CN110198300B - Honeypot operating system fingerprint hiding method and device - Google Patents


Info

Publication number: CN110198300B
Application number: CN201910187849.7A
Authority: CN (China)
Legal status: Active (Google's assumption, not a legal conclusion)
Other versions: CN110198300A (en)
Other languages: Chinese (zh)
Inventor: 贺家成
Current assignee: Tencent Technology Shenzhen Co Ltd; Tencent Cloud Computing Beijing Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Prior art keywords: operating system, fingerprint, system fingerprint, function, honeypot
History: application filed by Tencent Technology Shenzhen Co Ltd with priority to CN201910187849.7A; published as CN110198300A; granted and published as CN110198300B.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Signal Processing (AREA)
  • Virology (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Collating Specific Patterns (AREA)
  • Measurement Of The Respiration, Hearing Ability, Form, And Blood Characteristics Of Living Organisms (AREA)

Abstract

The invention discloses a method and device for concealing the operating system fingerprint of a honeypot. The method comprises: constructing a pseudo system fingerprint and generating a pseudo operating system fingerprint file from it, where the pseudo fingerprint is the operating system fingerprint of a physical machine; hijacking an operating system fingerprint access instruction, which is either an instruction to open or an instruction to read the fingerprint, and accessing the disguised fingerprint file instead; and returning the pseudo system fingerprint as the result of the access instruction. The method forges the fingerprint of a normal physical host, defeats the conventional checks used to detect virtualized honeypots, and improves the concealment of such honeypots; at the same time a virtualized honeypot acquires, at low cost, the basic system characteristics of a physical-machine honeypot, which indirectly addresses the high cost and management difficulty of physical-machine honeypots in practice.

Description

Honeypot operating system fingerprint hiding method and device
Technical Field
The invention relates to the field of security defence, and in particular to a method and device for concealing the operating system fingerprint of a honeypot.
Background
Honeypot technology is a deception technique: hosts, network services or information are deployed as decoys to lure attackers into attacking them, so that the attack can be captured and analysed. As shown in FIG. 1, a honeypot attracts attackers, and the tools and methods they use are then studied to infer their intentions and motivations.
In the prior art, honeypots are deployed mainly in two ways:
The first is the virtualized honeypot. Honeypots are deployed and managed on virtual machines or open-source containers; this is simple to operate, convenient to use and therefore widely adopted. Precisely because it is so common, attackers are sensitive to it: once they find that a target runs inside a virtual machine or container, they can probe further to determine whether it is a honeypot and may abandon the attack.
The second is the physical-machine honeypot. The honeypot is deployed directly on a physical machine, so its environment is the closest possible to a real machine and its concealment is high; but deployment and management are inconvenient and the cost is high, so it is less widely used.
Disclosure of Invention
The invention provides a honeypot operating system fingerprint concealing method and device.
In one aspect, the invention provides a honeypot operating system fingerprint concealing method comprising:
constructing a pseudo system fingerprint and generating a pseudo operating system fingerprint file from it, where the pseudo system fingerprint is an operating system fingerprint of a physical machine;
hijacking an operating system fingerprint access instruction and accessing the disguised operating system fingerprint file instead, where the access instruction is either an operating system fingerprint open instruction or an operating system fingerprint read instruction;
and outputting the pseudo system fingerprint as the result of the access instruction.
In another aspect, a honeypot operating system fingerprint concealing apparatus is provided, comprising:
a pseudo system fingerprint construction module, for constructing a pseudo system fingerprint and generating a pseudo operating system fingerprint file from it, where the pseudo system fingerprint is an operating system fingerprint of a physical machine;
an operating system fingerprint access instruction hijacking module, for hijacking an operating system fingerprint access instruction and accessing the disguised operating system fingerprint file instead, where the access instruction is either an operating system fingerprint open instruction or an operating system fingerprint read instruction;
and an output module, for outputting the pseudo system fingerprint as the result of the access instruction.
With the method and device, the normal host fingerprint of a physical machine is forged, conventional detection of virtualized honeypots is defeated, and the concealment of a virtualized honeypot is improved; at the same time the virtualized honeypot acquires, at low cost, the basic system characteristics of a physical-machine honeypot, indirectly solving the high cost and difficult management of physical-machine honeypots in practice.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions and advantages of the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a schematic diagram of a honeypot system provided by the present invention;
FIG. 2 is a schematic diagram of the operating system fingerprint of honeypots deployed in VMware virtual machines of CentOS6.5 provided by the present invention;
FIG. 3 is a schematic diagram of the operating system fingerprint of a honeypot deployed in a docker virtualization device of ubuntu14.01 according to the present invention;
FIG. 4 is a flowchart of a method for concealing fingerprints in a honeypot operating system according to the present invention;
FIG. 5 is a schematic diagram of operating system fingerprints of honeypots deployed in VMware virtual machines of CentOS6.5 and output after hijacking disguise according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of operating system fingerprints of honeypots deployed in docker virtualization devices of ubuntu14.01 and output after hijacking masquerading according to an embodiment of the present invention;
FIG. 7 is a flowchart, provided by the invention, of hijacking the operating system fingerprint access instruction and accessing the disguised operating system fingerprint file when the instruction is an open instruction;
FIG. 8 is a flow chart of normally acquiring operating system fingerprints as provided by the present invention;
FIG. 9 is a flowchart of obtaining an operating system fingerprint under hijacking in an embodiment of the present invention;
FIG. 10 is a schematic diagram of the hijacking provided by the present invention;
FIG. 11 is a flowchart, provided by the invention, of hijacking the operating system fingerprint access instruction and accessing the disguised operating system fingerprint file when the instruction is an operating system fingerprint read instruction;
FIG. 12 is a schematic diagram of a honeypot deployment scenario provided by the present invention;
FIG. 13 is a schematic diagram of a captured attack source map provided by the present invention for a high-concealment honeypot deployed using an embodiment of the present invention;
FIG. 14 is a block diagram of a honeypot operating system fingerprint concealing apparatus provided by the present invention;
FIG. 15 is a block diagram of an operating system fingerprint access instruction hijacking module provided by the present invention;
FIG. 16 is a block diagram of another operating system fingerprint access instruction hijacking module provided by the present invention;
FIG. 17 is a hardware structural diagram of an apparatus for implementing the method provided by an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
To reduce deployment cost, embodiments of the invention deploy honeypots on virtual machines or open-source containers and conceal the honeypot's real running environment from the outside by modifying its operating system fingerprint, so that attackers find it hard to recognise the honeypot and are less likely to abandon the attack. Specifically, an embodiment provides a method for concealing the operating system fingerprint of a honeypot that runs in a virtual environment, where the virtual environment is a virtual machine or an open-source container.
In one possible implementation the honeypot is deployed in a virtual machine, for example on CentOS 6.5 inside a VMware virtual machine. VMware is a leading provider of virtual machine solutions; CentOS (Community Enterprise Operating System) is a Linux distribution rebuilt from the source code that Red Hat releases for Red Hat Enterprise Linux, and is fully open source.
FIG. 2 shows the operating system fingerprint of a honeypot deployed on CentOS 6.5 in a VMware virtual machine. If an attacker probes the environment with cat /proc/scsi/scsi, the fingerprint of the VMware virtual machine in which the target runs is displayed directly, revealing that the target is in a virtual environment; the attacker may then suspect a honeypot and abandon the attack, and the honeypot has failed.
In another possible implementation the honeypot is deployed in an open-source container, for example a docker container running on Ubuntu 14.01. Ubuntu is an open-source, desktop-oriented operating system created by a global development team. Docker is an open-source application container engine that lets developers package an application together with its dependencies into a portable container and then run that container on any popular Linux machine, which achieves virtualization; containers are isolated from one another.
FIG. 3 shows the operating system fingerprint of a honeypot deployed in a docker container on Ubuntu 14.01. If the attacker probes the environment with cat /proc/1/cgroup, the fingerprint of the docker container in which the target runs is displayed directly, revealing that the target is in a virtual environment; again the attacker may suspect a honeypot and abandon the attack, and the honeypot has failed.
To avoid this failure, an embodiment of the invention provides a honeypot operating system fingerprint concealing method that disguises the fingerprint; as shown in FIG. 4, the method includes:
S101, constructing a pseudo system fingerprint and generating a pseudo operating system fingerprint file from it, where the pseudo fingerprint is an operating system fingerprint of a physical machine.
S103, hijacking an operating system fingerprint access instruction and accessing the disguised operating system fingerprint file instead, where the access instruction is an open instruction or a read instruction targeting the operating system fingerprint.
S105, outputting the pseudo system fingerprint as the result of the access instruction.
FIG. 5, which corresponds to FIG. 2, shows the operating system fingerprint output by a honeypot deployed on CentOS 6.5 in a VMware virtual machine after hijacking and disguise according to an embodiment of the invention. The same probe, cat /proc/scsi/scsi, is used, but the output is now the pseudo system fingerprint, so the honeypot's running environment appears to be a physical machine.
FIG. 6, which corresponds to FIG. 3, shows the operating system fingerprint output by a honeypot deployed in a docker container on Ubuntu 14.01 after hijacking and disguise according to an embodiment of the invention. Again the probe cat /proc/1/cgroup is used, and the output is the pseudo system fingerprint, so the running environment appears to be a physical machine.
The method therefore modifies the honeypot's operating system fingerprint and gives the honeypot high concealment, preventing the situation in which an attacker recognises the honeypot in advance, stops the attack, and the honeypot captures nothing.
In a particular embodiment the concealment method is implemented as an LKM (Linux kernel module). An LKM is a loadable kernel module through which the Linux kernel extends its functionality; it can be loaded at run time without rebuilding the whole kernel. The pseudo system fingerprint can therefore be constructed, the fingerprint access instruction hijacked, and the pseudo fingerprint returned as the access result, all from within a kernel module.
In a specific embodiment, if the access instruction is an open instruction, hijacking it and accessing the disguised fingerprint file proceeds as shown in FIG. 7:
S1031, hijack the open function in the system call table by replacing its address with the address of a custom function; the object opened by the open function is the operating-system-fingerprint-related file.
Specifically, the open function is hijacked with a hook.
A hook intercepts a particular system event or call: when the event occurs, the program that installed the hook is notified first and can handle the event before the normal handler runs. The hook function thus gains control first, which completes the hijacking.
Concretely, hijacking is completed by replacing the address of the open function in the system call table with the address of the custom function; the macro that performs the replacement may be:
#define HOOK_SCT(sct, name)                          \
    do {                                             \
        real_##name = (void *)(sct)[__NR_##name];    \
        (sct)[__NR_##name] = (void *)fake_##name;    \
    } while (0)
The custom function receives the open parameters, replaces the filename parameter (the file to be opened) with the path of the disguised operating system fingerprint file, which in this embodiment is 2.txt, and then hands the modified filename to the original open function for further processing.
The code of the custom function may be:
[Code listing of the custom function, rendered in the original as images BDA0001993435590000061 and BDA0001993435590000071; the listing is not reproduced on this page.]
S1032, in response to the operating system fingerprint access instruction, the custom function is entered.
S1033, the custom function executes and redirects the open object to the disguised operating system fingerprint file.
S1034, the original open function executes.
Taking the acquisition of an operating system fingerprint under the LKM approach as an example, FIG. 8 shows the normal process: an exec command issues the instruction to acquire the fingerprint, the system open function is called to open the fingerprint-related file, the file is read, and its content is output.
By contrast, FIG. 9 shows the process under hijacking in an embodiment of the invention: an exec command issues the instruction to acquire the fingerprint, the instruction is hijacked and the custom function is entered, the custom function redirects the open object to the disguised fingerprint file, that file is read, and its content is output.
FIG. 10 shows the state after hijacking. The access instruction for /proc/1/cgroup has been hijacked, and the output is forged as the content of 2.txt, i.e. the pseudo system fingerprint.
In other possible embodiments, if the access instruction is an operating system fingerprint read instruction, hijacking it and accessing the disguised fingerprint file proceeds as shown in FIG. 11:
S10310, hijack the read function in the system call table by replacing its address with the address of a custom function; the object read by the read function is the operating-system-fingerprint-related file.
S10320, in response to the access instruction, the custom function is entered.
S10330, the custom function executes and redirects the read object to the disguised operating system fingerprint file.
S10340, the original read function executes.
In a preferred embodiment, before hijacking the access instruction and accessing the disguised fingerprint file, the method further includes a hijacking preparation step comprising:
S10301, obtaining the address of the system call table.
The relevant code may be:
[Code listing rendered in the original as image BDA0001993435590000081; not reproduced on this page.]
S10302, disabling the read-only protection of the system call table so that it can be written.
The relevant code may be:
[Code listing rendered in the original as images BDA0001993435590000082 and BDA0001993435590000091; not reproduced on this page.]
Correspondingly, after the access instruction has been hijacked and the disguised fingerprint file accessed, the method further includes a hijacking recovery step comprising:
S1035, restoring the address of the open function or of the read function in the system call table.
The relevant code may be (the sct parameter is the address of the system call table and name is the name of the hooked function, e.g. open):
#define UNHOOK_SCT(sct, name) \
    ((sct)[__NR_##name] = (void *)real_##name)
S1036, restoring the read-only protection of the system call table.
The relevant code may be:
[Code listing rendered in the original as image BDA0001993435590000092; not reproduced on this page.]
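The hook, redirect and restore steps above (S1031 through S1036), together with the attacker-side probes from the CentOS/VMware and Ubuntu/docker examples (cat /proc/scsi/scsi, cat /proc/1/cgroup), as an added example that is not the patent's code: a user-space C simulation in which a stand-in sys_call_table, stand-in open/read implementations and an in-memory filesystem replace the kernel, so the redirect logic can be compiled and exercised anywhere. The sample file contents, the masquerade paths /var/lib/.scsi_fake and /var/lib/.cgroup_fake (standing in for the patent's 2.txt), and all function names are assumptions made for this example; the patent's own listings are the image placeholders above and are not reproduced.

```c
/* Added example, not the patent's code: a user-space simulation of the
 * syscall-table hook. sys_call_table, open and read are stand-ins; the file
 * contents and masquerade paths are constructed for this example. */
#include <stddef.h>
#include <string.h>

/* Constructed contents of the two files the text names as detection targets,
 * plus the pseudo (physical-machine) versions generated in step S101. */
static const char SCSI_VMWARE[] =
    "Attached devices:\n"
    "Host: scsi2 Channel: 00 Id: 00 Lun: 00\n"
    "  Vendor: VMware   Model: Virtual disk     Rev: 1.0\n";
static const char SCSI_PHYSICAL[] =
    "Attached devices:\n"
    "Host: scsi0 Channel: 00 Id: 00 Lun: 00\n"
    "  Vendor: ATA      Model: ST1000DM003-1CH1 Rev: CC47\n";
static const char CGROUP_DOCKER[]   = "1:name=systemd:/docker/0123456789abcdef\n";
static const char CGROUP_PHYSICAL[] = "1:name=systemd:/\n";

/* Simulated filesystem (patent's masquerade file is 2.txt; paths here are assumed). */
struct vfile { const char *path; const char *data; };
static const struct vfile fs[] = {
    { "/proc/scsi/scsi",       SCSI_VMWARE },
    { "/proc/1/cgroup",        CGROUP_DOCKER },
    { "/var/lib/.scsi_fake",   SCSI_PHYSICAL },
    { "/var/lib/.cgroup_fake", CGROUP_PHYSICAL },
};
#define NFILES (sizeof fs / sizeof fs[0])

/* Stand-in for the kernel's sys_call_table: slot index = syscall number. */
#define __NR_read 0
#define __NR_open 2
static void *sys_call_table[4];

typedef long (*open_fn)(const char *path, int flags);
typedef long (*read_fn)(long fd, char *buf, size_t n);

/* "Real" syscalls: open returns an index into fs, read copies the data out. */
static long sys_open_impl(const char *path, int flags) {
    (void)flags;
    for (size_t i = 0; i < NFILES; i++)
        if (strcmp(fs[i].path, path) == 0) return (long)i;
    return -2; /* -ENOENT */
}
static long sys_read_impl(long fd, char *buf, size_t n) {
    if (fd < 0 || (size_t)fd >= NFILES) return -9; /* -EBADF */
    size_t len = strlen(fs[fd].data);
    if (len > n) len = n;
    memcpy(buf, fs[fd].data, len);
    return (long)len;
}

/* The patent's hook/unhook macros (S1031, S1035) with the line continuations
 * and the __NR_ prefix restored; real_<name> holds the saved original pointer. */
#define HOOK_SCT(sct, name)                              \
    do {                                                 \
        real_##name = (name##_fn)(sct)[__NR_##name];     \
        (sct)[__NR_##name] = (void *)fake_##name;        \
    } while (0)
#define UNHOOK_SCT(sct, name) ((sct)[__NR_##name] = (void *)real_##name)

static open_fn real_open;

/* S1032-S1034: the custom function rewrites only the filename and then calls
 * the original open, so fd allocation and permission checks are unchanged. */
static long fake_open(const char *path, int flags) {
    const char *target = path;
    if (strcmp(path, "/proc/scsi/scsi") == 0)     target = "/var/lib/.scsi_fake";
    else if (strcmp(path, "/proc/1/cgroup") == 0) target = "/var/lib/.cgroup_fake";
    return real_open(target, flags);
}

void table_init(void) {
    sys_call_table[__NR_open] = (void *)sys_open_impl;
    sys_call_table[__NR_read] = (void *)sys_read_impl;
}
void hook_install(void) { HOOK_SCT(sys_call_table, open); }
void hook_remove(void)  { UNHOOK_SCT(sys_call_table, open); }

/* What `cat <path>` does, dispatched through the (possibly hooked) table. */
long cat_file(const char *path, char *buf, size_t n) {
    open_fn o = (open_fn)sys_call_table[__NR_open];
    read_fn r = (read_fn)sys_call_table[__NR_read];
    long fd = o(path, 0);
    if (fd < 0) return fd;
    long len = r(fd, buf, n - 1);
    if (len < 0) return len;
    buf[len] = '\0';
    return len;
}

/* Does the file, as read through the table, contain the given marker? */
int fingerprint_contains(const char *path, const char *needle) {
    char buf[256];
    if (cat_file(path, buf, sizeof buf) < 0) return 0;
    return strstr(buf, needle) != NULL;
}

/* The attacker's check from the text: does either file reveal VMware or docker? */
int honeypot_looks_virtual(void) {
    return fingerprint_contains("/proc/scsi/scsi", "VMware") ||
           fingerprint_contains("/proc/1/cgroup", "/docker/");
}
```

Call table_init(), then honeypot_looks_virtual() returns 1; after hook_install() it returns 0 because the probes now read the pseudo files, and after hook_remove() it returns 1 again. Two things the simulation cannot show matter in a real module. First, the preparation and recovery steps (S10301, S10302, S1036) are kernel-specific: the table address has to be located (kallsyms_lookup_name, which is no longer exported to modules since Linux 5.7) and its write protection lifted, and recent kernels pin CR0.WP so that simply clearing the bit is no longer enough. Second, an exact-path strcmp on the open syscall is a narrow disguise: cat on a current glibc system issues openat rather than open, the same content is reachable as /proc/self/cgroup or via a relative path, and attackers also check /sys/class/dmi/id/*, the hypervisor flag in /proc/cpuinfo, /.dockerenv, the MAC address OUI, and the loaded-module list in which the hooking LKM itself appears. A production deployment has to hook the whole family of path-taking syscalls, normalise the path before comparing, and hide the module.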
Embodiments of the invention thus disclose a specific scheme for concealing the operating system fingerprint by hijacking: the fingerprint of a normal physical host is forged, conventional detection of virtualized honeypots is defeated, and the concealment of the virtualized honeypot is improved; at the same time the virtualized honeypot acquires, at low cost, the basic system characteristics of a physical-machine honeypot, indirectly solving the high cost and difficult management of physical-machine honeypots in practice.
Further, an embodiment of the invention provides a honeypot deployment scheme in which several honeypot systems run behind one network interface, so that the whole system is easier to maintain. The honeypot programs are packaged in docker containers and concealed with the method described above. This environment isolates the honeypots well and makes them easier to update; the docker host itself can in turn be installed in a VMware virtual machine, so that the honeypots run under two layers of virtualization, docker and VMware.
As shown in FIG. 12, the deployment integrates the docker environments of multiple honeypots; the honeypots generate attack monitoring logs, which an upstream log management host collects, aggregates and visualises.
The bottom layer is a set of docker honeypots consisting of:
Conpot: a low-interaction industrial control honeypot that provides a range of common industrial control protocols and can simulate complex industrial control infrastructure.
Cowrie: a medium-interaction SSH honeypot derived from Kippo. It records brute-force login attempts (usernames and passwords), provides a fake file system in which the attacker's shell activity is recorded, and stores files downloaded with wget/curl or uploaded via SFTP. Kippo is a medium-interaction SSH honeypot that lets an attacker log in over SSH and run some common commands. SSH (Secure Shell) is a general-purpose, software-based network security protocol: data a computer sends over an SSH connection is encrypted automatically and decrypted transparently at the destination.
After compromising one server, an attacker is likely to perform small-scale port probing or bulk port scanning in order to move laterally and take control of more servers. An SSH honeypot deployed on the intranet lures the attacker in and raises a real-time alert, so that security staff learn promptly that the attacker has penetrated the intranet, which server is under the attacker's control, and what the attacker did on the honeypot.
SFTP (SSH File Transfer Protocol, also expanded as Secure File Transfer Protocol) provides encrypted file transfer and is part of SSH.
Dionaea: an application that runs on Linux, opens the default ports of common Internet services, answers incoming connections by emulating the normal service, and records the inbound and outbound network traffic. A detection module classifies the traffic, and if it contains code that exploits a software vulnerability, the payload is executed in emulation.
Elasticpot: a honeypot that simulates the Elasticsearch RCE vulnerability; through fake handlers it answers requests to /_search and /_nodes with the JSON messages a vulnerable instance would return. JSON (JavaScript Object Notation) is a lightweight, language-independent text format for storing and exchanging data; its compact, clear hierarchy makes it easy for people to read and write and for machines to parse and generate, which improves network transmission efficiency.
Emobility: a high-interaction honeypot container aimed at collecting the motives and methods of attacks against next-generation transportation infrastructure. The Emobility honeynet consists of a central charging system and several charging points, and simulates user transactions. Once an attacker reaches the web interface of the central control system, running charging transactions can be monitored and manipulated and the attacker can interact with a charging point; in addition, at random times a simulated user charges a vehicle, which the attacker may also interact with.
Glastopf: a low-interaction web application honeypot that emulates thousands of web vulnerabilities, answers according to the attack technique used, and collects data while the target web application is attacked. It achieves low interaction by classifying exploitation patterns and returning a plausible result for each class, which is aimed at automated vulnerability scanning and exploitation tools.
Honeytrap: observes attacks on TCP or UDP services, emulates some known services as a daemon, parses attack strings and executes the download instructions found in them. TCP (Transmission Control Protocol) is a connection-oriented, reliable, byte-stream transport layer protocol. UDP (User Datagram Protocol) is a connectionless transport layer protocol in the OSI reference model that provides a simple, transaction-oriented, unreliable message delivery service.
FIG. 13 shows the map of attack sources captured by a high-concealment honeypot deployed according to an embodiment of the invention. Combining several high-concealment honeypots yielded good attack-capture results, which the embodiment presents as evidence that the concealment method is effective.
Further, an embodiment of the present invention further provides a honeypot operating system fingerprint concealing apparatus, as shown in fig. 14, the apparatus includes:
the system pseudo fingerprint construction module 201 is configured to construct a system pseudo fingerprint, and generate a pseudo operating system fingerprint file according to the system pseudo fingerprint, where the system pseudo fingerprint belongs to a physical machine operating system fingerprint;
an operating system fingerprint access instruction hijacking module 202, configured to hijack an operating system fingerprint access instruction and access the disguised operating system fingerprint file, where the operating system fingerprint access instruction includes an operating system fingerprint open instruction or an operating system fingerprint read instruction;
and the output module 203 is configured to output the system pseudo fingerprint as an access result of the operating system fingerprint access instruction.
a hijack preparation module 204, configured to acquire the address of the system call table and close the read-only protection of the system call table (the hijacking preparation step of the method described below);
a hijack recovery module 205, configured to restore the address of the open function or the address of the read function in the system call table, and to restore the read-only protection of the system call table.
As shown in fig. 15, the operating system fingerprint access instruction hijacking module 202 may include:
a first hijack unit 2021, configured to hijack the open function in the system call table and modify the address of the open function into the address of a custom function, where the open object of the open function is an operating system fingerprint-related file;
a first custom function opening unit 2023, configured to invoke the custom function in response to the operating system fingerprint access instruction;
a first redirection unit 2025, configured to execute the custom function so that the open object is redirected to the disguised operating system fingerprint file;
a first execution unit 2027, configured to execute the open function.
As shown in fig. 16, the operating system fingerprint access instruction hijacking module 202 may further include:
a second hijack unit 2022, configured to hijack the read function in the system call table and modify the address of the read function into the address of a custom function, where the read object of the read function is an operating system fingerprint-related file;
a second custom function opening unit 2024, configured to invoke the custom function in response to the operating system fingerprint access instruction;
a second redirection unit 2026, configured to execute the custom function so that the read object is redirected to the disguised operating system fingerprint file;
a second execution unit 2028, configured to execute the read function.
Based on the same inventive concept, the embodiment of the invention provides both the honeypot operating system fingerprint concealment method and the corresponding apparatus.
The embodiment of the present invention further provides a computer storage medium. The computer storage medium may store a plurality of instructions that are suitable for being loaded by a processor and executed to perform the steps of the method for concealing the fingerprint of a honeypot operating system according to the embodiment of the present invention. The specific execution process may refer to the detailed description of the method embodiments, and specifically includes:
constructing a system pseudo fingerprint, and generating a pseudo operating system fingerprint file according to the system pseudo fingerprint, wherein the system pseudo fingerprint belongs to a physical machine operating system fingerprint;
hijacking an operating system fingerprint access instruction and accessing the disguised operating system fingerprint file, wherein the operating system fingerprint access instruction comprises an operating system fingerprint opening instruction or an operating system fingerprint reading instruction;
and outputting the system pseudo fingerprint as an access result of the operating system fingerprint access instruction.
Specifically, the honeypot system is deployed in a virtual operating environment, and the virtual operating environment comprises a virtual machine or an open source container.
Preferably, if the operating system fingerprint access instruction is an operating system fingerprint open instruction, hijacking the operating system fingerprint access instruction and accessing the disguised operating system fingerprint file includes:
hijacking the open function in the system call table, and modifying the address of the open function into the address of a custom function, where the open object of the open function is an operating system fingerprint-related file;
invoking the custom function in response to the operating system fingerprint access instruction;
executing the custom function so that the open object is redirected to the disguised operating system fingerprint file;
executing the open function.
Preferably, if the operating system fingerprint access instruction is an operating system fingerprint read instruction, hijacking the operating system fingerprint access instruction and accessing the disguised operating system fingerprint file includes:
hijacking the read function in the system call table, and modifying the address of the read function into the address of a custom function, where the read object of the read function is an operating system fingerprint-related file;
invoking the custom function in response to the operating system fingerprint access instruction;
executing the custom function so that the read object is redirected to the disguised operating system fingerprint file;
executing the read function.
Preferably, before hijacking the operating system fingerprint access instruction and accessing the disguised operating system fingerprint file, the method further includes a hijacking preparation step, where the hijacking preparation includes:
acquiring the address of the system call table;
closing the read-only protection of the system call table.
Preferably, after the hijacked operating system fingerprint access instruction has accessed the disguised operating system fingerprint file, the method further includes a hijacking recovery step, where the hijacking recovery includes:
restoring the address of the open function or the address of the read function in the system call table;
restoring the read-only protection of the system call table.
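The open-hijack procedure described by modules 2021 to 2027 above and by the method steps just listed, as an added example that is not the patent's code: a user-space model in C in which the system call table is one mmap'd page of function pointers, its read-only protection is mprotect(), and the fingerprint-related paths (/proc/cgroups, /proc/scsi/scsi), the disguised file path and all file contents are constructed assumptions.

```c
/* Added example, not the patent's code: a user-space model of the open-hijack
 * procedure. The patent patches the kernel's sys_call_table; here the "table" is one
 * mmap'd page of function pointers and its read-only protection is mprotect(). */
#define _DEFAULT_SOURCE
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#define DISGUISED_FILE "/honeypot/physical_fingerprint"   /* assumed path */

/* Constructed in-memory stand-ins for the files a fingerprinting tool would read. */
struct fake_file { const char *path; const char *content; };
static const struct fake_file files[] = {
    { "/proc/cgroups", "cpuset\t0\t1\t1\n" },            /* the container's own view */
    { "/etc/hostname", "honeypot-ct\n" },                /* not fingerprint-related */
    { DISGUISED_FILE,  "cpuset\t4\t102\t1\ncpuacct\t3\t102\t1\ndevices\t5\t102\t1\n"
                       "freezer\t6\t102\t1\nnet_cls\t7\t102\t1\nperf_event\t8\t102\t1\n" },
};
#define NFILES (sizeof files / sizeof files[0])

typedef int     (*open_fn)(const char *path);
typedef ssize_t (*read_fn)(int fd, char *buf, size_t len);
struct syscall_table { open_fn open; read_fn read; };
static struct syscall_table *sct;  /* stands in for the kernel's system call table */
static open_fn orig_open;          /* saved so that hijack recovery can restore it */
static size_t page_size;
static int real_open(const char *path) {                   /* stand-in for sys_open */
    for (size_t i = 0; i < NFILES; i++) if (strcmp(files[i].path, path) == 0) return (int)i;
    return -1;
}
static ssize_t real_read(int fd, char *buf, size_t len) {  /* stand-in for sys_read */
    if (fd < 0 || (size_t)fd >= NFILES || len == 0) return -1;
    size_t n = strlen(files[fd].content);
    if (n >= len) n = len - 1;
    memcpy(buf, files[fd].content, n); buf[n] = '\0';
    return (ssize_t)n;
}
/* Only operating-system-fingerprint-related files are redirected. */
static int is_fingerprint_file(const char *path) {
    return strcmp(path, "/proc/cgroups") == 0 || strcmp(path, "/proc/scsi/scsi") == 0;
}
/* The custom function whose address replaces open's entry: redirect the open
 * object to the disguised fingerprint file, then execute the original open. */
static int hijacked_open(const char *path) {
    if (is_fingerprint_file(path)) path = DISGUISED_FILE;
    return orig_open(path);
}
/* Read-only protection of the table: closed before patching, restored after. */
static int set_table_protection(int prot) {
    return sct ? mprotect(sct, page_size, prot) : -1;
}
/* Build the table on its own page and make it read-only, as the kernel's is. */
int sct_init(void) {
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    sct = mmap(NULL, page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (sct == MAP_FAILED) { sct = NULL; return -1; }
    sct->open = real_open; sct->read = real_read;
    return set_table_protection(PROT_READ);
}
/* Hijack preparation (close read-only protection), patch the open entry, then
 * re-protect the table; the patent defers re-protection to the recovery step. */
int hijack_install(void) {
    if (sct && sct->open == hijacked_open) return 0;       /* already installed */
    if (set_table_protection(PROT_READ | PROT_WRITE) != 0) return -1;
    orig_open = sct->open;
    sct->open = hijacked_open;
    return set_table_protection(PROT_READ);
}
/* Hijack recovery: restore the original open address and the read-only protection. */
int hijack_recover(void) {
    if (set_table_protection(PROT_READ | PROT_WRITE) != 0) return -1;
    sct->open = orig_open;
    return set_table_protection(PROT_READ);
}
/* What a tool inside the honeypot sees: open and read through the current table. */
ssize_t read_file(const char *path, char *buf, size_t len) {
    int fd = sct->open(path);
    return fd < 0 ? -1 : sct->read(fd, buf, len);
}
```

Reading /proc/cgroups through the table returns the container's own view before hijack_install() and the physical-machine pseudo fingerprint afterwards, while /etc/hostname is passed through unchanged.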
Further, fig. 17 is a schematic diagram of the hardware structure of a device for implementing the method provided by the embodiment of the present invention, where the device may be a computer terminal, a mobile terminal, or a server, and the device may also form part of the apparatus provided by the embodiment of the present invention. As shown in fig. 17, the computer terminal 10 (or mobile device 10 or server 10) may include one or more processors 102 (shown as 102a, 102b, …, 102n; the processors 102 may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission device 106 for communication functions. In addition, the computer terminal 10 may further include: a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a power source, and/or a camera. It will be understood by those skilled in the art that the structure shown in fig. 17 is merely an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 17, or have a different configuration than shown in FIG. 17.
It should be noted that the one or more processors 102 and/or other data processing circuitry described above may be referred to generally herein as "data processing circuitry". The data processing circuitry may be embodied in whole or in part in software, hardware, firmware, or any combination thereof. Further, the data processing circuit may be a single stand-alone processing module, or incorporated in whole or in part into any of the other elements in the computer terminal 10 (or mobile device). As referred to in the embodiments of the application, the data processing circuit acts as a processor control (e.g. selection of a variable resistance termination path connected to the interface).
The memory 104 can be used for storing software programs and modules of application software, such as program instructions/data storage devices corresponding to the method described in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, namely, implementing the above-mentioned honeypot operating system fingerprint hiding method. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 can be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 10 (or mobile device).
It should be noted that: the precedence order of the above embodiments of the present invention is only for description, and does not represent the merits of the embodiments. And specific embodiments thereof have been described above. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the device and server embodiments, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the partial description of the method embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (6)

1. A honeypot operating system fingerprint concealment method, the method comprising:
deploying the Conpot honeypots, the Cowrie honeypots, the kippo honeypots, the Elasticpot honeypots, the Glastopf honeypots and the Emobility honeypots on the same network card, packaging the honeypot programs of the honeypots in containers, and installing the main bodies of the honeypots in virtual machines;
constructing a system pseudo fingerprint, and generating a pseudo operating system fingerprint file according to the system pseudo fingerprint, wherein the system pseudo fingerprint belongs to a physical machine operating system fingerprint, and the system pseudo fingerprint comprises at least one of the following: Host information, Channel information, Vendor information, Model information, Rev information, Type information, cpuset information, cpuacct information, devices information, freezer information, net_cls information, and perf_event information;
hijacking an operating system fingerprint access instruction, wherein the operating system fingerprint access instruction comprises an operating system fingerprint opening instruction or an operating system fingerprint reading instruction;
acquiring an address of a system call table, and closing read-only protection of the system call table;
hijacking a target function in the system call table, wherein the target function is the open function or the read function;
modifying the address of the target function into the address of a custom function;
invoking the custom function;
executing the custom function to cause the access object of the target function to be redirected to the disguised operating system fingerprint file;
executing the target function to access the disguised operating system fingerprint file and cause the system pseudo fingerprint to be output as the access result of the operating system fingerprint access instruction;
and restoring the address of the target function in the system call table.
2. The method of claim 1, wherein:
determining the target function as the open function under the condition that the operating system fingerprint access instruction is an operating system fingerprint open instruction;
and determining the target function as the read function under the condition that the operating system fingerprint access instruction is an operating system fingerprint read instruction.
3. A honeypot operating system fingerprint concealment apparatus, the apparatus comprising:
the system pseudo fingerprint construction module is used for constructing a system pseudo fingerprint and generating a pseudo operating system fingerprint file according to the system pseudo fingerprint, wherein the system pseudo fingerprint belongs to a physical machine operating system fingerprint, and the system pseudo fingerprint comprises at least one of the following: Host information, Channel information, Vendor information, Model information, Rev information, Type information, cpuset information, cpuacct information, devices information, freezer information, net_cls information, and perf_event information;
the operating system fingerprint access instruction hijacking module is used for hijacking an operating system fingerprint access instruction, wherein the operating system fingerprint access instruction comprises an operating system fingerprint open instruction or an operating system fingerprint read instruction; acquiring the address of the system call table, and closing the read-only protection of the system call table; hijacking a target function in the system call table, wherein the target function is the open function or the read function; modifying the address of the target function into the address of a custom function; invoking the custom function; executing the custom function to cause the access object of the target function to be redirected to the disguised operating system fingerprint file; and restoring the address of the target function in the system call table;
the output module is used for executing the target function to access the disguised operating system fingerprint file and cause the system pseudo fingerprint to be output as the access result of the operating system fingerprint access instruction;
the apparatus is also used for deploying the Conpot honeypots, the Cowrie honeypots, the kippo honeypots, the Elasticpot honeypots, the Glastopf honeypots and the Emobility honeypots on the same network card, packaging the honeypot programs of the honeypots in containers, and installing the main bodies of the honeypots in virtual machines.
4. The apparatus of claim 3, wherein the operating system fingerprint access instruction hijacking module is further configured to:
determining the target function as the open function under the condition that the operating system fingerprint access instruction is an operating system fingerprint open instruction;
and determining the target function as the read function under the condition that the operating system fingerprint access instruction is an operating system fingerprint read instruction.
5. A computer storage medium having stored thereon at least one instruction adapted to be loaded by a processor and to perform a honeypot operating system fingerprint concealment method of any of claims 1-2.
6. An electronic device, comprising a processor and a memory, wherein the memory stores at least one instruction for causing the processor to perform a honeypot operating system fingerprint concealment method of any of claims 1-2.
CN201910187849.7A 2019-03-13 2019-03-13 Honeypot operating system fingerprint hiding method and device Active CN110198300B (en)
Publications (2)

Publication Number Publication Date
CN110198300A CN110198300A (en) 2019-09-03
CN110198300B true CN110198300B (en) 2022-01-14
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230925

Address after: 518057 Tencent Building, No. 1 High-tech Zone, Nanshan District, Shenzhen City, Guangdong Province, 35 floors

Patentee after: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.

Patentee after: TENCENT CLOUD COMPUTING (BEIJING) Co.,Ltd.

Address before: 518057 Tencent Building, No. 1 High-tech Zone, Nanshan District, Shenzhen City, Guangdong Province, 35 floors

Patentee before: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.