CN108322456A - Method, medium and device for establishing phantom devices to defend against network attacks - Google Patents
- Publication number: CN108322456A (CN201810059506.8A)
- Authority: CN (China)
- Prior art keywords: equipment, phantom, real, mac, template
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Classifications
- H04L63/1483: Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
- H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
- H04L61/5007: Internet protocol [IP] addresses
- H04L61/5046: Resolving address allocation conflicts; Testing of addresses
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L2101/622: Layer-2 addresses, e.g. medium access control [MAC] addresses
- H04L61/5038: Address allocation for local use, e.g. in LAN or USB networks, or in a controller area network [CAN]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Small-Scale Networks (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention provides a method, medium and device for establishing phantom devices to defend against network attacks. The method includes: obtaining the features of real devices in a LAN; classifying the real devices according to the features, with each class of real devices serving as one device template; setting the configuration file of a phantom device according to the device template; and loading the configuration file to generate the phantom device. Phantom devices generated by this method closely resemble the corresponding real devices and can attach to the network in disguise, achieving high-fidelity camouflage, so that network attacks are sensed promptly and effectively and are either trapped or trigger an alert with evidence collection. Phantom devices built this way are also simple to deploy and use, consume few computing and human resources, and place low demands on the security expertise of deployment and maintenance personnel.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a method, medium and device for establishing phantom devices to defend against network attacks.
Background
Existing active defense technologies such as honeynets and honeypots can effectively sense and capture automated attacks such as botnets and scripts. However, the camouflage in the prior art is not convincing: attackers see through it easily, the traps are easily bypassed, and the defensive capability is poor. In addition, deploying and maintaining traditional active defense technologies such as honeynets and honeypots demands a high level of security expertise from personnel.
Summary of the invention
In view of the defects in the prior art, the present invention provides a method, medium and device for establishing phantom devices to defend against network attacks. The phantom devices it establishes can attach to the network in disguise, giving a stronger defensive capability.
In a first aspect, the present invention provides a method for establishing phantom devices to defend against network attacks, including:
obtaining the features of real devices in a LAN;
classifying the real devices according to the features, and using each class of real devices as one device template;
setting the configuration file of a phantom device according to the device template;
loading the configuration file to generate the phantom device.
Optionally, setting the configuration file of the phantom device according to the device template includes:
allocating an IP and a MAC to each phantom device according to the device template;
setting the configuration file of the corresponding phantom device according to the IP, the MAC and the features corresponding to the device template.
Optionally, allocating an IP and a MAC to each phantom device according to the device template includes:
counting the number of real devices corresponding to each device template;
calculating, from the number of real devices and a preset multiplier, the number of phantom devices corresponding to each device template;
calculating candidate IPs according to the IPs of the real devices;
choosing, according to the number of phantom devices, the corresponding number of IPs for the device template from the candidate IPs;
generating the MAC of each corresponding phantom device according to the vendor feature of the device template.
Optionally, setting the configuration file of the corresponding phantom device according to the IP, the MAC and the features corresponding to the device template includes:
setting the corresponding features of the phantom device according to the features of the device template;
setting the corresponding IP for the phantom device according to the IP;
setting the corresponding MAC for the phantom device according to the MAC;
generating the configuration file of the phantom device from the features, IP and MAC that have been set.
Optionally, the method further includes:
monitoring newly online real devices in real time;
detecting whether the IP and MAC of the real device conflict with the IP and MAC of a phantom device; if there is no conflict, continuing to monitor newly online real devices;
if there is a conflict, determining whether the IP of the real device conflicts with the IP of the phantom device;
if it does, deactivating the phantom device corresponding to that IP and deleting the record of that phantom device; modifying the configuration file corresponding to the phantom device, loading the modified configuration file, and updating the phantom device;
if it does not, determining whether the MAC of the real device conflicts with the MAC of the phantom device;
if it does, choosing a new MAC for the phantom device, and updating the MAC of the phantom device according to the newly chosen MAC;
if it does not, continuing to monitor newly online real devices.
Optionally, the method further includes:
determining whether the phantom device has reached its refresh cycle;
if so, re-executing the step of obtaining the features of real devices in the LAN;
if not, continuing to use the phantom device.
In a second aspect, the present invention provides a method for defending against network attacks, including:
monitoring the communication of phantom devices in a LAN in real time, where the phantom devices are established by the method for establishing phantom devices to defend against network attacks;
determining whether any other device is communicating with a phantom device;
if not, continuing to monitor the communication of the phantom devices;
if so, marking the other device as a suspect device;
blocking communication between the suspect device and the phantom devices and real devices in the LAN, and sending the information of the suspect device to the network administrator.
In a third aspect, the present invention provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the above method for establishing phantom devices to defend against network attacks.
In a fourth aspect, the present invention provides a computer device, including a memory, a processor, and a computer program stored in the memory and runnable on the processor; the processor implements the above method for establishing phantom devices to defend against network attacks when it executes the program.
The present invention provides a method for establishing phantom devices to defend against network attacks, including: obtaining the features of real devices in a LAN; classifying the real devices according to the features, and using each class of real devices as one device template; setting the configuration file of a phantom device according to the device template; and loading the configuration file to generate the phantom device. Because each device template has the same features as the real devices, and the configuration file of the phantom device is set from the device template and the phantom device is generated from that configuration file, the generated phantom device closely resembles the corresponding real device. It can attach to the network in disguise, achieving high-fidelity camouflage, so that network attacks are sensed promptly and effectively and are either trapped or trigger an alert with evidence collection. Phantom devices built this way are also simple to deploy and use, consume few computing and human resources, and place low demands on the security expertise of deployment and maintenance personnel.
The method for defending against network attacks provided by the present invention is based on the same inventive concept as the above method for establishing phantom devices and has the same beneficial effects.
The computer-readable storage medium and the computer device provided by the present invention are based on the same inventive concept as the above method for establishing phantom devices and have the same beneficial effects.
Brief description of the drawings
To illustrate the specific embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the specific embodiments or the prior art are briefly introduced below. In all the drawings, similar elements or parts are generally identified by similar reference numerals. In the drawings, elements or parts are not necessarily drawn to scale.
Fig. 1 is a flow chart of a method for establishing phantom devices to defend against network attacks provided by the present invention;
Fig. 2 is a flow chart of a method for defending against network attacks provided by the present invention;
Fig. 3 is a structural schematic diagram of a device for establishing phantom devices to defend against network attacks provided by the present invention.
Detailed description
Embodiments of the technical solution of the present invention are described in detail below with reference to the drawings. The following embodiments are only used to illustrate the technical solution of the present invention more clearly; they are examples only and cannot be used to limit the scope of protection of the present invention.
It should be noted that, unless otherwise indicated, technical or scientific terms used in this application have the ordinary meaning understood by those of ordinary skill in the art to which the present invention belongs.
The present invention provides a method, medium and device for establishing phantom devices to defend against network attacks, and a method for defending against network attacks. Embodiments of the present invention are described below with reference to the drawings.
First embodiment:
Referring to Fig. 1, Fig. 1 is a flow chart of a method for establishing phantom devices to defend against network attacks provided by a specific embodiment of the present invention. The method provided in this embodiment includes:
Step S101: obtain the features of real devices in the LAN.
Step S102: classify the real devices according to the features, and use each class of real devices as one device template.
Step S103: set the configuration file of a phantom device according to the device template.
Step S104: load the configuration file to generate the phantom device.
The features may include: device type, operating system, operating system fingerprint, open ports, vendor feature, and so on.
Each real device in the LAN is classified according to its features, and one class corresponds to one device template. For example, each operating system corresponds to one class.
In the present invention, a phantom device is a decoy (phantom) system that keeps network attacks away from real devices.
Because each device template has the same features as the real devices, and the configuration file of the phantom device is set from the device template and the phantom device is generated from that configuration file, the generated phantom device closely resembles the corresponding real device. It can attach to the network in disguise, achieving high-fidelity camouflage, so that network attacks are sensed promptly and effectively and are either trapped or trigger an alert with evidence collection. Phantom devices built this way are also simple to deploy and use, and consume few computing and human resources.
In a specific embodiment provided by the present invention, setting the configuration file of the phantom device according to the device template includes: allocating an IP and a MAC to each phantom device according to the device template; and setting the configuration file of the corresponding phantom device according to the IP, the MAC and the features corresponding to the device template.
Here, MAC refers to the MAC address, also called the physical address or hardware address.
After the real devices have been classified, the features of each device template need to be saved for later use.
When the configuration file is set, the important parameters are the IP and the MAC. The configuration file does not only set the IP and MAC; other parameters also need to be set, for example the operating system fingerprint, operating system and open ports, so the configuration file is set according to multiple features. Setting the configuration file according to multiple features yields a phantom device that is highly similar to the real device and improves the similarity of the phantom device.
In the present invention, allocating an IP and a MAC to each phantom device according to the device template includes: counting the number of real devices corresponding to each device template; calculating, from the number of real devices and a preset multiplier, the number of phantom devices corresponding to each device template; calculating candidate IPs according to the IPs of the real devices; choosing, according to the number of phantom devices, the corresponding number of IPs for the device template from the candidate IPs; and generating the MAC of each corresponding phantom device according to the vendor feature of the device template.
When allocating an IP and a MAC to each phantom device, the number of real devices corresponding to each device template in the LAN is counted first, and the number of phantom devices to establish for each device template is calculated from it according to the preset multiplier. Then, based on the IPs of the real devices, and combining the idle IPs stored in the storage device with the newly calculated IPs, the candidate IPs for the phantom devices are selected so that the candidate IPs differ from the IPs of the real devices. When IPs are chosen, the corresponding number of IPs must be chosen for each device template, and each phantom device must correspond to one IP. Finally, a MAC is generated according to the vendor feature of the device template, where the vendor feature of the device template is the vendor feature of the corresponding real devices. The MAC generated for a phantom device differs from the MACs of the real devices, and the MACs of the phantom devices all differ from one another.
Allocating IPs and MACs to phantom devices in this way lets back-office staff distinguish real devices from phantom devices clearly, while also improving the similarity between phantom devices and real devices. In addition, the number of phantom devices can be adjusted to the actual needs of intranets of different sizes, so the approach scales well.
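The allocation procedure above, sketched in Python as an added example (this is not code from the patent). It assumes the "vendor feature" is the 3-byte OUI prefix of a real device's MAC and that the preset multiplier is rounded up; the inventory, subnet and function names are constructed for illustration.

```python
import ipaddress
import math
import random
from collections import Counter

# Constructed inventory of real devices (addresses and MACs are made up).
REAL_DEVICES = [
    {"ip": "192.168.10.2", "mac": "00:11:22:0a:0b:01", "template": "linux_server"},
    {"ip": "192.168.10.3", "mac": "00:11:22:0a:0b:02", "template": "linux_server"},
    {"ip": "192.168.10.9", "mac": "00:aa:bb:10:20:30", "template": "ip_camera"},
]


def allocate_phantoms(real_devices, subnet, multiplier, reserved_ips=(), seed=None):
    """Return one {"template", "ip", "mac"} entry per phantom device to create."""
    rng = random.Random(seed)
    network = ipaddress.ip_network(subnet)

    # Candidate IPs: every host address not held by a real device or reserved
    # (gateway, DHCP pool, ...), so a phantom never collides with a real host.
    taken = {ipaddress.ip_address(d["ip"]) for d in real_devices}
    taken.update(ipaddress.ip_address(ip) for ip in reserved_ips)
    candidates = [host for host in network.hosts() if host not in taken]
    rng.shuffle(candidates)

    # Real-device count per template, and the vendor prefix (assumed: OUI)
    # taken from the first real device seen for that template.
    real_counts = Counter(d["template"] for d in real_devices)
    oui_by_template = {}
    for d in real_devices:
        oui_by_template.setdefault(d["template"], d["mac"].lower()[:8])
    used_macs = {d["mac"].lower() for d in real_devices}

    # Phantom count per template = real count x preset multiplier.
    wanted = {t: math.ceil(n * multiplier) for t, n in real_counts.items()}
    if sum(wanted.values()) > len(candidates):
        raise ValueError("subnet has too few free addresses for this multiplier")

    plan = []
    for template in sorted(wanted):
        for _ in range(wanted[template]):
            ip = candidates.pop()
            # Same vendor prefix as the real devices, random device part,
            # unique across real devices and all phantoms allocated so far.
            while True:
                suffix = ":".join(f"{rng.randrange(256):02x}" for _ in range(3))
                mac = f"{oui_by_template[template]}:{suffix}"
                if mac not in used_macs:
                    break
            used_macs.add(mac)
            plan.append({"template": template, "ip": str(ip), "mac": mac})
    return plan


if __name__ == "__main__":
    for entry in allocate_phantoms(REAL_DEVICES, "192.168.10.0/27", 2,
                                   reserved_ips=["192.168.10.1"], seed=7):
        print(entry)
```
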
In a specific embodiment provided by the present invention, setting the configuration file of the corresponding phantom device according to the IP, the MAC and the features corresponding to the device template includes: setting the corresponding features of the phantom device according to the features of the device template; setting the corresponding IP for the phantom device according to the IP; setting the corresponding MAC for the phantom device according to the MAC; and generating the configuration file of the phantom device from the features, IP and MAC that have been set.
After an IP and a MAC have been allocated to each phantom device, the configuration file must be set according to the features of the device template corresponding to each phantom device, together with the IP and the MAC.
First, a template of the phantom device's configuration file is created, and the relevant parameters of the configuration file are set according to the previously saved features of the corresponding device template, for example the operating system, the response action to TCP/UDP/ICMP packets (reset/closed/open, etc.), the operating system fingerprint and the open ports.
When open ports are set, ports that the phantom device supports, such as 22 and 80, are configured in proxy mode, with the proxy service pointing to the IP and port of the phantom device. Setting the open ports of the phantom device to proxy mode improves the fidelity of the phantom device.
Corresponding scripts also need to be configured for ports such as 21, so that the phantom device can open the service on the corresponding port.
Then, the IP in the phantom device's configuration file is set according to the allocated IP, and the MAC in the phantom device's configuration file is set according to the allocated MAC.
Finally, the configuration file is generated from the parameters that have been set.
Generating the configuration file from multiple features, the IP and the MAC improves the similarity between the real device and the phantom device generated from that configuration file.
In the present invention, when the configuration file is loaded to generate the phantom device, Honeyd can be used to load the configuration file and generate the phantom device. Honeyd is open-source software for generating virtual honeypots.
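One way to render such a configuration file for Honeyd, as an added example that is not code from the patent. The template contents (personality string, proxy target 192.168.10.250, script path) and the function names are assumptions made for illustration; every value is validated before it is written, so a malformed feature collected from the network cannot inject extra directives into the file.

```python
import ipaddress
import re

NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
ACTIONS = {"open", "reset", "block"}

# Constructed device template. The personality must match an entry in the
# fingerprint database Honeyd is started with; this value is illustrative.
TEMPLATES = {
    "linux_server": {
        "personality": "Linux 2.4.20",
        "defaults": {"tcp": "reset", "udp": "reset", "icmp": "open"},
        "ports": [
            ("tcp", 22, "proxy", "192.168.10.250:22"),   # assumed backend service
            ("tcp", 80, "proxy", "192.168.10.250:80"),
            ("tcp", 21, "script", "sh scripts/ftp.sh"),  # assumed script path
        ],
    },
}


def quoted(value):
    """Quote a string for the config file, rejecting characters that could break out."""
    if any(ch in value for ch in '"\r\n'):
        raise ValueError(f"unsafe character in config value: {value!r}")
    return f'"{value}"'


def render_phantom(name, template, ip, mac):
    """Return the Honeyd directives for one phantom device as a list of lines."""
    if not NAME_RE.match(name):
        raise ValueError(f"bad template name: {name!r}")
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")

    lines = [f"create {name}",
             f"set {name} personality {quoted(template['personality'])}"]
    # Default response action per protocol (the TCP/UDP/ICMP behaviour feature).
    for proto in ("tcp", "udp", "icmp"):
        action = template["defaults"][proto]
        if action not in ACTIONS:
            raise ValueError(f"bad default action: {action!r}")
        lines.append(f"set {name} default {proto} action {action}")
    # Open ports: proxied, served by a script, or a plain action.
    for proto, port, mode, arg in template["ports"]:
        if proto not in ("tcp", "udp") or not 0 < port < 65536:
            raise ValueError(f"bad port entry: {proto} {port}")
        if mode == "proxy":
            host, _, target_port = arg.rpartition(":")
            ipaddress.ip_address(host)
            if not target_port.isdigit() or not 0 < int(target_port) < 65536:
                raise ValueError(f"bad proxy target: {arg!r}")
            action = f"proxy {arg}"
        elif mode == "script":
            action = quoted(arg)
        elif mode in ACTIONS:
            action = mode
        else:
            raise ValueError(f"bad port mode: {mode!r}")
        lines.append(f"add {name} {proto} port {port} {action}")
    lines.append(f"set {name} ethernet {quoted(mac)}")
    lines.append(f"bind {ip} {name}")
    return lines


def render_config(templates, plan):
    """plan: list of {"template", "ip", "mac"}; one Honeyd template per phantom."""
    blocks = []
    for index, entry in enumerate(plan, start=1):
        blocks.append("\n".join(render_phantom(
            f"phantom{index}", templates[entry["template"]], entry["ip"], entry["mac"])))
    return "\n\n".join(blocks)


if __name__ == "__main__":
    print(render_config(TEMPLATES, [
        {"template": "linux_server", "ip": "192.168.10.20", "mac": "00:11:22:5e:01:02"},
    ]))
```
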
In a specific embodiment provided by the present invention, after the step of generating the phantom device, the method further includes: monitoring newly online real devices in real time; detecting whether the IP and MAC of the real device conflict with the IP and MAC of a phantom device; if there is no conflict, continuing to monitor newly online real devices; if there is a conflict, determining whether the IP of the real device conflicts with the IP of the phantom device; if it does, deactivating the phantom device corresponding to that IP and deleting the record of that phantom device, modifying the configuration file corresponding to the phantom device, loading the modified configuration file, and updating the phantom device; if it does not, determining whether the MAC of the real device conflicts with the MAC of the phantom device; if it does, choosing a new MAC for the phantom device and updating the MAC of the phantom device according to the newly chosen MAC; if it does not, continuing to monitor newly online real devices.
After the phantom devices have been generated, the method can also detect whether the IP and MAC of a real device in the LAN conflict with the IP and MAC of a phantom device; if they conflict, the parameter settings of the phantom device need to be adjusted.
The detection process is as follows:
Newly online real devices are monitored in real time. It is detected whether the IP and MAC of the real device conflict with the IP and MAC of a phantom device; if there is no conflict, monitoring of newly online real devices continues.
If there is a conflict, it is determined whether the IP of the real device conflicts with the IP of the phantom device. If it does, the phantom device corresponding to that IP is deactivated and its record is deleted; the configuration file corresponding to the phantom device is modified, the modified configuration file is loaded, and the phantom device is updated. When the configuration file is loaded, Honeyd is used to load the new configuration file.
If the IP does not conflict, it is determined whether the MAC of the real device conflicts with the MAC of the phantom device. If it does, a new MAC is chosen for that phantom device and the MAC of the phantom device is updated according to the newly chosen MAC; if it does not, monitoring of newly online real devices continues.
Monitoring newly online real devices in real time avoids confusing phantom devices with real devices, and so avoids monitoring errors when the phantom devices are used to prevent network attacks.
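The conflict check described above, as an added Python example that is not code from the patent. The registry layout, the function names and the addresses are constructed; the example also goes slightly beyond the described flow by checking the remaining phantoms for a MAC conflict even when an IP conflict was found, since one new device can collide with two different phantoms.

```python
import random


def sample_registry():
    """Constructed registry of active phantom devices, keyed by IP."""
    return {
        "192.168.10.20": {"mac": "00:11:22:5e:01:02", "template": "linux_server"},
        "192.168.10.21": {"mac": "00:11:22:5e:01:03", "template": "linux_server"},
        "192.168.10.30": {"mac": "00:aa:bb:7c:00:10", "template": "ip_camera"},
    }


def fresh_mac(oui, in_use, rng):
    """Pick a MAC with the same vendor prefix that nobody on the LAN holds."""
    while True:
        mac = oui + ":" + ":".join(f"{rng.randrange(256):02x}" for _ in range(3))
        if mac not in in_use:
            return mac


def reconcile(phantoms, real_ip, real_mac, rng=None):
    """Resolve conflicts between a newly online real device and the phantoms.

    Mutates `phantoms` in place and reports what the caller must do next:
    "retired" is the phantom IP that was removed (or None), "rekeyed" maps
    phantom IP -> new MAC, and "reload" says the configuration file has to
    be regenerated and loaded again.
    """
    rng = rng or random.Random()
    real_mac = real_mac.lower()
    result = {"retired": None, "rekeyed": {}, "reload": False}

    ip_conflict = real_ip in phantoms
    mac_conflict = any(p["mac"] == real_mac for p in phantoms.values())
    if not ip_conflict and not mac_conflict:
        return result  # nothing to do, keep monitoring

    if ip_conflict:
        # The real device owns this address now: deactivate the phantom
        # bound to it and delete its record.
        del phantoms[real_ip]
        result["retired"] = real_ip

    # MAC conflict: keep the phantom, give it a new MAC from the same vendor
    # prefix. (Checked after an IP conflict too; see the lead-in.)
    in_use = {p["mac"] for p in phantoms.values()} | {real_mac}
    for ip, phantom in phantoms.items():
        if phantom["mac"] == real_mac:
            phantom["mac"] = fresh_mac(phantom["mac"][:8], in_use, rng)
            in_use.add(phantom["mac"])
            result["rekeyed"][ip] = phantom["mac"]

    result["reload"] = True
    return result


if __name__ == "__main__":
    registry = sample_registry()
    print(reconcile(registry, "192.168.10.20", "00:AA:BB:7C:00:10", random.Random(1)))
    print(registry)
```
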
In a specific embodiment provided by the present invention, after the step of generating the phantom device, the method further includes: determining whether the phantom device has reached its refresh cycle; if so, re-executing the step of obtaining the features of real devices in the LAN; if not, continuing to use the phantom device.
After a phantom device has been in use for some time, it is necessary to determine whether it has reached its refresh cycle. If not, the phantom device can continue to be used; if so, the phantom device is deleted and a new phantom device is established. In this way, when the features of the real devices change, phantom devices that no longer apply can be deleted in time and corresponding phantom devices established, so that the phantom devices are kept up to date and better protect real devices from network attacks.
The refresh cycle can be determined from experience.
The method of the present invention fully absorbs the strengths of traditional honeypot and honeynet technology. It can establish phantom devices similar to real devices; these phantom devices can attach in disguise among the real devices in the network, so that network attacks are sensed promptly and effectively and are either trapped or trigger an alert with evidence collection. In addition, the present invention is simple to deploy and use, and generating these phantom devices in the intranet costs very few computing resources. The present invention can also adjust the number of phantom devices to the actual needs of intranets of different sizes, so that corresponding phantom devices can be provided for each real device.
The above is the method for establishing phantom devices to defend against network attacks provided by the present invention.
Second embodiment:
Corresponding to the first embodiment, the present invention also provides a method for defending against network attacks. Referring to Fig. 2, it is a schematic diagram of a method for defending against network attacks provided by an embodiment of the present invention.
The method for defending against network attacks provided by the second embodiment of the present invention includes:
Step S101: monitor the communication of phantom devices in the LAN in real time, where the phantom devices are established by the method described in the first embodiment;
Step S102: determine whether any other device is communicating with a phantom device;
Step S103: if not, continue to monitor the communication of the phantom devices;
Step S104: if so, mark the other device as a suspect device;
Step S105: block communication between the suspect device and the phantom devices and real devices in the LAN, and send the information of the suspect device to the network administrator.
After the phantom devices have been generated, they need to be attached in disguise among the real devices. A phantom device can act as the shadow of a real device, disguised as a real device, so that the real device avoids being attacked. The way phantom devices prevent network attacks is as follows: the communication of the phantom devices in the LAN is monitored in real time to determine whether any other device is communicating with a phantom device. If not, monitoring of the phantom devices' communication continues. If so, the other device is marked as a suspect device, and communication between the suspect device and the phantom devices and real devices is blocked, preventing the suspect device from attacking real devices. At the same time, the information of the suspect device can be sent to the network administrator, so that the administrator can respond in time based on that information.
When another device is found communicating with a phantom device, the information of the discovered suspect device can be sent to the network administrator by SMS, e-mail, SNMP Trap, syslog or similar means.
While communication between the suspect device and the phantom devices is blocked, monitoring can continue for other devices communicating with the phantom devices, and the suspect device continues to be monitored.
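The detection rule of the second embodiment, run over a few flow records, as an added Python example that is not code from the patent. The record format, the addresses, the alert text and the optional `decoy_hosts` allow-list (for the machine that runs the phantoms) are constructed assumptions; a real deployment would feed this from a packet capture or the honeypot's own log.

```python
# Constructed flow records, in time order.
SAMPLE_FLOWS = [
    {"time": "10:00:01", "src": "192.168.10.2",  "dst": "192.168.10.3",  "dport": 443},
    {"time": "10:00:05", "src": "192.168.10.77", "dst": "192.168.10.20", "dport": 22},
    {"time": "10:00:06", "src": "192.168.10.20", "dst": "192.168.10.77", "dport": 51000},
    {"time": "10:00:09", "src": "192.168.10.77", "dst": "192.168.10.2",  "dport": 80},
    {"time": "10:00:12", "src": "192.168.10.77", "dst": "192.168.10.21", "dport": 80},
    {"time": "10:00:15", "src": "192.168.10.3",  "dst": "192.168.10.2",  "dport": 443},
]
PHANTOM_IPS = {"192.168.10.20", "192.168.10.21"}
REAL_IPS = {"192.168.10.2", "192.168.10.3"}


def review_flows(flows, phantom_ips, real_ips, decoy_hosts=()):
    """Classify each flow and collect suspects and administrator alerts.

    No legitimate host has a reason to talk to a phantom device, so the
    first device that does is marked as a suspect. From then on, every flow
    between that suspect and any phantom or real device is blocked.
    Returns (suspects, verdicts, alerts); verdicts line up with `flows`.
    """
    phantom_ips = set(phantom_ips)
    protected = phantom_ips | set(real_ips)
    trusted = phantom_ips | set(decoy_hosts)  # never flag the phantoms themselves

    suspects = {}  # suspect IP -> the flow that exposed it (evidence)
    verdicts = []
    alerts = []
    for flow in flows:
        src, dst = flow["src"], flow["dst"]
        if (src in suspects and dst in protected) or \
           (dst in suspects and src in protected):
            # Already marked: cut it off from phantoms and real devices alike.
            verdicts.append("blocked")
        elif dst in phantom_ips and src not in trusted:
            suspects[src] = flow
            alerts.append(
                f"phantom-contact time={flow['time']} suspect={src} "
                f"phantom={dst} dport={flow['dport']}"
            )
            verdicts.append("flagged")
        else:
            verdicts.append("allowed")
    return suspects, verdicts, alerts


if __name__ == "__main__":
    found, decisions, messages = review_flows(SAMPLE_FLOWS, PHANTOM_IPS, REAL_IPS)
    for flow, decision in zip(SAMPLE_FLOWS, decisions):
        print(decision, flow["src"], "->", flow["dst"])
    for message in messages:
        print("ALERT", message)
```
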
In the present invention, the risk information of the phantom devices can also be collected in real time and sent to the user.
After the phantom devices have been generated, their risk information can be collected in real time and sent to the user, to alert the user to the risks facing the phantom devices.
When risk information is collected, Honeyd can be used to collect the risk information of the phantom devices.
Risk information can refer to information such as hacker attacks and other devices communicating with phantom devices.
Collecting the risk information of the phantom devices makes it possible to warn the user of the relevant risks in time.
Third embodiment:
The first embodiment above provides a method for establishing phantom devices to defend against network attacks. In combination with the first embodiment, the third embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the method for establishing phantom devices to defend against network attacks provided by the first embodiment.
Fourth embodiment:
In combination with the method for establishing phantom devices to defend against network attacks provided by the first embodiment, the present invention also provides a computer device, including a memory, a processor, and a computer program stored in the memory and runnable on the processor; the processor implements the method for establishing phantom devices to defend against network attacks provided by the first embodiment when it executes the program. Fig. 3 shows a hardware architecture diagram of a computer device provided by an embodiment of the present invention.
Specifically, above-mentioned processor 201 may include central processing unit (CPU) or specific integrated circuit
(Application Specific Integrated Circuit, ASIC), or may be configured to implement implementation of the present invention
One or more integrated circuits of example.
The memory 202 may include mass storage for data or instructions. By way of example and not limitation, the memory 202 may include a hard disk drive (HDD), a floppy disk drive, flash memory, an optical disc, a magneto-optical disc, magnetic tape, or a Universal Serial Bus (USB) drive, or a combination of two or more of these. Where appropriate, the memory 202 may include removable or non-removable (or fixed) media. Where appropriate, the memory 202 may be internal or external to the data processing apparatus. In a particular embodiment, the memory 202 is non-volatile solid-state memory. In a particular embodiment, the memory 202 includes read-only memory (ROM). Where appropriate, the ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically alterable ROM (EAROM), or flash memory, or a combination of two or more of these.
The processor 201 reads and executes the computer program instructions stored in the memory 202 to implement the phantom device establishment method for preventing network attacks of any of the above embodiments.
In one example, the apparatus for establishing phantom devices for preventing network attacks may also include a communication interface 203 and a bus 210. As shown in Fig. 2, the processor 201, the memory 202 and the communication interface 203 are connected by the bus 210 and communicate with one another over it.
The communication interface 203 is mainly used for communication between the modules, apparatuses, units and/or devices in the embodiments of the invention.
The bus 210 includes hardware, software, or both, and couples the components of the apparatus for establishing phantom devices for preventing network attacks to one another. By way of example and not limitation, the bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a front-side bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a low-pin-count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB), or another suitable bus, or a combination of two or more of these. Where appropriate, the bus 210 may include one or more buses. Although the embodiments of the invention describe and show particular buses, the invention contemplates any suitable bus or interconnect.
It should be clear that the invention is not limited to the specific configurations and processing described above and shown in the figures. For brevity, detailed descriptions of known methods are omitted here. In the above embodiments, several specific steps are described and shown as examples. However, the method of the invention is not limited to the specific steps described and shown; those skilled in the art, having understood the spirit of the invention, can make various changes, modifications and additions, or change the order of the steps.
The functional blocks shown in the structural block diagrams above may be implemented as hardware, software, firmware, or a combination of these. When implemented in hardware, they may be, for example, electronic circuits, application-specific integrated circuits (ASICs), appropriate firmware, plug-ins, function cards, and so on. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The programs or code segments may be stored in a machine-readable medium, or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium that can store or transmit information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical discs, hard disks, fiber-optic media, radio-frequency (RF) links, and so on. Code segments may be downloaded via a computer network such as the Internet or an intranet.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solution of the invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or make equivalent replacements of some or all of the technical features; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the invention, and shall all be covered by the scope of the claims and the description of the invention.
Claims (9)
1. A phantom device establishment method for preventing network attacks, characterized by comprising:
obtaining features of the real devices in a local area network;
classifying the real devices according to the features, and taking each class of real devices as one device template;
setting a configuration file of a phantom device according to the device template;
loading the configuration file to generate the phantom device.
2. The method according to claim 1, characterized in that setting the configuration file of the phantom device according to the device template comprises:
allocating an IP and a MAC to each phantom device according to the device template;
setting the configuration file of the corresponding phantom device according to the IP, the MAC and the features corresponding to the device template.
3. The method according to claim 2, characterized in that allocating an IP and a MAC to each phantom device according to the device template comprises:
counting the number of real devices corresponding to each device template;
calculating, from the number of real devices and a preset multiplier, the number of phantom devices corresponding to each device template;
calculating candidate IPs according to the IPs of the real devices;
selecting, according to the number of phantom devices, the corresponding number of IPs from the candidate IPs for the device template;
generating the MAC of the corresponding phantom device according to the vendor feature of the device template.
4. The method according to claim 2, characterized in that setting the configuration file of the corresponding phantom device according to the IP, the MAC and the features corresponding to the device template comprises:
setting the corresponding features of the phantom device according to the features of the device template;
setting the corresponding IP for the phantom device according to the IP;
setting the corresponding MAC for the phantom device according to the MAC;
generating the configuration file of the phantom device according to the features, IP and MAC set for the phantom device.
5. The method according to claim 1, characterized by further comprising:
monitoring in real time for real devices that newly come online;
detecting whether the IP and MAC of the real device conflict with the IP and MAC of a phantom device; if there is no conflict, continuing to monitor for real devices that newly come online;
if there is a conflict, judging whether the IP of the real device conflicts with the IP of the phantom device;
if so, deactivating the phantom device corresponding to that IP and deleting the record of the phantom device; modifying the configuration file corresponding to the phantom device, loading the modified configuration file, and updating the phantom device;
if not, judging whether the MAC of the real device conflicts with the MAC of the phantom device;
if so, selecting a new MAC for the phantom device, and updating the MAC of the phantom device according to the newly selected MAC;
if not, continuing to monitor for real devices that newly come online.
6. The method according to claim 1, characterized by further comprising:
judging whether the phantom device has reached its refresh period;
if so, re-executing the step of obtaining the features of the real devices in the local area network;
if not, continuing to use the phantom device.
7. A method for preventing network attacks, characterized by comprising:
monitoring in real time the communication information of the phantom devices in a local area network, wherein the phantom devices are established by the method of any one of claims 1-6;
judging whether any other device communicates with a phantom device;
if not, continuing to monitor the communication information of the phantom devices;
if so, marking the other device as a suspicious device;
blocking communication between the suspicious device and the phantom devices and real devices in the local area network, and sending the information of the suspicious device to the network administrator.
8. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the method of any one of claims 1-6.
9. A computer device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the method of any one of claims 1-6 when executing the program.
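The allocation steps of claim 3 and the conflict handling of claim 5, as an added Python example written for this page and not taken from the patent. Assumptions: a device template is keyed by vendor OUI plus OS, candidate IPs are the subnet's hosts not used by a real device, a phantom that loses an IP conflict is dropped from the record, and all addresses and OUIs are constructed placeholder values.

```python
import ipaddress
import random
from collections import Counter

def new_mac(oui, used_macs, rng):
    """Vendor OUI from the template plus a random, unused 3-byte suffix."""
    while True:
        mac = oui + "".join(":%02x" % rng.randrange(256) for _ in range(3))
        if mac not in used_macs:
            return mac

def allocate_phantoms(real_devices, subnet, multiplier, rng):
    """Claim 3: count real devices per template, scale, then pick IPs and MACs."""
    used_ips = {d["ip"] for d in real_devices}
    used_macs = {d["mac"] for d in real_devices}
    # Assumption: candidate IPs are the subnet's hosts not held by a real device.
    hosts = ipaddress.ip_network(subnet).hosts()
    candidates = [str(h) for h in hosts if str(h) not in used_ips]
    rng.shuffle(candidates)
    # Assumption: a template (device class) is keyed by vendor OUI and OS.
    counts = Counter((d["mac"][:8], d["os"]) for d in real_devices)
    phantoms = []
    for (oui, os_name), n_real in sorted(counts.items()):
        for _ in range(n_real * multiplier):
            if not candidates:
                return phantoms  # address space exhausted
            mac = new_mac(oui, used_macs, rng)
            used_macs.add(mac)
            phantoms.append({"ip": candidates.pop(), "mac": mac, "os": os_name})
    return phantoms

def on_real_device_online(real, phantoms, rng):
    """Claim 5: the real device keeps its addresses; the phantom gives way."""
    # IP conflict: deactivate the phantom and delete its record.
    kept = [p for p in phantoms if p["ip"] != real["ip"]]
    # MAC conflict: keep the phantom but choose a new MAC under the same OUI.
    taken = {p["mac"] for p in kept} | {real["mac"]}
    for p in kept:
        if p["mac"] == real["mac"]:
            p["mac"] = new_mac(p["mac"][:8], taken, rng)
            taken.add(p["mac"])
    return kept

# Constructed sample inventory: placeholder (locally administered) OUIs.
REAL = [
    {"ip": "192.168.10.2", "mac": "02:aa:01:00:00:01", "os": "windows"},
    {"ip": "192.168.10.3", "mac": "02:aa:01:00:00:02", "os": "windows"},
    {"ip": "192.168.10.4", "mac": "02:aa:02:00:00:01", "os": "linux"},
]

if __name__ == "__main__":
    rng = random.Random(7)
    for p in allocate_phantoms(REAL, "192.168.10.0/28", 2, rng):
        print(p)
```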
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810059506.8A CN108322456A (en) | 2018-01-22 | 2018-01-22 | A kind of phantom equipment method for building up, medium and the equipment of anti-network attack |
PCT/CN2018/096106 WO2019140876A1 (en) | 2018-01-22 | 2018-07-18 | Method for establishing phantom device capable of network attack prevention, medium, and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810059506.8A CN108322456A (en) | 2018-01-22 | 2018-01-22 | A kind of phantom equipment method for building up, medium and the equipment of anti-network attack |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108322456A (en) | 2018-07-24 |
Family
ID=62887561
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810059506.8A Pending CN108322456A (en) | 2018-01-22 | 2018-01-22 | A kind of phantom equipment method for building up, medium and the equipment of anti-network attack |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN108322456A (en) |
WO (1) | WO2019140876A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115664844A (en) * | 2022-11-17 | 2023-01-31 | 博智安全科技股份有限公司 | Protocol agent-based honeypot camouflage simulation method and device and electronic equipment |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112578761B (en) * | 2021-02-03 | 2023-05-26 | 山东云天安全技术有限公司 | Industrial control honey pot safety protection device and method |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101567887A (en) * | 2008-12-25 | 2009-10-28 | 中国人民解放军总参谋部第五十四研究所 | Vulnerability simulation overload honeypot method |
CN103139184A (en) * | 2011-12-02 | 2013-06-05 | 中国电信股份有限公司 | Intelligent network firewall device and network attack protection method |
CN105024977A (en) * | 2014-04-25 | 2015-11-04 | 湖北大学 | Network tracking system based on digital watermarking and honeypot technology |
US20170019425A1 (en) * | 2014-09-30 | 2017-01-19 | Palo Alto Networks, Inc. | Synchronizing a honey network configuration to reflect a target network environment |
CN107241338A (en) * | 2017-06-29 | 2017-10-10 | 北京北信源软件股份有限公司 | Network anti-attack devices, systems, and methods, computer-readable recording medium and storage control |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101582907B (en) * | 2009-06-24 | 2012-07-04 | 成都市华为赛门铁克科技有限公司 | Method for enhancing the trapping capability of honeynet and honeynet system |
CN103634264A (en) * | 2012-08-20 | 2014-03-12 | 江苏中科慧创信息安全技术有限公司 | Active trapping method based on behavior analysis |
CN107222515B (en) * | 2016-03-22 | 2021-05-04 | 阿里巴巴集团控股有限公司 | Honeypot deployment method and device and cloud server |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115664844A (en) * | 2022-11-17 | 2023-01-31 | 博智安全科技股份有限公司 | Protocol agent-based honeypot camouflage simulation method and device and electronic equipment |
CN115664844B (en) * | 2022-11-17 | 2024-02-23 | 博智安全科技股份有限公司 | Honeypot camouflage simulation method and device based on protocol agent and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
WO2019140876A1 (en) | 2019-07-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20180724 |