CN110493238A - Honeypot-based defence method, device, honeypot system and honeypot management server - Google Patents

Info

Publication number
CN110493238A
Authority
CN
China
Prior art keywords
honeypot
equipment
monitoring module
attacker
Legal status
Pending
Application number
CN201910790301.1A
Other languages
Chinese (zh)
Inventor
王世晋
范渊
陆嘉杰
周忠锦
Current Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN201910790301.1A
Publication of CN110493238A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

The embodiments provide a honeypot-based defence method, device, honeypot system and honeypot management server, relating to the field of network technology. The honeypot-based defence method is applied to a honeypot management server and comprises: determining a honeypot device provided with a monitoring module, the honeypot device being a physical device that is in a real application scenario and is not in a virtual machine environment; and monitoring the intrusion behaviour of an attacker based on the honeypot device provided with the monitoring module. The technical solution provided by the embodiments of the present invention is therefore a honeypot technique based on a real environment. It alleviates the problem that existing honeypot techniques are easy to identify and easily seen through by attackers, makes the honeypot harder for an attacker to identify, and helps improve the trapping effect and success rate.

Description

Honeypot-based defence method, device, honeypot system and honeypot management server
Technical field
The present invention relates to the technical field of network security, and in particular to a honeypot-based defence method, device, honeypot system and honeypot management server.
Background
A honeypot is a security resource for trapping intruders; its value lies in being probed, attacked or compromised. Honeypot technology is a deception technique that lures intruders with false resources in order to collect attack data and analyse the intruders' attacks, thereby protecting the real host targets. In other words, a honeypot is a system carefully configured in advance, and it may contain content intended to trick hackers into attacking and intruding into it. The point of a honeypot is to be intruded upon: any interaction with a honeypot is regarded as an intrusion, so intruder attack data can be collected and intruder behaviour analysed by means of the honeypot.
The honeypot techniques used in the prior art remain at the virtualization level. Such honeypots can mostly capture only samples of automatically spreading worms and have almost no effect on more advanced intruders. Although existing honeypot techniques can induce intruders to attack to some extent, they are easy to identify and are easily noticed by attackers. Once an attacker finds that a honeypot is being used to detect attacks, the attacker will avoid any further activity in that system and may also tell other attackers about the discovery, so that all attackers avoid the honeypot.
In summary, existing honeypot techniques are easy to identify and are easily seen through by attackers.
Summary of the invention
The objects of the present invention include, for example, providing a honeypot-based defence method, device, honeypot system and honeypot management server that can alleviate the problem that existing honeypot techniques are easy to identify and easily seen through by attackers, and that make the honeypot harder for an attacker to identify.
The embodiments of the present invention can be implemented as follows:
In a first aspect, an embodiment of the present invention provides a honeypot-based defence method, applied to a honeypot management server, comprising the following steps:
determining a honeypot device provided with a monitoring module, the honeypot device being a physical device that is in a real application scenario and is not in a virtual machine environment;
monitoring the intrusion behaviour of an attacker based on the honeypot device provided with the monitoring module.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation of the first aspect, wherein the monitoring module comprises a high-interaction honeypot monitoring program.
With reference to the first aspect, an embodiment of the present invention provides a second possible implementation of the first aspect, wherein there are multiple honeypot devices, and the multiple honeypot devices are interconnected through a network access device.
With reference to the first aspect, an embodiment of the present invention provides a third possible implementation of the first aspect, wherein monitoring the intrusion behaviour of the attacker based on the honeypot device provided with the monitoring module comprises:
receiving monitoring data sent by the honeypot device, the monitoring data carrying the identity of the honeypot device.
With reference to the first aspect, an embodiment of the present invention provides a fourth possible implementation of the first aspect, wherein the method further comprises:
trapping a target intrusion behaviour of the attacker based on a preset decoy technique.
With reference to the fourth possible implementation of the first aspect, an embodiment of the present invention provides a fifth possible implementation of the first aspect, wherein the preset decoy technique comprises:
mapping the back-end management address of the real business system of the real application scenario to a preset honeypot environment address.
In a second aspect, an embodiment of the present invention provides a honeypot-based defence device, comprising:
a determining module, configured to determine a honeypot device provided with a monitoring module, the honeypot device being a physical device that is in a real application scenario and is not in a virtual machine environment;
a monitoring module, configured to monitor the intrusion behaviour of an attacker based on the honeypot device provided with the monitoring module.
In a third aspect, an embodiment of the present invention provides a honeypot system, comprising: physical devices arranged according to a real application scenario, and a honeypot management server;
the physical devices are configured to provide trapping clues that attract attackers to intrude;
the honeypot management server is configured to determine a honeypot device provided with a monitoring module, the honeypot device being a physical device that is in a real application scenario and is not in a virtual machine environment, and to monitor the intrusion behaviour of an attacker based on the honeypot device provided with the monitoring module.
In a fourth aspect, an embodiment of the present invention provides a honeypot management server, comprising a processor, a memory and a bus. The memory stores machine-readable instructions executable by the processor; when the computer device runs, the processor communicates with the memory via the bus, and the machine-readable instructions, when executed by the processor, perform the steps of the method of any one of the foregoing implementations.
In a fifth aspect, an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored; when run by a processor, the computer program performs the steps of the method of any one of the foregoing implementations.
The embodiments of the present invention bring the following beneficial effects:
The embodiments of the present invention provide a honeypot-based defence method, device, honeypot system, honeypot management server and computer-readable storage medium. The honeypot-based defence method is applied to a honeypot management server and comprises: determining a honeypot device provided with a monitoring module, the honeypot device being a physical device that is in a real application scenario and is not in a virtual machine environment; and monitoring the intrusion behaviour of an attacker based on the honeypot device provided with the monitoring module. The technical solution provided by the embodiments of the present invention is therefore a honeypot technique based on a real environment; it alleviates the problem that existing honeypot techniques are easy to identify and easily seen through by attackers, and makes the honeypot harder for an attacker to identify.
To make the above objects, features and advantages of the present invention clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. It should be understood that the following drawings show only certain embodiments of the present invention and should therefore not be regarded as limiting its scope; a person of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.
Fig. 1 is a flowchart of a honeypot-based defence method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of another honeypot-based defence method provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of a honeypot-based defence device provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of the system architecture of a honeypot system provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of a honeypot management server provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are evidently some, not all, of the embodiments of the present invention. The components of the embodiments generally described and illustrated in the drawings can be arranged and designed in a variety of different configurations.
The following detailed description of the embodiments provided in the drawings is therefore not intended to limit the scope of the claimed invention, but merely represents selected embodiments of it. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should also be noted that similar reference numerals and letters denote similar items in the following drawings; once an item has been defined in one drawing, it need not be defined and explained again in subsequent drawings.
In the description of the present invention, it should be noted that terms such as "upper", "lower", "inner" and "outer", if used, indicate orientations or positional relationships based on those shown in the drawings or those in which the product of the invention is usually placed in use. They are used only to facilitate and simplify the description, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; they are therefore not to be understood as limiting the invention.
In addition, terms such as "first" and "second", if used, serve only to distinguish items in the description and are not to be understood as indicating or implying relative importance.
It should be noted that, where there is no conflict, the features in the embodiments of the present invention can be combined with one another.
Honeypot technology is an important active-defence technique for trapping intrusions. Existing honeypot techniques, however, remain at the virtualization level, for example simulating a business system with virtual machines. Such honeypots can mostly capture only samples of automatically spreading worms and have almost no effect on more advanced intruders. Although existing honeypot techniques can induce intruders to attack to some extent, they are easy to identify; their flaws are easily found by attackers, so the trapping purpose is not achieved.
On this basis, the honeypot-based defence method, device, honeypot system, honeypot management server and computer-readable storage medium provided by the embodiments of the present invention make the honeypot harder for an attacker to identify.
To facilitate understanding of this embodiment, the honeypot-based defence method disclosed in the embodiments of the present invention is first described in detail.
Embodiment 1
Referring to Fig. 1, this embodiment provides a honeypot-based defence method, applied to a honeypot management server, comprising:
Step S102: determine a honeypot device provided with a monitoring module, the honeypot device being a physical device that is in a real application scenario and is not in a virtual machine environment;
Step S104: monitor the intrusion behaviour of an attacker based on the honeypot device provided with the monitoring module.
In step S102, the monitoring module includes, but is not limited to, an installed monitoring program (such as a honeypot monitoring program) or a third-party security program (such as XX security guard), a task manager, a Multirouter Traffic Grapher, and an image acquisition device (such as a physical camera). The third-party security program monitors and protects system software, the task manager monitors processes, the Multirouter Traffic Grapher monitors traffic, and the image acquisition device monitors the operating interface. In addition, when an attacker obtains control of the image acquisition device and uses it to view the real application scenario, this helps dispel the hacker's suspicion that the present environment is a honeypot and improves the trapping success rate.
The real application scenario may be a real-world environment such as a working scenario (for example an enterprise office) or a living scenario (for example a smart home). It is neither a virtual scenario nor a scenario simulated inside a device (for example a business scenario simulated with virtual machines). The virtual machine environment may be, for example, a system environment in which a virtual machine image file is installed. The physical device may be a real physical device such as a physical computer, server, physical camera, router or network switch. The physical device provides trapping clues that attract attackers to intrude; a trapping clue is a clue related to the real application scenario, for example a system vulnerability, or files and information containing various forgeries, which attract attackers to attack and intrude. In summary, the honeypot device of this embodiment is a physical device, as distinct from a device on which a virtual machine image file is installed or whose system is in a virtual machine environment.
In an exemplary scenario, the system architecture includes a honeypot management server and N physical devices arranged according to the real application scenario, where N is a positive integer. All N physical devices may be arranged as honeypot devices. However, since not every physical device will be attacked, honeypot devices may instead be arranged according to the probability that a physical device is attacked and/or the weight of the physical device (a measure of the device's importance): physical devices with a high probability and/or a high weight are arranged as honeypot devices. In particular, when there are many physical devices, the user can select from them the ones to arrange as honeypot devices according to these arrangement rules (probability or weight).
In one embodiment, a honeypot device may be formed by deploying a monitoring module (such as a honeypot monitoring program) on a physical device such as a physical computer.
Specifically, when the honeypot management server determines that a monitoring module needs to be installed on a specific physical device, it may, after establishing a communication connection with that device, send the monitoring module to be installed to the device. After receiving the image file, the physical device runs it and installs the monitoring module on the physical device, forming a honeypot device.
In other optional embodiments, the user may arrange multiple physical devices according to the real application scenario and then select at least one of them on which to pre-install the monitoring module, forming honeypot devices. The identities of these physical devices are annotated to generate a honeypot device identity table, which is stored in the honeypot management server. The honeypot management server uses the honeypot device identity table, together with whether a device is in a virtual machine environment, to determine whether an online physical device is a honeypot device provided with a monitoring module.
In an optional embodiment, the monitoring module comprises a high-interaction honeypot monitoring program.
In an optional embodiment, there are multiple honeypot devices, and the multiple honeypot devices are interconnected through a network access device.
Here, the multiple honeypot devices are interconnected through the network access device to form an Internet of Things, and the honeypot devices in the Internet of Things can share data.
In an optional embodiment, the network access device may be a router, a network switch or the like.
It should be noted that the Internet of Things may also include physical devices that are arranged according to the real application environment and connected to the network access device (for example, physical devices the user has not chosen to equip with a monitoring module; that is, these physical devices need not be honeypot devices). Such a physical device is also a node of the Internet of Things, referred to here as a non-honeypot node of the Internet of Things; to distinguish them, the honeypot devices are referred to as honeypot nodes of the Internet of Things.
In step S104 above, monitoring the intrusion behaviour of the attacker based on the honeypot device provided with the monitoring module comprises the following steps:
1. Receive the monitoring data sent by the honeypot device; the monitoring data carries the identity of the honeypot device.
Here the monitoring data includes process monitoring data, network monitoring data and file monitoring data. The identity (Identification, ID for short) indicates which device the monitoring data came from; it may be, for example, a node attribute, a type (camera or traffic monitor), an IP address, and so on.
The honeypot management server can therefore use the identity to associate the data with the honeypot device that sent it.
Specifically, the monitoring module of the honeypot device continuously monitors the highly realistic Internet of Things honeypot in real time, records activity in the device system including but not limited to processes, network and files, and generates logs.
By monitoring processes, files, the network and so on through the honeypot device, process changes, file operations and network activity are obtained, so as to identify the attacker's intrusion behaviour (which may also be called an attack or an illegal operation).
In an optional embodiment, the method may further include storing the monitoring data.
Specifically, the recorded monitoring data is stored in a storage device, which may be memory inside the server or externally attached storage.
It should be noted that in other embodiments the monitoring data need not be returned to the honeypot management server. The honeypot device stores the monitoring data in a distributed manner on the nodes of the Internet of Things (which may be honeypot nodes or non-honeypot nodes). The honeypot management server then extracts the data from the distributed nodes according to the unique ID of the device, restores it into monitoring data, and can generate warning information to alert the user.
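The following sketch is an added example, not code from the patent. It shows how a honeypot management server could combine the honeypot device identity table with a virtual-machine check to decide which devices count as honeypot devices (step S102), then accept ID-tagged monitoring data and restore it from several nodes (step S104 and the distributed-storage variant). The class and field names, the per-device sequence number and the `virtualized` inventory flag are assumptions; the sample inventory and records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

CATEGORIES = {"process", "network", "file"}  # monitoring data types named in the description


@dataclass(frozen=True)
class Device:
    device_id: str     # identity carried by every monitoring record
    kind: str          # e.g. "computer", "camera", "router"
    ip: str
    has_monitor: bool  # True if listed in the honeypot device identity table
    virtualized: bool  # assumption: the inventory knows whether the host is a VM


@dataclass(frozen=True)
class Record:
    device_id: str
    seq: int           # assumption: per-device sequence number set by the monitor
    category: str
    detail: str


class HoneypotManager:
    def __init__(self, inventory):
        self.inventory = {d.device_id: d for d in inventory}
        self._records = defaultdict(dict)  # device_id -> {seq: Record}

    def honeypot_devices(self):
        """Step S102: a honeypot device is monitored AND physical (not in a VM)."""
        return {d.device_id for d in self.inventory.values()
                if d.has_monitor and not d.virtualized}

    def ingest(self, record):
        """Step S104: accept a record only if its identity maps to a honeypot device."""
        if record.device_id not in self.honeypot_devices():
            return False  # unknown, unmonitored or virtualized source
        if record.category not in CATEGORIES:
            return False
        # Keyed by seq so a record replicated on several nodes is stored once.
        self._records[record.device_id].setdefault(record.seq, record)
        return True

    def collect_from_nodes(self, node_stores):
        """Distributed variant: pull shards from every node and file them by device ID."""
        accepted = 0
        for shard in node_stores.values():
            for record in shard:
                accepted += self.ingest(record)
        return accepted

    def timeline(self, device_id):
        """Records of one device, restored to the order in which they were produced."""
        by_seq = self._records.get(device_id, {})
        return [by_seq[s] for s in sorted(by_seq)]

    def alerts(self):
        """One warning line per honeypot device that reported any activity."""
        out = []
        for device_id in sorted(self._records):
            dev = self.inventory[device_id]
            cats = sorted({r.category for r in self._records[device_id].values()})
            out.append(f"{dev.kind} {device_id} ({dev.ip}): {', '.join(cats)} activity")
        return out


# Constructed sample data: four devices, records scattered over three nodes.
SAMPLE_INVENTORY = [
    Device("pc-01", "computer", "192.0.2.11", has_monitor=True, virtualized=False),
    Device("pc-02", "computer", "192.0.2.12", has_monitor=False, virtualized=False),
    Device("vm-01", "computer", "192.0.2.13", has_monitor=True, virtualized=True),
    Device("cam-01", "camera", "192.0.2.20", has_monitor=True, virtualized=False),
]
SAMPLE_NODE_STORES = {
    "pc-02": [Record("pc-01", 2, "file", "configuration file read"),
              Record("cam-01", 1, "network", "inbound session from 198.51.100.7")],
    "cam-01": [Record("pc-01", 1, "process", "shell process started"),
               Record("vm-01", 1, "process", "shell process started")],
    "pc-01": [Record("pc-01", 1, "process", "shell process started")],  # replica
}

if __name__ == "__main__":
    manager = HoneypotManager(SAMPLE_INVENTORY)
    manager.collect_from_nodes(SAMPLE_NODE_STORES)
    for line in manager.alerts():
        print(line)
```

Records from `vm-01` are dropped even though it appears in the identity table, because the method only treats physical devices as honeypot devices.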
In this embodiment the honeypot device is a real physical device containing a monitoring unit. The real physical devices are deployed according to the real application scenario (for example an office scenario), and the real application scenario contains a real business system that has been backed up and whose non-public data has been desensitized (that is, on the surface it is the same as the genuine business system: data that is public remains public, while non-public data is desensitized, so the business system contains no non-public data). Compared with existing honeypot devices at the virtualization level, the honeypot-based defence method of this embodiment is therefore a deployment method that uses an Internet of Things device environment, fully modelled on a real-life environment, as a complete honeypot: a batch of real-life physical devices is set up as honeypot devices so as to deceive intruders at the physical layer. This alleviates the problem that existing honeypot techniques are easy to identify and easily seen through by attackers, makes the honeypot harder for an attacker to identify, avoids discovery by attackers, and helps improve the trapping success rate.
Embodiment 2
Referring to Fig. 2, on the basis of the foregoing solution, an embodiment of the present invention provides another honeypot-based defence method, which differs from Embodiment 1 in that the method further includes:
Step S202: trap a target intrusion behaviour of the attacker based on a preset decoy technique.
The target intrusion behaviour may be, for example, access to a target file or access to a target network address (for example, access to the core data of the real business system).
In an optional embodiment, the preset decoy technique includes: mapping the back-end management address of the real business system of the real application scenario to a preset honeypot environment address.
The honeypot-based defence method provided by the embodiments of the present invention arranges a real-life environment and scenario to provide a set of honeypot devices based entirely on reality, and induces hackers to attack and intrude into this set of facilities or devices. Together with the monitoring module in the honeypot devices, which records and stores in real time multi-dimensional data inside the device system, including but not limited to processes, files and network, this achieves the purpose of trapping intruders. Moreover, by trapping the attacker's target intrusion behaviour based on the preset decoy technique, the method not only obtains the attacker's intrusion behaviour or attack operations but also protects the real business system and its normal operation.
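An added example, not part of the patent, of the preset decoy technique: requests from a honeypot device to the real business system's back-end management address are rewritten to a preset honeypot environment address, while other hosts are left alone. Restricting the mapping to honeypot-device source addresses, the `DecoyMapper` name and all URLs and IP addresses are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(parts):
    """Scheme, host and effective port, so ':443' and an omitted port compare equal."""
    return parts.scheme, parts.hostname or "", parts.port or DEFAULT_PORTS.get(parts.scheme)


def _under(path, prefix):
    """True if path is the prefix or below it ('/admin' must not match '/administrator')."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


class DecoyMapper:
    def __init__(self, honeypot_ips, mapping):
        self.honeypot_ips = set(honeypot_ips)
        # Pre-parse each (real management URL -> honeypot environment URL) pair.
        self.rules = [(urlsplit(real), urlsplit(decoy)) for real, decoy in mapping.items()]
        self.trapped = []  # (source_ip, original_url), kept for the management server's log

    def route(self, source_ip, url):
        """Return (url_to_serve, redirected_to_decoy)."""
        if source_ip not in self.honeypot_ips:
            return url, False  # ordinary host: the real back end is untouched
        try:
            req = urlsplit(url)
            req_origin = _origin(req)
        except ValueError:  # malformed host or port: do not guess, pass through
            return url, False
        for real, decoy in self.rules:
            if req_origin == _origin(real) and _under(req.path, real.path):
                # Keep the sub-path and query so the decoy sees the same request.
                suffix = req.path[len(real.path.rstrip("/")):]
                target = urlunsplit((decoy.scheme, decoy.netloc,
                                     decoy.path.rstrip("/") + suffix, req.query, ""))
                self.trapped.append((source_ip, url))
                return target, True
        return url, False


# Constructed sample configuration (documentation address ranges, hypothetical host names).
HONEYPOT_IPS = {"192.0.2.11"}
MAPPING = {"https://erp.example.internal/admin": "http://192.0.2.200:8080/admin"}

if __name__ == "__main__":
    mapper = DecoyMapper(HONEYPOT_IPS, MAPPING)
    for src, url in [
        ("192.0.2.11", "https://ERP.example.internal:443/admin/users?page=2"),
        ("192.0.2.50", "https://erp.example.internal/admin/users?page=2"),
        ("192.0.2.11", "https://erp.example.internal/administrator"),
    ]:
        print(src, url, "->", mapper.route(src, url))
```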
Embodiment 3
Based on the same inventive concept, an embodiment of the present application also provides a honeypot-based defence device corresponding to the honeypot-based defence method. Since the principle by which the device solves the problem is similar to that of the honeypot-based defence method described above, the implementation of the device may refer to the implementation of the method, and repeated details are omitted.
Fig. 3 is a schematic diagram of the honeypot-based defence device provided by an embodiment of the present application.
Referring to Fig. 3, the device includes a determining module 301 and a monitoring module 302.
The determining module 301 is configured to determine a honeypot device provided with a monitoring module, the honeypot device being a physical device that is in a real application scenario and is not in a virtual machine environment.
The monitoring module 302 is configured to monitor the intrusion behaviour of an attacker based on the honeypot device provided with the monitoring module.
In an optional embodiment, the monitoring module comprises a high-interaction honeypot monitoring program.
In an optional embodiment, there are multiple honeypot devices, and the multiple honeypot devices are interconnected through a network access device.
In an optional embodiment, when monitoring the intrusion behaviour of the attacker based on the honeypot device provided with the monitoring module, the monitoring module is specifically configured to: receive the monitoring data sent by the honeypot device, the monitoring data carrying the identity of the honeypot device.
In an optional embodiment, the monitoring data includes process monitoring data, network monitoring data and file monitoring data.
In an optional embodiment, the device further includes:
a trapping module 303, configured to trap a target intrusion behaviour of the attacker based on a preset decoy technique.
In an optional embodiment, the preset decoy technique includes: mapping the back-end management address of the real business system in the real application environment to a preset honeypot environment address.
The honeypot-based defence device provided by the embodiments of the present application has the same technical features as the honeypot-based defence method provided by the above embodiments, so it can solve the same technical problem and achieve the same technical effect.
An embodiment of the present invention also provides a honeypot system, comprising:
physical devices arranged according to a real application scenario, and a honeypot management server;
the physical devices are configured to provide trapping clues that attract attackers to intrude; a trapping clue is a clue related to the real business scenario;
the honeypot management server is configured to determine a honeypot device provided with a monitoring module, the honeypot device being a physical device that is in a real application scenario and is not in a virtual machine environment, and to monitor the intrusion behaviour of an attacker based on the honeypot device provided with the monitoring module.
The working principle of the honeypot system provided by this embodiment is briefly described below:
1) Prepare a real environment. Specifically, real physical devices can be deployed according to the customer's real business scenario; in the real business system, some trapping clues are left on the physical devices to guide attackers into intruding into the Internet of Things system formed by this set of physical devices.
2) Determine a batch of physical devices among the deployed physical devices and install the high-interaction honeypot monitoring program on them to obtain honeypot devices.
3) The monitoring program in each honeypot device continuously monitors the highly realistic Internet of Things system in real time, records activity in the device system including but not limited to processes, network and files, records the intruder's illegal behaviour and operations, and uploads the recorded information to the honeypot management server.
4) The decoy techniques used by the honeypot management server during trapping include, but are not limited to, mapping the back-end management address in the real business system into the honeypot environment.
The honeypot-based defence system provided by the embodiments of the present invention deploys physical devices in a real application environment (a real working environment or real living environment) according to the user's real business system and designates a batch of the physical devices as honeypot devices. Honeypot technology is thereby genuinely integrated into real work or real life, making it difficult for an attacker to recognise the honeypot environment.
Fig. 4 shows a kind of system architecture schematic diagram of honey pot system provided in an embodiment of the present invention.
Referring to fig. 4, which specifically includes that such as robot manipulating task scene, camera head monitor scene, office field The practical applications scene such as scape, Intelligent household scene, based on the honey jar environment of above-mentioned practical application scene construction physical simulation, such as Several installations monitoring modules are selected in more true computer equipments of the office in the scene that will handle official business to obtain that monitoring mould is installed The honey jar equipment of block, honey jar equipment pass through internet and honey jar management server communication, honey jar management by router interconnection Server determines the honey jar equipment for being equipped with and monitoring module, and is monitored based on the honey jar equipment for being equipped with monitoring module.
The course of work of the system is briefly described so that scene is handled official business by enterprise as an example below:
True camera, router and more true computer equipments are deployed in a room, wherein more True computer equipment and true camera are set by router interconnection composition Internet of Things in true computer equipment host It sets high interaction honey jar monitoring programme and obtains honey jar equipment, honey jar equipment is in the honey jar environment of physical simulation, computer equipment The IP address that clue is host, booting account number cipher are traped, the trapping clue of camera is the password (such as number) called, black After viewing true working environment by transferring camera when visitor's invasion, with learning the IP of computer equipment host from computer equipment The attack to computer equipment host is initiated in location and booting account number cipher etc., the height interaction honey in camera and computer equipment host Tank monitoring programme is monitored and captures to the intrusion behavior of hacker, records intrusion behavior and the operation of hacker, generates log letter It ceases and log information is sent to honey jar management server, honey jar management server will invade the back-stage management address of host access (service function), which is mapped or jumped in preset honey jar environment address (default network address), is traped.
System provided in an embodiment of the present invention and device have by simulating the internet of things equipment scene of real-life completely There is higher fidelity, and the operation system of trapping can be associated with real-life scene arrangement, for example induce After hacker is invaded by operation system, Internal camera head permission is obtained, the scene of high emulation is seen from camera, as far as possible Give up the doubt that hacker is honey jar to current system, improve identification degree-of-difficulty factor and trapping success rate.
The emulator for traping hacker is referred to real rank, increased by honey pot system provided by the embodiments of the present application Hacker improves trap effect and success rate to the identification degree-of-difficulty factor of honey jar.
Referring to Fig. 5, an embodiment of the present invention further provides a honeypot management server 100, comprising:
A processor 41, a memory 42 and a bus 43. The memory 42 is used to store execution instructions and includes an internal memory 421 and an external memory 422. The internal memory 421, also called built-in storage, temporarily stores operational data for the processor 41 and data exchanged with the external memory 422, such as a hard disk; the processor 41 exchanges data with the external memory 422 through the internal memory 421. When the honeypot management server 100 runs, the processor 41 and the memory 42 communicate through the bus 43, so that the processor 41 executes the following instructions in user mode:
Determining the honeypot devices provided with a monitoring module, the honeypot devices being physical devices that are located in a real application scenario and are not in a virtual machine environment;
Monitoring the attacker's intrusion behavior based on the honeypot devices provided with the monitoring module.
Optionally, in the instructions executed by the processor 41, the monitoring module includes a high-interaction honeypot monitoring program.
Optionally, in the instructions executed by the processor 41, there are multiple honeypot devices, and the multiple honeypot devices are interconnected through a network access device.
Optionally, in the instructions executed by the processor 41, monitoring the attacker's intrusion behavior based on the honeypot devices provided with the monitoring module comprises:
Receiving monitoring data sent by the honeypot device, the monitoring data carrying the identity of the honeypot device.
Optionally, in the instructions executed by the processor 41, the monitoring data includes process monitoring data, network monitoring data and file monitoring data.
Optionally, in the instructions executed by the processor 41, the method further comprises:
Trapping a target intrusion behavior of the attacker based on a preset baiting technique.
Optionally, in the instructions executed by the processor 41, the preset baiting technique comprises:
Mapping the back-end management address of the actual business system in the real application environment to a preset honeypot environment address.
An embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when the computer program is run by a processor, it executes the steps of the detection method for Fast-Flux botnets combined with threat intelligence provided by the above embodiment.
In the several embodiments provided herein, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in an actual implementation; as another example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some communication interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional modules or units in the embodiments of the present invention may be integrated in one processing unit, may each exist physically alone, or two or more units may be integrated in one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
Finally, it should be noted that the embodiments described above are only specific embodiments of the present invention, intended to illustrate its technical solution rather than to limit it, and the scope of protection of the present invention is not limited to them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that anyone skilled in the art may, within the technical scope disclosed by the present invention, still modify the technical solutions recorded in the foregoing embodiments, readily conceive of variations, or make equivalent replacements of some of the technical features. Such modifications, variations or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.

Claims (10)

1. A honeypot-based defence method, characterized in that it is applied to a honeypot management server and comprises the following steps:
Determining the honeypot devices provided with a monitoring module, the honeypot devices being physical devices that are located in a real application scenario and are not in a virtual machine environment;
Monitoring the attacker's intrusion behavior based on the honeypot devices provided with the monitoring module.
2. The method according to claim 1, characterized in that the monitoring module includes a high-interaction honeypot monitoring program.
3. The method according to claim 1, characterized in that there are multiple honeypot devices, and the multiple honeypot devices are interconnected through a network access device.
4. The method according to claim 1, characterized in that monitoring the attacker's intrusion behavior based on the honeypot devices provided with the monitoring module comprises:
Receiving monitoring data sent by the honeypot device, the monitoring data carrying the identity of the honeypot device.
5. The method according to claim 1, characterized in that the method further comprises:
Trapping a target intrusion behavior of the attacker based on a preset baiting technique.
6. The method according to claim 5, characterized in that the preset baiting technique comprises:
Mapping the back-end management address of the actual business system of the real application scenario to a preset honeypot environment address.
7. A honeypot-based defence device, characterized in that it comprises:
A determining module, configured to determine the honeypot devices provided with a monitoring module, the honeypot devices being physical devices that are located in a real application scenario and are not in a virtual machine environment;
A monitoring module, configured to monitor the attacker's intrusion behavior based on the honeypot devices provided with the monitoring module.
8. A honeypot system, characterized in that it comprises: physical devices arranged according to a real application scenario, and a honeypot management server;
The physical devices are configured to provide trapping clues that attract an attacker to intrude;
The honeypot management server is configured to determine the honeypot devices provided with a monitoring module, the honeypot devices being physical devices that are located in a real application scenario and are not in a virtual machine environment, and to monitor the attacker's intrusion behavior based on the honeypot devices provided with the monitoring module.
9. A honeypot management server, characterized in that it comprises: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor; when the computer device runs, the processor and the memory communicate through the bus, and when the machine-readable instructions are executed by the processor, the steps of the method according to any one of claims 1 to 6 are executed.
10. A computer-readable storage medium on which a computer program is stored, characterized in that when the computer program is run by a processor, the steps of the method according to any one of claims 1 to 6 are executed.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910790301.1A CN110493238A (en) 2019-08-26 2019-08-26 Defence method, device, honey pot system and honey jar management server based on honey jar

Publications (1)

Publication Number Publication Date
CN110493238A true CN110493238A (en) 2019-11-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20191122)
RJ01 Rejection of invention patent application after publication