CN113328992B - Dynamic honeynet system based on traffic analysis - Google Patents

Dynamic honeynet system based on traffic analysis

Info

Publication number
CN113328992B
Authority
CN
China
Prior art keywords
honeypot
traffic
honeynet
data
Legal status
Active
Application number
CN202110437933.7A
Other languages
Chinese (zh)
Other versions
CN113328992A (en)
Inventor
李桐
刘一涛
刘刚
单垚
王刚
周小明
宋进良
李凤来
姚羽
刘扬
王磊
李广翱
杨巍
刘莹
陈得丰
杨智斌
耿洪碧
任帅
陈剑
李欢
张彬
王琛
佟昊松
孙茜
孙赫阳
何立帅
赵玲玲
李菁菁
姜力行
杨滢璇
范维
杨璐羽
刘芮彤
Current Assignee
State Grid Liaoning Electric Power Co Ltd
Electric Power Research Institute of State Grid Liaoning Electric Power Co Ltd
Original Assignee
State Grid Liaoning Electric Power Co Ltd
Electric Power Research Institute of State Grid Liaoning Electric Power Co Ltd
Application CN202110437933.7A filed by State Grid Liaoning Electric Power Co Ltd and Electric Power Research Institute of State Grid Liaoning Electric Power Co Ltd
Priority to CN202110437933.7A
Publication of CN113328992A
Application granted
Publication of CN113328992B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of industrial control network security and relates to a dynamic honeynet system based on traffic analysis, in particular to an industrial control dynamic honeynet built from Docker containers together with a method for dynamically adjusting the honeynet on the basis of traffic analysis. The system comprises a deception environment layer, a data processing layer and a honeynet management layer. When the interaction depth of the honeynet is high, the activity of the honeypots in each subnet can be raised at low iteration cost; when the interaction depth is low, an adjustment method based on honeypot state ranks the honeypots by access count and uses a honeypot age to replace the most and least active honeypots, so that each honeypot reflects the traffic conditions of its region and the luring capability of the honeynet is improved more quickly and comprehensively. The invention realises an industrial control dynamic honeynet architecture, improves the data collection capacity of the honeynet, captures more malicious traffic data and provides data support for network security analysis of industrial environments.

Description

Dynamic honeynet system based on traffic analysis
Technical Field
The invention belongs to the technical field of industrial control network security and relates to a dynamic honeynet system based on traffic analysis, in particular to an industrial control dynamic honeynet built from Docker containers together with a method for dynamically adjusting the honeynet on the basis of traffic analysis.
Background
In recent years, the demand of industrial control systems for intelligent and automated control has required the introduction of network communication modes and technologies. More and more industrial systems use general-purpose software and hardware together with network facilities and are integrated with enterprise management information systems, so industrial control networks are becoming increasingly open. Traditional enterprises in industrial production have concentrated their investment on production technology; investment in industrial control security has been small, and some enterprises pay no attention to the protection of their industrial systems at all. These factors offer network attackers a good opportunity.
Compared with traditional network security, industrial control network security must guarantee production efficiency and network security at the same time, and security schemes from traditional networks are difficult to implement in an industrial control network. Because of the constraints of the industrial environment, honeypot technology has found wide use and good development in industrial control security. Honeynet technology arose to make honeypots more deceptive: a honeynet comprises a plurality of honeypots that communicate with each other and form an independently operating, large-scale false service system, in which part of the service logic simulates real services while other services run false services. Once started, the system has a high deception capability, so that an attacker displays more attack behaviour within it.
The configuration file of a traditional static honeynet is fixed before start-up and does not change during operation. It lacks flexibility and replies with the same parameter information in every interaction with an attacker, which easily arouses the attacker's suspicion; the attacker then refuses to communicate with the honeynet, and the honeynet loses its value.
For this reason, dynamic deployment and configuration of honeynets is gradually becoming mainstream, and optimising the dynamic adjustment method of the honeynet has become a trend.
Disclosure of Invention
In view of the defects of the prior art, the invention provides a dynamic honeynet system based on traffic analysis, with the aim of optimising the dynamic adjustment of the honeynet.
The technical scheme adopted by the invention to achieve this purpose is as follows:
A dynamic honeynet system based on traffic analysis is divided and built according to a three-layer structure, characterised in that the three layers are a deception environment layer, a data processing layer and a honeynet management layer.
Further, the deception environment layer is the bottom layer, the data processing layer is the middle layer and the honeynet management layer is the upper layer.
Further, the deception environment layer realises the deception environment of the dynamic honeynet, namely the simulation of the protocols; the data processing layer realises log collection and dynamic adjustment; the honeynet management layer realises the traffic forwarding service used during the dynamic adjustment of the honeynet.
Further, the deception environment layer comprises a plurality of virtual honeypots running in Docker containers. Each honeypot container is allocated an IP address and a unique identifier (ID) according to its protocol type, by which the honeynet management layer manages the honeypots; the honeypots communicate with each other according to a pre-configured communication list and thereby form a dynamic, constantly changing honeynet.
The log files collected in each virtual honeypot are sent at fixed intervals to the log server of the processing layer, where the attack data are stored. In this construction, Modbus TCP and S7comm are selected as the multi-protocol simulation environment, and communication over both protocols is implemented on the TCP/IP protocol stack. The basic communication process is that the client establishes a connection with the server by the TCP three-way handshake and then sends request messages, to each of which the server replies with a response PDU (protocol data unit), until neither end has further messages or the client sends a close request and the connection is closed. The honeypot first initialises, configuring basic information such as the size of the device memory, the device ID, the start address and the IP address; the server then opens a listening socket and waits until a request arrives from a client or a scanner. After a request is received, the message is split and parsed according to the protocol and the corresponding response is returned; a log record is generated throughout the operation of the honeypot, and the port traffic of the honeypot device is monitored while it runs.
Further, the data processing layer is responsible for processing the traffic data in the honeynet and parses the traffic data according to the type of industrial control protocol found in the captured pcap packets. The data processing layer also provides a log service for collecting the running information of the honeypots in the lower layer, which specifically comprises basic information about attackers and scanners, error information produced while the honeypots run, and unknown fields that the honeypots encounter and cannot parse; the server stores the logs classified by type for subsequent attacker profiling.
Further, log collection is performed by the Docker containers in a directory mount manner and comprises the following steps:
step (1): a log storage directory /var/constants is created on the honeynet host; it contains a plurality of subdirectories, one per honeypot in the honeynet, which are shared with the log directory inside each container by mounting. When a virtual honeypot writes logs into the directory inside its container, the files are visible on the honeynet host, so that the host collects the logs of the virtual honeypot;
step (2): the honeynet host sends the log files it has collected from the honeynet to the log server for storage and further analysis.
Further, the honeynet management layer, which implements the dynamic adjustment, comprises a honeynet state monitoring service and a traffic forwarding service. The dynamic adjustment module is the core of the whole dynamic honeynet; the Docker configuration module manages the honeypots in the deception environment on the basis of the honeynet configuration generated by the dynamic adjustment module, and is responsible for maintaining the port mapping rules and network access rules of all honeypots. The dynamic adjustment service realises the honeynet adjustment algorithm on the parsed industrial control protocol messages and adjusts the honeynet according to its real-time traffic data.
Further, the adjustment process comprises the following steps:
step 1: traffic data in the honeynet are captured at a fixed time interval;
step 2: the packets exchanged with the honeynet nodes are taken as the basic data of the model, the source IP of each packet is the statistical unit, and the access depth is calculated by the following formula:
[access depth formula; the page shows it only as an image]
where |M_i| denotes the total number of packets from the same source IP address and |M_i^bp| denotes the number of large packets received from that source IP address;
step 3: when the scanning depth is below a set threshold, or a user-defined adjustment criterion is met, the age of a honeypot is defined in three stages according to its access count, YOUNG, MATURE and OLD, and the upper and lower age thresholds b and a of the YOUNG state are defined;
step 4: after deployment of the honeynet the initial age of every honeypot is set to 1;
step 5: the captured traffic of the honeynet is analysed statistically and the honeypots of the same protocol are sorted by access count;
step 6: the age of the honeypot with the largest access count is increased by 1 and the age of the honeypot with the smallest access count is decreased by 1;
step 7: the age stage of the honeypots is updated: a honeypot whose age is less than a enters the OLD stage and a honeypot whose age is greater than b enters the MATURE stage;
step 8: honeypots in the OLD stage are removed and their IP addresses, which are no longer used, are recorded;
step 9: the configuration of each honeypot in the MATURE stage is recorded and used to generate a new honeypot, with initial age 1, which is added to the honeynet;
step 10: the configuration files of the honeypots are traversed; according to the record of removed IPs, the configuration of every honeypot that interacted with a removed IP is modified, and the IP of the new honeypot is added;
step 12: when the scanning depth is above the set threshold, or a user-defined adjustment criterion is met, the luring capability of the honeynet, which represents the deceptive effect of the whole honeynet, is calculated. D_i denotes the luring capability of the honeynet at time t_i; a second quantity (shown on the page only as an image) denotes the size of the packets captured by a single honeypot at time t_i, and a third denotes the average size of the packets captured between t_1 and t_i:
[luring capability formula for D_i; the page shows it only as an image]
step 13: when the luring capability has fallen to a set threshold, the honeynet adjusts the configuration of the honeypots by the adjustment algorithm in order to raise the luring capability:
step 14: the number of TCP connections and of ICMP messages of each honeypot and their weights are counted, and the activity of the honeypot is calculated; if the traffic capture times are T = t_1, t_2, ..., t_n, the activity of the honeypot at time t_n is calculated by the following formula:
[activity formula; the page shows it only as an image]
step 15: two hash tables, potActiveMap and maxActiveMap, are created to store the correspondence between IP and activity and between protocol and activity respectively, and potActiveMap is filled;
step 16: maxActiveMap is updated; among honeypots with equal activity, the one with the largest number of TCP connections is selected;
step 17: the configuration files of the honeypots are traversed and, for each honeypot, a random number is compared with the alignment degree ρ: when the random number is smaller than ρ, the honeypot is adjusted according to the configuration of the honeypot with the highest activity and the adjusted configuration file is added to the result set; otherwise the original configuration file is added to the result set. Finally the new honeynet configuration file is obtained and returned.
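The two branches of the adjustment procedure (age-based for shallow scans, activity-based for deep scans) as one runnable sketch. This is an added example, not code from the patent or its assignee: the page gives the access-depth, luring-capability and activity formulas only as images, so each is replaced here by a simple assumed form that is labelled in the code, and the thresholds a, b, ρ, the packet-size cutoff, the TCP/ICMP weights and the sample honeynet are all constructed for the example.

```python
"""Hypothetical implementation of the two-branch honeynet adjustment of steps 1-17.
Not the patent's own code: the formulas the page shows only as images (access depth,
luring capability D_i, activity) are replaced by the simple assumed forms noted at
each function, and all thresholds, weights and sample data are constructed."""
import copy
import random
from collections import defaultdict

AGE_LOWER, AGE_UPPER = 0, 3     # a, b: a honeypot is YOUNG while a <= age <= b (assumed)
LARGE_PACKET_BYTES = 100        # assumed size from which a packet counts toward |M_i^bp|
W_TCP, W_ICMP = 1.0, 0.5        # assumed weights of TCP connections and ICMP messages


def scan_depth(packets):
    """Assumed access-depth formula: mean over source IPs of |M_i^bp| / |M_i|."""
    total, large = defaultdict(int), defaultdict(int)
    for ip, size in packets:                      # packets: iterable of (src_ip, size)
        total[ip] += 1
        large[ip] += size >= LARGE_PACKET_BYTES
    return sum(large[ip] / total[ip] for ip in total) / len(total) if total else 0.0


def adjust_by_age(pots, accesses, next_ip):
    """Steps 3-10. pots: dicts with id, ip, protocol, age, config, peers;
    accesses: {pot_id: access count}; next_ip(): hands out an unused IP."""
    pots = copy.deepcopy(pots)
    groups = defaultdict(list)
    for p in pots:
        groups[p["protocol"]].append(p)
    for group in groups.values():                 # step 5: rank per protocol by access count
        if len(group) > 1:
            group.sort(key=lambda p: accesses.get(p["id"], 0))
            group[-1]["age"] += 1                 # step 6: busiest ages up, idlest ages down
            group[0]["age"] -= 1
    kept, new, removed_ips = [], [], []
    for p in pots:
        if p["age"] < AGE_LOWER:                  # steps 7-8: OLD, retire and record the IP
            removed_ips.append(p["ip"])
            continue
        kept.append(p)
        if p["age"] > AGE_UPPER:                  # step 9: MATURE, seed a YOUNG clone of it
            new.append({**copy.deepcopy(p), "id": f"{p['id']}-c{len(new)}",
                        "ip": next_ip(), "age": 1})
    new_ips = [n["ip"] for n in new]
    for p in kept + new:                          # step 10: drop retired peers, add new ones
        p["peers"] = [ip for ip in p["peers"] if ip not in removed_ips and ip != p["ip"]]
        p["peers"] += [ip for ip in new_ips if ip != p["ip"] and ip not in p["peers"]]
    return kept + new, removed_ips


def luring_capability(captured_bytes):
    """Assumed form of D_i: the capture at t_i relative to the mean over t_1..t_i."""
    avg = sum(captured_bytes) / len(captured_bytes)
    return captured_bytes[-1] / avg if avg else 0.0


def activity(s):
    """Step 14, assumed form: weighted sum of TCP connections and ICMP messages."""
    return W_TCP * s["tcp"] + W_ICMP * s["icmp"]


def adjust_by_activity(pots, stats, rho, rng=random.random):
    """Steps 14-17. stats: {pot_id: {"tcp": n, "icmp": m}}; rho: probability that a
    pot takes over the configuration of the most active pot of its protocol."""
    pot_active = {p["id"]: activity(stats[p["id"]]) for p in pots}   # potActiveMap
    max_active = {}                                                  # maxActiveMap
    for p in pots:                                # step 16: ties broken by TCP count
        best = max_active.get(p["protocol"])
        key = (pot_active[p["id"]], stats[p["id"]]["tcp"])
        if best is None or key > (pot_active[best["id"]], stats[best["id"]]["tcp"]):
            max_active[p["protocol"]] = p
    result = []
    for p in pots:                                # step 17
        q = copy.deepcopy(p)
        best = max_active[p["protocol"]]
        if best["id"] != p["id"] and rng() < rho:
            q["config"] = copy.deepcopy(best["config"])
        result.append(q)
    return result


def adjust_honeynet(pots, packets, accesses, stats, captured_bytes, next_ip,
                    depth_threshold=0.5, lure_threshold=0.8, rho=0.5, rng=random.random):
    """One round: shallow scans use the age method; deep scans use the activity
    method, and only once the luring capability has dropped to the threshold."""
    if scan_depth(packets) < depth_threshold:
        return adjust_by_age(pots, accesses, next_ip)[0]
    if luring_capability(captured_bytes) <= lure_threshold:
        return adjust_by_activity(pots, stats, rho, rng)
    return copy.deepcopy(pots)


# Constructed sample honeynet: three Modbus pots and one S7comm pot.
SAMPLE_POTS = [
    {"id": "mb1", "ip": "10.0.0.11", "protocol": "modbus", "age": 1,
     "config": {"device_id": 1}, "peers": ["10.0.0.12", "10.0.0.21"]},
    {"id": "mb2", "ip": "10.0.0.12", "protocol": "modbus", "age": 0,
     "config": {"device_id": 2}, "peers": ["10.0.0.11"]},
    {"id": "mb3", "ip": "10.0.0.13", "protocol": "modbus", "age": 3,
     "config": {"device_id": 3}, "peers": ["10.0.0.11"]},
    {"id": "s71", "ip": "10.0.0.21", "protocol": "s7comm", "age": 1,
     "config": {"rack": 0}, "peers": ["10.0.0.11"]},
]
SAMPLE_ACCESSES = {"mb1": 5, "mb2": 1, "mb3": 9, "s71": 2}
SAMPLE_STATS = {"mb1": {"tcp": 4, "icmp": 2}, "mb2": {"tcp": 5, "icmp": 0},
                "mb3": {"tcp": 1, "icmp": 1}, "s71": {"tcp": 2, "icmp": 0}}
```

Two details worth checking in any real implementation: the age branch removes the only honeypot of a protocol if it ages below a, so the per-protocol ranking must be skipped for groups of one (done above), and the activity branch copies the most active honeypot's configuration verbatim, which pushes the honeynet toward identical replicas unless ρ is kept well below 1.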
Further, the honeynet state monitoring service supports the whole dynamic adjustment service and calculates the luring capability of the honeynet, the access count and activity of the honeypots, and the scanning breadth and scanning depth; the traffic forwarding service, located in the honeynet gateway of the management layer, forwards traffic to a specific honeynet environment or honeypot so that specific traffic data receive a response.
Further, the traffic forwarding service performs a second filtering of the traffic data with a policy engine on top of Snort rule matching and, according to the filtering result, forwards traffic of a specific structure to a certain honeynet for response. First, a front-end traffic analysis is carried out: traffic entering the honeynet is classified in the honeynet gateway according to rules, and different types of traffic enter different honeynets or honeypots. The front-end traffic analysis filters and forwards the attack traffic: the parsed traffic data are matched against a defined rule set and forwarded according to the matching result. Second, the traffic forwarding of the honeynet gateway is optimised at the honeynet layer: traffic with different characteristics is forwarded to honeynets with different configurations and interaction degrees, so that the communication between an attacker and the honeynet goes deeper and data are collected for the analysis of the malicious attacker.
The policy engine comprises a rule set, a controller and a classifier.
The rule set is written by the honeynet administrator and contains the characteristics of the traffic to be matched: IP address, port number, a size rule for the data part, and the threatening function-code fields specific to the industrial control protocol together with their values.
The controller coordinates the rule set and the classifier, checks that the format of the rule set is correct, and invokes iptables to forward traffic according to the classifier's matching result.
The classifier matches the traffic data against the traffic characteristics in the rule set and forwards the traffic data according to the result.
The rule matching of the industrial control honeynet targets the highly threatening traffic data that the industrial control protocols encapsulate in TCP. Rule matching finally outputs a number of rule actions; the rule actions are divided by the function of the function code, and the writing of rules is simplified by using the field values parsed from the industrial control protocol. The action of the drop rule is to discard the packets that meet the rule and to reject all subsequent connection requests that match the same rule; ftm2S7c forwards the current S7comm connection to a honeynet with a higher degree of interaction; ftm1S7c forwards the S7comm connection to the ordinary medium-interaction honeynet environment. The second rule is triggered by most S7comm connections and corresponds to a medium-interaction honeynet environment that generally offers only queries of basic information such as device type, number of coils and device model; the first rule is triggered when a function code of higher threat is matched, so the interaction degree is higher, the security protection is more comprehensive, and the connection goes to a honeynet that responds to that function code of the protocol.
The rule matching algorithm is as follows: first the pcap traffic data file is read and, for each message, the validity of the data part is judged; if the data part of the current message is valid, a matching rule is generated by the policy engine and returned. A deterministic finite automaton reads the message one byte at a time and updates the current state to state' as it reads; if the state reached after reading some character does not exist, state' is set to FAIL. If the data part of the message matches a forwarding rule, that rule is returned.
The basic traffic forwarding flow is as follows: when a communication connection between an external address and the honeynet is established, it is first judged whether the data part of the current connection is valid; if there is no valid payload, the connection is forwarded directly to the low-interaction honeynet environment. Otherwise the data part of the connection is parsed and matched against the rules by the policy engine, and the controller forwards according to the result: if the match is drop and the number of rejected connections from the same IP is below the threshold, the connection is closed immediately, the communication ends, the source IP is identified and the number of disconnections is recorded; if the number of rejections of the same IP exceeds the threshold, the traffic from that IP is diverted to the low-interaction honeynet environment; and if the matching result is ftm2proc or ftm1proc, the traffic is forwarded to honeynets of different interaction degrees according to the function code of the connection.
The invention has the following beneficial effects and advantages:
The innovation of the dynamic honeynet system based on traffic analysis lies in the proposed dynamic honeynet adjustment system based on traffic analysis: when the interaction depth of the honeynet is high, the activity of the honeypots in each subnet can be raised at low iteration cost; when the interaction depth is low, the adjustment method based on honeypot state sorts the honeypots by access count and uses the honeypot age to replace the most and least active honeypots, so that each honeypot reflects the traffic conditions of its region and the luring capability of the honeynet is improved more quickly and comprehensively. At the same time, on the basis of an in-depth analysis of industrial control protocols and industrial network architecture, an industrial control dynamic honeynet architecture is realised, the data collection capacity of the honeynet is improved, more malicious traffic data can be captured, and data support is provided for network security analysis of industrial environments.
The invention not only handles the case in which several honeypots have the same activity, taking the access count of the honeypots as the basis of dynamic adjustment, but also considers the weight of a single honeypot within the honeynet; it defines the honeypot state and the honeypot age and proposes a dynamic adjustment method based on the honeypot state, which improves the adjustment efficiency of the honeynet. The adjustment method is selected according to the scanning depth of the honeynet, so the advantages of each sub-algorithm are fully exploited and the adaptability is better.
The system of the invention designs a rule matching algorithm on the basis of the Snort rule engine, a network intrusion detection/prevention system that is multi-platform and provides real-time traffic analysis and logging of IP packets, thereby realising the forwarding of industrial control traffic data. A dynamic honeynet system based on Docker containers is realised, and the dynamic adjustment algorithm is applied to deploy and adjust the honeypots, which improves the scalability of the honeynet.
Drawings
The above and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a schematic structural diagram of the invention;
FIG. 2 shows the change in the spoofing capability of the system using the algorithm of the invention and two previous adjustment algorithms on the 4sic traffic data set.
Detailed Description
In order that the above objects, features and advantages of the invention may be understood more clearly, the invention is described in more detail below with reference to the accompanying drawings. The embodiments of the present application, and the features of the embodiments, may be combined with each other where they do not conflict.
In the following description numerous specific details are set forth to provide a thorough understanding of the invention; the invention may, however, be practised in ways other than those specifically described here, and its scope is therefore not limited by the specific embodiments disclosed below.
The solution of some embodiments of the invention is described below with reference to FIG. 1 and FIG. 2.
Example 1
The invention relates to a dynamic honeynet system based on traffic analysis, in particular to an industrial control dynamic honeynet system based on threat-intelligence traffic analysis and Docker containers. FIG. 1 is a schematic structural diagram of the invention, and FIG. 2 shows the variation of the spoofing capability of the honeynet on the 4sic (industrial network security summit) traffic data set using the algorithm of the invention and two existing adjustment algorithms.
The invention aims to optimise the honeynet dynamic adjustment method and provides an industrial control dynamic honeynet system using Docker containers, based on a honeynet dynamic adjustment method driven by traffic analysis. For ease of understanding, the technical implementation of the invention and its features are explained below.
The dynamic honeynet arranges a plurality of industrial control honeypots in Docker containers to form a trapping environment, adjusts the honeypots dynamically on the basis of traffic analysis, attracts attackers to carry out more scanning and attack activity, captures traffic data and records attack logs, performs behaviour analysis of the malicious attackers on that basis, and provides security alarms for the industrial control system. Following the design idea of third-generation honeynet systems, the invention combines the architecture of an industrial control network with virtualisation and Docker container technology to design and realise an industrial control dynamic honeynet with dynamic adjustment capability and high scalability.
According to the functional requirements and deployment mode of the dynamic honeynet, the system is divided and built in a three-layer structure: the deception environment layer, the data processing layer and the honeynet management layer.
Specifically:
the bottom layer is the deception environment layer, which realises the deception environment of the dynamic honeynet, namely the protocol simulation;
the middle layer is the data processing layer, which realises log collection and dynamic adjustment;
the upper layer is the honeynet management layer, which realises the traffic forwarding service used during the dynamic adjustment of the honeynet.
Implementation of the deception environment layer: the layer consists of a plurality of virtual honeypots implemented as Docker containers. Each container is allocated an IP address and a unique identifier (ID) according to its protocol type, which makes it convenient to manage the honeypots in the honeynet management layer. Because Docker containers are lightweight, a large number of virtual honeypots can be deployed on one system without consuming too many system resources; the honeypots communicate with each other according to a pre-configured communication list and form a dynamic, constantly changing honeynet. The log files collected in each virtual honeypot are sent at fixed intervals to the log server of the processing layer, where the attack data are stored. In this construction, Modbus TCP and S7comm are selected as the multi-protocol simulation environment, and communication over both protocols is realised on the TCP/IP protocol stack. The basic communication process is that the client establishes a connection with the server by the TCP three-way handshake and then sends request messages, to each of which the server replies with a response PDU (protocol data unit); the connection is closed when neither end has further messages or the client sends a close request. The honeypot first initialises, configuring basic information such as the size of the device memory, the device ID, the start address and the IP address; the server then opens a listening socket and waits until a request arrives from a client or a scanner. After a request is received, the message is split and parsed according to the protocol and the corresponding response is returned, while a log record is generated throughout the operation of the honeypot.
The honeypot device also monitors its port traffic while running.
The deception environment layer collects two types of data: the network traffic that the honeypot observes passing through it, and the log data generated when the honeypot is attacked.
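The initialise / listen / split-and-parse / respond / log sequence of the deception layer, worked through for Modbus TCP, as an added example that is not code from the patent or its assignee. The handled function codes (Read Holding Registers, Write Single Register, Report Slave ID), the device identity string, the memory layout and the sample requests are this example's assumptions; the MBAP framing and Modbus exception codes are the protocol's own. It goes slightly beyond the description by answering unknown function codes with a Modbus exception, which a real device would do and a silent honeypot would not.

```python
"""Hypothetical Modbus TCP request handler for one simulated device, following the
initialise / listen / split-and-parse / respond / log sequence described above.
Not the patent's own code; the handled function codes, the device identity string
and the sample requests are this example's constructed assumptions."""
import json
import socket
import struct
import time

READ_HOLDING, WRITE_SINGLE, REPORT_SLAVE_ID = 0x03, 0x06, 0x11      # handled subset (assumed)
ILLEGAL_FUNCTION, ILLEGAL_ADDRESS, ILLEGAL_VALUE = 0x01, 0x02, 0x03  # Modbus exception codes


class ModbusDevice:
    """Initialisation step: device memory size, device (unit) ID, start address, IP."""
    def __init__(self, unit_id=1, start_address=0, memory_size=64, ip="10.0.0.11"):
        self.unit_id, self.start, self.ip = unit_id, start_address, ip
        self.registers = [0] * memory_size     # simulated holding-register memory
        self.log = []                          # one record per request, parsed or not

    def handle(self, frame, peer="0.0.0.0"):
        """Split one MBAP-framed request, dispatch it and return the response frame;
        an empty result means the frame was malformed and the connection should drop."""
        if len(frame) < 8:
            self._log(peer, None, "short frame", frame)
            return b""
        tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
        pdu = frame[7:6 + length]              # MBAP length counts the unit id plus the PDU
        if pid != 0 or length != len(frame) - 6 or not pdu:
            self._log(peer, None, "bad MBAP header", frame)
            return b""
        fc = pdu[0]
        if unit != self.unit_id:
            self._log(peer, fc, "wrong unit id", frame)
            return b""
        body = self._dispatch(fc, pdu[1:])
        self._log(peer, fc, "exception" if body[0] & 0x80 else "ok", frame)
        return struct.pack(">HHHB", tid, 0, len(body) + 1, unit) + body

    def _dispatch(self, fc, data):
        """Build the response PDU; unknown requests get a Modbus exception, not silence."""
        if fc == READ_HOLDING and len(data) == 4:
            addr, count = struct.unpack(">HH", data)
            if not 1 <= count <= 125:
                return bytes([fc | 0x80, ILLEGAL_VALUE])
            off = addr - self.start
            if off < 0 or off + count > len(self.registers):
                return bytes([fc | 0x80, ILLEGAL_ADDRESS])
            regs = self.registers[off:off + count]
            return bytes([fc, 2 * count]) + struct.pack(f">{count}H", *regs)
        if fc == WRITE_SINGLE and len(data) == 4:
            addr, value = struct.unpack(">HH", data)
            off = addr - self.start
            if not 0 <= off < len(self.registers):
                return bytes([fc | 0x80, ILLEGAL_ADDRESS])
            self.registers[off] = value
            return bytes([fc]) + data          # a successful write echoes the request
        if fc == REPORT_SLAVE_ID and not data:
            ident = bytes([self.unit_id, 0xFF]) + b"Honeynet PLC v1"   # run indicator ON (assumed id)
            return bytes([fc, len(ident)]) + ident
        return bytes([fc | 0x80, ILLEGAL_FUNCTION])

    def _log(self, peer, fc, outcome, frame):
        self.log.append({"ts": time.time(), "src": peer, "function": fc,
                         "outcome": outcome, "raw": frame.hex()})

    def serve(self, host="0.0.0.0", port=502):
        """Listening step: accept one client at a time and answer request by request."""
        with socket.socket() as srv:
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((host, port))
            srv.listen()
            while True:
                conn, (peer, _) = srv.accept()
                with conn:
                    while (frame := conn.recv(260)):
                        resp = self.handle(frame, peer)
                        if not resp:           # malformed frame: close, keep the log record
                            break
                        conn.sendall(resp)
                if self.log:
                    print(json.dumps(self.log[-1]))


# Constructed sample requests (MBAP header + PDU) as a scanner or attacker might send.
READ_2_AT_0 = bytes.fromhex("000100000006010300000002")
WRITE_REG_3 = bytes.fromhex("000200000006010600031234")
READ_1_AT_3 = bytes.fromhex("000300000006010300030001")
UNKNOWN_FC = bytes.fromhex("000400000002012b")
```

Every branch, including the malformed ones, writes a log record before returning, so the log rather than the response is the honeypot's primary product; the unit-id check and the exception responses are what a fingerprinting scanner compares against real devices, so they should match the emulated product rather than be omitted.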
Implementation of the data processing layer: the data processing layer is responsible for processing the traffic data in the honeynet and parses them according to the type of industrial control protocol found in the captured pcap packets; the parsed result is an important basis for the dynamic adjustment of the honeypots. The data processing layer also provides a log service for collecting the running information of the honeypots in the lower layer, which specifically comprises basic information about attackers and scanners, error information produced while the honeypots run, and unknown fields that the honeypots encounter and cannot parse. The server stores the logs classified by type for subsequent attacker profiling.
In addition to the two types of data collected by the deception environment layer, the system state of each Docker container and the attacker's operations on the system are captured with an open-source tool in order to monitor the running state of every honeypot inside its container. To improve the concealment of the honeypots and the honeynet and to reduce abnormal communication traffic between a single honeypot and the outside, log files are recorded inside the Docker container in which the honeypot runs. On this basis, the Docker container honeypots of the invention collect logs by directory mount: a log storage directory /var/logs is first created on the honeynet host, containing a plurality of subdirectories, one per honeypot in the honeynet, which are shared with the log directory inside each container by mounting; when a virtual honeypot writes logs into the directory inside its container, the files are visible on the honeynet host, so that the host collects the logs of the virtual honeypot. Finally, the honeynet host sends the log files it has collected from the honeynet to the log server for storage and further analysis.
The implementation of the honeynet management layer is as follows: the dynamic adjustment module provides the system with a honeynet state monitoring service and a flow forwarding service. The dynamic adjustment module is the core of the whole dynamic honeynet; the Docker configuration module is used to manage the honeypots in the deception environment, and the basis for this management is the honeynet configuration generated by the dynamic adjustment module. In addition, the Docker configuration module is responsible for maintaining the port mapping rules and network access rules of all honeypots, so that the security of the honeynet environment is ensured and an attacker cannot affect the host on which the honeynet runs. The dynamic adjustment service uses the parsed industrial control protocol messages to realize the honeynet adjustment algorithm of the invention and adjusts the honeynet according to the real-time flow data of the honeynet.
The whole adjusting method flow comprises the following steps:
step 1, capturing flow data in the honey net according to a fixed time interval.
step 2, taking the data packets that interact with the honeynet nodes as the basic data of the model, taking the IP source of each data packet as the statistical consideration, and calculating the access depth. The calculation formula is as follows:
Figure BDA0003033900900000091
in the formula, $|M_i|$ represents the total number of packets from the same IP source address, and $|M_i^{bp}|$ represents the number of large packets received from the same IP source address.
step 3, when the scanning depth is smaller than a set threshold or meets the user-defined adjusting method, defining the age of the honeypot in three stages according to the visit volume of the honeypot: YOUNG (new honeypot), MATURE (mature honeypot) and OLD (old honeypot), and defining the upper and lower age thresholds b and a of the YOUNG state;
step 4, setting the initial value of the honeypot age after deployment of the honeynet as 1;
step 5, packet capturing flow data statistics and analysis are carried out on the flow of the honey network: sorting honeypot visit volumes according to the same protocol;
step 6, increasing the age of the maximum visit amount by 1, and decreasing the age of the honeypot of the minimum visit amount by 1;
step 7, updating the age stage of the honeypots: entering OLD stage with age less than a, entering MATURE stage with age greater than b;
step 8, removing the honeypot in the OLD stage and recording the IP which is not used any more;
step 9, recording the configuration of the honeypots in the MATURE stage, wherein the configuration is used for generating new honeypots to be added into the honeynet, and the initial value of the age is 1;
step 10, traversing the honeypot configuration file in the honeypot, modifying the honeypot configuration interacted with the removed IP according to the removed IP record, and adding the IP of a new honeypot;
and 12, calculating the allure capability of the honey net when the scanning depth is larger than a set threshold or meets the user-defined adjusting method. The decoy ability of the honey net represents the deceptive effect of the whole honey net as follows: d i Indicates honey net at t i The ability to trick at a moment in time,
Figure BDA0003033900900000101
indicates the size of the data packets captured by a single honeypot at time $t_i$, and
Figure BDA0003033900900000102
indicates the average size of the data packets captured between $t_1$ and $t_i$;
Figure BDA0003033900900000103
and 13, when the decoy ability is reduced to a set threshold value, the honeynet can adjust the configuration of honeypots according to an adjusting algorithm to improve the decoy ability:
step 14, counting the number of TCP connection and ICMP messages of each honeypot and the weights of the TCP connection and ICMP messages, and calculating the activity of the corresponding honeypot; if the traffic capture times are $T = \{t_1, t_2, \ldots, t_n\}$, then the activity of the honeypot at time $t_n$ is calculated by the following formula;
Figure BDA0003033900900000104
step 15, establishing two hash tables PotActiveMap (honeypot activity hash table), maxActiveMap (hash table with highest activity of each protocol) to store the corresponding relation between IP and activity and between protocol and activity, and filling the hash tables PotActiveMap;
step 16, updating the hash table maxActiveMap, and selecting the maximum TCP connection number as a result with the same activity;
step 17, traversing the configuration files of the honeypots, comparing each honeypot with the alignment degree ρ by means of a random number; when the random number is smaller than ρ, adjusting the honeypot according to the configuration of the honeypot with the maximum activity and adding the adjusted configuration file to the result set; otherwise, adding the original configuration file to the result set; finally obtaining and returning a new honeynet configuration file.
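One round of the age-based adjustment in steps 4 to 10, as an added example that is not the patent's own code: honeypots are grouped by protocol, the most and least visited ones age up and down, OLD honeypots are removed, MATURE configurations are cloned with age 1, and every communication list is rewritten. The Honeypot structure, the peer-list reading of the "communication list", the IP pool and the visit counts are assumptions constructed for illustration.

```python
# Added example (not the patent's own code): one round of the age-based
# honeynet adjustment described in steps 4 to 10. The data structure, the
# peer-list interpretation of the "communication list" and the IP pool are
# assumptions made for this illustration.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple

YOUNG, MATURE, OLD = "YOUNG", "MATURE", "OLD"


@dataclass
class Honeypot:
    ip: str
    protocol: str                                   # e.g. "modbus" or "s7comm"
    age: int = 1                                    # step 4: age starts at 1 after deployment
    peers: List[str] = field(default_factory=list)  # pre-configured communication list (IPs)


def age_stage(age: int, a: int, b: int) -> str:
    """Step 7: OLD below the lower threshold a, MATURE above the upper threshold b, else YOUNG."""
    if age < a:
        return OLD
    if age > b:
        return MATURE
    return YOUNG


def adjust_by_age(honeypots: List[Honeypot], visits: Dict[str, int],
                  a: int, b: int, new_ip_pool: Iterator[str]) -> Tuple[List[Honeypot], List[str]]:
    """Run steps 5 to 10 once.

    visits maps honeypot IP -> number of packets seen for it in the capture interval.
    Returns the new honeynet (surviving plus newly generated honeypots) and the list
    of IPs that were removed and must not be used any more.
    """
    # Step 5: group honeypots by protocol and sort each group by visit volume.
    by_protocol: Dict[str, List[Honeypot]] = defaultdict(list)
    for hp in honeypots:
        by_protocol[hp.protocol].append(hp)
    for group in by_protocol.values():
        group.sort(key=lambda hp: visits.get(hp.ip, 0))
        # Step 6: the most visited honeypot ages up, the least visited ages down.
        if len(group) > 1:
            group[-1].age += 1
            group[0].age -= 1

    # Steps 7 and 8: update the stages, remove OLD honeypots and record their IPs.
    removed = [hp.ip for hp in honeypots if age_stage(hp.age, a, b) == OLD]
    survivors = [hp for hp in honeypots if hp.ip not in removed]

    # Step 9: every MATURE configuration is copied into a new honeypot with age 1.
    # Assumption: the copy keeps the template's peers and also lists the template itself.
    new_pots: List[Honeypot] = []
    for hp in survivors:
        if age_stage(hp.age, a, b) == MATURE:
            new_pots.append(Honeypot(next(new_ip_pool), hp.protocol, 1, hp.peers + [hp.ip]))

    # Step 10: rewrite every communication list: drop removed IPs, add the new honeypots.
    new_ips = [hp.ip for hp in new_pots]
    for hp in survivors + new_pots:
        hp.peers = [p for p in hp.peers if p not in removed]
        for ip in new_ips:
            if ip != hp.ip and ip not in hp.peers:
                hp.peers.append(ip)
    return survivors + new_pots, removed


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: three honeypots, thresholds a=1 and b=1, one capture interval."""
    pots = [
        Honeypot("10.0.0.1", "modbus", peers=["10.0.0.2", "10.0.0.3"]),
        Honeypot("10.0.0.2", "modbus", peers=["10.0.0.1", "10.0.0.3"]),
        Honeypot("10.0.0.3", "s7comm", peers=["10.0.0.1", "10.0.0.2"]),
    ]
    visits = {"10.0.0.1": 10, "10.0.0.2": 0, "10.0.0.3": 5}   # constructed packet counts
    new_net, removed = adjust_by_age(pots, visits, a=1, b=1, new_ip_pool=iter(["10.0.0.100"]))
    summary = [f"{hp.ip}/{hp.protocol}/age={hp.age}/{age_stage(hp.age, 1, 1)}" for hp in new_net]
    return summary, removed


if __name__ == "__main__":
    print(demo())
```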
The honey net state monitoring service is used for supporting the whole dynamic adjustment service, calculating the cheating ability of the honey net, the visit quantity and the activity of the honey pot, the scanning breadth and the scanning depth, and providing a basis for dynamic adjustment.
In addition, before each dynamic adjustment, firstly, the relevant parameters of the honey net and the honey pot are initialized, random selection is carried out in the realized industrial control honey net type, and then the honey net is started to capture the flow according to a Dockerfile (configuration file name) configuration file corresponding to the honey net type. On the basis of the deception environment, a honey net configuration file is generated according to an adjustment algorithm configured in the honey net starting stage through analysis of flow data captured by the honey net, and a Docker configuration management module adjusts a Docker container in the deception environment by using a new configuration file. After the initial adjustment, if the decoy ability of the honeynet still does not reach the threshold value, the adjustment is continued according to the adjustment algorithm until the decoy ability meets the specified threshold value.
The flow forwarding service forwards flows with different characteristics to honeynets with different configurations and interaction degrees in the honeynet gateway of the management layer, so that the communication between an attacker and the honeynet can reach a deeper level, and data are collected for the analysis work of discovering malicious attackers. The method first performs a front-end flow analysis, mainly using a filter and a forwarder responsible for attack flow: the analyzed flow data are matched and classified according to the rule set defined below, and the flows are then forwarded according to the matching result, with different types of flow entering different honeynets or honeypots, which improves the ability of the honeynet to capture malicious flow. In an industrial control protocol, instructions such as modification and write operations are usually regarded as flow data of an extremely high level and risk degree; if a honeynet receives flow of this kind, it can be regarded as data with a high threat degree, and from the perspective of the active defense of the honeynet, data with a high threat degree are often also data of high value, requiring further information collection and analysis.
Next, the flow forwarding of the honeynet gateway is optimized at the honeynet layer: flows with different characteristics are forwarded to honeynets with different configurations and interaction degrees, so that the communication between the attacker and the honeynet reaches a deeper level and data are collected for the analysis of malicious attackers. The flow forwarding mechanism of the industrial control honeynet realized by the system performs secondary filtering of the flow data with a policy engine on the basis of Snort rule matching, and forwards flow data of a specific structure to a particular honeynet for response according to the filtering result.
The policy engine mainly comprises three parts, namely a rule set, a controller and a classifier. The rule set is defined by manager of honey network, and the characteristics of flow to be matched are written in according to fixed format, except for the rules of common IP address, port number, data part size and the like, and aiming at different industrial control protocols, the function code field which is specific to some industrial control protocols and has higher threat and the corresponding value thereof can be written in the rule set. The classifier is used for matching the flow data with the flow characteristics in the rule set and forwarding the flow data according to the matching result. The controller is used for coordinating the rule set and the classifier, and needs to ensure that the format of the rule set is correct and call iptables (an IP address table) to forward the matching result of the classifier.
The industrial control honey net rule in the invention matches the traffic data which is encapsulated by a TCP protocol in an industrial control protocol and has higher threat. And finally outputting a plurality of rule behaviors through rule matching, wherein each rule behavior is divided according to the function of the function code, and the writing of the rules is simplified according to the field value analyzed by the industrial control protocol. The action of drop rules is to drop packets that meet the rules and reject all subsequent connection requests with the same rules. This rule should be used with caution because frequent disconnections during the scanning and attacking phases tend to leave the attacker doubting the authenticity of the connection, which is detrimental to the subsequent trapping activity. ftm2S7c indicates forwarding of the current S7comm protocol connection to a honey net with a higher degree of interactivity, while ftm1S7c indicates forwarding of the S7comm connection to a honey net environment of normal moderate interactivity. The second rule can be triggered by most S7comm connections, corresponds to a honey net environment with medium interaction degree, and generally only provides the query function of basic information such as equipment type, coil quantity, equipment model and the like. The triggering of the first rule is that the function code with a larger threat is matched, so that a connection needs to be made through a honeynet which has higher interaction degree and more comprehensive security protection and is more likely to respond to the function code in the protocol.
The following rules are protocol types supported by the rule matching structure, and because all industrial control honeypot protocols realized at present are based on TCP, the protocol types supported by the rule matching are also only TCP protocols realized. The RTN and OTN respectively represent a rule header and a rule body, the former specifies basic information of traffic to be matched by the rule, such as an IP address, a port and a data flow direction, and the latter mainly includes matching content and alarm information, wherein the matching content can match specific fields in the protocol, which is the key point for matching the ModbusTcp and the S7comm protocol.
Rule matching algorithm: first, a pcap (file format type) flow data file is read, and the validity of the data part of each message is judged. If the data part of the current message is valid, a matching rule is generated according to the policy engine and returned. The specific matching method uses a deterministic finite automaton that reads one byte of the message at a time, updating the current state "status" to the new state "status'" as it reads. If no state exists for the character just read, status' is updated to FAIL (failure). If the data portion of the message successfully matches a forwarding rule, the rule is returned.
The basic flow for forwarding the industrial control flow is as follows:
When a communication connection is established between an external address and the honeynet, it is first judged whether the data part of the current connection is valid; if there is no valid payload, the connection is forwarded directly to the low-interaction honeynet environment. Otherwise, the data part of this connection is analyzed and matched against the rules by the policy engine, and the controller forwards according to the matching result: if the match is drop (discard rule) and the number of connection rejections for the same IP is smaller than a threshold, the connection is closed immediately, the communication ends, and the source IP is identified and its number of disconnections recorded; if the number of rejections for the same IP exceeds the threshold, the flow from that IP is diverted to a low-interaction honeynet environment, so that the IP cannot identify the honeynet through delay-based judgment; and if the matching result is ftm2proc (forward to the honeynet with a higher interaction degree) or ftm1proc (forward to the honeynet with a medium interaction degree), the flow is forwarded to the honeynet of the corresponding interaction degree according to the function code of the connection.
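The policy engine (rule set, classifier, controller) and the forwarding decision just described, as an added example that is not the patent's own code, applied to Modbus TCP. The MBAP validity check and the function codes are standard Modbus; the rule set, the tier names, the drop action for function code 0x08 and the sample addresses are constructed for illustration. S7comm would need its own parser in place of parse_modbus_tcp.

```python
# Added example (not the patent's own code): a minimal policy engine and the
# controller's forwarding decision for Modbus TCP traffic. The rule set, the
# honeynet tier names and the drop action for function code 0x08 are
# constructed for illustration; the Modbus function codes themselves are standard.
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Rule actions (names as used in the text) and forwarding targets.
DROP, FTM2PROC, FTM1PROC = "drop", "ftm2proc", "ftm1proc"
CLOSE, LOW, MEDIUM, HIGH = "close", "low-interaction", "medium-interaction", "high-interaction"

# Constructed rule set: (protocol, function codes, action).
# 0x05/0x06/0x0F/0x10 are Modbus write operations (high threat, deeper honeynet);
# 0x01-0x04 are reads (queries, medium interaction); 0x08 Diagnostics is dropped here.
RULES: List[Tuple[str, Set[int], str]] = [
    ("modbus", {0x08}, DROP),
    ("modbus", {0x05, 0x06, 0x0F, 0x10}, FTM2PROC),
    ("modbus", {0x01, 0x02, 0x03, 0x04}, FTM1PROC),
]


def build_modbus_tcp(function_code: int, data: bytes, transaction_id: int = 1, unit_id: int = 1) -> bytes:
    """Construct a Modbus TCP ADU: 7-byte MBAP header followed by the PDU (used for sample input)."""
    length = 2 + len(data)                      # unit id + function code + data
    return struct.pack(">HHHB", transaction_id, 0, length, unit_id) + bytes([function_code]) + data


def parse_modbus_tcp(payload: bytes) -> Optional[int]:
    """Validity check of the data part: return the function code, or None when the
    payload is not a well-formed Modbus TCP ADU (protocol id must be 0 and the
    MBAP length field must cover exactly the remaining bytes)."""
    if len(payload) < 8:
        return None
    _tid, protocol_id, length, _unit = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    return payload[7]


def classify(protocol: str, function_code: int) -> Optional[str]:
    """Classifier: the first rule whose protocol and function-code set match wins."""
    for rule_protocol, codes, action in RULES:
        if rule_protocol == protocol and function_code in codes:
            return action
    return None


class Controller:
    """Turns the classifier result into a forwarding target and keeps the per-IP
    rejection counter that stops repeated drops from revealing the honeynet."""

    def __init__(self, reject_threshold: int = 3):
        self.reject_threshold = reject_threshold
        self.rejects: Dict[str, int] = defaultdict(int)

    def decide(self, src_ip: str, protocol: str, payload: bytes) -> str:
        function_code = parse_modbus_tcp(payload) if protocol == "modbus" else None
        if function_code is None:
            return LOW                   # no valid load: straight to the low-interaction honeynet
        action = classify(protocol, function_code)
        if action == DROP:
            if self.rejects[src_ip] < self.reject_threshold:
                self.rejects[src_ip] += 1
                return CLOSE             # close immediately and record the disconnection
            return LOW                   # threshold reached: divert instead of rejecting again
        if action == FTM2PROC:
            return HIGH
        if action == FTM1PROC:
            return MEDIUM
        return LOW                       # assumption: unmatched function codes go to low interaction


if __name__ == "__main__":
    ctl = Controller(reject_threshold=2)
    print(ctl.decide("203.0.113.5", "modbus", build_modbus_tcp(0x03, b"\x00\x00\x00\x0a")))
    print(ctl.decide("203.0.113.5", "modbus", build_modbus_tcp(0x10, b"\x00\x01\x00\x01\x02\x12\x34")))
```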
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.

Claims (7)

1. A dynamic honeynet system based on flow analysis is characterized in that: the method comprises the following steps of dividing and building a three-layer structure, wherein the three-layer structure comprises the following steps: a deception environment layer, a data processing layer and a honey net management layer; the implementation of the management layer of the honey net, namely the implementation of dynamic adjustment, comprises a honey net state monitoring service and a flow forwarding service; the dynamic adjustment module is the core of the whole dynamic honey net, the Docker configuration module is used for managing honey pots in a deceptive environment, and the management basis is honey net configuration generated by the dynamic adjustment module; the Docker configuration module is responsible for maintaining the port mapping rules and the network access rules of all honeypots; the dynamic adjustment service utilizes the analyzed industrial control protocol message to realize a honey net adjustment algorithm and adjusts the honey net according to the real-time flow data of the honey net; the adjusting process comprises the following steps:
step 1, capturing flow data in a honey net according to a fixed time interval;
step 2, taking a data packet interacted with the honey net node as basic data of the model, taking an IP source of the data packet as a statistical consideration, and calculating the scanning depth; the calculation formula is as follows:
Figure FDA0003932902960000011
in the formula, $|M_i|$ represents the total number of packets from the same IP source address,
Figure FDA0003932902960000012
indicates the number of large packets received from the same IP source address;
and 3, when the scanning depth is smaller than a set threshold or meets the user-defined adjusting method, defining the age of the honeypot into three stages according to the visit quantity of the honeypot: YOUNG, MATURE and OLD, and defining upper and lower age threshold values b, a of the YOUNG state;
step 4, setting the initial value of the honeypot age after deployment of the honeynet as 1;
step 5, packet capturing flow data statistics and analysis are carried out on the flow of the honey network: sorting honeypot visit volumes according to the same protocol;
step 6, increasing the age of the maximum visit amount by 1, and decreasing the age of the honeypot of the minimum visit amount by 1;
step 7, updating the age stage of the honeypots: entering OLD stage with age less than a, entering MATURE stage with age greater than b;
step 8, removing the honeypot in the OLD stage and recording the IP which is not used any more;
step 9, recording the configuration of the honeypots in the MATURE stage, wherein the configuration is used for generating new honeypots to be added into the honeynet, and the initial value of the age is 1;
step 10, traversing the honeypot configuration file in the honeypot, modifying the honeypot configuration interacted with the removed IP according to the removed IP record, and adding the IP of a new honeypot;
step 12, when the scanning depth is larger than a set threshold value or meets a user-defined adjusting method, calculating the decoy ability of the honey net; the decoy ability of the honey net represents the deceptive effect of the whole honey net, as follows: $D_i$ indicates the decoy ability of the honey net at time $t_i$,
Figure FDA0003932902960000021
indicates the size of the data packets captured by a single honeypot at time $t_i$, and
Figure FDA0003932902960000022
indicates the average size of the data packets captured between $t_1$ and $t_i$;
Figure FDA0003932902960000023
and 13, when the decoy ability is reduced to a set threshold value, the honeynet adjusts the configuration of honeypots according to an adjusting algorithm to improve the decoy ability:
step 14, counting the number of TCP connection and ICMP messages of each honeypot and the weights of the TCP connection and ICMP messages, and calculating the activity of the corresponding honeypot; if the traffic capture times are $T = \{t_1, t_2, \ldots, t_n\}$, then the activity of the honeypot at time $t_n$ is calculated by the following formula;
Figure FDA0003932902960000024
step 15, establishing two hash tables potActiveMap and maxActiveMap to store the corresponding relation between the IP and the activity as well as between the protocol and the activity, and filling the hash tables potActiveMap;
step 16, updating the hash table maxActiveMap, and selecting the maximum TCP connection number as a result with the same activity;
step 17, traversing the configuration files of the honeypots, comparing each honeypot with the alignment degree rho through a random number, when the random number is smaller than the rho, adjusting according to the configuration of the honeypot with the maximum activity degree, and adding the adjusted configuration files into a result set; otherwise, adding the original configuration file into the result set, and finally obtaining and returning a new honey net configuration file;
the flow forwarding service is to perform secondary filtering on flow data by using a policy engine on the basis of Snort rule matching, and forward the flow data of a specific structure to a certain honeynet to respond according to a filtering result; firstly, performing preposed flow analysis, classifying the flow entering the honey net in a honey net gateway according to rules, and enabling different types of flow to enter different honey nets or honey pots; the preposed flow analysis is used for filtering and forwarding attack flow, matching the analyzed flow data according to a defined rule set, and forwarding the flow according to a matching result; secondly, the flow forwarding of the honey net gateway is optimized on the honey net layer, and the flows with different characteristics are forwarded to the honey nets with different configurations and interaction degrees, so that communication levels of an attacker and the honey nets are deeper, and data collection is performed for data analysis work of the malicious attacker;
the policy engine comprises a rule set, a controller and a classifier;
the rule set is written by a manager of the honey network into the characteristics of the flow to be matched, and the rule set comprises the following steps: IP address, port number, data part size rule, function code field with threat peculiar to industrial control protocol and corresponding value are written into rule set;
the controller is used for coordinating the rule set and the classifier, ensuring the format of the rule set to be correct, and calling iptables to forward the matching result of the classifier;
the classifier is used for matching the flow data with the flow characteristics in the rule set and forwarding the flow data according to the matching result;
the rule matching of the industrial control honey network aims at the traffic data which is encapsulated by a TCP protocol in the industrial control protocol and has high threat; the rule matching finally outputs a plurality of rule behaviors, each rule behavior is divided according to the function of the function code, and the writing of the rule is simplified according to the field value analyzed by the industrial control protocol; the action of the drop rule is to discard the data packets meeting the rule and reject all the following connection requests with the same rule; ftm2S7c indicates forwarding of the current S7comm protocol connection to a honeynet with a higher degree of interactivity; ftm1S7c denotes forwarding of the S7comm connection to the normal medium-interactivity honey net environment; the second rule is triggered by most S7comm connections, corresponds to a honey network environment with medium interaction degree, and only provides the inquiry functions of equipment type, coil quantity and equipment model; the first rule is triggered when a function code with a larger threat is matched, so the connection is made through a honey net with a higher interaction degree and more comprehensive safety protection that is able to respond to the function code in the protocol;
the rule matching algorithm is as follows: firstly, reading a pcap flow data file, and judging the validity of the data part of each message; if the data part of the current message is valid, generating a matching rule according to the policy engine and returning; reading one byte of the message at a time with a deterministic finite automaton, and updating the current state status to status' in the reading process; if no state exists after reading a certain character, updating status' to FAIL; if the data part of the message is successfully matched with a forwarding rule, returning the rule;
the basic flow of the traffic forwarding is as follows: when the communication connection between the external address and the honey net is established, firstly, judging whether the data part of the current connection is valid, if no valid payload exists, directly forwarding the connection to the low-interaction honey net environment; otherwise, analyzing the data part connected this time, and using the strategy engine to match the rules, the controller transmitting according to the matching result: if the matching is drop and the connection rejection frequency of the same IP is smaller than the threshold value, immediately closing the connection, ending the communication, identifying the source IP and recording the connection disconnection frequency; if the rejection times of the same IP exceed the threshold value, the flow from the IP is diverted to a low-interaction honey net environment; and if the matching result is ftm2s7c or ftm1s7c, forwarding the flow to the honey nets with different interaction degrees according to the function code connected at this time.
2. The dynamic honeynet system based on traffic analysis as claimed in claim 1, wherein: the deception environment layer is a bottom layer, the data processing layer is a middle layer, and the honey net management layer is an upper layer.
3. The dynamic honeynet system based on traffic analysis as claimed in claim 1, wherein: the deception environment layer is the deception environment realization of the dynamic honey net, namely the simulation of a protocol; the data processing layer is used for realizing the functions of log collection and dynamic adjustment; the honey net management layer is used for realizing the flow forwarding service in the dynamic adjustment process of the honey net honey pot management layer.
4. The dynamic honeynet system based on traffic analysis as claimed in claim 1, wherein: the deception environment layer comprises a plurality of virtual honeypots and a Docker container, and each honeypot Docker container is used for allocating an IP address and a unique identification ID according to a protocol type and managing honeypots in a honeypot management layer; the honeypots are communicated with each other according to a pre-configured communication list to form a dynamic and constantly changing honeynet;
the log files collected in each virtual honeypot are sent to a log server of a processing layer at fixed intervals to store attack data; during construction, selecting ModbusTcp and S7comm as a multi-protocol simulation environment to realize communication over the ModbusTcp and S7comm protocols based on a TCP/IP protocol stack, wherein the basic process of communication is to establish a connection between a client and a server in a TCP three-way handshake mode, send a request message after connection, and the server replies a response PDU (protocol data unit) until no communication message exists at either end or the client closes the connection by sending a closing request; firstly, initializing, and configuring the size of a device memory, a device ID, an initial address and an IP address; then the server opens the socket connection and enters a waiting state until receiving a request from the client or the scanner; after receiving the request, splitting and analyzing the message according to the protocol, responding to the corresponding request, and generating a log record in the whole honeypot operation process; and monitoring the port flow when the honeypot equipment runs.
5. The dynamic honeynet system based on traffic analysis as claimed in claim 1, wherein: the data processing layer is responsible for processing flow data in the honey net and analyzing the flow data according to the type of the industrial control protocol in the captured pcap packet; the data processing layer provides log service at the same time and is used for collecting running information of the honeypots at the lower layer, wherein the running information specifically comprises basic information of attackers and scanners, error information generated in the running process of the honeypots and unknown fields which cannot be analyzed and encountered by the honeypots; and the server stores the logs in a classified manner according to the types for subsequent attacker portrayal.
6. The dynamic honeynet system based on traffic analysis as claimed in claim 1, wherein: the Docker container collects logs in a directory mounting mode and comprises the following steps:
step (1): establishing a log storage directory/var/logs in a honey net host, wherein the log storage directory/var/logs comprises a plurality of subdirectories used for storing log data corresponding to each honeypot in the honey net, and the subdirectories are shared with the log directories in the container in a mounting mode; when the virtual honeypot writes logs into the directory in the container, the honeynet host shares the files, so that the honeynet host collects the logs of the virtual honeypot;
step (2): and the honey net host sends the log files in the honey net collected by the honey net host to a log server for storage and further analysis.
7. The dynamic honeynet system based on traffic analysis as claimed in claim 1, wherein: the honey net state monitoring service is used for supporting the whole dynamic adjustment service, and calculating the decoy capability of the honey net, the visit quantity and the activity of a honey pot, the scanning breadth and the scanning depth; the flow forwarding service is used for forwarding the flow to a specific honey net environment or a honey pot in a honey net gateway of a management layer to realize response aiming at specific flow data.
CN202110437933.7A 2021-04-23 2021-04-23 Dynamic honey net system based on flow analysis Active CN113328992B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110437933.7A CN113328992B (en) 2021-04-23 2021-04-23 Dynamic honey net system based on flow analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110437933.7A CN113328992B (en) 2021-04-23 2021-04-23 Dynamic honey net system based on flow analysis

Publications (2)

Publication Number Publication Date
CN113328992A CN113328992A (en) 2021-08-31
CN113328992B true CN113328992B (en) 2023-03-24

Family

ID=77413606

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110437933.7A Active CN113328992B (en) 2021-04-23 2021-04-23 Dynamic honey net system based on flow analysis

Country Status (1)

Country Link
CN (1) CN113328992B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114422490A (en) * 2021-11-16 2022-04-29 云南电网有限责任公司信息中心 Numerical control drainage method and system based on openness
CN114143068B (en) * 2021-11-25 2024-03-01 广东电网有限责任公司 Electric power internet of things gateway equipment container safety protection system and method thereof
CN114285660B (en) * 2021-12-28 2023-11-07 赛尔网络有限公司 Honey net deployment method, device, equipment and medium
CN114666096A (en) * 2022-02-24 2022-06-24 中国人民解放军国防科技大学 Intelligent honey net system based on dynamic service chain and implementation method thereof
CN114978731B (en) * 2022-05-30 2023-06-30 北京计算机技术及应用研究所 System and method for realizing honeypot trapping based on diversity expansion
CN114978767A (en) * 2022-07-05 2022-08-30 云南电网有限责任公司 Centralized monitoring system based on multisource honeypots
CN114978768B (en) * 2022-07-13 2023-04-18 上海大学 Conpot-based networked control system honeypot
CN115174270B (en) * 2022-09-05 2022-11-29 杭州安恒信息技术股份有限公司 Behavior abnormity detection method, device, equipment and medium
CN116029876B (en) * 2023-03-21 2023-06-23 浙江之科智慧科技有限公司 Intelligent campus integrated management device and method
CN118032327A (en) * 2024-04-15 2024-05-14 山东能源数智云科技有限公司 Equipment intelligent lubrication monitoring method and device based on artificial intelligence

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106850690A (en) * 2017-03-30 2017-06-13 国家电网公司 A kind of honey jar building method and system
CN107770199A (en) * 2017-12-08 2018-03-06 东北大学 It is a kind of towards industry internet with the industry control agreement honey jar of self-learning function and application
CN107979562A (en) * 2016-10-21 2018-05-01 北京计算机技术及应用研究所 A kind of mixed type honey jar Dynamic Deployment System based on cloud platform
CN109088901A (en) * 2018-10-31 2018-12-25 杭州默安科技有限公司 Deception defence method and system based on SDN building dynamic network
CN109889488A (en) * 2018-12-29 2019-06-14 江苏博智软件科技股份有限公司 A kind of industry control network honey net safety protective system based on cloud deployment
CN112182564A (en) * 2020-08-20 2021-01-05 东北大学 Industrial control honeypot interaction system based on time series prediction
CN112578761A (en) * 2021-02-03 2021-03-30 山东云天安全技术有限公司 Industrial control honey pot safety protection device and method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10986127B1 (en) * 2018-09-14 2021-04-20 Rapid7, Inc. Dynamic management of deception systems

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Dynamic Deploying Distributed Low-interaction Honeynet; Haifeng Wang; JOURNAL OF COMPUTERS; 20120331; full text *
Research on Intelligent Dynamic Deployment Algorithms for Honeynets; Wang Haifeng; 《计算机应用研究》 (Application Research of Computers); 20110331; full text *

Also Published As

Publication number Publication date
CN113328992A (en) 2021-08-31

Similar Documents

Publication Publication Date Title
CN113328992B (en) Dynamic honey net system based on flow analysis
CN111294365B (en) Attack flow protection system, method and device, electronic equipment and storage medium
CN110011982B (en) Intelligent attack decoy system and method based on virtualization
CN101019405B (en) Method and system for mitigating denial of service in a communication network
US7770223B2 (en) Method and apparatus for security management via vicarious network devices
US8245300B2 (en) System and method for ARP anti-spoofing security
Abdelsayed et al. An efficient filter for denial-of-service bandwidth attacks
CN103428224B (en) A kind of method and apparatus of intelligence defending DDoS (Distributed Denial of Service) attacks
EP3905622A1 (en) Botnet detection method and system, and storage medium
CN112134891B (en) Configuration method, system and monitoring method for generating multiple honey can nodes by single host based on linux system
Aiello et al. Basic classifiers for DNS tunneling detection
CN103561004A (en) Cooperative type active defense system based on honey nets
CN112165459B (en) Application method for automatically switching to host honeypot based on alarm honeypot information analysis
CN111970300A (en) Network intrusion prevention system based on behavior inspection
Trabelsi et al. Improved session table architecture for denial of stateful firewall attacks
CN111818077A (en) Industrial control mixed honeypot system based on SDN technology
CN114268505B (en) Method and device for adjusting fraud policy of honeynet, electronic equipment and storage medium
Kim et al. SWAT: Small world-based attacker traceback in ad-hoc networks
Shamsolmoali et al. C2DF: High rate DDOS filtering method in cloud computing
CN113114636A (en) Process flow auditing method and system of controlled host
CN106357661B (en) A kind of distributed refusal service attack defending method based on interchanger rotation
CN112632044A (en) Database security audit method
CN213693762U (en) Network intrusion prevention system
CN115208690A (en) Screening processing system based on data classification and classification
CN115499241A (en) Method and system for draining fluid from intranet to honeypot based on eBPF XDP

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant