CN114500086A - Honeypot security state determination method, electronic device and computer-readable storage medium - Google Patents


Info

Publication number
CN114500086A
Authority
CN
China
Prior art keywords
honeypot
protocol
attacked
determining
connection
Prior art date
Legal status
Granted
Application number
CN202210159871.2A
Other languages
Chinese (zh)
Other versions
CN114500086B (en)
Inventor
李峰
孙晓鹏
王绍密
和希文
时伟强
赵田雨
林晔
陈英涛
Current Assignee
Shandong Yuntian Safety Technology Co ltd
Original Assignee
Shandong Yuntian Safety Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/163 In-band adaptation of TCP data exchange; In-band control procedures

Abstract

The invention provides a honeypot security state determination method, an electronic device and a computer-readable storage medium. The method comprises: in response to the honeypot actively sending an initial signal outwards, judging whether the connection protocol to which the initial signal belongs is TCP (transmission control protocol); if the initial signal is the first-packet SYN message of the three-way handshake that precedes TCP connection establishment, determining that the connection protocol is TCP and determining whether the honeypot is in the compromised (attacked) state by the detection mode corresponding to TCP; otherwise, determining that the connection protocol is a non-TCP protocol and determining that the honeypot is in the compromised state when it meets the specified compromise condition. With this technical scheme, the security state of the honeypot can be determined accurately and effectively for each connection protocol separately, the risk of a wrong judgment caused by a single judgment mode is avoided, and the reliability and accuracy of honeypot security state judgment are effectively improved.

Description

Honeypot security state determination method, electronic device and computer-readable storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a honeypot security state determination method, an electronic device, and a computer-readable storage medium.
Background
At present, in the field of network security, the security of a real system is protected by deploying honeypots. A honeypot may be a host, a network service or a piece of information used as bait; it attracts an attacker to attack it so that the attack behaviour can be captured and analysed, and the protection of the real system is strengthened on that basis. In the related art, the honeypot is usually treated as a device that only responds passively: as soon as the honeypot takes any active action it is judged to have been compromised, and subsequent protective measures are triggered.
However, the honeypot itself may need to perform some necessary interactions with the outside, not every outbound communication is generated after a compromise, and some outbound traffic is a response to data received from the outside. The existing honeypot security state determination method does not take these possibilities into account, so its result is likely to be wrong.
Therefore, how to judge the security state of a honeypot accurately and reliably is a technical problem that urgently needs to be solved.
Disclosure of Invention
The embodiments of the invention provide a honeypot security state determination method, an electronic device and a computer-readable storage medium, aiming to solve the technical problem that the method of judging the honeypot security state in the related art lacks accuracy.
In a first aspect, an embodiment of the invention provides a honeypot security state determination method, comprising: in response to the honeypot actively sending an initial signal outwards, judging whether the connection protocol to which the initial signal belongs is TCP; if the initial signal is the first-packet SYN message of the three-way handshake that precedes TCP connection establishment, determining that the connection protocol is TCP and determining whether the honeypot is in the compromised state by the detection mode corresponding to TCP; otherwise, determining that the connection protocol is a non-TCP protocol and determining that the honeypot is in the compromised state when it meets the specified compromise condition.
In an embodiment, optionally, determining whether the honeypot is in the compromised state by the detection mode corresponding to TCP comprises: if a long-connection heartbeat packet corresponding to the TCP connection is detected, and/or if the duration of the TCP long connection exceeds a specified duration threshold, determining that the honeypot is in the compromised state.
In an embodiment, optionally, when the connection protocol to which the initial signal belongs is a non-TCP protocol, before determining that the honeypot is compromised when it meets the specified compromise condition, the method further comprises: selecting the corresponding specified compromise condition according to the protocol type of the non-TCP protocol.
In an embodiment, optionally, determining that the honeypot is in the compromised state when it meets the specified compromise condition comprises: if the honeypot is detected communicating over an abnormal port outside the white list of locally opened ports, determining that the honeypot is in the compromised state.
In an embodiment, optionally, determining that the honeypot is in the compromised state when it meets the specified compromise condition comprises: in response to the honeypot actively sending the initial signal outwards, detecting whether the honeypot has a long-term communication connection, and determining that the honeypot is in the compromised state when such a connection is detected; the honeypot is deemed to have a long-term communication connection if it has initiated a service towards an external object and the heartbeat packets of the connection used by that service meet the long-term communication connection condition.
In an embodiment, optionally, determining that the honeypot is in the compromised state when it meets the specified compromise condition comprises: determining the credibility of the honeypot from the connection protocol to which the initial signal belongs, the number of long-term communication connection heartbeats of the honeypot in a first specified time interval and the frequency of long-term communication connection heartbeats of the honeypot in a second specified time interval; and determining that the honeypot is in the compromised state when its credibility is lower than the specified credibility.
In an embodiment, optionally, determining that the honeypot is in the compromised state when it meets the specified compromise condition comprises: determining the credibility of the honeypot from the connection protocol to which the initial signal belongs, the cumulative outgoing traffic of the honeypot in a first specified time interval and the cumulative number of outgoing packets of the honeypot in a second specified time interval; and determining that the honeypot is in the compromised state when its credibility is lower than the specified credibility.
In an embodiment, optionally, the credibility is calculated as follows: a protocol parameter corresponding to the connection protocol to which the initial signal belongs is obtained; the cumulative outgoing traffic of the honeypot in the first specified time interval is corrected to obtain a first value $d$, where
$$d = (1 - x)\,d_1 + x\,|d_2 - d_1|,$$
$x$ is a first correction coefficient, namely the ratio of the cumulative number of outgoing packets to the cumulative outgoing traffic of the honeypot in the first specified time interval, $d_1$ is the cumulative outgoing traffic of the honeypot in the first specified time interval and $d_2$ is the rated outgoing traffic of the honeypot in the first specified time interval; the cumulative number of outgoing packets of the honeypot in the second specified time interval is corrected to obtain a second value $p$, where
$$p = (1 - y)\,p_1 + y\,|p_2 - p_1|,$$
$y$ is a second correction coefficient, namely the ratio of the cumulative number of outgoing packets to the cumulative outgoing traffic of the honeypot in the second specified time interval, $p_1$ is the cumulative number of outgoing packets of the honeypot in the second specified time interval and $p_2$ is the rated number of outgoing packets of the honeypot in the second specified time interval; and after the protocol parameter, the first value and the second value are normalized, they are weighted and summed to obtain the credibility of the honeypot.
In a second aspect, an embodiment of the invention provides an electronic device comprising: at least one processor; and a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor and the instructions are arranged to perform the method of any embodiment of the first aspect.
In a third aspect, an embodiment of the invention provides a computer-readable storage medium storing computer-executable instructions for executing the method of any embodiment of the first aspect.
With this technical scheme, in view of the problem that the method of judging the honeypot security state in the related art lacks accuracy, the security state of the honeypot can be determined accurately and effectively for each connection protocol separately, the risk of a wrong judgment caused by a single judgment mode is avoided, and the reliability and accuracy of honeypot security state judgment are effectively improved.
Drawings
In order to illustrate the technical solutions of the embodiments more clearly, the drawings needed for the embodiments are briefly described below. The drawings described here show only some embodiments of the invention; a person skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 shows a flowchart of a honeypot security state determination method according to an embodiment of the present invention.
FIG. 2 shows a flow diagram of a manner of determining honeypot trustworthiness in accordance with one embodiment of the present invention.
Detailed Description
For better understanding of the technical solutions of the present invention, the following detailed descriptions of the embodiments of the present invention are provided with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
Example one
Fig. 1 shows a flowchart of a honeypot security state determination method according to an embodiment of the present invention.
As shown in Fig. 1, a honeypot security state determination method according to an embodiment of the invention comprises:
Step 102: in response to an initial signal actively sent outwards by the honeypot, judge whether the connection protocol to which the initial signal belongs is TCP. If the initial signal is the first-packet SYN (synchronize) message of the three-way handshake that precedes TCP connection establishment, the connection protocol is determined to be TCP and the method proceeds to step 104; if the connection protocol is a non-TCP protocol, the method proceeds to step 106.
Step 104: determine whether the honeypot is in the compromised state by the detection mode corresponding to TCP.
The handshake signal used when TCP establishes a connection is the synchronize sequence number (SYN). When two parties establish a normal TCP connection, the initiating party first sends a SYN message, namely the first SYN message of the three-way handshake that precedes connection establishment; the peer answers with SYN+ACK to indicate that the message was received; and finally the initiating party replies with an ACK message, after which a reliable TCP connection exists between the two. Protocols carried over TCP include, but are not limited to, HTTP, Telnet, IMAP, FTP and SSH.
On this principle, in one possible design, when the honeypot communicates with an external object over TCP and the initial signal it sends outwards is a SYN, the honeypot is sending packets outwards entirely on its own initiative rather than responding reasonably to data received from outside. Therefore, if the initial signal actively sent by the honeypot is a SYN, the connection protocol to which it belongs is TCP, the active packet sending is attributed to a compromise and the honeypot is determined to be in the compromised state.
In another possible design, the honeypot's active packet sending is only taken as possibly caused by a compromise, and whether the honeypot is in the compromised state is further determined by the detection mode corresponding to TCP; this technical solution is described in detail in Example three below.
Step 106: determine that the honeypot is in the compromised state when it meets the specified compromise condition.
If the connection protocol to which the initial signal belongs is a non-TCP protocol, it may be UDP, ICMP, IGMP, GRE or any of various other protocols.
In an embodiment, optionally, when the connection protocol to which the initial signal belongs is a non-TCP protocol, before determining that the honeypot is compromised when it meets the specified compromise condition, the method further comprises: selecting the corresponding specified compromise condition according to the protocol type of the non-TCP protocol.
In other words, because each protocol has its own characteristics, the specified compromise condition differs from protocol to protocol. After the connection protocol to which the initial signal belongs has been judged to be a non-TCP protocol, the specified compromise condition corresponding to that protocol can therefore be selected by its protocol type, and whether the honeypot is in the compromised state under that protocol can be verified.
With this technical scheme, the security state of the honeypot can be determined accurately and effectively for each connection protocol separately, the risk of a wrong judgment caused by a single judgment mode is avoided, and the reliability and accuracy of honeypot security state judgment are effectively improved.
The specified compromise conditions that may apply to the various non-TCP protocols are set out below by way of several embodiments.
Example two
For TCP, determining whether the honeypot is in the compromised state by the detection mode corresponding to TCP comprises: if a long-connection heartbeat packet corresponding to the TCP connection is detected, and/or if the duration of the TCP long connection exceeds a specified duration threshold, determining that the honeypot is in the compromised state.
When the honeypot establishes a long connection with an external object over TCP, the honeypot and the external object indicate that the long connection still exists by sending heartbeat packets. Once a long-connection heartbeat packet is detected, therefore, the honeypot and the external object have established a long connection for communication, the honeypot is exposed to the risk of leaking data to the external object, and it can be determined to be in the compromised state.
Example three
If the honeypot is detected communicating over an abnormal port outside the white list of locally opened ports, the honeypot is determined to be in the compromised state.
Specifically, for any type of non-TCP protocol, a white list of open ports can be configured locally, and the ports in the white list are regarded as legitimate communication ports. If the honeypot, communicating over a non-TCP protocol, uses an abnormal port outside the port white list, the communication is not safe, legitimate behaviour, so the honeypot's active packet sending is a risk behaviour and the honeypot can be determined to be in the compromised state.
Example four
In one possible design, in response to the honeypot actively sending the initial signal outwards, whether the honeypot has a long-term communication connection is detected; when a long-term communication connection is detected, the honeypot is determined to be in the compromised state.
When the honeypot communicates over a non-TCP protocol, actively sending an initial signal outwards may still be normal interaction; but if the honeypot initiates a service towards an external object and then establishes a long-term communication connection, the honeypot has very likely been compromised by that object and is continuously sending its data to it. The security state of the honeypot can therefore be detected by detecting whether it has a long-term communication connection.
Specifically, after two communicating parties establish a long-term connection, they usually indicate that the connection persists by transmitting heartbeat packets; so if the honeypot initiates a service towards an external object and keeps a long-term connection with it, the honeypot necessarily keeps a heartbeat exchange with that object.
On this basis, in one possible design, the long-term communication connection condition may simply be that a long-term connection with the external object exists: as long as there is a long-term communication connection between the honeypot and the external object, the honeypot risks leaking data to it, and it is determined to be in the compromised state.
In another possible design, the long-term communication connection condition may be that the honeypot periodically sends heartbeat packets outwards; if the honeypot periodically exchanges heartbeat packets with the external object, a stable long-term communication connection exists between them.
If the honeypot initiates a service towards an external object and the heartbeat packets of the connection used by that service meet the long-term communication connection condition, the honeypot is determined to have a long-term communication connection. Both designs can effectively detect the security state of the honeypot under non-TCP protocols and effectively improve the reliability and accuracy of honeypot security state judgment.
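As an added illustration (not code from the patent or its assignee), the following Python routes one honeypot-originated initial signal through steps 102 to 106 and applies the conditions of Examples two to four; the record fields, the port white list, the duration threshold and the protocol names are assumed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class OutboundSignal:
    """One initial signal actively sent outwards by the honeypot, plus what the
    monitor later observed about the connection it opened (constructed fields)."""
    protocol: str                     # "tcp", "udp", "icmp", "igmp", "gre", ...
    tcp_flags: str = ""               # "S" for the bare SYN that opens a handshake
    src_port: Optional[int] = None    # local port used; None for portless protocols
    heartbeat_seen: bool = False      # periodic keep-alive packets observed on it
    duration_s: float = 0.0           # how long the connection has stayed up
    initiated_service: bool = False   # honeypot initiated a service towards the peer


# Example three: white list of locally opened ports, kept per protocol type
# (assumed sample values; ICMP has no ports, so it has no list here).
OPEN_PORT_WHITELIST = {
    "udp": {53, 123},
}

# Example two: the "specified time length threshold" for a TCP long connection (assumed).
LONG_CONNECTION_THRESHOLD_S = 300.0


def is_tcp_initial_signal(sig: OutboundSignal) -> bool:
    """Step 102: the protocol counts as TCP only when the initial signal is the
    first-packet SYN of the three-way handshake; anything else takes the non-TCP path."""
    return sig.protocol == "tcp" and sig.tcp_flags == "S"


def tcp_compromised(sig: OutboundSignal) -> bool:
    """Step 104 / Example two: a long-connection heartbeat was detected, and/or
    the long connection has lasted longer than the threshold."""
    return sig.heartbeat_seen or sig.duration_s > LONG_CONNECTION_THRESHOLD_S


def non_tcp_compromised(sig: OutboundSignal) -> bool:
    """Step 106: select the specified condition by protocol type and apply it.
    Example three: communication over a port outside the local open-port white list.
    Example four: the honeypot initiated a service and keeps a heartbeat with the peer."""
    whitelist = OPEN_PORT_WHITELIST.get(sig.protocol)
    if whitelist is not None and sig.src_port is not None and sig.src_port not in whitelist:
        return True
    return sig.initiated_service and sig.heartbeat_seen


def honeypot_state(sig: OutboundSignal) -> str:
    """Return "compromised" or "normal" for one honeypot-originated initial signal."""
    if is_tcp_initial_signal(sig):
        compromised = tcp_compromised(sig)
    else:
        compromised = non_tcp_compromised(sig)
    return "compromised" if compromised else "normal"


if __name__ == "__main__":
    # Constructed sample signals, one per branch of the flow.
    samples = [
        OutboundSignal("tcp", tcp_flags="S", heartbeat_seen=True),
        OutboundSignal("tcp", tcp_flags="S", duration_s=12.0),
        OutboundSignal("udp", src_port=4444),
        OutboundSignal("icmp", initiated_service=True, heartbeat_seen=True),
    ]
    for s in samples:
        print(s.protocol, s.tcp_flags or "-", honeypot_state(s))
```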
Example five
When the honeypot communicates over a non-TCP protocol, actively sending an initial signal outwards may still be normal interaction; but if the honeypot keeps a long-term communication connection with the external object after initiating a service, it has very likely been compromised by that object and is continuously sending its own data to it. That is, communicating with the external object and exchanging heartbeat packets with it is a risk behaviour, and the parameters of the heartbeat packets can serve as the risk assessment conditions for that behaviour.
Specifically, the credibility of the honeypot can be calculated from the connection protocol to which the initial signal belongs, the number of long-term communication connection heartbeats of the honeypot in a first specified time interval and the frequency of long-term communication connection heartbeats of the honeypot in a second specified time interval, and the credibility is used as the criterion for whether the honeypot is in the compromised state.
The specific calculation may optionally be: the number of long-term communication connection heartbeats in the first specified time interval and the frequency of long-term communication connection heartbeats in the second specified time interval are weighted and averaged to obtain the credibility.
It should be noted that in any of the above embodiments, the heartbeat between the honeypot and the external object must be reliably identified before any step that involves it, and the heartbeat-related step of each embodiment is executed after the heartbeat has been identified.
Specifically, the lengths of the packets exchanged between the honeypot and the external object can be inspected, and packets of the specified length are identified as possible heartbeat packets; the send times of these candidates are then obtained and compared, and if their send times are periodically distributed, the candidates are the heartbeat packets transmitted regularly between the honeypot and the external object. In this way the heartbeat in the communication between the honeypot and the external object can be identified quickly and effectively, providing a reliable basis for determining the security state of the honeypot.
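The heartbeat identification just described, together with the two heartbeat statistics that Example five feeds into its credibility, as an added Python example that is not part of the patent; the packet samples, the 48-byte candidate length and the jitter criterion used to judge periodicity are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample: outbound packets from the honeypot to one external peer,
# as (send time in seconds, packet length in bytes). The 48-byte packets recur
# roughly every 10 s among ordinary data packets.
PERIODIC_SAMPLE = [
    (0.0, 512), (3.5, 900), (10.0, 48), (10.7, 1200), (20.0, 48),
    (30.1, 48), (39.9, 48), (41.0, 300), (50.0, 48), (60.0, 48),
]
# Same candidate length, but the 48-byte packets arrive in a burst, not periodically.
BURSTY_SAMPLE = [
    (0.0, 512), (1.0, 48), (1.3, 48), (1.4, 48), (20.0, 48), (60.0, 48),
]

HEARTBEAT_LENGTHS = {48}   # assumed "specified length" that marks a heartbeat candidate
MAX_JITTER = 0.05          # assumed: relative spread of inter-packet gaps still counted as periodic


def identify_heartbeats(packets, lengths=HEARTBEAT_LENGTHS, max_jitter=MAX_JITTER):
    """Return the send times of the packets identified as heartbeats, or [] if none.

    Following the description, packets of the specified length are only
    *candidate* heartbeats; they are confirmed when their send times are
    periodically distributed. Periodicity is judged here by the relative spread
    of the gaps between consecutive candidates (std/mean), an assumed criterion.
    """
    candidates = sorted(t for t, length in packets if length in lengths)
    if len(candidates) < 3:          # fewer than two gaps cannot show a period
        return []
    gaps = [later - earlier for earlier, later in zip(candidates, candidates[1:])]
    avg = mean(gaps)
    if avg <= 0 or pstdev(gaps) / avg > max_jitter:
        return []
    return candidates


def heartbeat_count(times, start, end):
    """Number of heartbeats in [start, end): the first statistic of Example five."""
    return sum(1 for t in times if start <= t < end)


def heartbeat_frequency(times, start, end):
    """Heartbeats per second over [start, end): the second statistic of Example five."""
    if end <= start:
        raise ValueError("interval must have positive length")
    return heartbeat_count(times, start, end) / (end - start)


if __name__ == "__main__":
    hb = identify_heartbeats(PERIODIC_SAMPLE)
    print("heartbeats:", hb)
    print("count in first interval [0, 35):", heartbeat_count(hb, 0.0, 35.0))
    print("frequency in second interval [0, 60):", heartbeat_frequency(hb, 0.0, 60.0))
    print("bursty sample heartbeats:", identify_heartbeats(BURSTY_SAMPLE))
```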
Example six
As shown in Fig. 2, the way of determining the credibility of the honeypot according to another embodiment of the invention specifically comprises:
Step 202: obtain the protocol parameter corresponding to the connection protocol to which the initial signal belongs.
When the connection protocol to which the initial signal belongs is a non-TCP protocol, there are many such protocols, so in order to calculate the honeypot credibility accurately a protocol parameter can be configured for each non-TCP protocol on the basis of its communication mode, communication parameters and the like; the protocol parameter is a characteristic value of that non-TCP protocol and is used to calculate the honeypot credibility.
Step 204: correct the cumulative outgoing traffic of the honeypot in the first specified time interval to obtain a first value $d$, where
$$d = (1 - x)\,d_1 + x\,|d_2 - d_1|,$$
$x$ is a first correction coefficient, namely the ratio of the cumulative number of outgoing packets to the cumulative outgoing traffic of the honeypot in the first specified time interval, $d_1$ is the cumulative outgoing traffic of the honeypot in the first specified time interval and $d_2$ is the rated outgoing traffic of the honeypot in the first specified time interval.
For each non-TCP protocol, a rated outgoing traffic value for the first specified time interval is configured; it is the average outgoing traffic of that protocol over a number of historical first specified time intervals. Because the cumulative outgoing traffic of the honeypot in a single first specified time interval is unstable, when the honeypot security state is judged from it the cumulative value can be corrected by the rated value, which reduces the influence of single-interval fluctuations in outgoing traffic and improves the reliability of the judgment.
In addition, the larger the ratio of the cumulative number of outgoing packets to the cumulative outgoing traffic of the honeypot in the first specified time interval, the less data the outgoing content carries per unit time and the smaller the proportion of useful information leaked; the ratio is thus inversely related to how unsafe the honeypot's outgoing data is, and using it as the correction coefficient lets that degree of unsafety be reflected in the corrected result, which helps improve the reliability of the judgment.
Step 206: correct the cumulative number of outgoing packets of the honeypot in the second specified time interval to obtain a second value $p$, where
$$p = (1 - y)\,p_1 + y\,|p_2 - p_1|,$$
$y$ is a second correction coefficient, namely the ratio of the cumulative number of outgoing packets to the cumulative outgoing traffic of the honeypot in the second specified time interval, $p_1$ is the cumulative number of outgoing packets of the honeypot in the second specified time interval and $p_2$ is the rated number of outgoing packets of the honeypot in the second specified time interval.
For each non-TCP protocol, a rated number of outgoing packets for the second specified time interval is configured; it is the average number of outgoing packets of that protocol over a number of historical second specified time intervals.
Because the cumulative number of outgoing packets of the honeypot in a single second specified time interval is unstable, when the honeypot security state is judged from it the cumulative number can be corrected by the rated number, which reduces the influence of single-interval fluctuations in outgoing traffic and improves the reliability of the judgment.
In addition, the larger the ratio of the cumulative number of outgoing packets to the cumulative outgoing traffic of the honeypot in the second specified time interval, the less data the outgoing content carries per unit time and the smaller the proportion of useful information leaked; the ratio is thus inversely related to how unsafe the honeypot's outgoing data is, and using it as the correction coefficient lets that degree of unsafety be reflected in the corrected result, which helps improve the reliability of the judgment.
Step 208: normalize the protocol parameter, the first value and the second value, then weight and sum them to obtain the credibility of the honeypot.
Step 210: when the credibility of the honeypot is lower than the specified credibility, determine that the honeypot is in the compromised state.
The normalization scales the protocol parameter, the first value and the second value into the same magnitude range, which makes weighting the three more reasonable. Finally, the normalized protocol parameter, first value and second value are weighted and summed to obtain the credibility of the honeypot. For each non-TCP protocol, the corresponding protocol parameter weight, first value weight and second value weight can be configured on the basis of the protocol's actual communication mode, communication parameters and the like.
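Steps 202 to 210 carried through in Python as an added example (not the patent's own implementation). The per-protocol profile values, the normalization function and the credibility threshold are assumptions, since the description fixes only the two correction formulas and the weighted sum.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtocolProfile:
    """Constants the description says are configured per non-TCP protocol.
    All values used below are constructed for illustration."""
    name: str
    protocol_param: float   # step 202: characteristic value of the protocol, assumed in [0, 1]
    d2: float               # rated outgoing traffic (bytes) over the first interval
    p2: float               # rated outgoing packet count over the second interval
    w_proto: float          # step 208 weights (assumed to sum to 1)
    w_d: float
    w_p: float


@dataclass(frozen=True)
class Observation:
    """Outgoing counters collected from the honeypot (constructed sample input)."""
    d1: float   # cumulative outgoing bytes in the first interval
    n1: float   # cumulative outgoing packets in the first interval
    p1: float   # cumulative outgoing packets in the second interval
    v1: float   # cumulative outgoing bytes in the second interval


UDP_PROFILE = ProtocolProfile("udp", 0.6, 8000.0, 15.0, 0.2, 0.4, 0.4)
SPECIFIED_CREDIBILITY = 0.5   # assumed threshold for step 210


def corrected_traffic(d1, n1, d2):
    """Step 204: d = (1 - x) * d1 + x * |d2 - d1|, with x = n1 / d1 (packets per byte)."""
    if d1 <= 0:
        raise ValueError("no outgoing traffic in the first interval")
    x = n1 / d1
    return (1 - x) * d1 + x * abs(d2 - d1)


def corrected_packets(p1, v1, p2):
    """Step 206: p = (1 - y) * p1 + y * |p2 - p1|, with y = p1 / v1 (packets per byte)."""
    if v1 <= 0:
        raise ValueError("no outgoing traffic in the second interval")
    y = p1 / v1
    return (1 - y) * p1 + y * abs(p2 - p1)


def normalize(value, rated):
    """Assumed normalization for step 208: rated / (rated + value) maps a value at
    its rated level to 0.5 and larger outgoing activity toward 0, so every term
    lies in (0, 1] and outgoing activity above the rating lowers the sum."""
    if rated <= 0 or value < 0:
        raise ValueError("rated value must be positive and value non-negative")
    return rated / (rated + value)


def credibility(obs, prof):
    """Step 208: weighted sum of the normalized protocol parameter, d and p."""
    d = corrected_traffic(obs.d1, obs.n1, prof.d2)
    p = corrected_packets(obs.p1, obs.v1, prof.p2)
    n_proto = min(max(prof.protocol_param, 0.0), 1.0)
    return (prof.w_proto * n_proto
            + prof.w_d * normalize(d, prof.d2)
            + prof.w_p * normalize(p, prof.p2))


def credibility_state(obs, prof, threshold=SPECIFIED_CREDIBILITY):
    """Step 210: below the specified credibility the honeypot is judged compromised."""
    return "compromised" if credibility(obs, prof) < threshold else "normal"


if __name__ == "__main__":
    # Constructed counters: one interval pair well above the rating, one at the rating.
    heavy = Observation(d1=20000.0, n1=40.0, p1=40.0, v1=20000.0)
    usual = Observation(d1=8000.0, n1=16.0, p1=16.0, v1=8000.0)
    for name, obs in (("heavy", heavy), ("usual", usual)):
        print(name, round(credibility(obs, UDP_PROFILE), 4), credibility_state(obs, UDP_PROFILE))
```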
It should be added that, for a non-TCP protocol, each of the specified attacked conditions described above in the embodiments of the present application can be used on its own to quickly determine the security state of the honeypot.
Alternatively, two or more of the specified attacked conditions described in the embodiments of the present application can be used in combination, so that the security state of the honeypot is determined more comprehensively and accurately, improving the reliability and accuracy of the honeypot security state determination.
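The credibility calculation of steps 208 and 210, as an added example in Python that is not code from the patent. The correction formulas are the ones given in claim 8; the protocol parameter table, the per-protocol weights, the inverted min-max normalization and the credibility threshold are assumptions made for illustration.

```python
"""Honeypot credibility (steps 208/210) using the claim 8 corrections.

Added example, not the patent's code. The correction formulas follow
claim 8; PROTOCOL_PROFILES, the weights, the inverted min-max
normalisation and the threshold are assumptions for illustration.
"""
from dataclasses import dataclass

# Assumed per-protocol tuning: protocol parameter (treated as a risk
# figure in [0, 1]), weights for (protocol parameter, first value d,
# second value p), and reference maxima used to normalise each term.
PROTOCOL_PROFILES = {
    "udp":  {"param": 0.6, "weights": (0.2, 0.4, 0.4), "max": (1.0, 50_000.0, 500.0)},
    "icmp": {"param": 0.3, "weights": (0.3, 0.3, 0.4), "max": (1.0, 10_000.0, 200.0)},
}


@dataclass
class Window:
    """Outbound totals of the honeypot in one designated time interval."""
    bytes_out: float    # outgoing flow accumulated value
    packets_out: float  # outgoing packet accumulated quantity
    rated: float        # rated value of the metric corrected in this window


def check_coefficient(w: Window) -> float:
    """Ratio of accumulated outgoing packets to accumulated outgoing flow."""
    return w.packets_out / w.bytes_out if w.bytes_out else 0.0


def corrected_value(measured: float, rated: float, coeff: float) -> float:
    """Claim 8 correction: v = (1 - r) * v1 + r * |v2 - v1|."""
    return (1.0 - coeff) * measured + coeff * abs(rated - measured)


def normalise(value: float, upper: float) -> float:
    """Assumed normalisation: clamp value/upper to [0, 1] and invert, so
    heavier outbound activity contributes less credibility."""
    return 1.0 - min(max(value / upper, 0.0), 1.0)


def credibility(protocol: str, first: Window, second: Window) -> float:
    """Weighted sum of the normalised protocol parameter, first value
    (corrected flow, interval 1) and second value (corrected packets, interval 2)."""
    profile = PROTOCOL_PROFILES[protocol]
    x = check_coefficient(first)    # first check coefficient
    y = check_coefficient(second)   # second check coefficient
    d = corrected_value(first.bytes_out, first.rated, x)
    p = corrected_value(second.packets_out, second.rated, y)
    w_param, w_d, w_p = profile["weights"]
    m_param, m_d, m_p = profile["max"]
    return (w_param * normalise(profile["param"], m_param)
            + w_d * normalise(d, m_d)
            + w_p * normalise(p, m_p))


def is_attacked(protocol: str, first: Window, second: Window,
                threshold: float = 0.5) -> bool:
    """Step 210: attacked state when credibility is below the specified credibility."""
    return credibility(protocol, first, second) < threshold
```

With the constructed windows `Window(2_000, 20, 2_000)` and `Window(1_000, 10, 10)` a quiet UDP honeypot scores about 0.856, while `Window(80_000, 800, 2_000)` and `Window(60_000, 600, 10)` drop it to 0.08 and trip the attacked state.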
An electronic device according to an embodiment of the invention includes at least one processor and a memory communicatively coupled to the at least one processor, where the memory stores instructions executable by the at least one processor, the instructions being arranged to perform the scheme of any of the embodiments described above. The electronic device therefore has the same technical effects as those embodiments, which are not described again here.
The electronic device of embodiments of the present invention exists in a variety of forms, including but not limited to:
(1) Mobile communication devices, which are characterized by mobile communication capabilities and primarily provide voice and data communications. Such terminals include smartphones (e.g., iPhones), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices, which belong to the category of personal computers, have computing and processing functions, and generally also have mobile internet access. Such terminals include PDA, MID and UMPC devices, such as iPads.
(3) Portable entertainment devices, which can display and play multimedia content. Such devices include audio and video players (e.g., iPods), handheld game consoles, e-book readers, smart toys and portable car navigation devices.
(4) Servers, which have an architecture similar to that of a general-purpose computer but, because they must provide highly reliable services, have higher requirements for processing capability, stability, reliability, security, scalability and manageability.
(5) Other electronic devices with data interaction functions.
In addition, an embodiment of the present invention provides a computer-readable storage medium, which stores computer-executable instructions for executing the method flow described in any of the above embodiments.
The technical scheme of the invention has been explained in detail with reference to the attached drawings. With this scheme, the security state of the honeypot can be determined accurately and effectively according to the different connection protocols, avoiding the inaccurate judgments that a single judgment mode may produce and effectively improving the reliability and accuracy of the honeypot security state judgment.
It should be understood that the term "and/or" as used herein is merely one type of association that describes an associated object, meaning that three relationships may exist, e.g., a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
It should be understood that although the terms first, second, etc. may be used to describe numerical values in embodiments of the present invention, these numerical values should not be limited by these terms. These terms are only used to distinguish one numerical value from another. For example, a first value may also be referred to as a second value, and similarly, a second value may also be referred to as a first value, without departing from the scope of embodiments of the present invention.
The word "if," as used herein, may be interpreted as "at … …" or "when … …" or "in response to a determination" or "in response to a detection," depending on the context. Similarly, the phrases "if determined" or "if detected (a stated condition or event)" may be interpreted as "when determined" or "in response to a determination" or "when detected (a stated condition or event)" or "in response to a detection (a stated condition or event)", depending on the context.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A honeypot safety state determination method is characterized by comprising the following steps:
in response to the honeypot actively sending an initial signal outwards, judging whether the connection protocol to which the initial signal belongs is the TCP (Transmission Control Protocol) protocol;
if the initial signal is the first SYN packet of the three-way handshake preceding TCP connection establishment, determining that the connection protocol to which the initial signal belongs is the TCP protocol, and determining whether the honeypot is in an attacked state based on the detection mode corresponding to the TCP protocol;
otherwise, determining that the connection protocol to which the initial signal belongs is a non-TCP protocol, and determining that the honeypot is in the attacked state if the honeypot meets a specified attacked condition.
2. The honeypot security state determination method of claim 1, wherein the determining whether the honeypot is in the attacked state based on the detection mode corresponding to the TCP protocol comprises:
and if the long connection heartbeat packet corresponding to the TCP is detected, and/or if the connection time length of the long connection corresponding to the TCP is greater than a specified time length threshold value, determining that the honeypot is in an attacked state.
3. The method according to claim 1, wherein, if the connection protocol to which the initial signal belongs is the non-TCP protocol, before the step of determining that the honeypot is in the attacked state if the honeypot meets the specified attacked condition, the method further comprises:
selecting the corresponding specified attacked condition according to the protocol type of the non-TCP protocol.
4. The honeypot safety state determination method according to claim 1 or 3, wherein the step of determining that the honeypot is in the attacked state in case that the honeypot meets the specified attacked condition comprises:
and if the honeypot is detected to communicate by using the abnormal port outside the white list of the local open port, determining that the honeypot is in the attacked state.
5. The honeypot safety state determination method according to claim 1 or 3, wherein the step of determining that the honeypot is in the attacked state in case that the honeypot meets the specified attacked condition comprises:
in response to the honeypot actively sending the initial signal outwards, detecting whether the honeypot has a long-term communication connection;
and when a long-term communication connection is detected, determining that the honeypot is in the attacked state, wherein the honeypot is determined to have a long-term communication connection if it initiates a service towards an external object and the heartbeat packets of the connection used by that service meet the long-term communication connection condition.
6. The honeypot safety state determination method according to claim 1 or 3, wherein the step of determining that the honeypot is in the attacked state in case that the honeypot meets the specified attacked condition comprises:
determining the credibility of the honeypot based on the connection protocol to which the initial signal belongs, the number of long-term communication connection heartbeats of the honeypot in a first specified time interval, and the long-term communication connection heartbeat frequency of the honeypot in a second specified time interval;
and when the credibility of the honeypot is less than the specified credibility, determining that the honeypot is in the attacked state.
7. The honeypot safety state determination method according to claim 1 or 3, wherein the step of determining that the honeypot is in the attacked state in case that the honeypot meets the specified attacked condition comprises:
determining the credibility of the honeypot based on the connection protocol to which the initial signal belongs, the outgoing flow accumulated value of the honeypot in a first specified time interval, and the outgoing packet accumulated quantity of the honeypot in a second specified time interval;
and when the credibility of the honeypot is less than the specified credibility, determining that the honeypot is in the attacked state.
8. The honeypot security state determination method of claim 7, wherein the credibility is calculated as follows:
acquiring the protocol parameter corresponding to the connection protocol to which the initial signal belongs;
correcting the outgoing flow accumulated value of the honeypot in the first specified time interval to obtain the first value, where
d = (1 - x) * d1 + x * |d2 - d1|
d represents the first value, x represents a first check coefficient, which is the ratio of the outgoing packet accumulated quantity to the outgoing flow accumulated value of the honeypot in the first specified time interval, d1 represents the outgoing flow accumulated value of the honeypot in the first specified time interval, and d2 represents the rated outgoing flow value of the honeypot in the first specified time interval;
correcting the outgoing packet accumulated quantity of the honeypot in the second specified time interval to obtain the second value, where
p = (1 - y) * p1 + y * |p2 - p1|
p represents the second value, y represents a second check coefficient, which is the ratio of the outgoing packet accumulated quantity to the outgoing flow accumulated value of the honeypot in the second specified time interval, p1 represents the outgoing packet accumulated quantity of the honeypot in the second specified time interval, and p2 represents the rated outgoing packet number of the honeypot in the second specified time interval;
and after normalizing the protocol parameter, the first value and the second value, computing their weighted sum to obtain the credibility of the honeypot.
9. An electronic device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, the instructions being arranged to perform the method of any of the preceding claims 1 to 8.
10. A computer-readable storage medium having stored thereon computer-executable instructions for performing the method flow of any of claims 1-8.
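The decision flow of claims 1 to 5, as an added example in Python that is not the patent's own code. The OutboundSignal fields, the Policy thresholds and the port whitelist are assumptions; note that per claim 1 only a first SYN counts as TCP, so any other TCP segment falls through to the non-TCP conditions.

```python
"""Outbound-signal dispatch of claims 1 to 5 (added example, not the
patent's code). OutboundSignal, Policy and its thresholds are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class OutboundSignal:
    """Constructed view of the initial signal the honeypot actively sends."""
    protocol: str                       # "tcp", "udp", "icmp", ...
    dst_port: int
    tcp_flags: frozenset = frozenset()  # {"SYN"} for the first handshake packet
    heartbeat_seen: bool = False        # long-connection heartbeat detected
    connection_seconds: float = 0.0     # duration of the long connection
    heartbeats_in_window: int = 0       # heartbeats counted in the window


@dataclass(frozen=True)
class Policy:
    """Assumed tunables for the detection modes."""
    port_whitelist: frozenset = frozenset({53, 123})  # locally opened ports
    max_connection_seconds: float = 600.0             # specified duration threshold
    long_term_heartbeats: int = 3                     # long-term connection condition


def connection_protocol(sig: OutboundSignal) -> str:
    """Claim 1: the initial signal belongs to TCP only when it is the
    first SYN of the three-way handshake; anything else is non-TCP."""
    if sig.protocol == "tcp" and sig.tcp_flags == frozenset({"SYN"}):
        return "tcp"
    return "non-tcp"


def tcp_attacked(sig: OutboundSignal, policy: Policy) -> bool:
    """Claim 2: heartbeat packet seen and/or long connection exceeds threshold."""
    return sig.heartbeat_seen or sig.connection_seconds > policy.max_connection_seconds


def non_tcp_attacked(sig: OutboundSignal, policy: Policy) -> bool:
    """Claims 4 and 5: abnormal port outside the whitelist, or a long-term
    communication connection whose heartbeats meet the condition."""
    abnormal_port = sig.dst_port not in policy.port_whitelist
    long_term = sig.heartbeats_in_window >= policy.long_term_heartbeats
    return abnormal_port or long_term


def honeypot_state(sig: OutboundSignal, policy: Policy = Policy()) -> str:
    """Top-level decision of claim 1: pick the detection mode by protocol."""
    if connection_protocol(sig) == "tcp":
        attacked = tcp_attacked(sig, policy)
    else:
        attacked = non_tcp_attacked(sig, policy)
    return "attacked" if attacked else "normal"
```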

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210159871.2A CN114500086B (en) 2022-02-22 2022-02-22 Honeypot safety state determination method, electronic device and computer-readable storage medium


Publications (2)

Publication Number Publication Date
CN114500086A true CN114500086A (en) 2022-05-13
CN114500086B CN114500086B (en) 2022-11-04

Family

ID=81482525


Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150121529A1 (en) * 2012-09-28 2015-04-30 Juniper Networks, Inc. Dynamic service handling using a honeypot
CN106961414A (en) * 2016-01-12 2017-07-18 阿里巴巴集团控股有限公司 Honeypot-based data processing method, apparatus and system
CN111651757A (en) * 2020-06-05 2020-09-11 深圳前海微众银行股份有限公司 Attack behavior monitoring method, device, equipment and storage medium
US20210006594A1 (en) * 2018-03-19 2021-01-07 Huawei Technologies Co., Ltd. Method and apparatus for defending against network attack
CN113709130A (en) * 2021-08-20 2021-11-26 江苏通付盾科技有限公司 Risk identification method and device based on honeypot system
CN113973015A (en) * 2021-10-26 2022-01-25 上海观安信息技术股份有限公司 Honeypot isolation device, system and method


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Zhu Xiaodong: "Application of the CPot honeypot system in library networks", New Technology of Library and Information Service *
Liang Xiaoyang et al.: "Honey bridge: a new network security concept", New Advances in Communication Theory and Technology 2008: Proceedings of the 13th National Youth Communication Academic Conference (Part I) *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Method for determining the security status of honeypots, electronic devices, and computer-readable storage media

Effective date of registration: 20230614

Granted publication date: 20221104

Pledgee: Ji'nan rural commercial bank Limited by Share Ltd. high tech branch

Pledgor: Shandong Yuntian Safety Technology Co.,Ltd.

Registration number: Y2023980043786