CN113691504A - Network trapping method and system based on software defined network - Google Patents

Info

Publication number
CN113691504A
CN113691504A
Authority
CN
China
Prior art keywords
network
honeypot
information
host
data packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110888959.3A
Other languages
Chinese (zh)
Other versions
CN113691504B (en)
Inventor
高小涵
贾哲
张海超
娄阳
吴巍
焦利彬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CETC 54 Research Institute
Original Assignee
CETC 54 Research Institute
Priority date: 2021-08-04
Filing date: 2021-08-04
Publication date: 2021-11-23
Application filed by CETC 54 Research Institute
Priority to CN202110888959.3A
Publication of CN113691504A
Application granted
Publication of CN113691504B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Abstract

The invention discloses a network trapping method and system based on a software defined network, belonging to the technical field of cyberspace security. Based on software defined network technology, the invention detects whether network traffic is illegal and migrates the attacker's traffic to a generated honeypot, thereby trapping the attack traffic. The method can deploy trapping nodes at both the switching nodes and the terminal nodes of the network, can dynamically generate honeypots and change the trapping environment, and achieves whole-network perception with a small amount of computation and few occupied resources.

Description

Network trapping method and system based on software defined network
Technical Field
The invention relates to the technical field of network space security, in particular to a network trapping method and a network trapping system for a software defined network.
Background
The security control response function built into current network security products is relatively simple: it provides only a limited number of response operations (e.g., logging, rejection, discarding and isolation), with little innovation or technical development beyond a simple automated-response concept. For example, after identifying a security threat (a spear-phishing attack, a network or asset compromise, probing, etc.), the network administrator prevents the attacker from taking further action. While such responses have some effect in detecting and thwarting a single attacker's attempts, rejecting and discarding in this way hands a wealth of information to a skilled adversary, particularly an Advanced Persistent Threat (APT): the attacker can quickly recognize that the attack has been detected and adjust its strategy to continue. In order to keep the advantage over the attacker and raise the economic cost of the attack, the passive defense strategy described above needs to be modified.
The protective effect of simply blocking attackers is very limited, and deception technology is an important technology for future cyberspace defense. Network trapping technology builds a high-fidelity trapping environment by cloning networks, hosts, storage space and data sets to simulate a scene closely matching the real network environment. By attracting and interacting with the attacker, the attacker is lured into the trapping environment so that behavioral information about the attacker, and about the targets that may have been leaked, can be extracted. Even if an attacker discovers that deception is in play, it is difficult to determine how much of the information obtained is valuable.
However, trapping nodes in the prior art cannot cover the whole network: when network traffic does not pass through a trapping node, the attack can neither be discovered nor trapped. When the network environment is complex and large, improving the coverage of trapping nodes requires a large number of new host resources to serve as trapping nodes, and existing terminal equipment cannot be used. In addition, the honeypot system is difficult to adjust dynamically according to the attack behavior, so the decoy environment cannot be changed in real time.
Disclosure of Invention
To solve the problems in the prior art, the invention provides a network trapping method and system based on a software defined network, which can effectively simulate false network resources to trap an attacker, migrate the attack traffic in the network into a honeypot without the attacker noticing the migration, trap the attacker's behavior, and facilitate further analysis.
The purpose of the invention is realized as follows:
A network trapping method based on a software defined network comprises the following steps:
step S101, configuring a control strategy, the strategy content comprising: a data packet detection mode, a honeypot configuration information list, an IP address whitelist for the network, and network attack or intrusion behavior rules;
step S102, simulating false network resources, including host online information, port opening information and service access information; the host online information and port opening information are simulated based on honeypots and change randomly and dynamically; the service access information is simulated based on modified real network traffic;
step S103, when the access host sends a request to an address in the network, receiving the data packet sent by the access host;
step S104, detecting the data packet received in step S103 and judging whether it is illegal data, the detection steps being as follows:
1) if the detection mode is the strict mode, go to step 2); if the detection mode is the non-strict mode, go to step 3);
2) check whether the source IP address of the data packet is in the address whitelist; if so, go to step 3), otherwise judge the data packet to be illegal data and go to step S106;
3) match the data packet against the network attack or intrusion behavior rules and judge whether it belongs to an attack or intrusion behavior; if so, judge the data packet to be illegal data and go to step S106, otherwise judge it to be normal data and go to step S105;
step S105, the traffic is forwarded normally, and the access host interacts with the accessed host;
step S106, judging whether a honeypot whose IP address is the destination IP address of the data packet exists; if so, go to step S108, otherwise go to step S107;
step S107, generating a honeypot using container technology according to the destination IP address of the data packet and the operating system type and service of the accessed host, adding the generated honeypot's configuration information to the honeypot configuration information list, and going to step S108;
step S108, using the software defined network, transferring the traffic to the honeypot whose IP address is the destination IP address of the data packet, by having the controller send a flow table to the switch;
step S109, trapping the network traffic sent by the access host in the honeypot, where the honeypot and the access host interact to complete the network trapping.
Further, the specific manner of step S108 is as follows:
migration information is sent to the controller of the software defined network as a JSON object, the migration information comprising: the source IP address of the access host, the destination IP address of the accessed host, the ID of the switch connected to the honeypot, the port of that switch connected to the honeypot, and the MAC address of the honeypot;
the controller issues a flow table to the switch according to the migration information;
and the switch transfers the traffic to the honeypot whose IP address is the destination IP address of the data packet according to the flow table.
A network trapping system based on a software defined network comprises a network trap module, an SDN controller module, a trapping environment module and a control module, wherein the network trap module is deployed at the switching nodes and the terminal host server nodes in the network to realize whole-network trapping perception; wherein:
the network trap module receives data packets sent by the access host according to a strategy configured by the user, detects whether a data packet is illegal data, and feeds back information to the SDN controller module according to the detection result so that a flow table is issued and the routing strategy adjusted; it feeds back environment information to the trapping environment module according to the detection result and the honeypot condition so that honeypots are dynamically adjusted and the trapping environment changed in real time; and it also simulates false network resources to deceive an attacker, the false network resources comprising host online information, port opening information and service access information;
the trapping environment module receives the environment information sent by the network trap module, dynamically adjusts and generates honeypots according to the destination IP addresses of illegal data packets and the honeypot configuration information list, and changes the trapping environment; it reports the interaction state between the honeypot and the access host to the control module;
the control module configures the control strategy according to the user's selection and control; it also receives the interaction state information between the honeypot and the access host sent by the trapping environment module, analyzes the access host's access to the honeypot accordingly, and sends information for adjusting the routing strategy to the SDN controller module according to that access;
the SDN controller module receives the information for adjusting the routing strategy sent by the network trap module, processes it, issues a flow table to a switch in the network, and transfers the traffic from the access host to the target host into the honeypot so that the honeypot interacts with the access host; it also receives the information for adjusting the routing strategy sent by the control module and deletes the flow table from the access host to the honeypot when there has been no abnormal interaction behavior within a period of time.
The invention has the beneficial effects that:
1. The method is based on Software Defined Network (SDN) technology: it simulates false network resources to deceive attackers, detects whether network traffic is illegal, and migrates the attackers' network traffic to a generated honeypot, thereby trapping the attack traffic.
2. The invention not only can deploy trapping nodes in the switching nodes and the terminal nodes in the network, but also can realize dynamic adjustment to generate honeypots and change the trapping environment.
3. The invention can realize the whole network perception, and has small calculation amount and less occupied resources.
Drawings
Fig. 1 is a flow chart of a network trapping method in an embodiment of the present invention.
Fig. 2 is a schematic diagram of a network trapping system in an embodiment of the present invention.
Detailed Description
In order that the objects and advantages of the invention will be more clearly understood, the invention will be further described with reference to the accompanying drawings and specific examples. It is to be understood that the following text is merely illustrative of one or more embodiments of the invention and does not strictly limit the scope of the invention as specifically claimed.
As shown in fig. 2, a network trapping system based on a software defined network includes a network trap module, an SDN controller module, a trapping environment module, and a control module.
The network trap module receives data packets sent by the access host and detects whether they contain illegal data according to a strategy configured by the user; it feeds information back to the SDN controller module according to the detection result so that a flow table is issued and the routing strategy adjusted; according to the detection result and the honeypot condition it feeds information back to the trapping environment module so that honeypots are dynamically adjusted and the trapping environment changed in real time; and it simulates false network resources to deceive attackers, including host online information, port opening information and service access information. The module can be deployed at the switching nodes and the terminal host server nodes in the network, and realizes whole-network trapping perception with limited resource consumption.
The trapping environment module receives the environment generation and adjustment information sent by the network trap module, dynamically adjusts and generates honeypots according to the destination IP addresses of illegal data packets and the honeypot configuration information list, and changes the trapping environment; it reports the state of the interaction between the honeypot and the visiting host to the control module.
The control module configures the control strategy according to the user's selection and control; it receives the interaction state information between the honeypot and the access host sent by the trapping environment module, tracks and analyzes the access host's access to the honeypot in a timely manner, and sends information for adjusting the routing strategy to the SDN controller module according to that access.
The SDN controller module receives the information for adjusting the routing strategy sent by the network trap module, processes it, sends a flow table to a switch in the network, and migrates the traffic from the access host to the target host into the honeypot so that the honeypot and the access host interact; it also receives the information for adjusting the routing strategy sent by the control module, and deletes the flow table from the access host to the honeypot when there has been no interaction, or no abnormal interaction, within a period of time.
Based on the system, the network trapping method based on the software defined network can be realized. As shown in fig. 1, the process of the method is as follows:
S101, the control module configures a control strategy, the strategy content comprising: 1. the data packet detection mode (strict or non-strict); 2. a honeypot configuration information list; 3. an IP address whitelist for the network; 4. network attack or intrusion behavior rules.
S102, the network trap module simulates service access information based on modified real network traffic; the trapping environment module simulates host online information and port opening information based on honeypot technology, changing them randomly and dynamically so as to trap attackers with high fidelity.
S103, the access host accesses a host in the network, and the network trap module receives the data packet;
S104, the network trap module detects the network data packet. When the packet is not illegal traffic, go to S105; when it is illegal traffic, go to S106;
S105, the access host accesses the target host normally;
S106, judge whether a honeypot whose IP address is the destination IP address of the data packet exists; if so, go to S108, otherwise go to S107;
S107, the network trap module sends information for adjusting the routing strategy to the SDN controller module and information for generating and adjusting the trapping environment to the trapping environment module. The trapping environment module receives the latter and dynamically generates or adjusts the honeypots; then the process proceeds to S108;
S108, the SDN controller module receives the information for adjusting the routing strategy sent by the network trap module, issues the corresponding flow table to the switch, and transfers the network traffic from the access host to the destination host to the honeypot generated by the trapping environment module.
S109, the honeypot in the trapping environment module interacts with the access host and reports interaction state information to the control module; the control module tracks and analyzes the interaction state between the access host and the honeypot.
Thus the trapping and handling of the access host's network traffic is complete, and the routing strategy can be adjusted in real time according to the interaction state.
The invention is based on software defined network technology: it detects whether network traffic is illegal and transfers the attacker's traffic to the generated honeypot, thereby trapping the attack traffic. The invention can deploy trapping nodes at both the switching nodes and the terminal nodes of the network, can dynamically generate honeypots and change the trapping environment, and achieves whole-network perception with a small amount of computation and few occupied resources.
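The pipeline of steps S101 to S109 (with the JSON migration information of S108), as described in the disclosure and again in the detailed description above, modelled as an added example; this is not code from the patent or from CETC 54. The policy, rules, packets and host inventory are constructed, and the flow entry is rendered in Open vSwitch ovs-ofctl syntax as an assumption about the switch the controller programs.

```python
# Added example (not from the patent or CETC 54): a minimal model of the S101-S109
# pipeline. The policy, rules, packets and host inventory are constructed; the
# flow-entry rendering uses Open vSwitch ovs-ofctl syntax as an assumption about
# the switch the controller programs.
import ipaddress
import json
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes = b""


@dataclass
class Honeypot:
    ip: str            # same address as the accessed host, so the migration is invisible
    os_type: str
    service: str
    switch_id: str     # ID of the switch the honeypot is connected to
    switch_port: int   # port of that switch connected to the honeypot
    mac: str           # MAC address of the honeypot


def make_policy(mode="strict"):
    """S101: control strategy (detection mode, honeypot list, whitelist, rules)."""
    return {
        "detection_mode": mode,           # "strict" or "non-strict"
        "honeypots": [],                  # honeypot configuration information list
        "whitelist": ["10.0.0.0/24"],     # IP address whitelist (constructed)
        "rules": {                        # attack/intrusion behavior rules (constructed)
            "sqli-union": re.compile(rb"union\s+select", re.I),
            "path-traversal": re.compile(rb"\.\./"),
        },
    }


# Constructed view of the real hosts: OS type, service and attachment switch.
INVENTORY = {"10.0.1.20": {"os": "linux", "service": "http", "switch_id": "s1"}}


def in_whitelist(ip, whitelist):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in whitelist)


def detect(pkt, policy):
    """S104: (is_illegal, reason). Strict mode adds the whitelist gate before rule matching."""
    if policy["detection_mode"] == "strict" and not in_whitelist(pkt.src_ip, policy["whitelist"]):
        return True, "source not in whitelist"
    for name, rule in policy["rules"].items():
        if rule.search(pkt.payload):
            return True, "rule " + name
    return False, "normal"


def find_or_create_honeypot(pkt, policy):
    """S106/S107: reuse the honeypot holding the destination IP, else create one
    from the accessed host's OS type and service and record it in the list."""
    for hp in policy["honeypots"]:
        if hp.ip == pkt.dst_ip:
            return hp
    host = INVENTORY[pkt.dst_ip]
    n = len(policy["honeypots"]) + 1      # constructed port/MAC allocation
    hp = Honeypot(pkt.dst_ip, host["os"], host["service"], host["switch_id"],
                  switch_port=100 + n, mac="02:00:00:00:00:%02x" % n)
    policy["honeypots"].append(hp)
    return hp


def migration_message(pkt, hp):
    """S108: migration information handed to the SDN controller as a JSON object."""
    return json.dumps({"src_ip": pkt.src_ip, "dst_ip": pkt.dst_ip,
                       "switch_id": hp.switch_id, "switch_port": hp.switch_port,
                       "honeypot_mac": hp.mac})


def flow_entry(migration_json, idle_timeout=300):
    """Controller side: the flow issued to the switch. Matching on (src, dst) and
    rewriting only the destination MAC leaves the destination IP untouched;
    idle_timeout models deleting a flow that sees no interaction for a while."""
    m = json.loads(migration_json)
    return ("table=0,priority=200,idle_timeout=%d,ip,nw_src=%s,nw_dst=%s,"
            "actions=mod_dl_dst:%s,output:%d"
            % (idle_timeout, m["src_ip"], m["dst_ip"], m["honeypot_mac"], m["switch_port"]))


def handle(pkt, policy):
    """S103-S109 for one packet: 'forward' (S105) or 'trap' with the flow entry."""
    illegal, reason = detect(pkt, policy)
    if not illegal:
        return {"action": "forward", "reason": reason}
    hp = find_or_create_honeypot(pkt, policy)
    return {"action": "trap", "reason": reason, "switch_id": hp.switch_id,
            "flow": flow_entry(migration_message(pkt, hp))}


if __name__ == "__main__":
    pol = make_policy("strict")
    for p in (Packet("10.0.0.5", "10.0.1.20", 80, b"GET / HTTP/1.1"),
              Packet("192.168.7.9", "10.0.1.20", 80, b"GET / HTTP/1.1"),
              Packet("10.0.0.7", "10.0.1.20", 80, b"id=1 UNION SELECT 1,2")):
        print(p.src_ip, "->", handle(p, pol))
```

Because the honeypot keeps the accessed host's IP address, only the destination MAC and output port change in the flow entry, which is what lets the migration stay unnoticed by the access host.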

Claims (3)

1. A network trapping method based on a software defined network, characterized by comprising the following steps:
step S101, configuring a control strategy, the strategy content comprising: a data packet detection mode, a honeypot configuration information list, an IP address whitelist for the network, and network attack or intrusion behavior rules;
step S102, simulating false network resources, including host online information, port opening information and service access information; the host online information and port opening information are simulated based on honeypots and change randomly and dynamically; the service access information is simulated based on modified real network traffic;
step S103, when the access host sends a request to an address in the network, receiving the data packet sent by the access host;
step S104, detecting the data packet received in step S103 and judging whether it is illegal data, the detection steps being as follows:
1) if the detection mode is the strict mode, go to step 2); if the detection mode is the non-strict mode, go to step 3);
2) check whether the source IP address of the data packet is in the address whitelist; if so, go to step 3), otherwise judge the data packet to be illegal data and go to step S106;
3) match the data packet against the network attack or intrusion behavior rules and judge whether it belongs to an attack or intrusion behavior; if so, judge the data packet to be illegal data and go to step S106, otherwise judge it to be normal data and go to step S105;
step S105, the traffic is forwarded normally, and the access host interacts with the accessed host;
step S106, judging whether a honeypot whose IP address is the destination IP address of the data packet exists; if so, go to step S108, otherwise go to step S107;
step S107, generating a honeypot using container technology according to the destination IP address of the data packet and the operating system type and service of the accessed host, adding the generated honeypot's configuration information to the honeypot configuration information list, and going to step S108;
step S108, using the software defined network, transferring the traffic to the honeypot whose IP address is the destination IP address of the data packet, by having the controller send a flow table to the switch;
step S109, trapping the network traffic sent by the access host in the honeypot, where the honeypot and the access host interact to complete the network trapping.
2. The network trapping method based on a software defined network of claim 1, wherein the specific manner of step S108 is as follows:
migration information is sent to the controller of the software defined network as a JSON object, the migration information comprising: the source IP address of the access host, the destination IP address of the accessed host, the ID of the switch connected to the honeypot, the port of that switch connected to the honeypot, and the MAC address of the honeypot;
the controller issues a flow table to the switch according to the migration information;
and the switch transfers the traffic to the honeypot whose IP address is the destination IP address of the data packet according to the flow table.
3. A network trapping system based on a software defined network, characterized by comprising a network trap module, an SDN controller module, a trapping environment module and a control module, wherein the network trap module is deployed at the switching nodes and the terminal host server nodes in the network to realize whole-network trapping perception; wherein:
the network trap module receives data packets sent by the access host according to a strategy configured by the user, detects whether a data packet is illegal data, and feeds back information to the SDN controller module according to the detection result so that a flow table is issued and the routing strategy adjusted; it feeds back environment information to the trapping environment module according to the detection result and the honeypot condition so that honeypots are dynamically adjusted and the trapping environment changed in real time; and it also simulates false network resources to deceive an attacker, the false network resources comprising host online information, port opening information and service access information;
the trapping environment module receives the environment information sent by the network trap module, dynamically adjusts and generates honeypots according to the destination IP addresses of illegal data packets and the honeypot configuration information list, and changes the trapping environment; it reports the interaction state between the honeypot and the access host to the control module;
the control module configures the control strategy according to the user's selection and control; it also receives the interaction state information between the honeypot and the access host sent by the trapping environment module, analyzes the access host's access to the honeypot accordingly, and sends information for adjusting the routing strategy to the SDN controller module according to that access;
the SDN controller module receives the information for adjusting the routing strategy sent by the network trap module, processes it, issues a flow table to a switch in the network, and transfers the traffic from the access host to the target host into the honeypot so that the honeypot interacts with the access host; it also receives the information for adjusting the routing strategy sent by the control module and deletes the flow table from the access host to the honeypot when there has been no abnormal interaction behavior within a period of time.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110888959.3A CN113691504B (en) 2021-08-04 2021-08-04 Network trapping method and system based on software defined network

Publications (2)

Publication Number Publication Date
CN113691504A true CN113691504A (en) 2021-11-23
CN113691504B CN113691504B (en) 2022-06-10

Family

ID=78578710

Country Status (1)

Country Link
CN (1) CN113691504B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114095264A (en) * 2021-11-24 2022-02-25 北京永信至诚科技股份有限公司 High-interaction traceability method, equipment and hardware of honeypot system
CN114844666A (en) * 2022-03-16 2022-08-02 西安交通大学 Network flow analysis and reconstruction method and device
CN114978731A (en) * 2022-05-30 2022-08-30 北京计算机技术及应用研究所 Honey trapping implementation system and method based on diversity expansion
CN115051875A (en) * 2022-08-02 2022-09-13 软极网络技术(北京)有限公司 Attack detection method based on novel honeypot

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107819731A (en) * 2016-09-13 2018-03-20 北京长亭科技有限公司 A kind of network security protection system and correlation technique
CN109088901A (en) * 2018-10-31 2018-12-25 杭州默安科技有限公司 Deception defence method and system based on SDN building dynamic network
US20190132360A1 (en) * 2017-11-02 2019-05-02 Korea Advanced Institute Of Science And Technology Honeynet method, system and computer program for mitigating link flooding attacks of software defined network
CN110011982A (en) * 2019-03-19 2019-07-12 西安交通大学 A kind of attack intelligence deception system and method based on virtualization
US20210051175A1 (en) * 2019-08-15 2021-02-18 Uchicago Argonne, Llc Software defined networking moving target defense honeypot
CN112769771A (en) * 2020-12-24 2021-05-07 中国人民解放军战略支援部队信息工程大学 Network protection method, system and system architecture based on false topology generation

Also Published As

Publication number Publication date
CN113691504B (en) 2022-06-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant