CN112738120A - Honeypot-based data processing method, device and system and electronic equipment - Google Patents


Info

Publication number
CN112738120A
Authority
CN
China
Prior art keywords
flow
target host
honeypot
behavior
actual
Prior art date
Legal status
Pending
Application number
CN202011643982.8A
Other languages
Chinese (zh)
Inventor
胡逸漪
陈鹏
刘旭
章丽娟
陈振兴
Current Assignee
Shanghai Roarpanda Network Technology Co ltd
Original Assignee
Shanghai Roarpanda Network Technology Co ltd
Application filed by Shanghai Roarpanda Network Technology Co ltd
Priority to CN202011643982.8A
Publication of CN112738120A
Legal status: Pending

Classifications

    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/4557 Distribution of virtual machine instances; Migration and load balancing
    • G06F2009/45591 Monitoring or debugging support

Abstract

The application provides a honeypot-based data processing method, device and system and electronic equipment, relates to the technical field of data processing, and addresses the technical problem that honeypots occupy a large amount of internal resources. The method comprises the following steps: acquiring the actual traffic directed at a target host; and forwarding the actual traffic to a cloud service through a specified link, so that the cloud service restores, according to the actual traffic, the traffic behavior received by the target host through a honeypot, detects whether the traffic behavior matches a preset abnormal behavior, and sends prompt feedback when it does.

Description

Honeypot-based data processing method, device and system and electronic equipment
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a honeypot-based data processing method, apparatus, system, and electronic device.
Background
With the gradual progress of digitization, computers play a vital role in social activities; however, computer networks always carry a high security risk. For example, hackers may try to log in to corporate computer networks to steal, delete or alter information, or distribute computer viruses, worms, trojan horse programs and the like to other computers, where they are inadvertently downloaded or executed by computer users, paralyzing the whole computer network. Honeypot technology can effectively disguise a host or service, actively attract attack behavior, and thereby protect core data.
At present, honeypot technology has a single usage scenario and requires allocating considerable internal resources, particularly server resources and network resources, which is unfavorable for flexible deployment of the overall system structure.
Disclosure of Invention
The application aims to provide a honeypot-based data processing method, device and system and electronic equipment so as to alleviate the technical problem that honeypots occupy a large amount of internal resources.
In a first aspect, an embodiment of the present application provides a honeypot-based data processing method, applied to a traffic forwarding module disposed on a target host, the method including:
acquiring the actual traffic directed at the target host;
forwarding the actual traffic to a cloud service through a specified link, so that the cloud service restores, according to the actual traffic, the traffic behavior received by the target host through a honeypot, detects whether the traffic behavior matches a preset abnormal behavior, and sends prompt feedback when it does.
In one possible implementation, the step of forwarding the actual traffic to a cloud service through a specified link, so that the cloud service restores, according to the actual traffic, the traffic behavior received by the target host through a honeypot, includes:
transmitting the actual traffic, after bidirectional asymmetric encryption and compression, to the cloud service over a private link based on an encryption tunnel, so that the cloud service decrypts the encrypted actual traffic with a decryption key and restores the traffic behavior received by the target host through a honeypot according to the decrypted and decompressed actual traffic.
In one possible implementation, the step of acquiring the actual traffic directed at the target host includes:
copying the actual traffic directed at the target host by mirroring.
In a second aspect, an embodiment of the present application provides a honeypot-based data processing method, applied to a cloud server, the method including:
receiving the actual traffic directed at a target host, forwarded by a traffic forwarding module through a specified link, the traffic forwarding module being disposed on the target host;
restoring, according to the actual traffic, the traffic behavior received by the target host through a honeypot;
detecting whether the traffic behavior matches a preset abnormal behavior, and sending prompt feedback if it does.
In one possible implementation, the step of restoring, according to the actual traffic, the traffic behavior received by the target host through a honeypot includes:
inputting the actual traffic into a honeynet consisting of multiple groups of honeypots with different functions, and restoring the traffic behavior received by the target host through the honeynet, where the number and types of the groups of honeypots with different functions are adjusted according to the volume of the actual traffic and the honeypots are deployed through containers and virtual machines.
In a third aspect, an embodiment of the present application provides a honeypot-based data processing method, the method including:
the traffic forwarding module acquires the actual traffic directed at a target host, the traffic forwarding module being disposed on the target host;
the traffic forwarding module forwards the actual traffic to a cloud service through a specified link;
the cloud server receives the actual traffic forwarded by the traffic forwarding module;
the cloud service restores, according to the actual traffic, the traffic behavior received by the target host through a honeypot;
the cloud service detects whether the traffic behavior matches a preset abnormal behavior, and sends prompt feedback if it does.
In a fourth aspect, an embodiment of the present application provides a honeypot-based data processing apparatus, applied to a traffic forwarding module disposed on a target host, the apparatus including:
an acquisition unit configured to acquire the actual traffic directed at the target host;
a forwarding unit configured to forward the actual traffic to a cloud service through a specified link, so that the cloud service restores, according to the actual traffic, the traffic behavior received by the target host through a honeypot, detects whether the traffic behavior matches a preset abnormal behavior, and sends prompt feedback when it does.
In a fifth aspect, an embodiment of the present application provides a honeypot-based data processing apparatus, applied to a cloud server, the apparatus including:
a receiving unit configured to receive the actual traffic directed at the target host, forwarded by a traffic forwarding module through a specified link, the traffic forwarding module being disposed on the target host;
a restoring unit configured to restore, according to the actual traffic, the traffic behavior received by the target host through a honeypot;
a detection unit configured to detect whether the traffic behavior matches a preset abnormal behavior, and to send prompt feedback if it does.
In a sixth aspect, an embodiment of the present application provides a honeypot-based data processing system, including the cloud server according to the fifth aspect and at least one traffic forwarding module according to the fourth aspect.
In a seventh aspect, this application provides an electronic device, which includes a memory and a processor, where the memory stores a computer program executable on the processor, and the processor executes the computer program to implement the method of the first aspect, the second aspect, or the third aspect.
The embodiments of the application bring the following beneficial effects:
according to the honeypot-based data processing method, device, system and electronic equipment, the actual traffic of a target host is obtained and forwarded to the cloud service through the designated link, so that the cloud service restores, according to the actual traffic, the traffic behavior received by the target host through honeypots, detects whether the traffic behavior matches the preset abnormal behavior, and sends prompt feedback when it does. In this scheme, because the actual traffic is forwarded to the cloud service through the designated link, the various traffic behaviors actually experienced in the protected network can be faithfully restored by the honeypots on the cloud service without occupying additional internal resources, which solves the technical problem that honeypots occupy a large amount of internal resources.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the detailed description of the present application or the technical solutions in the prior art, the drawings needed in the detailed description or in the description of the prior art are briefly introduced below. It is obvious that the drawings in the following description show some embodiments of the present application, and other drawings can be obtained by those skilled in the art without creative effort.
Fig. 1 is a schematic flow chart of a honeypot-based data processing method according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a remote proxy honeypot system based on the honeypot data processing method according to an embodiment of the present application;
Fig. 3 is a schematic diagram of the tunneling used by the honeypot-based data processing method according to an embodiment of the present application;
Fig. 4 is another schematic flow chart of a honeypot-based data processing method according to an embodiment of the present application;
Fig. 5 is a schematic diagram of a conventional honeypot system, for comparison with the honeypot data processing method according to an embodiment of the present application;
Fig. 6 is another schematic flow chart of a honeypot-based data processing method according to an embodiment of the present application;
Fig. 7 is a schematic flow chart of the traffic forwarding program of a honeypot-based data processing method according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a honeypot-based data processing apparatus according to an embodiment of the present application;
Fig. 9 is another schematic structural diagram of a honeypot-based data processing apparatus according to an embodiment of the present application;
Fig. 10 is a block diagram of a honeypot-based data processing system according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of an electronic device provided in an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions of the present application will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "comprising" and "having," and any variations thereof, as referred to in the embodiments of the present application, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may alternatively include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Honeypot technology is essentially a technique for deceiving an attacker: a host, network service or piece of information is set up as bait to induce the attacker to attack it, so that the attack behavior can be captured and analyzed, the tools and methods used by the attacker can be learned, the attack intention and motivation can be inferred, the defender gains a clear picture of the security threats facing the current system, and the security of the production system can be strengthened by technical and management means.
At present, traditional honeypots integrate hardware equipment into the defender's network and deploy honeypot services at important nodes of the computer network; once a honeypot is maliciously attacked, the attack can be quickly traced back to the previous attacking node and the corresponding attack evidence retained. Traditional honeypots are used in a single way: hardware physical honeypots, or virtual honeypots in the form of virtual machines, must be deployed separately on the internal nodes of each network, which occupies more internal resources, particularly server resources, and more network resources such as IP addresses, is unfavorable to flexible deployment of the system's overall resources, and increases the system's operating cost.
Based on this, the embodiment of the application provides a honeypot-based data processing method, device and system and electronic equipment, and the technical problem that honeypots occupy more internal resources can be solved through the method.
Embodiments of the present application are further described below with reference to the accompanying drawings.
Fig. 1 is a schematic flow chart of a honeypot-based data processing method according to an embodiment of the present application. The method is applied to a traffic forwarding module disposed on a target host. As shown in Fig. 1, the method includes:
Step S110, acquiring the actual traffic directed at the target host.
For example, as shown in Fig. 2, the actual traffic of the target host can be obtained in real time by a traffic forwarding module attached to the target host.
Step S120, forwarding the actual traffic to the cloud service through the designated link, so that the cloud service restores, according to the actual traffic, the traffic behavior received by the target host through the honeypot, detects whether the traffic behavior matches the preset abnormal behavior, and sends prompt feedback when it does.
Here, the designated link is a link that transmits the actual traffic to the cloud service in encrypted form.
For example, as shown in Fig. 2, the forwarded actual traffic may be encrypted and transmitted to the cloud service through the designated link, which is anonymously hidden; the various traffic behaviors actually experienced in the protected network can then be faithfully restored by the cloud service, and once a honeypot detects abnormal behavior among the traffic behaviors, the data is stored immediately and an alarm is promptly fed back to the network security maintenance personnel.
In this embodiment, the actual traffic is forwarded to the cloud service through the encrypted designated link, the various traffic behaviors actually experienced in the protected network can be restored in time, abnormal behavior can be alerted on rapidly, no additional resources need to be occupied, and operating cost is saved.
The above steps are described in detail below.
In some embodiments, step S120 may include the following step:
a) transmitting the actual traffic, after bidirectional asymmetric encryption and compression, to the cloud service over a private link based on an encryption tunnel, so that the cloud service decrypts the encrypted actual traffic with a decryption key and restores the traffic behavior received by the target host through the honeypot according to the decrypted and decompressed actual traffic.
It should be noted that the construction of the private link mainly depends on encryption tunneling technology, including VPN remote access technology; the tunneling protocols used include PPTP, L2TP and IPSec. PPTP and L2TP operate at the second layer of the OSI model and are also called layer-2 tunneling protocols, while IPSec is a layer-3 tunneling protocol.
For example, as shown in Fig. 3, the specified tunnel may be encrypted by an encryption tunneling technique. The data transmitted through the tunnel may be data frames or packets of different protocols: frames or packets of another protocol are re-encapsulated with a new packet header and transmitted using the tunneling protocol. The new header provides routing information, so the encapsulated payload can be transmitted over the internet, and the encapsulated packet is routed between the two tunnel endpoints across the public internet. From the perspective of the two tunnel ends, encapsulation is used to create, maintain and tear down the tunnel, so the information is concealed and abstracted. The data in the tunnel is compressed and protected by bidirectional asymmetric encryption based on a self-signed certificate: compression reduces the network transmission burden and keeps data transmission fast and real-time, while bidirectional asymmetric encryption greatly improves the security of the transmission and makes the data harder to decrypt.
Further, after the cloud service receives the encrypted traffic transmitted over the private link, it decrypts the data with the corresponding decryption key. Besides differing in operating system, protocol and the like, honeypots also differ in interaction level (high-interaction versus low-interaction) and carry a lower protection level than production systems, so attack events of every level can readily be reproduced from the actual traffic. Therefore, once decryption and decompression are complete, the actual traffic can restore the traffic behavior received by the target host through the honeypot, and as soon as abnormal traffic behavior is found, the system stores the abnormal behavior information in the form of a log.
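As an added illustration (not code from the patent or its applicant), the following Go program models the private-link pipeline described above: the forwarding module compresses the mirrored traffic and then encrypts it for the cloud service, and the cloud service unwraps, verifies and decompresses it; the same `Seal`/`Open` pair serves the feedback direction with the host's key pair. It assumes a hybrid construction (RSA-OAEP wrapping a one-time AES-GCM key) in place of the self-signed-certificate tunnel, since RSA alone cannot carry bulk traffic; the key size and the sample payload are constructed.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Endpoint is one side of the private link; the host module and the cloud service each hold one.
type Endpoint struct{ priv *rsa.PrivateKey }

func NewEndpoint() (*Endpoint, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Endpoint{priv: k}, nil
}

func (e *Endpoint) Public() *rsa.PublicKey { return &e.priv.PublicKey }

// Envelope is the unit sent through the tunnel: a one-time AES key wrapped with the peer's
// RSA public key, the GCM nonce and the ciphertext of the gzip-compressed traffic.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal compresses mirrored traffic first (ciphertext does not compress), then encrypts it.
func Seal(peer *rsa.PublicKey, raw []byte) (*Envelope, error) {
	var zbuf bytes.Buffer
	zw := gzip.NewWriter(&zbuf) // in-memory writer: Write/Close cannot fail
	zw.Write(raw)
	zw.Close()
	key := make([]byte, 32) // fresh AES-256 key for every envelope
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, peer, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, zbuf.Bytes(), nil)}, nil
}

// Open is the receiving side: unwrap the key with our own private key, authenticate
// and decrypt, then decompress back to the original traffic bytes.
func (e *Endpoint) Open(env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, e.priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: wrong recipient or corrupt envelope")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("authentication failed: envelope modified in transit")
	}
	zr, err := gzip.NewReader(bytes.NewReader(plain))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

func main() {
	cloud, _ := NewEndpoint() // the cloud service's key pair; the host has its own
	env, _ := Seal(cloud.Public(), []byte("GET /login HTTP/1.1\r\n\r\n")) // constructed sample
	out, _ := cloud.Open(env)
	fmt.Printf("cloud restored %q\n", out)
}
```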
In some embodiments, step S110 may include the following step:
b) copying the actual traffic directed at the target host by mirroring.
For example, hosts carrying critical services, devices storing critical data, and host devices at critical network locations (e.g., core network switching devices) may be selected as the critical hosts or devices in the protected network. The data traffic of all ports of these important hosts or devices is forwarded by the upper-layer switch to a designated port, called the mirror port or destination port, so that the actual traffic of the target host is copied by mirroring. This implements the monitoring function of the network without affecting the normal throughput of the source port or the normal communication of other network devices.
Fig. 4 is a schematic flow chart of a honeypot-based data processing method according to an embodiment of the present application. The method is applied to the cloud server. As shown in Fig. 4, the method includes:
Step S410, receiving the actual traffic directed at the target host, forwarded by the traffic forwarding module through the designated link.
The traffic forwarding module is disposed on the target host.
For example, as shown in Fig. 2, the actual traffic of the target host forwarded by the traffic forwarding module through the specified link may be obtained. For another example, as shown in Fig. 5, compared with a conventional honeypot system, the cloud-service-based honeypot system provided in this embodiment does not need to be intrusively integrated into the network environment and supports simultaneous access by software and hardware, so honeypots with different functions can be deployed flexibly and operating cost is saved.
Step S420, restoring, according to the actual traffic, the traffic behavior received by the target host through the honeypot.
For example, as shown in Fig. 2, the various traffic behaviors actually experienced by the target host in the protected network can be faithfully restored through the honeypot.
Step S430, detecting whether the traffic behavior matches a preset abnormal behavior, and sending prompt feedback if it does.
It should be noted that corresponding exception-handling logic is set in each honeypot according to its requirements; once the traffic behavior is found to match the preset abnormal behavior, the abnormal behavior information is stored in log form and an alarm is promptly given to the network security maintenance personnel.
In this embodiment, the actual traffic of the target host is forwarded to the cloud server through the designated link, the various traffic behaviors actually received by the target host can be faithfully restored using the honeypot, abnormal behavior can be alerted on in time, no additional resources need to be occupied, and overall cost is saved.
The above steps are described in detail below.
In some embodiments, step S420 may include the following step:
c) inputting the actual traffic into a honeynet consisting of multiple groups of honeypots with different functions, and restoring the traffic behavior received by the target host through the honeynet.
The number and types of the groups of honeypots with different functions are adjusted according to the actual traffic, and the honeypots are deployed through containers and virtual machines.
It should be noted that the number and types of honeypots with different functions can be flexibly adjusted according to the actual traffic: when the traffic is larger, the number of honeypots in use can be increased, and when it is smaller, the number can be correspondingly reduced.
For example, when the system detects a high-volume attack, the number of honeypots can be temporarily increased through container technology, or additional honeypots can be instantiated inside the existing honeypots, which strengthens the protection and computing power of the whole system and raises data throughput. Conversely, during low-traffic periods such as night-time, some containers can be released, reducing bandwidth and the corresponding allocation of computing power, which saves overall cost during those periods. In this way the number and types of honeypots with different functions are adjusted dynamically.
In this embodiment, the honeynet composed of multiple groups of honeypots with different functions can be rapidly deployed and adjusted through container technology, which improves the flexibility and practicality of the whole system and saves its operating cost.
Fig. 6 is a schematic flow chart of a honeypot-based data processing method according to an embodiment of the present application. As shown in Fig. 6, the method includes:
Step S610, the traffic forwarding module obtains the actual traffic directed at the target host.
The traffic forwarding module is disposed on the target host. For example, as shown in Fig. 7, the actual traffic is forwarded in real time by a traffic forwarding module attached to the target host.
Step S620, the traffic forwarding module forwards the actual traffic to the cloud service through the designated link.
For example, as shown in Fig. 7, the forwarded actual traffic may be encrypted for transmission to the cloud server over the designated link, which is anonymously obscured.
Step S630, the cloud server receives the actual traffic forwarded by the traffic forwarding module.
For example, as shown in Fig. 7, the cloud server may receive the actual traffic forwarded by the traffic forwarding module and pass it to a honeynet composed of multiple groups of honeypots with different functions.
Step S640, the cloud service restores, according to the actual traffic, the traffic behavior received by the target host through the honeypot.
For example, as shown in Fig. 7, after receiving the encrypted traffic transmitted over the designated link, the cloud server decrypts the data with the decryption key corresponding to the protected network. The restored actual traffic is then load-balanced and directed to the cloud server's honeypots: the cloud service control end injects the complete traffic packets into a group of honeypots that pose as different operating systems (such as Windows, Linux, industrial control systems and the like), different services (such as mysql, redis and the like) or different protocols. These honeypots are built with container (docker) technology or virtual machine technology, which reduces the cost of actually deploying honeypots.
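As an added example (not code from the patent or its applicant), this Go program models the honeynet scheduling described in step S420 and step S640 above: honeypot groups are defined by the service ports they emulate, each group's replica count grows and shrinks with the observed packet rate within per-group bounds, and restored packets are load-balanced round-robin across the replicas of the matching group. Ports, capacities and rates are constructed values, and the container start/stop calls are left to the orchestrator and represented only as replica deltas.

```go
package main

import "fmt"

// HoneypotType is one functional group of the honeynet, e.g. an emulated mysql
// or redis service. Ports and capacities are constructed values for this example.
type HoneypotType struct {
	Name     string
	Ports    []int // destination ports this group emulates
	Capacity int   // packets per second one instance can absorb
	Min, Max int   // replica bounds
}

// Honeynet holds the current replica count per group and a round-robin cursor
// used to load-balance restored traffic across a group's replicas.
type Honeynet struct {
	Types    []HoneypotType
	Replicas map[string]int
	cursor   map[string]int
}

func NewHoneynet(types []HoneypotType) *Honeynet {
	h := &Honeynet{Types: types, Replicas: map[string]int{}, cursor: map[string]int{}}
	for _, t := range types {
		h.Replicas[t.Name] = t.Min
	}
	return h
}

// Desired is the replica count needed for an observed packet rate:
// ceil(rate/capacity), clamped to [Min, Max].
func (t HoneypotType) Desired(pps int) int {
	n := (pps + t.Capacity - 1) / t.Capacity
	if n < t.Min {
		n = t.Min
	}
	if n > t.Max {
		n = t.Max
	}
	return n
}

// Rescale applies per-group packet rates and returns the replica delta per group
// (positive: containers to start, negative: containers to stop). A group only
// shrinks once its load drops to half of the current capacity, so a rate that
// hovers around a threshold does not start and stop containers repeatedly.
func (h *Honeynet) Rescale(pps map[string]int) map[string]int {
	changes := map[string]int{}
	for _, t := range h.Types {
		cur, want := h.Replicas[t.Name], t.Desired(pps[t.Name])
		if want < cur && pps[t.Name] > cur*t.Capacity/2 {
			want = cur // hysteresis: keep the capacity for now
		}
		if want != cur {
			changes[t.Name] = want - cur
			h.Replicas[t.Name] = want
		}
	}
	return changes
}

// Route selects the group for a restored packet by destination port and
// round-robins across that group's replicas. ok is false when no honeypot
// emulates the port, i.e. the packet has no meaningful destination.
func (h *Honeynet) Route(dstPort int) (group string, replica int, ok bool) {
	for _, t := range h.Types {
		for _, p := range t.Ports {
			if p != dstPort {
				continue
			}
			replica = h.cursor[t.Name] % h.Replicas[t.Name]
			h.cursor[t.Name]++
			return t.Name, replica, true
		}
	}
	return "", 0, false
}

func main() {
	h := NewHoneynet([]HoneypotType{
		{Name: "mysql", Ports: []int{3306}, Capacity: 100, Min: 1, Max: 5},
		{Name: "redis", Ports: []int{6379}, Capacity: 200, Min: 1, Max: 3},
	})
	fmt.Println("daytime surge:", h.Rescale(map[string]int{"mysql": 350, "redis": 50}))
	fmt.Println("night-time:   ", h.Rescale(map[string]int{"mysql": 40, "redis": 0}))
	g, r, ok := h.Route(3306)
	fmt.Println("port 3306 ->", g, "replica", r, ok)
}
```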
Step S650, the cloud service detects whether the traffic behavior matches a preset abnormal behavior, and sends prompt feedback if it does.
For example, as shown in Fig. 7, different abnormal-behavior processing logic is built into each honeypot. Once abnormal traffic behavior is found, the abnormal behavior information is stored in log form and an alarm is promptly fed back to the network security maintenance personnel. Meanwhile, the data terminal collects the log data output by each honeypot, combs the abnormal behavior information out of the logs in detail, and, by pruning the log data in a second pass, eliminates misjudged data in time; real attack information is classified by attack category, degree of maliciousness, behavior mode and the like, and stored accordingly. Furthermore, once the data terminal determines that the honeypot has captured valuable data, the cloud server control end can immediately locate the corresponding traffic packets, so that they are not discarded and can be retained for evidence analysis; at the same time, the process of the honeypot capturing the attack can be displayed on a visual web interface, providing real-time alarm prompts.
In this embodiment, by constructing an overall system architecture that combines honeypot trapping technology with a cloud service, the actual traffic of the target host is forwarded to the cloud service, the traffic behavior is restored by the honeypots on the cloud server, and a prompt alarm is sent for traffic behavior matching the preset abnormal behavior, which improves the security of communication data and saves internal resources and operating cost.
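As an added example (not the patent's own code), the following Go program shows the data-terminal stage of step S650 on a constructed honeypot log: sanctioned internal scanners are dropped as misjudgments, events are tallied per source, and each source is classified by attack category, degree of maliciousness and behavior mode while the references to its traffic packets are retained for evidence. The log schema, event names, addresses and thresholds are assumptions.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Event is one record a honeypot logs after restoring traffic. The schema is
// constructed for this example; the page does not define the real log format.
type Event struct {
	Honeypot string `json:"honeypot"`
	Src      string `json:"src"`
	Kind     string `json:"event"` // auth_fail, cmd_exec, port_probe, ...
	PktRef   string `json:"pkt"`   // id of the stored traffic packet
}

// Alert is what the data terminal retains after filtering and classification.
type Alert struct {
	Src      string
	Category string   // attack category
	Severity string   // degree of maliciousness
	Mode     string   // behaviour mode
	PktRefs  []string // packets to keep for evidence instead of discarding
}

// Policy is the preset abnormal-behaviour configuration.
type Policy struct {
	AuthFailThreshold int
	Allowlist         map[string]bool // sanctioned internal scanners (misjudgments)
}

// SampleLogs is a constructed honeypot log using RFC 5737 documentation addresses.
const SampleLogs = `
{"ts":"2021-01-01T02:00:01Z","honeypot":"ssh-a","src":"203.0.113.7","event":"auth_fail","pkt":"p1"}
{"ts":"2021-01-01T02:00:02Z","honeypot":"ssh-a","src":"203.0.113.7","event":"auth_fail","pkt":"p2"}
{"ts":"2021-01-01T02:00:03Z","honeypot":"ssh-a","src":"203.0.113.7","event":"auth_fail","pkt":"p3"}
{"ts":"2021-01-01T02:00:09Z","honeypot":"redis-b","src":"198.51.100.4","event":"cmd_exec","pkt":"p4"}
{"ts":"2021-01-01T02:00:10Z","honeypot":"mysql-c","src":"10.0.0.9","event":"port_probe","pkt":"p5"}
{"ts":"2021-01-01T02:00:11Z","honeypot":"ssh-a","src":"192.0.2.20","event":"auth_fail","pkt":"p6"}
not json: a corrupt line that must not stop the collector
`

// Classify parses log lines, drops misjudgments, tallies events per source and
// labels each source. Sources below every threshold produce no alert.
func Classify(logs string, pol Policy) map[string]*Alert {
	type tally struct {
		counts map[string]int
		refs   []string
	}
	bySrc := map[string]*tally{}
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		var ev Event
		if err := json.Unmarshal([]byte(sc.Text()), &ev); err != nil || ev.Src == "" {
			continue // blank or malformed record: skip, never crash the pipeline
		}
		if pol.Allowlist[ev.Src] {
			continue // known internal scanner: a misjudgment, discarded
		}
		t := bySrc[ev.Src]
		if t == nil {
			t = &tally{counts: map[string]int{}}
			bySrc[ev.Src] = t
		}
		t.counts[ev.Kind]++
		t.refs = append(t.refs, ev.PktRef)
	}
	alerts := map[string]*Alert{}
	for src, t := range bySrc {
		a := &Alert{Src: src, PktRefs: t.refs}
		switch {
		case t.counts["cmd_exec"] > 0: // commands run inside a decoy: hostile by definition
			a.Category, a.Severity, a.Mode = "post-exploitation", "critical", "interactive"
		case t.counts["auth_fail"] >= pol.AuthFailThreshold:
			a.Category, a.Severity, a.Mode = "credential-guessing", "high", "automated"
		case t.counts["port_probe"] > 0:
			a.Category, a.Severity, a.Mode = "reconnaissance", "low", "automated"
		default:
			continue // e.g. a single failed login: noise, not an alert
		}
		alerts[src] = a
	}
	return alerts
}

func main() {
	pol := Policy{AuthFailThreshold: 3, Allowlist: map[string]bool{"10.0.0.9": true}}
	for src, a := range Classify(SampleLogs, pol) {
		fmt.Printf("%-13s %-19s %-8s %-11s keep=%v\n", src, a.Category, a.Severity, a.Mode, a.PktRefs)
	}
}
```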
Fig. 8 provides a schematic diagram of a honeypot-based data processing apparatus. The apparatus can be applied to a traffic forwarding module arranged on a target host. As shown in fig. 8, the honeypot-based data processing apparatus 800 includes:
an obtaining unit 801, configured to obtain the actual traffic for a target host;
the forwarding unit 802 is configured to forward the actual traffic to the cloud service through the designated link, so that the cloud service restores, according to the actual traffic, a traffic behavior received by the target host through the honeypot, detects whether the traffic behavior conforms to a preset abnormal behavior, and sends a prompt feedback when the traffic behavior conforms to the preset abnormal behavior.
In some embodiments, the forwarding unit 802 is specifically configured to:
transmitting the actual traffic, after bidirectional asymmetric encryption and compression, to the cloud service over a private link based on an encryption tunnel, so that the cloud service decrypts the encrypted actual traffic with a decryption key and restores, from the decrypted and decompressed actual traffic, the traffic behavior received by the target host through the honeypot.
In some embodiments, the obtaining unit 801 is specifically configured to:
copying and acquiring the actual traffic for the target host by mirroring.
The honeypot-based data processing device provided by the embodiment of the application has the same technical characteristics as the honeypot-based data processing method provided by the embodiment, so that the same technical problems can be solved, and the same technical effects can be achieved.
Fig. 9 provides a schematic diagram of a honeypot-based data processing apparatus. The apparatus can be applied to a cloud server. As shown in fig. 9, the honeypot-based data processing apparatus 900 includes:
a receiving unit 901, configured to receive the actual traffic for a target host that is forwarded by a traffic forwarding module through a specified link, the traffic forwarding module being arranged on the target host;
the restoring unit 902, configured to restore, from the actual traffic, the traffic behavior received by the target host through the honeypot;
the detecting unit 903 is configured to detect whether the traffic behavior meets a preset abnormal behavior, and send a prompt feedback if the traffic behavior meets the preset abnormal behavior.
In some embodiments, the restoring unit 902 is specifically configured to:
input the actual traffic into a honeynet consisting of multiple groups of honeypots with different functions, and restore the traffic behavior received by the target host through the honeynet; the number and types of the multiple groups of honeypots with different functions are adjusted according to the actual traffic, and the honeypots are deployed through containers and virtual machines.
The honeypot-based data processing device provided by the embodiment of the application has the same technical characteristics as the honeypot-based data processing method provided by the embodiment, so that the same technical problems can be solved, and the same technical effects can be achieved.
FIG. 10 provides a block diagram of a honeypot based data processing system. As shown in FIG. 10, honeypot based data processing system 1000 includes: the cloud server shown in fig. 9 and at least one traffic forwarding module shown in fig. 8.
The honeypot-based data processing system provided by the embodiment of the application has the same technical characteristics as the honeypot-based data processing method provided by the embodiment, so that the same technical problems can be solved, and the same technical effects can be achieved.
As shown in fig. 11, an electronic device 1100 according to an embodiment of the present application includes a processor 1102 and a memory 1101, where the memory stores a computer program that is executable on the processor, and the processor implements the steps of the method according to the foregoing embodiment when executing the computer program.
Referring to fig. 11, the electronic device further includes: a bus 1103 and a communication interface 1104, the processor 1102, the communication interface 1104, and the memory 1101 being connected by the bus 1103; the processor 1102 is operable to execute executable modules, such as computer programs, stored in the memory 1101.
The memory 1101 may include a random access memory (RAM) and may also include a non-volatile memory, such as at least one disk memory. The communication connection between the network element of the system and at least one other network element is implemented through at least one communication interface 1104 (which may be wired or wireless), and the Internet, a wide area network, a local area network, a metropolitan area network, and the like may be used.
The bus 1103 may be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 11, but that does not indicate only one bus or one type of bus.
The memory 1101 is used for storing a program, and the processor 1102 executes the program after receiving an execution instruction, and the method performed by the apparatus defined by the process disclosed in any of the foregoing embodiments of the present application may be applied to the processor 1102, or implemented by the processor 1102.
The processor 1102 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 1102. The processor 1102 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or another programmable logic device, discrete gate or transistor logic device, or discrete hardware component. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed by it. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM or registers. The storage medium is located in the memory 1101; the processor 1102 reads the information in the memory 1101 and completes the steps of the above method in combination with its hardware.
The honeypot-based data processing device provided by the embodiment of the application can be specific hardware on equipment, or software or firmware installed on the equipment, and the like. The device provided by the embodiment of the present application has the same implementation principle and technical effect as the foregoing method embodiments, and for the sake of brief description, reference may be made to the corresponding contents in the foregoing method embodiments where no part of the device embodiments is mentioned. It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the foregoing systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus, method and system may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
For another example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments provided in the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus once an item is defined in one figure, it need not be further defined and explained in subsequent figures, and moreover, the terms "first", "second", "third", etc. are used merely to distinguish one description from another and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that the above-mentioned embodiments are only specific embodiments of the present application, used to illustrate the technical solutions of the present application rather than to limit them, and the scope of the present application is not limited thereto. Although the present application is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can modify or easily conceive of the technical solutions described in the foregoing embodiments, or substitute equivalents for some of their technical features, within the technical scope disclosed in the present application; such modifications, changes or substitutions do not depart from the scope of the embodiments of the present application and are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A honeypot-based data processing method, applied to a traffic forwarding module arranged on a target host, the method comprising the following steps:
acquiring the actual traffic for the target host;
forwarding the actual traffic to a cloud service through a specified link, so that the cloud service restores, according to the actual traffic, the traffic behavior received by the target host through a honeypot, detects whether the traffic behavior conforms to a preset abnormal behavior, and sends prompt feedback when the traffic behavior conforms to the preset abnormal behavior.
2. The honeypot-based data processing method of claim 1, wherein the step of forwarding the actual traffic to a cloud service through a specified link so that the cloud service restores traffic behavior received by the target host through honeypots according to the actual traffic comprises:
transmitting the actual traffic, after bidirectional asymmetric encryption and compression, to the cloud service over a private link based on an encryption tunnel, so that the cloud service decrypts the encrypted actual traffic with a decryption key and restores, from the decrypted and decompressed actual traffic, the traffic behavior received by the target host through a honeypot.
3. The honeypot-based data processing method of claim 1, wherein the step of obtaining actual traffic for the target host comprises:
copying and acquiring the actual traffic for the target host by mirroring.
4. A honeypot-based data processing method, applied to a cloud server, the method comprising the following steps:
receiving the actual traffic for a target host that is forwarded by a traffic forwarding module through a specified link, the traffic forwarding module being arranged on the target host;
restoring, according to the actual traffic, the traffic behavior received by the target host through a honeypot;
detecting whether the traffic behavior conforms to a preset abnormal behavior, and sending prompt feedback if the traffic behavior conforms to the preset abnormal behavior.
5. The honeypot-based data processing method of claim 4, wherein the step of restoring the traffic behavior received by the target host through honeypots according to the actual traffic comprises:
inputting the actual traffic into a honeynet consisting of multiple groups of honeypots with different functions, and restoring the traffic behavior received by the target host through the honeynet; and adjusting the number and types of the multiple groups of honeypots with different functions according to the size of the actual traffic, and deploying the honeypots through a container and a virtual machine.
6. A honeypot-based data processing method, the method comprising:
the traffic forwarding module acquires the actual traffic for a target host, the traffic forwarding module being arranged on the target host;
the traffic forwarding module forwards the actual traffic to a cloud service through a specified link;
the cloud server receives the actual traffic forwarded by the traffic forwarding module;
the cloud service restores, according to the actual traffic, the traffic behavior received by the target host through a honeypot;
the cloud service detects whether the traffic behavior conforms to a preset abnormal behavior and, if so, sends prompt feedback.
7. A honeypot-based data processing apparatus, applied to a traffic forwarding module provided on a target host, the apparatus comprising:
an acquisition unit, configured to acquire the actual traffic for the target host;
a forwarding unit, configured to forward the actual traffic to a cloud service through a specified link, so that the cloud service restores, according to the actual traffic, the traffic behavior received by the target host through a honeypot, detects whether the traffic behavior conforms to a preset abnormal behavior, and sends prompt feedback when the traffic behavior conforms to the preset abnormal behavior.
8. A honeypot-based data processing apparatus, applied to a cloud server, the apparatus comprising:
a receiving unit, configured to receive the actual traffic for a target host that is forwarded by a traffic forwarding module through a specified link, the traffic forwarding module being arranged on the target host;
a restoring unit, configured to restore, according to the actual traffic, the traffic behavior received by the target host through a honeypot;
a detection unit, configured to detect whether the traffic behavior conforms to a preset abnormal behavior, and to send prompt feedback if the traffic behavior conforms to the preset abnormal behavior.
9. A honeypot based data processing system, comprising: the cloud server of claim 8 and at least one traffic forwarding module of claim 7.
10. An electronic device comprising a memory and a processor, wherein the memory stores a computer program operable on the processor, and wherein the processor implements the steps of the method of any of claims 1 to 6 when executing the computer program.
CN202011643982.8A 2020-12-31 2020-12-31 Honeypot-based data processing method, device and system and electronic equipment Pending CN112738120A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011643982.8A CN112738120A (en) 2020-12-31 2020-12-31 Honeypot-based data processing method, device and system and electronic equipment


Publications (1)

Publication Number Publication Date
CN112738120A true CN112738120A (en) 2021-04-30


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114915493A (en) * 2022-06-22 2022-08-16 云南电网有限责任公司 Trapping deployment method based on power monitoring system network attack

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109547250A (en) * 2018-11-26 2019-03-29 深信服科技股份有限公司 Cloud honey net device and cloud honey net configuration method, system, equipment, computer media
CN110784361A (en) * 2019-10-31 2020-02-11 国网河南省电力公司电力科学研究院 Virtualized cloud honey network deployment method, device, system and computer-readable storage medium
CN110881052A (en) * 2019-12-25 2020-03-13 成都知道创宇信息技术有限公司 Network security defense method, device and system and readable storage medium
CN111641620A (en) * 2020-05-21 2020-09-08 黄筱俊 Novel cloud honeypot method and framework for detecting evolution DDoS attack



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination