CN114465747B - Active deception defense method and system based on dynamic port disguise - Google Patents

Publication number: CN114465747B
Authority: CN (China)
Prior art keywords: service, port, honeypot, request, service request
Legal status: Active
Application number: CN202111146929.1A
Other languages: Chinese (zh)
Other versions: CN114465747A
Inventor: 张长河
Current assignee: Beijing Weida Information Technology Co ltd
Original assignee: Beijing Weida Information Technology Co ltd
Events: application filed by Beijing Weida Information Technology Co ltd; priority to CN202111146929.1A; publication of CN114465747A; application granted; publication of CN114465747B; current legal status: active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment


Abstract

The application discloses an active deception defense method and system based on dynamic port disguise, which relates to the technical field of network defense. The method comprises the following steps: deploying honeypots on a plurality of network nodes, the network nodes including real nodes connected to protected objects; configuring a base port and a plurality of open ports of the honeypot, and configuring a plurality of virtual services of the honeypot based on the base port, the open ports and a preset server; acquiring a service request from an access terminal; analyzing the service request to obtain an analysis result; and selecting the protected object or the honeypot to respond to the service request according to the analysis result. The method and system have the effect of defending against an attacker through active deception.

Description

Active deception defense method and system based on dynamic port disguise
Technical Field
The application relates to the technical field of network defense, in particular to an active deception defense method and system based on dynamic port camouflage.
Background
A network attack is any unauthorized entry into, or attempt to access, another party's computer network, including attacks on the network as a whole as well as attacks on servers or individual computers within it. In recent years network attacks have become frequent and pose a serious threat to network security; although there are many attack targets and attack modes, an exposed IP address is the most effective entry point for most attackers, so corresponding defense measures need to be taken at the port level.
In the related art, honeypot technology is generally adopted for defense. Honeypot technology is essentially a technique for deceiving attackers: baits, usually servers or hosts with open services, are arranged to induce attackers to attack them. Once an attack has been induced, the attack behavior can be captured and analyzed, the tools and methods used by the attacker become known, the attack intention and motivation can be inferred, the defender gains a clear view of the security threats it faces, and the protection of the real system is strengthened through technical and management means.
With respect to the related art above, the inventors consider that the following drawback exists: defense by honeypot technology is passive, namely a fixed port is opened and a fixed service is configured to induce attacks. Because honeypot technology is so widely used, an attacker may carry out probing attacks beforehand to explore the defender's state, and since a honeypot in this passive state gives uniform feedback, it is easy to identify and inflexible.
Disclosure of Invention
To overcome the poor flexibility of honeypots in defending against network attacks, the application provides an active deception defense method and system based on dynamic port disguise.
In a first aspect, the present application provides an active deception defense method based on dynamic port disguise, comprising the following steps:
deploying honeypots on network nodes connected to the protected objects;
configuring an integrated port of the honeypot, and configuring a plurality of virtual services of the honeypot based on the integrated port and a preset server;
acquiring a service request from an access terminal;
analyzing the service request to obtain an analysis result;
and selecting the protected object or the honeypot to respond to the service request according to the analysis result.
With this scheme, the honeypot is deployed at the network node connected to the protected object to form a protection system. A honeypot usually comprises a base port and the related service corresponding to that base port, so the base port can be configured to be open and its related service configured as a virtual service; the honeypot also has a plurality of open ports that can be opened, but it cannot itself simulate the services corresponding to those open ports. If the honeypot only provided a service on the base port, an attacker could easily detect the honeypot by probing the plurality of ports several times.
Therefore the honeypot is combined with the preset server, and services in that server are configured as the virtual services corresponding to the open ports, completing the disguise of the honeypot ports. After the ports and services are configured, a service request is obtained and analyzed, mainly for its rationality, and according to that rationality either a normal service response through the protected object or a disguised service response through the honeypot is selected. When the honeypot gives the disguised response, because all of its ports are configured with virtual services, even if an attacker probes several ports, every port can flexibly and actively feed back to confuse the attacker, thereby inducing the attack.
Optionally, the integrated port includes a base port and a plurality of open ports, and configuring a plurality of virtual services of the honeypot based on the integrated port and a preset server includes the following steps:
configuring a first virtual service of the honeypot according to the base port;
establishing a communication connection between the honeypot and a preset server;
acquiring the port type of each open port;
and configuring a corresponding second virtual service in the server according to the port type.
With this scheme, the related service carried by the base port of the honeypot is first configured as the first virtual service, and then the corresponding services are configured in the server as second virtual services according to the port types of the honeypot's open ports. Only the services corresponding to the open ports are configured in the server, so that interference from other unrelated services is reduced and the disguise of the honeypot ports is not weakened.
Optionally, analyzing the service request to obtain an analysis result includes the following steps:
acquiring request information of the service request, the request information including a destination address;
determining whether the destination address is the integrated port of the honeypot or a target port of the protected object;
if the destination address is the integrated port, obtaining a first analysis result, namely that the service request is defined as an unreasonable request;
and if the destination address is a target port of the protected object, performing a comprehensive analysis of the access terminal and of the protected object corresponding to the destination address according to the request information, to obtain a second analysis result.
With this scheme, after the service request is obtained its rationality needs to be analyzed. First the destination address is examined: if it is a port of the honeypot, the service request may be a service attack on a randomly chosen port, and it is therefore defined as an unreasonable request; if it is a port of the protected object, the service request may be a normal request, but a service attack on a randomly chosen port cannot be excluded, so a further comprehensive analysis of the access terminal that sent the request and of the protected object it addresses is needed, allowing the rationality of the request to be determined more accurately.
Optionally, the request information further includes basic information about the access terminal, and performing the comprehensive analysis of the access terminal and the protected object corresponding to the destination address according to the request information to obtain a second analysis result includes the following steps:
looking up the basic information in a preset access terminal blacklist to obtain a lookup result, the access terminal blacklist storing the basic information of access terminals with historically suspicious access behavior;
determining from the lookup result whether the access terminal is in the access terminal blacklist;
if the access terminal is in the access terminal blacklist, obtaining a second analysis result, namely that the service request is defined as an unreasonable request;
if the access terminal is not in the access terminal blacklist, determining whether the security level of the target protected object exceeds a preset security alert line;
if the security level of the target protected object exceeds the preset security alert line, obtaining a second analysis result, namely that the service request is defined as an unreasonable request;
and if the security level of the target protected object does not exceed the preset security alert line, obtaining a second analysis result, namely that the service request is defined as a reasonable request.
With this scheme, when the destination address of the service request is a port of the protected object, it is first determined whether the access terminal that sent the request is in the access terminal blacklist; if it is, the service request is directly determined to be an unreasonable request. If it is not, a further judgement is made according to the security level of the protected object addressed by the request, because protected objects differ in importance and therefore in security level, and some protected objects with a high security level must not expose their services directly; if the security alert line is not exceeded, the service request is determined to be a reasonable request.
Optionally, selecting the protected object or the honeypot to respond to the service request according to the analysis result includes the following steps:
determining whether the service request is a reasonable request according to the analysis result;
if the service request is a reasonable request, selecting the protected object to respond to the service request;
and if the service request is an unreasonable request, selecting the honeypot to respond to the service request.
With this scheme, a reasonable request receives a normal service response from the protected object; an unreasonable request may be a service attack on a randomly chosen port, so the honeypot and its configured virtual services give a virtual service response that induces the access terminal to keep attacking the honeypot.
Optionally, selecting the honeypot to respond to the service request includes the following steps:
establishing a communication connection between the access terminal and the honeypot;
identifying the server type of the server;
switching the response mode of the honeypot based on the server type;
determining from the destination address whether the service request accesses the base port or an open port;
if the service request accesses the base port, responding to the service request through the honeypot based on the first virtual service;
and if the service request accesses an open port, querying the server for the second virtual service corresponding to that open port, and responding to the service request through the honeypot based on the second virtual service.
With this scheme, when the service request is judged to be unreasonable, a virtual path between the access terminal and the honeypot is established, and before the honeypot responds its response mode is switched according to the type of the preset server, so that a server that needs protection receives the necessary protection. After the response mode is switched, it is determined whether the target of the access request is the base port or an open port of the honeypot: for the base port the response is based on the configured first virtual service, and for an open port it is based on the corresponding second virtual service configured in the server.
Optionally, the server types include an idle server and a temporary server, and switching the response mode of the honeypot based on the server type includes the following steps:
determining whether the server type is the idle server or the temporary server;
if the server type is the idle server, switching the response mode of the honeypot to a read-write mode;
and if the server type is the temporary server, switching the response mode of the honeypot to a read-only mode.
With this scheme, the idle server is a server without actual use value and the temporary server is a server with actual use value. When the preset server is of the idle type, service requests need not be restricted: the honeypot is switched to read-write mode and the access terminal can read and/or write data through its service requests. When the preset server is of the temporary type, the honeypot needs to be switched to read-only mode to protect the temporary server, and the access terminal can then only read data, not write it, through its service requests.
Optionally, after selecting the honeypot to respond to the service request, the method further includes the following steps:
counting the number of accesses to each integrated port;
sorting the integrated ports by access count in descending order to obtain a sorting result;
and adjusting the priority of the virtual services based on the sorting result.
With this scheme, since most service requests sent to the integrated ports of the honeypot are service attacks, the access counts of the integrated ports reflect how interested the access terminals are in the different ports. Sorting the integrated ports by access count and adjusting the priority of the virtual services accordingly lets the honeypot respond faster when an access terminal attacks a port of interest again, which strengthens the effect of inducing the attack.
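The request analysis, responder selection, response-mode switch and access-count ranking described above, implemented as one added Python example (this is not code from the patent or its assignee); the hosts, terminal identifiers, security levels, alert line and the `op` field of a request are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class ServiceRequest:
    terminal_id: str   # device or network identifier of the access terminal
    dst_host: str
    dst_port: int
    op: str = "read"   # "read" or "write"; assumed field, not named in the patent


@dataclass
class ProtectedObject:
    host: str
    target_ports: frozenset
    security_level: int


@dataclass
class Honeypot:
    host: str
    base_port: int          # port whose service the honeypot emulates itself
    first_service: str      # first virtual service, e.g. SSH on port 22
    second_services: dict   # open port -> second virtual service from the preset server
    server_type: str        # "idle" (no real use value) or "temporary" (has use value)
    access_counts: Counter = field(default_factory=Counter)

    def integrated_ports(self):
        return {self.base_port, *self.second_services}

    def response_mode(self):
        # Idle server: nothing to protect, allow read-write; temporary server: read-only.
        return "read-write" if self.server_type == "idle" else "read-only"

    def respond(self, req, reason):
        """Disguised service response; every access is counted for later ranking."""
        self.access_counts[req.dst_port] += 1
        mode = self.response_mode()
        if req.dst_port == self.base_port:
            service, source = self.first_service, "honeypot"
        elif req.dst_port in self.second_services:
            service, source = self.second_services[req.dst_port], "preset server"
        else:
            # Assumption: a port with no configured virtual service is not emulated.
            service, source = None, None
        accepted = service is not None and not (mode == "read-only" and req.op == "write")
        return {"responder": "honeypot", "port": req.dst_port, "service": service,
                "source": source, "mode": mode, "accepted": accepted, "reason": reason}

    def service_priority(self):
        """Rank integrated ports by access count, most probed first (ties by port)."""
        ranked = sorted(self.integrated_ports(),
                        key=lambda p: (-self.access_counts[p], p))
        return {port: rank for rank, port in enumerate(ranked, start=1)}


def analyze(req, honeypot, protected, blacklist, alert_line):
    """Return (reasonable, reason) after the destination, blacklist and level checks."""
    if req.dst_host == honeypot.host and req.dst_port in honeypot.integrated_ports():
        return False, "destination is a honeypot integrated port"
    target = protected.get(req.dst_host)
    if target is None or req.dst_port not in target.target_ports:
        # Assumption: a destination that is neither a honeypot port nor a protected
        # target port is treated like a randomly chosen port, i.e. unreasonable.
        return False, "destination is not a known target port"
    if req.terminal_id in blacklist:
        return False, "access terminal is blacklisted"
    if target.security_level > alert_line:
        return False, "target security level exceeds the alert line"
    return True, "passed comprehensive analysis"


def dispatch(req, honeypot, protected, blacklist, alert_line):
    """Reasonable requests go to the protected object, the rest to the honeypot."""
    reasonable, reason = analyze(req, honeypot, protected, blacklist, alert_line)
    if reasonable:
        return {"responder": "protected_object", "host": req.dst_host,
                "port": req.dst_port, "accepted": True, "reason": reason}
    return honeypot.respond(req, reason)


def run_demo():
    """Constructed sample deployment and requests (not taken from the patent)."""
    # Port-to-service map as in the patent's example (IANA assigns 23 to Telnet, 21 to FTP).
    honeypot = Honeypot("10.0.0.9", 22, "ssh", {23: "ftp", 80: "http", 445: "smb"},
                        "temporary")
    protected = {
        "10.0.0.10": ProtectedObject("10.0.0.10", frozenset({80, 443}), 2),
        "10.0.0.11": ProtectedObject("10.0.0.11", frozenset({22}), 9),  # core object
    }
    blacklist, alert_line = {"term-bad"}, 5
    requests = [
        ServiceRequest("term-ok", "10.0.0.10", 80),           # normal access
        ServiceRequest("term-ok", "10.0.0.9", 445, "write"),  # probe of a honeypot port
        ServiceRequest("term-bad", "10.0.0.10", 80),          # blacklisted terminal
        ServiceRequest("term-ok", "10.0.0.11", 22),           # target above alert line
        ServiceRequest("term-ok", "10.0.0.9", 445),           # honeypot port probed again
    ]
    results = [dispatch(r, honeypot, protected, blacklist, alert_line) for r in requests]
    return results, honeypot.service_priority()
```

In read-only mode the write probe against port 445 is refused, while the same port read is answered by the preset server's SMB service; the ranking afterwards puts the most probed port first.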
In a second aspect, the present application further provides an active deception defense system based on dynamic port disguise, comprising:
a disguise module, in which the honeypot is deployed, which establishes communication connections with the protected object, the access terminal and the server respectively, and which is used to acquire the service request of the access terminal and respond to it;
an analysis module, used to analyze the service request;
and a configuration module, used to acquire the first virtual service of the honeypot and the second virtual service of the server and to configure them.
With this scheme, the honeypot is deployed in the disguise module. A honeypot usually comprises a base port and the related service corresponding to that base port, so the base port can be opened by configuring it through the configuration module, and its related service configured as a virtual service; the honeypot also has a plurality of open ports that can be opened, but it cannot itself simulate the services corresponding to those open ports. If the honeypot only provided a service on the base port, an attacker could easily detect the honeypot by probing the plurality of ports several times.
Therefore the honeypot is combined with the preset server, and services in that server are configured through the configuration module as the virtual services corresponding to the open ports, completing the disguise of the honeypot ports. After the ports and services are configured, a service request is obtained and analyzed by the analysis module, mainly for its rationality, and according to that rationality either a normal service response through the protected object or a disguised service response through the honeypot deployed in the disguise module is selected. When the honeypot gives the disguised response, because all of its ports are configured with virtual services, even if an attacker makes probing attacks on several ports, every port can flexibly and actively feed back to confuse the attacker, thereby inducing the attack.
In summary, the present application has at least one of the following beneficial technical effects:
1. The honeypot is combined with a preset server, and services in that server are configured as the virtual services corresponding to the open ports, completing the disguise of the honeypot ports. After the ports and services are configured, a service request is obtained and analyzed, mainly for its rationality, and according to that rationality either a normal service response through the protected object or a disguised service response through the honeypot is selected. When the honeypot gives the disguised response, because all of its ports are configured with virtual services, even if an attacker makes probing attacks on several ports, every port can flexibly and actively feed back to confuse the attacker, thereby inducing the attack.
2. Because the idle server is a server without actual use value and the temporary server is a server with actual use value, when the preset server is of the idle type service requests need not be restricted: the honeypot is switched to read-write mode and the access terminal can read and/or write data through its service requests; when the preset server is of the temporary type, the honeypot needs to be switched to read-only mode to protect the temporary server, and the access terminal can then only read data, not write it, through its service requests.
Drawings
Fig. 1 is a schematic flowchart of an active spoofing defense method based on dynamic port masquerading according to an embodiment of the present application.
Fig. 2 is a schematic flow chart of configuring virtual services of honeypots according to an embodiment of the present application.
Fig. 3 is a schematic flowchart illustrating a process of analyzing a service request and obtaining an analysis result according to an embodiment of the present application.
Fig. 4 is a schematic flowchart of performing comprehensive analysis on the access terminal and the protected object to further obtain an analysis result according to an embodiment of the present application.
Fig. 5 is a schematic flowchart of selecting different objects according to an analysis result to perform a service response according to an embodiment of the present application.
Fig. 6 is a schematic flow chart of a service response through a honeypot according to an embodiment of the present application.
Fig. 7 is a flow chart illustrating a response mode of switching honeypots according to an embodiment of the present disclosure.
Fig. 8 is a flowchart illustrating an exemplary process of adjusting the virtual service priority according to an embodiment of the present application.
Detailed Description
The present application is described in further detail below with reference to figures 1-8.
The embodiment of the application discloses an active deception defense method based on dynamic port disguise.
Referring to fig. 1, the active deception defense method based on dynamic port disguise includes the following steps:
101. Deploying honeypots on network nodes connected to the protected objects.
The network nodes comprise connection nodes and virtual nodes. The connection nodes are used for communication with a plurality of protected objects. At least one virtual node is usually configured; a virtual network is built from all the virtual nodes, and at least one virtual node is selected as a virtual gateway, which only needs to answer access to the gateway and does not implement the gateway's other functions; the honeypots are deployed in this virtual network. The virtual network built from the virtual nodes virtualizes arbitrary devices, including hosts and switches, according to a preset strategy, and is managed through a configuration file. A protected object may be a host or a switch, or another hardware device or software system.
102. Configuring an integrated port of the honeypot, and configuring a plurality of virtual services of the honeypot based on the integrated port and a preset server.
A honeypot is usually provided with service information only for a specific port: if the honeypot is provided with port 22, it can open the SSH service through configuration. The honeypot can also open other ports, such as port 80 or port 23, but it does not support the services of those ports, so the corresponding services need to be provided by the server.
103. Acquiring a service request from the access terminal.
Trusted access terminals are calibrated by setting an access terminal whitelist and recording the device identifier or network identifier of each trusted access terminal in it.
104. Analyzing the service request to obtain an analysis result.
The analysis is mainly directed at the rationality of the service request.
105. Selecting the protected object or the honeypot to respond to the service request according to the analysis result.
The implementation principle of this embodiment is as follows:
the honeypot is deployed at a network node connected to a protected object to form a protection system. A honeypot usually comprises a base port and the related service corresponding to that base port, so the base port can be configured to be open and its related service configured as a virtual service; the honeypot also has a plurality of open ports that can be opened, but it cannot itself simulate the services corresponding to those open ports. If the honeypot only provided a service on the base port, an attacker could easily detect the honeypot by probing the plurality of ports several times.
Therefore the honeypot is combined with the preset server, and services in that server are configured as the virtual services corresponding to the open ports, completing the disguise of the honeypot ports. After the ports and services are configured, a service request is obtained and analyzed, mainly for its rationality, and according to that rationality either a normal service response through the protected object or a disguised service response through the honeypot is selected. When the honeypot gives the disguised response, because all of its ports are configured with virtual services, even if an attacker probes several ports, every port can flexibly and actively feed back to confuse the attacker, thereby inducing the attack.
In step 102 of the embodiment shown in fig. 1, the integrated port of the honeypot includes a base port and a plurality of open ports. The honeypot has a related service adapted to the base port, while the services adapted to the open ports need to be provided by a server, so the base port service and the open port services are configured separately when the virtual services are configured, as described in detail with reference to the embodiment shown in fig. 2.
Referring to fig. 2, configuring the virtual services of the honeypot comprises the following steps:
201. Configuring the first virtual service of the honeypot according to the base port.
If the honeypot is provided with the SSH service, it can trap SSH attacks; the trapped port is port 22, which is the base port, and the SSH service is configured as the first virtual service.
202. Establishing a communication connection between the honeypot and the preset server.
203. Acquiring the port type of each open port.
The port types of the open ports include, for example, port 23, port 80 and port 445.
204. Configuring a corresponding second virtual service in the server according to the port type.
For the ports given as examples in step 203, the FTP service, the HTTP service and the SMB service need to be configured in the server and used as the second virtual services.
The implementation principle of this embodiment is as follows:
the related service carried by the base port of the honeypot is first configured as the first virtual service, and then the corresponding services are configured in the server as second virtual services according to the port types of the honeypot's open ports. Only the services corresponding to the open ports are configured in the server, so that interference from other unrelated services is reduced and the disguise of the honeypot ports is not weakened.
In step 104 of the embodiment shown in fig. 1, analyzing the service request mainly requires analyzing and determining its rationality, as described in detail with the embodiment shown in fig. 3.
Referring to fig. 3, analyzing the service request and obtaining the analysis result includes the following steps:
301. Acquiring the request information of the service request.
The request information includes the detailed path, the destination address, the requested target object and similar information.
302. Determining whether the destination address is the integrated port or a target port of the protected object; if it is the integrated port, executing step 303, and if it is a target port of the protected object, executing step 304.
The destination address of a normal, trusted service request usually points to a target port of the protected object.
303. Obtaining a first analysis result.
The integrated port of the honeypot is a virtual, disguised port; if the destination address of a service request points directly at the integrated port, the first analysis result is obtained and the service request is defined as an unreasonable request.
304. Comprehensively analyzing the access terminal and the protected object corresponding to the destination address according to the request information, to obtain a second analysis result.
The implementation principle of this embodiment is as follows:
after the service request is obtained its rationality needs to be analyzed. First the destination address is examined: if it is a port of the honeypot, the service request may be a service attack on a randomly chosen port and is therefore defined as an unreasonable request; if it is a port of the protected object, the service request may be a normal request, but it cannot be excluded that it is a service attack on a randomly chosen port.
In step 304 of the embodiment shown in fig. 3, since the service attack that the service request is a randomly selected port cannot be excluded, it is necessary to further perform comprehensive analysis on the access terminal initiating the request and the protected object of the service requested by the access terminal, so that the rationality of the service request can be determined more accurately, which is specifically described in detail with the embodiment shown in fig. 4.
Referring to fig. 4, the step of performing comprehensive analysis on the access terminal and the protected object to further obtain an analysis result includes the following steps:
401, retrieving the basic information according to a preset access terminal blacklist to obtain a retrieval result.
The access terminal blacklist stores the basic information of access terminals with historically suspicious access behaviour; these access terminals are identified and screened out from the historical access behaviour of all access terminals.
402, judging whether the access terminal exists in the access terminal blacklist according to the retrieval result; if the access terminal exists in the access terminal blacklist, executing step 403; if the access terminal does not exist in the access terminal blacklist, executing step 404.
403, obtaining a second analysis result, which defines the service request as an unreasonable request.
404, judging whether the security level of the target protected object exceeds a preset security alert line; if the security level of the target protected object exceeds the preset security alert line, executing step 405; if it does not exceed the preset security alert line, executing step 406.
Because different protected objects have different security levels, and some core protected objects with high security levels do not open services at all, the security alert line is used to judge whether the target protected object requested by the service request is a core protected object.
405, obtaining a second analysis result, which defines the service request as an unreasonable request.
406, obtaining a second analysis result, which defines the service request as a reasonable request.
The implementation principle of the embodiment is as follows:
When the destination address of the service request is a port of a protected object, it is first judged whether the access terminal sending the request exists in the access terminal blacklist; if it does, the service request sent by that access terminal is directly determined to be an unreasonable request. If the access terminal is not in the blacklist, a further judgment is made according to the security level of the protected object whose service the access terminal requested, because protected objects of different importance have different security levels and some protected objects with a high security level do not open services directly: if the security level exceeds the security alert line, the service request is determined to be an unreasonable request; if the security alert line is not exceeded, the service request is determined to be a reasonable request.
In the steps of the embodiments shown in fig. 2 to fig. 4, analyzing the rationality of the service request yields two different analysis results, namely a first analysis result and a second analysis result, and different objects must be selected to perform the service response according to these results; this is described in detail with the embodiment shown in fig. 5.
Referring to fig. 5, selecting different objects for service response according to the analysis result includes the following steps:
501, judging whether the service request is a reasonable request according to the analysis result; if the service request is a reasonable request, executing step 502; if the service request is not a reasonable request, executing step 503.
502, selecting the protected object to perform service response on the service request.
503, selecting the honeypot to perform service response on the service request.
The implementation principle of the embodiment is as follows:
If the service request is a reasonable request, the normal service response is performed by the protected object; if the service request is an unreasonable request, it may be a service attack on a randomly selected port, so the honeypot performs a virtual service response to the service request with the configured virtual service, inducing the access terminal to continue attacking the honeypot.
In step 503 of the embodiment shown in fig. 5, since the analysis has determined that the service request may be a service attack by an attacker, the honeypot performs the service response to the service request so as to keep inducing the attacker to attack the honeypot and thereby protect the protected object; the specific process of the honeypot's service response is described in detail with the embodiment shown in fig. 6.
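The rationality analysis of fig. 3 and fig. 4 and the responder selection of fig. 5 (steps 301 to 503), modelled as an added Python example; this is not code from the patent, and the port numbers, protected object names, security levels, alert line and blacklist entry are constructed sample values. A destination port that is neither a honeypot port nor a configured target port is not covered by the patent text; the model treats it like a disguised port, which is an assumption.

```python
"""Rationality analysis (fig. 3, fig. 4) and responder selection (fig. 5),
modelled in Python. Added example; every value below is a constructed sample."""
from dataclasses import dataclass

# Constructed deployment. The honeypot's comprehensive (integrated) ports are
# disguised ports; the protected objects listen on their own target ports.
HONEYPOT_PORTS = {2222, 8081, 9000}
PROTECTED_PORTS = {22: "db-core", 443: "web-frontend"}  # target port -> protected object
SECURITY_LEVEL = {"db-core": 9, "web-frontend": 3}     # higher = more sensitive
SECURITY_ALERT_LINE = 7                                  # preset alert line (assumed value)
BLACKLIST = {"10.0.0.66"}  # access terminals with historically suspicious behaviour


@dataclass
class ServiceRequest:
    """Request information (step 301): terminal basic info, destination address, path."""
    source: str      # basic information of the access terminal (IP address here)
    dest_port: int   # destination address, reduced to the destination port
    path: str = "/"  # detailed path / requested target object


@dataclass
class AnalysisResult:
    kind: str        # "first" (step 303) or "second" (step 304 / fig. 4)
    reasonable: bool
    reason: str


def analyze(req):
    """Steps 302-304 and 401-406: decide whether the request is reasonable."""
    # Step 302: comprehensive port of the honeypot, or target port of a protected object?
    if req.dest_port in HONEYPOT_PORTS:
        # Step 303: a trusted request never points at a disguised port.
        return AnalysisResult("first", False, "destination is a honeypot comprehensive port")
    if req.dest_port not in PROTECTED_PORTS:
        # Not covered by the patent text; fail closed and treat it like a disguised port (assumption).
        return AnalysisResult("first", False, "destination is not a configured target port")
    # Steps 401-403: look the access terminal up in the blacklist.
    if req.source in BLACKLIST:
        return AnalysisResult("second", False, "access terminal is blacklisted")
    # Steps 404-406: compare the target's security level with the alert line.
    target = PROTECTED_PORTS[req.dest_port]
    if SECURITY_LEVEL[target] > SECURITY_ALERT_LINE:
        return AnalysisResult("second", False, f"{target} exceeds the security alert line")
    return AnalysisResult("second", True, "trusted terminal, ordinary protected object")


def select_responder(req):
    """Steps 501-503: reasonable -> protected object, otherwise -> honeypot."""
    result = analyze(req)
    return ("protected_object" if result.reasonable else "honeypot"), result


if __name__ == "__main__":
    for req in (ServiceRequest("10.0.0.5", 2222), ServiceRequest("10.0.0.66", 443),
                ServiceRequest("10.0.0.5", 22), ServiceRequest("10.0.0.5", 443)):
        who, res = select_responder(req)
        print(f"{req.source}:{req.dest_port} -> {who} ({res.kind} result: {res.reason})")
```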
Referring to fig. 6, the service response by the honeypot includes the steps of:
601, establishing a communication connection between the access terminal and the honeypot.
602, identifying the server type of the server.
The server types include idle servers, which have no actual use value, and temporary servers, which have actual use value; temporary servers are usually used temporarily in the defense system to provide service support for the honeypot.
603, switching the response mode of the honeypot based on the server type.
604, judging whether the service request accesses the basic port or an open port according to the destination address; if the service request accesses the basic port, executing step 605; if the service request accesses an open port, executing step 606.
605, performing service response on the service request through the honeypot based on the first virtual service.
606, querying the corresponding second virtual service in the server according to the accessed open port, and performing service response on the service request through the honeypot based on the second virtual service.
The implementation principle of the embodiment is as follows:
When the service request is judged to be an unreasonable request, a virtual path is established between the access terminal and the honeypot, and the response mode is switched before the honeypot performs the service response. After the response mode is switched, it is judged whether the target of the access request is the basic port or an open port of the honeypot: if it is the basic port, the service response is performed based on the configured first virtual service; if it is an open port, the service response is performed based on the corresponding second virtual service configured in the server.
In step 603 of the embodiment shown in fig. 6, before the honeypot responds to the service request, its response mode needs to be switched according to the preset type of the server, so that a server that needs protection is protected accordingly; this is described in detail with the embodiment shown in fig. 7.
Referring to fig. 7, switching the response mode of the honeypot includes the following steps:
701, judging whether the server type is an idle server or a temporary server; if the server type is an idle server, executing step 702; if the server type is a temporary server, executing step 703.
702, switching the response mode of the honeypot to a read-write mode.
Because the server used is an idle server with no actual use value, the authority granted during the response process need not be limited and data may be both read and written, which helps induce the service attack.
703, switching the response mode of the honeypot to a read-only mode.
Because the server used is a temporary server with actual use value, appropriate authority limits are required during the response process: only reading data is allowed, and writing data is not.
The implementation principle of the embodiment is as follows:
Since an idle server has no actual use value and a temporary server does, when the preset server type is the idle server the service request need not be limited; when the preset server type is the temporary server, the honeypot must be switched to read-only mode to protect the temporary server, so that the access terminal can only read data, and cannot write data, through its service requests.
After step 503 of the embodiment shown in fig. 5, once the honeypot has performed multiple service responses, data statistics may be collected and corresponding adjustments made according to the statistical result; this is described in detail with the embodiment shown in fig. 8.
Referring to fig. 8, adjusting the virtual service priority includes the following steps:
801, counting the access times of each comprehensive port separately.
802, sorting the comprehensive ports in descending order of access times to obtain a sorting result.
803, adjusting the priority of the virtual services based on the sorting result.
In the sorting result, comprehensive ports with more accesses come first and those with fewer accesses come last; the priority of the virtual services corresponding to the ports near the front is raised, and the priority of the virtual services corresponding to the ports near the back is lowered.
The implementation principle of the embodiment is as follows:
Since most service requests sent to the comprehensive ports of the honeypot are service attacks, the access count of each comprehensive port reflects how interested the access terminals are in different ports. The comprehensive ports are therefore sorted by access count and the priority of the virtual services is adjusted accordingly, so that when an access terminal again sends a service attack to a port it is interested in, the honeypot can respond more quickly, which strengthens the effect of inducing the attack.
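The honeypot's service response of fig. 6 and fig. 7 (mode switch by server type, first or second virtual service by port) together with the priority adjustment of fig. 8, as an added Python example that is not code from the patent. The port numbers, port types, service names and the "idle"/"temporary" labels are constructed, and the priority rule (the most-accessed port receives the highest value) is one reading of step 803, not a detail the patent specifies.

```python
"""Honeypot service response (fig. 6, fig. 7) and virtual-service priority
adjustment (fig. 8), modelled in Python. Added example; all values are constructed."""
from collections import Counter

BASIC_PORT = 8081                          # honeypot basic port -> first virtual service
OPEN_PORTS = {2222: "ssh", 9000: "http"}   # open port -> port type
# Second virtual services configured in the preset server, keyed by port type.
SERVER_SERVICES = {"ssh": "server-ssh-emulation", "http": "server-http-emulation"}
FIRST_VIRTUAL_SERVICE = "honeypot-basic-service"


class Honeypot:
    def __init__(self, server_type):
        if server_type not in ("idle", "temporary"):
            raise ValueError("server type must be 'idle' or 'temporary'")
        self.server_type = server_type      # preset type of the combined server (step 602)
        self.mode = None                    # "read-write" or "read-only" (step 603)
        self.hits = Counter()               # access count per comprehensive port (step 801)
        self.priority = {p: 0 for p in (BASIC_PORT, *OPEN_PORTS)}

    def switch_mode(self):
        """Fig. 7: idle server -> read-write (702); temporary server -> read-only (703)."""
        self.mode = "read-write" if self.server_type == "idle" else "read-only"
        return self.mode

    def respond(self, dest_port, wants_write=False):
        """Steps 603-606. Returns (virtual service used, whether the operation is allowed)."""
        self.switch_mode()
        if dest_port == BASIC_PORT:
            service = FIRST_VIRTUAL_SERVICE                   # step 605
        elif dest_port in OPEN_PORTS:
            service = SERVER_SERVICES[OPEN_PORTS[dest_port]]  # step 606: look up in the server
        else:
            raise ValueError(f"port {dest_port} is not a comprehensive port of the honeypot")
        self.hits[dest_port] += 1
        # A write is only served in read-write mode; read-only mode shields a temporary server.
        allowed = (not wants_write) or self.mode == "read-write"
        return service, allowed

    def adjust_priorities(self):
        """Steps 801-803: sort ports by access count, descending, and rank priorities so
        that the most-accessed port gets the highest value (never-accessed ports stay 0)."""
        ranking = [port for port, _ in self.hits.most_common()]
        for rank, port in enumerate(ranking):
            self.priority[port] = len(ranking) - rank
        return ranking


if __name__ == "__main__":
    hp = Honeypot("temporary")
    for port, write in ((2222, False), (2222, True), (9000, False)):
        print(port, "write" if write else "read", hp.respond(port, write), hp.mode)
    print("ranking:", hp.adjust_priorities(), "priorities:", hp.priority)
```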
The embodiment of the present application further discloses an active spoofing defense system based on dynamic port masquerading, which includes:
the masquerading module is deployed with honeypots, establishes communication connection with the protected object, the access terminal and the server respectively, and is used for acquiring a service request of the access terminal and carrying out service response according to the service request;
the analysis module is used for analyzing the service request;
and the configuration module is used for acquiring the first virtual service of the honeypot and the second virtual service of the server and configuring the first virtual service and the second virtual service.
The implementation principle of the embodiment is as follows:
The masquerading module is deployed with a honeypot. A honeypot usually comprises a basic port and the related services corresponding to that basic port, so the configuration module can open the basic port and configure the corresponding related services as virtual services. The honeypot also comprises a plurality of open ports that can be opened, but the services corresponding to those open ports cannot be simulated by the honeypot itself; if the honeypot only provides services on the basic port, the attacking side can easily detect the existence of the honeypot by making several probing attacks on the plurality of ports.
Therefore, the honeypot is combined with the preset server, and the services in the server are configured through the configuration module as the virtual services corresponding to the open ports, which completes the disguise of the honeypot's ports. After the ports and services are configured, a service request is obtained and analyzed by the analysis module, mainly for its rationality, and according to that rationality it is decided whether a normal service response is performed by the protected object or a disguised service response by the honeypot deployed in the masquerading module. While the honeypot performs the disguised service response, because all of its ports are configured with virtual services, even if an attacker makes tentative attacks on several ports, every port can flexibly and actively respond to confuse the attacker, achieving the effect of inducing the attack.
The above are preferred embodiments of the present application, and the scope of protection of the present application is not limited thereto; equivalent changes in the structure, shape and principle of the present application shall be covered by its scope of protection.

Claims (7)

1. An active deception defense method based on dynamic port disguise is characterized by comprising the following steps:
deploying honeypots based on network nodes connected to the protected objects;
configuring an integrated port of the honeypot, the integrated port comprising a base port and a plurality of open ports;
configuring a first virtual service of the honeypot according to the basic port;
establishing communication connection between the honeypot and a preset server;
respectively acquiring the port type of each open port;
configuring a corresponding second virtual service in the server according to the port type;
acquiring a service request of an access terminal;
acquiring request information of the service request, wherein the request information comprises a destination address;
judging whether the destination address is the comprehensive port or the target port of the protected object;
if the destination address is the comprehensive port, obtaining a first analysis result, wherein the first analysis result is that the service request is defined as an unreasonable request;
if the destination address is the target port of the protected object, comprehensively analyzing the access terminal and the protected object corresponding to the destination address according to the request information to obtain a second analysis result;
and selecting the protected object or the honeypot to perform service response on the service request according to the analysis result.
2. The active spoofing defense method based on dynamic port masquerading as in claim 1, wherein the request information further includes basic information of a corresponding access terminal;
the step of comprehensively analyzing the protected objects corresponding to the access terminal and the destination address according to the request information to obtain a second analysis result comprises the following steps:
retrieving the basic information according to a preset access terminal blacklist to obtain a retrieval result, wherein the access terminal blacklist stores the basic information of access terminals with historical suspicious access behaviors;
judging whether the access terminal exists in the access terminal blacklist or not according to the retrieval result;
if the access terminal exists in the access terminal blacklist, obtaining a second analysis result, and defining the service request as an unreasonable request;
if the access terminal does not exist in the access terminal blacklist, judging whether the security level of the corresponding target protected object exceeds a preset security alert line;
if the security level of the target protection object exceeds a preset security alert line, obtaining a second analysis result, namely that the service request is defined as an unreasonable request;
and if the security level of the target protected object does not exceed a preset security alert line, obtaining a second analysis result, and defining the service request as a reasonable request.
3. An active spoofing defense method based on dynamic port masquerading according to any one of claims 1-2, characterized in that the step of selecting the protected object or the honeypot to perform service response on the service request according to the analysis result comprises the following steps:
judging whether the service request is a reasonable request or not according to the analysis result;
if the service request is the reasonable request, selecting the protected object to perform service response on the service request;
and if the service request is the unreasonable request, selecting the honeypot to perform service response on the service request.
4. The active spoofing defense method based on dynamic port masquerading as in claim 3, wherein the step of selecting the honeypot to perform service response on the service request comprises the following steps:
establishing a communication connection between the access terminal and the honeypot;
identifying a server type of the server;
switching a response mode of the honeypot based on the server type;
judging whether the service request accesses the basic port or the open port according to the destination address;
if the service request accesses the basic port, performing service response on the service request through the honeypot based on the first virtual service;
and if the service request accesses the open port, inquiring corresponding second virtual service in the server according to the accessed open port, and performing service response on the service request through the honeypot based on the second virtual service.
5. The active spoofing defense method based on dynamic port masquerading as in claim 4, wherein the server types comprise idle servers and temporary servers;
the response mode for switching the honeypots based on the server types comprises the following steps:
judging whether the server type is the idle server or the temporary server;
if the server type is the idle server, switching the response mode of the honeypot into a read-write mode;
and if the server type is the temporary server, switching the response mode of the honeypot to a read-only mode.
6. The active spoofing defense method based on dynamic port masquerading as in claim 3, wherein the step of selecting the honeypot to perform service response on the service request further comprises the following steps:
respectively counting the access times of the comprehensive ports;
sorting the comprehensive ports in descending order of the access times to obtain a sorting result;
adjusting the priority of the virtual service based on the sorting result.
7. An active spoofing defense system based on dynamic port masquerading, comprising:
the masquerading module is deployed with a honeypot, establishes communication connection with a protected object, an access terminal and a server respectively, and is used for acquiring a service request of the access terminal and carrying out service response according to the service request, wherein a comprehensive port of the honeypot comprises a basic port and a plurality of open ports;
the analysis module is used for analyzing the service request; the specific steps of analyzing the service request are as follows:
acquiring request information of the service request, wherein the request information comprises a destination address;
judging whether the destination address is the comprehensive port or the target port of the protected object;
if the destination address is the comprehensive port, obtaining a first analysis result, wherein the first analysis result is that the service request is defined as an unreasonable request;
if the destination address is the target port of the protected object, comprehensively analyzing the access terminal and the protected object corresponding to the destination address according to the request information to obtain a second analysis result;
the configuration module is used for acquiring a first virtual service of the honeypot and a second virtual service of the server and configuring the first virtual service and the second virtual service;
the specific steps of configuring the first virtual service and the second virtual service are as follows:
configuring a first virtual service of the honeypot according to the basic port;
establishing communication connection between the honeypot and a preset server;
respectively acquiring the port type of each open port;
and configuring corresponding second virtual service in the server according to the port type.
CN202111146929.1A 2021-09-28 2021-09-28 Active deception defense method and system based on dynamic port disguise Active CN114465747B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111146929.1A CN114465747B (en) 2021-09-28 2021-09-28 Active deception defense method and system based on dynamic port disguise

Publications (2)

Publication Number Publication Date
CN114465747A CN114465747A (en) 2022-05-10
CN114465747B true CN114465747B (en) 2022-10-11

Family

ID=81406514

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111146929.1A Active CN114465747B (en) 2021-09-28 2021-09-28 Active deception defense method and system based on dynamic port disguise

Country Status (1)

Country Link
CN (1) CN114465747B (en)

Also Published As

Publication number Publication date
CN114465747A (en) 2022-05-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant