CN112134854A - Method, device, equipment, storage medium and system for defending attack - Google Patents


Info

Publication number: CN112134854A
Authority: CN (China)
Prior art keywords: attack behavior, attack, node, behavior information, honeypot
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CN202010902404.5A
Other languages: Chinese (zh)
Inventors: 邓如林, 李海威, 陈燕斌, 陆立业, 刘峰
Current Assignee: Beijing Huasai Online Technology Co ltd
Original Assignee: Beijing Huasai Online Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

The invention discloses a method, a device, equipment, a storage medium and a system for defending attacks, wherein the method comprises the following steps: receiving access requests of attackers forwarded by a plurality of probe nodes; collecting attack behavior information according to each access request; and extracting attack behavior characteristics according to the attack behavior information for defending attacks. The monitoring in a wider range can be realized based on a small amount of high-interaction honeypots, the cost is effectively reduced, the deployment and implementation are simple, the occupied resources are less, and the problems that in the prior art, a small amount of honeypot nodes are difficult to play a honeypot effect, and the protection range is not comprehensive enough are solved.

Description

Method, device, equipment, storage medium and system for defending attack
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method, an apparatus, a device, a storage medium, and a system for defending against attacks.
Background
With the rapid development of internet technology, network information security is becoming ever more important. Computer and network data leakage incidents occur continuously, and the information security situation is very severe. Traditional security products such as firewalls and IDSs are passive defenses: they can only defend against known attack behaviors. As attack methods keep improving, traditional passive defense cannot meet security requirements, and active defense technology is receiving more and more attention.
In the prior art, active defense is usually performed using honeypot technology. Honeypot technology is a technique for deceiving an attacker: hosts, network services or information are arranged as bait to induce the attacker to attack them, so that the attack behavior can be captured and analyzed, the tools and methods used by the attacker can be learned, the attack intention and motivation can be inferred, and the security protection capability of the real system can be enhanced through technical and management means.
Traditional honeypots are divided into low-interaction and high-interaction honeypots. A low-interaction honeypot mainly performs a simple simulation of a system or application service, and the attack behaviors it can capture are very limited. High-interaction honeypots or honeynets generally simulate real system services; the resources they require are large and the cost is high, so a large number of high-interaction honeypots is usually difficult to deploy in the service network, a small number of honeypot nodes is difficult to make effective as honeypots, and the protection range is not comprehensive enough.
Disclosure of Invention
The embodiment of the invention provides a method, a device, equipment, a storage medium and a system for defending attacks, which aim to overcome the defects that the defense range in the prior art is not comprehensive enough and the like.
In a first aspect, an embodiment of the present invention provides a method for defending against attacks, including:
receiving access requests of attackers forwarded by a plurality of probe nodes;
collecting attack behavior information according to each access request;
and extracting attack behavior characteristics according to the attack behavior information for defending attacks.
In a second aspect, an embodiment of the present invention provides a method for defending against an attack, including:
receiving an access request initiated by an attacker;
and forwarding the access request to a honeypot node so that the honeypot node collects attacker behavior information according to the access request.
In a third aspect, an embodiment of the present invention provides an apparatus for defending against attacks, including:
the first receiving module is used for receiving the access requests of the attackers forwarded by the probe nodes;
the collecting module is used for collecting attack behavior information according to each access request;
and the processing module is used for extracting attack behavior characteristics according to the attack behavior information and is used for defending attacks.
In a fourth aspect, an embodiment of the present invention provides an apparatus for defending against attacks, including:
the second receiving module is used for receiving an access request initiated by an attacker;
and the forwarding module is used for forwarding the access request to the honeypot node so that the honeypot node collects attacker behavior information according to the access request and is used for defending against attacks.
In a fifth aspect, an embodiment of the present invention provides an electronic device, including: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executing the computer-executable instructions stored by the memory causes the at least one processor to perform the method as described above in relation to the first aspect and the various possibilities of the first aspect, or to perform the method as described above in relation to the second aspect and the various possibilities of the second aspect.
In a sixth aspect, an embodiment of the present invention provides a computer-readable storage medium, in which computer-executable instructions are stored, and when a processor executes the computer-executable instructions, the method according to the first aspect and various possible designs of the first aspect is implemented, or the method according to the second aspect and various possible designs of the second aspect is implemented.
In a seventh aspect, an embodiment of the present invention provides a defense system, including: a honeypot node and a plurality of probe nodes;
the probe node is connected with the honeypot node through a forwarding port;
the probe node is a node which is set in a preset network according to an IP section range configured by a user and is used for monitoring a target port service, receiving an access request of an attacker and forwarding the access request to the honeypot node;
the honeypot nodes are used for receiving access requests of attackers forwarded by the probe nodes, collecting attack behavior information and extracting attack behavior characteristics according to the attack behavior information so as to defend attacks.
According to the embodiment of the invention, a large number of probe nodes are arranged in a network system. The probe nodes forward the access requests they receive to the honeypot nodes; the honeypot nodes collect a large amount of attack behavior information from those access requests and can extract attack behavior characteristics from it to form rules for active defense. Wide-range monitoring can thus be realized based on a small number of high-interaction honeypots, the cost is effectively reduced, deployment and implementation are simple, and few resources are occupied, which solves the problems in the prior art that a small number of honeypot nodes is difficult to make effective as honeypots and that the protection range is not comprehensive.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a schematic diagram of an attack defense system according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a method for defending against attacks according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method for defending against attacks according to another embodiment of the present invention;
FIG. 4 is a flowchart illustrating a method for defending against attacks according to yet another embodiment of the present invention;
FIG. 5 is a schematic diagram of an exemplary structure of a defense system according to an embodiment of the present invention;
FIG. 6 is a flowchart illustrating a method for defending against attacks according to yet another embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an apparatus for defending against attacks according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of an apparatus for defending against attacks according to another embodiment of the present invention;
FIG. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of an electronic device according to another embodiment of the invention;
FIG. 11 is a schematic structural diagram of a defense system according to an embodiment of the present invention.
With the above figures, certain embodiments of the invention have been illustrated and described in more detail below. The drawings and written description are not intended to limit the scope of the disclosed concepts in any way, but rather to illustrate the concepts of the invention by those skilled in the art with reference to specific embodiments.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Furthermore, the terms "first", "second", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. In the description of the following examples, "plurality" means two or more unless specifically limited otherwise.
The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present invention will be described below with reference to the accompanying drawings.
The attack defense method provided by the embodiment of the invention is suitable for the active defense scenario of a network system. Fig. 1 is a schematic diagram of the architecture of a system for defending against attacks according to an embodiment of the present invention. The system can comprise honeypot nodes and a large number of probe nodes. The probe nodes are created within IP address ranges configured by the user; virtualization technology can be adopted to create a large number of virtual nodes in the network, and in practical application a large number of probe nodes and a small number of honeypot nodes can be deployed according to actual requirements in order to save resource deployment cost. Of course, the probe nodes may also be deployed on physical machines, which is not limited by the present invention. A probe node that acquires an attacker's access request monitors the target port and acquires the attack request, and also isolates and shields the honeypot node from the attacker, so that the attacker does not discover that it has been detected and trapped, stop attacking, and thereby degrade the honeypot node's analysis of the trapped attack. Meanwhile, since no requirement is placed on the information processing capacity of the device, a large number of probe nodes can be deployed conveniently, and compared with honeypot node devices, a better active defense function can be achieved without consuming higher device resource cost.
The probe node can simulate a normal server by monitoring the target port to be monitored. The probe node receives an attacker's access request and forwards it to the honeypot node through a forwarding port. The attacker's access request comprises an attack message, such as a scanning and probing message, a brute force cracking message or a lateral movement message, and after receiving the access request the honeypot node collects the attacker's attack behavior information, such as user information, quintuple information and attack time. The quintuple information comprises the source IP address, source port, destination IP address, destination port and transport layer protocol. Attack behavior characteristics are then extracted from the attack behavior information, and rules are formed for further defending against the attack. By virtualizing a large number of probe nodes and combining them with a small number of honeypot nodes, a large amount of attack behavior information can be collected effectively, so that attack behavior features can be extracted; the cost is low, the protection range is comprehensive, the number of honeypot nodes is effectively reduced, the user can flexibly deploy the types and number of probe nodes according to actual requirements, and the flexibility and scalability of the system are improved.
Optionally, the system may further include a management server and a log server. The attack behavior information collected by the honeypot node may be sent to the management server for management and analysis; the management server may extract attack behavior characteristics from the attack behavior information and form rules for defending against attacks. The management server may also send the attack behavior characteristics to the log server, which may output them: specifically, the attack behavior characteristics may be output to a terminal to be displayed to the relevant personnel, or may be sent to other servers so that those servers can actively defend against attacks based on the attack behavior characteristics. The specific handling of the attack behavior characteristics may be set according to actual requirements.
An embodiment of the present invention provides a method for defending against an attack, which is used for a network system to defend against an attacker. The execution subject of the embodiment is a device for defending against attacks, and the device may be disposed in an electronic device, and specifically may be disposed in a honeypot node.
As shown in fig. 2, a schematic flow chart of a method for defending against attacks provided by this embodiment is shown, where the method includes:
Step 101: receive access requests of attackers forwarded by a plurality of probe nodes.
Specifically, virtualization technology can be adopted to create a large number of probe nodes in the network system according to an IP segment range configured by the user; the probe nodes monitor common port services and simulate a normal server. Taking one probe node as an example, when the probe node receives an attacker's access request, it sends the received access request to the honeypot node based on port forwarding technology. The forwarding can be carried out according to predefined rules. The honeypot nodes can be high-interaction honeypots, and because a large number of probe nodes is deployed, only a small number of high-interaction honeypots is needed. Since many probe nodes but only a few honeypot nodes are deployed, the predefined rules specify which honeypot masquerade service the access requests received by each probe node are forwarded to, that is, the correspondence between probe nodes and the corresponding masquerade services of the honeypot nodes. Meanwhile, corresponding service configurations are customized on the honeypot nodes according to user requirements, and the mapping between probe nodes and the customized services in the honeypot nodes can be established through the predefined rules, so that the services a user needs can be customized flexibly. Various general service modules, such as FTP, MYSQL, POP3, WEBLOGIC and NGINX, can be pre-built in the honeypot nodes to improve the degree of automation of the honeypot node's information processing, and the user can select one or more of these services according to the actual business requirements, so that attack behaviors can be found more accurately while occupying fewer resources.
When the honeypot node receives the access request forwarded by the probe node, the honeypot node can be automatically distributed to the corresponding built-in service module according to the request type to forge corresponding services, so that the honeypot node can quickly process the access requests of various types of attackers. After the probe node forwards the request, the honeypot node can receive the access request forwarded by the probe node. The access request may include attack messages of the attacker, such as scan probe messages, brute force messages, lateral movement messages, and the like.
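The probe-to-honeypot relay described for step 101, as an added example that is not code from the patent or its assignee: a predefined rule table maps the port a probe listens on to the honeypot masquerade service that should answer it, and the probe relays the attacker's TCP stream to that service on loopback while recording the attacker's original quintuple itself. The rule values, the fake FTP masquerade and the loopback addresses are all constructed assumptions. One practical caveat the relay makes visible: after forwarding, the honeypot's own socket sees the probe as the peer, so the attacker's real source address has to be captured at the probe.

```python
import socket
import threading

# Constructed forwarding rules for one probe node: the port the probe listens on maps to the
# honeypot host, port and masquerade service that should answer it. Assumed values, not the
# patent's own rules.
FORWARD_RULES = {
    21:   ("127.0.0.1", 2121,  "FTP"),
    3306: ("127.0.0.1", 13306, "MYSQL"),
}


def resolve_rule(listen_port, rules=FORWARD_RULES):
    """Return (honeypot_host, honeypot_port, service) for a probe's listening port, or None if unmapped."""
    return rules.get(listen_port)


def _pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then half-close dst so EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_probe(listener, honeypot_addr, captured):
    """Probe side: accept one attacker connection, record its quintuple, relay it to the honeypot.

    The honeypot sees the probe as its TCP peer, so the probe records the attacker's original
    quintuple here (the traffic acquisition step) and hands it to the honeypot out of band."""
    conn, peer = listener.accept()
    with conn:
        local = conn.getsockname()
        captured.append({"src_ip": peer[0], "src_port": peer[1],
                         "dst_ip": local[0], "dst_port": local[1], "proto": "tcp"})
        with socket.create_connection(honeypot_addr) as upstream:
            back = threading.Thread(target=_pump, args=(upstream, conn), daemon=True)
            back.start()
            _pump(conn, upstream)   # attacker -> honeypot
            back.join()             # honeypot -> attacker


def serve_fake_honeypot(listener, banner=b"220 ftp ready\r\n"):
    """Stand-in for the honeypot's FTP masquerade service: greet, then reject every command line."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(banner)
        buf = b""
        while True:
            data = conn.recv(4096)
            if not data:
                break
            buf += data
            while b"\r\n" in buf:          # answer per complete line, however the bytes arrive
                _line, buf = buf.split(b"\r\n", 1)
                conn.sendall(b"530 Login incorrect\r\n")


def _listen():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))   # ephemeral loopback port
    s.listen(1)
    return s


def demo_roundtrip(payload=b"USER root\r\n"):
    """Run attacker -> probe -> honeypot on loopback; return what the attacker sees and the captured quintuple."""
    honeypot, probe = _listen(), _listen()
    captured = []
    t_hp = threading.Thread(target=serve_fake_honeypot, args=(honeypot,), daemon=True)
    t_pr = threading.Thread(target=serve_probe, args=(probe, honeypot.getsockname(), captured), daemon=True)
    t_hp.start()
    t_pr.start()
    reply = b""
    with socket.create_connection(probe.getsockname()) as attacker:
        attacker.sendall(payload)
        attacker.shutdown(socket.SHUT_WR)
        while True:
            chunk = attacker.recv(4096)
            if not chunk:
                break
            reply += chunk
    t_hp.join()
    t_pr.join()
    honeypot.close()
    probe.close()
    return reply, captured[0]


if __name__ == "__main__":
    print(demo_roundtrip())
```

The attacker sees only the honeypot's banner and responses, never the probe; the quintuple the probe captured is what later gets attached to the attack behavior record.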
And step 102, collecting attack behavior information according to each access request.
Specifically, after receiving the access requests forwarded by each probe node, the honeypot node may collect attack behavior information of an attacker based on the access requests, where the attack behavior information may include user information, quintuple information, attack time, and the like.
Step 103: extract attack behavior characteristics from the attack behavior information for defending against attacks.
Specifically, after the honeypot node collects the attack behavior information, the honeypot node may analyze and process the attack behavior information, and extract attack behavior features, which may include: extracted keywords, quintuple information, user information, attack time, and the like.
Illustratively, the attack behavior information can be subjected to secondary processing by means of correlation, aggregation, noise reduction and the like, so that attack behavior characteristics which reflect the attack are extracted, the attack behavior is changed from unknown to known, and a rule is formed. The secondary processing of the attack behavior information is based on big data technology, so that information collected by different probe nodes and in different time periods is correlated and aggregated, and the attack behavior or the attack subject can be extracted more accurately and effectively, which improves the accuracy of attack behavior feature extraction.
According to the attack defense method provided by this embodiment, a large number of probe nodes is virtualized in a network system. The probe nodes forward the access requests they receive to the honeypot nodes; the honeypot nodes collect a large amount of attack behavior information from those access requests, and attack behavior characteristics can be extracted from it to form rules for active defense. Wider-range monitoring can thus be achieved based on a small number of high-interaction honeypots, cost is effectively reduced, deployment and implementation are simple, and few resources are occupied, which solves the problems in the prior art that a small number of honeypot nodes is difficult to make effective as honeypots and that the protection range is not comprehensive enough.
The method provided by the above embodiment is further described in an additional embodiment of the present invention.
As shown in fig. 3, a schematic flow chart of the method for defending against attacks provided in this embodiment is shown.
As an implementable manner, on the basis of the embodiment shown in fig. 2, optionally, the access request includes attack packet information; the attack behavior information at least comprises one of user information, quintuple information and attack time of an attacker.
As another implementable manner, on the basis of the above embodiment, optionally, extracting the attack behavior feature according to the attack behavior information specifically includes:
and 2011, performing correlation, aggregation and noise reduction on the attack behavior information to obtain the attack behavior characteristics.
Specifically, the big data technology can be adopted to perform association, aggregation and noise reduction processing on the attack behavior information to obtain the attack behavior characteristics.
Correlation refers to association analysis, that is, discovering associations or correlations that exist in large data sets (here, the attack behavior information data sets), so as to describe the rules and patterns by which certain attributes occur together in one thing; implementable algorithms such as the Apriori algorithm or the FP-growth algorithm may be used for this analysis. Aggregation refers to aggregating related pieces of information. Noise reduction refers to filtering irrelevant or invalid data out of the attack behavior information, which improves the effectiveness of the data.
For example, the same or similar proportions of the message contents in the attack behavior information may be counted, and when the same or similar proportion of a certain message content is greater than a certain threshold, the message content or related keywords may be extracted as the attack behavior characteristics.
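Step 2011 and the proportion-threshold example above, carried through on constructed data as an added example (not the patent's own code): noise reduction drops records with no payload and records from the operator's own scanners, aggregation folds requests into one profile per source address, association runs a single Apriori-style pass over (user, destination port) pairs, and the feature extraction counts the share of same-or-similar message contents and keeps those above a threshold. "Similar" is approximated here by folding digit runs to `N`, so two password guesses differing only in digits count as the same content; that heuristic, the allowlist of internal scanners, the threshold values and all records are assumptions for this example.

```python
import re
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample of attack behavior records in the shape a honeypot node collects:
# user information, quintuple, attack time and the attack message. Every value is made up
# (documentation address ranges); none of it is data from the patent.
RECORDS = [
    {"user": "root",  "src_ip": "198.51.100.7", "src_port": 51001, "dst_ip": "10.0.0.21", "dst_port": 22,   "proto": "tcp", "time": "2020-08-31T10:00:01Z", "msg": "USER root PASS 123456"},
    {"user": "root",  "src_ip": "198.51.100.7", "src_port": 51002, "dst_ip": "10.0.0.21", "dst_port": 22,   "proto": "tcp", "time": "2020-08-31T10:00:02Z", "msg": "USER root PASS password"},
    {"user": "admin", "src_ip": "198.51.100.7", "src_port": 51003, "dst_ip": "10.0.0.22", "dst_port": 22,   "proto": "tcp", "time": "2020-08-31T10:00:03Z", "msg": "USER admin PASS admin"},
    {"user": "root",  "src_ip": "203.0.113.9",  "src_port": 40001, "dst_ip": "10.0.0.23", "dst_port": 22,   "proto": "tcp", "time": "2020-08-31T10:05:00Z", "msg": "USER root PASS 654321"},
    {"user": "",      "src_ip": "203.0.113.9",  "src_port": 40002, "dst_ip": "10.0.0.23", "dst_port": 3306, "proto": "tcp", "time": "2020-08-31T10:05:01Z", "msg": ""},                      # bare connect, no payload: noise
    {"user": "",      "src_ip": "10.0.0.5",     "src_port": 40003, "dst_ip": "10.0.0.21", "dst_port": 22,   "proto": "tcp", "time": "2020-08-31T10:06:00Z", "msg": "USER root PASS 123456"},  # operator's own scanner: noise
    {"user": "root",  "src_ip": "198.51.100.7", "src_port": 51004, "dst_ip": "10.0.0.21", "dst_port": 3306, "proto": "tcp", "time": "2020-08-31T10:07:00Z", "msg": "mysql_native_password root"},
]

# Assumed allowlist of the operator's own vulnerability scanners; their hits are not attacks.
INTERNAL_SCANNERS = {"10.0.0.5"}


def denoise(records, allowlist=INTERNAL_SCANNERS):
    """Noise reduction: drop records with no message and records from allowlisted sources."""
    return [r for r in records if r["msg"] and r["src_ip"] not in allowlist]


def aggregate(records):
    """Aggregation: fold per-request records into one profile per source IP (the attack subject)."""
    profiles = defaultdict(lambda: {"count": 0, "dst_ports": set(), "users": set(), "first": None, "last": None})
    for r in records:
        p = profiles[r["src_ip"]]
        p["count"] += 1
        p["dst_ports"].add(r["dst_port"])
        if r["user"]:
            p["users"].add(r["user"])
        p["first"] = r["time"] if p["first"] is None else min(p["first"], r["time"])
        p["last"] = r["time"] if p["last"] is None else max(p["last"], r["time"])
    return dict(profiles)


def correlate(records, min_support=0.5):
    """Association: one Apriori-style pass finding (user, dst_port) pairs that co-occur
    in at least min_support of the records. Candidate pairs are built only from
    frequent singletons, which is the Apriori pruning step."""
    if not records:
        return {}
    items = [{("user", r["user"]), ("dst_port", r["dst_port"])} for r in records]
    n = len(items)
    singles = Counter(i for s in items for i in s)
    frequent1 = {i for i, c in singles.items() if c / n >= min_support}
    pairs = Counter()
    for s in items:
        for a, b in combinations(sorted(s & frequent1, key=lambda t: t[0]), 2):
            pairs[(a, b)] += 1
    return {pair: c / n for pair, c in pairs.items() if c / n >= min_support}


def normalize(msg):
    """Similarity key (assumed heuristic): lowercase and fold digit runs, so
    'USER root PASS 123456' and 'USER root PASS 654321' count as the same content."""
    return re.sub(r"\d+", "N", msg.lower())


def extract_features(records, threshold=0.3):
    """Message contents whose same-or-similar share exceeds the threshold become features."""
    if not records:
        return {}
    n = len(records)
    shares = Counter(normalize(r["msg"]) for r in records)
    return {key: c / n for key, c in shares.items() if c / n > threshold}


def build_rules(records, threshold=0.3, min_support=0.5, min_requests=3):
    """Whole secondary-processing pipeline: noise reduction, then aggregation, association
    and feature extraction, yielding a rule set a defender can apply to new requests."""
    clean = denoise(records)
    return {
        "keywords": set(extract_features(clean, threshold)),
        "attack_subjects": {ip for ip, p in aggregate(clean).items() if p["count"] >= min_requests},
        "associations": correlate(clean, min_support),
    }


if __name__ == "__main__":
    print(build_rules(RECORDS))
```

Two of the seven records are discarded as noise, so shares are computed over five; the keyword that survives is the folded brute-force line, and the only association above support is root logins against port 22.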
As another practicable manner, on the basis of the foregoing embodiment, optionally, the method may further include:
step 2021, if it is determined that an attacker launches an attack based on the attack behavior characteristics, performing alarm processing.
Specifically, when there is an attacker access request, whether the attacker is a real attacker can be determined based on the obtained attack behavior characteristics, and if yes, an alarm is given. The specific alarm mode can be set according to actual requirements.
For example, the warning information may be sent to the administrator by way of mail, and a warning prompt may also be sent to a terminal of a relevant person, and displayed to a terminal user, and so on.
As shown in fig. 4, a schematic flow chart of the method for defending against attacks provided in this embodiment is shown.
As another practicable manner, on the basis of the foregoing embodiment, optionally, after collecting the attack behavior information according to each access request, the method further includes:
step 2031, sending the attack behavior information to a management server;
Sending the attack behavior information to the management server allows part of the service modules to be split off and handled by a back-end server, which relieves the information processing burden on the honeypot nodes and at the same time can improve their information processing speed.
Correspondingly, according to the attack behavior information, extracting attack behavior characteristics, including:
step 2032, the management server processes the attack behavior information, extracts the attack behavior characteristics, and sends them to the log server.
Specifically, a special management server may be further provided, and the honeypot node may be only responsible for collecting the attack behavior information, sending the collected attack behavior information to the management server, and processing, analyzing and processing the attack behavior information by the management server, and extracting attack behavior characteristics.
Optionally, the management server may store the extracted attack behavior feature, and may also send the attack behavior feature to another server, for example, to a log server, and the log server outputs the attack behavior feature.
Alternatively, the log server may employ a generic SYSLOG interface output.
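The alarm step (2021) and the SYSLOG output of the log server (2032), as an added example that is not code from the patent: a new access request is checked against the extracted features, and a hit is rendered as an RFC 5424 syslog line whose structured-data element carries the quintuple and user, so a downstream SIEM can consume it. The rule set, the request records, the facility/severity choice and the hostnames are assumptions; `32473` is the enterprise number reserved for documentation, which is where a real deployment would put its own registered number. The message normalization folds digit runs to `N`, matching how the keyword rules are assumed to have been extracted.

```python
import re

# Rule set as the feature extraction step would produce it: normalized message keys
# (digit runs folded to "N") plus source addresses already identified as attack subjects.
# Constructed for this example, not values from the patent.
RULES = {
    "keywords": {"user root pass N", "mysql_native_password root"},
    "attack_subjects": {"198.51.100.7"},
}

# Constructed new access requests arriving at the honeypot after the rules exist.
NEW_REQUESTS = [
    {"user": "root", "src_ip": "192.0.2.10",   "src_port": 50000, "dst_ip": "10.0.0.21", "dst_port": 22, "proto": "tcp", "time": "2020-08-31T10:10:00Z", "msg": "USER root PASS 999999"},
    {"user": "",     "src_ip": "198.51.100.7", "src_port": 51010, "dst_ip": "10.0.0.22", "dst_port": 21, "proto": "tcp", "time": "2020-08-31T10:10:05Z", "msg": "HELP"},
    {"user": "root", "src_ip": "192.0.2.10",   "src_port": 50001, "dst_ip": "10.0.0.21", "dst_port": 22, "proto": "tcp", "time": "2020-08-31T10:10:07Z", "msg": "USER root PASS 888888"},
    {"user": "",     "src_ip": "192.0.2.55",   "src_port": 50002, "dst_ip": "10.0.0.21", "dst_port": 80, "proto": "tcp", "time": "2020-08-31T10:10:09Z", "msg": "GET /index.html"},
]


def normalize(msg):
    """Assumed similarity key, the same folding used when the keyword rules were built."""
    return re.sub(r"\d+", "N", msg.lower())


def classify(request, rules=RULES):
    """Step 2021: decide from the extracted features whether this request is a real attack.
    Returns (is_attack, reason) so the reason can travel with the alarm."""
    if request["src_ip"] in rules["attack_subjects"]:
        return True, "source is a known attack subject"
    if normalize(request["msg"]) in rules["keywords"]:
        return True, "message matches extracted attack keyword"
    return False, "no rule matched"


def to_syslog(request, reason, hostname="honeypot-1", appname="trap"):
    """Render an alarm as an RFC 5424 line. PRI 34 = facility auth (4) * 8 + severity critical (2);
    PROCID is '-', MSGID is 'ALERT'; the SD-ID uses the documentation enterprise number 32473."""
    sd = ('[attack@32473 src="{src_ip}:{src_port}" dst="{dst_ip}:{dst_port}" '
          'proto="{proto}" user="{user}"]').format(**request)
    return "<34>1 {time} {hostname} {appname} - ALERT {sd} {reason}".format(
        time=request["time"], hostname=hostname, appname=appname, sd=sd, reason=reason)


def alerts_for(requests, rules=RULES):
    """Run a batch of new requests through the rules and emit one alarm per attacking source,
    so the alarm module responds on the first hit without flooding the administrator."""
    seen = set()
    lines = []
    for req in requests:
        hit, reason = classify(req, rules)
        if hit and req["src_ip"] not in seen:
            seen.add(req["src_ip"])
            lines.append(to_syslog(req, reason))
    return lines


if __name__ == "__main__":
    for line in alerts_for(NEW_REQUESTS):
        print(line)
```

Of the four constructed requests, two raise alarms (one keyword hit, one known subject), the repeat from the same source is suppressed, and the plain web request passes.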
The method for defending against the attack, provided by the embodiment of the invention, is simple in equipment deployment and implementation, and supports the deployment of a physical machine/a virtual machine and also supports the deployment of a cloud host.
As an exemplary implementation manner, as shown in fig. 5, an exemplary structural diagram of the defense system provided for the present embodiment is shown. The defense system of the embodiment of the invention mainly relates to a probe node virtualization module, a flow acquisition module, a port forwarding module, a camouflage service automation module, a data secondary analysis module, a log output module and an alarm module according to functional modules, and the modules can be deployed in corresponding equipment according to actual requirements. For example, the probe node virtualization module may be deployed in a probe node, the traffic collection module may be deployed in a probe node, the masquerading service automation module may be deployed in a honeypot node, the data secondary analysis module may be deployed in a management server or a honeypot node, the log output module may be deployed in a log server, and the like.
The probe node virtualization module mainly adopts a virtualization technology to virtualize a large number of probe nodes in a network according to an IP section range configured by a user. The probe node monitors the common port service and simulates a normal server.
The flow acquisition module is mainly used to acquire the attacker's attack traffic, that is, to acquire the attacker's access requests to each probe node, where the access requests comprise scanning and probing messages, brute force cracking messages, lateral movement messages and the like.
The port forwarding module has the main function of reducing the magnitude of honeypot nodes, because the high-interaction honeypot has higher cost and is inconvenient for large-scale deployment, the flow of a large number of probe nodes deployed in the front is forwarded to a small number of high-interaction honeypots at the rear end through a port forwarding technology, and a specific forwarding rule can be preset.
The disguised service automation module is mainly used to increase the flexibility and scalability of the system: the user can autonomously select the services to be disguised according to the actual requirements of the business system, so that attack behaviors can be found more accurately while occupying fewer resources. For this purpose, general service modules such as FTP, MYSQL, POP3, WEBLOGIC and NGINX can be built into the system in advance.
The data secondary analysis module is mainly used to receive the basic data (that is, the attack behavior information) from the honeypot nodes, perform secondary processing by means of correlation, aggregation, noise reduction and the like, abstract the features that best characterize the attack behavior (that is, the attack behavior characteristics), change the attack behavior from unknown to known and form rules. The log output module is used to output the attack behavior characteristics, such as attack time, quintuple information, user information and keyword information, and can specifically use a generic SYSLOG interface for output. The alarm module responds as soon as an attack behavior is found, for example by sending alarm information to the administrator by mail.
It should be noted that the respective implementable modes in the embodiment may be implemented individually, or may be implemented in combination in any combination without conflict, and the present invention is not limited thereto.
Another embodiment of the present invention provides a method for defending against an attack, which is used for a network system to defend against an attacker. The execution subject of the embodiment is a device for defending against attacks, and the device may be disposed in an electronic device, and specifically, may be disposed in a probe node.
As shown in fig. 6, a schematic flow chart of a method for defending against an attack provided by this embodiment is shown, where the method includes:
Step 301, receiving an access request initiated by an attacker.
Step 302, forwarding the access request to the honeypot node, so that the honeypot node collects attacker behavior information according to the access request and is used for defending against attacks.
The main execution body of the embodiment is a probe node. Probe nodes are deployed in different network segments, service areas or terminal areas of an intranet, and their main function is to intercept and acquire attack access requests and forward them to a honeypot node, so that the honeypot node analyzes and processes the attack access requests and takes corresponding measures to defend against the attack.
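As an added example that is not the patent's own code, the probe node side of the method (steps 301 and 302 above, together with the port forwarding module and the virtual probe nodes described in this document) can be sketched as follows: probe addresses are derived from a user-configured IP segment, each probe listens on its decoy ports, looks up a preset forwarding rule for the port that was hit, records the attacker's original address and the decoy touched, and relays the bytes to the back-end honeypot. The IP segment, the forwarding rules, the record layout and the loopback self-test are assumptions of this example.

```python
"""Probe node: decoy listeners forwarding attacker connections to a honeypot
(added example; addresses, rules and the self-test are assumptions)."""
import asyncio
import ipaddress

# Preset forwarding rules (assumed): decoy port on the probe -> (honeypot host, port).
FORWARD_RULES = {
    22: ("10.0.100.5", 2222),
    445: ("10.0.100.5", 4445),
    3389: ("10.0.100.6", 3389),
}


def probe_addresses(ip_range):
    """Expand a user-configured IP segment (CIDR) into the host addresses on
    which virtual probe nodes are created; network and broadcast are skipped."""
    return [str(h) for h in ipaddress.ip_network(ip_range, strict=False).hosts()]


def lookup_rule(listen_port, rules=FORWARD_RULES):
    """Honeypot (host, port) for a decoy port, or None when no rule exists;
    the probe closes such connections rather than guessing a back end."""
    return rules.get(listen_port)


def forwarded_record(peer, local, backend):
    """What the probe records for a forwarded session: the attacker's real
    source and the decoy it touched, so the honeypot's data is not reduced
    to 'connection from the probe'."""
    return {"src": peer[0], "sport": peer[1], "decoy_ip": local[0],
            "dport": local[1], "honeypot": f"{backend[0]}:{backend[1]}"}


async def pipe(reader, writer):
    """Copy bytes one way until EOF, then close the far side."""
    try:
        while data := await reader.read(4096):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


async def handle_attacker(client_reader, client_writer, rules=FORWARD_RULES, log=print):
    """Per-connection handler on a decoy port."""
    peer = client_writer.get_extra_info("peername")
    local = client_writer.get_extra_info("sockname")
    backend = lookup_rule(local[1], rules)
    if backend is None:
        client_writer.close()
        return
    log(forwarded_record(peer, local, backend))
    try:
        hp_reader, hp_writer = await asyncio.open_connection(*backend)
    except OSError:  # honeypot unreachable: drop quietly, never expose the failure
        client_writer.close()
        return
    await asyncio.gather(pipe(client_reader, hp_writer), pipe(hp_reader, client_writer))


async def serve_probe(bind_ip, ports, rules=FORWARD_RULES):
    """Listen on every decoy port of one probe address (runs until cancelled)."""
    servers = [await asyncio.start_server(lambda r, w: handle_attacker(r, w, rules), bind_ip, p)
               for p in ports]
    await asyncio.gather(*(s.serve_forever() for s in servers))


async def loopback_roundtrip(payload):
    """Self-test: an echo server on 127.0.0.1 stands in for the honeypot and a
    local client plays the attacker. Returns (echoed bytes, probe records)."""
    records = []
    honeypot = await asyncio.start_server(pipe, "127.0.0.1", 0)
    hp_port = honeypot.sockets[0].getsockname()[1]
    rules = {}
    probe = await asyncio.start_server(
        lambda r, w: handle_attacker(r, w, rules, records.append), "127.0.0.1", 0)
    probe_port = probe.sockets[0].getsockname()[1]
    rules[probe_port] = ("127.0.0.1", hp_port)
    reader, writer = await asyncio.open_connection("127.0.0.1", probe_port)
    writer.write(payload)
    await writer.drain()
    reply = await reader.readexactly(len(payload))
    writer.close()
    await writer.wait_closed()
    probe.close()
    honeypot.close()
    return reply, records


def run_roundtrip(payload):
    """Synchronous wrapper around the loopback self-test."""
    return asyncio.run(loopback_roundtrip(payload))


if __name__ == "__main__":
    print(probe_addresses("10.0.1.0/29"))
    reply, records = run_roundtrip(b"SSH-2.0-client\r\n")
    print(reply, records)
```

Two design points worth noting: the probe records the attacker's original source before relaying, because after forwarding the honeypot would otherwise only see the probe's address; and a decoy port with no forwarding rule is closed rather than mapped to a default back end, so a misconfigured probe cannot silently route traffic to the wrong honeypot.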
It should be noted that the specific operations of the above steps have been described in detail in the interaction process of the above embodiments, and the technical effects are similar and will not be described again.
A further embodiment of the present invention provides an apparatus for defending against attacks, which is used to execute the method of the above embodiment at the honeypot node side.
As shown in fig. 7, a schematic structural diagram of the device for defending against attacks provided in this embodiment is shown. The device corresponds to a honeypot node, and the device 50 for defending against attacks includes a first receiving module 51, a collecting module 52 and a processing module 53.
The first receiving module is used for receiving access requests of attackers forwarded by the probe nodes; the collecting module is used for collecting attack behavior information according to each access request; and the processing module is used for extracting attack behavior characteristics according to the attack behavior information and is used for defending attacks.
Regarding the apparatus in the present embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and the technical effects thereof are similar, and will not be elaborated herein.
The present invention further provides a supplementary explanation of the device provided in the above embodiment.
As a practical manner, on the basis of the foregoing embodiments, optionally, the processing module is specifically configured to:
and performing correlation, aggregation and noise reduction processing on the attack behavior information to obtain the attack behavior characteristics.
As another implementable manner, on the basis of the foregoing embodiment, optionally, the method further includes:
and the alarm module is used for carrying out alarm processing if the attacker launches the attack based on the attack behavior characteristics.
As another implementable manner, on the basis of the foregoing embodiment, optionally, the method further includes:
the sending module is used for sending the attack behavior information to the management server;
correspondingly, according to the attack behavior information, the specific operation of extracting the attack behavior characteristics can be executed by the management server, namely, the attack behavior information is associated, aggregated and subjected to noise reduction processing to obtain the attack behavior characteristics. The management server can also send the attack behavior characteristics to a log server, and the log server can store or output the attack behavior characteristics.
The specific manner in which the respective modules perform operations has been described in detail in relation to the apparatus in this embodiment, and will not be elaborated upon here.
It should be noted that the respective implementable modes in the embodiment may be implemented individually, or may be implemented in combination in any combination without conflict, and the present invention is not limited thereto.
In another embodiment of the present invention, a device for defending against attacks is provided, which is used to execute the method of the above-mentioned embodiment on the probe node side.
As shown in fig. 8, a schematic structural diagram of the device for defending against attacks provided in this embodiment is shown. The apparatus corresponds to a probe node, and the apparatus 70 for defending against attacks includes a second receiving module 71 and a forwarding module 72.
The second receiving module is used for receiving an access request initiated by an attacker; and the forwarding module is used for forwarding the access request to the honeypot node so that the honeypot node collects the behavior information of the attacker according to the access request.
The specific manner in which the respective modules perform operations has been described in detail in relation to the apparatus in this embodiment, and will not be elaborated upon here.
Yet another embodiment of the present invention provides an electronic device for performing the method provided by the above-mentioned honeypot node side embodiment.
Fig. 9 is a schematic structural diagram of the electronic device provided in this embodiment. The electronic device 80 includes: at least one processor 81 and memory 82;
the memory stores computer-executable instructions; the at least one processor executes the memory-stored computer-executable instructions to cause the at least one processor to perform the method as provided by any of the above honeypot node-side embodiments.
Yet another embodiment of the present invention provides an electronic device for performing the method provided by the above-mentioned probe node side embodiment.
As shown in fig. 10, a schematic structural diagram of the electronic device provided in this embodiment is shown. The electronic device 90 includes: at least one processor 91 and memory 92;
the memory stores computer-executable instructions; the at least one processor executes computer-executable instructions stored by the memory to cause the at least one processor to perform the method as provided by any of the probe node side embodiments above.
Yet another embodiment of the present invention provides a computer-readable storage medium, in which computer-executable instructions are stored, and when the processor executes the computer-executable instructions, the method provided by any one of the above honeypot node-side embodiments is implemented.
Yet another embodiment of the present invention provides a computer-readable storage medium, in which computer-executable instructions are stored, and when the processor executes the computer-executable instructions, the method provided by any one of the above embodiments on the probe node side is implemented.
Another embodiment of the present invention provides a defense system, as shown in fig. 11, which is a schematic structural diagram of the defense system provided in this embodiment. The defense system includes: honeypot nodes and a plurality of probe nodes.
Each probe node is connected with the honeypot node through a forwarding port;
the probe node is a node set in a preset network according to an IP segment range configured by the user, and is used for listening on the service of a target port, receiving an access request of an attacker and forwarding the access request to the honeypot node; the honeypot node is used for receiving the access requests of attackers forwarded by the probe nodes, collecting attack behavior information and extracting attack behavior characteristics according to the attack behavior information.
In order to further reduce the equipment configuration cost and improve configuration flexibility, virtualization technology can be adopted to virtualize a large number of probe nodes in the network, so that the deployment of physical equipment is reduced.
In order to reduce the information processing burden of the high-interaction honeypot nodes, part of functions of the honeypot nodes in the defense system can be separated and processed by a back-end server.
Optionally, the defense system may further include: a management server and a log server;
the management server is used for receiving the attack behavior information sent by the honeypot nodes, extracting attack behavior characteristics based on the attack behavior information and sending the attack behavior characteristics to the log server;
and the log server is used for outputting the attack behavior characteristics.
According to the defense system of this embodiment, a large number of probe nodes are deployed, the probe nodes forward the received access requests to the honeypot nodes, and the honeypot nodes collect a large amount of attack behavior information according to the access requests; attack behavior characteristics can then be extracted from the attack behavior information and formed into rules for active defense. In this way, monitoring over a larger range is achieved on the basis of a small number of high-interaction honeypots, cost is effectively reduced, deployment and implementation are simple and few resources are occupied, which solves the problems in the prior art that the honeypot function is difficult to bring into play and the protection range is not comprehensive.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (11)

1. A method of defending against an attack, comprising:
receiving access requests of attackers forwarded by a plurality of probe nodes;
collecting attack behavior information according to each access request;
and extracting attack behavior characteristics according to the attack behavior information for defending attacks.
2. The method according to claim 1, wherein extracting the attack behavior feature according to the attack behavior information comprises:
and performing correlation, aggregation and noise reduction processing on the attack behavior information to obtain the attack behavior characteristics.
3. The method of claim 1, further comprising:
and if it is determined, based on the attack behavior characteristics, that an attacker launches an attack, carrying out alarm processing.
4. The method of any of claims 1-3, wherein after collecting attack behavior information according to each of the access requests, the method further comprises:
sending the attack behavior information to a management server;
the extracting attack behavior characteristics according to the attack behavior information comprises:
and the management server processes the attack behavior information and extracts attack behavior characteristics.
5. A method of defending against an attack, comprising:
receiving an access request initiated by an attacker;
and forwarding the access request to a honeypot node so that the honeypot node collects attacker behavior information according to the access request and is used for defending against attacks.
6. An apparatus for defending against attacks, comprising:
the first receiving module is used for receiving the access request of the attacker forwarded by each probe node;
the collecting module is used for collecting attack behavior information according to each access request;
and the processing module is used for extracting attack behavior characteristics according to the attack behavior information and is used for defending attacks.
7. An apparatus for defending against attacks, comprising:
the second receiving module is used for receiving an access request initiated by an attacker;
and the forwarding module is used for forwarding the access request to the honeypot node so that the honeypot node collects attacker behavior information according to the access request and is used for defending against attacks.
8. An electronic device, comprising: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executing the computer-executable instructions stored by the memory causes the at least one processor to perform the method of any one of claims 1-5.
9. A computer-readable storage medium having computer-executable instructions stored thereon which, when executed by a processor, implement the method of any one of claims 1-5.
10. A defence system, characterized in that it comprises: a honeypot node and a plurality of probe nodes;
the probe node is connected with the honeypot node through a forwarding port;
the probe node is a node which is set in a preset network according to an IP section range configured by a user and is used for monitoring a target port service, receiving an access request of an attacker and forwarding the access request to the honeypot node;
the honeypot nodes are used for receiving access requests of attackers forwarded by the probe nodes, collecting attack behavior information and extracting attack behavior characteristics according to the attack behavior information so as to defend attacks.
11. The system of claim 10, wherein the probe node is a virtual node disposed in a predetermined network.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010902404.5A CN112134854A (en) 2020-09-02 2020-09-02 Method, device, equipment, storage medium and system for defending attack

Publications (1)

Publication Number Publication Date
CN112134854A true CN112134854A (en) 2020-12-25

Family

ID=73848746

Country Status (1)

Country Link
CN (1) CN112134854A (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112637226A (en) * 2020-12-28 2021-04-09 成都知道创宇信息技术有限公司 Site access response method and device and electronic equipment
CN112738128A (en) * 2021-01-08 2021-04-30 广州锦行网络科技有限公司 Novel honeypot networking method and honeypot system
CN112910907A (en) * 2021-02-07 2021-06-04 深信服科技股份有限公司 Defense method, device, client, server, storage medium and system
CN112995151A (en) * 2021-02-08 2021-06-18 腾讯科技(深圳)有限公司 Access behavior processing method and device, storage medium and electronic equipment
CN113242258A (en) * 2021-05-27 2021-08-10 安天科技集团股份有限公司 Host cluster threat detection method and device
CN113395288A (en) * 2021-06-24 2021-09-14 浙江德迅网络安全技术有限公司 Active defense DDOS system based on SDWAN
CN113542262A (en) * 2021-07-13 2021-10-22 北京华圣龙源科技有限公司 Intelligent early warning method and device for information security threat of information system
CN113572785A (en) * 2021-08-05 2021-10-29 中国电子信息产业集团有限公司第六研究所 Honeypot defense method and device for nuclear power industrial control system
CN113676449A (en) * 2021-07-13 2021-11-19 北京奇艺世纪科技有限公司 Network attack processing method and device
CN114374535A (en) * 2021-12-09 2022-04-19 北京和利时系统工程有限公司 Controller network attack defense method and system based on virtualization technology
CN114499915A (en) * 2021-09-28 2022-05-13 北京卫达信息技术有限公司 Trapping attack method, device and system combining virtual nodes and honeypots
CN114760123A (en) * 2022-04-07 2022-07-15 南京经纬信安科技有限公司 Honey needle and honey pot device and deployment method thereof

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3343869A1 (en) * 2016-12-28 2018-07-04 Deutsche Telekom AG A method for modeling attack patterns in honeypots
CN109889488A (en) * 2018-12-29 2019-06-14 江苏博智软件科技股份有限公司 A kind of industry control network honey net safety protective system based on cloud deployment
CN111314276A (en) * 2019-11-09 2020-06-19 北京长亭未来科技有限公司 Method, device and system for detecting multiple attack behaviors

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20201225