CN110266650A - Method for identifying a Conpot industrial control honeypot - Google Patents

Method for identifying a Conpot industrial control honeypot

Info

Publication number: CN110266650A
Application number: CN201910435098.6A
Authority: CN (China)
Original language: Chinese (zh)
Other versions: CN110266650B (granted patent)
Legal status: Granted; currently active
Prior art keywords: identified, conpot, industrial control, honeypot, message
Inventors: 吕世超, 张悦阳, 游建舟, 闫兆腾, 孙利民, 朱红松
Original and current assignee: Institute of Information Engineering of CAS (Chinese Academy of Sciences)

Events: application CN201910435098.6A filed by the Institute of Information Engineering of CAS; publication of CN110266650A; application granted; publication of CN110266650B; legal status active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1475 Passive attacks, e.g. eavesdropping or listening without modification of the traffic monitored
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers

Abstract

An embodiment of the present invention provides a method for identifying a Conpot industrial control honeypot, comprising: splitting a first message, obtained in advance, into two parts; sending the first part of the first message to a system to be identified and, after a preset time, sending the second part of the first message to the system to be identified, the preset time being the interval after which a Conpot industrial control honeypot disconnects an idle connection; and, if an exception response is received from the system to be identified, determining that the system to be identified is a Conpot industrial control honeypot. Embodiments of the present invention offer high accuracy, strong discriminative power and good operability.

Description

Method for identifying a Conpot industrial control honeypot
Technical field
The present invention relates to the technical field of network security, and more particularly to a method for identifying a Conpot industrial control honeypot.
Background
In recent years a series of damaging security attacks on industrial control systems have occurred around the world. The attackers not only possess industrial control security knowledge and are skilled with network attack tools, but are also familiar with the business processes of industrial control systems. Their attack traffic is sparse, highly persistent and well concealed, and is difficult to detect with conventional security measures such as intrusion detection systems and firewalls. Academia and industry have therefore proposed trapping attackers with honeypot technology. An industrial control honeypot deployed in an industrial control network can lure attackers, delay the penetration of an industrial control threat, and capture attack traffic for analysis, improving the threat discovery capability of the industrial control system and providing strong security assurance for continuous production.
Once a honeypot is identified by an attacker it loses its value: it is a passive form of active defence that fails as soon as it is seen through. In recent years anti-honeypot research has become increasingly active; attackers systematically study how to identify and counter honeypots and share the resulting knowledge in hacker communities, which has caused many traditional honeypots to fail one after another. Against this background, improving the anti-identification capability of honeypots has become a research focus in network defence. Anti-honeypot technology refers to detecting the presence of honeypot software by various technical means in order to judge whether the attacked target is a honeypot environment.
In academia, research abroad on identifying traditional honeypots has produced a number of results, and many honeypot identification methods exist. Neal Krawetz first proposed an anti-honeypot technique that identifies SMTP honeypots by sending spam. Thorsten Holz gave a detailed account of identification techniques for various honeypots from both the network-layer and the system-layer perspective. For low-interaction honeypots, Tadayoshi Kohno et al. of the University of California, San Diego proposed a statistical identification method based on protocol clock skew. In 2015 Gajrani et al. proposed a method that identifies virtual-environment features by dynamically controlling the system. For high-interaction honeypots, since Sebek is indispensable when building a honeynet, detecting Sebek is the main way of inferring the presence of a honeypot. Joseph Corey proposed a Sebek detection method based on a dd attack: dd is run in the background while ping is run, and if Sebek is installed on the host the round-trip time of ping increases greatly, revealing the honeypot. Phrack proposed a kernel-module-based honeypot identification method that analyses information in memory such as the magic value and the source and destination port numbers.
In industry, the commercial anti-honeypot software Honeypot Hunter exists abroad, and Shodan, the largest device search engine, also has some honeypot identification capability. For industrial control honeypots, however, the closed nature of PLCs and the proprietary nature of their protocols mean that many methods suited to traditional honeypots no longer apply, so industrial control honeypot identification remains at a primary stage. The currently known foreign honeypot identification methods and products, and in particular identification methods for industrial control environments, cannot reach the basic requirements of industrial-grade identification in feasibility and effectiveness once honeypot software versions and system environments are updated. No literature shows that a domestic institution has begun systematic research on industrial control anti-honeypot technology. With the continuous renewal of systems and software versions, anti-honeypot research faces new challenges.
Summary of the invention
Embodiments of the present invention provide a method for identifying a Conpot industrial control honeypot that overcomes, or at least partially solves, the above problems.
In a first aspect, an embodiment of the present invention provides a method for identifying a Conpot industrial control honeypot, comprising:
splitting a first message, obtained in advance, into two parts;
sending the first part of the first message to a system to be identified and, after a preset time, sending the second part of the first message to the system to be identified, the preset time being the interval after which a Conpot industrial control honeypot disconnects an idle connection; and
if an exception response is received from the system to be identified, determining that the system to be identified is a Conpot industrial control honeypot.
In a second aspect, an embodiment of the present invention provides another method for identifying a Conpot industrial control honeypot, comprising:
splitting a first message, obtained in advance, into two parts such that the length of the first part of the first message is less than a preset number of bytes, the preset number of bytes being the shortest segment that a Conpot industrial control honeypot can recognise; and
sending the two parts of the first message to the system to be identified in succession and, if an exception response is received from the system to be identified, determining that the system to be identified is a Conpot industrial control honeypot.
In a third aspect, an embodiment of the present invention provides a device for identifying a Conpot industrial control honeypot, comprising:
a first splitting module, for splitting a first message, obtained in advance, into two parts;
a first sending module, for sending the first part of the first message to a system to be identified and, after a preset time, sending the second part of the first message to the system to be identified, the preset time being the interval after which a Conpot industrial control honeypot disconnects an idle connection; and
a first judgment module, for determining that the system to be identified is a Conpot industrial control honeypot if an exception response is received from the system to be identified.
In a fourth aspect, an embodiment of the present invention provides another device for identifying a Conpot industrial control honeypot, comprising:
a second splitting module, for splitting a first message, obtained in advance, into two parts such that the length of the first part of the first message is less than a preset number of bytes, the preset number of bytes being the shortest segment that a Conpot industrial control honeypot can recognise;
a second sending module, for sending the two parts of the first message to the system to be identified in succession; and
a second judgment module, for determining that the system to be identified is a Conpot industrial control honeypot if an exception response is received from the system to be identified.
In a fifth aspect, an embodiment of the present invention provides an electronic device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, the processor implementing the steps of the method of the first or second aspect when executing the program.
In a sixth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored, the program implementing the steps of the method of the first or second aspect when executed by a processor.
In the method for identifying a Conpot industrial control honeypot provided by embodiments of the present invention, a message is split into two parts; the first part is sent to the system to be identified and, after at least 5 seconds, the second part is sent to the system to be identified; if an exception response is received from the system to be identified, the system to be identified is determined to be a Conpot industrial control honeypot. The method offers high accuracy, strong discriminative power and good operability.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the method for identifying a Conpot industrial control honeypot provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of the method for identifying a Conpot industrial control honeypot according to another embodiment of the present invention;
Fig. 3 is a structural diagram of the device for identifying a Conpot industrial control honeypot provided by an embodiment of the present invention;
Fig. 4 is a structural diagram of the device for identifying a Conpot industrial control honeypot provided by another embodiment of the present invention;
Fig. 5 is a schematic diagram of the physical structure of the electronic device provided by an embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described below clearly and completely with reference to the drawings. The described embodiments are a part, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the present invention.
Conpot is a common type of industrial control honeypot. Fig. 1 is a flow diagram of the method for identifying a Conpot industrial control honeypot provided by an embodiment of the present invention; as shown in Fig. 1, the method comprises:
S101, splitting a first message, obtained in advance, into two parts;
S102, sending the first part of the first message to a system to be identified and, after a preset time, sending the second part of the first message to the system to be identified, the preset time being the interval after which a Conpot industrial control honeypot disconnects an idle connection;
S103, if an exception response is received from the system to be identified, determining that the system to be identified is a Conpot industrial control honeypot.
It should be noted that, in the implementation of the Conpot industrial control honeypot, to prevent a single connection from occupying bandwidth for a long time, sock.settimeout(timeout) is called with timeout set to 5: a Conpot industrial control honeypot keeps a connection on which nothing is communicated for 5 seconds, after which Conpot sends a FIN/ACK to disconnect it. A real device, because of its business requirements, performs no such disconnection and maintains a valid, stable connection for a long time. This is a significant difference in implementation between the Conpot framework and real devices.
Specifically, a normal message is split into two segments; the first segment is sent, and after 10 seconds the second segment is sent. If the device is a Conpot industrial control honeypot, the connection is disconnected automatically at 5 seconds, so sending the second segment produces an error reporting that the connection has been disconnected.
On the basis of the above embodiments, as an alternative embodiment, if a normal response is received from the system to be identified, a second message, obtained in advance, is split into two parts such that the length of the first part of the second message is less than a preset number of bytes, the preset number of bytes being the shortest segment that a Conpot industrial control honeypot can recognise;
the two parts of the second message are sent to the system to be identified in succession, and if an exception response is received from the system to be identified, the system to be identified is determined to be a Conpot industrial control honeypot.
Through in-depth analysis of the Modbus protocol parsing code in the Conpot industrial control honeypot, the embodiment of the present invention identifies the key point: Conpot first receives the first 7 bytes (the 7-byte MBAP header of Modbus/TCP: transaction identifier, protocol identifier, length and unit identifier), and if fewer than 7 bytes are received it treats the data as an invalid Modbus message, discards it, disconnects and ends the session. The Modbus protocol specification requires a message length greater than 7 bytes. If a normal Modbus message is forcibly cut so that the length of its first part is less than 7 bytes and the two parts are sent to a real device in succession, the real device responds normally; the Conpot implementation, however, does not account for fragmentation, so its protocol correctness check disconnects the connection, the attacker cannot obtain a correct response, and thereby recognises that the Modbus service is run by a Conpot honeypot.
It should be noted that, of the two methods proposed in the embodiment of the present invention, the first has a timing requirement: although the automatic disconnection time of a typical Conpot industrial control honeypot is 5 seconds, a Conpot industrial control honeypot configured with a longer timeout cannot be excluded, so a system that returns a normal response may still be a Conpot industrial control honeypot. The second method is derived from in-depth analysis of the Modbus parsing of the Conpot industrial control honeypot, does not need to wait for a fixed period, and is more accurate. Of the two identification methods, the first identifies the honeypot from a feature of its system-layer framework and the second from a feature of its protocol parsing; both identify the honeypot from features of the honeypot system itself.
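The two split-message probes described above (the idle-timeout split of Fig. 1 and the short-first-fragment split of the alternative embodiment), as an added example that is not code from the patent or from the Conpot project. Two constructed local TCP servers model the behaviours the patent attributes to Conpot (an idle timeout, and a first read of 7 bytes that must return a whole MBAP header) and to a real PLC (no idle timeout, full reassembly of the byte stream); the Modbus request, the scaled-down idle timeout of 0.3 seconds, the choice of the MBAP header boundary as the split point for the timeout probe, and the gap values are assumptions chosen so the example runs offline in a few seconds. Against a live target, set the idle timeout to the 5 seconds the patent states (so the first probe waits 10 seconds) and point the probes at the target's Modbus port.

```python
import socket
import socketserver
import struct
import threading
import time

# Constructed Modbus/TCP "Read Holding Registers" request: 7-byte MBAP header
# (transaction id 1, protocol id 0, length 6, unit id 1) followed by the PDU
# (function code 3, start address 0, quantity 2). 12 bytes in total.
READ_HOLDING_REGISTERS = struct.pack(">HHHB", 1, 0, 6, 1) + struct.pack(">BHH", 3, 0, 2)
MBAP_LEN = 7  # the "preset number of bytes": the header Conpot reads first


def build_response(request: bytes) -> bytes:
    """Minimal valid reply to a Read Holding Registers request (constant register values)."""
    tr_id, _, _, unit = struct.unpack(">HHHB", request[:7])
    fc, _, qty = struct.unpack(">BHH", request[7:12])
    regs = b"".join(struct.pack(">H", 0x1234) for _ in range(qty))
    pdu = struct.pack(">BB", fc, len(regs)) + regs
    return struct.pack(">HHHB", tr_id, 0, len(pdu) + 1, unit) + pdu


class ConpotLikeHandler(socketserver.BaseRequestHandler):
    """Model of the behaviour the patent describes: an idle timeout on the socket,
    and a first recv() of 7 bytes that must return a full header or the session is
    dropped. IDLE_TIMEOUT is an assumed test value; the patent states 5 seconds."""
    IDLE_TIMEOUT = 0.3

    def handle(self):
        self.request.settimeout(self.IDLE_TIMEOUT)
        try:
            head = self.request.recv(MBAP_LEN)
            if len(head) < MBAP_LEN:
                return  # short fragment: treated as invalid, connection dropped
            need = struct.unpack(">H", head[4:6])[0] - 1  # length field counts unit id + PDU
            body = b""
            while len(body) < need:
                chunk = self.request.recv(need - len(body))
                if not chunk:
                    return
                body += chunk
        except socket.timeout:
            return  # returning closes the socket: the FIN the patent mentions
        self.request.sendall(build_response(head + body))


class RealDeviceLikeHandler(socketserver.BaseRequestHandler):
    """Model of a PLC that keeps the session open and reassembles the stream
    however it was fragmented."""

    def handle(self):
        buf = b""
        while len(buf) < MBAP_LEN:
            chunk = self.request.recv(MBAP_LEN - len(buf))
            if not chunk:
                return
            buf += chunk
        total = MBAP_LEN + struct.unpack(">H", buf[4:6])[0] - 1
        while len(buf) < total:
            chunk = self.request.recv(total - len(buf))
            if not chunk:
                return
            buf += chunk
        self.request.sendall(build_response(buf))


def start_server(handler):
    """Start one of the models on an ephemeral loopback port; returns the server."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def split_probe(host, port, request, first_len, gap, reply_timeout=2.0):
    """Send request[:first_len], wait `gap` seconds, send the rest, classify the outcome."""
    with socket.create_connection((host, port), timeout=reply_timeout) as s:
        s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)  # do not let Nagle merge the parts
        try:
            s.sendall(request[:first_len])
            time.sleep(gap)
            s.sendall(request[first_len:])
            reply = s.recv(256)
        except (ConnectionResetError, BrokenPipeError):
            return "honeypot"  # session torn down: the "exception response"
        except socket.timeout:
            return "unknown"   # no reply and no reset: not evidence either way
    if not reply:
        return "honeypot"      # clean EOF: the peer had already sent FIN
    if reply[:2] == request[:2] and reply[7] == request[7]:
        return "real"          # transaction id and function code match: a normal response
    return "unknown"


def timeout_probe(host, port, idle_timeout):
    """Scheme 1: split at the header boundary, pause longer than the idle timeout."""
    return split_probe(host, port, READ_HOLDING_REGISTERS, MBAP_LEN, gap=idle_timeout * 2)


def short_fragment_probe(host, port):
    """Scheme 2: first fragment shorter than the 7-byte header; only a short gap is needed."""
    return split_probe(host, port, READ_HOLDING_REGISTERS, MBAP_LEN - 1, gap=0.3)


if __name__ == "__main__":
    for name, handler in (("conpot-like", ConpotLikeHandler), ("real-like", RealDeviceLikeHandler)):
        srv = start_server(handler)
        host, port = srv.server_address
        print(name, "timeout probe:", timeout_probe(host, port, ConpotLikeHandler.IDLE_TIMEOUT))
        print(name, "short-fragment probe:", short_fragment_probe(host, port))
        srv.shutdown()
        srv.server_close()
```

A reset or EOF is not only produced by a honeypot: a firewall or IDS that drops idle or malformed sessions gives the same "exception response", and a target that never replies is reported as "unknown" rather than as a honeypot, so the verdict should be confirmed with the IP-feature and protocol-level checks the patent goes on to describe.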
On the basis of the above embodiments, as an alternative embodiment, after sending the second part of the first message to the system to be identified, or sending the two parts of the second message to the system to be identified in succession, the method further comprises:
if a normal response is received from the system to be identified, identifying the system according to one or more of: the difference between the location of its IP address and the industrial environment where it is actually located; whether its IP address is provided by an ISP; and whether its IP address appears in a preset threat intelligence database. Specifically:
if the difference between the location of the IP address of the system to be identified and the industrial environment where it is actually located exceeds a first preset threshold, the system to be identified is determined to be a Conpot industrial control honeypot.
It should be noted that geographical location can be determined by many means, for example IP geolocation websites. The embodiment of the present invention can locate an IP address effectively, with a precision within 500 metres. The difference between the industrial environment where the real device is located and the geographical location of its IP address is analysed per ISP; if the IP location differs greatly from the actual industrial control environment, the embodiment of the present invention judges that the device is more likely to be a honeypot.
If the IP address of the system to be identified is provided by an Internet service provider, the system to be identified is determined to be a Conpot industrial control honeypot.
An ISP (Internet Service Provider) is a telecommunications operator that provides comprehensive Internet access, information services and value-added services to users. An ICP (Internet Content Provider) is a telecommunications operator that provides Internet information services and value-added services.
In the Internet application service chain "equipment supplier - basic network operator - content collector and producer - service provider - user", ISPs and ICPs occupy the positions of content collector, producer and service provider. The services a given ISP provides are relatively specialised and stable, and with global IPv4 addresses now scarce it is rare for an ISP to provide a separate real IP address for a honeypot. By this business logic, honeypots are mostly placed on IP addresses provided by cloud server providers, so the embodiment of the present invention determines whether the device owning an IP address is a honeypot by determining whether its ISP is a cloud server provider.
If the IP address of the system to be identified appears in the preset threat intelligence database, the system to be identified is determined to be a Conpot industrial control honeypot.
The threat intelligence database provides the features or threat intelligence previously associated with an IP address on the network, from which the specific type of the device at that address is determined. For example, if a threat intelligence site shows that the IP address of an industrial control device was once used by an IDC server, it can essentially be concluded that the device using that IP address is a honeypot.
It should be noted that the above three identification methods using IP features can each be used on their own. Because identification by IP features involves a quantisation step and judges whether a system is an industrial control honeypot from the quantised value, accurate thresholds are needed; the embodiment of the present invention obtains more accurate thresholds by statistics over large amounts of data.
On the basis of the above embodiments, as an alternative embodiment, identifying the system according to one or more of the difference between the location of its IP address and the industrial environment where it is actually located, whether its IP address is provided by an ISP, and whether its IP address appears in the preset threat intelligence database specifically comprises:
if the difference between the location of the IP address of the system to be identified and the industrial environment where it is actually located is less than the first preset threshold, querying the provider of the IP address of the system to be identified on the public Internet; if no more than a second preset threshold number of information sources show that the IP address of the system to be identified is provided by an Internet service provider, continuing to identify the system according to whether its IP address appears in the preset threat intelligence database.
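The sequential IP-feature decision chain of the preceding paragraph, as an added example that is not from the patent. The geolocation records, ISP lookup results, cloud-provider list, threat feed entries, plant coordinates and both thresholds are constructed placeholders (RFC 5737 documentation addresses); the patent derives the real thresholds from statistics over large datasets, and in practice the three dictionaries would be filled from a geolocation service, several WHOIS/ASN sources and a threat intelligence feed.

```python
import math

# Constructed lookup data standing in for the external services (placeholder values).
PLANT_SITE = (40.00, 116.00)            # assumed coordinates of the industrial site (lat, lon)
GEO = {                                 # IP -> geolocation result (lat, lon)
    "198.51.100.7": (40.01, 116.02),
    "203.0.113.9": (40.02, 115.98),
    "192.0.2.44": (22.30, 114.20),
    "192.0.2.10": (39.99, 116.01),
}
ISP_SOURCES = {                         # IP -> provider named by each public information source
    "198.51.100.7": ["ExampleCloud", "ExampleCloud", "ExampleCloud"],
    "203.0.113.9": ["ExampleTelecom", "ExampleTelecom", "ExampleCloud"],
    "192.0.2.44": ["ExampleTelecom"],
    "192.0.2.10": ["ExampleTelecom", "ExampleTelecom"],
}
CLOUD_PROVIDERS = {"ExampleCloud"}      # ISPs treated as cloud server providers
THREAT_FEED = {"203.0.113.9": "previously observed as an IDC server"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def classify_ip(ip, site=PLANT_SITE, geo=GEO, isp_sources=ISP_SOURCES,
                cloud=CLOUD_PROVIDERS, feed=THREAT_FEED,
                distance_km_threshold=50.0, cloud_source_threshold=2):
    """Apply the three IP features in the order the patent describes.
    Returns (verdict, reason); 'undetermined' hands over to the protocol-level checks."""
    lat, lon = geo[ip]
    distance = haversine_km(site[0], site[1], lat, lon)
    if distance > distance_km_threshold:              # first threshold: geolocation mismatch
        return "honeypot", f"IP geolocates {distance:.0f} km from the plant"
    cloud_votes = sum(1 for src in isp_sources.get(ip, []) if src in cloud)
    if cloud_votes > cloud_source_threshold:          # second threshold: sources naming a cloud ISP
        return "honeypot", f"{cloud_votes} sources name a cloud server provider"
    if ip in feed:                                    # third feature: threat intelligence hit
        return "honeypot", f"threat feed: {feed[ip]}"
    return "undetermined", "no IP feature triggered; continue with protocol checks"


if __name__ == "__main__":
    for ip in GEO:
        print(ip, *classify_ip(ip))
```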
On the basis of the above embodiments, as an alternative embodiment, if the IP address of the system to be identified does not appear in the preset threat intelligence database, the system is identified according to one or more of the completeness of its protocol implementation, the variation of its system status information, and its time-series status.
Specifically, whether the device is a honeypot is verified from the completeness of its protocol implementation: whether the protocol function codes are implemented completely distinguishes a honeypot from a real device. This can be done by sending rarely used request messages to the device and judging the completeness of its protocol implementation from the responses.
Investigation shows that in current Conpot industrial control honeypots the device status information is preset or randomly generated, whereas the values in a real industrial control environment follow a normal distribution within a certain range and show a certain regularity. Even a stable industrial control environment is not constant: coil states, buffer states, file records, temperatures, valve states and similar information differ with the current operating state of the system. Comparing whether the system status information changes across different time periods is an effective way of judging whether the current system is a real system.
In many honeypot implementations the above status information is fixed and unchanging, which does not match real industrial business logic. The embodiment of the present invention obtains the data in the system that is prone to change because of production needs, and judges whether the device is a honeypot by whether that data changes over a period of time.
If a honeypot is of sufficiently high fidelity, combinations of multiple operations are needed, and identification is based on whether specific features change after the combination. The following combination schemes are drafted:
(1) read coil + write coil + read coil
(2) read register + mask-write register + write register + read register
(3) random combination of operations + read file record
A low-interaction honeypot has no function for passively changing the device's various information from outside, so the idea is to change the device's control information remotely and then query whether the system status information changes accordingly; if it does not, the device is very probably a honeypot. Against a real device in an industrial control scenario, however, this method may cause unpredictable harm, so on the premise of safety it is not used as one of the main honeypot identification methods but as an alternative means of verifying a honeypot.
On the basis of the above embodiments, as an alternative embodiment, identifying the system according to one or more of the completeness of its protocol implementation, the variation of its system status information and its time-series status specifically comprises:
if the protocol completeness of the system to be identified is below a third preset threshold, determining that the system to be identified is a Conpot industrial control honeypot; otherwise comparing the variation of the system status information at different times, and if the system status information does not change, or changes irregularly, determining that the system to be identified is a Conpot industrial control honeypot; if the system status information changes regularly, actively changing the control information of the system to be identified and identifying the system by whether its status information changes: if the status information changes, the system to be identified is determined not to be a Conpot honeypot.
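The read coil + write coil + read coil combination (scheme (1) above) together with the "does the state follow the write" decision of the preceding paragraph, as an added example that is not code from the patent or from Conpot. The frames use Modbus function codes 1 (Read Coils) and 5 (Write Single Coil); the transport callback and the two device models are constructed so the probe runs offline, and against a real device the callback would send each ADU over a TCP socket to the Modbus port. As the patent warns, writing coils on production equipment can cause harm: the probe restores the coil to the value it found, and should only be run where that is acceptable.

```python
import struct
from typing import Callable

Transact = Callable[[bytes], bytes]   # sends one Modbus/TCP ADU and returns the reply ADU


def mbap(tr_id: int, pdu: bytes, unit: int = 1) -> bytes:
    """Prefix a PDU with the 7-byte MBAP header (the length field counts unit id + PDU)."""
    return struct.pack(">HHHB", tr_id, 0, len(pdu) + 1, unit) + pdu


def read_coils(transact: Transact, tr_id: int, addr: int, qty: int) -> list:
    """Function code 1: returns the coil states, first coil in the lowest bit."""
    reply = transact(mbap(tr_id, struct.pack(">BHH", 1, addr, qty)))
    fc, nbytes = reply[7], reply[8]
    if fc != 1:
        raise RuntimeError(f"exception reply, function code {fc:#x}")
    bits = int.from_bytes(reply[9:9 + nbytes], "little")
    return [bool(bits >> i & 1) for i in range(qty)]


def write_single_coil(transact: Transact, tr_id: int, addr: int, on: bool) -> None:
    """Function code 5: value 0xFF00 switches the coil on, 0x0000 off."""
    reply = transact(mbap(tr_id, struct.pack(">BHH", 5, addr, 0xFF00 if on else 0x0000)))
    if reply[7] != 5:
        raise RuntimeError(f"exception reply, function code {reply[7]:#x}")


def read_write_read_probe(transact: Transact, addr: int = 0) -> str:
    """Scheme (1): read a coil, flip it, read it back, then restore it.
    A device whose state does not follow the write is classified 'honeypot'."""
    before = read_coils(transact, 1, addr, 1)[0]
    write_single_coil(transact, 2, addr, not before)
    after = read_coils(transact, 3, addr, 1)[0]
    write_single_coil(transact, 4, addr, before)   # put the coil back as found
    return "real" if after != before else "honeypot"


class CoilDevice:
    """Constructed device model. honours_writes=False imitates the fixed, preset
    state the patent attributes to low-interaction honeypots; the write is still
    acknowledged normally, so only the read-back reveals the difference."""

    def __init__(self, coils, honours_writes: bool):
        self.coils = list(coils)
        self.honours_writes = honours_writes

    def transact(self, adu: bytes) -> bytes:
        tr_id, _, _, unit = struct.unpack(">HHHB", adu[:7])
        fc = adu[7]
        if fc == 1:
            addr, qty = struct.unpack(">HH", adu[8:12])
            bits = 0
            for i, state in enumerate(self.coils[addr:addr + qty]):
                bits |= int(state) << i
            nbytes = (qty + 7) // 8
            pdu = bytes([1, nbytes]) + bits.to_bytes(nbytes, "little")
        elif fc == 5:
            addr, value = struct.unpack(">HH", adu[8:12])
            if self.honours_writes:
                self.coils[addr] = value == 0xFF00
            pdu = adu[7:12]                      # Modbus echoes a successful write request
        else:
            pdu = bytes([fc | 0x80, 0x01])       # exception code 01: illegal function
        return mbap(tr_id, pdu, unit)


if __name__ == "__main__":
    for name, honours in (("real-like PLC", True), ("honeypot-like", False)):
        dev = CoilDevice([False, True, False], honours_writes=honours)
        print(name, "->", read_write_read_probe(dev.transact, addr=1), dev.coils)
```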
On the basis of the above embodiments, identifying the system by whether its status information changes after its control information is actively changed further comprises:
if the system status information does not change, identifying the system to be identified according to one or more of its protocol fingerprint, network load, network traffic delay features, routing features and redirection features.
Specifically, different operating systems respond with different data characteristics when handling network information; this is the system's "fingerprint". The fingerprint of a system originates in its TCP/IP protocol stack implementation. Operating system fingerprinting based on the TCP/IP stack is a mature technique, and common tools include Nmap and Queso. This identification scheme has worked very well in practice for identifying the Honeyd honeypot. For example, the TCP/IP stack implementation of Honeyd version 0.8 differs significantly from a real system in how it handles IP packet fragmentation: the design of the IP fragment reassembly part of Honeyd has a serious flaw. The protocol number is not handled in Honeyd's Ipfrag.c, so Honeyd cannot determine whether to reassemble IP fragments whose source and destination addresses match but whose protocol field values differ. In addition, the operating systems and services simulated by Honeyd differ substantively from a real operating system during the three-way handshake. In the second step of the handshake, after the server sends a SYN/ACK packet, a real operating system retransmits it if no ACK is received from the client; if no ACK arrives after a further wait it retransmits again, until the number of retransmissions exceeds the system's maximum, at which point the connection is cut. Because of a defect in its implementation, Honeyd has no such retransmission mechanism.
Identification by network load uses the difference between the maximum network load a real device and a honeypot can bear, or alternatively between the maximum numbers of connections they allow. Several honeypot systems running on the same physical machine use resources peacefully while system resources are sufficient, each serving its purpose, but when resources run short they contend for them. Real hosts use their resources independently and show no such contention. Because of resource contention, honeypots generate responses during interaction that differ from their normal state, and these differing responses make a honeypot easy to distinguish from a real device. Therefore, when the load on one system is increased, for example by a high-traffic attack, comparing the response speed of the other systems at that time with their normal response speed reveals whether honeypot systems have been detected.
Detection based on network traffic delay features relies on most honeypots responding to ICMP ECHO (ping) more slowly than a real system. Experiments show that fluctuation in the delay of ICMP ping responses can effectively identify honeypots.
Routing and redirection features use the time-to-live (TTL) to judge whether a device is a honeypot virtualised by Honeyd. A packet is given a TTL value (in seconds or in hops) and then counts down. In the IP protocol the TTL is in hops; it is decremented by one at each router, and the packet is dropped when its TTL reaches 0. This prevents a packet that cannot reach its destination from circulating on the network forever. Experiments show that the TTL of a honeypot virtualised by Honeyd does not decrease with the routers the packet passes through; its value is a fixed value set artificially, which does not match the real situation. The embodiment of the present invention can therefore effectively identify honeypots virtualised by Honeyd from this point.
Fig. 2 is a flow diagram of the identification method for a Conpot industrial control honeypot according to another embodiment of the present invention. As shown in Fig. 2, the method comprises:
S201: splitting a first message obtained in advance into two parts, wherein the length of the first part of the first message is less than a preset byte count, the preset byte count being the shortest byte sequence that the Conpot industrial control honeypot can identify;
S202: sending the two parts of the first message to the system to be identified in succession;
S203: if an abnormal response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot.
On the basis of the above embodiments, as an alternative embodiment, after sending the two parts of the first message to the system to be identified in succession, the method further comprises:
if a normal response fed back by the system to be identified is received, splitting a second message obtained in advance into two parts;
sending the first part of the second message to the system to be identified and, after a preset time, continuing by sending the second part of the second message to the system to be identified, the preset time being the disconnection duration of the Conpot industrial control honeypot;
if an abnormal response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot.
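As an added illustration (not code from the patent or from the Conpot project), the following Python simulation runs the two split-message probes of steps S201-S203 and the alternative embodiment above against two constructed in-process targets: one modelling the two Conpot behaviours the method relies on (a disconnect timeout and a shortest parsable fragment), one modelling a real device that simply buffers the TCP stream. The Modbus/TCP request, the 5 s timeout and the 7-byte minimum are constructed values, not Conpot's actual parameters.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed Modbus/TCP "read holding registers" request: 7-byte MBAP header
# (transaction 1, protocol 0, length 6, unit 1) + function code 3, address 0, quantity 1.
MODBUS_READ = bytes.fromhex("000100000006010300000001")
MBAP_LEN = 7

ABNORMAL, NORMAL = "abnormal", "normal"


@dataclass
class ConpotLike:
    """Constructed model of the two behaviours the method relies on (not Conpot's code):
    it tears the connection down after `disconnect_after` idle seconds, and it fails
    on an opening fragment shorter than `min_bytes`, the shortest unit it can parse."""
    disconnect_after: float
    min_bytes: int
    _buf: bytes = b""
    _last: Optional[float] = None
    _closed: bool = False

    def send(self, fragment: bytes, now: float) -> Optional[str]:
        if self._closed:
            return ABNORMAL                      # peer already dropped the connection
        if self._last is not None and now - self._last > self.disconnect_after:
            self._closed = True
            return ABNORMAL                      # idle timeout expired between fragments
        self._last = now
        if not self._buf and len(fragment) < self.min_bytes:
            self._closed = True
            return ABNORMAL                      # opening fragment too short to parse
        self._buf += fragment
        if len(self._buf) >= len(MODBUS_READ):
            self._buf = b""
            return NORMAL
        return None                              # still waiting for the rest


@dataclass
class RealDeviceLike:
    """Constructed model of a real device: TCP is a byte stream, so it just buffers
    fragments however they are split and answers once the request is complete."""
    _buf: bytes = b""

    def send(self, fragment: bytes, now: float) -> Optional[str]:
        self._buf += fragment
        if len(self._buf) >= len(MODBUS_READ):
            self._buf = b""
            return NORMAL
        return None


def timing_probe(target, message: bytes, preset_time: float, start: float = 0.0) -> bool:
    """Steps S101-S103: send the first part (here, the MBAP header), wait the preset
    time (the Conpot disconnect duration), then send the second part. True = abnormal."""
    target.send(message[:MBAP_LEN], start)
    reply = target.send(message[MBAP_LEN:], start + preset_time + 0.001)
    return reply == ABNORMAL


def short_fragment_probe(target, message: bytes, preset_bytes: int, start: float = 0.0) -> bool:
    """Steps S201-S203: first part shorter than the preset byte count, both parts sent
    back to back with no deliberate pause. True = abnormal response."""
    cut = preset_bytes - 1
    target.send(message[:cut], start)
    reply = target.send(message[cut:], start + 0.01)
    return reply == ABNORMAL


def identify(connect: Callable[[], object], preset_time: float, preset_bytes: int) -> str:
    """Fig. 2 order with the alternative embodiment: short-fragment probe first and, only
    on a normal response, the timing probe; each probe uses a fresh connection."""
    if short_fragment_probe(connect(), MODBUS_READ, preset_bytes):
        return "HoneyPot"
    if timing_probe(connect(), MODBUS_READ, preset_time):
        return "HoneyPot"
    return "RealDevice"


if __name__ == "__main__":
    honeypot = lambda: ConpotLike(disconnect_after=5.0, min_bytes=7)  # hypothetical values
    print(identify(honeypot, preset_time=5.0, preset_bytes=7))        # HoneyPot
    print(identify(RealDeviceLike, preset_time=5.0, preset_bytes=7))  # RealDevice
```

The same harness, pointed at a lab instance instead of the in-process models, lets a honeypot operator check whether a deployment answers these two probes differently from the device it imitates.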
On the basis of the above embodiments, as an alternative embodiment, after sending the two parts of the first message to the system to be identified in succession, or after continuing by sending the second part of the second message to the system to be identified, the method further comprises:
if a normal response fed back by the system to be identified is received, performing identification according to one or more of: the difference between the IP geolocation of the system to be identified and the industrial environment where it is actually located; whether the IP of the system to be identified is provided by an ISP; and whether the IP of the system to be identified appears in a preset threat intelligence database.
On the basis of the above embodiments, as an alternative embodiment, performing identification according to one or more of the difference between the IP geolocation of the system to be identified and the industrial environment where it is actually located, whether the IP of the system to be identified is provided by an ISP, and whether the IP of the system to be identified appears in a preset threat intelligence database specifically comprises:
if the difference between the IP geolocation of the system to be identified and the industrial environment where it is actually located is greater than a first preset threshold, determining that the system to be identified is a Conpot industrial control honeypot;
querying the provider of the IP of the system to be identified on the public network, and if more than a second preset threshold number of information sources show that the IP of the system to be identified is provided by an Internet service provider, determining that the system to be identified is a Conpot industrial control honeypot; or
if the IP of the system to be identified appears in the preset threat intelligence database, determining that the system to be identified is a Conpot industrial control honeypot.
On the basis of the above embodiments, as an alternative embodiment, performing identification according to one or more of the difference between the IP geolocation of the system to be identified and the industrial environment where it is actually located, whether the IP of the system to be identified is provided by an ISP, and whether the IP of the system to be identified appears in a preset threat intelligence database specifically comprises:
if the difference between the IP geolocation of the system to be identified and the industrial environment where it is actually located is less than the first preset threshold, continuing by querying the provider of the IP of the system to be identified on the public network, and if no more than the second preset threshold number of information sources show that the IP of the system to be identified is provided by an Internet service provider, continuing by performing identification according to whether the IP of the system to be identified appears in the preset threat intelligence database.
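As an added illustration (not the patent's code), the following Python implements the IP-based stage as the two alternatives above lay it out, with the geolocation difference measured as a great-circle distance. The coordinates, the provider labels, the 100 km and two-source thresholds and the threat-list entry are constructed, and the haversine distance is an assumption of this example, since the text does not say how the difference is measured.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import FrozenSet, Sequence, Tuple

EARTH_RADIUS_KM = 6371.0


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in kilometres between two (latitude, longitude) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


@dataclass(frozen=True)
class IpEvidence:
    """Inputs the IP stage needs; in practice they come from external lookups."""
    ip: str
    geo: Tuple[float, float]        # where the IP geolocates to
    site: Tuple[float, float]       # where the industrial environment actually is
    provider_kinds: Sequence[str]   # one label per public source, e.g. "ISP" or "Enterprise"


def identify_by_ip(ev: IpEvidence, first_threshold_km: float, second_threshold: int,
                   threat_db: FrozenSet[str]) -> Tuple[str, str]:
    """Returns (label, reason). The first alternative gives the three positive rules; the
    second gives the order in which checking continues when a rule does not fire. A
    difference exactly equal to the first threshold is not covered by the text and is
    treated here as 'continue'."""
    distance = haversine_km(ev.geo, ev.site)
    if distance > first_threshold_km:
        return "HoneyPot", f"ip geolocates {distance:.0f} km from the industrial site"
    isp_sources = sum(1 for kind in ev.provider_kinds if kind == "ISP")
    if isp_sources > second_threshold:
        return "HoneyPot", f"{isp_sources} public sources report an ISP-provided address"
    if ev.ip in threat_db:
        return "HoneyPot", "ip listed in the preset threat intelligence database"
    return "RealDevice", "no IP-level indicator fired"


if __name__ == "__main__":
    # Constructed sample: site near Beijing, geolocation near Shanghai, a tiny threat list
    # holding a TEST-NET-1 placeholder address.
    BEIJING, SHANGHAI = (39.9042, 116.4074), (31.2304, 121.4737)
    THREAT_DB = frozenset({"192.0.2.10"})
    far = IpEvidence("198.51.100.1", SHANGHAI, BEIJING, ["Enterprise"])
    listed = IpEvidence("192.0.2.10", BEIJING, BEIJING, ["ISP", "Enterprise"])
    print(identify_by_ip(far, 100.0, 2, THREAT_DB))      # HoneyPot, distance rule
    print(identify_by_ip(listed, 100.0, 2, THREAT_DB))   # HoneyPot, threat-intelligence rule
```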
Fig. 3 is a structural schematic diagram of an identification device for a Conpot industrial control honeypot provided in an embodiment of the present invention. As shown in Fig. 3, the identification device for the Conpot industrial control honeypot comprises a first splitting module 301, a first sending module 302 and a first judgment module 303, wherein:
the first splitting module 301 is configured to split a first message obtained in advance into two parts;
the first sending module 302 is configured to send the first part of the first message to the system to be identified and, after a preset time, to continue by sending the second part of the first message to the system to be identified, the preset time being the disconnection duration of the Conpot industrial control honeypot;
the first judgment module 303 is configured to determine, if an abnormal response fed back by the system to be identified is received, that the system to be identified is a Conpot industrial control honeypot.
The identification device for a Conpot industrial control honeypot provided in the embodiment of the present invention specifically executes the flow of each of the above embodiments of the identification method for a Conpot industrial control honeypot; for details, refer to the content of those method embodiments, which is not repeated here. The identification device for a Conpot industrial control honeypot provided in the embodiment of the present invention has the characteristics of high accuracy, strong discriminability and strong operability.
Fig. 4 is a structural schematic diagram of an identification device for a Conpot industrial control honeypot provided in another embodiment of the present invention. As shown in Fig. 4, the identification device for the Conpot industrial control honeypot comprises:
a second splitting module 402, configured to split a first message obtained in advance into two parts, wherein the length of the first part of the first message is less than a preset byte count, the preset byte count being the shortest byte sequence that the Conpot industrial control honeypot can identify;
a second sending module 402, configured to send the two parts of the first message to the system to be identified in succession;
a second judgment module 403, configured to determine, if an abnormal response fed back by the system to be identified is received, that the system to be identified is a Conpot industrial control honeypot.
The identification device for a Conpot industrial control honeypot provided in the embodiment of the present invention specifically executes the flow of each of the above embodiments of the identification method for a Conpot industrial control honeypot; for details, refer to the content of those method embodiments, which is not repeated here. The identification device for a Conpot industrial control honeypot provided in the embodiment of the present invention has the characteristics of high accuracy, strong discriminability and strong operability.
Fig. 5 is a schematic diagram of the physical structure of an electronic device provided in an embodiment of the present invention. As shown in Fig. 5, the electronic device may comprise a processor 510, a communication interface (Communications Interface) 520, a memory 530 and a communication bus 540, wherein the processor 510, the communication interface 520 and the memory 530 communicate with one another through the communication bus 540. The processor 510 can call a computer program stored in the memory 530 and runnable on the processor 510 to execute the identification method for a Conpot industrial control honeypot provided in the above embodiments, for example: splitting a first message obtained in advance into two parts; sending the first part of the first message to the system to be identified and, after a preset time, continuing by sending the second part of the first message to the system to be identified, the preset time being the disconnection duration of the Conpot industrial control honeypot; and if an abnormal response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot. Alternatively: splitting a first message obtained in advance into two parts, wherein the length of the first part of the first message is less than a preset byte count, the preset byte count being the shortest byte sequence that the Conpot industrial control honeypot can identify; sending the two parts of the first message to the system to be identified in succession; and if an abnormal response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot.
In addition, the logical instructions in the memory 530 may be implemented in the form of software functional units and, when sold or used as an independent product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiments of the present invention, in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods of the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
The embodiments of the present invention also provide a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program carries out the identification method for a Conpot industrial control honeypot provided in the above embodiments, for example: splitting a first message obtained in advance into two parts; sending the first part of the first message to the system to be identified and, after a preset time, continuing by sending the second part of the first message to the system to be identified, the preset time being the disconnection duration of the Conpot industrial control honeypot; and if an abnormal response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot. Alternatively: splitting a first message obtained in advance into two parts, wherein the length of the first part of the first message is less than a preset byte count, the preset byte count being the shortest byte sequence that the Conpot industrial control honeypot can identify; sending the two parts of the first message to the system to be identified in succession; and if an abnormal response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot.
By obtaining Internet-wide industrial control device data, the embodiments of the present invention have functionally optimized the honeypot identification method and strengthened its robustness. The format fields of an identification result are IP, protocol and identification result.
The identification result takes one of the following four forms:
(1) IpNotSurvival: the IP is not alive; because of a network cause or because the ICMP service is closed, it cannot be pinged;
(2) RejectInteraction: the IP is alive but refuses connections; presumably because of a closed port, a firewall or the like, no effective connection can be established;
(3) HoneyPot: the device is identified as a honeypot;
(4) RealDevice: the device is identified as a real device.
This test first obtained 830966 IPs with port 502 open, 1320600 IPs with port 102 open and 2670806 IPs with port 2404 open. After screening, 2155 industrial control devices running the S7 protocol, 5870 devices running the Modbus protocol and 362 devices running the IEC104 protocol remained.
The above devices were identified with the honeypot identification method proposed in the embodiments of the present invention and the result was compared with Shodan's identification result: Shodan found only 345 Conpot honeypots worldwide, whereas the honeypot identification method proposed in the embodiments of the present invention identified as many as 2432 honeypots, about 7 times Shodan's result.
A portion of the results was extracted to verify coverage against Shodan. The device with IP 129.2.27.108 that is marked HoneyPot in the honeypot results was chosen and looked up in Shodan, which was found unable to determine it to be a honeypot. From the honeypot's scan information, however, the embodiment of the present invention can also clearly see that the open port is 502 while the device identification is Siemens SIMATIC S7-200, evidently a Siemens S7 device; evidently there is an error in the configuration information of this Conpot honeypot, which Shodan cannot identify, whereas the honeypot identification method proposed in the embodiments of the present invention can effectively identify this Conpot honeypot. It can be seen that the honeypot identification method proposed in the embodiments of the present invention has higher resolution and accuracy than Conpot.
The apparatus embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and of course also by hardware. Based on this understanding, the above technical solution, in essence, or the part that contributes to the prior art, may be embodied in the form of a software product, which may be stored in a computer-readable storage medium such as a ROM/RAM, a magnetic disk or an optical disk and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An identification method for a Conpot industrial control honeypot, characterized in that it comprises:
splitting a first message obtained in advance into two parts;
sending the first part of the first message to a system to be identified and, after a preset time, continuing by sending the second part of the first message to the system to be identified, the preset time being the disconnection duration of the Conpot industrial control honeypot;
if an abnormal response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot.
2. The identification method for a Conpot industrial control honeypot according to claim 1, characterized in that after continuing by sending the second part of the first message to the system to be identified, the method further comprises:
if a normal response fed back by the system to be identified is received, splitting a second message obtained in advance into two parts, wherein the length of the first part of the second message is less than a preset byte count, the preset byte count being the shortest byte sequence that the Conpot industrial control honeypot can identify;
sending the two parts of the second message to the system to be identified in succession, and if an abnormal response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot.
3. The identification method for a Conpot industrial control honeypot according to claim 2, characterized in that after continuing by sending the second part of the first message to the system to be identified, or after sending the two parts of the second message to the system to be identified in succession, the method further comprises:
if a normal response fed back by the system to be identified is received, performing identification according to one or more of: the difference between the IP geolocation of the system to be identified and the industrial environment where it is actually located; whether the IP of the system to be identified is provided by an ISP; and whether the IP of the system to be identified appears in a preset threat intelligence database.
4. The identification method for a Conpot industrial control honeypot according to claim 3, characterized in that performing identification according to one or more of the difference between the IP geolocation of the system to be identified and the industrial environment where it is actually located, whether the IP of the system to be identified is provided by an ISP, and whether the IP of the system to be identified appears in a preset threat intelligence database specifically comprises:
if the difference between the IP geolocation of the system to be identified and the industrial environment where it is actually located is greater than a first preset threshold, determining that the system to be identified is a Conpot industrial control honeypot;
querying the provider of the IP of the system to be identified on the public network, and if more than a second preset threshold number of information sources show that the IP of the system to be identified is provided by an Internet service provider, determining that the system to be identified is a Conpot industrial control honeypot; or
if the IP of the system to be identified appears in the preset threat intelligence database, determining that the system to be identified is a Conpot industrial control honeypot.
5. The identification method for a Conpot industrial control honeypot according to claim 3, characterized in that performing identification according to one or more of the difference between the IP geolocation of the system to be identified and the industrial environment where it is actually located, whether the IP of the system to be identified is provided by an ISP, and whether the IP of the system to be identified appears in a preset threat intelligence database specifically comprises:
if the difference between the IP geolocation of the system to be identified and the industrial environment where it is actually located is less than the first preset threshold, continuing by querying the provider of the IP of the system to be identified on the public network, and if no more than the second preset threshold number of information sources show that the IP of the system to be identified is provided by an Internet service provider, continuing by performing identification according to whether the IP of the system to be identified appears in the preset threat intelligence database.
6. An identification method for a Conpot industrial control honeypot, characterized in that it comprises:
splitting a first message obtained in advance into two parts, wherein the length of the first part of the first message is less than a preset byte count, the preset byte count being the shortest byte sequence that the Conpot industrial control honeypot can identify;
sending the two parts of the first message to a system to be identified in succession;
if an abnormal response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot.
7. The identification method for a Conpot industrial control honeypot according to claim 6, characterized in that after sending the two parts of the first message to the system to be identified in succession, the method further comprises:
if a normal response fed back by the system to be identified is received, splitting a second message obtained in advance into two parts;
sending the first part of the second message to the system to be identified and, after a preset time, continuing by sending the second part of the second message to the system to be identified, the preset time being the disconnection duration of the Conpot industrial control honeypot;
if an abnormal response fed back by the system to be identified is received, determining that the system to be identified is a Conpot industrial control honeypot.
8. The identification method for a Conpot industrial control honeypot according to claim 7, characterized in that after sending the two parts of the first message to the system to be identified in succession, or after continuing by sending the second part of the second message to the system to be identified, the method further comprises:
if a normal response fed back by the system to be identified is received, performing identification according to one or more of: the difference between the IP geolocation of the system to be identified and the industrial environment where it is actually located; whether the IP of the system to be identified is provided by an ISP; and whether the IP of the system to be identified appears in a preset threat intelligence database.
9. The identification method for a Conpot industrial control honeypot according to claim 8, characterized in that performing identification according to one or more of the difference between the IP geolocation of the system to be identified and the industrial environment where it is actually located, whether the IP of the system to be identified is provided by an ISP, and whether the IP of the system to be identified appears in a preset threat intelligence database specifically comprises:
if the difference between the IP geolocation of the system to be identified and the industrial environment where it is actually located is greater than a first preset threshold, determining that the system to be identified is a Conpot industrial control honeypot;
querying the provider of the IP of the system to be identified on the public network, and if more than a second preset threshold number of information sources show that the IP of the system to be identified is provided by an Internet service provider, determining that the system to be identified is a Conpot industrial control honeypot; or
if the IP of the system to be identified appears in the preset threat intelligence database, determining that the system to be identified is a Conpot industrial control honeypot.
10. The identification method for a Conpot industrial control honeypot according to claim 8, characterized in that performing identification according to one or more of the difference between the IP geolocation of the system to be identified and the industrial environment where it is actually located, whether the IP of the system to be identified is provided by an ISP, and whether the IP of the system to be identified appears in a preset threat intelligence database specifically comprises:
if the difference between the IP geolocation of the system to be identified and the industrial environment where it is actually located is less than the first preset threshold, continuing by querying the provider of the IP of the system to be identified on the public network, and if no more than the second preset threshold number of information sources show that the IP of the system to be identified is provided by an Internet service provider, continuing by performing identification according to whether the IP of the system to be identified appears in the preset threat intelligence database.
CN201910435098.6A 2019-05-23 2019-05-23 Identification method of Conpot industrial control honeypot Active CN110266650B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910435098.6A CN110266650B (en) 2019-05-23 2019-05-23 Identification method of Conpot industrial control honeypot

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910435098.6A CN110266650B (en) 2019-05-23 2019-05-23 Identification method of Conpot industrial control honeypot

Publications (2)

Publication Number Publication Date
CN110266650A true CN110266650A (en) 2019-09-20
CN110266650B CN110266650B (en) 2020-05-29

Family

ID=67915251

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910435098.6A Active CN110266650B (en) 2019-05-23 2019-05-23 Identification method of Conpot industrial control honeypot

Country Status (1)

Country Link
CN (1) CN110266650B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110677414A (en) * 2019-09-27 2020-01-10 北京知道创宇信息技术股份有限公司 Network detection method and device, electronic equipment and computer readable storage medium
CN111212053A (en) * 2019-12-27 2020-05-29 太原理工大学 Industrial control honeypot-oriented homologous attack analysis method
CN112235241A (en) * 2020-09-08 2021-01-15 广州大学 Industrial control honeypot feature extraction method, system and medium based on fuzzy test
CN112600822A (en) * 2020-12-09 2021-04-02 国网四川省电力公司信息通信公司 Network security system and method based on automatic drainage tool
CN113765883A (en) * 2021-07-28 2021-12-07 辽宁谛听信息科技有限公司 Industrial control network honeypot identification method based on successive probability discrimination algorithm

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107070929A (en) * 2017-04-20 2017-08-18 中国电子技术标准化研究院 A kind of industry control network honey pot system
US9912695B1 (en) * 2017-04-06 2018-03-06 Qualcomm Incorporated Techniques for using a honeypot to protect a server
CN108429739A (en) * 2018-02-12 2018-08-21 烽台科技(北京)有限公司 A kind of method, system and the terminal device of identification honey jar
CN108600193A (en) * 2018-04-03 2018-09-28 北京威努特技术有限公司 A kind of industry control honey jar recognition methods based on machine learning

Also Published As

Publication number Publication date
CN110266650B (en) 2020-05-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant