CN114598512B - Network security guarantee method and device based on honeypot and terminal equipment - Google Patents


Info

Publication number
CN114598512B
Authority
CN
China
Prior art keywords
attack
network security
data
determining
tool
Legal status
Active
Application number
CN202210176034.0A
Other languages
Chinese (zh)
Other versions
CN114598512A (en
Inventor
刘茂林
贺建鑫
赵重浩
龚亮华
Current Assignee
Fengtai Technology Beijing Co ltd
Original Assignee
Fengtai Technology Beijing Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The application belongs to the technical field of network security and provides a honeypot-based network security guarantee method, device and terminal equipment. The method comprises the following steps: analyzing traffic data through a honeypot to obtain feature data of the traffic data; when the feature data matches a corresponding attack tool, determining vulnerability features according to the attack tool; and updating configuration parameters of a configuration file according to the vulnerability features so as to block network security attacks. Because the honeypot analyzes the traffic data in real time to obtain its feature data, once a corresponding attack tool is matched the vulnerability features of that tool are rapidly determined from the tool itself, which improves the efficiency of attack tool identification; the configuration parameters of the configuration file are then updated according to the vulnerability features, so that the network security attack initiated by the attack tool is blocked and the stability of network security is improved.

Description

Network security guarantee method and device based on honeypot and terminal equipment
Technical Field
The application belongs to the technical field of network security, and in particular relates to a honeypot-based network security guarantee method and device, terminal equipment and a readable storage medium.
Background
As network technology develops rapidly, computer networks also face certain risks, such as network security attacks. When attacking a target, an attacker typically uses existing, known attack tools (e.g., port scanners, vulnerability scanners).
To ensure network security, users typically install an anti-attack program. However, related network security guarantee methods identify attack tools with low efficiency and low precision, so the network security state is unstable.
Disclosure of Invention
The embodiments of the application provide a honeypot-based network security guarantee method, a network security guarantee device, terminal equipment and a readable storage medium, which can solve the problems of low identification efficiency and low stability of related network security guarantee methods.
In a first aspect, an embodiment of the present application provides a honeypot-based network security guarantee method, including:
analyzing traffic data through a honeypot to obtain feature data of the traffic data;
when the feature data matches a corresponding attack tool, determining vulnerability features according to the attack tool;
and updating configuration parameters of a configuration file according to the vulnerability features so as to block network security attacks.
In one embodiment, the feature data includes a traffic feature fingerprint and a communication protocol;
and analyzing the traffic data through the honeypot to obtain the feature data of the traffic data includes:
determining, through the honeypot, the communication protocol corresponding to the traffic data;
and analyzing the traffic data to determine its traffic feature fingerprint.
In one embodiment, when the feature data matches a corresponding attack tool, determining the vulnerability features according to the attack tool includes:
matching the feature data against attack characteristics in a pre-established network security database;
when an attack characteristic corresponding to the feature data is matched, determining the attack tool corresponding to that attack characteristic; the network security database comprises a plurality of attack tools and the attack characteristics corresponding to each attack tool, wherein the attack characteristics comprise an attack communication protocol and an attack traffic feature fingerprint;
and determining the vulnerability features according to the attack tool.
In one embodiment, determining the vulnerability features according to the attack tool includes:
determining the type of the attack tool;
and determining the vulnerability features of the attack tool according to its type.
In one embodiment, updating the configuration parameters of the configuration file according to the vulnerability features so as to block network security attacks includes:
determining the IP address of the attacking user terminal according to the attack tool;
and updating the configuration parameters of the configuration file according to the vulnerability features and the feature data so as to block network security attacks from that IP address.
In one embodiment, the method further comprises:
generating corresponding alarm information according to the feature data and the attack tool;
and displaying the alarm information and sending it to a target user terminal.
In one embodiment, the method further comprises:
when a security control instruction is received, determining the target IP address carried by the security control instruction;
and, according to the security control instruction, disconnecting the communication connection with the target IP address so as to block the network security attack from the target IP address.
In a second aspect, an embodiment of the present application provides a honeypot-based network security guarantee apparatus, including:
a data analysis module, configured to analyze traffic data through a honeypot to obtain feature data of the traffic data;
a matching module, configured to determine vulnerability features according to an attack tool when the feature data matches the corresponding attack tool;
and a parameter configuration module, configured to update configuration parameters of a configuration file according to the vulnerability features so as to block network security attacks.
In one embodiment, the feature data includes a traffic feature fingerprint and a communication protocol;
and the data analysis module comprises:
a protocol determining unit, configured to determine, through the honeypot, the communication protocol corresponding to the traffic data;
and a matching unit, configured to analyze the traffic data and determine its traffic feature fingerprint.
In one embodiment, the matching module includes:
a comparison unit, configured to match the feature data against attack characteristics in a pre-established network security database;
a tool determining unit, configured to determine the attack tool corresponding to an attack characteristic when the attack characteristic corresponding to the feature data is matched; the network security database comprises a plurality of attack tools and the attack characteristics corresponding to each attack tool, wherein the attack characteristics comprise an attack communication protocol and an attack traffic feature fingerprint;
and a feature determining unit, configured to determine the vulnerability features according to the attack tool.
In one embodiment, the feature determining unit includes:
a type determination subunit, configured to determine the type of the attack tool;
and a feature determining subunit, configured to determine the vulnerability features of the attack tool according to its type.
In one embodiment, the parameter configuration module includes:
an IP address determining unit, configured to determine the IP address of the attacking user terminal according to the attack tool;
and a parameter configuration unit, configured to update the configuration parameters of the configuration file according to the vulnerability features and the feature data so as to block network security attacks from that IP address.
In one embodiment, the apparatus further comprises:
an information generation module, configured to generate corresponding alarm information according to the feature data and the attack tool;
and a display module, configured to display the alarm information and send it to a target user terminal.
In one embodiment, the apparatus further comprises:
a receiving module, configured to determine the target IP address carried by a security control instruction when the security control instruction is received;
and a control module, configured to disconnect the communication connection with the target IP address according to the security control instruction, so as to block the network security attack from the target IP address.
In a third aspect, an embodiment of the present application provides terminal equipment including a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the computer program, implements the honeypot-based network security guarantee method according to any one of the first aspects.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium storing a computer program which, when executed by a processor, implements the honeypot-based network security guarantee method according to any one of the first aspects above.
In a fifth aspect, embodiments of the present application provide a computer program product which, when run on terminal equipment, causes the terminal equipment to perform the honeypot-based network security guarantee method according to any one of the first aspects above.
It will be appreciated that the advantages of the second to fifth aspects may be found in the relevant description of the first aspect and are not repeated here.
Compared with the prior art, the embodiments of the application have the following beneficial effects: the honeypot analyzes the traffic data to obtain the feature data of the real-time traffic data; when a corresponding attack tool is matched according to the feature data, the vulnerability features of the attack tool are rapidly determined from the attack tool, which improves the efficiency of attack tool identification; and the configuration parameters of the configuration file are updated according to the vulnerability features, so that the network security attack initiated by the attack tool is blocked and the stability of network security is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed for the embodiments or for the description of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application, and a person skilled in the art may obtain other drawings from them without inventive effort.
Fig. 1 is a schematic flow chart of a honeypot-based network security guarantee method provided in an embodiment of the present application;
Fig. 2 is a schematic flow chart of step S101 of the honeypot-based network security guarantee method provided in an embodiment of the present application;
Fig. 3 is a schematic flow chart of step S102 of the honeypot-based network security guarantee method provided in an embodiment of the present application;
Fig. 4 is a schematic flow chart of step S103 of the honeypot-based network security guarantee method provided in an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a honeypot-based network security guarantee device provided in an embodiment of the present application;
Fig. 6 is a schematic structural diagram of terminal equipment provided in an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system configurations, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in this specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
As used in this specification and the appended claims, the term "if" may be interpreted as "when", "once", "in response to determining" or "in response to detecting", depending on the context. Similarly, the phrase "if it is determined" or "if [a described condition or event] is detected" may be interpreted, depending on the context, as "upon determining", "in response to determining", "upon detecting [the described condition or event]" or "in response to detecting [the described condition or event]".
In addition, in the description of the present application and the appended claims, the terms "first," "second," "third," and the like are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
The honeypot-based network security guarantee method can be applied to terminal equipment such as a server, industrial control equipment, a mobile phone, a tablet computer, a personal digital assistant (PDA) and the like; the specific type of terminal equipment is not limited.
Fig. 1 shows a schematic flow chart of the honeypot-based network security guarantee method provided in the present application, which, by way of example and not limitation, can be applied to the industrial control equipment described above.
S101, analyzing traffic data through a honeypot to obtain feature data of the traffic data.
Specifically, a honeypot program is pre-stored on the current terminal equipment, and the traffic data on the current terminal equipment is analyzed in real time through the honeypot, so that feature data of the real-time traffic data is obtained.
By analyzing the traffic data, feature data is obtained from which it can be determined whether abnormal traffic data has appeared on the current terminal equipment, and thus whether the current network or equipment is under network security attack from other user terminals.
A honeypot program is a software application system (specifically, a network monitoring system) that is commonly used to attract attackers so that their intrusions can be observed. After an attack is detected, the attack mode of the attack tool, the attack method, the attack vulnerability features and the like are determined by monitoring and analyzing the traffic data.
S102, when the feature data matches a corresponding attack tool, determining vulnerability features according to the attack tool.
Specifically, the feature data of the traffic data is matched against attack characteristics in a pre-established network security database; when an attack characteristic matching the feature data of the traffic data is detected, the attack tool corresponding to that attack characteristic is determined, so that the corresponding vulnerability features are determined according to the attack tool, and the network security of the current terminal equipment is guaranteed on the basis of those vulnerability features.
S103, updating configuration parameters of a configuration file according to the vulnerability features so as to block network security attacks.
Specifically, the configuration parameters of the configuration file of the current network or equipment are updated according to the vulnerability features of the attack tool, so that the network security attack is blocked.
The configuration parameters of the updated configuration file include, but are not limited to: 1. blocking all traffic data from the IP address corresponding to the attack tool; 2. invoking different customized countermeasures according to the vulnerability features and applying limited countermeasures to the attack tool so as to prevent it from continuing the attack, and the like.
In one embodiment, the feature data includes a traffic feature fingerprint and a communication protocol;
as shown in Fig. 2, analyzing the traffic data through the honeypot to obtain the feature data of the traffic data includes:
S1011, determining, through the honeypot, the communication protocol corresponding to the traffic data;
S1012, analyzing the traffic data to determine its traffic feature fingerprint.
In particular, the feature data includes, but is not limited to, a traffic feature fingerprint and a communication protocol. The traffic data is analyzed in real time by the honeypot program and the communication protocol corresponding to the traffic data is determined; the traffic data (converted to hexadecimal) is written, according to its communication protocol, into different topics of different message queues (Kafka), and the traffic feature fingerprint of the traffic data is determined by analysis.
Specifically, multiple message queue (Kafka) nodes (brokers) need to register with the same ZooKeeper, which is an open source distributed application coordination service. Each node (broker) includes a plurality of partitions for storing traffic data.
As shown in Fig. 3, in one embodiment, when the feature data matches a corresponding attack tool, determining the vulnerability features according to the attack tool includes:
S1021, matching the feature data against attack characteristics in a pre-established network security database;
S1022, when an attack characteristic corresponding to the feature data is matched, determining the attack tool corresponding to that attack characteristic; the network security database comprises a plurality of attack tools and the attack characteristics corresponding to each attack tool, wherein the attack characteristics comprise an attack communication protocol and an attack traffic feature fingerprint;
S1023, determining the vulnerability features according to the attack tool.
In particular, all existing known attack tools are analyzed in advance to obtain the attack characteristics of each attack tool, including but not limited to its attack communication protocol and attack traffic feature fingerprint, and the network security database is pre-established from the attack tools and their attack characteristics (the network security database comprises a plurality of attack tools and the attack characteristics corresponding to each attack tool). Once the feature data of the traffic data has been determined, it is matched by logic rules against the attack characteristics stored in the pre-established network security database; when an attack characteristic corresponding to the feature data is matched, the attack tool corresponding to that attack characteristic is determined, so that the corresponding vulnerability features are determined according to the attack tool.
In one embodiment, determining the vulnerability features according to the attack tool includes:
determining the type of the attack tool;
and determining the vulnerability features of the attack tool according to its type.
Specifically, after the attack tool has been determined, the attack tool is analyzed to determine its type, and the vulnerability features of the attack tool are determined on the basis of that type. Types of attack tools include, but are not limited to, port scanners, vulnerability scanners and the like; vulnerability features refer to program vulnerabilities (bugs) present in the attack tool itself that can be used to counter the attack tool.
As shown in Fig. 4, in one embodiment, updating the configuration parameters of the configuration file according to the vulnerability features so as to block network security attacks includes:
S1031, determining the IP address of the attacking user terminal according to the attack tool;
S1032, updating the configuration parameters of the configuration file according to the vulnerability features and the feature data so as to block network security attacks from that IP address.
Specifically, after the attack tool has been determined, the IP address of the attacking user terminal that is using the attack tool is determined through a source-tracing program, and the configuration parameters of the configuration file are updated according to the vulnerability features and the feature data, so that network security attacks carrying that feature data from that IP address are blocked.
Because the configuration parameters of the configuration file are updated on the basis of the IP address, the vulnerability features and the feature data, the attack tool is countered through its own vulnerability features and network security is effectively guaranteed.
In one embodiment, the method further comprises:
generating corresponding alarm information according to the feature data and the attack tool;
and displaying the alarm information and sending it to a target user terminal.
Specifically, corresponding alarm information (including, but not limited to, the feature data of the traffic data, the attack tool and the IP address of the attacking user terminal) is generated according to the feature data of the traffic data and the attack tool; the alarm information is displayed on a display device and sent to the target user terminal. The target user terminal is an administrator's terminal (such as a mobile phone, a tablet computer, a PC and the like) that is communicatively connected to the current terminal equipment.
In one embodiment, the method further comprises:
when a security control instruction is received, determining the target IP address carried by the security control instruction;
and, according to the security control instruction, disconnecting the communication connection with the target IP address so as to block the network security attack from the target IP address.
Specifically, when the security control instruction is received, the target IP address carried by the security control instruction is determined, and the communication connection with the target IP address is disconnected according to the security control instruction, so that traffic data from the target IP address is refused and the network security attack from the target IP address is blocked.
In one embodiment, the method further includes recording a traffic log in real time when no attack tool corresponding to the feature data is matched, so that the traffic log can be displayed when a traffic log display instruction is received.
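The pipeline of steps S101 to S103, together with the alarm, security control instruction and traffic log embodiments above, as an added worked example that is not the patent's own code or database: the protocol heuristic, the fingerprint construction, the signature lookup, the configuration update and the instruction format are all assumed implementations, the signatures and sample packets are constructed placeholders, and a dictionary of lists stands in for the per-protocol Kafka topics.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AttackSignature:
    """One entry of the pre-established network security database (constructed)."""
    tool: str            # attack tool name (placeholder)
    tool_type: str       # e.g. "port scanner", "vulnerability scanner"
    protocol: str        # attack communication protocol
    fingerprint: str     # attack traffic feature fingerprint
    vulnerability: str   # vulnerability feature of the tool, mapped to a countermeasure tag


@dataclass(frozen=True)
class TrafficRecord:
    src_ip: str
    dst_port: int
    payload: bytes


def detect_protocol(dst_port: int, payload: bytes) -> str:
    """S1011: classify the communication protocol (assumed heuristic: banner first, then port)."""
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "HTTP"
    if payload.startswith(b"SSH-"):
        return "SSH"
    return {80: "HTTP", 22: "SSH"}.get(dst_port, "TCP")


def traffic_fingerprint(protocol: str, payload: bytes) -> str:
    """S1012: fingerprint = protocol + hex of the first 8 payload bytes (assumed, deliberately coarse)."""
    return f"{protocol}/{payload[:8].hex()}"


# Constructed signature database: tool names, probe payloads and countermeasure tags are placeholders.
SIGNATURE_DB: List[AttackSignature] = [
    AttackSignature("sample-port-scanner", "port scanner", "TCP",
                    traffic_fingerprint("TCP", b"\x00\x00\x00\x00PROBE"), "tarpit"),
    AttackSignature("sample-vuln-scanner", "vulnerability scanner", "HTTP",
                    traffic_fingerprint("HTTP", b"GET /scan-probe HTTP/1.1\r\n"), "rate-limit"),
]


class HoneypotGuard:
    def __init__(self, signature_db: List[AttackSignature]) -> None:
        self.db: Dict[Tuple[str, str], AttackSignature] = {
            (s.protocol, s.fingerprint): s for s in signature_db}
        self.config = {"blocked_ips": set(), "countermeasures": {}}  # stand-in for the configuration file
        self.topics: Dict[str, List[str]] = defaultdict(list)        # stand-in for per-protocol Kafka topics
        self.traffic_log: List[dict] = []
        self.alerts: List[dict] = []

    def analyze(self, rec: TrafficRecord) -> Tuple[str, str]:
        """S101: feature data = (communication protocol, traffic feature fingerprint)."""
        protocol = detect_protocol(rec.dst_port, rec.payload)
        self.topics[f"honeypot.{protocol.lower()}"].append(rec.payload.hex())  # hex, routed by protocol
        return protocol, traffic_fingerprint(protocol, rec.payload)

    def match(self, protocol: str, fingerprint: str) -> Optional[AttackSignature]:
        """S102: look the feature data up against the attack characteristics in the database."""
        return self.db.get((protocol, fingerprint))

    def update_config(self, rec: TrafficRecord, sig: AttackSignature) -> None:
        """S103: block the source IP and record the tool-specific countermeasure."""
        self.config["blocked_ips"].add(rec.src_ip)
        self.config["countermeasures"][rec.src_ip] = sig.vulnerability

    def handle(self, rec: TrafficRecord) -> dict:
        """Run one record through S101-S103 and return the outcome."""
        if rec.src_ip in self.config["blocked_ips"]:
            return {"action": "dropped", "tool": None}      # already blocked by the configuration
        protocol, fingerprint = self.analyze(rec)
        sig = self.match(protocol, fingerprint)
        if sig is None:                                       # no attack tool matched: only log the traffic
            self.traffic_log.append({"src_ip": rec.src_ip, "protocol": protocol, "fingerprint": fingerprint})
            return {"action": "logged", "tool": None}
        self.update_config(rec, sig)
        alert = {"src_ip": rec.src_ip, "protocol": protocol, "fingerprint": fingerprint,
                 "tool": sig.tool, "tool_type": sig.tool_type, "countermeasure": sig.vulnerability}
        self.alerts.append(alert)                             # displayed and sent to the administrator's terminal
        return {"action": "blocked", "tool": sig.tool, "alert": alert}

    def security_control(self, instruction: dict) -> bool:
        """Security control instruction from the administrator's terminal (assumed format:
        {"action": "disconnect", "target_ip": "..."}); validates the carried target IP first."""
        if instruction.get("action") != "disconnect":
            return False
        target_ip = instruction.get("target_ip")
        if not isinstance(target_ip, str):
            return False
        try:
            target = str(ipaddress.ip_address(target_ip))
        except ValueError:
            return False
        self.config["blocked_ips"].add(target)
        self.config["countermeasures"].setdefault(target, "manual-disconnect")
        return True
```

The eight-byte fingerprint is intentionally coarse so the matching logic stays readable; a production signature database would key on richer features of the same (protocol, fingerprint) shape.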
According to this embodiment, the honeypot analyzes the traffic data to obtain the feature data of the real-time traffic data; when a corresponding attack tool is matched according to the feature data, the vulnerability features of the attack tool are rapidly determined from the attack tool, which improves the efficiency of attack tool identification; and the configuration parameters of the configuration file are updated according to the vulnerability features, so that the network security attack initiated by the attack tool is blocked and the stability of network security is improved.
It should be understood that the sequence numbers of the steps in the foregoing embodiments do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not limit the implementation of the embodiments of the present application in any way.
Corresponding to the honeypot-based network security guarantee method described in the above embodiments, Fig. 5 shows a block diagram of the honeypot-based network security guarantee apparatus provided in an embodiment of the present application; for convenience of explanation, only the parts relevant to the embodiment of the present application are shown.
Referring to Fig. 5, the honeypot-based network security guarantee device 100 includes:
a data analysis module 101, configured to analyze traffic data through a honeypot to obtain feature data of the traffic data;
a matching module 102, configured to determine vulnerability features according to an attack tool when the feature data matches the corresponding attack tool;
and a parameter configuration module 103, configured to update configuration parameters of a configuration file according to the vulnerability features so as to block network security attacks.
In one embodiment, the characteristic data includes a traffic characteristic fingerprint, a communication protocol;
the data analysis module comprises:
the protocol determining unit is used for determining a communication protocol corresponding to the flow data through the honeypot;
and the matching unit is used for analyzing and determining the flow characteristic fingerprint of the flow data.
In one embodiment, the matching module includes:
the comparison unit is used for matching the characteristic data with attack characteristics in a pre-established network security database;
a tool determining unit configured to determine an attack tool corresponding to an attack feature when the attack feature corresponding to the feature data is matched; the network security database comprises a plurality of attack tools and attack characteristics corresponding to each attack tool, wherein the attack characteristics comprise attack communication protocols and attack flow characteristic fingerprints;
and the characteristic determining unit is used for determining the vulnerability characteristics according to the attack tool.
In one embodiment, the feature determining unit includes:
a type determination subunit configured to determine a type of the attack tool;
and the characteristic determining subunit is used for determining the vulnerability characteristics of the attack tool according to the type.
In one embodiment, the parameter configuration module includes:
an IP address determining unit, used for determining the IP address of the attacking user terminal according to the attack tool;
and a parameter configuration unit, used for updating the configuration parameters of the configuration file according to the vulnerability characteristics and the characteristic data so as to block the network security attack from that IP address.
In one embodiment, the apparatus further comprises:
the information generation module is used for generating corresponding alarm information according to the characteristic data and the attack tool;
and the display module is used for displaying the alarm information and sending the alarm information to the target user terminal.
In one embodiment, the apparatus further comprises:
a receiving module, used for determining the target IP address carried by a security control instruction when such an instruction is received;
and a control module, used for disconnecting the communication connection with the target IP address according to the security control instruction, thereby blocking the network security attack from the target IP address.
According to this embodiment, the honeypot analyzes the traffic data to obtain the characteristic data of the real-time traffic; when a corresponding attack tool is matched according to the characteristic data, the vulnerability characteristics of that tool are determined directly from the attack tool, which improves the efficiency of identifying the attack tool; the configuration parameters of the configuration file are then updated according to the vulnerability characteristics, so that the network security attack initiated by the attack tool is blocked and the stability of network security is improved.
It should be noted that, because the content of information interaction and execution process between the above devices/units is based on the same concept as the method embodiment of the present application, specific functions and technical effects thereof may be referred to in the method embodiment section, and will not be described herein again.
Fig. 6 is a schematic structural diagram of a terminal device according to this embodiment. As shown in fig. 6, the terminal device 6 of this embodiment includes: at least one processor 60 (only one shown in fig. 6), a memory 61, and a computer program 62 stored in the memory 61 and executable on the at least one processor 60, the processor 60 implementing the steps in any of the various honeypot-based network security method embodiments described above when executing the computer program 62.
The terminal device 6 may be a computing device such as a desktop computer, a notebook computer, a palm computer, a cloud server, etc. The terminal device may include, but is not limited to, a processor 60, a memory 61. It will be appreciated by those skilled in the art that fig. 6 is merely an example of the terminal device 6 and is not meant to be limiting as to the terminal device 6, and may include more or fewer components than shown, or may combine certain components, or different components, such as may also include input-output devices, network access devices, etc.
The processor 60 may be a central processing unit (CPU); the processor 60 may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 61 may in some embodiments be an internal storage unit of the terminal device 6, such as a hard disk or a memory of the terminal device 6. The memory 61 may in other embodiments also be an external storage device of the terminal device 6, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital Card (SD), a Flash memory Card (Flash Card) or the like, which are provided on the terminal device 6. Further, the memory 61 may also include both an internal storage unit and an external storage device of the terminal device 6. The memory 61 is used for storing an operating system, application programs, boot loader (BootLoader), data, other programs, etc., such as program codes of the computer program. The memory 61 may also be used for temporarily storing data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-described functions. The functional units and modules in the embodiment may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit, where the integrated units may be implemented in a form of hardware or a form of a software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working process of the units and modules in the above system may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
The embodiment of the application also provides a terminal device, which comprises: at least one processor, a memory, and a computer program stored in the memory and executable on the at least one processor, which when executed by the processor performs the steps of any of the various method embodiments described above.
Embodiments of the present application also provide a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
Embodiments of the present application also provide a computer program product which, when run on a mobile terminal, causes the mobile terminal to perform the steps of the method embodiments described above.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-readable storage medium. On this understanding, the present application implements all or part of the flow of the methods of the above embodiments by means of a computer program instructing the related hardware; the computer program may be stored in a computer-readable storage medium and, when executed by a processor, implements the steps of each of the method embodiments described above. The computer program comprises computer program code, which may be in source code form, object code form, an executable file, or some intermediate form. The computer-readable medium may include at least: any entity or device capable of carrying the computer program code to the terminal device, a recording medium, computer memory, read-only memory (ROM), random access memory (RAM), electrical carrier signals, telecommunications signals, and software distribution media, such as a USB flash drive, a removable hard disk, a magnetic disk or an optical disk. In some jurisdictions, in accordance with legislation and patent practice, computer-readable media may not include electrical carrier signals and telecommunications signals.
Each of the foregoing embodiments is described with its own emphasis; for parts not described or illustrated in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/network device and method may be implemented in other manners. For example, the apparatus/network device embodiments described above are merely illustrative, e.g., the division of the modules or units is merely a logical functional division, and there may be additional divisions in actual implementation, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (8)

1. A honeypot-based network security assurance method, characterized by comprising the following steps:
installing a honeypot in the current device in advance, and analyzing real-time traffic data in the current terminal device through the honeypot to obtain characteristic data of the traffic data, wherein the characteristic data comprises a traffic characteristic fingerprint and a communication protocol;
wherein analyzing the real-time traffic data in the current terminal device through the honeypot to obtain the characteristic data of the traffic data comprises: analyzing the traffic data in real time through the honeypot, determining the communication protocol corresponding to the traffic data, converting the traffic data into hexadecimal data, writing the traffic data into different topics of different message queues according to the different communication protocols, and analyzing and determining the traffic characteristic fingerprint of the traffic data, wherein the nodes of the plurality of message queues are registered on the same Zookeeper, Zookeeper being an open-source distributed application coordination service, and each node comprises a plurality of partitions for storing the traffic data;
when the characteristic data is matched to a corresponding attack tool, determining vulnerability characteristics according to the attack tool, which comprises: matching the characteristic data against the attack characteristics in a pre-established network security database; when the attack characteristic corresponding to the characteristic data is matched, determining the attack tool corresponding to that attack characteristic, the network security database comprising a plurality of attack tools and the attack characteristics corresponding to each attack tool, wherein the attack characteristics comprise an attack communication protocol and an attack traffic characteristic fingerprint; and determining the vulnerability characteristics according to the attack tool; wherein the pre-established network security database is established by pre-analyzing all known attack tools to obtain the attack characteristics of each attack tool, and pre-establishing the network security database from the attack tools and their attack characteristics;
updating configuration parameters of a configuration file according to the vulnerability characteristics to block the network security attack, wherein updating the configuration parameters of the configuration file comprises: updating the parameters so as to block all traffic data from the IP address corresponding to the attack tool, and invoking different customized countermeasures according to the vulnerability characteristics.
2. The honeypot-based network security assurance method of claim 1, wherein determining the vulnerability characteristics according to the attack tool comprises:
determining the type of the attack tool;
and determining the vulnerability characteristics of the attack tool according to the type.
3. The honeypot-based network security assurance method of claim 1, wherein updating configuration parameters of a configuration file according to the vulnerability characteristics to block network security attacks comprises:
determining the IP address of the attacking user terminal according to the attacking tool;
and updating configuration parameters of a configuration file according to the vulnerability characteristics and the characteristic data so as to block network security attacks from the IP address.
4. The honeypot-based network security assurance method of claim 1, further comprising:
generating corresponding alarm information according to the characteristic data and the attack tool;
and displaying the alarm information and sending the alarm information to the target user terminal.
5. The honeypot-based network security assurance method of claim 1, further comprising:
when a security control instruction is received, determining a target IP address carried by the security control instruction;
and according to the security control instruction, disconnecting the communication connection relation with the target IP address and blocking the network security attack of the target IP address.
6. A honeypot-based network security assurance device, comprising:
a data analysis module, used for installing a honeypot in the current device in advance and analyzing real-time traffic data in the current terminal device through the honeypot to obtain characteristic data of the traffic data, wherein the characteristic data comprises a traffic characteristic fingerprint and a communication protocol;
wherein analyzing the real-time traffic data in the current terminal device through the honeypot to obtain the characteristic data of the traffic data comprises: analyzing the traffic data in real time through the honeypot, determining the communication protocol corresponding to the traffic data, converting the traffic data into hexadecimal data, writing the traffic data into different topics of different message queues according to the different communication protocols, and analyzing and determining the traffic characteristic fingerprint of the traffic data, wherein the nodes of the plurality of message queues are registered on the same Zookeeper, Zookeeper being an open-source distributed application coordination service, and each node comprises a plurality of partitions for storing the traffic data;
a matching module, used for determining vulnerability characteristics according to the attack tool when the characteristic data is matched to a corresponding attack tool, which comprises: matching the characteristic data against the attack characteristics in a pre-established network security database; when the attack characteristic corresponding to the characteristic data is matched, determining the attack tool corresponding to that attack characteristic, the network security database comprising a plurality of attack tools and the attack characteristics corresponding to each attack tool, wherein the attack characteristics comprise an attack communication protocol and an attack traffic characteristic fingerprint; and determining the vulnerability characteristics according to the attack tool; wherein the pre-established network security database is established by pre-analyzing all known attack tools to obtain the attack characteristics of each attack tool, and pre-establishing the network security database from the attack tools and their attack characteristics;
a parameter configuration module, used for updating the configuration parameters of a configuration file according to the vulnerability characteristics to block the network security attack, wherein updating the configuration parameters of the configuration file comprises: updating the parameters so as to block all traffic data from the IP address corresponding to the attack tool, and invoking different customized countermeasures according to the vulnerability characteristics.
7. A terminal device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1 to 5 when executing the computer program.
8. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the method according to any one of claims 1 to 5.
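As an added worked example (not code from the patent or its applicant), the following Python models the pipeline described in the device embodiment above and in claims 1 to 6: the honeypot determines the protocol of each traffic record, hex-encodes it and routes it into a per-protocol queue, computes a traffic characteristic fingerprint, matches protocol plus fingerprint against a database pre-built from samples of known attack tools, derives vulnerability characteristics from the tool type, and updates the configuration to block the attacker IP and invoke a customized countermeasure; it also handles the security control instruction of claim 5. Everything the patent leaves unspecified is an assumption here: the payload-based protocol classifier, the fingerprint scheme (the tool-identifying field with version numbers masked, hashed together with the protocol), the tool names, sample payloads, vulnerability labels and countermeasure names, and the in-memory dictionary that stands in for the message-queue topics registered on Zookeeper.

```python
"""Added illustrative model of the claimed honeypot pipeline (not the patent's code).
Tool names, sample payloads, the protocol classifier, the fingerprint scheme and the
vulnerability/countermeasure mapping are all constructed assumptions."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One captured traffic record (constructed input)."""
    src_ip: str
    dst_port: int
    payload: bytes


# Step 1 (claim 1): determine the communication protocol of the traffic.
# Tiny payload-based classifier; the patent does not specify one (assumption).
def detect_protocol(flow: Flow) -> str:
    p = flow.payload
    if p.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "http"
    if p.startswith(b"SSH-"):
        return "ssh"
    if len(p) >= 8 and p[4:8] in (b"\xffSMB", b"\xfeSMB"):
        return "smb"
    return "unknown"


# Step 2: traffic characteristic fingerprint. Assumed scheme: take the field that
# identifies the client tool, mask version numbers so all releases of a tool share
# one fingerprint, and hash it together with the protocol.
_UA = re.compile(rb"user-agent:\s*([^\r\n]+)", re.IGNORECASE)
_VERSION = re.compile(rb"\d+(?:\.\d+)*")


def signature_field(protocol: str, payload: bytes) -> bytes:
    if protocol == "http":
        m = _UA.search(payload)
        return m.group(1) if m else b""
    if protocol == "ssh":
        return payload.split(b"\r\n", 1)[0]     # client banner line
    if protocol == "smb":
        return payload[:8]                       # NetBIOS length + SMB magic
    return payload[:16]


def fingerprint(protocol: str, payload: bytes) -> str:
    masked = _VERSION.sub(b"N", signature_field(protocol, payload).lower())
    return hashlib.sha256(protocol.encode() + b"|" + masked).hexdigest()[:16]


# Step 3: the pre-established network security database is built by running the
# same analysis over samples of known attack tools (constructed, hypothetical names).
KNOWN_TOOL_SAMPLES = [
    ("sqlmap-like web scanner", "web-scanner",
     Flow("0.0.0.0", 80, b"GET /?id=1 HTTP/1.1\r\nUser-Agent: sqlmap/1.6\r\n\r\n")),
    ("ssh brute-forcer", "bruteforce", Flow("0.0.0.0", 22, b"SSH-2.0-libssh_0.9.6\r\n")),
    ("smb exploit kit", "exploit", Flow("0.0.0.0", 445, b"\x00\x00\x00\x2f\xffSMBr\x00")),
]

# Vulnerability characteristics derived from the tool type (claim 2) and the
# customized countermeasure each one invokes (claim 1); both assumed.
VULN_BY_TYPE = {
    "web-scanner": {"vuln": "sql-injection", "countermeasure": "waf_strict_mode"},
    "bruteforce": {"vuln": "weak-credentials", "countermeasure": "auth_rate_limit"},
    "exploit": {"vuln": "smb-remote-code-exec", "countermeasure": "disable_smb1"},
}


def build_attack_db(samples):
    db = {}
    for name, tool_type, flow in samples:
        proto = detect_protocol(flow)
        db[(proto, fingerprint(proto, flow.payload))] = {"tool": name, "type": tool_type}
    return db


class HoneypotGuard:
    """Honeypot-side pipeline: analyze -> match -> update config -> alarm."""

    def __init__(self, attack_db):
        self.attack_db = attack_db
        self.queues = defaultdict(list)  # stand-in for the per-protocol message-queue topics
        self.config = {"blocked_ips": set(), "countermeasures": set()}  # the "configuration file"
        self.alarms = []

    def analyze(self, flow: Flow) -> dict:
        proto = detect_protocol(flow)
        self.queues[proto].append(flow.payload.hex())  # hex-encoded, routed by protocol
        return {"protocol": proto, "fingerprint": fingerprint(proto, flow.payload)}

    def handle(self, flow: Flow):
        features = self.analyze(flow)
        tool = self.attack_db.get((features["protocol"], features["fingerprint"]))
        if tool is None:
            return None  # no known tool matched: nothing is blocked
        vuln = VULN_BY_TYPE[tool["type"]]
        self.config["blocked_ips"].add(flow.src_ip)  # block all traffic from the attacker IP
        self.config["countermeasures"].add(vuln["countermeasure"])
        alarm = {"src_ip": flow.src_ip, "tool": tool["tool"], "vuln": vuln["vuln"], **features}
        self.alarms.append(alarm)  # alarm information (claim 4)
        return alarm

    def control(self, instruction: dict) -> bool:
        """Security control instruction carrying a target IP (claim 5)."""
        if instruction.get("action") == "disconnect" and "target_ip" in instruction:
            self.config["blocked_ips"].add(instruction["target_ip"])
            return True
        return False

    def is_blocked(self, ip: str) -> bool:
        return ip in self.config["blocked_ips"]


if __name__ == "__main__":
    guard = HoneypotGuard(build_attack_db(KNOWN_TOOL_SAMPLES))
    probe = Flow("203.0.113.7", 80,
                 b"GET /login.php?id=2 HTTP/1.1\r\nHost: hp\r\nUser-Agent: sqlmap/1.7.2\r\n\r\n")
    print(guard.handle(probe))
    print(guard.config)
```

Run the module directly for a demonstration. The database is built by passing the known-tool samples through the same detect_protocol and fingerprint functions that analyze live traffic, which is what makes the claimed match well-defined. Version masking is the design choice worth noting: without it every tool release would need its own database entry, and with it a fingerprint is only as specific as the field it is built from, so a match identifies the tool and says nothing about whether the vulnerability that tool targets actually exists on the host.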
CN202210176034.0A 2022-02-24 2022-02-24 Network security guarantee method and device based on honeypot and terminal equipment Active CN114598512B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210176034.0A CN114598512B (en) 2022-02-24 2022-02-24 Network security guarantee method and device based on honeypot and terminal equipment


Publications (2)

Publication Number Publication Date
CN114598512A CN114598512A (en) 2022-06-07
CN114598512B true CN114598512B (en) 2024-02-06

Family

ID=81805200


Country Status (1)

Country Link
CN (1) CN114598512B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114944961B (en) * 2022-07-01 2023-04-18 广东瑞普科技股份有限公司 Network security protection method, device and system and electronic equipment
CN116170352A (en) * 2023-02-01 2023-05-26 北京首都在线科技股份有限公司 Network traffic processing method and device, electronic equipment and storage medium
CN116170242A (en) * 2023-04-26 2023-05-26 烽台科技(北京)有限公司 Network attack processing method, device, server and storage medium

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107404465A (en) * 2016-05-20 2017-11-28 阿里巴巴集团控股有限公司 Network data analysis method and server
CN109314698A (en) * 2016-02-23 2019-02-05 区块链控股有限公司 Preemptive Response Security System for Protecting Computer Networks and Systems
CN109361670A (en) * 2018-10-21 2019-02-19 北京经纬信安科技有限公司 Utilize the device and method of the targeted Dynamical Deployment capture malice sample of honey jar
CN110011982A (en) * 2019-03-19 2019-07-12 西安交通大学 A kind of attack intelligence deception system and method based on virtualization
CN111767548A (en) * 2020-06-28 2020-10-13 杭州迪普科技股份有限公司 Vulnerability capturing method, device, equipment and storage medium
CN111885067A (en) * 2020-07-28 2020-11-03 福建奇点时空数字科技有限公司 Flow-oriented integrated honeypot threat data capturing method
CN111885060A (en) * 2020-07-23 2020-11-03 上海交通大学 Internet of vehicles-oriented nondestructive information security vulnerability detection system and method
CN112383546A (en) * 2020-11-13 2021-02-19 腾讯科技(深圳)有限公司 Method for processing network attack behavior, related device and storage medium
WO2021033506A1 (en) * 2019-08-21 2021-02-25 株式会社日立製作所 Network monitoring device, network monitoring method, and storage medium having network monitoring program stored thereon
CN112615863A (en) * 2020-12-18 2021-04-06 成都知道创宇信息技术有限公司 Method, device, server and storage medium for resisting attack host
CN113676497A (en) * 2021-10-22 2021-11-19 广州锦行网络科技有限公司 Data blocking method and device, electronic equipment and storage medium
CN113904820A (en) * 2021-09-27 2022-01-07 杭州安恒信息技术股份有限公司 Network intrusion prevention method, system, computer and readable storage medium




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant