CN112187825A - Honeypot defense method, system, equipment and medium based on mimicry defense - Google Patents


Publication number
CN112187825A
Authority
CN
China
Prior art keywords
honeypot
mimicry
defense
honeypots
subsystem
Prior art date
Legal status
Granted
Application number
CN202011091422.6A
Other languages
Chinese (zh)
Other versions
CN112187825B (en)
Inventor
王涵
卜佑军
江逸茗
陈博
陈韵
蔡翰智
Current Assignee
Network Communication and Security Zijinshan Laboratory
China National Digital Switching System Engineering and Technological R&D Center
Original Assignee
Network Communication and Security Zijinshan Laboratory
China National Digital Switching System Engineering and Technological R&D Center
Priority date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a honeypot defense method, system, equipment and medium based on mimicry defense, applied in the technical field of network security. A virtualization management subsystem is arranged in the control application layer of the honeypot system; it comprises an image management module, a honeypot management module, a virtual network management module and a control scheduler, connected in sequence. The image management module builds mimicry honeypot images with KVM virtual machine image technology to obtain a plurality of virtual high-interaction honeypots and a mimicry honeypot system, all of the honeypots being mimicry honeypots; the honeypot management module manages the honeypots and monitors their state; the virtual network management module controls data access and network communication of the honeypot system; and the control scheduler dynamically switches the mimicry honeypots and the network according to the arbitration result produced over the outputs of the mimicry honeypots. By combining mimicry defense with the honeypot system, the invention improves the safety and controllability of cyberspace security defense.

Description

Honeypot defense method, system, equipment and medium based on mimicry defense
Technical Field
The invention relates to the technical field of network security, and in particular to a honeypot defense method, system, equipment and medium based on mimicry defense.
Background
The Internet is under constant threat from all kinds of network security attacks: attack modes are endless, means vary, and targets differ. Even a minor design oversight during defense can create a serious system vulnerability, and an attacker who exploits it can cause serious harm. The defender must leave no gap in the defense of a system or node to guarantee its safety, yet the defender does not know the attackers, who may come from anywhere in the network, while the system or node is fully exposed to them through the network. In this attack-and-defense game the attacker holds an absolutely dominant, active position and the defender can only react passively.
Active defense techniques have therefore gradually attracted attention from academia and industry. The strategic goal of an active real-time protection model and technology is to judge the current network security situation by means of situational awareness, risk assessment, security detection and the like, and to implement an active protection system for network defense according to that judgment. Active defense is not a single defense technique or class of techniques but a defense system; its aim is to predict and identify unknown attack behaviors and means, respond automatically, or reinforce possible weak points in advance so as to achieve forward-looking defense. Common active defense techniques include intrusion detection, honeypots, mimicry defense and moving target defense.
Intrusion detection techniques fall into two categories: rule-based detection and anomaly-based detection. Rule-based intrusion detection matches the characteristics or behaviors of known malicious programs against rules, so that defensive measures such as blocking and tracing can be taken before the attack is triggered; anomaly-based intrusion detection can detect unknown attacks. Honeynet technology is a mainstream active defense technology that lures attackers into probing, attacking or being trapped by decoy network resources; a honeypot system combined with a firewall, intrusion detection equipment, an alarm module, an intrusion behavior recording module and the like forms such a collection of decoy resources and can actively capture attackers. Mimicry defense is an endogenous security architecture technology: the architecture is naturally immune to unknown vulnerabilities, backdoors and even some unknown viruses and trojans, and, fused effectively with existing passive defense means, it can resist known and unknown attacks in cyberspace. In short, mimicry defense is complementary to, integrable with, and controllable within the existing cyberspace security defense system.
Disclosure of Invention
Technical purpose: in view of the low active defense capability of honeynet technology against unknown attacks in cyberspace in the prior art, the invention discloses a honeypot defense method, system, equipment and medium based on mimicry defense.
Technical scheme: to achieve the above technical purpose, the invention adopts the following technical scheme.
A honeypot defense method based on mimicry defense comprises the following steps:
S1, constructing mimicry honeypots: construct heterogeneous honeypot images, and generate mimicry honeypots and a mimicry honeypot system from the heterogeneous honeypot images through KVM virtual machine image technology;
S2, mimicry honeypot data acquisition: after a mimicry honeypot receives external traffic, collect the response result of the mimicry honeypot;
S3, monitoring the mimicry honeypot response results: arbitrate over all the response results and output an arbitration result that identifies the mimicry honeypots judged to have been attacked;
S4, mimicry honeypot management: dynamically switch the mimicry honeypots and mimicry honeypot systems according to the arbitration result; this includes switching a mimicry honeypot judged to have been attacked for one that has not been attacked, rolling back the attacked mimicry honeypot, and scheduling and switching the mimicry honeypot system to which that mimicry honeypot belongs.
Preferably, in step S1 the image management module constructs the heterogeneous honeypot images as follows:
constructing a heterogeneous honeypot environment: build heterogeneous honeypot environments that run the same upper-layer application on different underlying infrastructure, so that the environments are heterogeneous;
imaging the heterogeneous honeypot environment: create an image of the heterogeneous honeypot environment and convert it into the qcow2 image format.
Preferably, the underlying infrastructure comprises the operating system, database, Web middleware, system services and integrated services; when the heterogeneous honeypot environments are constructed, different operating systems, databases, Web middleware, system services and integrated services are used in the underlying infrastructure, which guarantees heterogeneity among the mimicry honeypots generated from the different heterogeneous honeypot environments.
Preferably, the mimicry honeypot data acquisition in step S2 specifically comprises:
S21, the man-in-the-middle program receives external traffic: in the virtualization management subsystem of the control application layer, the man-in-the-middle program of the virtual network management module receives the external traffic;
S22, the mimicry honeypots receive the traffic: the man-in-the-middle program forwards the external traffic through the virtual network bridge to each node of the corresponding mimicry honeypot system, each node being a mimicry honeypot;
S23, mimicry honeypot data acquisition: after a mimicry honeypot receives the external traffic, the virtual network management module in the virtualization management subsystem directs the data acquisition subsystem of the acquisition layer to collect the response result of the mimicry honeypot.
A honeypot defense system based on mimicry defense comprises a presentation layer, a control application layer, a data layer and an acquisition layer;
the acquisition layer comprises a plurality of mimicry honeypot systems and a data acquisition subsystem, the data acquisition subsystem collecting internal information, including response results, from the mimicry honeypots in the mimicry honeypot systems;
the data layer comprises a data preprocessing subsystem, a data analysis subsystem and a data storage subsystem; the data preprocessing subsystem receives the internal information of the mimicry honeypots from the data acquisition subsystem, performs preliminary processing on it and sends the result to the data analysis subsystem and the data storage subsystem; the data storage subsystem stores, retrieves and updates data in the database; the data analysis subsystem analyzes the access traffic of the mimicry honeypots and produces an analysis result;
the control application layer comprises a service center subsystem and a virtualization management subsystem, connected to each other; the service center subsystem handles service configuration, data combination and management scheduling configuration, specifically querying and managing data in the data storage subsystem and reading the mimicry honeypot access traffic analysis result from the data analysis subsystem; the virtualization management subsystem configures and manages the virtualization resources of the mimicry honeypots;
the presentation layer comprises a graphical interactive interface system connected to the service center subsystem, through which the user operates the system, views data and configures it.
Preferably, the virtualization management subsystem comprises an image management module, a honeypot management module, a virtual network management module and a control scheduler, connected in sequence. The image management module builds mimicry honeypot images through KVM virtual machine image technology and obtains a plurality of virtual high-interaction mimicry honeypots and mimicry honeypot systems; the honeypot management module manages the honeypots and monitors their state; the virtual network management module controls data access and network communication of the mimicry honeypot system; and the control scheduler dynamically switches the mimicry honeypots and the mimicry honeypot system according to the arbitration result produced over the outputs of the mimicry honeypots.
Preferably, the image management module comprises a mimicry honeypot imaging function module, an import/export function module and an instantiation function module, connected in sequence. The mimicry honeypot imaging function module builds the mimicry honeypot environment and creates an image of it; the environment comprises a Web application environment, operating system, database, Web middleware, system services and integrated services. The import/export function module imports and exports images, modifies the mimicry honeypot environment and reuses honeypot environments across the plurality of mimicry honeypot systems. The instantiation function module instantiates the prepared images through KVM virtual machine image technology to obtain a plurality of virtual high-interaction honeypots and mimicry honeypot systems.
Preferably, the service center subsystem comprises a behavior capture module, a threat analysis module, a trapping situation analysis module and a system management module. The behavior capture module captures data on external illegal attack behaviors, specifically honeypot access, command execution, raw traffic and file changes; the threat analysis module uses the behavior analysis engine to analyze in depth all attack sessions captured by the honeypots, so that the interactive commands between honeypot and attacker can be displayed on an attack timeline; the trapping situation analysis module uses correlation analysis to build a trapping analysis model and monitors the overall trapping attack situation in real time; and the system management module lets the user manage honeypot nodes and dynamically display the honeypot network.
An electronic device comprises a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing any of the honeypot defense methods based on mimicry defense described above when executing the program.
A computer-readable storage medium stores computer-executable instructions for performing any of the honeypot defense methods based on mimicry defense described above.
Beneficial effects: the invention integrates mimicry defense into the honeypot system and rolls back an attacked mimicry honeypot on the basis of analyzing the response information of the mimicry honeypots, thereby improving the safety, complementarity, integration and controllability of cyberspace security defense.
Drawings
FIG. 1 is a schematic diagram of the system of the present invention;
FIG. 2 is a schematic diagram of a virtual network management module according to the present invention;
FIG. 3 is a schematic diagram of the operation of the mimicry honeypot network topology of the present invention;
FIG. 4 is a schematic diagram of the man-in-the-middle program response switch of the present invention;
FIG. 5 is a schematic diagram of the operation of the data acquisition subsystem of the present invention;
FIG. 6 is a schematic diagram of the operation of the data pre-processing subsystem of the present invention;
FIG. 7 is a functional block diagram of the data preprocessing subsystem of FIG. 6;
FIG. 8 is a general process flow diagram of the present invention.
Detailed Description
The invention discloses a honeypot defense method, system, equipment and medium based on mimicry defense; the scheme is further explained below with reference to the drawings and the embodiment.
As shown in FIG. 1, a honeypot defense system based on mimicry defense comprises a presentation layer, a control application layer, a data layer and an acquisition layer;
the acquisition layer comprises a data acquisition subsystem that collects data from a plurality of honeypots. As shown in FIG. 5, the data acquisition subsystem is implemented mainly as an acquisition monitor deployed inside the honeypot, or inside an application carried by the honeypot, so that access, command execution, file changes, application changes and the like in the honeypot are captured. The subsystem also stores all honeypot access traffic split into packet captures: the traffic acquisition module encapsulates and stores the access traffic and forwards the raw traffic data to the traffic analysis engine for dedicated analysis of threat behavior. The acquisition layer collects data inside the honeypots by three kinds of method: the built-in acquisition service, the instrumented application service and the traffic acquisition service. The built-in acquisition service is a software service preinstalled in the honeypot that collects data on changes in the honeypot's internal state; the instrumented application service instruments the application software environment of the honeypot and collects application data from inside it; the traffic acquisition service receives the external traffic distributed by the man-in-the-middle program and collects, modifies and distributes all data of the honeypots. The man-in-the-middle program receives external traffic and distributes it to the mimicry honeypot system, and the traffic acquisition service collects all traffic flowing to the mimicry honeypot system, that is, the traffic distributed by the man-in-the-middle program.
Built-in acquisition monitor: a hidden acquisition monitor is installed in the honeypot to collect information such as the system running state, system logs, service running status, file changes and command execution.
Application instrumentation: high-interaction honeypots must expose software environments such as highly interactive Web applications and databases to the outside. To obtain the most accurate internal runtime information of the application, the open-source software environment must be modified at source and recompiled so that the application information is fed into the built-in acquisition service.
Traffic acquisition: the traffic acquisition module captures and retains all raw traffic accessing the honeypot and encapsulates it into PCAP-format capture files, which can be used for replay and analysis. All raw traffic can also be forwarded to the traffic analysis module in the data analysis subsystem for analysis of malicious behavior.
The data layer comprises a data preprocessing subsystem, a data analysis subsystem and a data storage subsystem. The data preprocessing subsystem receives the honeypot data sent by the data acquisition subsystem, performs preliminary processing on it and sends the processed data to the data analysis subsystem and the data storage subsystem; it is the module that performs the preliminary processing of the data collected by the data acquisition subsystem, and the data it processes are shown in FIGS. 6 and 7.
The data storage subsystem stores, retrieves and updates data in the database. The data analysis subsystem analyzes the access traffic of the mimicry honeypots and produces an analysis result; it comprises the following modules:
(1) Traffic analysis module: analyzes the access traffic of all honeypots according to an analysis policy, outputs threat alarms, and splits and stores the traffic as PCAP files.
(2) Behavior analysis module: collects, analyzes and captures data on external illegal attack behaviors such as honeypot access, command execution, raw traffic and file changes. The system not only monitors connections to the honeypot's simulated services and directly obtains external connection data (attacker IP, attacker port, destination IP, destination port, protocol type and other network information), but also captures the complete attack behavior, that is, the whole process from the attacker's scanning, through authentication and infiltration, to uploading a file sample after successful infiltration and making outbound connections.
(3) Threat analysis module: the system uses the behavior analysis engine to analyze in depth all attack sessions captured by the honeypots, so that the interactive commands between honeypot and attacker are analyzed along an attack timeline. When an analysis policy is hit, the corresponding risk analysis is given, so that the user learns of the existing risk in time. The raw attack traffic packets, file samples and other content can be downloaded. Using a correlation analysis engine, the system correlates the attacks captured by the honeypots and can identify attacker IP, MAC address, geographic location, executed commands, credential information, penetration request data, file operation information, process information and the like. By constructing a kill chain, every link of the attacker's intrusion is presented visually, the attack path can be replayed, and corresponding risk analysis and handling suggestions are provided.
(4) Output arbitration module: collects data in real time from the heterogeneous honeypots (which serve the same upper-layer application on different underlying infrastructure), analyzes it and determines whether any action that could compromise a honeypot has occurred. At least 3 heterogeneous honeypots take part in the comparison, and the compared content is mainly behavior records and alarm data. After analysis and comparison the arbitration result is produced: the feedback result of one of the honeypots that has not been compromised is chosen at random and sent to the man-in-the-middle program, and the honeypot management module in the virtualization management subsystem is informed whether the mimicry honeypot needs to be rolled back.
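The arbitration and switching described in steps S1 to S4 and in the output arbitration module above, as an added example that is not the patent's own code: a majority vote over the outputs of at least three heterogeneous honeypots, a random choice of a non-compromised response for the man-in-the-middle program, and the S4 swap-and-rollback scheduling. Honeypot names, response bodies and monitor alerts are constructed, and the volatile-header stripping in `fingerprint` is an assumed normalization.

```python
"""Added example (not the patent's code): majority-vote output arbitration over
>= 3 heterogeneous mimicry honeypots, then the S4 switch/rollback scheduling.
All honeypot names, responses and alerts are constructed."""
from __future__ import annotations

import hashlib
import random
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class HoneypotReport:
    """What the data acquisition subsystem returns for one honeypot and one request."""
    name: str                             # hypothetical honeypot id
    response: bytes                       # raw response the honeypot produced
    monitor_alerts: tuple[str, ...] = ()  # alerts from the built-in acquisition monitor


@dataclass
class Verdict:
    healthy: list[str]
    compromised: list[str]
    chosen: Optional[str]   # honeypot whose response the man-in-the-middle forwards
    rollback: list[str]     # honeypots the honeypot management module must roll back


# Header fields that legitimately differ between heterogeneous back ends (an IIS
# and a Tomcat host serving the same CMS) and must not count as divergence.
_VOLATILE = re.compile(rb"^(Server|Date|Set-Cookie|X-Powered-By):[^\n]*\n", re.M)


def fingerprint(response: bytes) -> str:
    """Hash the response with volatile headers and all whitespace removed."""
    body = _VOLATILE.sub(b"", response.replace(b"\r\n", b"\n"))
    return hashlib.sha256(b"".join(body.split())).hexdigest()


def arbitrate(reports: list[HoneypotReport], rng: Optional[random.Random] = None) -> Verdict:
    """Step S3: compare the honeypots' outputs and decide which ones are trustworthy."""
    if len(reports) < 3:
        raise ValueError("mimicry arbitration needs at least 3 heterogeneous honeypots")
    rng = rng or random.Random()
    names = [r.name for r in reports]
    fps = {r.name: fingerprint(r.response) for r in reports}
    majority_fp, votes = Counter(fps.values()).most_common(1)[0]
    # No strict majority: there is no trusted reference output, so forward nothing
    # and roll every honeypot in the set back to a clean snapshot.
    if votes * 2 <= len(reports):
        return Verdict(healthy=[], compromised=names, chosen=None, rollback=list(names))
    # A honeypot is judged attacked if its output diverges from the majority or its
    # built-in monitor raised an alert (file change, command execution, ...).
    compromised = [r.name for r in reports if fps[r.name] != majority_fp or r.monitor_alerts]
    healthy = [n for n in names if n not in compromised]
    chosen = rng.choice(healthy) if healthy else None   # random non-attacked feedback
    return Verdict(healthy, compromised, chosen, list(compromised))


@dataclass
class MimicryPool:
    """Active honeypots behind the virtual bridge plus spares built from other images."""
    active: list[str]
    spares: list[str] = field(default_factory=list)
    rollback_queue: list[str] = field(default_factory=list)

    def apply(self, verdict: Verdict) -> list[tuple[str, Optional[str]]]:
        """Step S4: swap each attacked honeypot for a spare and queue it for rollback.
        Returns (removed, replacement) pairs; replacement is None when no spare is left."""
        swaps = []
        for name in verdict.rollback:
            if name not in self.active:
                continue
            self.active.remove(name)
            self.rollback_queue.append(name)
            replacement = self.spares.pop(0) if self.spares else None
            if replacement:
                self.active.append(replacement)
            swaps.append((name, replacement))
        return swaps


def demo() -> tuple[Verdict, MimicryPool]:
    """Constructed scenario: three heterogeneous honeypots serve the same CMS page;
    the Ubuntu/MySQL one has been tampered with and its monitor saw a file change."""
    page = b"HTTP/1.1 200 OK\r\n%s\r\nContent-Type: text/html\r\n\r\n<html><body>Welcome</body></html>"
    reports = [
        HoneypotReport("hp-windows-mssql-iis", page % b"Server: Microsoft-IIS/10.0"),
        HoneypotReport("hp-centos-mongo-tomcat", page % b"Server: Apache-Coyote/1.1"),
        HoneypotReport("hp-ubuntu-mysql-weblogic",
                       page.replace(b"Welcome", b"Defaced") % b"Server: WebLogic",
                       monitor_alerts=("file change: /var/www/index.php",)),
    ]
    verdict = arbitrate(reports, random.Random(7))
    pool = MimicryPool(active=[r.name for r in reports], spares=["hp-debian-redis-tomcat"])
    pool.apply(verdict)
    return verdict, pool


if __name__ == "__main__":
    v, p = demo()
    print("compromised:", v.compromised, "| forwarding response of:", v.chosen)
    print("active now:", p.active, "| rollback queue:", p.rollback_queue)
```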
The control application layer comprises a service center subsystem and a virtualization management subsystem, connected to each other. The service center subsystem handles service configuration, data combination and management scheduling configuration, specifically querying and managing data in the data storage subsystem and reading the mimicry honeypot access traffic analysis result from the data analysis subsystem;
the service center subsystem comprises a behavior capture module, a threat analysis module, a trapping situation analysis module and a system management module. The behavior capture module captures data on external illegal attack behaviors, specifically honeypot access, command execution, raw traffic and file changes; the threat analysis module uses the behavior analysis engine to analyze in depth all attack sessions captured by the honeypots, so that the interactive commands between honeypot and attacker can be displayed on an attack timeline; the trapping situation analysis module uses correlation analysis to build a trapping analysis model and monitors the overall trapping attack situation in real time; and the system management module lets the user manage honeypot nodes and dynamically display the honeypot network. The specific contents are as follows:
(1) Behavior capture: calls the analysis system to collect the captured data on external illegal attack behaviors such as honeypot access, command execution, raw traffic and file changes. The system not only monitors connections to the honeypot's simulated services and directly obtains external connection data (attacker IP, attacker port, destination IP, destination port, protocol type and other network information), but also captures the complete attack behavior, that is, the whole process from the attacker's scanning, through authentication and infiltration, to uploading a file sample after successful infiltration and making outbound connections.
(2) Threat analysis: the system uses the behavior analysis engine to analyze in depth all attack sessions captured by the honeypots and displays the interactive commands between honeypot and attacker on an attack timeline. When an analysis policy is hit, the corresponding risk analysis is given, so that the user learns of the existing risk in time. The raw attack traffic packets, file samples and other content can be downloaded. Using a correlation analysis engine, the system correlates the attacks captured by the honeypots and can identify attacker IP, MAC address, geographic location, executed commands, credential information, penetration request data, file operation information, process information and the like. By constructing a kill chain, every link of the attacker's intrusion is presented visually, the attack path can be replayed, and corresponding risk analysis and handling suggestions are provided.
(3) Trapping situation analysis: the system builds a trapping analysis model using correlation analysis and visually and dynamically analyzes and displays the global attack source situation, the national attack source situation, the honeypot network topology, the proportions of attack types, the trend of honeypot trapping traffic, the latest trapping behaviors, alarm information and the like; it monitors the overall trapping attack situation in real time from multiple dimensions and perspectives, improves readability, and makes the attack and defense dynamics clear at a glance.
(4) System management: the system provides a honeypot management module that supports viewing the deployment information, network connections, process state and the like of honeypots; running, restarting, suspending and stopping deployed honeypot nodes; and settings such as periodically accessing honeypot nodes to generate service traffic, periodically updating the time shown on simulated web pages and updating data in the camouflage service system, which makes it easy for users to manage honeypot nodes. The system provides a network topology visualization window in which a honeypot network deployment diagram can be drawn manually to generate a honeypot topology, giving a dynamic display of the honeypot network. The system provides a white list function: the user can configure a white list of attacker IPs and suspicious files, after which the system no longer records those attacker IPs and that suspicious file information, making it convenient to plan the alarm mechanism.
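The behavior capture and threat analysis described in items (1) and (2) above, as an added example that is not the patent's own code: constructed acquisition-layer events (JSON lines) are grouped into per-attacker sessions, placed on the kill chain the page lists (scanning, authentication, infiltration, file upload, outbound connection), given a risk level, and filtered by the system management white list. The event field names, event-type-to-stage mapping and risk levels are hypothetical.

```python
"""Added example (not the patent's code): reconstruct attack sessions from
constructed honeypot acquisition events and place each attacker on the kill
chain. Field names, event types and risk levels are hypothetical."""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Kill-chain stages in the order the page lists them.
STAGES = ("scanning", "authentication", "infiltration", "file_upload", "outbound_connection")
# Hypothetical mapping from acquisition event type to kill-chain stage.
STAGE_OF = {"connect": "scanning", "auth_success": "authentication", "command": "infiltration",
            "file_upload": "file_upload", "outbound": "outbound_connection"}
# Hypothetical risk level assigned when an attacker reaches a given stage.
RISK_OF_STAGE = {"scanning": "low", "authentication": "medium", "infiltration": "high",
                 "file_upload": "critical", "outbound_connection": "critical"}

# Constructed JSON-lines output of the built-in monitor and traffic acquisition service
# (documentation IP ranges; 10.0.0.2 plays an internal scanner on the white list).
SAMPLE_EVENTS = """\
{"ts":"2020-10-12T08:00:01Z","type":"connect","src_ip":"198.51.100.7","src_port":51000,"dst_port":22,"proto":"tcp"}
{"ts":"2020-10-12T08:00:02Z","type":"connect","src_ip":"198.51.100.7","src_port":51001,"dst_port":80,"proto":"tcp"}
{"ts":"2020-10-12T08:00:03Z","type":"connect","src_ip":"198.51.100.7","src_port":51002,"dst_port":3306,"proto":"tcp"}
{"ts":"2020-10-12T08:01:10Z","type":"auth_success","src_ip":"198.51.100.7","service":"ssh","user":"admin"}
{"ts":"2020-10-12T08:01:30Z","type":"command","src_ip":"198.51.100.7","cmd":"uname -a"}
{"ts":"2020-10-12T08:02:05Z","type":"file_upload","src_ip":"198.51.100.7","path":"/tmp/update.sh"}
{"ts":"2020-10-12T08:02:40Z","type":"outbound","src_ip":"198.51.100.7","dst_ip":"203.0.113.9","dst_port":4444}
{"ts":"2020-10-12T08:05:00Z","type":"connect","src_ip":"192.0.2.5","src_port":40000,"dst_port":80,"proto":"tcp"}
{"ts":"2020-10-12T08:06:00Z","type":"connect","src_ip":"10.0.0.2","src_port":40001,"dst_port":80,"proto":"tcp"}
"""


@dataclass
class AttackSession:
    attacker_ip: str
    timeline: list[tuple[str, str, dict]] = field(default_factory=list)  # (ts, stage, event)

    def stages_reached(self) -> list[str]:
        seen = {stage for _, stage, _ in self.timeline}
        return [s for s in STAGES if s in seen]

    def furthest_stage(self) -> str:
        return self.stages_reached()[-1]

    def risk(self) -> str:
        return RISK_OF_STAGE[self.furthest_stage()]

    def ports_probed(self) -> list[int]:
        return sorted({ev["dst_port"] for _, stage, ev in self.timeline if stage == "scanning"})


def describe(ev: dict) -> str:
    """One-line attack-timeline entry for an event (hypothetical rendering)."""
    t = ev["type"]
    if t == "connect":
        return f"connect {ev['proto']}/{ev['dst_port']}"
    if t == "auth_success":
        return f"login {ev['service']} as {ev['user']}"
    if t == "command":
        return f"exec {ev['cmd']}"
    if t == "file_upload":
        return f"upload {ev['path']}"
    if t == "outbound":
        return f"outbound {ev['dst_ip']}:{ev['dst_port']}"
    return t


def build_sessions(jsonl: str, allowlist: frozenset[str] = frozenset()) -> dict[str, AttackSession]:
    """Group events by attacker IP in time order. White-listed IPs are dropped
    before anything is recorded, as the system management module specifies."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    sessions: dict[str, AttackSession] = {}
    for ev in events:
        ip = ev["src_ip"]
        if ip in allowlist or ev["type"] not in STAGE_OF:
            continue
        sessions.setdefault(ip, AttackSession(ip)).timeline.append((ev["ts"], STAGE_OF[ev["type"]], ev))
    return sessions


def report(sessions: dict[str, AttackSession]) -> list[str]:
    """Attack timelines, most advanced attacker first, as the threat analysis view would show."""
    lines = []
    ordered = sorted(sessions.values(), key=lambda s: STAGES.index(s.furthest_stage()), reverse=True)
    for s in ordered:
        lines.append(f"{s.attacker_ip}: risk={s.risk()} stages={'>'.join(s.stages_reached())}")
        for ts, stage, ev in s.timeline:
            lines.append(f"  {ts} [{stage}] {describe(ev)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(build_sessions(SAMPLE_EVENTS, allowlist=frozenset({"10.0.0.2"})))))
```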
The virtualization management subsystem configures and manages the virtualization resources. The honeypot part of the mimicry honeypot technology mainly implements high-interaction honeypots, realized as virtual honeypots by virtualizing physical hardware with KVM. Once resources have been converted into virtual machines and turned into honeypots, network configuration management is performed and dynamic control scheduling is implemented according to the technical requirements of the mimicry honeypot. To realize these functions, the virtualization management subsystem needs 4 main parts: an image management module, a honeypot management module, a virtual network management module and a control scheduler.
The virtualization management subsystem comprises an image management module, a honeypot management module, a virtual network management module and a control scheduler, connected in sequence. The image management module builds mimicry honeypot images through KVM virtual machine image technology and obtains a plurality of virtual high-interaction honeypots and mimicry honeypot systems, all of the honeypots being mimicry honeypots. Image management is implemented on KVM image technology and consists of three main functions, heterogeneous honeypot imaging, import/export and instantiation; accordingly the image management module comprises a mimicry honeypot imaging function module, an import/export function module and an instantiation function module, connected in sequence.
(1) Heterogeneous honeypot imaging: implementing mimicry honeypot technology first requires building heterogeneous honeypots with the same upper-layer application and different underlying infrastructure. The design builds the same Web application on the upper layer and uses different operating systems and middleware on the lower layer to achieve heterogeneity. The mimicry honeypot environment comprises a Web application environment, operating system, database, Web middleware, system services and integrated services. In some embodiments the Web application environment includes Emulation OA, a Docker registry and WordPress; the operating systems include Windows and Linux; the databases include MS SQL, MySQL, MongoDB and Redis; the Web middleware includes WebLogic, Tomcat and Struts 2; the system services include SSH, Telnet and RDP; and the integrated services include the RESP protocol, the HTTP protocol and the Mongo Wire protocol. When the heterogeneous honeypot environments are constructed, different operating systems, databases, Web middleware, system services and integrated services are used in the underlying infrastructure, which guarantees the heterogeneity of the mimicry honeypots generated from the different heterogeneous honeypot environments.
In some embodiments, the construction environment of the heterogeneous honeypots is shown in Table 1:
[Table 1: construction environment of the heterogeneous honeypots (image in the original, not reproduced)]
As Table 1 shows, in this environment the externally uniform Web application is a CMS system (Catfish v4.8.54 on the PHP v5.4.16 runtime), while the specific environment inside each honeypot (operating system, database, Web middleware) is made heterogeneous. Once a heterogeneous honeypot environment has been built, it is captured as an image and converted to the qcow2 image format used by KVM so that it can be reused.
(2) Import and export: implements importing and exporting of images; it is used to modify a honeypot's base environment and to reuse a honeypot environment across multiple mimicry honeypot systems.
(3) Instantiation: making a honeypot image is essentially development-stage work. At system configuration and run time the prepared images must be instantiated, that is, turned into a number of virtual high-interaction honeypot hosts, which are then networked through the virtual network management module. Instantiation allocates system resources (CPU, memory, disk, network interface and so on) to virtual machines through KVM; with this function a prefabricated image becomes a high-interaction honeypot.
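The image pipeline of steps (1) to (3), as an added example that is not code from the patent: a small Python module that describes a set of heterogeneous variants, checks that they satisfy the heterogeneity requirement (identical upper-layer application, no two variants with the same underlying stack), and emits the `qemu-img` conversion to qcow2 and a libvirt domain definition whose network interface attaches to an Open vSwitch bridge. The variant list, image paths, bridge name and sizing are assumptions.

```python
"""Added example (not from the patent): heterogeneity check and KVM
instantiation artefacts for a mimicry honeypot group."""
from dataclasses import dataclass
import shlex
import xml.etree.ElementTree as ET


@dataclass(frozen=True)
class Variant:
    name: str
    web_app: str        # the uniform facade; must be identical across variants
    os: str
    database: str
    middleware: str
    image: str          # path of the built environment image (any qemu-img input format)


# Constructed sample: same Web application, three different underlying stacks.
VARIANTS = [
    Variant("hp-a", "Catfish CMS v4.8.54 / PHP 5.4.16", "Linux", "MySQL", "Tomcat", "/img/hp-a.vmdk"),
    Variant("hp-b", "Catfish CMS v4.8.54 / PHP 5.4.16", "Windows", "MS SQL", "WebLogic", "/img/hp-b.vhd"),
    Variant("hp-c", "Catfish CMS v4.8.54 / PHP 5.4.16", "Linux", "MongoDB", "Struts 2", "/img/hp-c.raw"),
]


def check_heterogeneity(variants):
    """Return a list of problems; an empty list means the set is usable as a mimicry group.
    A differing upper-layer application would itself reveal which replica answered, and
    two variants on the same stack fall to the same exploit chain, defeating arbitration."""
    problems = []
    apps = {v.web_app for v in variants}
    if len(apps) > 1:
        problems.append(f"upper-layer application differs across variants: {sorted(apps)}")
    seen = {}
    for v in variants:
        stack = (v.os, v.database, v.middleware)
        if stack in seen:
            problems.append(f"{v.name} and {seen[stack]} share the same stack {stack}")
        seen.setdefault(stack, v.name)
    return problems


def convert_cmd(v, out_dir="/var/lib/libvirt/images"):
    """qemu-img invocation that turns the built environment into a qcow2 image."""
    return shlex.join(["qemu-img", "convert", "-O", "qcow2", v.image, f"{out_dir}/{v.name}.qcow2"])


def domain_xml(v, bridge="br-honey", memory_mib=2048, vcpus=2):
    """libvirt domain definition: qcow2 disk plus a virtio NIC on an OVS bridge."""
    dom = ET.Element("domain", type="kvm")
    ET.SubElement(dom, "name").text = v.name
    ET.SubElement(dom, "memory", unit="MiB").text = str(memory_mib)
    ET.SubElement(dom, "vcpu").text = str(vcpus)
    os_el = ET.SubElement(dom, "os")
    ET.SubElement(os_el, "type", arch="x86_64").text = "hvm"
    dev = ET.SubElement(dom, "devices")
    disk = ET.SubElement(dev, "disk", type="file", device="disk")
    ET.SubElement(disk, "driver", name="qemu", type="qcow2")
    ET.SubElement(disk, "source", file=f"/var/lib/libvirt/images/{v.name}.qcow2")
    ET.SubElement(disk, "target", dev="vda", bus="virtio")
    nic = ET.SubElement(dev, "interface", type="bridge")
    ET.SubElement(nic, "source", bridge=bridge)
    ET.SubElement(nic, "virtualport", type="openvswitch")   # tap lands on OVS, not a Linux bridge
    ET.SubElement(nic, "model", type="virtio")
    return ET.tostring(dom, encoding="unicode")


if __name__ == "__main__":
    assert not check_heterogeneity(VARIANTS), check_heterogeneity(VARIANTS)
    for v in VARIANTS:
        print(convert_cmd(v))
        print(domain_xml(v))
```

The generated XML is what `virsh define` consumes; the `virtualport type="openvswitch"` element is what makes libvirt create the guest's tap device as an OVS port rather than a Linux bridge port, which is the prerequisite for the flow-rule control described under the virtual network management module.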
The honeypot management module manages honeypots and monitors their state. Its operations are: honeypot deletion; start, suspend and stop; snapshot; rollback; scheduled access; and settings. Deletion stops and removes a honeypot and releases the resources it occupied. Start, suspend and stop: a honeypot in the suspended or stopped state can be returned to the active state; an active honeypot can be suspended, after which it is not reachable; and an active honeypot can be shut down and stopped. Snapshot saves the honeypot's current state, so that the honeypot can later be reset to any saved snapshot. Rollback resets a honeypot to a chosen saved historical snapshot. Scheduled access: once a honeypot has been built, a long period without any access makes it easy for an attacker to become suspicious after logging in, so this function periodically generates access to the honeypot's Web interface or traffic to its operating system. Settings: the configuration of a created honeypot can be modified, for example to start or stop its applications and the corresponding ports.
As shown in Fig. 2, the virtual network management module controls the data access and network communication of the honeypot systems; in detail:
(1) Physical network interface ens192: connected to a switch or router. If VLANs are to be used, the switch port that the physical link attaches to must be configured as a trunk that lets all assigned VLANs through; untagged frames are placed in the port's native VLAN (PVID) as configured on the switch, which need not be VLAN 1.
(2) Open vSwitch (OVS): connects the virtual network interfaces of all general honeypots with the host's physical interface, so that the general honeypots are reachable from outside.
(3) General honeypot group: each honeypot node is a virtual machine whose virtual network interface attaches to OVS, which provides the honeypot network's connectivity. Seen from the host, each virtual machine's network interface is a tun/tap device: one end is presented inside the virtual machine through a driver as the guest's "physical" network interface, and the other end is the host-side virtual interface attached to OVS. The virtual machine (honeypot) is therefore externally reachable. All traffic between a honeypot and the outside leaves the "physical" interface inside the honeypot, arrives at the host's virtual machine interface, and is forwarded by OVS to the physical interface ens192. Because all honeypot traffic passes through OVS, it can be controlled with flow rules, which prevents a compromised honeypot from being used for lateral movement and effectively protects the real assets.
(4) Virtual bridge: provides internal network communication for the honeypot nodes of the mimicry honeypot group and ensures that the host and the network of each mimicry honeypot can communicate over this internal network.
(5) Mimicry honeypot nodes: the mimicry honeypot nodes can communicate with each other through the bridge and with the host on which the bridge resides, but cannot be reached directly from outside.
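The flow-rule control of item (3), as an added example that is not the patent's own configuration: a Python module that generates the `ovs-vsctl` commands attaching the uplink and each honeypot tap to the bridge, and an `ovs-ofctl` flow table under which a honeypot tap port may talk only to the uplink, the uplink reaches a honeypot only by its known MAC, and everything else (in particular honeypot-to-honeypot frames) is dropped. `lookup` models the flow-table decision so the policy can be checked without an OVS host. The bridge name, tap names and MAC addresses are assumptions; the commands are emitted as strings for review rather than executed.

```python
"""Added example (not from the patent): OVS isolation rules for the general
honeypot bridge, plus an offline evaluator for the resulting flow table."""

UPLINK = "ens192"            # physical NIC, trunk port on the upstream switch
BRIDGE = "br-honey"

# Constructed sample: host-side tap device of each honeypot VM and its guest MAC.
HONEYPOTS = {"tap-hp-a": "52:54:00:aa:00:01", "tap-hp-b": "52:54:00:aa:00:02"}


def ovs_commands(bridge, uplink, honeypots):
    """ovs-vsctl commands that attach the uplink and every honeypot tap to the bridge."""
    cmds = [f"ovs-vsctl --may-exist add-br {bridge}",
            f"ovs-vsctl --may-exist add-port {bridge} {uplink}"]
    cmds += [f"ovs-vsctl --may-exist add-port {bridge} {tap}" for tap in honeypots]
    return cmds


def flow_rules(uplink, honeypots):
    """Flow table in ovs-ofctl syntax; the most specific rules carry the highest priority."""
    rules = []
    macs = set(honeypots.values())
    for tap, mac in honeypots.items():
        # a honeypot may never address another honeypot's MAC, not even via the uplink
        for other in sorted(macs - {mac}):
            rules.append(f"priority=200,in_port={tap},dl_dst={other},actions=drop")
        rules.append(f"priority=100,in_port={tap},actions=output:{uplink}")
        rules.append(f"priority=100,in_port={uplink},dl_dst={mac},actions=output:{tap}")
    # external broadcasts (ARP from the gateway, scanners) reach every honeypot at once
    rules.append(f"priority=50,in_port={uplink},dl_dst=ff:ff:ff:ff:ff:ff,actions=FLOOD")
    rules.append("priority=0,actions=drop")      # anything unmatched is dropped
    return rules


def ofctl_commands(bridge, rules):
    return [f'ovs-ofctl add-flow {bridge} "{r}"' for r in rules]


def lookup(rules, in_port, dl_dst):
    """Return the action OVS would take for a frame: the highest-priority matching rule."""
    best_prio, best_action = -1, "drop"
    packet = {"in_port": in_port, "dl_dst": dl_dst}
    for rule in rules:
        match, action = rule.split(",actions=")
        fields = dict(kv.split("=", 1) for kv in match.split(","))
        prio = int(fields.pop("priority"))
        if all(packet[k] == v for k, v in fields.items()) and prio > best_prio:
            best_prio, best_action = prio, action
    return best_action


if __name__ == "__main__":
    for c in ovs_commands(BRIDGE, UPLINK, HONEYPOTS) + ofctl_commands(BRIDGE, flow_rules(UPLINK, HONEYPOTS)):
        print(c)
```

Because honeypot-originated frames are only ever output to the uplink, a compromised honeypot cannot ARP for or send to its neighbours; the explicit priority-200 drops additionally catch frames addressed to another honeypot's MAC before they leave the host. The mimicry group itself is not on this bridge: per items (4) and (5) it sits on an internal bridge with no uplink port, reached only through the host.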
The implementation of the man-in-the-middle program is shown in Fig. 3 and Fig. 4 and described in detail as follows:
The man-in-the-middle program receives external traffic and sends it, through the virtual bridge, to every node of the mimicry honeypot group. The data acquisition subsystem collects key state information from inside the honeypots and sends it to the output arbitration module of the data analysis subsystem. After the output arbitration module has analysed and arbitrated, a response is chosen at random from among the honeypots that have not been compromised and returned to the attacker.
Suppose mimicry honeypot A is compromised by an attack (as determined by the output arbitration module). The man-in-the-middle program then switches to returning the corresponding responses of mimicry honeypot B (or C; the choice depends on which honeypots the output arbitration module has determined to be uncompromised, and the switch is fed back accordingly) to the attacker, while mimicry honeypot A is quickly rolled back to its initial state and resumes responding to the attacker's requests. Likewise, when mimicry honeypot B is compromised, the man-in-the-middle program returns only the responses of mimicry honeypot C to the attacker and quickly rolls B back to its initial state. A rolled-back mimicry honeypot continues to receive the messages distributed by the man-in-the-middle program and to execute the attacker's requests. In the extreme case where the output arbitration module identifies all honeypots as compromised, all of them are rolled back and the context is reset. The rollback is initiated by the output arbitration module and executed by the honeypot management module; the man-in-the-middle program distributes the attacker's inputs and switches which feedback is returned.
The control scheduler dynamically switches the mimicry honeypots according to the analysis result of the output arbitration module: it takes the mimicry honeypots that have been compromised offline, switches to those that have not, and schedules and switches the mimicry honeypots' network accordingly. The honeypot management module rolls back the offline mimicry honeypots.
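The fan-out, arbitration, switching and rollback sequence just described, as an added example that is not the patent's code: an in-process Python model of the man-in-the-middle program, the output arbitration module and the control scheduler. The three replicas are simulated; a request's `targets` field stands in for an exploit that only succeeds on particular stacks. The page says arbitration uses the honeypots' internal state and their responses without fixing an algorithm; the concrete choice here (a file-integrity probe against the snapshot, then majority voting on response bodies among replicas the probe considers clean) is my own, as are all names.

```python
"""Added example (not from the patent): man-in-the-middle fan-out, output
arbitration and rollback for a group of simulated mimicry honeypots."""
import random
from collections import Counter

# Assumed location of a successful webshell upload on each simulated stack.
SHELL_PATH = {"tomcat": "/webapps/ROOT/s.jsp", "weblogic": "/wls/s.jsp", "struts2": "/struts/s.jsp"}


class Replica:
    """One heterogeneous high-interaction honeypot with a clean snapshot."""

    def __init__(self, name, stack):
        self.name, self.stack = name, stack
        self.snapshot = {"/var/www/index.php": "cms"}   # initial state
        self.files = dict(self.snapshot)
        self.online = True

    def handle(self, request):
        """Return (headers, body). Headers legitimately differ per stack, so the
        arbiter compares bodies only."""
        headers = {"Server": self.stack}
        if request["path"] == "/":
            return headers, "200 cms index"
        if request["path"] == "/upload":
            if self.stack in request.get("targets", ()):     # exploit succeeds on this stack
                self.files[SHELL_PATH[self.stack]] = request.get("payload", "")
                return headers, "200 uploaded"
            return headers, "403 forbidden"
        return headers, "404 not found"

    def tainted(self):
        """State probe: the internal information the data acquisition subsystem collects."""
        return self.files != self.snapshot

    def rollback(self):
        self.files = dict(self.snapshot)
        self.online = True


def arbitrate(results):
    """results: {name: (headers, body, tainted)} -> set of compromised replica names.
    The state probe is authoritative. Majority voting on the body is applied only
    among replicas the probe considers clean, so two compromised replicas that
    agree with each other cannot outvote the one clean replica."""
    compromised = {n for n, (_, _, tainted) in results.items() if tainted}
    clean = {n: body for n, (_, body, tainted) in results.items() if not tainted}
    if clean:
        majority_body, majority_n = Counter(clean.values()).most_common(1)[0]
        if majority_n * 2 > len(clean):
            compromised |= {n for n, body in clean.items() if body != majority_body}
    return compromised


class MimicryProxy:
    """Man-in-the-middle program plus control scheduler."""

    def __init__(self, replicas, seed=0):
        self.replicas = list(replicas)
        self.rng = random.Random(seed)
        self.log = []                       # (path, sorted compromised names) per request

    def dispatch(self, request):
        for r in self.replicas:             # honeypot management: offline replicas are
            if not r.online:                # rolled back and rejoin before the next request
                r.rollback()
        results = {}
        for r in self.replicas:             # fan-out over the internal bridge
            headers, body = r.handle(request)
            results[r.name] = (headers, body, r.tainted())
        compromised = arbitrate(results)
        for r in self.replicas:             # control scheduler: take compromised replicas offline
            if r.name in compromised:
                r.online = False
        self.log.append((request["path"], sorted(compromised)))
        survivors = [n for n in results if n not in compromised]
        if not survivors:                   # extreme case: every replica compromised, context reset
            return None
        return results[self.rng.choice(survivors)][1]   # random uncompromised replica answers


if __name__ == "__main__":
    proxy = MimicryProxy([Replica("A", "tomcat"), Replica("B", "weblogic"), Replica("C", "struts2")])
    print(proxy.dispatch({"path": "/"}))
    print(proxy.dispatch({"path": "/upload", "targets": ["tomcat"], "payload": "<% ... %>"}))
    print(proxy.log)
```

The attacker who exploits the Tomcat replica receives a "403 forbidden" from an uncompromised replica, exactly the switch the text describes for honeypot A, and the Tomcat replica is clean again by the next request. The ordering in `arbitrate` matters: plain majority voting on responses alone would misjudge the one clean replica whenever two compromised replicas return the same attacker-controlled output, which is why the state probe is consulted first.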
The presentation layer comprises a graphical interface interactive system, the graphical interface interactive system is connected with the service center subsystem, and the graphical interface interactive system is used for a user to operate, view data and configure the system.
As shown in Fig. 8, a honeypot defense method based on mimicry defense, applied to the honeypot defense system based on mimicry defense described above, comprises the following steps:
S1, constructing mimicry honeypots: in the virtualization management subsystem of the control application layer, the image management module constructs heterogeneous honeypot images, from which mimicry honeypots and mimicry honeypot systems are generated by KVM virtual machine image technology;
S2, mimicry honeypot data acquisition: in the virtualization management subsystem of the control application layer, the virtual network management module directs the data acquisition subsystem of the acquisition layer to collect the mimicry honeypots' response results;
S3, monitoring of mimicry honeypot responses: after receiving external traffic, all mimicry honeypots output their respective responses to the data analysis subsystem through the data preprocessing subsystem of the data layer; the output arbitration module in the data analysis subsystem arbitrates over all the responses, analyses and determines which mimicry honeypots have been compromised, and outputs the arbitration result, which is sent to the control scheduler in the service center subsystem of the control application layer;
S4, mimicry honeypot management: the control scheduler dynamically switches the mimicry honeypots and mimicry honeypot systems according to the arbitration result, which includes switching from the mimicry honeypots that have been compromised to mimicry honeypots that have not, rolling back the compromised mimicry honeypots through the honeypot management module, and scheduling and switching the mimicry honeypot systems corresponding to those mimicry honeypots.
In step S1, the image management module constructs the heterogeneous honeypot images as follows:
Constructing the heterogeneous honeypot environment: build heterogeneous honeypot environments with the same upper-layer application on different underlying infrastructure, which produces the heterogeneity. The upper-layer application comprises a Web application environment, which includes an emulated OA system, a Docker registry and WordPress; the underlying infrastructure comprises an operating system, a database, Web middleware, system services and integrated services, where the operating systems include Windows and Linux, the databases include MS SQL, MySQL, MongoDB and Redis, the Web middleware includes WebLogic, Tomcat and Struts 2, the system services include SSH, Telnet and RDP, and the integrated services include the RESP protocol, the HTTP protocol and the MongoDB wire protocol.
Imaging the heterogeneous honeypot environment: capture the heterogeneous honeypot environment as an image and convert it to the qcow2 image format.
The mimicry honeypot data acquisition of step S2 proceeds as follows:
S21, the man-in-the-middle program receives external traffic: in the virtualization management subsystem of the control application layer, the man-in-the-middle program of the virtual network management module receives the external traffic;
S22, the mimicry honeypots receive the traffic: the man-in-the-middle program sends the external traffic it receives, through the virtual bridge, to every node of the corresponding mimicry honeypot system, each node being a mimicry honeypot; the corresponding mimicry honeypot system is selected by the traffic's destination address;
S23, mimicry honeypot data acquisition: after the mimicry honeypots have received the external traffic, the virtual network management module in the virtualization management subsystem directs the data acquisition subsystem of the acquisition layer to collect the mimicry honeypots' response results.
An electronic device comprises a memory, a processor and a computer program stored in the memory and executable on the processor; when executing the program, the processor implements any of the honeypot defense methods based on mimicry defense described above. The memory may be of various types, such as random access memory, read-only memory or flash memory; the processor may be of various types, such as a central processing unit, a microprocessor, a digital signal processor or an image processor.
A computer-readable storage medium stores computer-executable instructions for performing any of the honeypot defense methods based on mimicry defense described above.
The above describes only preferred embodiments of the invention. It should be noted that those skilled in the art can make various modifications and adaptations without departing from the principles of the invention, and these are intended to fall within its scope.

Claims (10)

1. A honeypot defense method based on mimicry defense, characterized by comprising the following steps:
S1, constructing mimicry honeypots: constructing heterogeneous honeypot images, and generating mimicry honeypots and a mimicry honeypot system from the heterogeneous honeypot images by KVM virtual machine image technology;
S2, mimicry honeypot data acquisition: after the mimicry honeypots receive external traffic, collecting the mimicry honeypots' response results;
S3, monitoring of mimicry honeypot responses: arbitrating over all the response results and outputting an arbitration result that includes information on the mimicry honeypots determined to have been compromised;
S4, mimicry honeypot management: dynamically switching the mimicry honeypots and mimicry honeypot systems according to the arbitration result, including switching from the mimicry honeypots determined to have been compromised to mimicry honeypots that have not, rolling back the mimicry honeypots determined to have been compromised, and scheduling and switching the mimicry honeypot systems corresponding to those mimicry honeypots.
2. The honeypot defense method based on mimicry defense of claim 1, characterized in that the image management module in step S1 constructs the heterogeneous honeypot images as follows:
constructing the heterogeneous honeypot environment: building heterogeneous honeypot environments with the same upper-layer application on different underlying infrastructure, which produces the heterogeneity;
imaging the heterogeneous honeypot environment: capturing the heterogeneous honeypot environment as an image and converting it to the qcow2 image format.
3. The honeypot defense method based on mimicry defense of claim 2, characterized in that the underlying infrastructure comprises an operating system, a database, Web middleware, system services and integrated services, and when the heterogeneous honeypot environments are constructed, different operating systems, databases, Web middleware, system services and integrated services are used in the underlying infrastructure, so that the mimicry honeypots generated from different heterogeneous honeypot environments are guaranteed to be heterogeneous.
4. The honeypot defense method based on mimicry defense of claim 1, characterized in that the mimicry honeypot data acquisition of step S2 proceeds as follows:
S21, the man-in-the-middle program receives external traffic: in the virtualization management subsystem of the control application layer, the man-in-the-middle program of the virtual network management module receives the external traffic;
S22, the mimicry honeypots receive the traffic: the man-in-the-middle program sends the external traffic it receives, through the virtual bridge, to every node of the corresponding mimicry honeypot system, each node being a mimicry honeypot;
S23, mimicry honeypot data acquisition: after the mimicry honeypots have received the external traffic, the virtual network management module in the virtualization management subsystem directs the data acquisition subsystem of the acquisition layer to collect the mimicry honeypots' response results.
5. A honeypot defense system based on mimicry defense, comprising a presentation layer, a control application layer, a data layer and an acquisition layer;
the acquisition layer comprises a plurality of mimicry honeypot systems and a data acquisition subsystem, the data acquisition subsystem collecting internal information of the mimicry honeypots in the mimicry honeypot systems, the internal information including response results;
the data layer receives the mimicry honeypot internal information sent by the data acquisition subsystem, performs preliminary processing on it, and analyses the mimicry honeypots' access traffic to obtain an analysis result;
the control application layer comprises a service center subsystem and a virtualization management subsystem connected to each other; the service center subsystem performs service configuration, data composition and management scheduling configuration, specifically querying and managing the data of the data storage subsystem and reading the mimicry honeypot access traffic analysis results of the data analysis subsystem; the virtualization management subsystem configures and manages the mimicry honeypots' virtualization resources;
the presentation layer comprises a graphical interface interactive system, the graphical interface interactive system is connected with the service center subsystem, and the graphical interface interactive system is used for a user to operate, view data and configure the system.
6. The honeypot defense system based on mimicry defense of claim 5, characterized in that the virtualization management subsystem comprises an image management module, a honeypot management module, a virtual network management module and a control scheduler connected in sequence; the image management module constructs mimicry honeypot images by KVM virtual machine image technology and obtains a plurality of virtual high-interaction mimicry honeypots and mimicry honeypot systems; the honeypot management module manages honeypots and monitors their state; the virtual network management module controls the mimicry honeypot systems' data access and network communication; and the control scheduler dynamically switches the mimicry honeypots and mimicry honeypot systems according to the output arbitration result for the mimicry honeypots.
7. The honeypot defense system based on mimicry defense of claim 6, characterized in that the image management module comprises a mimicry honeypot image function module, an import/export function module and an instantiation function module connected in sequence;
the mimicry honeypot image function module constructs a mimicry honeypot environment and images it, the mimicry honeypot environment comprising a Web application environment, an operating system, a database, Web middleware, system services and integrated services;
the import/export function module imports and exports images, modifies the mimicry honeypot environment and reuses the honeypot environment across the plurality of mimicry honeypot systems; the instantiation function module instantiates the prepared images by KVM virtual machine image technology to obtain a plurality of virtual high-interaction honeypots and mimicry honeypot systems.
8. The honeypot defense system based on mimicry defense of claim 5, characterized in that the service center subsystem comprises a behavior capture module, a threat analysis module, a trapping situation analysis module and a system management module; the behavior capture module captures data relating to external illegal attack behavior, specifically honeypot access, command execution, raw traffic and file changes; the threat analysis module analyses in depth, through a behavior analysis engine, every attack session captured by the honeypots, so as to display the interactive commands between the honeypot and the attacker on an attack timeline; the trapping situation analysis module builds a trapping analysis model using correlation analysis and monitors the overall trapping and attack situation in real time; and the system management module lets the user manage the honeypot nodes and dynamically display the honeypot network.
9. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the honeypot defense method based on mimicry defense of any one of claims 1 to 4.
10. A computer-readable storage medium having stored thereon computer-executable instructions for performing the honeypot defense method based on mimicry defense of any one of claims 1 to 4.
CN202011091422.6A 2020-10-13 2020-10-13 Honeypot defense method, system, equipment and medium based on mimicry defense Active CN112187825B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011091422.6A CN112187825B (en) 2020-10-13 2020-10-13 Honeypot defense method, system, equipment and medium based on mimicry defense

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011091422.6A CN112187825B (en) 2020-10-13 2020-10-13 Honeypot defense method, system, equipment and medium based on mimicry defense

Publications (2)

Publication Number Publication Date
CN112187825A true CN112187825A (en) 2021-01-05
CN112187825B CN112187825B (en) 2022-08-02

Family

ID=73951120

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011091422.6A Active CN112187825B (en) 2020-10-13 2020-10-13 Honeypot defense method, system, equipment and medium based on mimicry defense

Country Status (1)

Country Link
CN (1) CN112187825B (en)

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112383573A (en) * 2021-01-18 2021-02-19 南京联成科技发展股份有限公司 Security intrusion playback equipment based on multiple attack stages
CN112839052A (en) * 2021-01-25 2021-05-25 北京六方云信息技术有限公司 Virtual network security protection system, method, server and readable storage medium
CN112860378A (en) * 2021-02-23 2021-05-28 哈尔滨工业大学(威海) Method, system, equipment and storage medium for calculating minimum virtual resources required by playback flow
CN112929208A (en) * 2021-01-25 2021-06-08 浙江大学 Isomerous body decision method of mimicry virtual switch
CN113422779A (en) * 2021-07-02 2021-09-21 南京联成科技发展股份有限公司 Active security defense system based on centralized management and control
CN113609483A (en) * 2021-07-16 2021-11-05 山东云海国创云计算装备产业创新中心有限公司 Server virus processing method, device, equipment and readable medium
CN113660246A (en) * 2021-08-11 2021-11-16 杭州安恒信息技术股份有限公司 Honeypot switching method, system, computer and readable storage medium
CN113872973A (en) * 2021-09-29 2021-12-31 武汉众邦银行股份有限公司 Simulation honeypot realization method and device based on iptables
CN114095234A (en) * 2021-11-17 2022-02-25 北京知道创宇信息技术股份有限公司 Honeypot generation method, honeypot generation device, server and computer-readable storage medium
CN114205127A (en) * 2021-11-29 2022-03-18 中国铁路北京局集团有限公司北京通信段 Network safety monitoring method and system for railway
CN114338203A (en) * 2021-12-31 2022-04-12 河南信大网御科技有限公司 Intranet detection system and method based on mimicry honeypots
CN114531297A (en) * 2022-03-08 2022-05-24 四川中电启明星信息技术有限公司 Container safety risk assessment method facing edge calculation
CN114785594A (en) * 2022-04-22 2022-07-22 国家工业信息安全发展研究中心 Security defense method and system for industrial control system
CN115174218A (en) * 2022-07-04 2022-10-11 云南电网有限责任公司 Method for carrying out power grid safety protection based on high-simulation virtual honeypot technology
CN115174227A (en) * 2022-07-05 2022-10-11 云南电网有限责任公司 Method for honey pot mirroring technology of main power station of power grid
CN115296909A (en) * 2022-08-04 2022-11-04 北京天融信网络安全技术有限公司 Method, device and medium for obtaining target honeypot system and attack response method
CN115499322A (en) * 2022-11-14 2022-12-20 网络通信与安全紫金山实验室 Management system and method of mimicry equipment cluster and electronic equipment
CN115834140A (en) * 2022-10-31 2023-03-21 中国国家铁路集团有限公司 Railway network security management method and device, electronic equipment and storage medium
CN116132090A (en) * 2022-11-09 2023-05-16 中国电子科技集团公司第三十研究所 Spoofing defending system for Web security protection

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103561004A (en) * 2013-10-22 2014-02-05 西安交通大学 Cooperative type active defense system based on honey nets
CN107872467A (en) * 2017-12-26 2018-04-03 中国联合网络通信集团有限公司 Honey jar active defense method and honey jar Active Defending System Against based on Serverless frameworks
CN110011982A (en) * 2019-03-19 2019-07-12 西安交通大学 A kind of attack intelligence deception system and method based on virtualization
CN110493238A (en) * 2019-08-26 2019-11-22 杭州安恒信息技术股份有限公司 Defence method, device, honey pot system and honey jar management server based on honey jar
CN110784476A (en) * 2019-10-31 2020-02-11 国网河南省电力公司电力科学研究院 Power monitoring active defense method and system based on virtualization dynamic deployment
CN110784361A (en) * 2019-10-31 2020-02-11 国网河南省电力公司电力科学研究院 Virtualized cloud honey network deployment method, device, system and computer-readable storage medium


Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112383573A (en) * 2021-01-18 2021-02-19 南京联成科技发展股份有限公司 Security intrusion playback equipment based on multiple attack stages
CN112839052A (en) * 2021-01-25 2021-05-25 北京六方云信息技术有限公司 Virtual network security protection system, method, server and readable storage medium
CN112929208A (en) * 2021-01-25 2021-06-08 浙江大学 Isomerous body decision method of mimicry virtual switch
CN112839052B (en) * 2021-01-25 2023-02-03 北京六方云信息技术有限公司 Virtual network security protection system, method, server and readable storage medium
CN112860378A (en) * 2021-02-23 2021-05-28 哈尔滨工业大学(威海) Method, system, equipment and storage medium for calculating minimum virtual resources required by playback flow
CN113422779B (en) * 2021-07-02 2022-06-21 南京联成科技发展股份有限公司 Active security defense system based on centralized management and control
CN113422779A (en) * 2021-07-02 2021-09-21 南京联成科技发展股份有限公司 Active security defense system based on centralized management and control
CN113609483B (en) * 2021-07-16 2024-05-03 山东云海国创云计算装备产业创新中心有限公司 Method, device, equipment and readable medium for processing server virus
CN113609483A (en) * 2021-07-16 2021-11-05 山东云海国创云计算装备产业创新中心有限公司 Server virus processing method, device, equipment and readable medium
CN113660246A (en) * 2021-08-11 2021-11-16 杭州安恒信息技术股份有限公司 Honeypot switching method, system, computer and readable storage medium
CN113660246B (en) * 2021-08-11 2023-02-28 杭州安恒信息技术股份有限公司 Honeypot switching method, system, computer and readable storage medium
CN113872973A (en) * 2021-09-29 2021-12-31 武汉众邦银行股份有限公司 Simulation honeypot realization method and device based on iptables
CN113872973B (en) * 2021-09-29 2023-07-07 武汉众邦银行股份有限公司 Method and device for realizing mimicry honeypot based on iptables
CN114095234A (en) * 2021-11-17 2022-02-25 北京知道创宇信息技术股份有限公司 Honeypot generation method, honeypot generation device, server and computer-readable storage medium
CN114095234B (en) * 2021-11-17 2023-10-13 北京知道创宇信息技术股份有限公司 Honeypot generation method, device, server and computer readable storage medium
CN114205127A (en) * 2021-11-29 2022-03-18 中国铁路北京局集团有限公司北京通信段 Network safety monitoring method and system for railway
CN114338203A (en) * 2021-12-31 2022-04-12 河南信大网御科技有限公司 Intranet detection system and method based on mimicry honeypots
CN114338203B (en) * 2021-12-31 2023-10-03 河南信大网御科技有限公司 Intranet detection system and method based on mimicry honeypot
CN114531297A (en) * 2022-03-08 2022-05-24 四川中电启明星信息技术有限公司 Container safety risk assessment method facing edge calculation
CN114785594A (en) * 2022-04-22 2022-07-22 国家工业信息安全发展研究中心 Security defense method and system for industrial control system
CN115174218A (en) * 2022-07-04 2022-10-11 云南电网有限责任公司 Method for carrying out power grid safety protection based on high-simulation virtual honeypot technology
CN115174218B (en) * 2022-07-04 2024-04-09 云南电网有限责任公司 Method for carrying out power grid safety protection based on high-simulation virtual honeypot technology
CN115174227A (en) * 2022-07-05 2022-10-11 云南电网有限责任公司 Method for honey pot mirroring technology of main power station of power grid
CN115296909A (en) * 2022-08-04 2022-11-04 北京天融信网络安全技术有限公司 Method, device and medium for obtaining target honeypot system and attack response method
CN115296909B (en) * 2022-08-04 2023-11-10 北京天融信网络安全技术有限公司 Method, device, medium and attack response method for obtaining target honeypot system
CN115834140A (en) * 2022-10-31 2023-03-21 中国国家铁路集团有限公司 Railway network security management method and device, electronic equipment and storage medium
CN115834140B (en) * 2022-10-31 2023-11-10 中国国家铁路集团有限公司 Railway network security management method and device, electronic equipment and storage medium
CN116132090A (en) * 2022-11-09 2023-05-16 中国电子科技集团公司第三十研究所 Spoofing defending system for Web security protection
CN116132090B (en) * 2022-11-09 2024-04-02 中国电子科技集团公司第三十研究所 Spoofing defending system for Web security protection
CN115499322A (en) * 2022-11-14 2022-12-20 网络通信与安全紫金山实验室 Management system and method of mimicry equipment cluster and electronic equipment

Also Published As

Publication number Publication date
CN112187825B (en) 2022-08-02

Similar Documents

Publication Publication Date Title
CN112187825B (en) Honeypot defense method, system, equipment and medium based on mimicry defense
Baykara et al. A novel honeypot based security approach for real-time intrusion detection and prevention systems
US10534906B1 (en) Detection efficacy of virtual machine-based analysis with application specific events
US10560434B2 (en) Automated honeypot provisioning system
US9954872B2 (en) System and method for identifying unauthorized activities on a computer system using a data structure model
Roschke et al. Intrusion detection in the cloud
US7770223B2 (en) Method and apparatus for security management via vicarious network devices
US10805340B1 (en) Infection vector and malware tracking with an interactive user display
Tsikerdekis et al. Approaches for preventing honeypot detection and compromise
CN110493238A (en) Defence method, device, honey pot system and honey jar management server based on honey jar
WO2014063110A1 (en) Network infrastructure obfuscation
CN113014571B (en) Method, device and storage medium for processing access request
CN113676449B (en) Network attack processing method and device
US11425150B1 (en) Lateral movement visualization for intrusion detection and remediation
CN113422779A (en) Active security defense system based on centralized management and control
Song et al. Cooperation of intelligent honeypots to detect unknown malicious codes
CN110198300B (en) Honeypot operating system fingerprint hiding method and device
CN115242466A (en) Intrusion active trapping system and method based on high-simulation virtual environment
CN112688933A (en) Attack type analysis method, device, equipment and medium for IPv6
Zhang et al. Xen-based virtual honeypot system for smart device
Janagam et al. Analysis of network intrusion detection system with machine learning algorithms (deep reinforcement learning algorithm)
WO2020255185A1 (en) Attack graph processing device, method, and program
Hirata et al. INTERCEPT+: SDN support for live migration-based honeypots
Frederick Testing a low-interaction honeypot against live cyber attackers
JP6286314B2 (en) Malware communication control device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant