CN112003842A - High-interaction honeypot system and honeypot protection method - Google Patents


Info

Publication number
CN112003842A
Authority
CN (China)
Prior art keywords
module, honeypot, message, hook, response message
Legal status
Granted
Application number
CN202010805588.3A
Other languages
Chinese (zh)
Other versions
CN112003842B (en)
Inventors
王焱宁, 褚维明
Current Assignee
Hangzhou Anheng Information Security Technology Co Ltd
Original Assignee
Hangzhou Anheng Information Security Technology Co Ltd
Legal events
Application filed by Hangzhou Anheng Information Security Technology Co Ltd; priority to CN202010805588.3A; publication of CN112003842A; application granted; publication of CN112003842B; current legal status: Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances


Abstract

The application relates to a high-interaction honeypot system and a honeypot protection method. The high-interaction honeypot system comprises a honeypot service module and an agent module. The honeypot service module is arranged in a container and/or a virtual machine and provides the honeypot service; the honeypot service module and the agent module are isolated from each other. The agent module comprises a message transmission port, a parser and an encoder which are sequentially coupled, the parser and the encoder both being coupled with the honeypot service module; the message transmission port transmits messages between the client and the honeypot service module, the parser parses the messages according to a preset parsing format, and the encoder encodes the parsed messages according to a preset encoding format, wherein the messages comprise a request message sent to the honeypot service module and a response message sent to the client. The application solves the problem of the low security of high-interaction honeypots and improves the security of high-interaction honeypots.

Description

High-interaction honeypot system and honeypot protection method
Technical Field
The application relates to the technical field of honeypots, in particular to a high-interaction honeypot system and a honeypot protection method.
Background
Honeypot technology lures an attacker into attacking a decoy host by deploying some hosts as bait and distributing some false information. However, since the bait host in the honeypot system is directly exposed to the attacker, the security of the bait host is tied to the security of the whole honeypot system. Once the bait host is compromised, it is likely to become a springboard for the attacker, and the security of the real services is damaged.
A high-interaction honeypot is usually located in a real host, with bait services and monitoring programs deployed in the host to lure the attacker into intruding. Compared with a low-interaction honeypot, the high-interaction honeypot directly deploys real services, which solves the problems of insufficient interaction and poor disguise of the prior low-interaction honeypot but introduces the following problems at the same time:
(1) Security problem
Because the real service is deployed directly in the real host, once the real service is breached by an attacker, the attacker enters the host and can use it as a springboard for the next step of the intrusion; the honeypot host then not only fails to collect the attacker's attack data but also threatens the normal operation of other internal service systems.
(2) Concealment problem
Since the monitoring program is deployed together with the real service, the monitoring program is exposed once the attacker intrudes into the honeypot host; once the attacker discovers it, the attacker can shut it down or simply abandon and bypass the honeypot node.
(3) Real-time monitoring problem
The monitoring program communicates with the real service and can only monitor the file, process and network behaviour of that program; it cannot monitor the interaction between the attacker and the real service, and data packets can only be captured and analysed manually. If the communication is encrypted, the captured data is all ciphertext and cannot be analysed.
At present, no effective solution has been proposed in the related art for the problem of the low security of high-interaction honeypots.
Disclosure of Invention
The embodiment of the application provides a high-interaction honeypot system and a honeypot protection method, and aims to at least solve the problem of low safety performance of high-interaction honeypots in the related art.
In a first aspect, an embodiment of the present application provides a high-interaction honeypot system, including: the honeypot service module and the agent module; wherein,
the honeypot service module is arranged in a container and/or a virtual machine and is used for providing the honeypot service, and the honeypot service module and the agent module are isolated from each other;
the agent module comprises a message transmission port, a resolver and an encoder which are sequentially coupled, the resolver and the encoder are both coupled with the honeypot service module, the message transmission port is used for transmitting messages between a client and the honeypot service module, the resolver is used for resolving the messages according to a preset resolving format, the encoder is used for encoding the resolved messages according to a preset encoding format, and the messages comprise: a request message sent to the honeypot service module, and a response message sent to the client.
In some embodiments, the proxy module further comprises: a hook module comprising a plurality of sequentially coupled hooks, wherein the hooks comprise at least one of: the first hook is used for modifying the message and sending the modified message to the encoder; a second hook for intercepting the message; a third hook for intercepting the message, generating a request message or a response message corresponding to the message, and transmitting the generated message to the encoder; wherein one end of the hook module is coupled with the parser, and the other end is coupled with the encoder;
the hook module is used for judging whether the message carries abnormal information or not and processing the message under the condition that the message carries the abnormal information.
In some embodiments, the proxy module further comprises: a data processing module; the data processing module is coupled with the honeypot service module and is used for acquiring monitoring data from the honeypot service module and determining the working state of the honeypot service module according to the monitoring data, wherein the monitoring data comprises at least one of the following data: honeypot service process change information, honeypot service file change information and honeypot service environment change information.
In some embodiments, the proxy module further comprises: a flow collection module; wherein the traffic collection module is respectively coupled to the message transmission port, the parser, and the data processing module; the traffic collection module is configured to collect traffic information of the request message or traffic information of the response message, and send the traffic information of the request message or the traffic information of the response message to the data processing module.
In some embodiments, one end of the data processing module is further coupled to the parser for obtaining protocol information of the request message or protocol information of the response message.
In some of these embodiments, the high interaction honeypot system further comprises: a monitoring module; wherein the monitoring module and the honeypot service module are arranged in the container and/or the virtual machine, one end of the monitoring module is coupled with the honeypot service module, and the other end of the monitoring module is coupled with the agent module; the monitoring module is used for monitoring the honeypot service module, generating monitoring data and sending the monitoring data to the agent module, wherein the monitoring data comprises at least one of the following data: honeypot service process change information, honeypot service file change information and honeypot service environment change information.
In some embodiments, the agent module further comprises a judging module and a restarting module, the judging module being coupled with the restarting module. The judging module is used for judging whether the connection between the agent module and the monitoring module is abnormal; where the connection is judged to be abnormal, it determines that the honeypot service module has fallen and sends information carrying the fact that the honeypot service module has fallen to the restarting module. The restarting module restarts the container and/or virtual machine where the honeypot service module is located according to that information.
In a second aspect, an embodiment of the present application provides a honeypot protection method, which is applied to the high-interaction honeypot system described in the above first aspect, and the method includes:
acquiring a request message sent from a client to a honeypot service module or a response message sent from the honeypot service module to the client;
parsing the request message or the response message with a parser according to a preset parsing format;
encoding the parsed request message or the parsed response message with an encoder according to a preset encoding format;
and sending the encoded request message to the honeypot service module or sending the encoded response message to the client.
In some embodiments, after parsing the request message or the response message according to a preset parsing format, the method further includes:
judging whether a request message initiated from the client carries abnormal information or not, and processing the message by using a hook under the condition that the request message carries the abnormal information, wherein the hook comprises at least one of the following components: the first hook is used for modifying the request message and sending the modified request message to the encoder; the second hook is used for intercepting the request message; the third hook is used for intercepting the request message, generating a response message for responding to the request message and sending the response message to the encoder;
or, judging whether a response message returned from the honeypot service module carries abnormal information, and processing the message by using a hook under the condition that the response message carries the abnormal information, wherein the hook comprises at least one of the following: the first hook is used for modifying the response message and sending the modified response message to the encoder; the second hook is used for intercepting the response message; and the third hook is used for intercepting the response message, generating a response message for responding to the corresponding request message and sending the response message to the encoder.
In some of these embodiments, the high interaction honeypot system includes a monitoring module; the method further comprises the following steps:
judging whether the connection between the agent module and the monitoring module is abnormal or not;
determining that the honeypot service module falls down if the connection between the agent module and the monitoring module is judged to be abnormal;
and restarting the container and/or the virtual machine where the honeypot service module is located.
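The connection judgement and restart steps above (and the judging and restarting modules of the system described earlier) as an added example written for this page; it is not code from the patent or its assignee. The consecutive-failure threshold, the grace period after a restart, the `Watchdog` class and the container name are the example's own choices; `probe` and `restart` are injected so the logic runs offline, and the `docker restart` helper is an assumption about a Docker-hosted deployment, not the patent's interface.

```python
"""Judging and restarting modules of the agent (added example).

The judging module probes the connection to the monitoring module once per
tick. After `max_failures` consecutive failed probes it judges that the
honeypot service module has fallen and asks the restarting module to restart
the container or VM. A short grace period then lets the restarted container
come up before it is judged again, so a slow boot does not cause a restart loop.
"""
import subprocess
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


def docker_restart(container: str) -> None:
    """Restarting module for a Docker-hosted honeypot service module (assumed deployment)."""
    subprocess.run(["docker", "restart", container], check=True)


def refused_probe() -> bool:
    """Constructed stand-in for a probe whose connection is refused."""
    raise ConnectionRefusedError("monitoring module unreachable")


@dataclass
class Watchdog:
    container: str
    probe: Callable[[], bool]        # True when the agent/monitoring-module connection is healthy
    restart: Callable[[str], None]   # restarting module, called with the container name
    max_failures: int = 3            # consecutive failures before judging "fallen"
    grace_ticks: int = 1             # ticks to skip after a restart
    failures: int = 0
    grace_left: int = 0
    events: List[str] = field(default_factory=list)

    def tick(self) -> str:
        """One judgement cycle; returns the state decided this cycle."""
        if self.grace_left > 0:
            self.grace_left -= 1
            return "grace"
        try:
            healthy = self.probe()
        except OSError:              # refused/reset connection counts as abnormal
            healthy = False
        if healthy:
            self.failures = 0
            return "healthy"
        self.failures += 1
        if self.failures < self.max_failures:
            return "suspect"
        self.events.append(f"honeypot service module in {self.container} has fallen; restarting")
        self.restart(self.container)
        self.failures = 0
        self.grace_left = self.grace_ticks
        return "restarted"


def simulate(answers: List[bool], max_failures: int = 3,
             grace_ticks: int = 1) -> Tuple[List[str], List[str]]:
    """Drive a Watchdog with a scripted (constructed) probe sequence.

    Returns the per-tick states and the list of containers that were restarted.
    Grace ticks do not consume a probe answer; the loop ends when answers run out.
    """
    it = iter(answers)
    restarted: List[str] = []
    wd = Watchdog("honeypot-web-1", probe=lambda: next(it), restart=restarted.append,
                  max_failures=max_failures, grace_ticks=grace_ticks)
    states: List[str] = []
    try:
        while True:
            states.append(wd.tick())
    except StopIteration:
        pass
    return states, restarted


if __name__ == "__main__":
    # Two good probes, three failures (restart), grace, recovery, one more failure.
    print(simulate([True, True, False, False, False, True, False]))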
Compared with the related art, the high-interaction honeypot system and the honeypot protection method provided by the embodiments of the application are realized through the honeypot service module and the agent module; the honeypot service module is arranged in the container and/or the virtual machine and is used for providing the honeypot service, and the honeypot service module and the agent module are isolated from each other; the agent module comprises a message transmission port, a parser and an encoder which are sequentially coupled, the parser and the encoder are both coupled with the honeypot service module, the message transmission port is used for transmitting messages between the client and the honeypot service module, the parser is used for parsing the messages according to a preset parsing format, and the encoder is used for encoding the parsed messages according to a preset encoding format, wherein the messages comprise the request message sent to the honeypot service module and the response message sent to the client. This solves the problem of the low security of high-interaction honeypots in the related art and improves the security of the high-interaction honeypot.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a block diagram of a high interaction honeypot system according to an embodiment of the application;
FIG. 2 is a block diagram of the mechanism of a high interaction honeypot system in accordance with a preferred embodiment of the present application;
FIG. 3 is a flow chart of a honeypot protection method according to an embodiment of the present application;
FIG. 4 is a flow chart of a honeypot protection method according to a preferred embodiment of the present application;
FIG. 5 is a block diagram of a hardware structure of a terminal of a honeypot protection method according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any creative effort belong to the protection scope of the present application. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference herein to "a plurality" means greater than or equal to two. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The embodiment provides a high-interaction honeypot system. Fig. 1 is a block diagram of a high-interaction honeypot system according to an embodiment of the present application, and as shown in fig. 1, the system includes a honeypot service module and an agent module. The honeypot service module is arranged in the container and/or the virtual machine and is used for providing the honeypot service, and the honeypot service module and the agent module are isolated from each other. The agent module comprises a message transmission port, a parser and an encoder which are sequentially coupled, the parser and the encoder are both coupled with the honeypot service module, the message transmission port is used for transmitting messages between the client and the honeypot service module, the parser is used for parsing the messages according to a preset parsing format, and the encoder is used for encoding the parsed messages according to a preset encoding format, wherein the messages comprise at least one of the following: a request message sent to the honeypot service module, and a response message sent to the client.
The honeypot node comprises a plurality of honeypot service modules, and each honeypot service module is arranged in a corresponding container and/or virtual machine. In this embodiment, the honeypot service module may be disposed in a Docker container, or may be disposed in a virtual machine in which a network isolation policy is set, so as to implement isolation from the agent module.
The agent module implements the traffic proxy function in the high-interaction honeypot system. It exposes a message transmission port to the external network through which messages are exchanged with the honeypot service module: the message transmission port listens for request messages initiated by an external client, sends the request messages to the honeypot service module and sends the response messages back to the client. The agent module may be provided with a plurality of message transmission ports, each message transmission port corresponds to a honeypot service module, and different message transmission ports may correspond to the same honeypot service module.
The request message to the honeypot service module comprises a message initiated from the client, and the response message to the client comprises a message returned from the honeypot service module. For the request message initiated by the client, the analyzer is used for analyzing the protocol format data of the request message into a preset message structure body so as to identify the protocol data in the request message and prepare for the subsequent agent module to process the request message. The encoder is used for encoding the request message analyzed by the analyzer into original protocol format data so as to send the encoded request message to the honeypot service module. For the response message returned by the honeypot service module, the analyzer is used for analyzing the protocol format data of the response message into a preset message structure body so as to identify the protocol data in the response message and prepare for the subsequent agent module to process the response message. The encoder is used for encoding the response message analyzed by the analyzer into original protocol format data so as to send the encoded response message to the client.
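The parser/encoder pair described above, shown on HTTP/1.1 as an added example written for this page; it is not code from the patent or its assignee. The `Message` structure, the `parse`, `encode` and `relay` functions and the sample request and response are constructed for the example (the patent fixes no wire protocol or structure layout); the assumption is that a parsed message can be encoded back byte-for-byte, which is what lets the agent stay transparent when it has nothing to change.

```python
"""Parser/encoder pair of the agent module, shown on HTTP/1.1 (added example).

The parser turns raw protocol bytes into a preset message structure; the
encoder turns the structure back into wire bytes. The same code serves both
directions, so a request or response can be inspected and still be forwarded
unchanged when no hook touches it.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Message:
    """Preset message structure shared by requests and responses."""
    kind: str               # "request" or "response"
    start_line: List[str]   # request: [method, target, version]; response: [version, status, reason]
    headers: List[Tuple[str, str]] = field(default_factory=list)
    body: bytes = b""


def parse(raw: bytes, kind: str) -> Message:
    """Parse one HTTP/1.1 message (head plus Content-Length body) into a Message.

    Anything the parser cannot account for raises ValueError instead of being
    forwarded: a message the agent cannot parse is one it cannot inspect.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message head")
    lines = head.decode("latin-1").split("\r\n")
    start = lines[0].split(" ", 2)
    if len(start) != 3:
        raise ValueError("malformed start line")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line")
        headers.append((name.strip(), value.strip()))
    length = next((int(v) for n, v in headers if n.lower() == "content-length"), 0)
    if len(rest) < length:
        raise ValueError("truncated body")
    return Message(kind, start, headers, rest[:length])


def encode(msg: Message) -> bytes:
    """Encode a Message back into wire format; the inverse of parse()."""
    lines = [" ".join(msg.start_line)] + [f"{n}: {v}" for n, v in msg.headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + msg.body


def relay(raw: bytes, kind: str) -> bytes:
    """What the transmission port does with traffic no hook changes: parse, encode, forward."""
    return encode(parse(raw, kind))


# Constructed sample traffic; not captured from any real system.
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: honeypot.example\r\n"
                  b"User-Agent: curl/7.0\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/plain\r\n"
                   b"Content-Length: 5\r\n\r\n"
                   b"hello")

if __name__ == "__main__":
    req = parse(SAMPLE_REQUEST, "request")
    print(req.start_line, dict(req.headers))
    # Transparency check: what goes in comes out unchanged.
    print(relay(SAMPLE_REQUEST, "request") == SAMPLE_REQUEST,
          relay(SAMPLE_RESPONSE, "response") == SAMPLE_RESPONSE)
```

The strictness in `parse` is deliberate: a message the agent cannot fully account for (no blank line ending the head, a body shorter than its declared length) is rejected rather than passed through, because a hook can only judge what the parser has actually structured.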
High-interaction honeypots in the related art typically deploy the honeypot services in bait hosts, which are at risk of being compromised once an attacker breaks through the services. In the high-interaction honeypot system provided by this embodiment, the honeypot services are arranged in containers and/or virtual machines and message interaction with the attacker goes through the agent module. On one hand, even if the attacker escalates privileges by exploiting a vulnerability in the honeypot service, the attacker can at most obtain the highest privilege of the container and/or virtual machine where the current honeypot service module is located, not full control of the whole honeypot node; the attacker is prevented from escaping the honeypot node and the security of the bait host is ensured. On the other hand, the agent module remains transparent throughout the attacker's interaction with the honeypot service, so the attacker is prevented from discovering the existence of the high-interaction honeypot system, and the concealment of the high-interaction honeypot system is improved.
The high-interaction honeypot system provided by this embodiment solves the problem of the low security of high-interaction honeypots in the related art and improves the security of high-interaction honeypots.
In some embodiments, a simulator is also provided in the agent module, and it may be located at the parser or at the encoder. When the parser parses a message whose protocol cannot be parsed directly because it is transmitted encrypted, the simulator is started and acts as the server end of the corresponding protocol in order to decrypt it. When the encoder encodes a message and the protocol is an encrypted protocol, the simulator is started and acts as the client, encrypting the data before it is sent to the honeypot service module. This arrangement solves the problem that the high-interaction honeypot system presents encrypted protocols poorly, and improves the readability of the protocol.
The high-interaction honeypot system provided by the application uses the same protocol format for different types of honeypot service modules, which avoids duplicated development work. The agent module can forward traffic through Nginx (an HTTP and reverse proxy web server) ports, and the results of message processing are output as logs.
In some embodiments, the honeypot service module may also limit resources by a Control group (Cgroup), so as to achieve a security isolation effect.
FIG. 2 is a block diagram of the mechanism of a high-interaction honeypot system according to the preferred embodiment of the present application. As shown in FIG. 2, in some embodiments the agent module further comprises a hook module, which comprises a plurality of hooks coupled in sequence, wherein the hooks comprise at least one of the following: a first hook for modifying the message and sending the modified message to the encoder; a second hook for intercepting the message; a third hook for intercepting the message, generating a request message or a response message corresponding to the message and sending the generated message to the encoder; wherein one end of the hook module is coupled with the parser and the other end is coupled with the encoder; the hook module is used for judging whether the message carries abnormal information and for processing the message where the message carries abnormal information.
The abnormal information includes dangerous instructions that an attacker may send and which, if not modified or intercepted, may affect the availability of the entire honeypot system. The honeypot service module usually has no password set initially, but after a successful attack an attacker often sets a password on the honeypot service module so that the compromised module can be used only by that attacker. Because the hook module processes the request message, the problem that the agent module cannot re-establish a connection with the honeypot service module because of a wrong password is avoided.
In the process that the hook module processes a request message initiated by a client, the hook module is used for judging whether the request message initiated by the client carries abnormal information or not and processing the message under the condition that the request message carries the abnormal information, wherein the first hook is used for modifying the request message and sending the modified request message to an encoder; the second hook is used for intercepting the request message; and the third hook is used for intercepting the request message, generating a response message for responding to the request message and sending the response message to the encoder.
In the process that the hook module processes the response message returned by the honeypot service module, the hook module is used for judging whether the response message returned by the honeypot service module carries abnormal information or not and processing the message under the condition that the response message carries the abnormal information, wherein the first hook is used for modifying the response message and sending the modified response message to the encoder; the second hook is used for intercepting the response message; and the third hook is used for intercepting the response message, generating the response message for responding to the corresponding request message and sending the response message to the encoder.
In this embodiment, when a request message or a response message parsed by the parser enters the hook module, each hook captures the message and tries to match it. If the match succeeds, a decision is made on the message according to a preset policy; otherwise the request message or response message is passed directly to the encoder. In some embodiments, the hook module maintains a stack while processing a message, and a plurality of hooks form a hook chain through this stack: the most recently installed hook is placed at the head of the chain and the earliest installed hook at the tail, and once the current hook has processed the message it hands the resulting hook information to the next hook, so the hook that joined later gains control of the message first. Each time a request message passes through a hook, the hook module pushes that hook onto the stack; when the corresponding response message is processed, the hook module looks up the request message that the response belongs to and pops the hooks from that request's stack. The response message therefore traverses the hook chain in the opposite order to the request message.
In some embodiments, the hook module is further provided with a fourth hook for recording messages. When a request message enters the hook module, it passes through the hook chain in the order fourth hook, third hook, second hook, first hook; when the corresponding response message enters the hook module, the order becomes first hook, second hook, third hook, fourth hook. With this arrangement the fourth hook records both the original request message initiated by the attacker and the modified response message.
By providing the hook module, dangerous instructions initiated by an attacker can be intercepted or filtered, which further improves the security of the high-interaction honeypot system.
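The stack-ordered hook chain described above, written out as an added example. This is not code from the patent: the hook names, the regex-based matching, the shell-style sample payloads and the way a policy is expressed (modify, intercept, intercept-and-reply, record) are all assumptions chosen to illustrate the mechanism. Hooks are installed first-to-fourth, so the chain head is the fourth (recording) hook; a request walks the chain head-to-tail pushing each hook it visits, and the response pops that stack, visiting the same hooks in reverse. The same decision points reappear in steps S408 to S413 and S418 to S423 of the flowchart later in the description.

```python
"""Hook module with a per-connection stack, so the response path is the
reverse of the request path.  Example code; every name here is assumed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Decisions a hook's preset policy can take on a matched message.
MODIFY, INTERCEPT, REPLY, RECORD = "modify", "intercept", "reply", "record"


@dataclass
class Message:
    kind: str                  # "request" or "response"
    conn_id: int               # connection the request/response pair belongs to
    payload: str               # message in the parser's standard format
    dropped: bool = False      # set when a hook intercepts the message
    trace: list[str] = field(default_factory=list)   # hooks visited, in order


@dataclass
class Hook:
    name: str
    pattern: str                         # regex the hook tries to match
    decision: str                        # MODIFY / INTERCEPT / REPLY / RECORD
    applies_to: str = "request"          # "request", "response" or "both"
    replacement: Optional[str] = None    # MODIFY: substitution; REPLY: canned answer

    def matches(self, msg: Message) -> bool:
        return (self.applies_to in (msg.kind, "both")
                and re.search(self.pattern, msg.payload) is not None)


class HookModule:
    """install() puts the newest hook at the head of the chain.  A request
    walks the chain head-to-tail and pushes every hook onto the stack of its
    connection; the matching response pops that stack, i.e. runs in reverse."""

    def __init__(self) -> None:
        self.chain: list[Hook] = []
        self._stacks: dict[int, list[Hook]] = {}
        self.log: list[tuple[str, str]] = []        # (kind, payload) from RECORD hooks

    def install(self, hook: Hook) -> None:
        self.chain.insert(0, hook)                  # later-installed hook gets control first

    def _apply(self, hook: Hook, msg: Message) -> Optional[Message]:
        """Run one hook's policy.  Returns a custom response for REPLY, else None."""
        msg.trace.append(hook.name)
        if not hook.matches(msg):
            return None                             # no match: pass along unchanged
        if hook.decision == RECORD:
            self.log.append((msg.kind, msg.payload))
        elif hook.decision == MODIFY:
            msg.payload = re.sub(hook.pattern, hook.replacement or "", msg.payload)
        elif hook.decision == INTERCEPT:
            msg.dropped = True
        elif hook.decision == REPLY:
            msg.dropped = True
            return Message("response", msg.conn_id, hook.replacement or "")
        return None

    def process_request(self, msg: Message) -> tuple[Message, Optional[Message]]:
        """Returns (request, custom_response).  Stops at the first hook that drops it."""
        stack = self._stacks.setdefault(msg.conn_id, [])
        for hook in self.chain:
            stack.append(hook)                      # remember the path for the response
            reply = self._apply(hook, msg)
            if msg.dropped:
                if reply is None:
                    self._stacks.pop(msg.conn_id)   # nothing will come back for it
                    return msg, None
                return msg, self.process_response(reply)   # canned reply walks back
        return msg, None

    def process_response(self, msg: Message) -> Message:
        """Pop the hooks the matching request pushed: reverse order of the request."""
        stack = self._stacks.pop(msg.conn_id, [])
        while stack:
            reply = self._apply(stack.pop(), msg)
            if reply is not None:                   # response replaced by a custom one
                msg = reply
            elif msg.dropped:
                break
        return msg


def build_example_chain() -> HookModule:
    """First-to-fourth hook, so the chain head is the recording hook."""
    hm = HookModule()
    hm.install(Hook("h1-modify", r"\bwget\s+http://\S+", MODIFY,
                    replacement="wget http://127.0.0.1/blocked"))
    hm.install(Hook("h2-intercept", r"\brm\s+-rf\s+/(\s|$)", INTERCEPT))
    hm.install(Hook("h3-reply", r"^cat /etc/shadow", REPLY,
                    replacement="cat: /etc/shadow: Permission denied"))
    hm.install(Hook("h4-record", r".", RECORD, applies_to="both"))
    return hm
```

Because the recording hook sits at the head, it logs the request before the modifying hook at the tail rewrites it, and logs the response after every other hook has had its turn, which is the behaviour the fourth hook is meant to give.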
In some embodiments, the agent module further comprises a data processing module. The data processing module is coupled to the honeypot service module and is used for acquiring monitoring data from the honeypot service module and determining the working state of the honeypot service module from that data, wherein the monitoring data comprises at least one of: honeypot service process change information, honeypot service file change information and honeypot service environment change information. With this arrangement the agent module can monitor the working state of the honeypot service module.
In some embodiments, for a honeypot service module deployed in a Docker container, the agent module can monitor the conditions inside the Docker container directly from outside the container (for example through the container runtime's own process-list and filesystem-change interfaces), without a separate environment monitoring module installed inside the container, so that the high-interaction honeypot system stays concealed from the attacker.
In some embodiments, the agent module further comprises a traffic collection module, which is coupled to the message transmission port, the parser and the data processing module respectively. The traffic collection module collects the traffic information of request messages and response messages and sends it to the data processing module. With this arrangement the traffic collection module collects the traffic entering and leaving the message transmission port opened in the agent module, records the traffic information and forwards it to the data processing module.
In some embodiments, one end of the data processing module is further coupled to the parser for obtaining protocol information of the request message or protocol information of the response message.
In some embodiments, the data processing module can format the captured monitoring data, traffic information, and protocol information, combine the scattered information into a continuous event, and send the event to the honey center server in a message of a preset format.
In some embodiments, the agent module is further provided with a data sending module, the data sending module is coupled with the data processing module, and the data sending module is used for sending the standard message received from the data processing module to the honey center server.
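The data processing module's job of combining scattered traffic, protocol and monitoring records into one continuous event is shown below as an added example; it is not code from the patent. The record layouts, the JSON-lines "preset format", the Redis-style sample session and the two-second attribution window are all assumptions. The point a practitioner cares about is that the monitoring module inside the container reports file and process changes without any connection identifier, so linking a host-side change to the request that caused it has to be done by time proximity, and that is a heuristic rather than proof.

```python
"""Data processing module: merge traffic, protocol and monitoring records into
one attack event per connection and emit them for the honey center server.
Example code; field names and the sample records are constructed."""
from __future__ import annotations

import json
from collections import defaultdict
from typing import Optional

# Constructed sample records, shaped as the three sources would hand them over.
TRAFFIC = [   # traffic collection module: one row per message on the port
    {"conn": 7, "ts": 100.0, "dir": "in",  "src": "198.51.100.9", "bytes": 41},
    {"conn": 7, "ts": 100.4, "dir": "out", "src": "198.51.100.9", "bytes": 5},
    {"conn": 7, "ts": 101.0, "dir": "in",  "src": "198.51.100.9", "bytes": 14},
]
PROTOCOL = [  # parser: the standard-format message for each traffic row
    {"conn": 7, "ts": 100.0, "type": "request", "command": "CONFIG", "args": ["SET", "dir", "/root/.ssh"]},
    {"conn": 7, "ts": 100.4, "type": "response", "value": "OK"},
    {"conn": 7, "ts": 101.0, "type": "request", "command": "SAVE", "args": []},
]
MONITOR = [   # monitoring module inside the container: no connection id
    {"ts": 101.2, "kind": "file", "detail": "created /root/.ssh/dump.rdb"},
    {"ts": 250.0, "kind": "process", "detail": "spawned /bin/sh"},
]


def _session_for(sessions: dict, ev: dict, window: float) -> Optional[tuple[int, dict]]:
    """Attribute a host-side event to the connection whose most recent request
    preceded it by at most `window` seconds.  Time proximity only: a heuristic."""
    best = None
    for conn, s in sessions.items():
        for step in s["steps"]:
            if step["dir"] == "in" and 0 <= ev["ts"] - step["ts"] <= window:
                if best is None or step["ts"] > best[1]["ts"]:
                    best = (conn, step)
    return best


def correlate(traffic: list, protocol: list, monitor: list, window: float = 2.0) -> list[dict]:
    """Combine the scattered records into one continuous event per connection,
    plus a standalone event for every host change no connection explains."""
    proto = {(p["conn"], p["ts"]): p for p in protocol}
    sessions: dict = defaultdict(lambda: {"src": None, "start": None, "end": None,
                                          "steps": [], "host_effects": []})
    for t in sorted(traffic, key=lambda r: r["ts"]):
        s = sessions[t["conn"]]
        s["src"] = t["src"]
        s["start"] = t["ts"] if s["start"] is None else s["start"]
        s["end"] = t["ts"]
        step = {"ts": t["ts"], "dir": t["dir"], "bytes": t["bytes"]}
        p = proto.get((t["conn"], t["ts"]))          # protocol info for this row
        if p and p["type"] == "request":
            step["command"] = " ".join([p["command"], *p["args"]])
        elif p:
            step["value"] = p["value"]
        s["steps"].append(step)

    events = []
    for ev in sorted(monitor, key=lambda r: r["ts"]):
        hit = _session_for(sessions, ev, window)
        if hit:
            conn, step = hit
            sessions[conn]["host_effects"].append({**ev, "caused_by": step.get("command")})
            sessions[conn]["end"] = max(sessions[conn]["end"], ev["ts"])
        else:
            events.append({"event": "host_change", "conn": None, **ev})
    for conn, s in sessions.items():
        events.append({"event": "attack_session", "conn": conn, **s})
    return sorted(events, key=lambda e: e["start"] if e["event"] == "attack_session" else e["ts"])


def to_wire(events: list[dict]) -> str:
    """Preset message format for the honey center: one JSON object per line."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)
```

With the constructed input, the file created at 101.2 is attached to the SAVE request at 101.0, while the shell spawned at 250.0 has no request within the window and is reported on its own; an unattributed process spawn on a honeypot is exactly the kind of host change worth escalating rather than silently dropping.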
In some embodiments, the high interaction honeypot system further comprises: a monitoring module; the monitoring module and the honeypot service module are arranged in the container and/or the virtual machine, one end of the monitoring module is coupled with the honeypot service module, and the other end of the monitoring module is coupled with the agent module; the monitoring module is used for monitoring the honeypot service module, generating monitoring data and sending the monitoring data to the agent module, wherein the monitoring data comprises at least one of the following data: honeypot service process change information, honeypot service file change information and honeypot service environment change information.
In this embodiment, the monitoring module is configured to monitor the honeypot service module deployed in the container and/or the virtual machine, covering the honeypot service processes, the honeypot service files and the honeypot service environment, among others. Whenever any of the honeypot service processes, honeypot service files or honeypot service environment changes, the monitoring module generates the corresponding monitoring data and sends it to the agent module.
In some embodiments, the agent module further comprises a judging module and a restarting module, which are coupled to each other. The judging module judges whether the connection between the agent module and the monitoring module is abnormal; if it is, the judging module determines that the honeypot service module has been compromised and sends information indicating this to the restarting module. The restarting module then restarts the container and/or the virtual machine in which the honeypot service module is located according to that information.
After an attacker discovers the monitoring module, they may damage it, so the agent module judges the working state of the current honeypot service module by checking whether the monitoring module is still alive. For example, when the honeypot service environment in a honeypot service module is abnormally uninstalled or shut down, the agent module determines that the container and/or the virtual machine in which the current honeypot service module is located is not operating normally, and resets and restarts it, so that the attacker cannot escape monitoring by uninstalling or deleting the monitoring module.
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For the modules implemented by hardware, the honeypot service modules and the agent modules are located in different processors, and the modules in the agent modules may be located in different processors in any combination.
The embodiment provides a honeypot protection method which is applied to a high-interaction honeypot system as described in FIG. 1. Fig. 3 is a flowchart of a honeypot protection method according to an embodiment of the present application, and as shown in fig. 3, the flowchart includes the following steps:
step S301, a request message sent from the client to the honeypot service module or a response message sent from the honeypot service module to the client is obtained.
Step S302, parsing the request message or the response message according to the parser in the preset parsing format.
Step S303, the parsed request message or response message is encoded according to an encoder in a preset encoding format.
And step S304, sending the coded request message to a honeypot service module or sending the coded response message to a client.
Through the above steps, compared with a traditional high-interaction honeypot, an agent module that is largely transparent to the attacker is placed between the attacker and the honeypot service. It captures and processes request and response messages by proxying the protocol data, which addresses the low security of high-interaction honeypots in the related art and improves their security.
In some embodiments, when the parser parses a message belonging to a protocol that uses encrypted transport and whose traffic packets therefore cannot be parsed directly, a simulator is started that emulates the server side of that protocol, and the protocol is decrypted there. When the encoder encodes a message of an encrypted protocol, the simulator is started as a client, and the data is encrypted before being sent to the honeypot service module. This arrangement addresses the poor visibility high-interaction honeypot systems otherwise have into encrypted protocols and improves the readability of the protocol.
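Steps S301 to S304 as a concrete parser/encoder pair, added here as an example rather than taken from the patent. Redis RESP is used as the wire protocol and a plain dict as the "standard message" in the preset parsing format; both are assumptions, since the patent fixes neither. The `relay_request` function shows the whole pass for one request: parse, hand the standard message to a policy callback, re-encode, and either forward the bytes to the honeypot service or answer the client directly when the policy drops the request.

```python
"""Parser and encoder of the agent module for Redis RESP (an assumed
protocol), with a one-request relay covering steps S301-S304.  Example code."""
from __future__ import annotations

from typing import Any, Callable, Optional

CRLF = b"\r\n"


def _line(buf: bytes, pos: int) -> tuple[bytes, int]:
    end = buf.index(CRLF, pos)
    return buf[pos:end], end + 2


def parse_resp(buf: bytes, pos: int = 0) -> tuple[Any, int]:
    """Parse one RESP value at `pos`; returns (value, position after it).
    Simple string -> str, bulk string -> bytes, error -> {'error': str},
    integer -> int, array -> list, null bulk string -> None."""
    prefix = buf[pos:pos + 1]
    line, pos = _line(buf, pos + 1)
    if prefix == b"+":
        return line.decode(), pos
    if prefix == b"-":
        return {"error": line.decode()}, pos
    if prefix == b":":
        return int(line), pos
    if prefix == b"$":
        n = int(line)
        if n < 0:
            return None, pos
        if buf[pos + n:pos + n + 2] != CRLF:
            raise ValueError("bulk string not terminated")
        return buf[pos:pos + n], pos + n + 2
    if prefix == b"*":
        items = []
        for _ in range(int(line)):
            item, pos = parse_resp(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError(f"unknown RESP type prefix {prefix!r}")


def encode_resp(value: Any) -> bytes:
    """Inverse of parse_resp: the preset encoding format."""
    if value is None:
        return b"$-1\r\n"
    if isinstance(value, bool):
        raise TypeError("bool has no RESP representation")
    if isinstance(value, int):
        return b":%d\r\n" % value
    if isinstance(value, dict) and "error" in value:
        return b"-%s\r\n" % value["error"].encode()
    if isinstance(value, str):
        return b"+%s\r\n" % value.encode()
    if isinstance(value, bytes):
        return b"$%d\r\n%s\r\n" % (len(value), value)
    if isinstance(value, list):
        return b"*%d\r\n" % len(value) + b"".join(encode_resp(v) for v in value)
    raise TypeError(f"cannot encode {type(value).__name__}")


def parse_request(raw: bytes) -> dict:
    """Parser: one client command (RESP array of bulk strings) -> standard message."""
    items, _ = parse_resp(raw)
    if not isinstance(items, list) or not items or not all(isinstance(i, bytes) for i in items):
        raise ValueError("RESP request must be a non-empty array of bulk strings")
    return {"protocol": "redis", "type": "request",
            "command": items[0].decode().upper(),
            "args": [a.decode(errors="replace") for a in items[1:]]}


def parse_response(raw: bytes) -> dict:
    """Parser: honeypot reply -> standard message."""
    value, _ = parse_resp(raw)
    return {"protocol": "redis", "type": "response", "value": value}


def encode_request(msg: dict) -> bytes:
    """Encoder: standard request message -> bytes for the honeypot service."""
    return encode_resp([msg["command"].encode()] + [a.encode() for a in msg["args"]])


def encode_response(msg: dict) -> bytes:
    """Encoder: standard response message -> bytes for the client."""
    return encode_resp(msg["value"])


def relay_request(raw: bytes,
                  policy: Callable[[dict], Optional[dict]] = lambda m: m
                  ) -> tuple[Optional[bytes], Optional[bytes]]:
    """S301-S304 for one request.  Returns (bytes_for_honeypot, bytes_for_client):
    the policy may return the message (possibly modified) or None to drop it,
    in which case the client receives a canned error instead."""
    msg = parse_request(raw)
    decided = policy(msg)
    if decided is None:
        return None, encode_response({"value": {"error": "ERR unknown command"}})
    return encode_request(decided), None
```

Parsing into a structured message and re-encoding, rather than forwarding raw bytes, is what makes later inspection possible: a policy can see that the command is `CONFIG` regardless of how the attacker framed it on the wire.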
In some embodiments, after parsing the request message or the response message according to the preset parsing format, the method further includes:
judging whether a request message initiated from the client carries abnormal information, and processing the message with a hook when the request message carries abnormal information, wherein the hook comprises at least one of the following: a first hook for modifying the request message and sending the modified request message to the encoder; a second hook for intercepting the request message; and a third hook for intercepting the request message, generating a response message answering the request message, and sending that response message to the encoder.
Or, judging whether a response message returned from the honeypot service module carries abnormal information, and processing the message with a hook when the response message carries abnormal information, wherein the hook comprises at least one of the following: a first hook for modifying the response message and sending the modified response message to the encoder; a second hook for intercepting the response message; and a third hook for intercepting the response message, generating a response message answering the corresponding request message, and sending that response message to the encoder.
By setting the hook matching request message or the hook matching response message and making a decision on the matched message, the dangerous instructions initiated by an attacker can be intercepted or filtered, so that the safety of the high-interaction honeypot service system is further improved.
In some embodiments, the high-interaction honeypot system further comprises a monitoring module, and the method further comprises: judging whether the connection between the agent module and the monitoring module is abnormal; determining that the honeypot service module has been compromised when the connection between the agent module and the monitoring module is judged to be abnormal; and restarting the container and/or the virtual machine in which the honeypot service module is located. After an attacker discovers the monitoring module, they may damage it; this embodiment therefore determines the working state of the current honeypot service module by checking whether the monitoring module is still alive. For example, when the honeypot service environment in a honeypot service module is abnormally unloaded or shut down, the container and/or the virtual machine in which the current honeypot service module is located is judged to be operating abnormally and is reset and restarted, so that an attacker cannot escape monitoring by unloading or deleting the monitoring module.
A honeypot protection method according to a preferred embodiment will be described below, fig. 4 is a flowchart of the honeypot protection method according to the preferred embodiment of the present application, and as shown in fig. 4, the flowchart includes the following steps:
step S401, after the agent module is started, the corresponding message transmission port is opened according to the configuration information.
Step S402, starting the corresponding honeypot service container.
Step S403, wait for a connection from an external client to the agent module.
Step S404, when a new connection from the outside is established, the agent module creates a connection to the honeypot service module.
Step S405, waits for an external client to initiate a request message.
Step S406, after the request message is received it first enters the traffic collection module, which generates traffic data and submits it to the data processing module; the original request message is handed to the parser or the simulator.
Step S407, the parser or the simulator parses the received request message, formats the request message into a standard message in a preset format, and then sends the standard message to the hook module.
In step S408, the hook module matches the standard message provided by the parser or the emulator.
In step S409, determine whether matching is successful? If the matching is judged to be successful, executing step S410; otherwise, step S413 is performed.
Step S410, determine whether the hook policy decides to modify the current request message? In case that it is determined that the hook policy decides to modify the current request message, modifying the current request message, and performing step S413; otherwise, step S411 is executed.
Step S411, determine whether the hook policy decides to intercept the current request message? Executing step S412 under the condition that the hook strategy determines to intercept the current request message; otherwise, step S413 is performed.
Step S412, determine whether the hook policy decides to reply with a customized response message. If the hook policy decides to reply with a customized response message, generate the corresponding response message, submit it to the server response queue, and execute step S423.
In step S413, the encoder or the emulator encodes the request message submitted by the hook into a message in a preset protocol format.
And step S414, sending the coded request message to the honeypot service module.
Step S415, determine whether the client is disconnected? Under the condition that the client is judged to be disconnected, the process is ended; otherwise, return to step S405.
Step S416, wait for the server to return a response message.
Step S417, after receiving the response message, using the parser or the simulator to parse the response message, formatting the response message into a standard message with a preset format, and then delivering the standard message to the hook module.
In step S418, the hook module matches the standard message provided by the parser or the emulator.
Step S419, determine whether matching is successful? If the matching is judged to be successful, executing step S420; otherwise, step S423 is performed.
Step S420, determine whether the hook policy decides to reply with a customized response message. If the hook policy decides to reply with a customized response message, generate the corresponding response message, submit it to the server response queue, and execute step S423; otherwise, execute step S421.
Step S421, determine whether the hook policy decides to intercept the current response message? Executing step S422 when the hook strategy determines to intercept the current response message; otherwise, step S423 is performed.
Step S422, determine whether the hook policy decides to modify the current response message? If the hook policy determines to modify the current response message, modifying the current response message, and executing step S423; otherwise, return to step S416.
In step S423, the encoder or the emulator encodes the response message submitted by the hook into a message in a preset protocol format.
In step S424, the traffic collection module records the response message.
Step S425 sends the encoded response message to the client.
Step S426, determine whether the server is disconnected? Under the condition that the server is judged to be disconnected, the process is ended; otherwise, return to step S416.
In step S427, after the honeypot service module is started, the agent module establishes a connection with the monitoring module.
In step S428, the monitoring module continuously monitors the file, network, and process change events of the honeypot service module, generates monitoring data, and reports the monitoring data to the agent module in real time.
Step S429, determine whether the connection between the agent module and the monitoring module is disconnected? In the case that the agent module judges that the connection with the monitoring module is disconnected, executing step S430; otherwise, return to step S428.
Step S430, determine whether the agent module can establish a connection with the monitoring module? In the case where it is determined that the agent module can establish connection with the monitoring module, return to step S428; otherwise, step S431 is executed.
Step S431, judge that the container has been compromised, and roll the container back.
Step S432, the data processing module associates and merges the messages according to the monitoring data reported by the monitoring module, the protocol information from the parser and the traffic information recorded by the traffic collection module, generates attack data, and submits the processed attack data to the data sending module.
And step S433, the data sending module reports the attack data to the honey center server.
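The liveness check of steps S427 to S431 (the judging module and restarting module described earlier), as an added example that is not code from the patent. It treats a monitor that has stopped reporting for a timeout as a broken connection, attempts a bounded number of reconnects, and only then declares the container compromised and rolls it back. The timeout-based detection, the Docker deployment, the image name and the injected `reconnect` probe are all assumptions; the probe and clock are injectable so the logic runs without a real container. One caveat worth noting: `docker restart` keeps the attacker's writable layer, so the rollback below recreates the container from its image instead.

```python
"""Agent-side liveness check for the in-container monitoring module
(steps S427-S431).  Example code; Docker and the names are assumed."""
from __future__ import annotations

import subprocess
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class MonitorEvent:
    kind: str      # "file", "process" or "network" change reported by the monitor
    detail: str
    ts: float


def docker_rollback_cmds(container: str, image: str) -> list[list[str]]:
    """Reset a compromised honeypot container.  `docker restart` would keep
    the attacker's filesystem changes; removing the container and recreating
    it from the pristine image discards them (assumed deployment model)."""
    return [["docker", "rm", "-f", container],
            ["docker", "run", "-d", "--name", container, image]]


def docker_rollback(container: str, image: str) -> None:
    for cmd in docker_rollback_cmds(container, image):
        subprocess.run(cmd, check=True)


class Watchdog:
    """Judging module and restarting module of the agent in one object.

    heartbeat() is called whenever monitoring data arrives (S428).  check()
    implements S429-S431: if the monitor has been silent for `timeout`
    seconds the connection is treated as broken, the agent tries to
    re-establish it up to `max_reconnects` times and, failing that, declares
    the honeypot service module compromised and rolls the container back."""

    def __init__(self, container: str, image: str, timeout: float = 5.0,
                 max_reconnects: int = 3,
                 reconnect: Optional[Callable[[], bool]] = None,
                 rollback: Callable[[str, str], None] = docker_rollback,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.container, self.image = container, image
        self.timeout, self.max_reconnects = timeout, max_reconnects
        self._reconnect = reconnect or (lambda: False)   # hypothetical probe
        self._rollback, self._clock = rollback, clock
        self.last_seen = clock()
        self.state = "connected"
        self.events: list[MonitorEvent] = []
        self.rollbacks = 0

    def heartbeat(self, ev: MonitorEvent) -> None:
        """Monitoring data arrived, so the connection is alive (S428)."""
        self.events.append(ev)
        self.last_seen = self._clock()
        self.state = "connected"

    def check(self) -> str:
        """One pass of S429-S431; returns 'connected' or 'compromised'."""
        if self._clock() - self.last_seen < self.timeout:
            return self.state                          # S429: still connected
        for _ in range(self.max_reconnects):           # S430: try to reconnect
            if self._reconnect():
                self.last_seen = self._clock()
                self.state = "connected"
                return self.state
        self.state = "compromised"                     # S431: monitor is gone
        self._rollback(self.container, self.image)
        self.rollbacks += 1
        self.last_seen = self._clock()                 # fresh container, new window
        return self.state
```

The reconnect attempts matter: a transient network hiccup between the agent and the container should not cost the honeypot the session it is recording, while an attacker who has killed the monitor will fail every probe.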
It should be noted that the steps shown in the flowcharts above or in the drawings can be executed in a computer system, for example as a set of computer-executable instructions.
The present embodiment also provides an electronic device comprising a memory having a computer program stored therein and a processor configured to execute the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
step S301, a request message sent from the client to the honeypot service module or a response message sent from the honeypot service module to the client is obtained.
Step S302, parsing the request message or the response message according to the parser in the preset parsing format.
Step S303, the parsed request message or response message is encoded according to an encoder in a preset encoding format.
And step S304, sending the coded request message to a honeypot service module or sending the coded response message to a client.
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
The method provided by the embodiment can be executed in a terminal, a computer or a similar operation device. Taking the operation on the terminal as an example, fig. 5 is a hardware structure block diagram of the terminal of the honeypot protection method according to the embodiment of the present application. As shown in fig. 5, the terminal may include one or more processors 502 (only one is shown in fig. 5) (the processor 502 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 504 for storing data, and optionally, a transmission device 506 for communication functions and an input-output device 508. It will be understood by those skilled in the art that the structure shown in fig. 5 is only an illustration and is not intended to limit the structure of the terminal. For example, the terminal may also include more or fewer components than shown in FIG. 5, or have a different configuration than shown in FIG. 5.
The memory 504 can be used for storing computer programs, for example, software programs and modules of application software, such as a computer program corresponding to the honeypot protection method in the embodiment of the present invention, and the processor 502 executes various functional applications and data processing by running the computer programs stored in the memory 504, so as to implement the method described above. The memory 504 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 504 may further include memory located remotely from the processor 502, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 506 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the terminal. In one example, the transmission device 506 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 506 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In addition, in combination with the honeypot protection method in the foregoing embodiment, the embodiment of the present application may provide a storage medium to implement. The storage medium having stored thereon a computer program; the computer program, when executed by a processor, implements any of the honeypot protection methods of the embodiments described above.
It should be understood by those skilled in the art that various features of the above-described embodiments can be combined in any combination, and for the sake of brevity, all possible combinations of features in the above-described embodiments are not described in detail, but rather, all combinations of features which are not inconsistent with each other should be construed as being within the scope of the present disclosure.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A high interaction honeypot system, comprising: the honeypot service module and the agent module; wherein,
the honeypot service module is arranged in a container and/or a virtual machine and is used for providing a honeypot service, and the honeypot service module and the agent module are isolated from each other;
the agent module comprises a message transmission port, a resolver and an encoder which are sequentially coupled, the resolver and the encoder are both coupled with the honeypot service module, the message transmission port is used for transmitting messages between a client and the honeypot service module, the resolver is used for resolving the messages according to a preset resolving format, the encoder is used for encoding the resolved messages according to a preset encoding format, and the messages comprise: a request message sent to the honeypot service module, and a response message sent to the client.
2. The high-interaction honeypot system of claim 1, wherein the agent module further comprises: a hook module comprising a plurality of sequentially coupled hooks, wherein the hooks comprise at least one of: a first hook for modifying the message and sending the modified message to the encoder; a second hook for intercepting the message; a third hook for intercepting the message, generating a request message or a response message corresponding to the message, and sending the generated message to the encoder; wherein one end of the hook module is coupled to the parser and the other end is coupled to the encoder;
the hook module is used for judging whether the message carries abnormal information or not and processing the message under the condition that the message carries the abnormal information.
3. The high-interaction honeypot system of claim 1, wherein the agent module further comprises: a data processing module; the data processing module is coupled to the honeypot service module and is used for acquiring monitoring data from the honeypot service module and determining the working state of the honeypot service module according to the monitoring data, wherein the monitoring data comprises at least one of the following: honeypot service process change information, honeypot service file change information and honeypot service environment change information.
4. The high-interaction honeypot system of claim 3, wherein the agent module further comprises: a traffic collection module; wherein the traffic collection module is respectively coupled to the message transmission port, the parser and the data processing module; the traffic collection module is configured to collect traffic information of the request message or traffic information of the response message, and to send the traffic information of the request message or the traffic information of the response message to the data processing module.
5. The high-interaction honeypot system of claim 3, wherein one end of the data processing module is further coupled to the parser for retrieving protocol information of the request message or protocol information of the response message.
6. The high interaction honeypot system of claim 1 further comprising: a monitoring module; wherein the monitoring module and the honeypot service module are arranged in the container and/or the virtual machine, one end of the monitoring module is coupled with the honeypot service module, and the other end of the monitoring module is coupled with the agent module; the monitoring module is used for monitoring the honeypot service module, generating monitoring data and sending the monitoring data to the agent module, wherein the monitoring data comprises at least one of the following data: honeypot service process change information, honeypot service file change information and honeypot service environment change information.
7. The high-interaction honeypot system of claim 6, wherein the agent module further comprises a judging module and a restarting module; wherein the judging module is coupled to the restarting module; the judging module is used for judging whether the connection between the agent module and the monitoring module is abnormal and, when the connection between the agent module and the monitoring module is judged to be abnormal, determining that the honeypot service module has been compromised and sending information indicating that the honeypot service module has been compromised to the restarting module; and the restarting module is used for restarting the container and/or the virtual machine in which the honeypot service module is located according to that information.
8. A honeypot protection method applied to the high-interaction honeypot system of any one of claims 1 to 7, comprising:
acquiring a request message sent from a client to a honeypot service module or a response message sent from the honeypot service module to the client;
parsing the request message or the response message with a parser according to a preset parsing format;
encoding the parsed request message or the parsed response message with an encoder according to a preset encoding format;
and sending the coded request message to the honeypot service module or sending the coded response message to the client.
9. The honeypot protection method of claim 8, wherein after parsing the request message or the response message according to a preset parsing format, the method further comprises:
judging whether a request message initiated from the client carries abnormal information or not, and processing the message by using a hook under the condition that the request message carries the abnormal information, wherein the hook comprises at least one of the following components: the first hook is used for modifying the request message and sending the modified request message to the encoder; the second hook is used for intercepting the request message; the third hook is used for intercepting the request message, generating a response message for responding to the request message and sending the response message to the encoder;
or, judging whether a response message returned from the honeypot service module carries abnormal information, and processing the message by using a hook under the condition that the response message carries the abnormal information, wherein the hook comprises at least one of the following: the first hook is used for modifying the response message and sending the modified response message to the encoder; the second hook is used for intercepting the response message; and the third hook is used for intercepting the response message, generating a response message for responding to the corresponding request message and sending the response message to the encoder.
10. The honeypot protection method of claim 8, wherein the high-interaction honeypot system comprises a monitoring module, and the method further comprises:
judging whether the connection between the agent module and the monitoring module is abnormal or not;
determining that the honeypot service module has been compromised if the connection between the agent module and the monitoring module is judged to be abnormal;
and restarting the container and/or the virtual machine where the honeypot service module is located.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010805588.3A CN112003842B (en) 2020-08-12 2020-08-12 High-interaction honeypot system and honeypot protection method

Publications (2)

Publication Number Publication Date
CN112003842A true CN112003842A (en) 2020-11-27
CN112003842B CN112003842B (en) 2022-09-13

Family

ID=73463137

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114024728A (en) * 2021-10-28 2022-02-08 杭州默安科技有限公司 Honeypot building method and application method
US20230179606A1 (en) * 2021-12-03 2023-06-08 International Business Machines Corporation Tracking a potential attacker on an external computer system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739647A (en) * 2012-05-23 2012-10-17 国家计算机网络与信息安全管理中心 High-interaction honeypot based network security system and implementation method thereof
US20160164894A1 (en) * 2014-12-03 2016-06-09 Guardicore Ltd. Automatic network attack detection and remediation using information collected by honeypots
US20170331858A1 (en) * 2016-05-10 2017-11-16 Quadrant Information Security Method, system, and apparatus to identify and study advanced threat tactics, techniques and procedures
CN107707576A (en) * 2017-11-28 2018-02-16 深信服科技股份有限公司 A kind of network defense method and system based on Honeypot Techniques
CN109768993A (en) * 2019-03-05 2019-05-17 中国人民解放军32082部队 A kind of high covering Intranet honey pot system
CN111083117A (en) * 2019-11-22 2020-04-28 上海交通大学 Botnet tracking and tracing system based on honeypots

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Qin Yujie (秦玉杰): "A ransomware worm monitoring method based on distributed honeypot technology" (一种基于分布式蜜罐技术的勒索蠕虫病毒监测方法), Network Information and Security (网络信息与安全) *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114024728A (en) * 2021-10-28 2022-02-08 Hangzhou Moan Technology Co., Ltd. (杭州默安科技有限公司) Honeypot building method and application method
CN114024728B (en) * 2021-10-28 2024-04-02 Hangzhou Moan Technology Co., Ltd. (杭州默安科技有限公司) Honeypot building method and application method
US20230179606A1 (en) * 2021-12-03 2023-06-08 International Business Machines Corporation Tracking a potential attacker on an external computer system

Also Published As

Publication number Publication date
CN112003842B (en) 2022-09-13

Similar Documents

Publication Publication Date Title
US10530810B2 (en) Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network
EP1999925B1 (en) A method and system for identifying malicious messages in mobile communication networks, related network and computer program product therefor
CN112995151B (en) Access behavior processing method and device, storage medium and electronic equipment
US20080301810A1 (en) Monitoring apparatus and method therefor
US20090319659A1 (en) Source detection device for detecting a source of sending a virus and/or a dns attack linked to an application, method thereof, and program thereof
CN112738071B (en) Method and device for constructing attack chain topology
CN101589595A (en) A containment mechanism for potentially contaminated end systems
JPH09214493A (en) Network system
CN112600852B (en) Vulnerability attack processing method, device, equipment and storage medium
CN110417717B (en) Login behavior identification method and device
CN111651754B (en) Intrusion detection method and device, storage medium and electronic device
CN112003842B (en) High-interaction honeypot system and honeypot protection method
CN107645480B (en) Data monitoring method, system and device
CN112333203A (en) RDP conversation method of high-interaction honeypot system based on man-in-the-middle technology
EP3230886B1 (en) Operating system fingerprint detection
CN114938312B (en) Data transmission method and device
CN110912887A (en) Bro-based APT monitoring system and method
EP3618396B1 (en) Protection method and system for http flood attack
CN113162922B (en) Client data acquisition method and device, storage medium and electronic equipment
CN116760607A (en) Method and device for establishing honeypot trapping node, medium and equipment
CN116319028A (en) Rebound shell attack interception method and device
CN112003839B (en) Equipment anti-identity recognition method and device, electronic device and storage medium
Abimbola et al. NetHost-Sensor: Investigating the capture of end-to-end encrypted intrusive data
CN115189951B (en) Pseudo service simulation detection attack penetration method, pseudo service simulation detection attack penetration device and computer equipment
KR102571147B1 (en) Security apparatus and method for smartwork environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant