CN114285622B - Active trapping security defense method, system, electronic equipment and storage medium - Google Patents


Info

Publication number: CN114285622B
Application number: CN202111567572.4A
Authority: CN (China)
Other versions: CN114285622A
Other languages: Chinese (zh)
Prior art keywords: host, attack, identification information, security, defense
Legal status: Active (application granted)
Inventors: 李丹, 韩文奇
Current assignee: Antiy Technology Group Co Ltd
Original assignee: Antiy Technology Group Co Ltd
Landscapes: Computer And Data Communications (AREA)

Abstract

The embodiment of the invention discloses an active trapping security defense method, an active trapping security defense system, electronic equipment and a storage medium, and relates to the technical field of terminal security. The method comprises the following steps: monitoring a decoy file on a first target host; if it is monitored that the user host executes a preset operation instruction on the decoy file, triggering a defense strategy for capturing the user host identification information and the attack host identification information; the first target host and the user host are in the same local area network, and the user host is a controlled object of the attack host. The scheme does not require isolation of the internal network from the external network, facilitates trapping the attacker's information, and can thereby further realize security defense.

Description

Active trapping security defense method, system, electronic equipment and storage medium
Technical Field
The present invention relates to the field of terminal security technologies, and in particular to an active trapping security defense method, system, electronic device and storage medium.
Background
One of the tasks of network security protection is to ensure the security of electronic data and prevent it from being stolen by network attackers. As network threat techniques keep iterating, vulnerabilities and weaknesses that network attackers can exploit on electronic devices such as computers and smart phones always exist, so the requirements on the security protection of data generated or stored on such devices become higher.
Most existing security protection means isolate the internal network (the internal local area network) from the external network (the external wide area network) in order to protect data.
The inventors found, in the course of realizing the invention, that although isolating the internal network from the external network can protect data such as files with a higher importance level, it is inconvenient for data such as files that have a relatively low importance level but still need to be kept confidential; in addition, in some scenarios where an attacker's attack needs to be induced, intranet and extranet isolation also makes it impossible to effectively trap the attacker.
Disclosure of Invention
In view of the above, the embodiments of the present invention provide an active trapping security defense method, system, electronic device and storage medium, which do not require intranet and extranet isolation and facilitate trapping the information of an attacker, so as to further implement security protection.
In a first aspect, an active trapping security defense method provided by an embodiment of the present invention includes the steps of: monitoring a decoy file on a first target host; if it is monitored that the user host executes a preset operation instruction on the decoy file, triggering a defense strategy for capturing the user host identification information and the attack host identification information; the first target host and the user host are in the same local area network, and the user host is a controlled object of the attack host.
With reference to the first aspect, in a first implementation manner of the first aspect, the decoy file includes a source data file and an executable shell, wherein the source data file is encapsulated in the executable shell, and the executable shell is used for triggering the defense strategy of capturing the user host identification information and the attack host identification information when it receives the preset operation instruction.
With reference to the first aspect, in a second implementation manner of the first aspect, the preset operation instruction includes an unshelling operation instruction; the source data file is an executable program file, and the preset operation instruction further includes an opening or running operation instruction;
if it is monitored that the user host executes the preset operation instruction on the decoy file, triggering a defense strategy for capturing the user host identification information and the attack host identification information comprises: if it is monitored that the user host executes the unshelling operation instruction on the decoy file, sending the user host identification information to a server; after the unshelling of the decoy file is detected to have succeeded, continuing to detect whether an attack host inputs an instruction to open or run the source data file; if so, sending the identification information of the attack host to the server.
With reference to the first aspect, in a third implementation manner of the first aspect, after sending the user host identification information and the attack host identification information to the server, the method further includes: establishing a mapping relation between the acquired attack host identification information and/or user host identification information and the source data file type in the corresponding attack event; and storing the mapping relation to form an attack database.
With reference to the first aspect and/or the first to third implementation manners of the first aspect, in a fourth implementation manner of the first aspect, after the attack host identification information is sent to a server, the server compares the acquired attack host identification information with attack host identification information captured in a previous attack event; and determining whether the current attack event and the previous attack event are the same attack behavior according to the comparison result.
With reference to the first aspect and/or any one of the first to fourth implementation manners of the first aspect, in a fifth implementation manner of the first aspect, after the server compares the attack host identification information obtained with attack host identification information captured in a previous attack event, the method further includes: and establishing an attack portrait of the same attack host according to the comparison result, and storing the attack portrait into the attack database.
With reference to the first aspect and the first to fifth implementation manners of the first aspect, in a sixth implementation manner of the first aspect, after forming the attack database, the method further includes: generating a security alarm and defense strategy according to the data stored in the attack database, and issuing the security alarm and defense strategy to a second target host, the second target host and the first target host being in the same local area network; monitoring whether a data file of the same type as a source data file stored in the attack database is operated on the second target host; if so, acquiring the identification information of the host executing the operation; matching the identification information of the executing host with the identification information of the attack host and/or the user host stored in the attack database; if the matching succeeds, issuing an instruction to execute the security alarm and defense strategy to the second target host, so that the second target host blocks the operation and/or raises an alarm according to the security alarm and defense strategy;
or, if the matching succeeds, blocking the operation and/or raising an alarm according to the security alarm and defense strategy.
In a second aspect, a further embodiment of the present invention provides an active trapping security defense system, the system comprising: a monitoring module for monitoring the decoy file on the first target host; and a trigger program module for triggering a defense strategy for capturing the user host identification information and the attack host identification information if it is monitored that the user host executes a preset operation instruction on the decoy file; the first target host and the user host are in the same local area network, and the user host is a controlled object of the attack host.
In a third aspect, an embodiment of the present invention provides an electronic device, including: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in a space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute the active trapping security defense method according to any embodiment of the first aspect.
In a fourth aspect, embodiments of the present invention provide a computer readable storage medium storing one or more programs executable by one or more processors to implement the active trap security defense method of any embodiment of the first aspect.
The embodiment of the invention provides an active trapping security defense method, an active trapping security defense system, electronic equipment and a storage medium, wherein the method comprises the following steps: monitoring a decoy file on a first target host; if it is monitored that the user host executes a preset operation instruction on the decoy file, triggering a defense strategy for capturing the user host identification information and the attack host identification information; the first target host and the user host are in the same local area network, and the user host is a controlled object of the attack host. Thus, without internal and external network isolation, by setting a decoy file on the target host, the defense strategy for capturing the user host identification information and the attack host identification information can be triggered automatically when the user host executes the preset operation instruction on the decoy file (for example, accessing or opening it). Not only can information identifying the attacker, such as the IP and MAC of the attack host and of the controlled host (user host), be captured, but security defense can also be performed in a timely manner. Therefore, the scheme does not need to isolate the internal network from the external network, and facilitates capturing the identity information of the attack host and the controlled host, thereby further realizing security defense.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an embodiment of an active trapping security defense method of the present invention;
FIG. 2 is a flow chart of another embodiment of the active trapping security defense method of the present invention;
FIG. 3 is a flow chart of an active trapping security defense method according to another embodiment of the present invention;
FIG. 4 is a schematic diagram of an embodiment of an active trapping security defense system according to the present invention;
FIG. 5 is a schematic diagram of an architecture of another embodiment of the active trapping security defense system of the present invention;
FIG. 6 is a schematic diagram of an architecture of an active trapping security defense system according to yet another embodiment of the present invention;
FIG. 7 is a schematic block diagram of an architecture of one embodiment of an electronic device of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are merely some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Fig. 1 is a schematic flow chart of an embodiment of an active trapping security defense method according to the present invention. Referring to fig. 1, the active trapping security defense method according to the embodiment of the present invention can be applied to a network security defense scenario; it should be noted that the method may be embedded in a manufactured product in the form of software, and the method flow of the present application is reproduced when the user uses the product.
Referring to fig. 1, the active trapping security defense method provided in this embodiment may include the steps of:
110. Monitoring the decoy file on the first target host.
In this embodiment, the purpose of setting the decoy file is to lure an attacker into stealing it, so as to capture information such as the attacker's identity. The decoy file comprises a source data file and an executable shell, wherein the source data file is encapsulated in the executable shell, and the executable shell is used for triggering the defense strategy of capturing the user host identification information and the attack host identification information when it receives the preset operation instruction.
The source data file is an executable program file, for example .exe, .docx, .xls, .dll, etc. Here, "shelling" the source data file essentially means adding code that acts like a protective layer to the executable program file, so that the source data file loses its original purpose; the protective-layer code is figuratively called a shell, and it performs the corresponding action after receiving a user instruction.
Illustratively, the source data file is shelled, for example, by compressing and encrypting it. It should be noted that this compression and encryption is not the compression performed by commonly used tools such as RAR or zip, but the compression of executable program files (including the above-mentioned .exe and so on) with a "shell" tool, after which a shelled program is formed that protects the source data file.
120. If it is monitored that the user host executes the preset operation instruction on the decoy file, triggering a defense strategy for capturing the user host identification information and the attack host identification information.
The first target host and the user host are in the same local area network, and the user host is a controlled object of the attack host, namely what is commonly called a "broiler chicken" (a literal translation of the Chinese term for a compromised zombie host) in the field of network security.
In this embodiment, the preset operation instruction may be an open operation instruction or a decompression operation instruction. If it is monitored that the user host executes the preset operation instruction on the decoy file, it can be confirmed that the decoy file has been stolen by an attacker, i.e., the original purpose of setting the decoy file has been achieved and the attacker has opened the decoy file.
In some embodiments, the preset operation instruction includes an unshelling operation instruction; the source data file is an executable program file, and the preset operation instruction further includes an opening or running operation instruction.
Referring to fig. 2, if it is monitored that a user host executes a preset operation instruction on the decoy file, triggering a defense policy for capturing the user host identification information and the attack host identification information (step 120) includes: 121. If it is monitored that the user host executes the unshelling operation instruction on the decoy file, sending the user host identification information to a server.
In this embodiment, the act of opening the decoy file needs to be performed in a networked state. Therefore, to ensure that the decoy file is opened on a networked host, as an optional embodiment, after a user host is monitored executing a preset operation instruction on the decoy file, the shell of the decoy file automatically initiates a network connection request, and if the connection succeeds, the user host identification information is sent to the server.
122. After the unshelling of the decoy file is detected to have succeeded, continuing to detect whether an attack host inputs an instruction to open or run the source data file.
If so, step 123 is executed to send the identification information of the attack host to the server.
Referring to FIG. 3, in some embodiments, after sending the user host identification information and attack host identification information to a server, the method further comprises: establishing a mapping relation between the acquired attack host identification information and/or user host identification information and the source data file type in the corresponding attack event; and storing the mapping relation to form an attack database. Thus, an administrator can form a defending alarm strategy according to the data in the attack database and send the defending alarm strategy to the protected host computer to detect and discover suspected attackers.
In addition, after the attack host identification information is sent to the server, the method further includes: the server compares the acquired attack host identification information with attack host identification information captured in a previous attack event, and determines whether the current attack event and the previous attack event are the same attack behavior according to the comparison result.
Or after the attack host identification information is sent to the server, the attack host identification information can be used as a judgment basis for other threat behaviors.
The identification information includes IP, MAC, hostname and/or protocol, etc., i.e., information that can identify the user host or the attack host and the attack means.
In another optional embodiment, after the server compares the acquired attack host identification information with the attack host identification information captured in the previous attack event, the method further includes: establishing an attack portrait of the same attack host according to the comparison result, and storing the attack portrait in the attack database. By establishing an attack portrait of an attack host, that is, by labeling the attack behavior of a network attacker, the characteristics of the attacker's network attack behavior can be grasped intuitively, which facilitates personalized defense and improves the effectiveness of security defense.
With continued reference to FIG. 3, in some embodiments, after forming the attack database, the method further comprises: generating a security alarm and a defense strategy according to the data stored in the attack database, and issuing the security alarm and the defense strategy to a second target host; the second target host and the first target host are in the same local area network, and the second target host can comprise a plurality of target hosts.
Monitoring whether a data file of the same type as a source data file stored in the attack database is operated on the second target host; if so, acquiring the identification information of the host executing the operation; matching the identification information of the executing host with the identification information of the attack host and/or the user host stored in the attack database; and if the matching succeeds, issuing an instruction to execute the security alarm and defense strategy to the second target host, so that the second target host blocks the operation and/or raises an alarm according to the security alarm and defense strategy.
In this embodiment, the server may also directly block the operation and/or raise the alarm; thus, in an alternative embodiment, if the matching succeeds, the operation is blocked and/or an alarm is raised according to the security alarm and defense strategy.
It will be appreciated that in some network security defense schemes, single-point defense strategies based on individual hosts are usually costly to maintain, and a host is compromised as soon as it is breached.
In this embodiment, the attack host is trapped by the decoy file on the first target host in the local area network; the identification information and/or attack portrait of the trapped attack host are stored to form an attack database, and a defense and alarm strategy is formed. Thus, as long as the decoy file on one target host in the local area network is triggered, the other target hosts in the local area network can defend against the attacker according to the attack database for that attacker issued by the server, forming clustered defense with low maintenance cost and improved defense effectiveness.
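The server-side part of the flow described above (steps 121 to 123, the attack database with its identifier-to-file-type mapping, the comparison against earlier attack events, the attack portrait, and the check a second target host performs before blocking or alarming), as an added Python example written for this page. It is not code from the patent or from Antiy. It assumes the captured identification information is IP, MAC and hostname, as the description lists, and treats two captures as the same host when any of those identifiers agree; all hosts, events and class or function names are the example's own constructed sample data.

```python
"""Defense-center model for the decoy-file trap: attack database, same-attacker
comparison, attack portrait and the second-target-host policy check.
Added example (not the patent's code); every identifier below is constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class HostId:
    """Identification information the trap captures: IP, MAC and hostname."""
    ip: str
    mac: str
    hostname: str = ""

    def overlaps(self, other: "HostId") -> bool:
        # Assumption: two captures denote the same host when any stable
        # identifier agrees (an attacker may come back from a different IP).
        return (self.ip == other.ip or self.mac == other.mac
                or (bool(self.hostname) and self.hostname == other.hostname))


@dataclass
class TrapEvent:
    """One triggered decoy: the controlled (user) host that unshelled it and,
    if step 122 then saw the source file opened or run, the attack host."""
    event_id: int
    file_type: str                 # type of the source data file, e.g. "docx"
    user_host: HostId              # sent to the server in step 121
    attack_host: Optional[HostId]  # sent to the server in step 123, else None


@dataclass
class AttackPortrait:
    """Labels accumulated for one attack host across correlated events."""
    attack_host: HostId
    event_ids: list = field(default_factory=list)
    file_types: set = field(default_factory=set)
    controlled_hosts: set = field(default_factory=set)


class AttackDatabase:
    """Captured identifiers mapped to source-file types, plus attack portraits."""

    def __init__(self):
        self.events = []      # every TrapEvent received
        self.mapping = {}     # identifier (ip or mac) -> set of file types
        self.portraits = []   # one AttackPortrait per distinct attack host

    def record(self, ev: TrapEvent) -> Optional[int]:
        """Store the event, extend the identifier->file-type mapping and compare
        the attack host with earlier events. Returns the id of the earlier event
        judged to be the same attack behaviour, or None for a new attacker."""
        same_as = None
        if ev.attack_host is not None:
            for prev in self.events:
                if prev.attack_host and prev.attack_host.overlaps(ev.attack_host):
                    same_as = prev.event_id
                    break
        self.events.append(ev)
        for host in (ev.user_host, ev.attack_host):
            if host is not None:
                self.mapping.setdefault(host.ip, set()).add(ev.file_type)
                self.mapping.setdefault(host.mac, set()).add(ev.file_type)
        if ev.attack_host is not None:
            self._update_portrait(ev)
        return same_as

    def _update_portrait(self, ev: TrapEvent) -> None:
        for portrait in self.portraits:
            if portrait.attack_host.overlaps(ev.attack_host):
                break
        else:  # no existing portrait matched: start a new one
            portrait = AttackPortrait(attack_host=ev.attack_host)
            self.portraits.append(portrait)
        portrait.event_ids.append(ev.event_id)
        portrait.file_types.add(ev.file_type)
        portrait.controlled_hosts.add(ev.user_host.ip)

    def trapped_file_types(self) -> set:
        return set().union(*self.mapping.values()) if self.mapping else set()

    def known_hosts(self) -> list:
        return [h for ev in self.events for h in (ev.user_host, ev.attack_host) if h]


@dataclass
class FileOperation:
    """An open/run of a data file, as reported by a second target host."""
    file_type: str
    executing_host: HostId


def evaluate_policy(db: AttackDatabase, op: FileOperation) -> str:
    """Second-target-host check: only files whose type appears in the attack
    database matter; if the executing host matches a stored attack host or
    user host, the issued strategy is to block the operation and raise an alarm."""
    if op.file_type not in db.trapped_file_types():
        return "not_trapped_type"
    if any(h.overlaps(op.executing_host) for h in db.known_hosts()):
        return "block_and_alarm"
    return "no_match"


def demo():
    """Constructed scenario: two trap events, then an operation on another host."""
    db = AttackDatabase()
    bot = HostId("10.0.0.23", "aa:bb:cc:00:00:23", "FIN-PC-07")         # constructed
    attacker = HostId("198.51.100.7", "de:ad:be:ef:00:01", "WS-UNKNOWN")  # constructed
    first = db.record(TrapEvent(1, "docx", bot, attacker))               # new attacker
    bot2 = HostId("10.0.0.41", "aa:bb:cc:00:00:41", "HR-PC-02")
    returning = HostId("203.0.113.9", "de:ad:be:ef:00:01", "WS-UNKNOWN")  # new IP, same host
    second = db.record(TrapEvent(2, "xls", bot2, returning))             # correlated to 1
    # The compromised HR host now opens a .docx on a second protected host.
    op = FileOperation("docx", HostId("10.0.0.41", "aa:bb:cc:00:00:41"))
    return first, second, evaluate_policy(db, op), sorted(db.portraits[0].file_types)
```

`demo()` returns `(None, 1, "block_and_alarm", ["docx", "xls"])`: the second event is tied to the first through the attack host's MAC and hostname although its IP changed, the portrait for that attacker now lists both trapped file types, and the later operation by the second controlled host is blocked because its identifiers are already in the database.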
According to the active trapping security defense method provided by the embodiment of the invention, the internal network and the external network do not need to be isolated; by setting a decoy file on the target host, when a user host executes a preset operation instruction on the decoy file (for example, accessing or opening it), the defense strategy for capturing the user host identification information and the attack host identification information is triggered automatically, so that information identifying the attacker, such as the IP (Internet Protocol) and MAC (Media Access Control) addresses of the attack host and of the controlled host (user host), can be captured, and security defense can be performed in a timely manner.
According to the above description, the scheme does not need to isolate the intranet from the extranet, and is convenient for capturing the identity information of the attacking host and the controlled host, thereby further realizing security defense.
Embodiment two
FIG. 4 is a schematic block diagram of an architecture of one embodiment of the active trapping security defense system of the present invention. Referring to fig. 4, the system of the present embodiment includes:
a monitoring module 210, configured to monitor the decoy file on the first target host;
a trigger program module 220, configured to trigger a defense policy for capturing the user host identification information and the attack host identification information if it is monitored that a user host executes a preset operation instruction on the decoy file; the first target host and the user host are in the same local area network, and the user host is a controlled object of the attack host.
The system of the present embodiment may be used to implement the technical solution of the method embodiment shown in fig. 1, and its implementation principle and technical effects are similar, and are not described here again.
In some embodiments, the bait file comprises: the system comprises a source data file and an executable shell, wherein the source data file is encapsulated in the executable shell, and the executable shell is used for triggering and capturing a defending strategy of the user host identification information and the attack host identification information when receiving the preset operation instruction.
In still other embodiments, referring to fig. 5, the preset operating instructions comprise: a shelling operation instruction;
the source data file is an executable program file, and the preset operation instruction further comprises: opening or running an operation instruction;
the trigger program module 220 includes: a first sending program unit 221, configured to send the user host identification information to a server if it is monitored that a user host executes the unshelling operation instruction on the decoy file;
a detecting program unit 222, configured to continue detecting whether an attack host inputs an instruction to open or run the source data file after the unshelling of the decoy file is detected to have succeeded;
a second sending program unit 223, configured to send the identification information of the attack host to the server if such an attack host exists.
Referring to fig. 6, in some embodiments, the system further comprises a defense center, which is essentially a server for: establishing a mapping relation between the acquired attack host identification information and/or user host identification information and the source data file type in the corresponding attack event; and storing the mapping relation to form an attack database.
In still other embodiments, the server is further configured to: comparing the acquired attack host identification information with attack host identification information captured in a previous attack event; and determining whether the current attack event and the previous attack event are the same attack behavior according to the comparison result.
With continued reference to fig. 6, in some embodiments, the server is further configured to establish an attack portrait of the same attack host according to the comparison result, and to store the attack portrait in the attack database.
In some embodiments, the server is further configured to: after an attack database is formed, generating a security alarm and a defense strategy according to data stored in the attack database, and issuing the security alarm and the defense strategy to a second target host; the second target host and the first target host are in the same local area network; monitoring whether a data file with the same type as the source data file stored in the attack database is operated on the second target host;
if so, acquiring the identification information of the host executing the operation; matching the identification information of the executing host with the identification information of the attack host and/or the user host stored in the attack database; and if the matching succeeds, issuing an instruction to execute the security alarm and defense strategy to the second target host, so that the second target host blocks the operation and/or raises an alarm according to the security alarm and defense strategy.
Or, if the matching succeeds, blocking the operation and/or raising an alarm according to the security alarm and defense strategy.
The implementation principles and technical effects of the system of this embodiment are similar to those of the corresponding method embodiment in the first embodiment; the two may be referred to each other, and the details are not repeated here.
Fig. 7 is a schematic block diagram of an architecture of an embodiment of an electronic device according to the present invention, and based on the method provided in the first embodiment and the system provided in the second embodiment, the embodiment of the present invention further provides an electronic device, as shown in fig. 7, where a flow of any one of the embodiments of the present invention may be implemented.
The electronic device may include: a housing 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45, wherein the circuit board 44 is arranged in a space enclosed by the housing 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power supply circuit 45 supplies power to the respective circuits or devices of the electronic device; the memory 43 stores executable program code; and the processor 42 runs a program corresponding to the executable program code by reading the executable program code stored in the memory 43, so as to execute the active trapping security defense method described in any of the previous embodiments.
The specific implementation of the above steps by the processor 42 and the further implementation of the steps by the processor 42 through the execution of the executable program code may be referred to as the description of the first embodiment of the present invention, which is not repeated herein.
Embodiments of the present invention also provide a computer readable storage medium storing one or more programs executable by one or more processors to implement the active trapping security defense method of any of the previous embodiments.
In summary, the active trapping security defense method and system provided by the embodiment of the invention do not need isolation of the internal network from the external network, and facilitate capturing the identity information of the attack host and the controlled host, thereby further realizing security defense; for example, security personnel may locate the attacker's address based on the IP of the attack host, or perform association analysis with other threat behaviors to obtain a detailed attack portrait.
Furthermore, in this embodiment, an attack database may be established, a security alarm and defense policy may be formed according to the attack database, and the security alarm and defense policy may be issued to other protected hosts to protect the data security of those hosts.
Furthermore, the technical scheme provided by the invention can realize clustered defense, has low maintenance cost and can improve the effectiveness of the defense.
The electronic device exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: such devices are characterized by mobile communication capabilities and are primarily aimed at providing voice and data communications. Such terminals include: smart phones (e.g., iPhone), multimedia phones, feature phones, and low-end phones, etc.
(2) Ultra-mobile personal computer devices: such devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile internet access. Such terminals include: PDA, MID and UMPC devices, etc., such as iPad.
(3) Portable entertainment devices: such devices can display and play multimedia content. Such devices include: audio and video players (e.g., iPod), handheld game consoles, e-book readers, smart toys and portable car navigation devices.
(4) Servers: a server is configured with a processor, a hard disk, a memory, a system bus and the like, and is similar to a general computer architecture, but is required to provide highly reliable services, and therefore has high requirements in terms of processing capacity, stability, reliability, security, scalability, manageability and the like.
(5) Other electronic devices with data interaction functions.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In this specification, each embodiment is described in a progressive manner; identical and similar parts of the embodiments may be referred to each other, and each embodiment mainly describes its differences from the other embodiments.
In particular, for the system embodiments, since they are substantially similar to the method embodiments, the description is relatively brief; for the relevant parts, see the description of the method embodiments.
For convenience of description, the above system is described as being functionally divided into various units/modules, respectively. Of course, the functions of the various elements/modules may be implemented in the same piece or pieces of software and/or hardware when implementing the present invention.
Those skilled in the art will appreciate that implementing all or part of the above-described methods in accordance with the embodiments may be accomplished by way of a computer program stored on a computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), or the like.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the scope of the present invention should be included in the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (14)

1. An active trapping security defense method, comprising the steps of:
monitoring a decoy file on a first target host;
if the user host executes the preset operation instruction on the decoy file, triggering a defending strategy for capturing the user host identification information and the attack host identification information; the first target host and the user host are in the same local area network, and the user host is a controlled object of the attack host;
the decoy file comprises: a source data file and an executable shell, wherein the source data file is packaged in the executable shell, the executable shell is used for triggering the defense strategy for capturing the user host identification information and the attack host identification information when it receives the preset operation instruction, and the preset operation instruction comprises: an unshelling operation instruction.
2. The active trapping security defense method of claim 1, wherein the source data file is an executable program file, and the preset operation instruction further comprises: an opening or running operation instruction;
if it is monitored that the user host executes the preset operation instruction on the decoy file, triggering the defense strategy for capturing the user host identification information and the attack host identification information comprises: if it is monitored that the user host executes the unshelling operation instruction on the decoy file, sending the user host identification information to a server;
after the unshelling operation on the decoy file is detected to be successful, continuously detecting whether an attack host inputs an operation instruction for opening or running the source data file;
if yes, sending the attack host identification information to the server.
3. The active trapping security defense method of claim 2, wherein after sending the user host identification information and the attack host identification information to the server, the method further comprises: the server establishes a mapping relation between the acquired attack host identification information and/or user host identification information and the source data file type in the corresponding attack event;
and storing the mapping relation to form an attack database.
4. The active trapping security defense method of claim 3, wherein after sending the attack host identification information to the server, the method further comprises: the server compares the acquired attack host identification information with the attack host identification information captured in a previous attack event;
and determining, according to the comparison result, whether the current attack event and the previous attack event are the same attack behavior.
5. The active trapping security defense method of claim 4, wherein after the server compares the acquired attack host identification information with the attack host identification information captured in a previous attack event, the method further comprises: the server establishes an attack portrait of the same attack host according to the comparison result, and stores the attack portrait in the attack database.
6. An active trapping security defense method according to claim 3, wherein after the attack database is formed, the method further comprises: generating a security alarm and a defense strategy according to the data stored in the attack database, and issuing the security alarm and the defense strategy to a second target host; the second target host and the first target host are in the same local area network;
monitoring whether a data file with the same type as the source data file stored in the attack database is operated on the second target host;
if yes, acquiring the identification information of the execution host of the operation behavior;
matching the identification information of the execution host with the identification information of the attack host and/or the user host stored in the attack database;
if the matching is successful, issuing an instruction for executing the security alarm and defense strategy to a second target host, so that the second target host blocks the operation and/or alarm according to the security alarm and defense strategy; or,
if the matching is successful, blocking the operation and/or the alarm according to the security alarm and the defense strategy.
7. An active trap security defense system, the system comprising:
a monitor module for monitoring the bait file on the first target host;
the trigger program module is used for triggering a defending strategy for capturing the user host identification information and the attack host identification information if the user host is monitored to execute a preset operation instruction on the decoy file; the first target host and the user host are in the same local area network, and the user host is a controlled object of the attack host;
the decoy file comprises: a source data file and an executable shell, wherein the source data file is packaged in the executable shell, the executable shell is used for triggering the defense strategy for capturing the user host identification information and the attack host identification information when it receives the preset operation instruction, and the preset operation instruction comprises: an unshelling operation instruction.
8. The active trapping security defense system of claim 7, wherein the source data file is an executable program file, and the preset operation instruction further comprises: an opening or running operation instruction;
the trigger program module comprises: a first sending program unit, used for sending the user host identification information to a server if it is monitored that the user host executes the unshelling operation instruction on the decoy file;
a detection program unit, used for continuously detecting whether an attack host inputs an operation instruction for opening or running the source data file after the unshelling operation on the decoy file is detected to be successful;
and a second sending program unit, used for sending the attack host identification information to the server if such an attack host exists.
9. The active trapping security defense system of claim 8 wherein the server is configured to:
establishing a mapping relation between the acquired attack host identification information and/or user host identification information and the source data file type in the corresponding attack event;
and storing the mapping relation to form an attack database.
10. The active trap security defense system of claim 9 wherein the server is further operable to:
comparing the acquired attack host identification information with attack host identification information captured in a previous attack event;
and determining whether the current attack event and the previous attack event are the same attack behavior according to the comparison result.
11. The active trapping security defense system of claim 10 wherein the server is further configured to establish an attack representation of the same attack host based on the comparison, and store the attack representation in the attack database.
12. The active trap security defense system of claim 10 wherein the server is further operable to:
after an attack database is formed, generating a security alarm and a defense strategy according to data stored in the attack database, and issuing the security alarm and the defense strategy to a second target host; the second target host and the first target host are in the same local area network;
monitoring whether a data file with the same type as the source data file stored in the attack database is operated on the second target host;
if yes, acquiring the identification information of the execution host of the operation behavior;
matching the identification information of the execution host with the identification information of the attack host and/or the user host stored in the attack database;
if the matching is successful, issuing an instruction for executing the security alarm and defense strategy to a second target host, so that the second target host blocks the operation and/or alarm according to the security alarm and defense strategy; or,
if the matching is successful, blocking the operation and/or the alarm according to the security alarm and the defense strategy.
13. An electronic device, comprising: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic apparatus; the memory is used for storing executable program code; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to perform the active trapping security defense method of any one of claims 1 to 6.
14. A computer readable storage medium storing one or more programs executable by one or more processors to implement the active trapping security defense method of any one of claims 1 to 6.
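The server-side bookkeeping of claims 3 to 6 (mirrored by system claims 9 to 12), written out as an added Python example. This is not code from the patent or from Antiy; the class and function names, the host identifiers and the file types are this example's own constructed assumptions. It takes the two reports the decoy produces under claim 2 (user host identification on unshelling, attack host identification on opening the source data file) as one event, builds the mapping and the attack portrait, checks whether the attack host was already captured in a previous event, derives the policy issued to a second target host, and evaluates a file operation on that host against the policy.

```python
# Added example (not from the patent): a minimal server-side attack database
# for the two-stage decoy of claims 2 to 6. All host identifiers and file
# types below are constructed sample data; the class and function names are
# this example's own, not the patent's.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class CaptureEvent:
    """One trapping event reported by the first target host.

    user_host:   identification of the controlled host that unshelled the
                 decoy (first stage, claim 2).
    attack_host: identification of the host that then opened or ran the
                 source data file (second stage, claim 2); None if that
                 never happened.
    file_type:   type of the source data file wrapped in the decoy (claim 3).
    """
    event_id: str
    user_host: str
    attack_host: Optional[str]
    file_type: str


@dataclass
class AttackProfile:
    """Attack portrait of one attack host (claim 5)."""
    attack_host: str
    controlled_hosts: Set[str] = field(default_factory=set)
    file_types: Set[str] = field(default_factory=set)
    event_ids: List[str] = field(default_factory=list)


class AttackDatabase:
    def __init__(self) -> None:
        # host identification -> source file types seen with it (claim 3)
        self.mapping: Dict[str, Set[str]] = {}
        self.profiles: Dict[str, AttackProfile] = {}
        self.controlled_hosts: Set[str] = set()

    def ingest(self, ev: CaptureEvent) -> bool:
        """Store the event; return True if the attack host was already known,
        i.e. the current event is the same attack behaviour as a previous
        one (claim 4). Stage-1-only events never match (no attack host)."""
        self.controlled_hosts.add(ev.user_host)
        for host in (ev.user_host, ev.attack_host):
            if host is not None:
                self.mapping.setdefault(host, set()).add(ev.file_type)
        if ev.attack_host is None:
            return False
        seen_before = ev.attack_host in self.profiles
        prof = self.profiles.setdefault(ev.attack_host, AttackProfile(ev.attack_host))
        prof.controlled_hosts.add(ev.user_host)
        prof.file_types.add(ev.file_type)
        prof.event_ids.append(ev.event_id)
        return seen_before

    def defense_policy(self) -> Dict[str, Set[str]]:
        """Policy issued to a second target host in the same LAN (claim 6)."""
        return {
            "watch_file_types": set().union(*self.mapping.values()),
            "attack_hosts": set(self.profiles),
            "controlled_hosts": set(self.controlled_hosts),
        }


def evaluate_operation(policy: Dict[str, Set[str]], file_type: str, execution_host: str) -> str:
    """Decision on the second target host for one file operation (claim 6).

    "block" when the executing host matches a known attack host, "alarm"
    when it matches a known controlled host, "allow" otherwise. Splitting
    block vs. alarm this way is this example's choice; the claim only says
    block and/or alarm.
    """
    if file_type not in policy["watch_file_types"]:
        return "allow"
    if execution_host in policy["attack_hosts"]:
        return "block"
    if execution_host in policy["controlled_hosts"]:
        return "alarm"
    return "allow"


def demo() -> Dict[str, object]:
    db = AttackDatabase()
    events = [  # constructed sample events; 203.0.113.0/24 is a documentation range
        CaptureEvent("ev-1", "10.0.0.5", "203.0.113.7", "docx"),
        CaptureEvent("ev-2", "10.0.0.9", None, "xlsx"),          # unshelled, never opened
        CaptureEvent("ev-3", "10.0.0.9", "203.0.113.7", "xlsx"),  # same attack host again
    ]
    repeats = [db.ingest(ev) for ev in events]
    policy = db.defense_policy()
    return {
        "repeats": repeats,
        "profile_hosts": sorted(db.profiles["203.0.113.7"].controlled_hosts),
        "decisions": [
            evaluate_operation(policy, "docx", "203.0.113.7"),
            evaluate_operation(policy, "docx", "10.0.0.5"),
            evaluate_operation(policy, "docx", "10.0.0.77"),
            evaluate_operation(policy, "pdf", "203.0.113.7"),
        ],
    }


if __name__ == "__main__":
    print(demo())
```

The third event is flagged as a repeat of the first because the same attack host identification was captured before, which is the claim 4 comparison; the portrait for that host then lists both controlled hosts. On the second target host, an operation on a watched file type by a known attack host is blocked, by a known controlled host only alarmed, and anything else passes, so a decoy type that has never been trapped (pdf here) generates no alert even from a known attacker.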
CN202111567572.4A 2021-12-09 2021-12-09 Active trapping security defense method, system, electronic equipment and storage medium Active CN114285622B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111567572.4A CN114285622B (en) 2021-12-09 2021-12-09 Active trapping security defense method, system, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114285622A CN114285622A (en) 2022-04-05
CN114285622B true CN114285622B (en) 2024-01-26

Family

ID=80873358

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111567572.4A Active CN114285622B (en) 2021-12-09 2021-12-09 Active trapping security defense method, system, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114285622B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110493238A (en) * 2019-08-26 2019-11-22 Hangzhou DBAPPSecurity Co., Ltd. Honeypot-based defense method, device, honeypot system and honeypot management server
CN110944014A (en) * 2019-12-18 2020-03-31 Beijing Topsec Network Security Technology Co., Ltd. Terminal data security active defense method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3373553B1 (en) * 2017-03-09 2024-05-08 Argus Cyber Security Ltd System and method for providing cyber security to an in-vehicle network
US10498763B2 (en) * 2017-08-31 2019-12-03 International Business Machines Corporation On-demand injection of software booby traps in live processes

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"A camouflage trapping and threat perception product based on an active defense mechanism"; Sun Ruiyong, Li Feng, Sun Xiaopeng, Wang Shaomi; Information Technology; full text *

Also Published As

Publication number Publication date
CN114285622A (en) 2022-04-05

Similar Documents

Publication Publication Date Title
US8522349B2 (en) Detecting and defending against man-in-the-middle attacks
KR101737726B1 (en) Rootkit detection by using hardware resources to detect inconsistencies in network traffic
CN107612924B (en) Attacker positioning method and device based on wireless network intrusion
Nadeem et al. Intercept the cloud network from brute force and DDoS attacks via intrusion detection and prevention system
CN107465702B (en) Early warning method and device based on wireless network intrusion
US20170111391A1 (en) Enhanced intrusion prevention system
CN112351017B (en) Transverse penetration protection method, device, equipment and storage medium
CN111565202B (en) Intranet vulnerability attack defense method and related device
CN107566401B (en) Protection method and device for virtualized environment
CN113141335B (en) Network attack detection method and device
Vidalis et al. Assessing identity theft in the Internet of Things
CN110866248B (en) Ransomware identification method and device, electronic equipment and storage medium
CN110674496A (en) Method and system for program to counter invading terminal and computer equipment
CN113055407A (en) Asset risk information determination method, device, equipment and storage medium
CN105868625B (en) Method and device for intercepting restart deletion of file
Lin et al. A study on digital forensics standard operation procedure for wireless cybercrime
CN113660222A (en) Situation awareness defense method and system based on mandatory access control
CN114285608B (en) Network attack trapping method and device, electronic equipment and storage medium
CN114285622B (en) Active trapping security defense method, system, electronic equipment and storage medium
CN107517226B (en) Alarm method and device based on wireless network intrusion
CN114338113B (en) Data encryption and decryption methods and devices, electronic equipment and storage medium
US10609030B1 (en) Systems and methods for identifying untrusted devices in peer-to-peer communication
CN112118204B (en) Method and system for sensing illegal access of Windows file system
CN112817833A (en) Method and device for monitoring database
CN115589330B (en) Safety detection device and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant