has two key factors, to the certainty of current active network and the promptness of warning.Fig. 2 and 3 shows the mutual and related data flow between these modules.The data flow of tcpdump may be admitted to three modules, for detection of signature, and unusual and flow.The warning result of its output can submit to its audit by reaction module.
As shown in Figure 7, move the back-to-back PIX515E of Cisco fire compartment wall in current certain production network environment, network is arranged on remote zone.The VPN session can be established to telecommunication network from honey jar.Attack can be sent to Honeynet and be used for the test response time, the Access Control List (ACL) of reduction telecommunication network.In case attacked, will be monitored the port that uses switch, such as Cisco's 2950 switches.It can be at interface operation monitoring flow.The control running software is in engine, and by vpn tunneling, the PIX515 of Cisco fire compartment wall can send a signal to remote firewall.In another module, it is positioned at another and produces network, can code analysis, and to make decision, and set up the Access Control List (ACL) of a new fire compartment wall, the delay of whole affairs can further be optimized under the different loads condition.
Each network of this experimental hypothesis only has an entrance, or same strategy is carried out in all entrances.This hypothesis makes network can take more precautionary measures.Yet the present invention can also allow more than one network ingress point.Equally, the present invention allows to carry out many strategies in many network traffic direction.
The present invention can delete former strategy or be covered to a rare new strategy to guarantee the security strategy change.New Policy can be a strategy safety or unsafe.But both must write hereof in advance.This process can be carried out rapidly in one or more fire compartment walls.
The present invention can create (or parameterized Access Control List (ACL) of instantiation) corresponding Access Control List (ACL).Use network management system, such as cisco network, respective list can be automatically loaded.These management systems are based on based on Web and manage.This method can permit a user to each situation and create single Access Control List (ACL) and allow sweet network server field to automatically perform.
Time can be used as one of the achievement of the output of experiment, to determine the validity of this framework.For example, the user may estimate to change the time after the switch strategy execution.In communication process, can avoid forewarning attack, and attack can be classified.In addition, when data analysis unit produced alarm, the user can estimate to attack sweet net, produce network, safeguards the total time of oneself tightening up between its periphery.According to different loading conditions and attack, can repeat this process.
Non real-time activity and other instruments
Intrusion detection analysis console (ACID) is an application program of increasing income, and can resolve different Log data formats, comprises Snort and SPADE.In addition, ACID may be presented at one simple and use the different Log data format such as network interface.Alarm and search are used the Query Builder of a very complex and are divided into groups.The ACID control desk can possess the 3rd layer and 4 layers of header and the ability that its packet is decoded of showing.ACID can provide some useful visualization functions, comprises that As time goes on figure waits relevant alarm and multiple statistical graph.ACID needs the support of a Web server and PHP, uses with the database collocation simultaneously.
The present invention needs two databases.One can be used for storing the network traffics of catching, and this storehouse may need a large amount of memory spaces; Another kind can be used for supporting the structuring data, and this helps to analyze, management or supervision assembly.Latter's capacity relative is smaller.For example, latter storehouse is MySQL or PostgreSQL.
Visual general as an independent network traffic analysis and embody construction package of the present invention.Yet, visual also may being put into at one or more network analyzers, or at the instrument of one or more analysis console.Wherein software can provide the example of visualization function to comprise ACID and CoralReef.In addition, an instrument of increasing income, visual for high-level network traffics such as Etherape, can be used for showing the connection between two IP addresses of line between per 2.The row representative is that coloud coding represents different agreements, and the size of end points and lines can be used for quoting the flow of each connection.Etherape may be installed separately, spanning tree generating port that like this can be real-time.Conversely, can directly send among the policymaker.
Honey network server field and distributed experiment
Honey jar of the present invention can relate to the data of other system.Described software module, namely the process data stream in the honey net can be processed the data from a plurality of honey jars.The present invention can be used as the set of the honey net of source early warning system.In order to realize this goal, the ability of decision package can be extended.
Agency plant can be used for managing on-line alarm and reaction module.Any computer language or form etc. such as Java, can be used for the establishment system, as shown in Figure 8.This system can realize using between the different point of departure realization system and send message.The point of departure related example is Java message server (JMS).Detect agency (such as Snort), notice can be sent to an automatic decision, such as Java(JDM).Snort can send the SNMP alarm to JDM.At this moment, JDM is configurable, and therefore, this will be the alarm that can set different strategy reply JDM.The JDM major function sends JMS message often to JMS.Yet the present invention can use OpenJMS, and this is an Open-Source Tools of realizing based on the JMS standard.In the future, OpenJMS can help to substitute other JMS.Listening agent such as Java listening agent (JLA), can be finished the complete response process that JMS monitors sensitive event, and these events can based on different formations and theme and with its classification, send to different JDMs with them.If JLAs is external system, JLAs can communicate by VPN, operates JMS this moment, to guarantee that JLAs can obtain relevant sensitization message.According to the JLAs system of current operation, various JLAs can process these message in a different manner.For example, in specific alarm, purpose is to change the fire compartment wall setting, thereby changes the IP table configuration in the system that it is moving.The code that uses in this experiment can be attached in the computer program inventory.
In addition, the port that their spam is crossed by sweet Netcom can be used for communicating by letter mutually, shown in Fig. 7 and 1.The present invention reflects based on off-the-shelf and uses honey jar software.Since auto-alarming, strategy meeting dynamic change, and honey jar can input based on inside (from the flow of another honey jar) or strategy is revised in outside input.For example, honey jar 1 operates in remote site, and links to each other with the front end fire compartment wall, sets up from honey jar 1 to honey jar 2 connection by VPN, as shown in Figure 7.Attack this moment and be sent to honey jar 1, the Access Control List (ACL) of recovery honey jar 2 is also tested the correlated response time.Another time attack is then carried out outside fire compartment wall by Self-similar Network Traffic Generator, in case attack, the user is by monitoring the SPAM port of switch.SNORT is at interface operation and mirror image flow, and the control running software is in decision center, and decision center can be sent a signal by vpn tunneling from a fire compartment wall to another fire compartment wall.But decision center is produced code analysis in the network at another.More than these are analyzed, decision center is often maked decision and and to the new Access Control List (ACL) of the interpolation of fire compartment wall.The delay of affairs can also be optimized under the different loads condition.
Although above-mentionedly by reference to the accompanying drawings the specific embodiment of the present invention is described; but be not limiting the scope of the invention; one of ordinary skill in the art should be understood that; on the basis of technical scheme of the present invention, those skilled in the art do not need to pay various modifications that creative work can make or distortion still in protection scope of the present invention.
Claims (8)
- Under the e-manufacturing environment based on the Warning System of honey net, it is characterized in that, comprise several clients, the honey net, be connected by the Internet between honey net and the client, described sweet net comprises honey jar, server, filter, switch, database, at least one network analyzer, switch, the business information transmitter, the automatic decision device, described automatic decision device comprises the intruding detection system control desk, analysis console, described sweet net connects by the Internet, described server is connected with database by switch, database is connected with switch by network analyzer, described switch connects the automatic decision device, described switch also is connected with the business information transmitter by the Internet, described filter is connected with database with network analyzer respectively, described client comprises the counteroffensive box, switch and far-end client, described counteroffensive box is connected with the far-end client by switch; When a honey jar in a certain honey net was attacked, honey jar gave warning in advance, and informs to be about to the client that quilt is attacked, and client can be taked adequate measures like this; The honey jar of being attacked is notified other sweet nets simultaneously; Other sweet nets also its corresponding client of early warning take adequate measures to prevent from attacking in advance, and the analysis console in the honey net is by intellectual analysis, and the form that client is generated Ex post is transferred to the keeper.
- Under a kind of e-manufacturing environment as claimed in claim 1 based on the Warning System of honey net, it is characterized in that, described network analyzer is used for receive data, and according to data classification demonstration, and reach as much as possible predetermined attribute hierarchy, arrangement is passed on one or more attribute related subjects that subscribe to client according to the confidential data of predetermined attribute, receives the request of passing on from another client.
- Under a kind of e-manufacturing environment as claimed in claim 2 based on the Warning System of honey net, it is characterized in that described predetermined attribute comprises source, geographical position, theme, seriousness, frequency, time, procotol.
- 4. the method for work that adopts based on the Warning System of honey net under a kind of e-manufacturing environment as claimed in claim 1 is characterized in that concrete steps are as follows:Step 1: the network traffics of the network analyzer listening port of honey net;Step 2: the filter of honey net filters, and stores snoop results into database;Step 3: sweet net enters three kinds of parallel parsing stages: signature analysis, the analysis of statistics anomaly analysis and data flow-based;Step 4: sweet net is directly sent the result of three kinds of analyses into analysis console and intruding detection system control desk, and the data of wherein sending into analysis console enter automatic decision after the control desk processing by analysis, then enter the intruding detection system control desk; Perhaps, deposit first three kinds of analysis results in database, then send into respectively analysis console and intruding detection system control desk by the data in the database, the data of wherein sending into analysis console enter automatic decision after the control desk processing by analysis, then enter the intruding detection system control desk again.
- Under a kind of e-manufacturing environment as claimed in claim 4 based on the method for prewarning risk of honey net, it is characterized in that the specific works step of the analysis console in the described step 4 is as follows:Step 1: beginning;Step 2: the network analyzer receive data receives at least the data from a network analyzer; Described network analyzer is the part of a honey net at least simultaneously;Step 3: generate grouped data, by data are carried out sifting sort according to certain hierarchical structure attribute;Step 4: the data to classification sort, and use at least a predetermined attribute;Step 5: carry out session with a client, have a relevant attribute at least;Step 6: receive the request from client, carry out a topic;Step 7: according to client's request for information about, send associated materials, and in time notify.
- Under a kind of e-manufacturing environment as claimed in claim 4 based on the method for prewarning risk of honey net, it is characterized in that, described signature analysis is the realization in intruding detection system, be based on string matching, string matching, a string code namely, ordinary representation detects specific malicious traffic stream feature by the packet that relatively imports into; Signature comprises a phrase or the order of often attacking, if find a coupling, will produce alarm; If no, the signature on the grouping comparison list; Until all signatures are through checking; In case finish, next packet can be read into internal memory, can begin again in the process that wherein signature checks.
- Under a kind of e-manufacturing environment as claimed in claim 4 based on the method for prewarning risk of honey net, it is characterized in that, described statistics anomaly analysis be by comparative observation to behavior and the behavior of expection attempt to seek invasion; The statistics anomaly analysis is based on signature analysis, and it mates attack known in observation data and the database for detection of the attack of new the unknown and needn't depend on.
- Under a kind of e-manufacturing environment as claimed in claim 4 based on the method for prewarning risk of honey net, it is characterized in that the analysis of described data flow-based is flow and the total flow of network of more current honey jar; Observe network traffics, concentrate on some malicious traffic streams, the end user of the Internet is the type, transport layer protocol of characteristics, the network traffics in the quantity of seeing malicious traffic stream, identification malicious traffic stream source and according to five-tuple, comprising purpose IP address, source, source and target port and TLP; For each stream, the time that statistic gathering is different, the quantity of transmission or receive data bag, the source and target parameter, Reflector, window size, each stream, even a local IP and port numbers and remote I P and port numbers are only arranged; Local computer typically refers to the main frame of client operation and the information of collection, and remote machine typically refers to other main frames in current network; Collect rear a certain amount of data from local IP and far-end IP, each data set compares, and uses a specific form, analyzes last specified data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210388461.1A CN102882884B (en) | 2012-10-13 | 2012-10-13 | Honeynet-based risk prewarning system and method in information production environment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210388461.1A CN102882884B (en) | 2012-10-13 | 2012-10-13 | Honeynet-based risk prewarning system and method in information production environment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102882884A true CN102882884A (en) | 2013-01-16 |
| CN102882884B CN102882884B (en) | 2014-12-24 |
Family
ID=47484027
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210388461.1A Active CN102882884B (en) | 2012-10-13 | 2012-10-13 | Honeynet-based risk prewarning system and method in information production environment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102882884B (en) |
Cited By (26)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104144164A (en) * | 2014-08-06 | 2014-11-12 | 武汉安问科技发展有限责任公司 | Extension defense method based on network intrusion |
| CN105488393A (en) * | 2014-12-27 | 2016-04-13 | 哈尔滨安天科技股份有限公司 | Database honey pot based attack behavior intention classification method and system |
| CN107465663A (en) * | 2017-07-06 | 2017-12-12 | 广州锦行网络科技有限公司 | A kind of implementation method and device of the seamless honey jar of network |
| CN107645398A (en) * | 2016-07-22 | 2018-01-30 | 北京金山云网络技术有限公司 | A kind of method and apparatus of diagnostic network performance and failure |
| CN107819633A (en) * | 2017-11-30 | 2018-03-20 | 国网河南省电力公司商丘供电公司 | It is a kind of quickly to find and handle the system and its processing method of network failure |
| CN108134797A (en) * | 2017-12-28 | 2018-06-08 | 广州锦行网络科技有限公司 | System and method is realized in attack counter based on Honeypot Techniques |
| CN108521406A (en) * | 2018-03-21 | 2018-09-11 | 沈阳化工大学 | A method of capturing network worm based on Honeypot Techniques |
| CN109347881A (en) * | 2018-11-30 | 2019-02-15 | 东软集团股份有限公司 | Network protection method, apparatus, equipment and storage medium based on network cheating |
| CN109495472A (en) * | 2018-11-19 | 2019-03-19 | 南京邮电大学 | A kind of defence method for intranet and extranet camera configuration weak passwurd loophole |
| CN109696892A (en) * | 2018-12-21 | 2019-04-30 | 上海瀚之友信息技术服务有限公司 | A kind of Safety Automation System and its control method |
| CN109711173A (en) * | 2019-02-03 | 2019-05-03 | 北京大学 | A kind of password file leakage detection method |
| CN109995716A (en) * | 2017-12-29 | 2019-07-09 | 北京安天网络安全技术有限公司 | Behavior exciting method and device based on high interaction honey pot system |
| CN110493238A (en) * | 2019-08-26 | 2019-11-22 | 杭州安恒信息技术股份有限公司 | Defence method, device, honey pot system and honey jar management server based on honey jar |
| CN111226426A (en) * | 2017-10-18 | 2020-06-02 | 国际商业机器公司 | Identification of attack flows in a multi-layer network topology |
| CN111541670A (en) * | 2020-04-17 | 2020-08-14 | 广州锦行网络科技有限公司 | Novel dynamic honeypot system |
| CN111865996A (en) * | 2020-07-24 | 2020-10-30 | 中国工商银行股份有限公司 | Data detection method and device and electronic equipment |
| CN111885041A (en) * | 2020-07-17 | 2020-11-03 | 福建奇点时空数字科技有限公司 | Attack scene reconstruction method based on honeypot threat data |
| CN112788023A (en) * | 2020-12-30 | 2021-05-11 | 成都知道创宇信息技术有限公司 | Honeypot management method based on secure network and related device |
| CN113162948A (en) * | 2021-05-12 | 2021-07-23 | 上海交通大学宁波人工智能研究院 | Modularized industrial control honey pot system |
| TWI742799B (en) * | 2019-10-18 | 2021-10-11 | 臺灣銀行股份有限公司 | Network attack analysis method |
| CN113824745A (en) * | 2021-11-24 | 2021-12-21 | 武汉大学 | Network safety emergency disposal system based on recurrent neural network model |
| CN113904878A (en) * | 2021-12-10 | 2022-01-07 | 浙江木链物联网科技有限公司 | Data processing method and system based on large number of nodes and readable storage medium |
| CN114189568A (en) * | 2022-02-14 | 2022-03-15 | 北京安盟信息技术股份有限公司 | Method and system for rapidly processing UDP (user Datagram protocol) data packet |
| CN114598504A (en) * | 2022-02-21 | 2022-06-07 | 烽台科技(北京)有限公司 | Risk assessment method and device, electronic equipment and readable storage medium |
| CN114640537A (en) * | 2022-03-31 | 2022-06-17 | 杭州安恒信息技术股份有限公司 | Intranet transverse movement detection method, device, equipment and medium |
| CN116436668A (en) * | 2023-04-12 | 2023-07-14 | 广州市点易资讯科技有限公司 | Information security control method and related device |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| RU2761542C1 (en) * | 2021-03-15 | 2021-12-09 | Акционерное общество "Лаборатория Касперского" | System and method for forming a system of trap resources |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050027837A1 (en) * | 2003-07-29 | 2005-02-03 | Enterasys Networks, Inc. | System and method for dynamic network policy management |
| CN101087196A (en) * | 2006-12-27 | 2007-12-12 | 北京大学 | Multi-layer honey network data transmission method and system |
| CN102546621A (en) * | 2010-12-27 | 2012-07-04 | 阿瓦雅公司 | System and method for VOIP honeypot for converged VOIP services |
| CN102724176A (en) * | 2012-02-23 | 2012-10-10 | 北京市计算中心 | Intrusion detection system facing cloud calculating environment |
-
2012
- 2012-10-13 CN CN201210388461.1A patent/CN102882884B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050027837A1 (en) * | 2003-07-29 | 2005-02-03 | Enterasys Networks, Inc. | System and method for dynamic network policy management |
| CN101087196A (en) * | 2006-12-27 | 2007-12-12 | 北京大学 | Multi-layer honey network data transmission method and system |
| CN102546621A (en) * | 2010-12-27 | 2012-07-04 | 阿瓦雅公司 | System and method for VOIP honeypot for converged VOIP services |
| CN102724176A (en) * | 2012-02-23 | 2012-10-10 | 北京市计算中心 | Intrusion detection system facing cloud calculating environment |
Non-Patent Citations (1)
| Title |
|---|
| 徐沛沛 等: ""大型网络终端IT运维安全监控与风险预警系统"", 《电路信息化》, 30 September 2011 (2011-09-30) * |
Cited By (31)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104144164A (en) * | 2014-08-06 | 2014-11-12 | 武汉安问科技发展有限责任公司 | Extension defense method based on network intrusion |
| CN105488393A (en) * | 2014-12-27 | 2016-04-13 | 哈尔滨安天科技股份有限公司 | Database honey pot based attack behavior intention classification method and system |
| CN105488393B (en) * | 2014-12-27 | 2018-07-03 | 哈尔滨安天科技股份有限公司 | A kind of attack intent classifier method and system based on database honey jar |
| CN107645398A (en) * | 2016-07-22 | 2018-01-30 | 北京金山云网络技术有限公司 | A kind of method and apparatus of diagnostic network performance and failure |
| CN107465663A (en) * | 2017-07-06 | 2017-12-12 | 广州锦行网络科技有限公司 | A kind of implementation method and device of the seamless honey jar of network |
| CN111226426A (en) * | 2017-10-18 | 2020-06-02 | 国际商业机器公司 | Identification of attack flows in a multi-layer network topology |
| CN107819633A (en) * | 2017-11-30 | 2018-03-20 | 国网河南省电力公司商丘供电公司 | It is a kind of quickly to find and handle the system and its processing method of network failure |
| CN108134797A (en) * | 2017-12-28 | 2018-06-08 | 广州锦行网络科技有限公司 | System and method is realized in attack counter based on Honeypot Techniques |
| CN109995716A (en) * | 2017-12-29 | 2019-07-09 | 北京安天网络安全技术有限公司 | Behavior exciting method and device based on high interaction honey pot system |
| CN108521406A (en) * | 2018-03-21 | 2018-09-11 | 沈阳化工大学 | A method of capturing network worm based on Honeypot Techniques |
| CN109495472A (en) * | 2018-11-19 | 2019-03-19 | 南京邮电大学 | A kind of defence method for intranet and extranet camera configuration weak passwurd loophole |
| CN109347881A (en) * | 2018-11-30 | 2019-02-15 | 东软集团股份有限公司 | Network protection method, apparatus, equipment and storage medium based on network cheating |
| CN109696892A (en) * | 2018-12-21 | 2019-04-30 | 上海瀚之友信息技术服务有限公司 | A kind of Safety Automation System and its control method |
| CN109711173A (en) * | 2019-02-03 | 2019-05-03 | 北京大学 | A kind of password file leakage detection method |
| CN110493238A (en) * | 2019-08-26 | 2019-11-22 | 杭州安恒信息技术股份有限公司 | Defence method, device, honey pot system and honey jar management server based on honey jar |
| TWI742799B (en) * | 2019-10-18 | 2021-10-11 | 臺灣銀行股份有限公司 | Network attack analysis method |
| CN111541670A (en) * | 2020-04-17 | 2020-08-14 | 广州锦行网络科技有限公司 | Novel dynamic honeypot system |
| CN111885041A (en) * | 2020-07-17 | 2020-11-03 | 福建奇点时空数字科技有限公司 | Attack scene reconstruction method based on honeypot threat data |
| CN111865996A (en) * | 2020-07-24 | 2020-10-30 | 中国工商银行股份有限公司 | Data detection method and device and electronic equipment |
| CN112788023A (en) * | 2020-12-30 | 2021-05-11 | 成都知道创宇信息技术有限公司 | Honeypot management method based on secure network and related device |
| CN113162948B (en) * | 2021-05-12 | 2022-07-26 | 上海交通大学宁波人工智能研究院 | Modularized industrial control honey pot system |
| CN113162948A (en) * | 2021-05-12 | 2021-07-23 | 上海交通大学宁波人工智能研究院 | Modularized industrial control honey pot system |
| CN113824745A (en) * | 2021-11-24 | 2021-12-21 | 武汉大学 | Network safety emergency disposal system based on recurrent neural network model |
| CN113904878A (en) * | 2021-12-10 | 2022-01-07 | 浙江木链物联网科技有限公司 | Data processing method and system based on large number of nodes and readable storage medium |
| CN114189568A (en) * | 2022-02-14 | 2022-03-15 | 北京安盟信息技术股份有限公司 | Method and system for rapidly processing UDP (user Datagram protocol) data packet |
| CN114189568B (en) * | 2022-02-14 | 2022-05-31 | 北京华御数观科技有限公司 | Method and system for rapidly processing UDP (user Datagram protocol) data packet |
| CN114598504A (en) * | 2022-02-21 | 2022-06-07 | 烽台科技(北京)有限公司 | Risk assessment method and device, electronic equipment and readable storage medium |
| CN114598504B (en) * | 2022-02-21 | 2023-11-03 | 烽台科技(北京)有限公司 | Risk assessment method and device, electronic equipment and readable storage medium |
| CN114640537A (en) * | 2022-03-31 | 2022-06-17 | 杭州安恒信息技术股份有限公司 | Intranet transverse movement detection method, device, equipment and medium |
| CN116436668A (en) * | 2023-04-12 | 2023-07-14 | 广州市点易资讯科技有限公司 | Information security control method and related device |
| CN116436668B (en) * | 2023-04-12 | 2023-11-10 | 广州市点易资讯科技有限公司 | Information security control method and device, computer equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102882884B (en) | 2014-12-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102882884B (en) | Honeynet-based risk prewarning system and method in information production environment | |
| US20060101516A1 (en) | Honeynet farms as an early warning system for production networks | |
| Lakkaraju et al. | NVisionIP: netflow visualizations of system state for security situational awareness | |
| US8209759B2 (en) | Security incident manager | |
| KR101070614B1 (en) | Malicious traffic isolation system using botnet infomation and malicious traffic isolation method using botnet infomation | |
| CN106992955A (en) | APT fire walls | |
| Bidou | Security operation center concepts & implementation | |
| Vacas et al. | Detecting network threats using OSINT knowledge-based IDS | |
| Akbar et al. | Intrusion detection system methodologies based on data analysis | |
| Beg et al. | Feasibility of intrusion detection system with high performance computing: A survey | |
| Priya et al. | Containerized cloud-based honeypot deception for tracking attackers | |
| Nazer et al. | Current intrusion detection techniques in information technology-a detailed analysis | |
| Baláž et al. | ModSecurity IDMEF module | |
| RU2703329C1 (en) | Method of detecting unauthorized use of network devices of limited functionality from a local network and preventing distributed network attacks from them | |
| Dressler et al. | Attack detection using cooperating autonomous detection systems (CATS) | |
| Mishra et al. | Artificial intelligent firewall | |
| Gavrilovic et al. | Snort IDS system visualization interface for alert analysis | |
| Hsin et al. | A study of alert-based collaborative defense | |
| Гарасимчук et al. | Analysis of principles and systems for detecting remote attacks through the internet | |
| Selvaraj et al. | Enhancing intrusion detection system performance using firecol protection services based honeypot system | |
| Kaur et al. | Intrusion detection system using honeypots and swarm intelligence | |
| Gavrilovic et al. | Snort IDS system visualization interface | |
| Movva et al. | Intelligent IDS: Venus Fly-Trap Optimization with Honeypot Approach for Intrusion Detection and Prevention | |
| Rehák et al. | Agent methods for network intrusion detection and response | |
| Anusha et al. | MAM-ISSIDS: multi-agent model-based intelligent and self-sharing intrusion detection system for distributed network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| ASS | Succession or assignment of patent right |
Owner name: STATE GRID CORPORATION OF CHINA Free format text: FORMER OWNER: ELECTRIC POWER RESEARCH INSTITUTE, STATE GRID SHANDONG ELECTRIC POWER COMPANY Effective date: 20141115 Owner name: ELECTRIC POWER RESEARCH INSTITUTE, STATE GRID SHAN Free format text: FORMER OWNER: STATE GRID CORPORATION OF CHINA Effective date: 20141115 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| C53 | Correction of patent of invention or patent application | ||
| CB02 | Change of applicant information |
Address after: Wang Yue Central Road Ji'nan City, Shandong province 250002 City No. 2000 Applicant after: ELECTRIC POWER RESEARCH INSTITUTE OF STATE GRID SHANDONG ELECTRIC POWER Co. Applicant after: State Grid Corporation of China Address before: 250002, No. 1, South Second Ring Road, Shizhong District, Shandong, Ji'nan Applicant before: ELECTRIC POWER RESEARCH INSTITUTE OF SHANDONG ELECTRIC POWER Corp. Applicant before: State Grid Corporation of China |
|
| CB03 | Change of inventor or designer information |
Inventor after: Ren Tiancheng Inventor after: Liu Xin Inventor after: Jing Junshuang Inventor after: Ma Lei Inventor after: Meng Yu Inventor after: Xu Naiyuan Inventor after: Wu Guanbin Inventor before: Ren Tiancheng Inventor before: Liu Xin Inventor before: Jing Junshuang Inventor before: Ma Lei Inventor before: Meng Yu |
|
| COR | Change of bibliographic data |
Free format text: CORRECT: INVENTOR; FROM: REN TIANCHENG LIU XIN JING JUNSHUANG MA LEI MENG YU TO: REN TIANCHENG LIU XIN JING JUNSHUANG MA LEI MENG YU XU NAIYUAN WU GUANBIN Free format text: CORRECT: ADDRESS; FROM: 250002 JINAN, SHANDONG PROVINCE TO: 100031 XICHENG, BEIJING Free format text: CORRECT: APPLICANT; FROM: SHANDONG ELECTRIC POWER SCIENCE AND RESEARCH INSTITUTE, SHANDONG ELECTRICPOWER CORPORATION TO: ELECTRIC POWER RESEARCH INSTITUTE, STATE GRID SHANDONG ELECTRIC POWER COMPANY |
|
| TA01 | Transfer of patent application right |
Effective date of registration: 20141115 Address after: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing Applicant after: State Grid Corporation of China Applicant after: ELECTRIC POWER RESEARCH INSTITUTE OF STATE GRID SHANDONG ELECTRIC POWER Co. Address before: Wang Yue Central Road Ji'nan City, Shandong province 250002 City No. 2000 Applicant before: ELECTRIC POWER RESEARCH INSTITUTE OF STATE GRID SHANDONG ELECTRIC POWER Co. Applicant before: State Grid Corporation of China |
|
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |