CN114531258A - Network attack behavior processing method and device, storage medium and electronic equipment - Google Patents
Network attack behavior processing method and device, storage medium and electronic equipment Download PDFInfo
- Publication number
- CN114531258A CN114531258A CN202011226055.6A CN202011226055A CN114531258A CN 114531258 A CN114531258 A CN 114531258A CN 202011226055 A CN202011226055 A CN 202011226055A CN 114531258 A CN114531258 A CN 114531258A
- Authority
- CN
- China
- Prior art keywords
- target
- access
- behavior
- attack
- address
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a network attack behavior processing method and device, a storage medium and electronic equipment. The method comprises the following steps: acquiring an access request to a target service system; under the condition that the access behavior is determined to be network attack behavior and a target attack identifier distributed for a source network protocol address is identified from the access request, a destination address requested to be accessed by the access request is obtained, and the target attack identifier is used for indicating that the source network protocol address executes network attack behavior on a target service system; under the condition that the destination address is a decoy address constructed for the target service system, acquiring a behavior record obtained after the source network protocol address accesses the decoy address; and generating a behavior track of the network attack behavior of the source network protocol address according to the behavior record. The invention solves the technical problem of low network security caused by the fact that honeypots cannot be upgraded and modified in time.
Description
Technical Field
The present invention relates to the field of computers, and in particular, to a method and an apparatus for processing a network attack behavior, a storage medium, and an electronic device.
Background
For some important computer systems running in the internet, many malicious subjects (such as attackers) often launch different attack behaviors to the important computer systems so as to try to acquire important running data or user information and the like.
In order to overcome the above problems, an alternative approach commonly used at present is to adopt the conventional honeypot technology to confuse the malicious subject who initiates the attack behavior, so as to induce the malicious subject to attack the counterfeit honeypot, thereby facilitating the defense to clearly understand the security threat to be faced, so as to enhance the security protection capability of the important computer system. The traditional honeypot technology is a cheating system containing a bug, and provides an easily attacked target for an attacker by simulating one or more vulnerable hosts in a real scene, wherein the target is a service forged by honeypots and does not have real business value.
However, honeypots in traditional honeypot technology are all generated through templates, and the framework and the content of the honeypots are fixed and unchangeable. Therefore, when the applied service system changes, the honeypot cannot be upgraded and modified in time, so that the honeypot cannot continue to confuse more network attack behaviors, and the network security is reduced.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides a method and a device for processing network attack behaviors, a storage medium and electronic equipment, which at least solve the technical problem of low network security caused by the fact that honeypots cannot be upgraded and modified in time.
According to an aspect of the embodiments of the present invention, a method for processing a network attack behavior is provided, including: acquiring an access request to a target service system, wherein the access request carries a source network protocol address requesting to execute an access behavior; under the condition that the access behavior is determined to be a network attack behavior and a target attack identifier distributed for the source network protocol address is identified from the access request, acquiring a destination address requested to be accessed by the access request, wherein the target attack identifier is used for indicating that the source network protocol address executes the network attack behavior on the target service system; when the destination address is a decoy address constructed for the target service system, acquiring a behavior record obtained after the source network protocol address accesses the decoy address, wherein the decoy address comprises a target vulnerability file constructed for the target service system, and the target vulnerability file is used for indicating the source network protocol address to access decoy data generated by simulating service data in the target service system; and generating a behavior track of the network attack behavior of the source network protocol address according to the behavior record.
According to another aspect of the embodiments of the present invention, there is also provided a device for processing a network attack behavior, including: a first obtaining unit, configured to obtain an access request to a target service system, where the access request carries a source network protocol address requesting to execute an access behavior; a second obtaining unit, configured to obtain a destination address requested to be accessed by the access request when it is determined that the access behavior is a network attack behavior and a target attack identifier allocated to the source network protocol address is identified from the access request, where the target attack identifier is used to indicate that the source network protocol address has performed a network attack behavior on the target service system; a third obtaining unit, configured to obtain a behavior record obtained after the source network protocol address accesses the decoy address when the destination address is a decoy address configured for the target service system, where the decoy address includes a target vulnerability file configured for the target service system, and the target vulnerability file is used to instruct the source network protocol address to access decoy data generated by simulating service data in the target service system; and the generating unit is used for generating a behavior track of the network attack behavior of the source network protocol address according to the behavior record.
According to another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium, in which a computer program is stored, where the computer program is configured to execute the above processing method of network attack behavior when running.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, including a memory and a processor, where the memory stores a computer program, and the processor is configured to execute the processing method of the network attack behavior by using the computer program.
In the embodiment of the present invention, when the access behavior of the obtained access request to the target service system is determined to be a network attack behavior, and a target attack identifier allocated to a source network Protocol Address (IP Address for short) that triggers the access request is identified from the access request, a destination Address of the access request is obtained. And under the condition that the target address is a decoy address constructed for the target service system, acquiring a behavior record obtained after the source IP address accesses the decoy address, and then generating a behavior track of the network attack behavior of the source IP address based on the behavior record. That is to say, for different types of service systems, the target vulnerability file in the bait address can be directly modified, so that the honeypot used for attracting an attacker to attack can be quickly adjusted and modified, and the honeypot is not generated by using a template any more, so that the framework and the content of the honeypot can be timely upgraded and modified along with the change of the applied service system, thereby ensuring the network security of the service system and further overcoming the problem that the network security of the service system cannot be ensured in the related technology.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a schematic diagram of a network environment for an alternative network attack behavior processing method according to an embodiment of the present invention;
FIG. 2 is a flow chart of an alternative network attack behavior processing method according to an embodiment of the invention;
FIG. 3 is a schematic diagram of a system to which an alternative network attack behavior processing method is applied according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating an alternative network attack behavior processing method according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of an alternative network attack behavior processing method according to an embodiment of the invention;
FIG. 6 is a schematic structural diagram of an alternative network attack behavior processing apparatus according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of an alternative electronic device according to an embodiment of the invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that the following technical terms are referred to in the present embodiment, and the meanings thereof are as follows:
and (4) honeypot: a computer system operating on the internet; it is designed primarily to attract and trap those trying to break into other people's computer systems, the honeypot system is a spoofing system containing vulnerabilities that provides an attacker with an easily attacked target by simulating one or more vulnerable hosts, the honeypot does not provide a truly valuable service to the outside world, and therefore all access to the honeypot is considered suspicious, and another purpose of the honeypot is to delay the attacker's attack on the true target, letting the attacker spend time on the honeypot.
And command injection: the method refers to that special input (such as special character and character string combination) is constructed to be transmitted into a Web application program as a parameter, and the character and character string combination is mostly a command additionally executed after a closed program, and carries with some combination of other abnormal command input, and the operation required by an attacker is executed by executing command injection, and the main reason is that the program does not carefully filter data which can be input from outside, so that the malicious attacker invades the system.
Honeynets (honeynets) are a new concept developed gradually in honeypot technology, sometimes also referred to as trap networks. When a plurality of honeypots are connected together by a network, a large false service system is formed, a part of hosts are utilized to attract the invasion of attackers, and the invasion process is monitored, so that the attack behaviors of the attackers are collected on one hand, and the corresponding safety protection strategies can be updated on the other hand. This kind of simulated network consisting of a plurality of honeypots is called honeynet.
According to an aspect of the embodiments of the present invention, a method for processing a network attack behavior is provided, and optionally, as an optional implementation manner, the method for processing a network attack behavior may be applied, but not limited to, in a network architecture environment as shown in fig. 1, where the network architecture environment includes a user terminal 102, a network 104, a router 106, a switch 108, a honeynet 110, and a network 112 where a target service system is located. The user terminal 102 is configured to trigger an access behavior to a target service system, and the network 104 is configured to transmit interaction information, so as to implement an interaction process between network hardware devices. In addition, through the router 106 and the switch 108, the internal deployed honey net 110 is mapped to a service port of a network 112 where a target service system is located, and an attacker is introduced into a dense net in a disguised or learned mode to delay the attack behavior and delay the attack time.
It should be noted that, in this embodiment, a bait address of a target service system is deployed in a network environment, so that an attacker actively accesses a target vulnerability file in the bait address in the form of an access request, and further attracts the attacker to actively acquire, based on the target vulnerability file, decoy data generated by the target service system in a simulated manner, thereby implementing a behavior record based on which access processing is performed on the decoy data, capturing behavior characteristics of the attacker, and further acquiring a behavior attack of a network attack behavior executed by the attacker. The target vulnerability file is correspondingly constructed by combining a target business system. That is to say, in this embodiment, for different types of service systems, the target vulnerability file in the bait address can be directly modified, so that the honeypot used for attracting an attacker to attack can be quickly adjusted and modified, and the honeypot is not generated by using a template any more, so that the framework and content of the honeypot can be updated and modified in time along with the change of the applied service system, thereby ensuring the network security of the service system and further overcoming the problem that the network security of the service system cannot be ensured in the related art.
Optionally, in this embodiment, the user terminal 102 may be a terminal device configured with a target client, and may include but is not limited to at least one of the following: mobile phones (such as Android phones, iOS phones, etc.), notebook computers, tablet computers, palm computers, MID (Mobile Internet Devices), PAD, desktop computers, smart televisions, etc. The target client may be a video client, an instant messaging client, a browser client, an educational client, etc. The network 104 may include, but is not limited to: a wired network, a wireless network, wherein the wired network comprises: a local area network, a metropolitan area network, and a wide area network, the wireless network comprising: bluetooth, WIFI, and other networks that enable wireless communication. The network 112 where the honey net 110 and the target service system are located may be a single server, or may be a server cluster composed of a plurality of servers, or a cloud server. The above is merely an example, and this is not limited in this embodiment.
Optionally, as an optional implementation manner, as shown in fig. 2, the method for processing the network attack behavior includes:
s202, obtaining an access request to a target service system, wherein the access request carries a source network protocol address requesting to execute an access behavior;
s204, under the condition that the access behavior is determined to be a network attack behavior and a target attack identifier distributed for a source network protocol address is identified from the access request, a destination address requested to be accessed by the access request is obtained, wherein the target attack identifier is used for indicating that the source network protocol address executes the network attack behavior on a target service system;
s206, under the condition that the destination address is a decoy address constructed for the target service system, acquiring a behavior record obtained after the source network protocol address accesses the decoy address, wherein the decoy address comprises a target vulnerability file constructed for the target service system, and the target vulnerability file is used for indicating the source network protocol address to access decoy data generated by simulating service data in the target service system;
and S208, generating a behavior track of the network attack behavior of the source network protocol address according to the behavior record.
Optionally, in this embodiment, the processing method of network attack behavior may be applied to different service systems, and the target vulnerability file in the bait address is directly modified and adjusted to be suitable for different online service systems in time, so that malicious network attacks on the real service system are reduced by actively attracting an attacker to interact with the bait data generated by the simulated online service system, thereby achieving the purpose of protecting the security of the service data in the service system. The service system herein may include, but is not limited to: an instant messaging service system (simulating user account information to obtain decoy data), a financial payment system (simulating user account information and transaction data to obtain decoy data), and the like. The above is an example, and the target service system to be protected in the network environment is not limited in this embodiment.
It should be noted that, by deploying the decoy address of the target service system in the network environment, the attacker actively accesses the target vulnerability file in the decoy address in the form of an access request, and then attracts the attacker to actively acquire the decoy data generated for the target service system based on the target vulnerability file, so as to implement behavior record based on access processing of the decoy data, capture the behavior characteristics of the attacker, and further acquire the behavior attack of the network attack behavior executed by the attacker. The target vulnerability file is correspondingly constructed by combining a target business system. That is to say, in this embodiment, for different types of service systems, the target vulnerability file in the bait address can be directly modified, so that the honeypot used for attracting an attacker to attack can be quickly adjusted and modified, and the honeypot is not generated by using a template any more, so that the framework and content of the honeypot can be updated and modified in time along with the change of the applied service system, thereby ensuring the network security of the service system and further overcoming the problem that the network security of the service system cannot be ensured in the related art.
For example, the above processing method of network attack behavior may be applied to, but not limited to, a processing system as shown in fig. 3, where the processing system may include: attack detection module 302, honeypot module 304, data processing module 306, and presentation module 308.
The attack detection module 302 includes an identifier module 3022, where the identifier module 3022 may store, but is not limited to, a regular expression for identifying a network attack behavior, where the regular expression carries target attack characters, such as malicious characters for attacking service data in a target service system to be currently protected. And if the attack behavior is detected, allocating an attack identifier for the unique identifier to the attack behavior.
Among other things, the honeypot module 304 includes a bait submodule 3042 and a scenario submodule 3044, where the bait submodule 3042 may, but is not limited to, entice an attacker (i.e., a source IP address that triggers an attack access behavior) in at least one of the following manners: 1) sensitive information (such as a bait address) such as a false IP address or a port generated by a simulated target business system is deployed on an open source website to attract an attacker to visit; 2) hijacking a specific Common Gateway Interface (CGI), and returning sensitive information to the CGI when an attacker accesses the CGI. The scenario submodule 3044 may be used for, but is not limited to, disguising a vulnerability file, so as to catch information of an attacker in the process or confuse the attacker to bypass the limitation, thereby acquiring behavior characteristics of more attackers. The scenario submodule 3044 herein may include, but is not limited to, 4 units: 1) a command injection vulnerability simulation unit for detecting command injection attacks; 2) the information acquisition unit is used for acquiring behavior information of an attacker; 3) a pseudo service unit for simulating service data in a counterfeit target business system; 4) a redirection unit for generating a redirected access upon injecting an attack according to an attacker's command.
Therein, the data processing module (also referred to as a data washing and correlation module) 306 includes a logging submodule 3062 and a clustering submodule 3064. Here, the log submodule 3062 can be used for obtaining the behavior record generated in the above process, but is not limited thereto. Here, the clustering submodule 3064 may be, but is not limited to, configured to analyze and aggregate the behavior records to cluster and form an analysis traceability report of the source IP address being tracked.
The console 3082 is included in the presentation module 308, which can trigger a notification to the user to inform that the tracing is successful, but is not limited to the case of tracing to relevant information of the attacker. Meanwhile, unknown attacks detected in the processing process are analyzed, so that unknown vulnerabilities (such as 0day) and source tracing alarms are displayed on a display interface. It should be noted that 0day is used in the related art to indicate a cracked version that appears after the software is released.
In the example shown in fig. 3, the structure is an optional structure in the present embodiment, and this is not limited in this embodiment.
Optionally, in this embodiment, the target attack identity may be, but is not limited to, an attack history identification identity generated by using the source IP address. And allocating an attack identifier with a unique identifier to a source IP address which initiates network attack behaviors to mark the source IP address as a malicious attack subject, and adding the attack identifier to a response returned to the source IP address so as to continuously track the source IP address. However, the attacker may recognize the attack identifier of the tag and actively remove the attack identifier, or change the source IP address used for access to implement continuous attack, so in this embodiment, in order to avoid missing the identification, the unique identifier is recognized, if the attack identifier is not recognized, a new identifier is generated for the unique identifier again, and if the attack identifier is recognized, the operation of attracting the honeypot is continued.
Alternatively, in this embodiment, the above-mentioned decoy address may be, but is not limited to, a false address constructed according to the service data of the target service system to be protected, and when accessing the decoy address, the attacker will not obtain the real service data, but obtain the decoy data generated in advance through simulation. Furthermore, based on the processing process of the attacking party on the bait data, the behavior characteristics of the attacking party can be further ascertained, the source IP address which is under the network attack is traced, and the attack path is timely determined.
Further, in the present embodiment, in the case where it is determined that the source IP address access is a decoy address, it is determined whether it is a command injection attack. If the injection command carries a monitoring interface (such as a rebound shell command), the target IP address specified by the attacker can be connected, and the bait data is continuously utilized to interact with the target IP address, so that the deception attacker is confused, and the purpose of delaying the attack time is achieved.
This is explained in particular with reference to the example shown in fig. 4. It is assumed that a user terminal (hereinafter, simply referred to as a user) 402 and an attacker terminal (hereinafter, simply referred to as an attacker) 404 access normal traffic (traffic in a target traffic system) through a network 406, a router 408, and a switch 410.
In step S402, the traffic for accessing the normal service is split, and the TCP packet is reassembled, so as to generate http traffic. Then, whether attack behavior is contained therein, whether spoofing confusion is required for using the honeypot in the embodiment, and the like are analyzed by the attack detection module 412. If simple regular matching is carried out on the content of the attack behavior, whether the attack behavior exists is judged.
In case it is determined that there is an attack, as in step S404, a unique identifier is generated for the source IP address requested to be accessed, and the unique identifier is injected to the client of the attacker through a bypass packet (as in step S406-2 shown in the figure). And sends a Reset packet to the server side (step S406-1 shown in the figure), blocking the connection.
After marking, if an attack is detected, the attacker is attracted to a decoy address (simulating a good or false page) by redirecting/leaking some information such as error reporting, as in step S408.
In step S410, if the attacker is lured to fail, the trace of the attacker can be known by the injected mark, and the attacker can be offline calculated by the behavior log (i.e., the behavior record), so as to check whether the attacker has another attack behavior according to the calculation result.
In step S412, if the attacker is successfully attracted, the attacker can continue to cheat through script simulation, and thus the attack is delayed and even the relevant information of the attacker is caught.
If the bounce shell command is added to the command injection of the attacker, a terminal similar to the target service system is simulated at the back end to be connected to the specified IP address, so that the simulated data is used for continuously cheating the attacker.
Further as shown in steps S418-S424, a behavior record of the behavior may be obtained and saved (e.g., logged) in the background, and the data may be used for performing a tracing calculation. And the security personnel 420 performs auxiliary calculation to generate a source tracing report of the source IP address corresponding to the attacker, and displays the result on a display interface.
Fig. 4 illustrates an alternative exemplary process, which is not limited in this embodiment.
According to the embodiment provided by the application, the target vulnerability files of different types of service systems in the bait addresses can be directly modified, the honeypots used for attracting an attacker to attack can be rapidly adjusted and modified, and the honeypots are not generated by using templates, so that the framework and the content of the honeypots can be updated and modified in time along with the change of the applied service systems, the network security of the service systems is guaranteed, and the problem that the network security of the service systems cannot be guaranteed in the related technology is solved.
As an alternative, in the case that the destination address is a decoy address constructed for the target service system, the behavior record obtained after the source network protocol address accesses the decoy address includes:
s1, obtaining the access parameter carried in the access request;
s2, when the access parameter does not contain the access identification parameter configured in advance, the source network protocol address is informed that the access content can not be obtained;
s3, when the access request contains the access identification parameter and the parameter value of the access identification parameter is the target value, providing the corresponding object decoy data to the source network protocol address;
and S4, acquiring the behavior record generated when the source network protocol address processes the target bait data.
Optionally, in this embodiment, the access identification parameter may include, but is not limited to, one of the following: command prompt CMD, ID, IP. Here, other parameters may also be set for example, which is not limited in this embodiment.
For example, under the condition that the source IP address is determined to be the decoy address corresponding to the access target vulnerability file, whether the source IP address carries the access identification parameter, such as the command prompt CMD, is checked. And if the access identification parameter does not exist, returning an error report to prompt that the parameter value of the CMD cannot be obtained. If the access identification parameter is found and exists, then the command injection attack can be detected.
According to the embodiment provided by the application, the honeypot sends the access identification parameter to the attacker through setting the access identification parameter, but does not inform the specific parameter value of the access identification parameter, so that the honeypot is trapped in the process of continuous testing, and the purpose of delaying the attack is achieved.
As an optional solution, in a case that the access request includes an access identification parameter, and a parameter value of the access identification parameter is a target value, providing the corresponding object decoy data to the source network protocol address includes: under the condition that the parameter value of the access identification parameter is a target value, extracting command information contained in the access identification parameter, wherein the target value indicates that the access behavior is a command injection attack behavior; the object decoy data is provided to the source network protocol address in accordance with the command information.
Optionally, in this embodiment, after obtaining the access parameter carried in the access request, the method further includes: in the event that the parameter value of the access identification parameter indicates that the access behavior is not a target value, a default command response is returned to the source network protocol address.
It should be noted that, in this embodiment, the parameter value of the access identification parameter may be, but is not limited to, a behavior type identifier for indicating whether an access request of an attacker carries a command injection attack. That is to say, when the access request does not carry the access identification parameter, or the parameter value indication of the access identification parameter carried in the access request is not the target value, it indicates that the current access request is not the command injection attack, and returns a default command response, such as a command ID, to the attacker, so as to confuse the attacker to identify this as a hidden test file. And under the condition that the parameter value of the access identification parameter carried in the access request is indicated as a target value, the current access request is indicated as a command injection attack behavior, and the special character injected by the command is extracted to analyze the attack behavior.
Optionally, in this embodiment, providing the object decoy data to the source network protocol address according to the command information includes: and establishing a communication link between the simulation terminal and a target network protocol address associated with the monitoring interface, and providing object bait data through the communication link.
It should be noted that, the above listening interface may be, but is not limited to, a bounce shell command is added to a special character injected by the command, and is used to guide the user to access a specified target IP address, so that the user leaks more important service information. In order to avoid the above problem, in the honeypot provided in this embodiment, an analog terminal that simulates a target service system is configured at the back end, and a connection is made to the target IP address specified by the bounce shell based on fake service data (e.g., decoy data) constructed in the analog terminal.
According to the embodiment provided by the application, whether the network attack behavior of the source IP address sending the access request is the command injection attack behavior is determined based on the parameter value of the access identification parameter, and under the condition that the network attack behavior is determined to be the command injection attack behavior, the injected command information is extracted, and the special characters maliciously added in the command information are identified, so that corresponding obfuscation processing is performed on the command information. Further, under the condition that the command of the command injection attack behavior also carries a monitoring interface, the terminal is simulated at the back end so as to continue to finish cheating by utilizing the simulated terminal.
As an optional scheme, after obtaining the access request to the target service system, the method further includes:
s1, comparing the access request with the regular expression carrying the target attack character;
and S2, determining that the access behavior corresponding to the access request is a network attack behavior under the condition that the comparison result indicates that the access request carries the target attack character.
According to the embodiment provided by the application, under the condition that the access request for accessing the target service system is obtained, the access request is compared with the regular expression carrying the target attack character, so that service data flow is pre-filtered by using the regular expression, authorized access is performed on non-attack behaviors, the data processing amount of honeypots is reduced, and the processing efficiency of network attack behaviors is improved.
As an optional solution, after obtaining the access request to the target service system, the method includes:
s1, identifying the attack class identification in the access request;
s2, under the condition that the attack type identification is not identified in the access request, generating a target attack identification based on the source network protocol address, and adding the target attack identification into the access response information corresponding to the access request;
s3, under the condition that the attack type identification is identified in the access request, acquiring a locally stored target attack identification which is allocated to the source network protocol address in advance; comparing the attack type identification with the target attack identification; under the condition that the comparison result indicates that the attack class identification is matched with the target attack identification, determining to identify the target attack identification from the access request; under the condition that the comparison result indicates that the attack type identification is not matched with the target attack identification, the target attack identification is regenerated based on the source network protocol address to obtain an updated target attack identification; and storing the updated target attack identification, and adding the updated target attack identification to the access response information corresponding to the access request.
Optionally, in this embodiment, the above manner of regenerating the target attack identity based on the source network protocol address may include, but is not limited to, a salt encryption manner. Such as adding some special characters (also called "salt") to the source IP address, followed by irreversible encryption to enhance its security. Wherein the special character may be, but is not limited to, MD5 associated with the access request. Here, this is an example, and this is not limited in this embodiment.
According to the embodiment provided by the application, the attack identification used for the unique identification is distributed to the source IP address of the access request so as to realize accurate tracking of the source IP address, so that the behavior record of the source IP address is conveniently acquired, and further the attack characteristics of an attacker can be analyzed and ascertained so as to prevent a target service system from receiving similar attacks.
As an optional scheme, before obtaining the access request to the target service system, at least one of the following is further included:
1) deploying sensitive information containing a bait address in a target platform, wherein the target platform is not provided with access rights;
2) hijacking a target general interface associated with a target service system; in the case where the access behavior accesses the target generic interface, sensitive information containing the decoy address is returned to the source network protocol address.
Optionally, in this embodiment, the sensitive information may be, but is not limited to, an IP address or a port number forged for the honeypot, etc. to entice an attacker to perform an access attack. The sensitive information can be deployed on an open source platform without limitation, so that an attacker can obtain the sensitive information conveniently. The specific content of the sensitive information is not limited in this embodiment.
Through the embodiment provided by the application, the sensitive information is directly deployed on the open-source target platform without additional application of host resources, so that the aim of simplifying deployment operation of the honeypots is fulfilled.
As an alternative, generating a behavior trace of the network attack behavior of the source network protocol address according to the behavior record includes:
s1, extracting access behavior attribute information of the source network protocol address in the target time period from the behavior record, wherein the access behavior attribute information includes: access time, access path and access frequency to the same address;
and S2, tracing and tracing the network attack behavior triggered by the source network protocol address according to the access behavior attribute information to generate a behavior track.
By the embodiment provided by the application, under the condition that the behavior record of the source IP address (attacker) is obtained in the manner, the attack behavior characteristics of the source IP address can be analyzed according to the access behavior attribute information in the behavior record of the access behavior executed by the source IP address in the target time period, so that the network attack behavior is tracked and traced based on the attack behavior characteristics, a behavior track is conveniently obtained, and the network attack behavior is comprehensively intercepted or forbidden.
The description is made with reference to the example shown in fig. 5:
s502, acquiring a request flow;
s504, determine whether a unique identifier (e.g., cookie parameter) exists in the current to-be-processed access request (the request carries the source IP address triggering the access behavior) in the request traffic, if not, execute step S506-1, generate and allocate the unique identifier for the access request, and store the unique identifier in a storage, and drop a log (i.e., write a log). If the source IP address exists, whether the identifier generated for the source IP address is the same as the identifier carried in the currently received access request is judged through data association. If not, the generated identifier (for example, a hash function may be used to generate the identifier based on at least one specific input parameter, such as IP, user-agent, etc.) is injected into the response packet of the access request. If so, step S506-2 is performed.
S506-2, determine whether the access request accesses the decoy page, if not, then drop the log, in step S508-1, if yes, then execute step S508-2.
S508-2, whether the access request accesses a decoy directory (namely a decoy address indicated by the target vulnerability file) in the decoy page is judged. If the bait directory is not accessed, in step S510-1, the HTTP status code 200 is returned and the normal page content is attached. If the path with the bug files is accessed, returning the path with the bug files, and judging whether the access request carries the unique identifier when the attacker accesses the path with the bug files. If the identity is not carried, generating a new identity, injecting a response Head HTTP Head, and emptying an HTTP body response packet to make an attacker not access; if the identification is carried, step S510-2 is executed.
S510-2, judging whether the specified parameters (such as cmd, id and ip) are carried in the data. If the specified parameter is not carried, step S512-1 is executed to prompt an error report and the parameter value of cmd cannot be obtained (i.e. the returned parameter has no error). If the specified parameters are carried, step S512-2 is executed.
S512-2, judging whether the specified parameters have the type identification of the command injection attack. If there is no type identifier with command injection (such as non-aggressive behavior, or aggressive behavior, but not command injection aggressive type), in step S514-1, a default value is returned, that is, a default id command is returned. If the type identifier of the command injection is included, in step S514-2, the command information carried therein is extracted, in step S516, whether the command is a known command is determined, and in step S518, the response content of the command is obtained (for example, the command may be id, whoami, cat, head, uname, history, less, etc., and does not include an execution script language such as python, php, sh, etc.) in case the command is a known command.
And S520, judging whether the injected command carries a rebound shell command or not, if the injected command does not carry the rebound shell command, executing the step S522-1, returning to the step of being unidentifiable, and if the injected command carries the rebound shell command, executing the step S522-2, connecting a target IP address specified in the command injection through the simulation terminal for interaction, and providing decoy data for the target IP address to capture attacker information. The communication connection may be, but is not limited to, allowing it to be connected for a certain period of time (e.g., 10s), and then disconnected to ensure information security.
The above-mentioned example shown in fig. 5 is an alternative embodiment in this embodiment, and the means and the execution sequence involved therein are not limited in this embodiment.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
According to another aspect of the embodiment of the present invention, there is also provided a network attack behavior processing apparatus for implementing the network attack behavior processing method. As shown in fig. 6, the apparatus includes:
1) a first obtaining unit 602, configured to obtain an access request to a target service system, where the access request carries a source network protocol address requesting to execute an access behavior;
2) a second obtaining unit 604, configured to obtain a destination address requested to be accessed by the access request when it is determined that the access behavior is a network attack behavior and a target attack identifier allocated to the source network protocol address is identified from the access request, where the target attack identifier is used to indicate that the source network protocol address has executed a network attack behavior on the target service system;
3) a third obtaining unit 606, configured to obtain, when the destination address is a bait address constructed for the target service system, a behavior record obtained after the source network protocol address accesses the bait address, where the bait address includes a target vulnerability file constructed for the target service system, and the target vulnerability file is used to indicate that the source network protocol address accesses bait data generated by simulating service data in the target service system;
4) and a generating unit 608, configured to generate a behavior trace of the network attack behavior of the source network protocol address according to the behavior record.
Optionally, in this embodiment, the processing apparatus for network attack behavior may be applied to different service systems, and directly modify and adjust the target vulnerability file in the bait address to make the target vulnerability file suitable for different online service systems in time, and reduce malicious network attacks on the real service system by actively attracting an attacker to interact with the bait data generated by the simulated online service system, so as to achieve the purpose of protecting the security of the service data in the service system. The service system herein may include, but is not limited to: an instant messaging service system (simulating user account information to obtain decoy data), a financial payment system (simulating user account information and transaction data to obtain decoy data), and the like. The above is an example, and the target service system to be protected in the network environment is not limited in this embodiment.
For specific embodiments, reference may be made to the above method examples, which are not described herein again.
According to another aspect of the embodiment of the present invention, there is further provided an electronic device for implementing the network attack behavior processing method, where the electronic device may be illustrated as an example by a server shown in fig. 1. As shown in fig. 7, the electronic device comprises a memory 702 and a processor 704, wherein the memory 702 stores a computer program, and the processor 704 is configured to execute the steps of any of the above method embodiments by the computer program.
Optionally, in this embodiment, the electronic device may be located in at least one network device of a plurality of network devices of a computer network.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
s1, obtaining an access request to a target service system, wherein the access request carries a source network protocol address requesting to execute an access behavior;
s2, under the condition that the access behavior is determined to be network attack behavior and the target attack identification distributed for the source network protocol address is identified from the access request, the destination address requested to be accessed by the access request is obtained, wherein the target attack identification is used for indicating that the source network protocol address has executed network attack behavior on the target service system;
s3, under the condition that the destination address is a bait address constructed for the target service system, acquiring a behavior record obtained after the source network protocol address accesses the bait address, wherein the bait address comprises a target vulnerability file constructed for the target service system, and the target vulnerability file is used for indicating the source network protocol address to access decoy data generated by simulating service data in the target service system;
and S4, generating a behavior track of the network attack behavior of the source network protocol address according to the behavior record.
Alternatively, it can be understood by those skilled in the art that the structure shown in fig. 7 is only an illustration, and the electronic device may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 7 is a diagram illustrating a structure of the electronic device. For example, the electronics may also include more or fewer components (e.g., network interfaces, etc.) than shown in FIG. 7, or have a different configuration than shown in FIG. 7.
The memory 702 may be configured to store software programs and modules, such as program instructions/modules corresponding to the method and apparatus for processing network attack behaviors in the embodiment of the present invention, and the processor 704 executes various functional applications and data processing by running the software programs and modules stored in the memory 702, that is, implements the above-described method for processing network attack behaviors. The memory 702 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 702 can further include memory located remotely from the processor 704, which can be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof. The memory 702 may be, but not limited to, specifically configured to store behavior records of the source IP address, and information such as bait data. As an example, as shown in fig. 7, the memory 702 may include, but is not limited to, a first obtaining unit 602, a second obtaining unit 604, a third obtaining unit 606, and a generating unit 608 in the processing apparatus for network attack behavior. In addition, the network attack behavior processing apparatus may further include, but is not limited to, other module units in the network attack behavior processing apparatus, which is not described in this example again.
Optionally, the transmitting device 706 is used for receiving or sending data via a network. Examples of the network may include a wired network and a wireless network. In one example, the transmission device 706 includes a Network adapter (NIC) that can be connected to a router via a Network cable and other Network devices to communicate with the internet or a local area Network. In one example, the transmission device 706 is a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
In addition, the electronic device further includes: a display 708 for displaying the behavior trace obtained by the analysis; and a connection bus 710 for connecting the respective module parts in the above-described electronic apparatus.
In other embodiments, the terminal device or the server may be a node in a distributed system, where the distributed system may be a blockchain system, and the blockchain system may be a distributed system formed by connecting a plurality of nodes through a network communication. Nodes can form a Peer-To-Peer (P2P, Peer To Peer) network, and any type of computing device, such as a server, a terminal, and other electronic devices, can become a node in the blockchain system by joining the Peer-To-Peer network.
According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions, the computer instructions being stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium, and the processor executes the computer instructions, so that the computer device executes the processing method of the network attack behavior. Wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
Alternatively, in the present embodiment, the above-mentioned computer-readable storage medium may be configured to store a computer program for executing the steps of:
s1, obtaining an access request to a target service system, wherein the access request carries a source network protocol address requesting to execute an access behavior;
s2, under the condition that the access behavior is determined to be a network attack behavior and the target attack identification distributed for the source network protocol address is identified from the access request, the target address requested to be accessed by the access request is obtained, wherein the target attack identification is used for indicating that the source network protocol address has executed the network attack behavior on the target service system;
s3, under the condition that the destination address is a bait address constructed for the target service system, acquiring a behavior record obtained after the source network protocol address accesses the bait address, wherein the bait address comprises a target vulnerability file constructed for the target service system, and the target vulnerability file is used for indicating the source network protocol address to access decoy data generated by simulating service data in the target service system;
and S4, generating the behavior track of the network attack behavior of the source network protocol address according to the behavior record.
Alternatively, in this embodiment, a person skilled in the art may understand that all or part of the steps in the methods of the foregoing embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing one or more computer devices (which may be personal computers, servers, network devices, etc.) to execute all or part of the steps of the method according to the embodiments of the present invention.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis, and reference may be made to the related description of other embodiments for parts that are not described in detail in a certain embodiment.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.
Claims (12)
1. A method for processing network attack behaviors is characterized by comprising the following steps:
acquiring an access request to a target service system, wherein the access request carries a source network protocol address requesting to execute an access behavior;
under the condition that the access behavior is determined to be a network attack behavior and a target attack identifier distributed to the source network protocol address is identified from the access request, acquiring a destination address requested to be accessed by the access request, wherein the target attack identifier is used for indicating that the source network protocol address executes the network attack behavior on the target service system;
under the condition that the destination address is a decoy address constructed for the target service system, acquiring a behavior record obtained after the source network protocol address accesses the decoy address, wherein the decoy address comprises a target vulnerability file constructed for the target service system, and the target vulnerability file is used for indicating the source network protocol address to access decoy data generated by simulating service data in the target service system;
and generating a behavior track of the network attack behavior of the source network protocol address according to the behavior record.
2. The method of claim 1, wherein in the case that the destination address is a decoy address constructed for the target service system, obtaining the behavior record obtained after the source network protocol address accesses the decoy address comprises:
obtaining an access parameter carried in the access request;
under the condition that the access parameters do not contain the access identification parameters configured in advance, informing the source network protocol address that the access content can not be acquired;
under the condition that the access request contains the access identification parameter and the parameter value of the access identification parameter is a target value, providing corresponding object decoy data to the source network protocol address;
and acquiring the behavior record generated when the source network protocol address processes the object decoy data.
3. The method of claim 2, wherein, in the case that the access identification parameter is included in the access request and a parameter value of the access identification parameter is a target value, providing corresponding object decoy data to the source network protocol address comprises:
under the condition that the parameter value of the access identification parameter is the target value, extracting command information contained in the access identification parameter, wherein the target value indicates that the access behavior is a command injection attack behavior; and providing the object decoy data to the source network protocol address according to the command information.
4. The method of claim 3, wherein providing the object decoy data to the source network protocol address in accordance with the command information comprises:
and under the condition that the command information carries a monitoring interface, constructing a simulation terminal by using the associated data of the service data in the target service system, establishing a communication link between the simulation terminal and a target network protocol address associated with the monitoring interface, and providing the object decoy data through the communication link.
5. The method according to claim 3, further comprising, after the obtaining the access parameter carried in the access request:
returning a default command response to the source network protocol address if the parameter value of the access identification parameter indicates that the access behavior is not the target value.
6. The method of claim 1, further comprising, after said obtaining the request for access to the target business system:
comparing the access request with a regular expression carrying target attack characters;
and determining that the access behavior corresponding to the access request is a network attack behavior under the condition that the comparison result indicates that the access request carries the target attack character.
7. The method of claim 1, after said obtaining the request for access to the target business system, comprising:
identifying an attack class identifier in the access request;
under the condition that the attack class identification is not identified in the access request, generating the target attack identification based on the source network protocol address, and adding the target attack identification into access response information corresponding to the access request;
under the condition that the attack type identification is identified in the access request, acquiring the locally stored target attack identification which is pre-allocated to the source network protocol address; comparing the attack class identification with the target attack identification; determining to identify the target attack identification from the access request under the condition that the comparison result indicates that the attack class identification is matched with the target attack identification; under the condition that the comparison result indicates that the attack class identification is not matched with the target attack identification, the target attack identification is regenerated based on the source network protocol address to obtain the updated target attack identification; and storing the updated target attack identification, and adding the updated target attack identification to the access response information corresponding to the access request.
8. The method according to any of claims 1 to 7, further comprising, prior to said obtaining a request for access to a target business system, at least one of:
deploying sensitive information containing the decoy address in a target platform, wherein the target platform is not provided with access rights;
hijacking a target general interface associated with the target service system; in the event that the access behavior accesses the target generic interface, returning sensitive information including the decoy address to the source network protocol address.
9. The method of any one of claims 1 to 7, wherein generating a behavior trace of a network attack behavior of the source network protocol address from the behavior record comprises:
extracting access behavior attribute information of the source network protocol address in a target time period from the behavior record, wherein the access behavior attribute information comprises: access time, access path and access frequency to the same address;
and tracking and tracing the network attack behavior triggered by the source network protocol address according to the access behavior attribute information to generate the behavior track.
10. A network attack behavior processing apparatus, comprising:
a first obtaining unit, configured to obtain an access request to a target service system, where the access request carries a source network protocol address requesting to execute an access behavior;
a second obtaining unit, configured to obtain a destination address requested to be accessed by the access request when it is determined that the access behavior is a network attack behavior and a target attack identifier allocated to the source network protocol address is identified from the access request, where the target attack identifier is used to indicate that the source network protocol address has executed a network attack behavior on the target service system;
a third obtaining unit, configured to obtain, when the destination address is a bait address constructed for the target service system, a behavior record obtained after the source network protocol address accesses the bait address, where the bait address includes a target vulnerability file constructed for the target service system, and the target vulnerability file is used to indicate that the source network protocol address accesses bait data generated by simulating service data in the target service system;
and the generating unit is used for generating a behavior track of the network attack behavior of the source network protocol address according to the behavior record.
11. A computer-readable storage medium, comprising a stored program, wherein the program when executed performs the method of any of claims 1 to 9.
12. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the method of any of claims 1 to 9 by means of the computer program.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011226055.6A CN114531258B (en) | 2020-11-05 | 2020-11-05 | Network attack behavior processing method and device, storage medium and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011226055.6A CN114531258B (en) | 2020-11-05 | 2020-11-05 | Network attack behavior processing method and device, storage medium and electronic equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114531258A true CN114531258A (en) | 2022-05-24 |
| CN114531258B CN114531258B (en) | 2023-04-18 |
Family
ID=81618659
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011226055.6A Active CN114531258B (en) | 2020-11-05 | 2020-11-05 | Network attack behavior processing method and device, storage medium and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114531258B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115001875A (en) * | 2022-08-05 | 2022-09-02 | 上海斗象信息科技有限公司 | Honeypot-based network trapping method, device, server and storage medium |
| CN115208679A (en) * | 2022-07-14 | 2022-10-18 | 软极网络技术(北京)有限公司 | Attack IP defense method and system based on honeypool cooperation |
| CN115801324A (en) * | 2022-10-21 | 2023-03-14 | 北京百度网讯科技有限公司 | Attack trapping method and device, electronic equipment and storage medium |
Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20100077483A1 (en) * | 2007-06-12 | 2010-03-25 | Stolfo Salvatore J | Methods, systems, and media for baiting inside attackers |
| US20160359882A1 (en) * | 2015-06-08 | 2016-12-08 | Illusive Networks Ltd. | Managing dynamic deceptive environments |
| CN106921671A (en) * | 2017-03-22 | 2017-07-04 | 杭州迪普科技股份有限公司 | The detection method and device of a kind of network attack |
| CN107070929A (en) * | 2017-04-20 | 2017-08-18 | 中国电子技术标准化研究院 | A kind of industry control network honey pot system |
| CN107370756A (en) * | 2017-08-25 | 2017-11-21 | 北京神州绿盟信息安全科技股份有限公司 | A kind of sweet net means of defence and system |
| EP3343869A1 (en) * | 2016-12-28 | 2018-07-04 | Deutsche Telekom AG | A method for modeling attack patterns in honeypots |
| CN109088901A (en) * | 2018-10-31 | 2018-12-25 | 杭州默安科技有限公司 | Deception defence method and system based on SDN building dynamic network |
| CN109347881A (en) * | 2018-11-30 | 2019-02-15 | 东软集团股份有限公司 | Network protection method, apparatus, equipment and storage medium based on network cheating |
| CN110011982A (en) * | 2019-03-19 | 2019-07-12 | 西安交通大学 | A kind of attack intelligence deception system and method based on virtualization |
| CN110381045A (en) * | 2019-07-09 | 2019-10-25 | 腾讯科技(深圳)有限公司 | Treating method and apparatus, storage medium and the electronic device of attack operation |
| CN111556061A (en) * | 2020-04-29 | 2020-08-18 | 上海沪景信息科技有限公司 | Network disguising method, device, equipment and computer readable storage medium |
| CN111565199A (en) * | 2020-07-14 | 2020-08-21 | 腾讯科技(深圳)有限公司 | Network attack information processing method and device, electronic equipment and storage medium |
| CN111651757A (en) * | 2020-06-05 | 2020-09-11 | 深圳前海微众银行股份有限公司 | Attack behavior monitoring method, device, equipment and storage medium |
-
2020
- 2020-11-05 CN CN202011226055.6A patent/CN114531258B/en active Active
Patent Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20100077483A1 (en) * | 2007-06-12 | 2010-03-25 | Stolfo Salvatore J | Methods, systems, and media for baiting inside attackers |
| US20160359882A1 (en) * | 2015-06-08 | 2016-12-08 | Illusive Networks Ltd. | Managing dynamic deceptive environments |
| EP3343869A1 (en) * | 2016-12-28 | 2018-07-04 | Deutsche Telekom AG | A method for modeling attack patterns in honeypots |
| CN106921671A (en) * | 2017-03-22 | 2017-07-04 | 杭州迪普科技股份有限公司 | The detection method and device of a kind of network attack |
| CN107070929A (en) * | 2017-04-20 | 2017-08-18 | 中国电子技术标准化研究院 | A kind of industry control network honey pot system |
| CN107370756A (en) * | 2017-08-25 | 2017-11-21 | 北京神州绿盟信息安全科技股份有限公司 | A kind of sweet net means of defence and system |
| CN109088901A (en) * | 2018-10-31 | 2018-12-25 | 杭州默安科技有限公司 | Deception defence method and system based on SDN building dynamic network |
| CN109347881A (en) * | 2018-11-30 | 2019-02-15 | 东软集团股份有限公司 | Network protection method, apparatus, equipment and storage medium based on network cheating |
| CN110011982A (en) * | 2019-03-19 | 2019-07-12 | 西安交通大学 | A kind of attack intelligence deception system and method based on virtualization |
| CN110381045A (en) * | 2019-07-09 | 2019-10-25 | 腾讯科技(深圳)有限公司 | Treating method and apparatus, storage medium and the electronic device of attack operation |
| CN111556061A (en) * | 2020-04-29 | 2020-08-18 | 上海沪景信息科技有限公司 | Network disguising method, device, equipment and computer readable storage medium |
| CN111651757A (en) * | 2020-06-05 | 2020-09-11 | 深圳前海微众银行股份有限公司 | Attack behavior monitoring method, device, equipment and storage medium |
| CN111565199A (en) * | 2020-07-14 | 2020-08-21 | 腾讯科技(深圳)有限公司 | Network attack information processing method and device, electronic equipment and storage medium |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115208679A (en) * | 2022-07-14 | 2022-10-18 | 软极网络技术(北京)有限公司 | Attack IP defense method and system based on honeypool cooperation |
| CN115208679B (en) * | 2022-07-14 | 2023-12-08 | 软极网络技术(北京)有限公司 | Attacker IP defending method and defending system based on honey array cooperation |
| CN115001875A (en) * | 2022-08-05 | 2022-09-02 | 上海斗象信息科技有限公司 | Honeypot-based network trapping method, device, server and storage medium |
| CN115801324A (en) * | 2022-10-21 | 2023-03-14 | 北京百度网讯科技有限公司 | Attack trapping method and device, electronic equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114531258B (en) | 2023-04-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110677408B (en) | Attack information processing method and device, storage medium and electronic device | |
| CN114531258B (en) | Network attack behavior processing method and device, storage medium and electronic equipment | |
| US9773109B2 (en) | Alternate files returned for suspicious processes in a compromised computer network | |
| US12058148B2 (en) | Distributed threat sensor analysis and correlation | |
| Tsikerdekis et al. | Approaches for preventing honeypot detection and compromise | |
| US20230370439A1 (en) | Network action classification and analysis using widely distributed honeypot sensor nodes | |
| US11489853B2 (en) | Distributed threat sensor data aggregation and data export | |
| US11265334B1 (en) | Methods and systems for detecting malicious servers | |
| CN105915532B (en) | A kind of recognition methods of host of falling and device | |
| CN107612924B (en) | Attacker positioning method and device based on wireless network intrusion | |
| CN112995151B (en) | Access behavior processing method and device, storage medium and electronic equipment | |
| CN113676449B (en) | Network attack processing method and device | |
| CN107465702B (en) | Early warning method and device based on wireless network intrusion | |
| CN110493238A (en) | Defence method, device, honey pot system and honey jar management server based on honey jar | |
| CN107579997A (en) | Wireless network intrusion detection system | |
| CN114826663B (en) | Honeypot identification method, device, equipment and storage medium | |
| US12041094B2 (en) | Threat sensor deployment and management | |
| CN107566401B (en) | Protection method and device for virtualized environment | |
| CN112615863A (en) | Method, device, server and storage medium for resisting attack host | |
| CN113098835A (en) | Honeypot implementation method based on block chain, honeypot client and honeypot system | |
| CN112242974A (en) | Attack detection method and device based on behaviors, computing equipment and storage medium | |
| CN110674496A (en) | Method and system for program to counter invading terminal and computer equipment | |
| CN115001789B (en) | Method, device, equipment and medium for detecting collapse equipment | |
| CN113079157A (en) | Method and device for acquiring network attacker position and electronic equipment | |
| CN115150124A (en) | Fraud defense system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |