CN114531258B - Network attack behavior processing method and device, storage medium and electronic equipment - Google Patents


Info

Publication number
CN114531258B
Authority
CN
China
Prior art keywords
access
target
behavior
attack
network protocol
Legal status
Active
Application number
CN202011226055.6A
Other languages
Chinese (zh)
Other versions
CN114531258A (en)
Inventor
郭晶
杨勇
甘祥
郑兴
许艾斯
彭婧
华珊珊
刘羽
范宇河
唐文韬
何澍
申军利
常优
王悦
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Events
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202011226055.6A
Publication of CN114531258A
Application granted
Publication of CN114531258B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

The invention discloses a method and a device for processing network attack behaviors, a storage medium and electronic equipment. The method comprises the following steps: acquiring an access request to a target service system; under the condition that the access behavior is determined to be the network attack behavior and the target attack identification distributed for the source network protocol address is identified from the access request, the target address requested to be accessed by the access request is obtained, and the target attack identification is used for indicating that the source network protocol address executes the network attack behavior on the target service system; under the condition that the destination address is a decoy address constructed for the target service system, acquiring a behavior record obtained after the source network protocol address accesses the decoy address; and generating a behavior track of the network attack behavior of the source network protocol address according to the behavior record. The invention solves the technical problem of low network security caused by the fact that honeypots cannot be upgraded and modified in time.

Description

Network attack behavior processing method and device, storage medium and electronic equipment
Technical Field
The present invention relates to the field of computers, and in particular, to a method and an apparatus for processing a network attack behavior, a storage medium, and an electronic device.
Background
For some important computer systems running in the internet, many malicious subjects (such as attackers) often launch different attack behaviors to the important computer systems so as to try to acquire important running data or user information and the like.
In order to overcome the above problems, an alternative approach commonly used at present is to adopt the conventional honeypot technology to confuse the malicious subject who initiates the attack behavior, so as to induce the malicious subject to attack the counterfeit honeypot, thereby facilitating the defense to clearly understand the security threat to be faced, so as to enhance the security protection capability of the important computer system. The traditional honeypot technology is a cheating system containing a bug, and provides an easily attacked target for an attacker by simulating one or more vulnerable hosts in a real scene, wherein the target is a service forged by honeypots and does not have real business value.
However, honeypots in the conventional honeypot technology are generated through templates, and the framework and the content of the honeypots are fixed and unchangeable. Therefore, when the applied service system changes, the honeypot cannot be upgraded and modified in time, so that the honeypot cannot continue to confuse more network attack behaviors, and the network security is reduced.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides a method and a device for processing network attack behaviors, a storage medium and electronic equipment, which at least solve the technical problem of low network security caused by the fact that honeypots cannot be upgraded and modified in time.
According to an aspect of the embodiments of the present invention, a method for processing a network attack behavior is provided, including: acquiring an access request to a target service system, wherein the access request carries a source network protocol address requesting to execute an access behavior; under the condition that the access behavior is determined to be a network attack behavior and a target attack identifier distributed for the source network protocol address is identified from the access request, acquiring a destination address requested to be accessed by the access request, wherein the target attack identifier is used for indicating that the source network protocol address executes the network attack behavior on the target service system; when the destination address is a decoy address constructed for the target service system, acquiring a behavior record obtained after the source network protocol address accesses the decoy address, wherein the decoy address comprises a target vulnerability file constructed for the target service system, and the target vulnerability file is used for indicating the source network protocol address to access decoy data generated by simulating service data in the target service system; and generating a behavior track of the network attack behavior of the source network protocol address according to the behavior record.
According to another aspect of the embodiments of the present invention, there is further provided a device for processing a network attack behavior, including: a first obtaining unit, configured to obtain an access request for a target service system, where the access request carries a source network protocol address requesting to execute an access behavior; a second obtaining unit, configured to obtain a destination address requested to be accessed by the access request when it is determined that the access behavior is a network attack behavior and a target attack identifier allocated to the source network protocol address is identified from the access request, where the target attack identifier is used to indicate that the source network protocol address has performed a network attack behavior on the target service system; a third obtaining unit, configured to obtain a behavior record obtained after the source network protocol address accesses the decoy address when the destination address is a decoy address configured for the target service system, where the decoy address includes a target vulnerability file configured for the target service system, and the target vulnerability file is used to instruct the source network protocol address to access decoy data generated by simulating service data in the target service system; and the generating unit is used for generating a behavior track of the network attack behavior of the source network protocol address according to the behavior record.
According to another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium, in which a computer program is stored, where the computer program is configured to execute the above processing method of network attack behavior when running.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, including a memory and a processor, where the memory stores a computer program, and the processor is configured to execute the processing method of the network attack behavior by using the computer program.
In the embodiment of the present invention, when the access behavior of the obtained access request to the target service system is determined to be a network attack behavior, and a target attack identifier allocated to the source network protocol address (IP address for short) that triggers the access request is identified from the access request, the destination address of the access request is obtained. When the destination address is a decoy address constructed for the target service system, a behavior record obtained after the source IP address accesses the decoy address is acquired, and a behavior track of the network attack behavior of the source IP address is then generated based on the behavior record. That is to say, for different types of service systems, the target vulnerability file in the bait address can be directly modified, so that the honeypot used for attracting an attacker can be quickly adjusted and modified. Because the honeypot is no longer generated from a template, its framework and content can be upgraded and modified in time as the applied service system changes, thereby ensuring the network security of the service system and overcoming the problem in the related art that the network security of the service system cannot be ensured.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a schematic diagram of a network environment for an alternative network attack behavior processing method according to an embodiment of the present invention;
FIG. 2 is a flow chart of an alternative network attack behavior processing method according to an embodiment of the invention;
FIG. 3 is a schematic diagram of a system to which an alternative network attack behavior processing method is applied according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an alternative network attack behavior processing method according to an embodiment of the invention;
FIG. 5 is a schematic diagram of an alternative network attack behavior processing method according to an embodiment of the invention;
FIG. 6 is a schematic structural diagram of an alternative network attack behavior processing apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an alternative electronic device according to an embodiment of the invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that the following technical terms are referred to in the present embodiment, and the meanings thereof are as follows:
Honeypot: a computer system running on the internet that is designed primarily to attract and trap those who try to break into other people's computer systems. A honeypot system is a deception system containing vulnerabilities that provides an attacker with an easily attacked target by simulating one or more vulnerable hosts. The honeypot does not provide a truly valuable service to the outside world, so all access to the honeypot is considered suspicious. Another purpose of the honeypot is to delay the attacker's attack on the true target by letting the attacker spend time on the honeypot.
Command injection: specially constructed input (such as special characters and character string combinations) is passed to a Web application as parameters. Most such combinations are commands appended after closing off the original program statement, together with other abnormal command input combinations, and the operation required by the attacker is carried out by executing the injected command. The main cause is that the program does not carefully filter data input from outside, which allows a malicious attacker to intrude into the system.
Honeynet: a concept that developed gradually from honeypot technology, sometimes also referred to as a trap network. When multiple honeypots are connected together by a network, a large false service system is formed; some of the hosts are used to attract intrusion by attackers, and the intrusion process is monitored so that the attack behaviors of the attackers are collected on the one hand and the corresponding security protection strategies can be updated on the other. This kind of simulated network consisting of multiple honeypots is called a honeynet.
According to an aspect of the embodiments of the present invention, a method for processing a network attack behavior is provided, and optionally, as an optional implementation manner, the method for processing a network attack behavior may be applied, but not limited to, in a network architecture environment as shown in fig. 1, where the network architecture environment includes a user terminal 102, a network 104, a router 106, a switch 108, a honeynet 110, and a network 112 where a target service system is located. The user terminal 102 is configured to trigger an access behavior to a target service system, and the network 104 is configured to transmit interaction information, so as to implement an interaction process between network hardware devices. In addition, through the router 106 and the switch 108, the internally deployed honeynet 110 is mapped to a service port of the network 112 where the target service system is located, and an attacker is led into the honeynet in a disguised or learned manner to delay the attack behavior and delay the attack time.
It should be noted that, in this embodiment, a bait address of a target service system is deployed in the network environment, so that an attacker actively accesses the target vulnerability file in the bait address in the form of an access request, and is further attracted to actively acquire, based on the target vulnerability file, bait data generated by simulating the target service system. A behavior record of the access processing performed on the bait data is thereby obtained, the behavior characteristics of the attacker are captured, and the behavior track of the network attack behavior executed by the attacker is further acquired. The target vulnerability file is constructed in correspondence with the target business system. That is to say, in this embodiment, for different types of service systems, the target vulnerability file in the bait address can be directly modified, so that the honeypot used for attracting an attacker can be quickly adjusted and modified. Because the honeypot is no longer generated from a template, its framework and content can be updated and modified in time as the applied service system changes, thereby ensuring the network security of the service system and overcoming the problem in the related art that the network security of the service system cannot be ensured.
Optionally, in this embodiment, the user terminal 102 may be a terminal device configured with a target client, and may include but is not limited to at least one of the following: mobile phones (such as Android phones, iOS phones, etc.), notebook computers, tablet computers, palm computers, MID (Mobile Internet Devices), PAD, desktop computers, smart televisions, etc. The target client may be a video client, an instant messaging client, a browser client, an educational client, etc. The network 104 may include, but is not limited to, a wired network or a wireless network, where the wired network comprises a local area network, a metropolitan area network, and a wide area network, and the wireless network comprises Bluetooth, WIFI, and other networks that enable wireless communication. The honeynet 110 and the network 112 where the target service system is located may each be a single server, a server cluster composed of a plurality of servers, or a cloud server. The above is only an example, and this is not limited in this embodiment.
Optionally, as an optional implementation manner, as shown in fig. 2, the method for processing the network attack behavior includes:
S202, obtaining an access request to a target service system, wherein the access request carries a source network protocol address requesting to execute an access behavior;
S204, under the condition that the access behavior is determined to be a network attack behavior and a target attack identifier distributed for the source network protocol address is identified from the access request, obtaining a destination address requested to be accessed by the access request, wherein the target attack identifier is used for indicating that the source network protocol address executes the network attack behavior on the target service system;
S206, under the condition that the destination address is a decoy address constructed for the target service system, acquiring a behavior record obtained after the source network protocol address accesses the decoy address, wherein the decoy address comprises a target vulnerability file constructed for the target service system, and the target vulnerability file is used for indicating the source network protocol address to access decoy data generated by simulating service data in the target service system;
S208, generating a behavior track of the network attack behavior of the source network protocol address according to the behavior record.
Optionally, in this embodiment, the processing method of network attack behavior may be applied to different service systems, and the target vulnerability file in the bait address is directly modified and adjusted to be suitable for different online service systems in time, so that malicious network attacks on the real service system are reduced by actively attracting an attacker to interact with the bait data generated by the simulated online service system, thereby achieving the purpose of protecting the security of the service data in the service system. The service system herein may include, but is not limited to: an instant messaging service system (simulating user account information to obtain decoy data), a financial payment system (simulating user account information and transaction data to obtain decoy data), and the like. The above is an example, and the target service system to be protected in the network environment is not limited in this embodiment.
It should be noted that, by deploying the bait address of the target service system in the network environment, the attacker can actively access the target vulnerability file in the bait address in the form of an access request, and is then attracted to actively acquire the bait data generated for the target service system based on the target vulnerability file. A behavior record of the access processing performed on the bait data is thereby obtained, the behavior characteristics of the attacker are captured, and the behavior track of the network attack behavior executed by the attacker is further acquired. The target vulnerability file is constructed in correspondence with the target business system. That is to say, in this embodiment, for different types of service systems, the target vulnerability file in the bait address can be directly modified, so that the honeypot used for attracting an attacker can be quickly adjusted and modified. Because the honeypot is no longer generated from a template, its framework and content can be updated and modified in time as the applied service system changes, thereby ensuring the network security of the service system and overcoming the problem in the related art that the network security of the service system cannot be ensured.
For example, the above processing method of network attack behavior may be applied to, but not limited to, a processing system as shown in fig. 3, where the processing system may include: attack detection module 302, honeypot module 304, data processing module 306, and presentation module 308.
The attack detection module 302 includes an identifier module 3022, where the identifier module 3022 may store, but is not limited to, a regular expression for identifying a network attack behavior, where the regular expression carries target attack characters, such as malicious characters used for attacking service data in the target service system currently to be protected. If an attack behavior is detected, a unique attack identifier is allocated to the attack behavior.
Here, the honeypot module 304 includes a bait submodule 3042 and a scenario submodule 3044, where the bait submodule 3042 may, but is not limited to, entice an attacker (i.e., a source IP address that triggers an attack access behavior) in at least one of the following manners: 1) sensitive information (such as a bait address), for example a false IP address or port generated by simulating the target business system, is deployed on an open source website to attract the attacker to visit; 2) a specific Common Gateway Interface (CGI) is hijacked, and sensitive information is returned through the CGI when an attacker accesses it. The scenario submodule 3044 may be used for, but is not limited to, disguising a vulnerability file, so as to capture information about the attacker in the process or confuse the attacker into bypassing a restriction, thereby acquiring the behavior characteristics of more attackers. The scenario submodule 3044 herein may include, but is not limited to, 4 units: 1) a command injection vulnerability simulation unit for detecting command injection attacks; 2) an information acquisition unit for acquiring behavior information of the attacker; 3) a pseudo service unit for simulating service data in a counterfeit target business system; 4) a redirection unit for generating a redirected access according to the attacker's command injection attack.
Here, the data processing module (also referred to as the data cleaning and correlation module) 306 includes a log submodule 3062 and a clustering submodule 3064. The log submodule 3062 may be used for, but is not limited to, obtaining the behavior record generated in the above process. The clustering submodule 3064 may be, but is not limited to, configured to analyze and aggregate the behavior records in order to cluster them and form an analysis traceability report on the source IP address being tracked.
The presentation module 308 includes a console 3082, which may, but is not limited to, trigger a notification to the user that tracing has succeeded in the case that relevant information about the attacker has been traced. Meanwhile, unknown attacks detected during processing are analyzed, so that unknown vulnerabilities (such as 0day) and tracing alarms are displayed on a display interface. It should be noted that 0day is used in the related art to indicate a cracked version that appears after the software is released.
In the example shown in fig. 3, the structure is an optional structure in the present embodiment, and this is not limited in this embodiment.
Optionally, in this embodiment, the target attack identifier may be, but is not limited to, an attack history identifier generated using the source IP address. A unique attack identifier is allocated to a source IP address that initiates a network attack behavior in order to mark the source IP address as a malicious attack subject, and the attack identifier is added to the response returned to the source IP address so that the source IP address can be tracked continuously. However, the attacker may recognize the attack identifier used as the tag and actively remove it, or change the source IP address used for access in order to continue attacking. Therefore, in this embodiment, to avoid missing the identification, the unique identifier is checked: if the attack identifier is not recognized, a new unique identifier is generated again, and if the attack identifier is recognized, the honeypot luring operation continues.
Optionally, in this embodiment, the above-mentioned bait address may be, but is not limited to, a false address constructed according to the service data of the target service system to be protected, and when accessing the bait address, the attacker will not obtain real service data, but obtain the bait data generated in advance through simulation. Furthermore, based on the processing process of the attacking party on the bait data, the behavior characteristics of the attacking party can be further ascertained, the source IP address which is under the network attack is traced, and the attack path is timely determined.
Further, in the present embodiment, in the case where it is determined that the source IP address access is a decoy address, it is determined whether it is a command injection attack. If the injection command carries a monitoring interface (such as a rebound shell command), the target IP address specified by the attacker can be connected, and the bait data is continuously utilized to interact with the target IP address, so that the deception attacker is confused, and the purpose of delaying the attack time is achieved.
This is explained in particular with reference to the example shown in fig. 4. It is assumed that a user terminal (hereinafter simply referred to as the user) 402 and an attacker terminal (hereinafter simply referred to as the attacker) 404 access normal services (services in the target service system) through a network 406, a router 408 and a switch 410.
In step S402, the traffic accessing the normal services is split off and the TCP packets are reassembled to produce HTTP traffic. The attack detection module 412 then analyzes whether the traffic contains an attack behavior, whether spoofing confusion using the honeypot of the present embodiment is required, and the like. For example, simple regular matching is carried out on the content to determine whether an attack behavior exists.
In case it is determined that there is an attack, as shown in step S404, a unique identifier is generated for the source IP address requested to be accessed, and the unique identifier is injected to the client of the attacker through a bypass packet (as shown in step S406-2). And sends a Reset packet to the server side (step S406-1 shown in the figure), blocking the connection.
After marking, if an attack is detected, the attacker is attracted to a decoy address (a simulated legitimate-looking or false page) by redirecting or leaking some information such as error reports, as in step S408.
In step S410, if luring the attacker fails, the attacker's trace can still be known from the injected mark, and offline calculation on the attacker can be performed from the behavior log (i.e., the behavior record), so as to check whether the attacker has other attack behaviors according to the calculation result.
In step S412, if the attacker is successfully attracted, the attacker can continue to be deceived through script simulation, so that the attack is delayed and even relevant information about the attacker is captured.
If a reverse shell command is added to the attacker's command injection, a terminal similar to the target service system is simulated at the back end and connected to the specified IP address, so that the attacker continues to be deceived by the simulated data of the target service system, as shown in steps S414-S416.
Further as shown in steps S418-S424, a behavior record of the behavior may be obtained and saved (e.g., logged) in the background, and the data may be used for performing a tracing calculation. And generating a tracing report of the source IP address corresponding to the attacker by adding auxiliary calculation of the security personnel 420, and displaying the result on a display interface.
Fig. 4 illustrates an alternative exemplary process, which is not limited in this embodiment.
According to the embodiment provided by the application, the target vulnerability files of different types of service systems in the bait addresses can be directly modified, the honeypots used for attracting an attacker to attack can be rapidly adjusted and modified, and the honeypots are not generated by using templates, so that the framework and the content of the honeypots can be updated and modified in time along with the change of the applied service systems, the network security of the service systems is guaranteed, and the problem that the network security of the service systems cannot be guaranteed in the related technology is solved.
As an alternative, in the case where the destination address is a decoy address constructed for the target service system, obtaining the behavior record produced after the source network protocol address accesses the decoy address includes:
S1, acquiring the access parameters carried in the access request;
S2, in the case where the access parameters do not contain the access identification parameter configured in advance, informing the source network protocol address that the access content cannot be acquired;
S3, in the case where the access request contains the access identification parameter and the parameter value of the access identification parameter is a target value, providing the corresponding target decoy data to the source network protocol address;
S4, acquiring the behavior record generated when the source network protocol address processes the target decoy data.
Optionally, in this embodiment, the access identification parameter may include, but is not limited to, one of the following: a command prompt parameter CMD, an ID, or an IP. Other parameters may also be set; this is only an example and is not limited in this embodiment.
For example, when the source IP address is determined to be accessing the decoy address corresponding to the target vulnerability file, it is checked whether the access request from the source IP address carries the access identification parameter, such as the command prompt parameter CMD. If the access identification parameter is absent, an error report is returned prompting that the parameter value of CMD cannot be obtained. If the access identification parameter is present, a command injection attack can then be detected.
According to the embodiment provided by the application, by configuring the access identification parameter, the honeypot discloses the access identification parameter to the attacker but does not disclose its specific parameter value, so that the attacker is trapped in continuous testing and the purpose of delaying the attack is achieved.
As an optional solution, in the case where the access request contains the access identification parameter and the parameter value of the access identification parameter is the target value, providing the corresponding target decoy data to the source network protocol address includes: in the case where the parameter value of the access identification parameter is the target value, extracting the command information contained in the access identification parameter, where the target value indicates that the access behavior is a command injection attack behavior; and providing the target decoy data to the source network protocol address according to the command information.
Optionally, in this embodiment, after obtaining the access parameters carried in the access request, the method further includes: in the case where the parameter value of the access identification parameter is not the target value (i.e., indicates that the access behavior is not a command injection attack), returning a default command response to the source network protocol address.
It should be noted that, in this embodiment, the parameter value of the access identification parameter may be, but is not limited to, a behavior type identifier indicating whether an attacker's access request carries a command injection attack. That is, when the access request does not carry the access identification parameter, or the parameter value of the carried access identification parameter is not the target value, the current access request is not a command injection attack, and a default command response, such as the output of an id command, is returned to the attacker so that the attacker mistakes the file for a hidden test file. When the parameter value of the carried access identification parameter is the target value, the current access request is a command injection attack behavior, and the special characters injected together with the command are extracted to analyze the attack behavior.
Optionally, in this embodiment, providing the target decoy data to the source network protocol address according to the command information includes: establishing a communication link between a simulated terminal and the target network protocol address associated with the listening interface carried in the command information, and providing the target decoy data through the communication link.
It should be noted that the listening interface above may be, but is not limited to, one specified by a bounce (reverse) shell command appended to the injected command through special characters; such a command directs the accessed host to connect to a specified target IP address so that more important service information is leaked. To avoid this problem, in the honeypot provided in this embodiment a simulated terminal that imitates the target service system is configured at the back end, and the connection to the target IP address specified by the bounce shell is made from the simulated terminal using fake service data (e.g., decoy data) constructed there.
According to the embodiment provided by the application, whether the network attack behavior of the source IP address sending the access request is a command injection attack behavior is determined from the parameter value of the access identification parameter. When it is determined to be a command injection attack behavior, the injected command information is extracted and the maliciously added special characters in it are identified, so that corresponding deception processing is performed on the command information. Further, when the command of the command injection attack also carries a listening interface, a terminal is simulated at the back end so that the deception can be completed using the simulated terminal.
As an optional scheme, after obtaining the access request to the target service system, the method further includes:
S1, comparing the access request with a regular expression carrying target attack characters;
S2, determining that the access behavior corresponding to the access request is a network attack behavior in the case where the comparison result indicates that the access request carries the target attack characters.
According to the embodiment provided by the application, when an access request to the target service system is obtained, the access request is compared with a regular expression carrying the target attack characters, so that the service data flow is pre-filtered with the regular expression: non-attack behaviors are granted normal access, the amount of data the honeypot has to process is reduced, and the processing efficiency for network attack behaviors is improved.
As an optional solution, after obtaining the access request to the target service system, the method includes:
S1, identifying an attack type identifier in the access request;
S2, in the case where no attack type identifier is identified in the access request, generating a target attack identifier based on the source network protocol address, and adding the target attack identifier to the access response information corresponding to the access request;
S3, in the case where an attack type identifier is identified in the access request, obtaining the locally stored target attack identifier allocated to the source network protocol address in advance and comparing the attack type identifier with it. If the comparison result indicates that the attack type identifier matches the target attack identifier, the target attack identifier is determined to have been identified from the access request. If the comparison result indicates that they do not match, the target attack identifier is regenerated based on the source network protocol address to obtain an updated target attack identifier, which is stored and added to the access response information corresponding to the access request.
Optionally, in this embodiment, the manner of regenerating the target attack identifier based on the source network protocol address may include, but is not limited to, a salted hashing (salt encryption) manner, such as adding some special characters (a "salt") to the source IP address and then applying an irreversible hash to enhance its security. The special characters may be, but are not limited to, an MD5 value associated with the access request. This is only an example and is not limited in this embodiment.
According to the embodiment provided by the application, a unique attack identifier is allocated to the source IP address of the access request so as to track the source IP address accurately. This makes it convenient to obtain the behavior record of the source IP address and, further, to analyze and ascertain the attacker's attack characteristics so as to prevent the target service system from receiving similar attacks.
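The regular-expression pre-filter of steps S1-S2 above and the identifier allocation and verification of the steps S1-S3 just described, as an added example in Python that is not part of the patent; the cookie name tid, the random salt, the SHA-256 hash and the illustrative attack-character set are assumptions of the example.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed pre-filter: a regular expression carrying "target attack characters".
# The character set is illustrative; a deployment maintains its own list.
TARGET_ATTACK_CHARS = re.compile(
    r"(\.\./|%2e%2e|;|\||`|\$\(|<script|union\s+select|/etc/passwd)", re.IGNORECASE
)


def is_attack_request(path: str, query: str, body: str = "") -> bool:
    """Pre-filter steps S1-S2: any access request carrying a target attack character
    is classified as a network attack behavior; all other requests are treated as
    normal access and never reach the honeypot logic."""
    return any(TARGET_ATTACK_CHARS.search(part) for part in (path, query, body))


COOKIE_NAME = "tid"  # hypothetical cookie name carrying the target attack identifier


@dataclass
class AttackIdRegistry:
    """Allocates and verifies the target attack identifier of a source IP address.

    The identifier is an irreversible hash of a random salt, the source IP and the
    User-Agent; the salt is stored only on the server side, so a client cannot forge
    a valid identifier. Salt and hash choice are assumptions of this example."""
    store: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # ip -> (salt, id)

    @staticmethod
    def _derive(source_ip: str, user_agent: str, salt: str) -> str:
        return hashlib.sha256(f"{salt}|{source_ip}|{user_agent}".encode()).hexdigest()

    def allocate(self, source_ip: str, user_agent: str) -> str:
        """Generate (or regenerate) the identifier for a source IP and store it locally."""
        salt = secrets.token_hex(8)
        ident = self._derive(source_ip, user_agent, salt)
        self.store[source_ip] = (salt, ident)
        return ident

    def process(self, source_ip: str, user_agent: str,
                cookies: Dict[str, str]) -> Tuple[str, bool, Optional[str]]:
        """Steps S1-S3: returns (identifier, recognized, Set-Cookie value or None).

        recognized is True only when the request carries the identifier previously
        allocated to this source IP; otherwise a fresh identifier is allocated and
        must be injected into the access response."""
        carried = cookies.get(COOKIE_NAME)
        stored = self.store.get(source_ip)
        if (carried is not None and stored is not None
                and hmac.compare_digest(stored[1].encode(), carried.encode())):
            return carried, True, None
        ident = self.allocate(source_ip, user_agent)
        return ident, False, f"{COOKIE_NAME}={ident}; HttpOnly"
```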
As an optional scheme, before obtaining the access request to the target service system, at least one of the following is further included:
1) Deploying sensitive information containing the decoy address on a target platform, where the target platform has no access restrictions configured;
2) Hijacking a target general-purpose interface associated with the target service system; in the case where the access behavior accesses the target general-purpose interface, returning sensitive information containing the decoy address to the source network protocol address.
Optionally, in this embodiment, the sensitive information may be, but is not limited to, an IP address or port number forged for the honeypot, etc., to entice an attacker into an access attack. The sensitive information may be deployed on an open platform without restriction so that an attacker can obtain it conveniently. The specific content of the sensitive information is not limited in this embodiment.
With the embodiment provided by the application, the sensitive information is deployed directly on an open target platform without applying for additional host resources, so that the deployment of the honeypot is simplified.
As an optional solution, generating a behavior trace of the network attack behavior of the source network protocol address according to the behavior record includes:
S1, extracting the access behavior attribute information of the source network protocol address in a target time period from the behavior record, where the access behavior attribute information includes: access time, access path, and access frequency to the same address;
S2, tracing the network attack behavior triggered by the source network protocol address according to the access behavior attribute information to generate the behavior track.
With the embodiment provided by the application, once the behavior record of the source IP address (the attacker) has been obtained in the above manner, the attack behavior characteristics of the source IP address can be analyzed from the access behavior attribute information of the access behaviors it executed in the target time period. The network attack behavior is then tracked and traced based on these characteristics, so that a behavior track is obtained conveniently and the network attack behavior can be intercepted or blocked comprehensively.
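The attribute extraction and track generation of steps S1-S2, as an added example in Python rather than the patent's own code; the record layout and the verdict strings in the constructed log are assumptions of the example.

```python
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed behavior records, one per honeypot decision (what steps S418-S424 log).
# Layout assumed by this example: (source IP, access time in UTC, access path, verdict).
SAMPLE_RECORDS: List[Tuple[str, str, str, str]] = [
    ("203.0.113.5", "2020-11-05T10:00:01Z", "/admin/.bak/config.php", "decoy-page"),
    ("203.0.113.5", "2020-11-05T10:00:09Z", "/admin/.bak/test.php", "missing-parameter"),
    ("203.0.113.5", "2020-11-05T10:00:15Z", "/admin/.bak/test.php", "no-injection-default"),
    ("198.51.100.9", "2020-11-05T10:00:20Z", "/", "normal"),
    ("203.0.113.5", "2020-11-05T10:00:31Z", "/admin/.bak/test.php", "known-command:whoami"),
    ("203.0.113.5", "2020-11-05T12:30:00Z", "/admin/.bak/test.php", "unknown-command"),
]


def parse_time(stamp: str) -> datetime:
    """Parse the UTC timestamp format used in the constructed records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_attributes(records, source_ip: str, start: datetime, end: datetime) -> Dict:
    """Step S1: access behavior attribute information of one source IP in the target
    time period [start, end): access times, access paths, per-address frequency and
    the gaps between consecutive accesses."""
    hits = sorted((r for r in records
                   if r[0] == source_ip and start <= parse_time(r[1]) < end),
                  key=lambda r: r[1])
    times = [parse_time(r[1]) for r in hits]
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return {
        "access_times": [r[1] for r in hits],
        "access_paths": [r[2] for r in hits],
        "verdicts": [r[3] for r in hits],
        "frequency_per_address": dict(Counter(r[2] for r in hits)),
        "seconds_between_accesses": gaps,
    }


def generate_trace(records, source_ip: str, start: datetime, end: datetime) -> Dict:
    """Step S2: order the accesses in time and summarise them into a behavior track,
    noting whether the attacker escalated to the command-injection stage."""
    attrs = extract_attributes(records, source_ip, start, end)
    steps = [f"{t} {p} -> {v}" for t, p, v in
             zip(attrs["access_times"], attrs["access_paths"], attrs["verdicts"])]
    freq = attrs["frequency_per_address"]
    most_visited = max(freq.items(), key=lambda kv: kv[1]) if freq else (None, 0)
    escalated = any(v.startswith("known-command") or v == "reverse-shell-handoff"
                    for v in attrs["verdicts"])
    return {"source_ip": source_ip, "steps": steps, "most_visited": most_visited,
            "escalated": escalated, "attribute_info": attrs}
```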
The description is made with reference to the example shown in fig. 5:
S502, acquiring the request flow;
S504, judging whether the access request currently to be processed in the request flow (the request carries the source IP address that triggered the access behavior) has a unique identifier (such as a cookie parameter). If not, step S506-1 is executed: a unique identifier is generated and allocated to the access request, stored, and written to the log. If yes, it is judged through data association whether the identifier generated for the source IP address is the same as the identifier carried in the currently received access request. If not, the generated identifier (for example, produced by a hash function from at least one specific input parameter such as the IP address or the user-agent) is injected into the response packet of the access request. If so, step S506-2 is executed.
S506-2, judging whether the access request accesses the decoy page. If not, the log is written in step S508-1; if yes, step S508-2 is executed.
S508-2, judging whether the access request accesses the decoy directory in the decoy page (namely the decoy address indicated by the target vulnerability file). If the decoy directory is not accessed, HTTP status code 200 is returned with the normal page content in step S510-1. If the path containing the vulnerability file is accessed, that path is returned, and it is judged whether the access request carries the unique identifier when the attacker accesses the path containing the vulnerability file. If the identifier is not carried, a new identifier is generated and injected into the HTTP response header, and the HTTP response body is emptied so that the attacker cannot access the content; if the identifier is carried, step S510-2 is executed.
S510-2, judging whether the specified parameters (such as cmd, id and ip) are carried in the data. If the specified parameters are not carried, step S512-1 is executed and an error report is returned prompting that the parameter value of cmd cannot be obtained (i.e., a parameter-missing error). If the specified parameters are carried, step S512-2 is executed.
S512-2, judging whether the specified parameters carry the type identifier of a command injection attack. If there is no command injection type identifier (for example, non-aggressive behavior, or aggressive behavior that is not of the command injection type), a default value is returned in step S514-1, that is, the response of a default id command. If the command injection type identifier is present, the command information carried in it is extracted in step S514-2; whether the command is a known command is determined in step S516; and, if it is a known command, the response content of the command is obtained in step S518 (for example, the command may be id, whoami, cat, head, uname, history, less, etc., and does not include script interpreters such as python, php, sh, etc.).
S520, judging whether the injected command carries a bounce (reverse) shell command. If it does not, step S522-1 is executed and an "unrecognized" response is returned. If it does, step S522-2 is executed: the target IP address specified in the command injection is connected through the simulated terminal for interaction, and decoy data is provided to that target IP address to capture attacker information. The communication connection may be, but is not limited to, kept open for a certain period of time (e.g., 10 s) and then disconnected to ensure information security.
The example shown in fig. 5 is an optional embodiment; the means and execution sequence involved are not limited in this embodiment.
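The decision chain of steps S508-2 to S522 for a request that has already reached the decoy directory, as an added Python example that is not the patent's own code; the canned command outputs, the use of a shell separator as the command injection type identifier, and the reverse shell indicators are assumptions of the example. The simulated terminal connection of step S522-2 is represented only by the listener address handed off for it; nothing the attacker sends is executed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed canned outputs for the known commands of step S518. They are fake
# values served by the decoy; the honeypot never runs the attacker's command.
KNOWN_COMMAND_RESPONSES: Dict[str, str] = {
    "id": "uid=1001(svc) gid=1001(svc) groups=1001(svc)",
    "whoami": "svc",
    "uname": "Linux app-01 4.19.0 #1 SMP x86_64 GNU/Linux",
    "cat": "db_host=10.0.0.12\ndb_user=svc_ro\n",   # same decoy file for any argument
    "head": "db_host=10.0.0.12\n",
    "less": "db_host=10.0.0.12\n",
    "history": "    1  ls\n    2  cat config.ini\n",
}
# Script interpreters are deliberately outside the known-command set (step S518).
SCRIPT_INTERPRETERS = {"python", "python3", "php", "sh", "bash", "perl"}
# Assumption of this example: the "type identifier of command injection" is the
# presence of a shell separator through which a command is appended to the value.
INJECTION_SEPARATOR = re.compile(r";|\|\||&&|\||`|\$\(")
# Assumed indicators that the injected command tries to open a bounce (reverse) shell.
REVERSE_SHELL_HINT = re.compile(r"/dev/tcp/|\bnc\b")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ACCESS_ID_PARAMS = ("cmd", "id", "ip")   # the specified parameters of step S510-2


@dataclass
class Decision:
    status: int                       # HTTP status code returned to the attacker
    body: str                         # decoy response body
    verdict: str                      # what the honeypot concluded (goes to the log)
    handoff_ip: Optional[str] = None  # listener the simulated terminal should dial


def _record(log: List[dict], params: Dict[str, str], decision: Decision) -> Decision:
    """Steps S418-S424: every decision becomes a behavior record for later tracing."""
    log.append({"time": datetime.now(timezone.utc).isoformat(),
                "params": dict(params), "verdict": decision.verdict,
                "handoff_ip": decision.handoff_ip})
    return decision


def handle_decoy_request(params: Dict[str, str], has_identifier: bool,
                         log: List[dict]) -> Decision:
    """Steps S508-2 to S522 for a request that already targets the decoy directory."""
    if not has_identifier:
        # S508-2: identifier missing -> inject one in the response header, empty body
        return _record(log, params, Decision(200, "", "no-identifier"))
    if not any(p in params for p in ACCESS_ID_PARAMS):
        # S512-1: error report, the parameter value of cmd cannot be obtained
        return _record(log, params, Decision(
            400, "error: parameter value of cmd cannot be obtained", "missing-parameter"))
    value = params.get("cmd", "")
    parts = INJECTION_SEPARATOR.split(value, maxsplit=1)
    if len(parts) < 2:
        # S514-1: no command-injection type identifier -> default id command response
        return _record(log, params, Decision(
            200, KNOWN_COMMAND_RESPONSES["id"], "no-injection-default"))
    injected = parts[1].strip().rstrip(")`").strip()   # S514-2: extract the command
    if REVERSE_SHELL_HINT.search(injected):
        # S520/S522-2: hand the listener address to the simulated terminal (not shown)
        match = IPV4.search(injected)
        return _record(log, params, Decision(
            200, "", "reverse-shell-handoff", match.group(0) if match else None))
    tokens = injected.split()
    name = tokens[0] if tokens else ""
    if name in SCRIPT_INTERPRETERS or name not in KNOWN_COMMAND_RESPONSES:
        # S516/S522-1: not a known command -> "unrecognized" response
        return _record(log, params, Decision(
            200, f"{name}: command not recognized", "unknown-command"))
    # S518: known command -> canned decoy output
    return _record(log, params, Decision(
        200, KNOWN_COMMAND_RESPONSES[name], f"known-command:{name}"))
```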
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art will appreciate that the embodiments described in this specification are presently preferred and that no acts or modules are required by the invention.
According to another aspect of the embodiment of the present invention, there is also provided a network attack behavior processing apparatus for implementing the network attack behavior processing method. As shown in fig. 6, the apparatus includes:
1) A first obtaining unit 602, configured to obtain an access request to a target service system, where the access request carries a source network protocol address requesting to execute an access behavior;
2) A second obtaining unit 604, configured to obtain a destination address requested to be accessed by the access request when it is determined that the access behavior is a network attack behavior and a target attack identifier allocated to the source network protocol address is identified from the access request, where the target attack identifier is used to indicate that the source network protocol address has executed a network attack behavior on the target service system;
3) A third obtaining unit 606, configured to obtain, when the destination address is a bait address constructed for the target service system, a behavior record obtained after the source network protocol address accesses the bait address, where the bait address includes a target vulnerability file constructed for the target service system, and the target vulnerability file is used to indicate that the source network protocol address accesses decoy data generated by simulating service data in the target service system;
4) The generating unit 608 is configured to generate a behavior trace of the network attack behavior of the source network protocol address according to the behavior record.
Optionally, in this embodiment, the processing apparatus for network attack behavior may be applied to, but not limited to, different service systems, and the target vulnerability file in the bait address is directly modified and adjusted to be suitable for different online service systems in time, so as to reduce malicious network attacks on a real service system by actively attracting an attacker to interact with the bait data generated by the simulated online service system, thereby achieving the purpose of protecting the security of the service data in the service system. The service system herein may include, but is not limited to: an instant messaging service system (simulating user account information to obtain bait data), a financial payment system (simulating user account information and transaction data to obtain bait data), and the like. The above is an example, and the target service system to be protected in the network environment is not limited in this embodiment.
For specific embodiments, reference may be made to the above method examples, which are not described herein again.
According to another aspect of the embodiment of the present invention, there is further provided an electronic device for implementing the network attack behavior processing method, where the electronic device may be illustrated as an example by a server shown in fig. 1. As shown in fig. 7, the electronic device comprises a memory 702 and a processor 704, the memory 702 having stored therein a computer program, the processor 704 being arranged to perform the steps of any of the above-described method embodiments by means of the computer program.
Optionally, in this embodiment, the electronic device may be located in at least one network device of a plurality of network devices of a computer network.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
s1, acquiring an access request to a target service system, wherein the access request carries a source network protocol address requesting to execute an access behavior;
s2, under the condition that the access behavior is determined to be a network attack behavior and a target attack identifier distributed for a source network protocol address is identified from the access request, a destination address requested to be accessed by the access request is obtained, wherein the target attack identifier is used for indicating that the source network protocol address executes the network attack behavior on a target service system;
s3, under the condition that the destination address is a decoy address constructed for the target service system, acquiring a behavior record obtained after the source network protocol address accesses the decoy address, wherein the decoy address comprises a target vulnerability file constructed for the target service system, and the target vulnerability file is used for indicating the source network protocol address to access decoy data generated by simulating service data in the target service system;
and S4, generating a behavior track of the network attack behavior of the source network protocol address according to the behavior record.
Alternatively, it can be understood by those skilled in the art that the structure shown in fig. 7 is only an illustration, and the electronic device may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 7 is a diagram illustrating a structure of the electronic device. For example, the electronics may also include more or fewer components (e.g., network interfaces, etc.) than shown in FIG. 7, or have a different configuration than shown in FIG. 7.
The memory 702 may be configured to store software programs and modules, such as program instructions/modules corresponding to the method and apparatus for processing network attack behaviors in the embodiment of the present invention, and the processor 704 executes various functional applications and data processing by running the software programs and modules stored in the memory 702, that is, implements the above-described method for processing network attack behaviors. The memory 702 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 702 can further include memory located remotely from the processor 704, which can be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof. The memory 702 may be, but not limited to, specifically configured to store behavior records of the source IP address, and information such as bait data. As an example, as shown in fig. 7, the memory 702 may include, but is not limited to, a first obtaining unit 602, a second obtaining unit 604, a third obtaining unit 606, and a generating unit 608 in the processing apparatus of the network attack behavior. In addition, the network attack behavior processing apparatus may further include, but is not limited to, other module units in the network attack behavior processing apparatus, which is not described in this example again.
Optionally, the transmission device 706 is used to receive or send data via a network. Examples of the network may include wired and wireless networks. In one example, the transmission device 706 includes a network interface card (NIC), which can be connected to a router via a network cable and other network devices to communicate with the internet or a local area network. In one example, the transmission device 706 is a radio frequency (RF) module used to communicate wirelessly with the internet.
In addition, the electronic device further includes: a display 708 for displaying the behavior trace obtained by the analysis; and a connection bus 710 for connecting the respective module parts in the above-described electronic apparatus.
In other embodiments, the terminal device or the server may be a node in a distributed system, where the distributed system may be a blockchain system, and the blockchain system may be a distributed system formed by connecting a plurality of nodes through a network communication. The nodes may form a Peer-To-Peer (P2P) network, and any type of computing device, such as a server, a terminal, and other electronic devices, may become a node in the blockchain system by joining the Peer-To-Peer network.
According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions, the computer instructions being stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium, and the processor executes the computer instructions, so that the computer device executes the processing method of the network attack behavior. Wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
Alternatively, in the present embodiment, the above-mentioned computer-readable storage medium may be configured to store a computer program for executing the steps of:
s1, acquiring an access request to a target service system, wherein the access request carries a source network protocol address requesting to execute an access behavior;
s2, under the condition that the access behavior is determined to be a network attack behavior and a target attack identifier distributed for a source network protocol address is identified from the access request, a destination address requested to be accessed by the access request is obtained, wherein the target attack identifier is used for indicating that the source network protocol address executes the network attack behavior on a target service system;
s3, under the condition that the destination address is a bait address constructed for the target service system, acquiring a behavior record obtained after the source network protocol address accesses the bait address, wherein the bait address comprises a target vulnerability file constructed for the target service system, and the target vulnerability file is used for indicating the source network protocol address to access bait data generated by simulating service data in the target service system;
and S4, generating a behavior track of the network attack behavior of the source network protocol address according to the behavior record.
Alternatively, in this embodiment, a person skilled in the art may understand that all or part of the steps in the methods of the foregoing embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, read-only memories (ROMs), random access memories (RAMs), magnetic or optical disks, and the like.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing one or more computer devices (which may be personal computers, servers, network devices, etc.) to execute all or part of the steps of the method according to the embodiments of the present invention.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed coupling or direct coupling or communication connection between each other may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or in other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and amendments can be made without departing from the principle of the present invention, and these modifications and amendments should also be considered as the protection scope of the present invention.

Claims (11)

1. A method for processing network attack behaviors is characterized by comprising the following steps:
acquiring an access request to a target service system, wherein the access request carries a source network protocol address requesting to execute an access behavior;
under the condition that the access behavior is determined to be a network attack behavior and a target attack identifier distributed to the source network protocol address is identified from the access request, acquiring a destination address requested to be accessed by the access request, wherein the target attack identifier is used for indicating that the source network protocol address executes the network attack behavior on the target service system;
under the condition that the destination address is a decoy address constructed for the target service system, acquiring access parameters carried in the access request, wherein the decoy address comprises a target vulnerability file constructed for the target service system, and the target vulnerability file is used for indicating the source network protocol address to access decoy data generated by simulating service data in the target service system;
under the condition that the access parameters do not contain the access identification parameter configured in advance, informing the source network protocol address that the access content cannot be acquired;
providing corresponding target decoy data to the source network protocol address under the condition that the access request contains the access identification parameter and the parameter value of the access identification parameter is a target value;
acquiring a behavior record generated when the source network protocol address processes the target decoy data;
and generating a behavior track of the network attack behavior of the source network protocol address according to the behavior record.
2. The method of claim 1, wherein, in the case that the access identification parameter is included in the access request and a parameter value of the access identification parameter is a target value, providing corresponding object decoy data to the source network protocol address comprises:
under the condition that the parameter value of the access identification parameter is the target value, extracting command information contained in the access identification parameter, wherein the target value indicates that the access behavior is a command injection attack behavior; and providing the object decoy data to the source network protocol address according to the command information.
3. The method of claim 2, wherein providing the object decoy data to the source network protocol address in accordance with the command information comprises:
and under the condition that the command information carries a monitoring interface, constructing a simulation terminal by using the associated data of the service data in the target service system, establishing a communication link between the simulation terminal and a target network protocol address associated with the monitoring interface, and providing the object decoy data through the communication link.
4. The method according to claim 2, further comprising, after the obtaining the access parameter carried in the access request:
returning a default command response to the source network protocol address under the condition that the parameter value of the access identification parameter is not the target value.
5. The method of claim 1, further comprising, after said obtaining the access request to the target service system:
comparing the access request with a regular expression carrying target attack characters;
and determining that the access behavior corresponding to the access request is a network attack behavior under the condition that the comparison result indicates that the access request carries the target attack character.
6. The method of claim 1, further comprising, after said obtaining the access request to the target service system:
identifying an attack class identifier in the access request;
under the condition that no attack class identifier is identified in the access request, generating the target attack identifier based on the source network protocol address, and adding the target attack identifier to access response information corresponding to the access request;
under the condition that the attack class identifier is identified in the access request, obtaining the locally stored target attack identifier allocated in advance to the source network protocol address; comparing the attack class identifier with the target attack identifier; determining that the target attack identifier is identified from the access request under the condition that the comparison result indicates that the attack class identifier matches the target attack identifier; under the condition that the comparison result indicates that the attack class identifier does not match the target attack identifier, regenerating the target attack identifier based on the source network protocol address to obtain an updated target attack identifier; and storing the updated target attack identifier, and adding the updated target attack identifier to the access response information corresponding to the access request.
7. The method of any of claims 1 to 6, further comprising, prior to said obtaining the access request to the target service system, at least one of:
deploying sensitive information containing the decoy address in a target platform, wherein the target platform is a platform to which no access right is granted;
hijacking a target general interface associated with the target service system, and, in the event that the access behavior accesses the target general interface, returning sensitive information including the decoy address to the source network protocol address.
8. The method of any one of claims 1 to 6, wherein generating a behavior trace of a network attack behavior of the source network protocol address from the behavior record comprises:
extracting access behavior attribute information of the source network protocol address in a target time period from the behavior record, wherein the access behavior attribute information comprises: access time, access path and access frequency to the same address;
and tracking and tracing the network attack behavior triggered by the source network protocol address according to the access behavior attribute information to generate the behavior track.
9. A network attack behavior processing apparatus, comprising:
a first obtaining unit, configured to obtain an access request to a target service system, where the access request carries a source network protocol address requesting to execute an access behavior;
a second obtaining unit, configured to obtain a destination address requested to be accessed by the access request when it is determined that the access behavior is a network attack behavior and a target attack identifier allocated to the source network protocol address is identified from the access request, where the target attack identifier is used to indicate that the source network protocol address has executed a network attack behavior on the target service system;
the device is further configured to, when the destination address is a decoy address constructed for the target service system, obtain an access parameter carried in the access request, where the decoy address includes a target vulnerability file constructed for the target service system, and the target vulnerability file is used to instruct the source network protocol address to access decoy data generated by simulating service data in the target service system;
the device is further configured to notify that the source network protocol address cannot acquire access content when the access parameter does not include a preconfigured access identification parameter;
the device is further configured to provide corresponding object decoy data to the source network protocol address when the access request includes the access identification parameter and a parameter value of the access identification parameter is a target value;
the device is further configured to acquire a behavior record generated when the source network protocol address processes the object decoy data;
and the generating unit is used for generating a behavior track of the network attack behavior of the source network protocol address according to the behavior record.
10. A computer-readable storage medium, comprising a stored program, wherein the program when executed performs the method of any one of claims 1 to 8.
11. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the method of any of claims 1 to 8 by means of the computer program.
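The request-handling procedure of claims 1 to 8 (attack detection by regular expression, per-address attack identifier, decoy address with a pre-configured access identification parameter, default command response versus object decoy data, and a behavior track built from the record) as an added Python sketch; this is not the patent's or Tencent's own implementation. The decoy path, the `tk` parameter and its "<target value>:<command info>" layout, the HMAC-based identifier and the regular expression are assumptions chosen for the demo.

```python
import hashlib
import hmac
import re
from collections import Counter, defaultdict

# Constructed demo values (not from the patent): decoy path, pre-configured access
# identification parameter and its target value, and a server-side key for tagging.
DECOY_PATH = "/backup/config_bak.php"
ACCESS_ID_PARAM = "tk"
TARGET_VALUE = "cmd"
SERVER_KEY = b"constructed-demo-key"
ATTACK_CHARS = re.compile(r"\.\./|;\s*\w|\|\s*\w")  # "target attack characters" (claim 5), assumed

def attack_identifier(src_ip, n):
    """Target attack identifier for a source address (claim 6): keyed HMAC over address and generation n."""
    return hmac.new(SERVER_KEY, f"{src_ip}#{n}".encode(), hashlib.sha256).hexdigest()[:16]

def decoy_data(command):
    """Object decoy data: simulated service data, never the output of a real command."""
    return "app.conf  db_backup.sql  users.csv" if command.startswith("ls") else ""

class DecoyHandler:
    def __init__(self):
        self.tags, self.gen, self.records = {}, Counter(), defaultdict(list)  # per source address

    def handle(self, req):
        src, path, params, now = req["src"], req["path"], req["params"], req["time"]
        if not ATTACK_CHARS.search(path + " " + " ".join(params.values())):
            return {"status": 200, "body": "ok"}            # not an attack: serve normally
        if req.get("tag", "") != self.tags.get(src):        # identifier absent or mismatched
            self.gen[src] += 1                              # (re)generate and return it in the response
            self.tags[src] = attack_identifier(src, self.gen[src])
            return {"status": 200, "body": "ok", "set_tag": self.tags[src]}
        if path != DECOY_PATH:
            return {"status": 200, "body": "ok"}
        self.records[src].append((now, path))               # behavior record for the track
        value = params.get(ACCESS_ID_PARAM)
        if value is None:
            return {"status": 404, "body": "content unavailable"}
        kind, _, command = value.partition(":")             # assumed layout "<target value>:<command info>"
        if kind != TARGET_VALUE:
            return {"status": 200, "body": "default command response"}   # claim 4
        return {"status": 200, "body": decoy_data(command)}               # claim 2

    def behavior_track(self, src, start, end):
        """Access time, path and frequency to the same address within a target time period (claim 8)."""
        hits = [(t, p) for t, p in self.records[src] if start <= t <= end]
        return {"times": [t for t, _ in hits], "paths": [p for _, p in hits],
                "frequency": dict(Counter(p for _, p in hits))}
```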
CN202011226055.6A 2020-11-05 2020-11-05 Network attack behavior processing method and device, storage medium and electronic equipment Active CN114531258B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011226055.6A CN114531258B (en) 2020-11-05 2020-11-05 Network attack behavior processing method and device, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN114531258A CN114531258A (en) 2022-05-24
CN114531258B true CN114531258B (en) 2023-04-18

Family

ID=81618659

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011226055.6A Active CN114531258B (en) 2020-11-05 2020-11-05 Network attack behavior processing method and device, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN114531258B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115208679B (en) * 2022-07-14 2023-12-08 软极网络技术(北京)有限公司 Attacker IP defending method and defending system based on honey array cooperation
CN115001875A (en) * 2022-08-05 2022-09-02 上海斗象信息科技有限公司 Honeypot-based network trapping method, device, server and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107070929A (en) * 2017-04-20 2017-08-18 中国电子技术标准化研究院 A kind of industry control network honey pot system

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9009829B2 (en) * 2007-06-12 2015-04-14 The Trustees Of Columbia University In The City Of New York Methods, systems, and media for baiting inside attackers
US9553885B2 (en) * 2015-06-08 2017-01-24 Illusive Networks Ltd. System and method for creation, deployment and management of augmented attacker map
IL249827A0 (en) * 2016-12-28 2017-03-30 Mimran Dudu A method for modeling attack patterns in honeypots
CN106921671B (en) * 2017-03-22 2019-12-06 杭州迪普科技股份有限公司 network attack detection method and device
CN107370756B (en) * 2017-08-25 2020-04-07 北京神州绿盟信息安全科技股份有限公司 Honey net protection method and system
CN109088901A (en) * 2018-10-31 2018-12-25 杭州默安科技有限公司 Deception defence method and system based on SDN building dynamic network
CN109347881B (en) * 2018-11-30 2021-11-23 东软集团股份有限公司 Network protection method, device, equipment and storage medium based on network spoofing
CN110011982B (en) * 2019-03-19 2020-08-25 西安交通大学 Intelligent attack decoy system and method based on virtualization
CN110677408B (en) * 2019-07-09 2021-07-09 腾讯科技(深圳)有限公司 Attack information processing method and device, storage medium and electronic device
CN111556061B (en) * 2020-04-29 2022-07-12 上海沪景信息科技有限公司 Network disguising method, device, equipment and computer readable storage medium
CN111651757B (en) * 2020-06-05 2024-04-09 深圳前海微众银行股份有限公司 Method, device, equipment and storage medium for monitoring attack behaviors
CN111565199B (en) * 2020-07-14 2021-10-01 腾讯科技(深圳)有限公司 Network attack information processing method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN114531258A (en) 2022-05-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant