CN110198300A - Honeypot operating-system fingerprint concealment method and device - Google Patents
- Publication number: CN110198300A (application CN201910187849.7A)
- Authority: CN (China)
- Prior art keywords: fingerprint, operating system, function, access instruction, system fingerprint
- Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
Abstract
The invention discloses a honeypot operating-system fingerprint concealment method and device. The method comprises: constructing a pseudo system fingerprint and generating a disguised operating-system fingerprint file from the pseudo system fingerprint, the pseudo system fingerprint being an operating-system fingerprint of a physical machine; hijacking an operating-system fingerprint access instruction and accessing the disguised operating-system fingerprint file, the operating-system fingerprint access instruction comprising an operating-system fingerprint open instruction or an operating-system fingerprint read instruction; and outputting the pseudo system fingerprint as the access result of the operating-system fingerprint access instruction. The present invention forges the fingerprint of a normal physical host, defends against the conventional detection of virtualized honeypots and improves the concealment of the virtualized honeypot; at the same time it gives the virtualized honeypot the basic system characteristics of a physical-machine honeypot at low cost, indirectly solving the problems of high cost and difficult management that a physical-machine honeypot has in actual use.
Description
Technical field
The present invention relates to the field of security defence, and in particular to a honeypot operating-system fingerprint concealment method and device.
Background technique
Honeypot technology is a technique for deceiving attackers: some hosts, network services or information are set out as bait to lure attackers into attacking them, so that the attacks can be captured and analysed. As shown in Fig. 1, the honeypot lures the hacker into attacking, and from the attack the tools and methods the hacker uses can be learned and the hacker's intention and motivation inferred.
In the prior art there are mainly two ways of deploying a honeypot:
The first is the virtualized honeypot. Deploying and managing honeypots on virtual machines or open-source containers is simple and convenient, so this approach is widely used. Because it is so common, however, hackers are very sensitive to this kind of honeypot: as soon as a hacker finds that a target runs in a virtual machine or an open-source container, the hacker will probe further to determine whether it is a honeypot, and is likely to abandon the attack.
The second is the physical-machine honeypot. The honeypot is deployed directly on a physical machine, so it has the physical environment that most closely resembles a real machine and its concealment is high; but it is inconvenient to deploy and manage and its cost is high, so it is used less.
Summary of the invention
The present invention provides a honeypot operating-system fingerprint concealment method and device.
In one aspect, the present invention provides a honeypot operating-system fingerprint concealment method, the method comprising:
constructing a pseudo system fingerprint and generating a disguised operating-system fingerprint file from the pseudo system fingerprint, the pseudo system fingerprint being an operating-system fingerprint of a physical machine;
hijacking an operating-system fingerprint access instruction and accessing the disguised operating-system fingerprint file, the operating-system fingerprint access instruction comprising an operating-system fingerprint open instruction or an operating-system fingerprint read instruction;
outputting the pseudo system fingerprint as the access result of the operating-system fingerprint access instruction.
In another aspect, a honeypot operating-system fingerprint concealment device is provided, the device comprising:
a pseudo system fingerprint construction module, for constructing a pseudo system fingerprint and generating a disguised operating-system fingerprint file from the pseudo system fingerprint, the pseudo system fingerprint being an operating-system fingerprint of a physical machine;
an operating-system fingerprint access instruction hijack module, for hijacking an operating-system fingerprint access instruction and accessing the disguised operating-system fingerprint file, the operating-system fingerprint access instruction comprising an operating-system fingerprint open instruction or an operating-system fingerprint read instruction;
an output module, for outputting the pseudo system fingerprint as the access result of the operating-system fingerprint access instruction.
The honeypot operating-system fingerprint concealment method and device provided by the invention forge the fingerprint of a normal physical host, defend against the conventional detection of virtualized honeypots and improve the concealment of the virtualized honeypot; at the same time they give the virtualized honeypot the basic system characteristics of a physical-machine honeypot at low cost, indirectly solving the problems of high cost and difficult management that a physical-machine honeypot has in actual use.
Detailed description of the invention
In order to explain more clearly the technical solutions in the embodiments of the present invention or in the prior art, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the honeypot system provided by the present invention;
Fig. 2 is a schematic diagram of the operating-system fingerprint of a honeypot deployed on CentOS6.5 in a VMware virtual machine, as provided by the present invention;
Fig. 3 is a schematic diagram of the operating-system fingerprint of a honeypot deployed on ubuntu14.01 in a docker virtual device, as provided by the present invention;
Fig. 4 is a flow chart of a honeypot operating-system fingerprint concealment method provided by the present invention;
Fig. 5 is a schematic diagram of the operating-system fingerprint output, after hijack and disguise by the embodiment of the present invention, by a honeypot deployed on CentOS6.5 in a VMware virtual machine;
Fig. 6 is a schematic diagram of the operating-system fingerprint output, after hijack and disguise by the embodiment of the present invention, by a honeypot deployed on ubuntu14.01 in a docker virtual device;
Fig. 7 is a flow chart of the method provided by the present invention for hijacking the operating-system fingerprint access instruction and accessing the disguised operating-system fingerprint file when the operating-system fingerprint access instruction is an open instruction;
Fig. 8 is a flow chart, provided by the present invention, of obtaining the operating-system fingerprint under normal circumstances;
Fig. 9 is a flow chart, provided by the present invention, of obtaining the operating-system fingerprint when it is hijacked by the embodiment of the present invention;
Fig. 10 is a schematic diagram, provided by the present invention, of the state after the hijack;
Fig. 11 is a flow chart, provided by the present invention, of hijacking the operating-system fingerprint access instruction and accessing the disguised operating-system fingerprint file when the operating-system fingerprint access instruction is a read instruction;
Fig. 12 is a schematic diagram of the honeypot deployment scheme provided by the present invention;
Fig. 13 is a schematic map of the attack sources captured by the highly concealed honeypots deployed using the embodiment of the present invention;
Fig. 14 is a block diagram of a honeypot operating-system fingerprint concealment device provided by the present invention;
Fig. 15 is a block diagram of an operating-system fingerprint access instruction hijack module provided by the present invention;
Fig. 16 is a block diagram of another operating-system fingerprint access instruction hijack module provided by the present invention;
Fig. 17 is a schematic diagram of the hardware structure of a device, provided by the present invention, for implementing the method provided by the embodiment of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative work fall within the protection scope of the present invention.
It should be noted that the terms "first", "second" and the like in the description, the claims and the drawings above are used to distinguish similar objects, not to describe a particular order or sequence. It should be understood that data so labelled are interchangeable where appropriate, so that the embodiments of the present invention described here can be carried out in an order other than the one illustrated or described. Furthermore, the terms "comprise" and "have" and any variant of them are intended to cover a non-exclusive inclusion: for example, a process, method, system, product or server that contains a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
To reduce the cost of honeypot deployment, the embodiment of the present invention deploys the honeypot on a virtual machine or an open-source container and modifies the honeypot's operating-system fingerprint so that the real running environment of the honeypot is hidden from the outside, making it difficult for a hacker to discover the honeypot and preventing the hacker from abandoning the attack on it. Specifically, the embodiment of the present invention provides a honeypot operating-system fingerprint concealment method in which the honeypot is in a virtual running environment, the virtual running environment comprising a virtual machine or an open-source container.
In a feasible embodiment, the honeypot can be deployed in a virtual machine; for example, the honeypot is deployed on CentOS6.5 in a VMware virtual machine. VMware is a world-leading supplier of virtual-machine solutions. CentOS (Community Enterprise Operating System) is one of the Linux distributions; it is compiled from the source code that Red Hat Enterprise Linux releases under its open-source licence, and is a completely open-source operating system.
Referring to Fig. 2, which shows the operating-system fingerprint of a honeypot deployed on CentOS6.5 in a VMware virtual machine: if the hacker uses the environment-probing command cat /proc/scsi/scsi to detect the operating-system fingerprint, the fingerprint of the target's running environment, the VMware virtual machine, is displayed directly, exposing the fact that the target is in a virtual running environment. The hacker is then likely to suspect that the target is a honeypot and to abandon the attack, so that the honeypot fails.
In another feasible embodiment, the honeypot can be deployed in an open-source container; the open-source container can be a docker virtual device running on ubuntu14.01. Ubuntu (transliterated into Chinese as 友帮拓, 优般图 or 乌班图) is an open-source operating system oriented to desktop applications, maintained by a dedicated group as a globalized operating system. Docker is an open-source application container engine that lets developers package their application and its dependencies into a portable container and then publish it on any popular Linux machine; it can also be used for virtualization. Containers use a sandbox mechanism and have no interfaces to one another.
Referring to Fig. 3, which shows the operating-system fingerprint of a honeypot deployed on ubuntu14.01 in a docker virtual device: if the hacker uses the environment-probing command cat /proc/1/cgroup to detect the operating-system fingerprint, the fingerprint of the target's running environment, the docker virtual device, is displayed directly, exposing the fact that the target is in a virtual running environment. The hacker is then likely to suspect that the target is a honeypot and to abandon the attack, so that the honeypot fails.
To avoid honeypot failure, the embodiment of the present invention provides a honeypot operating-system fingerprint concealment method that can disguise the operating-system fingerprint. As shown in Fig. 4, the method comprises:
S101. constructing a pseudo system fingerprint and generating a disguised operating-system fingerprint file from the pseudo system fingerprint; the pseudo system fingerprint is an operating-system fingerprint of a physical machine.
S103. hijacking an operating-system fingerprint access instruction and accessing the disguised operating-system fingerprint file; the operating-system fingerprint access instruction comprises an operating-system fingerprint open instruction or an operating-system fingerprint read instruction.
S105. outputting the pseudo system fingerprint as the access result of the operating-system fingerprint access instruction.
Referring to Fig. 5, which corresponds to Fig. 2 and shows the operating-system fingerprint output by a honeypot deployed on CentOS6.5 in a VMware virtual machine after the embodiment of the present invention has hijacked and disguised it: the same environment-probing command cat /proc/scsi/scsi is used to detect the operating-system fingerprint, but the output is now the pseudo system fingerprint in which the honeypot's running environment is forged into a physical machine.
Referring to Fig. 6, which corresponds to Fig. 3 and shows the operating-system fingerprint output by a honeypot deployed on ubuntu14.01 in a docker virtual device after the embodiment of the present invention has hijacked and disguised it: the same environment-probing command cat /proc/1/cgroup is used to detect the operating-system fingerprint, but the output is now the pseudo system fingerprint in which the honeypot's running environment is forged into a physical machine.
It can be seen that the honeypot operating-system fingerprint concealment method provided by the embodiment of the present invention can modify the honeypot's operating-system fingerprint and achieve high concealment of the honeypot, so that a malicious attacker does not identify the honeypot in advance and halt the attack, which would leave the honeypot unable to capture the hacker's behaviour.
In a specific embodiment, the honeypot system concealment method can be implemented with an LKM. An LKM (Linux kernel module) is a system kernel module, the mechanism the Linux kernel uses to extend its functionality, and it can be loaded dynamically. With LKM technology the pseudo system fingerprint can be constructed without rebuilding the entire kernel; the operating-system fingerprint access instruction is hijacked and the pseudo system fingerprint is output as the access result of the operating-system fingerprint access instruction.
In a specific embodiment, the operating-system fingerprint access instruction is an open instruction, and hijacking the operating-system fingerprint access instruction and accessing the disguised operating-system fingerprint file, as shown in Fig. 7, comprises:
S1031. hijacking the open function in the system call table and changing its address to the address of a custom function; the object opened by the open function is an operating-system fingerprint related file.
Specifically, the open function can be hijacked with hook technology.
"Hook" is rendered in Chinese as 钩子 or 挂钩. Once a hook is placed on a specific system event, the program that hooked the event is notified by the system as soon as the event occurs, and the program can respond to the event immediately. Hooks allow messages or particular events to be intercepted and handled, so that the hook function obtains control first and the hijack is completed.
Specifically, the hijack is completed by replacing the address of the open function in the system call table with the address of the custom function; the code that performs the replacement can be as follows:
    /* sct: address of the system call table; name: name of the hooked system call (e.g. open).
     * Saves the original entry in real_<name> and installs fake_<name> in its place. */
    #define HOOK_SCT(sct, name)                          \
        do {                                             \
            real_##name = (void *)sct[__NR_##name];      \
            sct[__NR_##name] = (void *)fake_##name;      \
        } while (0)
Specifically, the custom function can process the hook parameters, change the filename parameter that identifies the file to be opened to the disguised operating-system fingerprint file (the embodiment of the present invention uses 2.txt as an example), and then hand the modified filename parameter to the open function for further processing.
Specifically, the code of the custom function can be as follows:
S1032. opening the custom function in response to the operating-system fingerprint access instruction.
S1033. executing the custom function so that the opened object is redirected to the disguised operating-system fingerprint file.
S1034. executing the open function.
Taking acquisition of the operating-system fingerprint in LKM mode as an example, Fig. 8 shows the process of obtaining the operating-system fingerprint under normal circumstances. In operation order the process is: an exec command issues the instruction to obtain the operating-system fingerprint; the system open function is called to open the operating-system fingerprint related file; the operating-system fingerprint related file is read; the content of the operating-system fingerprint related file is output.
By contrast, Fig. 9 shows the process of obtaining the operating-system fingerprint when it is hijacked by the embodiment of the present invention. In operation order the process is: an exec command issues the instruction to obtain the operating-system fingerprint; the instruction is hijacked and the custom function is accessed; the custom function redirects the opened object to the disguised operating-system fingerprint file; the disguised operating-system fingerprint file is read; the content of the disguised operating-system fingerprint file is output.
Referring to Fig. 10, which shows the state after the hijack: it can be seen that the operating-system fingerprint access instruction for /proc/1/cgroup has been hijacked and outputs the forged content of 2.txt, that is, the pseudo system fingerprint.
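The environment checks of Figs. 2 and 3 and the open-hijack flow of Figs. 8 to 10, modelled in userland as an added example (not the patent's LKM code): the kernel open() hook becomes a redirect table, the /proc file contents and the disguise file name 1.txt are constructed (the page names only 2.txt), and audit() is the check a honeypot operator would run to confirm that neither fingerprint file still leaks a virtualization marker.

```python
# Added example (not the patent's LKM code): userland model of the hijack flow of Figs. 8 and 9.
import re

# Constructed sample contents of the two fingerprint files the page cites.
# A VMware guest and a docker container leak their environment; the "physical"
# versions are what the pseudo fingerprint of step S101 should look like.
VMWARE_SCSI = (
    "Attached devices:\n"
    "Host: scsi2 Channel: 00 Id: 00 Lun: 00\n"
    "  Vendor: VMware   Model: Virtual disk     Rev: 1.0\n"
    "  Type:   Direct-Access                    ANSI  SCSI revision: 02\n"
)
DOCKER_CGROUP = (
    "12:pids:/docker/0123456789abcdef\n"  # constructed container id
    "11:memory:/docker/0123456789abcdef\n"
    "1:name=systemd:/docker/0123456789abcdef\n"
)
PHYSICAL_SCSI = (
    "Attached devices:\n"
    "Host: scsi0 Channel: 00 Id: 00 Lun: 00\n"
    "  Vendor: ATA      Model: ST1000DM003-1CH1 Rev: CC47\n"
    "  Type:   Direct-Access                    ANSI  SCSI revision: 05\n"
)
PHYSICAL_CGROUP = "1:name=systemd:/\n"  # PID 1 of a bare host sits in the root cgroup

# Markers that the probing commands cat /proc/scsi/scsi and cat /proc/1/cgroup reveal.
VIRT_MARKERS = {
    "/proc/scsi/scsi": re.compile(r"VMware|VBOX|QEMU|Virtual disk", re.I),
    "/proc/1/cgroup": re.compile(r"/docker/|/lxc/|/kubepods", re.I),
}


def classify_fingerprint(path, content):
    """Return the first virtualization marker found in the file content, or None."""
    match = VIRT_MARKERS[path].search(content)
    return match.group(0) if match else None


class FingerprintHoneypot:
    """The honeypot's file access with and without the open() hook installed."""

    def __init__(self, real_files):
        self.real_files = dict(real_files)  # true contents of the honeypot's /proc files
        self.disguise_files = {}            # disguise file path -> pseudo fingerprint
        self.redirects = {}                 # fingerprint path -> disguise file path
        self.hooked = False                 # whether HOOK_SCT has replaced open()

    def build_pseudo_fingerprint(self, path, pseudo_content, disguise_path):
        """S101: store a pseudo fingerprint, which must itself look like a physical host."""
        marker = classify_fingerprint(path, pseudo_content)
        if marker:
            raise ValueError(f"pseudo fingerprint for {path} still contains {marker!r}")
        self.disguise_files[disguise_path] = pseudo_content
        self.redirects[path] = disguise_path

    def hook(self):
        """HOOK_SCT: point the open entry of the call table at the custom function."""
        self.hooked = True

    def unhook(self):
        """UNHOOK_SCT (S1035): restore the real open function."""
        self.hooked = False

    def _real_open(self, path):
        """Normal open (Fig. 8): the requested file is returned unchanged."""
        if path in self.disguise_files:
            return self.disguise_files[path]
        return self.real_files[path]

    def _fake_open(self, path):
        """Custom function (S1031-S1034): rewrite the filename parameter to the
        disguise file, then hand it on to the real open function."""
        return self._real_open(self.redirects.get(path, path))

    def cat(self, path):
        """Models `cat <path>`: exec -> open -> read -> output."""
        open_fn = self._fake_open if self.hooked else self._real_open
        return open_fn(path)


def audit(honeypot):
    """Operator-side check: which fingerprint paths still leak a virtualization marker."""
    leaks = {}
    for path in VIRT_MARKERS:
        marker = classify_fingerprint(path, honeypot.cat(path))
        if marker:
            leaks[path] = marker
    return leaks


def demo():
    """Run the three phases; return (leaks before hook, leaks hooked, leaks after unhook)."""
    hp = FingerprintHoneypot({"/proc/scsi/scsi": VMWARE_SCSI, "/proc/1/cgroup": DOCKER_CGROUP})
    before = audit(hp)  # Figs. 2 and 3: the running environment leaks
    hp.build_pseudo_fingerprint("/proc/scsi/scsi", PHYSICAL_SCSI, "1.txt")  # 1.txt is constructed
    hp.build_pseudo_fingerprint("/proc/1/cgroup", PHYSICAL_CGROUP, "2.txt")  # 2.txt as on the page
    hp.hook()
    hooked = audit(hp)  # Figs. 5, 6 and 10: only the pseudo fingerprint is visible
    hp.unhook()
    return before, hooked, audit(hp)


if __name__ == "__main__":
    for label, leaks in zip(("before hook", "hooked", "after unhook"), demo()):
        print(f"{label}: {leaks or 'no virtualization markers leaked'}")
```

The ValueError in build_pseudo_fingerprint is the edge case worth keeping: a disguise file that still contains a VMware or docker string defeats the purpose of the hijack, so it is rejected before the hook is installed.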
In other feasible embodiments, the operating-system fingerprint access instruction is a read instruction, and hijacking the operating-system fingerprint access instruction and accessing the disguised operating-system fingerprint file, as shown in Fig. 11, comprises:
S10310. hijacking the read function in the system call table and changing its address to the address of a custom function; the object read by the read function is an operating-system fingerprint related file.
S10320. opening the custom function in response to the operating-system fingerprint access instruction.
S10330. executing the custom function so that the read object is redirected to the disguised operating-system fingerprint file.
S10340. executing the read function.
In a preferred embodiment, before hijacking the operating-system fingerprint access instruction and accessing the disguised operating-system fingerprint file, a hijack-preparation step is also included; the hijack preparation comprises:
S10301. obtaining the address of the system call table.
Specifically, the relevant code can be as follows:
S10302. disabling the read-only protection of the system call table.
Specifically, the relevant code can be as follows:
Correspondingly, after hijacking the operating-system fingerprint access instruction and accessing the disguised operating-system fingerprint file, a hijack-recovery step is also included; the hijack recovery comprises:
S1035. restoring the address of the open function or the address of the read function in the system call table.
Specifically, the relevant code can be as follows:
    /* sct: address of the system call table; name: name of the hooked system call (e.g. open).
     * Writes the entry saved by HOOK_SCT in real_<name> back into the table. */
    #define UNHOOK_SCT(sct, name)                        \
        (sct[__NR_##name] = (void *)real_##name)
S1036. restoring the read-only protection of the system call table.
Specifically, the relevant code can be as follows:
The embodiment of the present invention thus discloses a concrete scheme for hiding the operating-system fingerprint by hijacking: it forges the fingerprint of a normal physical host, defends against the conventional detection of virtualized honeypots and improves the concealment of the virtualized honeypot; at the same time it gives the virtualized honeypot the basic system characteristics of a physical-machine honeypot at low cost, indirectly solving the problems of high cost and difficult management that a physical-machine honeypot has in actual use.
Further, the embodiment of the present invention also provides a honeypot deployment scheme in which multiple honeypot systems run on a single network interface card, so that the whole system is easier to maintain. The honeypot programs are packaged in docker containers and concealed with the method provided by the embodiment of the present invention. The deployment environment gives the honeypots good isolation and easier updating, and the honeypot host itself can be mounted in a vmware virtual machine, so that the honeypot effectively has two layers of virtualization, docker and vmware, in its running environment.
As shown in Fig. 12, the honeypot deployment scheme integrates the docker environments of several kinds of honeypot; the honeypots generate attack-monitoring logs, which an upper-layer log management host collects and aggregates for attack data visualization.
The bottom layer is the docker honeypot set, which comprises the following components:
Conpot: a low-interaction industrial-control honeypot that provides a series of common industrial-control protocols and can simulate complex industrial-control infrastructure.
Cowrie: a medium-interaction SSH honeypot derived from kippo. It records brute-force account names and passwords, provides a forged file-system environment in which the hacker's operations are recorded, and saves files downloaded with wget/curl and files uploaded through SFTP. Kippo is a medium-interaction SSH honeypot that gives the attacker a way in: the attacker can log in to the honeypot over SSH and perform some common command operations. SSH (Secure Shell) is a general, powerful, software-based network security solution: whenever the computer sends data to the network, SSH encrypts it automatically, and when the data reaches its destination SSH decrypts it automatically, the whole process being transparent.
After an attacker takes over a server, the attacker is likely to perform small-scale port probing or batch port scanning in order to move laterally and gain control of more servers. An SSH honeypot is therefore deployed on the intranet to lure the attacker into the honeypot and trigger a real-time alarm, so that security staff learn in time that an attacker has penetrated the intranet, which server has been compromised and what operations the attacker has performed on the honeypot.
SFTP is the abbreviation of Secure File Transfer Protocol. It provides a secure, encrypted network method for transferring files, and is a part of SSH.
Dionaea: an application that runs on Linux in a network environment and opens the default ports of common Internet services. When an external connection arrives it responds by simulating the normal service while recording the inbound and outbound network data flow. The network data flow is passed through a detection module and classified; if it contains code that exploits a software vulnerability, that code is emulated.
Elasticpot: a honeypot that simulates the elasticsearch RCE vulnerability; by forging the function it responds to requests to _search and /_nodes with the JSON messages of a vulnerable instance. JSON (JavaScript Object Notation) is a lightweight data-interchange format. It stores and represents data in a text format that is completely independent of the programming language. Its concise and clear hierarchical structure makes JSON an ideal data-interchange language: it is easy for people to read and write, easy for machines to parse and generate, and it effectively improves network transmission efficiency.
Emobility: a high-interaction honeypot container intended to collect the motives and methods of attacks on next-generation transport infrastructure. The Emobility honeynet comprises a central charging system, several charging points and the transactions of simulated users. Once the attacker accesses the web interface of the central control system, the attacker monitors and handles running charging transactions and interacts with the charging points. In addition, at random times the hacker may interact with a user who is just picking up a vehicle charge.
Glastopf: a low-interaction web-application honeypot that can simulate thousands of web vulnerabilities, responds to the attacker's different attack methods and then collects data from the attack process against the target web application. It targets automated vulnerability scanning and exploitation tools: by classifying exploitation patterns and returning the corresponding plausible result for a given class of exploitation, it achieves low interaction.
Honeytrap: observes attacks on TCP or UDP services; running as a daemon, it simulates some well-known services, can analyse attack strings and executes the corresponding file-download instructions. TCP (Transmission Control Protocol) is a connection-oriented, reliable, byte-stream-based transport-layer communication protocol. UDP is the abbreviation of User Datagram Protocol, a connectionless transport-layer protocol in the Open Systems Interconnection reference model that provides a simple, unreliable, transaction-oriented message delivery service.
Referring to Fig. 13, which shows the map of attack sources captured by the highly concealed honeypots deployed using the embodiment of the present invention: it is clear that the embodiment of the present invention, by combining several kinds of highly concealed honeypot, obtains a good attack-capture effect, which also fully demonstrates that the concealment method provided by the embodiment of the present invention is effective.
Further, the embodiment of the present invention also provides a honeypot operating-system fingerprint concealment device. As shown in Fig. 14, the device comprises:
a pseudo system fingerprint construction module 201, for constructing a pseudo system fingerprint and generating a disguised operating-system fingerprint file from the pseudo system fingerprint, the pseudo system fingerprint being an operating-system fingerprint of a physical machine;
an operating-system fingerprint access instruction hijack module 202, for hijacking an operating-system fingerprint access instruction and accessing the disguised operating-system fingerprint file, the operating-system fingerprint access instruction comprising an operating-system fingerprint open instruction or an operating-system fingerprint read instruction;
an output module 203, for outputting the pseudo system fingerprint as the access result of the operating-system fingerprint access instruction;
a hijack preparation module 204, for restoring the address of the open function or the read function in the system call table and restoring the read-only protection of the system call table;
a hijack recovery module 205, for restoring the address of the open function or the address of the read function in the system call table and restoring the read-only protection of the system call table.
As shown in Figure 15, the operating system fingerprint access instruction hijacking module 202 may include:
a first hijacking unit 2021, for hijacking the open function in the system call table and replacing its address with the address of a custom function, where the open object of the open function is an operating system fingerprint related file;
a first custom function opening unit 2023, for invoking the custom function in response to the operating system fingerprint access instruction;
a first redirection unit 2025, for executing the custom function so that the open object is redirected to the disguised operating system fingerprint file;
a first execution unit 2027, for executing the open function.
As shown in Figure 16, the operating system fingerprint access instruction hijacking module 202 may include:
a second hijacking unit 2022, for hijacking the read function in the system call table and replacing its address with the address of a custom function, where the read object of the read function is an operating system fingerprint related file;
a second custom function opening unit 2024, for invoking the custom function in response to the operating system fingerprint access instruction;
a second redirection unit 2026, for executing the custom function so that the read object is redirected to the disguised operating system fingerprint file;
a second execution unit 2028, for executing the read function.
The honeypot operating system fingerprint hiding device provided by the embodiment of the present invention is based on the same inventive concept as the method embodiment.
An embodiment of the present invention also provides a computer storage medium. The computer storage medium can store a plurality of instructions suitable for being loaded and executed by a processor to perform the steps of the honeypot operating system fingerprint hiding method described in the embodiment of the present invention; the specific execution process may refer to the description of the method embodiment, and specifically includes:
constructing a system pseudo-fingerprint and generating a disguised operating system fingerprint file from the system pseudo-fingerprint, where the system pseudo-fingerprint is the operating system fingerprint of a physical machine;
hijacking an operating system fingerprint access instruction and accessing the disguised operating system fingerprint file, where the operating system fingerprint access instruction is an operating system fingerprint open instruction or an operating system fingerprint read instruction;
outputting the system pseudo-fingerprint as the access result of the operating system fingerprint access instruction.
Specifically, the honeypot system is deployed in a virtual execution environment, and the virtual execution environment is a virtual machine or an open-source container.
Preferably, when the operating system fingerprint access instruction is an open instruction, hijacking the operating system fingerprint access instruction and accessing the disguised operating system fingerprint file includes:
hijacking the open function in the system call table and replacing its address with the address of a custom function, where the open object of the open function is an operating system fingerprint related file;
invoking the custom function in response to the operating system fingerprint access instruction;
executing the custom function so that the open object is redirected to the disguised operating system fingerprint file;
executing the open function.
Preferably, when the operating system fingerprint access instruction is an operating system fingerprint read instruction, hijacking the operating system fingerprint access instruction and accessing the disguised operating system fingerprint file includes:
hijacking the read function in the system call table and replacing its address with the address of a custom function, where the read object of the read function is an operating system fingerprint related file;
invoking the custom function in response to the operating system fingerprint access instruction;
executing the custom function so that the read object is redirected to the disguised operating system fingerprint file;
executing the read function.
Preferably, before hijacking the operating system fingerprint access instruction and accessing the disguised operating system fingerprint file, the method further includes a hijack preparation step, which includes:
obtaining the address of the system call table;
disabling the read-only protection of the system call table.
Preferably, after hijacking the operating system fingerprint access instruction and accessing the disguised operating system fingerprint file, the method further includes a hijack recovery step, which includes:
restoring the address of the open function or of the read function in the system call table;
restoring the read-only protection of the system call table.
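The pseudo-fingerprint construction and the two hijack paths above (open hijacking, read hijacking, each bracketed by the preparation and recovery steps) can be exercised end to end in user space. What follows is an added example, not code from the patent or from Tencent: a page-protected array of function pointers stands in for the kernel's system call table, mprotect() stands in for disabling and restoring its read-only protection (in a real x86 Linux kernel module that is the CR0.WP bit, and the table address comes from the kernel symbol table; neither is reproduced here), and the open and read entries are replaced by custom functions that redirect the open object or the read object to decoy files generated from a constructed physical-machine pseudo-fingerprint. The toy syscall numbers, the decoy directory, the list of fingerprint files, the fingerprint values and the virtualization-marker list are all assumptions.

```c
/* Added user-space model of the hook described above: a page-protected array of
 * function pointers stands in for sys_call_table, mprotect() for toggling its
 * read-only protection (CR0.WP in a real kernel), and the open/read entries are
 * swapped for custom functions that redirect fingerprint files to decoy files.
 * Syscall numbers, paths, fingerprint values and the marker list are assumptions. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
typedef long (*syscall_fn)(long, long, long);     /* x86-64 style: args passed as longs */
enum { NR_OPEN, NR_READ };                         /* toy syscall numbers */
static syscall_fn *sys_call_table, orig_open, orig_read;
static char decoy_dir[] = "/tmp/decoy_fp_XXXXXX";  /* filled in by mkdtemp() */
/* Fingerprint files, their decoys, and decoy content: a physical host's pseudo-fingerprint (constructed). */
static const struct { const char *real, *decoy, *content; } fp[] = {
    { "/proc/version", "version", "Linux version 4.15.0-112-generic (buildd@lcy01) "
      "(gcc version 7.5.0) #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020\n" },
    { "/etc/os-release", "os-release", "NAME=\"Ubuntu\"\nID=ubuntu\nVERSION_ID=\"18.04\"\n" },
};
#define NFP (sizeof fp / sizeof fp[0])
/* Pre-deployment check: decoy content must not betray the VM or container the honeypot runs in. */
int leaks_virtualization(const char *s) {
    static const char *m[] = { "QEMU", "KVM", "VMware", "VirtualBox", "Xen", "docker", "lxc" };
    for (size_t i = 0; i < sizeof m / sizeof m[0]; i++) if (strstr(s, m[i])) return 1;
    return 0;
}
/* Maps a fingerprint path to its decoy path; NULL for any other path. */
const char *redirect_path(const char *path, char *out, size_t n) {
    for (size_t i = 0; i < NFP; i++)
        if (!strcmp(path, fp[i].real)) { snprintf(out, n, "%s/%s", decoy_dir, fp[i].decoy); return out; }
    return NULL;
}
/* Original table entries (thin libc wrappers) and the two custom functions. */
static long real_open(long p, long f, long m) { return open((const char *)p, (int)f, (mode_t)m); }
static long real_read(long fd, long b, long n) { return read((int)fd, (void *)b, (size_t)n); }
static long hooked_open(long p, long f, long m) {   /* redirect the open object, then run the original open */
    char d[128];
    const char *t = redirect_path((const char *)p, d, sizeof d);
    return orig_open((long)(t ? t : (const char *)p), f, m);
}
static long hooked_read(long fd, long b, long n) {  /* redirect the read object if fd names a fingerprint file */
    char link[40], target[128], d[128];
    snprintf(link, sizeof link, "/proc/self/fd/%ld", fd);
    ssize_t len = readlink(link, target, sizeof target - 1);
    if (len > 0) target[len] = '\0';
    if (len <= 0 || !redirect_path(target, d, sizeof d)) return orig_read(fd, b, n);
    off_t off = lseek((int)fd, 0, SEEK_CUR);        /* serve decoy bytes at the caller's offset */
    if (off < 0) off = 0;
    int dfd = open(d, O_RDONLY);
    if (dfd < 0) return -1;
    long got = pread(dfd, (void *)b, (size_t)n, off);
    close(dfd);
    if (got > 0) lseek((int)fd, off + got, SEEK_SET); /* keep the real fd's position in step */
    return got;
}
/* Hijack preparation and recovery: toggle the table page's read-only protection. */
static void table_writable(int w) {
    mprotect(sys_call_table, (size_t)sysconf(_SC_PAGESIZE), w ? PROT_READ | PROT_WRITE : PROT_READ);
}
void hijack_install(void) {
    table_writable(1);
    orig_open = sys_call_table[NR_OPEN]; sys_call_table[NR_OPEN] = hooked_open;
    orig_read = sys_call_table[NR_READ]; sys_call_table[NR_READ] = hooked_read;
    table_writable(0);
}
void hijack_restore(void) {
    table_writable(1);
    sys_call_table[NR_OPEN] = orig_open; sys_call_table[NR_READ] = orig_read;
    table_writable(0);
}
int hooks_active(void) { return sys_call_table[NR_OPEN] == hooked_open; }
/* Builds the protected table and writes the decoy files; -1 on failure or on a leaking decoy. */
int setup(void) {
    sys_call_table = mmap(NULL, (size_t)sysconf(_SC_PAGESIZE), PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (sys_call_table == MAP_FAILED || !mkdtemp(decoy_dir)) return -1;
    sys_call_table[NR_OPEN] = real_open; sys_call_table[NR_READ] = real_read;
    table_writable(0);
    for (size_t i = 0; i < NFP; i++) {
        char d[128];
        FILE *f = leaks_virtualization(fp[i].content) ? NULL : fopen(redirect_path(fp[i].real, d, sizeof d), "w");
        if (!f) return -1;
        fputs(fp[i].content, f); fclose(f);
    }
    return 0;
}
/* Reads fp[i].real through the table as an attacker's `cat` would: 1 = exactly the decoy came back,
 * 0 = other bytes, -1 = cannot open. via_table=0 opens with plain libc, bypassing the hooked open. */
int decoy_served(size_t i, int via_table) {
    char buf[512];
    int fd = via_table ? (int)sys_call_table[NR_OPEN]((long)fp[i].real, O_RDONLY, 0) : open(fp[i].real, O_RDONLY);
    if (fd < 0) return -1;
    long got = sys_call_table[NR_READ](fd, (long)buf, (long)sizeof buf - 1);
    close(fd);
    if (got <= 0) return 0;
    buf[got] = '\0';
    return strcmp(buf, fp[i].content) == 0;
}
int main(void) {
    if (setup() != 0) return 1;
    hijack_install();
    printf("%s read through hooked open+read, decoy served: %d\n", fp[0].real, decoy_served(0, 1));
    hijack_restore();
    return 0;
}
```

leaks_virtualization() is the check a deployment should run before the decoys go live: the pseudo-fingerprint has to be harvested from a physical host, and a /proc/version or /etc/os-release copied from the honeypot's own virtual machine or container would expose exactly what the method is meant to hide. Two further caveats fall outside what the patent describes: glibc implements open(3) with the openat system call on current Linux, so a real hook that replaces only the open entry of the table is never reached by ordinary programs; and uname(2) returns the kernel release from the kernel's utsname structure without touching /proc/version, so `uname -a` still sees the real kernel unless that call is handled as well.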
Further, Figure 17 shows a schematic diagram of the hardware structure of a device for implementing the method provided by the embodiment of the present invention. The device may be a terminal, a mobile terminal or a server, and may also form part of the device provided by the embodiment of the present invention. As shown in Figure 17, the terminal 10 (or mobile device 10, or server 10) may include one or more processors 102 (shown in the figure as 102a, 102b, ..., 102n; a processor 102 may include, but is not limited to, a processing unit such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory 104 for storing data, and a transmission device 106 for communication. It may further include a display, an input/output interface (I/O interface), a universal serial bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a power supply and/or a camera. A person skilled in the art will understand that the structure shown in Figure 17 is illustrative only and does not limit the structure of the electronic device above. For example, the terminal 10 may include more or fewer components than shown in Figure 17, or a configuration different from that shown in Figure 17.
It should be noted that the one or more processors 102 and/or other data processing circuits may generally be referred to herein as a "data processing circuit". The data processing circuit may be embodied, in whole or in part, as software, hardware, firmware or any combination of these. In addition, the data processing circuit may be a single independent processing module, or may be integrated, in whole or in part, into any of the other elements of the computer terminal 10 (or mobile device). As involved in the embodiment of the present application, the data processing circuit acts as a kind of processor control (for example, selecting a variable-resistance terminal path connected to an interface).
The memory 104 may be used to store software programs and modules of application software, such as the program instructions/data storage device corresponding to the method described in the embodiment of the present invention. The processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, thereby implementing the honeypot operating system fingerprint hiding method described above. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, and such remote memory may be connected to the terminal 10 through a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations of these.
The transmission device 106 is used to receive or send data via a network. Specific examples of the network may include a wireless network provided by the communication provider of the terminal 10. In one example, the transmission device 106 includes a network interface controller (NIC), which can be connected to other network devices through a base station so as to communicate with the Internet. In one example, the transmission device 106 may be a radio frequency (RF) module used to communicate wirelessly with the Internet.
The display may be, for example, a touch-screen liquid crystal display (LCD), which allows the user to interact with the user interface of the terminal 10 (or mobile device).
It should be understood that the numbering of the embodiments of the present invention is for description only and does not indicate the relative merit of the embodiments.
The specific embodiments of the present specification have been described above. Other embodiments fall within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in an order different from that of the embodiments and still achieve the desired result. In addition, the processes depicted in the drawings do not necessarily require the particular order shown, or a sequential order, to achieve the desired result. In some embodiments, multitasking and parallel processing may also be possible or advantageous.
The embodiments in this specification are described in a progressive manner; the same or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, the device and server embodiments are substantially similar to the method embodiment, so their description is relatively brief, and the relevant parts may refer to the description of the method embodiment.
A person of ordinary skill in the art will understand that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk or an optical disc.
The above are only preferred embodiments of the present invention and are not intended to limit the invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.
Claims (10)
1. A honeypot operating system fingerprint hiding method, characterized in that the method includes:
constructing a system pseudo-fingerprint and generating a disguised operating system fingerprint file from the system pseudo-fingerprint, where the system pseudo-fingerprint is the operating system fingerprint of a physical machine;
hijacking an operating system fingerprint access instruction and accessing the disguised operating system fingerprint file, where the operating system fingerprint access instruction is an operating system fingerprint open instruction or an operating system fingerprint read instruction;
outputting the system pseudo-fingerprint as the access result of the operating system fingerprint access instruction.
2. The method according to claim 1, characterized in that the honeypot system is deployed in a virtual execution environment, and the virtual execution environment is a virtual machine or an open-source container.
3. The method according to claim 1, characterized in that:
when the operating system fingerprint access instruction is an open instruction, hijacking the operating system fingerprint access instruction and accessing the disguised operating system fingerprint file includes:
hijacking the open function in the system call table and replacing its address with the address of a custom function, where the open object of the open function is an operating system fingerprint related file;
invoking the custom function in response to the operating system fingerprint access instruction;
executing the custom function so that the open object is redirected to the disguised operating system fingerprint file;
executing the open function.
4. The method according to claim 1, characterized in that when the operating system fingerprint access instruction is an operating system fingerprint read instruction, hijacking the operating system fingerprint access instruction and accessing the disguised operating system fingerprint file includes:
hijacking the read function in the system call table and replacing its address with the address of a custom function, where the read object of the read function is an operating system fingerprint related file;
invoking the custom function in response to the operating system fingerprint access instruction;
executing the custom function so that the read object is redirected to the disguised operating system fingerprint file;
executing the read function.
5. The method according to claim 3 or 4, characterized in that:
before hijacking the operating system fingerprint access instruction and accessing the disguised operating system fingerprint file, the method further includes a hijack preparation step, which includes:
obtaining the address of the system call table;
disabling the read-only protection of the system call table.
6. The method according to claim 5, characterized in that:
after hijacking the operating system fingerprint access instruction and accessing the disguised operating system fingerprint file, the method further includes a hijack recovery step, which includes:
restoring the address of the open function or of the read function in the system call table;
restoring the read-only protection of the system call table.
7. A honeypot operating system fingerprint hiding device, characterized in that the device includes:
a system pseudo-fingerprint construction module, for constructing a system pseudo-fingerprint and generating a disguised operating system fingerprint file from the system pseudo-fingerprint, where the system pseudo-fingerprint is the operating system fingerprint of a physical machine;
an operating system fingerprint access instruction hijacking module, for hijacking an operating system fingerprint access instruction and accessing the disguised operating system fingerprint file, where the operating system fingerprint access instruction is an operating system fingerprint open instruction or an operating system fingerprint read instruction;
an output module, for outputting the system pseudo-fingerprint as the access result of the operating system fingerprint access instruction.
8. The device according to claim 7, characterized in that the operating system fingerprint access instruction hijacking module includes:
a first hijacking unit, for hijacking the open function in the system call table and replacing its address with the address of a custom function, where the open object of the open function is an operating system fingerprint related file;
a first custom function opening unit, for invoking the custom function in response to the operating system fingerprint access instruction;
a first redirection unit, for executing the custom function so that the open object is redirected to the disguised operating system fingerprint file;
a first execution unit, for executing the open function.
9. The device according to claim 7, characterized in that the operating system fingerprint access instruction hijacking module includes:
a second hijacking unit, for hijacking the read function in the system call table and replacing its address with the address of a custom function, where the read object of the read function is an operating system fingerprint related file;
a second custom function opening unit, for invoking the custom function in response to the operating system fingerprint access instruction;
a second redirection unit, for executing the custom function so that the read object is redirected to the disguised operating system fingerprint file;
a second execution unit, for executing the read function.
10. The device according to claim 7, characterized in that it further includes:
a hijack preparation module, for obtaining the address of the system call table and disabling the read-only protection of the system call table;
a hijack recovery module, for restoring the address of the open function or of the read function in the system call table and restoring the read-only protection of the system call table.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910187849.7A CN110198300B (en) | 2019-03-13 | 2019-03-13 | Honeypot operating system fingerprint hiding method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110198300A true CN110198300A (en) | 2019-09-03 |
CN110198300B CN110198300B (en) | 2022-01-14 |
Family
ID=67751812
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910187849.7A Active CN110198300B (en) | 2019-03-13 | 2019-03-13 | Honeypot operating system fingerprint hiding method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110198300B (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112688932A (en) * | 2020-12-21 | 2021-04-20 | 杭州迪普科技股份有限公司 | Honeypot generation method, honeypot generation device, honeypot generation equipment and computer readable storage medium |
CN113079157A (en) * | 2021-03-31 | 2021-07-06 | 广州锦行网络科技有限公司 | Method and device for acquiring network attacker position and electronic equipment |
CN114553529A (en) * | 2022-02-22 | 2022-05-27 | 深信服科技股份有限公司 | Data processing method, device, network equipment and storage medium |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8856928B1 (en) * | 2012-06-28 | 2014-10-07 | Emc Corporation | Protecting electronic assets using false profiles in social networks |
CN104598824A (en) * | 2015-01-28 | 2015-05-06 | 国家计算机网络与信息安全管理中心 | Method and device for detecting malicious programs |
CN106850690A (en) * | 2017-03-30 | 2017-06-13 | 国家电网公司 | A kind of honey jar building method and system |
CN107517226A (en) * | 2017-09-30 | 2017-12-26 | 北京奇虎科技有限公司 | Alarm method and device based on wireless network invasion |
CN107566401A (en) * | 2017-09-30 | 2018-01-09 | 北京奇虎科技有限公司 | The means of defence and device of virtualized environment |
CN107579997A (en) * | 2017-09-30 | 2018-01-12 | 北京奇虎科技有限公司 | Wireless network intrusion detection system |
US20180262529A1 (en) * | 2015-12-28 | 2018-09-13 | Amazon Technologies, Inc. | Honeypot computing services that include simulated computing resources |
CN109460671A (en) * | 2018-10-21 | 2019-03-12 | 北京亚鸿世纪科技发展有限公司 | A method of realizing that web page contents are anti-tamper based on operating system nucleus |
Also Published As
Publication number | Publication date |
---|---|
CN110198300B (en) | 2022-01-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Zhang et al. | An IoT honeynet based on multiport honeypots for capturing IoT attacks | |
CN104885092B (en) | Security system and method for operating system | |
US9253208B1 (en) | System and method for automated phishing detection rule evolution | |
US12058148B2 (en) | Distributed threat sensor analysis and correlation | |
CN101610264B (en) | Firewall system, safety service platform and firewall system management method | |
US11489853B2 (en) | Distributed threat sensor data aggregation and data export | |
CN110391937B (en) | Internet of things honey net system based on SOAP service simulation | |
US12039048B2 (en) | System and method for automatic generation of malware detection traps | |
CN110198300A (en) | A kind of honey jar operation system fingerprint concealment method and device | |
CN102549559A (en) | Virtual object indirection in a hosted computer environment | |
CN110334512A (en) | The staticametric method and apparatus of credible calculating platform based on binary system structure | |
CN109074454A (en) | Malware is grouped automatically based on artefact | |
US20210344726A1 (en) | Threat sensor deployment and management | |
CN114679292B (en) | Honeypot identification method, device, equipment and medium based on network space mapping | |
CN107682312A (en) | A kind of security protection system and method | |
Luntovskyy et al. | Cryptographic technology blockchain and its applications | |
CN114531258B (en) | Network attack behavior processing method and device, storage medium and electronic equipment | |
CN116866076A (en) | Network honey pot identification method, device, equipment and storage medium | |
CN116346430A (en) | Network threat management system based on high-interactivity honeypot | |
CN109145638A (en) | A kind of method and device being obtained from loading module function | |
D’souza et al. | Blockchain and AI in pharmaceutical supply chain | |
CN108737373A (en) | A kind of security forensics method for catenet equipment concealment techniques | |
Ovasapyan et al. | Detection of attacks on the Internet of Things based on intelligent analysis of devices functioning indicators | |
Adamczyk et al. | Dataset Generation Framework for Evaluation of IoT Linux Host–Based Intrusion Detection Systems | |
Godtliebsen | Product Tracing in the Norwegian Fishing Industry Supply Chain Utilizing GoQuorum Blockchain and Smart Contracts |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right | Effective date of registration: 2023-09-25. Patentee before: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd., Tencent Building, No. 1 High-tech Zone, Nanshan District, Shenzhen City, Guangdong Province, 518057, 35 floors. Patentees after: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd. and TENCENT CLOUD COMPUTING (BEIJING) Co.,Ltd., same address. |