CN114039761A - Intrusion detection rule generation method and system based on honeypot attack alarm - Google Patents

Info

Publication number
CN114039761A
Authority
CN
China
Prior art keywords
honeypot
intrusion
attack
intrusion detection
tcp
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN202111298920.2A
Other languages
Chinese (zh)
Inventor
成凯
吴湛
李东昆
李鑫
任牧
Current Assignee (as listed by Google Patents; may be inaccurate)
Central China Grid Co Ltd
Original Assignee
Central China Grid Co Ltd
Priority date
2021-11-04
Filing date
2021-11-04
Publication date
2022-02-11
Application filed by Central China Grid Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Burglar Alarm Systems (AREA)
  • Alarm Systems (AREA)

Abstract

The invention relates to an intrusion detection rule generation method and system based on honeypot attack alarms. The method comprises the following steps: S1, the honeypot alarm module generates TCP intrusion attack alarm data; S2, on the honeypot alarm module, the TCP intrusion attack alarm data from which an intrusion detection rule is to be generated is selected and imported into a difference analysis module; S3, the difference analysis module performs difference analysis on the imported TCP intrusion attack alarm data and generates a difference result; S4, the difference result generated by the difference analysis module is imported into the rule generation module; S5, the rule generation module generates an intrusion detection rule from the imported common features. Because a honeypot exists only to attract attacks, traffic that reaches it has no legitimate reason to be there, so the intrusion data observed on the honeypot can readily be converted into intrusion detection rules. This extends the function of the honeypot, lets the honeypot indirectly protect the real service systems, and allows the generated intrusion detection rules to act as a first line of security defence that provides more timely protection.

Description

Intrusion detection rule generation method and system based on honeypot attack alarm
Technical Field
The invention relates to the technical field of computer networks, in particular to an intrusion detection rule generation method and system based on honeypot attack alarm.
Background
With the spread and development of networks, network security problems have become increasingly serious. Faced with continually emerging new attack methods and attack tools, traditional passive-defence network protection technology is less and less able to meet network security requirements, and honeypot technology, as an active-defence network protection technology, is receiving ever more attention from network security personnel.
At present, because traditional intrusion detection cannot by itself judge whether the data it observes are harmful, intrusion detection rules frequently cannot be followed up and updated effectively and in real time.
Disclosure of Invention
In order to overcome the defect of the prior art that intrusion detection rules cannot be followed up and updated effectively and in real time, the invention provides an intrusion detection rule generation method and system based on honeypot attack alarms.
The technical scheme of the invention is as follows:
The invention provides an intrusion detection rule generation system based on honeypot attack alarms, comprising a honeypot alarm module, a difference analysis module and a rule generation module.
An intrusion detection rule generation method based on honeypot attack alarms comprises the following steps:
S1, the honeypot alarm module generates TCP intrusion attack alarm data;
S2, the TCP intrusion attack alarm data from which an intrusion detection rule is to be generated is selected on the honeypot alarm module and imported into the difference analysis module;
S3, the difference analysis module performs difference analysis on the imported TCP intrusion attack alarm data and generates a difference result;
S4, the difference result generated by the difference analysis module is imported into the rule generation module;
S5, the rule generation module generates an intrusion detection rule from the imported common features.
Preferably, the TCP intrusion attack alarm data items comprise an attack IP, a honeypot IP, an attack source port, a honeypot port and an attack payload.
Preferably, the difference analysis of S3 comprises the following steps:
first step: obtaining the common features of the imported data with a difference algorithm;
second step: removing from the common features the feature data items related to IPs and ports, which are not valid rule content, to obtain the difference result.
Further, preferably, generating the intrusion detection rule in S5 comprises: inserting wildcards between the plural common features to indicate that arbitrary data may appear between them.
The invention achieves the following beneficial effects:
Because a honeypot exists only to attract attacks, the intrusion data observed on the honeypot can readily be converted into intrusion detection rules. This extends the function of the honeypot, lets the honeypot indirectly protect the real service systems, and allows the generated intrusion detection rules to act as a first line of security defence that provides more timely protection.
Drawings
FIG. 1 is a block diagram of the steps of the intrusion detection rule generation method according to an embodiment of the invention;
FIG. 2 is a schematic block diagram of the intrusion detection rule generation system based on honeypot attack alarms according to an embodiment of the invention.
Detailed Description
To facilitate an understanding of the present invention by those skilled in the art, specific embodiments thereof are described below with reference to the accompanying drawings.
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the term "or/and" includes any and all combinations of one or more of the associated listed items.
Example 1:
As shown in FIG. 2, the invention provides an intrusion detection rule generation system based on honeypot attack alarms, comprising a honeypot alarm module, a difference analysis module and a rule generation module.
As shown in FIG. 1, the intrusion detection rule generation method based on honeypot attack alarms comprises the following steps:
first, the honeypot alarm module generates TCP intrusion attack alarm data;
second, the TCP intrusion attack alarm data from which an intrusion detection rule is to be generated is selected on the honeypot alarm module and imported into the difference analysis module;
third, the difference analysis module performs difference analysis on the imported TCP intrusion attack alarm data and generates a difference result;
fourth, the difference result generated by the difference analysis module is imported into the rule generation module;
fifth, the rule generation module generates an intrusion detection rule from the imported common features.
In one embodiment:
the TCP intrusion attack alarm data items of the first step comprise an attack IP, a honeypot IP, an attack source port, a honeypot port and an attack payload.
In a further embodiment:
the difference analysis of the third step comprises the following steps:
obtaining the common features of the imported data with a difference algorithm;
removing from the common features the feature data items related to IPs and ports, which vary from attacker to attacker and from deployment to deployment and are therefore not valid rule content, to obtain the difference result.
In another embodiment:
generating the intrusion detection rule in the fifth step comprises: inserting wildcards between the plural common features to indicate that arbitrary data may appear between them.
The intrusion detection rule generation method of Embodiment 1 is illustrated with the following example:
Suppose the TCP intrusion attack alarm data consist of three alarms whose attack payloads are (1) AABBCC, (2) AAXCC and (3) AAAACC;
the attack IP, honeypot IP, attack source port and honeypot port are omitted here.
The alarm data from which an intrusion detection rule is to be generated, (1) AABBCC, (2) AAXCC and (3) AAAACC, are selected on the honeypot alarm module and imported into the difference analysis module.
The difference analysis module performs difference analysis on the imported data and generates the difference result (AA, CC): AA at the start and CC at the end are shared by all three payloads, while the data in between (BB, X and AA) differ from sample to sample.
The rule generation module generates the intrusion detection rule (AA & CC, i.e. AA*CC, the wildcard * standing for arbitrary data between the two common features) from the imported common features.
Taking Snort intrusion detection rules as an example, the generated rule is: alert tcp any any -> any any (pcre:"/AA.*CC/"; sid:1000071; rev:1; priority:10;)
where the sid is taken from the alert ID (1000071 in this example) and the wildcard between the common features is written as .* in PCRE syntax; a literal AA*CC in a regular expression would instead mean "A, then zero or more A, then CC", which is not what the rule intends.
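The five steps of Embodiment 1 and the AABBCC / AAXCC / AAAACC example, implemented end to end as an added Python example. This is not code from the patent or its assignee: the alarm records (IP addresses and ports) are constructed, the patent's unspecified "difference algorithm" is taken here to be a longest-common-subsequence computation, the split of the common subsequence into separate features is done wherever any payload carries extra data between two common characters, and the Snort rule is rendered in standard Snort syntax with the wildcard as .* inside pcre.

```python
"""Honeypot alarms -> common features -> Snort rule (steps S1..S5).

Added illustration; not code from the patent. The "difference algorithm"
is assumed to be a longest-common-subsequence (LCS) computation.
"""
import re

# Constructed sample alarm records (S1). IPs/ports are invented; the payloads
# are the three strings used in the patent's own example.
ALARMS = [
    {"attack_ip": "198.51.100.7", "honeypot_ip": "10.0.0.5",
     "src_port": 51234, "honeypot_port": 8080, "payload": "AABBCC"},
    {"attack_ip": "203.0.113.9", "honeypot_ip": "10.0.0.5",
     "src_port": 40021, "honeypot_port": 8080, "payload": "AAXCC"},
    {"attack_ip": "198.51.100.7", "honeypot_ip": "10.0.0.5",
     "src_port": 51300, "honeypot_port": 8080, "payload": "AAAACC"},
]


def lcs(a: str, b: str) -> str:
    """Longest common subsequence of two strings (bottom-up DP, then walk)."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            if a[i] == b[j]:
                dp[i][j] = dp[i + 1][j + 1] + 1
            else:
                dp[i][j] = max(dp[i + 1][j], dp[i][j + 1])
    i = j = 0
    out = []
    while i < n and j < m:
        if a[i] == b[j]:
            out.append(a[i])
            i += 1
            j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return "".join(out)


def common_features(payloads: list[str]) -> list[str]:
    """S3, first step: the data shared by every payload, split into the
    contiguous blocks between which the payloads differ.

    The LCS is reduced pairwise (exact for this example, not guaranteed
    optimal for many sequences). A block boundary is placed wherever any
    payload carries extra data between two consecutive common characters,
    using a leftmost alignment; this can split more than strictly needed,
    which only makes the resulting rule more permissive, never less."""
    common = payloads[0]
    for p in payloads[1:]:
        common = lcs(common, p)
    if not common:
        return []
    aligned = []  # per payload: index of each common character in that payload
    for p in payloads:
        idx, start = [], 0
        for ch in common:
            start = p.index(ch, start)  # always found: common is a subsequence of p
            idx.append(start)
            start += 1
        aligned.append(idx)
    blocks, cur = [], common[0]
    for k in range(1, len(common)):
        if all(idx[k] == idx[k - 1] + 1 for idx in aligned):
            cur += common[k]
        else:
            blocks.append(cur)
            cur = common[k]
    blocks.append(cur)
    return blocks


def difference_result(alarms: list[dict]) -> list[str]:
    """S2 + S3: keep only the payload of each selected alarm (the IP and port
    items are attacker- and deployment-specific and are dropped, as in the
    patent's second step) and return the common features."""
    return common_features([a["payload"] for a in alarms])


def wildcard_pattern(features: list[str]) -> str:
    """S5: fixed parts joined by a wildcard. The patent writes AA*CC; in PCRE
    the wildcard is '.*' and the fixed parts must be escaped."""
    return ".*".join(re.escape(f) for f in features)


def snort_rule(features: list[str], sid: int, rev: int = 1, priority: int = 10) -> str:
    """Render the Snort rule; the sid is taken from the alert ID."""
    return (f'alert tcp any any -> any any '
            f'(pcre:"/{wildcard_pattern(features)}/"; sid:{sid}; rev:{rev}; priority:{priority};)')


def rule_matches(features: list[str], payload: str) -> bool:
    """What the generated pcre would match on a payload."""
    return re.search(wildcard_pattern(features), payload) is not None


if __name__ == "__main__":
    feats = difference_result(ALARMS)
    print("difference result:", feats)  # ['AA', 'CC']
    print(snort_rule(feats, sid=1000071))
    for a in ALARMS:  # every alarm that produced the rule must be matched by it
        assert rule_matches(feats, a["payload"])
```

Two practical checks before deploying such a rule: common features as short as AA and CC on an any/any TCP rule will match benign traffic, so a minimum feature length (or a minimum total fixed-byte count) and a sanity run of the pcre against a capture of normal traffic are advisable; and although the patent drops the port items, the honeypot port usually corresponds to the real service port, so scoping the rule's destination port to that service is a cheap way to cut false positives without losing the attacks the honeypot saw.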
In the description of the present application, it is to be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", and the like indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of describing the present invention and simplifying the description, but do not indicate or imply that the device or element referred to must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
It will be understood that when an element is referred to as being "mounted on" another element, it can be directly on the other element or intervening elements may also be present. When a component is referred to as being "disposed on" another component, it can be directly on the other component or intervening components may also be present. When an element is referred to as being "secured to" another element, it can be directly secured to the other element or intervening elements may also be present.
The above-described embodiments of the present invention do not limit the scope of the present invention. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the scope of the claims of the present invention.

Claims (4)

1. An intrusion detection rule generation method based on honeypot attack alarms, characterised in that it comprises the following steps:
S1, the honeypot alarm module generates TCP intrusion attack alarm data;
S2, the TCP intrusion attack alarm data from which an intrusion detection rule is to be generated is selected on the honeypot alarm module and imported into the difference analysis module;
S3, the difference analysis module performs difference analysis on the imported TCP intrusion attack alarm data and generates a difference result;
S4, the difference result generated by the difference analysis module is imported into the rule generation module;
S5, the rule generation module generates an intrusion detection rule from the imported common features.
2. The intrusion detection rule generation method based on honeypot attack alarms according to claim 1, characterised in that the TCP intrusion attack alarm data items comprise an attack IP, a honeypot IP, an attack source port, a honeypot port and an attack payload.
3. The intrusion detection rule generation method based on honeypot attack alarms according to claim 2, characterised in that the difference analysis in S3 comprises the following steps:
first step: obtaining the common features of the imported data with a difference algorithm;
second step: removing from the common features the invalid feature data items related to IPs and ports to obtain the difference result.
4. The intrusion detection rule generation method based on honeypot attack alarms according to any one of claims 1 to 3, characterised in that generating the intrusion detection rule in step S5 comprises: inserting wildcards between the plural common features to indicate that arbitrary data may appear between them.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111298920.2A CN114039761A (en) 2021-11-04 2021-11-04 Intrusion detection rule generation method and system based on honeypot attack alarm


Publications (1)

Publication Number Publication Date
CN114039761A true CN114039761A (en) 2022-02-11

Family

ID=80136412


Country Status (1)

Country Link
CN (1) CN114039761A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739647A (en) * 2012-05-23 2012-10-17 国家计算机网络与信息安全管理中心 High-interaction honeypot based network security system and implementation method thereof
EP2882159A1 (en) * 2013-12-06 2015-06-10 Cyberlytic Limited Profiling cyber threats detected in a target environment and automatically generating one or more rule bases for an expert system usable to profile cyber threats detected in a target environment
CN107070929A (en) * 2017-04-20 2017-08-18 中国电子技术标准化研究院 A kind of industry control network honey pot system
CN107231258A (en) * 2017-06-01 2017-10-03 国网电子商务有限公司 A kind of network alarm data processing method and device
CN111224973A (en) * 2019-12-31 2020-06-02 南京联成科技发展股份有限公司 Network attack rapid detection system based on industrial cloud
CN112367307A (en) * 2020-10-27 2021-02-12 中国电子科技集团公司第二十八研究所 Intrusion detection method and system based on container-grade honey pot group
CN113364750A (en) * 2021-05-26 2021-09-07 浙江工业大学 Method for inducing APT attack to introduce honeypots based on Snort and OpenFlow heuristic method



Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination