CN114861168A - Anti-escape attack behavior deception honeypot construction method - Google Patents


Info

Publication number: CN114861168A
Authority: CN (China)
Prior art keywords: honeypot, program, container, daemon, escape
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202210548403.4A
Other languages: Chinese (zh)
Inventors: 黄龙飞, 刘可渔
Current assignee: Shanghai Pan Yu Network Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Shanghai Pan Yu Network Technology Co ltd
Priority date: 2022-05-20 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2022-05-20
Publication date: 2022-08-05

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files
    • G06F9/4451 User profiles; Roaming
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/48 Program initiating; Program switching, e.g. by interrupt
    • G06F9/4806 Task transfer initiation or dispatching
    • G06F9/4843 Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system
    • G06F9/485 Task life-cycle, e.g. stopping, restarting, resuming execution

Abstract

The invention relates to the technical field of network security, in particular to an anti-escape attack behavior deception honeypot construction method. A management platform creates honeypot containers with different functions, each with its own daemon process, and honeypots are deployed in the containers. When the daemon process finds that a work process executed by the system has stopped, or that an unknown process has started, the honeypot container is automatically closed. When a legitimate program is installed, configured or started, the daemon checks it against a white list and by sha256. If the check succeeds, the program starts normally; if it fails, the program is written to the alarm log and locked inside the honeypot container. The method targets attack behavior precisely, effectively prevents the risk of honeypot escape, and improves the security and stability of the network environment.

Description

Anti-escape attack behavior deception honeypot construction method
Technical Field
The invention relates to the technical field of network security, in particular to an anti-escape attack behavior deception honeypot construction method.
Background
With the development of high-speed networks, the resources in those networks have multiplied, and how to secure the resources exposed on the network is a problem that urgently needs solving. Honeypot technology is essentially a technique for deceiving attackers: hosts, network services or information are arranged as bait so that attackers are lured into attacking them. The attack behavior can then be captured and analyzed, the tools and methods used by attackers learned, their intentions and motivations inferred, the security threats faced by the defenders understood clearly, and the protection of the real system strengthened by technical and management means.
In existing network security practice, the operating system and the virtualization tool software may contain bugs, and an attacker can exploit those bugs with an attack tool to escape from the honeypot, which lowers the security and stability of the network environment.
Disclosure of Invention
To address the problems described in the background, an anti-escape attack behavior deception honeypot construction method is provided. A management platform creates honeypot containers with different functions, each with its own daemon process, and honeypots are deployed in the containers. When the daemon process finds that a work process executed by the system has stopped, or that an unknown process has started, the honeypot container is automatically closed. When a legitimate program is installed, configured or started, the daemon checks it against a white list and by sha256. If the check succeeds, the program starts normally; if it fails, the program is written to the alarm log and locked inside the honeypot container. The method targets attack behavior precisely, effectively prevents the risk of honeypot escape, and improves the security and stability of the network environment.
The invention provides an anti-escape attack behavior deception honeypot construction method comprising the following steps:
s1, establishing a management platform; creating honeypot containers with different functions through the management platform, and arranging a plurality of trapping nodes in the system environment;
s2, isolating the trapping nodes one by one in honeypot containers, and arranging a daemon process in each honeypot container;
s3, deploying honeypots in the honeypot containers one by one, and binding each honeypot to its trapping node and daemon process; running the honeypots, honeypot containers and system;
s4, when the daemon process finds that a work process executed by the system has stopped, or that an unknown process has started, the honeypot container is automatically closed; when a legitimate program is installed and configured, or any program is started, the daemon process performs a check;
s5, if the check succeeds, the program starts normally; if it fails, the program is written to the alarm log and locked in the honeypot container.
Preferably, the management platform comprises a mirror module, honeypot containers, a mirror repository, a daemon module, a control module and a check module.
Preferably, the mirror module provides the programs, libraries, resources and configuration files required by the honeypot at runtime, and also holds configuration parameters prepared for the honeypot runtime.
Preferably, a data interface is arranged on the honeypot container; the data interface is provided with a detection unit and a truncation unit, and the daemon process is connected to both.
Preferably, the check module comprises a data acquisition unit, a white list repository, a check unit and a feedback unit, and is configured to acquire user behavior data in advance, establish a white list, compare a process in the system against the white list, and determine whether the process is an allowed work process.
Preferably, the acquisition unit collects normal behavior data and abnormal behavior data, extracts the characteristic value sequence of each data packet, and stores the sequences by class; the white list is the set of characteristic value sequences of normal behavior data.
Preferably, the daemon process performs the white list check on the currently executing process, and only programs on the white list can be started.
Preferably, the white list check method comprises: matching the characteristic value sequence of the currently executing process against the pre-stored set of characteristic value sequences of normal behavior data, and judging the check to have passed on a match.
Preferably, when a legitimate program is installed and configured, or any program is started, the daemon uses sha256 to verify the host file; the data input to the hash function and the digest it produces must be in one-to-one correspondence, each digest must have a fixed length, and the data content cannot be recovered from the digest.
Preferably, the daemon process also checks the start code parameters of other programs; the start parameters are randomly generated and fixed by the system, so if an attacker tries to start the communication program through a program with a code overflow, the communication program cannot start normally because the attacker does not know the start code parameters, and the honeypot writes an alarm log at the same time.
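As an added illustration (not code from the patent or its assignee) of the daemon logic in steps s4 and s5 and in the check-module, sha256 and start-code paragraphs above, the following Python sketch combines the white list check, the host-file sha256 check, the random start code parameter and the container-close decision, with every failure written to an alarm log. The white list, the file manifest, the process names and the HoneypotDaemon class are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data for the illustration. The patent derives the white
# list from characteristic value sequences extracted from captured packets of
# normal behavior; here a sequence is a tuple of (process, protocol, port, action).
WHITELIST = {
    ("sshd", "tcp", 22, "accept"),
    ("httpd", "tcp", 80, "accept"),
}
# Work processes the honeypot container is expected to keep running (assumed).
WORK_PROCESSES = {"sshd", "httpd"}
KNOWN_PROCESSES = {seq[0] for seq in WHITELIST}


def sha256_hex(data: bytes) -> str:
    """Fixed-length digest of file content; the content cannot be recovered from it."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class HoneypotDaemon:
    """Hypothetical daemon implementing the s4/s5 checks described in the patent."""
    manifest: dict                      # host file path -> sha256 recorded at install time
    start_code: str = field(default_factory=lambda: secrets.token_hex(16))  # random, fixed per system
    alarm_log: list = field(default_factory=list)
    locked: set = field(default_factory=set)

    def check_whitelist(self, feature_seq) -> bool:
        """White list check: the process's characteristic value sequence must match a stored one."""
        return tuple(feature_seq) in WHITELIST

    def check_host_file(self, path: str, content: bytes) -> bool:
        """sha256 check of a host file against the digest recorded for it."""
        expected = self.manifest.get(path)
        if expected is None:
            return False
        return hmac.compare_digest(sha256_hex(content), expected)

    def check_start_code(self, supplied: str) -> bool:
        """Start code parameter check; a program launched via a code overflow will not know it."""
        return hmac.compare_digest(supplied, self.start_code)

    def authorize_start(self, name, feature_seq, path, content, supplied_code) -> bool:
        """s5: start normally only if every check passes; otherwise log an alarm and lock."""
        failures = []
        if not self.check_whitelist(feature_seq):
            failures.append("not in white list")
        if not self.check_host_file(path, content):
            failures.append("sha256 mismatch")
        if not self.check_start_code(supplied_code):
            failures.append("bad start code")
        if failures:
            self.alarm_log.append(f"{name}: {'; '.join(failures)}")
            self.locked.add(name)
            return False
        return True

    def should_close_container(self, running: set) -> bool:
        """s4: close the container when a work process stopped or an unknown process is running."""
        stopped = WORK_PROCESSES - running
        unknown = running - KNOWN_PROCESSES
        if stopped or unknown:
            self.alarm_log.append(f"close container: stopped={sorted(stopped)} unknown={sorted(unknown)}")
            return True
        return False


if __name__ == "__main__":
    # Constructed host-file manifest and a sample launch request.
    manifest = {"/usr/sbin/httpd": sha256_hex(b"httpd binary bytes")}
    daemon = HoneypotDaemon(manifest)
    ok = daemon.authorize_start("httpd", ("httpd", "tcp", 80, "accept"),
                                "/usr/sbin/httpd", b"httpd binary bytes", daemon.start_code)
    print("httpd start allowed:", ok)
    print("close container:", daemon.should_close_container({"sshd", "httpd", "unknown_tool"}))
    print("alarm log:", daemon.alarm_log)
```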
Compared with the prior art, the invention has the following beneficial technical effects:
a management platform creates honeypot containers with different functions, each with its own daemon process, and honeypots are deployed in the containers. When the daemon process finds that a work process executed by the system has stopped, or that an unknown process has started, the honeypot container is automatically closed. When a legitimate program is installed, configured or started, the daemon checks it against a white list and by sha256. If the check succeeds, the program starts normally; if it fails, the program is written to the alarm log and locked inside the honeypot container. The method targets attack behavior precisely, effectively prevents the risk of honeypot escape, and improves the security and stability of the network environment.
Drawings
FIG. 1 is a flow chart of a method according to an embodiment of the present invention.
Detailed Description
Example one
As shown in FIG. 1, the anti-escape attack behavior deception honeypot construction method provided by the invention comprises the following steps:
s1, establishing a management platform; creating honeypot containers with different functions through the management platform, and arranging a plurality of trapping nodes in the system environment;
s2, isolating the trapping nodes one by one in honeypot containers, and arranging a daemon process in each honeypot container;
s3, deploying honeypots in the honeypot containers one by one, and binding each honeypot to its trapping node and daemon process; running the honeypots, honeypot containers and system;
s4, when the daemon process finds that a work process executed by the system has stopped, or that an unknown process has started, the honeypot container is automatically closed; when a legitimate program is installed and configured, or any program is started, the daemon process performs a check;
s5, if the check succeeds, the program starts normally; if it fails, the program is written to the alarm log and locked in the honeypot container.
Example two
As shown in FIG. 1, the anti-escape attack behavior deception honeypot construction method provided by the invention comprises the following steps:
s1, establishing a management platform; creating honeypot containers with different functions through the management platform, and arranging a plurality of trapping nodes in the system environment;
s2, isolating the trapping nodes one by one in honeypot containers, and arranging a daemon process in each honeypot container;
s3, deploying honeypots in the honeypot containers one by one, and binding each honeypot to its trapping node and daemon process; running the honeypots, honeypot containers and system;
s4, when the daemon process finds that a work process executed by the system has stopped, or that an unknown process has started, the honeypot container is automatically closed; when a legitimate program is installed and configured, or any program is started, the daemon process performs a check;
s5, if the check succeeds, the program starts normally; if it fails, the program is written to the alarm log and locked in the honeypot container.
Further, the management platform comprises a mirror module, honeypot containers, a mirror repository, a daemon module, a control module and a check module.
Further, the mirror module provides the programs, libraries, resources and configuration files required for honeypot container operation, and also holds configuration parameters prepared for honeypot container operation.
Further, a data interface is arranged on the honeypot container; the data interface is provided with a detection unit and a truncation unit, and the daemon process is connected to both.
Further, the check module comprises a data acquisition unit, a white list repository, a check unit and a feedback unit, and is used to acquire user behavior data in advance, establish a white list, compare a process in the system against the white list, and judge whether the process is an allowed work process.
Further, the acquisition unit collects normal behavior data and abnormal behavior data, extracts the characteristic value sequence of each data packet, and stores the sequences by class; the white list is the set of characteristic value sequences of normal behavior data.
Example three
As shown in FIG. 1, the anti-escape attack behavior deception honeypot construction method provided by the invention comprises the following steps:
s1, establishing a management platform; creating honeypot containers with different functions through the management platform, and arranging a plurality of trapping nodes in the system environment;
s2, isolating the trapping nodes one by one in honeypot containers, and arranging a daemon process in each honeypot container;
s3, deploying honeypots in the honeypot containers one by one, and binding each honeypot to its trapping node and daemon process; running the honeypots, honeypot containers and system;
s4, when the daemon process finds that a work process executed by the system has stopped, or that an unknown process has started, the honeypot container is automatically closed; when a legitimate program is installed and configured, or any program is started, the daemon process performs a check;
s5, if the check succeeds, the program starts normally; if it fails, the program is written to the alarm log and locked in the honeypot container.
Further, the management platform comprises a mirror module, honeypot containers, a mirror repository, a daemon module, a control module and a check module.
Further, the mirror module provides the programs, libraries, resources and configuration files required for honeypot container operation, and also holds configuration parameters prepared for honeypot container operation.
Further, a data interface is arranged on the honeypot container; the data interface is provided with a detection unit and a truncation unit, and the daemon process is connected to both.
Further, the check module comprises a data acquisition unit, a white list repository, a check unit and a feedback unit, and is used to acquire user behavior data in advance, establish a white list, compare a process in the system against the white list, and judge whether the process is an allowed work process.
Further, the acquisition unit collects normal behavior data and abnormal behavior data, extracts the characteristic value sequence of each data packet, and stores the sequences by class; the white list is the set of characteristic value sequences of normal behavior data.
Further, the daemon process performs the white list check on the currently executing process, and only programs on the white list can be started.
Further, the white list check method comprises the following step: matching the characteristic value sequence of the currently executing process against the pre-stored set of characteristic value sequences of normal behavior data, and judging the check to have passed on a match.
Furthermore, when a legitimate program is installed and configured, or any program is started, the daemon uses sha256 to verify the host file; the data input to the hash function and the digest it produces must be in one-to-one correspondence, each digest must have a fixed length, and the data content cannot be recovered from the digest.
Furthermore, the daemon process can also check the start code parameters of other programs; the start parameters are randomly generated and fixed by the system, so if an attacker tries to start the communication program through a program with a code overflow, the communication program cannot start normally because the start code parameters are unknown to the attacker, and the honeypot writes an alarm log at the same time.
In summary, a management platform creates honeypot containers with different functions, each with its own daemon process, and honeypots are deployed in the containers. When the daemon process finds that a work process executed by the system has stopped, or that an unknown process has started, the honeypot container is automatically closed. When a legitimate program is installed, configured or started, the daemon checks it against a white list and by sha256. If the check succeeds, the program starts normally; if it fails, the program is written to the alarm log and locked inside the honeypot container. The method targets attack behavior precisely, effectively prevents the risk of honeypot escape, and improves the security and stability of the network environment.
The embodiments of the present invention have been described in detail with reference to the drawings, but the invention is not limited to them, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the invention.

Claims (10)

1. An anti-escape attack behavior deception honeypot construction method, characterized by comprising the following steps:
s1, establishing a management platform; creating honeypot containers with different functions through the management platform, and arranging a plurality of trapping nodes in the system environment;
s2, isolating the trapping nodes one by one in honeypot containers, and arranging a daemon process in each honeypot container;
s3, deploying honeypots in the honeypot containers one by one, and binding each honeypot to its trapping node and daemon process; running the honeypots, honeypot containers and system;
s4, when the daemon process finds that a work process executed by the system has stopped, or that an unknown process has started, the honeypot container is automatically closed; when a legitimate program is installed and configured, or any program is started, the daemon process performs a check;
s5, if the check succeeds, the program starts normally; if it fails, the program is written to the alarm log and locked in the honeypot container.
2. The anti-escape attack behavior deception honeypot construction method according to claim 1, wherein the management platform comprises a mirror module, honeypot containers, a mirror repository, a daemon module, a control module and a check module.
3. The anti-escape attack behavior deception honeypot construction method according to claim 2, wherein the mirror module, in addition to the programs, libraries, resources and configuration files required by the honeypot container at runtime, further comprises configuration parameters prepared for the honeypot container runtime.
4. The anti-escape attack behavior deception honeypot construction method according to claim 2, wherein a data interface is arranged on the honeypot container; the data interface is provided with a detection unit and a truncation unit, and the daemon process is connected to both.
5. The anti-escape attack behavior deception honeypot construction method according to claim 2, wherein the check module comprises a data acquisition unit, a white list repository, a check unit and a feedback unit, and is configured to acquire user behavior data in advance, establish a white list, compare a process in the system against the white list, and determine whether the process is an allowed work process.
6. The anti-escape attack behavior deception honeypot construction method according to claim 5, wherein the acquisition unit collects normal behavior data and abnormal behavior data, extracts the characteristic value sequence of each data packet, and stores the sequences by class; the white list is the set of characteristic value sequences of normal behavior data.
7. The method according to claim 6, wherein the daemon process performs the white list check on the currently executing process, and only programs on the white list can be started.
8. The anti-escape attack behavior deception honeypot construction method according to claim 7, wherein the white list check method comprises: matching the characteristic value sequence of the currently executing process against the pre-stored set of characteristic value sequences of normal behavior data, and judging the check to have passed on a match.
9. The anti-escape attack behavior deception honeypot construction method according to claim 1, wherein, when a legitimate program is installed and configured, or any program is started, the daemon process uses sha256 to check the host file; the data input to the hash function and the digest it produces must be in one-to-one correspondence, each digest must have a fixed length, and the data content cannot be recovered from the digest.
10. The method according to claim 1, wherein the daemon process checks the start code parameters of other programs; the start parameters are randomly generated and fixed by the system, so if an attacker tries to start the communication program through a program with a code overflow, the communication program cannot start normally because the start code parameters are unknown to the attacker, and the honeypot writes an alarm log.

Priority Applications (1)

Application Number / Priority Date / Filing Date / Title
CN202210548403.4A / 2022-05-20 / 2022-05-20 / Anti-escape attack behavior deception honeypot construction method

Publications (1)

Publication Number / Publication Date
CN114861168A (en) / 2022-08-05

Family

ID=82638342

Family Applications (1)

Application Number / Title / Priority Date / Filing Date / Status
CN202210548403.4A / Anti-escape attack behavior deception honeypot construction method / 2022-05-20 / 2022-05-20 / Pending

Country Status (1)

Country / Link
CN (1) / CN114861168A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115086081A (en) * 2022-08-08 2022-09-20 北京永信至诚科技股份有限公司 Escape prevention method and system for honeypots

Legal Events

Date / Code / Title / Description
PB01 / Publication
SE01 / Entry into force of request for substantive examination