CN114499982A - Honey net dynamic configuration strategy generating method, configuration method and storage medium - Google Patents


Info

Publication number: CN114499982A
Application number: CN202111633998.5A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN114499982B (granted publication)
Legal status: Granted, currently active
Prior art keywords: honey net, strategy, honey, network, security
Inventors: 郑敏娇, 马宇峰, 吴波, 杨勤泗, 李然, 张晓�, 孟进
Current assignee: National University of Defense Technology
Original assignee: National University of Defense Technology
Application filed by: National University of Defense Technology
Priority to: CN202111633998.5A
Publications: CN114499982A (application), CN114499982B (grant)

Classifications

    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • G06F16/367 Ontology (creation of semantic tools, e.g. ontology or thesauri)
    • G06F16/9024 Graphs; linked lists (indexing; data structures therefor; storage structures)
    • H04L63/1433 Vulnerability analysis
    • H04L63/205 Network security policies involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Abstract

The invention discloses a method for generating a dynamic configuration strategy for a honeynet, a configuration method and a storage medium. The generation method comprises the following steps: constructing a security knowledge graph containing honeynet dynamic configuration strategies; acquiring state and event information from the service network and the honeynet; sensing the security situation based on the security knowledge graph and the acquired state and event information, and predicting the next attack behavior; and obtaining a dynamic configuration strategy for the honeynet based on the security knowledge graph and the predicted next attack behavior. Based on the features extracted through the knowledge graph, different inducement strategies can be adopted for different types of network attack, which improves the flexibility of the dynamic honeynet and its ability to actively trap attackers: the honeynet can keep inducing attackers to attack more deeply while remaining hard for them to detect, achieving delay, enticement, tracing, evidence collection and so on, and protecting the real target system from attack.

Description

Honey net dynamic configuration strategy generating method, configuration method and storage medium
Technical Field
The invention relates to the technical field of network security, and in particular to a method for generating a dynamic configuration strategy for a honeynet, a configuration method and a storage medium.
Background
A knowledge graph is an important direction in the development of artificial intelligence and mainly addresses the problem of cognitive intelligence. The concept was formally proposed by Google on 17 May 2012 with the aim of optimizing Google's search capability and improving search quality and user experience. Besides semantic understanding, a knowledge graph can show the relationships between entities; in essence it is defined as "a semantic network that exposes relationships between entities". Knowledge formation comprises three steps, knowledge extraction, knowledge representation and knowledge fusion, and each piece of knowledge can be represented as an SPO triple (Subject-Predicate-Object). Knowledge graphs have been deployed in many areas, including intelligent search, deep question answering and social networks, and many experts and scholars continue to explore their use in other emerging fields. A security knowledge graph is the practical application of the knowledge graph in the field of network security: it comprises a security knowledge ontology framework constructed on the basis of ontologies, and a structured, intelligent knowledge base of the security domain formed by processing and integrating multi-source heterogeneous network security information by means such as threat modeling.
Representative work abroad includes the STUCCO project proposed by Stanford University, which aims to construct a network threat information platform based on a knowledge graph and provides an automatic network security entity labeling method, a supervised entity extraction method based on labeled security corpora, a network security entity relation extraction method combining semi-supervised natural language processing with a bootstrapping algorithm, a security knowledge graph ontology construction method based on network threat information, and the GraphPrints analysis method based on network anomaly detection. Domestic research on network security knowledge graphs followed: Jia Yan et al. proposed a network security knowledge graph construction method based on conditional random fields and a relationship deduction method based on quintuples; starting from the graph construction process, the method provides a new entity extraction method aimed at the characteristic that most terms in the network security field mix Chinese and English, and achieves good results.
A honeynet system is a highly controllable network for trapping and analyzing attacks. By simulating a real network environment it induces attackers to attack the honeynet: on the one hand the security of real hosts is protected, and on the other hand the attacker's behavior in the honeynet can be captured and then analyzed to obtain information about the attacker and their attack techniques, so that the attack intention is discovered. Most early honeynets are statically configured, and their properties cannot be adjusted dynamically when the network situation changes, which greatly limits their ability to deceive attackers. To improve the deception capability of a honeynet, its properties can be adjusted in real time according to the network situation, so dynamic configuration strategies have gradually become the direction in which honeynet development is optimized. Hecker et al. proposed a method for automatically deploying honeynets in dynamic networks: the method monitors network traffic by combining active and passive detection techniques, stores configuration files in a data table in advance, scans for changes in network traffic, distinguishes scenarios accordingly, and decides under which circumstances to establish a honeynet or to limit scanning bandwidth.
Fan et al. proposed a flexible, diversified virtual honeynet management framework to address the lack of a unified management platform for deploying different honeynets; the framework adapts to changes in the network environment and dynamically creates configuration files to generate and manage virtual honeynets, and the tool can effectively use various heterogeneous honeypots for automatic deployment, though problems such as complex deployment and difficult migration remain. Fraunholz D et al. proposed a machine-learning-based strategy for dynamic honeypot configuration, deployment and maintenance to address the need for administrators to deploy and maintain honeypots manually; it takes the identification mechanism of each device in the network as a feature and realizes automatic honeypot configuration and maintenance through a clustering algorithm. Seungwon et al. proposed a software-defined honeynet (SDH) based on the SDN idea, which discovers link bottlenecks by calculating the relevant parameters of each link in the honeynet and dynamically adjusts the honeynet topology through an SDN controller, thereby presenting a dynamically generated false network topology to the attacker inside the honeynet. Game theory has been used to analyze the strategies and payoffs of attackers and defenders in honeypot trapping models, suggestions for improving the active trapping ability of honeypots have been given, and relevant theoretical support has been provided for constructing honeypot trapping systems based on the idea of active defense.
Akiyama M, Yagi T, Yada T et al. proposed a honeypot-based malicious URL redirection detection system, specifically designed to detect and track malicious URL redirection behavior; after detecting an attack, it can dynamically generate a corresponding defense strategy according to the behavioral characteristics of the malicious user and adjust the honeypots' access control rules.
These dynamic honeynet configuration schemes adjust the state of the honeynet based on observed state information from the service network, and address aspects such as the honeynet's traffic control mechanism and topology construction, thereby effectively improving the honeynet's camouflage and decoy capabilities.
However, existing honeynet dynamic configuration schemes focus on dynamically configuring honeynet topology and access rules and lack dynamic configuration of the attributes of the honeypot nodes within the honeynet. In addition, they mine network situation information from only one aspect, do not perform real-time correlation analysis of multi-dimensional network situation information, and lack reliable means of predicting the network security situation, so existing honeynet schemes are insufficiently intelligent and dynamic. The lack of dynamic allocation of honeypot node attributes makes a honeynet more likely to hit bottlenecks when facing network attacks at the host level; because the network security situation is hard to judge accurately, the honeynet system struggles to effectively restrain attackers through dynamic configuration, struggles to collect attack behavior information, and may even be disabled, which severely limits its ability to deceive attackers.
The inventors find that although research on knowledge graph technology in the field of network security is still at an early stage, its relationship-based reasoning capability and efficient analysis and response capability have played a large role in other fields, and therefore a knowledge-graph-based dynamic configuration strategy for honeynets can effectively solve the above problems.
Disclosure of Invention
The invention provides a method for generating a honeynet dynamic configuration strategy, a configuration method and a storage medium, which aim to solve the problems that existing honeynet dynamic configuration schemes are insufficiently intelligent and dynamic and that the honeynet's ability to deceive attackers is severely limited.
In a first aspect, a method for generating a dynamic configuration policy of a honey net is provided, including:
constructing a security knowledge graph containing a honeynet dynamic configuration strategy;
acquiring state and event information in a service network and a honey network;
sensing a security situation based on the security knowledge graph and the acquired state and event information, and predicting the next attack behavior;
and obtaining a dynamic configuration strategy for the honeynet based on the security knowledge graph and the predicted next attack behavior.
Further, the dynamic configuration strategy of the honey network comprises a node strategy, a topology strategy and a rule strategy;
the node strategy is used for controlling the running state of each node application service in the honey net; the topology strategy is used for controlling the online and interconnection conditions of honeypot nodes in the honey net; the rule policy is used for adjusting the access control rule in the honey net.
Further, the process of constructing the security knowledge graph containing the dynamic configuration strategy of the honeynet comprises the following steps:
performing data extraction on network security data to construct a knowledge graph database;
constructing, based on the knowledge graph database, a knowledge graph structure model containing six types of entities and the relationships among them, and establishing the security knowledge graph; the six types of entities comprise nodes, network systems, vulnerabilities, attack behaviors, attack modes and honeynet strategies.
Further, the network security data comprises external security knowledge, service network data and honey net basic data;
extracting vulnerability information based on the external security knowledge; extracting node information and attack log information based on the service network data and honeynet basic data.
Further, the relationships between the six types of entities include: a node forms a network system; a vulnerability exists in a network system; a vulnerability exists in a node; an attack behavior targets a node; an attack behavior targets a network system; an attack behavior exploits a vulnerability; an attack behavior belongs to an attack mode; a honeynet strategy counters an attack behavior; a honeynet strategy counters an attack mode; a honeynet strategy is issued to a node; and a honeynet strategy is issued to a network system.
Further, sensing the security situation based on the security knowledge graph and the acquired state and event information and predicting the next attack behavior specifically comprises:
extracting entity information identified in the security knowledge graph from the acquired state and event information based on the security knowledge graph;
extracting a graph model representing the situation information based on the extracted entity information and the structure of the security knowledge graph;
mapping the extracted graph models with different dimensions to the same vector space by adopting a graph embedding algorithm, evaluating the whole threat and realizing the perception of the security situation;
and finding the real threat behaviors in the network based on the graph model with the greatest contribution to the overall situation, and predicting the next attack behavior through Bayesian analysis of transition probabilities in combination with the security knowledge graph.
Further, the obtaining of the dynamic configuration strategy of the honey net based on the security knowledge graph and the predicted next attack behavior specifically includes:
based on the security knowledge graph and the predicted next attack behavior, a graph search algorithm is adopted to find a honey net strategy entity corresponding to the next attack behavior;
and obtaining a dynamic configuration strategy of the honey net based on the found honey net strategy entity.
In a second aspect, a method for dynamically configuring a honeynet is provided, including:
generating a honey net dynamic configuration strategy by adopting the honey net dynamic configuration strategy generation method;
and according to the generated honey net dynamic configuration strategy, dynamically configuring the attributes of the honey net and each honey pot node in the honey net.
Further, the method also includes:
acquiring data from the dynamically configured honeynet, feeding it back into the security knowledge graph, and iteratively correcting the security knowledge graph.
In a third aspect, a computer-readable storage medium is provided, which stores a computer program, which when loaded by a processor, implements the method for generating a dynamic configuration policy of a honeynet as described above.
In a fourth aspect, a computer-readable storage medium is provided, which stores a computer program, which when loaded by a processor, implements the method for dynamic configuration of a honey net as described above.
Compared with the prior art, the invention has the following advantages:
Existing honeynet dynamic configuration schemes mine network situation information from a single aspect to guide the dynamic configuration of the honeynet and do not perform real-time correlation analysis of multi-dimensional network situation information, so existing honeynet schemes are insufficiently intelligent and dynamic, and the honeynet's ability to deceive attackers is severely limited. At the same time, network situation data comes from many sources and has complex relationships; traditional data mining and attack analysis means struggle to process it on the basis of these complex association relationships, which is a major limitation and keeps the upper bound of the honeynet's intelligence low.
In addition, existing honeynet dynamic configuration strategies are mainly applied when a honeynet attached to a service network is deployed for the first time; dynamic configuration strategies that induce attackers in real time according to their behavior after the honeynet has been attacked have not been studied, so flexibility is limited and the honeynet struggles to cope with more complex network security conditions and more experienced attackers.
The technical scheme of the invention collects situation information from the service network and the honeynet in real time, performs correlation analysis and feature extraction on the collected multi-dimensional network situation information based on the constructed security knowledge graph, and uses the extracted features to guide the dynamic configuration of each attribute of the honeynet, thereby improving the honeynet's intelligence and its camouflage and decoy capabilities. Based on the features extracted through the knowledge graph, different inducement strategies can be adopted for different types of network attack, which improves the flexibility of the dynamic honeynet and its ability to actively trap attackers: the honeynet can keep inducing attackers to attack more deeply while remaining hard for them to detect, achieving delay, enticement, tracing, evidence collection and so on, and protecting the real target system from attack.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a method for generating a dynamic configuration policy of a honeynet according to an embodiment of the present invention;
Fig. 2 is a diagram of a knowledge graph structure model provided by an embodiment of the invention;
Fig. 3 is a schematic diagram of vulnerability information after formatting according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of an attack event after formatting according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be described in detail below. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the examples given herein without any inventive step, are within the scope of the present invention.
Example 1
As shown in fig. 1 and fig. 2, the present embodiment provides a method for generating a policy for dynamic configuration of a honeynet, including:
s1: and constructing a security knowledge graph containing the dynamic configuration strategy of the honey net.
Specifically, the safety knowledge graph constructed by the invention is a knowledge graph in the network safety field facing the honey net configuration, and relates to six-dimensional ontologies, namely:
G=<EN,EW,V,AT,AM,S>
the system comprises a node dimension EN, a network dimension EW, a vulnerability dimension V, an attack behavior dimension AT, an attack mode dimension AM and a honey net strategy dimension S, and also comprises a relation set R among the dimensions. The node dimension takes an IP address as a unique main key, records contents such as deployed services, installed software, open ports, an operating system, found bugs and the like, and adds the contents into a map as nodes of network topology; the network dimension takes the entrance IP as a unique main key, records contents such as interconnected and intercommunicated node IP and node access rules and the like as edges of network topology and adds the edges into the map; the vulnerability dimension comprises the category of the vulnerability, the release time, the CVE number and other information; the attack behavior dimension mainly records various attack events under the network environment, including attack detection systems from a network firewall, an IDS intrusion detection system and the like and early warning log information from a honeynet, wherein the information content includes an attacker IP, an attacked IP, attack time, utilized vulnerability types and the like; the attack mode dimension mainly records the dependency relationship and the time sequence relationship among the attack behaviors; the honey net strategy maintaining record records honey net configuration strategies adopted for coping with attacks, including attack behaviors and modes, including honey net network topology, node composition, service and software deployed on nodes, system information and the like, and is mainly expressed by extensible markup language.
The construction and the expansion of the safety knowledge graph are carried out according to the flows of data extraction and graph construction.
The data extraction sources comprise external security knowledge, service network data and honeynet basic data. External security knowledge mainly comprises vulnerability platforms such as NVD, CVE, CNVD and CNNVD, security news sites such as Anquanke and FreeBuf, and security forums such as CSDN and Cnblogs. The stored data generally exists in an unformatted form, so during extraction it must be crawled with a crawler and then formatted; Fig. 3 shows vulnerability information after formatting.
Meanwhile, node information and attack log information need to be extracted from the service network data and honeynet basic data. Attack events mainly rely on security event records consisting chiefly of attack detection reports, network firewall and IDS intrusion detection system reports, and application logs of node users; these need to be formatted into an attack event list, as shown in Fig. 4, in preparation for generating the knowledge graph.
A knowledge graph database is constructed from the extracted data. Graph construction mainly consists of fusing and reasoning over the formatted data in the knowledge graph database to achieve correlation analysis of the information, and storing the result in a structured security domain knowledge base. As shown in Fig. 2, in this embodiment a knowledge graph structure model comprising six types of entities and eleven types of relationships between them is constructed on the basis of the knowledge graph database, and the security knowledge graph is established. The six types of entities are nodes, network systems, vulnerabilities, attack behaviors, attack modes and honeynet strategies; the eleven types of relationships are: a node forms a network system; a vulnerability exists in a network system; a vulnerability exists in a node; an attack behavior targets a node; an attack behavior targets a network system; an attack behavior exploits a vulnerability; an attack behavior belongs to an attack mode; a honeynet strategy counters an attack behavior; a honeynet strategy counters an attack mode; a honeynet strategy is issued to a node; and a honeynet strategy is issued to a network system.
In the process of constructing the security knowledge graph, explicit association relationships between entities are usually relatively easy to determine; for example, association discovery can be completed by aligning the reference relationships among entities such as IPs, ports, network segments, alarms, files and logs, while implicit relationships can be obtained through more complex data mining methods. Fig. 2 illustrates the security knowledge graph structure model constructed in this embodiment: squares represent categories, circles represent concrete entity nodes in the graph, solid lines represent relationships between classes, and dashed lines represent the attributes of entity nodes and some associations between attributes.
After the security knowledge graph structure model is constructed, data is written to storage using a combination of a traditional database and a graph database, for example storing the security information in a MySQL database and storing the entities and relations of the security knowledge graph in a Neo4j graph database.
After the security knowledge graph is initially constructed, it should continue to be corrected; a final security knowledge graph can be obtained, for example, by combining the Common Vulnerability Scoring System (CVSS) with Bayesian analysis of the threat transfer probabilities between preceding and subsequent attack behaviors in the graph, by resolving threat transfer loops between multiple nodes, and so on. The security knowledge graph is continuously updated and corrected iteratively according to the data gathered during use.
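As an added illustration (not code from the patent), the following Python sketch models the six-dimensional graph of step S1 as an in-memory triple store that admits only the eleven relationship types of the structure model, fuses constructed vulnerability and attack-event records of the kind shown in Figs. 3 and 4, and emits Cypher MERGE statements for the Neo4j storage mentioned above. The class name, entity keys, relation labels and all record values (including the CVE ids) are assumptions.

```python
# Added example, not the patent's code: in-memory model of the security knowledge
# graph G = <EN, EW, V, AT, AM, S> that admits only the structure model's eleven
# relationships. All keys, labels and record values below are constructed.

ENTITY_TYPES = ("Node", "Network", "Vulnerability", "Attack", "AttackMode", "Strategy")
# The eleven permitted relationships as (head type, relation, tail type).
SCHEMA = {
    ("Node", "FORMS", "Network"),
    ("Vulnerability", "EXISTS_IN", "Network"),
    ("Vulnerability", "EXISTS_IN", "Node"),
    ("Attack", "TARGETS", "Node"),
    ("Attack", "TARGETS", "Network"),
    ("Attack", "EXPLOITS", "Vulnerability"),
    ("Attack", "BELONGS_TO", "AttackMode"),
    ("Strategy", "COUNTERS", "Attack"),
    ("Strategy", "COUNTERS", "AttackMode"),
    ("Strategy", "ISSUED_TO", "Node"),
    ("Strategy", "ISSUED_TO", "Network"),
}

class SecurityKnowledgeGraph:
    def __init__(self):
        self.entities = {}    # key -> (entity type, attribute dict)
        self.triples = set()  # (head key, relation, tail key)

    def add_entity(self, etype, key, **attrs):
        if etype not in ENTITY_TYPES:
            raise ValueError(f"unknown entity type {etype}")
        if key in self.entities:
            if self.entities[key][0] != etype:
                raise ValueError(f"{key} already exists as {self.entities[key][0]}")
            self.entities[key][1].update(attrs)  # fuse attributes from another source
        else:
            self.entities[key] = (etype, dict(attrs))

    def add_relation(self, head, rel, tail):
        ht, tt = self.entities[head][0], self.entities[tail][0]
        if (ht, rel, tt) not in SCHEMA:
            raise ValueError(f"{ht} -{rel}-> {tt} is not one of the eleven relationships")
        self.triples.add((head, rel, tail))

    def load_vulnerabilities(self, records):
        """Formatted vulnerability information (cf. Fig. 3): one row per CVE per host."""
        for r in records:
            self.add_entity("Vulnerability", r["cve"], category=r["category"], published=r["published"])
            self.add_entity("Node", r["node_ip"])
            self.add_relation(r["cve"], "EXISTS_IN", r["node_ip"])

    def load_attack_events(self, events):
        """Formatted attack-event list (cf. Fig. 4): attacker IP, victim IP, time, vulnerability used."""
        for i, e in enumerate(events):
            key = f"attack:{i}"
            self.add_entity("Attack", key, attacker_ip=e["attacker_ip"], time=e["time"], source=e["source"])
            self.add_entity("Node", e["victim_ip"])
            self.add_relation(key, "TARGETS", e["victim_ip"])
            if e.get("cve"):
                self.add_entity("Vulnerability", e["cve"])
                self.add_relation(key, "EXPLOITS", e["cve"])

    def neighbours(self, key, rel):
        """Tail keys reachable from key over relation rel, sorted for determinism."""
        return sorted(t for h, r, t in self.triples if h == key and r == rel)

    def to_cypher(self):
        """Cypher MERGE statements for writing the entities and relationships into Neo4j."""
        lines = []
        for key, (etype, attrs) in sorted(self.entities.items()):
            props = "".join(f", {k}: {v!r}" for k, v in attrs.items())
            lines.append(f"MERGE (:{etype} {{key: {key!r}{props}}});")
        for h, r, t in sorted(self.triples):
            lines.append(f"MATCH (a {{key: {h!r}}}), (b {{key: {t!r}}}) MERGE (a)-[:{r}]->(b);")
        return "\n".join(lines)

# Constructed, already formatted extraction results (the CVE ids are placeholders).
VULNS = [
    {"cve": "CVE-0000-0001", "category": "remote code execution", "published": "2021-01-01", "node_ip": "10.0.0.5"},
    {"cve": "CVE-0000-0002", "category": "weak credential", "published": "2021-02-01", "node_ip": "10.0.0.5"},
]
ATTACK_EVENTS = [
    {"source": "IDS", "attacker_ip": "203.0.113.7", "victim_ip": "10.0.0.5", "time": "2021-06-01T10:00:00", "cve": "CVE-0000-0001"},
    {"source": "honeynet", "attacker_ip": "203.0.113.7", "victim_ip": "10.0.0.20", "time": "2021-06-01T10:05:00", "cve": None},
]

def build_sample_graph():
    """Fuse the two sources into one graph and attach a constructed honeynet strategy entity."""
    g = SecurityKnowledgeGraph()
    g.add_entity("Network", "net:10.0.0.0/24", entry_ip="10.0.0.1")
    g.load_vulnerabilities(VULNS)
    g.load_attack_events(ATTACK_EVENTS)
    for ip in ("10.0.0.5", "10.0.0.20"):  # nodes form the network system
        g.add_relation(ip, "FORMS", "net:10.0.0.0/24")
    g.add_entity("AttackMode", "mode:scan_then_exploit")
    g.add_relation("attack:0", "BELONGS_TO", "mode:scan_then_exploit")
    g.add_entity("Strategy", "S_decoy_rce", policy_xml="<strategy/>")
    g.add_relation("S_decoy_rce", "COUNTERS", "attack:0")
    g.add_relation("S_decoy_rce", "ISSUED_TO", "10.0.0.20")
    return g
```

Calling `build_sample_graph().to_cypher()` prints the MERGE statements; a relation outside the eleven, such as a node countering an attack, is rejected at load time rather than silently entering the graph.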
S2: and acquiring state and event information in a service network and a honey network. Various states and event information in the service network and the honey net can be sensed and collected by deploying sensors in the service network and the honey net.
S3: and sensing the security situation based on the security knowledge graph and the acquired state and event information, and predicting the next attack behavior.
The method specifically comprises the following steps:
s31: and extracting the model entity. And extracting entity information identified in the security knowledge graph from the acquired state and event information according to the security knowledge graph, wherein the entity information comprises node information, vulnerability information, attack behavior information and the like.
S32: and constructing a model for representing the situation. Since the information originates from different sensors, and the relevance is unknown, the relevance needs to be discovered according to the security knowledge graph, and a graph model representing situation information is extracted based on the extracted entity information and the structure of the security knowledge graph.
S33: and sensing the security situation. When security situation perception is carried out, because the different perceptrons can generate a large amount of data, discrimination is needed, real threat behaviors are found from a large amount of information, the graph models with different dimensionalities extracted in the last step are mapped into the same vector space by adopting a graph embedding algorithm, the whole threat is evaluated, and the perception of the security situation is realized.
S34: and (5) attack prediction. In the process of sensing the security situation in the last step, the threat degree weight of a certain node in the security knowledge graph can be calculated, so that a graph model with the maximum contribution degree to the overall situation can be found, the real threat behaviors in the network can be found, and the next attack behaviors can be predicted by adopting Bayesian analysis transfer probability in combination with the contents of attack modes and the like in the security knowledge graph.
S4: and obtaining a dynamic configuration strategy of the honey net based on the security knowledge map and the predicted next attack behavior.
The honey net dynamic configuration strategy is a strategy for guiding the honey net and the state adjustment of each honey pot node in the honey net, and when the honey net dynamic configuration strategy is generated, a honey net strategy entity corresponding to the next attack action is found by adopting a graph search algorithm based on a security knowledge graph and the predicted next attack action; and obtaining a dynamic configuration strategy of the honey net based on the found honey net strategy entity. The honey net dynamic configuration strategy comprises a node strategy, a topology strategy and a rule strategy; the node strategy is used for controlling the running state of each node application service in the honey network; the topology strategy is used for controlling the online and interconnection conditions of honeypot nodes in the honey network; the rule policy is used to adjust the access control rules within the honey net.
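The following Python script is an added worked example, not code from the patent or its assignee. It models, end to end, the correction step described above (CVSS combined with Bayesian transfer probabilities, loop resolution), the prediction sub-step S34 and the strategy lookup of S4 on a toy security knowledge graph that uses the six entity types and the relation types listed in claim 5. The entity names, the vulnerability identifiers (VULN-A/B/C, deliberately not real CVE ids), the CVSS scores, the observed attack chains and the node/topology/rule policies are all constructed data; the weighting rule (transition counts multiplied by the mean CVSS base score of the exploited vulnerabilities, default 0.5 where none is recorded) and the loop-resolution rule (exclude behaviors already in the current chain) are one plausible interpretation of the text, not the patent's own algorithm.

```python
"""Added worked example, not code from the patent: a toy security knowledge graph with
the six entity types and the relation types of claim 5, CVSS-weighted Bayesian transition
probabilities between attack behaviours, loop-free next-step prediction, and a graph search
to the honeynet strategy entity that deals with the prediction.  All names, scores, chains
and policies are constructed; the weighting and default weight are assumptions."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


class SecurityKnowledgeGraph:
    # Entity kinds used: node, network_system, vulnerability, attack_behavior,
    # attack_pattern, honeynet_strategy (the six types named in the patent).
    def __init__(self) -> None:
        self.entities: Dict[str, dict] = {}                  # name -> {"kind": ..., attrs}
        self.edges: List[Tuple[str, str, str]] = []          # (src, relation, dst)
        self.counts = defaultdict(lambda: defaultdict(int))  # preceding -> following -> n

    def add_entity(self, name: str, kind: str, **attrs) -> None:
        self.entities[name] = {"kind": kind, **attrs}

    def add_relation(self, src: str, rel: str, dst: str) -> None:
        assert src in self.entities and dst in self.entities, (src, dst)
        self.edges.append((src, rel, dst))

    def out(self, src: str, rel: str) -> List[str]:
        return [d for s, r, d in self.edges if s == src and r == rel]

    def observe_chain(self, chain: List[str]) -> None:
        """Count preceding -> following pairs in one observed attack sequence."""
        for a, b in zip(chain, chain[1:]):
            self.counts[a][b] += 1

    def cvss_weight(self, behaviour: str) -> float:
        """Mean CVSS base score of the exploited vulnerabilities scaled to 0..1; 0.5 if none (assumed)."""
        vulns = self.out(behaviour, "exploits")
        if not vulns:
            return 0.5
        return sum(self.entities[v]["cvss"] for v in vulns) / len(vulns) / 10.0

    def predict_next(self, chain: List[str]) -> Optional[Tuple[str, float]]:
        """Posterior over the next behaviour: transition counts from the last observed behaviour,
        re-weighted by CVSS and normalised.  Behaviours already in the chain are excluded,
        which resolves threat-transfer loops between graph nodes."""
        scores = {b: n * self.cvss_weight(b)
                  for b, n in self.counts[chain[-1]].items() if b not in chain}
        total = sum(scores.values())
        if total == 0:
            return None
        best = max(scores, key=scores.get)
        return best, scores[best] / total

    def find_strategy(self, behaviour: str) -> Optional[str]:
        """Graph search: a strategy that deals with the behaviour itself, otherwise one that
        deals with the attack pattern the behaviour belongs to."""
        targets = {behaviour, *self.out(behaviour, "belongs_to")}
        for s, r, d in self.edges:
            if r == "deals_with" and d in targets:
                return s
        return None

    def config_for(self, strategy: str) -> dict:
        """Node / topology / rule policies plus the nodes or systems they are issued to."""
        s = self.entities[strategy]
        return {"node": s["node"], "topology": s["topology"], "rule": s["rule"],
                "issued_to": self.out(strategy, "issued_to")}


def build_demo_graph() -> SecurityKnowledgeGraph:
    g = SecurityKnowledgeGraph()
    g.add_entity("dmz", "network_system")
    for n, v, score in (("web-01", "VULN-A", 9.8), ("db-01", "VULN-B", 7.5), ("db-01", "VULN-C", 5.3)):
        if n not in g.entities:
            g.add_entity(n, "node")
            g.add_relation(n, "forms", "dmz")
        g.add_entity(v, "vulnerability", cvss=score)         # constructed ids, not real CVEs
        g.add_relation(n, "has_vuln", v)
    for p in ("recon", "initial_access", "lateral"):
        g.add_entity(p, "attack_pattern")
    for b, pattern, vuln, target in (("port_scan", "recon", None, "dmz"),
                                     ("web_exploit", "initial_access", "VULN-A", "web-01"),
                                     ("lateral_movement", "lateral", "VULN-B", "db-01"),
                                     ("data_exfiltration", "lateral", "VULN-C", "db-01")):
        g.add_entity(b, "attack_behavior")
        g.add_relation(b, "belongs_to", pattern)
        g.add_relation(b, "targets", target)
        if vuln:
            g.add_relation(b, "exploits", vuln)
    g.add_entity("decoy_web", "honeynet_strategy", node={"web-hp": "start decoy web app"},
                 topology={"web-hp": "online"}, rule={"allow": "dmz -> web-hp:80"})
    g.add_relation("decoy_web", "deals_with", "web_exploit")
    g.add_relation("decoy_web", "issued_to", "dmz")
    g.add_entity("fake_subnet", "honeynet_strategy", node={"db-hp": "start decoy db"},
                 topology={"db-hp": "link to web-01"}, rule={"allow": "web-01 -> db-hp:3306"})
    g.add_relation("fake_subnet", "deals_with", "lateral")   # deals with the whole pattern
    g.add_relation("fake_subnet", "issued_to", "db-01")
    for chain, times in ((["port_scan", "web_exploit", "lateral_movement", "data_exfiltration"], 3),
                         (["port_scan", "web_exploit", "data_exfiltration"], 1),
                         (["port_scan", "lateral_movement"], 1),
                         (["lateral_movement", "web_exploit"], 2)):  # constructed chains; last one forms a loop
        for _ in range(times):
            g.observe_chain(chain)
    return g


if __name__ == "__main__":
    g = build_demo_graph()
    print(g.predict_next(["port_scan", "web_exploit", "lateral_movement"]))
```

On the constructed data, an attacker seen doing `port_scan -> web_exploit -> lateral_movement` is predicted to move to `data_exfiltration` even though `lateral_movement -> web_exploit` is the more frequent and higher-CVSS transition, because `web_exploit` is already in the chain and following it would loop; the graph search then returns `fake_subnet`, which deals with the `lateral` pattern rather than with any single behavior, and the configuration carries its node, topology and rule policies plus the `db-01` target it is issued to.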
Example 2
This embodiment provides a method for dynamically configuring a honeynet, comprising the following steps:
generating a honeynet dynamic configuration strategy by the generation method of Example 1;
dynamically configuring the attributes of the honeynet and of each honeypot node in it according to the generated honeynet dynamic configuration strategy, so that the state of the honeynet meets the current security situation requirement and the camouflage effect is achieved.
Preferably, the method further comprises: acquiring the dynamically configured honeynet data, feeding them back into the security knowledge graph, and iteratively correcting the security knowledge graph.
Example 3
This embodiment provides a computer-readable storage medium storing a computer program which, when loaded by a processor, implements the method for generating a honeynet dynamic configuration strategy according to Example 1.
Example 4
This embodiment provides a computer-readable storage medium storing a computer program which, when loaded by a processor, implements the method for dynamically configuring a honeynet according to Example 2.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It is understood that the same or similar parts in the above embodiments may be mutually referred to, and the same or similar parts in other embodiments may be referred to for the content which is not described in detail in some embodiments.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
The technical scheme of the invention collects situation information from the service network and the honeynet in real time, performs correlation analysis and feature extraction on the collected multi-dimensional network situation information based on the constructed security knowledge graph, and uses the extracted features to guide the dynamic configuration of honeynet attributes such as the honeynet topology, the types and versions of the application services deployed in the honeynet, and the operating system versions of the honeynet nodes, thereby improving the intelligence of the honeynet and its ability to disguise itself and lure attackers. Based on the features extracted through the knowledge graph, different inducement strategies can be adopted for different types of network attack, which increases the flexibility of the dynamic honeynet and its ability to trap attackers actively: the honeynet keeps inducing the attacker to go deeper while remaining hard for the attacker to detect, so that delay, deception, attribution and evidence collection are achieved and the real target system is protected from attack.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.

Claims (10)

1. A method for generating a honeynet dynamic configuration strategy, characterized in that it comprises the following steps:
constructing a security knowledge graph that contains honeynet dynamic configuration strategies;
acquiring state and event information from a service network and a honeynet;
sensing a security situation based on the security knowledge graph and the acquired state and event information, and predicting the next attack behavior;
and obtaining a honeynet dynamic configuration strategy based on the security knowledge graph and the predicted next attack behavior.
2. The method for generating a honeynet dynamic configuration strategy according to claim 1, characterized in that the honeynet dynamic configuration strategy comprises a node strategy, a topology strategy and a rule strategy;
the node strategy is used to control the running state of the application service on each node in the honeynet; the topology strategy is used to control which honeypot nodes in the honeynet are online and how they are interconnected; the rule strategy is used to adjust the access control rules within the honeynet.
3. The method for generating a honeynet dynamic configuration strategy according to claim 1 or 2, characterized in that constructing the security knowledge graph containing honeynet dynamic configuration strategies comprises the following steps:
performing data extraction on network security data to construct a knowledge graph database;
constructing, based on the knowledge graph database, a knowledge graph structure model containing six types of entities and the relations among them, and thereby establishing the security knowledge graph; the six types of entities are nodes, network systems, vulnerabilities, attack behaviors, attack patterns and honeynet strategies.
4. The method for generating a honeynet dynamic configuration strategy according to claim 3, characterized in that the network security data comprise external security knowledge, service network data and honeynet basic data;
vulnerability information is extracted from the external security knowledge; node information and attack log information are extracted from the service network data and the honeynet basic data.
5. The method according to claim 3, characterized in that the relations among the six types of entities comprise: a node forms a network system; a network system has a vulnerability; a node has a vulnerability; an attack behavior targets a node; an attack behavior targets a network system; an attack behavior exploits a vulnerability; an attack behavior belongs to an attack pattern; a honeynet strategy deals with an attack behavior; a honeynet strategy deals with an attack pattern; a honeynet strategy is issued to a node; and a honeynet strategy is issued to a network system.
6. The method for generating a honeynet dynamic configuration strategy according to claim 1 or 2, characterized in that sensing the security situation based on the security knowledge graph and the acquired state and event information, and predicting the next attack behavior, specifically comprises:
extracting, based on the security knowledge graph, the entity information identified in the security knowledge graph from the acquired state and event information;
extracting a graph model representing the situation information based on the extracted entity information and the structure of the security knowledge graph;
mapping the extracted graph models of different dimensions into the same vector space by a graph embedding algorithm, evaluating the overall threat and thereby perceiving the security situation;
and finding the real threat behavior in the network from the graph model with the greatest contribution to the overall situation, and predicting the next attack behavior by Bayesian analysis of transition probabilities in combination with the security knowledge graph.
7. The method for generating a honeynet dynamic configuration strategy according to claim 1 or 2, characterized in that obtaining the honeynet dynamic configuration strategy based on the security knowledge graph and the predicted next attack behavior specifically comprises:
finding, by a graph search algorithm over the security knowledge graph, the honeynet strategy entity corresponding to the predicted next attack behavior;
and obtaining the honeynet dynamic configuration strategy from the honeynet strategy entity found.
8. A method for dynamically configuring a honeynet, characterized in that it comprises the following steps:
generating a honeynet dynamic configuration strategy by the method for generating a honeynet dynamic configuration strategy according to any one of claims 1 to 7;
and dynamically configuring the attributes of the honeynet and of each honeypot node in the honeynet according to the generated honeynet dynamic configuration strategy.
9. The method for dynamically configuring a honeynet according to claim 8, further comprising:
acquiring the dynamically configured honeynet data, feeding them back into the security knowledge graph, and iteratively correcting the security knowledge graph.
10. A computer-readable storage medium storing a computer program which, when loaded by a processor, carries out the method according to any one of claims 1 to 9.
CN202111633998.5A 2021-12-29 2021-12-29 Honey net dynamic configuration strategy generation method, configuration method and storage medium Active CN114499982B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111633998.5A CN114499982B (en) 2021-12-29 2021-12-29 Honey net dynamic configuration strategy generation method, configuration method and storage medium

Publications (2)

Publication Number Publication Date
CN114499982A true CN114499982A (en) 2022-05-13
CN114499982B CN114499982B (en) 2023-10-17

Family

ID=81496523

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111633998.5A Active CN114499982B (en) 2021-12-29 2021-12-29 Honey net dynamic configuration strategy generation method, configuration method and storage medium

Country Status (1)

Country Link
CN (1) CN114499982B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060101516A1 (en) * 2004-10-12 2006-05-11 Sushanthan Sudaharan Honeynet farms as an early warning system for production networks
CN112422537A (en) * 2020-11-06 2021-02-26 广州锦行网络科技有限公司 Behavior prediction method of network attack knowledge graph generated based on honeypot actual combat
CN112491892A (en) * 2020-11-27 2021-03-12 杭州安恒信息安全技术有限公司 Network attack inducing method, device, equipment and medium
CN113691550A (en) * 2021-08-27 2021-11-23 西北工业大学 Behavior prediction system of network attack knowledge graph
CN113783896A (en) * 2021-11-10 2021-12-10 北京金睛云华科技有限公司 Network attack path tracking method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王硕: "面向多阶段渗透攻击的网络欺骗防御方法研究", 《中国博士学位论文全文数据库信息科技辑》 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114978731A (en) * 2022-05-30 2022-08-30 北京计算机技术及应用研究所 Honey trapping implementation system and method based on diversity expansion
CN115242438A (en) * 2022-06-15 2022-10-25 国家计算机网络与信息安全管理中心 Potential victim group positioning method based on heterogeneous information network
CN115242438B (en) * 2022-06-15 2023-09-01 国家计算机网络与信息安全管理中心 Potential victim group positioning method based on heterogeneous information network
CN117040926A (en) * 2023-10-08 2023-11-10 北京网藤科技有限公司 Industrial control network security feature analysis method and system applying knowledge graph
CN117040926B (en) * 2023-10-08 2024-01-26 北京网藤科技有限公司 Industrial control network security feature analysis method and system applying knowledge graph
CN118101332A (en) * 2024-04-22 2024-05-28 广州大学 Self-adaptive honey point deployment method based on attack graph
CN118101332B (en) * 2024-04-22 2024-07-09 广州大学 Self-adaptive honey point deployment method based on attack graph

Also Published As

Publication number Publication date
CN114499982B (en) 2023-10-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant