CN111083117A - Botnet tracking and tracing system based on honeypots

Publication number: CN111083117A
Application number: CN201911161703.1A
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 邹福泰, 王林, 章思宇, 姜开达, 肖子彤, 吴越
Current Assignee: Shanghai Jiaotong University
Original Assignee: Shanghai Jiaotong University
Legal status: Pending
Prior art keywords: honeypot, botnet, honeypots, attack, communication

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

The invention discloses a honeypot-based botnet tracking and tracing system in the field of computer network security, comprising a honeypot system, a log recording and analyzing system, and a botnet tracking system. The system captures and records the attack process using honeypots placed behind a forwarding agent: the honeypot only receives traffic from the forwarding agent, and all traffic it sends outward passes through the forwarding agent. The forwarding agent is deployed in the network, where it receives, records and forwards the attacker's requests, while the honeypot bears and isolates the attack. The system uses the forwarding agent to monitor the outbound connections of honeypots infected with malicious samples, to record botnet activity, and to raise alarms on discovered attack behavior. Compared with a traditional honeypot system, the system has better concealment and flexibility, and can be flexibly expanded according to usage.

Description

Botnet tracking and tracing system based on honeypots
Technical Field
The invention relates to the field of computer network security, in particular to a botnet tracing system based on honeypots.
Background
A botnet is a network composed of infected hosts. The malicious process running on an infected host is called a bot, and the attacker operates a control server (C&C server) to issue instructions that direct attacks against external targets. The greatest advantage of a botnet is the large number of hosts it makes available for attack. Botnets are one of the most serious security threats in today's network environment and are used for a variety of malicious activities against systems and services, including denial-of-service attacks, spam distribution, phishing, click fraud, and the like. Most botnets communicate over common protocols and use hiding techniques to conceal the back-end C&C server, which makes them difficult to detect and monitor. Because of their large scale and strong concealment, botnets have become one of the biggest threats to network security.
The lifecycle of a botnet comprises six phases: construction, recruitment, interaction, sales, attack execution, and completion. The phases are linear, which means that the successful execution of a botnet attack requires the successful completion of all previous phases. Most botnets use hiding techniques to ensure their own concealment; common techniques currently include encryption, polymorphism, IP spoofing, FF networks, and the like.
There are currently two main methods for detecting botnets: honeypot-based detection and traffic-monitoring-based detection. Honeypots are widely used in malicious sample collection and research. Detection based on traffic monitoring can be subdivided into signature-based, anomaly-based, DNS-based, and data-mining-based detection. Effective network security management depends in large part on accurate, concise, and high-quality information about malicious activities in a network, and honeypots are an effective tool for obtaining it. Although honeypots cannot directly detect infection, they are one of the most effective tools for collecting and studying malicious samples. Honeypots also have their disadvantages. In summary, botnet tracking tools require an understanding of the botnet's C&C communication mode; otherwise they would be recognized by attackers because of communication errors during the interaction phase. The continued progress of inverse analysis techniques makes the development of tracking tools more difficult.
Therefore, those skilled in the art are working to develop a honeypot-based botnet tracing system which, combined with manual analysis of malicious samples and assisted by a log recording and analyzing system, traces botnets by simulating or analyzing the communication within them.
Disclosure of Invention
In view of the above defects in the prior art, the technical problem to be solved by the present invention is to develop a novel honeypot tracing system which has better concealment and flexibility and can be flexibly expanded according to usage.
To achieve this purpose, the invention provides a botnet tracking and tracing system based on honeypots, characterized by comprising a honeypot system, a log recording and analyzing system, and a botnet tracking system. The honeypot system comprises a forwarding agent and a honeypot, and is used for forging a real network environment and capturing malicious samples. The forwarding agent is deployed at the network boundary; it acquires and records communication from the Internet, forwards it to the honeypot, maintains the communication between the two parties while an attack is carried out, and finally stores the attack process as a log. The honeypot bears the attack and confines the attacker's activity within the honeypot. The log recording and analyzing system works together with the honeypot system: the attack process is recorded in log form, and an attack portrait and malicious samples are extracted from the log. The botnet tracking system isolates and listens to the communication between infected honeypots and attackers in order to record attacker behavior and botnet activity.
Further, the honeypot system monitors the honeypot using only the forwarding agent.
Further, the honeypot system maintains a honeynet architecture, so that a virtual network structure is formed among a plurality of honeypots to confuse attackers.
Further, malicious samples captured by the log recording and analyzing system may be used for tracking and tracing the botnet and for protecting against attacks.
Further, the botnet tracking system may be used to discover attack behavior and give early warning of it.
Further, the malicious sample is analyzed manually.
Further, the botnet tracking system tracks the botnet by simulating or analyzing the communication in the botnet.
Further, the communication mode of the botnet may be used for research and defense.
The invention also provides a honeypot-based process for capturing botnet malicious samples, characterized by comprising the following steps:
step 101, deploying and configuring honeypots, wherein the honeypots may be Docker containers, virtual machines and the like, and basic network services such as FTP (File Transfer Protocol) and Web are configured in the honeypots;
step 102, deploying forwarding agents at different positions in the network, opening general service ports such as 22 and 80 to the outside, setting the honeypots as the forwarding destinations, and configuring honeynet nodes to form a false network structure among the honeypots;
step 103, an attacker finds the open ports of the forwarding agent with a scanning tool and attacks;
step 104, the forwarding agent receives the attacker's connection request, forwards the communication to the honeypot, and stores all the communication as a log;
step 105, the honeypot lets the attack proceed normally and isolates the attack within the honeypot;
and step 106, if the attacker tries to use the infected honeypot as a springboard to attack other hosts in the internal network, the forwarding agent forwards the attack to other honeypots, so that the attacker mistakenly believes they are inside an organization's network.
The invention also provides a honeypot-based botnet tracking and tracing process, characterized by comprising the following steps:
step 107, expert A analyzes the log stored in the infected honeypot;
step 108, expert A uses the log recording and analyzing system to perform preliminary processing on the log to obtain an attack portrait and a malicious sample;
step 109, expert A performs reverse analysis on the malicious sample to obtain the address of the C&C server, the communication protocol between the bot and the C&C server, and the encryption mode;
step 110, the information obtained by the analysis is used to refine the forwarding agent;
step 111, the forwarding agent intercepts and records the communication between the malicious sample in the infected honeypot and the outside world, and stores the communication as a log;
step 112, the communication traffic of the infected honeypots is monitored;
and step 113, if an attack instruction is found during monitoring, an alarm is raised.
The invention uses honeypots placed behind a forwarding agent to capture and record the attack process. The forwarding agent is deployed in the network, where it receives, records and forwards the attacker's requests, while the honeypot bears and isolates the attack. Honeypots only accept traffic from agents, and all traffic they send out goes through agents. Besides recording the attack process and forwarding the attacker's commands, the forwarding agent also maintains the structure of the honeynet. Specifically, each honeypot in the honeynet is assigned one IP address or a range of IP addresses; when an agent detects that a honeypot has sent a malicious data packet whose destination address is one of these assigned IPs, the packet is forwarded to the agent of the other honeypot that owns the address, simulating a real network environment. This approach effectively counters behavior-based honeypot detection methods. As for honeypot detection methods based on system-level fingerprinting and on detection vectors, the honeypot system monitors traffic through the forwarding agent and does not run a monitoring tool on the honeypot directly, which reduces the probability of being detected by these two methods.
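The forwarding rules described above (exposed ports lead to a honeypot, honeypot traffic aimed at a honeynet address is redirected to the honeypot that owns it, and traffic to or from an analyzed C&C address is relayed, recorded and checked for attack instructions as in steps 110 to 113) can be sketched as a decision function. This is an added example, not code from the patent; the class and field names, all addresses, the `FLOOD ` marker, and the choice to hold any other outbound honeypot traffic are assumptions.

```python
import ipaddress
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Honeypot:
    name: str
    addr: str    # isolated address the agent uses to reach the honeypot
    plays: str   # address or range this honeypot plays in the false network


@dataclass
class ForwardingAgent:
    honeypots: list
    exposed: dict                               # public port -> honeypot name
    cc_watch: set = field(default_factory=set)  # C&C addresses from reverse analysis
    markers: tuple = ()                         # byte patterns tied to attack instructions
    log: list = field(default_factory=list)     # one JSON line per handled message

    def _at(self, ip):
        """Honeypot whose real address is ip, or None."""
        return next((h for h in self.honeypots if h.addr == ip), None)

    def _playing(self, ip):
        """Honeypot that owns ip inside the false network, or None."""
        target = ipaddress.ip_address(ip)
        for h in self.honeypots:
            if target in ipaddress.ip_network(h.plays, strict=False):
                return h
        return None

    def handle(self, src, dst, dport, payload=b""):
        """Decide what happens to one message and append the decision to the log."""
        rec = {"src": src, "dst": dst, "dport": dport, "bytes": len(payload),
               "action": "hold", "target": None, "alert": False}
        bot = self._at(src)
        if bot is None and src in self.cc_watch and self._at(dst):
            # Reply from a watched C&C server to an infected honeypot.
            rec.update(action="relay-cc", target=self._at(dst).name)
        elif bot is None:
            # Traffic from the Internet: only the exposed ports lead to a honeypot.
            if dport in self.exposed:
                rec.update(action="forward", target=self.exposed[dport])
            else:
                rec["action"] = "closed"
        elif (peer := self._playing(dst)) is not None and peer is not bot:
            # Lateral movement: hand the packet to the honeypot that owns the address.
            rec.update(action="redirect", target=peer.name)
        elif dst in self.cc_watch:
            rec.update(action="relay-cc", target=dst)
        # Assumption: any other traffic leaving a honeypot stays at "hold".
        if rec["action"] == "relay-cc":
            rec["alert"] = any(m in payload for m in self.markers)
        self.log.append(json.dumps(rec))
        return rec


def demo():
    """Run constructed messages through the agent (documentation-range addresses)."""
    agent = ForwardingAgent(
        honeypots=[Honeypot("web", "172.16.0.10", "10.20.0.10"),
                   Honeypot("files", "172.16.0.11", "10.20.0.32/28")],
        exposed={22: "web", 80: "web"},
        cc_watch={"203.0.113.7"},
        markers=(b"FLOOD ",),   # constructed marker, not a real botnet protocol
    )
    messages = [
        ("198.51.100.23", "192.0.2.1", 22, b"SSH-2.0-client\r\n"),           # step 104
        ("198.51.100.23", "192.0.2.1", 3389, b""),                           # port not opened
        ("172.16.0.10", "10.20.0.35", 445, b"\x00probe"),                    # step 106
        ("172.16.0.10", "203.0.113.7", 6667, b"HELLO bot-1\n"),              # step 111
        ("203.0.113.7", "172.16.0.10", 6667, b"FLOOD 198.51.100.99 80\n"),   # step 113
        ("172.16.0.10", "198.51.100.99", 80, b"GET / HTTP/1.1\r\n"),         # held
    ]
    return [agent.handle(*m) for m in messages], agent


if __name__ == "__main__":
    for decision in demo()[0]:
        print(decision)
```

Holding the last message keeps an infected honeypot from taking part in the attack it was ordered to run, while the alert on the preceding C&C message still records the instruction.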
The conception, specific structure and technical effects of the present invention are further described below with reference to the accompanying drawings, so that its objects, features and effects can be fully understood.
Drawings
FIG. 1 is a schematic diagram of the honeypot-based botnet tracking and tracing system in accordance with a preferred embodiment of the present invention;
FIG. 2 is a flowchart of the operation of the honeypot-based botnet tracking and tracing system in accordance with a preferred embodiment of the present invention;
FIG. 3 is a schematic diagram of the honeypot system of the honeypot-based botnet tracking and tracing system in accordance with a preferred embodiment of the present invention;
FIG. 4 is a schematic diagram of the log recording and analyzing system of the honeypot-based botnet tracking and tracing system in accordance with a preferred embodiment of the present invention;
FIG. 5 is a schematic diagram of the botnet tracking system of the honeypot-based botnet tracking and tracing system in accordance with a preferred embodiment of the present invention.
Detailed Description
The technical contents of the preferred embodiments of the present invention will be understood more clearly and easily by referring to the drawings attached to the specification. The present invention may be embodied in many different forms, and the scope of the invention is not limited to the embodiments set forth herein.
As shown in FIG. 1, the invention designs a honeypot-based botnet tracking and tracing system which forges a real network environment through honeynets and forwarding agents and monitors the honeypots using only the forwarding agents, thereby improving concealment and deception. The botnet tracking system is deployed in a network; the honeypot system captures malicious samples, the malicious samples are analyzed manually, and, with the assistance of the log recording and analyzing system, the botnet is tracked by simulating or analyzing the communication in the botnet. The system consists of the following modules:
1) the honeypot system: deployed at the network boundary, it acquires and records communication from the Internet, forwards the communication to the honeypot, maintains the communication between the two parties while the attack is carried out, and finally stores the attack process as a log;
2) the log recording and analyzing system: working together with the honeypot system, it records the attack process in log form and extracts an attack portrait and malicious samples by analyzing the log;
3) the botnet tracking system: it records attacker behavior and discovers and raises alarms on attack activity, either by simulating the communication between the malicious sample and its C&C server or by isolating and monitoring the communication of the infected honeypot.
The workflow of the honeypot-based botnet tracking and tracing system is shown in FIG. 2.
Honeypot systems are deployed at different positions in the network. The target honeypot may be a Docker container, a virtual machine or a physical host, chosen according to actual conditions, and the corresponding services are configured in it. To save resources, honeypot systems at different locations can share the same target honeypot. Since honeypots do not provide any actual service, any access to or operation on a honeypot is considered suspicious attack behavior. A normally operating honeypot captures all attack behavior with no missed detections. In the system designed by the invention, the honeypot saves all communication between the attacker and the honeypot during the attack as a log. Next, manual work is introduced to process the log. First, the log is given preliminary processing by the log recording and analyzing system, which can reconstruct the attack flow and extract the tools and malicious samples uploaded by the attacker. Next, expert A performs reverse analysis on the malicious sample to obtain the address of the C&C server, the communication protocol between the bot and the C&C server, and the encryption mode. Finally, the infected honeypots are monitored according to the information obtained by the analysis to obtain a record of botnet activity.
FIG. 3 shows the honeypot system of the honeypot-based botnet tracking and tracing system.
The honeypot system is the main component of the system. Its aim is to provide a forged network environment that simulates a real system and attracts attackers to attack it, so as to obtain the attack process and malicious samples; in addition, the infected honeypot can be used for subsequent botnet tracking. The module consists mainly of a forwarding agent part and a honeypot part. The forwarding agent is deployed in the network, exposes ports to the outside world, and waits for an attacker to connect. When the agent receives an attacker's connection request, it establishes a connection with the corresponding honeypot, records the data messages sent by the attacker, and forwards them to the honeypot. The honeypot bears attacks and isolates malicious samples; honeypots are managed manually and can be Docker containers, virtual machines or isolated real hosts.
FIG. 4 shows the log recording and analyzing system of the honeypot-based botnet tracking and tracing system.
The log recording and analyzing system aims to provide a logging function while the honeypot system is working and to assist security personnel in analyzing the attack process. While the honeypot system is running, it calls a logging interface to pass the captured communication to the log recording and analyzing system, which records the attack process in a format that is easy for security personnel to analyze. In addition, while analyzing malicious samples, researchers call a log analysis interface to obtain the analysis of the attack process and the malicious samples captured by the honeypot system.
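The preliminary processing described above (turning the agent's log into an attack portrait and carving out uploaded samples) can be illustrated with a small parser. This is an added example, not code from the patent; the JSON-lines record format with base64 payloads, the field names and all sample values are assumptions, and the log lines are constructed.

```python
import base64
import hashlib
import json
import re

URL_RE = re.compile(rb"https?://[^\s'\";]+")
MAGIC = {b"\x7fELF": "elf", b"MZ": "pe"}   # executable headers worth carving out


def _line(ts, sid, src, dport, direction, data):
    """Build one constructed log line in the assumed agent format."""
    return json.dumps({"ts": ts, "sid": sid, "src": src, "dport": dport,
                       "dir": direction, "data": base64.b64encode(data).decode()})


def build_portraits(lines):
    """Group agent log lines by session and summarise what each attacker did."""
    sessions = {}
    for raw in lines:
        try:
            rec = json.loads(raw)
            data = base64.b64decode(rec["data"], validate=True)
            sid = str(rec["sid"])
        except (ValueError, KeyError, TypeError):
            continue   # truncated or foreign line: skip it, keep processing
        p = sessions.setdefault(sid, {"src": rec.get("src"), "dport": rec.get("dport"),
                                      "first": rec.get("ts"), "last": rec.get("ts"),
                                      "input": [], "urls": [], "samples": {}})
        p["last"] = rec.get("ts")          # the log is assumed to be in time order
        if rec.get("dir") != "in":         # only attacker-to-honeypot data is profiled
            continue
        kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), None)
        if kind:
            # Uploaded executable: identify it by hash, never execute or render it.
            digest = hashlib.sha256(data).hexdigest()
            p["samples"][digest] = {"type": kind, "size": len(data)}
            continue
        for text in data.decode("utf-8", "replace").splitlines():
            if text.strip():
                p["input"].append(text.strip())
        for url in URL_RE.findall(data):
            if url.decode() not in p["urls"]:
                p["urls"].append(url.decode())
    return sessions


# Constructed sample data: documentation-range addresses and a harmless placeholder blob.
SAMPLE_BLOB = b"\x7fELF" + bytes(12) + b"constructed-not-malware"
SAMPLE_LOG = [
    _line("2024-01-01T03:14:07Z", "s1", "198.51.100.23", 21, "in", b"USER admin\r\n"),
    _line("2024-01-01T03:14:08Z", "s1", "198.51.100.23", 21, "out",
          b"331 Password required\r\n"),
    _line("2024-01-01T03:14:15Z", "s1", "198.51.100.23", 21, "in",
          b"PASS admin\r\nSTOR update.bin\r\n"),
    _line("2024-01-01T03:14:20Z", "s1", "198.51.100.23", 21, "in", SAMPLE_BLOB),
    '{"ts": "2024-01-01T03:14:21Z", "sid": "s1", "da',   # truncated write
    _line("2024-01-01T04:00:00Z", "s2", "192.0.2.77", 80, "in",
          b"POST /upload HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
          b"url=http://203.0.113.7/bot.sh\r\n"),
]

if __name__ == "__main__":
    print(json.dumps(build_portraits(SAMPLE_LOG), indent=2))
```

The URLs and sample hashes in each portrait are the starting points for the reverse analysis that yields the C&C address and protocol.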
FIG. 5 shows the botnet tracking system of the honeypot-based botnet tracking and tracing system.
The communication between the botnet malicious sample and the C&C server is monitored by setting up a forwarding agent. The forwarding agent intercepts, records and forwards the communication between the C&C server and the malicious sample.
The foregoing is a detailed description of the preferred embodiments of the invention. It should be understood that those skilled in the art could devise numerous modifications and variations in light of the present teachings without departing from the inventive concept. Therefore, technical solutions that those skilled in the art can obtain through logical analysis, reasoning or limited experiments on the basis of the prior art and according to the concept of the present invention should fall within the scope of protection defined by the claims.

Claims (10)

1. A botnet tracking and tracing system based on honeypots, characterized by comprising a honeypot system, a log recording and analyzing system and a botnet tracking system; the honeypot system comprises a forwarding agent and a honeypot, and is used for forging a real network environment and capturing malicious samples; the forwarding agent is deployed at the network boundary and is used for acquiring and recording communication from the Internet, forwarding the communication to the honeypot, maintaining the communication between the two parties while an attack is carried out, and finally storing the attack process as a log, wherein the honeypot bears the attack and confines the attacker's activity within the honeypot; the log recording and analyzing system works together with the honeypot system, the attack process is recorded in log form, and an attack portrait and malicious samples are extracted from the log; the botnet tracking system isolates and listens to the communication between infected honeypots and attackers to record attacker behavior and botnet activity.
2. The honeypot-based botnet tracking and tracing system of claim 1, wherein the honeypot system monitors the honeypot using only the forwarding agent.
3. The honeypot-based botnet tracking and tracing system of claim 1, wherein the honeypot system maintains a honeynet architecture that forms a virtual network structure among a plurality of honeypots to confuse attackers.
4. The honeypot-based botnet tracking and tracing system of claim 1, wherein malicious samples captured by the log recording and analyzing system can be used for tracking and tracing botnets and for defending against attacks.
5. The honeypot-based botnet tracking and tracing system of claim 1, wherein the botnet tracking system can be used to discover attack behavior and give early warning of it.
6. The honeypot-based botnet tracking and tracing system of claim 1, wherein the malicious samples are analyzed manually.
7. The honeypot-based botnet tracking and tracing system of claim 1, wherein the botnet tracking system tracks botnets by simulating or analyzing the communication in botnets.
8. The honeypot-based botnet tracking and tracing system of claim 1, wherein the communication mode of the botnet can be used for research and defense.
9. A honeypot-based process for capturing botnet malicious samples, characterized by comprising the following steps:
step 101, deploying and configuring honeypots, wherein the honeypots may be Docker containers, virtual machines and the like, and basic network services such as FTP (File Transfer Protocol) and Web are configured in the honeypots;
step 102, deploying forwarding agents at different positions in the network, opening general service ports such as 22 and 80 to the outside, setting the honeypots as the forwarding destinations, and configuring honeynet nodes to form a false network structure among the honeypots;
step 103, an attacker finds the open ports of the forwarding agent with a scanning tool and attacks;
step 104, the forwarding agent receives the attacker's connection request, forwards the communication to the honeypot, and stores all the communication as a log;
step 105, the honeypot lets the attack proceed normally and isolates the attack within the honeypot;
and step 106, if the attacker tries to use the infected honeypot as a springboard to attack other hosts in the internal network, the forwarding agent forwards the attack to other honeypots, so that the attacker mistakenly believes they are inside an organization's network.
10. A honeypot-based botnet tracking and tracing process, characterized by comprising the following steps:
step 107, expert A analyzes the log stored in the infected honeypot;
step 108, expert A uses the log recording and analyzing system to perform preliminary processing on the log to obtain an attack portrait and a malicious sample;
step 109, expert A performs reverse analysis on the malicious sample to obtain the address of the C&C server, the communication protocol between the bot and the C&C server, and the encryption mode;
step 110, the information obtained by the analysis is used to refine the forwarding agent;
step 111, the forwarding agent intercepts and records the communication between the malicious sample in the infected honeypot and the outside world, and stores the communication as a log;
step 112, the communication traffic of the infected honeypots is monitored;
and step 113, if an attack instruction is found during monitoring, an alarm is raised.
Application CN201911161703.1A (priority date 2019-11-22, filing date 2019-11-22): Botnet tracking and tracing system based on honeypots. Status: Pending. Published as CN111083117A (en).


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200428