CN111343174A - Intelligent learning type self-response industrial internet honeypot induction method and system - Google Patents
- Publication number
- CN111343174A (CN202010109410.5A)
- Authority
- CN
- China
- Prior art keywords
- response
- request
- probability
- sequence
- prediction model
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/23—Updating
- G06F16/2308—Concurrency control
- G06F16/2315—Optimistic concurrency control
- G06F16/2322—Optimistic concurrency control using timestamps
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
- G06F16/2458—Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
- G06F16/2465—Query processing support for facilitating data mining operations in structured databases
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
Abstract
The invention provides an intelligent learning type self-response industrial internet honeypot induction method and system, comprising: sample data processing, in which the service request commands of an industrial environment under normal conditions within a set time period, the devices responding to those commands and the response content are periodically acquired and processed into a request response sequence that serves as the model training sample data set; response prediction model training; and threat trapping, in which the request data of the current attacker is acquired, the node where the request subsequence is located is searched for on the probability suffix tree according to the current response prediction model, feedback is given to the request data and the data is recorded until the attack ends, after which the acquired original attack request response sequence is added to the sample data set; the above process is then repeated. By deeply learning the data interaction of various industrial control systems, the method realistically simulates various industrial control systems and services, can deceive attackers without being exposed, and provides a strong guarantee for the security of the industrial internet.
Description
Technical Field
The invention relates to the technical field of industrial internet security services, in particular to an intelligent learning type self-response industrial internet honeypot induction method and system.
Background
Honeypot technology is essentially a technique for deceiving attackers: hosts, network services or information are set up as decoys to induce attackers to attack them, so that the attack behavior can be captured and analyzed, the tools and methods used by the attackers can be learned, and their intentions and motivations can be inferred. Defenders thereby gain a clear view of the security threats they face and can strengthen the protection of the actual system through technical and management means.
Honeypots are generally divided into low-interaction and high-interaction honeypots according to the degree of interaction the deceptive environment provides: low-interaction honeypots generally simulate part of the features of software, while high-interaction honeypots offer the interaction of a real system. At present, deception defense technology is mostly applied to 0-day vulnerabilities, threat trapping and intranet security defense. However, most deception defense techniques employ low-interaction emulation modules with fixed reply logic and a limited level of interaction. This limited interaction is insufficient to pass an attacker's inspection, fails to capture real attacks, and is easily discovered by an attacker, who can then counter the deception. Although the malware on devices in the industrial internet is relatively simple, the effectiveness of industrial internet deception defense is compromised if responses are not handled correctly.
Application number 201711290075.8 discloses an industrial-internet-oriented industrial control protocol honeypot with a self-learning function and its application. That honeypot can not only discover threats in an industrial control network promptly, but also simulate industrial control equipment ever more deeply and realistically through self-learning, improving its deceptiveness and its ability to collect and give early warning of industrial control threats. However, that technology does not explicitly disclose the self-learning method; its self-learning process addresses only the current access request, without associating previous access requests with their response results; and it targets only basic attributes of the attacker, such as the attacker's IP and the geographic location corresponding to the IP, so it cannot capture the attacker's complete behavior for use as a decoy in later trapping.
Disclosure of Invention
The technical problem to be solved by the invention is that the prior art lacks a threat trapping method in which the real attack behavior is carried out. To this end the invention provides an intelligent learning type self-response industrial internet honeypot induction method, and correspondingly provides an intelligent learning type self-response industrial internet honeypot induction system.
The invention solves the technical problems through the following technical means:
An intelligent learning type self-response industrial internet honeypot induction method, comprising:
S01. Sample data processing
Periodically acquiring the service request commands of an industrial environment under normal conditions within a set time period, and encoding the different request commands to generate a request encoding sequence corresponding to the request sequence; acquiring the devices that respond to the request sequence and the response content, encoding them to form a response encoding sequence, and splicing the response encoding sequence into the request encoding sequence to generate a request response sequence that serves as the model training sample data set;
S02. Response prediction model training
Training with the request response sequence from step S01 as the input of a probability suffix tree algorithm to obtain a response prediction model;
S03. Threat trapping
Acquiring the request data of the current attacker, searching the probability suffix tree for the node where the request subsequence of the request data is located according to the current response prediction model, giving feedback to the request data and recording the request response sequence; when the next request data of the current attacker is received, splicing it with the historical request response sequence and repeating the step of searching the probability suffix tree for the node where the request subsequence is located according to the current response prediction model and giving feedback to the request data, until the attack ends.
Training the probability suffix tree with service data from the real industrial environment yields a honeypot that simulates a real industrial control system, which achieves the purpose of trapping attackers. In addition, newly acquired attack data updates the sample data set in time, so that the response prediction model is updated in real time and the honeypot simulation effect improves.
Preferably, the method further includes step S04: adding the original attack request response sequence acquired in step S03 to the sample data set of step S01, and repeating steps S01-S03.
Preferably, in step S02, the specific training process of the response prediction model is as follows:
S021. Presetting the probability suffix tree depth L and the probability threshold Pmin;
S022. Initializing the root node from the request response sequence, where the probability vector of the root node holds the probability of each symbol appearing in the sequence, and the symbols whose probability is greater than Pmin form the candidate child node set;
S023. For each candidate child node, calculating the probability of the candidate child node appearing in the subsequence, and taking those whose probability is greater than Pmin as the new candidate child node set;
S024. Recursing over steps S021 to S023 until the tree depth on the current branch reaches the preset probability suffix tree depth L or the candidate child node set is empty.
Preferably, in step S03, the node where the request subsequence is located is searched for on the probability suffix tree according to the current response prediction model. If the request subsequence is not found, "no response" is returned directly. If it is found, the response code with the maximum probability value on that node is returned, the response content corresponding to that response code is looked up and returned to the attacker, and the request response sequence is recorded; when the next request data is received, it is spliced with the historical request response sequence, and the response content corresponding to the response code with the maximum probability value is returned through the model.
Preferably, when several codes share the maximum probability value, one of them is selected as the result according to a preset standard, and the response content corresponding to that code is returned.
Correspondingly, the invention also provides an intelligent learning type self-response industrial internet honeypot induction system, which comprises:
The sample data processing module, which periodically acquires the service request commands of an industrial environment under normal conditions within a set time period and encodes the different request commands to generate a request encoding sequence corresponding to the request sequence; acquires the devices that respond to the request sequence and the response content, encodes them to form a response encoding sequence, and splices the response encoding sequence into the request encoding sequence to generate a request response sequence that serves as the model training sample data set;
The response prediction model training module, which trains with the request response sequence as the input of a probability suffix tree algorithm to obtain a response prediction model;
The threat trapping module, which acquires the request data of the current attacker, searches the probability suffix tree for the node where the request subsequence is located according to the current response prediction model, gives feedback to the request data and records the request response sequence; when the next request data is received, splices it with the historical request response sequence and returns the response result through the current response prediction model until the attack ends; and then adds the acquired original attack request response sequence to the sample data set to obtain the updated sample data set.
Preferably, the system further comprises a learning module, which performs update iteration on the response prediction model using the updated sample data set.
Preferably, the specific training process of the response prediction model is as follows:
S021. Presetting the probability suffix tree depth L and the probability threshold Pmin;
S022. Initializing the root node from the request response sequence, where the probability vector of the root node holds the probability of each symbol appearing in the sequence, and the symbols whose probability is greater than Pmin form the candidate child node set;
S023. For each candidate child node, calculating the probability of the candidate child node appearing in the subsequence, and taking those whose probability is greater than Pmin as the new candidate child node set;
S024. Recursing over steps S021 to S023 until the tree depth on the current branch reaches the preset probability suffix tree depth L or the candidate child node set is empty.
Preferably, in the threat trapping module, the node where the request subsequence is located is searched for on the probability suffix tree according to the current response prediction model. If the request subsequence is not found, "no response" is returned directly. If it is found, the response code with the maximum probability value on that node is returned, the response content corresponding to that response code is looked up and returned to the attacker, and the request response sequence is recorded; when the next request data is received, it is spliced with the historical request response sequence, and the response content corresponding to the response code with the maximum probability value is returned through the model.
Preferably, when several codes share the maximum probability value, one of them is selected as the result according to a preset standard, and the response content corresponding to that code is returned.
The advantages of the invention are as follows: the probability suffix tree is trained with service data from the real industrial environment to obtain a honeypot that simulates a real industrial control system, so that an attacker can be deceived into carrying out the complete attack behavior without the honeypot being exposed; at the same time, the attacker's intrusion behavior and attack types can be recorded, and the newly acquired attack data updates the sample data set in time, so that the response prediction model is updated in real time and the honeypot simulation effect improves.
Drawings
Fig. 1 is a schematic structural diagram of a probabilistic suffix tree in an intelligent learning type self-response industrial internet honeypot induction method according to embodiment 1 of the present invention;
Fig. 2 is a block diagram of a honeypot induction method for an intelligent learning type self-response industrial internet according to embodiment 2 of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
As shown in Fig. 1, an intelligent learning type self-response industrial internet honeypot induction method comprises:
S01. Sample data processing
The flow engine unit periodically collects the request sequences of attackers in the honeypot over a period of time (for example, 3 months) and the service request sequences of the industrial environment under normal conditions over a period of time; the coding unit then encodes the different request commands, for example with the character 'A' representing the "open" command, to generate the coding sequence corresponding to the requests. Using the attackers' request sequences and the service request sequences of the industrial environment, devices in the industrial internet are selected and probed one by one under supervision, while the devices that respond to the requests and the response content are recorded in an original response table. The response behaviors in the original response table are encoded, for example with the character 'B' representing the response of opening the device, and the response codes are spliced into the request command sequence; if a request receives no response, the code corresponding to "no response" is spliced into the request command sequence. This generates the request response sequence that serves as the model training sample data set;
To update the sample data set regularly, the flow engine unit periodically synchronizes with the industrial internet central database to acquire new original requests, and searches the internet of things knowledge table to acquire the latest knowledge of the internet of things devices.
S02. Response prediction model training
Training with the request response sequence from step S01 as the input of a probability suffix tree algorithm to obtain a response prediction model. As shown in Fig. 2, the specific training process of the response prediction model is as follows:
S021. Presetting the probability suffix tree depth L and the probability threshold Pmin;
S022. Initializing the root node from the request response sequence, where the probability vector of the root node holds the probability of each symbol appearing in the sequence, and the symbols whose probability is greater than Pmin form the candidate child node set;
S023. For each candidate child node, calculating the probability of the candidate child node appearing in the subsequence, and taking those whose probability is greater than Pmin as the new candidate child node set;
S024. Recursing over steps S021 to S023 until the tree depth on the current branch reaches the preset probability suffix tree depth L or the candidate child node set is empty;
S03. Threat trapping
Acquiring the request data of the current attacker and searching the probability suffix tree for the node where the request subsequence is located according to the current response prediction model. If the request subsequence is not found, "no response" is returned directly. If it is found, the response code with the maximum probability value on that node is returned; when several codes share the maximum probability value, one of them is selected as the result according to a preset standard. The response content corresponding to the response code is looked up and returned to the attacker, and the request response sequence is recorded; when the next request data is received, it is spliced with the historical request response sequence, and the response content corresponding to the response code with the maximum probability value is returned through the model. This continues until the attack ends, after which the acquired original attack request response sequence is added to the sample data set of step S01;
S04. Repeating steps S01-S03 to complete the update iteration of the response prediction model.
For example, suppose there is a PLC in the industrial control environment. Under normal conditions the PLC performs the corresponding action after receiving a service command. The various commands received and actions performed by the PLC under normal conditions are collected as service data through the traffic engine unit, and a response prediction model is obtained through the learning algorithm model, so that a PLC industrial control honeypot is realistically simulated. After an attacker accesses the simulated PLC industrial control honeypot, the response prediction model interacts with the attacker using the learned commands and actions, so that the attacker believes the industrial control honeypot being attacked is a real PLC device. This achieves the purpose of threat trapping while recording the attacker's intrusion behavior and methods. First, the source of the attacker can be traced, providing evidence for future investigation and forensics; second, the attacker's intrusion techniques can be learned, providing a strong means of protecting against such intrusion later; third, by deceiving the attacker into attacking the honeypot, the real service is indirectly protected from attack.
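The training steps S021-S024 and the lookup in step S03 can be sketched as follows. This is an added example, not code from the patent: it uses a simplified probability suffix tree, the sample sequences and all codes other than 'A' and 'B' are constructed, and taking the alphabetically first code on a tie is an assumed "preset standard".

```python
from collections import Counter, defaultdict

NO_RESPONSE = "N"  # assumed code for "no response"

# Constructed response table (the patent only names 'A' = open, 'B' = opened).
RESPONSE_TABLE = {"B": "device opened", "D": "status: running",
                  "F": "device closed", "G": "error: device not running",
                  NO_RESPONSE: None}

# Constructed samples: requests A (open), C (read status), E (close), each
# followed by the response code recorded from the real device.
SAMPLES = ["ABCDEF", "ABCDCDEF", "ABEFCG", "ABCDEFCG"]


def train_pst(sequences, depth_l, p_min):
    """S021-S024: return {context tuple: Counter of the symbols following it}."""
    windows = defaultdict(Counter)  # context length -> context -> occurrences
    follow = defaultdict(Counter)   # context -> symbols seen right after it
    for seq in sequences:
        for k in range(depth_l + 1):
            for i in range(len(seq) - k + 1):
                ctx = tuple(seq[i:i + k])
                windows[k][ctx] += 1
                if i + k < len(seq):
                    follow[ctx][seq[i + k]] += 1
    tree = {(): follow[()]}         # root node: frequency of every symbol
    for k in range(1, depth_l + 1):
        total = sum(windows[k].values())
        # Keep a context only if its parent (one symbol shorter) was kept,
        # its relative frequency exceeds Pmin, and something follows it.
        kept = [c for c, n in windows[k].items()
                if c[1:] in tree and n / total > p_min and follow[c]]
        if not kept:                # candidate child node set is empty
            break
        for ctx in kept:
            tree[ctx] = follow[ctx]
    return tree


def predict(tree, history, request, tie_break=min):
    """S03: answer from the longest known suffix of history + request."""
    seq = tuple(history) + (request,)
    deepest = max(len(ctx) for ctx in tree)
    for k in range(min(deepest, len(seq)), 0, -1):
        node = tree.get(seq[-k:])
        if node:
            best = max(node.values())
            # Several codes may share the maximum; tie_break is the assumed
            # "preset standard" (alphabetically first code by default).
            return tie_break(s for s, n in node.items() if n == best)
    return NO_RESPONSE              # request subsequence not found in the tree


class TrapSession:
    """One attacker session: answers requests and records the sequence."""

    def __init__(self, tree):
        self.tree = tree
        self.history = []

    def handle(self, request):
        code = predict(self.tree, self.history, request)
        self.history += [request, code]   # splice into the running sequence
        return code, RESPONSE_TABLE[code]


def demo():
    tree = train_pst(SAMPLES, depth_l=3, p_min=0.06)
    session = TrapSession(tree)
    replies = [session.handle(req)[0] for req in "ACECZ"]
    recorded = "".join(session.history)
    # S04: feed the recorded session back into the sample set and retrain.
    updated = train_pst(SAMPLES + [recorded], depth_l=3, p_min=0.06)
    return replies, recorded, tree, updated


if __name__ == "__main__":
    replies, recorded, _, _ = demo()
    print(replies, recorded)
```

The same read request C is answered differently depending on the recorded history (D after an open, G after a close), which a fixed-reply low-interaction honeypot cannot do. In this run the unseen request Z is answered with "no response", and after the session is fed back Z still falls below Pmin, so a single session does not create a node for it.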
Example 2
Corresponding to embodiment 1, this embodiment provides an intelligent learning type self-response industrial internet honeypot induction system, which includes:
Sample data processing module
The flow engine unit periodically collects the request sequences of attackers in the honeypot over a period of time (for example, 3 months) and the service request sequences of the industrial environment under normal conditions over a period of time, and encodes the different request commands, for example with the character 'A' representing the "open" command, to generate the coding sequence corresponding to the requests. Using the attackers' request sequences and the service request sequences of the industrial environment, devices in the industrial internet are selected and probed one by one under supervision, while the devices that respond to the requests and the response content are recorded in an original response table. The response behaviors in the original response table are encoded, for example with the character 'B' representing the response of opening the device, and the response codes are spliced into the request command sequence; if a request receives no response, the code corresponding to "no response" is spliced into the request command sequence. This generates the request response sequence that serves as the model training sample data set;
Response prediction model training module
Training with the request response sequence as the input of a probability suffix tree algorithm to obtain a response prediction model; the specific training process of the response prediction model comprises the following steps:
S021. Presetting the probability suffix tree depth L and the probability threshold Pmin;
S022. Initializing the root node from the request response sequence, where the probability vector of the root node holds the probability of each symbol appearing in the sequence, and the symbols whose probability is greater than Pmin form the candidate child node set;
S023. For each candidate child node, calculating the probability of the candidate child node appearing in the subsequence, and taking those whose probability is greater than Pmin as the new candidate child node set;
S024. Recursing over steps S021 to S023 until the tree depth on the current branch reaches the preset probability suffix tree depth L or the candidate child node set is empty;
Threat trapping module
Acquiring the request data of the current attacker and searching the probability suffix tree for the node where the request subsequence is located according to the current response prediction model. If the request subsequence is not found, "no response" is returned directly. If it is found, the response code with the maximum probability value on that node is returned; when several codes share the maximum probability value, one of them is selected as the result according to a preset standard. The response content corresponding to the response code is looked up and returned to the attacker, and the request response sequence is recorded; when the next request data is received, it is spliced with the historical request response sequence, and the response content corresponding to the response code with the maximum probability value is returned through the model. This continues until the attack ends, after which the acquired original attack request response sequence is added to the sample data set of step S01;
Learning module, which updates and iterates the response prediction model using the updated sample data set.
For example, suppose there is a PLC in the industrial control environment. Under normal conditions the PLC performs the corresponding action after receiving a service command. The various commands received and actions performed by the PLC under normal conditions are collected as service data through the traffic engine unit, and a response prediction model is obtained through the learning algorithm model, so that a PLC industrial control honeypot is realistically simulated. After an attacker accesses the simulated PLC industrial control honeypot, the response prediction model interacts with the attacker using the learned commands and actions, so that the attacker believes the industrial control honeypot being attacked is a real PLC device. This achieves the purpose of threat trapping while recording the attacker's intrusion behavior and methods. First, the source of the attacker can be traced, providing evidence for future investigation and forensics; second, the attacker's intrusion techniques can be learned, providing a strong means of protecting against such intrusion later; third, by deceiving the attacker into attacking the honeypot, the real service is indirectly protected from attack.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. An intelligent learning type self-response industrial internet honeypot induction method, characterized by comprising:
S01. Sample data processing
Periodically acquiring the service request commands of an industrial environment under normal conditions within a set time period, and encoding the different request commands to generate a request encoding sequence corresponding to the request sequence; acquiring the devices that respond to the request sequence and the response content, encoding them to form a response encoding sequence, and splicing the response encoding sequence into the request encoding sequence to generate a request response sequence that serves as the model training sample data set;
S02. Response prediction model training
Training with the request response sequence from step S01 as the input of a probability suffix tree algorithm to obtain a response prediction model;
S03. Threat trapping
Acquiring the request data of the current attacker, searching the probability suffix tree for the node where the request subsequence of the request data is located according to the current response prediction model, giving feedback to the request data and recording the request response sequence; when the next request data of the current attacker is received, splicing it with the historical request response sequence and repeating the step of searching the probability suffix tree for the node where the request subsequence is located according to the current response prediction model and giving feedback to the request data, until the attack ends.
2. The intelligent learning type self-response industrial internet honeypot induction method as claimed in claim 1, wherein: the method further comprises step S04 of adding the original attack request response sequence acquired in step S03 to the sample data set of step S01, and repeating steps S01-S03.
3. The intelligent learning type self-response industrial internet honeypot induction method as claimed in claim 1 or 2, characterized in that: in step S02, the specific training process of the response prediction model is as follows:
S021. Presetting the probability suffix tree depth L and the probability threshold Pmin;
S022. Initializing the root node from the request response sequence, where the probability vector of the root node holds the probability of each symbol appearing in the sequence, and the symbols whose probability is greater than Pmin form the candidate child node set;
S023. For each candidate child node, calculating the probability of the candidate child node appearing in the subsequence, and taking those whose probability is greater than Pmin as the new candidate child node set;
S024. Recursing over steps S021 to S023 until the tree depth on the current branch reaches the preset probability suffix tree depth L or the candidate child node set is empty.
4. The intelligent learning type self-response industrial internet honeypot induction method according to claim 1 or 2, characterized in that: in step S03, the node where the request subsequence is located is searched for on the probability suffix tree according to the current response prediction model; if the request subsequence is not found, "no response" is returned directly; if it is found, the response code with the maximum probability value on that node is returned, the response content corresponding to that response code is looked up and returned to the attacker, and the request response sequence is recorded; when the next request data is received, it is spliced with the historical request response sequence, and the response content corresponding to the response code with the maximum probability value is returned through the model.
5. The intelligent learning type self-response industrial internet honeypot induction method according to claim 4, characterized in that: when several codes share the maximum probability value, one of them is selected as the result according to a preset standard, and the response content corresponding to that code is returned.
6. An intelligent learning type self-response industrial internet honeypot induction system, characterized in that it comprises:
a sample data processing module, used for periodically acquiring the service request commands of an industrial environment under normal conditions within a set time period and coding the different request commands so as to generate a request coding sequence corresponding to a request sequence; acquiring the equipment responding to the request sequence and the response content, coding them to form a response coding sequence, and splicing the response coding sequence into the request coding sequence to generate a request response sequence serving as a model training sample data set;
a response prediction model training module, used for training with the request response sequence as the input of a probability suffix tree algorithm to obtain a response prediction model;
and a threat trapping module, used for acquiring the request data of the current attacker, searching for the node of the request subsequence on the probability suffix tree according to the current response prediction model, feeding back a response to the request data while recording the request response sequence, splicing the historical request response sequence when the next request data is received, returning the response result through the current response prediction model until the attack is finished, and then adding the acquired original attack request response sequence to the sample data set to obtain the updated sample data set.
7. The intelligent learning type self-response industrial internet honeypot induction system as claimed in claim 6, wherein: the system also comprises a learning module which updates and iterates the response prediction model by using the updated sample data set.
8. The intelligent learning type self-response industrial internet honeypot induction system as claimed in claim 6 or 7, wherein: the specific training process of the response prediction model comprises the following steps:
S021, presetting a probability suffix tree depth L and a probability threshold Pmin;
S022, initializing a root node according to the request response sequence, wherein the probability vector of the root node holds the probability of each symbol appearing in the sequence, and the symbols whose probability is greater than Pmin are used as a candidate child node set;
S023, for each candidate child node, calculating the probability of the candidate child node appearing in the subsequence, wherein the nodes whose probability is greater than Pmin are used as a new set of candidate child nodes;
S024, repeating the process from S021 to S023 recursively until the tree depth on the current branch reaches the preset probability suffix tree depth L or the candidate child node set is empty.
9. The intelligent learning type self-response industrial internet honeypot induction system as claimed in claim 6 or 7, wherein: in the threat trapping module, the node where the request subsequence is located on the probability suffix tree is searched for according to the current response prediction model; if the request subsequence is not found, "no response" is returned directly; if the request subsequence is found, the response code with the maximum probability value on the node is returned, the response content corresponding to the response code is looked up, and the response content is returned to the attacker while the request response sequence is recorded; when the next request data is received, the historical request response sequence is spliced, and the response content corresponding to the response code with the maximum probability value is returned through the model.
10. The intelligent learning type self-response industrial internet honeypot induction system of claim 9, wherein: when several response codes share the maximum probability value, one of the codes is selected as the result according to a preset standard, and the response content corresponding to that code is returned.
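The training, lookup and tie-break steps of claims 3 to 5 (mirrored in claims 8 to 10), as an added Python example that is not code from the patent. The symbol names, the constructed sample sequences, `tie_break=min` standing in for the "preset standard", and the reading of a node's probability as its relative frequency among windows of the same length are all assumptions.

```python
from collections import Counter, defaultdict

NO_RESPONSE = "no response"

def train_pst(sequences, depth_l, p_min):
    """Map each kept context (suffix node) to a Counter of the symbols that follow it."""
    ctx_count, totals = Counter(), Counter()
    next_count = defaultdict(Counter)
    for seq in sequences:
        for k in range(1, depth_l + 1):
            for i in range(len(seq) - k + 1):
                ctx = tuple(seq[i:i + k])
                ctx_count[ctx] += 1
                totals[k] += 1
                if i + k < len(seq):
                    next_count[ctx][seq[i + k]] += 1
    tree = {}
    for ctx in sorted(ctx_count, key=len):            # shorter suffixes (parents) first
        parent_kept = len(ctx) == 1 or ctx[1:] in tree
        frequent = ctx_count[ctx] / totals[len(ctx)] > p_min   # assumed meaning of Pmin
        if parent_kept and frequent and next_count[ctx]:
            tree[ctx] = next_count[ctx]
    return tree

def predict(tree, history, depth_l, tie_break=min):
    """Longest-suffix lookup: (response code, probability) or (NO_RESPONSE, 0.0)."""
    for k in range(min(depth_l, len(history)), 0, -1):
        node = tree.get(tuple(history[-k:]))
        if node:
            best = max(node.values())
            winners = [sym for sym, n in node.items() if n == best]
            return tie_break(winners), best / sum(node.values())
    return NO_RESPONSE, 0.0

def run_session(tree, requests, depth_l):
    """Answer each request, splicing every request and reply onto the history."""
    history, replies = [], []
    for req in requests:
        history.append(req)
        code, _ = predict(tree, history, depth_l)
        replies.append(code)
        if code != NO_RESPONSE:
            history.append(code)
    return history, replies

# Constructed sample data: request codes start with Q_, response codes with R_.
GRANTED = ["Q_login", "R_ok", "Q_write", "R_ack"]
REFUSED = ["Q_read", "R_data", "Q_write", "R_denied"]
SAMPLES = [GRANTED, GRANTED, REFUSED, REFUSED, ["Q_diag", "R_diag"]]
TREE = train_pst(SAMPLES, depth_l=3, p_min=0.1)
```

With these samples `Q_diag` occurs too rarely to pass Pmin, so a legitimate but infrequent request gets "no response", a difference from the real device that matters when choosing the threshold. The history returned by `run_session` is the sequence the threat trapping module would add to the sample data set for retraining.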
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010109410.5A CN111343174B (en) | 2020-02-22 | 2020-02-22 | Intelligent learning type self-response industrial internet honeypot induction method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111343174A (en) | 2020-06-26 |
CN111343174B (en) | 2022-04-26 |
Family
ID=71188124
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010109410.5A Active CN111343174B (en) | 2020-02-22 | 2020-02-22 | Intelligent learning type self-response industrial internet honeypot induction method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111343174B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103338467A (en) * | 2013-07-10 | 2013-10-02 | 南京邮电大学 | User behavior learning method based on PST in wireless network |
CN107770199A (en) * | 2017-12-08 | 2018-03-06 | 东北大学 | It is a kind of towards industry internet with the industry control agreement honey jar of self-learning function and application |
CN110602032A (en) * | 2019-06-19 | 2019-12-20 | 上海云盾信息技术有限公司 | Attack identification method and device |
Non-Patent Citations (1)
Title |
---|
吕雪峰: "面向工业控制过程的异常检测技术研究", 《中国优秀博硕士学位论文全文数据库(硕士)信息科技辑》 * |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111931874A (en) * | 2020-10-09 | 2020-11-13 | 北京元支点信息安全技术有限公司 | Adjoint bait generation method and device based on deep learning and data clustering |
CN115134098A (en) * | 2021-03-12 | 2022-09-30 | 北京沃东天骏信息技术有限公司 | Hacker information acquisition method and device, electronic equipment and storage medium |
CN115134098B (en) * | 2021-03-12 | 2024-03-01 | 北京沃东天骏信息技术有限公司 | Hacker information acquisition method and device, electronic equipment and storage medium |
CN113765883A (en) * | 2021-07-28 | 2021-12-07 | 辽宁谛听信息科技有限公司 | Industrial control network honeypot identification method based on successive probability discrimination algorithm |
CN113765883B (en) * | 2021-07-28 | 2023-05-12 | 辽宁谛听信息科技有限公司 | Industrial control network honeypot identification method based on successive probability discrimination algorithm |
CN113965409A (en) * | 2021-11-15 | 2022-01-21 | 北京天融信网络安全技术有限公司 | Network trapping method and device, electronic equipment and storage medium |
CN116915518A (en) * | 2023-09-14 | 2023-10-20 | 国网浙江省电力有限公司电力科学研究院 | Intelligent learning type self-response networking honeypot induction method and system |
CN116915518B (en) * | 2023-09-14 | 2023-12-01 | 国网浙江省电力有限公司电力科学研究院 | Intelligent learning type self-response networking honeypot induction method and system |
CN117081855A (en) * | 2023-10-13 | 2023-11-17 | 深圳市前海新型互联网交换中心有限公司 | Honeypot optimization method, honeypot protection method and honeypot optimization system |
CN117081855B (en) * | 2023-10-13 | 2024-02-02 | 深圳市前海新型互联网交换中心有限公司 | Honeypot optimization method, honeypot protection method and honeypot optimization system |
Also Published As
Publication number | Publication date |
---|---|
CN111343174B (en) | 2022-04-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111343174B (en) | Intelligent learning type self-response industrial internet honeypot induction method and system | |
CN109902709B (en) | Method for generating malicious sample of industrial control system based on counterstudy | |
Hussain et al. | A two-fold machine learning approach to prevent and detect IoT botnet attacks | |
CN111818103B (en) | Traffic-based tracing attack path method in network target range | |
CN108985061B (en) | Webshell detection method based on model fusion | |
CN112351031B (en) | Method and device for generating attack behavior portraits, electronic equipment and storage medium | |
CN110958263B (en) | Network attack detection method, device, equipment and storage medium | |
CN114285599B (en) | Industrial control honey pot construction method based on controller deep memory simulation and industrial control honey pot | |
CN110855649A (en) | Method and device for detecting abnormal process in server | |
CN114422224A (en) | Attack tracing-oriented threat information intelligent analysis method and system | |
CN109685200A (en) | Industrial protocol construction method and building system are calculated based on the mist for generating confrontation network | |
CN114422271B (en) | Data processing method, device, equipment and readable storage medium | |
KR20190028880A (en) | Method and appratus for generating machine learning data for botnet detection system | |
CN110086788A (en) | Deep learning WebShell means of defence based on cloud WAF | |
CN113722717A (en) | Security vulnerability testing method, device, equipment and readable storage medium | |
Shan et al. | NeuPot: A neural network-based honeypot for detecting cyber threats in industrial control systems | |
Khan et al. | Lightweight testbed for cybersecurity experiments in scada-based systems | |
CN115622793A (en) | Attack type identification method and device, electronic equipment and storage medium | |
Whalen et al. | Hidden markov models for automated protocol learning | |
CN112764791B (en) | Incremental update malicious software detection method and system | |
CN115496180A (en) | Training method, generating method and device of network traffic characteristic sequence generating model | |
CN115063652A (en) | Black box attack method based on meta-learning, terminal equipment and storage medium | |
CN114282218A (en) | Attack detection method and device, electronic equipment and storage medium | |
CN117610026B (en) | Honey point vulnerability generation method based on large language model | |
Anastasiadis et al. | A Novel High-Interaction Honeypot Network for Internet of Vehicles |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||