CN114567472A - Data processing method and device, electronic equipment and storage medium - Google Patents

Publication number
CN114567472A
Authority
CN
China
Prior art keywords
honeypot
code
response packet
attacker
data processing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210160832.4A
Other languages
Chinese (zh)
Inventor
王绍东
薛征宇
毛敏其
杨承林
刘旭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN202210160832.4A
Publication of CN114567472A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The embodiment of the invention is applicable to the technical field of computers, and provides a data processing method, a data processing device, electronic equipment and a storage medium, wherein the data processing method comprises the following steps: generating a first response packet based on a honeypot feature when a first access request is received, wherein the relevant parameters of the honeypot feature change dynamically over time; and sending the first response packet to a first peer device, wherein the first peer device characterizes the sender of the first access request.

Description

Data processing method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a data processing method and apparatus, an electronic device, and a storage medium.
Background
Currently, the related art protects business systems by deploying honeypots. However, attackers generally use anti-honeypot feature plug-ins that quickly identify a honeypot, which causes the honeypot to fail.
Disclosure of Invention
In order to solve the above problem, embodiments of the present invention provide a data processing method, an apparatus, an electronic device, and a storage medium, so as to at least solve the problem that an attacker in the related art can quickly identify a honeypot by using an anti-honeypot feature plug-in.
The technical scheme of the invention is realized as follows:
In a first aspect, an embodiment of the present invention provides a data processing method, where the method includes:
generating a first response packet based on a honeypot feature when a first access request is received, wherein the relevant parameters of the honeypot feature change dynamically over time;
sending the first response packet to a first peer device, wherein the first peer device characterizes the sender of the first access request.
In the above solution, the honeypot feature includes attacker identity tracing code, and the relevant parameters of the honeypot feature include at least one of: cross-domain request frequency, cross-domain request site, source manufacturer, and code obfuscation mode;
accordingly, the dynamic change of the relevant parameters of the honeypot feature over time includes at least one of:
dynamically changing, over time, the cross-domain request frequency of the honeypot's attacker identity tracing code;
dynamically changing, over time, the cross-domain request site of the honeypot's attacker identity tracing code;
dynamically switching, over time, between attacker identity tracing codes from different manufacturers;
and obfuscating the honeypot's attacker identity tracing code, wherein the code obfuscation mode changes dynamically over time.
In the above solution, when the relevant parameters of the honeypot feature include a code obfuscation mode, obfuscating the honeypot's attacker identity tracing code comprises at least one of the following:
obfuscating identifiers in the attacker identity tracing code;
inserting junk code into the attacker identity tracing code;
encoding-obfuscating value-type data in the attacker identity tracing code;
converting the execution logic of the attacker identity tracing code into loop logic;
and deleting line-break characters and/or indentation characters in the attacker identity tracing code.
In the above solution, the parameter related to the honeypot feature includes a position point of the honeypot feature in the first response packet, and the parameter related to the honeypot feature dynamically changes with time, including:
altering a location point of the honeypot feature in the first response packet to dynamically change the location point of the honeypot feature in the first response packet.
In the foregoing solution, the generating a first response packet based on the honeypot feature includes:
determining a document object model of the first response package;
determining a location point for inserting the honeypot feature in the document object model;
and inserting the honeypot feature at the position point to obtain the first response packet.
In the above solution, before generating the first response packet based on the honeypot feature, the method further includes:
acquiring configuration parameters selected by a user;
generating the honeypot feature based on the configuration parameter.
In a second aspect, an embodiment of the present invention provides a data processing apparatus, including:
the generating module is used for generating a first response packet based on the honeypot characteristics under the condition that the first access request is received; wherein the relevant parameters of the honeypot characteristics dynamically change over time;
the sending module is used for sending the first response packet to the first peer device; the first peer device characterizes a sender of the first access request.
In a third aspect, an embodiment of the present invention provides an electronic device, including a processor and a memory, where the processor and the memory are connected to each other, where the memory is used to store a computer program, and the computer program includes program instructions, and the processor is configured to call the program instructions to execute the steps of the data processing method provided in the first aspect of the embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium that stores a computer program which, when executed by a processor, performs the steps of the data processing method provided by the first aspect of the embodiments of the invention.
In a fifth aspect, an embodiment of the present invention provides a cloud computing platform, which includes a data processing software module for implementing a honeypot, where the data processing software module is configured to implement the steps of the data processing method provided in the first aspect of the embodiment of the present invention.
In the embodiment of the invention, when the first access request is received, a first response packet is generated based on the honeypot feature, and the first response packet is sent to the first peer device. The relevant parameters of the honeypot feature change dynamically over time, and the first peer device characterizes the sender of the first access request. By dynamically changing the honeypot feature carried in the honeypot's response packets, the embodiment of the invention enhances the concealment of the honeypot and makes it harder for attackers to identify it. Even if an attacker has previously identified the honeypot feature corresponding to the honeypot, the honeypot feature changes dynamically, so the changed feature no longer matches the feature the attacker previously used to identify the honeypot, and the attacker cannot identify the honeypot.
Drawings
Fig. 1 is a schematic diagram of an attack traffic trend provided in an embodiment of the present invention;
Fig. 2 is a schematic diagram of another attack traffic trend provided by the embodiment of the present invention;
Fig. 3 is a schematic flow chart of an implementation of a data processing method according to an embodiment of the present invention;
Fig. 4 is a schematic flow chart illustrating another implementation of a data processing method according to an embodiment of the present invention;
Fig. 5 is a schematic flow chart of another implementation of a data processing method according to an embodiment of the present invention;
Fig. 6 is a diagram illustrating a structure of a document object model according to an embodiment of the present invention;
Fig. 7 is a flow chart illustrating another implementation of a data processing method according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of another data processing apparatus according to an embodiment of the present invention;
Fig. 9 is a schematic diagram of an electronic device according to an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A honeypot is a virtual system that acts as an information collection system. It simulates an enterprise's real business system and serves as bait that lures hackers into attacking it. After the attacker intrudes, the tools and information used by the hacker are collected through monitoring and analysis, and the defense system is then strengthened.
Most honeypots currently delay the attacker by deploying and exposing dummy applications or systems on Docker or a virtual machine and inducing the attacker to access them. When the honeypot feature is identity tracing code, the attacker can be traced by capturing the attacker's fingerprint, where the fingerprint can be virtual network identity information such as a social account, or device information of the attacking device. At present, the main means of honeypot tracing is to insert honeypot features (such as identity tracing code) into exposed honeypot applications; when an attacker who is logged in to a third-party application accesses the honeypot application, the honeypot feature captures the fingerprint and sends it to the defender, so that security experts can trace the attacker to a personal identity.
However, honeypots typically insert the same honeypot feature at the same location in every response packet, so the anti-honeypot feature plug-ins used by attackers can easily identify and intercept the honeypot feature, which causes the honeypot to fail.
In view of the above-mentioned shortcomings of the related art, embodiments of the present invention provide a data processing method, which at least can prevent an attacker from easily recognizing honeypot features in honeypot response packets. In order to explain the technical means of the present invention, the following description will be given by way of specific examples.
Fig. 1 is a schematic diagram of an attack traffic trend according to an embodiment of the present invention, where a network device may be a virtual device installed on a host where a service system is located, for example, a firewall in the form of a virtual machine; the network device may also be a hardware server, such as a gateway or a proxy server. The network equipment is used for forwarding an access request sent by an attacker or a real user to the service system and forwarding a response packet sent by the service system to the attacker or the real user.
Fig. 2 is a schematic diagram of another attack traffic trend provided by the embodiment of the present invention. Compared with Fig. 1, Fig. 2 has fewer network devices: an attacker can directly access the honeypot, and a response packet of the honeypot can also be sent directly to the attacker.
Fig. 3 is a schematic flow chart of an implementation of a data processing method according to an embodiment of the present invention, where the execution subject of the data processing method is the honeypot in Fig. 1 or Fig. 2. The embodiment of the present invention may be applied to either of the scenarios shown in Fig. 1 or Fig. 2, and the present application is not limited thereto.
Referring to Fig. 3, the data processing method includes:
S301, when a first access request is received, generating a first response packet based on the honeypot feature; wherein the relevant parameters of the honeypot feature change dynamically over time.
In the related art, after receiving an access request, a honeypot generates a response packet according to the access request, where the response packet carries a honeypot feature (such as identity tracing code for identifying an identity). The relevant parameters of the honeypot feature are the same in every response packet the honeypot generates, so the honeypot feature in the response packet is easily identified by an attacker. Specifically, attackers typically identify honeypot features by presetting a value or range for a parameter and then matching against it; if the parameter matches, the attacker considers that a honeypot has been accessed. Therefore, if the parameters of the honeypot feature stay fixed, an attacker can determine them during attack-defense confrontation and write their values into honeypot-detection code; as long as the parameters stay the same afterwards, the attacker can easily identify the honeypot, and the honeypot fails. The specific means adopted by the present application is therefore to make the relevant parameters of the honeypot feature change dynamically, so that it is difficult for an attacker to determine them during attack-defense confrontation, and even after the attacker has determined them, the subsequent dynamic changes take the honeypot feature out of the attacker's detection, so that the honeypot is difficult to detect.
The relevant parameters are the parameters needed to generate the honeypot feature and/or the insertion location of the honeypot feature. For example, when the honeypot feature is identity tracing code, the parameters needed to generate it are: cross-domain request frequency, request site, tracing codes of different honeypot manufacturers, and code obfuscation mode. In the embodiment of the invention, the relevant parameters of the honeypot feature change dynamically over time, which makes it harder for an attacker to identify the honeypot feature in the response packet.
For example, the location point of the honeypot feature in the response packet is changed every set time, so that an attacker cannot recognize the honeypot feature at the fixed location point of the response packet.
Referring to FIG. 4, in an embodiment, prior to generating the first response packet based on the honeypot signature, the method further comprises:
S401, obtaining the configuration parameters selected by the user.
S402, generating the honeypot characteristics based on the configuration parameters.
The embodiment of the invention can provide some configuration parameters for the user to select, and finally generate the honeypot characteristics according to the configuration parameters selected by the user. Alternatively, a combination of certain configuration parameters is set in advance, and when an instruction to generate the honeypot feature is received, the honeypot feature is automatically generated based on the combination of the preset configuration parameters.
Here, the configuration parameters may be configured for the relevant parameters of the attacker identity tracing code, such as cross-domain request frequency (e.g., the request-sending frequency per minute), request sites (e.g., third-party application sites such as Baidu Tieba and Sina Weibo), tracing codes of different honeypot manufacturers, code obfuscation modes, and the like. Of course, the configuration parameters can also be configured for relevant parameters of honeypot features other than the attacker identity tracing code.
The user can adjust the configuration parameters at intervals, thereby making the relevant parameters of the honeypot feature change dynamically over time.
The relevant parameters of the honeypot feature change dynamically over time (the change instruction can be triggered automatically on a timer or manually by a user). Dynamically changing honeypot features keep an attacker from obtaining them through simple analysis and resist attacker analysis, which improves the concealment of the honeypot to a certain extent and prevents the honeypot from failing to attract traffic after being identified.
The honeypot feature comprises attacker identity tracing code, and the relevant parameters of the honeypot feature comprise at least one of the following: cross-domain request frequency, cross-domain request site, source manufacturer, and code obfuscation mode;
accordingly, the dynamic change of the relevant parameters of the honeypot feature over time includes at least one of:
dynamically changing, over time, the cross-domain request frequency of the honeypot's attacker identity tracing code;
dynamically changing, over time, the cross-domain request site of the honeypot's attacker identity tracing code;
dynamically switching, over time, between attacker identity tracing codes from different manufacturers;
and obfuscating the honeypot's attacker identity tracing code, wherein the code obfuscation mode changes dynamically over time.
One or more relevant parameters can be flexibly selected for dynamic change, and the time interval of the change is not limited; the relevant parameters need not change at a fixed time interval, which further increases the concealment of the honeypot.
In one embodiment, when the relevant parameters of the honeypot feature include a code obfuscation mode, obfuscating the honeypot's attacker identity tracing code comprises at least one of the following:
obfuscating identifiers in the attacker identity tracing code;
inserting junk code into the attacker identity tracing code;
encoding-obfuscating value-type data in the attacker identity tracing code;
converting the execution logic of the attacker identity tracing code into loop logic;
and deleting line-break characters and/or indentation characters in the attacker identity tracing code.
The embodiment of the invention describes the technical means of dynamic change by taking code obfuscation as an example. Code obfuscation, also known as junk instructions, is the act of transforming the code of a computer program into a form that is functionally equivalent but difficult to read and understand. Code obfuscation may be applied to program source code or to the intermediate code into which a program is compiled. Code obfuscation includes the following. The names of elements in the code, such as variables, functions and classes, are rewritten to meaningless names, for example a single letter, a short meaningless letter combination, or even a symbol such as "__", so that the reader cannot guess an element's purpose from its name. Part of the logic in the code is rewritten into a functionally equivalent form, for example a for loop is rewritten into a while loop, a loop is rewritten into a recursion, and intermediate variables are reduced. The format of the code is scrambled, for example by deleting spaces, squeezing several lines of code into one line, or breaking one line of code into several lines.
Obfuscating an identifier in the attacker identity tracing code, including: identifiers such as constant names, variable names, and function names are obfuscated.
Deleting indentation and/or line-break characters in the attacker identity tracing code reduces the code volume and increases the reading difficulty.
Encoding-obfuscating value-type data in the attacker identity tracing code includes: encoding-obfuscating numbers, character strings, arrays and Booleans, where the encoding obfuscation includes hexadecimal encoding, Unicode encoding, Base64 encoding, character string splitting, character string encryption, and the like.
Converting the execution logic of the attacker identity tracing code into loop logic includes: flattening the original control flow of the code and then turning it into a loop flow, which increases the difficulty of reading and analyzing the code.
Obfuscating the honeypot's attacker identity tracing code continuously changes the complexity of the code and increases the difficulty of reading and analyzing it. This makes it harder for an attacker to identify the honeypot feature in the response packet, prevents the attacker from quickly deleting the honeypot feature, and keeps the attacker's anti-honeypot feature plug-in from remaining effective over time.
In one embodiment, the parameter related to the honeypot signature includes a location point of the honeypot signature in the first response packet, and the parameter related to the honeypot signature dynamically changes over time, including:
changing the position point of the honeypot feature in the first response packet, so that the position point of the honeypot feature in the first response packet changes dynamically.
Here, the position point of the honeypot feature may be changed at regular time or may be changed at irregular time, and for example, the position points of the honeypot feature of the first response packet transmitted at each time may be different. By changing the position point of the honeypot feature in the response packet, an attacker cannot identify the honeypot feature at the fixed position point of the response packet, and the attacker is prevented from deleting the honeypot feature through a simple script.
Referring to fig. 5, in an embodiment, the generating the first response packet based on the honeypot feature includes:
S501, determining a document object model of the first response packet.
Here, the first response packet may be parsed to obtain a Document Object Model (DOM). The DOM is a representation of a HyperText Markup Language (HTML) or Extensible Markup Language (XML) structure, and HTML/XML can be modified by modifying the DOM programmatically. JavaScript provides a complete set of methods to access, traverse and manipulate the DOM.
S502, determining the position point of the honeypot feature inserted into the document object model.
The DOM employs a tree structure, each part of which is called a node, including element nodes and attribute nodes, and the document object model is used to manipulate these nodes.
Referring to fig. 6, fig. 6 is a schematic structural diagram of a document object model according to an embodiment of the present invention. The document object model shown in fig. 6 is tree-shaped, and the head includes element nodes meta and title; the element nodes a, img, div, etc. are included in the body. The element node further includes an attribute node, for example, a div element node includes an attribute node id and a class.
A position point is a node in the document object model; the honeypot feature can be inserted at any position point as long as the code still executes normally after the insertion.
S503, inserting the honeypot characteristics into the position points to obtain the first response packet.
It should be understood that the honeypot feature only needs to be inserted at one position point; for example, the honeypot feature is inserted in the middle of the <div> element node, and the document object model is then encapsulated to obtain the first response packet.
Referring to FIG. 7, in one embodiment, the determining the location points for inserting the honeypot features in the document object model includes:
S701, determining at least two position points in the document object model.
S702, determining a position point for inserting the honeypot feature from the at least two position points.
A plurality of position points at which the honeypot feature can be inserted can be determined in the document object model, and one of them can be selected at random as the point at which the honeypot feature is inserted.
Based on the determined position points at which the honeypot feature can be inserted, the position point used in the first response packet can be replaced at irregular intervals, which improves the concealment of the honeypot feature and makes it harder for an attacker to identify it.
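Steps S501 to S503 together with S701 and S702, sketched as an added example (not code from the patent or its applicant): the response HTML is parsed, every usable position point is collected, and one is selected per time epoch. The inert `FEATURE` placeholder, the `CONTAINERS` set, the keyed-digest selection, the one-hour interval and the constructed `SAMPLE_PAGE` are all assumptions of this sketch.

```python
import hashlib
import hmac
from html.parser import HTMLParser

# Inert stand-in for the honeypot feature; the path is hypothetical.
FEATURE = '<script src="/assets/metrics.js"></script>'

# Assumption: element nodes that can hold a <script> child without breaking the page.
CONTAINERS = {"head", "body", "div", "section", "article", "main", "header", "footer"}

# Constructed page shaped like the tree in Fig. 6 (head: meta, title; body: a, img, div).
SAMPLE_PAGE = """<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Login</title>
</head>
<body>
  <a href="/help">Help</a>
  <img src="/logo.png" alt="logo">
  <div id="main" class="box">
    <form action="/login" method="post">
      <input name="user"><input name="pass" type="password">
    </form>
  </div>
  <script>var note = "</div> inside script text is not a node";</script>
</body>
</html>
"""


class _PointFinder(HTMLParser):
    """Walks the markup and records character offsets of usable position points."""

    def __init__(self, html):
        super().__init__()
        # Offset of the first character of each line, to turn getpos() into an index.
        self._line_start = [0] + [i + 1 for i, ch in enumerate(html) if ch == "\n"]
        self.points = set()
        self.feed(html)
        self.close()

    def _offset(self):
        line, col = self.getpos()
        return self._line_start[line - 1] + col

    def handle_starttag(self, tag, attrs):
        if tag in CONTAINERS:
            # Just after the start tag: the feature becomes the first child node.
            self.points.add(self._offset() + len(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in CONTAINERS:
            # Just before the end tag: the feature becomes the last child node.
            self.points.add(self._offset())


def candidate_points(html):
    """S701: all position points in the document, as sorted character offsets."""
    return sorted(_PointFinder(html).points)


def epoch_for(now_s, interval_s=3600):
    """Rotation counter; the one-hour default interval is an assumption."""
    return int(now_s // interval_s)


def build_response(html, epoch, secret):
    """S702 and S503: pick one point for this epoch and insert the feature there."""
    points = candidate_points(html)
    if len(points) < 2:
        raise ValueError("fewer than two position points; nothing to rotate between")
    # Keyed digest so the sequence of positions cannot be predicted from outside.
    digest = hmac.new(secret, str(epoch).encode(), hashlib.sha256).digest()
    at = points[int.from_bytes(digest, "big") % len(points)]
    return html[:at] + FEATURE + html[at:], at


if __name__ == "__main__":
    import time
    page, at = build_response(SAMPLE_PAGE, epoch_for(time.time()), b"demo-key")
    print(f"feature inserted at offset {at} of {len(SAMPLE_PAGE)}")
```

Parsing the markup instead of searching for tag strings keeps the `</div>` that appears inside the sample's script text from being treated as a position point.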
S302, sending the first response packet to a first peer device; the first peer device characterizes a sender of the first access request.
After the first response packet is obtained, it is sent to the accessing party. Even if the attacker previously detected the honeypot feature in a response packet sent by the honeypot, the relevant parameters of the honeypot feature in the first response packet change dynamically, so the honeypot feature in the first response packet sent this time differs from the one carried in the response packets the honeypot sent before (for example, its insertion position can differ), and the concealment of the honeypot is strong. For example, once the attacker has determined that a certain honeypot feature corresponds to a honeypot, the honeypot feature changes dynamically, so the changed feature no longer matches the feature the attacker previously used to identify the honeypot; this prolongs the time the attacker needs to identify the honeypot and increases the difficulty of identifying the honeypot feature.
In the embodiment of the invention, when the first access request is received, a first response packet is generated based on the honeypot feature, and the first response packet is sent to the first peer device. The relevant parameters of the honeypot feature change dynamically over time, and the first peer device characterizes the sender of the first access request. By dynamically changing the honeypot feature carried in the honeypot's response packets, the embodiment of the invention enhances the concealment of the honeypot and makes it harder for attackers to identify it. Even if an attacker has previously identified the honeypot feature corresponding to the honeypot, the honeypot feature changes dynamically and the changed feature no longer matches the feature the attacker previously used to identify the honeypot, so the attacker cannot identify the honeypot from past experience.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The technical means described in the embodiments of the present invention may be arbitrarily combined without conflict.
In addition, in the embodiments of the present invention, "first", "second", and the like are used for distinguishing similar objects, and are not necessarily used for describing a specific order or a sequential order.
Referring to fig. 8, fig. 8 is a schematic diagram of a data processing apparatus according to an embodiment of the present invention, and as shown in fig. 8, the apparatus includes a generating module and a sending module.
The generating module is used for generating a first response packet based on the honeypot characteristics under the condition that the first access request is received; wherein the relevant parameters of the honeypot characteristics dynamically change over time;
the sending module is used for sending the first response packet to the first peer device; the first peer device characterizes a sender of the first access request.
In one embodiment, the honeypot feature comprises attacker identity tracing code, and the relevant parameters of the honeypot feature comprise at least one of the following: cross-domain request frequency, cross-domain request site, source manufacturer and code obfuscation mode;
correspondingly, the device further comprises a change module for dynamically changing the relevant parameters of the honeypot feature over time, the change module being configured to perform at least one of the following:
dynamically changing the cross-domain request frequency of the attacker identity tracing code of the honeypot over time;
dynamically changing the cross-domain request site of the attacker identity tracing code of the honeypot over time;
dynamically switching, over time, between attacker identity tracing codes from different manufacturers;
and code obfuscating the attacker identity tracing code of the honeypot, wherein the code obfuscation mode changes dynamically over time.
In one embodiment, when the relevant parameters of the honeypot feature include a code obfuscation mode, the change module performs code obfuscation on the attacker identity tracing code of the honeypot by performing at least one of the following:
obfuscating an identifier in the attacker identity tracing code;
inserting junk code into the attacker identity tracing code;
encoding and obfuscating numeric data in the attacker identity tracing code;
converting the execution logic of the attacker identity tracing code into loop logic;
and deleting the line feed character and/or the indentation character in the attacker identity tracing code.
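As an added illustration (not code from the patent), the sketch below rotates the obfuscation mode per time window and applies four of the transforms listed above to an inert JavaScript snippet. The HMAC-keyed schedule, the one-hour window, the sample snippet and all function names are assumptions; conversion of the execution logic into loop logic is omitted.

```python
import hashlib
import hmac
import re

# Constructed, inert stand-in for the script a honeypot would embed.
SNIPPET = """function buildBeacon(endpoint, retries) {
    var delay = 250;
    var attempts = retries + 3;
    return endpoint + "?d=" + delay + "&n=" + attempts;
}
"""
# Names known to be local to SNIPPET; a production tool would take them from a JS parser.
LOCALS = ["endpoint", "retries", "delay", "attempts"]
# Matches standalone decimal literals, not digits inside identifiers or hex literals.
DECIMAL = re.compile(r"(?<![\w.])\d+(?![\w.])")


def _stream(secret, epoch, label):
    """Per-window pseudo-random bytes; unpredictable without the key."""
    return hmac.new(secret, f"{epoch}:{label}".encode(), hashlib.sha256).digest()


def rename_identifiers(code, secret, epoch):
    """Replaces each local name with a window-specific alias."""
    for name in LOCALS:
        alias = "_0x" + _stream(secret, epoch, name).hex()[:6]
        code = re.sub(rf"\b{name}\b", alias, code)
    return code


def insert_junk(code, secret, epoch):
    """Adds one dead declaration right after the function's opening brace."""
    n = _stream(secret, epoch, "junk")[0]
    head, brace, rest = code.partition("{\n")
    return head + brace + f"    var _j{n} = {n} * 2;\n" + rest


def encode_numbers(code, secret, epoch):
    """Rewrites each decimal literal v as (v^k ^ k), which evaluates to v in JS."""
    key = _stream(secret, epoch, "num")[0] | 1
    return DECIMAL.sub(
        lambda m: f"({int(m.group()) ^ key:#x}^{key:#x})", code)


def strip_layout(code, secret, epoch):
    """Removes line feeds and indentation; every statement ends in ';', '{' or '}'."""
    return "".join(line.strip() for line in code.splitlines())


# Fixed order so that layout stripping always runs last.
TRANSFORMS = [rename_identifiers, insert_junk, encode_numbers, strip_layout]


def obfuscate(code, now, secret=b"constructed-demo-key", period=3600):
    """Returns (obfuscated code, names of the transforms used in this window)."""
    epoch = int(now // period)
    mask = _stream(secret, epoch, "mode")[0] % 15 + 1  # 1..15: never empty
    applied = []
    for bit, transform in enumerate(TRANSFORMS):
        if mask & (1 << bit):
            code = transform(code, secret, epoch)
            applied.append(transform.__name__)
    return code, applied


if __name__ == "__main__":
    for hour in range(3):
        text, modes = obfuscate(SNIPPET, now=hour * 3600.0)
        print(modes)
        print(text)
```
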
In an embodiment, the relevant parameters of the honeypot feature include the location point of the honeypot feature in the first response packet, and the change module is configured to:
change the location point of the honeypot feature in the first response packet, so that this location point changes dynamically.
In one embodiment, the generating module generates the first response packet based on the honeypot feature by:
determining a document object model of the first response packet;
determining a location point for inserting the honeypot feature in the document object model;
and inserting the honeypot feature at the location point to obtain the first response packet.
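The two embodiments above (a location point that changes over time, and insertion through the document object model) can be sketched as follows. This is an added example, not code from the patent; the HMAC-keyed hourly schedule, the sample page, the placeholder script tag and the function names are assumptions.

```python
import hashlib
import hmac
from html.parser import HTMLParser

# Constructed decoy page; a real honeypot would render its own template.
SAMPLE_PAGE = (
    '<html><head><title>Login</title></head>'
    '<body><div id="nav"><a href="/">Home</a></div>'
    '<div id="main"><form action="/login"><input name="u"></form></div>'
    '<div id="footer"><p>Contact</p></div></body></html>'
)
# Inert placeholder standing in for the honeypot feature (assumption).
FEATURE = '<script src="/static/app.js"></script>'
# Elements that may legally contain a <script> child.
CONTAINERS = {"head", "body", "div"}


class _PointFinder(HTMLParser):
    """Records the source offset of each container's closing tag."""

    def __init__(self, source):
        super().__init__()
        # Offsets of line starts, to turn (line, column) into an absolute offset.
        self.line_starts = [0]
        for i, ch in enumerate(source):
            if ch == "\n":
                self.line_starts.append(i + 1)
        self.offsets = []

    def handle_endtag(self, tag):
        if tag in CONTAINERS:
            line, col = self.getpos()  # position of the "</" being parsed
            self.offsets.append(self.line_starts[line - 1] + col)


def insertion_points(page):
    """Candidate location points: just before </head>, </body> and each </div>."""
    finder = _PointFinder(page)
    finder.feed(page)
    finder.close()
    return finder.offsets


def pick_point(points, now, secret, period):
    """Chooses one candidate per time window; stable inside a window."""
    epoch = int(now // period)
    digest = hmac.new(secret, str(epoch).encode(), hashlib.sha256).digest()
    return points[int.from_bytes(digest[:8], "big") % len(points)]


def build_response(page, now, secret=b"constructed-demo-key", period=3600):
    """Returns (response body, offset where the feature was inserted)."""
    points = insertion_points(page)
    if not points:  # no container found: append rather than drop the feature
        return page + FEATURE, len(page)
    offset = pick_point(points, now, secret, period)
    return page[:offset] + FEATURE + page[offset:], offset


if __name__ == "__main__":
    for hour in range(4):
        body, offset = build_response(SAMPLE_PAGE, now=hour * 3600.0)
        print(hour, offset, body[max(0, offset - 12):offset + len(FEATURE)])
```

Keying the schedule with a secret keeps the location reproducible for the operator, who can recompute where the feature sat at any past time, while a client that only sees responses cannot predict the next window's position.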
In an embodiment, the generating module is further configured to:
acquiring configuration parameters selected by a user;
generating the honeypot feature based on the configuration parameter.
In practical applications, the generating module and the sending module may be implemented by a processor in an electronic device, such as a Central Processing Unit (CPU), a Digital Signal Processor (DSP), a Micro Control Unit (MCU), or a Field-Programmable Gate Array (FPGA).
It should be noted that the division into modules described in the above embodiment is only an example of how the device performs data processing. In practical applications, the processing may be distributed to different modules as needed, that is, the internal structure of the device may be divided into different modules to complete all or part of the processing described above. In addition, the apparatus provided in the above embodiments and the data processing method embodiments belong to the same concept; the specific implementation process is described in detail in the method embodiments and is not repeated here.
The data processing device may take the form of an image file; after the image file is executed, it may run as a container or a virtual machine so as to implement the data processing method described in the present application. The present application is of course not limited to the form of an image file: any software form capable of implementing the data processing method described in the present application falls within the protection scope of the present application, for example a software module implemented in a hypervisor (virtual machine monitor) of a cloud computing platform.
Based on the hardware implementation of the program module, in order to implement the method according to the embodiment of the present application, an embodiment of the present application further provides an electronic device, in which a honeypot is disposed, and the method for implementing the honeypot is implemented by a processor of the electronic device. Fig. 9 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application, and as shown in fig. 9, the electronic device includes:
a communication interface, capable of exchanging information with other devices such as network devices;
and a processor, connected to the communication interface to exchange information with other devices, and configured to execute, when running a computer program, the method provided by one or more of the technical solutions on the electronic device side. The computer program is stored in the memory.
Of course, in practice, the various components in an electronic device are coupled together by a bus system. It will be appreciated that a bus system is used to enable communications among the components. The bus system includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as a bus system in fig. 9.
The memory in the embodiments of the present application is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It will be appreciated that the memory can be either volatile memory or nonvolatile memory, and can include both volatile and nonvolatile memory. The nonvolatile memory may be a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory can be Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memories described in the embodiments of the present application are intended to comprise, without being limited to, these and any other suitable types of memory.
The embodiment of the invention also provides a cloud computing platform which comprises a data processing software module for realizing the honeypot, wherein the data processing software module is used for realizing the steps of the data processing method provided by the embodiment of the invention.
The cloud computing platform is a business form which organizes a plurality of independent server physical hardware resources into pooled resources by adopting computing virtualization, network virtualization and storage virtualization technologies, is a software defined resource structure based on virtualization technology development and can provide resource capacity in forms of virtual machines, containers and the like. The fixed relation between hardware and an operating system is eliminated, the resource scheduling is unified by the communication of a network, and then required virtual resources and services are provided.
The current cloud computing platform supports several service modes:
SaaS (Software as a Service): the cloud computing platform user does not need to purchase software, but rents the software deployed on the cloud computing platform, the user does not need to maintain the software, and a software service provider can manage and maintain the software in full rights;
PaaS (Platform as a Service): a cloud computing platform user (usually a software developer at this time) can build a new application on a framework provided by the cloud computing platform, or expand an existing application, and does not need to purchase a development, quality control or production server;
IaaS (Infrastructure as a Service): the cloud computing platform provides data centers, infrastructure hardware and software resources through the internet, and the cloud computing platform in the IaaS mode can provide servers, operating systems, disk storage, databases and/or information resources.
The method disclosed in the embodiments of the present application may be applied to a processor, or may be implemented by a processor. The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or instructions in the form of software. The processor described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in a memory where a processor reads the programs in the memory and in combination with its hardware performs the steps of the method as previously described.
Optionally, when the processor executes the program, the corresponding process implemented by the electronic device in each method of the embodiment of the present application is implemented, and for brevity, no further description is given here.
In an exemplary embodiment, the present application further provides a storage medium, specifically a computer storage medium, for example, a first memory storing a computer program, where the computer program is executable by a processor of an electronic device to perform the steps of the foregoing method. The computer readable storage medium may be Memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, electronic device and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
Alternatively, the integrated units described above in the present application may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present application or portions thereof that contribute to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The technical means described in the embodiments of the present application may be arbitrarily combined without conflict.
In addition, in the examples of the present application, "first", "second", and the like are used for distinguishing similar objects, and are not necessarily used for describing a specific order or a sequential order.
The above description covers only specific embodiments of the present application, but the protection scope of the present application is not limited thereto; any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed in the present application shall fall within the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A data processing method, applied to a honeypot, characterized in that the method comprises:
generating a first response packet based on the honeypot feature if the first access request is received; wherein the relevant parameters of the honeypot characteristics dynamically change over time;
sending the first response packet to a first peer device; the first peer device characterizes a sender of the first access request.
2. The method of claim 1, wherein the honeypot signature comprises attacker identity tracing code, and wherein the relevant parameters of the honeypot signature comprise at least one of: cross-domain request frequency, cross-domain request site, source manufacturer and code obfuscation mode;
accordingly, the relevant parameters of the honeypot characteristics dynamically changing over time includes at least one of:
dynamically changing the cross-domain request frequency of the attacker identity tracing code of the honeypot over time;
dynamically changing the cross-domain request site of the attacker identity tracing code of the honeypot over time;
dynamically switching, over time, between attacker identity tracing codes from different manufacturers;
and code obfuscating the attacker identity tracing code of the honeypot, wherein the code obfuscation mode changes dynamically over time.
3. The method according to claim 2, characterized in that, when the relevant parameters of the honeypot signature comprise the code obfuscation mode, the code obfuscating of the attacker identity tracing code of the honeypot comprises at least one of the following:
obfuscating an identifier in the attacker identity tracing code;
inserting junk code into the attacker identity tracing code;
encoding and obfuscating numeric data in the attacker identity tracing code;
converting the execution logic of the attacker identity tracing code into loop logic;
and deleting the line feed character and/or the indentation character in the attacker identity tracing code.
4. The method of claim 1, wherein the relevant parameters of the honeypot signature include a location point of the honeypot signature in the first response packet, and wherein the relevant parameters of the honeypot signature dynamically changing over time includes:
changing the location point of the honeypot signature in the first response packet, so that the location point changes dynamically.
5. The method of claim 4, wherein generating the first response packet based on the honeypot signature comprises:
determining a document object model of the first response packet;
determining a location point for inserting the honeypot feature in the document object model;
and inserting the honeypot feature at the location point to obtain the first response packet.
6. The method of any one of claims 1 to 5, wherein prior to generating the first response packet based on the honeypot signature, the method further comprises:
acquiring configuration parameters selected by a user;
generating the honeypot feature based on the configuration parameter.
7. A data processing apparatus, comprising:
the generating module is used for generating a first response packet based on the honeypot characteristics under the condition that the first access request is received; wherein the relevant parameters of the honeypot characteristics dynamically change over time;
the sending module is used for sending the first response packet to the first peer device; the first peer device characterizes a sender of the first access request.
8. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the data processing method according to any one of claims 1 to 6 when executing the computer program.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions that, when executed by a processor, cause the processor to carry out the data processing method according to any one of claims 1 to 6.
10. A cloud computing platform comprising a data processing software module for implementing honeypots, the data processing software module being configured to implement the steps of the data processing method of any one of claims 1 to 6.
CN202210160832.4A 2022-02-22 2022-02-22 Data processing method and device, electronic equipment and storage medium Pending CN114567472A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210160832.4A CN114567472A (en) 2022-02-22 2022-02-22 Data processing method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114567472A true CN114567472A (en) 2022-05-31

Family

ID=81713027

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210160832.4A Pending CN114567472A (en) 2022-02-22 2022-02-22 Data processing method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114567472A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116094847A (en) * 2023-04-11 2023-05-09 中国工商银行股份有限公司 Honeypot identification method, honeypot identification device, computer equipment and storage medium

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180124111A1 (en) * 2016-10-27 2018-05-03 Reliance Jio Inforcomm Limited System and method for network entity assisted honeypot access point detection
CN108156163A (en) * 2017-12-28 2018-06-12 广州锦行网络科技有限公司 Multidimensional deception bait based on Honeypot Techniques realizes system and method
CN109246108A (en) * 2018-09-18 2019-01-18 中国人民解放军战略支援部队信息工程大学 Mimicry honey jar fingerprint obscures system, method and its SDN network framework
US20190036544A1 (en) * 2017-07-25 2019-01-31 Fidelity Information Services, Llc Tracing engine-based software loop escape analysis and mixed differentiation evaluation
CN109861819A (en) * 2019-03-19 2019-06-07 天津中德应用技术大学 Based on the data ciphering method and decryption method for obscuring encryption block algorithm
CN109995750A (en) * 2019-01-17 2019-07-09 上海谋乐网络科技有限公司 The defence method and electronic equipment of network attack
CN110839025A (en) * 2019-11-08 2020-02-25 杭州安恒信息技术股份有限公司 Centralized web penetration detection honeypot method, device and system and electronic equipment
CN110933104A (en) * 2019-12-11 2020-03-27 成都卫士通信息产业股份有限公司 Malicious command detection method, device, equipment and medium
CN111404934A (en) * 2020-03-16 2020-07-10 广州锦行网络科技有限公司 Network attack tracing method and system based on dynamic and static combination mode and honey mark technology
US20200279050A1 (en) * 2019-02-28 2020-09-03 SpyCloud, Inc. Generating and monitoring fictitious data entries to detect breaches
US20210152598A1 (en) * 2019-11-18 2021-05-20 F5 Networks, Inc. Network application firewall
CN113709186A (en) * 2021-10-22 2021-11-26 杭州海康威视数字技术股份有限公司 Efficient honeypot proxy forwarding method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination