CN103561004A - Cooperative type active defense system based on honey nets - Google Patents

Publication number: CN103561004A (granted as CN103561004B)
Application number: CN201310500444.7A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 陶敬, 田决, 马小博, 李剑锋, 韩婷, 邹孙颖, 胡文君
Assignee: Xi'an Jiaotong University
Legal status: Granted (as listed by Google Patents; not a legal conclusion)

Abstract

The invention provides a cooperative type active defense system based on honey nets. The cooperative type active defense system comprises a data capture module, a data analysis module and a data control module and is characterized in that the data capture module, the data analysis module and the data control module are arranged at the center of one honey net and a plurality of sub nets in a distributed mode. The cooperative type active defense system depends on a honey net technology, a cooperative type active defense thought is adopted, attacker information captured by the different honey nets is shared in real time, active defensiveness of a network layer is achieved, defensive initiative and real-time performance are improved, and the cooperative type active defense system is suitable for large-scale enterprise networks. The cooperative type active defense system built through the method is high in defense rate, hit rate and robustness, and time delay from the time that attackers are firstly found to the time that all network deployment and control is achieved is greatly reduced.

Description

Cooperative Active Defense System Based on Honeynet

Technical field

The invention relates to the field of network security, and in particular to a honeynet-based cooperative active defense system.

Background

With the development of the Internet, network security faces increasingly serious threats. The main current threats are Trojan horses, worms, botnets, network sniffing, IPv6 threats, spyware and adware, zero-day vulnerabilities, and DDoS (distributed denial of service) attacks. Effective defense against these threats has become a pressing need.

Network security defenses can be classified by location into host-layer and network-layer defenses, and by timing into passive and active defenses. Traditional host-based passive defense can no longer adequately protect existing networks, which gave rise to the concept of active defense: characteristics discovered autonomously by a program are used so that the attacker cannot complete the attack on the target.

The representative of active defense is the intrusion detection system, IDS (Intrusion Detection System). Following a given security policy, it monitors the operating state of the network and its systems and discovers as many attack attempts, attack behaviors and attack results as possible, so as to protect the confidentiality, integrity and availability of network system resources. Its real-time, proactive nature is beyond the reach of traditional security measures, and it compensates for the inability of passive defenses to protect against unknown types of attack. Traditional intrusion detection systems still have shortcomings, however. Because the volume of information to be processed is very large, the quality of the attack behavior classification model directly determines detection efficiency. Building an effective intrusion detection system is a huge knowledge-engineering task, and because the development process is manual, the scalability and adaptability of current intrusion detection systems are limited. Intrusion detection models in practical use can only handle one particular kind of audit data source, and updating them is costly and slow.

To overcome the limitations of traditional intrusion detection systems, a more automatic and efficient mechanism should be adopted; the honeypot is such a system. Lance Spitzner, founder of The Honeynet Project, gave the authoritative definition of a honeypot: a honeypot is a security resource whose value lies in being scanned, attacked and compromised. All network traffic flowing into or out of a honeypot may indicate scanning, attack or compromise. By purpose of deployment, honeypots are divided into production honeypots and research honeypots; by level of interaction, into low-interaction and high-interaction honeypots. The advantages of honeypot technology include: the collected data has high fidelity, new attack tools and attack methods can be collected, no strong resource support or capital investment is needed, and the technology is relatively easy to master.

A honeynet contains one or more honeypots; while keeping the network highly controllable, it provides a variety of tools that facilitate the collection and analysis of attack information. Using a honeynet can effectively change the information asymmetry between defender and attacker. At present, high-interaction honeynets are mainly used for extracting, analyzing and researching attack data, chiefly through manual analysis of the massive data the honeynet collects in order to discover the attacker's strategy, attack code, attack location and related information. Although this ultimately serves defense, it is passive defense: it requires a great deal of manual work, suffers from serious lag, and is hard to systematize and turn into a product.

Summary of the invention

In view of the deficiencies of the prior art, the purpose of the present invention is to propose a honeynet-based cooperative active defense system which relies on honeynet technology, adopts the idea of cooperative defense, realizes active defense at the network layer, and is suitable for large-scale enterprise networks.

To achieve the above purpose, the present invention adopts the following technical solution:

A honeynet-based cooperative active defense system comprising a data capture module, a data analysis module and a data control module, characterized in that:

the data capture module, data analysis module and data control module are distributed across one honeycenter and multiple subnets, wherein

the data capture module comprises a global logging database located at the honeycenter and, in each subnet, a honeywall, multiple honeypot hosts, a remote logging server and an intrusion detection server;

the data analysis module comprises a statistics server, an attack pattern extraction server, a global malicious-code analysis server, a comprehensive computing server, a global visualization server, a global statistics database and a global feature database located at the honeycenter, and a local online data analysis server in each subnet;

the data control module comprises a global control server, a global control database and a global intrusion behavior rule database located at the honeycenter, and a redirectable router and a firewall in each subnet.

The present invention has the following beneficial effects:

1. Combining honeynet technology with active defense overcomes the lag of traditional honeynets, which defend passively, reduces the workload of manual analysis, and improves the timeliness and accuracy of defense.

2. Cooperative defense among multiple subnets compensates for the small scale, simple structure and single information source of a single subnet's honeynet, further improving the initiative and timeliness of defense.

3. A simple and efficient data analysis algorithm is used; the resulting defense strategy has a high defense rate and hit rate and a very low miss rate and false-hit rate.

4. Data collected by the honeynet is highly reliable, controllable and low in cost. Users do not need to report anything, normal user communication is not affected, and user privacy is not leaked.

5. Defense is implemented at the network layer, reducing the load on the firewall and the burden on user hosts that run host-based anti-virus software.

6. The deception module increases the robustness of the system.

Description of the drawings

Figure 1 is a block diagram of the main modules of the honeynet-based autonomous defense subsystem.

Figure 2 is a network deployment diagram of the honeynet-based autonomous defense subsystem.

Figure 3 is a block diagram of the main modules of the honeynet-based cooperative active defense system.

Figure 4 is a network deployment diagram of the honeynet-based cooperative active defense system.

Figure 5 is a module block diagram of the honeynet-based autonomous defense subsystem with the deception module added.

Detailed description

To make the purpose, technical solution and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and exemplary embodiments. It should be understood that the exemplary embodiments described here serve only to explain the invention and do not limit its scope.

Before introducing the cooperative active defense system of the present invention, the working mechanism of the honeynet-based autonomous defense subsystem must first be explained. An enterprise network can be divided into multiple subnets, generally by network segment in a class C network and by subnet mask in class A and class B networks. The honeynet-based autonomous defense subsystem is deployed within a single subnet and has three main modules and one additional module. As shown in Figures 1 and 5, the three main modules are the data capture module, the data analysis module and the data control module, and the additional module is the intrusion deception module.

The honeynet-based autonomous defense subsystem is deployed within a single subnet, i.e. the honeynet and the user network are in the same network segment, as shown in Figure 2, which marks not only the main hardware but also the distribution of modules and the direction of data flow. The data capture module comprises a honeywall, multiple honeypot hosts, a remote logging server, a logging database and an intrusion detection server. The data analysis module comprises an offline data analysis server, an online data analysis server, a visualization server, a malicious-code analysis server, a statistics database and a feature database. The data control module comprises a control server, a control database, a router, the honeywall, a firewall and an intrusion behavior rule database.

1. Data capture module

The data capture module is the input module; it comprises the honeywall, multiple honeypot hosts, the remote logging server, the logging database and the intrusion detection server.

(1) Honeywall (honeynet gateway)

A honeynet can be placed outside the firewall, inside it, or in the DMZ (demilitarized zone); it is usually placed in the DMZ between the user network and the external network, i.e. the zone between the trusted internal user network and the untrusted external network. From the user network's point of view the honeynet is a dangerous area, because honeypots are hosts that are very easy to compromise; if an attacker uses a honeypot as a stepping stone to attack the user network, the active defense system does more harm than good. The honeywall is the only barrier between the honeynet and the user network. It has three network interfaces: eth0 connects to the external network, eth1 connects to the honeynet, and eth2 serves as a covert channel to a monitoring network. The honeywall is a link-layer bridging device that is invisible to attackers; as the single connection point between the honeynet and other networks, all traffic entering or leaving the honeynet passes through it and is controlled and audited by it. Because it bridges at the link layer, it neither decrements the TTL of packets nor routes them, and it does not expose a MAC address of its own, so to an attacker the honeywall is completely invisible.

(2) Honeypot hosts

A malicious-code capture program running at ring 0 is installed on the three honeypot hosts; because it runs at ring 0 it is hard for an attacker to discover. It transfers the malicious code found on a compromised honeypot host, automatically or manually, over the covert channel to the malicious-code analysis server. A sandbox program runs in a virtual machine on that server; the malicious code is analyzed in the sandbox, and the results can be applied in the data control module. All honeypot hosts need maintenance after a period of operation.

(3) Client honeypot tools

To make the honeynet more proactive, some honeypots can run a client honeypot tool with web-crawling capability, such as capture-HPC, which automatically searches for malicious servers and detects web pages that plant Trojans, strengthening the data capture module.

(4) Remote logging server and logging database

The remote logging server stores the data transmitted from the honeynet in the logging database in real time and periodically transmits the data in the logging database to the data analysis module.

(5) Intrusion detection server

Since an attacker may attack the user network directly or first, the honeynet is combined with a behavior-signature-based intrusion detection system to increase the robustness of the system: an intrusion detection server is placed in front of the user network and inspects all traffic through the user network via the router's port mirroring function. Once traffic matches a rule in the intrusion behavior rule database it is judged to be an intrusion, and the verdict is sent to the control server, which directly modifies the firewall rules, so that active defense is maintained even when the honeynet fails. In addition, assigning domain names to the honeypot hosts makes them attract more attacks, but also increases the potential danger to the user network.

2. Data analysis module

The data analysis module fuses, mines and analyzes the information captured by the various data capture modules, discovers potentially dangerous information in the network in time, and transmits the control strategy promptly to the data analysis module of each subnet, achieving early warning, real-time maintenance and periodic correction. As examples, mature techniques such as information fusion, data mining and honeynet attack event analysis can be applied in this module; for instance, mathematical methods such as clustering and matrix transformation generate a defense blacklist used to change the firewall rules, and extract attack patterns and malicious code used to change the intrusion behavior rules. This module is the core of the system. It comprises an offline analysis server, an online analysis server, a visualization server, a malicious-code analysis server, a statistics database and a feature database.

(1) Online analysis server

All honeynet traffic data is transmitted from the remote logging server to the online analysis server, which matches packet header information against the attack signatures in the feature database in real time, formulates some simple defense strategies, and transmits the blacklist of what needs to be blocked to the control server in real time.

(2) Offline analysis server

All honeynet traffic data is also transmitted from the remote logging server to the offline analysis server, which is characterized by accuracy and complexity. It computes statistics over a period (hour, day or week) and updates the statistics database, extracts attack signatures and patterns and updates the feature database, predicts attack trends from the data of previous periods, formulates defense strategies, and periodically transmits the blacklist of what needs to be blocked to the control server.

(3) Malicious-code analysis server

Malicious code captured by the honeypots is transmitted, automatically or manually, to the malicious-code analysis server, which runs it in its sandbox, extracts its features and updates the feature database.

(4) Visualization server

The visualization server reads data from the statistics database and the feature database and plots it as charts, so that administrators can keep track of the operating status of the whole system.

3. Data control module

The data control module is the final execution module of active defense and the output module of the system; it comprises the control server, the control database, the router, the honeywall, the firewall and the intrusion behavior rule database. Data control has two aspects: internal control, which involves the router and the honeywall, and external control, which involves the firewall and the intrusion behavior rule database.

(1) Internal control

Internal control means preventing attacks from internal hosts, mainly the honeypot hosts, and involves the router and the honeywall. The router can modify its routing rules to assist the honeywall in data control. The honeywall places no restrictions on inbound packets, so that attackers can break into the honeynet, but strictly controls stepping-stone attacks launched outward from the honeynet. The control methods are attack packet suppression and limiting the number of outbound connections.

(2) External control

External control means preventing attacks from external hosts and involves the firewall and the intrusion behavior rule database. The firewall uses the defense blacklist to block attacks from known attacker locations and with known attack patterns, uses the protection whitelist to ensure that trusted host addresses are not blocked by mistake, and intercepts packets with spoofed IP addresses by methods such as reverse-path lookup and filtering of reserved IP ranges. The intrusion behavior rule database provides the intrusion detection server of the data capture module with defenses against known attack patterns.

(3) Control server

The control server is the core of the data control module. It combines the commands of the online analysis server, the commands of the offline analysis server and the data in the control database to modify the rules of the honeywall, the firewall and the intrusion behavior database, realizing defense against all attacks, especially newly emerging and even unknown attacks.

(4) Control database

The control database stores every command received and issued by the control server, so that they can be reviewed and restored when a fault occurs.

4. Intrusion deception module

The robustness of the system must account for an attacker using a honeypot host as a stepping stone to attack the other hosts in the subnet. Because the firewall in the data control module intercepts the packets the honeypot sends toward the user network, the attacker's second-stage attack gets no response, and the attacker is likely to realize that the compromised host is a honeypot. Once its true nature is discovered, the honeypot host loses its usefulness.

As shown in Figure 2, the intrusion deception module comprises a honeyfarm host, a honeywall server and a redirecting router. The honeyfarm is a mirror of the user network that simulates its IP addresses, ports, operating systems and so on; it can be realized with virtual honeypot technology in the memory of a single host. Redirection on the router sends the packets that a honeypot addresses to the user network to the honeyfarm host instead, and the honeyfarm's responses to the honeypot can be forwarded to the attacker through the honeywall. The attacker therefore believes the attack succeeded, while the system achieves its defensive purpose and the honeynet remains undiscovered, achieving the purpose of deception. Figure 5 shows the module block diagram of the honeynet-based autonomous defense subsystem with the intrusion deception module added.
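The redirection step of the deception module, as an added illustration that is not part of the patent: the address plan, the honeypot set, the packet tuple and the honeyfarm's fixed answer are assumptions; it contrasts the firewall-only behavior (pivot dropped, no response) with the redirected exchange the attacker sees.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str


# Assumed address plan: honeynet hosts, user hosts and their honeyfarm mirrors.
HONEYPOTS = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}
USER_HOSTS = {"10.0.1.50", "10.0.1.51"}
TO_FARM = {"10.0.1.50": "10.0.9.50", "10.0.1.51": "10.0.9.51"}
FROM_FARM = {farm: real for real, farm in TO_FARM.items()}


def firewall_only(pkt):
    """Without the deception module the firewall drops the pivot attempt (None)."""
    if pkt.src in HONEYPOTS and pkt.dst in USER_HOSTS:
        return None
    return pkt


def redirect_outbound(pkt):
    """Redirecting router: honeypot -> user host is steered to the mirror host."""
    if pkt.src in HONEYPOTS and pkt.dst in TO_FARM:
        return replace(pkt, dst=TO_FARM[pkt.dst])
    return pkt  # traffic that is not a pivot from a honeypot is forwarded as-is


def rewrite_reply(pkt):
    """Reply path: the mirror's answer is made to look like the real user host."""
    if pkt.src in FROM_FARM and pkt.dst in HONEYPOTS:
        return replace(pkt, src=FROM_FARM[pkt.src])
    return pkt


def pivot_exchange(pkt):
    """What the attacker on the honeypot sees for one pivot attempt.

    The honeyfarm answers every redirected packet (modelled as a fixed
    banner); the answer is rewritten on the way back so that its source is
    the real user-host address the attacker targeted.
    """
    out = redirect_outbound(pkt)
    if out.dst not in FROM_FARM:
        return None  # not redirected, so nothing for the honeyfarm to answer
    answer = Packet(src=out.dst, dst=out.src, dport=out.dport, payload="mirror banner")
    return rewrite_reply(answer)


if __name__ == "__main__":
    probe = Packet("10.0.1.10", "10.0.1.50", 445, "probe")
    print("firewall only:", firewall_only(probe))
    print("with deception:", pivot_exchange(probe))
```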

The above concerns the logical design of the system; the physical implementation is considered next, still for the case where the user network is in a single network segment. In one embodiment the honeynet uses three high-interaction server-side honeypot hosts (running Linux, win2k and winxp respectively). Because the user network is not very large and the computing load is light, several services can be combined on one host. The IDS is implemented with snort, and malicious-code capture with Peking University's HoneyBow or Xi'an Jiaotong University's malbox software. The honeywall and the data analysis module can both be placed on one host; the Honeynet Project's honeywall software has a graphical user interface that can be used directly for system configuration, management and data analysis. Alternatively, Xi'an Jiaotong University's botwall software can be used to parse the captured pcap files and read the attack data from them: for each period it computes the distribution of attacking hosts, victim ports, attack protocols and so on, clusters attack patterns by number of attacking hosts, attack protocol, attack port, average packet size and so on, draws trend charts from these data and makes appropriate predictions, and finally sends the blacklist to the firewall control rules. The blacklist consists of source IP addresses and destination ports.
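The offline analysis step just described (per-period statistics, attack pattern clustering, trend prediction and blacklist generation), as an added illustration that is not the patent's or botwall's code: constructed flow records stand in for the attack data read from the pcap, and the thresholds, the size bucket and the iptables-style rule format are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One attack flow as read from the captured pcap (constructed stand-in)."""
    ts: int        # seconds since the start of the analysis period
    src_ip: str    # attacking host seen on the external side of the honeywall
    proto: str     # "tcp" or "udp"
    dst_port: int  # victim port on the honeypot
    size: int      # average packet size of the flow, in bytes


# Constructed sample for a single analysis period (not real capture data).
SAMPLE_FLOWS = [
    Flow(0, "198.51.100.7", "tcp", 445, 120),
    Flow(5, "198.51.100.7", "tcp", 445, 118),
    Flow(9, "198.51.100.7", "tcp", 139, 122),
    Flow(12, "198.51.100.7", "tcp", 445, 121),
    Flow(20, "203.0.113.9", "tcp", 22, 64),
    Flow(21, "203.0.113.9", "tcp", 22, 66),
    Flow(22, "203.0.113.9", "tcp", 22, 65),
    Flow(40, "192.0.2.4", "udp", 53, 80),
    Flow(50, "192.0.2.4", "tcp", 80, 900),
]


def period_stats(flows):
    """Distribution of attacking hosts, victim ports and protocols in one period."""
    return {
        "hosts": Counter(f.src_ip for f in flows),
        "ports": Counter(f.dst_port for f in flows),
        "protos": Counter(f.proto for f in flows),
    }


def cluster_attack_patterns(flows, size_bucket=256):
    """Group flows into attack patterns by protocol, port and packet-size bucket.

    Each pattern records how many distinct hosts used it, how many flows it
    covers and the average packet size; this is the coarse clustering that
    the offline analysis server feeds into the feature database.
    """
    acc = defaultdict(lambda: {"hosts": set(), "flows": 0, "bytes": 0})
    for f in flows:
        key = (f.proto, f.dst_port, f.size // size_bucket)
        acc[key]["hosts"].add(f.src_ip)
        acc[key]["flows"] += 1
        acc[key]["bytes"] += f.size
    return {
        key: {"hosts": len(v["hosts"]), "flows": v["flows"],
              "avg_size": v["bytes"] // v["flows"]}
        for key, v in acc.items()
    }


def rising_ports(prev_ports, cur_ports, factor=2, min_flows=2):
    """Trend check: victim ports whose count at least doubled since last period."""
    return sorted(p for p, n in cur_ports.items()
                  if n >= min_flows and n >= factor * prev_ports.get(p, 0))


def build_blacklist(flows, min_flows=3):
    """Blacklist entries: source IP and destination port (protocol kept for the rule).

    A source is listed for a port once it has hit that port min_flows times
    within the period; the threshold is an assumption, not the page's value.
    """
    hits = Counter((f.src_ip, f.proto, f.dst_port) for f in flows)
    return sorted(key for key, n in hits.items() if n >= min_flows)


def firewall_rules(blacklist):
    """Render blacklist entries as iptables-style DROP rules (assumed format)."""
    return [f"-A FORWARD -s {ip} -p {proto} --dport {port} -j DROP"
            for ip, proto, port in blacklist]


if __name__ == "__main__":
    stats = period_stats(SAMPLE_FLOWS)
    print("attacking hosts:", dict(stats["hosts"]))
    print("patterns:", cluster_attack_patterns(SAMPLE_FLOWS))
    print("rising ports:", rising_ports({445: 1, 22: 3}, stats["ports"]))
    for rule in firewall_rules(build_blacklist(SAMPLE_FLOWS)):
        print(rule)
```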

在以上介绍基于蜜网的自主防御子系统的基础上,下面详细说明本发明的基于蜜网的协同式主动防御系统。Based on the introduction of the honeynet-based autonomous defense subsystem above, the honeynet-based cooperative active defense system of the present invention will be described in detail below.

随着用户网络的扩大,上述自主防御子系统的负担将不断扩大,性能将受到严重影响,通过不断分离服务器可以解决性能问题。但是,随着用户网络不在一个网段内,用户网络的复杂性增加,用户网络的脆弱性也增加,防御难度增加了。无论增加多少台蜜罐主机,都难以反映不同类型不同网段内的用户网的不同特征,由此蜜网制定出的防御策略对于其他网段内的用户并不适用。因此,有必要采用分布式蜜网,即在每一个子网内布置几台蜜罐主机,在此,将一个网段看作一个子网。多个子网间相互协作进行协同式的主动防御,能够有效克服用户网络的脆弱性,会取得更好的主动防御效果。另外,采用集中式的分析和控制,结构简单,易于部署,降低了系统的工作量,提高了效率,更为重要的是实现了多个子蜜网的数据共享、交互、协调、同步,提高了防御的主动性。此处实现的协同式是针对各个子网来说的,强调的是各个子网的相互协同的方法,对于整个用户网络来说仍然是自主式的主动防御。With the expansion of the user network, the burden on the above-mentioned autonomous defense subsystem will continue to expand, and the performance will be seriously affected. The performance problem can be solved by continuously separating the servers. However, as the user network is not in a network segment, the complexity of the user network increases, the vulnerability of the user network also increases, and the difficulty of defense increases. No matter how many honeypot hosts are added, it is difficult to reflect the different characteristics of different types of user networks in different network segments. Therefore, the defense strategy formulated by the honeynet is not applicable to users in other network segments. Therefore, it is necessary to adopt a distributed honeynet, that is, to arrange several honeypot hosts in each subnet. Here, a network segment is regarded as a subnet. Multiple subnets cooperate with each other to carry out cooperative active defense, which can effectively overcome the vulnerability of user networks and achieve better active defense effects. In addition, it adopts centralized analysis and control, which has a simple structure and is easy to deploy, which reduces the workload of the system and improves efficiency. More importantly, it realizes data sharing, interaction, coordination and synchronization of multiple sub-honeynets, improving the defensive initiative. 
The synergy implemented here is for each subnet, emphasizing the mutual cooperation method of each subnet, which is still an autonomous active defense for the entire user network.

具体而言,基于蜜网的协同式主动防御系统的模块框图如图3所示。从各子网分离出来集成在一起的数据分析模块是整个系统的核心模块,另外,一些数据库也集中在一起。将这个加强了的数据分析模块称为蜜网中心(honeycenter),包括运算单元、数据单元、控制单元和可视化单元。运算单元包括统计服务器、攻击模式提取服务器、全局恶意代码分析服务器、综合运算服务器,数据单元包括全局日志记录数据库、全局统计数据库、全局特征数据库、全局控制数据库和全局入侵行为规则数据库,控制单元包括全局控制服务器,可视化单元包括全局可视化服务器。Specifically, the block diagram of the honeynet-based cooperative active defense system is shown in Figure 3. The data analysis module separated from each subnet and integrated together is the core module of the whole system. In addition, some databases are also integrated together. This strengthened data analysis module is called honey center (honeycenter), including computing unit, data unit, control unit and visualization unit. The computing unit includes a statistical server, an attack pattern extraction server, a global malicious code analysis server, and a comprehensive computing server. The data unit includes a global log record database, a global statistical database, a global feature database, a global control database, and a global intrusion behavior rule database. The control unit includes The global control server, the visualization unit includes the global visualization server.

In addition, to ensure the robustness of each subnet and the real-time performance of the system, every subnet still retains its own local online analysis server, which mainly formulates simple real-time self-defense strategies for that subnet. The system deployment is shown in Figure 4, which marks the distribution of the subnets and the honeynet center and the direction of data flow, and omits the labelling of where each module is located. The cooperative active defense system likewise includes a data capture module, a data analysis module and a data control module; unlike the autonomous defense subsystem, however, the components of these three modules are distributed across the honeynet center and the multiple subnets.

The data capture module includes the global log record database and, in each subnet, a honeywall, multiple honeypot hosts, a remote logging server and an intrusion detection server.

The data analysis module includes the statistics server, attack pattern extraction server, global malicious code analysis server, comprehensive computing server, global visualization server, global statistics database and global feature database, and the local online data analysis server in each subnet.

The data control module includes the global control server, global control database and global intrusion behavior rule database, and the redirectable router and firewall in each subnet.

The functions of the individual modules of the honeynet center are described below.

(1) Remote logging server

The remote logging server transmits the attack data captured by the data capture system of the subnet in which it is located to the global log record database.

(2) Global log record database

The global log record database stores the attack data captured by the subnet data capture systems and transmitted by the remote logging servers, for use by the statistics server, the attack pattern extraction server and the comprehensive computing server.

(3) Statistics server

The statistics server extracts all data from the global log record database. The items that can be counted include the distribution of packet protocols, packet sizes, ports, durations, IP geographic regions, traffic volume, attacked ports, attack sources, attacked honeypots, attack time periods, and so on; every statistic can be computed globally or for a subset of the subnets. All statistics are stored in the global statistics database. From the way these distributions change over time the trend of attacks can be predicted effectively, which serves as a basis for formulating defense strategies, and all statistics can be rendered as charts that directly reflect the trend of network security and the operating status of the whole system.

(4) Attack pattern extraction server

The attack pattern extraction server mainly uses data mining and information fusion methods to extract unknown attack patterns and attack methods from the log data and thereby reconstruct attack scenarios. First, it filters all data extracted from the global log record database for attack events, keeping only the packets that represent attack events. Then it processes the header data of the attack-event packets with a clustering algorithm; the data include average packet size, attack duration, attack port, number of attacks, number of victim subnets and so on. This yields multiple attack patterns, and the patterns can be clustered further into attack methods such as DDoS attacks, vulnerability scanning attacks, vulnerability injection attacks, worm attacks and so on. Next, it reconstructs attack scenarios by time series analysis; the results are stored in the global feature database as the basis on which the comprehensive computing server and the online analysis servers formulate defense strategies, and are displayed intuitively through the visualization server. Finally, the attack pattern extraction server transmits the attack features, including the attack patterns, through the global control server to the global intrusion behavior rule database, so that attacks aimed directly at the user network are actively defended against.
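The filtering, per-source feature extraction and clustering steps described above, as an added example that is not code from the patent. The log records are constructed; the distinct-port feature, the min-max scaling and the deterministic k-means with farthest-first seeding are this example's own choices, and the further clustering into attack methods and the time series scenario reconstruction are not included.

```python
"""Attack pattern extraction over a constructed global log (added example,
not code from the patent).  Attack-event filtering, per-source attack records
and clustering as described above; the distinct-port feature, min-max scaling
and the deterministic k-means are this example's own choices."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


def constructed_log():
    """Constructed records: (timestamp, victim subnet, source, dst port, size, IDS verdict)."""
    log = []
    for i in range(40):   # 40 large packets to port 80 of one subnet within 10 s
        log.append((i * 0.25, "subnet-A", "198.51.100.7", 80, 1400, True))
    for i in range(30):   # one small packet per port over two subnets and 60 s
        log.append((i * 2.0, "subnet-A" if i % 2 else "subnet-B",
                    "203.0.113.9", 1000 + i, 60, True))
    for i in range(25):   # a second source with a similar scanning profile
        log.append((5 + i * 2.0, "subnet-C" if i % 2 else "subnet-B",
                    "203.0.113.44", 2000 + i, 64, True))
    for i in range(10):   # benign traffic the intrusion detection server did not flag
        log.append((i * 1.0, "subnet-A", "10.0.1.20", 443, 900, False))
    return log


@dataclass
class AttackRecord:
    source: str
    avg_size: float       # average packet size
    duration: float       # attack duration in seconds
    attack_port: int      # most frequently targeted port
    count: int            # number of attack packets
    victim_subnets: int   # number of victim subnets
    distinct_ports: int   # added feature: number of ports touched

    def features(self) -> List[float]:
        return [self.avg_size, self.duration, float(self.count),
                float(self.victim_subnets), float(self.distinct_ports)]


def extract_records(log) -> Dict[str, AttackRecord]:
    """Keep attack events only, then aggregate each source's packets."""
    by_src: Dict[str, list] = {}
    for ts, subnet, src, port, size, is_attack in log:
        if is_attack:
            by_src.setdefault(src, []).append((ts, subnet, port, size))
    records = {}
    for src, pkts in by_src.items():
        times = [p[0] for p in pkts]
        ports = Counter(p[2] for p in pkts)
        records[src] = AttackRecord(
            source=src, avg_size=sum(p[3] for p in pkts) / len(pkts),
            duration=max(times) - min(times), attack_port=ports.most_common(1)[0][0],
            count=len(pkts), victim_subnets=len({p[1] for p in pkts}),
            distinct_ports=len(ports))
    return records


def normalise(vectors):
    """Min-max scale each feature so byte counts do not dominate the distance."""
    dims = range(len(vectors[0]))
    lo = [min(v[d] for v in vectors) for d in dims]
    hi = [max(v[d] for v in vectors) for d in dims]
    return [[(v[d] - lo[d]) / (hi[d] - lo[d]) if hi[d] > lo[d] else 0.0
             for d in dims] for v in vectors]


def _dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def kmeans(vectors, k, iters=20):
    """Deterministic k-means: farthest-first seeding, then Lloyd iterations."""
    centroids = [vectors[0]]
    while len(centroids) < k:
        centroids.append(max(vectors, key=lambda v: min(_dist(v, c) for c in centroids)))
    labels = [0] * len(vectors)
    for _ in range(iters):
        labels = [min(range(k), key=lambda j: _dist(v, centroids[j])) for v in vectors]
        new = []
        for j in range(k):
            members = [v for v, lab in zip(vectors, labels) if lab == j]
            new.append([sum(col) / len(members) for col in zip(*members)]
                       if members else centroids[j])
        if new == centroids:
            break
        centroids = new
    return labels


def extract_patterns(log, k=2):
    """Cluster the attack records; returns (records, pattern id -> sources)."""
    records = extract_records(log)
    sources = sorted(records)
    labels = kmeans(normalise([records[s].features() for s in sources]), k)
    patterns: Dict[int, List[str]] = {}
    for src, lab in zip(sources, labels):
        patterns.setdefault(lab, []).append(src)
    return records, patterns
```

On the constructed log the two scanning sources land in one pattern and the flood source in another, which is the grouping a defender would then label as an attack method.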

(5) Comprehensive computing server

The comprehensive computing server makes combined use of the data in the data unit to generate a corresponding defense strategy for each individual subnet. First, it filters all data extracted from the global log record database for attack events. Then it applies algorithms such as a highly predictive blacklist generation algorithm, determines the relevant parameters from the statistics database and the feature database, and determines the final defense strategy through victim subnet correlation analysis, attack behavior threat degree analysis and attacker correlation analysis: for example, the firewall blacklists that need to be modified, the list of high-risk subnets that need to be notified, and the list of attacking hosts on the internal and external networks that need to be alerted on. Finally, the comprehensive computing server transmits the results to the global control server.
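A simplified stand-in for the per-subnet strategy generation described above, as an added example that is not the patent's own code. It computes the victim subnet correlation, an attacker threat degree and a correlation-weighted blacklist score in the spirit of the highly predictive blacklist approach; the Jaccard measure, the threat formula, all thresholds and the hit counts are this example's own assumptions, and attacker correlation analysis and the alert list are left out.

```python
"""Cooperative blacklist generation for the comprehensive computing server
(added example, not the patent's own code).  Victim-subnet correlation,
attacker threat degree and the correlation-weighted scoring below follow the
'highly predictive blacklist' idea in simplified form; the Jaccard measure,
the threat formula and all thresholds are this example's own assumptions."""
from itertools import combinations
from typing import Dict

# Constructed input: attack-event counts per victim subnet and attacker source,
# as they would be read from the global log record database after filtering.
HITS: Dict[str, Dict[str, int]] = {
    "subnet-A": {"198.51.100.7": 40, "203.0.113.9": 15, "192.0.2.3": 2},
    "subnet-B": {"203.0.113.9": 15, "203.0.113.44": 12, "198.51.100.7": 5},
    "subnet-C": {"203.0.113.44": 13, "192.0.2.77": 30},
    "subnet-D": {},   # a subnet whose honeynet has captured nothing yet
}


def subnet_correlation(hits):
    """Victim subnet correlation: Jaccard similarity of the attacker sets."""
    corr = {s: {s: 1.0} for s in hits}
    for a, b in combinations(hits, 2):
        sa, sb = set(hits[a]), set(hits[b])
        corr[a][b] = corr[b][a] = len(sa & sb) / len(sa | sb) if sa | sb else 0.0
    return corr


def attacker_threat(hits):
    """Threat degree: total attack events times number of subnets hit."""
    total, spread = {}, {}
    for attackers in hits.values():
        for a, n in attackers.items():
            total[a] = total.get(a, 0) + n
            spread[a] = spread.get(a, 0) + 1
    return {a: total[a] * spread[a] for a in total}


def blacklist_scores(hits, corr):
    """Score attacker a for subnet s: sum over subnets s' of corr(s, s') * hits."""
    scores = {s: {} for s in hits}
    for s in hits:
        for other, sim in corr[s].items():
            if sim == 0.0:
                continue
            for a, n in hits[other].items():
                scores[s][a] = scores[s].get(a, 0.0) + sim * n
    return scores


def defense_strategy(hits, min_score=3.0, global_threat=60, notify_threshold=5.0):
    """Per-subnet blacklists plus the high-risk subnets to notify."""
    corr = subnet_correlation(hits)
    threat = attacker_threat(hits)
    scores = blacklist_scores(hits, corr)
    blacklists, high_risk = {}, []
    for s in hits:
        # keep attackers seen locally, predicted strongly for this subnet via
        # correlated subnets, or threatening enough to block everywhere
        keep = [a for a in threat if a in hits[s]
                or scores[s].get(a, 0.0) >= min_score or threat[a] >= global_threat]
        blacklists[s] = sorted(keep, key=lambda a: (-scores[s].get(a, 0.0), a))
        # predicted score mass from attackers this subnet has not seen itself
        predicted = sum(v for a, v in scores[s].items() if a not in hits[s])
        if predicted > notify_threshold:
            high_risk.append(s)
    return {"correlation": corr, "blacklists": blacklists,
            "high_risk": sorted(high_risk)}
```

Note that subnet-D, whose honeynet has seen nothing, still receives the attackers whose threat degree exceeds the global threshold, while low-volume attackers seen only by an uncorrelated subnet stay off its list.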

In addition, as in the autonomous defense subsystem described earlier, the cooperative active defense system may also include an intrusion deception module to enhance the robustness of the system. The intrusion deception module includes honeyfarm hosts, a honeywall server and a redirection router, and is used to deceive attackers and protect the honeynet.

Thus, by means of the integrated data analysis module, the cooperative active defense system has all the functions of autonomous active defense.

For the network as a whole:

If the attacker is on the external network, an attack from a known attacker location is blocked directly by the firewall. If an attack of a known attack pattern hits the user network first, it is discovered by the intrusion detection server, and the control server modifies the firewall rules to block packets from that attacker's location. If an attack of a known attack pattern hits the honeynet first, the online analysis server analyzes the attacker's location and the control server modifies the firewall rules to block it. If an attack of an unknown attack pattern hits the honeynet first, the computing unit's analysis extracts attack features and attack patterns from the traffic characteristics and malicious code analysis, the feature database is updated, and the control server updates the firewall rules and intrusion behavior rule bases of all or some of the subnets; when the same type of attack strikes these honeynets or user networks again, the firewall intercepts it. This realizes active defense of the user network as a whole.

For a single subnet:

If the attacker is an intranet user: if an attack of a known attack pattern hits other users in the subnet first, it is discovered by the intrusion detection server, and the control server issues a notification about it and raises an alarm to the subnet. If an attack of a known attack pattern hits the honeynet first, the local online analysis server analyzes the attacker's location, and the local control server issues a notification and raises an alarm to the subnet. If an attack of an unknown attack pattern hits the honeynet first, the honeynet center's analysis extracts attack features and attack patterns from the traffic characteristics and malicious code analysis, the feature database is updated, the control server issues a notification and raises an alarm to the subnet, and the intrusion behavior rule base is updated, realizing active defense against attacks from inside the network.

If the attacker is a user in another subnet: if an attack of a known attack pattern hits other users in this subnet first, it is discovered by the intrusion detection server, the local control server modifies the firewall rules to block packets from the attacker's location, and the global control server issues a notification and raises an alarm to the whole network. If an attack of a known attack pattern hits the honeynet first, the online analysis server analyzes the attacker's location, the local control server modifies the firewall rules to block it, and the global control server issues a notification and raises an alarm to the whole network. If an attack of an unknown attack pattern hits the honeynet first, the honeynet center's analysis extracts attack features and attack patterns from the traffic characteristics and malicious code analysis, the feature database is updated, the local control server modifies the firewall rules to block it, the global control server issues a notification and raises an alarm to the subnet, and the intrusion behavior rule base is updated, realizing active defense against attacks from inside the network.

Because information is shared, a single subnet can defend itself using data captured by the honeynets of other subnets, and the initiative and foresight of its defense improve greatly: attacks that were previously unknown to it become known attacks, and the probability of its being attacked falls sharply. In addition, to raise the interception success rate the system fully accounts for the complexity of the individual subnets, formulating a different defense strategy for each subnet, with more similar subnets receiving more similar strategies. Once a honeypot is compromised, the honeywall prevents the honeypot from attacking users, and the router redirects the attack traffic to the honeyfarm so that the attacker does not discover the honeypot. The defense effect is positively correlated with the analysis speed of the data unit and inversely correlated with the analysis period: the faster the offline analysis, the better the active defense. The defense effect is also positively correlated with how widely the honeynets are distributed: the more numerous and the more widely dispersed the honeynets, the better the active defense.

The above describes only preferred embodiments of the present invention and is not intended to limit it; any modifications, equivalent replacements and improvements made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (6)

1. A honeynet-based cooperative active defense system comprising a data capture module, a data analysis module and a data control module, characterized in that the data capture module, the data analysis module and the data control module are distributed across one honeynet center and multiple subnets, wherein:

the data capture module includes a global log record database located in the honeynet center and, in each subnet, a honeywall, multiple honeypot hosts, a remote logging server and an intrusion detection server;

the data analysis module includes a statistics server, an attack pattern extraction server, a global malicious code analysis server, a comprehensive computing server, a global visualization server, a global statistics database and a global feature database located in the honeynet center, and a local online data analysis server in each subnet;

the data control module includes a global control server, a global control database and a global intrusion behavior rule database located in the honeynet center, and a redirectable router and a firewall in each subnet.

2. The honeynet-based cooperative active defense system according to claim 1, wherein:

the remote logging server transmits the attack data captured in its subnet to the global log record database, and the global log record database stores the attack data transmitted by the remote logging servers for use by the statistics server, the attack pattern extraction server and the comprehensive computing server;

the statistics server extracts all data from the global log record database and stores all statistics in the global statistics database as a basis for formulating defense strategies;

the attack pattern extraction server extracts multiple attack patterns from the data extracted from the global log record database and transmits attack features including the attack patterns through the global control server to the global intrusion behavior rule database, so as to actively defend against attacks aimed directly at the user network;

the comprehensive computing server filters all data extracted from the global log record database for attack events, then applies a highly predictive blacklist generation algorithm, determines the relevant parameters from the global statistics database and the global feature database, determines the final defense strategy through victim subnet correlation analysis, attack behavior threat degree analysis and attacker correlation analysis, and transmits the result to the global control server.

3. The honeynet-based cooperative active defense system according to claim 2, wherein the items counted by the statistics server include: the distribution of packet protocols, packet sizes, ports, durations, IP geographic regions, traffic volume, attacked ports, attack sources, attacked honeypots and attack time periods.

4. The honeynet-based cooperative active defense system according to claim 2, wherein the attack pattern extraction server is specifically configured to:

first, filter all data extracted from the global log record database for attack events, keeping only the packets that represent attack events;

then, process the header data of the attack-event packets with a clustering algorithm to extract multiple attack patterns, reconstruct attack scenarios by time series analysis, and store the results in the global feature database as the basis on which the comprehensive computing server and the local online data analysis servers in the subnets formulate defense strategies, displaying them intuitively through the global visualization server;

finally, transmit attack features including the attack patterns through the global control server to the global intrusion behavior rule database, so as to actively defend against attacks aimed directly at the user network.

5. The honeynet-based cooperative active defense system according to claim 4, wherein the packet header data include average packet size, attack duration, attack port, number of attacks and number of victim subnets.

6. The honeynet-based cooperative active defense system according to claim 1, preferably further comprising an intrusion deception module for deceiving attackers, the intrusion deception module including a honeyfarm host, a honeywall server and a redirection router.
CN201310500444.7A 2013-10-22 2013-10-22 Cooperating type Active Defending System Against based on honey net Active CN103561004B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310500444.7A CN103561004B (en) 2013-10-22 2013-10-22 Cooperating type Active Defending System Against based on honey net

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310500444.7A CN103561004B (en) 2013-10-22 2013-10-22 Cooperating type Active Defending System Against based on honey net

Publications (2)

Publication Number Publication Date
CN103561004A true CN103561004A (en) 2014-02-05
CN103561004B CN103561004B (en) 2016-10-12

Family

ID=50015154

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310500444.7A Active CN103561004B (en) 2013-10-22 2013-10-22 Cooperating type Active Defending System Against based on honey net

Country Status (1)

Country Link
CN (1) CN103561004B (en)

Cited By (48)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104410617A (en) * 2014-11-21 2015-03-11 西安邮电大学 Information safety attack and defense system structure of cloud platform
CN104486320A (en) * 2014-12-10 2015-04-01 国家电网公司 Intranet sensitive information disclosure evidence collection system and method based on honeynet technology
CN104579841A (en) * 2015-01-09 2015-04-29 北京京东尚科信息技术有限公司 System for generating statistical result for specific statistic data items according to received UDP messages
CN104967628A (en) * 2015-07-16 2015-10-07 浙江大学 A decoy method to protect web application security
CN105718801A (en) * 2016-01-26 2016-06-29 国家信息技术安全研究中心 Loophole clustering method based on programming mode and mode matching
CN106209867A (en) * 2016-07-15 2016-12-07 北京元支点信息安全技术有限公司 A kind of Advanced threat defence method and system
CN106330964A (en) * 2016-10-14 2017-01-11 成都信息工程大学 A network intrusion detection and active defense linkage control device
CN106375384A (en) * 2016-08-28 2017-02-01 北京瑞和云图科技有限公司 Management system of mirror network flow in virtual network environment and control method
CN106506435A (en) * 2015-09-08 2017-03-15 中国电信股份有限公司 For detecting method and the firewall system of network attack
CN106534114A (en) * 2016-11-10 2017-03-22 北京红马传媒文化发展有限公司 Big-data-analysis-based anti-malicious attack system
CN106534042A (en) * 2015-09-09 2017-03-22 阿里巴巴集团控股有限公司 Server invasion identifying method and apparatus based on data analysis and cloud safety system
CN106878438A (en) * 2017-03-03 2017-06-20 久远谦长(北京)技术服务有限公司 The method and system of user behavior analysis under a kind of https environment
CN106911662A (en) * 2016-10-12 2017-06-30 深圳市安之天信息技术有限公司 A kind of system and method for the low interaction of malice sample cultivation interaction conversion high
CN107070929A (en) * 2017-04-20 2017-08-18 中国电子技术标准化研究院 A kind of industry control network honey pot system
CN107241338A (en) * 2017-06-29 2017-10-10 北京北信源软件股份有限公司 Network anti-attack devices, systems, and methods, computer-readable recording medium and storage control
CN107277039A (en) * 2017-07-18 2017-10-20 河北省科学院应用数学研究所 A kind of network attack data analysis and intelligent processing method
CN107360145A (en) * 2017-06-30 2017-11-17 北京航空航天大学 A kind of multinode honey pot system and its data analysing method
CN107404465A (en) * 2016-05-20 2017-11-28 阿里巴巴集团控股有限公司 Network data analysis method and server
CN107547546A (en) * 2017-09-05 2018-01-05 山东师范大学 The high interaction honey network data transmission method of lightweight based on card computer, system
CN107547495A (en) * 2016-06-24 2018-01-05 卡巴斯基实验室股份制公司 For protecting computer from the system and method for unwarranted remote management
CN108183916A (en) * 2018-01-15 2018-06-19 华北电力科学研究院有限责任公司 A kind of network attack detecting method and device based on log analysis
CN108366088A (en) * 2017-12-28 2018-08-03 广州华夏职业学院 A kind of information security early warning system for Instructing network
CN104935580B (en) * 2015-05-11 2018-09-11 国家电网公司 Information security control method based on cloud platform and system
CN108769071A (en) * 2018-07-02 2018-11-06 腾讯科技(深圳)有限公司 attack information processing method, device and internet of things honey pot system
CN109255243A (en) * 2018-09-28 2019-01-22 深信服科技股份有限公司 Restorative procedure, system, device and the storage medium of potential threat in a kind of terminal
CN109696892A (en) * 2018-12-21 2019-04-30 上海瀚之友信息技术服务有限公司 A kind of Safety Automation System and its control method
CN109818985A (en) * 2019-04-11 2019-05-28 江苏亨通工控安全研究院有限公司 A kind of industrial control system loophole trend analysis and method for early warning and system
CN110011982A (en) * 2019-03-19 2019-07-12 西安交通大学 A virtualization-based attack intelligent decoy system and method
CN110035429A (en) * 2019-04-09 2019-07-19 重庆邮电大学 WiFi and anti-interference minimal redundancy method under ZigBee coexistance model
CN110505195A (en) * 2019-06-26 2019-11-26 中电万维信息技术有限责任公司 The dispositions method and system of fictitious host computer
CN110516444A (en) * 2019-07-23 2019-11-29 成都理工大学 Kernel-based cross-terminal cross-version root attack detection and protection system
TWI682644B (en) * 2019-01-07 2020-01-11 中華電信股份有限公司 Dynamic protection method for network node and network protection server
CN111416810A (en) * 2020-03-16 2020-07-14 北京计算机技术及应用研究所 Multi-security-component cooperative response method based on group intelligence
CN111478912A (en) * 2020-04-10 2020-07-31 厦门慢雾科技有限公司 Block chain intrusion detection system and method
CN111641620A (en) * 2020-05-21 2020-09-08 黄筱俊 Novel cloud honeypot method and framework for detecting evolution DDoS attack
CN111669403A (en) * 2020-06-24 2020-09-15 广州锦行网络科技有限公司 Multi-drainage multi-trapping node deployment system
CN111756742A (en) * 2020-06-24 2020-10-09 广州锦行网络科技有限公司 Honeypot deception defense system and deception defense method thereof
CN112187825A (en) * 2020-10-13 2021-01-05 网络通信与安全紫金山实验室 Honeypot defense method, system, equipment and medium based on mimicry defense
CN112788008A (en) * 2020-12-30 2021-05-11 上海磐御网络科技有限公司 Network security dynamic defense system and method based on big data
CN112866259A (en) * 2021-01-22 2021-05-28 杭州木链物联网科技有限公司 Industrial control honey pot node management method and device, computer equipment and storage medium
CN112910917A (en) * 2021-02-25 2021-06-04 深信服科技股份有限公司 Network isolation method, device, equipment and readable storage medium
CN112995187A (en) * 2021-03-09 2021-06-18 中国人民解放军空军工程大学 Network cooperative defense system and method based on community structure
CN113079124A (en) * 2020-01-03 2021-07-06 中国移动通信集团广东有限公司 Intrusion behavior detection method and system and electronic equipment
CN109033825B (en) * 2018-06-04 2021-07-30 温州市图盛科技有限公司 A blockchain-based anti-attack power network system
CN113395288A (en) * 2021-06-24 2021-09-14 浙江德迅网络安全技术有限公司 Active defense DDOS system based on SDWAN
CN114866326A (en) * 2022-05-16 2022-08-05 上海磐御网络科技有限公司 Camera honeypot construction method based on linux system
CN115580428A (en) * 2022-08-26 2023-01-06 江苏省未来网络创新研究院 Intrusion prevention optimization method and device based on missing scanning result
US11570212B2 (en) 2018-03-19 2023-01-31 Huawei Technologies Co., Ltd. Method and apparatus for defending against network attack

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101741570A (en) * 2008-11-14 2010-06-16 电子科技大学 Reverse Data Connection Control Method Based on Honeynet


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
XIAOBO MA ETC: "Honeynet-based Collaborative Defense using Improved Highly Predictive Blacklisting Algorithm", 《IEEE》 *
熊明辉等: "基于主动安全策略的蜜网系统的设计与实现", 《计算机工程与设计》 *
董国锋: "基于协同的虚拟蜜网实现与分析", 《华东师范大学硕士学位论文》 *

Cited By (64)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104410617A (en) * 2014-11-21 2015-03-11 西安邮电大学 Information safety attack and defense system structure of cloud platform
CN104486320A (en) * 2014-12-10 2015-04-01 国家电网公司 Intranet sensitive information disclosure evidence collection system and method based on honeynet technology
CN104486320B (en) * 2014-12-10 2018-10-26 国家电网公司 Intranet sensitive information leakage evidence-obtaining system and method based on sweet network technology
CN104579841B (en) * 2015-01-09 2018-09-14 北京京东尚科信息技术有限公司 The system to the statistical result of certain statistical data item is generated according to the UDP messages of reception
CN104579841A (en) * 2015-01-09 2015-04-29 北京京东尚科信息技术有限公司 System for generating statistical result for specific statistic data items according to received UDP messages
CN104935580B (en) * 2015-05-11 2018-09-11 国家电网公司 Information security control method based on cloud platform and system
CN104967628A (en) * 2015-07-16 2015-10-07 浙江大学 A decoy method to protect web application security
CN104967628B (en) * 2015-07-16 2017-12-26 浙江大学 A kind of decoy method of protection web applications safety
CN106506435B (en) * 2015-09-08 2019-08-06 中国电信股份有限公司 For detecting the method and firewall system of network attack
CN106506435A (en) * 2015-09-08 2017-03-15 中国电信股份有限公司 For detecting method and the firewall system of network attack
CN106534042A (en) * 2015-09-09 2017-03-22 阿里巴巴集团控股有限公司 Server invasion identifying method and apparatus based on data analysis and cloud safety system
CN105718801A (en) * 2016-01-26 2016-06-29 国家信息技术安全研究中心 Loophole clustering method based on programming mode and mode matching
CN107404465A (en) * 2016-05-20 2017-11-28 阿里巴巴集团控股有限公司 Network data analysis method and server
CN107404465B (en) * 2016-05-20 2020-08-04 阿里巴巴集团控股有限公司 Network data analysis method and server
CN107547495A (en) * 2016-06-24 2018-01-05 卡巴斯基实验室股份制公司 For protecting computer from the system and method for unwarranted remote management
CN106209867A (en) * 2016-07-15 2016-12-07 北京元支点信息安全技术有限公司 A kind of Advanced threat defence method and system
CN106375384A (en) * 2016-08-28 2017-02-01 北京瑞和云图科技有限公司 Management system of mirror network flow in virtual network environment and control method
CN106375384B (en) * 2016-08-28 2019-06-18 北京瑞和云图科技有限公司 The management system and control method of image network flow in a kind of virtual network environment
CN106911662A (en) * 2016-10-12 2017-06-30 深圳市安之天信息技术有限公司 A kind of system and method for the low interaction of malice sample cultivation interaction conversion high
CN106330964A (en) * 2016-10-14 2017-01-11 成都信息工程大学 A network intrusion detection and active defense linkage control device
CN106330964B (en) * 2016-10-14 2019-10-11 成都信息工程大学 A network intrusion detection and active defense linkage control device
CN106534114A (en) * 2016-11-10 2017-03-22 北京红马传媒文化发展有限公司 Big-data-analysis-based anti-malicious attack system
CN106878438A (en) * 2017-03-03 2017-06-20 久远谦长(北京)技术服务有限公司 The method and system of user behavior analysis under a kind of https environment
CN107070929A (en) * 2017-04-20 2017-08-18 中国电子技术标准化研究院 A kind of industry control network honey pot system
CN107241338A (en) * 2017-06-29 2017-10-10 北京北信源软件股份有限公司 Network anti-attack devices, systems, and methods, computer-readable recording medium and storage control
CN107360145B (en) * 2017-06-30 2020-12-25 北京航空航天大学 Multi-node honeypot system and data analysis method thereof
CN107360145A (en) * 2017-06-30 2017-11-17 北京航空航天大学 A kind of multinode honey pot system and its data analysing method
CN107277039B (en) * 2017-07-18 2020-01-14 河北省科学院应用数学研究所 Network attack data analysis and intelligent processing method
CN107277039A (en) * 2017-07-18 2017-10-20 河北省科学院应用数学研究所 A kind of network attack data analysis and intelligent processing method
CN107547546B (en) * 2017-09-05 2019-11-12 山东师范大学 Lightweight high-interaction honeynet data transmission method and system based on card computer
CN107547546A (en) * 2017-09-05 2018-01-05 山东师范大学 The high interaction honey network data transmission method of lightweight based on card computer, system
CN108366088A (en) * 2017-12-28 2018-08-03 广州华夏职业学院 A kind of information security early warning system for Instructing network
CN108183916A (en) * 2018-01-15 2018-06-19 华北电力科学研究院有限责任公司 A kind of network attack detecting method and device based on log analysis
CN108183916B (en) * 2018-01-15 2020-08-14 华北电力科学研究院有限责任公司 Network attack detection method and device based on log analysis
US11570212B2 (en) 2018-03-19 2023-01-31 Huawei Technologies Co., Ltd. Method and apparatus for defending against network attack
CN109033825B (en) * 2018-06-04 2021-07-30 温州市图盛科技有限公司 A blockchain-based anti-attack power network system
CN108769071A (en) * 2018-07-02 2018-11-06 腾讯科技(深圳)有限公司 attack information processing method, device and internet of things honey pot system
CN109255243B (en) * 2018-09-28 2022-06-21 深信服科技股份有限公司 Method, system, device and storage medium for repairing potential threats in terminal
CN109255243A (en) * 2018-09-28 2019-01-22 深信服科技股份有限公司 Restorative procedure, system, device and the storage medium of potential threat in a kind of terminal
CN109696892A (en) * 2018-12-21 2019-04-30 上海瀚之友信息技术服务有限公司 A kind of Safety Automation System and its control method
TWI682644B (en) * 2019-01-07 2020-01-11 中華電信股份有限公司 Dynamic protection method for network node and network protection server
CN110011982A (en) * 2019-03-19 2019-07-12 西安交通大学 A virtualization-based attack intelligent decoy system and method
CN110035429A (en) * 2019-04-09 2019-07-19 重庆邮电大学 WiFi and anti-interference minimal redundancy method under ZigBee coexistence model
CN110035429B (en) * 2019-04-09 2021-11-09 重庆邮电大学 Anti-interference minimum redundancy method in WiFi and ZigBee coexistence mode
CN109818985A (en) * 2019-04-11 2019-05-28 江苏亨通工控安全研究院有限公司 A kind of industrial control system loophole trend analysis and method for early warning and system
CN110505195A (en) * 2019-06-26 2019-11-26 中电万维信息技术有限责任公司 The dispositions method and system of fictitious host computer
CN110516444A (en) * 2019-07-23 2019-11-29 成都理工大学 Kernel-based cross-terminal cross-version root attack detection and protection system
CN113079124A (en) * 2020-01-03 2021-07-06 中国移动通信集团广东有限公司 Intrusion behavior detection method and system and electronic equipment
CN111416810A (en) * 2020-03-16 2020-07-14 北京计算机技术及应用研究所 Multi-security-component cooperative response method based on group intelligence
CN111478912A (en) * 2020-04-10 2020-07-31 厦门慢雾科技有限公司 Block chain intrusion detection system and method
CN111641620A (en) * 2020-05-21 2020-09-08 黄筱俊 Novel cloud honeypot method and framework for detecting evolution DDoS attack
CN111669403A (en) * 2020-06-24 2020-09-15 广州锦行网络科技有限公司 Multi-drainage multi-trapping node deployment system
CN111756742A (en) * 2020-06-24 2020-10-09 广州锦行网络科技有限公司 Honeypot deception defense system and deception defense method thereof
CN112187825B (en) * 2020-10-13 2022-08-02 网络通信与安全紫金山实验室 A honeypot defense method, system, device and medium based on mimic defense
CN112187825A (en) * 2020-10-13 2021-01-05 网络通信与安全紫金山实验室 Honeypot defense method, system, equipment and medium based on mimicry defense
CN112788008B (en) * 2020-12-30 2022-04-26 上海磐御网络科技有限公司 Network security dynamic defense system and method based on big data
CN112788008A (en) * 2020-12-30 2021-05-11 上海磐御网络科技有限公司 Network security dynamic defense system and method based on big data
CN112866259A (en) * 2021-01-22 2021-05-28 杭州木链物联网科技有限公司 Industrial control honey pot node management method and device, computer equipment and storage medium
CN112910917A (en) * 2021-02-25 2021-06-04 深信服科技股份有限公司 Network isolation method, device, equipment and readable storage medium
CN112995187A (en) * 2021-03-09 2021-06-18 中国人民解放军空军工程大学 Network cooperative defense system and method based on community structure
CN112995187B (en) * 2021-03-09 2022-12-06 中国人民解放军空军工程大学 Network cooperative defense system and method based on community structure
CN113395288A (en) * 2021-06-24 2021-09-14 浙江德迅网络安全技术有限公司 Active defense DDOS system based on SDWAN
CN114866326A (en) * 2022-05-16 2022-08-05 上海磐御网络科技有限公司 Camera honeypot construction method based on linux system
CN115580428A (en) * 2022-08-26 2023-01-06 江苏省未来网络创新研究院 Intrusion prevention optimization method and device based on missing scanning result

Also Published As

Publication number Publication date
CN103561004B (en) 2016-10-12

Similar Documents

Publication Publication Date Title
CN103561004B (en) Cooperating type Active Defending System Against based on honey net
CN111385236B (en) Dynamic defense system based on network spoofing
Prasad et al. An efficient detection of flooding attacks to Internet Threat Monitors (ITM) using entropy variations under low traffic
CN112087413B (en) Network attack intelligent dynamic protection and trapping system and method based on active detection
TW201738796A (en) Prevention and control method, apparatus and system for network attack
KR101156005B1 (en) System and method for network attack detection and analysis
Chen et al. Intrusion detection
KR101553264B1 (en) System and method for preventing network intrusion
CN112398844A (en) Implementation method of traffic analysis based on real-time drainage data of internal and external networks
Lin et al. Implementation of an SDN-based security defense mechanism against DDoS attacks
CN115051836A (en) APT attack dynamic defense method and system based on SDN
Mishra et al. Analysis of cloud computing vulnerability against DDoS
Wang et al. Distributed denial of service attack defence simulation based on honeynet technology
Hirsi et al. Comprehensive analysis of ddos anomaly detection in software-defined networks
Ahmed et al. A Linux-based IDPS using Snort
Patel et al. A snort-based secure edge router for smart home
Proença et al. How to use software–defined networking to improve security—A survey
Mudgal et al. Spark-based network security honeypot system: detailed performance analysis
Prasad et al. IP traceback for flooding attacks on Internet threat monitors (ITM) using Honeypots
Li-Juan Honeypot-based defense system research and design
Abdulrezzak et al. Enhancing Intrusion Prevention in Snort System
Ayeni et al. Design and implementation of a medium interaction honeypot
Seo et al. Witnessing Distributed Denial-of-Service traffic from an attacker's network
Rao et al. Web Based Honeypots Network
Rodrigues et al. Design and implementation of a low-cost low interaction IDS/IPS system using virtual honeypot approach

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant