CN111651757A - Attack behavior monitoring method, device, equipment and storage medium - Google Patents


Publication number
CN111651757A
Authority
CN
China
Prior art keywords
honeypot
attack
monitoring
data
behavior
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010510412.5A
Other languages
Chinese (zh)
Other versions
CN111651757B (en)
Inventor
李�杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
WeBank Co Ltd
Original Assignee
WeBank Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Events
Application filed by WeBank Co Ltd
Priority to CN202010510412.5A
Publication of CN111651757A
Application granted
Publication of CN111651757B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, a device, equipment and a storage medium for monitoring attack behavior, relating to the field of financial technology. The method comprises the following steps: acquiring honeypot data through a honeypot probe corresponding to a monitored host; determining the service type corresponding to the honeypot data, and determining, according to the service type, the target honeypot application corresponding to the monitored host, wherein one honeypot application corresponds to a plurality of honeypot probes; and monitoring, through the target honeypot application and according to the honeypot data, the attack behavior directed at the monitored host. The invention realizes a lightweight system architecture between the front-end hosts and the back-end honeypot server, and improves the accuracy with which an attacker's behavior is monitored through honeypot applications.

Description

Attack behavior monitoring method, device, equipment and storage medium
Technical Field
The invention relates to the technical field of computers in financial technology (Fintech), in particular to a method, a device, equipment and a storage medium for monitoring an attack behavior.
Background
With the development of computer technology, more and more technologies are being applied in the financial field, and the traditional financial industry is gradually changing into financial technology (Fintech). Because of the financial industry's requirements for security and real-time performance, higher requirements are also placed on the computer technology it uses.
Honeypot technology deceives an attacker: a host, network service or information item is deployed as bait and the attacker is induced to attack it, so that the attack behavior can be captured and analyzed, the tools and methods used by the attacker become known, the attack intention and motivation can be inferred, the defender gains a clear picture of the security threats being faced, and the security of the real system can be strengthened by technical and management means. At present, a honeypot application must be deployed at each honeypot node, that is, directly on each host that needs intrusion detection; each host carries at least one honeypot node, and each honeypot application consumes a large amount of hardware resources such as CPU (Central Processing Unit) time and disk space.
The existing honeypot applications therefore occupy a large share of the host's hardware resources, and because each host's resources are limited, only a few honeypot applications can be deployed per host, so the accuracy of monitoring an attacker's behavior through honeypot applications is low.
Disclosure of Invention
The main aim of the invention is to provide a method, a device, equipment and a storage medium for monitoring attack behavior, in order to solve the technical problems that the accuracy of monitoring an attacker's behavior through honeypot applications is low and that deploying honeypot applications consumes too many hardware resources of the host.
In order to achieve the above object, the present invention provides a method for monitoring an attack behavior, wherein the method for monitoring the attack behavior comprises the steps of:
acquiring honeypot data through honeypot probes corresponding to the monitored host;
determining a service type corresponding to the honeypot data, and determining a target honeypot application corresponding to the monitored host according to the service type, wherein one honeypot application corresponds to a plurality of honeypot probes;
and monitoring the attack behavior of attacking the monitored host according to the honeypot data through the target honeypot application.
Optionally, the step of monitoring, by the target honeypot application, an attack behavior that attacks the monitored host according to the honeypot data includes:
executing, by the target honeypot application, an attack operation corresponding to the honeypot data;
and acquiring attack data corresponding to the attack operation so as to monitor the attack behavior of attacking the monitored host according to the attack data.
Optionally, after the step of monitoring, by the target honeypot application, an attack behavior that attacks the monitored host according to the honeypot data, the method further includes:
and executing honeypot backtracking operation according to the attack data to determine the attack intention of the attacker attacking the monitored host.
Optionally, the step of performing honeypot backtracking operation according to the attack data to determine an attack intention of an attacker attacking the monitored host includes:
executing honeypot backtracking operation according to the attack data, acquiring identity information of an attacker attacking the monitored host in the honeypot backtracking operation process, and acquiring attack behavior information of the attacker;
and determining the attack intention of the attacker according to the attack behavior information and the identity information.
Optionally, after the step of determining the attack intention of the attacker according to the attack behavior information and the identity information, the method further includes:
and outputting alarm information containing the attack intention so as to prompt the user of the corresponding attack intention of the monitored host through the alarm information.
Optionally, the method for monitoring an attack behavior further includes:
when a first control instruction for controlling a honeypot probe is detected, controlling the corresponding honeypot probe according to the first control instruction, wherein the first control instruction comprises at least one of the following: a probe start instruction for starting the honeypot probe, a probe stop instruction for stopping the honeypot probe, and a setting instruction for setting the number of services simulated by the honeypot probe.
Optionally, the method for monitoring an attack behavior further includes:
when a second control instruction for controlling a honeypot application is detected, controlling the honeypot application according to the second control instruction, wherein the second control instruction comprises at least one of the following: an add instruction for adding honeypot applications, a remove instruction for removing honeypot applications, a honeypot start instruction for starting a honeypot application, and a pause instruction for pausing a honeypot application.
In addition, to achieve the above object, the present invention further provides an attack behavior monitoring device, including:
the acquisition module is used for acquiring honeypot data through honeypot probes corresponding to the monitored host;
the determining module is used for determining the service type corresponding to the honeypot data and determining target honeypot applications corresponding to the monitored host according to the service type, wherein one honeypot application corresponds to a plurality of honeypot probes;
and the monitoring module is used for monitoring the attack behavior of attacking the monitored host according to the honeypot data through the target honeypot application.
In addition, to achieve the above object, the present invention further provides attack behavior monitoring equipment, comprising a memory, a processor, and an attack behavior monitoring program stored in the memory and executable on the processor, the program implementing, when executed by the processor, the steps of the attack behavior monitoring method described above.
In addition, to achieve the above object, the present invention further provides a computer readable storage medium, on which a monitoring program of an attack behavior is stored, and the monitoring program of the attack behavior, when executed by a processor, implements the steps of the monitoring method of the attack behavior as described above.
Honeypot data is acquired through a honeypot probe corresponding to a monitored host; the service type corresponding to the honeypot data is determined, and the target honeypot application corresponding to the monitored host is determined according to the service type, one honeypot application corresponding to a plurality of honeypot probes; and the attack behavior directed at the monitored host is monitored through the target honeypot application according to the honeypot data. The honeypot probe is placed in the monitored host at the front end and the honeypot application in the honeypot server at the back end, so the honeypot application does not consume the front-end host's hardware resources, and the system architecture between the front-end hosts and the back-end honeypot server is lightweight. No host needs to carry several honeypot applications: the honeypot data is obtained through the probe, which removes the limit on the number of honeypot applications a host can support and the resulting loss of monitoring accuracy, and the accuracy of monitoring an attacker's behavior through honeypot applications is improved.
Drawings
Fig. 1 is a schematic flow chart of a first embodiment of the method for monitoring the attack behavior of the present invention;
FIG. 2 is a flow chart of a second embodiment of the method for monitoring the attack behavior of the present invention;
FIG. 3 is a block diagram of a preferred embodiment of an apparatus for monitoring attack behavior in accordance with the present invention;
fig. 4 is a schematic structural diagram of a hardware operating environment according to an embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention provides a method for monitoring an attack behavior, and referring to fig. 1, fig. 1 is a schematic flow chart of a first embodiment of the method for monitoring the attack behavior.
While a logical order is shown in the flow chart, in some cases, the steps shown or described may be performed in an order different from that shown or described herein.
The method for monitoring the attack behavior comprises the following steps:
step S10, acquiring honeypot data through honeypot probes corresponding to the monitored host.
Step S20, determining a service type corresponding to the honeypot data, and determining a target honeypot application corresponding to the monitored host according to the service type, where one honeypot application corresponds to a plurality of honeypot probes.
In the embodiment of the invention, at least one honeypot application is deployed in the honeypot server, each honeypot application corresponds to a plurality of honeypot probes, and each monitored host is provided with one honeypot probe. The honeypot server is the back end with respect to the monitored host, and the monitored host is the front end with respect to the honeypot server. The honeypot probes simulate the services of the honeypot applications: each honeypot probe opens ports corresponding to different services, and each port simulates the service of the corresponding honeypot application. For example, an SSH (Secure Shell) service is simulated by opening port 22 in the honeypot probe, and honeypot data belonging to the SSH service is then forwarded to the honeypot application through port 22. SSH is an application-layer security protocol that provides encrypted remote login sessions and other network services. In this embodiment the service types corresponding to honeypot applications include, but are not limited to, SSH, web, database and Windows remote desktop services. The service type may be a standard service such as these, or it may be a custom service defined as needed by the user operating the honeypot server.
After the monitored host receives an access request, the honeypot probe in the monitored host acquires the honeypot data corresponding to the access request and sends it to the honeypot server. The honeypot data includes, but is not limited to, probe information, the IP address corresponding to the access request, the traffic type corresponding to the access request, and the service type corresponding to the access request. The probe information comprises a probe mark and the name of the monitored host on which the probe runs; the probe mark can be a probe name and uniquely identifies one honeypot probe. In this embodiment the traffic types include, but are not limited to, HTTP (Hypertext Transfer Protocol), HTTPS (HTTP over TLS/SSL), TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) traffic. Because ports corresponding to different services are set in the honeypot probe, the probe reads the type identifier of the access request when it receives it, determines the corresponding sending port from the type identifier, and sends the honeypot data to the honeypot server through that port. The type identifiers of different ports differ; their representation is not limited in this embodiment and may consist of digits and/or letters. The service type of the honeypot data can thus be read from the type identifier, that is, in this embodiment a port corresponds to a service type.
After the honeypot server acquires honeypot data through honeypot probes corresponding to the monitored host, the honeypot server determines the service type corresponding to the honeypot data and determines the target honeypot application corresponding to the monitored host according to the service type. It should be noted that the honeypot applications corresponding to different service types are different, and in this embodiment, a mapping relationship between a service type and a honeypot application is stored in advance, so that the honeypot application corresponding to the monitored host can be determined according to the mapping relationship and the service type corresponding to the honeypot data, and the honeypot application corresponding to the monitored host is recorded as the target honeypot application.
And step S30, monitoring the attack behavior of the monitored host according to the honeypot data through the target honeypot application.
After the honeypot server determines the target honeypot application, the honeypot server monitors the attack behavior of attacking the monitored host according to the honeypot data through the target honeypot application, wherein the attack behavior is the attack behavior corresponding to the access request.
Further, after the honeypot server determines the target honeypot application, the honeypot server detects whether the target honeypot application is in an online state; if the target honeypot application is detected to be in an online state, the honeypot server monitors the attack behavior of attacking the monitored host according to honeypot data through the target honeypot application; and if the target honeypot application is detected not to be in the online state, namely the target honeypot application is in the offline state, the honeypot server controls the target honeypot application to be converted into the online state from the offline state.
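The following is an added example, not code from the patent, showing how steps S10 to S30 fit together: a front-end probe maps the port that was hit to a service type and emits honeypot data carrying its probe mark; the back-end server looks the service type up in a pre-stored mapping, brings the target application online if needed, and hands the event over. The JSON wire format, the port-to-service table and all class and function names are assumptions made for illustration.

```python
"""Probe-to-server dispatch modelled on steps S10-S30.

Added example, not the patent's code. The JSON wire format, the
port-to-service table and the class names are assumptions made here.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed probe-side table: port opened by the probe -> service type it simulates.
# The patent only states that ports correspond to service types; these are illustrative.
PORT_TO_SERVICE = {22: "ssh", 80: "web", 443: "web", 3306: "database", 3389: "rdp"}


@dataclass
class ProbeEvent:
    """Honeypot data: probe mark, monitored host name, source IP, traffic type, service type."""
    probe_id: str
    host_name: str
    src_ip: str
    traffic_type: str  # e.g. "tcp", "udp", "http", "https"
    dst_port: int
    service_type: str

    def to_wire(self) -> str:
        return json.dumps(self.__dict__, sort_keys=True)


def probe_capture(probe_id: str, host_name: str, src_ip: str,
                  dst_port: int, traffic_type: str) -> Optional[ProbeEvent]:
    """Front-end probe (S10): map the port that was hit to a service type and build the event.
    Returns None for ports the probe does not simulate, so nothing is forwarded for them."""
    service = PORT_TO_SERVICE.get(dst_port)
    if service is None:
        return None
    return ProbeEvent(probe_id, host_name, src_ip, traffic_type, dst_port, service)


@dataclass
class HoneypotApp:
    """One back-end honeypot application; many probes feed it."""
    name: str
    service_type: str
    online: bool = False
    received: List[dict] = field(default_factory=list)

    def handle(self, event: ProbeEvent) -> dict:
        # S30 stand-in: keep the probe mark with every record so that hits arriving
        # through different probes stay distinguishable (the distortion the patent describes).
        record = {"probe": event.probe_id, "host": event.host_name,
                  "src_ip": event.src_ip, "service": event.service_type}
        self.received.append(record)
        return record


class HoneypotServer:
    def __init__(self, apps: List[HoneypotApp]) -> None:
        # Pre-stored mapping service type -> honeypot application (S20).
        self.apps: Dict[str, HoneypotApp] = {a.service_type: a for a in apps}
        self.unrouted: List[ProbeEvent] = []

    def dispatch(self, wire: str) -> Optional[dict]:
        event = ProbeEvent(**json.loads(wire))
        app = self.apps.get(event.service_type)
        if app is None:
            # No application for this service type: retain the event instead of
            # dropping it silently, so the gap in the mapping is visible to the operator.
            self.unrouted.append(event)
            return None
        if not app.online:
            app.online = True  # an offline target application is brought online first
        return app.handle(event)
```

Two probes on different hosts both hitting port 22 end up in the same SSH application, each record still tagged with its own probe mark; an event whose service type has no application is retained in `unrouted` rather than lost.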
Further, step S30 includes:
and a step a of executing attack operation corresponding to the honeypot data through the target honeypot application.
And b, acquiring attack data corresponding to the attack operation so as to monitor the attack behavior of attacking the monitored host according to the attack data.
Specifically, the honeypot server executes, through the target honeypot application, the attack operation corresponding to the honeypot data, that is, it executes the access request, acquires the attack data corresponding to the attack operation, and monitors the attack behavior directed at the monitored host according to the acquired attack data. While monitoring, the honeypot server can simulate the execution of the access request through the target honeypot application, that is, simulate the attack process, obtain an execution result and return it to the terminal that issued the access request, in other words to the attacker; the execution result is the access data corresponding to the request. If, for example, the access request fetches data from database A, the honeypot server returns a preset number of records of database A to the requesting terminal, the records being fake data. While the attack is simulated through the target honeypot application, attack data is acquired and stored. The attack data includes, but is not limited to, the source IP address (the IP address corresponding to the access request), the account and password used by the attacker, the attack code, the source port (the port of the attacker's terminal), the attack time, the target IP address and target port (the IP address and port of the device the attack operation is aimed at), any files uploaded during the attack, the attacked service type and the traffic type of the attack behavior.
After the honeypot server has acquired the attack data, it can monitor the attack behavior directed at the monitored host through that data: all of the attacker's operations and records can ultimately be replayed in simulation from the attack data. The source of the attacker, the login information used (account and password), the attack code and so on can be determined from the attack data, which achieves the monitoring of the attack behavior.
If the honeypot server determines that the target honeypot application is the one corresponding to the database service, the honeypot server identifies the database connection behavior from the honeypot data through the target honeypot application, enters the database simulation sub-module, establishes a connection with the attacker, returns corresponding operation data for each of the attacker's requests, and records the entire session: the source IP address, the account used to log in to the database, the password used, and the attack code. The implementation logic for the other service types (SSH, web, Windows remote desktop and so on) is the same and is not repeated here.
Attack behavior is classified as follows. Brute-force probing of a login system, that is, repeated login attempts with different account/password combinations from a single IP address, is identified as a brute-force attack. Constructing a request to reach a page or data that the honeypot server has designed to be unreachable without authorization, such as a database that unauthenticated users may not access, is identified as an unauthorized-access attack. Obtaining data by injecting malicious web code such as SQL (Structured Query Language) is classified as an injection attack against the web service, and so on.
After the honeypot application receives the honeypot data, it can simulate the normal interaction of the application according to that data. For example, an attacker probes or attacks through the honeypot probe at the front end, the probe forwards the relevant traffic to the honeypot application at the back end, and the attacker's interaction with the honeypot takes place at the application layer. If a hacker attacks a web service simulated by the honeypot, the honeypot application receives the hacker's web request forwarded by the probe, returns a web page containing a simulated vulnerability, and supports the hacker's subsequent attacks against that page. A simulated management platform, for instance, can let the hacker appear to succeed in brute-forcing its login, enter the simulated pages behind it, and receive fake page data.
In this embodiment, honeypot data is acquired through a honeypot probe corresponding to the monitored host, the service type corresponding to the honeypot data is determined, and the target honeypot application corresponding to the monitored host is determined according to the service type, one honeypot application corresponding to a plurality of honeypot probes; the attack behavior directed at the monitored host is then monitored through the target honeypot application according to the honeypot data. The honeypot probe is placed in the monitored host at the front end and the honeypot application in the honeypot server at the back end, so the honeypot application does not consume the front-end host's hardware resources, the system architecture between the front-end hosts and the back-end honeypot server is lightweight, and no host needs to carry several honeypot applications. Because the honeypot data is obtained through the probe, the limit on the number of honeypot applications a host can support no longer reduces monitoring accuracy, and the accuracy of monitoring an attacker's behavior through honeypot applications is improved.
Further, at present a honeypot application directly captures all traffic of an attack source, because the communication is directly between the attacker and the honeypot application; the application sends the captured traffic to the back-end honeypot server, and the server distinguishes the data of each honeypot application by the application's IP (Internet Protocol) address. When several attackers attack the same honeypot application at the same time, the honeypot server sees their attack code, attack frequency and so on as coming from a single IP address; the real situation of several external IP addresses with different attack code and frequencies cannot be reconstructed, only one IP address can be monitored, the honeypot data is distorted, and the honeypot server cannot carry out malicious-behavior modeling, alerting and similar work according to its normal logic. In this embodiment, ports for the different service types are set in the honeypot probe and honeypot data of each type is sent through its port to the corresponding honeypot application, so the honeypot data is not distorted and the accuracy of monitoring the attacker's behavior through honeypot applications is further improved.
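As an added example (not the patent's logic), the three behavior categories named above can be recognised from stored attack data with a small classifier: a rate rule over failed logins per source IP for brute force, a check of protected resources reached without a session for unauthorized access, and pattern matching on web payloads for SQL injection. The record fields, the threshold of five failures within 60 seconds, the protected-resource list and the injection patterns are assumptions; the sample records are constructed, not captured traffic.

```python
"""Classify captured attack data into brute-force, unauthorized-access and
injection behavior. Added example; thresholds, field names and patterns are
assumptions made for illustration, not the patent's implementation."""
import re
from collections import defaultdict
from typing import Dict, List

BRUTE_FORCE_ATTEMPTS = 5    # failed logins ...
BRUTE_FORCE_WINDOW_S = 60   # ... within this many seconds from one IP

# Resources the honeypot exposes that no unauthenticated caller may reach.
PROTECTED_TARGETS = {"/admin", "db:accounts"}

# Deliberately simple SQL-injection indicators; a production detector would also
# normalise URL/Unicode encoding and comment tricks before matching.
SQLI_PATTERNS = [
    re.compile(r"('|%27)\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),   # tautology: ' OR '1'='1
    re.compile(r"\bunion\b.+\bselect\b", re.I),                       # UNION SELECT
    re.compile(r";\s*(drop|insert|update|delete)\b", re.I),           # stacked statement
]


def classify(records: List[dict]) -> Dict[str, List[dict]]:
    """records: attack-data dicts with keys src_ip, ts (epoch s), service, action,
    target, authenticated, login_ok, payload. Returns findings keyed by behavior type."""
    findings: Dict[str, List[dict]] = defaultdict(list)

    # 1. Brute force: BRUTE_FORCE_ATTEMPTS failed logins from one IP inside the window.
    failed_by_ip: Dict[str, List[int]] = defaultdict(list)
    for r in records:
        if r["action"] == "login" and not r["login_ok"]:
            failed_by_ip[r["src_ip"]].append(r["ts"])
    for ip, times in failed_by_ip.items():
        times.sort()
        for i in range(len(times) - BRUTE_FORCE_ATTEMPTS + 1):
            if times[i + BRUTE_FORCE_ATTEMPTS - 1] - times[i] <= BRUTE_FORCE_WINDOW_S:
                findings["brute_force"].append({"src_ip": ip, "attempts": len(times),
                                                "first_ts": times[i]})
                break

    for r in records:
        # 2. Unauthorized access: protected resource touched without a valid session.
        if r["action"] == "access" and r["target"] in PROTECTED_TARGETS and not r["authenticated"]:
            findings["unauthorized_access"].append({"src_ip": r["src_ip"], "target": r["target"],
                                                    "ts": r["ts"]})
        # 3. Injection: web payload matching one of the indicators.
        payload = r.get("payload")
        if r["service"] == "web" and payload and any(p.search(payload) for p in SQLI_PATTERNS):
            findings["injection"].append({"src_ip": r["src_ip"], "payload": payload, "ts": r["ts"]})
    return dict(findings)


def sample_records() -> List[dict]:
    """Constructed attack data exercising each category (not real captures)."""
    def rec(src_ip, ts, service, action, target, authenticated=False, login_ok=None, payload=None):
        return {"src_ip": src_ip, "ts": ts, "service": service, "action": action, "target": target,
                "authenticated": authenticated, "login_ok": login_ok, "payload": payload}
    recs = []
    # six failed SSH logins from one IP within seconds -> brute force
    recs += [rec("203.0.113.9", 1000 + i, "ssh", "login", "ssh", login_ok=False) for i in range(6)]
    # five failures spread over 400 s -> below the rate threshold, not flagged
    recs += [rec("198.51.100.7", 2000 + 100 * i, "ssh", "login", "ssh", login_ok=False) for i in range(5)]
    # admin page fetched without a session -> unauthorized access
    recs.append(rec("203.0.113.9", 1100, "web", "access", "/admin"))
    # tautology in a query parameter -> injection; a plain request is not flagged
    recs.append(rec("192.0.2.5", 1200, "web", "access", "/search", payload="q=shoes' OR '1'='1"))
    recs.append(rec("192.0.2.5", 1201, "web", "access", "/search", payload="q=shoes"))
    return recs
```

The slow-and-low case (five failures over 400 seconds) shows why a window is needed in addition to a count: an attacker pacing attempts below the rate stays out of the brute-force bucket, so in practice the window should be tuned against the honeypot's own baseline rather than fixed.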
Further, a second embodiment of the method for monitoring an attack behavior of the present invention is provided. The second embodiment of the method for monitoring an attack behavior is different from the first embodiment of the method for monitoring an attack behavior in that, referring to fig. 2, the method for monitoring an attack behavior further includes:
and step S40, executing honeypot backtracking operation according to the attack data to determine the attack intention of the attacker attacking the monitored host.
After the honeypot server obtains the attack data, it performs a honeypot backtracking operation according to the attack data to determine the attack intention of the attacker with respect to the monitored host. The attack intention represents the attacker's ultimate purpose and may include the source IP address, the attack type and the attack payload. For example, if an attacker brute-forces a login to a database, the attack intention may be to obtain the data stored in the database or to tamper with it. Specifically, the honeypot server performs the backtracking operation according to the attack data when it detects a backtracking instruction, which may be triggered by the honeypot server on a schedule or by the user of the honeypot server as needed.
For ease of understanding, consider the following simple attack case. The back-end honeypot server uses the IP address as the unique key, shows all traffic behavior of that IP address on a time axis, and classifies the traffic on the time axis by the service probed and the attack traffic seen:
1. The attacker scans and discovers the management platform of site A; the traffic shows the attacker's requests to site A.
2. The attacker brute-forces the management platform of A; the traffic shows a large number of account/password retries against it. The brute force succeeds and the attacker logs in; the honeypot application records that the attacker logged in with account xx and password xx, and records every page operation.
3. The attacker attacks A further and finds other vulnerabilities in A, such as an SSRF (Server-Side Request Forgery) vulnerability, and uses it to attack other servers on the intranet; the SSRF attack traffic is recorded and visible.
4. Through the vulnerability in step 3 the attacker probes the intranet servers. The intranet can simulate various business systems, such as an account management system or a deposit system, and the attacker reaches them through the vulnerability in step 3. When the attacker probes and logs in to these systems, every operation is recorded, and in particular the data the attacker exports, reads or modifies is recorded in detail, so that the attacker's target data can be identified.
5. From the display of steps 1 to 4 the whole attack process can be identified and all of the attacker's attack code captured; finally, the attack intention is identified from the operations performed on the system and the specific data accessed.
It can be understood that the honeypot server can analyze and play back the attack behavior of the attacker through the attack data, so that the honeypot server can know the attack behavior of the attacker.
Further, the step S40 includes:
and c, executing honeypot backtracking operation according to the attack data, acquiring identity information of an attacker attacking the monitored host in the honeypot backtracking operation process, and acquiring attack behavior information of the attacker.
After the honeypot server detects the backtracking instruction, it performs the honeypot backtracking operation according to the attack data and, while doing so, acquires the identity information of the attacker attacking the monitored host. During the backtracking operation the honeypot server runs identity-capture logic, stored in advance in the honeypot server, which acquires the attacker's identity information and the attacker's behavior information. The identity information includes, but is not limited to, an identifier of the attacker, the attacker's IP address and social account; the identifier uniquely determines the attacker. During backtracking the honeypot server simulates the attacker's vulnerability probing or scanning and the attacker's opening of target files in the honeypot, and obtains the identity information from this.
The attack behavior information includes, but is not limited to, an IP address corresponding to the access request, a traffic type corresponding to the access request, a service type corresponding to the access request, an account number used by the attacker, a password used by the attacker, an attack code, attack time, and a file uploaded during the attack. It is understood that the IP address corresponding to the access request is the IP address of the attacker. It should be noted that the attack behavior information may include honeypot data, but is not limited to honeypot data, and the attack behavior information may also include attack data, but is not limited to attack data.
And d, determining the attack intention of the attacker according to the attack behavior information and the identity information.
After the honeypot server acquires the attack behavior information and the identity information, the honeypot server associates the attack behavior information and the identity information to obtain associated information, and determines the attack intention of an attacker through the associated information, wherein what resource the attacker wants to attack can be determined through the attack intention. Specifically, the honeypot server can use the IP address of the attacker in the identity information and the attack behavior information as fingerprint information to associate the identity information and the attack behavior information.
Further, the method for monitoring the attack behavior further comprises the following steps:
Step e, outputting alarm information containing the attack intention, so as to prompt the user, through the alarm information, with the attack intention against the monitored host.
After the honeypot server determines the attack intention of the attacker, it outputs alarm information containing the attack intention, so as to prompt the user through the alarm information that the monitored host has been intruded by an attacker and to tell the user the attacker's attack intention. Specifically, the honeypot server can output the alarm information in the form of voice and/or text. Further, the honeypot server can also send the alarm information to a mobile terminal, so that the mobile terminal outputs the alarm information after receiving it and prompts the user of the mobile terminal with the attack intention of the attacker against the monitored host.
According to this embodiment, the honeypot backtracking operation is executed according to the attack data to determine the attack intention of the attacker attacking the monitored host, so that the user can conveniently learn the attacker's behavior from the attack intention, operation and maintenance personnel can prevent the attack behavior of the attacker according to the attack intention, and the security of the corresponding network is improved.
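The association and alarm logic of steps c to e, as an added example that is not part of the patent: identity information and attack behavior information are joined on the attacker IP used as fingerprint, the attack intention is read off the joined records, and alarm information is produced. The dataclass field names, the accessed_resource field and the sample records are assumptions constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class IdentityInfo:
    attacker_id: str          # identifier that uniquely determines the attacker
    ip: str                   # IP address of the attacker (used as the fingerprint)
    social_account: str = ""  # social account number, if captured

@dataclass
class AttackBehavior:
    ip: str                      # IP address of the access request (= attacker IP)
    traffic_type: str
    service_type: str            # e.g. "ssh", "web"
    account: str                 # account used by the attacker
    password: str
    attack_code: str             # label of the captured attack code (constructed)
    attack_time: str             # ISO-8601 timestamp
    uploaded_file: str = ""      # file uploaded during the attack, if any
    accessed_resource: str = ""  # assumption: the data the attacker specifically accessed

@dataclass
class AttackIntention:
    attacker_id: str
    ip: str
    target_resources: list[str] = field(default_factory=list)
    services: list[str] = field(default_factory=list)
    accounts_tried: list[str] = field(default_factory=list)
    uploaded_files: list[str] = field(default_factory=list)
    first_seen: str = ""
    last_seen: str = ""

def associate(identities, behaviors):
    """Step d, first half: group behavior records under the identity with the same IP.
    Behaviors whose IP has no captured identity are kept under a placeholder identity
    so that no attack record is silently dropped."""
    by_ip = {i.ip: i for i in identities}
    grouped: dict[str, tuple[IdentityInfo, list[AttackBehavior]]] = {}
    for b in behaviors:
        ident = by_ip.get(b.ip) or IdentityInfo("unknown:" + b.ip, b.ip)
        grouped.setdefault(b.ip, (ident, []))[1].append(b)
    return grouped

def _uniq(values):  # distinct non-empty values in first-seen order
    out: list[str] = []
    for v in values:
        if v and v not in out:
            out.append(v)
    return out

def determine_intention(identity, behaviors):
    """Step d, second half: read the intention off the associated information, i.e.
    which resources and services were touched, with which credentials, what was
    uploaded, and over which time window."""
    times = sorted(b.attack_time for b in behaviors)
    return AttackIntention(
        attacker_id=identity.attacker_id,
        ip=identity.ip,
        target_resources=_uniq(b.accessed_resource for b in behaviors),
        services=_uniq(b.service_type for b in behaviors),
        accounts_tried=_uniq(b.account for b in behaviors),
        uploaded_files=_uniq(b.uploaded_file for b in behaviors),
        first_seen=times[0] if times else "",
        last_seen=times[-1] if times else "",
    )

def build_alarm(host, intention):
    """Step e: alarm text telling the user which host was intruded and what was targeted."""
    def j(xs):
        return ",".join(xs) or "none"
    return (f"ALARM host={host} attacker={intention.attacker_id} ip={intention.ip} "
            f"services={j(intention.services)} targets={j(intention.target_resources)} "
            f"accounts={j(intention.accounts_tried)} uploads={j(intention.uploaded_files)} "
            f"window={intention.first_seen}..{intention.last_seen}")

def analyse(host, identities, behaviors):
    """Steps c..e on already-captured records: one (intention, alarm) pair per IP."""
    results = {}
    for ip, (ident, recs) in associate(identities, behaviors).items():
        intent = determine_intention(ident, recs)
        results[ip] = (intent, build_alarm(host, intent))
    return results

# Constructed sample records, not real data (documentation IP ranges).
SAMPLE_IDENTITIES = [IdentityInfo("attacker-01", "198.51.100.7", "social:example")]
SAMPLE_BEHAVIORS = [
    AttackBehavior("198.51.100.7", "tcp", "ssh", "root", "123456", "code-1",
                   "2020-06-05T10:00:00", accessed_resource="/etc/passwd"),
    AttackBehavior("198.51.100.7", "http", "web", "admin", "admin", "code-2",
                   "2020-06-05T10:05:00", uploaded_file="upload.bin",
                   accessed_resource="/var/www/config.php"),
    AttackBehavior("203.0.113.9", "tcp", "rdp", "guest", "", "code-3", "2020-06-05T09:30:00"),
]

if __name__ == "__main__":
    for _, (_, text) in analyse("host-A", SAMPLE_IDENTITIES, SAMPLE_BEHAVIORS).items():
        print(text)
```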
Further, a third embodiment of the method for monitoring an attack behavior according to the present invention is provided. The third embodiment of the method for monitoring an attack behavior differs from the first and/or second embodiment of the method for monitoring an attack behavior in that the method for monitoring an attack behavior further comprises:
Step f, after a first control instruction for controlling the honeypot probe is detected, controlling the corresponding honeypot probe according to the first control instruction, wherein the first control instruction comprises at least one of the following: a probe start instruction for starting the honeypot probe, a close instruction for closing the honeypot probe, and a setting instruction for setting the number of simulated services corresponding to the honeypot probe.
The honeypot server detects whether a first control instruction for controlling the honeypot probe is present; the first control instruction is triggered as needed by the user of the honeypot server, or is received by the honeypot server from another terminal device. When the honeypot server detects a first control instruction for controlling the honeypot probes, it controls the corresponding honeypot probes according to the first control instruction. It should be noted that the first control instruction carries the probe identifier of the honeypot probe to be controlled, so that the specific honeypot probe to be controlled can be determined from the probe identifier. The first control instruction comprises at least one of the following: a probe start instruction for starting the honeypot probe, a close instruction for closing the honeypot probe, and a setting instruction for setting the number of simulated services corresponding to the honeypot probe. It can be understood that the honeypot server can start a honeypot probe in the closed state through the probe start instruction, so that it enters the started state, and only a honeypot probe in the started state can acquire honeypot data. The honeypot server can close the honeypot probe according to the close instruction, and can set the number of simulated services corresponding to each honeypot probe according to the setting instruction; for example, the number of simulated services corresponding to honeypot probe A can be set to 2, namely the SSH service and the web service, and the number corresponding to honeypot probe B can be set to 3, namely the SSH service, the web service and the Windows remote desktop service.
Further, the method for monitoring the attack behavior further comprises the following steps:
Step g, after a second control instruction for controlling the honeypot application is detected, controlling the honeypot application according to the second control instruction, wherein the second control instruction comprises at least one of the following: an add instruction for adding honeypot applications, a reduce instruction for reducing honeypot applications, a honeypot start instruction for starting a honeypot application, and a pause instruction for pausing a honeypot application.
Further, the honeypot server detects whether a second control instruction for controlling the honeypot application is present; the second control instruction is triggered as needed by the user of the honeypot server, or is received by the honeypot server from another terminal device. When the honeypot server detects a second control instruction for controlling the honeypot application, it controls the corresponding honeypot application according to the second control instruction. It should be noted that the second control instruction carries the application identifier of the honeypot application to be controlled, so that the specific honeypot application to be controlled can be determined from the application identifier. The second control instruction comprises at least one of the following: an add instruction for adding honeypot applications, a reduce instruction for reducing honeypot applications, a honeypot start instruction for starting a honeypot application, and a pause instruction for pausing a honeypot application. In particular, the honeypot server may increase the number of honeypot applications according to the add instruction, for example from 2 to 4; reduce the number of honeypot applications according to the reduce instruction, for example from 3 to 2; start a honeypot application in the closed state according to the honeypot start instruction, so that it enters the started state; and suspend a honeypot application in the running state according to the pause instruction. Further, the honeypot server can also delete or uninstall honeypot applications.
The honeypot probe is controlled through the first control instruction and the honeypot application through the second control instruction, which improves the flexibility with which the honeypot probe and the honeypot application can be configured.
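The probe and application control of steps f and g, together with the service-type dispatch stated in the claims (one honeypot application serving many probes), as an added example that is not the patent's code: each instruction carries a probe or application identifier, only a started probe yields honeypot data, and that data is routed to a running honeypot application by service type. The instruction field names, the service catalogue and the demo values are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

KNOWN_SERVICES = {"ssh", "web", "rdp"}  # assumed catalogue; "rdp" = Windows remote desktop

@dataclass
class Probe:
    probe_id: str                # probe identifier carried in the first control instruction
    host: str                    # monitored host the probe corresponds to
    services: list[str] = field(default_factory=list)  # simulated services (quantity = len)
    started: bool = False        # only a started probe acquires honeypot data

@dataclass
class HoneypotApp:
    app_id: str                  # application identifier carried in the second control instruction
    service_type: str            # assumption: one application serves one service type
    state: str = "closed"        # closed | running | paused

class HoneypotServer:
    def __init__(self) -> None:
        self.probes: dict[str, Probe] = {}
        self.apps: dict[str, HoneypotApp] = {}

    # First control instruction (step f): {"probe_id": ..., "op": start|close|set_services}
    def control_probe(self, instr: dict) -> Probe:
        probe = self.probes.get(instr.get("probe_id"))
        if probe is None:
            raise KeyError(f"unknown probe identifier: {instr.get('probe_id')!r}")
        op = instr["op"]
        if op == "start":
            probe.started = True
        elif op == "close":
            probe.started = False
        elif op == "set_services":
            services = list(instr["services"])
            unsupported = set(services) - KNOWN_SERVICES
            if unsupported:
                raise ValueError(f"unsupported simulated services: {sorted(unsupported)}")
            probe.services = services
        else:
            raise ValueError(f"unsupported first control instruction: {op!r}")
        return probe

    # Second control instruction (step g): {"app_id": ..., "op": add|reduce|start|pause}
    def control_app(self, instr: dict) -> HoneypotApp | None:
        op = instr["op"]
        if op == "add":
            app = HoneypotApp(instr["app_id"], instr["service_type"])
            self.apps[app.app_id] = app
            return app
        app = self.apps.get(instr.get("app_id"))
        if app is None:
            raise KeyError(f"unknown application identifier: {instr.get('app_id')!r}")
        if op == "reduce":
            del self.apps[app.app_id]
            return None
        if op == "start":
            app.state = "running"
        elif op == "pause":
            if app.state == "running":   # only a running application is suspended
                app.state = "paused"
        else:
            raise ValueError(f"unsupported second control instruction: {op!r}")
        return app

    # Data path: honeypot data from a started probe is routed to the running application
    # whose service type matches (many probes share one application).
    def target_app_for(self, probe_id: str, service_type: str) -> HoneypotApp | None:
        probe = self.probes[probe_id]
        if not probe.started or service_type not in probe.services:
            return None
        for app in self.apps.values():
            if app.service_type == service_type and app.state == "running":
                return app
        return None

def demo() -> HoneypotServer:
    """Constructed walk-through using the service counts from the description:
    probe A gets 2 simulated services, probe B gets 3."""
    srv = HoneypotServer()
    srv.probes["A"] = Probe("A", "host-1")
    srv.probes["B"] = Probe("B", "host-1")
    srv.control_probe({"probe_id": "A", "op": "set_services", "services": ["ssh", "web"]})
    srv.control_probe({"probe_id": "B", "op": "set_services", "services": ["ssh", "web", "rdp"]})
    srv.control_probe({"probe_id": "A", "op": "start"})
    srv.control_app({"op": "add", "app_id": "ssh-1", "service_type": "ssh"})
    srv.control_app({"op": "add", "app_id": "web-1", "service_type": "web"})
    srv.control_app({"op": "start", "app_id": "ssh-1"})
    return srv

if __name__ == "__main__":
    s = demo()
    print(s.target_app_for("A", "ssh"))   # routed to ssh-1
    print(s.target_app_for("B", "ssh"))   # None: probe B is not started
```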
In addition, the present invention further provides a device for monitoring an attack behavior, and referring to fig. 3, the device for monitoring an attack behavior includes:
the acquisition module 10 is used for acquiring honeypot data through honeypot probes corresponding to the monitored host;
a determining module 20, configured to determine a service type corresponding to the honeypot data, and determine, according to the service type, a target honeypot application corresponding to the monitored host, where one honeypot application corresponds to multiple honeypot probes;
and the monitoring module 30 is configured to monitor an attack behavior attacking the monitored host according to the honeypot data through the target honeypot application.
Further, the monitoring module 30 includes:
a first execution unit, configured to execute, by the target honeypot application, an attack operation corresponding to the honeypot data;
and the first acquisition unit is used for acquiring attack data corresponding to the attack operation so as to monitor the attack behavior of attacking the monitored host according to the attack data.
Further, the device for monitoring the attack behavior further comprises:
and the execution module is used for executing honeypot backtracking operation according to the attack data so as to determine the attack intention of the attacker attacking the monitored host.
Further, the execution module includes:
the second execution unit is used for executing honeypot backtracking operation according to the attack data;
the second acquisition unit is used for acquiring identity information of an attacker attacking the monitored host in the honeypot backtracking operation process and acquiring attack behavior information of the attacker;
and the determining unit is used for determining the attack intention of the attacker according to the attack behavior information and the identity information.
Further, the device for monitoring the attack behavior further comprises:
and the output module is used for outputting alarm information containing the attack intention so as to prompt the user of the corresponding attack intention of the monitored host through the alarm information.
Further, the device for monitoring the attack behavior further comprises:
the first control module is used for, after a first control instruction for controlling the honeypot probe is detected, controlling the honeypot probe according to the first control instruction, wherein the first control instruction comprises at least one of the following: a probe start instruction for starting the honeypot probe, a close instruction for closing the honeypot probe, and a setting instruction for setting the number of simulated services corresponding to the honeypot probe.
Further, the device for monitoring the attack behavior further comprises:
the second control module is used for, after a second control instruction for controlling the honeypot application is detected, controlling the honeypot application according to the second control instruction, wherein the second control instruction comprises at least one of the following: an add instruction for adding honeypot applications, a reduce instruction for reducing honeypot applications, a honeypot start instruction for starting a honeypot application, and a pause instruction for pausing a honeypot application.
The specific implementation of the device for monitoring the attack behavior of the present invention is basically the same as the embodiments of the method for monitoring the attack behavior, and is not described herein again.
In addition, the invention also provides equipment for monitoring the attack behavior. As shown in fig. 4, fig. 4 is a schematic structural diagram of a hardware operating environment according to an embodiment of the present invention.
It should be noted that fig. 4 is a schematic structural diagram of the hardware operating environment of the attack behavior monitoring device. The attack behavior monitoring device of this embodiment of the invention can be a terminal device such as a PC or a portable computer.
As shown in fig. 4, the attack behavior monitoring device may include a processor 1001 such as a CPU, a memory 1005, a user interface 1003, a network interface 1004, and a communication bus 1002, where the communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory); the memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration of the attack behavior monitoring device shown in fig. 4 does not constitute a limitation of the attack behavior monitoring device, which may include more or fewer components than shown, some components in combination, or a different arrangement of components.
As shown in fig. 4, the memory 1005, which is a kind of computer storage medium, may contain an operating system, a network communication module, a user interface module, and an attack behavior monitoring program. The operating system is a program that manages and controls the hardware and software resources of the attack behavior monitoring device and supports the running of the attack behavior monitoring program and of other software or programs.
In the attack behavior monitoring device shown in fig. 4, the user interface 1003 is mainly used for connecting to a terminal device and performing data communication with it, such as sending an alarm message to the terminal device; the network interface 1004 is mainly used for connecting to the background server and performing data communication with it; and the processor 1001 may be configured to call the attack behavior monitoring program stored in the memory 1005 and execute the steps of the attack behavior monitoring method described above.
The specific implementation of the device for monitoring the attack behavior of the present invention is basically the same as the embodiments of the method for monitoring the attack behavior, and is not described herein again.
In addition, an embodiment of the present invention further provides a computer-readable storage medium, where a monitoring program of an attack behavior is stored on the computer-readable storage medium, and when the monitoring program of the attack behavior is executed by a processor, the steps of the monitoring method of the attack behavior as described above are implemented.
The specific implementation manner of the computer-readable storage medium of the present invention is substantially the same as that of each embodiment of the above-mentioned attack behavior monitoring method, and is not described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A method for monitoring an attack behavior is characterized by comprising the following steps:
acquiring honeypot data through honeypot probes corresponding to the monitored host;
determining a service type corresponding to the honeypot data, and determining a target honeypot application corresponding to the monitored host according to the service type, wherein one honeypot application corresponds to a plurality of honeypot probes;
and monitoring the attack behavior of attacking the monitored host according to the honeypot data through the target honeypot application.
2. The method for monitoring an attack behavior according to claim 1, wherein the step of monitoring the attack behavior of attacking the monitored host according to the honeypot data through the target honeypot application comprises:
executing, by the target honeypot application, an attack operation corresponding to the honeypot data;
and acquiring attack data corresponding to the attack operation so as to monitor the attack behavior of attacking the monitored host according to the attack data.
3. The method for monitoring an attack behavior according to claim 1, wherein after the step of monitoring the attack behavior of attacking the monitored host according to the honeypot data through the target honeypot application, the method further comprises:
and executing honeypot backtracking operation according to the attack data to determine the attack intention of the attacker attacking the monitored host.
4. The method for monitoring the attack behavior according to claim 3, wherein the step of performing honeypot backtracking operation according to the attack data to determine the attack intention of the attacker attacking the monitored host comprises:
executing honeypot backtracking operation according to the attack data, acquiring identity information of an attacker attacking the monitored host in the honeypot backtracking operation process, and acquiring attack behavior information of the attacker;
and determining the attack intention of the attacker according to the attack behavior information and the identity information.
5. The method for monitoring the attack behavior according to claim 4, wherein after the step of determining the attack intention of the attacker according to the attack behavior information and the identity information, the method further comprises:
and outputting alarm information containing the attack intention so as to prompt the user of the corresponding attack intention of the monitored host through the alarm information.
6. The method for monitoring an attack behavior according to any one of claims 1 to 5, further comprising:
when a first control instruction for controlling the honeypot probe is detected, controlling the corresponding honeypot probe according to the first control instruction, wherein the first control instruction comprises at least one of the following: a probe start instruction for starting the honeypot probe, a close instruction for closing the honeypot probe, and a setting instruction for setting the number of simulated services corresponding to the honeypot probe.
7. The method for monitoring an attack behavior according to any one of claims 1 to 5, further comprising:
when a second control instruction for controlling the honeypot application is detected, controlling the honeypot application according to the second control instruction, wherein the second control instruction comprises at least one of the following: an add instruction for adding honeypot applications, a reduce instruction for reducing honeypot applications, a honeypot start instruction for starting a honeypot application, and a pause instruction for pausing a honeypot application.
8. An apparatus for monitoring an attack behavior, the apparatus comprising:
the acquisition module is used for acquiring honeypot data through honeypot probes corresponding to the monitored host;
the determining module is used for determining the service type corresponding to the honeypot data and determining target honeypot applications corresponding to the monitored host according to the service type, wherein one honeypot application corresponds to a plurality of honeypot probes;
and the monitoring module is used for monitoring the attack behavior of attacking the monitored host according to the honeypot data through the target honeypot application.
9. A device for monitoring an attack behavior, characterized in that the device comprises a memory, a processor, and an attack behavior monitoring program stored in the memory and executable on the processor, wherein the attack behavior monitoring program, when executed by the processor, implements the steps of the method for monitoring an attack behavior according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that an attack behavior monitoring program is stored on the computer-readable storage medium, and the attack behavior monitoring program, when executed by a processor, implements the steps of the method for monitoring an attack behavior according to any one of claims 1 to 7.
CN202010510412.5A 2020-06-05 2020-06-05 Method, device, equipment and storage medium for monitoring attack behaviors Active CN111651757B (en)

Publications (2)

Publication Number Publication Date
CN111651757A true CN111651757A (en) 2020-09-11
CN111651757B CN111651757B (en) 2024-04-09
