CN110855659A - redis honeypot deployment system - Google Patents


Info

Publication number
CN110855659A
Authority
CN
China
Prior art keywords
redis
attack
instructions
data
module
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911083788.6A
Other languages
Chinese (zh)
Inventor
张鑫书
杨川
龚致
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Changhong Electric Co Ltd
Original Assignee
Sichuan Changhong Electric Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses a redis honeypot deployment system comprising: a traffic monitoring module that acts as a redis proxy server and captures the communication data exchanged between a redis client and the real redis server; a traffic parsing module that converts the captured communication data into easily readable plaintext and normalizes it into a threat log; a data reporting module that forwards the normalized threat logs to the cloud analysis module in real time over the Hpfeeds protocol; a cloud analysis module that analyzes the reported threat logs and formulates a defense strategy; and a data storage module that stores the log data in a database for later backtracking. The system monitors and analyzes the traffic of intrusions into redis so that targeted defensive measures can be taken to protect the redis service on normal hosts.

Description

redis honeypot deployment system
Technical Field
The invention relates to the technical field of computer network security, in particular to a redis honeypot deployment system.
Background
redis is an open-source, high-performance key-value database. All of its keys and values are held in memory, which gives very high single-node read and write performance. It supports many storage types, including string, list, set, zset and hash. redis is currently used by a large number of companies, and it is very exposed because by default it runs without authentication; in addition, because redis answers requests so quickly, instances protected only by weak passwords are also very easy to break into. A compromised redis can be used by attackers to modify files and leave behind backdoor programs, and under certain conditions can even yield a webshell or root privileges.
Honeypot technology is a technique for deceiving internet attackers. A honeypot is generally understood as an unattended but closely monitored network host that contains fake high-value resources and some vulnerabilities, so as to lure intruders into attacking the honeypot host instead of the real hosts. At the same time, the honeypot records every instruction the attackers use, and from those records a defense for the real host can be built. Honeypot technology can resist unknown attacks to a certain extent and strengthens the protection of the actual system.
However, existing honeypot research contains little work on database honeypots, and on redis honeypots in particular; moreover, some honeypots monitor operation instructions through system logs, third-party plug-ins and the like, so key operation data is easily missed. Honeypot studies also mostly stop at collecting data and do not analyze it.
Disclosure of Invention
In order to solve the problems in the prior art, the invention aims to provide a redis honeypot deployment system which is used for monitoring and analyzing the flow invading the redis so as to make a defensive measure in a targeted manner and protect the redis service on a normal host.
In order to achieve the purpose, the invention adopts the technical scheme that: a redis honeypot deployment system, comprising:
the flow monitoring module is used as a redis proxy server and used for acquiring communication data of interaction between a redis client and a redis actual server;
the flow analysis module is used for converting the communication data acquired by the flow monitoring module into plaintext data which is easy to identify and generalizing a threat log;
the data reporting module is used for forwarding the generalized threat logs to the cloud analysis module in real time through an Hpfeeds protocol;
the cloud analysis module is used for analyzing the log data of the reported threat logs and making a defense strategy;
and the data storage module is used for storing the log data into a database for backtracking.
In a preferred implementation, the default port of the real redis server is changed to another unoccupied port, and a redis proxy server built with the socket and select modules of a Python script listens on the original default port. Client traffic arriving on the default port is observed in real time, and the traffic monitoring module collects it by forwarding the communication data between the real redis server and the redis client.
In another preferred embodiment, the traffic parsing module converts the received communication data into easily readable plaintext by interpreting the underlying redis communication protocol, and generates a threat log in a uniform format by combining the parameters of the socket connection with the original instruction recovered by parsing.
In another preferred embodiment, the threat log includes a session id, a source ip, a source port, an operation instruction time, operation details, and an original log.
In another preferred embodiment, after a redis client connects to redis, the Python script randomly generates a unique session id, and all operations performed by that redis client belong to this session id.
As another preferred embodiment, a basic analysis unit of the cloud analysis module is an event log, the event log includes logs with the same session id in threat logs uploaded by the Hpfeeds protocol, and the event log is analyzed to be a malicious ip, an attack instruction and an attack target.
In another preferred embodiment, analyzing the event log into a malicious ip, an attack instruction and an attack target specifically comprises: first, judging whether the user performed password authentication multiple times within a short time, or performed file query or file modification actions after authentication; if so, the event is a malicious event and the user's source ip is a malicious ip, and if not, the user only performed tentative or learning behavior rather than a malicious operation; second, judging from the user's operation instructions whether password authentication was performed multiple times within a short time, and if so, classifying the attack instruction as the password blasting (brute-force) type.
As another preferred embodiment, after the user completes authentication, the operation instructions of the user are extracted, and if the operation instructions are not instructions for direct exit, all the operation instructions are attack instructions, and the attack instructions include file query type attack instructions and file modification type attack instructions.
In another preferred embodiment, the attack instruction further includes an unknown attack instruction for discovering a 0day bug.
In another preferred embodiment, the data storage module stores malicious ips, attack instructions, attack targets and original logs separately and associates them by session id. When a new instruction arrives it is compared against the stored data: if it is an attack instruction seen for the first time, a new record is added; otherwise only the original log is stored. This keeps the database compact while still allowing backtracking.
The beneficial effects of the invention are: through the redis proxy server the invention collects all traffic generated by an external attacker without missing important attack data, and extracts and analyzes three key attributes of each attack, namely the attack source, the attack instruction and the attack target, so that the real redis service can defend against and filter malicious attacks in a targeted way.
Drawings
FIG. 1 is a system block diagram of an embodiment of the invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Examples
As shown in fig. 1, a redis honeypot deployment system includes:
The traffic monitoring module is a redis proxy server that listens in real time on the default port of the real redis server for redis client traffic, so that data sent by a redis client reaches the proxy first. The proxy receives the data and forwards it to the real redis server, receives the reply returned by the real server, and then sends that reply on to the client. In this way the proxy sees all traffic exchanged between every redis client and the real redis server.
The traffic parsing module converts the received data into easily readable plaintext by decoding the underlying redis communication protocol and, combining the socket connection parameters with the parsed original instruction, generates a threat log in a unified format containing the session id, source ip, source port, operation instruction time, operation details and original log. The session id is a unique id randomly generated by the Python script each time a remote host connects to redis; all operations performed by that remote host belong to the same session id. The operation details are a further decomposition of the operation instruction and include the executed instruction, the user, the result and so on. Finally, all data exchanged between the redis client and the real redis server for one native redis instruction is integrated into a threat log for reporting.
The data reporting module uses the Hpfeeds protocol: each time a threat log is generated it is uploaded to the cloud analysis module for analysis.
The basic analysis unit of the cloud analysis module is the event log: all logs with the same session id among the logs uploaded over Hpfeeds are integrated into one event log, and the event log is analyzed into malicious ip, attack instructions, attack targets and so on. First, it is judged whether the user performed password authentication multiple times within a short time, or performed file query or modification actions after authentication; if so, the event is a malicious event and the user's source ip is a malicious ip, and if not, the user only performed tentative or learning behavior rather than a malicious operation. Second, it is judged from the user's operation instructions whether password authentication was performed multiple times within a short time; if so, the attack instruction is of the password blasting (brute-force) type. After the user completes authentication, the user's operation instructions are extracted; if they are not instructions for direct exit, all of them are attack instructions, divided into file query type and file modification type. Querying files can lead to theft of database secrets, database dumping ("dragging the library") and credential-stuffing ("library collision") attacks; modifying files can plant a backdoor and go on to operate the host; in addition, an unknown attack instruction class is set aside for discovering 0day bugs. Finally, the object of the preceding attack instruction is marked as the attack target; it mainly comprises the path, name and content of the file queried or modified, so that file attacks can be identified in detail.
The cloud storage module stores the malicious ip, attack instruction, attack target and original log in a database for backtracking. It first judges whether this malicious attack has occurred for the first time: if so, the malicious ip, attack instruction and attack target are stored together with the original log; if not, only the original log is stored, so that the database holding malicious instructions does not grow too large while instructions can still be traced back when needed. The data storage module stores the analyzed malicious instruction results, with the malicious ip, attack instruction, attack target and so on stored separately and associated by session id.
By storing the malicious ip, attack instruction and attack target, and then hardening the target file and target service on the real redis server or filtering the malicious requests in a targeted way, malicious attacks can be prevented effectively.
The redis honeypot deployment system of this embodiment is further described below, taking an actual deployment as an example:
1. Building the redis proxy server:
First, the default port of the real redis server is changed to another unoccupied port, and a redis proxy server that listens on the original default redis port 6379 is built with the socket and select modules of a Python script.
2. Parsing and normalizing redis instructions:
When a user who has completed password authentication launches an attack, for example, the attacker sends the following instructions to the redis proxy server:
1) config set dir /root/.ssh
2) config set dbfilename authorized_keys
3) set xxx "\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC81NVpk8QyY1Roeo8lvHzjp-PkvkWy4vYTzJi0msFaxvbpkQ0k2EvWDL8gxCPiu5/TzA47xTTKkk2H9Us0ciPnKRHliJMx7X0t4HaQj2LZ15t186O4JBaZhD4AEHkJDl9g1kR5XVtJmeQREv7GNCMFhFILyre1BWrrMrZbT4x1SMimOfbvhi2itSB9tReMQYkgpiQ0RnV1YDgk83/+Hrroot@test\n\n\n"
4) save
First, redis is connected and the first instruction arrives at the redis proxy server. The proxy records the operation of this connection, records the connection's source ip, source port and connection time from the socket, and randomly generates a session id with the uuid module to serve as the unique identifier of the connected redis client. The proxy then forwards the connection request to the real redis server; the reply from the real server also arrives at the proxy first, which records the response as the result of the preceding operation and then passes it on to the redis client. The connected redis client then sends the 2nd, 3rd and 4th instructions in turn, and the Python proxy processes each of them in the same way as the first, obtaining the session id and other data; the session id is the same as that of the first instruction.
Because the data exchanged between the redis client and the real redis server is encoded according to the redis communication protocol, it has to be decoded according to that protocol to recover the original redis operation instruction. For example, the raw encoding of the first attack instruction is b'*4\r\n$6\r\nconfig\r\n$3\r\nset\r\n$3\r\ndir\r\n$10\r\n/root/.ssh\r\n', which the parser converts back into the original input instruction config set dir /root/.ssh by interpreting the protocol symbols.
Combining the session id, source ip, source port, session time, operation details and original instruction of one traffic exchange between the redis client and the real redis server yields a threat log with the following structure (taking the first instruction as an example):
{'Session_id': 'd2903a92-3529-4d36-bf73-dd1f8279e54a', 'Date': '2019-08-21 16:35:41.845', 'src_ip': '127.0.0.1', 'src_port': 51704, 'Type': 'File modification', 'operation_info': {'operation': 'config set dir', 'result': 0}, 'Original log': 'config set dir /root/.ssh'}
Finally, the threat log is published over the Hpfeeds protocol.
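The proxy, decoder and threat-log steps above, as an added example in Python that is not part of the patent or of the applicant's implementation: a RESP decoder for the encoded traffic of step 2 (it handles frames that arrive split across several recv() calls, the null bulk string, and inline commands), a per-session recorder that pairs each client command with the reply the real server sends back and builds a threat log with the structure shown above, and a select()-based forwarding loop of the kind step 1 describes. The Type rule in op_type, the field names, and the assumption that the real server has been moved to another port on the same host are this example's own; run_proxy needs a live redis and is not exercised offline.

```python
import select
import socket
import uuid
from datetime import datetime

INCOMPLETE = object()  # sentinel: more bytes are needed before a frame can be decoded

def parse_resp(buf):
    """Decode one RESP frame from the front of buf -> (value, remaining bytes).
    Arrays become lists, bulk strings str; value is INCOMPLETE until the whole
    frame is buffered; a line without a type byte is an inline command."""
    end = buf.find(b"\r\n")
    if end < 0:
        return INCOMPLETE, buf
    kind, head, rest = buf[:1], buf[1:end], buf[end + 2:]
    if kind in (b"+", b"-", b":"):  # simple string, error, integer
        return head.decode(errors="replace"), rest
    if kind in (b"$", b"*") and head.lstrip(b"-").isdigit():
        n = int(head)
        if kind == b"$":  # bulk string of declared length (n < 0 is the null bulk)
            if n < 0:
                return None, rest
            if len(rest) < n + 2:
                return INCOMPLETE, buf
            return rest[:n].decode(errors="replace"), rest[n + 2:]
        items = []  # array: decode each element in turn
        for _ in range(n):
            item, rest = parse_resp(rest)
            if item is INCOMPLETE:
                return INCOMPLETE, buf
            items.append(item)
        return items, rest
    return buf[:end].decode(errors="replace").split(), rest  # inline / malformed line

def op_type(argv):
    """Coarse Type field (assumed rule): file-writing commands vs. everything else."""
    w = [a.lower() for a in argv[:2]]
    return "File modification" if w == ["config", "set"] or w[:1] == ["save"] else "Other"

class SessionRecorder:
    """Per-connection proxy state: pairs each client command with its reply."""
    def __init__(self, src_ip, src_port):
        self.session_id = str(uuid.uuid4())  # unique id for this connection
        self.src_ip, self.src_port = src_ip, src_port
        self.c_buf = self.s_buf = b""
        self.pending, self.logs = [], []  # commands awaiting a reply; threat logs

    def on_client_data(self, data):
        self.c_buf += data
        while True:
            cmd, self.c_buf = parse_resp(self.c_buf)
            if cmd is INCOMPLETE:
                return
            self.pending.append([str(a) for a in cmd] if isinstance(cmd, list) else [str(cmd)])

    def on_server_data(self, data):
        self.s_buf += data
        while self.pending:  # replies arrive in the order the commands were sent
            reply, rest = parse_resp(self.s_buf)
            if reply is INCOMPLETE:
                return
            self.s_buf = rest
            self.logs.append(self.threat_log(self.pending.pop(0), reply))

    def threat_log(self, argv, reply):
        return {
            "Session_id": self.session_id,
            "Date": datetime.now().strftime("%Y-%m-%d %H:%M:%S.%f")[:-3],
            "src_ip": self.src_ip, "src_port": self.src_port,
            "Type": op_type(argv),
            "operation_info": {"operation": " ".join(argv[:3]), "result": reply},
            "Original log": " ".join(argv),
        }

def run_proxy(listen_port, real_port, host="127.0.0.1"):
    """select()-based proxy: forwards between client and relocated real server and
    yields each session's recorder (with its threat logs) when the connection ends."""
    lsock = socket.socket()
    lsock.bind((host, listen_port))
    lsock.listen()
    conns = {}  # socket -> (peer socket, recorder, is_client)
    while True:
        for s in select.select([lsock, *conns], [], [])[0]:
            if s is lsock:
                client, (ip, port) = lsock.accept()
                server = socket.create_connection((host, real_port))
                rec = SessionRecorder(ip, port)
                conns[client], conns[server] = (server, rec, True), (client, rec, False)
            elif s in conns:  # skip sockets torn down earlier in this batch
                peer, rec, is_client = conns[s]
                data = s.recv(65536)
                if not data:  # one side closed: tear down both, hand off the session
                    for x in (s, peer):
                        conns.pop(x, None)
                        x.close()
                    yield rec
                else:
                    (rec.on_client_data if is_client else rec.on_server_data)(data)
                    peer.sendall(data)  # transparent forwarding in both directions
```

With the real server moved to, say, 6380, iterating run_proxy(6379, 6380) yields one recorder per finished connection; each recorder's logs list is what the reporting module would publish over Hpfeeds. The pending queue is what keeps commands and replies aligned when a client pipelines several commands before reading any reply.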
3. Analyzing the event log:
The cloud program receives the threat logs published by the redis parsing program in real time over the Hpfeeds protocol. The several instructions sent by an attacker within one session share the same session id and are aggregated into one event log, whose format is as follows:
[Figure: event log format (shown as an image in the original)]
One event log comprises all the attack operations of one attacker session. Analyzing the attacker's specific operations in this event log: because the user modified files, the behavior is classified as a malicious attack, the source ip is judged to be a malicious ip, the attack instructions config set dir /root/.ssh and so on are judged to be malicious instructions, and the attack targets are the target path /root/.ssh and the target file authorized_keys.
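The event-log analysis of step 3, and the decision procedure given in the detailed description, as an added Python example that is not code from the patent: it aggregates threat logs by session id into time-ordered event logs, applies the page's three judgements (repeated password authentication within a short time; file query or modification after authentication; every instruction after a successful authentication other than a direct exit is an attack instruction) and extracts the attack target's path, name and content. The burst threshold (3 AUTH attempts within 60 s), the command-to-class mapping, and the sample threat logs (two constructed sessions, one mirroring the page's authorized_keys write with the key replaced by a placeholder, one unauthenticated probe) are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for "password authentication multiple times in a short
# time" (the page gives no numbers) and assumed command-to-class mapping.
AUTH_BURST, AUTH_WINDOW = 3, timedelta(seconds=60)
FILE_MODIFY = ("config set", "set", "save", "bgsave", "flushall")
FILE_QUERY = ("config get", "keys", "get", "scan", "dump", "info")

def classify(original):
    """Class of one instruction: exit, authentication, file query/modification or unknown."""
    words = original.lower().split()
    if not words or words[0] in ("quit", "exit"):
        return "exit"
    if words[0] == "auth":
        return "authentication"
    for cls, prefixes in (("file modification", FILE_MODIFY), ("file query", FILE_QUERY)):
        if any(" ".join(words[:len(p.split())]) == p for p in prefixes):
            return cls
    return "unknown"  # kept for review as a candidate 0day / unseen technique

def build_event_logs(threat_logs):
    """Aggregate threat logs with the same session id into time-ordered event logs."""
    events = defaultdict(list)
    for log in threat_logs:
        events[log["Session_id"]].append(log)
    return {sid: sorted(ops, key=lambda o: o["Date"]) for sid, ops in events.items()}

def extract_target(instructions):
    """Attack target: path, name and content of the file being written (assumed fields)."""
    target = {}
    for ins in instructions:
        w = ins.split()
        if len(w) >= 4 and [x.lower() for x in w[:2]] == ["config", "set"]:
            if w[2].lower() == "dir":
                target["path"] = w[3]
            elif w[2].lower() == "dbfilename":
                target["name"] = w[3]
        elif len(w) >= 3 and w[0].lower() == "set":
            target["content"] = " ".join(w[2:])
    return target

def analyse_event(session_id, ops):
    """Apply the page's decision procedure to one event log (ops sorted by Date)."""
    auth = [(i, datetime.strptime(o["Date"], "%Y-%m-%d %H:%M:%S.%f"))
            for i, o in enumerate(ops) if classify(o["Original log"]) == "authentication"]
    # 1) AUTH_BURST authentication attempts inside AUTH_WINDOW = password blasting.
    blasting = any(auth[i + AUTH_BURST - 1][1] - auth[i][1] <= AUTH_WINDOW
                   for i in range(len(auth) - AUTH_BURST + 1))
    # 2) Everything after the first successful AUTH, except a direct exit, is an attack instruction.
    ok = [i for i, _ in auth if ops[i]["operation_info"].get("result") == "OK"]
    attacks = [o["Original log"] for o in (ops[ok[0] + 1:] if ok else [])
               if classify(o["Original log"]) != "exit"]
    types = {classify(a) for a in attacks} - {"authentication"}
    if blasting:
        types.add("password blasting")
    # 3) Malicious if blasting or file query/modification after auth; otherwise tentative.
    malicious = blasting or bool(types & {"file query", "file modification"})
    return {"session_id": session_id, "malicious": malicious,
            "malicious_ip": ops[0]["src_ip"] if malicious else None,
            "attack_types": sorted(types) if malicious else [],
            "attack_instructions": attacks if malicious else [],
            "attack_target": extract_target(attacks) if malicious else {}}

def _log(sid, ip, date, original, result="OK"):
    """Constructed threat log in the structure the page shows."""
    return {"Session_id": sid, "Date": date, "src_ip": ip, "src_port": 51704,
            "operation_info": {"operation": " ".join(original.split()[:3]), "result": result},
            "Original log": original}

# Constructed sample: session a brute-forces the password and then repeats the
# page's authorized_keys write (key replaced by a placeholder); session b only probes.
SAMPLE_LOGS = [
    _log("a", "198.51.100.7", "2019-08-21 16:35:40.100", "auth 123456", "ERR invalid password"),
    _log("a", "198.51.100.7", "2019-08-21 16:35:40.300", "auth admin", "ERR invalid password"),
    _log("a", "198.51.100.7", "2019-08-21 16:35:40.500", "auth GUESSED-PASSWORD-PLACEHOLDER"),
    _log("a", "198.51.100.7", "2019-08-21 16:35:41.845", "config set dir /root/.ssh"),
    _log("a", "198.51.100.7", "2019-08-21 16:35:42.010", "config set dbfilename authorized_keys"),
    _log("a", "198.51.100.7", "2019-08-21 16:35:42.200", "set xxx ssh-rsa KEY-PLACEHOLDER root@test"),
    _log("a", "198.51.100.7", "2019-08-21 16:35:42.400", "save"),
    _log("b", "203.0.113.9", "2019-08-21 17:01:00.000", "info", "NOAUTH Authentication required."),
    _log("b", "203.0.113.9", "2019-08-21 17:01:02.000", "quit"),
]

def analyse_all(threat_logs=SAMPLE_LOGS):
    """Session id -> analysis result for every event log built from the threat logs."""
    return {sid: analyse_event(sid, ops) for sid, ops in build_event_logs(threat_logs).items()}
```

Session a is flagged on both rules (a burst of AUTH attempts, then file modification after the successful one) and yields path, name and content as its target; session b never authenticates, so under the page's procedure its probe counts as tentative or learning behaviour and produces no malicious ip. Commands outside the two mappings fall into the unknown class the page reserves for discovering new techniques.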
4. Storing the malicious instructions:
Finally, the recorded malicious ip, attack instructions and attack targets are stored in a MongoDB database. It is first judged whether the malicious ip, attack instructions, attack targets and so on in the new event log already exist in the database, with complete matching as the criterion. If they exist, only the original event log is stored for backtracking, which keeps the database from growing too large. If this is the first such attack, the malicious ip, attack instructions, attack targets and original event log are all stored in the database.
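Step 4's first-seen rule as an added Python example, not the patent's own code: an in-memory stand-in for the MongoDB collections (assumed layout) that inserts an ip, an instruction or a target only when no completely matching entry is already present, while appending every original event log for backtracking. The constructed analysis results, and the reading that a session counts as first-seen when any of its three attributes is new, are this example's assumptions.

```python
class MaliciousStore:
    """In-memory stand-in for the page's MongoDB storage (assumed layout): three
    first-seen-only collections plus an append-only list of original event logs."""

    def __init__(self):
        self.ips, self.instructions, self.targets, self.original_logs = {}, {}, {}, []

    def store(self, result, event_log):
        """Store one analysed event log; returns True when it is a first-seen attack.

        result: analysis output (session_id, malicious_ip, attack_instructions,
        attack_target); event_log: the session's raw threat logs.  Complete match is
        the criterion: an ip, instruction or target is known only if an identical
        one is already stored.  The original log is always kept for backtracking.
        """
        sid = result["session_id"]
        self.original_logs.append({"session_id": sid, "event_log": event_log})
        first_seen = False
        ip = result.get("malicious_ip")
        if ip and ip not in self.ips:
            self.ips[ip] = sid
            first_seen = True
        for ins in result.get("attack_instructions", []):
            if ins not in self.instructions:
                self.instructions[ins] = sid
                first_seen = True
        target = tuple(sorted(result.get("attack_target", {}).items()))
        if target and target not in self.targets:
            self.targets[target] = sid
            first_seen = True
        return first_seen

    def backtrack(self, session_id):
        """Every stored original event log of one session, for later review."""
        return [e["event_log"] for e in self.original_logs if e["session_id"] == session_id]

# Constructed analysis results: the page's authorized_keys write seen from one
# source, then repeated, then one of its instructions reused from a new source.
RESULT_A = {"session_id": "a", "malicious_ip": "198.51.100.7",
            "attack_instructions": ["config set dir /root/.ssh",
                                    "config set dbfilename authorized_keys", "save"],
            "attack_target": {"path": "/root/.ssh", "name": "authorized_keys"}}
RESULT_C = {"session_id": "c", "malicious_ip": "203.0.113.9",
            "attack_instructions": ["config set dir /root/.ssh"],
            "attack_target": {"path": "/root/.ssh", "name": "authorized_keys"}}

def demo():
    """Run the first-seen rule over the constructed results; returns the verdicts and the store."""
    store = MaliciousStore()
    raw = [{"Original log": "config set dir /root/.ssh"}]  # constructed stand-in event log
    first = store.store(RESULT_A, raw)
    repeat = store.store(RESULT_A, raw)
    other_source = store.store(RESULT_C, raw)
    return first, repeat, other_source, store
```

The second store of RESULT_A adds nothing but the original event log, which is the size-control the page describes; RESULT_C still counts as first-seen because its source ip is new even though its instruction and target are already known.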
The above embodiments only express specific embodiments of the present invention, and although their description is relatively specific and detailed, it should not be construed as limiting the scope of the invention. A person skilled in the art can make several variations and modifications without departing from the inventive concept, and these fall within the scope of the present invention.

Claims (10)

1. A redis honeypot deployment system, comprising:
the flow monitoring module is used as a redis proxy server and used for acquiring communication data of interaction between a redis client and a redis actual server;
the flow analysis module is used for converting the communication data acquired by the flow monitoring module into plaintext data which is easy to identify and generalizing a threat log;
the data reporting module is used for forwarding the generalized threat logs to the cloud analysis module in real time through an Hpfeeds protocol;
the cloud analysis module is used for analyzing the log data of the reported threat logs and making a defense strategy;
and the data storage module is used for storing the log data into a database for backtracking.
2. The redis honeypot deployment system of claim 1, wherein the default port of the redis real server is modified to be an unoccupied port, the socket and select modules of the python script build a redis proxy server that monitors the original default port of the redis real server and monitors redis client information on that port in real time, and the traffic monitoring module collects the traffic on the original default port by forwarding communication data between the redis real server and the redis client.
3. The redis honeypot deployment system of claim 1, wherein the traffic parsing module converts the received communication data into plaintext data that is easy to recognize by interpreting a redis underlying communication protocol, and generates a threat log in a unified format by combining parameters of socket connection and original instructions of redis parsing.
4. The redis honeypot deployment system of claim 3, wherein the threat logs comprise a session id, a source ip, a source port, an operation instruction time, operation details, and an original log.
5. The redis honeypot deployment system of claim 4, wherein after a redis client connects to the redis, the python script randomly generates a unique session id, and all operations performed by the redis client belong to the session id.
6. The redis honeypot deployment system of claim 5, wherein a basic analysis unit of the cloud analysis module is an event log, the event log includes logs with the same session id in threat logs uploaded by an Hpfeeds protocol, and the event log is analyzed as a malicious ip, an attack instruction and an attack target.
7. The redis honeypot deployment system of claim 6, wherein the analysis of the event log as malicious ip, attack directives, and attack targets specifically comprises: firstly, judging whether a user carries out password authentication for multiple times in a short time or whether file inquiry or file modification actions are carried out after authentication, if so, determining that the event is a malicious event, wherein the source ip of the user is a malicious ip, and if not, indicating that the user only carries out tentative or learning behaviors and is not malicious operation; secondly, whether password authentication is carried out for multiple times in a short time is judged according to the operation instruction of the user, and if yes, the attack instruction is of a password blasting type.
8. The redis honeypot deployment system of claim 7, wherein after the user completes authentication, the operation instructions of the user are extracted, and if the operation instructions are not instructions for direct exit, all the operation instructions are attack instructions, and the attack instructions include file query type attack instructions and file modification type attack instructions.
9. The redis honeypot deployment system of claim 8, wherein the attack instructions further comprise unknown class attack instructions to discover a 0day bug.
10. The redis honeypot deployment system of claim 9, wherein the data storage module stores malicious ip, attack instructions, attack targets, and original logs respectively, associates with session id, compares stored data when a new instruction arrives, adds storage if it is an attack instruction that occurs for the first time, otherwise only stores original logs, facilitating backtracking.
Application CN201911083788.6A, priority date 2019-11-07, filing date 2019-11-07, title: redis honeypot deployment system, status: Pending, publication: CN110855659A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911083788.6A CN110855659A (en) 2019-11-07 2019-11-07 redis honeypot deployment system

Publications (1)

Publication Number Publication Date
CN110855659A true CN110855659A (en) 2020-02-28

Family

ID=69598916

Country Status (1)

Country Link
CN (1) CN110855659A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111541645A (en) * 2020-03-24 2020-08-14 国家计算机网络与信息安全管理中心 VoIP service knowledge base construction method and system
CN111835758A (en) * 2020-07-10 2020-10-27 四川长虹电器股份有限公司 Honeypot attacker tracing method based on TCP/UDP transparent proxy
CN112532636A (en) * 2020-12-02 2021-03-19 赛尔网络有限公司 Malicious domain name detection method and device based on T-Pot honeypot and backbone network flow
CN112637244A (en) * 2021-01-08 2021-04-09 江苏天翼安全技术有限公司 Threat detection method for common and industrial control protocols and ports
CN113162948A (en) * 2021-05-12 2021-07-23 上海交通大学宁波人工智能研究院 Modularized industrial control honey pot system
CN113329062A (en) * 2021-05-10 2021-08-31 灵羲科技(北京)有限公司 Data sharing method and device, electronic equipment and storage medium
CN114422490A (en) * 2021-11-16 2022-04-29 云南电网有限责任公司信息中心 Numerical control drainage method and system based on openness

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104980423A (en) * 2014-11-26 2015-10-14 哈尔滨安天科技股份有限公司 Advanced persistent threat trapping system and method
CN105357179A (en) * 2015-09-29 2016-02-24 深信服网络科技(深圳)有限公司 Network attack handling method and network attack handling device
WO2018022259A1 (en) * 2016-07-26 2018-02-01 Microsoft Technology Licensing, Llc Remediation for ransomware attacks on cloud drive folders
CN107707576A (en) * 2017-11-28 2018-02-16 深信服科技股份有限公司 A kind of network defense method and system based on Honeypot Techniques

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200228