CN113328992A - Dynamic honey net system based on flow analysis - Google Patents
- Publication number: CN113328992A (application CN202110437933.7A)
- Authority: CN (China)
- Prior art keywords: honeynet, honeypot, traffic, data
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic; H04L63/00, network architectures or protocols for network security)
- H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment (under H04L63/1441, countermeasures against malicious traffic)
- Y02D30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (under Y02D30/00, reducing energy consumption in communication networks)
Abstract
The invention belongs to the technical field of industrial control network security and relates to a dynamic honeynet system based on traffic analysis: an industrial control dynamic honeynet built from Docker containers, together with a method for dynamically adjusting the honeynet on the basis of traffic analysis. The system comprises a deception environment layer, a data processing layer and a honeynet management layer. When the interaction depth of the honeynet is high, the activity of the honeypots in each subnet can be raised at low iteration cost; when the interaction depth is low, a honeypot-state adjustment method ranks the honeypots by access count and updates the honeypots with the maximum and minimum activity by means of their honeypot ages, so that every honeypot reflects the traffic conditions of the area in which it sits and the decoy capability of the honeynet improves faster and more comprehensively. The method realizes an industrial control dynamic honeynet architecture, improves the data collection capability of the honeynet, captures more malicious traffic data and provides data support for network security analysis of industrial environments.
Description
Technical Field
The invention belongs to the technical field of industrial control network security and relates to a dynamic honeynet system based on traffic analysis, in particular an industrial control dynamic honeynet system using Docker containers and a honeynet adjustment method based on traffic analysis.
Background
In recent years, the demand for intelligent and automatic control of industrial control systems has required the introduction of network communication modes and technologies. More and more industrial systems adopt general-purpose software, hardware and network facilities and are widely integrated with enterprise management information systems, so industrial control networks have become increasingly open. Traditional enterprises in industrial production have invested mainly in production technology and comparatively little in industrial control security; some pay no attention to protecting their industrial systems at all. Together these factors give network attackers a good opportunity.
Compared with traditional network security, industrial control network security must guarantee production efficiency and network security at the same time, and traditional network security schemes are difficult to realize in industrial control networks. Because of these constraints of industrial environments, honeypot technology has been widely adopted and has developed well in industrial control security. Honeynet technology arose to make honeypots more deceptive: a honeynet comprises several honeypots that communicate with each other and form an independently operated, large-scale false service system, in which part of the service logic simulates real services and the rest runs false services. Once started, the system is highly deceptive, so an attacker exposes more attack behaviour inside it.
The configuration file of a traditional static honeynet is fixed before start-up and does not change at run time. It lacks flexibility and returns the same parameter information in every interaction with an attacker, which easily arouses the attacker's suspicion; the attacker then refuses to communicate with the honeynet, and the honeynet loses its value.
For this reason, dynamic deployment and configuration of honeynets has gradually become mainstream, and optimizing the dynamic adjustment method of a honeynet has become a trend.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a dynamic honeynet system based on traffic analysis, with the aim of optimizing the dynamic adjustment of the honeynet.
The technical scheme adopted by the invention to achieve this purpose is as follows:
A dynamic honeynet system based on traffic analysis is divided and built as a three-layer structure, characterized by: a deception environment layer, a data processing layer and a honeynet management layer.
Further, the deception environment layer is the bottom layer, the data processing layer is the middle layer and the honeynet management layer is the upper layer.
Further, the deception environment layer realizes the deception environment of the dynamic honeynet, namely the protocol simulation; the data processing layer realizes log collection and dynamic adjustment; the honeynet management layer realizes the traffic forwarding service used during dynamic adjustment of the honeynet.
Further, the deception environment layer comprises several virtual honeypots running in Docker containers. Each honeypot container is allocated an IP address and a unique identification ID according to its protocol type, which the honeynet management layer uses to manage the honeypots; the honeypots communicate with each other according to a pre-configured communication list and form a dynamic, constantly changing honeynet.
The log files collected in each virtual honeypot are sent at fixed intervals to the log server of the processing layer, where the attack data is stored. When the environment is built, the Modbus/TCP and S7comm protocols are selected for the simulation environment, and communication in both protocols is realized on top of the TCP/IP stack. The basic communication process is: the client establishes a connection to the server with a TCP three-way handshake and then sends request messages; the server replies with a response PDU (protocol data unit) to each request, until neither end has messages to send or the client sends a close request and the connection is closed. The honeypot first initializes and configures basic information such as the size of the device memory, the device ID, the start address and the IP address; the server then opens a listening socket and waits until it receives a request from a client or a scanner. On receiving a request, it splits and parses the message according to the protocol, responds to the request, and generates a log record throughout its operation; it also monitors the port traffic while the honeypot device runs.
Further, the data processing layer is responsible for processing the traffic data in the honeynet and parses the traffic data according to the type of industrial control protocol in the captured pcap packets. The data processing layer also provides the log service that collects the running information of the honeypots in the lower layer, specifically the basic information of attackers and scanners, the error information generated while the honeypots run, and the unknown fields the honeypots encountered but could not parse. The server stores the logs classified by type for subsequent attacker profiling.
Further, log collection is performed by the Docker container through a directory mount, and the log collection method comprises the following steps:
Step (1): create a log storage directory /var/logs on the honeynet host with one subdirectory per honeypot in the honeynet, each holding that honeypot's log data, and share each subdirectory with the log directory inside the corresponding container by mounting it (only the honeypot's own subdirectory is mounted, not /var/logs as a whole, so a compromised honeypot cannot read or tamper with the logs of the others). When a virtual honeypot writes logs to the directory inside its container, the files are shared with the honeynet host, which thereby collects the logs of the virtual honeypot.
Step (2): the honeynet host sends the log files it has collected from the honeynet to the log server for storage and further analysis.
Further, the realization of the honeynet management layer, namely the realization of dynamic adjustment, comprises a honeynet state monitoring service and a traffic forwarding service. The dynamic adjustment module is the core of the whole dynamic honeynet; the Docker configuration module manages the honeypots in the deception environment on the basis of the honeynet configuration generated by the dynamic adjustment module, and maintains the port mapping rules and network access rules of all honeypots. The dynamic adjustment service uses the parsed industrial control protocol messages to implement the honeynet adjustment algorithm and adjusts the honeynet according to its real-time traffic data.
Further, the adjustment process comprises the following steps:
Step 1: capture the traffic data in the honeynet at a fixed time interval;
in the formula, |M_i| denotes the total number of packets from the same source IP address and |M_i^{bp}| the number of large packets received from the same source IP address;
Step 3: when the scanning depth is below a set threshold, or a user-defined adjustment method applies, define the age of a honeypot in three stages according to its access count: YOUNG, MATURE and OLD, and define the upper and lower age thresholds b and a of the YOUNG state;
Step 5: perform packet-capture statistics and analysis on the honeynet traffic and sort the honeypot access counts within each protocol;
Step 7: update the age stage of the honeypots: a honeypot whose age is less than a enters the OLD stage, and one whose age is greater than b enters the MATURE stage;
Step 9: record the configuration of the honeypots in the MATURE stage and use it to generate new honeypots that are added to the honeynet with an initial age of 1;
Step 13: when the decoy capability has dropped to a set threshold, the honeynet adjusts the honeypot configuration with the adjustment algorithm to improve the decoy capability:
Step 14: count the number of TCP connections and ICMP messages of each honeypot together with their weights and compute the activity of the honeypot; if the capture times are T = {t_1, t_2, ..., t_n}, the activity of the honeypot at time t_n is computed by the following formula;
Step 15: build two hash tables, PotActiveMap and maxActiveMap, storing respectively the mapping from IP address to activity and the mapping from protocol to activity, and fill PotActiveMap;
Step 16: update maxActiveMap, choosing among honeypots with equal activity the one with the largest number of TCP connections;
Step 17: traverse the honeypot configuration files and compare a random number against the alignment degree ρ for each honeypot: if the random number is less than ρ, adjust the honeypot according to the configuration of the honeypot with the maximum activity and add the adjusted configuration file to the result set; otherwise add the original configuration file to the result set. The result set is the new honeynet configuration file, which is returned.
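The two adjustment methods of steps 3 to 9 (age based) and 13 to 17 (activity based), written out as a runnable module. This is an added example, not the patent's code. Steps 2, 4, 6, 8 and 10 to 12 and the two formulas are not reproduced on the page, so the following are assumptions: in each round the most visited honeypot of a protocol gains one unit of age and the least visited loses one; activity is w_tcp * (TCP connections) + w_icmp * (ICMP messages); and the defaults a = 1, b = 3, ρ = 0.5. The honeypot names, addresses, visit counts and connection statistics are constructed inputs.

```python
"""Age-based and activity-based honeynet adjustment (steps 3-9, 13-17).

Added example, not the patent's code. Step size of the age update, the
activity weights and the default thresholds a, b, rho are assumptions.
"""
import random
from dataclasses import dataclass, replace

YOUNG, MATURE, OLD = "YOUNG", "MATURE", "OLD"


@dataclass
class Honeypot:
    pot_id: str
    ip: str
    protocol: str      # e.g. "modbus" or "s7comm"
    config: dict       # the honeypot's configuration file as a dict
    age: int = 1       # step 9: new honeypots start at age 1
    stage: str = YOUNG


def age_stage(age, a, b):
    """Step 7: below the lower YOUNG threshold a the pot is OLD, above the
    upper threshold b it is MATURE, otherwise it stays YOUNG."""
    if age < a:
        return OLD
    return MATURE if age > b else YOUNG


def adjust_by_age(pots, visits, a=1, b=3):
    """Steps 5 to 9. `visits` maps pot_id -> access count in the last window.
    Ages of the input pots are updated in place. Returns the new honeypot list:
    OLD pots are retired, MATURE pots stay and their configuration is cloned
    into a fresh age-1 honeypot."""
    by_proto = {}
    for p in pots:
        by_proto.setdefault(p.protocol, []).append(p)
    result = []
    for proto, group in by_proto.items():
        group.sort(key=lambda p: visits.get(p.pot_id, 0), reverse=True)   # step 5
        if len(group) > 1:
            group[0].age += 1     # most visited honeypot ages (assumed step of 1)
            group[-1].age -= 1    # least visited honeypot loses age
        for p in group:
            p.stage = age_stage(p.age, a, b)                               # step 7
            if p.stage == OLD:
                continue          # retired from the honeynet
            result.append(p)
            if p.stage == MATURE:                                          # step 9
                # The Docker configuration module assigns the clone's address.
                result.append(Honeypot(f"{p.pot_id}-new{p.age}", "unassigned",
                                       proto, dict(p.config)))
    return result


def activity(stats, w_tcp=1.0, w_icmp=0.2):
    """Step 14: weighted TCP connection and ICMP message counts (weights assumed)."""
    return w_tcp * stats["tcp"] + w_icmp * stats["icmp"]


def adjust_by_activity(pots, stats, rho=0.5, rng=None):
    """Steps 14 to 17. `stats` maps pot_id -> {"tcp": n, "icmp": m}.
    Returns (new pot list, PotActiveMap, maxActiveMap as protocol -> pot_id)."""
    rng = rng or random.Random()
    empty = {"tcp": 0, "icmp": 0}

    def rank(p):  # activity first, TCP connection count breaks ties (step 16)
        s = stats.get(p.pot_id, empty)
        return (activity(s), s["tcp"])

    pot_active = {p.ip: rank(p)[0] for p in pots}          # step 15: IP -> activity
    max_active = {}                                        # step 16: protocol -> most active pot
    for p in pots:
        best = max_active.get(p.protocol)
        if best is None or rank(p) > rank(best):
            max_active[p.protocol] = p
    result = []
    for p in pots:                                         # step 17
        if rng.random() < rho:
            merged = {**p.config, **max_active[p.protocol].config}
            result.append(replace(p, config=merged))
        else:
            result.append(p)
    return result, pot_active, {k: v.pot_id for k, v in max_active.items()}


def adjust(pots, visits, stats, scan_depth, depth_threshold=3, rng=None):
    """Step 3 / step 13 dispatcher: a shallow scan uses the age method, a deep
    one the activity method (the decoy-capability trigger of step 13 is left
    to the state monitoring service)."""
    if scan_depth < depth_threshold:
        return adjust_by_age(pots, visits)
    return adjust_by_activity(pots, stats, rng=rng)[0]
```

With a = 1 a freshly added honeypot (age 1) is YOUNG and is retired after a single round in which it is the least visited of its protocol; raise a above 1 only if the step size is raised as well, otherwise step 9's clones are born OLD.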
Further, the honeynet state monitoring service supports the whole dynamic adjustment service and computes the decoy capability of the honeynet, the access count and activity of the honeypots, and the scanning breadth and scanning depth; the traffic forwarding service forwards traffic to a specific honeynet environment or honeypot in the honeynet gateway of the management layer, so that specific traffic data receives a response.
Further, the traffic forwarding service performs a second filtering of the traffic data with a policy engine on top of Snort rule matching, and forwards traffic data of a specific structure to a given honeynet for response according to the filtering result. First, a pre-positioned traffic analysis in the honeynet gateway classifies the traffic entering the honeynet according to rules, so that different types of traffic enter different honeynets or honeypots; this pre-positioned analysis filters and forwards attack traffic by matching the parsed traffic data against a defined rule set and forwarding according to the match result. Second, the gateway's traffic forwarding is optimized at the honeynet level: traffic with different characteristics is forwarded to honeynets with different configurations and interaction degrees, so that the attacker communicates with the honeynet at a deeper level and more data is collected for the analysis of malicious attackers.
The policy engine comprises a rule set, a controller and a classifier.
The rule set is written by the honeynet administrator and holds the traffic characteristics to be matched: IP address, port number, data-part size rules, and the threatening function-code fields specific to industrial control protocols together with their values.
The controller coordinates the rule set and the classifier, ensures the rule set is well formed, and invokes iptables to forward traffic according to the classifier's match result.
The classifier matches the traffic data against the traffic characteristics in the rule set and forwards it according to the match result.
Rule matching in the industrial control honeynet targets the high-threat traffic carried by the TCP-encapsulated industrial control protocols. Matching finally outputs one of several rule actions, each defined by the function of a function code, and rule writing is simplified by using the field values parsed from the industrial control protocol. The drop action discards packets that meet the rule and rejects all subsequent connection requests matching the same rule; ftm2S7c forwards the current S7comm connection to a honeynet with a higher degree of interaction; ftm1S7c forwards the S7comm connection to the normal, medium-interaction honeynet environment. The second rule is triggered by most S7comm connections and corresponds to the medium-interaction honeynet, which generally offers only queries of basic information such as device type, number of coils and device model. The first rule is triggered when a function code with a greater threat is matched; the connection is then handed to a honeynet with a higher degree of interaction and more comprehensive protection, which responds to that function code of the protocol.
The rule matching algorithm is as follows: first read the pcap traffic data file and judge the validity of the data part of each message; if the data part of the current message is valid, generate the matching rule according to the policy engine and return it. A deterministic finite automaton reads one byte of the message at a time and updates the current state to state'; if no state exists for the character just read, status' is set to FAIL; if the data part of the message matches a forwarding rule, that rule is returned.
The basic flow of traffic forwarding is as follows: when a communication connection between an external address and the honeynet is established, first judge whether the data part of the current connection is valid; if there is no valid payload, forward the connection directly to the low-interaction honeynet environment. Otherwise parse the data part of the connection and match it with the policy engine; the controller then forwards according to the match result. If the match is drop and the connection rejection count of the same IP is below the threshold, close the connection immediately, end the communication, identify the source IP and record the disconnection; if the rejection count of the same IP exceeds the threshold, divert the traffic from that IP to the low-interaction honeynet environment. If the match result is ftm2proc or ftm1proc, forward the traffic to honeynets of different interaction degrees according to the function code of the connection.
The invention has the following beneficial effects and advantages:
The innovation of the dynamic honeynet system based on traffic analysis lies in the dynamic honeynet adjustment system it proposes. When the interaction depth of the honeynet is high, the activity of the honeypots in each subnet can be raised at low iteration cost; when the interaction depth is low, the honeypot-state adjustment method sorts the honeypots by access count and updates the honeypots with the maximum and minimum activity by their ages, so that every honeypot reflects the traffic conditions of its region and the decoy capability of the honeynet improves faster and more comprehensively. At the same time, on the basis of an in-depth analysis of industrial control protocols and industrial network architecture, the industrial control dynamic honeynet architecture is realized, the data collection capability of the honeynet is improved, more malicious traffic data can be captured, and data support is provided for network security analysis of industrial environments.
The invention not only handles the case in which several honeypots have the same activity by using the access count of the honeypots as the basis for dynamic adjustment, but also considers the weight of a single honeypot within the honeynet, defines the honeypot state and honeypot age, and proposes a dynamic adjustment method based on honeypot state. This improves the adjustment efficiency of the honeynet: different methods are selected to adjust the honeynet according to its scanning depth, the advantages of each sub-algorithm are fully used, and adaptability is better.
The system designs a strong rule matching algorithm on the basis of the Snort rule engine, a network intrusion detection/prevention system with multi-platform support, real-time traffic analysis and IP packet logging, and so realizes the forwarding of industrial control traffic data; it realizes a dynamic honeynet system based on Docker containers and improves the extensibility of the honeynet by deploying and adjusting honeypots with the dynamic adjustment algorithm.
Drawings
The above and further aspects and advantages of the present invention will become apparent from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
FIG. 1 is a schematic structural view of the present invention;
FIG. 2 shows the change in the decoy capability of the system on the 4sic traffic data set, using the algorithm of the present invention and two previous adjustment algorithms.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. It should be noted that the embodiments and features of the embodiments of the present application may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced in other ways than those specifically described herein, and therefore the scope of the present invention is not limited by the specific embodiments disclosed below.
The solution of some embodiments of the invention is described below with reference to fig. 1 and 2.
Example 1
The invention relates to a dynamic honeynet system based on traffic analysis, in particular an industrial control dynamic honeynet system based on threat intelligence traffic analysis and Docker containers. FIG. 1 is a schematic structural diagram of the present invention, and FIG. 2 shows the variation of the decoy capability of the honeynet on the 4sic (an industrial network security summit) traffic data set, using the algorithm of the present invention and two existing adjustment algorithms.
The invention aims to optimize the dynamic adjustment method of a honeynet and provides an industrial control dynamic honeynet system using Docker containers, together with a honeynet dynamic adjustment method based on traffic analysis. For ease of understanding, the technical implementation of the present invention and its features are explained below.
The dynamic honeynet arranges several industrial control honeypots in Docker containers to form a trapping environment, dynamically adjusts the honeypots on the basis of traffic analysis, attracts attackers into more scanning and attack activity, captures the traffic data and records attack logs, and on that basis performs behaviour analysis of malicious attackers and provides security alerts for the industrial control system. Following the design ideas of third-generation honeynet systems, and combining the architecture of an industrial control network with virtualization and Docker container technology, the invention designs and realizes an industrial control dynamic honeynet with dynamic adjustment capability and high extensibility.
According to the functional requirements and deployment mode of the dynamic honeynet, the system is divided and built as a three-layer structure: a deception environment layer, a data processing layer and a honeynet management layer.
Specifically:
the bottom layer is the deception environment layer, which realizes the deception environment of the dynamic honeynet, namely the protocol simulation;
the middle layer is the data processing layer, which realizes log collection and dynamic adjustment;
the upper layer is the honeynet management layer, which realizes the traffic forwarding service used during dynamic adjustment of the honeynet.
Implementation of the deception environment layer: the layer consists of several virtual honeypots implemented as Docker containers. Each container is allocated an IP address and a unique identification ID according to its protocol type, so that the honeynet management layer can manage the honeypots. Because Docker containers are lightweight, a large number of virtual honeypots can be deployed on one system without consuming too many resources, and the honeypots communicate with each other according to a pre-configured communication list to form a dynamic, constantly changing honeynet. The log files collected in each virtual honeypot are sent at fixed intervals to the log server of the processing layer, where the attack data is stored. When the environment is built, the Modbus/TCP and S7comm protocols are selected for the simulation environment, and communication in both protocols is realized on top of the TCP/IP stack: the client establishes a connection to the server with a TCP three-way handshake and then sends request messages; the server replies with a response PDU (protocol data unit) to each request, and the connection is closed when neither end has messages to send or when the client sends a close request. The honeypot first initializes, configuring basic information such as the size of the device memory, the device ID, the start address and the IP address; the server then opens a listening socket and waits until a request arrives from a client or a scanner. On receiving a request, it splits and parses the message according to the protocol and replies to it, while generating a log record throughout the honeypot's operation.
The honeypot device also monitors the port traffic while it runs.
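The request loop described here and in the corresponding claim above (initialize the device model, listen, parse each request by protocol, respond, log), as an added example for the Modbus/TCP honeypot; this is not the patent's code. The register block size, the unit ID and the handled function codes (0x03 Read Holding Registers and 0x06 Write Single Register, with the standard exception response for anything else) are assumptions, and the log path is assumed to be the in-container directory that the host bind-mounts under /var/logs in the log collection steps. The MBAP header layout (transaction id, protocol id, length, unit id) and the PDU encoding are the standard Modbus/TCP ones. The module can be imported for `ModbusDevice.handle` or run directly as a server:

```python
"""Minimal Modbus/TCP responder with per-request logging.

Added example, not the patent's code. Device model size, unit id and the
handled function codes are assumptions.
"""
import json
import socket
import struct
import time

ILLEGAL_FUNCTION = 0x01
ILLEGAL_DATA_ADDRESS = 0x02


class ModbusDevice:
    """Simulated PLC: a block of holding registers plus identity fields."""

    def __init__(self, unit_id=1, register_count=128, start_address=0):
        self.unit_id = unit_id
        self.start_address = start_address
        self.registers = [0] * register_count
        self.log = []  # one dict per handled frame, flushed to disk by serve()

    def _in_range(self, address, count):
        lo = self.start_address
        return lo <= address and address + count <= lo + len(self.registers)

    def handle(self, frame: bytes, peer: str = "0.0.0.0") -> bytes:
        """Parse one MBAP+PDU frame, update state and return the response frame
        (empty bytes means the frame was malformed and the connection should drop)."""
        if len(frame) < 8:
            self.log.append({"ts": time.time(), "peer": peer, "error": "short frame",
                             "raw": frame.hex()})
            return b""
        tid, pid, length, unit, func = struct.unpack(">HHHBB", frame[:8])
        data = frame[8:6 + length]
        entry = {"ts": time.time(), "peer": peer, "tid": tid, "unit": unit, "func": func}
        if pid != 0 or length != len(frame) - 6:
            entry["error"] = "bad MBAP header"
            self.log.append(entry)
            return b""
        if func == 0x03 and len(data) == 4:                    # Read Holding Registers
            addr, count = struct.unpack(">HH", data)
            if 1 <= count <= 125 and self._in_range(addr, count):
                off = addr - self.start_address
                regs = self.registers[off:off + count]
                pdu = struct.pack(">BB", func, 2 * count) + struct.pack(">%dH" % count, *regs)
            else:
                pdu = struct.pack(">BB", func | 0x80, ILLEGAL_DATA_ADDRESS)
        elif func == 0x06 and len(data) == 4:                  # Write Single Register
            addr, value = struct.unpack(">HH", data)
            if self._in_range(addr, 1):
                self.registers[addr - self.start_address] = value
                pdu = struct.pack(">B", func) + data           # success echoes the request
            else:
                pdu = struct.pack(">BB", func | 0x80, ILLEGAL_DATA_ADDRESS)
        else:
            # Unknown function: keep the raw bytes ("unknown fields the honeypot
            # cannot parse") and answer with the standard exception so a scanner
            # still sees a live device.
            entry["unparsed"] = data.hex()
            pdu = struct.pack(">BB", func | 0x80, ILLEGAL_FUNCTION)
        entry["response_func"] = pdu[0]
        self.log.append(entry)
        mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)
        return mbap + pdu


def serve(device, host="0.0.0.0", port=502, log_path="/var/log/honeypot/modbus.jsonl"):
    """Blocking accept loop. Logs stay inside the container at log_path; the host
    collects them through the bind mount rather than over the network."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, (peer, _) = srv.accept()
            with conn:
                while frame := conn.recv(260):                 # 260 = max Modbus/TCP ADU
                    reply = device.handle(frame, peer)
                    if not reply:
                        break                                  # malformed: drop like a real stack
                    conn.sendall(reply)
            with open(log_path, "a") as fh:
                for entry in device.log:
                    fh.write(json.dumps(entry) + "\n")
                device.log.clear()


if __name__ == "__main__":
    serve(ModbusDevice())
```

Port 502 needs CAP_NET_BIND_SERVICE or a Docker port mapping from a high port; the port mapping rules the Docker configuration module maintains are the natural place for that.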
The deception environment layer collects two kinds of data: all network traffic data passing through the honeypots, and the log data generated when a honeypot is attacked.
Implementation of the data processing layer: the data processing layer is responsible for processing the traffic data in the honeynet and parses it according to the type of industrial control protocol in the captured pcap packets; the parsed data is an important basis for dynamically adjusting the honeypots. The layer also provides the log service that collects the running information of the honeypots in the lower layer, specifically the basic information of attackers and scanners, the error information arising while the honeypots run, and the unknown fields the honeypots encountered but could not parse. The server stores the logs classified by type for subsequent attacker profiling.
In addition to the two kinds of data collected by the deception environment layer, the system state of each Docker container and the attacker's operations on it are captured with an open-source tool, in order to monitor the running state of each honeypot inside its container. To increase the concealment of the honeypots and the honeynet and to reduce abnormal communication between a single honeypot and the outside, log files are written inside the Docker container hosting the honeypot. The Docker container honeypots of the invention therefore collect logs through a directory mount: a log storage directory /var/logs is first created on the honeynet host, with one subdirectory per honeypot in the honeynet holding that honeypot's log data; each subdirectory is shared with the log directory inside the corresponding container by mounting it, so that when a virtual honeypot writes logs to the directory inside its container the honeynet host shares the files and thereby collects the virtual honeypot's logs. Finally, the honeynet host sends the log files collected from the honeynet to the log server for storage and further analysis.
The implementation of the honey comb management layer is as follows: the realization of the dynamic adjustment module provides a honey net state monitoring service and a flow forwarding service for the system; the dynamic adjustment module is the core of the whole dynamic honey net, the Docker configuration module is used for managing honey pots in a deception environment, and the management basis is honey net configuration generated by the dynamic adjustment module. In addition, the Docker configuration module is responsible for maintaining port mapping rules and network access rules of all honeypots, so that the security of a honey net environment is ensured, and the influence of an attacker on a host where the honey net is located is avoided. The dynamic adjustment service utilizes the analyzed industrial control protocol message to realize the honey net adjustment algorithm of the invention, and adjusts the honey net according to the real-time flow data of the honey net.
The whole adjustment method proceeds as follows:
Step 1: capture traffic data in the honeynet at a fixed time interval.
Step 2: take the packets exchanged with the honeynet nodes as the basic data of the model, group them by the source IP of the packet, and compute the access depth. The calculation formula is as follows:
where $|M_i|$ denotes the total number of packets from the same source IP address and $|M_i^{bp}|$ denotes the number of large packets received from that same source IP address.
Step 3: when the scanning depth is below a set threshold or the user-defined adjustment condition is met, define the age of a honeypot in three stages according to its visit volume: YOUNG (new honeypot), MATURE (mature honeypot) and OLD (old honeypot), and define the upper and lower age thresholds b and a of the YOUNG state;
Step 4: set the initial age of every honeypot after deployment of the honeynet to 1;
Step 5: perform packet-capture statistics and analysis on the honeynet traffic: rank the honeypots' visit volumes within each protocol;
Step 6: increase the age of the honeypot with the largest visit volume by 1 and decrease the age of the honeypot with the smallest visit volume by 1;
Step 7: update the age stage of the honeypots: a honeypot whose age is less than a enters the OLD stage, and one whose age is greater than b enters the MATURE stage;
Step 8: remove the honeypots in the OLD stage and record the IP addresses that are no longer in use;
Step 9: record the configuration of the honeypots in the MATURE stage and use it to generate new honeypots that are added to the honeynet with an initial age of 1;
Step 10: traverse the honeypot configuration files, modify, according to the record of removed IPs, the configuration of each honeypot that communicated with a removed IP, and add the IP of each new honeypot;
Step 12: when the scanning depth is greater than the set threshold or the user-defined adjustment condition is met, compute the decoy ability of the honeynet. The decoy ability represents the deceptive effect of the whole honeynet and is defined as follows: $D_i$ denotes the decoy ability of the honeynet at time $t_i$, a second term denotes the size of the packets captured by a single honeypot at time $t_i$, and a third term denotes the average size of the packets captured between $t_1$ and $t_i$;
Step 13: when the decoy ability falls to a set threshold, the honeynet adjusts the configuration of the honeypots according to the adjustment algorithm in order to improve the decoy ability:
Step 14: count the number of TCP connections and ICMP messages of each honeypot and their weights, and compute the activity of that honeypot; if the capture times are $T = \{t_1, t_2, \dots, t_n\}$, the activity of the honeypot at time $t_n$ is computed by the following formula;
Step 15: create two hash tables, PotActiveMap (honeypot activity table) and maxActiveMap (most active honeypot per protocol), to store the mapping from IP to activity and from protocol to activity, and fill PotActiveMap;
Step 16: update maxActiveMap, breaking ties in activity by selecting the honeypot with the largest number of TCP connections;
Step 17: traverse the honeypot configuration files, draw a random number for each honeypot and compare it with the adjustment degree ρ: when the random number is smaller than ρ, adjust the honeypot's configuration toward that of the most active honeypot and add the adjusted configuration file to the result set; otherwise add the original configuration file to the result set. Finally the new honeynet configuration file is obtained and returned.
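As an added worked example (not the patent's own implementation), the Python below carries steps 3 to 10 of the adjustment method through two capture intervals: honeypots start at age 1, the most- and least-visited honeypot of each protocol have their age raised or lowered by 1, an age below a moves a honeypot to OLD and an age above b to MATURE, OLD honeypots are removed and their IPs recorded, MATURE configurations are cloned into new age-1 honeypots, and every communication list is rewritten to drop removed IPs and include new ones. Two details are assumptions because the text does not settle them: a honeypot is cloned only in the interval in which it enters MATURE (otherwise a MATURE honeypot would spawn a clone every interval), and new IPs come from a caller-supplied pool. The thresholds a=1, b=2, the IPs and the visit counts in `demo` are constructed; the access-depth, decoy-ability and activity formulas of steps 2 and 12 to 17 are not written out on this page, so the example does not attempt them.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple

# Added example, not the patent's code. Age stages from step 3.
YOUNG, MATURE, OLD = "YOUNG", "MATURE", "OLD"


@dataclass
class Honeypot:
    ip: str
    proto: str                      # "modbus" or "s7comm"
    age: int = 1                    # step 4: initial age is 1
    stage: str = YOUNG
    peers: List[str] = field(default_factory=list)  # pre-configured communication list


class Honeynet:
    def __init__(self, a: int, b: int, pots: List[Honeypot], ip_pool: Iterator[str]):
        self.a, self.b = a, b       # lower / upper age thresholds of the YOUNG state
        self.pots: Dict[str, Honeypot] = {p.ip: p for p in pots}
        self.ip_pool = ip_pool      # assumption: free IPs handed to cloned honeypots

    def stage_of(self, age: int) -> str:
        # Step 7: below a -> OLD, above b -> MATURE, otherwise YOUNG.
        if age < self.a:
            return OLD
        if age > self.b:
            return MATURE
        return YOUNG

    def adjust(self, visits: Dict[str, int]) -> Dict[str, List[str]]:
        """One capture interval; `visits` maps honeypot IP -> packets seen (step 5 input)."""
        removed: List[str] = []
        added: List[str] = []
        # Steps 5-6: rank visit volume within each protocol; +1 for the busiest,
        # -1 for the quietest (a protocol with a single honeypot nets zero).
        for proto in {p.proto for p in self.pots.values()}:
            group = sorted((p for p in self.pots.values() if p.proto == proto),
                           key=lambda p: visits.get(p.ip, 0), reverse=True)
            group[0].age += 1
            group[-1].age -= 1
        # Step 7: update stages, remembering which honeypots just became MATURE.
        newly_mature: List[Honeypot] = []
        for p in self.pots.values():
            new_stage = self.stage_of(p.age)
            if new_stage == MATURE and p.stage != MATURE:
                newly_mature.append(p)
            p.stage = new_stage
        # Step 8: remove OLD honeypots and record their IPs.
        for p in [p for p in self.pots.values() if p.stage == OLD]:
            del self.pots[p.ip]
            removed.append(p.ip)
        # Step 9: clone the configuration of newly MATURE honeypots with age 1
        # (assumption: clone once on entering MATURE, not every interval).
        for src in newly_mature:
            clone = Honeypot(ip=next(self.ip_pool), proto=src.proto, peers=list(src.peers))
            self.pots[clone.ip] = clone
            added.append(clone.ip)
        # Step 10: rewrite communication lists: drop removed IPs, add new ones.
        for p in self.pots.values():
            p.peers = [ip for ip in p.peers if ip not in removed]
            p.peers += [ip for ip in added if ip != p.ip and ip not in p.peers]
        return {"removed": removed, "added": added}


def demo() -> Tuple[Honeynet, List[Dict[str, List[str]]]]:
    """Constructed two-interval scenario with a=1, b=2 (values are assumptions)."""
    pots = [
        Honeypot("10.0.0.1", "modbus", peers=["10.0.0.2", "10.0.0.3", "10.0.1.1"]),
        Honeypot("10.0.0.2", "modbus", peers=["10.0.0.1", "10.0.0.3"]),
        Honeypot("10.0.0.3", "modbus", peers=["10.0.0.1", "10.0.0.2"]),
        Honeypot("10.0.1.1", "s7comm", peers=["10.0.0.1"]),
    ]
    net = Honeynet(a=1, b=2, pots=pots, ip_pool=iter(["10.0.0.100", "10.0.0.101"]))
    intervals = [
        {"10.0.0.1": 50, "10.0.0.2": 2, "10.0.0.3": 10, "10.0.1.1": 7},
        {"10.0.0.1": 40, "10.0.0.3": 5, "10.0.1.1": 3},
    ]
    return net, [net.adjust(v) for v in intervals]
```

In the constructed run the quietest Modbus honeypot is retired after the first interval, and after the second the busiest one crosses b, is cloned to a fresh IP, and every surviving communication list is rewritten to point at the clone. Note that the algorithm as stated lets a MATURE honeypot fall back to YOUNG if it later loses visits, since step 7 is re-evaluated each interval.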
The honeynet state monitoring service supports the whole dynamic adjustment service: it computes the decoy ability of the honeynet, the visit volume and activity of each honeypot, and the scanning breadth and scanning depth, and so provides the basis for dynamic adjustment.
Before each dynamic adjustment, the parameters of the honeynet and the honeypots are first initialised, a honeynet type is chosen at random from the implemented industrial control honeynet types, and the honeynet is started from the Dockerfile (configuration file) corresponding to that type in order to capture traffic. On top of the deception environment, the traffic captured by the honeynet is analysed and a honeynet configuration file is generated according to the adjustment algorithm configured in the start-up stage; the Docker configuration management module then adjusts the Docker containers in the deception environment using the new configuration file. If the decoy ability of the honeynet still does not reach the threshold after the first adjustment, adjustment continues according to the algorithm until the decoy ability meets the specified threshold.
The traffic forwarding service forwards traffic with different characteristics, at the honeynet gateway of the management layer, to honeynets with different configurations and interaction levels, so that the attacker's communication with the honeynet goes deeper and more data is collected for the analysis that identifies malicious attackers. A front-end traffic analysis is performed first, mainly by a filter and a forwarder for attack traffic: the parsed traffic is matched and classified against the rule set defined below and then forwarded according to the matching result, so that different types of traffic enter different honeynets or honeypots, which improves the honeynet's ability to capture malicious traffic. In industrial control protocols, instructions that modify or write state are usually regarded as traffic of very high level and high risk; if the honeynet receives such traffic it is treated as data of high threat, and from the viewpoint of the honeynet's active defence, high-threat data is also usually high-value data that calls for further collection and analysis.
The traffic forwarding of the honeynet gateway is then optimised on the honeynet side: traffic with different characteristics is forwarded to honeynets with different configurations and interaction levels, so that the attacker's communication with the honeynet goes deeper and data is collected for the analysis of malicious attackers. The traffic forwarding mechanism of the industrial control honeynet implemented by the system performs, on top of Snort rule matching, a second filtering pass over the traffic with a policy engine, and forwards traffic with a specific structure to a particular honeynet for response according to the filtering result.
The policy engine consists of a rule set, a controller and a classifier. The rule set is defined by the honeynet administrator, who writes the characteristics of the traffic to be matched in a fixed format. Besides common rules on IP address, port number, size of the data part and so on, the rule set can contain, for each industrial control protocol, the protocol-specific function code fields that carry a higher threat together with their values. The classifier matches traffic data against the traffic characteristics in the rule set and forwards it according to the match. The controller coordinates the rule set and the classifier: it ensures the rule set is well-formed and calls iptables to forward traffic according to the classifier's matching result.
The industrial control honeynet rules in the invention match the higher-threat traffic that the industrial control protocols encapsulate in TCP. Rule matching outputs one of several rule actions, each defined by the function of the function code, and rule writing is simplified by using the field values parsed from the industrial control protocol. The action of a drop rule is to discard packets that match the rule and to reject all subsequent connection requests that match the same rule. This rule should be used with caution: frequent disconnections during the scanning and attack phases tend to make the attacker doubt the authenticity of the connection, which harms subsequent trapping. ftm2S7c forwards the current S7comm connection to a honeynet with a higher interaction level, while ftm1S7c forwards the S7comm connection to a normal medium-interaction honeynet environment. The second rule is triggered by most S7comm connections; it corresponds to a medium-interaction honeynet environment that generally only provides queries of basic information such as device type, number of coils and device model. The first rule is triggered when a function code with a larger threat is matched, so the connection must be handled by a honeynet that has a higher interaction level and more comprehensive security protection, and that is more likely to respond to that function code of the protocol.
The rule matching structure supports the following protocol types: because all industrial control honeypot protocols implemented so far are based on TCP, the only protocol type supported by rule matching is TCP. RTN and OTN denote the rule header and rule body respectively: the former specifies the basic information of the traffic the rule matches, such as IP address, port and direction of the data flow, and the latter mainly contains the matching content and alarm information, where the matching content can match specific fields in the protocol, which is the key to matching the Modbus TCP and S7comm protocols.
Rule matching algorithm: first read the pcap traffic data file and, for each message, judge whether the data part is valid. If the data part of the current message is valid, generate a matching rule according to the policy engine and return it. The specific matching method uses a deterministic finite automaton that reads the message one byte at a time, updating the current state status to the new state status' as it reads. If no state exists after reading a given byte, status' is set to FAIL. If the data part of the message successfully matches a forwarding rule, that rule is returned.
The basic flow of forwarding industrial control traffic is as follows:
when a connection is established between an external address and the honeynet, first judge whether the data part of the current connection is valid; if there is no valid payload, the connection is forwarded directly to the low-interaction honeynet environment. Otherwise the data part of the connection is parsed and matched against the rules by the policy engine, and the controller forwards according to the result: if the match is drop (discard rule) and the number of rejected connections from the same IP is below a threshold, the connection is closed immediately, the communication ends, the source IP is recorded and its disconnection count is incremented; if the number of rejections from the same IP exceeds the threshold, the traffic from that IP is diverted to a low-interaction honeynet environment, so that the IP has less chance of identifying the honeynet from the pattern of refused connections; if the matching result is ftm2proc (forward to a honeynet with a higher interaction level) or ftm1proc (forward to a honeynet with a medium interaction level), the traffic is forwarded to a honeynet of the corresponding interaction level according to the function code of the connection.
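An added example (not the patent's policy engine) of the matching and forwarding flow described above, in Python. The rule set, the byte offsets and the sample frames are constructed: a rule names the destination port (rule header), an offset into the TCP payload and the byte pattern to match there (rule body), and an action. The patterns are compiled into a trie that is walked one byte at a time as a deterministic automaton, a missing transition being the FAIL state. The controller applies the decisions from the text: no valid payload goes to the low-interaction honeynet, drop closes the connection and counts the rejection per source IP until a threshold is reached, after which that IP is diverted to low interaction, and ftm1/ftm2 select medium or high interaction. The Modbus function code is the byte after the 7-byte MBAP header; the S7comm function code of a Job PDU is assumed to sit at payload offset 17 (4-byte TPKT, 3-byte COTP data header, 10-byte S7 header). Routing a valid but unmatched payload to low interaction is also an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not the patent's code. Forwarding targets and rule actions.
LOW, MEDIUM, HIGH, CLOSE = "low-interaction", "medium-interaction", "high-interaction", "close"
DROP, FTM1, FTM2 = "drop", "ftm1", "ftm2"
MODBUS_PORT, S7_PORT = 502, 102
MODBUS_FC_OFFSET = 7      # function code follows the 7-byte MBAP header
S7_FC_OFFSET = 17         # assumption: TPKT(4) + COTP DT(3) + S7 Job header(10)


@dataclass(frozen=True)
class Rule:
    name: str        # e.g. ftm2S7c
    dst_port: int    # rule header: which protocol/port the rule applies to
    offset: int      # rule body: payload offset where the pattern starts
    pattern: bytes   # rule body: bytes matched one at a time
    action: str


# Constructed rule set. Write/modify operations are high threat (ftm2), reads
# are ordinary (ftm1); a Modbus 'force listen only mode' diagnostic (FC 0x08,
# sub-function 0x0004) is dropped because answering it would silence the device.
RULES = [
    Rule("dropMbListen", MODBUS_PORT, MODBUS_FC_OFFSET, b"\x08\x00\x04", DROP),
    Rule("ftm2MbWrite6", MODBUS_PORT, MODBUS_FC_OFFSET, b"\x06", FTM2),
    Rule("ftm2MbWrite16", MODBUS_PORT, MODBUS_FC_OFFSET, b"\x10", FTM2),
    Rule("ftm1MbRead3", MODBUS_PORT, MODBUS_FC_OFFSET, b"\x03", FTM1),
    Rule("ftm2S7c", S7_PORT, S7_FC_OFFSET, b"\x05", FTM2),   # S7 write var
    Rule("ftm1S7c", S7_PORT, S7_FC_OFFSET, b"\x04", FTM1),   # S7 read var
]


class Classifier:
    """One trie per (port, offset); walking it byte by byte is the automaton of the text."""

    def __init__(self, rules: List[Rule]):
        self.dfa: Dict[Tuple[int, int], dict] = {}
        for r in rules:
            status = self.dfa.setdefault((r.dst_port, r.offset), {})
            for byte in r.pattern:
                status = status.setdefault(byte, {})
            status[None] = r          # accepting state carries the rule

    def match(self, dst_port: int, payload: bytes) -> Optional[Rule]:
        best: Optional[Rule] = None
        for (port, offset), root in self.dfa.items():
            if port != dst_port:
                continue
            status = root
            for byte in payload[offset:]:
                status = status.get(byte)      # no transition == FAIL
                if status is None:
                    break
                rule = status.get(None)
                if rule and (best is None or len(rule.pattern) > len(best.pattern)):
                    best = rule                # longest matched pattern wins
        return best


def valid_payload(dst_port: int, payload: bytes) -> bool:
    """Validity check on the data part, done before any rule is consulted."""
    if dst_port == MODBUS_PORT:
        # MBAP protocol id must be 0 and at least one PDU byte must be present
        return len(payload) > MODBUS_FC_OFFSET and payload[2:4] == b"\x00\x00"
    if dst_port == S7_PORT:
        # TPKT version 3, S7 protocol id 0x32 after TPKT+COTP, and a function byte
        return len(payload) > S7_FC_OFFSET and payload[0] == 0x03 and payload[7] == 0x32
    return False


class Controller:
    def __init__(self, rules: List[Rule], reject_threshold: int = 3):
        self.classifier = Classifier(rules)
        self.threshold = reject_threshold
        self.rejections: Dict[str, int] = {}   # source IP -> connections closed so far

    def decide(self, src_ip: str, dst_port: int, payload: bytes) -> str:
        if not valid_payload(dst_port, payload):
            return LOW
        rule = self.classifier.match(dst_port, payload)
        if rule is None:
            return LOW                          # assumption: unmatched traffic is treated as scanning
        if rule.action == DROP:
            if self.rejections.get(src_ip, 0) < self.threshold:
                self.rejections[src_ip] = self.rejections.get(src_ip, 0) + 1
                return CLOSE
            return LOW                          # stop disconnecting a persistent IP
        return HIGH if rule.action == FTM2 else MEDIUM
```

The controller only returns a target; in the patent the actual redirection is done by iptables, so the string returned here would be mapped to a DNAT rule for that connection. The longest-match tie-break matters once a drop rule shares its first byte with a forwarding rule (as the 0x08 diagnostic could with a future rule on other 0x08 sub-functions).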
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.
Claims (10)
1. A dynamic honeynet system based on traffic analysis, characterized in that: it is divided into and built as a three-layer structure comprising a deception environment layer, a data processing layer and a honeynet management layer.
2. The dynamic honeynet system based on traffic analysis as claimed in claim 1, wherein: the deception environment layer is the bottom layer, the data processing layer is the middle layer, and the honeynet management layer is the upper layer.
3. The dynamic honeynet system based on traffic analysis as claimed in claim 1, wherein: the deception environment layer is the deception environment implementation of the dynamic honeynet, namely the simulation of a protocol; the data processing layer implements the functions of log collection and dynamic adjustment; and the honeynet management layer implements the traffic forwarding service in the dynamic adjustment process of the honeynet.
4. The dynamic honeynet system based on traffic analysis as claimed in claim 1, wherein: the deception environment layer comprises a plurality of virtual honeypots each running in a Docker container; each honeypot Docker container is assigned an IP address and a unique identifier according to its protocol type and is managed from the honeynet management layer; the honeypots communicate with each other according to a pre-configured communication list to form a dynamic, constantly changing honeynet;
the log files collected in each virtual honeypot are sent to the log server of the processing layer at fixed intervals to store the attack data; during construction, the Modbus TCP and S7comm protocols are selected as the simulation environment, and communication over both protocols is realised on the TCP/IP protocol stack, the basic process being that the client establishes a connection with the server by a TCP three-way handshake, sends a request message after connection, and the server replies with a response PDU (protocol data unit), until no further message exists at either end or the client closes the connection by sending a close request; the honeypot first initialises, configuring basic information such as the size of the device memory, the device ID, the start address and the IP address; the server side then opens the listening socket and enters a waiting state until a request from a client or a scanner is received; after receiving the request, the message is split and parsed according to the protocol, the corresponding request is answered, and log records are generated throughout the honeypot's operation; and the port traffic is monitored while the honeypot device runs.
5. The dynamic honeynet system based on traffic analysis as claimed in claim 1, wherein: the data processing layer is responsible for processing the traffic data in the honeynet and parsing it according to the industrial control protocol type in the captured pcap packets; the data processing layer also provides a log service that collects the running information of the honeypots in the lower layer, specifically basic information about attackers and scanners, errors generated while a honeypot runs, and unknown fields the honeypot encountered but could not parse; and the server stores the logs classified by type for subsequent attacker profiling.
6. The dynamic honeynet system based on traffic analysis as claimed in claim 1, wherein: the Docker containers collect logs through a directory mount, comprising the following steps:
step (1): create a log storage directory /var/logs on the honeynet host, the directory containing a plurality of subdirectories for storing the log data of each honeypot in the honeynet, each subdirectory being shared with the log directory inside the corresponding container by mounting; when a virtual honeypot writes logs into the directory inside the container, the honeynet host shares the files, so that the honeynet host collects the logs of the virtual honeypot;
step (2): the honeynet host sends the log files it has collected from the honeynet to a log server for storage and further analysis.
7. The dynamic honeynet system based on traffic analysis as claimed in claim 1, wherein: the implementation of the honeynet management layer, namely the implementation of dynamic adjustment, comprises a honeynet state monitoring service and a traffic forwarding service; the dynamic adjustment module is the core of the whole dynamic honeynet, the Docker configuration module manages the honeypots in the deception environment, and the basis of that management is the honeynet configuration generated by the dynamic adjustment module; the Docker configuration module is responsible for maintaining the port mapping rules and the network access rules of all honeypots; and the dynamic adjustment service implements a honeynet adjustment algorithm using the parsed industrial control protocol messages and adjusts the honeynet according to its real-time traffic data.
8. The dynamic honeynet system based on traffic analysis as claimed in claim 7, wherein: the adjustment process comprises the following steps:
step 1, capture traffic data in the honeynet at a fixed time interval;
step 2, take the packets exchanged with the honeynet nodes as the basic data of the model, group them by the source IP of the packet, and compute the access depth; the calculation formula is as follows:
where $|M_i|$ represents the total number of packets from the same source IP address, and $|M_i^{bp}|$ represents the number of large packets received from the same source IP address;
step 3, when the scanning depth is below a set threshold or the user-defined adjustment condition is met, define the age of a honeypot in three stages according to its visit volume: YOUNG, MATURE and OLD, and define the upper and lower age thresholds b and a of the YOUNG state;
step 4, set the initial age of every honeypot after deployment of the honeynet to 1;
step 5, perform packet-capture statistics and analysis on the honeynet traffic: rank the honeypots' visit volumes within each protocol;
step 6, increase the age of the honeypot with the largest visit volume by 1 and decrease the age of the honeypot with the smallest visit volume by 1;
step 7, update the age stage of the honeypots: a honeypot whose age is less than a enters the OLD stage, and one whose age is greater than b enters the MATURE stage;
step 8, remove the honeypots in the OLD stage and record the IP addresses that are no longer in use;
step 9, record the configuration of the honeypots in the MATURE stage and use it to generate new honeypots that are added to the honeynet with an initial age of 1;
step 10, traverse the honeypot configuration files, modify, according to the record of removed IPs, the configuration of each honeypot that communicated with a removed IP, and add the IP of each new honeypot;
step 12, when the scanning depth is greater than the set threshold or the user-defined adjustment condition is met, compute the decoy ability of the honeynet; the decoy ability represents the deceptive effect of the whole honeynet and is defined as follows: $D_i$ denotes the decoy ability of the honeynet at time $t_i$, a second term denotes the size of the packets captured by a single honeypot at time $t_i$, and a third term denotes the average size of the packets captured between $t_1$ and $t_i$;
step 13, when the decoy ability falls to a set threshold, the honeynet adjusts the configuration of the honeypots according to the adjustment algorithm in order to improve the decoy ability:
step 14, count the number of TCP connections and ICMP messages of each honeypot and their weights, and compute the activity of that honeypot; if the capture times are $T = \{t_1, t_2, \dots, t_n\}$, the activity of the honeypot at time $t_n$ is computed by the following formula;
step 15, create two hash tables, PotActiveMap and maxActiveMap, to store the mapping from IP to activity and the mapping from protocol to activity, and fill PotActiveMap;
step 16, update maxActiveMap, breaking ties in activity by selecting the honeypot with the largest number of TCP connections;
step 17, traverse the honeypot configuration files, draw a random number for each honeypot and compare it with the adjustment degree ρ: when the random number is smaller than ρ, adjust according to the configuration of the most active honeypot and add the adjusted configuration file to the result set; otherwise add the original configuration file to the result set; finally obtain and return the new honeynet configuration file.
9. The dynamic honeynet system based on traffic analysis as claimed in claim 7, wherein: the honeynet state monitoring service supports the whole dynamic adjustment service and computes the decoy ability of the honeynet, the visit volume and activity of each honeypot, and the scanning breadth and scanning depth; the traffic forwarding service forwards traffic, at the honeynet gateway of the management layer, to a specific honeynet environment or honeypot so that specific traffic data is answered.
10. The dynamic honeynet system based on traffic analysis as claimed in claim 7, wherein: the traffic forwarding service performs, on top of Snort rule matching, a second filtering pass over the traffic data with a policy engine and, according to the filtering result, forwards traffic data with a specific structure to a particular honeynet for response; first, a front-end traffic analysis classifies the traffic entering the honeynet at the honeynet gateway according to the rules, so that different types of traffic enter different honeynets or honeypots; the front-end traffic analysis filters and forwards attack traffic, matches the parsed traffic data against a defined rule set and forwards the traffic according to the matching result; second, the traffic forwarding of the honeynet gateway is optimised on the honeynet side, and traffic with different characteristics is forwarded to honeynets with different configurations and interaction levels, so that the attacker's communication with the honeynet goes deeper and data is collected for the analysis of malicious attackers;
the policy engine comprises a rule set, a controller and a classifier;
the rule set is written by the honeynet administrator with the characteristics of the traffic to be matched, comprising: rules on IP address, port number and size of the data part, and the threatening function code fields specific to an industrial control protocol together with their values;
the controller coordinates the rule set and the classifier, ensures the format of the rule set is correct, and calls iptables to forward traffic according to the classifier's matching result;
the classifier matches the traffic data against the traffic characteristics in the rule set and forwards the traffic data according to the matching result;
the rule matching of the industrial control honeynet targets the high-threat traffic data that the industrial control protocols encapsulate in TCP; the rule matching finally outputs one of several rule actions, each rule action being defined by the function of the function code, and the writing of the rules is simplified according to the field values parsed from the industrial control protocol; the action of the drop rule is to discard the packets that match the rule and reject all subsequent connection requests that match the same rule; ftm2S7c forwards the current S7comm protocol connection to a honeynet with a higher interaction level; ftm1S7c forwards the S7comm connection to the normal medium-interaction honeynet environment; the second rule is triggered by most S7comm connections and corresponds to a medium-interaction honeynet environment that generally only provides queries of basic information such as device type, number of coils and device model; the first rule is triggered when a function code with a larger threat is matched, so the connection is handled by a honeynet with a higher interaction level and more comprehensive security protection that responds to that function code of the protocol;
the rule matching algorithm is as follows: first read the pcap traffic data file and judge the validity of the data part of each message; if the data part of the current message is valid, generate a matching rule according to the policy engine and return it; a deterministic finite automaton reads one byte of the message at a time and updates the current state status to status' as it reads; if no state exists after reading a given byte, status' is set to FAIL; if the data part of the message successfully matches a forwarding rule, that rule is returned;
the basic flow of traffic forwarding is as follows: when a connection is established between an external address and the honeynet, first judge whether the data part of the current connection is valid; if there is no valid payload, forward the connection directly to the low-interaction honeynet environment; otherwise parse the data part of the connection and match the rules with the policy engine, the controller forwarding according to the matching result: if the match is drop and the number of rejected connections from the same IP is below the threshold, close the connection immediately, end the communication, record the source IP and increment its disconnection count; if the number of rejections from the same IP exceeds the threshold, divert the traffic from that IP to a low-interaction honeynet environment; and if the matching result is ftm2proc or ftm1proc, forward the traffic to a honeynet of the corresponding interaction level according to the function code of the connection.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110437933.7A CN113328992B (en) | 2021-04-23 | 2021-04-23 | Dynamic honey net system based on flow analysis |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113328992A true CN113328992A (en) | 2021-08-31 |
CN113328992B CN113328992B (en) | 2023-03-24 |
Family
ID=77413606
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110437933.7A Active CN113328992B (en) | 2021-04-23 | 2021-04-23 | Dynamic honey net system based on flow analysis |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113328992B (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114143068A (en) * | 2021-11-25 | 2022-03-04 | 广东电网有限责任公司 | Electric power internet of things gateway equipment container safety protection system and method thereof |
CN114285660A (en) * | 2021-12-28 | 2022-04-05 | 赛尔网络有限公司 | Method, device, equipment and medium for deploying honeynets |
CN114422490A (en) * | 2021-11-16 | 2022-04-29 | 云南电网有限责任公司信息中心 | Numerical control drainage method and system based on openness |
CN114666096A (en) * | 2022-02-24 | 2022-06-24 | 中国人民解放军国防科技大学 | Intelligent honey net system based on dynamic service chain and implementation method thereof |
CN114978731A (en) * | 2022-05-30 | 2022-08-30 | 北京计算机技术及应用研究所 | Honey trapping implementation system and method based on diversity expansion |
CN114978768A (en) * | 2022-07-13 | 2022-08-30 | 上海大学 | Conpot-based networked control system honeypot and implementation method |
CN114978767A (en) * | 2022-07-05 | 2022-08-30 | 云南电网有限责任公司 | Centralized monitoring system based on multisource honeypots |
CN115174270A (en) * | 2022-09-05 | 2022-10-11 | 杭州安恒信息技术股份有限公司 | Behavior abnormity detection method, device, equipment and medium |
CN116029876A (en) * | 2023-03-21 | 2023-04-28 | 浙江之科智慧科技有限公司 | Intelligent campus integrated management device and method |
CN118032327A (en) * | 2024-04-15 | 2024-05-14 | 山东能源数智云科技有限公司 | Equipment intelligent lubrication monitoring method and device based on artificial intelligence |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106850690A (en) * | 2017-03-30 | 2017-06-13 | 国家电网公司 | Honeypot construction method and system |
CN107770199A (en) * | 2017-12-08 | 2018-03-06 | 东北大学 | Industrial control protocol honeypot with self-learning function for the industrial internet, and its application |
CN107979562A (en) * | 2016-10-21 | 2018-05-01 | 北京计算机技术及应用研究所 | Hybrid honeypot dynamic deployment system based on a cloud platform |
CN109088901A (en) * | 2018-10-31 | 2018-12-25 | 杭州默安科技有限公司 | Deception defense method and system based on dynamic networks built with SDN |
CN109889488A (en) * | 2018-12-29 | 2019-06-14 | 江苏博智软件科技股份有限公司 | Industrial control network honeynet security protection system based on cloud deployment |
CN112182564A (en) * | 2020-08-20 | 2021-01-05 | 东北大学 | Industrial control honeypot interaction system based on time series prediction |
CN112578761A (en) * | 2021-02-03 | 2021-03-30 | 山东云天安全技术有限公司 | Industrial control honey pot safety protection device and method |
US20210203696A1 (en) * | 2019-03-28 | 2021-07-01 | Rapid7, Inc. | Dynamic management of deception systems |
Events
- 2021-04-23: CN application CN202110437933.7A, patent CN113328992B, status Active
Non-Patent Citations (2)
Title |
---|
HAIFENG WANG: "Dynamic Deploying Distributed Low-interaction Honeynet", 《JOURNAL OF COMPUTERS》 * |
Wang Haifeng (王海峰): "Research on an intelligent dynamic deployment algorithm for honeynets", Application Research of Computers (计算机应用研究) * |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114422490A (en) * | 2021-11-16 | 2022-04-29 | 云南电网有限责任公司信息中心 | Numerical control drainage method and system based on openness |
CN114143068B (en) * | 2021-11-25 | 2024-03-01 | 广东电网有限责任公司 | Electric power internet of things gateway equipment container safety protection system and method thereof |
CN114143068A (en) * | 2021-11-25 | 2022-03-04 | 广东电网有限责任公司 | Electric power internet of things gateway equipment container safety protection system and method thereof |
CN114285660B (en) * | 2021-12-28 | 2023-11-07 | 赛尔网络有限公司 | Honey net deployment method, device, equipment and medium |
CN114285660A (en) * | 2021-12-28 | 2022-04-05 | 赛尔网络有限公司 | Method, device, equipment and medium for deploying honeynets |
CN114666096A (en) * | 2022-02-24 | 2022-06-24 | 中国人民解放军国防科技大学 | Intelligent honey net system based on dynamic service chain and implementation method thereof |
CN114978731A (en) * | 2022-05-30 | 2022-08-30 | 北京计算机技术及应用研究所 | Honey trapping implementation system and method based on diversity expansion |
CN114978767A (en) * | 2022-07-05 | 2022-08-30 | 云南电网有限责任公司 | Centralized monitoring system based on multisource honeypots |
CN114978768A (en) * | 2022-07-13 | 2022-08-30 | 上海大学 | Conpot-based networked control system honeypot and implementation method |
CN115174270B (en) * | 2022-09-05 | 2022-11-29 | 杭州安恒信息技术股份有限公司 | Behavior abnormity detection method, device, equipment and medium |
CN115174270A (en) * | 2022-09-05 | 2022-10-11 | 杭州安恒信息技术股份有限公司 | Behavior abnormity detection method, device, equipment and medium |
CN116029876A (en) * | 2023-03-21 | 2023-04-28 | 浙江之科智慧科技有限公司 | Intelligent campus integrated management device and method |
CN116029876B (en) * | 2023-03-21 | 2023-06-23 | 浙江之科智慧科技有限公司 | Intelligent campus integrated management device and method |
CN118032327A (en) * | 2024-04-15 | 2024-05-14 | 山东能源数智云科技有限公司 | Equipment intelligent lubrication monitoring method and device based on artificial intelligence |
CN118032327B (en) * | 2024-04-15 | 2024-07-23 | 山东能源数智云科技有限公司 | Equipment intelligent lubrication monitoring method and device based on artificial intelligence |
Also Published As
Publication number | Publication date |
---|---|
CN113328992B (en) | 2023-03-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |