CN108322456A - Method, medium and device for building phantom devices that defend against network attacks - Google Patents

Info

Publication number: CN108322456A
Authority: CN (China)
Prior art keywords: equipment, phantom, real, mac, template
Prior art date
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201810059506.8A
Other languages: Chinese (zh)
Inventors: 肖政, 涂大志, 戴昌
Current assignee: Shenzhen United Soft Polytron Technologies Inc (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Shenzhen United Soft Polytron Technologies Inc
Priority date (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date
Publication date
Application filed by Shenzhen United Soft Polytron Technologies Inc
Priority to CN201810059506.8A
Priority to PCT/CN2018/096106 (WO2019140876A1)
Publication of CN108322456A
Current legal status: Pending

Classifications

All classifications fall under section H (Electricity), class H04 (Electric communication technique), subclass H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 63/1483: Network security, countermeasures against malicious traffic (H04L 63/14, 63/1441), service impersonation, e.g. phishing, pharming or web spoofing
    • H04L 63/1491: Network security, countermeasures against malicious traffic (H04L 63/14, 63/1441) using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L 61/5007: Addressing or naming, address allocation (H04L 61/50), Internet protocol [IP] addresses
    • H04L 61/5046: Addressing or naming, address allocation (H04L 61/50), resolving address allocation conflicts; testing of addresses
    • H04L 63/0236: Network security, separating internal from external traffic, e.g. firewalls (H04L 63/02), filtering policies (63/0227), filtering by address, protocol, port number or service, e.g. IP address or URL
    • H04L 2101/622: Indexing scheme associated with H04L 61/00, types of network addresses (2101/60), details of network addresses (2101/618), layer-2 addresses, e.g. medium access control [MAC] addresses
    • H04L 61/5038: Addressing or naming, address allocation (H04L 61/50) for local use, e.g. in LAN or USB networks, or in a controller area network [CAN]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a method, medium and device for building phantom devices that defend against network attacks. The method comprises: obtaining the features of the real devices in a LAN; classifying the real devices according to those features and treating each class of real devices as one equipment template; setting the configuration file of the phantom devices according to the equipment template; and loading the configuration file to generate the phantom devices. The phantom devices generated by this method closely resemble the corresponding real devices, so they blend well into the network and achieve highly realistic camouflage, sensing network attacks promptly and effectively and trapping them or raising alarms and collecting evidence. At the same time, phantom devices built in this way are simple to deploy and use, consume little computing and human resource, and make few demands on the security expertise of the deployment and maintenance staff.

Description

Method, medium and device for building phantom devices that defend against network attacks
Technical field
The present invention relates to the field of network security, and in particular to a method, medium and device for building phantom devices that defend against network attacks.
Background technology
Existing active-defence techniques such as honeynets and honeypots can effectively sense and capture automated attacks such as botnets and scripts, but the camouflage in the prior art is poor: it is easily seen through by an attacker and the traps are easily bypassed, so the defensive capability is weak. At the same time, deploying and maintaining traditional honeynets and honeypots demands considerable security expertise from the personnel involved.
Summary of the invention
To address these defects in the prior art, the present invention provides a method, medium and device for building phantom devices that defend against network attacks. The phantom devices built in this way blend well into the network and provide stronger defence.
In a first aspect, the present invention provides a method for building phantom devices that defend against network attacks, comprising:
obtaining the features of the real devices in the LAN;
classifying the real devices according to those features, and treating each class of real devices as one equipment template;
setting the configuration file of the phantom devices according to the equipment template;
loading the configuration file to generate the phantom devices.
Optionally, setting the configuration file of the phantom devices according to the equipment template comprises:
allocating an IP and a MAC to each phantom device according to the equipment template;
setting the configuration file of the corresponding phantom device according to the IP, the MAC and the features corresponding to the equipment template.
Optionally, allocating an IP and a MAC to each phantom device according to the equipment template comprises:
counting the number of real devices corresponding to each equipment template;
calculating the number of phantom devices corresponding to each equipment template from the number of real devices and a preset multiplier;
calculating candidate IPs from the IPs of the real devices;
choosing, for the equipment template, the corresponding number of IPs from the candidate IPs according to the number of phantom devices;
generating the MAC of the corresponding phantom device according to the vendor feature of the equipment template.
Optionally, setting the configuration file of the corresponding phantom device according to the IP, the MAC and the features corresponding to the equipment template comprises:
setting the corresponding features of the phantom device according to the features of the equipment template;
setting the corresponding IP for the phantom device according to the IP;
setting the corresponding MAC for the phantom device according to the MAC;
generating the configuration file of the phantom device from the features, IP and MAC that have been set.
Optionally, the method further comprises:
monitoring in real time for real devices that newly come online;
detecting whether the IP and MAC of the real device conflict with the IP and MAC of the phantom devices; if there is no conflict, continuing to monitor for real devices that newly come online;
if there is a conflict, judging whether the IP of the real device conflicts with the IP of a phantom device;
if it does, deactivating the phantom device corresponding to that IP and deleting its record; modifying the configuration file corresponding to that phantom device, loading the modified configuration file and updating the phantom device;
if it does not, judging whether the MAC of the real device conflicts with the MAC of a phantom device;
if it does, re-choosing a MAC for that phantom device and updating the phantom device's MAC according to the newly chosen MAC;
if it does not, continuing to monitor for real devices that newly come online.
Optionally, the method further comprises:
judging whether the phantom devices have reached the refresh cycle;
if so, re-executing the step of obtaining the features of the real devices in the LAN;
if not, continuing to use the phantom devices.
In a second aspect, the present invention provides a method for defending against network attacks, comprising:
monitoring in real time the communication of the phantom devices in the LAN, the phantom devices having been built by the above method for building phantom devices that defend against network attacks;
judging whether any other device is communicating with a phantom device;
if not, continuing to monitor the communication of the phantom devices;
if so, marking that other device as a suspect device;
blocking communication between the suspect device and both the phantom devices and the real devices in the LAN, and sending the suspect device's information to the network administrator.
In a third aspect, the present invention provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the above method for building phantom devices that defend against network attacks.
In a fourth aspect, the present invention provides a computer device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor; when the processor executes the program, it implements the above method for building phantom devices that defend against network attacks.
The present invention provides a method for building phantom devices that defend against network attacks, comprising: obtaining the features of the real devices in the LAN; classifying the real devices according to those features and treating each class of real devices as one equipment template; setting the configuration file of the phantom devices according to the equipment template; and loading the configuration file to generate the phantom devices. Because the features of each equipment template are identical to the features of the real devices, and the configuration file of the phantom devices is set from the equipment template and the phantom devices are generated from that configuration file, the generated phantom devices closely resemble the corresponding real devices: they blend well into the network and achieve highly realistic camouflage, sensing network attacks promptly and effectively and trapping them or raising alarms and collecting evidence. At the same time, phantom devices built in this way are simple to deploy and use, consume little computing and human resource, and make few demands on the security expertise of the deployment and maintenance staff.
The method for defending against network attacks provided by the invention shares the same inventive concept as the above method for building phantom devices, and has the same advantageous effects.
The computer-readable storage medium and the computer device provided by the invention share the same inventive concept as the above method for building phantom devices, and have the same advantageous effects.
Description of the drawings
To describe more clearly the specific embodiments of the invention or the technical solutions in the prior art, the drawings needed for the specific embodiments or for the description of the prior art are briefly introduced below. In all the drawings, similar elements or parts are generally identified by similar reference numerals. In the drawings, elements or parts are not necessarily drawn to scale.
Fig. 1 is a flowchart of the method for building phantom devices that defend against network attacks provided by the invention;
Fig. 2 is a flowchart of the method for defending against network attacks provided by the invention;
Fig. 3 is a structural diagram of the device for building phantom devices that defend against network attacks provided by the invention.
Detailed description of embodiments
The embodiments of the technical solution of the present invention are described in detail below with reference to the drawings. The following embodiments only serve to illustrate the technical solution of the invention clearly and are therefore only examples; they do not limit the scope of protection of the invention.
Unless otherwise indicated, technical or scientific terms used in this application have the ordinary meaning understood by one of ordinary skill in the art to which the invention belongs.
The present invention provides a method, medium and device for building phantom devices that defend against network attacks, and a method for defending against network attacks. The embodiments of the invention are described below with reference to the drawings.
First embodiment:
Referring to Fig. 1, which is a flowchart of the method for building phantom devices that defend against network attacks provided by a specific embodiment of the invention, the method provided by this embodiment comprises:
Step S101: obtain the features of the real devices in the LAN.
Step S102: classify the real devices according to those features, and treat each class of real devices as one equipment template.
Step S103: set the configuration file of the phantom devices according to the equipment template.
Step S104: load the configuration file to generate the phantom devices.
The features may include: device type, operating system, operating-system fingerprint, open ports, vendor feature, and so on.
The real devices in the LAN are classified by feature, and one class corresponds to one equipment template. For example, one operating system corresponds to one class.
In the present invention, a phantom device is a decoy that mirrors a real device so as to keep network attacks away from that real device.
Because the features of each equipment template are identical to the features of the real devices, and the configuration file of the phantom devices is set from the equipment template and the phantom devices are generated from that configuration file, the generated phantom devices closely resemble the corresponding real devices: they blend well into the network and achieve highly realistic camouflage, sensing network attacks promptly and effectively and trapping them or raising alarms and collecting evidence. At the same time, phantom devices built in this way are simple to deploy and use and consume little computing and human resource.
In a specific embodiment provided by the invention, setting the configuration file of the phantom devices according to the equipment template comprises: allocating an IP and a MAC to each phantom device according to the equipment template; and setting the configuration file of the corresponding phantom device according to the IP, the MAC and the features corresponding to the equipment template.
Here MAC means the MAC address, which may also be called the physical address or hardware address.
After the real devices have been classified, the features of each equipment template need to be saved for later use.
When setting the configuration file, the important parameters are the IP and the MAC. Besides the IP and MAC, other parameters also need to be set in the configuration file, for example the operating-system fingerprint, the operating system and the open ports, so the configuration file is set from multiple features. Setting the configuration file from multiple features yields phantom devices that are highly similar to the real devices and raises the similarity of the phantom devices.
In the present invention, allocating an IP and a MAC to each phantom device according to the equipment template comprises: counting the number of real devices corresponding to each equipment template; calculating the number of phantom devices corresponding to each equipment template from the number of real devices and a preset multiplier; calculating candidate IPs from the IPs of the real devices; choosing, for the equipment template, the corresponding number of IPs from the candidate IPs according to the number of phantom devices; and generating the MAC of the corresponding phantom device according to the vendor feature of the equipment template.
When allocating an IP and a MAC to each phantom device, first count the number of real devices corresponding to each equipment template in the LAN and, from the preset multiplier, calculate the number of phantom devices that need to be built for each equipment template. Then select the candidate IPs for the phantom devices from the idle IPs stored in the storage device together with new IPs calculated from the IPs of the real devices, keeping the candidate IPs different from the IPs of the real devices. When selecting IPs, the corresponding number must be chosen for each equipment template, and every phantom device must correspond to one IP. Finally, generate the MACs from the vendor feature of the equipment template, where the vendor feature of the equipment template is that of the corresponding real devices. The generated MACs of the phantom devices differ from the MACs of the real devices, and the MAC of every phantom device is distinct.
Allocating IPs and MACs to the phantom devices in this way lets the back-office staff tell real devices and phantom devices apart, while at the same time raising the similarity between phantom devices and real devices. It also lets the number of phantom devices be adjusted to the actual needs of intranets of different sizes, giving good scalability.
In a specific embodiment provided by the invention, setting the configuration file of the corresponding phantom device according to the IP, the MAC and the features corresponding to the equipment template comprises: setting the corresponding features of the phantom device according to the features of the equipment template; setting the corresponding IP for the phantom device according to the IP; setting the corresponding MAC for the phantom device according to the MAC; and generating the configuration file of the phantom device from the features, IP and MAC that have been set.
After an IP and a MAC have been allocated to each phantom device, the configuration file must be set from the features, IP and MAC of the equipment template corresponding to each phantom device.
First, create a template for the configuration file of the phantom device and set the relevant parameters of the configuration file from the pre-saved features of the corresponding equipment template, for example the operating system, the response action to TCP/UDP/ICMP packets (reset/closed/open, etc.), the operating-system fingerprint and the open ports.
When setting the open ports, ports that the phantom device supports, such as 22 and 80, are configured in proxy mode, with the proxy service pointed at the IP and port of the phantom device. Setting the phantom device's open ports to proxy mode improves the fidelity of the phantom device.
Ports such as 21 also need a corresponding script configured, so that the phantom device opens the service on that port.
Then set the IP in the phantom device's configuration file from the allocated IP, and set the MAC in the configuration file from the allocated MAC.
Finally, generate the configuration file from the parameters that have been set.
Generating the configuration file from multiple features together with the IP and MAC raises the similarity between the phantom devices generated from that configuration file and the real devices.
In the present invention, when the configuration file is loaded to generate the phantom devices, Honeyd can be used to load the configuration file and generate the phantom devices. Honeyd is an open-source program for generating virtual honeypots.
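The following Python planner is an added example, not code from the patent or its assignee, that walks the first aspect and Steps S101 to S104 above end to end: it groups a LAN inventory into equipment templates by feature, multiplies the real-device count per template by a preset multiplier, picks unused IPs, derives each phantom's MAC from the template's vendor OUI, and renders a Honeyd configuration. The inventory, the OUIs and the subnet are constructed; `SERVICE_HOST` is a hypothetical real host. Note that Honeyd's `proxy` action forwards a connection to the host and port named after it, so the example points the proxied ports 22 and 80 at that real service host; port 21 gets a script and every other open port is simply marked `open`. Because Honeyd sets the Ethernet address per template, each phantom is a `clone` of its class template with its own MAC before it is bound to its IP.

```python
"""Phantom-device planner that emits a Honeyd-style configuration (added example)."""
import ipaddress
import random
from collections import defaultdict

REAL_DEVICES = [  # constructed LAN inventory; OUIs are illustrative
    {"ip": "192.168.1.10", "mac": "00:50:56:aa:01:10", "type": "server",
     "os": "Linux 2.6", "ports": (22, 80), "oui": "00:50:56"},
    {"ip": "192.168.1.11", "mac": "00:50:56:aa:01:11", "type": "server",
     "os": "Linux 2.6", "ports": (22, 80), "oui": "00:50:56"},
    {"ip": "192.168.1.50", "mac": "00:1b:21:bb:00:50", "type": "workstation",
     "os": "Microsoft Windows XP Professional SP1", "ports": (21, 139),
     "oui": "00:1b:21"},
]
SERVICE_HOST = "192.168.1.10"  # hypothetical real host that proxied ports forward to


def template_key(dev):
    """Devices sharing type, OS, open ports and vendor form one equipment template."""
    return (dev["type"], dev["os"], tuple(sorted(dev["ports"])), dev["oui"])


def build_templates(devices):
    """Step S102: one template per feature class, members listed under it."""
    groups = defaultdict(list)
    for dev in devices:
        groups[template_key(dev)].append(dev)
    return dict(sorted(groups.items()))


def candidate_ips(subnet, devices):
    """Unused host addresses in the subnet; the first host is skipped as the usual gateway."""
    used = {d["ip"] for d in devices}
    hosts = [str(h) for h in ipaddress.ip_network(subnet).hosts()]
    return [h for h in hosts[1:] if h not in used]


def make_mac(oui, rng, used):
    """Random NIC half under the vendor OUI, unique against every MAC already in use."""
    while True:
        mac = oui + ":" + ":".join(f"{rng.randrange(256):02x}" for _ in range(3))
        if mac not in used:
            used.add(mac)
            return mac


def plan_phantoms(devices, subnet, multiplier=2, seed=0):
    """Step S103, part one: phantom count, IP and MAC per template."""
    rng = random.Random(seed)
    free = candidate_ips(subnet, devices)
    used_macs = {d["mac"] for d in devices}
    plan = []
    for idx, (key, members) in enumerate(build_templates(devices).items()):
        name = f"tmpl{idx}"
        for n in range(len(members) * multiplier):  # phantoms = real count x multiplier
            plan.append({"template": name, "host": f"{name}h{n}", "key": key,
                         "ip": free.pop(0), "mac": make_mac(key[3], rng, used_macs)})
    return plan


def render_honeyd(plan):
    """Step S103, part two: a Honeyd template per class, a clone per phantom, then bind."""
    lines, done = [], set()
    for p in plan:
        name, (_dtype, os_name, ports, _oui) = p["template"], p["key"]
        if name not in done:
            done.add(name)
            lines += [f"create {name}", f'set {name} personality "{os_name}"',
                      f"set {name} default tcp action reset",
                      f"set {name} default udp action reset",
                      f"set {name} default icmp action open"]
            for port in ports:
                if port in (22, 80):      # proxy mode: hand the connection to a real service
                    lines.append(f"add {name} tcp port {port} proxy {SERVICE_HOST}:{port}")
                elif port == 21:          # scripted service emulated on the phantom itself
                    lines.append(f'add {name} tcp port {port} "sh scripts/ftp.sh"')
                else:
                    lines.append(f"add {name} tcp port {port} open")
        lines += [f"clone {p['host']} {name}",
                  f"set {p['host']} ethernet \"{p['mac']}\"",
                  f"bind {p['ip']} {p['host']}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":  # Step S104 would be: honeyd -f <this file>
    print(render_honeyd(plan_phantoms(REAL_DEVICES, "192.168.1.0/24")))
```

With the constructed inventory the two `server` hosts become one template with four phantoms and the single workstation becomes a second template with two, so the multiplier is the knob the text describes for scaling to the intranet size. The planner keeps every phantom MAC distinct from every real MAC, which is the property that lets staff separate the two populations while an attacker scanning the segment sees the same vendor prefixes on both.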
In a specific embodiment provided by the invention, after the step of generating the phantom devices, the method further comprises: monitoring in real time for real devices that newly come online; detecting whether the IP and MAC of the real device conflict with the IP and MAC of the phantom devices; if there is no conflict, continuing to monitor for real devices that newly come online; if there is a conflict, judging whether the IP of the real device conflicts with the IP of a phantom device; if it does, deactivating the phantom device corresponding to that IP and deleting its record, modifying the configuration file corresponding to that phantom device, loading the modified configuration file and updating the phantom device; if it does not, judging whether the MAC of the real device conflicts with the MAC of a phantom device; if it does, re-choosing a MAC for that phantom device and updating the phantom device's MAC according to the newly chosen MAC; if it does not, continuing to monitor for real devices that newly come online.
After the phantom devices have been generated, the method may further detect whether the IP and MAC of a real device in the LAN conflict with the IP and MAC of a phantom device and, if so, adjust the parameters of that phantom device.
The detection process is specifically as follows:
Monitor in real time for real devices that newly come online; detect whether the IP and MAC of the real device conflict with the IP and MAC of the phantom devices; if there is no conflict, continue to monitor for real devices that newly come online.
If there is a conflict, judge whether the IP of the real device conflicts with the IP of a phantom device. If it does, deactivate the phantom device corresponding to that IP and delete its record; modify the configuration file corresponding to that phantom device, load the modified configuration file and update the phantom device. When loading the configuration file, the new configuration file is loaded with Honeyd.
If the IP does not conflict, judge whether the MAC of the real device conflicts with the MAC of a phantom device. If it does, re-choose a MAC for that phantom device and update the phantom device's MAC according to the newly chosen MAC. If it does not, continue to monitor for real devices that newly come online.
Monitoring newly online real devices in real time avoids confusion between phantom devices and real devices, so that monitoring errors are prevented when the phantom devices are used to defend against network attacks.
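The conflict handler below is an added example, not the patent's own code, that applies the ordering just described to one newly seen real device: the IP check comes first and moves the phantom off the contested address (its record is deleted and recreated under a spare IP, then the configuration is reloaded); only if the IP is clear is the MAC compared, and then the phantom merely gets a fresh MAC under the same vendor OUI. The phantom table, the spare IP list and the device events are constructed, and `reload_config` is a hypothetical hook standing in for regenerating the Honeyd file and restarting Honeyd on it.

```python
"""Conflict handling between newly online real devices and phantom devices (added example)."""
import random

PHANTOMS = {  # constructed: phantom IP -> record carried over from the planning step
    "192.168.1.2": {"host": "tmpl0h0", "mac": "00:50:56:3a:7e:11", "oui": "00:50:56"},
    "192.168.1.3": {"host": "tmpl0h1", "mac": "00:50:56:5c:02:9f", "oui": "00:50:56"},
}
FREE_IPS = ["192.168.1.4", "192.168.1.5"]  # spare candidate IPs kept from planning
RELOADS = []  # hypothetical hook target: every reloaded configuration snapshot


def reload_config(phantoms):
    """Stand-in for regenerating the Honeyd configuration and reloading it."""
    RELOADS.append({ip: dict(p) for ip, p in phantoms.items()})
    return len(RELOADS)


def fresh_mac(oui, used, rng):
    """New NIC half under the phantom's vendor OUI, avoiding every MAC in `used`."""
    while True:
        mac = oui + ":" + ":".join(f"{rng.randrange(256):02x}" for _ in range(3))
        if mac not in used:
            return mac


def handle_new_device(real_ip, real_mac, phantoms, free_ips, reload=reload_config, rng=None):
    """Apply the embodiment's rules; returns "ip_conflict", "mac_conflict" or "none".

    IP first: the phantom on the contested IP is deactivated (record deleted),
    re-created on a spare IP and the configuration reloaded. Only if the IP is
    clear is the MAC compared; then just the phantom's MAC is re-chosen.
    """
    rng = rng or random.Random(0)
    if real_ip in phantoms:
        record = phantoms.pop(real_ip)        # deactivate and delete the record
        phantoms[free_ips.pop(0)] = record    # modified config: same template, new IP
        reload(phantoms)                      # load the modified configuration file
        return "ip_conflict"
    by_mac = {p["mac"]: ip for ip, p in phantoms.items()}
    if real_mac in by_mac:
        ip = by_mac[real_mac]
        used = set(by_mac) | {real_mac}       # keep the new MAC clear of the real one too
        phantoms[ip]["mac"] = fresh_mac(phantoms[ip]["oui"], used, rng)
        reload(phantoms)
        return "mac_conflict"
    return "none"                             # nothing to do, keep monitoring


if __name__ == "__main__":
    events = [("192.168.1.99", "00:aa:bb:cc:dd:ee"),   # no overlap
              ("192.168.1.2", "00:11:22:33:44:55"),    # real host took a phantom's IP
              ("192.168.1.77", "00:50:56:5c:02:9f")]   # real host carries a phantom's MAC
    for ip, mac in events:
        print(ip, mac, "->", handle_new_device(ip, mac, PHANTOMS, FREE_IPS))
```

A real device that collides on both IP and MAC is handled by the IP branch alone, which matches the text; the MAC it carries stays in the phantom table under the relocated record until the next event, so in a production monitor the MAC comparison should also be rerun after a relocation.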
In a specific embodiment provided by the invention, after the step of generating the phantom devices, the method further comprises: judging whether the phantom devices have reached the refresh cycle; if so, re-executing the step of obtaining the features of the real devices in the LAN; if not, continuing to use the phantom devices.
After the phantom devices have been in use for a period of time, judge whether they have reached the refresh cycle. If not, the phantom devices can continue to be used; if so, the phantom devices need to be deleted and new phantom devices rebuilt. In this way, when the features of the real devices change, phantom devices that no longer apply are removed promptly and matching phantom devices are built, keeping the phantom devices up to date and better protecting the real devices from network attacks.
The refresh cycle can be determined from experience.
The method of the invention fully absorbs the strengths of traditional honeypot and honeynet technology: it builds phantom devices similar to the real devices, and those phantom devices blend well into the real devices on the network and sense network attacks promptly and effectively, trapping them or raising alarms and collecting evidence. In addition, the invention is simple to deploy and use, and generating these phantom devices on the intranet consumes very little computing resource. At the same time, the invention can adjust the number of phantom devices to the actual needs of intranets of different sizes, so that corresponding phantom devices can be provided for each real device.
The above is the method for building phantom devices that defend against network attacks provided by the invention.
Second embodiment:
Corresponding to the first embodiment, the present invention also provides a method for defending against network attacks. Referring to Fig. 2, which is a schematic diagram of the method for defending against network attacks provided by an embodiment of the invention.
The method for defending against network attacks provided by the second embodiment of the invention comprises:
Step S101: monitor in real time the communication of the phantom devices in the LAN, the phantom devices having been built by the method described in the first embodiment;
Step S102: judge whether any other device is communicating with a phantom device;
Step S103: if not, continue to monitor the communication of the phantom devices;
Step S104: if so, mark that other device as a suspect device;
Step S105: block communication between the suspect device and both the phantom devices and the real devices in the LAN, and send the suspect device's information to the network administrator.
After the phantom devices have been generated, they need to be blended in among the real devices. A phantom device acts as the shadow of a real device, disguising itself as that real device so that the real device is not attacked. The method by which the phantom devices defend against network attacks is: monitor in real time the communication of the phantom devices in the LAN and judge whether any other device is communicating with a phantom device; if not, continue to monitor the communication of the phantom devices; if so, mark the other device as a suspect device, block communication between the suspect device and both the phantom devices and the real devices, and thereby prevent the suspect device from attacking the real devices. At the same time, the suspect device's information can be sent to the network administrator, so that the administrator can take the relevant action promptly based on that information.
When another device is found communicating with a phantom device, the information about the suspect device can be sent to the network administrator by SMS, e-mail, SNMP trap, syslog or similar means.
While the communication between the suspect device and the phantom device is blocked, monitoring for other devices communicating with the phantom devices continues, and the suspect device itself continues to be monitored.
In the present invention, the risk information of the phantom equipment can also be acquired in real time;The risk information is sent to User.
After generating phantom equipment, the risk information of phantom equipment can also be acquired in real time, and risk information is sent To user, for alerting and prompting the risk of user's phantom equipment.
When acquiring risk information, the risk information of Honeyd acquisition phantom equipment can be used.
Wherein, risk information can refer to the information such as hacker attack, miscellaneous equipment and phantom device talk.
By acquiring the risk information of phantom equipment, the relevant risk information of user's phantom equipment can be warned in time.
3rd embodiment:
In above-mentioned first embodiment, a kind of phantom equipment method for building up of anti-network attack is provided, in conjunction with above-mentioned First embodiment, third embodiment of the invention provide a kind of computer readable storage medium, are stored thereon with computer program, should A kind of phantom equipment method for building up for anti-network attack that above-mentioned first embodiment provides is realized when program is executed by processor.
Fourth embodiment:
In conjunction with a kind of phantom equipment method for building up for anti-network attack that first embodiment provides, the present invention also provides one kind Computer equipment, including:Memory, processor and storage on a memory and the computer program that can run on a processor, The processor realizes that a kind of phantom equipment for anti-network attack that above-mentioned first embodiment provides is established when executing described program Method.Fig. 3 shows a kind of hardware architecture diagram of computer equipment provided in an embodiment of the present invention.
Specifically, the processor 201 above may include a central processing unit (CPU) or an application-specific integrated circuit (ASIC), or may be configured as one or more integrated circuits that implement the embodiments of the present invention.
The memory 202 may include mass storage for data or instructions. By way of example and not limitation, the memory 202 may include a hard disk drive (HDD), a floppy disk drive, flash memory, an optical disc, a magneto-optical disc, magnetic tape, or a Universal Serial Bus (USB) drive, or a combination of two or more of these. Where appropriate, the memory 202 may include removable or non-removable (or fixed) media. Where appropriate, the memory 202 may be internal or external to the data processing device. In particular embodiments, the memory 202 is non-volatile solid-state memory. In particular embodiments, the memory 202 includes read-only memory (ROM). Where appropriate, this ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically alterable ROM (EAROM), or flash memory, or a combination of two or more of these.
The processor 201 reads and executes the computer program instructions stored in the memory 202 to implement the phantom device establishing method for defending against network attacks of any of the embodiments above.
In one example, the device for establishing anti-network-attack phantom devices may further include a communication interface 203 and a bus 210. As shown in Fig. 2, the processor 201, the memory 202 and the communication interface 203 are connected by the bus 210 and communicate with each other over it.
The communication interface 203 is mainly used to implement communication between the modules, apparatuses, units and/or devices in the embodiments of the present invention.
The bus 210 includes hardware, software or both, and couples the components of the device for establishing anti-network-attack phantom devices to one another. By way of example and not limitation, the bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a front-side bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a low pin count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association local (VLB) bus, or another suitable bus, or a combination of two or more of these. Where appropriate, the bus 210 may include one or more buses. Although specific buses have been described and illustrated in the embodiments of the present invention, the invention contemplates any suitable bus or interconnect.
It should be clear that the invention is not limited to the specific configurations and processing described above and shown in the figures. For brevity, detailed descriptions of known methods are omitted here. In the embodiments above, several specific steps have been described and illustrated as examples. However, the method of the invention is not limited to the specific steps described and illustrated; those skilled in the art may make various changes, modifications and additions, or change the order of the steps, after understanding the spirit of the invention.
The functional blocks shown in the structural diagrams above may be implemented as hardware, software, firmware or a combination thereof. When implemented in hardware, they may be, for example, electronic circuits, application-specific integrated circuits (ASICs), suitable firmware, plug-ins, function cards, and so on. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The programs or code segments may be stored in a machine-readable medium, or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium capable of storing or transmitting information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical discs, hard disks, fiber-optic media, radio-frequency (RF) links, and so on. Code segments may be downloaded over computer networks such as the Internet or an intranet.
Finally, it should be noted that the embodiments above are only intended to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that they may still modify the technical solutions recorded in the foregoing embodiments, or replace some or all of their technical features with equivalents; such modifications or replacements do not take the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of the invention, and should all be covered by the claims and specification of the invention.

Claims (9)

1. A phantom device establishing method for defending against network attacks, characterized in that it comprises:
obtaining the features of the real devices in a LAN;
classifying the real devices according to the features, and using each class of real devices as a device template;
setting the configuration file of a phantom device according to the device template;
loading the configuration file to generate the phantom device.
2. The method according to claim 1, characterized in that setting the configuration file of the phantom device according to the device template comprises:
allocating an IP and a MAC to each phantom device according to the device template;
setting the configuration file of the corresponding phantom device according to the IP and MAC corresponding to the device template and the features.
3. The method according to claim 2, characterized in that allocating an IP and a MAC to each phantom device according to the device template comprises:
counting the number of real devices corresponding to each device template;
calculating the number of phantom devices corresponding to each device template from the number of real devices according to a preset multiplier;
calculating candidate IPs according to the IPs of the real devices;
selecting, according to the number of phantom devices, the corresponding number of IPs for the device template from the candidate IPs;
generating the MAC of the corresponding phantom device according to the vendor feature of the device template.
4. The method according to claim 2, characterized in that setting the configuration file of the corresponding phantom device according to the IP and MAC corresponding to the device template and the features comprises:
setting the corresponding features of the phantom device according to the features of the device template;
setting the corresponding IP for the phantom device according to the IP;
setting the corresponding MAC for the phantom device according to the MAC;
generating the configuration file of the phantom device according to the features, IP and MAC set for the phantom device.
5. The method according to claim 1, characterized in that it further comprises:
monitoring newly online real devices in real time;
detecting whether the IP and MAC of the real device conflict with the IP and MAC of the phantom device; if there is no conflict, continuing to monitor newly online real devices;
if there is a conflict, judging whether the IP of the real device conflicts with the IP of the phantom device;
if it does, deactivating the phantom device corresponding to that IP and deleting the record of the phantom device; modifying the configuration file corresponding to the phantom device, loading the modified configuration file, and updating the phantom device;
if it does not, judging whether the MAC of the real device conflicts with the MAC of the phantom device;
if it does, selecting a MAC for the phantom device again, and updating the MAC of the phantom device according to the reselected MAC;
if it does not, continuing to monitor newly online real devices.
6. The method according to claim 1, characterized in that it further comprises:
judging whether the phantom device has reached its refresh cycle;
if so, re-executing the step of obtaining the features of the real devices in the LAN;
if not, continuing to use the phantom device.
7. A method for defending against network attacks, characterized in that it comprises:
monitoring in real time the communication information of a phantom device in the LAN, wherein the phantom device is established by the method of any one of claims 1-6;
judging whether another device is communicating with the phantom device;
if not, continuing to monitor the communication information of the phantom device;
if so, marking the other device as a suspect device;
blocking the communication between the suspect device and both the phantom device and the real devices in the LAN, and sending the information of the suspect device to the network administrator.
8. A computer-readable storage medium on which a computer program is stored, characterized in that the method of any one of claims 1-6 is implemented when the program is executed by a processor.
9. A computer device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, characterized in that the processor implements the method of any one of claims 1-6 when executing the program.
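The procedure of claims 1 to 5, as an added Python example that is not the patent's own code: real devices are grouped into templates by (OS, open ports), phantoms are allocated at a preset multiplier on unused subnet addresses with MACs under each template's vendor prefix, a Honeyd-style configuration is emitted, and a newly online real device is checked for IP and MAC conflicts. The device inventory, the subnet, the multiplier and the Honeyd personality strings are constructed assumptions.

```python
import ipaddress
import random

REAL_DEVICES = [  # constructed inventory: (ip, mac, os_fingerprint, open_ports)
    ("192.168.1.10", "00:1b:21:aa:01:01", "Linux 4.x", (22, 80)),
    ("192.168.1.11", "00:1b:21:aa:01:02", "Linux 4.x", (22, 80)),
    ("192.168.1.20", "00:0c:29:bb:02:01", "Windows 10", (135, 445)),
]

def build_templates(devices):
    """Claims 1-2: devices sharing (OS, open ports) form one template; the vendor prefix (OUI) is kept."""
    templates = {}
    for ip, mac, os_name, ports in devices:
        t = templates.setdefault((os_name, ports), {"oui": mac[:8], "real": []})
        t["real"].append((ip, mac))
    return templates

def fresh_mac(oui, used, rng):
    """Random MAC under the template's OUI that is not already in use; records it in `used`."""
    while True:
        mac = oui + "".join(f":{rng.randrange(256):02x}" for _ in range(3))
        if mac not in used:
            used.add(mac)
            return mac

def allocate_phantoms(templates, subnet, multiplier, seed=7):
    """Claim 3: phantoms per template = multiplier x real count, on unused subnet addresses."""
    rng = random.Random(seed)
    used_ips = {ip for t in templates.values() for ip, _ in t["real"]}
    used_macs = {mac for t in templates.values() for _, mac in t["real"]}
    free = [str(h) for h in ipaddress.ip_network(subnet).hosts() if str(h) not in used_ips]
    phantoms = []
    for (os_name, ports), t in templates.items():
        for ip in rng.sample(free, multiplier * len(t["real"])):
            free.remove(ip)  # never hand the same address to two phantoms
            phantoms.append({"ip": ip, "mac": fresh_mac(t["oui"], used_macs, rng),
                             "os": os_name, "ports": ports})
    return phantoms

def honeyd_config(phantoms):
    """Claim 4: Honeyd-style config, one template per phantom (personality string is an assumption)."""
    lines = []
    for i, p in enumerate(phantoms):
        name = f"phantom{i}"
        lines += [f"create {name}", f'set {name} personality "{p["os"]}"']
        lines += [f"add {name} tcp port {port} open" for port in p["ports"]]
        lines += [f'set {name} ethernet "{p["mac"]}"', f"bind {p['ip']} {name}"]
    return "\n".join(lines)

def on_new_real_device(phantoms, ip, mac, seed=7):
    """Claim 5: a real device with a phantom's IP retires that phantom; a MAC-only clash re-keys the MAC."""
    hit = next((p for p in phantoms if p["ip"] == ip), None)
    if hit:
        phantoms.remove(hit)
        return "ip_conflict"
    hit = next((p for p in phantoms if p["mac"] == mac), None)
    if hit:
        hit["mac"] = fresh_mac(hit["mac"][:8], {mac}, random.Random(seed))
        return "mac_conflict"
    return "no_conflict"
```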

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810059506.8A CN108322456A (en) 2018-01-22 2018-01-22 A kind of phantom equipment method for building up, medium and the equipment of anti-network attack
PCT/CN2018/096106 WO2019140876A1 (en) 2018-01-22 2018-07-18 Method for establishing phantom device capable of network attack prevention, medium, and device

Publications (1)

Publication Number Publication Date
CN108322456A true CN108322456A (en) 2018-07-24

Family

ID=62887561

Country Status (2)

Country Link
CN (1) CN108322456A (en)
WO (1) WO2019140876A1 (en)

Also Published As

Publication number Publication date
WO2019140876A1 (en) 2019-07-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180724