CN114499982B - Honey net dynamic configuration strategy generation method, configuration method and storage medium - Google Patents


Info

Publication number: CN114499982B (application CN202111633998.5A)
Authority: CN (China)
Prior art keywords: network, honey, knowledge graph, honeynet, dynamic configuration
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114499982A (en)
Inventors: 郑敏娇, 马宇峰, 吴波, 杨勤泗, 李然, 张晓�, 孟进
Current assignee: National University of Defense Technology
Original assignee: National University of Defense Technology
Application filed by National University of Defense Technology
Priority to CN202111633998.5A
Publication of CN114499982A
Application granted
Publication of CN114499982B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/36 Creation of semantic tools, e.g. ontology or thesauri
    • G06F16/367 Ontology
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G06F16/9024 Graphs; Linked lists
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Abstract

The application discloses a honeynet dynamic configuration strategy generation method, a configuration method and a storage medium. The generation method comprises the following steps: constructing a security knowledge graph containing honeynet dynamic configuration strategies; acquiring state and event information from the service network and the honeynet; perceiving the security situation and predicting the next attack behavior based on the security knowledge graph and the acquired state and event information; and obtaining a honeynet dynamic configuration strategy based on the security knowledge graph and the predicted next attack behavior. Based on the features extracted by the knowledge graph, different inducement strategies can be adopted for different types of network attacks, which improves the flexibility of the dynamic honeynet and its ability to actively trap an attacker, makes the honeynet harder for the attacker to discover, and at the same time continuously induces the attacker to attack more deeply, thereby achieving delay, luring, tracing, evidence collection and the like, and protecting the real target system from attack.

Description

Honeynet dynamic configuration strategy generation method, configuration method and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method for generating a dynamic configuration policy of a honeynet, a configuration method, and a storage medium.
Background
The knowledge graph is an important direction in the development of artificial intelligence and mainly addresses the problem of cognitive intelligence. It was formally proposed by Google on 17 May 2012, initially to optimize Google's search capability and improve search quality and user experience. A knowledge graph can be used to realize semantic understanding and also reflects the interrelationships among entities. In essence, a knowledge graph is defined as "a semantic network that reveals relationships between entities". It consists of pieces of knowledge; the knowledge-forming process comprises three steps, knowledge extraction, knowledge representation and knowledge fusion, and each piece of knowledge can be represented as an SPO (Subject-Predicate-Object) triple. Knowledge graphs have been used in many places, including intelligent search, deep question answering, social networks and the like, and many expert scholars are continually exploring their use in other emerging fields. The security knowledge graph is the practical application of the knowledge graph in the network security field; it comprises a security knowledge ontology architecture constructed on the basis of ontologies, and a structured, intelligent security-domain knowledge base formed by processing and integrating multi-source heterogeneous network security information through threat modeling and similar means.
Representative foreign work is the STUCCO project proposed by Stenfu university, which aims to construct a network threat information platform based on a knowledge graph and provides an automatic network security entity labeling method, a supervised entity extraction method based on labeling of a security-related corpus, a network security entity relation extraction method combining semi-supervised natural language processing with a bootstrapping algorithm, a security knowledge graph ontology construction method based on network threat information, and a graphPrints analysis method based on network anomaly detection. Domestic research on network security knowledge graphs followed closely: Gu Yan et al. propose a network security knowledge graph construction method based on conditional random fields and a relationship deduction method based on five-tuples; Dou Lili, starting from the graph construction process, provides a novel entity extraction method aimed at the fact that a large part of the vocabulary in the network security field mixes Chinese and English, with good results.
A honeynet system serves as a highly controllable attack decoy and analysis network: by simulating a real network environment it draws the attacker into attacking the honeynet, protects the security of real hosts, captures the attacker's behavior, and then analyzes the captured information to obtain information about the attacker and the attack techniques used, thereby discovering the attacker's intent. Most early honeynets are based on static configuration and cannot dynamically adjust their attributes when the network situation changes, which greatly limits the honeynet's ability to deceive an attacker. To improve its deception capability, a honeynet should be able to adjust its attributes in real time according to the network situation, so dynamic configuration strategies are increasingly becoming the direction of optimization in honeynet development. Hecher et al. propose a method for automatically deploying a honeynet in a dynamic network: it monitors network traffic by combining active and passive detection techniques, scans for traffic changes using configuration files stored in advance in a data table, distinguishes scenarios on the basis of those changes, and determines under what conditions to create the honeynet or limit scanning bandwidth.
Fan et al. provide a flexible, diversified virtual honeynet management architecture for the problem that deployments of different honeynets lack a unified management platform; the architecture can adapt to changes in the network environment and dynamically creates configuration files to generate and manage virtual honeynets, and the tool can effectively use various heterogeneous honeypots for automatic deployment, but suffers from complex deployment, difficult migration and similar problems. Fraunholz D et al. provide a machine-learning-based strategy for dynamic honeypot configuration, deployment and maintenance, addressing the problem that current honeypots must be deployed and maintained manually by an administrator; it takes the identification mechanism of each device in the network as a feature and realizes automatic configuration and maintenance of honeypots through a clustering algorithm, though the method has strong subjectivity and randomness. Seungwon et al. propose a Software Defined Honeynet (SDH) based on the ideas of SDN, which can discover link bottlenecks by calculating the relevant parameters of each link in the honeynet and dynamically adjusts the honeynet topology using an SDN controller, so that a dynamically generated false topology can be presented to an attacker in the honeynet. Dan Leyi, Jiang Lanlan et al. propose using game theory to analyze the strategies and payoffs of attacker and defender in a honeypot decoy model, propose improving the active decoy capability of honeypots, and provide theoretical support for constructing honeypot decoy systems based on the active defense concept.
Akiyama M, Yagi T, Yada T et al. propose a honeypot-based malicious URL redirection detection system, specifically used to detect and track malicious URL redirection behavior; after detecting an attack it can dynamically generate corresponding defense strategies according to the behavioral characteristics of the malicious user and thus adjust the honeypot's access control rules.
These honeynet dynamic configuration schemes can adjust the state of the honeynet based on observed service network state information, and they address aspects such as the honeynet's traffic control mechanism and topology construction, thereby effectively improving the honeynet's camouflage and decoy capabilities.
However, existing honeynet dynamic configuration schemes focus on the dynamic configuration of the honeynet topology and access rules and lack dynamic configuration of the attributes of the honeypot nodes in the honeynet; they mine network situation information in one particular aspect, do not perform real-time association analysis of network situation information across multiple dimensions, and lack reliable means of predicting the network security situation, so the intelligence and dynamics of existing honeynet technical schemes are insufficient. The lack of dynamic configuration of honeypot node attributes makes the honeynet more likely to hit a bottleneck when facing host-level network attacks; because the network security situation is difficult to judge accurately, it is difficult for the honeynet system to effectively contain an attacker through dynamic configuration and to collect information about the attacker's behavior, and the honeynet may even be disabled. The honeynet's ability to deceive an attacker is therefore severely limited.
The inventors find that, although knowledge graph technology is still at an early stage in research work in the network security field, its relationship-based reasoning capacity and efficient analysis and response capacity have played a great role in other fields, so generating honeynet dynamic configuration strategies on the basis of a knowledge graph can effectively solve the above problem.
Disclosure of Invention
The application provides a honeynet dynamic configuration strategy generation method, a honeynet dynamic configuration method and a storage medium, which are used to solve the problems that the intelligence and dynamics of existing honeynet dynamic configuration schemes are insufficient and that the honeynet's ability to deceive an attacker is severely limited.
In a first aspect, a method for generating a dynamic configuration strategy of a honeynet is provided, including:
constructing a security knowledge graph containing honeynet dynamic configuration strategies;
acquiring state and event information from the service network and the honeynet;
perceiving the security situation and predicting the next attack behavior based on the security knowledge graph and the acquired state and event information;
and obtaining a honeynet dynamic configuration strategy based on the security knowledge graph and the predicted next attack behavior.
Further, the honeynet dynamic configuration strategy comprises a node strategy, a topology strategy and a rule strategy;
the node strategy is used to control the running state of the application services of each node in the honeynet; the topology strategy is used to control which honeypot nodes in the honeynet are online and how they are interconnected; the rule strategy is used to adjust access control rules within the honeynet.
Further, the process of constructing the security knowledge graph containing honeynet dynamic configuration strategies comprises the following steps:
extracting network security data to construct a knowledge graph database;
constructing, based on the knowledge graph database, a knowledge graph structure model containing six types of entities and the relationships among them, and establishing the security knowledge graph; the six types of entities are nodes, network systems, vulnerabilities, attack behaviors, attack modes and honeynet strategies.
Further, the network security data comprises external security knowledge, service network data and honeynet basic data;
vulnerability information is extracted from the external security knowledge, and node information and attack log information are extracted from the service network data and the honeynet basic data.
Further, the relationships between the six types of entities include: nodes form a network system, vulnerabilities exist in nodes, an attack behavior targets a network system, an attack behavior exploits a vulnerability, an attack behavior belongs to an attack mode, a honeynet strategy copes with an attack behavior, a honeynet strategy copes with an attack mode, a honeynet strategy is issued to nodes, and a honeynet strategy is issued to a network system.
Further, the step of perceiving the security situation and predicting the next attack behavior based on the security knowledge graph and the acquired state and event information specifically includes:
extracting, from the acquired state and event information and according to the security knowledge graph, the entity information identified in the security knowledge graph;
extracting a graph model representing the situation information based on the extracted entity information and the structure of the security knowledge graph;
mapping the extracted graph models of different dimensions into the same vector space using a graph embedding algorithm and evaluating the overall threat, thereby perceiving the security situation;
and, based on the graph model with the greatest contribution to the overall situation, finding the real threat behavior in the network, analyzing the transition probabilities in combination with the security knowledge graph, and predicting the next attack behavior.
Further, obtaining the honeynet dynamic configuration strategy based on the security knowledge graph and the predicted next attack behavior specifically includes:
finding, using a graph search algorithm on the security knowledge graph, the honeynet strategy entity that copes with the predicted next attack behavior;
and obtaining the honeynet dynamic configuration strategy from the honeynet strategy entity found.
In a second aspect, a method for dynamically configuring a honeynet is provided, including:
generating a honeynet dynamic configuration strategy using the honeynet dynamic configuration strategy generation method described above;
and dynamically configuring the honeynet and the attributes of each honeypot node in the honeynet according to the generated honeynet dynamic configuration strategy.
Further, the method further comprises the following step:
acquiring the honeynet data after dynamic configuration, feeding the honeynet data back into the security knowledge graph, and iteratively correcting the security knowledge graph.
In a third aspect, a computer readable storage medium is provided, storing a computer program which, when loaded by a processor, implements the honeynet dynamic configuration strategy generation method described above.
In a fourth aspect, a computer readable storage medium is provided, storing a computer program which, when loaded by a processor, implements the honeynet dynamic configuration method described above.
Compared with the prior art, the application has the following advantages:
Existing honeynet dynamic configuration schemes mine network situation information in one particular aspect to guide the dynamic configuration of the honeynet and do not perform real-time association analysis of network situation information across multiple dimensions, so the intelligence and dynamics of existing honeynet technical schemes are insufficient and the honeynet's ability to deceive an attacker is severely limited. At the same time, network situation data comes from many sources and has complex relationships; when traditional data mining and attack analysis means are used to process it, the complex association relationships are difficult to handle, which is a great limitation and keeps the upper bound of the honeynet's intelligence low.
In addition, existing honeynet dynamic configuration strategies are mainly applied to the initial deployment of the honeynet, configuring a honeynet system attached to the service network; after the honeynet captures an attack, no relevant dynamic configuration strategy has been studied to induce the attacker in real time according to the attacker's behavior, so flexibility is limited and the honeynet has difficulty coping with more complex network security conditions and more experienced attackers.
The technical scheme of the application collects situation information from the service network and the honeynet in real time and, based on the constructed security knowledge graph, performs association analysis and feature extraction on the collected multi-dimensional network situation information; the extracted features guide the dynamic configuration of each attribute of the honeynet, improving the honeynet's intelligence and camouflage capability. Based on the features extracted by the knowledge graph, different inducement strategies can be adopted for different types of network attacks, which improves the flexibility of the dynamic honeynet and its ability to actively trap an attacker, makes the honeynet harder for the attacker to discover, and at the same time continuously induces the attacker to attack more deeply, thereby achieving delay, luring, tracing, evidence collection and the like, and protecting the real target system from attack.
Drawings
In order to illustrate the embodiments of the application or the technical solutions of the prior art more clearly, the drawings required in the embodiments or the description of the prior art are briefly described below. It is obvious that the drawings in the following description are only some embodiments of the application, and that a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flowchart of a method for generating a dynamic configuration strategy of a honeynet provided by an embodiment of the application;
FIG. 2 is a schematic diagram of a knowledge graph structure model according to an embodiment of the present application;
FIG. 3 is a schematic diagram of vulnerability information after formatting according to an embodiment of the present application;
FIG. 4 is a schematic diagram of an attack event after formatting according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the technical solutions of the present application are described in detail below. It will be apparent that the described embodiments are only some, not all, of the embodiments of the application. All other embodiments obtained on the basis of the examples herein fall within the scope of the application as defined by the claims.
Example 1
As shown in FIG. 1 and FIG. 2, the present embodiment provides a method for generating a dynamic configuration strategy of a honeynet, including:
S1: constructing a security knowledge graph containing honeynet dynamic configuration strategies.
Specifically, the security knowledge graph constructed by the application is a knowledge graph of the network security field oriented to honeynet configuration, and involves a six-dimensional ontology, namely:
G = <EN, EW, V, AT, AM, S>
comprising a node dimension EN, a network dimension EW, a vulnerability dimension V, an attack behavior dimension AT, an attack mode dimension AM, a honeynet strategy dimension S, and a set R of relationships among the dimensions. The node dimension uses the IP address as its unique primary key, records content such as deployed services, installed software, open ports, operating system and discovered vulnerabilities, and adds it to the graph as the nodes of the network topology; the network dimension uses the entry IP as its unique primary key, records content such as the IPs of interconnected nodes and node access rules, and adds it to the graph as the edges of the network topology; the vulnerability dimension comprises information such as the category, release time and CVE number of each vulnerability; the attack behavior dimension mainly records the attack events in the network environment, including early-warning log information from attack detection systems such as the network firewall and the IDS intrusion detection system and from the honeynet, with content including attacker IP, attacked IP, attack time and exploited vulnerability type; the attack mode dimension mainly records the dependency and time-sequence relationships between attack behaviors; the honeynet strategy dimension records the honeynet configuration strategies adopted to cope with attacks, including attack behaviors and modes, and information such as the honeynet topology, node composition, and the services, software and systems deployed on the nodes, and is mainly expressed in an extensible markup language (XML).
The security knowledge graph is constructed and expanded according to a data extraction and graph construction flow.
The data extraction sources include external security knowledge, service network data and honeynet basic data. The external security knowledge mainly comprises security information represented by NVD, CVE, CNVD, CNNVD and the like, security information represented by secure guests and FreeBuf, security forums similar to CSDN and bloggery, and the like. The stored data generally exist in unformatted form, so they are crawled by a crawler and then formatted when extracted; FIG. 3 shows the formatted vulnerability information.
At the same time, node information and attack log information need to be extracted from the service network data and the honeynet basic data. Attack events mainly depend on attack detection reports, network firewall and IDS intrusion detection system reports, and security event records consisting mainly of node user application logs; these security event records need to be formatted into the attack event list shown in FIG. 4 in preparation for generating the knowledge graph.
A knowledge graph database is constructed from the extracted data; graph construction mainly consists of fusing and reasoning over the formatted data in the knowledge graph database to realize association analysis of the information and store it in a structured security-domain knowledge base. In this embodiment, as shown in FIG. 2, a knowledge graph structure model containing six types of entities and eleven types of relationships between them is constructed based on the knowledge graph database, and the security knowledge graph is established. The six types of entities are nodes, network systems, vulnerabilities, attack behaviors, attack modes and honeynet strategies; the relationships between the entities include: nodes form a network system, vulnerabilities exist in nodes, an attack behavior targets a network system, an attack behavior exploits a vulnerability, an attack behavior belongs to an attack mode, a honeynet strategy copes with an attack behavior, a honeynet strategy copes with an attack mode, a honeynet strategy is issued to nodes, and a honeynet strategy is issued to a network system.
In constructing the security knowledge graph, the explicit association relationships of entities are usually relatively easy to determine; for example, association discovery can be completed by aligning the indicated relationships among entities such as IPs, ports, network segments, alarms, files and logs, while implicit relationships are resolved by more complex data mining methods. FIG. 2 shows the security knowledge graph structure model specifically constructed in this embodiment, where a square indicates a specific category and a circle indicates a specific entity node in the graph. Solid lines represent the relationships between classes, and dotted lines represent the attributes of an entity node and some association relationships among those attributes.
After the security knowledge graph structure model is built, the data is written to the database using a composite storage method that combines a traditional database and a graph database. For example, the security information is stored in a MySQL database, and the entities and relationships of the security knowledge graph are stored in a Neo4j graph database.
After the security knowledge graph is initially constructed, it should be further corrected, for example by combining the Common Vulnerability Scoring System (CVSS) with the threat transfer probabilities between preceding and subsequent attack behaviors in a Bayesian analysis graph, and resolving threat transfer loops among multiple nodes, to obtain the final security knowledge graph. During use, the security knowledge graph should be updated and corrected as the data continue to iterate.
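The following is an added example, not code from the patent or its applicant, illustrating the graph construction of S1 (and the same steps in the summary above): a security knowledge graph kept as SPO triples over the entity types the page names, built from constructed, already formatted vulnerability and attack-event records in the shape FIG. 3 and FIG. 4 imply, then corrected by weighting threat transfer between nodes with CVSS scores and breaking transfer loops. The records, ids, addresses, relation names and the scoring rule (CVSS base score of the exploited vulnerability divided by 10) are all assumptions.

```python
"""Added example, not the patent's own code: a minimal security knowledge graph
kept as Subject-Predicate-Object triples, built from constructed, already
formatted vulnerability and attack-event records, then corrected as S1
describes: threat transfer between nodes is weighted with CVSS scores and
transfer loops are broken.  Every record, id, address and the scoring rule
below is an assumption."""
from collections import defaultdict

# Constructed, formatted vulnerability information (fictional CVE ids/scores).
VULNS = [
    {"id": "CVE-0000-0001", "node": "10.0.0.5", "category": "rce", "cvss": 9.8},
    {"id": "CVE-0000-0002", "node": "10.0.0.7", "category": "priv-esc", "cvss": 7.8},
    {"id": "CVE-0000-0003", "node": "10.0.0.9", "category": "info-leak", "cvss": 5.3},
]
# Constructed, formatted attack events: attacker IP, attacked IP, time,
# exploited vulnerability and the attack-mode label assigned by the sensor.
EVENTS = [
    {"id": "AT1", "src": "203.0.113.9", "dst": "10.0.0.5", "t": 1, "vuln": "CVE-0000-0001", "mode": "initial-access"},
    {"id": "AT2", "src": "10.0.0.5", "dst": "10.0.0.7", "t": 2, "vuln": "CVE-0000-0002", "mode": "lateral-movement"},
    {"id": "AT3", "src": "10.0.0.7", "dst": "10.0.0.9", "t": 3, "vuln": "CVE-0000-0003", "mode": "collection"},
    {"id": "AT4", "src": "10.0.0.9", "dst": "10.0.0.5", "t": 4, "vuln": "CVE-0000-0001", "mode": "lateral-movement"},
]
NETWORK = "EW-10.0.0.1"   # network-system entity keyed by its entry IP (assumed)


def build_graph(vulns, events, network):
    """Return the set of (subject, predicate, object) triples linking five of
    the six entity types: node, network system, vulnerability, attack
    behaviour and attack mode.  Honeynet strategies are attached elsewhere."""
    triples = set()
    for v in vulns:
        triples.add((v["node"], "forms", network))        # node -> network system
        triples.add((v["id"], "exists_in", v["node"]))     # vulnerability -> node
    for e in events:
        triples.add((e["id"], "targets", network))         # attack -> network system
        triples.add((e["id"], "exploits", e["vuln"]))      # attack -> vulnerability
        triples.add((e["id"], "belongs_to", e["mode"]))    # attack -> attack mode
    # Attack-mode dimension (dependency + time order): A precedes B when B is
    # launched from the host A compromised and happens later.
    for a in events:
        for b in events:
            if b["t"] > a["t"] and b["src"] == a["dst"]:
                triples.add((a["id"], "precedes", b["id"]))
    return triples


def objects(triples, subject, predicate):
    """Sorted objects o for which (subject, predicate, o) is in the graph."""
    return sorted(o for s, p, o in triples if s == subject and p == predicate)


def transfer_probabilities(triples, vulns, events):
    """Assumed correction rule: threat transfers from the attacker's host to
    the attacked node with probability CVSS(exploited vulnerability)/10; the
    strongest observed transfer is kept per (source, target) pair."""
    cvss = {v["id"]: v["cvss"] for v in vulns}
    probs = {}
    for e in events:
        vuln = objects(triples, e["id"], "exploits")[0]
        key = (e["src"], e["dst"])
        probs[key] = max(probs.get(key, 0.0), cvss[vuln] / 10.0)
    return probs


def find_cycle(probs):
    """Depth-first search; return the edges of one transfer loop, or None."""
    succ = defaultdict(list)
    for a, b in probs:
        succ[a].append(b)
    state, stack = {}, []

    def visit(n):
        state[n] = "active"
        stack.append(n)
        for m in succ[n]:
            if state.get(m) == "active":          # back edge closes a loop
                loop = stack[stack.index(m):] + [m]
                return list(zip(loop, loop[1:]))
            if m not in state:
                found = visit(m)
                if found:
                    return found
        stack.pop()
        state[n] = "done"
        return None

    for n in list(succ):
        if n not in state:
            found = visit(n)
            if found:
                return found
    return None


def break_loops(probs):
    """Drop the weakest edge of every loop so the transfer graph becomes a DAG,
    which a Bayesian analysis of threat transfer requires."""
    probs = dict(probs)
    while (cycle := find_cycle(probs)) is not None:
        del probs[min(cycle, key=lambda edge: probs[edge])]
    return probs


if __name__ == "__main__":
    kg = build_graph(VULNS, EVENTS, NETWORK)
    print(sorted(kg))
    print(break_loops(transfer_probabilities(kg, VULNS, EVENTS)))
```

With the constructed events the nodes 10.0.0.5, 10.0.0.7 and 10.0.0.9 form a transfer loop; the rule removes the weakest edge (10.0.0.7 to 10.0.0.9, scored 0.53) and keeps the rest, which is the kind of loop resolution the correction step describes. The relation names are stand-ins for the nine relationships listed above; a production graph would store them in the Neo4j database the page mentions rather than in a Python set.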
S2: and acquiring state and event information in the service network and the honey network. Various states and event information in the business network and the honey network can be sensed and collected by arranging some sensors in the business network and the honey network.
S3: based on the safety knowledge graph and the acquired state and event information, the safety situation is perceived, and the next attack behavior is predicted.
The method specifically comprises the following steps:
s31: and extracting the model entity. And extracting entity information identified in the security knowledge graph from the acquired state and event information according to the security knowledge graph, wherein the entity information comprises node information, vulnerability information, attack behavior information and the like.
S32: and constructing a model for representing the situation. The information is derived from different sensors, and the relevance is unknown, so that the relevance is required to be discovered according to the safety knowledge graph, and a graph model for representing situation information is extracted based on the extracted entity information and the structure of the safety knowledge graph.
S33: and perceiving a security situation. When the security situation is perceived, as a large amount of data is generated by the different perceptrons, real threat behaviors are found from a large amount of information, and the graph models of different dimensions extracted in the previous step are mapped into the same vector space by adopting a graph embedding algorithm, so that the whole threat is evaluated, and the perceived security situation is realized.
S34: attack prediction. In the process of perceiving the security situation in the previous step, the threat degree weight of a certain node in the security knowledge graph can be calculated, so that a graph model with the largest contribution degree to the overall situation can be found, the real threat behavior in the network can be found, and the next attack behavior can be predicted by adopting Bayesian analysis of transition probability in combination with the contents such as attack modes in the security knowledge graph.
S4: and obtaining a honey network dynamic configuration strategy based on the safety knowledge graph and the predicted next attack behavior.
The honey network dynamic configuration strategy is a strategy for guiding the honey network and the state adjustment of each honey pot node in the honey network, and when the honey network dynamic configuration strategy is generated, a honey network strategy entity for coping with the next attack action is found by adopting a graph searching algorithm based on a safety knowledge graph and the predicted next attack action; and obtaining a honey network dynamic configuration strategy based on the found honey network strategy entity. The honey network dynamic configuration strategy comprises a node strategy, a topology strategy and a rule strategy; the node strategy is used for controlling the running state of each node application service in the honey network; the topology strategy is used for controlling the on-line and interconnection conditions of the honey pot nodes in the honey network; the rule policy is used to adjust access control rules within the honeynet.
Example 2
This embodiment provides a honeynet dynamic configuration method, which comprises the following steps:
generating a honeynet dynamic configuration strategy by the honeynet dynamic configuration strategy generation method described in embodiment 1;
dynamically configuring the honeynet and the attributes of each honeypot node in the honeynet according to the generated strategy, so that the state of the honeynet meets the requirements of the current security situation and the camouflage effect is achieved.
Preferably, the method further comprises: acquiring the honeynet data after dynamic configuration, feeding the data back to the security knowledge graph, and iteratively correcting the security knowledge graph.
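The following Python block is an added example (not the patent's own code) that walks through sub-steps S31 to S34, the policy lookup of S4 and the configuration step of this embodiment on one constructed data set: a small security knowledge graph over the six entity types and the relation types listed in claim 4, a transition table between attack behaviors, a handful of sensor events from the service network and the honeynet, and the node/topology/rule contents of two honeynet policy entities. All names, scores and policy contents are constructed. The patent's S33 uses a graph embedding; the example replaces it with a one-hop weight propagation, which is a deliberate simplification, not the patent's method.

```python
"""Situation perception, next-attack prediction and honeynet policy application
over a security knowledge graph (added example with constructed data)."""
from collections import defaultdict

# Constructed security knowledge graph as (head, relation, tail) triples over the six
# entity types the patent names (node, network system, vulnerability, attack behavior,
# attack pattern, honeynet policy), using the relation types of claim 4.
KG = [
    ("web01", "forms", "dmz_net"), ("db01", "forms", "core_net"),
    ("vuln_A", "located_in", "web01"), ("vuln_B", "located_in", "db01"),
    ("web_rce", "targets", "dmz_net"), ("web_rce", "exploits", "vuln_A"),
    ("web_rce", "belongs_to", "initial_access"),
    ("lateral_db", "targets", "core_net"), ("lateral_db", "exploits", "vuln_B"),
    ("lateral_db", "belongs_to", "lateral_movement"),
    ("exfil", "belongs_to", "exfiltration"),
    ("policy_decoy_db", "copes_with", "lateral_db"),
    ("policy_decoy_db", "delivered_to", "core_net"),
    ("policy_fake_share", "copes_with", "exfiltration"),   # copes with a pattern
    ("policy_fake_share", "delivered_to", "core_net"),
]
ENTITIES = {h for h, _, _ in KG} | {t for _, _, t in KG}
ATTACKS = {h for h, r, _ in KG if r == "belongs_to"}       # attack behavior entities

# Constructed P(rear | front) between attack behaviors, as the CVSS-based correction
# of S1 would produce (values made up for the example).
TRANSITIONS = {"web_rce": {"lateral_db": 0.6, "persistence": 0.4},
               "lateral_db": {"exfil": 0.7, "persistence": 0.3}}

# Constructed contents of the honeynet policy entities: node, topology and rule parts.
POLICY_CONTENT = {
    "policy_decoy_db": {
        "node": {"hp_db": {"service": "mysql", "state": "running"}},
        "topology": {"hp_db": {"online": True, "segment": "core_net"}},
        "rule": [{"from": "dmz_net", "to": "hp_db", "port": 3306, "action": "allow"}]},
    "policy_fake_share": {
        "node": {"hp_fs": {"service": "smb", "state": "running"}},
        "topology": {"hp_fs": {"online": True, "segment": "core_net"}},
        "rule": [{"from": "core_net", "to": "hp_fs", "port": 445, "action": "allow"}]},
}


def extract_entities(events):
    """S31: keep only event fields whose value names a knowledge-graph entity."""
    return [(ev[k], ev["score"]) for ev in events
            for k in ("host", "signature", "vuln") if ev.get(k) in ENTITIES]


def situation_graph(entities):
    """S32: the knowledge-graph edges that touch any extracted entity."""
    names = {e for e, _ in entities}
    return [tr for tr in KG if tr[0] in names or tr[2] in names]


def threat_weights(entities):
    """S33, simplified: sum event scores per entity, then propagate each score one
    hop to its knowledge-graph neighbours at half weight (stand-in for embedding)."""
    base = defaultdict(float)
    for name, score in entities:
        base[name] += score
    total = dict(base)
    for h, _, t in situation_graph(entities):
        if h in base:
            total[t] = total.get(t, 0.0) + base[h] / 2
        if t in base:
            total[h] = total.get(h, 0.0) + base[t] / 2
    return total


def predict_next_attack(weights):
    """S34: the heaviest attack behavior is taken as the real threat; its most
    probable successor in the transition table is the predicted next behavior."""
    current = max(ATTACKS, key=lambda a: weights.get(a, 0.0))
    nxt = TRANSITIONS.get(current, {})
    return current, (max(nxt, key=nxt.get) if nxt else None)


def find_policy(attack):
    """S4: graph search from the predicted behavior, or the pattern it belongs to,
    along reverse copes_with edges to a honeynet policy entity."""
    targets = {attack} | {t for h, r, t in KG if h == attack and r == "belongs_to"}
    return next((h for h, r, t in KG if r == "copes_with" and t in targets), None)


def apply_configuration(honeynet, policy):
    """Embodiment 2: merge the policy's node/topology/rule parts into the honeynet state."""
    c = POLICY_CONTENT[policy]
    return {"node": {**honeynet["node"], **c["node"]},
            "topology": {**honeynet["topology"], **c["topology"]},
            "rule": honeynet["rule"] + c["rule"]}


def run(events, honeynet):
    """Whole pipeline: events -> entities -> weights -> prediction -> policy -> state."""
    current, predicted = predict_next_attack(threat_weights(extract_entities(events)))
    policy = find_policy(predicted) if predicted else None
    return current, predicted, policy, (apply_configuration(honeynet, policy) if policy else honeynet)


# Constructed sensor events from the service network and the honeynet.
EVENTS = [
    {"sensor": "ids", "host": "web01", "signature": "web_rce", "score": 0.9},
    {"sensor": "ids", "host": "web01", "signature": "port_scan", "score": 0.2},
    {"sensor": "vulnscan", "host": "db01", "vuln": "vuln_B", "score": 0.5},
    {"sensor": "honeypot", "host": "hp02", "signature": "ssh_bruteforce", "score": 0.3},
]
EMPTY_HONEYNET = {"node": {}, "topology": {}, "rule": []}

if __name__ == "__main__":
    print(run(EVENTS, EMPTY_HONEYNET))
```

With these inputs the heaviest attack behavior is the observed web_rce, the transition table predicts lateral_db as the next step, the graph search returns policy_decoy_db because it copes with that behavior directly, and the honeynet state gains a decoy MySQL honeypot in the core_net segment plus the access rule that lets the expected traffic reach it. The feedback step of the preferred embodiment would take the resulting honeynet data and use it to correct the knowledge graph and transition table for the next iteration.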
Example 3
This embodiment provides a computer-readable storage medium storing a computer program which, when loaded by a processor, implements the honeynet dynamic configuration strategy generation method described in embodiment 1.
Example 4
This embodiment provides a computer-readable storage medium storing a computer program which, when loaded by a processor, implements the honeynet dynamic configuration method described in embodiment 2.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It is to be understood that the same or similar parts in the above embodiments may be referred to each other, and that in some embodiments, the same or similar parts in other embodiments may be referred to.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and further implementations are included within the scope of the preferred embodiment of the present application in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present application.
According to the technical scheme, situation information in the service network and the honeynet can be acquired in real time; the acquired multi-dimensional network situation information is subjected to association analysis and feature extraction based on the constructed security knowledge graph, and the extracted features guide the dynamic configuration of the honeynet's properties, such as its topology, the types and versions of the application services deployed in it, and the operating system versions of its nodes, so that the intelligence and camouflage capability of the honeynet are improved. Based on the features extracted through the knowledge graph, different inducement strategies can be adopted for different types of network attack, which improves the flexibility of the dynamic honeynet and its ability to actively trap an attacker: the honeynet is harder for the attacker to detect, while the attacker can be continuously induced into deeper attack, thereby delaying, luring, tracing and gathering evidence on the attacker and protecting the real target system from attack.
While embodiments of the present application have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the application, and that variations, modifications, alternatives and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the application.

Claims (7)

1. A method for generating a honeynet dynamic configuration strategy, characterized by comprising the following steps:
constructing a security knowledge graph containing honeynet dynamic configuration strategies;
acquiring state and event information in a service network and a honeynet;
perceiving a security situation and predicting the next attack behavior based on the security knowledge graph and the acquired state and event information;
obtaining a honeynet dynamic configuration strategy based on the security knowledge graph and the predicted next attack behavior;
wherein constructing the security knowledge graph containing honeynet dynamic configuration strategies comprises the following steps:
extracting network security data to construct a knowledge graph database;
constructing, based on the knowledge graph database, a knowledge graph structure model containing six types of entities and the relations among them, and establishing the security knowledge graph; the six types of entities comprise nodes, network systems, vulnerabilities, attack behaviors, attack patterns and honeynet strategies;
wherein perceiving the security situation and predicting the next attack behavior based on the security knowledge graph and the acquired state and event information specifically comprises the following steps:
extracting, based on the security knowledge graph, entity information identified in the security knowledge graph from the acquired state and event information;
extracting a graph model representing situation information based on the extracted entity information and the structure of the security knowledge graph;
mapping the extracted graph models of different dimensions into the same vector space by a graph embedding algorithm, and evaluating the overall threat to perceive the security situation;
finding the real threat behavior in the network based on the graph model with the greatest contribution to the overall situation, and predicting the next attack behavior by Bayesian analysis of transition probabilities in combination with the security knowledge graph;
and wherein obtaining the honeynet dynamic configuration strategy based on the security knowledge graph and the predicted next attack behavior specifically comprises the following steps:
finding, by a graph search algorithm, a honeynet strategy entity that copes with the next attack behavior, based on the security knowledge graph and the predicted next attack behavior;
obtaining the honeynet dynamic configuration strategy based on the honeynet strategy entity found.
2. The method for generating a honeynet dynamic configuration strategy according to claim 1, characterized in that the honeynet dynamic configuration strategy comprises a node strategy, a topology strategy and a rule strategy;
the node strategy is used for controlling the running state of the application services of each node in the honeynet; the topology strategy is used for controlling which honeypot nodes in the honeynet are online and how they are interconnected; the rule strategy is used for adjusting the access control rules within the honeynet.
3. The method for generating a honeynet dynamic configuration strategy according to claim 1, characterized in that the network security data comprises external security knowledge, service network data and honeynet basic data;
vulnerability information is extracted based on the external security knowledge; node information and attack log information are extracted based on the service network data and the honeynet basic data.
4. The method for generating a honeynet dynamic configuration strategy according to claim 1, characterized in that the relations among the six types of entities comprise: a node forms a network system, a vulnerability is located in a node, an attack behavior targets a network system, an attack behavior exploits a vulnerability, an attack behavior belongs to an attack pattern, a honeynet strategy copes with an attack behavior, a honeynet strategy copes with an attack pattern, a honeynet strategy is delivered to a node, and a honeynet strategy is delivered to a network system.
5. A honeynet dynamic configuration method, characterized by comprising the following steps:
generating a honeynet dynamic configuration strategy by the method for generating a honeynet dynamic configuration strategy according to any one of claims 1 to 4;
dynamically configuring the honeynet and the attributes of each honeypot node in the honeynet according to the generated honeynet dynamic configuration strategy.
6. The honeynet dynamic configuration method according to claim 5, further comprising:
acquiring the honeynet data after dynamic configuration, feeding the data back to the security knowledge graph, and iteratively correcting the security knowledge graph.
7. A computer-readable storage medium storing a computer program which, when loaded by a processor, implements the method according to any one of claims 1 to 6.
CN202111633998.5A 2021-12-29 2021-12-29 Honey net dynamic configuration strategy generation method, configuration method and storage medium Active CN114499982B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111633998.5A CN114499982B (en) 2021-12-29 2021-12-29 Honey net dynamic configuration strategy generation method, configuration method and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111633998.5A CN114499982B (en) 2021-12-29 2021-12-29 Honey net dynamic configuration strategy generation method, configuration method and storage medium

Publications (2)

Publication Number Publication Date
CN114499982A CN114499982A (en) 2022-05-13
CN114499982B true CN114499982B (en) 2023-10-17

Family

ID=81496523

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111633998.5A Active CN114499982B (en) 2021-12-29 2021-12-29 Honey net dynamic configuration strategy generation method, configuration method and storage medium

Country Status (1)

Country Link
CN (1) CN114499982B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114978731B (en) * 2022-05-30 2023-06-30 北京计算机技术及应用研究所 System and method for realizing honeypot trapping based on diversity expansion
CN115242438B (en) * 2022-06-15 2023-09-01 国家计算机网络与信息安全管理中心 Potential victim group positioning method based on heterogeneous information network
CN117040926B (en) * 2023-10-08 2024-01-26 北京网藤科技有限公司 Industrial control network security feature analysis method and system applying knowledge graph
CN118101332B (en) * 2024-04-22 2024-07-09 广州大学 Self-adaptive honey point deployment method based on attack graph

Citations (4)

Publication number Priority date Publication date Assignee Title
CN112422537A (en) * 2020-11-06 2021-02-26 广州锦行网络科技有限公司 Behavior prediction method of network attack knowledge graph generated based on honeypot actual combat
CN112491892A (en) * 2020-11-27 2021-03-12 杭州安恒信息安全技术有限公司 Network attack inducing method, device, equipment and medium
CN113691550A (en) * 2021-08-27 2021-11-23 西北工业大学 Behavior prediction system of network attack knowledge graph
CN113783896A (en) * 2021-11-10 2021-12-10 北京金睛云华科技有限公司 Network attack path tracking method and device

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US20060101516A1 (en) * 2004-10-12 2006-05-11 Sushanthan Sudaharan Honeynet farms as an early warning system for production networks

Non-Patent Citations (1)

Title
Research on network deception defense methods for multi-stage penetration attacks; Wang Shuo; China Doctoral Dissertations Full-text Database, Information Science and Technology; full text *

Also Published As

Publication number Publication date
CN114499982A (en) 2022-05-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant