CN110768987A - SDN-based dynamic deployment method and system for virtual honey network - Google Patents


Info

Publication number: CN110768987A
Authority: CN (China)
Prior art keywords: honeypot, honeypots, network, honey, deployment
Legal status: Pending
Application number: CN201911030408.2A
Other languages: Chinese (zh)
Inventors: 陈爱国, 罗光春, 田玲, 赵太银, 王航
Current assignee: University of Electronic Science and Technology of China
Original assignee: University of Electronic Science and Technology of China
Application filed by University of Electronic Science and Technology of China
Priority to CN201911030408.2A
Publication of CN110768987A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/004 Artificial life, i.e. computing arrangements simulating life
    • G06N 3/006 Artificial life, i.e. computing arrangements simulating life based on simulated virtual individual or collective life forms, e.g. social simulations or particle swarm optimisation [PSO]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The invention relates to the technical field of network security, discloses a dynamic deployment method of a virtual honey net based on an SDN (software defined network), and solves the technical problems that the honey net in the prior art is difficult to dynamically construct and actively induce, the configuration and maintenance are inflexible, the expandability is poor and the decoy degree is low. The method comprises the following steps: A. scanning a honey net to obtain a network entity, carrying out clustering analysis according to the attribute of the network entity to obtain a clustering result set, and setting a shadow honeypot candidate set according to the clustering result set; B. carrying out intrusion detection on the access flow, and redirecting the suspicious flow according to a matching rule; C. reward and punish the behavior of the deployed honeypots based on environment feedback, update the behavior probability of the set of the deployed honeypots, obtain the current honeynet deployment quality through the calculation of the global threat degree of the honeynet, and then select honeypots from the shadow honeypot candidate set according to the quality scores to perform dynamic deployment. In addition, the invention also discloses a dynamic deployment system of the virtual honey network based on the SDN, which is suitable for the dynamic deployment of the virtual honey network.

Description

SDN-based dynamic deployment method and system for virtual honey network
Technical Field
The invention relates to the technical field of network security, in particular to a method and a system for dynamic deployment of a virtual honey network based on an SDN (Software defined network).
Background
With the rapid development of computer and network technologies, security problems have grown alongside them. Because attack and defense are inherently asymmetric, traditional passive network defenses struggle to cope with continuously evolving security threats. Honeypots and honeynets arose as an active defense mechanism whose essence is a decoy strategy aimed at attackers: attackers are lured by simulated vulnerabilities or by deployed security resources that hold no real value, and their attack behavior is recorded. Security personnel can then derive targeted protection strategies by analyzing the intruder's tactics and intentions, thereby resisting unknown threats and improving network security.
Existing honeypot technology is divided by degree of interaction into low-interaction, medium-interaction and high-interaction honeypots. A low-interaction honeypot only simulates or monitors certain specific ports and services; it is easy to deploy and maintain but also easy for attackers to identify. A medium-interaction honeypot provides more interaction, can anticipate some attacker activity and gives richer responses than a low-interaction honeypot, but the risk increases accordingly. A high-interaction honeypot simulates a real operating system and captures and analyzes network attacks, which greatly enhances its decoy value and usability, but it also increases the potential harm to the real system and is difficult to deploy and maintain.
Honeypot and honeynet technology as developed to date is generally deployed as a mix of low-interaction and high-interaction honeypots, which requires a large amount of physical equipment and IP address resources to be maintained; such deployments are costly and not flexible enough. Honeynets still use a static deployment model: they passively wait for an attacker's intrusion, cannot hand a connection over from one honeypot to another, are difficult to construct dynamically or to use for active luring, and suffer from high management and maintenance effort and insufficient scalability.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: the virtual honey net dynamic deployment method and system based on the SDN are provided, and the technical problems that a honey net in the prior art is difficult to dynamically construct and actively induce, configuration and maintenance are inflexible, expandability is poor and decoy degree is low are solved.
The technical scheme adopted by the invention for solving the technical problems is as follows:
a dynamic deployment method of a virtual honey network based on an SDN comprises the following steps:
A. scanning a honey net to obtain a network entity, carrying out cluster analysis according to the attribute of the network entity to obtain a cluster result set, setting a shadow honey pot candidate set according to the cluster result set, and initializing the honey net system;
B. carrying out intrusion detection on the access flow, and redirecting the suspicious flow according to a matching rule;
C. reward and punish the behavior of the deployed honeypots based on environment feedback, update the behavior probability of the set of the deployed honeypots, obtain the current honeynet deployment quality through the calculation of the global threat degree of the honeynet, and then select honeypots from the shadow honeypot candidate set according to the quality scores to perform dynamic deployment.
As a further optimization, step A specifically includes:
A1, scanning the relevant hosts in the honeynet with a scanning tool to serve as network entities, and storing the network entities in a database; each network entity has attributes such as host id, host type, open ports and TCP fingerprint features;
A2, performing clustering analysis with the K-means algorithm according to the attributes of the network entities to obtain a clustering result set;
A3, setting the same number of honeypots for the results in each cluster according to the obtained clustering result set, and creating a shadow honeypot candidate set;
A4, selecting a certain number of honeypots from the shadow honeypot candidate set for deployment, and initializing the honeynet system.
As a further optimization, step A2 specifically includes:
A21, setting the value range of the parameter K in the K-means algorithm;
A22, randomly selecting cluster centers;
A23, assigning each network entity to the cluster center with the smallest Euclidean distance:
Figure BDA0002249990530000021
where d(x, y) is the distance between entities x and y, f_n is a characteristic attribute of the network entity, and n is the number of characteristic attributes;
A24, recalculating new cluster centers;
A25, iterating repeatedly over the clusters given by the new cluster centers, and when the clustering threshold or termination condition is met, taking the result as the optimal clustering solution to obtain the clustering result set.
As a further optimization, step B specifically includes:
B1, when an access request arrives, first performing intrusion detection analysis;
B2, if the access request is risk-free, forwarding it normally; otherwise judging the flow suspicious, notifying the SDN controller, and entering step B3;
B3, the SDN controller issuing a flow matching rule to the SDN switch;
B4, the SDN switch redirecting the flow into the corresponding honeypot in the honeypot pool according to the security threat level.
As a further optimization, step C specifically includes:
C1, selecting nodes one by one from the honeypot set currently in operation, and rewarding or punishing each honeypot according to environment feedback and the attack state of the current host;
C2, dynamically updating the probability vectors of the honeypots in the currently running honeypot set and in the shadow honeypot candidate set according to a learning algorithm;
C3, calculating the current deployment quality of the honeynet over a certain time interval according to the global threat degree formula;
C4, mapping the current deployment quality to one of the pre-divided quality grades and, according to that grade, selecting the corresponding number of optimal honeypot individuals from the shadow honeypot candidate set in probability order for dynamic deployment.
As a further optimization, step C1 specifically includes:
judging whether the honeypots in the honeypot pool successfully capture the attack or not within a certain time interval, and if the honeypots successfully capture the attack, rewarding the honeypots; if the service network is attacked or the suspicious traffic cannot be redirected into the honeypot pool, all honeypots in the honeypot pool are punished, and other remaining honeypots in the shadow honeypot candidate set are rewarded.
As a further optimization, step C2 specifically includes:
when a honeypot is rewarded, its probability vector is increased:
p_i = p_i + (1 − λ)·p_i
when a honeypot is punished, its probability vector is reduced:
p_j = p_j − λ·p_j
where λ is the learning parameter;
when the probability vector of a honeypot exceeds the threshold L_Φ, it is kept unchanged when the honeypot is rewarded again.
As a further optimization, step C3 specifically includes:
the global threat degree θ is used to measure the deployment quality of the current honeynet, calculated as:
Figure BDA0002249990530000031
where
Figure BDA0002249990530000032
denotes the total number of times that a real host is attacked or the honeynet is unable to respond to an attack under the current honeynet deployment strategy,
Figure BDA0002249990530000033
denotes the number of attacks captured by all honeypots in the honeypot pool, and the global threat degree θ represents the threat level of the whole network system at that moment.
As a further optimization, step C4 specifically includes:
C41, pre-dividing honeynet deployment quality into four grades: superior, good, medium and inferior;
C42, determining the quality grade corresponding to the current honeynet deployment quality;
C43, executing the honeypot dynamic deployment strategy according to that grade:
when the grade is superior, the deployment strategy is not changed;
when the grade is good, the 10% of honeypots at the tail of the probability ranking in the honeypot pool are replaced with the optimal 10% of the shadow honeypot candidate set;
when the grade is medium, the 20% of honeypots at the tail of the probability ranking in the honeypot pool are removed, and the optimal 40% of the shadow honeypot candidate set are deployed to the honeypot pool;
when the grade is inferior, the 50% of honeypots at the tail of the probability ranking in the honeypot pool are removed, and the optimal 80% of the shadow honeypot candidate set are deployed to the honeypot pool.
In addition, the invention also provides an SDN-based virtual honeynet dynamic deployment system, which comprises an intrusion detection module, an SDN controller and a honeynet scheduling module;
the intrusion detection module is used for carrying out intrusion detection on the access flow, notifying a service switch to carry out normal forwarding if the detection result is normal flow, and identifying the attack type and notifying the attack type to an SDN controller if the detection result is suspicious flow;
the SDN controller comprises a flow table management module, a redirection module, a malicious behavior learner and a connection management module; the flow table management module is used for adding flow table entries for the suspicious flows detected by intrusion, generating corresponding flow tables and issuing the flow tables to the SDN switch, so that the SDN switch forwards the suspicious flows to corresponding honeypots in the honeypot pool; the redirection module is used in combination with the flow table management module and is used for creating service mapping and determining how to create the flow table entry according to the service mapping; the malicious behavior learner is used for learning the attack behaviors captured by the honeynet and storing the learning result in a malicious behavior log library so as to facilitate subsequent analysis; the connection management module is used for dynamically changing end-to-end connection between an attacker and honeypots to realize seamless switching between different honeypots;
the honey net scheduling module comprises a scanning module, an initialization module, a shadow honeypot creating module, an environment perception module, a reinforcement learning module and a dynamic deployment module; the scanning module is used for acquiring relevant host information in a network through scanning and storing the relevant host information in a database; the initialization module initializes the virtual honey net in advance according to the self-defined configuration; the shadow honeypot creation module is used for creating a honeypot candidate set which accords with an actual scene through the acquired host information, and the shadow honeypot is used as a honeypot backup and is continuously integrated through a Docker container technology; the environment sensing module is used for sensing the specific network change condition of each honeypot in the honeypot pool and the host computer; the cooperative learning module carries out reward and punishment on honeypots running in the honeypot pool and in the shadow honeypot candidate set on the basis of a learning algorithm through a learning automaton model, dynamically changes behavior probability of the honeypots and obtains an optimal honeypot; the dynamic deployment module is used for redeploying the honeypots when the deployment quality of the honeynets does not meet requirements or the honeypots are attacked and trapped and cannot be accessed.
The invention has the beneficial effects that:
the clustering algorithm is applied to the honey nets, so that the defects of manual configuration, strong subjectivity and the like in the traditional honey net deployment process are overcome, the corresponding honey nets are configured according to the real network topology, the result is more real, and the decoy of the honey nets is improved;
Meanwhile, the SDN and the dynamic allocation and scheduling of the honeynet are effectively combined, which solves problems such as the difficulty of controlling network traffic; the honeynet quickly and efficiently selects a reasonable deployment strategy as the attack environment changes, honeypots are continuously integrated and combined, and problems such as the difficulty of deploying a traditional honeynet dynamically are effectively solved, which is of great practical significance for active security defense.
Drawings
Fig. 1 is a schematic structural diagram of a virtual honey network dynamic deployment system based on SDN in the present invention;
fig. 2 is a general flowchart of a dynamic deployment method of a virtual honey network based on SDN in the present invention;
FIG. 3 is a flow chart of an initialization process in a deployment method;
FIG. 4 is a schematic diagram illustrating a traffic redirection principle in a deployment method;
fig. 5 is a flow chart of dynamic deployment in the deployment method.
Detailed Description
The invention aims to provide a method and a system for dynamically deploying a virtual honey net based on an SDN (software defined network), and solves the technical problems that the honey net in the prior art is difficult to dynamically construct and actively induce, and is inflexible in configuration and maintenance, poor in expandability and low in decoy degree. The method carries out context perception in an unknown or dynamic network, and generates a most reasonable shadow honeypot candidate set through a clustering idea as a basis of a honeynet deployment strategy. And feeding back the optimal action to a honey net scheduling module by utilizing a cooperative perception method, performing reward punishment on honey pot deployment quality, dynamically maintaining action probability of the honey pots, and dynamically and self-adaptively selecting a honey net optimal deployment strategy from a shadow honey pot candidate set through global threat degree rating to realize dynamic configuration and continuous integration of the honey net. The invention can improve the decoy and fidelity of the honey net and obviously solves the problems of static solidification, difficult dynamic maintenance and the like of the traditional honey net environment.
As shown in fig. 1, the system for dynamically deploying a virtual honey network based on SDN in the present invention includes: the system comprises an intrusion detection module, an SDN controller and a honey net scheduling module; the specific functions of the various parts are explained as follows:
the network intrusion detection module is responsible for monitoring and checking input flow, firstly detects whether the flow contains any known characteristic attack when receiving an access request, and if the detection result is normal flow, the flow is normally forwarded to notify the service switch to access the service network; and if the detection result is suspicious flow, identifying the attack type and reporting to the SDN controller.
An SDN controller comprising four modules: the device comprises a flow table management module, a redirection module, a malicious behavior learner and a connection management module; the flow table management module is responsible for adding flow table items for suspicious flows detected by intrusion, the controller generates corresponding flow tables for the suspicious flows, the flow tables are issued to the SDN switch, and then the SDN switch forwards the flows to corresponding honeypots in the honeypot pool; the redirection submodule is combined with the flow table management submodule for use, a service mapping is created, according to the service mapping, the redirection module determines how to create a flow table item, and determines where to forward network flow, so that seamless service is provided for malicious flow to the maximum extent, and the concealment of the honey network is improved; the malicious behavior learner learns the attack behaviors captured by the honeynet and stores the results in a malicious behavior log library for subsequent more continuous specific analysis; the connection management submodule dynamically changes end-to-end connection between the attacker and the honeypots, and seamless switching between different honeypots is achieved.
The honeynet scheduling module is the most important part of the dynamic honeynet and comprises a scanning module, an initialization module, a shadow honeypot creation module, an environment perception module, a reinforcement learning module and a dynamic deployment module. The scanning module obtains relevant host information in the network through scanning and stores it in a database; the initialization module initializes the virtual honeynet in advance according to the user-defined configuration; the shadow honeypot creation module creates a honeypot candidate set that matches the actual scene from the acquired host information, and the shadow honeypots serve as honeypot backups that are continuously integrated through Docker container technology; the environment perception module perceives the specific network changes of each honeypot in the honeypot pool and of the hosts under attack; the cooperative learning module rewards and punishes the honeypots running in the honeypot pool and those in the shadow honeypot candidate set through a learning automaton model driven by a learning algorithm, dynamically changing the honeypots' behavior probabilities to obtain the optimal honeypot; the dynamic deployment module redeploys honeypots, and honeypot reconstruction is carried out in two cases: when the honeynet deployment quality does not meet requirements, and when honeypots have been compromised and can no longer be accessed.
Honeypots in the honeypot pool include low-interaction honeypots, medium-interaction honeypots and high-interaction honeypots, the honeypots are selected through shadow honeypot candidate sets, are constructed through a virtualization container technology, isolation between networks is guaranteed, attackers can be prevented from threatening the whole network environment by using the honeypots to the greatest extent, and dynamic performance and decoy performance of the honeynets can be guaranteed through continuous integration.
Based on the system, the overall flow of the dynamic deployment method of the virtual honey network is shown in fig. 2, and the method comprises three steps of preprocessing, redirection and reinforcement learning, wherein each step comprises a plurality of small steps. The preprocessing is initialization of the honey net, preparation is carried out for subsequent steps, the redirection is to redirect malicious traffic to a honey pot pool, threat to a real host is reduced, and the reinforcement learning step is a concrete embodiment of a real-time and effective dynamic deployment mode for the honey net provided by the invention.
As shown in fig. 3, which is a flowchart of the initialization process of the present invention, context-aware honeypot deployment is performed in an unknown or dynamic network through a clustering approach, and the effectiveness of the honeynet can be maintained and enhanced with the most reasonable configuration by learning and simulating the network's real environment. First, the network is scanned to obtain the network topology and network entity information according to the specific requirements; second, clustering is performed with the K-means algorithm, where parameter setting mainly means setting the initial cluster number K of K-means, so that automatic clustering yields an optimal solution. The method specifically comprises the following steps:
1.1 setting parameters: set the initial cluster number K according to the characteristics of K-means; the range should be neither too large nor too small, depending on performance and actual requirements. Repeated experiments have shown that setting K to 5 and the maximum number of iterations to 20 is generally appropriate.
The clustering algorithm comprises the following specific steps:
1.1.1 setting the parameter K value to 5;
1.1.2 randomly selecting a clustering center;
1.1.3 calculate the entity distance: for each network entity in the database, assign it to the nearest cluster center, with the distance computed as follows:
where d(x, y) is the distance between entities x and y, f_n is a characteristic attribute of the network entity, and n is the number of characteristic attributes.
1.1.4 recalculating new cluster centers;
1.1.5 calling K-means again, and jumping to the step 1.1.2;
1.1.6 if the K value reaches the upper limit K2 or the results of two consecutive iterations are the same, end the procedure and obtain the final clustering result set.
1.2 creating the shadow honeypot candidate set: set the same number of honeypots for the results in each cluster according to the obtained clustering result set. The details are as follows:
1.2.1 set as many honeypots as there are entities in the cluster, implemented with virtualization container technology, so as to ensure the realism of the honeynet while accounting for the influence of different cluster sizes;
1.2.2 estimate the distribution of IP addresses in the corresponding cluster, and compute the IP addresses of the shadow honeypots according to the estimated distribution;
1.2.3 the centroid of any cluster corresponds to a real entity, so the TCP stack of a shadow honeypot is set equal to the TCP stack of the centroid system of its cluster;
1.2.4 estimate the distribution of MAC addresses in the corresponding cluster, and compute the MAC addresses of the shadow honeypots according to the estimated distribution;
1.3 select a certain number of honeypots from the shadow honeypot candidate set for deployment, and initialize the honeynet system.
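The preprocessing phase above (K-means over scanned entities, then one shadow honeypot per real entity in each cluster, with the centroid's TCP stack and an address from the cluster's range), as an added example that is not the patent's own code. The scan data is constructed, the numeric encoding of host type, ports and fingerprint is an assumption, and initial centres are chosen deterministically by a farthest-point rule (the patent picks them at random) so the result is reproducible.

```python
"""Added example (not the patent's code): steps 1.1-1.2 of the
preprocessing phase as a runnable sketch over constructed scan data."""
from collections import Counter

# Assumed numeric encoding of the attributes named in the text
HOST_TYPES = {"web": 0.0, "db": 1.0, "workstation": 2.0}
FINGERPRINTS = {"Linux 5.x": 0.0, "Windows 10": 1.0}
PORT_SPACE = [22, 80, 443, 445, 3306, 3389]

# Constructed scan results: (host_id, host_type, open_ports, tcp_fingerprint, ip)
SCAN = [
    ("h1", "web", [22, 80, 443], "Linux 5.x", "10.0.1.10"),
    ("h2", "web", [22, 80], "Linux 5.x", "10.0.1.11"),
    ("h3", "db", [22, 3306], "Linux 5.x", "10.0.2.10"),
    ("h4", "db", [3306], "Linux 5.x", "10.0.2.11"),
    ("h5", "workstation", [445, 3389], "Windows 10", "10.0.3.10"),
    ("h6", "workstation", [445], "Windows 10", "10.0.3.11"),
]


def features(entity):
    """Encode one entity as the attribute vector f_1..f_n (assumed encoding)."""
    _, host_type, ports, fp, _ = entity
    return [HOST_TYPES[host_type], FINGERPRINTS[fp]] + [
        1.0 if p in ports else 0.0 for p in PORT_SPACE]


def distance(x, y):
    """Euclidean distance d(x, y) between two attribute vectors."""
    return sum((a - b) ** 2 for a, b in zip(x, y)) ** 0.5


def kmeans(vectors, k, max_iter=20):
    """Steps 1.1.2-1.1.6: choose centres, assign each vector to the nearest
    centre, recompute centres, and stop when two consecutive iterations agree
    or max_iter (20 in the text) is reached. Returns (labels, centres)."""
    centres = [vectors[0]]
    while len(centres) < k:  # farthest-point initialisation (assumption)
        centres.append(max(vectors, key=lambda v: min(distance(v, c) for c in centres)))
    labels = None
    for _ in range(max_iter):
        new = [min(range(k), key=lambda c: distance(v, centres[c])) for v in vectors]
        if new == labels:
            break
        labels = new
        for c in range(k):
            members = [v for v, l in zip(vectors, labels) if l == c]
            if members:
                centres[c] = [sum(col) / len(members) for col in zip(*members)]
    return labels, centres


def shadow_candidates(entities, k=3):
    """Step 1.2: one shadow honeypot per real entity in each cluster, carrying
    the TCP stack of the centroid entity and an IP from the cluster's range."""
    vectors = [features(e) for e in entities]
    labels, centres = kmeans(vectors, k)
    candidates = []
    for c in range(k):
        members = [e for e, l in zip(entities, labels) if l == c]
        if not members:
            continue
        # 1.2.3: the centroid corresponds to the real entity nearest the centre
        centroid = min(members, key=lambda e: distance(features(e), centres[c]))
        # 1.2.2: estimate the cluster's IP distribution (most common /24, next free hosts)
        prefix = Counter(e[4].rsplit(".", 1)[0] for e in members).most_common(1)[0][0]
        used = {int(e[4].rsplit(".", 1)[1]) for e in members if e[4].startswith(prefix + ".")}
        next_host = max(used) + 1
        for i in range(len(members)):  # 1.2.1: as many honeypots as cluster entities
            candidates.append({
                "name": f"shadow-{c}-{i}",
                "cluster": c,
                "tcp_stack": centroid[3],
                "ports": list(centroid[2]),
                "ip": f"{prefix}.{next_host + i}",
            })
    return labels, candidates


if __name__ == "__main__":
    labels, cands = shadow_candidates(SCAN, k=3)
    for entity, label in zip(SCAN, labels):
        print(entity[0], "-> cluster", label)
    for cand in cands:
        print(cand)
```

MAC address estimation (step 1.2.4) follows the same pattern as the IP step and is omitted here.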
After preprocessing the honeynet, the invention enters the redirection step. The flow redirection mechanism is based on an ODL controller; the process is shown in FIG. 4, and the specific implementation comprises the following steps:
2.1 when an access request arrives, it is first detected and analyzed by the intrusion detection module, and when attack behavior is detected the ODL controller is notified;
2.2 the ODL controller, by monitoring and analyzing the flow in the honeypot system, issues the flow to the SDN switch in the form of a flow table, creates a forwarding rule, and completes the flow redirection:
2.2.1 the ODL controller, through flow identification and analysis, sends the flow to the service network virtual switch in the form of a flow table;
2.2.2 the service network switch parses the flow control command and then forwards the content of the attacker's request to the honeynet switch;
2.2.3 the honeynet switch controls the flow according to the forwarding rule and forwards it to the corresponding honeypots in the honeypot pool.
2.3 the honeynet sends the response flow to the ODL controller, and the ODL controller, by changing the flow table information, forwards the response flow to the external network through the service switch to complete the interaction.
As shown in fig. 5, the dynamic deployment phase includes the following steps:
3.1 environmental feedback: judge whether the honeypots in the honeypot pool have successfully captured an attack within the time interval Δt, and reward those that have; if the service network is attacked or malicious traffic cannot be redirected into the honeypot pool, punish all honeypots in the honeypot pool and reward the remaining honeypots in the shadow honeypot candidate set; the time interval Δt is set to 2 h;
3.2 probability updating: when a honeypot is rewarded, its probability vector is increased, calculated as follows:
p_i = p_i + (1 − λ)·p_i
when a honeypot is punished, its probability vector is reduced, calculated as follows:
p_j = p_j − λ·p_j
when the probability vector of a honeypot exceeds the threshold L_Φ, it is kept unchanged when the honeypot is rewarded again. The learning parameter is set to λ = 0.01 and the threshold to L_Φ = 0.95.
3.3 global threat calculation: the global threat degree θ measures the deployment quality of the honeynet, calculated as follows:
Figure BDA0002249990530000081
where
Figure BDA0002249990530000082
denotes the total number of times that a real host is attacked or the honeynet is unable to respond to an attack under the current honeynet deployment strategy,
Figure BDA0002249990530000083
denotes the number of attacks captured by all honeypots in the honeypot pool, and the global threat degree represents the threat level of the whole network system at that moment.
3.4 determining the quality grade of the honeynet deployment: because of the honeynet redirection mechanism, the global threat degree will not be too high when the deployment strategy is of good quality, so deployment quality is divided into four grades: superior, good, medium and inferior. The specific rule is as follows:
class I, representing superior: the quality of the honeypot deployment strategy in the honeypot pool is excellent;
class II, representing good: the quality of the honeypot deployment strategy in the honeypot pool is good;
class III, representing medium: the quality of the honeypot deployment strategy in the honeypot pool is average;
class V, representing inferior: the quality of the honeypot deployment strategy in the honeypot pool is poor.
After the global threat degree theta value of the honey network is obtained, the quality classification of the deployment strategy can be carried out, and the standard is shown in table 1:
table 1: deployment policy quality ranking table
Honey net deployment policy quality ranking Mass value range (%)
I (super) <1
II (good grade) 1-3
III (middle-grade) 3-7
V (inferior grade) >7
3.5 Redeploying the honeypots according to the honeynet deployment quality grade: at grade superior, the deployment strategy is left unchanged; at grade good, the 10% of honeypots at the bottom of the probability ranking in the honeypot pool are replaced by the best 10% of the shadow honeypot candidate set; at grade medium, the bottom 20% of the honeypot pool by probability ranking are removed and the best 40% of the shadow honeypot candidate set are deployed into the pool; at grade inferior, the bottom 50% of the honeypot pool by probability ranking are removed and the best 80% of the shadow honeypot candidate set are deployed into the pool.
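The feedback, probability update, grading and redeployment loop of steps 3.1 to 3.5 (restated in claims 5 to 9), as an added Python illustration that is not code from the patent. The global threat formula appears above only as an image, so θ is taken here as the percentage of attack events in the interval that hit a real host or could not be redirected; the grade boundaries, the fate of removed honeypots, and the `Honeypot`/`Feedback` types and sample values are likewise assumptions marked in the comments.

```python
from dataclasses import dataclass

LAMBDA = 0.01   # learning parameter λ (step 3.2)
L_PHI = 0.95    # probability threshold L_Φ (step 3.2)
# Step 3.5 rules per grade: (fraction of the pool removed, fraction of the shadow set deployed)
REDEPLOY = {"I": (0.0, 0.0), "II": (0.1, 0.1), "III": (0.2, 0.4), "V": (0.5, 0.8)}

@dataclass
class Honeypot:
    name: str
    p: float    # behaviour probability of this honeypot in the learning automaton

@dataclass
class Feedback:
    """Environment feedback for one interval Δt (constructed sample, not real telemetry)."""
    captured: dict      # honeypot name -> attacks it captured in the interval
    service_hits: int   # attacks that reached a real host or could not be redirected

def reward(hp: Honeypot) -> float:
    """p_i = p_i + (1-λ)·p_i; above L_Φ the value is stored unchanged on further rewards."""
    if hp.p <= L_PHI:
        hp.p = hp.p + (1 - LAMBDA) * hp.p
    return hp.p

def punish(hp: Honeypot) -> float:
    """p_j = p_j - λ·p_j (the text does not normalise the vector, so neither does this)."""
    hp.p = hp.p - LAMBDA * hp.p
    return hp.p

def apply_feedback(pool, shadow, fb: Feedback) -> None:
    """Step 3.1: reward pool honeypots that captured attacks; if a real host was hit or
    traffic could not be redirected, punish the whole pool and reward the shadow set."""
    for hp in pool:
        if fb.captured.get(hp.name, 0) > 0:
            reward(hp)
    if fb.service_hits > 0:
        for hp in pool:
            punish(hp)
        for hp in shadow:
            reward(hp)

def global_threat(fb: Feedback) -> float:
    """Step 3.3. ASSUMPTION: the patent gives θ only as an image; here it is the percentage
    of attack events in the interval that hit a real host or went unanswered."""
    total = sum(fb.captured.values()) + fb.service_hits
    return 0.0 if total == 0 else 100.0 * fb.service_hits / total

def grade(theta: float) -> str:
    """Table 1 with the labels as printed: I <1 %, II 1-3 %, III 3-7 %, V >7 %.
    ASSUMPTION: a shared boundary goes to the lower grade (3 % is II, 7 % is III)."""
    if theta < 1:
        return "I"
    if theta <= 3:
        return "II"
    if theta <= 7:
        return "III"
    return "V"

def redeploy(pool, shadow, level):
    """Step 3.5: drop the lowest-probability fraction of the pool and deploy the best
    fraction of the shadow set. The text does not say what happens to the removed
    honeypots, so they are simply discarded here."""
    drop_frac, take_frac = REDEPLOY[level]
    pool = sorted(pool, key=lambda h: h.p, reverse=True)
    shadow = sorted(shadow, key=lambda h: h.p, reverse=True)
    n_drop = round(drop_frac * len(pool))
    n_take = round(take_frac * len(shadow))
    return pool[:len(pool) - n_drop] + shadow[:n_take], shadow[n_take:]

def run_interval(pool, shadow, fb: Feedback):
    """One Δt cycle: feedback -> probability update -> θ -> grade -> redeployment."""
    apply_feedback(pool, shadow, fb)
    level = grade(global_threat(fb))
    pool, shadow = redeploy(pool, shadow, level)
    return level, pool, shadow
```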
It should be noted that the above embodiments are only specific embodiments of the present invention; the scope of the present invention is not limited to them, and equivalent substitutions or changes that those skilled in the art would make are also covered by the scope of the present invention.

Claims (10)

1. An SDN-based dynamic deployment method for a virtual honeynet, characterized in that
the method comprises the following steps:
A. scanning the honeynet to obtain network entities, performing cluster analysis on the attributes of the network entities to obtain a cluster result set, building a shadow honeypot candidate set from the cluster result set, and initializing the honeynet system;
B. performing intrusion detection on the access traffic and redirecting suspicious traffic according to a matching rule;
C. rewarding and punishing the behaviour of the deployed honeypots on the basis of environment feedback, updating the behaviour probabilities of the set of deployed honeypots, obtaining the current honeynet deployment quality by calculating the global threat degree of the honeynet, and then selecting honeypots from the shadow honeypot candidate set according to the quality score for dynamic deployment.
2. The SDN-based dynamic deployment method for a virtual honeynet as claimed in claim 1,
characterized in that step A specifically comprises the following steps:
A1. scanning the relevant hosts in the honeynet with a scanning tool to obtain the network entities and storing them in a database; each network entity has the attributes host id, host type, open ports and TCP fingerprint features;
A2. performing cluster analysis on the attributes of the network entities with the K-means algorithm to obtain a cluster result set;
A3. according to the obtained cluster result set, setting the same number of honeypots for the results in each cluster and creating the shadow honeypot candidate set;
A4. selecting a certain number of honeypots from the shadow honeypot candidate set for deployment and initializing the honeynet system.
3. The SDN-based dynamic deployment method for a virtual honeynet as claimed in claim 2,
characterized in that step A2 specifically comprises:
A21. setting the value range of the parameter K of the K-means algorithm;
A22. randomly selecting the cluster centres;
A23. assigning each network entity to the cluster centre at the smallest Euclidean distance from it:
[formula given as an image in the original]
where d(x, y) is the distance between entities x and y, $f_n$ is a feature attribute of the network entity, and n is the number of feature attributes;
A24. recalculating the new cluster centres;
A25. iterating repeatedly over the clusters formed around the new cluster centres and, when the clustering threshold or clustering condition is met, taking the clusters as the optimal clustering solution, which yields the cluster result set.
4. The SDN-based dynamic deployment method for a virtual honeynet as claimed in claim 1,
characterized in that step B specifically comprises the following steps:
B1. when an access request arrives, first performing intrusion detection analysis on it;
B2. if the access request is risk-free, forwarding it normally; otherwise judging it to be suspicious traffic, notifying the SDN controller, and entering step B3;
B3. the SDN controller issuing a flow matching rule to the SDN switch;
B4. the SDN switch redirecting the traffic into the corresponding honeypot in the honeypot pool according to the security threat level.
5. The SDN-based dynamic deployment method for a virtual honeynet as claimed in claim 1,
characterized in that step C specifically comprises the following steps:
C1. selecting nodes one by one from the currently running honeypot set and rewarding or punishing each honeypot according to the environment feedback and the attack state of the current host;
C2. dynamically updating the probability vectors of the honeypots in the currently running honeypot set and in the shadow honeypot candidate set according to a learning algorithm;
C3. calculating the current honeynet deployment quality over a certain time interval according to the global threat degree formula of the honeynet;
C4. according to the grade into which the current honeypot deployment quality falls among the pre-divided quality grades, selecting a different number of optimal honeypot individuals from the shadow honeypot candidate set in probability order and deploying them dynamically.
6. The SDN-based dynamic deployment method for a virtual honeynet as claimed in claim 5,
characterized in that step C1 specifically comprises:
judging, within a certain time interval, whether the honeypots in the honeypot pool have successfully captured an attack, and rewarding a honeypot that has captured an attack; if the service network is attacked or suspicious traffic cannot be redirected into the honeypot pool, punishing all honeypots in the honeypot pool and rewarding the remaining honeypots in the shadow honeypot candidate set.
7. The SDN-based dynamic deployment method for a virtual honeynet as claimed in claim 5,
characterized in that step C2 specifically comprises:
when a honeypot is rewarded, increasing its probability vector:
$p_i = p_i + (1-\lambda)\,p_i$
when a honeypot is punished, reducing its probability vector:
$p_j = p_j - \lambda\,p_j$
where λ is the learning parameter;
and when the probability vector of a honeypot exceeds the threshold $L_\Phi$, storing the probability vector unchanged when the honeypot is rewarded again.
8. The SDN-based dynamic deployment method for a virtual honeynet as claimed in claim 5,
characterized in that step C3 specifically comprises:
measuring the current honeynet deployment quality with the global threat degree θ, computed by the following formula:
[formula given as an image in the original]
where the first quantity denotes the total number of times that a real host is attacked or the honeynet is unable to respond to an attack under the current honeynet deployment strategy, and the second denotes the number of attacks captured by all honeypots in the honeypot pool; the global threat degree θ represents the threat level of the whole network system at that moment.
9. The SDN-based dynamic deployment method for a virtual honeynet as claimed in claim 5,
characterized in that step C4 specifically comprises:
C41. pre-dividing the honeynet deployment quality into four grades: superior, good, medium and inferior;
C42. determining the quality grade corresponding to the current honeynet deployment quality;
C43. executing the honeypot dynamic deployment strategy according to the quality grade corresponding to the current honeynet deployment quality:
when the quality grade is superior, the deployment strategy is not changed;
when the quality grade is good, the 10% of honeypots at the bottom of the probability ranking in the honeypot pool are replaced by the best 10% of honeypots in the shadow honeypot candidate set;
when the quality grade is medium, the bottom 20% of honeypots in the probability ranking of the honeypot pool are removed and the best 40% of honeypots in the shadow honeypot candidate set are deployed into the honeypot pool;
and when the quality grade is inferior, the bottom 50% of honeypots in the probability ranking of the honeypot pool are removed and the best 80% of honeypots in the shadow honeypot candidate set are deployed into the honeypot pool.
10. An SDN-based dynamic deployment system for a virtual honeynet, characterized in that
it comprises an intrusion detection module, an SDN controller and a honeynet scheduling module;
the intrusion detection module performs intrusion detection on the access traffic, notifies the service switch to forward normally if the detection result is normal traffic, and identifies the attack type and reports it to the SDN controller if the detection result is suspicious traffic;
the SDN controller comprises a flow table management module, a redirection module, a malicious behaviour learner and a connection management module; the flow table management module adds flow table entries for the suspicious traffic identified by intrusion detection, generates the corresponding flow tables and issues them to the SDN switch, so that the SDN switch forwards the suspicious traffic to the corresponding honeypots in the honeypot pool; the redirection module works together with the flow table management module, creating the service mapping and determining from it how the flow table entries are created; the malicious behaviour learner learns from the attack behaviour captured by the honeynet and stores the result in a malicious behaviour log library for later analysis; the connection management module dynamically changes the end-to-end connection between an attacker and the honeypots so that switching between different honeypots is seamless;
the honeynet scheduling module comprises a scanning module, an initialization module, a shadow honeypot creation module, an environment perception module, a reinforcement learning module and a dynamic deployment module; the scanning module acquires the relevant host information in the network by scanning and stores it in a database; the initialization module initializes the virtual honeynet in advance according to a user-defined configuration; the shadow honeypot creation module uses the acquired host information to create a honeypot candidate set that matches the actual scene, the shadow honeypots serving as honeypot backups that are continuously integrated with Docker container technology; the environment perception module perceives the specific network changes of each honeypot in the honeypot pool and of the hosts; the cooperative learning module rewards and punishes the honeypots running in the honeypot pool and those in the shadow honeypot candidate set on the basis of a learning algorithm, through a learning automaton model, dynamically changing the behaviour probabilities of the honeypots to obtain the optimal honeypots; and the dynamic deployment module redeploys the honeypots when the honeynet deployment quality does not meet the requirements or when honeypots have been attacked and compromised and can no longer be accessed.
CN201911030408.2A 2019-10-28 2019-10-28 SDN-based dynamic deployment method and system for virtual honey network Pending CN110768987A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911030408.2A CN110768987A (en) 2019-10-28 2019-10-28 SDN-based dynamic deployment method and system for virtual honey network

Publications (1)

Publication Number Publication Date
CN110768987A true CN110768987A (en) 2020-02-07

Family

ID=69334025

Country Status (1)

Country Link
CN (1) CN110768987A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200207