CN111400703B - Honeypot system with signature function in industrial control field - Google Patents


Info

Publication number
CN111400703B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010094294.4A
Other languages
Chinese (zh)
Other versions
CN111400703A (en)
Inventor
陈夏裕
袁键
徐乐晨
施靖萱
章明飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu Hengtong Industrial Control Safety Research Institute Co Ltd
Original Assignee
Jiangsu Hengtong Industrial Control Safety Research Institute Co Ltd

Classifications

    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F11/1446 Point-in-time backing up or restoration of persistent data
    • G06F21/564 Static detection by virus signature recognition
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]


Abstract

The invention relates to a honeypot system with a signature function in the field of industrial control, and belongs to the technical field of industrial control security. The system comprises an industrial control honeypot unit, a honeypot management unit and a signature generation unit, which are mutually independent. The industrial control honeypot unit is connected with the honeypot management unit, and the honeypot management unit is connected with the signature generation unit. The invention can collect various kinds of attack information targeting industrial control systems, so that the industrial control system can be upgraded in a targeted way, saving extra resource consumption. It can also better defend against advanced persistent threat attacks, which pose an extremely high threat to industrial control systems. A visual interface is provided, so that an operator can intuitively and clearly see the specific behaviors in the honeypot. In addition, the units in the invention are mutually independent, which further improves the security of the system.

Description

Honeypot system with signature function in industrial control field
Technical Field
The invention relates to a honeypot system with a signature function in the field of industrial control, and belongs to the technical field of industrial control security.
Background
Industrial control systems supervise and control the operation of large facilities of enterprises and even countries, and play a vital role in industries such as electric power, water conservancy and metallurgy. With the increasing integration of internet technology with industrial control systems, these systems have gradually shifted from isolated operation to networked operation. However, because their security mechanisms are incomplete, industrial control systems become very vulnerable to malicious attacks as they move onto networks, which has become an important factor restricting the development of Industry 4.0 in China.
Honeypots currently applied to industrial control systems can record information about attackers and defend against them, but they are relatively weak against advanced persistent threats and lack a graded early-warning mechanism for different kinds of attacks, so that limited network resources are greatly wasted. It is therefore important to upgrade existing honeypot technology.
Disclosure of Invention
The invention aims to provide a honeypot system with a signature function in the industrial control field. The system can identify various threats, classify attacks according to established rules, display various attack information in stages, and generate signatures for the attack information. Therefore, the recognition capability of the honeypot system to the advanced persistent threat can be greatly improved, and the protection capability of the honeypot system to various attacks can be improved.
The system comprises a honeypot unit, a honeypot management unit, a signature generation unit and an isolation and data exchange unit, which are mutually independent. The honeypot unit is connected with the isolation and data exchange unit, the honeypot management unit is connected with the isolation and data exchange unit, and the signature generation unit is connected with the honeypot management unit. The honeypot unit, the honeypot management unit, the isolation and data exchange unit and the signature generation unit each run an independent operating system.
The honeypot unit comprises an attack monitoring and recording module, an information sorting and backup module and a local storage module; the attack monitoring and recording module is connected with the information sorting and backup module and is responsible for responding promptly to an attacker's intrusion and generating the information related to the attacker; the information sorting and backup module is connected with the local storage module and is responsible for sorting and backing up the attacker's information and uploading it to the honeypot management unit while storing it in the local storage module; the local storage module is responsible for receiving the information sent by the information sorting and backup module and backing it up.
The attack monitoring and recording module comprises a port monitoring module, an attacker information capturing module and a log recording module; the port monitoring module is responsible for monitoring the ports used by common industrial control protocols (such as Modbus and S7) so as to detect an attacker scanning the honeypot; the attacker information capturing module is responsible for recording information about the attacker, including the ports scanned by the attacker, the attack mode used and the attacker's IP address; the log recording module is responsible for recording the attacker's information and backing it up locally, so that extra loss caused by information loss is avoided.
The information sorting and backup module comprises a honeypot external IP address acquisition module, a data classification module and a data encryption and pushing module. The honeypot external IP address acquisition module is responsible for acquiring the IP address that the honeypot uses to communicate with the server, so that information can be transmitted; the data classification module is responsible for classifying the acquired information according to rules, so that the acquired information is readable; the data encryption and pushing module is responsible for encrypting the classified information and pushing it to the isolation and data exchange unit, and the control module of that unit is responsible for transmitting the information to the data buffer of the honeypot management unit.
The isolation and data exchange unit comprises a data exchange area and a control module. The control module controls data exchange between the honeypot unit and the honeypot management unit. After receiving the information from the information sorting and backup module, the control module disconnects the honeypot unit and at the same time establishes a connection with the honeypot management unit. The data exchange area then transfers the data to the data buffer in the honeypot management unit. The data processing unit in the honeypot management unit can unpack the data and restore it to the original data.
The honeypot management unit comprises a data buffer area, a data processing unit and a cloud data storage unit. The data buffer area is connected with the data processing unit and is responsible for receiving various data transmitted by the honeypot unit; the data processing unit is connected with the data buffer area and is responsible for classifying the received data; the cloud data storage unit is connected with the data processing unit and is responsible for uploading processed data to the cloud for backup.
The data buffer is responsible for temporarily storing the data transmitted by the honeypot unit, decrypting it, and then sending it to the data processing unit. Meanwhile, the data buffer area can ensure that low-speed data processing is consistent with high-speed data transmission, and the loss of data which is not processed in time is avoided.
The data processing unit is responsible for integrating the received data and graphically processing the data so as to more intuitively observe the behavior of an attacker.
The signature generation unit is connected with the honeypot unit and the honeypot management unit and comprises a protocol identification module, an alert level conversion module, a signature generation module, a signature comparison module and a storage module. Different signatures are generated according to the protocol used by an attacker and changes in the attack stage, and the generated signatures can then be compared with the original signatures, so that the type and stage of the attack can be rapidly determined and the attack can be rapidly identified and responded to.
The protocol identification module is responsible for identifying the protocol used by an attacker; it can identify changes in a specific protocol and thereby accurately judge the stage of the attack. Protocols that the module can recognize include Modbus, S7, SNMP, HTTP, telnet, SMB, SMTP, HTTPS, SSH, FTP, TCP.
The alert level conversion module is responsible for identifying the stage of an attack and adjusting the alert level according to the different stages of the attack. The module uses a five-tuple to perform the alert level conversion, $M = (S, s_0, P, I, O)$, where $S$ represents the set of all states that the system may be in; $s_0$ represents the initial state (i.e., the normal state); $I$ represents the set of all input elements (referring to the inputs of the protocols Modbus, S7, SNMP, HTTP, telnet, SMB, SMTP, HTTPS, SSH, FTP, TCP); $P$ represents the set of inputs required to cause a state transition (including the current state of the system and the received protocol); and $O$ represents the alert level finally output by the system.
The signature generation module signs the attack according to the protocol used by the attacker and the alert level. The content of the signature is protocol, port, level, event, payload. The module signs all attacks, and if an attack is at a different alert level, its signature will be different.
The signature comparison module is responsible for comparing the newly generated signature with the signature in the storage module and returning the result to the honeypot unit, so that the type of attack can be rapidly judged, and the honeypot can rapidly respond.
The storage module is responsible for storing the generated signature and carrying out additional backup on the generated signature at the same time, so that the consequences caused by the loss of the signature are avoided.
The invention has the following advantages: it can collect various kinds of attack information targeting industrial control systems, so that the industrial control system can be upgraded in a targeted way, saving extra resource consumption. It can also better defend against advanced persistent threat attacks, which pose an extremely high threat to industrial control systems. In addition, a visual interface is provided, so that an operator can intuitively and clearly see every action in the honeypot. The units in the invention are mutually independent, which further improves the security of the system.
Drawings
Fig. 1 is an overall structure diagram of the industrial control honeypot with a signature function.
Fig. 2 is a state transition diagram of the alert level of the signature module of the industrial control honeypot with a signature function.
Fig. 3 shows two different signature examples generated by the signature module of the industrial control honeypot with a signature function.
Fig. 4 is a signature generation flow chart of the signature module of the industrial control honeypot with a signature function.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the present invention will be described more fully hereinafter with reference to the accompanying drawings. It will be apparent that the described embodiments are some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1, the invention discloses an industrial control honeypot system with a signature function, which comprises a honeypot unit, a honeypot management unit, a signature generation unit and an isolation and data exchange unit. The honeypot unit, the honeypot management unit, the signature generation unit and the isolation and data exchange unit are mutually independent. The honeypot unit is connected with the isolation and data exchange unit, the honeypot management unit is connected with the isolation and data exchange unit, and the signature generation unit is connected with the honeypot management unit. The honeypot unit, the honeypot management unit, the isolation and data exchange unit and the signature generation unit each run an independent operating system.
As shown in fig. 2, the alert level conversion module is responsible for identifying the stage of the attack and adjusting the alert level according to the stage of the attack. The module uses a five-tuple to perform the alert level conversion, $M = (S, s_0, P, I, O)$, where $S$ represents the set of all states that the system may be in; $s_0$ represents the initial state (i.e., the normal state); $I$ represents the set of all input elements (referring to the inputs of the protocols Modbus, S7, SNMP, HTTP, telnet, SMB, SMTP, HTTPS, SSH, FTP, TCP); $P$ represents the set of inputs required to cause a state transition (including the current state of the system and the received protocol); and $O$ represents the alert level finally output by the system.
As shown in fig. 3, the signature generation module signs the attack according to the protocol used by the attacker and the alert level. The content of the signature is protocol, port, level, event, payload. The module signs all attacks, and if an attack is at a different alert level, its signature will be different. Fig. 3 (a) shows the signature generated by the system for an attack using the S7 protocol in the first stage, and fig. 3 (b) shows the signature generated by the system for an attack using the Modbus protocol in the third stage.
As shown in fig. 4, the signature generation unit is connected with the honeypot unit and the honeypot management unit, and comprises a protocol identification module, an alert level conversion module, a signature generation module, a signature comparison module and a storage module. Different signatures are generated according to the protocol used by an attacker and changes in the attack stage, and the generated signatures can then be compared with the original signatures, so that the type and stage of the attack can be rapidly determined and the attack can be rapidly responded to.
The protocol identification module is responsible for identifying a protocol used by an attacker and accurately judging the stage of the attack according to the change of input information. The protocols that the module can recognize are Modbus, S7, SNMP, HTTP, telnet, SMB, SMTP, HTTPS, SSH, FTP, TCP.
The signature generation module will sign the attack according to the protocol used by the attacker and the alert level. The content of the signature is protocol, port, level, event, payload. The module will sign all attacks and if an attack is at a different level of vigilance, its signature will be different.
The signature comparison module is responsible for comparing the newly generated signature with the signature in the storage module and returning the result to the honeypot unit, so that the type of attack can be judged quickly, and the honeypot can respond quickly.
The storage module is responsible for storing the generated signature and carrying out additional backup on the generated signature at the same time, so that the consequences caused by the loss of the signature are avoided.
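The alert level conversion, signature generation and signature comparison described above can be sketched as follows. This is an added example, not code from the patent: the state names, the transition rules in `P`, the SHA-256 fingerprint used for comparison, and the sample events are all assumptions, since Fig. 2 and Fig. 3 are not reproduced on the page.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# I: protocols the protocol identification module recognises (list from the patent text).
I = frozenset({"Modbus", "S7", "SNMP", "HTTP", "telnet", "SMB",
               "SMTP", "HTTPS", "SSH", "FTP", "TCP"})
# S and s0: state names are assumptions; the patent's Fig. 2 is not on the page.
S = ("normal", "level1", "level2", "level3")
S0 = "normal"
ICS = frozenset({"Modbus", "S7"})  # industrial control protocols named in the text


def build_transitions():
    """P: (current state, received protocol) -> next state. Hypothetical rules."""
    p = {}
    for proto in I:
        p[("normal", proto)] = "level1"   # first contact with the honeypot
    for proto in ICS:
        p[("level1", proto)] = "level2"   # ICS protocol after initial contact
        p[("level2", proto)] = "level3"   # continued ICS interaction
    return p


P = build_transitions()


class AlertLevelMachine:
    """M = (S, s0, P, I, O), with one state tracked per source address."""

    def __init__(self):
        self._state = {}

    def step(self, src_ip, protocol):
        """Feed one identified protocol; return O, the resulting alert level."""
        current = self._state.get(src_ip, S0)
        if protocol not in I:
            return current                # unrecognised input: no transition
        nxt = P.get((current, protocol), current)
        self._state[src_ip] = nxt
        return nxt


@dataclass(frozen=True)
class Signature:
    """The five signature fields listed in the patent."""
    protocol: str
    port: int
    level: str
    event: str
    payload: str  # hex-encoded bytes

    def digest(self):
        # Assumed comparison key: hash of a canonical JSON encoding of the fields.
        canonical = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


class SignatureStore:
    """Storage module plus signature comparison module."""

    def __init__(self):
        self._known = {}

    def compare_and_store(self, sig):
        """Return the stored signature equal to sig, or None if sig is new (then stored)."""
        key = sig.digest()
        hit = self._known.get(key)
        if hit is None:
            self._known[key] = sig
        return hit


def process(events, machine, store):
    """Run events through alert-level conversion, signing and comparison."""
    results = []
    for src, proto, port, event, payload in events:
        level = machine.step(src, proto)
        sig = Signature(proto, port, level, event, payload.hex())
        results.append((sig, store.compare_and_store(sig) is not None))
    return results


# Constructed sample events: (source IP, protocol, port, event name, payload bytes).
READ_REGS = bytes.fromhex("000100000006010300000002")  # Modbus/TCP read holding registers
SAMPLE_EVENTS = [
    ("192.0.2.10", "TCP", 502, "port-scan", b""),
    ("192.0.2.10", "Modbus", 502, "read-holding-registers", READ_REGS),
    ("192.0.2.10", "Modbus", 502, "read-holding-registers", READ_REGS),
    ("198.51.100.7", "Modbus", 502, "read-holding-registers", READ_REGS),
    ("198.51.100.7", "Modbus", 502, "read-holding-registers", READ_REGS),
]

if __name__ == "__main__":
    for sig, known in process(SAMPLE_EVENTS, AlertLevelMachine(), SignatureStore()):
        print(sig.level, "known" if known else "new", sig.digest()[:16])
```

The same Modbus request from the first source produces two different signatures because its alert level changes between them, while the second source's request at `level2` matches the signature already stored for the first source.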
The embodiments of the invention have been described in detail above; the description is intended to explain the principles and implementation of the invention. The embodiments may vary in their specific implementation and scope of application, and this description should not be construed as limiting the invention.

Claims (7)

1. An industrial control honeypot system with a signature function, characterized by comprising a honeypot unit, a honeypot management unit, a signature generation unit and an isolation and data exchange unit; the honeypot unit, the honeypot management unit, the signature generation unit and the isolation and data exchange unit are mutually independent; the honeypot unit is connected with the isolation and data exchange unit, the honeypot management unit is connected with the isolation and data exchange unit, and the signature generation unit is connected with the honeypot management unit; the honeypot unit, the honeypot management unit, the isolation and data exchange unit and the signature generation unit each run an independent operating system;
the signature generation unit comprises a protocol identification module, an alert level conversion module, a feature extraction and signature generation module, a signature comparison module and a storage module, wherein the signature generation unit is responsible for generating different signatures according to the protocol used by an attacker and changes in the attack stage, and then comparing the generated signatures with the existing signatures in the honeypot management unit, so as to quickly determine the type and stage of the attack and quickly identify and respond to the attack;
the protocol identification module is responsible for identifying the protocol used by an attacker and accurately judging the stage of the attack, and the protocols that the protocol identification module can identify are Modbus, S7, SNMP, HTTP, telnet, SMB, SMTP, HTTPS, SSH, FTP, TCP;
the alert level conversion module is responsible for identifying the stage of an attack and adjusting the alert level according to the different stages of the attack; the alert level conversion module uses a five-tuple to perform the alert level conversion, $M = (S, s_0, P, I, O)$, where $S$ represents the set of all states that the system may be in; $s_0$ represents the initial state, i.e., the normal state; $I$ represents the set of all input elements, including the inputs of the protocols Modbus, S7, SNMP, HTTP, telnet, SMB, SMTP, HTTPS, SSH, FTP, TCP; $P$ represents the set of inputs required to cause a state transition, including the current state of the system and the received protocol; and $O$ represents the alert level finally output by the system;
the feature extraction and signature generation module signs all attacks according to the protocol used by the attacker and the alert level, wherein the content of the signature is protocol and port, representing the protocol used; level, representing the alert level; event, representing the attack name; and payload; the feature extraction and signature generation module signs all attacks, and if an attack is at a different alert level, its signature is also different; the signature comparison module is responsible for comparing the newly generated signature with the signatures in the storage module and returning the result to the honeypot unit, so that the type of attack is rapidly judged and the honeypot responds rapidly; the storage module is responsible for storing the generated signature and at the same time making an additional backup of it, so that the consequences of losing the signature are avoided.
2. The industrial control honeypot system with a signature function as set forth in claim 1, wherein the honeypot unit comprises an attack monitoring and recording module, an information sorting and backup module and a local storage module; the attack monitoring and recording module is connected with the information sorting and backup module and is responsible for responding promptly to an attacker's intrusion and generating the information related to the attacker; the information sorting and backup module is connected with the local storage module and is responsible for sorting and backing up the attacker's information and uploading it to the honeypot management unit while storing it in the local storage module; the local storage module is responsible for receiving the information sent by the information sorting and backup module and backing it up.
3. The industrial control honeypot system with a signature function as set forth in claim 2, wherein the attack monitoring and recording module comprises a port monitoring module, an attacker information capturing module and a log recording module; the port monitoring module is responsible for monitoring the ports used by common industrial control protocols so as to detect an attacker scanning the honeypot, wherein the industrial control protocols comprise Modbus and S7; the attacker information capturing module is responsible for recording information about the attacker, including the ports scanned by the attacker, the attack mode used and the attacker's IP address; the log recording module is responsible for recording the attacker's information and backing it up locally, so that extra loss caused by information loss is avoided.
4. The industrial control honeypot system with a signature function as set forth in claim 2, wherein the information sorting and backup module comprises a honeypot external IP address acquisition module, a data classification module and a data encryption and pushing module; the honeypot external IP address acquisition module is responsible for acquiring the IP address that the honeypot uses to communicate with the server, so that information can be transmitted; the data classification module is responsible for classifying the acquired information according to rules, so that the acquired information is readable; the data encryption and pushing module is responsible for encrypting the classified information and pushing it to the isolation and data exchange unit, and the control module of that unit is responsible for transmitting the information to the data buffer of the honeypot management unit.
5. The industrial control honeypot system with a signature function as set forth in claim 1, wherein the isolation and data exchange unit comprises a data exchange area and a control module; the control module controls data exchange between the honeypot unit and the honeypot management unit; after receiving the information from the information sorting and backup module, the control module disconnects the honeypot unit and at the same time establishes a connection with the honeypot management unit; the data exchange area then transfers the data to the data buffer in the honeypot management unit; the data processing unit in the honeypot management unit can unpack the data and restore it to the original data.
6. The industrial control honeypot system with a signature function as set forth in claim 1, wherein the honeypot management unit comprises a data buffer, a data processing unit and a cloud data storage unit; the data buffer is connected with the data processing unit and is responsible for receiving the data transmitted by the honeypot unit; the data processing unit is connected with the data buffer and is responsible for classifying the received data; the cloud data storage unit is connected with the data processing unit and is responsible for uploading the processed data to the cloud for backup.
7. The industrial control honeypot system with a signature function as set forth in claim 6, wherein the data buffer is responsible for temporarily storing the data transmitted by the honeypot unit, decrypting it and then sending it to the data processing unit; meanwhile, the data buffer ensures that low-speed data processing keeps pace with high-speed data transmission, so that data not processed in time is not lost; the data processing unit is responsible for integrating the received data and rendering it graphically so that the behavior of an attacker can be observed more intuitively.
CN202010094294.4A 2020-02-15 2020-02-15 Honeypot system with signature function in industrial control field Active CN111400703B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010094294.4A CN111400703B (en) 2020-02-15 2020-02-15 Honeypot system with signature function in industrial control field

Publications (2)

Publication Number Publication Date
CN111400703A CN111400703A (en) 2020-07-10
CN111400703B CN111400703B (en) 2023-08-01

Family

ID=71428475

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010094294.4A Active CN111400703B (en) 2020-02-15 2020-02-15 Honeypot system with signature function in industrial control field

Country Status (1)

Country Link
CN (1) CN111400703B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107070929A (en) * 2017-04-20 2017-08-18 中国电子技术标准化研究院 A kind of industry control network honey pot system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
MX2007013025A (en) * 2005-04-18 2008-01-11 Univ Columbia Systems and methods for detecting and inhibiting attacks using honeypots.
CN102739647A (en) * 2012-05-23 2012-10-17 国家计算机网络与信息安全管理中心 High-interaction honeypot based network security system and implementation method thereof
CN105227559A (en) * 2015-10-13 2016-01-06 南京联成科技发展有限公司 The information security management framework that a kind of automatic detection HTTP actively attacks
US10986126B2 (en) * 2017-07-25 2021-04-20 Palo Alto Networks, Inc. Intelligent-interaction honeypot for IoT devices

Also Published As

Publication number Publication date
CN111400703A (en) 2020-07-10

Similar Documents

Publication Publication Date Title
CN107683597B (en) Network behavior data collection and analysis for anomaly detection
CN103607399B (en) Private IP network network safety monitoring system and method based on darknet
US20060034305A1 (en) Anomaly-based intrusion detection
EP1315066A1 (en) Computer security system
JP6258562B2 (en) Relay device, network monitoring system, and program
CN113315771B (en) Safety event alarm device and method based on industrial control system
CN113507461B (en) Network monitoring system and network monitoring method based on big data
US10873467B2 (en) Method and system for compression and optimization of in-line and in-transit information security data
US20220263846A1 (en) METHODS FOR DETECTING A CYBERATTACK ON AN ELECTRONIC DEVICE, METHOD FOR OBTAINING A SUPERVISED RANDOM FOREST MODEL FOR DETECTING A DDoS ATTACK OR A BRUTE FORCE ATTACK, AND ELECTRONIC DEVICE CONFIGURED TO DETECT A CYBERATTACK ON ITSELF
CN111400703B (en) Honeypot system with signature function in industrial control field
CN112822204A (en) NAT detection method, device, equipment and medium
CN112583763B (en) Intrusion detection device and intrusion detection method
CN111641659A (en) Method, device, equipment and storage medium for preventing central processing unit of switch from being attacked
Rasheed et al. Detection algorithm for internet worms scanning that used user datagram protocol
EP3576365B1 (en) Data processing device and method
CN113347186B (en) Reflection attack detection method and device and electronic equipment
CN115208690A (en) Screening processing system based on data classification and classification
CN112968891A (en) Network attack defense method and device and computer readable storage medium
CN110995733A (en) Intrusion detection system in industrial control field based on remote measuring technology
KR20190083178A (en) Device and method for continuous signal traffic detection of network traffic through hierarchical structure learning
US11985154B2 (en) Comprehensible threat detection
CN112417462B (en) Network security vulnerability tracking method and system
US20230156034A1 (en) Real-time threat detection for encrypted communications
Mittal et al. A support vector approach for formulating IDS rules using honeypot data
CN116545649A (en) Operation and maintenance cloud desktop monitoring system adopting real-time flow analysis and countermeasure method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant