CN111343174A - Intelligent learning type self-response industrial internet honeypot induction method and system - Google Patents


Info

Publication number: CN111343174A
Authority: CN (China)
Prior art keywords: response, request, probability, sequence, prediction model
Legal status: Granted
Application number: CN202010109410.5A
Other languages: Chinese (zh)
Other versions: CN111343174B (en)
Inventors: 王文君, 赵杰, 达盼飞, 郑力达, 李明蕊, 魏国富, 殷钱安, 梁淑云
Current assignee: Information and Data Security Solutions Co Ltd
Original assignee: Information and Data Security Solutions Co Ltd

Events:
Application filed by Information and Data Security Solutions Co Ltd
Priority to CN202010109410.5A
Publication of CN111343174A
Application granted
Publication of CN111343174B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/23 Updating
    • G06F16/2308 Concurrency control
    • G06F16/2315 Optimistic concurrency control
    • G06F16/2322 Optimistic concurrency control using timestamps
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2458 Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
    • G06F16/2465 Query processing support for facilitating data mining operations in structured databases
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Abstract

The invention provides an intelligent learning type self-response industrial internet honeypot induction method and system. The method comprises: sample data processing, in which the service request commands of an industrial environment under normal conditions within a set time period, the devices responding to those commands and the response content are periodically collected and processed into request response sequences that serve as the model training sample data set; response prediction model training; and threat trapping, in which the request data of the current attacker is obtained, the node where the request subsequence is located is searched on the probability suffix tree according to the current response prediction model, feedback is given to the request data and the exchange is recorded until the attack ends, after which the captured original attack request response sequence is added to the sample data set; the whole process is then repeated. By deep learning of the data interaction of various industrial control systems, the method realistically simulates those systems and services, can deceive attackers without being exposed, and provides a strong guarantee for the security of the industrial internet.

Description

Intelligent learning type self-response industrial internet honeypot induction method and system
Technical Field
The invention relates to the technical field of industrial internet security services, in particular to an intelligent learning type self-response industrial internet honeypot induction method and system.
Background
Honeypot technology is essentially a technology for deceiving attackers: hosts, network services or information are deployed as decoys to induce attackers to attack them, so that attack behavior can be captured and analyzed, the tools and methods used by attackers become known, attack intentions and motivations can be inferred, defenders gain a clear picture of the security threats they face, and the security protection capability of the real system can be strengthened through technical and management means.
Honeypot technology is generally divided into low-interaction and high-interaction honeypots according to the degree of interaction the deceptive environment provides: low-interaction honeypots generally simulate only part of the features of a piece of software, while high-interaction honeypots offer the interaction of a real system. At present, deception defense technology is mostly applied to 0-day vulnerabilities, threat trapping and intranet security defense. However, most deception defense techniques use low-interaction emulation modules with fixed reply logic and a limited level of interaction. That limited level of interaction is insufficient to withstand inspection, fails to capture a real attack, and is easily discovered by an attacker, who can then turn the deception around (counter-deception). Although the software of devices in the industrial internet is relatively simple, the effectiveness of industrial internet deception defense is compromised if responses are not handled correctly.
Application number 201711290075.8 discloses an industrial-internet-oriented industrial control protocol honeypot with a self-learning function and its application. With this self-learning honeypot, threats present in an industrial control network can be discovered timely and quickly, and industrial control equipment can be simulated ever more deeply and vividly through self-learning, so as to improve deceptiveness and enhance the ability to collect and give early warning of industrial control threats. However, that technology does not explicitly disclose the self-learning method; its self-learning process considers only the current access request and does not associate previous access requests with their response results; and it records only basic attributes of the attacker, such as the attacker's IP and the geographic location corresponding to that IP, so it cannot capture the attacker's complete behavior for use as bait in later-stage trapping.
Disclosure of Invention
The invention aims to solve the technical problem that the prior art lacks a threat trapping method under which the attacker executes the real attack behavior. It provides an intelligent learning type self-response industrial internet honeypot induction method and, correspondingly, an intelligent learning type self-response industrial internet honeypot induction system.
The invention solves the technical problem through the following technical means:
An intelligent learning type self-response industrial internet honeypot induction method comprises:
S01. Sample data processing
Service request commands of an industrial environment under normal conditions within a set time period are regularly acquired, and the different request commands are encoded so as to generate a request code sequence corresponding to the request sequence; the devices that respond to the request sequence and their response content are acquired and encoded to form a response code sequence, and the response code sequence is spliced into the request code sequence to generate a request response sequence that serves as the model training sample data set;
S02. Response prediction model training
The request response sequence from step S01 is taken as the input of a probability suffix tree algorithm and trained to obtain a response prediction model;
S03. Threat trapping
Request data of the current attacker is obtained; the node where the request subsequence of that request data is located is searched on the probability suffix tree according to the current response prediction model, and feedback is given to the request data while the request response sequence is recorded; when the next request data from the current attacker is received, it is spliced onto the historical request response sequence, and the steps of searching the node where the request subsequence is located on the probability suffix tree according to the current response prediction model and giving feedback to the request data are repeated until the attack is finished.
Training the probability suffix tree with service data from the real industrial environment yields a honeypot that simulates a real industrial control system, thereby achieving the purpose of trapping attackers. In addition, newly acquired attack data updates the sample data set in time, so that the response prediction model is updated in real time and the honeypot simulation improves.
Preferably, the method further includes step S04: adding the original attack request response sequence acquired in step S03 to the sample data set of step S01, and repeating steps S01 to S03.
Preferably, in step S02, the specific training process of the response prediction model is as follows:
S021. Preset the probability suffix tree depth L and the probability threshold Pmin;
S022. Initialize the root node from the request response sequence; the probability vector of the root node is the probability of each symbol appearing in the sequence, and the symbols whose probability is greater than Pmin form the candidate child node set;
S023. For each candidate child node, calculate the probability of that candidate appearing in the subsequence; the candidates whose probability is greater than Pmin form the new candidate child node set;
S024. Recurse over steps S021 to S023 until the tree depth on the current branch reaches the preset probability suffix tree depth L or the candidate child node set is empty.
Preferably, in step S03, the node where the request subsequence is located on the probability suffix tree is searched according to the current response prediction model. If the request subsequence is not found, "no response" is returned directly; if it is found, the response code with the maximum probability value on that node is returned, the response content corresponding to that response code is looked up and returned to the attacker, and the request response sequence is recorded at the same time. When the next request data is received, it is spliced onto the historical request response sequence and the response content corresponding to the response code with the maximum probability value is again returned through the model.
Preferably, when there are several codes with the maximum probability value, one of them is selected as the result according to a preset standard, and the response content corresponding to that code is returned.
Correspondingly, the invention also provides an intelligent learning type self-response industrial internet honeypot induction system, which comprises:
a sample data processing module, used for periodically acquiring service request commands of an industrial environment under normal conditions within a set time period and encoding the different request commands so as to generate a request code sequence corresponding to the request sequence; acquiring the devices that respond to the request sequence and their response content, encoding them to form a response code sequence, and splicing the response code sequence into the request code sequence to generate a request response sequence that serves as the model training sample data set;
a response prediction model training module, used for taking the request response sequence as the input of a probability suffix tree algorithm and training it to obtain a response prediction model;
and a threat trapping module, used for acquiring the request data of the current attacker, searching the node where the request subsequence is located on the probability suffix tree according to the current response prediction model, giving feedback to the request data while recording the request response sequence, splicing the next request data onto the historical request response sequence when it is received and returning the response result through the current response prediction model until the attack is finished, and then adding the acquired original attack request response sequence to the sample data set to obtain an updated sample data set.
Preferably, the system further comprises a learning module, which updates and iterates the response prediction model using the updated sample data set.
Preferably, the specific training process of the response prediction model is as follows:
S021. Preset the probability suffix tree depth L and the probability threshold Pmin;
S022. Initialize the root node from the request response sequence; the probability vector of the root node is the probability of each symbol appearing in the sequence, and the symbols whose probability is greater than Pmin form the candidate child node set;
S023. For each candidate child node, calculate the probability of that candidate appearing in the subsequence; the candidates whose probability is greater than Pmin form the new candidate child node set;
S024. Recurse over steps S021 to S023 until the tree depth on the current branch reaches the preset probability suffix tree depth L or the candidate child node set is empty.
Preferably, in the threat trapping module, the node where the request subsequence is located on the probability suffix tree is searched according to the current response prediction model. If the request subsequence is not found, "no response" is returned directly; if it is found, the response code with the maximum probability value on that node is returned, the response content corresponding to that response code is looked up and returned to the attacker, and the request response sequence is recorded at the same time. When the next request data is received, it is spliced onto the historical request response sequence and the response content corresponding to the response code with the maximum probability value is again returned through the model.
Preferably, when there are several codes with the maximum probability value, one of them is selected as the result according to a preset standard, and the response content corresponding to that code is returned.
The invention has the following advantages: the probability suffix tree is trained with service data from the real industrial environment to obtain a honeypot that simulates a real industrial control system, so an attacker can be deceived into executing complete attack behavior without the honeypot being exposed, while the attacker's intrusion behavior and attack types are recorded; the newly obtained attack data updates the sample data set in time, the response prediction model is updated in real time, and the honeypot simulation improves.
Drawings
Fig. 1 is a schematic structural diagram of the probabilistic suffix tree in the intelligent learning type self-response industrial internet honeypot induction method according to Embodiment 1 of the present invention;
Fig. 2 is a block diagram of the intelligent learning type self-response industrial internet honeypot induction method according to Embodiment 2 of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described below clearly and completely with reference to those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present invention.
Example 1
As shown in Fig. 1, an intelligent learning type self-response industrial internet honeypot induction method comprises:
S01. Sample data processing
The flow engine unit regularly collects the request sequences of attackers in the honeypot over a period of time (for example, 3 months) together with the service request sequences of the industrial environment under normal conditions over a period of time; the coding unit then encodes the different request commands (for example, the character 'A' represents an 'open' command) so as to generate a code sequence corresponding to the requests. Based on the attackers' request sequences and the industrial environment's service request sequences, devices in the industrial internet are selected and probed one by one under supervision; the devices that respond to each request and their response content are recorded in an original response table, and the response behaviors in that table are encoded (for example, the character 'B' represents the response 'device opened'). The response codes are spliced into the request command sequence; if a request draws no response, the code corresponding to 'no response' is spliced in instead. The request response sequence generated in this way serves as the model training sample data set.
For the regular updating of the sample data set, the flow engine unit is periodically synchronized with the industrial internet central database to acquire new original requests, and the internet of things knowledge table is searched to acquire the latest knowledge of internet of things devices.
S02. Response prediction model training
The request response sequence from step S01 is taken as the input of a probability suffix tree algorithm and trained to obtain a response prediction model. As shown in Fig. 2, the specific training process of the response prediction model is as follows:
S021. Preset the probability suffix tree depth L and the probability threshold Pmin;
S022. Initialize the root node from the request response sequence; the probability vector of the root node is the probability of each symbol appearing in the sequence, and the symbols whose probability is greater than Pmin form the candidate child node set;
S023. For each candidate child node, calculate the probability of that candidate appearing in the subsequence; the candidates whose probability is greater than Pmin form the new candidate child node set;
S024. Recurse over steps S021 to S023 until the tree depth on the current branch reaches the preset probability suffix tree depth L or the candidate child node set is empty;
S03. Threat trapping
Request data of the current attacker is obtained and the node where the request subsequence is located is searched on the probability suffix tree according to the current response prediction model. If the request subsequence is not found, 'no response' is returned directly; if it is found, the response code with the maximum probability value on that node is returned (when several codes share the maximum probability value, one of them is selected as the result according to a preset standard), the response content corresponding to that response code is looked up and returned to the attacker, and the request response sequence is recorded at the same time. When the next request data is received, it is spliced onto the historical request response sequence and the response content corresponding to the response code with the maximum probability value is again returned through the model. This continues until the attack is finished, after which the obtained original attack request response sequence is added to the sample data set of step S01;
S04. Steps S01 to S03 are repeated to complete the update iteration of the response prediction model.
For example, consider a PLC in the industrial control environment. Under normal conditions the PLC performs the corresponding action after receiving a service command. The various commands the PLC receives and the actions it performs under normal conditions are collected, the service data is gathered through the traffic engine unit, and a response prediction model is obtained through the learning algorithm model, so that a PLC industrial control honeypot is realistically simulated. After an attacker accesses the simulated PLC honeypot, the response prediction model interacts with the attacker using the learned commands and actions, so that the attacker takes the honeypot under attack to be a real PLC device; threat trapping is thereby achieved while the attacker's behavior and methods are recorded. This has three benefits: first, the source of the attacker can be traced and a basis provided for later investigation and evidence collection; second, the attacker's techniques can be mastered, providing a powerful means of defending against that behavior later; and third, by luring the attacks onto the honeypot, the real services are indirectly protected from attack.
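The training steps S021 to S024 and the trapping loop of S03 and S04 above (the same steps as restated in the Disclosure of Invention, Embodiment 2 and the claims), as an added example that is not part of the patent: a small probability suffix tree is trained on a constructed request response code sequence for one PLC, then answers a constructed attacker session and is retrained on the captured sequence. The code table (requests 'A' open, 'R' read status, 'C' close; responses 'B', 'S', 'D', and 'N' for no response), the sample traffic, the values of L and Pmin, the use of the deepest matching suffix when the full subsequence has no node of its own, and the tie-break rule are all assumptions of this example.

```python
"""PST honeypot responder following steps S01-S04 of the patent text.
Added example: sample data, code table and helper names are constructed."""
from collections import Counter
from dataclasses import dataclass, field

NO_RESPONSE = "N"   # code spliced in when a request draws no response (S01)
DEPTH = 3           # probability suffix tree depth L (S021), assumed value
PMIN = 0.03         # probability threshold Pmin (S021), assumed value

# Constructed code table: requests 'A' = open, 'C' = close, 'R' = read status;
# responses 'B' = opened, 'D' = closed, 'S' = status reply, 'N' = no response.
RESPONSE_CONTENT = {"B": "device opened", "D": "device closed",
                    "S": "status: running", NO_RESPONSE: "no response"}

# Constructed normal traffic of one PLC; each (request, response) pair is spliced
# into one string as S01 describes.  The second pattern teaches that an 'open'
# sent to an already-open device draws no response, which depends on context.
NORMAL_PAIRS = ([("A", "B"), ("R", "S"), ("C", "D"), ("R", "S")] * 5
                + [("A", "B"), ("A", "N"), ("R", "S"), ("C", "D")] * 3)
SAMPLE_SEQUENCE = "".join(req + resp for req, resp in NORMAL_PAIRS)


@dataclass
class Node:
    context: str                    # the suffix (subsequence) this node stands for
    next_prob: dict                 # probability vector: P(next symbol | context)
    children: dict = field(default_factory=dict)  # symbol -> Node for symbol+context


def _context_prob(seq, ctx):
    """Empirical probability that ctx occurs at a position of seq (S022/S023)."""
    positions = len(seq) - len(ctx) + 1
    return sum(1 for i in range(positions) if seq[i:i + len(ctx)] == ctx) / positions


def _next_dist(seq, ctx):
    """Distribution of the symbol following ctx: the node's probability vector."""
    follow = Counter(seq[i + len(ctx)] for i in range(len(seq) - len(ctx))
                     if seq[i:i + len(ctx)] == ctx)
    total = sum(follow.values())
    return {sym: n / total for sym, n in follow.items()}


def train_pst(seq, depth, pmin):
    """S021-S024: grow the tree level by level; a context becomes a node only
    while its probability exceeds pmin and its length does not exceed depth."""
    alphabet = sorted(set(seq))
    root = Node("", _next_dist(seq, ""))
    # S022: symbols whose probability exceeds pmin form the first candidate set
    candidates = [(root, sym) for sym in alphabet if _context_prob(seq, sym) > pmin]
    while candidates:                       # S024: stop when no candidates remain
        next_candidates = []
        for parent, ctx in candidates:
            node = Node(ctx, _next_dist(seq, ctx))
            parent.children[ctx[0]] = node  # a child extends the context leftwards
            if len(ctx) < depth:            # S024: stop at tree depth L
                # S023: longer contexts stay candidates only while P > pmin
                next_candidates += [(node, sym + ctx) for sym in alphabet
                                    if _context_prob(seq, sym + ctx) > pmin]
        candidates = next_candidates
    return root


def find_node(root, history, depth):
    """S03: locate the node of the session's request subsequence by walking the
    tree backwards from the newest symbol.  Assumption: the deepest matching
    suffix is used; None means even the current request code is unknown."""
    node = root
    for sym in reversed(history[-depth:]):
        child = node.children.get(sym)
        if child is None:
            break
        node = child
    return None if node is root else node


def best_response(node):
    """S03: response code with the highest probability on the node; the assumed
    preset tie-break standard is the lexicographically smallest code."""
    if not node.next_prob:              # context seen only at the very end
        return NO_RESPONSE
    top = max(node.next_prob.values())
    return min(sym for sym, p in node.next_prob.items() if p == top)


def trap_session(root, requests, depth):
    """S03 loop: answer each request, splice request and response code into the
    session history, and hand that history back as new training data (S04)."""
    history, transcript = "", []
    for req in requests:
        history += req
        node = find_node(root, history, depth)
        code = NO_RESPONSE if node is None else best_response(node)
        history += code
        transcript.append((req, code, RESPONSE_CONTENT.get(code, "no response")))
    return history, transcript


if __name__ == "__main__":
    model = train_pst(SAMPLE_SEQUENCE, DEPTH, PMIN)
    # Constructed attacker session: open, open again, read status, unknown command
    session, log = trap_session(model, ["A", "A", "R", "Z"], DEPTH)
    for req, code, content in log:
        print(f"request {req} -> response code {code} ({content})")
    model = train_pst(SAMPLE_SEQUENCE + session, DEPTH, PMIN)  # S04: retrain
```

Running the module prints the four request/response pairs of the constructed session; the second 'open' draws 'no response' because the depth-3 context 'ABA' overrides the memoryless majority response 'B' that the single-symbol node 'A' would give.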
Example 2
Corresponding to Embodiment 1, this embodiment provides an intelligent learning type self-response industrial internet honeypot induction system, which comprises:
Sample data processing module
The flow engine unit regularly collects the request sequences of attackers in the honeypot over a period of time (for example, 3 months) together with the service request sequences of the industrial environment under normal conditions over a period of time, and encodes the different request commands (for example, the character 'A' represents an 'open' command) so as to generate a code sequence corresponding to the requests. Based on the attackers' request sequences and the industrial environment's service request sequences, devices in the industrial internet are selected and probed one by one under supervision; the devices that respond to each request and their response content are recorded in an original response table, and the response behaviors in that table are encoded (for example, the character 'B' represents the response 'device opened'). The response codes are spliced into the request command sequence; if a request draws no response, the code corresponding to 'no response' is spliced in instead. The request response sequence generated in this way serves as the model training sample data set.
Response prediction model training module
The request response sequence is taken as the input of a probability suffix tree algorithm and trained to obtain a response prediction model; the specific training process of the response prediction model comprises the following steps:
S021. Preset the probability suffix tree depth L and the probability threshold Pmin;
S022. Initialize the root node from the request response sequence; the probability vector of the root node is the probability of each symbol appearing in the sequence, and the symbols whose probability is greater than Pmin form the candidate child node set;
S023. For each candidate child node, calculate the probability of that candidate appearing in the subsequence; the candidates whose probability is greater than Pmin form the new candidate child node set;
S024. Recurse over steps S021 to S023 until the tree depth on the current branch reaches the preset probability suffix tree depth L or the candidate child node set is empty;
Threat trapping module
Request data of the current attacker is obtained and the node where the request subsequence is located is searched on the probability suffix tree according to the current response prediction model. If the request subsequence is not found, 'no response' is returned directly; if it is found, the response code with the maximum probability value on that node is returned (when several codes share the maximum probability value, one of them is selected as the result according to a preset standard), the response content corresponding to that response code is looked up and returned to the attacker, and the request response sequence is recorded at the same time. When the next request data is received, it is spliced onto the historical request response sequence and the response content corresponding to the response code with the maximum probability value is again returned through the model. This continues until the attack is finished, after which the obtained original attack request response sequence is added to the sample data set of step S01;
Learning module
The learning module updates and iterates the response prediction model using the updated sample data set.
For example, consider a PLC in the industrial control environment. Under normal conditions the PLC performs the corresponding action after receiving a service command. The various commands the PLC receives and the actions it performs under normal conditions are collected, the service data is gathered through the traffic engine unit, and a response prediction model is obtained through the learning algorithm model, so that a PLC industrial control honeypot is realistically simulated. After an attacker accesses the simulated PLC honeypot, the response prediction model interacts with the attacker using the learned commands and actions, so that the attacker takes the honeypot under attack to be a real PLC device; threat trapping is thereby achieved while the attacker's behavior and methods are recorded. This has three benefits: first, the source of the attacker can be traced and a basis provided for later investigation and evidence collection; second, the attacker's techniques can be mastered, providing a powerful means of defending against that behavior later; and third, by luring the attacks onto the honeypot, the real services are indirectly protected from attack.
The above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features equivalently replaced, and that such modifications or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An intelligent learning type self-response industrial internet honeypot induction method is characterized in that:
s01, sample data processing
Regularly acquiring a service request command of an industrial environment under a normal condition within a set time period, and encoding different request commands so as to generate a request encoding sequence corresponding to a request sequence; acquiring equipment responding to the request sequence and response content, coding to form a response coding sequence, and splicing the response coding sequence into the request coding sequence to generate a request response sequence serving as a model training sample data set;
s02. response prediction model training
Taking the request response sequence in the step S01 as the input of a probability suffix tree algorithm for training to obtain a response prediction model;
s03, threat trapping
Obtaining request data of a current attacker, searching a node where a request subsequence of the request data is located on a probability suffix tree according to a current response prediction model, giving feedback to the request data, simultaneously recording a request response sequence, splicing historical request response sequences when next request data of the current attacker is received, repeatedly executing a step of searching a node where a request subsequence of the request data is located on the probability suffix tree according to the current response prediction model, and giving feedback to the request data until the attack is finished.
2. The intelligent learning type self-response industrial internet honeypot induction method as claimed in claim 1, wherein: the method further comprises the step S04 of adding the original attack request response sequence acquired in the step S03 into the sample data set in the step S01; steps S01-S03 are repeated.
3. The intelligent learning type self-response industrial internet honeypot induction method as claimed in claim 1 or 2, characterized in that: in step S02, the specific training process of the response prediction model is as follows:
s021, presetting probability suffix tree depth L and probability threshold Pmin
S022, initializing a root node according to the request response sequence, wherein the probability vector value of the root node is the probability of each symbol appearing in the sequence, and the probability is more than PminThe symbols of (a) are used as a candidate child node set;
s023, aiming at each candidate child node, calculating the probability of the candidate child node appearing in the subsequence, wherein the probability is more than PminAs a new set of candidate child nodes;
s024, recursion is carried out on the process from S021 to S023 until the tree depth on the current branch reaches a preset probability suffix tree depth L or the candidate child node set is empty.
4. The intelligent learning type self-response industrial internet honeypot induction method according to claim 1 or 2, characterized in that: in step S03, the node where the request subsequence is located on the probability suffix tree is searched according to the current response prediction model. If the request subsequence is not found, "no response" is returned directly. If it is found, the response code with the maximum probability value on that node is selected, the response content corresponding to that response code is looked up, and the response content is returned to the attacker while the request response sequence is recorded. When the next request data is received, it is spliced onto the historical request response sequence and the response content corresponding to the response code with the maximum probability value is again returned through the model.
5. The intelligent learning type self-response industrial internet honeypot induction method according to claim 4, characterized in that: when more than one response code has the maximum probability value, one of those codes is selected as the result according to a preset standard, and the response content corresponding to that code is returned.
6. An intelligent learning type self-response industrial internet honeypot induction system, characterized in that it comprises:
a sample data processing module, used for periodically acquiring the service request commands of an industrial environment under normal conditions within a set time period and coding the different request commands so as to generate a request coding sequence corresponding to the request sequence; acquiring the device response to the request sequence and the response content, coding them to form a response coding sequence, and splicing the response coding sequence into the request coding sequence to generate a request response sequence serving as the model training sample data set;
a response prediction model training module, used for training with the request response sequence as the input of a probability suffix tree algorithm to obtain a response prediction model;
and a threat trapping module, used for acquiring the request data of the current attacker, searching the node of the request subsequence on the probability suffix tree according to the current response prediction model, feeding back the request data while recording the request response sequence, splicing the historical request response sequence when the next request data is received, returning the response result through the current response prediction model until the attack is finished, and then adding the acquired original attack request response sequence to the sample data set to obtain an updated sample data set.
7. The intelligent learning type self-response industrial internet honeypot induction system as claimed in claim 6, wherein: the system also comprises a learning module which updates and iterates the response prediction model by using the updated sample data set.
8. The intelligent learning type self-response industrial internet honeypot induction system as claimed in claim 6 or 7, wherein: the specific training process of the response prediction model comprises the following steps:
S021, presetting the probability suffix tree depth L and the probability threshold Pmin;
S022, initializing a root node according to the request response sequence, wherein the probability vector of the root node holds the probability of each symbol appearing in the sequence, and the symbols whose probability is greater than Pmin are used as the candidate child node set;
S023, for each candidate child node, calculating the probability of the candidate child node appearing in the subsequence, and taking those whose probability is greater than Pmin as the new candidate child node set;
S024, recursively repeating the process of S021 to S023 until the tree depth on the current branch reaches the preset probability suffix tree depth L or the candidate child node set is empty.
9. The intelligent learning type self-response industrial internet honeypot induction system as claimed in claim 6 or 7, wherein: in the threat trapping module, the node where the request subsequence is located on the probability suffix tree is searched according to the current response prediction model. If the request subsequence is not found, "no response" is returned directly. If it is found, the response code with the maximum probability value on that node is selected, the response content corresponding to that response code is looked up, and the response content is returned to the attacker while the request response sequence is recorded. When the next request data is received, it is spliced onto the historical request response sequence and the response content corresponding to the response code with the maximum probability value is again returned through the model.
10. The intelligent learning type self-response industrial internet honeypot induction system of claim 9, wherein: when more than one response code has the maximum probability value, one of those codes is selected as the result according to a preset standard, and the response content corresponding to that code is returned.
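As an added illustration of the training steps in claims 3 and 8 and the trapping lookup in claims 4, 5, 9 and 10 (example code written for this page, not from the patent or its applicant): a minimal probability suffix tree is trained on a constructed benign request/response code sequence and then used to answer a request, returning "no response" when the request has no node. The depth L, the threshold Pmin, the "smallest code wins" tie-break standard and the R*/S* sample codes are assumptions.

```python
from collections import Counter

NO_RESPONSE = "no response"  # returned when no node matches the request (claim 4)

def _occurrences(seq, ctx):
    """Start positions at which the context tuple ctx occurs in seq."""
    k = len(ctx)
    return [i for i in range(len(seq) - k + 1) if tuple(seq[i:i + k]) == ctx]

def build_pst(seq, depth, p_min):
    """S021-S024: train a probability suffix tree. A node is keyed by its context
    (oldest symbol first) and stores the distribution of the next symbol; a child
    extends the context one symbol into the past while that longer context
    occurs in the sequence with probability > p_min."""
    n = len(seq)
    tree = {(): {s: c / n for s, c in Counter(seq).items()}}  # S022: root
    candidates = [(s,) for s, p in tree[()].items() if p > p_min]
    while candidates:  # S024: recurse until depth reached or no candidates
        nxt = []
        for ctx in candidates:
            hits, k = _occurrences(seq, ctx), len(ctx)
            succ = Counter(seq[i + k] for i in hits if i + k < n)
            if not succ:
                continue
            tree[ctx] = {s: c / sum(succ.values()) for s, c in succ.items()}
            if k >= depth:
                continue
            # S023: frequency of each one-symbol-longer context in the sequence
            prev = Counter(seq[i - 1] for i in hits if i > 0)
            nxt += [(s,) + ctx for s, c in prev.items() if c / (n - k) > p_min]
        candidates = nxt
    return tree

def predict_response(tree, history, depth):
    """S03 lookup: history is the spliced request/response sequence ending with the
    current request; follow the longest known suffix and return its most probable
    next code, or NO_RESPONSE when the request itself has no node."""
    ctx = ()
    for s in reversed(history[-depth:]):
        if (s,) + ctx not in tree:
            break
        ctx = (s,) + ctx
    if not ctx:
        return NO_RESPONSE
    best = max(tree[ctx].values())
    # Claim 5 tie-break; the "preset standard" assumed here: smallest code wins.
    return min(c for c, p in tree[ctx].items() if p == best)

# Constructed sample: three benign sessions, request codes R*, response codes S*.
SAMPLE = ["R1", "S1", "R2", "S2", "R1", "S1", "R2", "S2", "R1", "S1", "R3", "S1"]
```

With L = 2 and Pmin = 0.1 the rare request R3 never becomes a node, so an attacker sending it is answered with "no response", while R2 after S1 is answered with S2.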
Application CN202010109410.5A, priority date 2020-02-22, filing date 2020-02-22, "Intelligent learning type self-response industrial internet honeypot induction method and system", status Active, granted as CN111343174B.
Publications (2): CN111343174A, published 2020-06-26; CN111343174B, published 2022-04-26.

Legal Events: PB01 Publication; SE01 Entry into force of request for substantive examination; GR01 Patent grant.