CN110266650A - Method for identifying a Conpot industrial control honeypot - Google Patents
- Publication number: CN110266650A (application CN201910435098.6A)
- Authority: CN (China)
- Prior art keywords: identified, conpot, industrial control, honeypot, message
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H: Electricity
  - H04: Electric communication technique
    - H04L: Transmission of digital information, e.g. telegraphic communication
      - H04L63/00: Network architectures or network communication protocols for network security
        - H04L63/14: Detecting or protecting against malicious traffic
          - H04L63/1441: Countermeasures against malicious traffic
            - H04L63/1475: Passive attacks, e.g. eavesdropping or listening without modification of the traffic monitored
      - H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
        - H04L69/22: Parsing or analysis of headers
Abstract
An embodiment of the present invention provides a method for identifying a Conpot industrial control honeypot, comprising: splitting a first message obtained in advance into two parts; sending the first part of the first message to a system to be identified and, after a preset time, sending the second part of the first message to the system to be identified, the preset time being the disconnection duration of the Conpot industrial control honeypot; and, if an abnormal response (a connection error rather than a protocol reply) is received from the system to be identified, determining that the system to be identified is a Conpot industrial control honeypot. Embodiments of the present invention offer high accuracy, strong discrimination and good operability.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a method for identifying a Conpot industrial control honeypot.
Background technique
In recent years a series of malicious security attacks against industrial control systems have occurred around the world. The attackers not only have a command of industrial control security and of network attack tools, but are also familiar with the business processes of industrial control systems. Their attack traffic is sparse, highly persistent and well concealed, and is difficult for detection and prevention measures such as intrusion detection and firewalls to discover. Academia and industry have therefore proposed trapping attackers with honeypot technology. An industrial control honeypot deployed in an industrial control network can lure attackers and delay the penetration of industrial threats, and its captured attack traffic can be analysed to improve the ability to discover security threats to industrial control systems, providing strong security assurance for the continuous production operations of industrial enterprises.
Once a honeypot is identified by an attacker it loses its original value; it becomes a passive form of active defence that has been penetrated and has failed. In recent years anti-honeypot research has become increasingly active: attackers have begun to study systematically how to identify and counter honeypots, and share that knowledge through the hacker community, which has caused many traditional honeypots to fail one after another. Against this background, improving the anti-identification capability of honeypots has become a research focus in cyber defence. Honeypot identification, also called anti-honeypot technology, refers to detecting the presence of honeypot software by various technical means and thereby judging whether the target under attack is a honeypot environment.
In academia, research and experiments abroad on identifying traditional honeypots have achieved a number of results, and many identification methods exist. Neal Krawetz first proposed anti-honeypot technology based on sending spam to identify SMTP honeypots; Thorsten Holz gave a detailed account of identification techniques for various honeypots from the two perspectives of the network layer and the system layer; for low-interaction honeypots, Tadayoshi Kohno and colleagues at the University of California, San Diego proposed a statistical identification method based on protocol clock skew; and in 2015 Gajrani et al. proposed identifying virtual-environment features through dynamic system control. For high-interaction honeypots, because Sebek is indispensable when building a honeynet, judging the presence of a honeypot by detecting Sebek is the main identification method. Joseph Corey proposed a dd-based Sebek detection method: dd is run in the background while a ping command is executed, and if Sebek is installed on the host the round-trip time of the ping increases greatly, which reveals the presence of the honeypot. A Phrack article proposed a kernel-module-based honeypot identification method that analyses information in memory such as the magic value and the source and destination port numbers.
In industry, a commercial anti-honeypot product, Honeypot Hunter, exists abroad, and Shodan, the largest device search engine, also has some honeypot identification capability. For industrial control honeypots, however, because PLCs are closed systems and their protocols proprietary, many methods suited to traditional honeypots no longer apply, and the identification of industrial control honeypots remains at a primary stage. The known honeypot identification methods and products abroad, and in particular identification methods for industrial control environments, cannot meet the basic requirements of industrial-grade identification in feasibility and effectiveness when honeypot software versions and system environments are updated. No literature shows that a domestic institution has begun systematic research on industrial control honeypot identification. With systems and software versions continually being updated, anti-honeypot research faces new challenges.
Summary of the invention
Embodiments of the present invention provide a method for identifying a Conpot industrial control honeypot that overcomes, or at least partially solves, the above problems.
In a first aspect, an embodiment of the present invention provides a method for identifying a Conpot industrial control honeypot, comprising:
splitting a first message obtained in advance into two parts;
sending the first part of the first message to a system to be identified and, after a preset time, sending the second part of the first message to the system to be identified, the preset time being the disconnection duration of the Conpot industrial control honeypot; and
if an abnormal response is received from the system to be identified, determining that the system to be identified is a Conpot industrial control honeypot.
In a second aspect, an embodiment of the present invention provides another method for identifying a Conpot industrial control honeypot, comprising:
splitting a first message obtained in advance into two parts, the length of the first part of the first message being less than a preset number of bytes, the preset number of bytes being the shortest length that the Conpot industrial control honeypot can recognise; and
sending the two parts of the first message in succession to a system to be identified, and, if an abnormal response is received from the system to be identified, determining that the system to be identified is a Conpot industrial control honeypot.
In a third aspect, an embodiment of the present invention provides a device for identifying a Conpot industrial control honeypot, comprising:
a first splitting module for splitting a first message obtained in advance into two parts;
a first sending module for sending the first part of the first message to a system to be identified and, after a preset time, sending the second part of the first message to the system to be identified, the preset time being the disconnection duration of the Conpot industrial control honeypot; and
a first judgement module for determining that the system to be identified is a Conpot industrial control honeypot if an abnormal response is received from the system to be identified.
In a fourth aspect, an embodiment of the present invention provides another device for identifying a Conpot industrial control honeypot, comprising:
a second splitting module for splitting a first message obtained in advance into two parts, the length of the first part of the first message being less than a preset number of bytes, the preset number of bytes being the shortest length that the Conpot industrial control honeypot can recognise;
a second sending module for sending the two parts of the first message in succession to a system to be identified; and
a second judgement module for determining that the system to be identified is a Conpot industrial control honeypot if an abnormal response is received from the system to be identified.
In a fifth aspect, an embodiment of the present invention provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method of the first or second aspect when executing the program.
In a sixth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method of the first or second aspect.
The method for identifying a Conpot industrial control honeypot provided by embodiments of the present invention splits a message into two parts, sends the first part to the system to be identified and, after at least 5 seconds, sends the second part; if an abnormal response is received from the system to be identified, the system is determined to be a Conpot industrial control honeypot. The method offers high accuracy, strong discrimination and good operability.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. The drawings described below are some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the method for identifying a Conpot industrial control honeypot provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of the method for identifying a Conpot industrial control honeypot of another embodiment of the present invention;
Fig. 3 is a structural diagram of the device for identifying a Conpot industrial control honeypot provided by an embodiment of the present invention;
Fig. 4 is a structural diagram of the device for identifying a Conpot industrial control honeypot provided by another embodiment of the present invention;
Fig. 5 is a diagram of the physical structure of the electronic device provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The embodiments described are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The Conpot industrial control honeypot is a common type of industrial control honeypot. Fig. 1 is a flow diagram of the method for identifying a Conpot industrial control honeypot provided by an embodiment of the present invention. As shown in Fig. 1, the method comprises:
S101: splitting a first message obtained in advance into two parts;
S102: sending the first part of the first message to a system to be identified and, after a preset time, sending the second part of the first message to the system to be identified, the preset time being the disconnection duration of the Conpot industrial control honeypot;
S103: if an abnormal response is received from the system to be identified, determining that the system to be identified is a Conpot industrial control honeypot.
It should be noted that, in the implementation of the Conpot industrial control honeypot, a sock.settimeout(timeout) parameter with timeout = 5 is set in order to prevent one connection from occupying bandwidth for a long time. This means that Conpot keeps a connection open for 5 seconds without communication; after 5 seconds Conpot sends a FIN/ACK and disconnects. A real device, because of business needs, has no such disconnection and keeps the connection valid and stable for a long time. This is a significant implementation difference between the Conpot framework and a real device.
Specifically, a normal message is first split into two segments; the first segment is sent, and after 10 seconds the second segment is sent. If the device is a Conpot industrial control honeypot, the connection is disconnected automatically at 5 seconds, and sending the second segment then produces a disconnection error.
On the basis of the above embodiments, as an alternative embodiment, if a normal response is received from the system to be identified, a second message obtained in advance is split into two parts, the length of the first part of the second message being less than a preset number of bytes, the preset number of bytes being the shortest length that the Conpot industrial control honeypot can recognise; the two parts of the second message are sent in succession to the system to be identified, and, if an abnormal response is received from the system to be identified, the system to be identified is determined to be a Conpot industrial control honeypot.
Through in-depth analysis of the Modbus protocol parsing code in the Conpot industrial control honeypot, embodiments of the present invention identify the key point: Conpot first receives the first 7 bytes, and if fewer than 7 bytes are received it treats the input as an invalid Modbus message, discards it, disconnects and ends the session. The Modbus protocol specification requires a message to be longer than 7 bytes (the 7-byte MBAP header must be followed by at least a function code). If a normal Modbus message is forcibly cut so that the first part is shorter than 7 bytes and the parts are sent in succession to a real device, the real device responds normally; the Conpot implementation, however, does not account for fragmentation, and its protocol-correctness check disconnects the connection. The attacker therefore cannot obtain a correct response and identifies that the Conpot honeypot is running the Modbus protocol.
It should be noted that of the two methods proposed by embodiments of the present invention, the first has a timing requirement: although the automatic disconnection time of a typical Conpot industrial control honeypot is 5 seconds, a Conpot honeypot configured with a longer duration cannot be ruled out, so even a normal response leaves open the possibility that the system is a Conpot industrial control honeypot. The second method is derived from in-depth analysis of Conpot's Modbus protocol parsing, does not need to wait for a certain length of time, and is also more accurate. Of the two identification methods, the first identifies the honeypot from a system-layer feature of its framework and the second from a feature of its protocol parsing; both identify the honeypot from features of the honeypot system itself.
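The two fragmentation probes above (the idle-timeout scheme of S101-S103 and the short-first-fragment scheme that Fig. 2 describes as S201-S203) as an added worked example in Python; this is not Conpot's code and not the patent's own implementation. Because the probes need a peer, the block also contains two constructed local test doubles: one reproduces only the two Conpot behaviours the text relies on (a sock.settimeout(5) idle disconnect, and dropping the session when the first read yields fewer than the 7 MBAP header bytes), the other behaves like a real PLC that blocks without a timeout and reassembles the header across TCP segments. Host, port, unit id and the Read Holding Registers request are assumptions for the demonstration; against a real target the verdict carries the caveat given in the text, since a Conpot instance configured with a longer timeout answers the first probe normally.

```python
import socket
import struct
import threading
import time

# Added example (not Conpot's code, not the patent's implementation). Demonstrates
# the two fragmentation probes against constructed local test doubles.

MBAP = ">HHHB"   # transaction id, protocol id, length, unit id (7 bytes)


def build_modbus_request(unit_id, function_code, start, count, tid=1):
    """Modbus/TCP ADU = MBAP header + PDU (fc 3 = Read Holding Registers)."""
    pdu = struct.pack(">BHH", function_code, start, count)
    return struct.pack(MBAP, tid, 0, len(pdu) + 1, unit_id) + pdu


def _exchange(sock, first, second, gap):
    """Send two fragments `gap` seconds apart and classify what comes back."""
    sock.sendall(first)
    time.sleep(gap)
    try:
        sock.sendall(second)
        reply = sock.recv(260)
    except (ConnectionResetError, BrokenPipeError, socket.timeout):
        return "honeypot"
    return "normal" if reply else "honeypot"   # b"" means the peer already sent FIN


def probe_idle_timeout(host, port, msg, wait=10.0, read_timeout=3.0):
    """Scheme 1: complete 7-byte header first, the PDU only after `wait` seconds.
    Conpot's 5 s idle timeout fires in between, so the second fragment hits a closed
    socket; a real PLC is still blocked waiting for the rest of the message."""
    with socket.create_connection((host, port), timeout=read_timeout) as s:
        return _exchange(s, msg[:7], msg[7:], wait)


def probe_short_fragment(host, port, msg, first_len=3, read_timeout=3.0):
    """Scheme 2: first fragment shorter than the 7-byte MBAP header, remainder
    right after. No waiting on the honeypot's timeout is required."""
    with socket.create_connection((host, port), timeout=read_timeout) as s:
        return _exchange(s, msg[:first_len], msg[first_len:], 0.2)


def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def start_fake_server(conpot_like, idle_timeout=5.0):
    """Constructed test double; returns the loopback port it listens on.
    conpot_like=True mimics the two Conpot traits the patent relies on,
    False mimics a real PLC (no timeout, header reassembled from segments)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            try:
                if conpot_like:
                    conn.settimeout(idle_timeout)     # Conpot: sock.settimeout(5)
                    head = conn.recv(7)
                    if len(head) < 7:                 # short read: "invalid Modbus", drop session
                        return
                else:
                    head = _recv_exact(conn, 7)       # real device: wait for the full header
                tid, _, length, uid = struct.unpack(MBAP, head)
                pdu = _recv_exact(conn, length - 1)  # times out on the Conpot double
                reply_pdu = bytes([pdu[0], 2, 0, 0])  # echo fc, byte count 2, one register = 0
                conn.sendall(struct.pack(MBAP, tid, 0, len(reply_pdu) + 1, uid) + reply_pdu)
            except (socket.timeout, OSError):
                return

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    req = build_modbus_request(unit_id=1, function_code=3, start=0, count=1)
    hp = start_fake_server(conpot_like=True, idle_timeout=0.5)   # shortened for the demo
    plc = start_fake_server(conpot_like=False)
    print("idle-timeout probe  :", probe_idle_timeout("127.0.0.1", hp, req, wait=1.0),
          probe_idle_timeout("127.0.0.1", plc, req, wait=1.0))
    print("short-fragment probe:", probe_short_fragment("127.0.0.1", hp, req),
          probe_short_fragment("127.0.0.1", plc, req))
```

Run directly, the block prints the verdicts for both doubles (idle timeout shortened to 0.5 s for the demo; against a real target keep the default wait of 10 s). Scheme 1 deliberately splits at the 7-byte header boundary: a first fragment shorter than 7 bytes would trigger scheme 2's behaviour instead and the two causes could not be told apart. Both probes treat an empty read (peer FIN) and a reset the same way, since either means the session was torn down before the second fragment arrived.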
On the basis of the above embodiments, as an alternative embodiment, after sending the second part of the first message to the system to be identified, or sending the two parts of the second message in succession to the system to be identified, the method further comprises:
if a normal response is received from the system to be identified, identifying the system according to one or more of: the difference between the geographical location of its IP address and the industrial environment it is actually located in; whether its IP address is provided by an ISP; and whether its IP address appears in a preset threat intelligence database. Specifically:
if the difference between the geographical location of the IP address of the system to be identified and the industrial environment it is actually located in is greater than a first preset threshold, the system to be identified is determined to be a Conpot industrial control honeypot.
It should be noted that geographical location can be judged by many means, for example through IP geolocation websites. Embodiments of the present invention can locate the IP address precisely, with a precision of up to 500 metres. The difference between the industrial environment in which the real device is located and the geographical location to which the IP address actually resolves is analysed by ISP; the larger the difference between the IP geolocation and the actual industrial control environment, the higher the embodiment rates the probability that the device is a honeypot.
If the IP address of the system to be identified is provided by an Internet service provider, the system to be identified is determined to be a Conpot industrial control honeypot.
An ISP (Internet Service Provider) is a telecommunications operator that provides users with comprehensive Internet access, information services and value-added services. An ICP (Internet Content Provider) is a telecommunications operator that provides Internet information services and value-added services. In the Internet application service chain "equipment supplier, basic network operator, content aggregator and producer, service provider, user", ISPs and ICPs occupy the positions of content aggregator, producer and service provider. A given ISP provides a relatively focused and stable service, and especially now that global IPv4 addresses are scarce, there are very few circumstances in which an ISP would provide an independent real IP address for a honeypot. On this business logic, since the IP addresses on which honeypots are placed are mostly provided by cloud server providers, embodiments of the present invention judge whether the device holding an IP address is a honeypot by determining whether its ISP is a cloud server provider.
If the IP address of the system to be identified appears in a preset threat intelligence database, the system to be identified is determined to be a Conpot industrial control honeypot.
The features or threat intelligence associated with an IP address are obtained from a threat intelligence database or from the network, and the concrete type of the device behind the IP address is determined from them. For example, if a threat intelligence site shows that the IP address of a supposed industrial control device was once used by an IDC (data centre) server, it can essentially be concluded that the device using that IP address is a honeypot.
It should be noted that the three IP-feature identification methods above can each be used on their own. Because identification by IP features involves a quantification step, with the judgement made on the quantified value, an accurate threshold is needed; embodiments of the present invention obtain more accurate thresholds through statistics over a large volume of data.
On the basis of the above embodiments, as an alternative embodiment, identifying the system according to one or more of the difference between the geographical location of its IP address and its actual industrial environment, whether its IP address is provided by an ISP, and whether its IP address appears in a preset threat intelligence database, specifically comprises:
if the difference between the geographical location of the IP address of the system to be identified and its actual industrial environment is less than the first preset threshold, querying the provider of the IP address on the public Internet; if no more than a second preset threshold number of information sources show that the IP address is provided by an Internet service provider, continuing to identify the system according to whether its IP address appears in the preset threat intelligence database.
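The three IP-feature checks and the order in which the text chains them, as an added example in Python (not part of the patent). The "first preset threshold" and "second preset threshold" are exposed as parameters, distance is computed with the haversine formula from the geolocated coordinates and the coordinates of the plant, the cloud-provider test is a keyword match over the provider names returned by several lookups, and the threat-intelligence check is a list of tags. All records, IP addresses (from the 203.0.113.0/24 documentation range), coordinates and provider names are constructed; a real run would fill them from a geolocation service, WHOIS/ASN data and a threat-intelligence feed.

```python
import math

# Added example (not from the patent). Chains the three IP-feature checks in the
# order the text gives: geolocation distance, then cloud/hosting provider votes,
# then threat intelligence. Thresholds are parameters; all records are constructed.

CLOUD_KEYWORDS = ("cloud", "aws", "amazon", "azure", "google", "alibaba",
                  "tencent", "digitalocean", "hetzner", "ovh", "hosting", "idc")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def looks_like_cloud(isp_name):
    """Assumed heuristic: the provider name contains a cloud/hosting keyword."""
    name = isp_name.lower()
    return any(k in name for k in CLOUD_KEYWORDS)


def classify_by_ip_features(rec, distance_km_threshold=50.0, cloud_votes_threshold=2):
    """rec: ip, geo=(lat, lon) from IP geolocation, site=(lat, lon) of the plant the
    device claims to belong to, isp_sources=provider names from several lookups,
    threat_hits=tags from a threat-intelligence lookup. Returns (verdict, reason).
    The two thresholds stand in for the text's first and second preset thresholds."""
    dist = haversine_km(*rec["geo"], *rec["site"])
    if dist > distance_km_threshold:
        return "honeypot", f"geolocated {dist:.0f} km from the industrial site"
    votes = sum(looks_like_cloud(s) for s in rec["isp_sources"])
    if votes > cloud_votes_threshold:
        return "honeypot", f"{votes} lookups attribute the IP to a cloud/hosting provider"
    if rec["threat_hits"]:
        return "honeypot", "IP known to threat intelligence as: " + ", ".join(rec["threat_hits"])
    return "undetermined", "IP features consistent with a real device; continue with protocol and state checks"


# Constructed records: documentation-range IPs, plant coordinates in Beijing.
PLANT = (39.9042, 116.4074)
SAMPLE_RECORDS = [
    {"ip": "203.0.113.10", "geo": (31.2304, 121.4737), "site": PLANT,   # geolocates to Shanghai
     "isp_sources": ["China Telecom"], "threat_hits": []},
    {"ip": "203.0.113.11", "geo": (39.9100, 116.4000), "site": PLANT,
     "isp_sources": ["Alibaba Cloud", "Aliyun Cloud Computing", "Alibaba Cloud (Beijing)"],
     "threat_hits": []},
    {"ip": "203.0.113.12", "geo": (39.9100, 116.4000), "site": PLANT,
     "isp_sources": ["China Unicom"], "threat_hits": ["former IDC server"]},
    {"ip": "203.0.113.13", "geo": (39.9100, 116.4000), "site": PLANT,
     "isp_sources": ["China Unicom"], "threat_hits": []},
]


def run_samples(records=SAMPLE_RECORDS):
    """Classify every constructed record; returns (ip, verdict, reason) tuples."""
    return [(r["ip"],) + classify_by_ip_features(r) for r in records]


if __name__ == "__main__":
    for ip, verdict, reason in run_samples():
        print(f"{ip:14} {verdict:12} {reason}")
```

The chain stops at the first feature that fires, matching the text's "identify by one or more" wording; a deployment that wants a graded score instead of a verdict would accumulate the three reasons rather than return on the first.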
On the basis of the above embodiments, as an alternative embodiment, if the IP address of the system to be identified does not appear in the preset threat intelligence database, the system is identified according to one or more of the completeness of its protocol implementation, the change over time of its system status information, and its time-series state.
Specifically, the device is verified from the completeness of its protocol implementation: whether the protocol function codes are implemented completely distinguishes a honeypot from a real device. This can be done by sending rarer request messages to the device and judging the completeness of its protocol implementation from its responses.
Investigation shows that in current Conpot industrial control honeypots the device status information is either preset or generated at random, whereas the values in a real industrial control environment follow a normal distribution within a certain range and show a certain regularity. An industrial control environment is stable but not constant: coil states, buffer states, file records, temperatures, valve states and similar information differ with the system's current operating conditions. Comparing whether the system status information changes between different periods is therefore an effective way to judge whether the system is a real one.
Many honeypots keep all of this status information fixed, which does not match real industrial business logic. Embodiments of the present invention obtain the data in the system that production needs cause to vary, and judge whether the device is a honeypot by whether that data changes over a period of time.
If the fidelity of a honeypot is high enough, combinations of several operations are needed, identifying the honeypot by whether a specific feature changes after the combination. The drafted combinations are:
(1) read coil + write coil + read coil
(2) read register + masked-write register + write register + read register
(3) random combined operations + read file record
A low-interaction honeypot has no way of passively changing the various kinds of device information from the outside, so the idea is to change the device's control information remotely and then query the system status information for the corresponding change; if nothing changes, the device is very probably a honeypot. This identification method, however, may cause unpredictable harm to a real device in an industrial control scenario, so, putting safety first, it is not used as one of the main honeypot identification methods but as an alternative way of verifying a honeypot.
On the basis of the above embodiments, as an alternative embodiment, identifying the system according to one or more of protocol implementation completeness, change of system status information and time-series state specifically comprises:
if the protocol completeness of the system to be identified is lower than a third preset threshold, determining that the system to be identified is a Conpot industrial control honeypot; otherwise, comparing the change of system status information at different times: if the system status information does not change, or changes irregularly, determining that the system to be identified is a Conpot industrial control honeypot; if the system status information changes regularly, actively changing the control information of the system to be identified and identifying the system by whether its system status information changes, and if the system status information changes, determining that the system to be identified is not a Conpot honeypot.
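The protocol-completeness, state-regularity and read-write-read checks above, as an added example in Python (not the patent's implementation). The functions work on data a Modbus client would already have collected (raw responses keyed by function code, a series of register readings, and read/write callbacks), so they run offline; the sample responses, readings and the thresholds min_changes and max_cv are constructed assumptions. The completeness check relies on the Modbus exception-response format: the request's function code with bit 0x80 set, followed by exception code 0x01 (Illegal Function) when the code is not implemented.

```python
import statistics
import struct

# Added example (not the patent's implementation). Offline checks over data a
# Modbus client would have collected; samples and thresholds are constructed.


def parse_modbus_response(adu):
    """Return (function_code, exception_code_or_None) from a Modbus/TCP ADU.
    An exception response carries the request's function code with bit 0x80 set,
    followed by one exception byte (0x01 Illegal Function, 0x02 Illegal Data Address, ...)."""
    if len(adu) < 8:
        raise ValueError("ADU shorter than MBAP header plus function code")
    _, _, length, _ = struct.unpack(">HHHB", adu[:7])
    if length != len(adu) - 6:
        raise ValueError("MBAP length field does not match ADU size")
    fc = adu[7]
    if fc & 0x80:
        return fc & 0x7F, adu[8]
    return fc, None


def protocol_completeness(responses):
    """responses: {function_code: raw ADU returned for a probe of that code}.
    A code counts as implemented unless the device answered with exception 0x01
    (Illegal Function) or with a different code. Returns (ratio, unimplemented codes)."""
    unimplemented = []
    for fc, adu in responses.items():
        got_fc, exc = parse_modbus_response(adu)
        if got_fc != fc or exc == 0x01:
            unimplemented.append(fc)
    return 1 - len(unimplemented) / len(responses), sorted(unimplemented)


def state_verdict(readings, min_changes=2, max_cv=0.5):
    """readings: one register (or coil count) sampled at different times.
    'static'    -> (almost) never changes, as with preset honeypot values;
    'irregular' -> changes but scatters widely, as with random generation;
    'regular'   -> bounded variation around a working point, as a running process shows."""
    changes = sum(1 for a, b in zip(readings, readings[1:]) if a != b)
    if changes < min_changes:
        return "static"
    mean = statistics.mean(readings)
    cv = statistics.pstdev(readings) / abs(mean) if mean else float("inf")
    return "regular" if cv <= max_cv else "irregular"


def active_coil_check(read_coil, write_coil, address):
    """Combination (1) above: read coil + write coil + read coil, then restore.
    Only for use where the write is known to be safe; on a real PLC it changes plant state."""
    before = read_coil(address)
    write_coil(address, not before)
    after = read_coil(address)
    write_coil(address, before)
    return "honeypot" if after == before else "reacts"


def _adu(fc_byte, payload, tid=1, uid=1):
    """Build a constructed response ADU for the samples below."""
    pdu = bytes([fc_byte]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


# Constructed probe results: the device answers the common read codes but
# rejects Diagnostics, Report Server ID and Read Device Identification.
SAMPLE_RESPONSES = {
    1: _adu(0x01, b"\x01\x05"),         # Read Coils: 1 byte, coils 0 and 2 set
    3: _adu(0x03, b"\x02\x00\x2a"),     # Read Holding Registers: one register = 42
    8: _adu(0x88, b"\x01"),             # Diagnostics: Illegal Function
    17: _adu(0x91, b"\x01"),            # Report Server ID: Illegal Function
    43: _adu(0xAB, b"\x01"),            # Read Device Identification: Illegal Function
}
STATIC_READINGS = [500, 500, 500, 500, 500, 500]
PROCESS_READINGS = [500, 503, 498, 505, 501, 499]
RANDOM_READINGS = [12, 900, 3, 777, 45, 600]

if __name__ == "__main__":
    print("completeness:", protocol_completeness(SAMPLE_RESPONSES))
    for name, series in (("static", STATIC_READINGS), ("process", PROCESS_READINGS),
                         ("random", RANDOM_READINGS)):
        print(f"{name:8} -> {state_verdict(series)}")
```

The coefficient of variation is one simple stand-in for the text's "regular variation within a range"; the same structure accepts any other regularity statistic. active_coil_check takes callbacks rather than a socket so the decision to write to a live PLC stays with the caller, in line with the safety caveat above.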
On the basis of the above embodiments, after identifying the system by whether its system status information changes, the method further comprises:
if the system status information does not change, identifying the system to be identified according to one or more of its protocol fingerprint, network load, network traffic delay features, and routing and redirection features.
Specifically, different operating systems exhibit different response characteristics when handling network data; these are the "fingerprint" of the system, and they originate in the implementation of the TCP/IP protocol stack. Operating system fingerprinting based on the TCP/IP stack is a mature technique, with common tools such as Nmap and Queso, and this identification scheme has worked very well in practice for identifying Honeyd honeypots. For example, the TCP/IP stack implementation of Honeyd version 0.8 differs significantly from a real system in its handling of packet fragmentation: the design of Honeyd's IP fragment reassembly has a serious flaw, in that the protocol number is not handled in Honeyd's ipfrag.c, so Honeyd cannot tell whether it should reassemble IP fragments whose source and destination addresses and protocol number match but whose protocol field values differ. In addition, the operating systems and services simulated by Honeyd differ substantively from a real operating system in the three-way handshake. In a real operating system, after the server sends a SYN/ACK in the second step of the handshake and receives no ACK from the client, it retransmits; if no ACK arrives after a further wait it retransmits a second time, and only when the number of retransmissions exceeds the system's maximum does it cut off the connection. Owing to a defect in its implementation, Honeyd has no such repeated-retransmission mechanism.
Whether a device is a honeypot can also be determined from the difference between the maximum network load that a real device and a honeypot can bear, or alternatively the maximum number of connections they allow. Different honeypot systems running on the same physical machine share resources peacefully and each plays its role while system resources are sufficient, but when resources run short they contend for them. Real, separate hosts use their resources independently and show no such contention. Honeypots, by contrast, produce responses during interaction that differ from their usual state because of contention, and these differentiated responses make them easy to distinguish from real devices. Therefore, if one system's load is increased, for example by a high-traffic attack, the deviation of the other systems' response speed at that time from their normal response speed reveals whether a honeypot system has been detected.
Detection based on network traffic delay features relies on the fact that most honeypots respond to ICMP ECHO (ping) more slowly than a real system. Experiments show that the fluctuation of the delay of the ICMP ping command against the service can identify a honeypot effectively.
Routing and redirection features determine, through the time to live (TTL), whether a device is a honeypot virtualised by Honeyd. When a packet is given a TTL value (in seconds or in hop count) it counts down from there; in the IP protocol the TTL is measured in hops, is decremented by one at every router, and the packet is dropped once it reaches 0. This prevents a packet that fails to reach its destination from circulating on the network forever. Experiments show that the TTL of a honeypot virtualised by Honeyd does not decrease with the route traversed but is an artificially set fixed value, which does not match reality, so embodiments of the present invention can use this point to identify honeypots virtualised by Honeyd effectively.
Fig. 2 is a flow diagram of the method for identifying a Conpot industrial control honeypot of another embodiment of the present invention. As shown in Fig. 2, the method comprises:
S201: splitting a first message obtained in advance into two parts, the length of the first part of the first message being less than a preset number of bytes, the preset number of bytes being the shortest length that the Conpot industrial control honeypot can recognise;
S202: sending the two parts of the first message in succession to a system to be identified;
S203: if an abnormal response is received from the system to be identified, determining that the system to be identified is a Conpot industrial control honeypot.
On the basis of the above embodiments, as an alternative embodiment, after the two parts of the first message are successively sent to the system to be identified, the method further comprises:
if a normal response fed back by the system to be identified is received, splitting a second message obtained in advance into two parts;
sending the first part of the second message to the system to be identified, and after a preset time, sending the second part of the second message to the system to be identified, the preset time being the disconnection duration of the Conpot industrial control honeypot;
if an exception response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot.
On the basis of the above embodiments, as an alternative embodiment, after the two parts of the first message are successively sent to the system to be identified, or after the second part of the second message is sent to the system to be identified, the method further comprises:
if a normal response fed back by the system to be identified is received, performing identification according to one or more of: the difference between the IP location of the system to be identified and the industrial environment in which it is actually located; whether the IP of the system to be identified is provided by an ISP; and whether the IP of the system to be identified appears in a preset threat-intelligence database.
On the basis of the above embodiments, as an alternative embodiment, performing identification according to one or more of the difference between the IP location of the system to be identified and the industrial environment in which it is actually located, whether the IP of the system to be identified is provided by an ISP, and whether the IP of the system to be identified appears in the preset threat-intelligence database specifically comprises:
if the difference between the IP location of the system to be identified and the industrial environment in which it is actually located is greater than a first preset threshold, determining that the system to be identified is a Conpot industrial control honeypot;
querying on the public Internet the provider of the IP of the system to be identified, and if more than a second preset threshold number of information sources show that the IP of the system to be identified is provided by an Internet service provider, determining that the system to be identified is a Conpot industrial control honeypot; or
if the IP of the system to be identified appears in the preset threat-intelligence database, determining that the system to be identified is a Conpot industrial control honeypot.
On the basis of the above embodiments, as an alternative embodiment, performing identification according to one or more of the difference between the IP location of the system to be identified and the industrial environment in which it is actually located, whether the IP of the system to be identified is provided by an ISP, and whether the IP of the system to be identified appears in the preset threat-intelligence database specifically comprises:
if the difference between the IP location of the system to be identified and the industrial environment in which it is actually located is less than the first preset threshold, continuing to query on the public Internet the provider of the IP of the system to be identified; and if no more than the second preset threshold number of information sources show that the IP of the system to be identified is provided by an Internet service provider, continuing to perform identification according to whether the IP of the system to be identified appears in the preset threat-intelligence database.
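The two message-splitting probes and the IP-side checks described above, as an added example that is not the patent's own code: an in-memory Python simulation in which a constructed Conpot-like target (closes the socket after an idle timeout and parses whatever its first read returns as a whole frame) and a constructed real-device-like target (reassembles fragments, long idle timeout) are run through the decision sequence, so a honeypot operator can see which behaviour makes a deployment distinguishable. The modelled behaviours, the timeout, the minimum frame length, the two thresholds and the Modbus/TCP request are all assumptions, not values or internals taken from the patent; the result labels are the four forms the patent's test section reports.

```python
from dataclasses import dataclass

# Assumed placeholders for the patent's "preset" values (not taken from the patent)
MIN_FRAME_BYTES = 7             # "preset byte count": shortest frame the honeypot can parse
CONPOT_IDLE_TIMEOUT = 5.0       # "preset time": honeypot disconnection duration, in seconds
GEO_DISTANCE_THRESHOLD = 500.0  # "first preset threshold": IP geolocation vs. plant site, km
ISP_SOURCE_THRESHOLD = 2        # "second preset threshold": sources reporting an ISP-provided IP

# Constructed Modbus/TCP request: 7-byte MBAP header followed by a 5-byte read-holding-registers PDU
PROBE_MESSAGE = bytes.fromhex("000100000006" "01" "0300000001")

NORMAL, EXCEPTION, NO_REPLY = "normal", "exception", None


@dataclass
class SimulatedTarget:
    """Constructed stand-in for a system under test; nothing here touches the network."""
    alive: bool = True                   # answers ICMP echo
    accepts_connection: bool = True      # port open and not filtered
    buffers_partial_frames: bool = True  # real devices reassemble; the modelled honeypot does not
    idle_timeout: float = 60.0           # seconds of silence before the server closes the socket
    geo_distance_km: float = 0.0         # IP geolocation vs. the industrial site it claims to be at
    isp_sources: int = 0                 # public sources reporting the IP as ISP-provided
    in_threat_intel: bool = False        # IP present in the threat-intelligence database

    def exchange(self, fragments, gap):
        """Deliver the fragments with `gap` simulated seconds between them and classify the reply."""
        if not self.alive or not self.accepts_connection:
            return NO_REPLY
        received = b""
        for i, frag in enumerate(fragments):
            if i > 0 and gap >= self.idle_timeout:
                return EXCEPTION  # the server closed the socket before this part arrived
            received += frag
            if not self.buffers_partial_frames and len(received) < MIN_FRAME_BYTES:
                return EXCEPTION  # the honeypot parsed a too-short read as a whole frame
        return NORMAL if len(received) >= MIN_FRAME_BYTES else EXCEPTION


def probe_timeout(target, msg=PROBE_MESSAGE, wait=CONPOT_IDLE_TIMEOUT):
    """Claim 1: send the header now and the rest only after the honeypot's disconnection duration."""
    return target.exchange([msg[:MIN_FRAME_BYTES], msg[MIN_FRAME_BYTES:]], gap=wait)


def probe_short_fragment(target, msg=PROBE_MESSAGE):
    """Claims 2/6: first part shorter than the honeypot's shortest parseable frame, rest sent at once."""
    cut = MIN_FRAME_BYTES - 1
    return target.exchange([msg[:cut], msg[cut:]], gap=0.0)


def identify_by_ip(t):
    """Claims 4/5: geolocation gap, then ISP-provided address, then threat-intelligence presence."""
    if t.geo_distance_km > GEO_DISTANCE_THRESHOLD:
        return "HoneyPot"
    if t.isp_sources > ISP_SOURCE_THRESHOLD:
        return "HoneyPot"
    if t.in_threat_intel:
        return "HoneyPot"
    return "RealDevice"


def identify(t):
    """Whole decision sequence; the labels are the four result forms the patent's test reports."""
    if not t.alive:
        return "IpNotSurvival"
    if not t.accepts_connection:
        return "RejectInteraction"
    if probe_timeout(t) == EXCEPTION:
        return "HoneyPot"
    if probe_short_fragment(t) == EXCEPTION:
        return "HoneyPot"
    return identify_by_ip(t)


if __name__ == "__main__":
    conpot_like = SimulatedTarget(buffers_partial_frames=False, idle_timeout=CONPOT_IDLE_TIMEOUT)
    plc_like = SimulatedTarget()
    print("conpot-like:", identify(conpot_like))  # HoneyPot
    print("plc-like:", identify(plc_like))        # RealDevice
```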
Fig. 3 is a schematic structural diagram of the Conpot industrial control honeypot identification device provided by an embodiment of the present invention. As shown in Fig. 3, the Conpot industrial control honeypot identification device comprises a first splitting module 301, a first sending module 302 and a first judgment module 303, wherein:
the first splitting module 301 is configured to split a first message obtained in advance into two parts;
the first sending module 302 is configured to send the first part of the first message to the system to be identified and, after a preset time, to send the second part of the first message to the system to be identified, the preset time being the disconnection duration of the Conpot industrial control honeypot;
the first judgment module 303 is configured to determine, if an exception response fed back by the system to be identified is received, that the system to be identified is a Conpot industrial control honeypot.
The Conpot industrial control honeypot identification device provided by the embodiment of the present invention specifically executes the process of each Conpot industrial control honeypot identification method embodiment described above; for details, see the content of those method embodiments, which is not repeated here. The Conpot industrial control honeypot identification device provided by the embodiment of the present invention has the features of high accuracy, strong identification capability and strong operability.
Fig. 4 is a schematic structural diagram of the Conpot industrial control honeypot identification device provided by another embodiment of the present invention. As shown in Fig. 4, the Conpot industrial control honeypot identification device comprises:
a second splitting module 402, configured to split a first message obtained in advance into two parts, wherein the length of the first part of the first message is less than a preset byte count, the preset byte count being the shortest byte count identifiable by the Conpot industrial control honeypot;
a second sending module 402, configured to send the two parts of the first message successively to the system to be identified;
a second judgment module 403, configured to determine, if an exception response fed back by the system to be identified is received, that the system to be identified is a Conpot industrial control honeypot.
The Conpot industrial control honeypot identification device provided by the embodiment of the present invention specifically executes the process of each Conpot industrial control honeypot identification method embodiment described above; for details, see the content of those method embodiments, which is not repeated here. The Conpot industrial control honeypot identification device provided by the embodiment of the present invention has the features of high accuracy, strong identification capability and strong operability.
Fig. 5 is a schematic diagram of the physical structure of an electronic device provided by an embodiment of the present invention. As shown in Fig. 5, the electronic device may comprise a processor 510, a communication interface 520, a memory 530 and a communication bus 540, wherein the processor 510, the communication interface 520 and the memory 530 communicate with one another through the communication bus 540. The processor 510 can call a computer program stored in the memory 530 and runnable on the processor 510 in order to execute the Conpot industrial control honeypot identification method provided by the above embodiments, for example: splitting a first message obtained in advance into two parts; sending the first part of the first message to the system to be identified and, after a preset time, sending the second part of the first message to the system to be identified, the preset time being the disconnection duration of the Conpot industrial control honeypot; and if an exception response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot. Alternatively: splitting a first message obtained in advance into two parts, wherein the length of the first part of the first message is less than a preset byte count, the preset byte count being the shortest byte count identifiable by the Conpot industrial control honeypot; sending the two parts of the first message successively to the system to be identified; and if an exception response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot.
Furthermore, the logic instructions in the memory 530 may be implemented in the form of software functional units and, when sold or used as an independent product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes to the prior art, or the technical solution as a whole, may be embodied in the form of a software product. That software product is stored in a storage medium and comprises several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods of the embodiments of the present invention. The aforementioned storage medium includes a USB flash disk, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk or any other medium capable of storing program code.
The embodiment of the present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored. When executed by a processor, the computer program carries out the Conpot industrial control honeypot identification method provided by the above embodiments, for example: splitting a first message obtained in advance into two parts; sending the first part of the first message to the system to be identified and, after a preset time, sending the second part of the first message to the system to be identified, the preset time being the disconnection duration of the Conpot industrial control honeypot; and if an exception response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot. Alternatively: splitting a first message obtained in advance into two parts, wherein the length of the first part of the first message is less than a preset byte count, the preset byte count being the shortest byte count identifiable by the Conpot industrial control honeypot; sending the two parts of the first message successively to the system to be identified; and if an exception response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot.
By acquiring Internet-wide industrial control device data, the embodiment of the present invention has functionally optimized the honeypot identification method and enhanced its robustness. The format fields of a recognition result are IP, protocol and recognition result.
The recognition result takes one of the following four forms:
(1) IpNotSurvival: the IP is not alive; it cannot be pinged because of network reasons or because the ICMP service is closed;
(2) RejectInteraction: the IP is alive but refuses connections; an effective connection cannot be established, presumably because the port is closed, a firewall is in the way, or similar;
(3) HoneyPot: the device is identified as a honeypot;
(4) RealDevice: the device is identified as a real device.
This test first obtained 830966 IPs with port 502 open, 1320600 IPs with port 102 open and 2670806 IPs with port 2404 open. After screening, 2155 industrial control devices running the S7 protocol, 5870 devices running the Modbus protocol and 362 devices running the IEC104 protocol remained.
The above devices were identified with the honeypot identification method proposed by the embodiment of the present invention and the results were compared with Shodan's: Shodan found only 345 Conpot honeypots worldwide, whereas the honeypot identification method proposed by the embodiment of the present invention identified as many as 2432 honeypots, roughly 7 times Shodan's result.
To verify coverage against Shodan, part of the results was extracted: the device in the honeypot results with IP 129.2.27.108 and label HoneyPot was looked up in Shodan. Shodan could not determine that it was a honeypot, yet from the honeypot's scan information the embodiment of the present invention could also clearly see that the open port is 502 while the Device Identification is Siemens SIMATIC S7-200, which is obviously a Siemens S7 device, so there is plainly an error in this Conpot honeypot's configuration information. Shodan still cannot identify it, but the honeypot identification method proposed by the embodiment of the present invention can effectively identify this Conpot honeypot. It can be seen that the honeypot identification method proposed by the embodiment of the present invention has higher resolution and accuracy than Conpot.
The device embodiments described above are merely exemplary; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative labour.
From the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus the necessary general-purpose hardware platform, or of course by hardware. On this understanding, the above technical solution, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product, which may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk and comprises several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments merely illustrate the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that they can still modify the technical solutions described in the foregoing embodiments or replace some of their technical features with equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A method for identifying a Conpot industrial control honeypot, characterized by comprising:
splitting a first message obtained in advance into two parts;
sending the first part of the first message to a system to be identified and, after a preset time, sending the second part of the first message to the system to be identified, the preset time being the disconnection duration of the Conpot industrial control honeypot;
if an exception response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot.
2. The method for identifying a Conpot industrial control honeypot according to claim 1, characterized in that, after said sending the second part of the first message to the system to be identified, the method further comprises:
if a normal response fed back by the system to be identified is received, splitting a second message obtained in advance into two parts, wherein the length of the first part of the second message is less than a preset byte count, the preset byte count being the shortest byte count identifiable by the Conpot industrial control honeypot;
sending the two parts of the second message successively to the system to be identified, and if an exception response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot.
3. The method for identifying a Conpot industrial control honeypot according to claim 2, characterized in that, after said sending the second part of the first message to the system to be identified, or after said successively sending the two parts of the second message to the system to be identified, the method further comprises:
if a normal response fed back by the system to be identified is received, performing identification according to one or more of: the difference between the IP location of the system to be identified and the industrial environment in which it is actually located; whether the IP of the system to be identified is provided by an ISP; and whether the IP of the system to be identified appears in a preset threat-intelligence database.
4. The method for identifying a Conpot industrial control honeypot according to claim 3, characterized in that said performing identification according to one or more of the difference between the IP location of the system to be identified and the industrial environment in which it is actually located, whether the IP of the system to be identified is provided by an ISP, and whether the IP of the system to be identified appears in the preset threat-intelligence database specifically comprises:
if the difference between the IP location of the system to be identified and the industrial environment in which it is actually located is greater than a first preset threshold, determining that the system to be identified is a Conpot industrial control honeypot;
querying on the public Internet the provider of the IP of the system to be identified, and if more than a second preset threshold number of information sources show that the IP of the system to be identified is provided by an Internet service provider, determining that the system to be identified is a Conpot industrial control honeypot; or
if the IP of the system to be identified appears in the preset threat-intelligence database, determining that the system to be identified is a Conpot industrial control honeypot.
5. The method for identifying a Conpot industrial control honeypot according to claim 3, characterized in that said performing identification according to one or more of the difference between the IP location of the system to be identified and the industrial environment in which it is actually located, whether the IP of the system to be identified is provided by an ISP, and whether the IP of the system to be identified appears in the preset threat-intelligence database specifically comprises:
if the difference between the IP location of the system to be identified and the industrial environment in which it is actually located is less than the first preset threshold, continuing to query on the public Internet the provider of the IP of the system to be identified; and if no more than the second preset threshold number of information sources show that the IP of the system to be identified is provided by an Internet service provider, continuing to perform identification according to whether the IP of the system to be identified appears in the preset threat-intelligence database.
6. A method for identifying a Conpot industrial control honeypot, characterized by comprising:
splitting a first message obtained in advance into two parts, wherein the length of the first part of the first message is less than a preset byte count, the preset byte count being the shortest byte count identifiable by the Conpot industrial control honeypot;
sending the two parts of the first message successively to a system to be identified;
if an exception response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot.
7. The method for identifying a Conpot industrial control honeypot according to claim 6, characterized in that, after said successively sending the two parts of the first message to the system to be identified, the method further comprises:
if a normal response fed back by the system to be identified is received, splitting a second message obtained in advance into two parts;
sending the first part of the second message to the system to be identified and, after a preset time, sending the second part of the second message to the system to be identified, the preset time being the disconnection duration of the Conpot industrial control honeypot;
if an exception response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot.
8. The method for identifying a Conpot industrial control honeypot according to claim 7, characterized in that, after said successively sending the two parts of the first message to the system to be identified, or after said sending the second part of the second message to the system to be identified, the method further comprises:
if a normal response fed back by the system to be identified is received, performing identification according to one or more of: the difference between the IP location of the system to be identified and the industrial environment in which it is actually located; whether the IP of the system to be identified is provided by an ISP; and whether the IP of the system to be identified appears in a preset threat-intelligence database.
9. The method for identifying a Conpot industrial control honeypot according to claim 8, characterized in that said performing identification according to one or more of the difference between the IP location of the system to be identified and the industrial environment in which it is actually located, whether the IP of the system to be identified is provided by an ISP, and whether the IP of the system to be identified appears in the preset threat-intelligence database specifically comprises:
if the difference between the IP location of the system to be identified and the industrial environment in which it is actually located is greater than a first preset threshold, determining that the system to be identified is a Conpot industrial control honeypot;
querying on the public Internet the provider of the IP of the system to be identified, and if more than a second preset threshold number of information sources show that the IP of the system to be identified is provided by an Internet service provider, determining that the system to be identified is a Conpot industrial control honeypot; or
if the IP of the system to be identified appears in the preset threat-intelligence database, determining that the system to be identified is a Conpot industrial control honeypot.
10. The method for identifying a Conpot industrial control honeypot according to claim 8, characterized in that said performing identification according to one or more of the difference between the IP location of the system to be identified and the industrial environment in which it is actually located, whether the IP of the system to be identified is provided by an ISP, and whether the IP of the system to be identified appears in the preset threat-intelligence database specifically comprises:
if the difference between the IP location of the system to be identified and the industrial environment in which it is actually located is less than the first preset threshold, continuing to query on the public Internet the provider of the IP of the system to be identified; and if no more than the second preset threshold number of information sources show that the IP of the system to be identified is provided by an Internet service provider, continuing to perform identification according to whether the IP of the system to be identified appears in the preset threat-intelligence database.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910435098.6A CN110266650B (en) | 2019-05-23 | 2019-05-23 | Identification method of Conpot industrial control honeypot |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110266650A true CN110266650A (en) | 2019-09-20 |
CN110266650B CN110266650B (en) | 2020-05-29 |