CN112039879A - Attack recording method, device and medium for high-interaction honeypot - Google Patents


Info

Publication number
CN112039879A
Authority
CN
China
Prior art keywords
log file
log
intrusion detection
bash
ssh
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010888587.XA
Other languages
Chinese (zh)
Inventor
陈泽楠
范渊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN202010888587.XA
Publication of CN112039879A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Embodiments of the invention disclose an attack recording method and device for a high-interaction honeypot and a computer-readable storage medium. Input characters of a bash process are acquired and stored in a log file according to a preset data storage rule, so that the intruder's operations on the high-interaction honeypot are recorded inside bash itself. Because an intruder can hardly avoid executing commands through bash during an intrusion, acquiring the input characters of the bash process records the intrusion behaviour completely. When the file end identifier is detected, the log file is closed and the log data in the log file are reported to an intrusion detection center. Since the log data reflect the intrusion behaviour comprehensively, performing intrusion detection on them effectively reduces the false alarm rate of the high-interaction honeypot and improves the accuracy of intrusion detection.

Description

Attack recording method, device and medium for high-interaction honeypot
Technical Field
The invention relates to the technical field of server security, in particular to an attack recording method and device for a high-interaction honeypot and a computer-readable storage medium.
Background
Honeypot technology is essentially a technique for deceiving attackers: hosts, network services or information are deployed as decoys to lure attackers into attacking them, so that the attack behaviour can be captured and analysed, the tools and methods used by the attackers become known, attack intentions and motivations can be inferred, defenders gain a clear view of the security threats they face, and the protection of the real system can be strengthened through technical and management measures.
Traditional honeypots fall roughly into two types: low-interaction honeypots implemented by simulating services, and high-interaction honeypots implemented on a real operating system. A low-interaction honeypot uses few resources but simulates poorly; a high-interaction honeypot simulates well but has a higher false alarm rate. Existing high-interaction honeypots perform intrusion detection by collecting operation data at the kernel layer, so a large amount of normal system activity is often reported as attacks and the false alarm rate of intrusion detection is high.
How to reduce the false alarm rate of high-interaction honeypots is therefore a problem that those skilled in the art need to solve.
Disclosure of Invention
The embodiment of the invention aims to provide an attack recording method and device for a high-interaction honeypot and a computer readable storage medium, which can reduce the false alarm rate of the high-interaction honeypot.
In order to solve the above technical problem, an embodiment of the present invention provides an attack recording method for a high-interaction honeypot, including:
acquiring input characters of a bash process;
storing the input characters in a log file according to a preset data storage rule;
closing the log file when a file end identifier is detected;
and reporting the log data in the log file to an intrusion detection center so that the intrusion detection center can perform intrusion detection according to the log data.
Optionally, acquiring the input characters includes:
judging whether the bash process is an ssh sub-process;
when the bash process is an ssh sub-process, acquiring the input characters by using the readline function;
and when the bash process is not an ssh sub-process, acquiring the input characters by using the buffered_getchar function.
Optionally, when the bash process is an ssh sub-process, after acquiring the input characters by using the readline function, the method further includes:
capturing ssh traffic data by using libpcap;
correspondingly, reporting the log data in the log file to an intrusion detection center includes:
reporting the log data and the ssh traffic data to the intrusion detection center.
Optionally, storing the input characters in the log file according to a preset data storage rule includes:
judging whether the log file exists;
when the log file does not exist, creating the log file, setting log header information for the input characters, and writing the log header information and the input characters into the log file in append mode;
and when the log file exists, writing the input characters into the log file in append mode.
Optionally, reporting the log data in the log file to an intrusion detection center includes:
parsing the log file to obtain the log data to be reported;
and reporting the serialized log data to the intrusion detection center so that the intrusion detection center can perform intrusion detection according to the deserialized log data.
Optionally, closing the log file when the file end identifier is detected includes:
closing the log file when a line feed character is present in the acquired input characters.
The embodiment of the invention also provides an attack recording device for a high-interaction honeypot, which comprises an acquisition unit, a storage unit, a closing unit and a reporting unit;
the acquisition unit is used for acquiring input characters of a bash process;
the storage unit is used for storing the input characters in a log file according to a preset data storage rule;
the closing unit is used for closing the log file when the file end identifier is detected;
and the reporting unit is used for reporting the log data in the log file to an intrusion detection center so that the intrusion detection center can perform intrusion detection according to the log data.
Optionally, the acquisition unit includes a judging subunit, a first processing subunit and a second processing subunit;
the judging subunit is configured to judge whether the bash process is an ssh sub-process;
the first processing subunit is configured to acquire the input characters by using the readline function when the bash process is an ssh sub-process;
and the second processing subunit is configured to acquire the input characters by using the buffered_getchar function when the bash process is not an ssh sub-process.
Optionally, a capturing unit is further included;
the capturing unit is used for capturing ssh traffic data by using libpcap;
correspondingly, the reporting unit is specifically configured to report the log data and the ssh traffic data to the intrusion detection center.
Optionally, the storage unit includes a judging subunit, a creating subunit, a setting subunit and a writing subunit;
the judging subunit is used for judging whether the log file exists;
the creating subunit is configured to create the log file when the log file does not exist;
the setting subunit is configured to set log header information for the input characters;
the writing subunit is configured to write the log header information and the input characters into the log file in append mode, and, when the log file exists, to write the input characters into the log file in append mode.
Optionally, the reporting unit is specifically configured to parse the log file to obtain the log data to be reported, and to report the serialized log data to the intrusion detection center so that the intrusion detection center can perform intrusion detection according to the deserialized log data.
Optionally, the closing unit is specifically configured to close the log file when a line feed character is present in the acquired input characters.
The embodiment of the invention also provides an attack recording device for a high-interaction honeypot, which comprises:
a memory for storing a computer program;
and a processor for executing the computer program to implement the steps of the attack recording method for a high-interaction honeypot as described in any one of the above.
An embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the attack recording method for a high-interaction honeypot as described in any one of the above are implemented.
According to the above technical solution, input characters of the bash process are acquired and stored in a log file according to a preset data storage rule, so that the intruder's operations on the high-interaction honeypot are recorded inside bash itself. Because an intruder can hardly avoid executing commands through bash during an intrusion, acquiring the input characters of the bash process records the intrusion behaviour completely. When the file end identifier is detected, the log file is closed and the log data in the log file are reported to the intrusion detection center. Since the log data reflect the intrusion behaviour comprehensively, performing intrusion detection on them effectively reduces the false alarm rate of the high-interaction honeypot and improves the accuracy of intrusion detection.
Drawings
In order to illustrate the embodiments of the present invention more clearly, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of an attack recording method for a high-interaction honeypot according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of an attack recording apparatus for a high-interaction honeypot according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a hardware structure of an attack recording apparatus for a high-interaction honeypot according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without any creative work belong to the protection scope of the present invention.
In order that those skilled in the art will better understand the disclosure, the invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
Next, an attack recording method for a high-interaction honeypot provided by an embodiment of the present invention is described in detail. Fig. 1 is a flowchart of an attack recording method for a high-interaction honeypot according to an embodiment of the present invention, where the method includes:
s101: and acquiring input characters of the bash process.
In the traditional mode, when data are collected from a kernel layer for intrusion detection analysis, a large amount of normal activities of a system are misreported. Bash (GNU Bourne-Again Shell) is the default Shell of many Linux distribution versions, and in the embodiment of the invention, the input characters of the Bash process can be obtained in consideration of the fact that an intruder is difficult to bypass the execution of commands on the Bash in the intrusion process. Intrusion detection is carried out by means of input characters of the bash process, and the false alarm rate can be effectively reduced.
The bash process can be divided into two forms, one is a bash process supported by a Secure Shell (SSH), and the other is a non-SSH supported bash process. A bash process hosted by SSH can be considered an SSH sub-process. Therefore, in practical application, whether the bash process is the ssh sub-process or not can be judged; when the bash process is the ssh sub-process, acquiring an input character by using a readline function; when the bash process is not the ssh sub-process, the buffered _ getchar function is used to obtain the input character.
S102: and storing the input characters into a log file according to a preset data storage rule.
Initially, a log file needs to be created to store the input characters of the bash process. After the creation of the log file is completed, the acquired input characters may be subsequently stored directly in the log file. Therefore, in practical applications, it is possible to determine whether or not a log file exists.
When the log file does not exist, creating the log file; setting log header information for the input character, and writing the log header information and the input character into a log file according to an additional mode.
When a log file exists, the input character is written into the log file in the additional mode.
When the input characters are stored in a log file, log header information needs to be set for the input characters; the log header information may include information such as process id and timestamp.
S103: and when the file end identifier is detected, closing the log file.
In the embodiment of the present invention, a specific character may be used as the end identifier, and when it is detected that the end identifier exists in the input character, it indicates that the current input has ended, and at this time, the log file may be closed.
In practical application, the line break can be used as an end identifier, and when the line break exists in the acquired input characters, the log file is closed.
S104: and reporting the log data in the log file to an intrusion detection center so that the intrusion detection center can conveniently carry out intrusion detection according to the log data.
The log file comprises log header information and other data irrelevant to intrusion detection, so that when the data are uploaded to an intrusion detection center, the log file can be analyzed to obtain log data to be reported; and reporting the serialized log data to an intrusion detection center so that the intrusion detection center can conveniently carry out intrusion detection according to the log data subjected to deserialization.
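Steps S102 to S104 together describe one recording pipeline. The following is an added example, not code from the patent or its assignee: a small recorder that receives input characters one at a time (as a hook in bash's readline or buffered_getchar path would hand them over), applies the storage rule (create the file with a header holding pid and timestamp when it does not exist, otherwise append), closes the file when the line feed end identifier arrives, and then parses the file and serializes the result for the intrusion detection center. The header layout, the function names and the sample input lines are this example's own assumptions.

```python
# Added example (not code from the patent): recorder implementing the page's
# storage rule, line-feed close, and parse/serialize step for reporting.
# Header layout, names and sample input are this example's assumptions.
import json
import os
import tempfile
import time


class BashInputRecorder:
    """Receives input characters one at a time (as readline/buffered_getchar
    would yield them) and stores them according to the preset storage rule."""

    def __init__(self, log_path, pid=None, clock=time.time):
        self.log_path = log_path
        self.pid = os.getpid() if pid is None else pid
        self.clock = clock          # injectable so tests are deterministic
        self._fh = None

    def _open(self):
        # Storage rule: create the file and write the header when it does not
        # exist, otherwise just append; both cases open in append mode.
        is_new = not os.path.exists(self.log_path)
        self._fh = open(self.log_path, "a", encoding="utf-8")
        if is_new:
            # Assumed header layout: pid and timestamp on a '#' line.
            self._fh.write("#pid=%d ts=%d\n" % (self.pid, int(self.clock())))

    def record_char(self, ch):
        """Store one input character; return True when a line feed closed the file."""
        if self._fh is None:
            self._open()
        self._fh.write(ch)
        if ch == "\n":              # the line feed is the end identifier (S103)
            self.close()
            return True
        return False

    def close(self):
        if self._fh is not None:
            self._fh.close()
            self._fh = None


def parse_log(log_path):
    """Parse the log file into header fields plus the recorded command lines (S104)."""
    header = {}
    commands = []
    with open(log_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if line.startswith("#"):
                for field in line[1:].split():
                    key, _, value = field.partition("=")
                    header[key] = int(value)
            elif line:
                commands.append(line)
    return {"pid": header.get("pid"), "ts": header.get("ts"), "commands": commands}


def serialize_report(log_path):
    """Serialized form of the log data as sent to the intrusion detection center."""
    return json.dumps(parse_log(log_path), sort_keys=True)


def run_pipeline(lines, log_path=None, pid=4242, clock=lambda: 1598572800):
    """Feed constructed input lines through the recorder and return what the
    detection center sees after deserializing the report."""
    if log_path is None:
        log_path = os.path.join(tempfile.mkdtemp(), "bash_input.log")
    recorder = BashInputRecorder(log_path, pid=pid, clock=clock)
    for line in lines:
        for ch in line:
            recorder.record_char(ch)
    recorder.close()                # flush a trailing line that had no line feed
    return json.loads(serialize_report(log_path))


if __name__ == "__main__":
    # Constructed sample input: two benign lines as an operator might observe them.
    print(run_pipeline(["id\n", "uname -a\n"]))
```

Because the header is written only when the file is created, every later line is appended without a header; the parser therefore attributes all command lines in one file to the pid and timestamp of the header, which is what the page's rule implies. A partial last line with no line feed is flushed by the final `close()` so it is not lost.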
According to the above technical solution, input characters of the bash process are acquired and stored in a log file according to a preset data storage rule, so that the intruder's operations on the high-interaction honeypot are recorded inside bash itself. Because an intruder can hardly avoid executing commands through bash during an intrusion, acquiring the input characters of the bash process records the intrusion behaviour completely. When the file end identifier is detected, the log file is closed and the log data in the log file are reported to the intrusion detection center. Since the log data reflect the intrusion behaviour comprehensively, performing intrusion detection on them effectively reduces the false alarm rate of the high-interaction honeypot and improves the accuracy of intrusion detection.
In the embodiment of the invention, the original log data can be supplemented so that security personnel gain a fuller picture of the intruder. Specifically, when the bash process is an ssh sub-process, after the input characters are acquired with the readline function, ssh traffic data can be captured with libpcap, and the log data and the ssh traffic data are reported together to the intrusion detection center.
When the bash process is an ssh sub-process it inherits the environment variables of ssh, so the captured ssh traffic data can include information such as the peer address (the intruder's address), the peer port (the intruder's port), the local address (the address the intruder logged in to) and the local port (the port the intruder logged in to).
By extending the log data in this way and reporting the log data and the ssh traffic data to the intrusion detection center together, security personnel can conveniently perform correlation analysis.
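The ssh sub-process check in S101 and the four address/port values listed above both come from the environment that a bash started by sshd inherits. The following added example (not code from the patent or its assignee) shows where those values live: sshd sets SSH_CONNECTION to "peer_addr peer_port local_addr local_port", so the recorder can decide whether it is running as an ssh sub-process and recover the peer and local endpoints without any packet capture. The libpcap capture itself is not reproduced; build_capture_filter only derives the BPF filter string a capturing unit could hand to libpcap to restrict the capture to this session. Function names and the sample environment are this example's assumptions.

```python
# Added example (not code from the patent): ssh sub-process detection and
# endpoint extraction from the inherited sshd environment; the libpcap capture
# is not reproduced, only a BPF filter for it is derived. Names are assumptions.
import os


def is_ssh_subprocess(env=None):
    """A bash process started by sshd inherits SSH_CONNECTION (and SSH_CLIENT)."""
    env = os.environ if env is None else env
    return "SSH_CONNECTION" in env or "SSH_CLIENT" in env


def parse_ssh_connection(env=None):
    """Return peer/local address and port, or None if not an ssh sub-process."""
    env = os.environ if env is None else env
    raw = env.get("SSH_CONNECTION")
    if not raw:
        return None
    parts = raw.split()
    if len(parts) != 4:
        return None                      # malformed value: report nothing rather than guess
    peer_addr, peer_port, local_addr, local_port = parts
    if not (peer_port.isdigit() and local_port.isdigit()):
        return None
    return {
        "peer_addr": peer_addr,          # intruder address
        "peer_port": int(peer_port),     # intruder source port
        "local_addr": local_addr,        # address the intruder logged in to
        "local_port": int(local_port),   # port the intruder logged in to
    }


def build_capture_filter(conn):
    """BPF filter restricting a libpcap capture to this ssh session's TCP flow."""
    return "tcp and host %s and port %d and host %s and port %d" % (
        conn["peer_addr"], conn["peer_port"], conn["local_addr"], conn["local_port"])


def enrich_report(log_report, env=None):
    """Attach the ssh session data to the log data so both reach the center together."""
    report = dict(log_report)
    report["ssh"] = parse_ssh_connection(env)
    return report


if __name__ == "__main__":
    # Constructed environment as an sshd-spawned bash would inherit it
    # (documentation address ranges, not real hosts).
    sample_env = {"SSH_CONNECTION": "203.0.113.7 51234 192.0.2.10 22",
                  "SSH_TTY": "/dev/pts/0"}
    print(is_ssh_subprocess(sample_env))
    print(build_capture_filter(parse_ssh_connection(sample_env)))
    print(enrich_report({"commands": ["id"]}, sample_env))
```

When the recorder is not running under sshd (the buffered_getchar path), `enrich_report` attaches `None` rather than fabricating endpoints, so the intrusion detection center can still deserialize a report of the same shape and tell the two cases apart.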
Fig. 2 is a schematic structural diagram of an attack recording apparatus for a high-interaction honeypot according to an embodiment of the present invention, including an acquisition unit 21, a storage unit 22, a closing unit 23 and a reporting unit 24;
the acquisition unit 21 is configured to acquire input characters of a bash process;
the storage unit 22 is configured to store the input characters in a log file according to a preset data storage rule;
the closing unit 23 is configured to close the log file when the file end identifier is detected;
and the reporting unit 24 is configured to report the log data in the log file to an intrusion detection center so that the intrusion detection center performs intrusion detection according to the log data.
Optionally, the acquisition unit includes a judging subunit, a first processing subunit and a second processing subunit;
the judging subunit is used for judging whether the bash process is an ssh sub-process;
the first processing subunit is used for acquiring the input characters by using the readline function when the bash process is an ssh sub-process;
and the second processing subunit is used for acquiring the input characters by using the buffered_getchar function when the bash process is not an ssh sub-process.
Optionally, a capturing unit is further included;
the capturing unit is used for capturing ssh traffic data by using libpcap;
correspondingly, the reporting unit is specifically configured to report the log data and the ssh traffic data to the intrusion detection center.
Optionally, the storage unit includes a judging subunit, a creating subunit, a setting subunit and a writing subunit;
the judging subunit is used for judging whether the log file exists;
the creating subunit is configured to create the log file when the log file does not exist;
the setting subunit is configured to set log header information for the input characters;
the writing subunit is configured to write the log header information and the input characters into the log file in append mode, and, when the log file exists, to write the input characters into the log file in append mode.
Optionally, the reporting unit is specifically configured to parse the log file to obtain the log data to be reported, and to report the serialized log data to the intrusion detection center so that the intrusion detection center can perform intrusion detection according to the deserialized log data.
Optionally, the closing unit is specifically configured to close the log file when a line feed character is present in the acquired input characters.
The description of the features in the embodiment corresponding to fig. 2 may refer to the related description of the embodiment corresponding to fig. 1, and is not repeated here.
According to the above technical solution, input characters of the bash process are acquired and stored in a log file according to a preset data storage rule, so that the intruder's operations on the high-interaction honeypot are recorded inside bash itself. Because an intruder can hardly avoid executing commands through bash during an intrusion, acquiring the input characters of the bash process records the intrusion behaviour completely. When the file end identifier is detected, the log file is closed and the log data in the log file are reported to the intrusion detection center. Since the log data reflect the intrusion behaviour comprehensively, performing intrusion detection on them effectively reduces the false alarm rate of the high-interaction honeypot and improves the accuracy of intrusion detection.
Fig. 3 is a schematic diagram of a hardware structure of an attack recording apparatus 30 for a high-interaction honeypot according to an embodiment of the present invention, including:
a memory 31 for storing a computer program;
a processor 32 for executing the computer program to implement the steps of the attack recording method for a high-interaction honeypot as described in any of the embodiments above.
The embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the attack recording method for a high-interaction honeypot according to any of the above embodiments are implemented.
The attack recording method, attack recording device and computer-readable storage medium for a high-interaction honeypot provided by the embodiments of the invention have been described in detail above. The embodiments are described progressively, each embodiment focusing on its differences from the others, and the same or similar parts of the embodiments refer to one another. Since the device disclosed in an embodiment corresponds to the method disclosed in an embodiment, its description is brief and the relevant points can be found in the description of the method. It should be noted that those skilled in the art can make various improvements and modifications to the present invention without departing from its principle, and such improvements and modifications also fall within the scope of the claims of the present invention.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

Claims (10)

1. An attack recording method for a high-interaction honeypot is characterized by comprising the following steps:
acquiring input characters of a bash process;
storing the input characters to a log file according to a preset data storage rule;
when a file end identifier is detected, closing the log file;
and reporting the log data in the log file to an intrusion detection center so that the intrusion detection center can carry out intrusion detection according to the log data.
2. The attack recording method for the high-interaction honeypot according to claim 1, wherein acquiring the input characters comprises:
judging whether the bash process is an ssh sub-process;
when the bash process is an ssh sub-process, acquiring the input characters by using the readline function;
and when the bash process is not an ssh sub-process, acquiring the input characters by using the buffered_getchar function.
3. The attack recording method for the high-interaction honeypot according to claim 2, wherein after acquiring the input characters by using the readline function when the bash process is an ssh sub-process, the method further comprises:
capturing ssh traffic data by using libpcap;
correspondingly, reporting the log data in the log file to an intrusion detection center comprises:
reporting the log data and the ssh traffic data to the intrusion detection center.
4. The attack recording method for the high-interaction honeypot according to claim 1, wherein storing the input characters in a log file according to a preset data storage rule comprises:
judging whether the log file exists;
when the log file does not exist, creating the log file, setting log header information for the input characters, and writing the log header information and the input characters into the log file in append mode;
and when the log file exists, writing the input characters into the log file in append mode.
5. The attack recording method for the high-interaction honeypot according to claim 1, wherein reporting the log data in the log file to an intrusion detection center comprises:
parsing the log file to obtain the log data to be reported;
and reporting the serialized log data to the intrusion detection center so that the intrusion detection center can perform intrusion detection according to the deserialized log data.
6. The attack recording method for the high-interaction honeypot according to claim 1, wherein closing the log file when the file end identifier is detected comprises:
closing the log file when a line feed character is present in the acquired input characters.
7. An attack recording device of a high-interaction honeypot is characterized by comprising an acquisition unit, a storage unit, a closing unit and a reporting unit;
the acquisition unit is used for acquiring input characters of a bash process;
the storage unit is used for storing the input characters into a log file according to a preset data storage rule;
the closing unit is used for closing the log file when the file end identifier is detected;
and the reporting unit is used for reporting the log data in the log file to an intrusion detection center so as to facilitate the intrusion detection center to carry out intrusion detection according to the log data.
8. The attack recording device of the high-interaction honeypot according to claim 7, wherein the acquisition unit comprises a judging subunit, a first processing subunit and a second processing subunit;
the judging subunit is configured to judge whether the bash process is an ssh sub-process;
the first processing subunit is configured to acquire the input characters by using the readline function when the bash process is an ssh sub-process;
and the second processing subunit is configured to acquire the input characters by using the buffered_getchar function when the bash process is not an ssh sub-process.
9. An attack recording device of a high-interaction honeypot is characterized by comprising:
a memory for storing a computer program;
and a processor for executing said computer program to carry out the steps of the attack recording method of the high-interaction honeypot according to any one of claims 1 to 6.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the attack recording method of the high interaction honeypot of any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010888587.XA CN112039879A (en) 2020-08-28 2020-08-28 Attack recording method, device and medium for high-interaction honeypot

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010888587.XA CN112039879A (en) 2020-08-28 2020-08-28 Attack recording method, device and medium for high-interaction honeypot

Publications (1)

Publication Number Publication Date
CN112039879A true CN112039879A (en) 2020-12-04

Family

ID=73586318

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010888587.XA Pending CN112039879A (en) 2020-08-28 2020-08-28 Attack recording method, device and medium for high-interaction honeypot

Country Status (1)

Country Link
CN (1) CN112039879A (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190098024A1 (en) * 2017-09-28 2019-03-28 Microsoft Technology Licensing, Llc Intrusion detection
CN108234480A (en) * 2017-12-29 2018-06-29 北京奇虎科技有限公司 Intrusion detection method and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
汤阳春 et al.: "Application of the Honeynet system in network security", 《安徽电子信息职业技术学院学报》 *
陆霞 et al.: "Application of NIDS in honeypot systems", 《电脑知识与技术(学术交流)》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114006775A (en) * 2021-12-31 2022-02-01 北京微步在线科技有限公司 Intrusion event detection method and device
CN114006775B (en) * 2021-12-31 2022-04-12 北京微步在线科技有限公司 Intrusion event detection method and device

Similar Documents

Publication Publication Date Title
CN105659245A (en) Context-aware network forensics
CN101924757B (en) Method and system for reviewing Botnet
US20160112287A1 (en) Storing and analyzing network traffic data
CN107295021B (en) Security detection method and system of host based on centralized management
US20190260663A1 (en) Deriving test profiles based on security and network telemetry information extracted from the target network environment
CN109922073A (en) Network security monitoring device, method and system
CN112822147B (en) Method, system and equipment for analyzing attack chain
CN110971579A (en) Network attack display method and device
EP3496396A1 (en) Method and device for storing warning image
CN112148518A (en) Log file processing method and device, computer equipment and storage medium
KR102059688B1 (en) Cyber blackbox system and method thereof
Dweikat et al. Digital Forensic Tools Used in Analyzing Cybercrime
CN111641589A (en) Advanced sustainable threat detection method, system, computer and storage medium
CN112039879A (en) Attack recording method, device and medium for high-interaction honeypot
KR20120086926A (en) A visualization system for Forensics audit data
CN112217777A (en) Attack backtracking method and equipment
CN114363053A (en) Attack identification method and device and related equipment
CN112565232B (en) Log analysis method and system based on template and flow state
CN113489703A (en) Safety protection system
CN113965406A (en) Network blocking method, device, electronic device and storage medium
Ngobeni et al. A forensic readiness model for wireless networks
CN111884883A (en) Quick auditing processing method for service interface
CN112069505B (en) Audit information processing method and electronic equipment
CN112217828A (en) Attack detection method and device, electronic equipment and storage medium
Mukti et al. Integration of Low Interaction Honeypot and ELK Stack as Attack Detection Systems on Servers

Legal Events

Date Code Title Description
2020-12-04 PB01 Publication (application publication date: 20201204)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication