CN112383538A - Hybrid high-interaction industrial honeypot system and method - Google Patents


Info

Publication number
CN112383538A
Application number
CN202011254185.0A
Authority
CN (China)
Other languages
Chinese (zh)
Other versions
CN112383538B (en)
Legal status
Granted; active
Inventors
董夏昕, 杨新民, 杨东, 王文庆, 崔逸群, 毕玉冰, 刘超飞, 高原英, 邓楠轶, 介银娟, 朱博迪
Current assignee
Xian Thermal Power Research Institute Co Ltd
Original assignee
Xian Thermal Power Research Institute Co Ltd
Prior art keywords
data, honeypot, attack, industrial, log

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment


Abstract

A hybrid high-interaction industrial honeypot system and method comprises an internal honeypot and an external honeypot used for scene simulation; the external honeypot and the internal honeypot also complete data processing. The external-network honeypot is connected to the internal-network honeypot through a gateway; the gateway is connected to a firewall and to a honeypot management platform; the management platform is connected to a database that stores its data; and the database is connected to a display terminal through a data analysis platform. The invention has the characteristics of multiple scenes and high interactivity.

Description

Hybrid high-interaction industrial honeypot system and method
Technical Field
The invention relates to the technical field of industrial control security, in particular to a hybrid high-interaction industrial honeypot system and method.
Background
Industrial systems and facilities are important components of national critical infrastructure. Network attacks on industrial scenes have become more and more frequent in recent years, and because of the particular nature of industrial systems and facilities, only passive defense could be adopted against external attack. The development of honeypot technology provides a new defense strategy: attack trapping and network defense can be carried out actively, attacks are contained in a virtual scene, and the operation of the real system and real equipment is not affected. At present, honeypots aimed at industrial scenes have problems such as a single simulated scene, low interactivity and easy identification.
Disclosure of Invention
In order to overcome these drawbacks and meet the requirements of energy conservation and consumption reduction, the invention provides a hybrid high-interaction industrial honeypot system and method with the characteristics of multiple scenes and high interactivity.
A hybrid high-interaction industrial honeypot system comprises an internal honeypot and an external honeypot used for scene simulation; the external honeypot and the internal honeypot also complete data processing;
the external-network honeypot is connected to the internal-network honeypot through a gateway; the gateway is connected to a firewall and to a honeypot management platform; the management platform is connected to a database that stores its data; and the database is connected to a display terminal through a data analysis platform.
The external honeypot is connected to the gateway through the eth0 network port, the gateway is connected to the internal honeypot through the eth1 port, the gateway is connected to the firewall through the eth2 port, and the gateway is connected to the honeypot management platform through the eth3 port;
the eth0 port communicates with the eth1 port, so that the data of the external honeypot and the internal honeypot are forwarded to each other, and the external honeypot data and the internal honeypot data are each submitted to the honeypot management platform through the eth3 port.
The eth3 port is in a one-way isolation state with respect to the eth0, eth1 and eth2 ports: data of the honeypot management platform, the database and the data analysis platform cannot be redirected to the external honeypot, the internal honeypot or the internet.
The external honeypot simulates the industrial information zone and the internet zone; it contains all devices and services exposed to the internet, combined with an industrial scene, and comprises Windows hosts and servers, Linux hosts and servers, a portal system and an OA system connected to the internet;
the intranet honeypot simulates an industrial production-control network scene, a network environment isolated from the internet, and comprises an operator station, Docker containers simulating industrial control protocols, a hardware virtualization service simulating industrial equipment, a virtual PLC, and a real PLC adopted to improve the authenticity of the system;
the gateway realizes network isolation between the internal honeypot and the external honeypot and completes the data-forwarding logic between the internal honeypot, the external honeypot, internet traffic and the management platform at the back end;
the management platform monitors the states of the external and internal honeypots, prevents uncontrollable attacks, adjusts the honeypot equipment in real time to improve its performance, and also integrates a data processing method for basic processing of the raw data;
the database stores the traffic data, log data and probe data acquired from the honeypot equipment;
the data analysis platform analyzes the database data to obtain information such as attack portraits, detection models and threat scores.
The display terminal displays the attack behaviors captured by the honeypots in real time.
A processing method of the hybrid high-interaction industrial honeypot system comprises the following steps:
Step one: data acquisition;
the external honeypot and the internal honeypot form the data acquisition layer 101. The data acquisition layer 101 captures raw data through the external and internal honeypots; the data are forwarded by the gateway and processed by the management platform, which comprises a traffic acquisition module, a log extraction module and a probe monitoring module;
the traffic acquisition module captures traffic on the equipment through tcpdump running on the external and internal honeypot devices, and forwards the traffic data to the management platform through the gateway via the eth0 and eth1 ports respectively;
the log extraction module sorts the device logs in hourly units through EventLog management software running on the device, packages them and sends them to the management platform through the gateway, and the management platform cleans the log data to form a system log;
the probe monitoring module evaluates and collects the state of each single device in real time through probes in the internal and external honeypots and sends it to the management platform through the gateway, and the management platform adjusts the state of the honeypot in real time according to the probe data;
Step two: data storage and analysis;
the data analysis platform and the database form the storage and analysis layer 102. The storage and analysis layer 102 performs fine-grained processing on the acquired data: the data analysis platform extracts the traffic data, log data and probe data from the database as samples and performs correlation analysis on the traffic data, log data and system state data, so as to generate a complete industrial control security knowledge base, an industrial control malicious behavior fingerprint base and a threat scoring system;
Step three: displaying the attack situation;
the display terminal forms a situation display module, which displays on screen the malicious behaviors detected by the data analysis platform and generates a report for the risks. Attack processes are displayed on screen; each attack process comprises an attack path diagram and detailed information, and the detailed information comprises the attacker IP, the device login time, the process, the port and the exploited vulnerabilities. The display content comprises images and schedule data: clicking a device with the mouse shows all attack behaviors against it, and hovering the mouse over the attack path pops up the detailed information of each attack stage.
The probe monitoring module of step one monitors real-time changes in the system state, summarizes information in 10 dimensions (server, operating system, software, database, storage, middleware, application service, battery, address management and fault management) that characterize network attack behavior, and stores the information as a system state database with time as a dimension;
when an attack against the industrial internet occurs, it is reflected as traffic data, log data and device state changes. All data are collected by the honeypot equipment through traffic monitoring, probe monitoring and log arrangement, preprocessed into attack behavior data and transmitted to the database through the gateway to form an attack database.
The specific process running on the management platform in step one is as follows:
(1) monitor the Web ports and industrial control ports of the external and internal honeypot devices to capture the honeypot system traffic;
(2) clean the raw data, generate a matching rule base from data such as industrial device fingerprints and IP whitelists, filter the normal asset-detection traffic out of the traffic data, arrange the remaining packets as attack traffic and store them in the database;
(3) arrange the traffic by source IP, taking the session as the unit and time as the ordering criterion; specifically, packets are aggregated by the five-tuple vector of source IP address, destination IP address, protocol, source port and destination port and arranged into a flow;
(4) store the data flows of each source IP in the same column of the database, and extract features from each data flow in the database to form an attack traffic feature database.
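The four traffic-acquisition steps above, worked as an added example (this is not the patent's code): asset-detection traffic is filtered by an IP whitelist and device-fingerprint rule base, the remaining packets are aggregated into flows by the five-tuple, flows are grouped per source IP in time order, and per-flow features are extracted. The packet records, the whitelist network and the fingerprint string are constructed assumptions.

```python
"""Traffic-acquisition step of the honeypot management platform: filter
asset-probe traffic, aggregate the rest into 5-tuple flows, group them per
source IP ordered by time, and extract simple per-flow features."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """One captured packet, as a collector parsing tcpdump output might emit it."""
    ts: float        # capture time (seconds)
    src: str
    dst: str
    proto: str       # "tcp" / "udp"
    sport: int
    dport: int
    length: int      # bytes on the wire
    payload: bytes   # first bytes of the application payload


FiveTuple = Tuple[str, str, str, int, int]

# Matching rule base (assumed values): the internal asset-management scanner range
# and a payload prefix that the honeypots' own monitoring agents send.
IP_WHITELIST = [ip_network("10.0.5.0/24")]
DEVICE_FINGERPRINTS = [b"PROBE-AGENT/1.0"]


def is_asset_probe(pkt: Packet) -> bool:
    """Normal asset-detection traffic is recognised by whitelist or fingerprint."""
    if any(ip_address(pkt.src) in net for net in IP_WHITELIST):
        return True
    return any(pkt.payload.startswith(fp) for fp in DEVICE_FINGERPRINTS)


def five_tuple(pkt: Packet) -> FiveTuple:
    return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)


def build_flows(packets: List[Packet]) -> Dict[str, List[List[Packet]]]:
    """Drop asset-probe packets, aggregate the rest into flows keyed by the
    5-tuple, then group the flows per source IP ordered by first-packet time
    (the patent's 'same column of the database' per source IP)."""
    flows: Dict[FiveTuple, List[Packet]] = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p.ts):
        if is_asset_probe(pkt):
            continue
        flows[five_tuple(pkt)].append(pkt)
    per_src: Dict[str, List[List[Packet]]] = defaultdict(list)
    for key, pkts in flows.items():
        per_src[key[0]].append(pkts)
    for src in per_src:
        per_src[src].sort(key=lambda f: f[0].ts)
    return dict(per_src)


def flow_features(flow: List[Packet]) -> dict:
    """Per-flow features that feed the attack-traffic feature database."""
    return {
        "src": flow[0].src, "dst": flow[0].dst, "proto": flow[0].proto,
        "dport": flow[0].dport,
        "packets": len(flow),
        "bytes": sum(p.length for p in flow),
        "duration": round(flow[-1].ts - flow[0].ts, 3),
        "mean_len": round(mean(p.length for p in flow), 1),
    }


def source_summary(per_src: Dict[str, List[List[Packet]]]) -> dict:
    """Per-source-IP summary: flow count, distinct destination ports touched
    (many ports in a short time is typical of scanning) and the flow features."""
    return {
        src: {
            "flows": len(flows),
            "distinct_dports": len({f[0].dport for f in flows}),
            "features": [flow_features(f) for f in flows],
        }
        for src, flows in per_src.items()
    }


# Constructed sample capture (documentation-range addresses).
SAMPLE = [
    Packet(100.0, "10.0.5.7", "192.0.2.10", "tcp", 40000, 502, 60, b"PROBE-AGENT/1.0"),
    Packet(100.5, "198.51.100.23", "192.0.2.10", "tcp", 51000, 502, 66, b""),
    Packet(100.6, "198.51.100.23", "192.0.2.10", "tcp", 51000, 502, 78, b"\x00\x01\x00\x00\x00\x06\x01\x03"),
    Packet(100.9, "198.51.100.23", "192.0.2.10", "tcp", 51001, 102, 66, b""),
    Packet(101.2, "198.51.100.23", "192.0.2.11", "tcp", 51002, 80, 60, b""),
    Packet(101.4, "198.51.100.23", "192.0.2.10", "tcp", 51000, 502, 54, b""),
]

if __name__ == "__main__":
    for src, info in source_summary(build_flows(SAMPLE)).items():
        print(src, info["flows"], "flows,", info["distinct_dports"], "distinct ports")
```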
The specific process of the log extraction module in step one is as follows:
(1) summarize the operation log, security log and network log of each single honeypot device;
(2) establish a standardized log parsing rule, segment the disordered log entries, extract them field by field, and describe the log events with concise custom key fields;
(3) summarize and store them to form a honeypot log database.
In step two, a complete attack portrait is generated from the log data, the attack behavior is traced and evidence is collected, and the complete attack path is deduced, specifically as follows:
the primary attack portrait is described by the attacker IP, the attack influence range, the intrusion complexity, the exploited vulnerability and the attack tool fingerprint, where the attack influence range comprises the number of affected honeypots and the degree to which a single machine is affected;
tracing and evidence collection provide the attack source and detailed information through automated scripts and arrangement of the log data, including: whether the IP address is reachable (Boolean), the IP prefix, the URL, the country, the operating system and the identifier. Attack-pattern features serve as electronic evidence: when an attacker hides the real IP address to prevent tracing, the attacker can still be identified by comparing these features. An overall attack-pattern trend graph is also extracted: the log data are quantified in three modes (continuous activity, transient peak and data burst), and attack-pattern features are extracted along multiple dimensions such as frequency, ratio, entropy, total amount and mean square error;
attack path deduction displays attack processes in vector form: a correspondence table between honeypot devices and vectors is established, each device is represented as a vector (i, j), where i is the network range and j the device number, and attack evolution is represented with arrows; for example, (1,1) -> (1,2) means the attack propagated from device No. 1 to device No. 2 within the first network interval;
the data analysis platform analyzes the attack data with scripts, combines the probe data to summarize the deliberately deployed vulnerabilities and the vulnerabilities newly discovered during interaction, analyzes the specific influence degree of each vulnerability, and counts the exploitation frequency of each vulnerability or risk to generate a system risk library.
The display terminal in step three displays the attack situation: a line graph of attack data changes over a period of time, a pie chart of the proportion of internal to external IPs, and the real-time state of all honeypot devices;
the display terminal generates a vulnerability risk report for each device and reports it to the administrator; combined with concrete scenes such as real industrial networks, devices and services, vulnerability repair, risk investigation and network isolation are carried out, improving the security of industrial assets.
The beneficial effects of the invention are:
with this method, the possibility of a real industrial system being attacked over the network can be avoided; by simulating the real system to trap network attacks, the honeypot system addresses the shortage of industrial-internet malicious samples and provides reference data for industrial control security research; and the machine learning classification detection model established by the security analysis platform in the honeypot system is trained on real attack data, can identify actual malicious behaviors on the industrial internet and has high credibility.
Drawings
Fig. 1 is the overall topology diagram of the industrial honeypot system provided by the present invention.
Fig. 2 is the data processing flow structure diagram of the industrial honeypot system provided by the present invention.
Fig. 3 is a schematic diagram of the traffic collection module provided by the present invention.
Fig. 4 is a schematic diagram of the log collection module provided by the present invention.
Fig. 5 is a flow diagram of the storage and analysis system provided by the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings.
As shown in Figs. 1 to 5, the logical isolation state between the network ports simulates the one-way isolation of an industrial scene: the internal-network honeypot can forward data to the external-network honeypot, while the volume of data the external-network honeypot can forward to the internal-network honeypot is set to 1 byte, so that the evolution of an attack from the external network into the internal network is simulated and the network has higher authenticity.
Both the external and internal honeypot systems adopt anti-identification techniques: the honeypot management platform periodically modifies information such as protocol features, MAC addresses and function codes, improving the security of the honeypots.
The honeypot system mixes real and virtual equipment; the intranet honeypot uses both a real PLC and a virtual PLC, which maximizes the interactivity of the system and brings it closer to a real attack interaction scene, while the mixed mode also reduces the probability of the honeypot system being discovered.
The traffic of the honeypot system is collected with tcpdump, and scanning traffic and attack traffic are screened out;
log data are extracted through EventLog and analyzed to form a complete attack portrait and a malicious IP pool;
the data analysis platform performs correlation analysis on the traffic data and the log data to form an industrial control malicious behavior fingerprint database;
the data analysis platform formulates a scoring standard for intrusion behaviors;
the malicious behavior data are visualized and a vulnerability risk report is generated through the display terminal;
the hybrid industrial honeypot system model comprises a host honeypot and a service honeypot: the host honeypot simulates the Windows hosts and servers, Linux hosts and servers, and upper and lower computers used in industry; the service honeypot simulates services such as various industrial control protocols, enterprise portals and financial systems;
the gateway is used to set up the physical isolation, logical isolation and network isolation environments of an industrial scene;
vulnerabilities are deployed in the external-network honeypots and decoy files are constructed, increasing the attractiveness of the honeypot system and the probability of successful interaction;
the intranet honeypot and its PC hosts and servers all use real equipment; hardware virtualization is adopted to avoid damage to real hardware, Docker is used to deploy virtual industrial control services, and the service system software is real software, so the proportion of low-interaction parts in the system is minimized and the interactivity of the system is improved.
The amount of data the honeypots send outward is controlled through the firewall: when it reaches a threshold, the redundant outgoing data are blocked to protect system performance;
probes are deployed in the external and internal honeypots to monitor the real-time state of each honeypot device and collect real-time system state data;
anti-identification techniques are adopted for the external and internal honeypots to improve the security of the system;
the traffic data in the external and internal honeypot devices are monitored and sent to the management platform, which filters out the asset-detection traffic and classifies the remaining data into vulnerability-scanning traffic and malicious attack traffic;
the management platform aggregates the traffic packets into session flows according to the five-tuple data, extracts data features and stores them as a traffic feature database;
the data analysis platform obtains the log data from the database, arranges them to generate a complete attack portrait and traces the source of the attack, with the log data serving as electronic evidence;
the management platform arranges the raw log data with an automated script, divides the entries, describes the log events with key fields and generates an intuitive log database;
the data analysis platform performs correlation analysis on the traffic data, log data and probe data, classifies attack behaviors, penetration behaviors and implantation behaviors according to the correlation rules, sorts the data and generates an industrial control malicious behavior database;
the data analysis platform extracts data from the industrial control malicious behavior database, extracts their features, establishes a multi-model detection model using an RNN (recurrent neural network), an SVM (support vector machine) algorithm based on graph mapping and a KNN (K-nearest-neighbor) algorithm, and trains it with the feature data to generate an industrial control malicious behavior detection model;
an automated script of the data analysis platform analyzes the industrial scene and, combined with the influence degree of specific attack behaviors on the system, provides an attack threat scoring standard for the industrial field;
the honeypot system is labeled using the management platform, the logs and the device labels are associated using the data analysis platform, and an attack vector diagram and detailed attack information are generated and visualized for each attack by the display terminal;
the display terminal displays data such as attack frequency, IP distribution and device state in real time;
the data analysis platform counts the system risks and vulnerabilities, generates a system risk library, generates a vulnerability risk report for each security problem, and reports it to the administrator through the display terminal so that it can be handled in the actual industrial scene.
Fig. 3 is the detailed flowchart of the traffic collection module of the data collection layer 101: the Web ports and industrial control ports of the external and internal honeypot devices in Fig. 1 are monitored to capture the honeypot system traffic; the raw data are cleaned, a matching rule base is generated from data such as industrial device fingerprints and an IP whitelist, the normal asset-detection traffic is filtered out of the traffic data, the remaining packets are arranged as attack traffic, and the traffic is stored in the database.
The traffic arrangement rule of the traffic acquisition module is based on the source IP, takes the session as the unit and time as the ordering criterion, and operates as follows: packets are aggregated by the five-tuple vector of source IP address, destination IP address, protocol, source port and destination port and arranged into flows; the data flows of each source IP are stored in the same column of the database; and the features of each data flow in the database are extracted to serve as an attack traffic feature database.
Fig. 4 is the detailed flowchart of the log extraction module of the data collection layer 101, which extracts the operation logs, security logs and network logs of every single honeypot device in Fig. 1 for data summarization, formulates a standardized log parsing rule, divides the disordered log entries, extracts them field by field, describes the log events with simple custom key fields, and summarizes and stores them to form a honeypot log database;
a complete attack portrait is then generated from the log data, the attack behavior is traced and evidence is collected, and the complete attack path is deduced.
The primary attack portrait generated in the log analysis comprises the attacker IP, the attack influence range, the intrusion complexity, the exploited vulnerability and the attack tool fingerprint, where the attack influence range comprises the number of affected honeypots and the degree to which a single machine is affected.
Attack tracing and evidence collection in the log analysis provide the attack source and detailed information through automated scripts and arrangement of the log data, including: whether the IP address is reachable (Boolean), the IP prefix, the URL, the country, the operating system and the identifier. Attack-pattern features serve as electronic evidence: when an attacker hides the real IP address to prevent tracing, the attacker can still be identified by comparing these features. An overall attack-pattern trend graph is also extracted: the log data are quantified in three modes (continuous activity, transient peak and data burst), and attack-pattern features are extracted along multiple dimensions such as frequency, ratio, entropy, total amount and mean square error.
In this embodiment the deduced attack path is described in vector form: a correspondence table between honeypot devices and vectors is established, each device is represented as a vector (i, j), where i is the network range in which the device is located and j the device number, and attack evolution is represented with arrows; for example, (1,1) -> (1,2) means the attack propagated from device No. 1 to device No. 2 within the first network interval.
The probe monitoring module monitors real-time changes in the system state, summarizes information in 10 dimensions (server, operating system, software, database, storage, middleware, application service, battery, address management and fault management) that characterize network attack behavior, and stores it as a system state database with time as a dimension.
Fig. 5 shows the storage and analysis system, which corresponds to the data analysis platform in Fig. 1. The attack traffic feature database, the honeypot log database and the system state database produced by the data acquisition system 101 are transmitted to the data analysis platform through the eth3 port; all data are associated, the influence degree of each attack is analyzed through the system state database, a threat scoring standard is formulated, the machine learning classification detection model of the data analysis platform is trained, and attack behaviors are detected.
The data association rule of the storage and analysis system is as follows: against the system state database, the communication traffic is compared with the log data, and log data matching the traffic data in time and space are queried. If the match succeeds, the communication traffic and the log information are associated as data generated by the same action and marked as an attack behavior; if no log data associated with a flow exists, the flow is marked as a penetration behavior; and if no traffic data matching a log exists, the log is marked as an implantation behavior. The attack behavior data, penetration behavior data and implantation behavior data are then reordered to form the industrial control malicious behavior database.
The threat score standard expresses the degree of threat to the system; taking the score as a reference, the classification detection model can distinguish low-risk, medium-risk and high-risk operations. It should be added that any attack is fatal in an industrial production scene.
The initial threat scores in this embodiment are: industrial control detection 2 points, vulnerability scanning 6 points, obtaining common user privileges 6 points, system privilege escalation 10 points, backdoor implantation 10 points, PLC control 10 points, worm attack 10 points, hardware damage 10 points and file operation 10 points;
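The data association rule and the initial threat scores of the two preceding paragraphs, worked as an added example (this is not the patent's code): each traffic flow is compared with the log entries in space (same honeypot device, and the same remote IP where the log records one) and in time (log event within a window after the flow starts); a matched pair is an attack behavior, a flow with no matching log is a penetration behavior, a log with no matching flow is an implantation behavior, and the records are scored and reordered. The sample flows and logs, the 60-second window and the mapping from log event names to score categories are constructed assumptions.

```python
"""Storage/analysis-layer association rule plus the embodiment's initial
threat scores, applied to constructed flow and log records."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Flow:
    ts: float       # first-packet time (seconds)
    src: str        # remote (attacker) IP
    dst: str        # honeypot device IP
    dport: int
    category: str   # label assigned by the traffic module, e.g. "vulnerability scanning"


@dataclass
class LogEntry:
    ts: float
    host: str               # honeypot device that wrote the entry
    src: Optional[str]      # remote IP recorded in the entry, if any
    event: str              # normalized event name from the log extraction module


@dataclass
class Behavior:
    kind: str               # "attack" | "penetration" | "implantation"
    ts: float
    src: Optional[str]
    device: str
    category: str
    score: int


# Initial threat scores (points) as listed in the patent embodiment.
THREAT_SCORE = {
    "industrial control detection": 2,
    "vulnerability scanning": 6,
    "common user privilege obtained": 6,
    "system privilege escalation": 10,
    "backdoor implanted": 10,
    "PLC controlled": 10,
    "worm attack": 10,
    "hardware damaged": 10,
    "file operation": 10,
}

# Assumed mapping from normalized log events to the score categories above.
EVENT_CATEGORY = {
    "logon_success": "common user privilege obtained",
    "privilege_assigned": "system privilege escalation",
    "new_service_installed": "backdoor implanted",
    "file_write": "file operation",
}

MATCH_WINDOW = 60.0  # seconds; assumed tolerance for the temporal match


def matches(flow: Flow, log: LogEntry) -> bool:
    """Spatial and temporal match between one flow and one log entry."""
    same_place = log.host == flow.dst and (log.src is None or log.src == flow.src)
    return same_place and 0.0 <= log.ts - flow.ts <= MATCH_WINDOW


def associate(flows: List[Flow], logs: List[LogEntry]) -> List[Behavior]:
    """Apply the association rule; return records ordered by threat, then time."""
    used_logs = set()
    out: List[Behavior] = []
    for f in flows:
        paired = [i for i, l in enumerate(logs) if i not in used_logs and matches(f, l)]
        if not paired:
            # traffic seen but nothing on the host: a penetration behavior
            out.append(Behavior("penetration", f.ts, f.src, f.dst, f.category,
                                THREAT_SCORE.get(f.category, 0)))
            continue
        for i in paired:
            used_logs.add(i)
            # traffic and host evidence of the same action: an attack behavior;
            # the host-side event decides the category when it is known
            cat = EVENT_CATEGORY.get(logs[i].event, f.category)
            out.append(Behavior("attack", logs[i].ts, f.src, f.dst, cat,
                                THREAT_SCORE.get(cat, 0)))
    for i, l in enumerate(logs):
        if i not in used_logs:
            # host activity with no corresponding traffic: an implantation behavior
            cat = EVENT_CATEGORY.get(l.event, "")
            out.append(Behavior("implantation", l.ts, l.src, l.host, cat,
                                THREAT_SCORE.get(cat, 0)))
    out.sort(key=lambda b: (-b.score, b.ts))
    return out


# Constructed sample data (documentation-range addresses).
FLOWS = [
    Flow(1000.0, "198.51.100.23", "192.0.2.10", 502, "industrial control detection"),
    Flow(1100.0, "198.51.100.23", "192.0.2.11", 22, "vulnerability scanning"),
    Flow(1300.0, "203.0.113.5", "192.0.2.12", 445, "vulnerability scanning"),
]
LOGS = [
    LogEntry(1105.0, "192.0.2.11", "198.51.100.23", "logon_success"),
    LogEntry(1500.0, "192.0.2.12", None, "new_service_installed"),
]

if __name__ == "__main__":
    for b in associate(FLOWS, LOGS):
        print(f"{b.kind:13} t={b.ts:.0f} {b.src} -> {b.device} {b.category} ({b.score})")
```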
the industrial control malicious behavior detection model is a detection model built with three machine learning algorithms; data features are extracted from the malicious behavior database as sample data, and a highly reliable detection method is obtained by training the model, the high reliability coming from balancing the detection results of the different models.
The situation display module, corresponding to the display terminal shown in Fig. 1, comprises malicious behavior display and report generation. The attack processes are displayed on the output device; each attack process comprises an attack path diagram and detailed information, and the detailed information comprises the attacker IP, the device login time, the process, the port, the exploited vulnerabilities and the like. The display content comprises images and schedule data: clicking a device with the mouse shows all attack behaviors against it, and hovering the mouse over the attack path pops up the detailed information of each attack stage.
The invention also displays the attack situation: a line graph of attack data changes over a period of time, a pie chart of the proportion of internal to external IPs, and the real-time state of all honeypot devices.
Report generation analyzes the attack data with a script, combines the probe data, summarizes the deliberately deployed vulnerabilities and the vulnerabilities newly discovered during interaction, analyzes the specific influence degree of each vulnerability, counts the exploitation frequency of each vulnerability or risk, generates a system risk library, forms a vulnerability risk report for each device and reports it to the manager; combined with specific scenes such as real industrial networks, devices and services, vulnerability repair, risk investigation and network isolation are carried out, improving the security of industrial assets.

Claims (10)

1. A hybrid high-interaction industrial honeypot system, characterised in that industrial scenarios are simulated by an extranet honeypot and an intranet honeypot, and a complete data processing flow is formed together with a management platform, a data analysis platform, a display terminal and other equipment;
the extranet honeypot is connected with the intranet honeypot through a gateway; the gateway is connected with a firewall and with the honeypot management platform respectively; the honeypot management platform is connected with a database, which stores the data of the honeypot management platform; and the database is connected with the display terminal through the data analysis platform.
2. The hybrid high-interaction industrial honeypot system of claim 1, wherein the extranet honeypot is connected to the gateway through an eth0 network port, the gateway is connected to the intranet honeypot through an eth1 network port, the gateway is connected to the firewall through an eth2 network port, and the gateway is connected to the honeypot management platform through an eth3 network port;
the eth0 and eth1 network ports simulate the one-way isolation state of an industrial scenario and implement the forwarding rules for the extranet and intranet honeypot data, and the extranet honeypot data and the intranet honeypot data are each submitted to the honeypot management platform through the eth3 network port.
3. The hybrid high-interaction industrial honeypot system of claim 2, wherein the eth3 network port is in a one-way isolated state with respect to the eth0, eth1 and eth2 network ports, so that data of the honeypot management platform, the database and the data analysis platform cannot be redirected to the extranet honeypot, the intranet honeypot or the internet.
4. The hybrid high-interaction industrial honeypot system of claim 1, wherein the extranet honeypot is used to simulate the industrial information and internet community, including all devices and services exposed on the internet in conjunction with the industrial scenario; the extranet honeypot contains Windows hosts and servers, Linux hosts and servers, and web portal systems and OA systems connected to the internet;
the intranet honeypot is used to simulate the industrial production control network scenario, a network environment isolated from the internet, and comprises operator stations, Docker containers simulating industrial control protocols, hardware virtualisation services simulating industrial devices, virtual PLCs, and a real PLC adopted to improve the realism of the system;
the gateway is used to implement network isolation between the intranet honeypot and the extranet honeypot and to complete the data forwarding logic between the intranet honeypot, the extranet honeypot, internet traffic and the management platform at the back end;
the management platform is used to monitor the state of the extranet and intranet honeypots, prevent uncontrollable attacks, and adjust the honeypot devices in real time to improve their performance; it also integrates a data processing method for basic processing of the raw data;
the database is used to store the traffic data, log data and probe data acquired from the honeypot devices;
the data analysis platform is used to analyse the database data to obtain information such as attack portraits, detection models and threat scores;
the display terminal is used to display the attack behaviours captured by the honeypots in real time.
5. A processing method for the hybrid high-interaction industrial honeypot system of claim 1, comprising the following steps:
step one: data acquisition;
the extranet honeypot, the intranet honeypot and the management platform form a data acquisition layer 101; the data acquisition layer 101 traps attacks and acquires attack data through the extranet and intranet honeypots, forwards the data with the gateway and processes it with the management platform, and the management platform comprises a traffic acquisition module, a log extraction module and a probe monitoring module;
the traffic acquisition module captures traffic on the devices through tcpdump running on the extranet and intranet honeypot devices, and forwards the traffic data to the management platform through the gateway via the eth0 and eth1 network ports respectively;
the log extraction module collates the device logs in units of hours through EventLog management software running on the device, packages them and sends them to the management platform through the gateway, and the management platform cleans the log data to form a system log;
the probe monitoring module evaluates and collects the state of each single device in real time through probes in the intranet and extranet honeypots and sends it to the management platform through the gateway, and the management platform adjusts the state of the honeypots in real time according to the probe data;
step two: data storage and analysis;
the data analysis platform and the database form a storage analysis layer 102; in the storage analysis layer 102, the data analysis platform extracts the traffic data, log data and probe data from the database, performs fine-grained processing on the acquired data using it as samples, and performs correlation analysis on the traffic data, log data and system state data to generate a complete industrial control security knowledge base, an industrial control malicious behaviour fingerprint base and a threat scoring system;
step three: display of the attack situation;
the display terminal forms a situation display module, which displays the malicious behaviours detected by the data analysis platform on a screen through the display terminal and generates a report on the risks; attack processes are displayed on the screen, each attack process comprises an attack path diagram and detailed information, the detailed information comprises the attacker IP, device login time, process, port and exploited vulnerabilities, and the displayed content comprises images and progress data: clicking a device shows all of the attack behaviours it suffered, and hovering the mouse over an attack path pops up the detailed information of each attack stage.
6. The processing method of the hybrid high-interaction industrial honeypot system of claim 5, wherein in step one the probe monitoring module monitors real-time changes of the system state, summarises ten dimensions of information (server, operating system, software, database, storage, middleware, application service, battery, address management and fault management) to characterise the network attack behaviour, and stores the dimensional information, indexed by time, as the system state database;
when an attack on the industrial internet occurs, it is reflected as traffic data, log data and changes of device state; all of this data is collected by the honeypot devices through traffic monitoring, probe monitoring and log collation, preprocessed into attack behaviour data, and transmitted to the database through the gateway to form an attack database.
7. The processing method of the hybrid high-interaction industrial honeypot system of claim 5, wherein the specific process run on the management platform in step one is as follows:
(1) monitoring the web ports and industrial control ports of the extranet and intranet honeypot devices to capture the honeypot system traffic;
(2) cleaning the raw data: a matching rule base is generated from data such as industrial device fingerprints and IP whitelists, normal asset probing traffic is filtered out of the traffic data, and the remaining packets are collated as attack traffic and stored in the database;
(3) ordering the data by source IP, in units of sessions and sorted by time; specifically, packets are aggregated into flows by the five-tuple vector consisting of source IP address, destination IP address, protocol, source port and destination port;
(4) storing the data flows of each source IP in the same column of the database, and extracting features from each data flow in the database to form the attack traffic feature database.
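The four traffic processing steps of claim 7, as an added example that is not the patent's own code: whitelist-based cleaning, five-tuple flow aggregation sorted by time, per-source grouping and feature extraction over a constructed packet capture. The whitelist range, the packet tuple layout and the feature names are this example's assumptions.

```python
"""Added example (not the patent's code): traffic cleaning, five-tuple flow
aggregation and per-flow feature extraction on constructed packet records."""
from collections import defaultdict
import ipaddress

# Constructed capture: (time_s, src_ip, dst_ip, proto, sport, dport, length)
PACKETS = [
    (100.0, "10.0.0.2",     "10.0.0.10", "tcp", 40000, 502, 60),   # asset scanner, whitelisted
    (100.1, "203.0.113.5",  "10.0.0.10", "tcp", 51000, 502, 60),
    (100.3, "203.0.113.5",  "10.0.0.10", "tcp", 51000, 502, 78),
    (100.9, "203.0.113.5",  "10.0.0.10", "tcp", 51000, 502, 70),
    (101.0, "203.0.113.5",  "10.0.0.10", "tcp", 51001, 102, 60),   # second session, S7 port
    (102.0, "198.51.100.7", "10.0.0.11", "tcp", 44444, 80, 200),   # captured out of order on purpose
    (100.5, "198.51.100.7", "10.0.0.11", "tcp", 44444, 80, 150),
]

# Matching rule base (assumption): in-network asset management hosts whose
# probing of the honeypots is legitimate and must not count as attack traffic.
IP_WHITELIST = [ipaddress.ip_network("10.0.0.0/24")]


def is_normal_asset_traffic(pkt):
    return any(ipaddress.ip_address(pkt[1]) in net for net in IP_WHITELIST)


def clean(packets):
    """Step (2): drop normal asset probing; what remains is attack traffic."""
    return [p for p in packets if not is_normal_asset_traffic(p)]


def aggregate_flows(packets):
    """Step (3): aggregate packets into flows keyed by the five-tuple, each flow sorted by time."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p[1], p[2], p[3], p[4], p[5])].append(p)
    for pkts in flows.values():
        pkts.sort(key=lambda p: p[0])
    return flows


def flow_features(key, pkts):
    """Step (4): per-flow features for the attack traffic feature database."""
    times = [p[0] for p in pkts]
    sizes = [p[6] for p in pkts]
    return {
        "src_ip": key[0], "dst_ip": key[1], "proto": key[2], "dst_port": key[4],
        "packets": len(pkts),
        "bytes": sum(sizes),
        "duration": round(times[-1] - times[0], 3),
        "mean_size": round(sum(sizes) / len(sizes), 1),
    }


def build_feature_db(packets=PACKETS):
    """Return {source_ip: [flow feature dicts ordered by first packet time]}."""
    per_source = defaultdict(list)
    for key, pkts in aggregate_flows(clean(packets)).items():
        per_source[key[0]].append((pkts[0][0], flow_features(key, pkts)))
    return {ip: [f for _, f in sorted(lst, key=lambda x: x[0])]
            for ip, lst in per_source.items()}


if __name__ == "__main__":
    for ip, flows in build_feature_db().items():
        print(ip, flows)
```

Filtering before aggregation keeps the whitelisted scanner's packets from ever forming a flow, which matters when the same honeypot port is probed by both an internal asset inventory and an external source at the same time.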
8. The processing method of the hybrid high-interaction industrial honeypot system of claim 5, wherein the specific process of the log extraction module in step one is as follows:
(1) summarising the operation log, security log and network log of each single honeypot device;
(2) establishing standardised log parsing rules, segmenting the unordered log entries, extracting them field by field, and describing each log event with concise custom key fields;
(3) summarising and storing the results to form the honeypot log database.
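An added example of the standardised parsing rules in step (2) of claim 8; this is not the patent's code. Three rule patterns turn raw entries from a Linux operator station, a Windows host exported by EventLog software and a Modbus simulator container into the same fixed set of key fields, and entries that match no rule are dropped rather than stored half-parsed. The line formats, field names and event-name tables are this example's assumptions, and every log line is constructed.

```python
"""Added example (not from the patent): normalise heterogeneous honeypot log
entries into a fixed set of concise key fields and build the log database."""
import re
from datetime import datetime

# Rule 1: sshd entries from a Linux host (syslog-style, assumed format)
SSH_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+")
# Rule 2: Windows events exported one per line by the EventLog software (assumed format)
WIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} [\d:]{8}) (?P<host>\S+) EventID=(?P<eid>\d+)"
    r"(?: User=(?P<user>\S+))?(?: SourceIP=(?P<src>[\d.]+))?")
# Rule 3: industrial protocol simulator container log (assumed format)
ICS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:]{8}) (?P<host>\S+) modbus (?P<src>[\d.]+) "
    r"fc=(?P<fc>\d+) addr=(?P<addr>\d+)")

# Assumed name tables for the custom "event" key field.
WIN_EVENT_NAMES = {"4624": "logon_success", "4625": "logon_failure", "4720": "user_created"}
MODBUS_FC_NAMES = {"1": "read_coils", "5": "write_single_coil", "16": "write_registers"}


def _record(time, device, src, user, event, detail):
    return {"time": time.isoformat(), "device": device, "src_ip": src,
            "user": user, "event": event, "detail": detail}


def normalise(line, year=2020):
    """Return one standardised record, or None when no rule matches the entry."""
    m = SSH_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return _record(ts, m["host"], m["src"], m["user"],
                       "ssh_" + m["result"].lower(), m["method"])
    m = WIN_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        return _record(ts, m["host"], m["src"], m["user"],
                       WIN_EVENT_NAMES.get(m["eid"], "event_" + m["eid"]), m["eid"])
    m = ICS_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        return _record(ts, m["host"], m["src"], None,
                       MODBUS_FC_NAMES.get(m["fc"], "fc_" + m["fc"]), "addr=" + m["addr"])
    return None


# Constructed raw entries from three honeypot devices, plus one unparseable line.
SAMPLE_LINES = [
    "Nov 11 08:00:01 ops-station sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234",
    "Nov 11 08:00:09 ops-station sshd[2211]: Accepted password for operator from 203.0.113.5 port 51240",
    "2020-11-11 08:01:00 HMI-01 EventID=4720 User=svc_backup SourceIP=203.0.113.5",
    "2020-11-11T08:02:30 plc-sim modbus 203.0.113.5 fc=5 addr=10",
    "garbage line that matches no rule",
]


def build_log_db(lines=SAMPLE_LINES):
    """Normalise all entries, drop the unparseable ones, and order by time."""
    records = [r for r in (normalise(l) for l in lines) if r is not None]
    return sorted(records, key=lambda r: r["time"])


if __name__ == "__main__":
    for r in build_log_db():
        print(r)
```

Because every record carries the same `device`, `src_ip` and `time` keys regardless of its origin, the later traffic/log association and the attack portrait can query the log database without knowing which device format produced an entry.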
9. The processing method of the hybrid high-interaction industrial honeypot system of claim 5, wherein in step two a complete attack portrait is generated from the log data, tracing and evidence collection are performed on the attack behaviour, and the complete attack path is deduced, specifically:
the primary description parameters of the attack portrait comprise the attacker IP, the attack impact range, the intrusion complexity, the exploited vulnerabilities and the attack tool fingerprint, where the attack impact range comprises the number of affected honeypots and the degree to which a single machine is affected;
tracing and evidence collection provide the attack source and detailed information through automatic scripts and collation of the log data, including whether the IP address is reachable, the IP prefix, the URL, the country, the operating system and identifiers; the attack pattern features are used as electronic evidence, so that when an attacker hides the real IP address to prevent tracing, the attacker can still be identified by comparing these features; and an overall attack pattern trend graph is extracted, in which the log data is quantified in the three modes of continuous activity, transient peak and data burst, and attack pattern features are extracted in the dimensions of frequency, ratio, entropy, total amount and mean square error;
attack path deduction displays the attack process in vector form: a correspondence table between honeypot devices and vectors is established, each device is represented as a vector (i, j), where i denotes the network range in which the device is located and j the device number, and the attack evolution is represented with arrows;
the data analysis platform analyses the attack data with a script and, combined with the probe data, summarises the deliberately deployed vulnerabilities together with those newly discovered during interaction, analyses the specific degree of impact of each vulnerability, and counts how often each vulnerability or risk is exploited to generate a system risk library.
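The attack pattern quantification and the vector form of the attack path from claim 9, as an added example that is not the patent's code. It computes the five named features (frequency, ratio, entropy, total amount, mean square error) over an hourly series of per-attacker log event counts, assigns one of the three modes, and renders a path across devices as arrows between (i, j) vectors. The classification thresholds, the device-to-vector table and the sample series are this example's assumptions; the patent names the modes and features but gives no thresholds.

```python
"""Added example (not from the patent): attack pattern features over hourly
log counts, mode classification, and attack path rendering as device vectors."""
import math


def attack_pattern_features(counts):
    """counts: number of log events per hour for one attacker (constructed)."""
    total = sum(counts)
    n = len(counts)
    mean = total / n
    probs = [c / total for c in counts if c > 0] if total else []
    return {
        "total": total,
        "frequency": sum(1 for c in counts if c > 0) / n,   # share of active hours
        "ratio": (max(counts) / total) if total else 0.0,   # share held by the busiest hour
        "entropy": -sum(p * math.log2(p) for p in probs),   # bits; high means spread out
        "mse": sum((c - mean) ** 2 for c in counts) / n,     # dispersion about the mean
    }


def quantify_mode(counts, freq_threshold=0.75, peak_threshold=0.6):
    """Assumed rule: continuous activity when most hours are active, transient
    peak when one hour carries most of the events, otherwise a data burst."""
    f = attack_pattern_features(counts)
    if f["frequency"] >= freq_threshold:
        return "continuous_activity"
    if f["ratio"] >= peak_threshold:
        return "transient_peak"
    return "data_burst"


# Correspondence table (assumption): i = network range (0 extranet, 1 intranet),
# j = device number within that range.
DEVICE_VECTORS = {
    "web-portal": (0, 1), "oa-server": (0, 2),
    "operator-station": (1, 1), "plc-sim": (1, 2), "real-plc": (1, 3),
}


def attack_path(devices):
    """Render the evolution of an attack across devices as arrows between vectors."""
    return " -> ".join(f"({i},{j})" for i, j in (DEVICE_VECTORS[d] for d in devices))


if __name__ == "__main__":
    samples = {
        "steady": [3, 4, 3, 5, 4, 3, 4, 4],     # low-rate activity every hour
        "peak":   [0, 0, 0, 40, 0, 0, 1, 0],    # one hour holds almost everything
        "burst":  [0, 0, 10, 12, 9, 0, 0, 0],   # a few consecutive busy hours
    }
    for name, series in samples.items():
        print(name, quantify_mode(series), attack_pattern_features(series))
    print(attack_path(["web-portal", "operator-station", "plc-sim"]))
```

Entropy is the feature that separates the three modes most cleanly when the raw counts differ in scale: the steady series spreads its events over every hour and scores close to the 3-bit maximum for eight hours, whereas the transient peak stays well below 1 bit however large the spike is.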
10. The processing method of the hybrid high-interaction industrial honeypot system of claim 5, wherein the display terminal in step three displays the attack situation, the displayed content being a line graph of attack data changes over a period of time, a pie chart of the proportion of internal and external IPs, and a real-time status graph of each honeypot device;
the display terminal generates a vulnerability risk report for each device and reports it to the administrator, who, in combination with specific scenarios such as the real industrial network, devices and services, carries out vulnerability repair, risk investigation and network isolation to improve the security of industrial assets.
CN202011254185.0A 2020-11-11 2020-11-11 Hybrid high-interaction industrial honeypot system and method Active CN112383538B (en)
Publications (2)

Publication Number Publication Date
CN112383538A true CN112383538A (en) 2021-02-19
CN112383538B CN112383538B (en) 2022-11-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant