CN114416668B - Method and system for generating a PKG (macOS installer package) decoy file - Google Patents

Method and system for generating a PKG (macOS installer package) decoy file

Info

Publication number
CN114416668B
Authority
CN
China
Prior art keywords
file
script
module
template frame
frame
Legal status
Active
Application number
CN202210317728.1A
Other languages
Chinese (zh)
Other versions
CN114416668A (en)
Inventor
王嘉雄
周辉
陈磊
Current Assignee
Hangzhou Moan Technology Co ltd
Original Assignee
Hangzhou Moan Technology Co ltd
Events
Application filed by Hangzhou Moan Technology Co ltd
Priority to CN202210317728.1A
Publication of CN114416668A
Application granted
Publication of CN114416668B
Status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/10 File systems; File servers
    • G06F 16/16 File or folder operations, e.g. details of user interfaces specifically adapted to file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures

Abstract

The invention, in the field of network-security red/blue adversarial exercises, relates to a method and system for generating a PKG decoy file, comprising the following steps: obtaining a file to be simulated, an original compressed program file and an original script file from an installation package file; decompressing the original compressed program file, inserting a binary capture file into the decompressed content, and recompressing the two together to obtain a modified compressed program file; generating a trapping script and inserting it into the original script file to obtain a modified script file; constructing a file template frame for the decoy file, the frame comprising a base template frame and a core template frame; and copying the file to be simulated into the base template frame and the modified compressed program file and modified script file into the core template frame to obtain the decoy file. The method offers high simulation fidelity and removes the existing limitation that attacker information cannot be captured on Mac OS systems.

Description

Method and system for generating a PKG (macOS installer package) decoy file
Technical Field
The invention relates to the technical field of network-security red/blue adversarial exercises, and in particular to a method and system for generating a PKG decoy file.
Background
The concept of red/blue confrontation originated in United States military exercises of the 1960s: large-scale drills run under a dedicated command and divided into a red force and a blue force, in which the blue force plays a simulated enemy and the red force represents one's own side and trains against it (also referred to as "red training"). Note that this assignment of colours is the reverse of the Western red-team/blue-team convention. The notion of red/blue confrontation in network security derives from this practice.
Mac OS is a Unix-based graphical operating system developed by Apple. Mac OS and Windows do not interoperate: Windows is built on the NT kernel while Mac OS is built on Unix, and NT was developed entirely independently of Unix. Mac OS is regarded as harder to operate than Windows, but it sees far fewer viruses and vulnerabilities.
In current market-share data for global desktop operating systems, Windows holds 77.26% and Mac OS 17.69%, so existing decoy files target Windows. Yet, by the applicant's estimate, around eighty percent of network-security practitioners work on Mac OS, and there is currently no Mac OS decoy file capable of capturing attacker information on a Mac OS system and pinpointing the individual behind an attack.
Disclosure of Invention
To address these shortcomings of the prior art, the invention provides a method and system for generating a PKG decoy file, which offer high simulation fidelity and remove the existing limitation that attacker information cannot be captured on Mac OS systems.
In order to solve the technical problems, the invention is solved by the following technical scheme:
A PKG decoy file generation method comprises the following steps:
obtaining a file to be simulated, an original compressed program file and an original script file from an installation package file;
decompressing the original compressed program file to obtain a decompressed file, inserting a binary capture file into the decompressed file, and compressing the decompressed file together with the binary capture file to obtain a modified compressed program file;
generating a trapping script and inserting it into the original script file to obtain a modified script file;
constructing a file template frame for the decoy file, the file template frame comprising a base template frame and a core template frame;
and copying the file to be simulated into the base template frame, and the modified compressed program file and the modified script file into the core template frame, to obtain the decoy file.
Optionally, the binary capture file comprises request command data, collection command data, transfer command data and execution command data.
Optionally, generating the trapping script comprises the following steps:
obtaining a list of social applications, and obtaining, for each application on the list, a social-information script that collects that application's account data.
Optionally, constructing the file template frame of the decoy file comprises the following steps:
obtaining a plurality of installation package files, and obtaining the sub-folders of each installation package file, the sub-folders within one installation package file having distinct names;
and counting, for each sub-folder name, the ratio of the number of installation package files containing a sub-folder of that name to the total number of installation package files obtained, setting a proportion threshold, selecting the sub-folder names whose ratio exceeds the threshold, and storing the selected names in the base template frame or the core template frame.
Optionally, the file to be simulated comprises a program installation flow file, a resource file and a program installation text file.
A PKG decoy file generation system comprises:
a first acquisition module, configured to obtain the file to be simulated, the original compressed program file and the original script file from an installation package file, and to decompress the original compressed program file to obtain a decompressed file;
an insertion and compression module, configured to insert the binary capture file into the decompressed file and to compress the decompressed file together with the binary capture file to obtain the modified compressed program file;
a trapping script generation module, configured to generate a trapping script and insert it into the original script file to obtain the modified script file;
a construction module, configured to construct the file template frame of the decoy file, the file template frame comprising a base template frame and a core template frame;
and a packaging and compression module, configured to copy the file to be simulated into the base template frame and the modified compressed program file and modified script file into the core template frame to obtain the decoy file.
Optionally, the system further comprises a binary capture file generation module, configured to generate the request command data, collection command data, transfer command data and execution command data.
Optionally, the trapping script generation module is further configured to obtain a list of social applications and to obtain, for each application on the list, a social-information script that collects that application's account data.
Optionally, the construction module further comprises a second acquisition module, a statistics module and an analysis and comparison module;
the second acquisition module is configured to obtain a plurality of installation package files and the sub-folders of each, the sub-folders within one installation package file having distinct names;
the statistics module is configured to count, for each sub-folder name, the ratio of the number of installation package files containing it to the number of installation package files obtained;
and the analysis and comparison module is configured to set a proportion threshold, select the sub-folder names whose ratio exceeds the threshold, and store them in the base template frame or the core template frame.
A computer-readable storage medium stores a computer program which, when executed by a processor, implements the PKG decoy file generation method of any of the above.
Compared with the prior art, the technical scheme provided by the invention has the following beneficial effects:
A real installation package file is decompressed to obtain the file to be simulated, the original compressed program file and the original script file that the decoy needs. Inserting a binary capture file into the original compressed program file yields the modified compressed program file, so that when the installed decoy is attacked, attacker information is obtained through the binary capture file; in addition, a trapping script is inserted into the original script file so that attacker information is obtained promptly at the moment of attack, providing a standby channel for acquiring it. Copying the file to be simulated into the file template frame gives the finished decoy a high similarity to the real installation package file, which is what lures the attacker. The file template frame standardises the structure of the decoy: on the basis that the decoy already confuses the attacker, it makes decoy structures consistent and decoys simpler to produce.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart of a method for generating a PKG decoy file according to an embodiment of the present invention;
Fig. 2 is a diagram of the file template frame of a decoy file according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to examples, which are illustrative of the present invention and are not to be construed as being limited thereto.
Example one
As shown in fig. 1, a method for generating a PKG decoy file comprises the following steps. The installation package file is decompressed to obtain the file to be simulated, the original compressed program file and the original script file. A decoy file must both resemble the real installation package file closely enough to confuse an attacker and, when attacked, capture the attacker, so that staff are notified of the intrusion through the captured information and an intrusion alert is raised.
To make the decoy highly similar to the installation package file, a file template frame for the decoy has to be constructed, which comprises the following steps: obtaining a plurality of installation package files and decompressing each to obtain its sub-folders, the sub-folders within one installation package file having distinct names; counting, for each sub-folder name, the ratio of the number of installation package files containing it to the number of installation package files obtained; setting a proportion threshold; selecting the names whose ratio exceeds the threshold; and storing the selected names in the base template frame or the core template frame.
In practice the file structure of each installation package file differs slightly and there is no single standard structure. To let staff produce decoys uniformly, rather than building a separate decoy for every installation package file, and to widen the applicability of the finished decoys, a fixed architecture for decoy files, the file template frame, is introduced.
Specifically, because the decoy must stay highly consistent with a real installation package file, the file template frame has to be derived from the structure of real installation package files. Staff collect a certain number of real installation package files belonging to different applications, so that the resulting frame has broad applicability, and decompress them to obtain their sub-folders; examples of sub-folders are Distribution, Contents, Resources, Bom, PackageInfo, Payload and Scripts, although the sub-folders are not limited to those listed. For each sub-folder name, the proportion of decompressed installation package files that contain a sub-folder of that name is computed (for example, the proportion of packages that contain a Distribution entry). A proportion threshold is then set, for example 90%: a sub-folder name present in 90% of the installation package files is taken to be one that must exist in the decoy's frame, which brings the decoy closer to the real installation package file. The threshold can be adjusted freely to the staff's requirements and is not limited here.
As shown in fig. 2, this embodiment takes the finally selected sub-folders to be Distribution, Resources, PackageInfo, Payload and Scripts, so a Distribution frame, a Resources frame, a PackageInfo frame, a Payload frame and a Scripts frame are added to the file template frame. Since the file template frame comprises a base template frame and a core template frame, the Distribution, Resources and PackageInfo frames are assigned to the base template frame and the Payload and Scripts frames to the core template frame.
After the file template frame is constructed, the file to be simulated obtained by decompression is copied into the base template frame. The file to be simulated comprises the program installation flow file, the resource file and the program installation text file, so the program installation flow file is copied into the Distribution frame, the resource file into the Resources frame and the program installation text file into the PackageInfo frame; through these copied files the decoy becomes highly similar to the real installation package file.
Note that the program installation flow file (Distribution, an XML document) describes the installation flow of the installation package file and gives the order in which it is installed; the resource file holds the installation-interface description, licence text, installation background images and similar material; and the program installation text file (PackageInfo, also XML) holds the installation information, including the install location and path used when installing the package on a Mac OS system.
Once the high-fidelity part of the decoy has been produced, giving it the ability to trap an attacker requires decompressing the original compressed program file to obtain the decompressed file, inserting the binary capture file into the decompressed file, and compressing the two together to obtain the modified compressed program file.
In practice, once the attacker opens the decoy and the capture binary runs, the request code in the binary capture file sends a request to the server asking to collect attacker information; the server receives the request and returns feedback; and the execution code carries out the command contained in that feedback. Taking a command that approves collection as the example, the binary capture file then gathers attacker information, including the attacker's attack path, account information and login location, and uploads it to the server so that staff can further assess the attacker. Because anyone who takes the decoy apart can also recover whatever the capture binary uses to reach the server, the server should treat uploads as untrusted input and authenticate and rate-limit them; otherwise the decoy's reporting channel can be flooded with fabricated attacker information.
Since everything executed at the lowest level of Mac OS must be a native executable, the capture file is built in binary form, that is, as a Mach-O executable compiled for the target's architecture (x86_64 or arm64, or a universal binary), so that it runs on the Mac OS system. Two practical points follow. Installer does not run the contents of a Payload by itself: the capture binary only lands on disk as the installation proceeds and has to be started by something, typically the preinstall or postinstall script in Scripts, which Installer runs (as root for installations that required administrator authorisation). And a flat package is a xar archive whose signature covers the checksums of its entries, so modifying Payload or Scripts invalidates any Developer ID signature the original carried; on a default-configured Mac, Gatekeeper then warns that the package comes from an unidentified developer, and the decoy relies on the target choosing to open it regardless.
The original compressed program file is the application's files compressed with gzip (in a flat package, a gzip-compressed cpio archive), which decompress to the application itself, so the modified compressed program file is the application and the binary capture file packaged and compressed together, and the attacker launches it just as they would launch the real application.
In addition, a trapping script has to be generated and inserted into the original script file to obtain the modified script file, specifically: obtaining a list of social applications, and obtaining, for each application on the list, a social-information script that collects its account data.
The original script file consists of two gzip-compressed scripts, one executed before installation and one after it (preinstall and postinstall). As a standby acquisition mechanism, the trapping script is added to the original script file; it obtains, via the attacker's attack path, the attacker's social-application account and the associated accounts bound to it, for example a QQ account, the mobile number bound to it and the bound mailbox.
Specifically, when the attacker opens the decoy, the social-information script it contains starts capturing the attacker's social information and uploads it to the server, which provides staff with the attacker's information, serves as a notification, and lets staff decide on the next step.
Finally, the modified compressed program file and the modified script file are copied into the core template frame, specifically the modified compressed program file into the Payload frame and the modified script file into the Scripts frame, giving the updated file frame, that is, the decoy. The updated frame is then compressed (flattened back into a .pkg) to obtain the decoy's compressed package for staff to use.
In a red/blue confrontation, the defending side uses the decoy file to lure the attacker; to counter-trap an attacker, the defender sends the decoy's compressed package to the attacker by e-mail or through social software.
Example two
A PKG decoy file generation system, comprising: the first module of acquireing for decompress installation package configuration file, obtain treating the emulation file, program compression primitive file and script primitive file, still be used for decompressing program compression primitive file, obtain decompressing the file, during the preparation bait file, need make the bait file both possess with real installation package configuration file's high similarity, be used for puzzleing the attacker, need make the bait file when being attacked by the attacker again, catch the attacker, thereby inform the staff through catching information, there is the attacker invasion, make invasion warning suggestion.
The method comprises the steps that a file template frame of a bait file needs to be constructed if the high similarity between the bait file and an installation package configuration file is improved, so that a construction module constructs the file template frame of the bait file, wherein the file template frame comprises a basic template frame and a core template frame, and the construction module further comprises a second acquisition module, a statistical module and an analysis comparison module; the second acquisition module is used for acquiring a plurality of installation package configuration files and decompressing each installation package configuration file to obtain a plurality of subfolders, and the subfolders under the same installation package configuration file are different; the statistical module is used for counting the ratio of the number of the subfolders with the same attribute to the number of the acquired installation package configuration files; the analysis and comparison module is used for setting a proportion threshold value, acquiring the subfile names with the proportion higher than the proportion threshold value, and storing the acquired subfile names into the basic template frame or the core template frame.
In practical application, the file structures in each installation package configuration file are slightly different, and a standard installation package configuration file structure does not exist, so that in the bait file manufacturing process, workers can conveniently and uniformly manufacture the bait files without independently manufacturing corresponding bait files aiming at different installation package configuration files, the applicability of the finally manufactured bait files is improved, and a fixed framework structure of the bait files, namely a file template framework, is introduced.
Specifically, since it is necessary to ensure high consistency between the bait file and the real installation package configuration file, the file template framework needs to refer to a structure of the real installation package configuration file, further, the staff member collects a certain number of real installation package configuration files, and the collected real installation package configuration files are installation package configuration files of different applications, so that the finally obtained file template framework has better applicability, and then decompresses a plurality of real installation package configuration files to obtain a plurality of sub-folders, for example, the sub-folders are Distribution files, Contents files, Resources files, Bom files, PackageInfo files, Payload files, and Scripts, etc., it should be noted that the sub-folders include but are not limited to the listed files, and then the sub-folders with the same name account for the proportion of all the decompressed sub-folders, for example, the sub-folder with the name of Distribution file accounts for the proportion of all the obtained by decompression, then, a proportion threshold is set, for example, the proportion threshold can be set to 90%, that is, when 90% of installation package configuration files have subfolders with the same name, the subfolders are represented in the frame necessarily existing in the bait file, so that the bait file is closer to the real installation package configuration file, and the proportion threshold can be freely adjusted according to the requirements of workers, and is not limited herein.
In this embodiment, taking the finally screened subfolders as Distribution files, Resources files, PackageInfo files, Payload files and Scripts as examples, at this time, a Distribution frame, a Resources frame, a PackageInfo frame, a Payload frame and a Scripts frame are added to the file template frame, and since the file template frame includes a basic template frame and a core template frame, the Distribution frame, the Resources frame and the PackageInfo frame are divided into the basic template frame, and the Payload frame and the Scripts frame are divided into the core template frame.
Furthermore, after the file template framework is constructed, the packing compression module is used for copying the simulation file into the basic template framework, and the files to be simulated comprise the program installation flow file, the resource file and the program installation text file, so that the program installation flow file needs to be copied into the Distribution framework, the resource file needs to be copied into the Resources framework, and the program installation text file needs to be copied into the PackageInfo framework, so that the bait file is highly similar to the configuration file of the real installation package through the copied program installation flow file, the resource file and the program installation text file.
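The template-frame statistics described in Example one and restated above can be made concrete in a few lines. The following is an added example in Python and is not code from the patent: the corpus of expanded-package listings is constructed by hand (chosen so that the 90% threshold reproduces the frame of fig. 2), and the assignment of Payload and Scripts to the core frame, the function names and the `modify` callback are assumptions made here.

```python
"""File template frame for a PKG decoy (added example; not the patent's own code).

SAMPLE_CORPUS is a constructed set of listings: for each of ten real flat packages
that were expanded, the names of its top-level entries (the patent's "sub-folders").
"""
from collections import Counter

# Assumption following fig. 2: the core frame holds the two archives that get modified.
CORE_NAMES = frozenset({"Payload", "Scripts"})

_COMMON = {"Distribution", "Resources", "PackageInfo", "Payload"}
SAMPLE_CORPUS = [
    _COMMON | {"Scripts", "Bom"},
    _COMMON | {"Scripts", "Bom"},
    _COMMON | {"Scripts", "Bom", "Contents"},
    _COMMON | {"Bom"},                      # package shipped without install scripts
    _COMMON | {"Scripts", "Bom"},
    _COMMON | {"Scripts"},
    _COMMON | {"Scripts", "Bom", "Contents"},
    _COMMON | {"Scripts", "Bom"},
    _COMMON | {"Scripts"},
    _COMMON | {"Scripts", "Bom"},
]


def build_template_frame(corpus, threshold=0.9):
    """Return (base_frame, core_frame): sorted entry names present in at least
    `threshold` of the packages in `corpus` (the patent's example threshold is 90%)."""
    if not corpus:
        raise ValueError("need at least one expanded package")
    counts = Counter(name for entries in corpus for name in set(entries))
    kept = {name for name, n in counts.items() if n / len(corpus) >= threshold}
    return sorted(kept - CORE_NAMES), sorted(kept & CORE_NAMES)


def assemble_decoy(base_frame, core_frame, package, modify):
    """Fill the frame from one expanded real package ({entry name: bytes}).

    Base entries (Distribution, Resources, PackageInfo, ...) are copied verbatim so the
    decoy keeps the real package's appearance; core entries pass through
    `modify(name, data)`, which is where the capture binary and trapping script go.
    Entries of the source package that the frame does not list are dropped.
    """
    missing = [n for n in (*base_frame, *core_frame) if n not in package]
    if missing:
        raise KeyError(f"source package lacks frame entries: {missing}")
    decoy = {n: package[n] for n in base_frame}
    decoy.update((n, modify(n, package[n])) for n in core_frame)
    return decoy


# Constructed stand-in for one expanded real package; real entries are far larger.
SAMPLE_PACKAGE = {
    "Distribution": b"<?xml version='1.0'?><installer-gui-script/>",
    "Resources": b"(directory)",
    "PackageInfo": b"<pkg-info identifier='com.example.demo'/>",
    "Payload": b"(gzip cpio)",
    "Scripts": b"(gzip cpio)",
    "Bom": b"(bom)",                  # present in the source, absent from this frame
}

if __name__ == "__main__":
    base, core = build_template_frame(SAMPLE_CORPUS)
    decoy = assemble_decoy(base, core, SAMPLE_PACKAGE, lambda n, d: d + b" +trap")
    print("base frame:", base)        # ['Distribution', 'PackageInfo', 'Resources']
    print("core frame:", core)        # ['Payload', 'Scripts']
    print("decoy entries:", sorted(decoy))
```

With the constructed corpus, Scripts appears in nine of ten packages and survives the 90% cut while Bom (eight of ten) does not, which is exactly the fig. 2 frame; lowering the threshold to 80% pulls Bom into the base frame, showing why the patent leaves the threshold adjustable.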
Once the high-fidelity part of the decoy has been produced, giving it the ability to capture an attacker requires the insertion and compression module to insert the binary capture file into the decompressed file and to compress the two together to obtain the modified compressed program file.
In practice, once the attacker opens the decoy and the capture binary runs, the request code in the binary capture file sends a request to the server asking to collect attacker information; the server receives the request and returns feedback; and the execution code carries out the command contained in that feedback. Taking a command that approves collection as the example, the binary capture file then gathers attacker information, including the attacker's attack path, account information and login location, and uploads it to the server so that staff can further assess the attacker.
In addition, the trapping script generation module generates a trapping script and inserts it into the original script file to obtain the modified script file; in particular, it obtains a list of social applications and, for each application on the list, a social-information script. The original script file consists of two gzip-compressed scripts, one executed before installation and one after it. As a standby acquisition mechanism, the trapping script is added to the original script file; it obtains, via the attacker's attack path, the attacker's social-application account and the associated accounts bound to it, for example a QQ account and the mobile number and mailbox bound to it. The social application may also be WeChat and is not limited to those listed in this embodiment.
Finally, the packaging and compression module copies the modified compressed program file and the modified script file into the core template frame to obtain the updated file frame, that is, the decoy, and compresses the updated frame to produce the decoy's compressed package for staff to use and reuse.
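The core-frame surgery described in Example one and restated above (decompress Payload, add the capture binary, recompress; add a hook to the install script in Scripts) is shown below as an added Python example that is not the patent's own code. It relies on Payload and Scripts in a flat package being gzip-compressed cpio archives in the portable ASCII ("odc", magic 070707) format; the sample archives, the capture binary, its install path and the hook line are constructed here and are assumptions.

```python
"""Core-frame surgery for a PKG decoy (added example; not the patent's own code).

Payload and Scripts inside a flat package are gzip-compressed cpio archives in the
portable ASCII "odc" format (76-byte octal header, magic 070707).  Every archive
below is built in memory; the capture binary, its install path and the postinstall
hook line are constructed assumptions.
"""
import gzip

ODC_MAGIC = b"070707"
TRAILER = "TRAILER!!!"
S_IFMT, S_IFREG, S_IFDIR = 0o170000, 0o100000, 0o040000


def _odc_header(name, mode, size, ino=0):
    # dev, uid, gid, rdev, mtime zeroed; nlink 1; namesize counts the terminating NUL.
    return b"".join((
        ODC_MAGIC, b"%06o" % 0, b"%06o" % ino, b"%06o" % mode, b"%06o" % 0, b"%06o" % 0,
        b"%06o" % 1, b"%06o" % 0, b"%011o" % 0, b"%06o" % (len(name) + 1), b"%011o" % size,
    ))


def cpio_write(entries):
    """Serialise [(name, mode, data), ...] as an odc archive ending in TRAILER!!!."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(entries, 1):
        out += _odc_header(name, mode, len(data), ino) + name.encode() + b"\0" + data
    out += _odc_header(TRAILER, 0, 0) + TRAILER.encode() + b"\0"
    return bytes(out)


def cpio_read(blob):
    """Parse an odc archive into [(name, mode, data), ...]; rejects other formats."""
    entries, off = [], 0
    while True:
        hdr = blob[off:off + 76]
        if len(hdr) < 76 or hdr[:6] != ODC_MAGIC:
            raise ValueError(f"not an odc cpio header at offset {off}")
        mode, namesize, filesize = int(hdr[18:24], 8), int(hdr[59:65], 8), int(hdr[65:76], 8)
        name = blob[off + 76:off + 75 + namesize].decode()   # drop the NUL
        off += 76 + namesize
        data, off = blob[off:off + filesize], off + filesize
        if name == TRAILER:
            return entries
        entries.append((name, mode, data))


def entries_of(archive_gz):
    """Decompress a Payload or Scripts blob and list its entries."""
    return cpio_read(gzip.decompress(archive_gz))


def insert_into_payload(payload_gz, path, binary):
    """Method step 2: unpack Payload, append the capture binary (rwxr-xr-x), repack."""
    entries = entries_of(payload_gz)
    if any(name == path for name, _, _ in entries):
        raise ValueError(f"{path} already present in Payload")
    entries.append((path, S_IFREG | 0o755, binary))
    return gzip.compress(cpio_write(entries))


def hook_install_script(scripts_gz, script, hook_line):
    """Method step 3: splice `hook_line` right after the shebang of `script`
    (./preinstall or ./postinstall); create the script if the package had none."""
    out, found = [], False
    for name, mode, data in entries_of(scripts_gz):
        if name == script:
            found = True
            head, _, tail = data.partition(b"\n")
            if not head.startswith(b"#!"):            # no interpreter line: supply one
                head, tail = b"#!/bin/sh", data
            data = head + b"\n" + hook_line.encode() + b"\n" + tail
        out.append((name, mode, data))
    if not found:
        out.append((script, S_IFREG | 0o755, b"#!/bin/sh\n" + hook_line.encode() + b"\nexit 0\n"))
    return gzip.compress(cpio_write(out))


def payload_file_count(payload_gz):
    """Regular files in Payload.  pkgbuild records this number in PackageInfo as
    <payload numberOfFiles=...>; the insertion above leaves that value stale."""
    return sum(1 for _, mode, _ in entries_of(payload_gz) if mode & S_IFMT == S_IFREG)


def sample_payload():
    """Constructed Payload: one app binary (Mach-O magic only) under ./Applications."""
    return gzip.compress(cpio_write([
        (".", S_IFDIR | 0o755, b""),
        ("./Applications", S_IFDIR | 0o755, b""),
        ("./Applications/demo", S_IFREG | 0o755, b"\xcf\xfa\xed\xfe" + b"\0" * 28),
    ]))


def sample_scripts():
    """Constructed Scripts archive holding the package's own postinstall."""
    return gzip.compress(cpio_write([
        (".", S_IFDIR | 0o755, b""),
        ("./postinstall", S_IFREG | 0o755, b"#!/bin/sh\n/usr/bin/touch /tmp/demo-installed\nexit 0\n"),
    ]))


if __name__ == "__main__":
    # $3 is the target-volume argument Installer passes to install scripts.
    payload = insert_into_payload(sample_payload(), "./Applications/demo-helper", b"\xcf\xfa\xed\xfe")
    scripts = hook_install_script(sample_scripts(), "./postinstall", '"$3/Applications/demo-helper" &')
    print([name for name, _, _ in entries_of(payload)])
    print({n: d for n, _, d in entries_of(scripts)}["./postinstall"].decode())
    print("files in Payload:", payload_file_count(payload), "(PackageInfo still says 1)")
```

The hook launches the capture binary from postinstall, which Installer runs after the Payload has been written, using `$3`, the target-volume argument Installer passes to install scripts. `payload_file_count` is the check a defender would run against a suspect package: pkgbuild records the payload's file count and size in PackageInfo (`<payload numberOfFiles=... installKBytes=.../>`) and Bom lists every path, and neither is touched by this surgery, so a mismatch between them and the actual Payload exposes a modified package, as does a failed `pkgutil --check-signature`.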
In a red/blue confrontation, the defending side uses the decoy file to lure the attacker; to counter-trap an attacker, the defender sends the decoy's compressed package to the attacker by e-mail or through social software.
Example three
A computer-readable storage medium stores a computer program which, when executed by a processor, implements the PKG decoy file generation method described in Example one.
More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wire segments, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
In the present application, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable signal medium, by contrast, may include a propagated data signal with computer readable program code embodied therein, for example in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into modules or units is only one kind of logical division, and other divisions are possible in actual implementation; for example, multiple units, modules, or components may be combined or integrated into another device, or some features may be omitted or not executed.
The units may or may not be physically separate, and components displayed as units may be one physical unit or a plurality of physical units, that is, may be located in one place, or may be distributed to a plurality of different places. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer-readable medium, the computer program comprising program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section, and/or installed from a removable medium. The computer program, when executed by a Central Processing Unit (CPU), performs the above-described functions defined in the method of the present application. It should be noted that the computer readable medium mentioned above in the present application may be a computer readable signal medium or a computer readable storage medium or any combination of the two. The computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The above description is only an embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions within the technical scope of the present invention are intended to be covered by the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (10)

1. A PKG decoy file generation method, characterized by comprising the following steps:
acquiring a file to be simulated, a program compression original file and a script original file from an installation package configuration file;
acquiring a decompressed file of the program compression original file, inserting a binary capture file into the decompressed file, and compressing the decompressed file together with the binary capture file to obtain a program compression modification file;
generating a trapping script, and inserting the trapping script into the script original file to obtain a script modification file;
constructing a file template frame of the decoy file, wherein the file template frame comprises a base template frame and a core template frame, and the core template frame comprises a Payload frame and a Scripts frame;
and copying the file to be simulated into the base template frame, copying the program compression modification file into the Payload frame, and copying the script modification file into the Scripts frame to obtain the decoy file.
2. The method of claim 1, wherein the binary capture file comprises request command data, acquire-and-collect command data, transmit command data, and execute command data.
3. The PKG decoy file generation method of claim 1, wherein generating the trapping script comprises the following step:
acquiring a social software list, and acquiring the social information script of each piece of social software according to the social software list.
4. The method of claim 1, wherein constructing the file template frame of the decoy file comprises the following steps:
acquiring a plurality of installation package configuration files, and acquiring a plurality of sub-folders of each installation package configuration file, wherein the sub-folders under the same installation package configuration file are distinct from one another;
and counting the ratio of the number of sub-folders having the same attribute to the number of acquired installation package configuration files, setting a proportion threshold, acquiring the sub-folder names whose ratio is higher than the proportion threshold, and storing the acquired sub-folder names into the base template frame or the core template frame.
5. The method of claim 1, wherein the files to be simulated include program installation process files, resource files, and program installation text files.
6. A PKG decoy file generation system, characterized by comprising:
a first acquisition module, configured to acquire a file to be simulated, a program compression original file and a script original file from an installation package configuration file, and further configured to acquire a decompressed file of the program compression original file;
an insertion and compression module, configured to insert a binary capture file into the decompressed file and to compress the decompressed file together with the binary capture file to obtain a program compression modification file;
a trapping script generation module, configured to generate a trapping script and to insert the trapping script into the script original file to obtain a script modification file;
a construction module, configured to construct a file template frame of the decoy file, wherein the file template frame comprises a base template frame and a core template frame, and the core template frame comprises a Payload frame and a Scripts frame;
and a packing and compression module, configured to copy the file to be simulated into the base template frame, copy the program compression modification file into the Payload frame, and copy the script modification file into the Scripts frame to obtain the decoy file.
7. The system of claim 6, further comprising a binary capture file generation module configured to generate the request command data, the acquire-and-collect command data, the transmit command data, and the execute command data.
8. The PKG decoy file generation system of claim 6, wherein the trapping script generation module is further configured to acquire a social software list and to acquire the social information script of each piece of social software according to the social software list.
9. The system of claim 6, wherein the construction module further comprises a second acquisition module, a statistics module, and an analysis and comparison module;
the second acquisition module is configured to acquire a plurality of installation package configuration files and to acquire a plurality of sub-folders of each installation package configuration file, wherein the sub-folders under the same installation package configuration file are distinct from one another;
the statistics module is configured to count the ratio of the number of sub-folders having the same attribute to the number of acquired installation package configuration files;
the analysis and comparison module is configured to set a proportion threshold, acquire the sub-folder names whose ratio is higher than the proportion threshold, and store the acquired sub-folder names into the base template frame or the core template frame.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the PKG decoy file generation method of any one of claims 1 to 5.
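As an added worked example (not code from the patent or its assignee), the sub-folder ratio statistic of claims 4 and 9 run over a constructed corpus of installer layouts: the package names, the entry names, and the rule that Payload and Scripts belong to the core template frame while every other entry above the threshold goes into the base template frame are assumptions made for illustration.

```python
from collections import Counter
from typing import Dict, List

# Constructed corpus: top-level entries seen in several hypothetical expanded
# installer packages. Names are illustrative, not taken from real packages.
SAMPLE_PACKAGES: Dict[str, List[str]] = {
    "pkgA": ["Bom", "PackageInfo", "Payload", "Scripts", "Resources"],
    "pkgB": ["Bom", "PackageInfo", "Payload", "Scripts", "Distribution"],
    "pkgC": ["Bom", "PackageInfo", "Payload", "Resources", "Distribution"],
    "pkgD": ["PackageInfo", "Payload", "Scripts", "Plugins"],
}

# Assumption: entries the method places in the core template frame; every other
# entry that passes the threshold goes into the base template frame.
CORE_FRAME_NAMES = {"Payload", "Scripts"}


def subfolder_ratios(packages: Dict[str, List[str]]) -> Dict[str, float]:
    """For each sub-folder name, the ratio of packages containing it to the
    number of packages acquired (the statistic of claims 4 and 9)."""
    if not packages:
        return {}
    counts: Counter = Counter()
    for entries in packages.values():
        # Entries under one package are distinct, so count a name once per package.
        counts.update(set(entries))
    total = len(packages)
    return {name: count / total for name, count in counts.items()}


def build_template_frames(packages: Dict[str, List[str]],
                          threshold: float) -> Dict[str, List[str]]:
    """Keep only the names whose ratio is strictly above the threshold and
    split them into the base and core template frames."""
    selected = {name for name, ratio in subfolder_ratios(packages).items()
                if ratio > threshold}
    return {
        "base": sorted(selected - CORE_FRAME_NAMES),
        "core": sorted(selected & CORE_FRAME_NAMES),
    }


if __name__ == "__main__":
    frames = build_template_frames(SAMPLE_PACKAGES, threshold=0.5)
    print(frames)  # {'base': ['Bom', 'PackageInfo'], 'core': ['Payload', 'Scripts']}
```

Entries present in exactly half of the corpus (Resources, Distribution) are dropped at a 0.5 threshold because the claim requires a ratio strictly higher than the threshold.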

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210317728.1A CN114416668B (en) 2022-03-29 2022-03-29 Method and system for generating PKG (public key gateway) decoy file

Publications (2)

Publication Number Publication Date
CN114416668A CN114416668A (en) 2022-04-29
CN114416668B true CN114416668B (en) 2022-07-08

Family

ID=81264170

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210317728.1A Active CN114416668B (en) 2022-03-29 2022-03-29 Method and system for generating PKG (public key gateway) decoy file

Country Status (1)

Country Link
CN (1) CN114416668B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106445608A (en) * 2010-01-27 2017-02-22 中兴通讯股份有限公司 Software installation pack installing method and installing device
CN108459852A (en) * 2018-01-30 2018-08-28 美通云动(北京)科技有限公司 Script processing method and device, storage medium, electronic equipment
CN110297643A (en) * 2019-06-04 2019-10-01 平安科技(深圳)有限公司 Method, apparatus, equipment and the storage medium of application program injection dynamic base
JP2020173740A (en) * 2019-04-15 2020-10-22 株式会社インタープレジゼント Targeted email open detection and preventive training system thereof
CN112685913A (en) * 2021-01-12 2021-04-20 上海交通大学 Infrared decoy bullet efficiency simulation method and system based on Unity
CN113037777A (en) * 2021-04-09 2021-06-25 广州锦行网络科技有限公司 Honeypot bait distribution method and device, storage medium and electronic equipment
CN113515464A (en) * 2021-09-14 2021-10-19 广州锦行网络科技有限公司 Honeypot testing method and device based on linux system
CN113626811A (en) * 2021-07-19 2021-11-09 武汉大学 Lured-software early detection method and system based on decoy file
CN113672502A (en) * 2021-08-03 2021-11-19 广州方硅信息技术有限公司 Program multi-system testing method and corresponding device, equipment and medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Web Server Protection against Application Layer DDoS Attacks Using Machine Learning and Traffic Authentication"; Jema David Ndibwile et al.; Annual Computer Software and Applications Conference; 20150924; full text *
"A timely ransomware detection method based on decoy files"; Yang Zheng et al.; Journal of Wuhan University; 20201031; full text *

Also Published As

Publication number Publication date
CN114416668A (en) 2022-04-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: 1st Floor, Building 3, No. 2616, Yuhangtang Road, Cangqian Street, Yuhang District, Hangzhou City, Zhejiang Province, 311100

Patentee after: HANGZHOU MOAN TECHNOLOGY CO.,LTD.

Address before: 311100 10th floor, Block E, building 1, 1378 Wenyi West Road, Cangqian street, Yuhang District, Hangzhou City, Zhejiang Province

Patentee before: HANGZHOU MOAN TECHNOLOGY CO.,LTD.