CN107454068B - Honey net safety situation perception method combining immune hazard theory - Google Patents
- Publication number: CN107454068B (application CN201710599561.1A)
- Authority: CN (China)
- Prior art keywords: honey net, honey, theory, network, signals
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Classifications
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1458—Denial of Service
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Abstract
The invention relates to a honeynet security situation perception method combining immune danger theory. Every packet entering or leaving the honeynet is treated as malicious traffic, and operations on information such as accounts, data and services, including stealing, tampering, deleting and similar behaviour, are mapped to the input signals of the immune danger theory. Combined with the mapped antigen information, the danger theory is used to calculate a global threat degree value that reflects the attack intensity against the whole honeynet and can be mapped to a visual representation of the network security situation. Aimed at the defects of existing honeynet data fusion methods, the method accurately reflects the attack strength on the honeynet and implements effective situation perception and security early warning when facing typical network threats such as remote scanning, denial of service attacks, and software and operating system vulnerabilities.
Description
Technical Field
The invention relates to a security situation perception method for a honey net, in particular to a honey net security situation perception method combining an immune hazard theory.
Background
Honeypots and honeynets are an active defense technology that can effectively trap, capture and analyze the ubiquitous threats faced by large-scale networks. As novel attack methods evolve, a defender who protects network resources only with traditional means such as firewalls and intrusion detection systems is increasingly at a disadvantage in the game and often unaware of the attack. Honeynet technology instead attracts attackers with realistic baits, grasps attack behaviour comprehensively and in depth, infers attack intentions, analyzes attack mechanisms, reduces the risk to the production network and, at the same time, enhances the security protection capability of the overall network system.
Security situation awareness is responsible for analyzing the network security situation and evaluating network risk so that defensive measures can be taken in advance. First, features are extracted: for example, the data acquired by the honeynet is counted with basic empirical analysis methods and threat features are extracted. Then attack analysis is carried out, using multi-source information fusion methods to uncover the truth behind the data. Finally, a threat situation assessment report is generated by calculation, providing security early warning and decision support for network security management. However, honeynet data is generally of many types, highly redundant and semantically poor, and the prior art finds it difficult to explain the network security situation intuitively.
Disclosure of Invention
Aimed at the defects of existing honeynet data fusion methods, the invention provides a honeynet security situation sensing method combined with immune hazard theory. The method can accurately reflect the attack strength on the honeynet and implement effective situation sensing and security early warning when facing typical network threats such as remote scanning, denial of service attacks, and software and operating system vulnerabilities.
The technical scheme adopted by the invention is as follows:
A honeynet security situation perception method combining immune hazard theory, characterized by comprising the following steps:
1) setting up a honeynet cluster according to a corresponding topological structure, configuring false data and services in the nodes, and reserving a certain number of unprotected vulnerabilities in the node operating systems and their application software to induce attackers to come forward;
2) acquiring and storing the network traffic in the honeynet over a preset time period, counting the network traffic and the specific behaviour characteristics in the honeynet, mapping them into different types of signals, and using these signals as the input signals of the danger theory;
3) in the honeynet system, over a set time period, collecting statistics on host/server processes and their process identifiers (PIDs), logs and attacker keystroke information, and mapping these statistics into antigen information;
4) performing basic analysis on the input signals with the DCA (Dendritic Cell Algorithm) of immune danger theory, combined with the antigen information, to obtain the output signals Mature (MA), Semi-Mature (SM) and CSM (Co-Stimulation);
5) after obtaining the output signals, the central management node of the honeynet uses Mature and Semi-Mature to calculate the global threat value V of the honeynet, thereby representing the security situation of the honeynet, or returns to step 2).
According to the traffic data of step 2), the percentage deviations of HTTP/HTTPS protocol traffic, DNS protocol traffic, POP3 and IMAP e-mail protocol traffic, and FTP protocol traffic are mapped in turn to the Safe type signals S5, S6, S7 and S8, and the change ratio of packet size and the change ratio of packet inter-arrival time in the network traffic are mapped to the Danger type signals S1 and S2.
The specific behaviour characteristics of the honeynet in step 2) are the number of times data resources are tampered with or deleted without authorization within the set time period, and the fault-free ratio of the honeynet system relative to the real production network; these are mapped in sequence to the PAMPs type signal S3 and the Inflam type signal S9.
Antigen information differs from danger signals: it is responsible for providing information about the threat itself and its related sources, and in the security situation analysis potential attackers can be found and traced by mining clues and connections from the antigens.
In step 4), basic analysis is performed using the following weight matrix to obtain the output signals.
The specific operation of step 5), calculating the global threat value V of the honeynet or returning to step 2), is chosen by comparing the CSM value, which is responsible for controlling the work period of the honeynet, with a set migration threshold: the threat value is calculated when the CSM value exceeds the migration threshold, and the method returns to step 2) when it does not.
The logs are firewall logs, IDS/IPS logs, and antivirus logs.
The invention has the following beneficial and positive effects:
1. in view of the gradual strengthening of the current novel network attack means, the invention can effectively hide the real production network by utilizing the honey net technology, thereby reducing the risk of the production network suffering from the attack.
2. The invention utilizes the honey net technology to attract attackers by deploying vivid baits, can comprehensively and deeply master attack behaviors, further speculates attack intentions, analyzes attack mechanisms and enhances the safety protection capability of the whole network system.
3. The invention aims at the collected and captured honeynet data, and utilizes the immune hazard theory to calculate and obtain the global threat degree value reflecting the attack degree of the whole honeynet, thereby greatly improving the system responsiveness and accuracy and being capable of visually mapping the network security situation.
Drawings
FIG. 1 is a honey net safety situation perception model based on immune hazard theory;
FIG. 2 is a flow chart of the processing of a single Dendritic Cell node in the honeynet cluster;
Detailed Description
The invention is described in detail below with reference to the drawings: in FIG. 1, honeynets A to N on the left are the deployed honeynet cluster, and the right part is the central management node responsible for security situation perception and early warning; every honeynet element, including the honeynet hosts, the honeynet servers and the honeynet gateway, is mapped to one Dendritic Cell node, and the processing flow of a single Dendritic Cell node is shown in FIG. 2.
Example: the honeynet security situation perception method based on immune hazard theory specifically comprises the following steps:
Step 1: a honeynet has its own particularities, so the network administrator first needs to build a honeynet cluster, design the honeynet topology autonomously, configure false data and services in the nodes, and reserve a certain number of unprotected vulnerabilities in the node operating systems and their application software to induce attackers to come forward;
Step 2: because the honeynet has no production activities or authorized services, packets entering or leaving the honeynet can be regarded as malicious traffic, and operations on information such as accounts, data and services, including stealing, tampering and deleting, can be regarded as the work of attackers. This step therefore summarizes the most representative behaviour characteristics and maps them to the input signals of the danger theory.
Step 3: according to immune danger theory, when a danger signal is emitted by a cell dying unexpectedly, the APC (antigen-presenting cell) is activated and captures the antigen, and then presents the recognized antigen to lymphocytes to generate antibodies. The antigen therefore differs from a danger signal: it provides information about the threat itself and its related sources, and in a security early-warning model potential attackers must be found and traced by mining clues and connections from the antigens. This step is therefore responsible for defining and collecting the antigen information in the honeynet.
Step 4: after the input signals and antigens have been defined and captured, the output signals are calculated by the DCA algorithm; there are three types, MA (Mature), SM (Semi-Mature) and CSM (Co-Stimulation).
Step 5: the work cycle of the honeynet is controlled by the calculated CSM signal. If the CSM value exceeds the set migration threshold, the honeynet must present its analysis results, such as the antigen information and output signals, to the right part of FIG. 1, where the central management node performs overall security situation perception and early-warning analysis for the network. Otherwise, the honeynet continues collecting and calculating the output signals.
The contents of steps 1 to 5 are described in detail below:
(I) Step 1:
The application of immune hazard theory requires a sampling space of a certain scale: the DCA algorithm can only really play its role when the biological effect it simulates is reproduced, so the larger the scale of the honeynet system, the better.
(II) Step 2:
table 1 shows a mapping table of the input signals in the present embodiment.
TABLE 1 input Signal mapping
Danger signal:
Attackers usually use traffic-controlling methods such as denial of service attacks to paralyze a target network in the long or short term, and as botnets grow, distributed denial of service attacks become more concealed and more destructive, so dynamic monitoring of the traffic change trend is urgently needed.
To meet the practical needs of traffic statistics, the packet size (ps) and the packet inter-arrival time (pi) are analyzed here. Equation (1) defines the signal $\alpha_{ps}$, intended to calculate the real-time deviation of the sampled traffic in terms of packet size, where $ps$ is the average size of the instantaneously sampled traffic packets and the baseline term is the average packet size under normal conditions. Equation (2) defines the signal $\alpha_{pi}$ for calculating the real-time deviation of the sampled traffic in terms of packet inter-arrival time, where $pi$ and the baseline term respectively represent the instantaneous traffic inter-arrival time and the average inter-arrival time of normal samples.
The Safe signal:
Since people are the subjects of network business, network behaviour can fully reflect the executor's intention. When the honeynet application deployment is relatively comprehensive (including Web service, domain name service, e-mail service, FTP service and so on), the behaviour of the main application-layer protocols carried by the packets, such as HTTP/HTTPS, DNS, POP3 and FTP, should be analyzed.
Equations (3) to (6) respectively define the signals $\beta_{hp}$, $\beta_{dns}$, $\beta_{pop}$ and $\beta_{ftp}$, the deviations of the real-time traffic share of the HTTP/HTTPS, DNS, POP3 and FTP protocols from their normal traffic shares. These signals fully reflect the access dynamics and real-time intention of users; if the change amplitude is too large, a potential attack threat may exist.
PAMPs signals:
Malicious attackers typically use network scanning tools to reconnoitre the target network and obtain the necessary intelligence. Starting from this potential threat, the honeypot cluster and the honeynet gateway need to count how far important information such as the number of live hosts, the number of open ports, and the OS type and version has been exposed.
$\lambda = \sum_{ts} (N_{hs} + N_{ps} + N_{os})$ (7)
As shown in equation (7), the signal $\lambda$ is defined as the overall degree to which the honeynet is exposed to the scanning threat, summed over $ts$, where $N_{hs}$ (HostScanned) represents the number of scans suffered by hosts, $N_{ps}$ (PortScanned) the number of scans suffered by ports, and $N_{os}$ (OSScanned) the number of scans suffered by the operating system.
The core attraction of the honeynet for most professional, organized attackers is its data material. Therefore, from the perspective of attacks on data resources, events such as access/read (Read), tampering (Tampered) and deletion (Deleted) of the data files, log files and gateway configuration files in the honeypots should be mined.
$\rho = \sum_{ts} (F_{rd} + F_{td} + F_{dd})$ (8)
In equation (8), the signal $\rho$ is defined as the overall degree of threat to the honeynet data, where $F_{rd}$ (Read) represents the number of times files were accessed and read, $F_{td}$ (Tampered) the number of times files were tampered with, and $F_{dd}$ (Deleted) the number of times files were maliciously deleted.
Inflam signal:
The scope of current cyberspace attacks covers the whole life cycle of an information system; whether in the underlying hardware, the operating system or the application software, an attacker may infiltrate at any link, such as design, production, transportation, sale, use, operation, maintenance and updating. Therefore, once unavoidable software and hardware faults are excluded, the reliability of normal operation of the honeynet system reflects its security level to a certain extent.
$mtbf = \sum (t_1 + t_2 + \dots + t_n) / r_n$ (9)
In equation (9), mtbf is defined as the mean time between failures of the network, where $t_1$ to $t_n$ represent the accumulated working times of all information systems in the network, such as hosts and servers, and $r_n$ represents the number of faults occurring in the network within the given monitoring period. On this basis, equation (10) defines the Inflam signal characterizing the fault-free ratio of the honeynet system relative to the production network, where $mtbf_H$ and $mtbf_P$ respectively represent the mean time between failures of the honeynet and of a production network with the same software and hardware configuration.
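The signal mapping of step 2 above, worked through in code as an added example that is not the patent's own implementation. Because the page describes equations (1) to (6) and (10) only in words, the form of each deviation, |x - baseline| / baseline, and the form of the Inflam signal, 1 - min(1, mtbf_H / mtbf_P), are assumptions of this example; the packet sample, scan counts, file events and uptime figures are constructed:

```python
"""Mapping honeynet traffic and behaviour statistics to the DCA input signals
of step 2.  Added illustrative example, not code from the patent.
Assumptions (the page describes the signals but does not reproduce equations
(1)-(6) or (10)): each "deviation" is the relative change |x - baseline| /
baseline; the Inflam signal is 1 - min(1, mtbf_H / mtbf_P), so it grows as
the honeynet fails more often than its production twin (equation (9) gives
mtbf).  All input data below is constructed, not captured."""
import math
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Packet:
    """One sampled packet: arrival time (s), size (bytes), application protocol."""
    ts: float
    size: int
    proto: str  # "http", "dns", "pop", "ftp" or "other"


def rel_dev(value: float, baseline: float) -> float:
    """Relative deviation from the normal-condition baseline (assumed form)."""
    if baseline == 0:
        return 0.0 if value == 0 else 1.0
    return abs(value - baseline) / baseline


def danger_signals(pkts, ps_norm, pi_norm):
    """alpha_ps and alpha_pi (eq. 1, 2): deviation of the sample's mean packet
    size and mean inter-arrival time from their normal values."""
    ps = mean(p.size for p in pkts)
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
    pi = mean(gaps) if gaps else pi_norm
    return [rel_dev(ps, ps_norm), rel_dev(pi, pi_norm)]


def safe_signals(pkts, share_norm):
    """beta_hp, beta_dns, beta_pop, beta_ftp (eq. 3-6): deviation of each
    protocol's share of the sample from its normal share."""
    n = len(pkts)
    return [rel_dev(sum(p.proto == proto for p in pkts) / n, share_norm[proto])
            for proto in ("http", "dns", "pop", "ftp")]


def pamp_signals(scans, file_events):
    """lambda = N_hs + N_ps + N_os (eq. 7) and rho = F_rd + F_td + F_dd (eq. 8),
    with each count already accumulated over the sampling period."""
    lam = scans["host"] + scans["port"] + scans["os"]
    rho = file_events["read"] + file_events["tampered"] + file_events["deleted"]
    return [lam, rho]


def mtbf(uptimes, failures):
    """Equation (9): accumulated working time divided by the number of faults."""
    return math.inf if failures == 0 else sum(uptimes) / failures


def inflam_signal(mtbf_h, mtbf_p):
    """Fault-free ratio of the honeynet relative to production (assumed form)."""
    if math.isinf(mtbf_h):      # honeynet never failed: no inflammation
        return 0.0
    if math.isinf(mtbf_p):      # production never failed but the honeynet did
        return 1.0
    if mtbf_p <= 0:             # degenerate baseline: nothing to compare against
        return 0.0
    return 1.0 - min(1.0, mtbf_h / mtbf_p)


def map_input_signals(pkts, baseline, scans, file_events, honey_fail, prod_fail):
    """Assemble the signal vector consumed by the DCA basic analysis of step 4."""
    return {
        "danger": danger_signals(pkts, baseline["ps"], baseline["pi"]),
        "safe": safe_signals(pkts, baseline["share"]),
        "pamp": pamp_signals(scans, file_events),
        "inflam": inflam_signal(mtbf(*honey_fail), mtbf(*prod_fail)),
    }


def demo():
    """Constructed sample: a burst of small DNS packets arriving faster than
    normal, a port sweep and a tampered file, on a honeynet that failed three
    times in 300 h against a production twin that failed twice in 1200 h."""
    pkts = [Packet(0.1 * i, size, proto) for i, (size, proto) in enumerate([
        (1200, "http"), (60, "dns"), (60, "dns"), (1200, "http"), (500, "pop"),
        (60, "dns"), (60, "dns"), (60, "dns"), (800, "ftp"), (60, "dns")])]
    baseline = {"ps": 580.0, "pi": 0.25,
                "share": {"http": 0.5, "dns": 0.2, "pop": 0.15, "ftp": 0.15}}
    scans = {"host": 3, "port": 40, "os": 2}
    files = {"read": 5, "tampered": 2, "deleted": 1}
    return map_input_signals(pkts, baseline, scans, files,
                             ([100, 150, 50], 3), ([500, 700], 2))


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:7s} {value}")
```

Running the module prints the signal values for the constructed sample. Note that the PAMPs counts λ and ρ come out as raw counts while the deviations are ratios, so a deployment would normalize them against the sampling period before feeding them into the weighted sum of step 4.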
(III) Step 3:
In the honeynet security situation perception method based on immune hazard theory, all DCs are responsible for capturing antigens, and the DCs have a consistent composition. The antigens mainly comprise network traffic, host/server processes and their process identifiers (PIDs), logs (firewall logs, IDS/IPS logs, antivirus logs and so on) and attacker keystroke information. According to danger theory, capturing as much antigen information as possible is one of the key elements in improving the robustness of the system model.
(IV) Step 4:
Equation (11) gives the calculation of the output signals, where $D_j$, $S_j$ and $P_k$ respectively denote all Danger, Safe and PAMPs input signals, DW (Danger weight), SW (Safe weight) and PW (PAMPs weight) respectively denote the weight values for the three types of input signal, and Inf denotes the value of the Inflam signal.
Equation (11) is based on a weighted sum, which improves the efficiency of the basic analysis while simplifying the complex gene regulation and signal transduction of the immune system. The classical application studies of dendritic cells and the DCA algorithm used the input-signal weight matrix shown in Table 2, which is used here to calculate the output signals of the basic analysis.
TABLE 2 weight matrix
The CSM, Semi-Mature and Mature output signals are each calculated from the weight matrix in Table 2 and equation (11). With the input signals known, the corresponding weighted sums and the value of Inf are obtained; the CSM value is calculated first, and the MA signal follows accordingly.
(V) Step 5:
Each honeynet system must complete the capture and collection of signals and antigens and implement the basic analysis according to the DCA algorithm. Among the three output signals, CSM is responsible for controlling the work period of the honeynet: if the CSM value exceeds the set migration threshold, the honeynet must present its analysis results, such as the antigen information and output signals, to Env B, where the central management node performs security early-warning analysis for the whole network.
Starting from the model, the global threat degree $\upsilon_G$ of the network system is defined as shown in equation (12), where the two terms are respectively the sums of the Mature and Semi-Mature output signal values of all honeynet systems in the model; the global threat degree shows the threat level of the whole network system at that moment.
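The basic analysis of step 4 together with the migration decision and global threat degree of step 5, as an added worked example that is not the patent's code. Table 2, equation (11) and equation (12) are not reproduced on this page, so the weight matrix, the (1 + Inf) scaling of each weighted sum, the clamping of a negative Mature value to zero and the definition of υ_G as ΣMA / (ΣMA + ΣSM) over the migrated honeynets are all assumptions of this example; the two honeynet nodes and their antigen strings are constructed:

```python
"""DCA basic analysis (step 4), CSM migration check and global threat degree
(step 5).  Added illustrative example, not the patent's code.  The page does
not reproduce Table 2, equation (11) or equation (12); the following are
therefore assumptions: WEIGHTS is an illustrative matrix in the spirit of the
classical DCA (PAMPs and Safe drive CSM, Safe drives Semi-Mature, PAMPs and
Danger drive Mature while Safe suppresses it); every weighted sum is scaled
by (1 + Inf); a negative Mature value is clamped to 0; upsilon_G is
sum(MA) / (sum(MA) + sum(SM)) over the honeynets that migrated their results.
Input signals are assumed pre-normalized to [0, 1]; all data is constructed."""
from dataclasses import dataclass, field

# Columns: (PW, DW, SW) = weights for PAMPs, Danger and Safe inputs (assumed values).
WEIGHTS = {
    "CSM": (2.0, 1.0, 2.0),
    "SM": (0.0, 0.0, 1.0),
    "MA": (2.0, 1.0, -1.5),
}


@dataclass
class DCNode:
    """One Dendritic Cell node: a honeynet host, server or gateway (FIG. 1)."""
    name: str
    pamp: list          # P_k: scanning and data-resource signals
    danger: list        # D_j: packet size / inter-arrival deviations
    safe: list          # S_j: protocol share deviations
    inflam: float       # Inf
    antigens: list = field(default_factory=list)  # processes, PIDs, log lines, keystrokes


def basic_analysis(node):
    """Equation (11) as assumed here:
    out = (PW * sum(P) + DW * sum(D) + SW * sum(S)) * (1 + Inf)."""
    p, d, s = sum(node.pamp), sum(node.danger), sum(node.safe)
    out = {}
    for signal, (pw, dw, sw) in WEIGHTS.items():
        value = (pw * p + dw * d + sw * s) * (1.0 + node.inflam)
        out[signal] = max(0.0, value) if signal == "MA" else value
    return out


def run_cycle(nodes, migration_threshold):
    """Step 5 control: a node whose CSM exceeds the threshold hands its output
    signals and antigens to the central management node; the others keep
    sampling (the return to step 2)."""
    migrated = []
    for node in nodes:
        out = basic_analysis(node)
        if out["CSM"] > migration_threshold:
            migrated.append({"node": node.name, "output": out,
                             "antigens": list(node.antigens)})
    return migrated


def global_threat(migrated):
    """upsilon_G (assumed form): share of mature context among migrated results."""
    ma = sum(r["output"]["MA"] for r in migrated)
    sm = sum(r["output"]["SM"] for r in migrated)
    return ma / (ma + sm) if ma + sm > 0 else 0.0


def demo_nodes():
    """Constructed: honeynet A is being scanned and tampered with, honeynet B is quiet."""
    return [
        DCNode("honeynet-A", pamp=[0.8, 0.6], danger=[0.5, 0.4],
               safe=[0.1, 0.1, 0.0, 0.0], inflam=0.2,
               antigens=["process sshd PID 4021",
                         "fw: drop 198.51.100.7 -> tcp/445",
                         "keystrokes: 'uname -a'"]),
        DCNode("honeynet-B", pamp=[0.0, 0.0], danger=[0.05, 0.02],
               safe=[0.1, 0.05, 0.05, 0.02], inflam=0.0),
    ]


if __name__ == "__main__":
    reports = run_cycle(demo_nodes(), migration_threshold=1.0)
    for r in reports:
        print(r["node"], {k: round(v, 3) for k, v in r["output"].items()}, r["antigens"])
    print("global threat", round(global_threat(reports), 3))
```

The quiet node B never crosses the migration threshold, so it keeps sampling, while node A migrates its output signals and antigens to the central management node; a high υ_G then means the migrated honeynets are predominantly in the mature (attacked) context. A real deployment would tune the weights and the threshold against the honeynet's own baseline rather than reuse these illustrative values.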
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and all simple modifications, equivalent variations and modifications made to the above embodiment according to the technical spirit of the present invention still fall within the scope of the technical solution of the present invention.
Claims (5)
1. A honeynet security situation perception method combining immune hazard theory, characterized by comprising the following steps:
1) setting up a honeynet cluster according to a corresponding topological structure, configuring false data and services in the nodes, and reserving a certain number of unprotected vulnerabilities in the node operating systems and their application software to induce attackers to come forward;
2) acquiring and storing the network traffic in the honeynet over a preset time period, counting the network traffic and the specific behaviour characteristics in the honeynet, mapping them into different types of signals, and using these signals as the input signals of the danger theory; this comprises the following steps:
(1) from the traffic data, the percentage deviations of HTTP/HTTPS protocol traffic, DNS protocol traffic, POP3 and IMAP e-mail protocol traffic, and FTP protocol traffic are mapped in turn to the Safe type signals S5, S6, S7 and S8, and the change rate of packet size and the change rate of packet inter-arrival time in the network traffic are mapped to the Danger type signals S1 and S2;
(2) the specific behaviour characteristics of the honeynet are the frequency of tampering and unauthorized deletion of data resources within a set time period in the honeynet and the fault-free ratio of the honeynet system relative to the real production network, which are mapped in sequence to the PAMPs type signal S3 and the Inflam type signal S9;
3) in the honeynet system, over a set time period, collecting statistics on host/server processes and their process identifiers (PIDs), logs and attacker keystroke information, and mapping these statistics into antigen information;
4) performing basic analysis on the input signals with the DCA algorithm of immune danger theory, combined with the antigen information, to obtain the output signals Mature (MA), Semi-Mature (SM) and CSM;
5) after the output signals are obtained, the central management node of the honeynet calculates the global threat value V of the honeynet using Mature and Semi-Mature, thereby representing the security situation of the honeynet, or returns to step 2); wherein, starting from the model, the global threat degree $\upsilon_G$ of the network system is defined as,
2. The honeynet security situation perception method according to claim 1, characterized in that: the antigen information differs from danger signals and is responsible for providing information about the threat itself and its related sources, and in the security situation analysis potential attackers can be found and traced by mining clues and connections from the antigens.
4. The honeynet security situation perception method according to claim 1, characterized in that: the specific operation of step 5), calculating the global threat value V of the honeynet or returning to step 2), is chosen by comparing the CSM value, which is responsible for controlling the work period of the honeynet, with a set migration threshold, the two operations corresponding respectively to the CSM value exceeding the migration threshold and the CSM value not exceeding the migration threshold.
5. The honeynet security situation perception method according to claim 1, characterized in that: the logs are firewall logs, IDS/IPS logs and antivirus logs.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710599561.1A CN107454068B (en) | 2017-07-21 | 2017-07-21 | Honey net safety situation perception method combining immune hazard theory |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710599561.1A CN107454068B (en) | 2017-07-21 | 2017-07-21 | Honey net safety situation perception method combining immune hazard theory |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107454068A CN107454068A (en) | 2017-12-08 |
CN107454068B true CN107454068B (en) | 2020-05-15 |
Family
ID=60487952
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710599561.1A Active CN107454068B (en) | 2017-07-21 | 2017-07-21 | Honey net safety situation perception method combining immune hazard theory |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107454068B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108804941A (en) * | 2018-05-23 | 2018-11-13 | 郑州信大天瑞信息技术有限公司 | A kind of application security postures cognitive method |
CN109164786B (en) * | 2018-08-24 | 2020-05-29 | 杭州安恒信息技术股份有限公司 | Abnormal behavior detection method, device and equipment based on time-dependent baseline |
CN111147518B (en) * | 2019-12-30 | 2021-08-13 | 论客科技(广州)有限公司 | E-mail system security evaluation method and device based on attack-defense confrontation |
CN113381981B (en) * | 2021-05-13 | 2023-02-21 | 中国科学院信息工程研究所 | Social attack stress transformation protection method and system, electronic device and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103749001B (en) * | 2010-06-09 | 2012-02-08 | 北京理工大学 | Self-protection general unit of an internal network security monitoring system |
CN103581186A (en) * | 2013-11-05 | 2014-02-12 | 中国科学院计算技术研究所 | Network security situation awareness method and system |
CN105491013A (en) * | 2015-11-20 | 2016-04-13 | 电子科技大学 | Multi-domain network security situation perception model and method based on SDN |
CN105681250A (en) * | 2014-11-17 | 2016-06-15 | 中国信息安全测评中心 | Botnet distributed real-time detection method and system |
2017
- 2017-07-21 CN CN201710599561.1A patent/CN107454068B/en active Active
Non-Patent Citations (3)
Title |
---|
A new exploration of bionic computing applied to cyberspace security; Chen Jianfeng (陈剑锋); Communications Technology (通信技术); 2016-05-31; full text * |
Design of an immune virus detection model based on honeypots; Qin Xiaoqian (秦晓倩); Computer Engineering and Design (计算机工程与设计); 2008-10-31; full text * |
Design of a linkage model between honeypots and an immune intrusion detection system; Li Xuebao (李学宝); Modern Computer (现代计算机); 2011-02-28; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN107454068A (en) | 2017-12-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11693964B2 (en) | Cyber security using one or more models trained on a normal behavior | |
US20210273961A1 (en) | Apparatus and method for a cyber-threat defense system | |
US10467411B1 (en) | System and method for generating a malware identifier | |
CN106534195B (en) | Network attacker behavior analysis method based on attack graph | |
EP3528463A1 (en) | An artificial intelligence cyber security analyst | |
CN107454068B (en) | Honey net safety situation perception method combining immune hazard theory | |
CN103563302B (en) | Networked asset information management | |
CN102821002B (en) | Network flow abnormal detecting method and system | |
US20160352759A1 (en) | Utilizing Big Data Analytics to Optimize Information Security Monitoring And Controls | |
CN103957203B (en) | Network security protection system | |
Mukhopadhyay et al. | A comparative study of related technologies of intrusion detection & prevention systems | |
CN103227798A (en) | Immunological network system | |
US9961047B2 (en) | Network security management | |
Beigh et al. | Intrusion Detection and Prevention System: Classification and Quick | |
CN114417329A (en) | Threat information production and analysis method based on federal learning | |
CN115150124A (en) | Fraud defense system | |
CN115134166A (en) | Attack tracing method based on honey holes | |
Anastasiadis et al. | A novel high-interaction honeypot network for internet of vehicles | |
CN116760636A (en) | Active defense system and method for unknown threat | |
Carrasco et al. | A Proposal for a New Way of Classifying Network Security Metrics: Study of the Information Collected through a Honeypot | |
Gavrilovic et al. | Snort IDS system visualization interface for alert analysis | |
Jain et al. | The role of decision tree technique for automating intrusion detection system | |
Wang et al. | SWIM: An Effective Method to Perceive Cyberspace Situation from Honeynet | |
US20240333740A1 (en) | Systems and methods for detecting complex attacks in a computer network | |
Emran et al. | A system architecture for computer intrusion detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||