CN114861168A - Anti-escape attack behavior deception honeypot construction method - Google Patents
- Publication number: CN114861168A (application CN202210548403.4A)
- Authority: CN (China)
- Prior art keywords: honeypot, program, container, daemon, escape
- Legal status: Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44505—Configuring for program initiating, e.g. using registry, configuration files
- G06F9/4451—User profiles; Roaming
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/48—Program initiating; Program switching, e.g. by interrupt
- G06F9/4806—Task transfer initiation or dispatching
- G06F9/4843—Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system
- G06F9/485—Task life-cycle, e.g. stopping, restarting, resuming execution
Abstract
The invention relates to the technical field of network security, in particular to an anti-escape attack behavior deception honeypot construction method. A management platform creates honeypot containers with different functions together with daemon processes, and honeypots are deployed in the containers. When the daemon process finds that a work process executed by the system has stopped, or that an unknown process has started, the honeypot container is automatically closed. When a legitimate program is installed, configured or started, the daemon verifies it using a white list and sha256. If verification succeeds, the program starts normally; if it fails, the program is written to the alarm log and locked inside the honeypot container. The method is strongly targeted at attack behavior, effectively prevents the risk of honeypot escape, and improves the security and stability of the network environment.
Description
Technical Field
The invention relates to the technical field of network security, in particular to an anti-escape attack behavior deception honeypot construction method.
Background
With the development of high-speed networks, the resources in those networks have multiplied, and how to improve the security of resources exposed to the network is a problem that urgently needs to be solved. Honeypot technology is essentially a technology for deceiving attackers: hosts, network services or information are arranged as bait to lure attackers into attacking them, so that attack behavior can be captured and analyzed, the tools and methods used by attackers become known, attack intentions and motivations can be inferred, defenders gain a clear picture of the security threats they face, and the security protection capability of the real system can be strengthened by technical and management means.
In existing network security technology, the operating system and the virtualization tool software in use may contain vulnerabilities, and an attacker can exploit them with an attack tool to achieve honeypot escape, which reduces the security and stability of the network environment.
Disclosure of Invention
Aiming at the problems in the background art, an anti-escape attack behavior deception honeypot construction method is provided. A management platform creates honeypot containers with different functions together with daemon processes, and honeypots are deployed in the containers. When the daemon process finds that a work process executed by the system has stopped, or that an unknown process has started, the honeypot container is automatically closed. When a legitimate program is installed, configured or started, the daemon verifies it using a white list and sha256. If verification succeeds, the program starts normally; if it fails, the program is written to the alarm log and locked inside the honeypot container. The method is strongly targeted at attack behavior, effectively prevents the risk of honeypot escape, and improves the security and stability of the network environment.
The invention provides an anti-escape attack behavior deception honeypot construction method, which comprises the following steps:
S1, establishing a management platform; creating honeypot containers with different functions through the management platform, and arranging a plurality of trapping nodes in the system environment;
S2, isolating the trapping nodes one by one with the honeypot containers, and arranging a daemon process in each honeypot container;
S3, deploying honeypots in the honeypot containers one by one, and binding each honeypot with its trapping node and daemon process; running the honeypots, the honeypot containers and the system;
S4, when the daemon process finds that a work process executed by the system has stopped, or that an unknown process has started, automatically closing the honeypot container; when a legitimate program is installed and configured, or when any program is started, the daemon process performs verification;
S5, if verification succeeds, starting the program normally; if verification fails, writing the program to the alarm log and locking it in the honeypot container.
Preferably, the management platform comprises an image module, honeypot containers, an image repository, a daemon module, a control module and a check module.
Preferably, the image module provides the programs, libraries, resources and configuration files required by the honeypot at runtime, and also contains configuration parameters prepared for the honeypot at runtime.
Preferably, a data interface is arranged on the honeypot container; the data interface is provided with a detection unit and a truncation unit; and the daemon process is connected to the detection unit and the truncation unit.
Preferably, the check module comprises a data acquisition unit, a white list repository, a check unit and a feedback unit, and is configured to acquire user behavior data in advance, establish a white list, compare a process in the system against the white list, and determine whether the process is an allowed work process.
Preferably, the acquisition unit collects normal behavior data and abnormal behavior data, extracts the characteristic value sequence of each data packet, and stores the characteristic value sequences by class; the white list is the set of characteristic value sequences of normal behavior data.
Preferably, the daemon process checks the currently executed process against the white list, and only programs on the white list can be started.
Preferably, the white list verification method comprises: matching the characteristic value sequence of the currently executed process against the pre-stored set of characteristic value sequences of normal behavior data; if it matches, the verification is judged to have passed.
Preferably, when a legitimate program is installed and configured, or when any program is started, the daemon uses sha256 to verify the host file; the data input to the hash function and the digest obtained from it must correspond one to one, the length of each digest must be fixed, and the data content cannot be recovered from the digest.
Preferably, the daemon process also checks the start code parameters of other programs at the same time; the start parameters are randomly generated and fixed by the system, so that if an attacker starts the communication program through a program with a code overflow, the communication program cannot start normally because the attacker does not know the start code parameters, and at the same time the honeypot writes an alarm log entry.
Compared with the prior art, the invention has the following beneficial technical effects:
The invention creates honeypot containers with different functions together with daemon processes through the management platform, and deploys honeypots in the containers. When the daemon process finds that a work process executed by the system has stopped, or that an unknown process has started, the honeypot container is automatically closed. When a legitimate program is installed, configured or started, the daemon verifies it using a white list and sha256. If verification succeeds, the program starts normally; if it fails, the program is written to the alarm log and locked inside the honeypot container. The method is strongly targeted at attack behavior, effectively prevents the risk of honeypot escape, and improves the security and stability of the network environment.
Drawings
FIG. 1 is a flow chart of a method according to an embodiment of the present invention.
Detailed Description
Example one
As shown in FIG. 1, the anti-escape attack behavior deception honeypot construction method provided by the invention comprises the following steps:
S1, establishing a management platform; creating honeypot containers with different functions through the management platform, and arranging a plurality of trapping nodes in the system environment;
S2, isolating the trapping nodes one by one with the honeypot containers, and arranging a daemon process in each honeypot container;
S3, deploying honeypots in the honeypot containers one by one, and binding each honeypot with its trapping node and daemon process; running the honeypots, the honeypot containers and the system;
S4, when the daemon process finds that a work process executed by the system has stopped, or that an unknown process has started, automatically closing the honeypot container; when a legitimate program is installed and configured, or when any program is started, the daemon process performs verification;
S5, if verification succeeds, starting the program normally; if verification fails, writing the program to the alarm log and locking it in the honeypot container.
Example two
As shown in FIG. 1, the anti-escape attack behavior deception honeypot construction method provided by the invention comprises the following steps:
S1, establishing a management platform; creating honeypot containers with different functions through the management platform, and arranging a plurality of trapping nodes in the system environment;
S2, isolating the trapping nodes one by one with the honeypot containers, and arranging a daemon process in each honeypot container;
S3, deploying honeypots in the honeypot containers one by one, and binding each honeypot with its trapping node and daemon process; running the honeypots, the honeypot containers and the system;
S4, when the daemon process finds that a work process executed by the system has stopped, or that an unknown process has started, automatically closing the honeypot container; when a legitimate program is installed and configured, or when any program is started, the daemon process performs verification;
S5, if verification succeeds, starting the program normally; if verification fails, writing the program to the alarm log and locking it in the honeypot container.
Further, the management platform comprises an image module, honeypot containers, an image repository, a daemon module, a control module and a check module.
Further, the image module provides the programs, libraries, resources and configuration files required by the honeypot container at runtime, and also contains configuration parameters prepared for the honeypot container at runtime.
Further, a data interface is arranged on the honeypot container; the data interface is provided with a detection unit and a truncation unit; and the daemon process is connected to the detection unit and the truncation unit.
Further, the check module comprises a data acquisition unit, a white list repository, a check unit and a feedback unit, and is used to acquire user behavior data in advance, establish a white list, compare a process in the system against the white list, and judge whether the process is an allowed work process.
Further, the acquisition unit collects normal behavior data and abnormal behavior data, extracts the characteristic value sequence of each data packet, and stores the characteristic value sequences by class; the white list is the set of characteristic value sequences of normal behavior data.
Example three
As shown in FIG. 1, the anti-escape attack behavior deception honeypot construction method provided by the invention comprises the following steps:
S1, establishing a management platform; creating honeypot containers with different functions through the management platform, and arranging a plurality of trapping nodes in the system environment;
S2, isolating the trapping nodes one by one with the honeypot containers, and arranging a daemon process in each honeypot container;
S3, deploying honeypots in the honeypot containers one by one, and binding each honeypot with its trapping node and daemon process; running the honeypots, the honeypot containers and the system;
S4, when the daemon process finds that a work process executed by the system has stopped, or that an unknown process has started, automatically closing the honeypot container; when a legitimate program is installed and configured, or when any program is started, the daemon process performs verification;
S5, if verification succeeds, starting the program normally; if verification fails, writing the program to the alarm log and locking it in the honeypot container.
Further, the management platform comprises an image module, honeypot containers, an image repository, a daemon module, a control module and a check module.
Further, the image module provides the programs, libraries, resources and configuration files required by the honeypot container at runtime, and also contains configuration parameters prepared for the honeypot container at runtime.
Further, a data interface is arranged on the honeypot container; the data interface is provided with a detection unit and a truncation unit; and the daemon process is connected to the detection unit and the truncation unit.
Further, the check module comprises a data acquisition unit, a white list repository, a check unit and a feedback unit, and is used to acquire user behavior data in advance, establish a white list, compare a process in the system against the white list, and judge whether the process is an allowed work process.
Further, the acquisition unit collects normal behavior data and abnormal behavior data, extracts the characteristic value sequence of each data packet, and stores the characteristic value sequences by class; the white list is the set of characteristic value sequences of normal behavior data.
Further, the daemon process checks the currently executed process against the white list, and only programs on the white list can be started.
Further, the white list verification method comprises the following step: matching the characteristic value sequence of the currently executed process against the pre-stored set of characteristic value sequences of normal behavior data; if it matches, the verification is judged to have passed.
Furthermore, when a legitimate program is installed and configured, or when any program is started, the daemon uses sha256 to verify the host file; the data input to the hash function and the digest obtained from it must correspond one to one, the length of each digest must be fixed, and the data content cannot be recovered from the digest.
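As an added illustration of the check module described above (example code written for this page, not part of the patent or of any implementation of it): a daemon-side start gate that combines the white list of characteristic value sequences with sha256 verification of the host file, writes a refused program to an alarm log and marks it locked. The feature names, file contents, class layout and manifest format are constructed assumptions.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A characteristic value sequence is the tuple of features the acquisition
# unit extracts for a process; the feature names used below are constructed.
FeatureSeq = Tuple[str, ...]


@dataclass
class CheckModule:
    """White list repository, sha256 manifest and alarm log (assumed layout)."""
    whitelist: Set[FeatureSeq]            # sequences of normal behavior data
    manifest: Dict[str, str]              # host file path -> enrolled sha256
    alarm_log: List[str] = field(default_factory=list)
    locked: Set[str] = field(default_factory=set)

    @staticmethod
    def sha256_of(path: str) -> str:
        """Fixed-length (64 hex digit) digest of a host file, hashed in
        chunks so a large binary need not fit in memory."""
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest()

    def whitelist_ok(self, seq: FeatureSeq) -> bool:
        # Exact match against the stored sequences of normal behavior data.
        return seq in self.whitelist

    def hash_ok(self, path: str) -> bool:
        # Fail closed: a file with no enrolled digest is never allowed to start.
        expected = self.manifest.get(path)
        return expected is not None and self.sha256_of(path) == expected

    def verify_start(self, path: str, seq: FeatureSeq) -> bool:
        """Daemon gate for a program start (steps S4/S5): both checks must
        pass; otherwise the program is written to the alarm log and locked."""
        if not self.whitelist_ok(seq):
            reason = "characteristic value sequence not in white list"
        elif not self.hash_ok(path):
            reason = "sha256 of host file does not match enrolled value"
        else:
            return True
        self.alarm_log.append(f"ALARM start denied: {path}: {reason}")
        self.locked.add(path)          # stays inside the honeypot container
        return False


def demo() -> Dict[str, object]:
    """Constructed scenario: an enrolled program, the same file after it has
    been modified, and a program that was never enrolled."""
    with tempfile.TemporaryDirectory() as d:
        commsvc = os.path.join(d, "commsvc")
        dropper = os.path.join(d, "dropper")
        with open(commsvc, "wb") as f:
            f.write(b"#!/bin/sh\necho legitimate communication program\n")
        with open(dropper, "wb") as f:
            f.write(b"#!/bin/sh\necho never enrolled\n")

        comm_seq: FeatureSeq = ("exe:commsvc", "parent:daemon", "net:listen")
        check = CheckModule(
            whitelist={comm_seq, ("exe:logrotate", "parent:cron", "net:none")},
            manifest={commsvc: CheckModule.sha256_of(commsvc)},  # enrolled at install
        )
        legit = check.verify_start(commsvc, comm_seq)
        # The enrolled file is altered after enrolment; its digest no longer matches.
        with open(commsvc, "ab") as f:
            f.write(b"# appended after enrolment\n")
        tampered = check.verify_start(commsvc, comm_seq)
        unknown = check.verify_start(dropper, ("exe:dropper", "parent:sh", "net:connect"))
        return {
            "legit": legit,
            "tampered": tampered,
            "unknown": unknown,
            "alarms": list(check.alarm_log),
            "locked": sorted(os.path.basename(p) for p in check.locked),
        }
```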
Furthermore, the daemon process can also check the start code parameters of other programs at the same time; the start parameters are randomly generated and fixed by the system, so that if an attacker starts the communication program through a program with a code overflow, the communication program cannot start normally because the start code parameters are unknown, and at the same time the honeypot writes an alarm log entry.
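An added example (written for this page, not code from the patent) of the daemon behavior in step S4 and of the start code parameter in the preceding paragraph: the daemon closes the container when a work process stops or an unknown process appears, and the communication program starts only when the fixed, randomly generated parameter is presented. The class name, the process names and the string form of the parameter are assumptions.

```python
import hmac
import secrets
from typing import Dict, List, Optional, Set


class Daemon:
    """Assumed daemon of one honeypot container: watches the process set
    (step S4) and holds the fixed start code parameter."""

    def __init__(self, work_processes: Set[str], known_processes: Set[str]) -> None:
        self.work_processes = set(work_processes)                # must keep running
        self.known = set(known_processes) | self.work_processes  # anything else is unknown
        self.container_open = True
        self.alarm_log: List[str] = []
        # Generated once at system start and then fixed; 128 bits of entropy,
        # so a program that was not handed the value cannot guess it.
        self.start_param = secrets.token_hex(16)

    def observe(self, running: Set[str]) -> Optional[str]:
        """Step S4: return why the container was closed, or None if healthy."""
        stopped = self.work_processes - running
        unknown = running - self.known
        if not stopped and not unknown:
            return None
        reason = (f"work process stopped: {sorted(stopped)}" if stopped
                  else f"unknown process started: {sorted(unknown)}")
        self.alarm_log.append(f"ALARM container closed: {reason}")
        self.container_open = False
        return reason

    def start_communication_program(self, supplied: Optional[str]) -> bool:
        """The program starts only with the exact start code parameter."""
        if not self.container_open:
            self.alarm_log.append("ALARM start refused: container is closed")
            return False
        # Constant-time comparison so timing does not leak the fixed value.
        if supplied is not None and hmac.compare_digest(self.start_param, supplied):
            return True
        # A launch that does not carry the parameter is refused and logged.
        self.alarm_log.append("ALARM start refused: start code parameter mismatch")
        return False


def demo() -> Dict[str, object]:
    """Constructed scenario with two containers: one sees an unknown process,
    the other sees a work process stop. All process names are made up."""
    a = Daemon(work_processes={"commsvc", "honey-sshd"}, known_processes={"sh", "logrotate"})
    healthy = a.observe({"commsvc", "honey-sshd", "logrotate"})
    own_launch = a.start_communication_program(a.start_param)   # daemon's own launch
    blind_launch = a.start_communication_program("0" * 32)      # constructed wrong value
    closed_for = a.observe({"commsvc", "honey-sshd", "xfer"})   # "xfer" is not known
    after_close = a.start_communication_program(a.start_param)

    b = Daemon(work_processes={"commsvc", "honey-sshd"}, known_processes={"sh"})
    stopped_for = b.observe({"honey-sshd", "sh"})
    return {
        "healthy": healthy,
        "own_launch": own_launch,
        "blind_launch": blind_launch,
        "closed_for": closed_for,
        "after_close": after_close,
        "stopped_for": stopped_for,
        "alarms_a": list(a.alarm_log),
    }
```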
The invention creates honeypot containers with different functions together with daemon processes through the management platform, and deploys honeypots in the containers. When the daemon process finds that a work process executed by the system has stopped, or that an unknown process has started, the honeypot container is automatically closed. When a legitimate program is installed, configured or started, the daemon verifies it using a white list and sha256. If verification succeeds, the program starts normally; if it fails, the program is written to the alarm log and locked inside the honeypot container. The method is strongly targeted at attack behavior, effectively prevents the risk of honeypot escape, and improves the security and stability of the network environment.
The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited thereto, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.
Claims (10)
1. An anti-escape attack behavior deception honeypot construction method, characterized by comprising the following steps:
S1, establishing a management platform; creating honeypot containers with different functions through the management platform, and arranging a plurality of trapping nodes in the system environment;
S2, isolating the trapping nodes one by one with the honeypot containers, and arranging a daemon process in each honeypot container;
S3, deploying honeypots in the honeypot containers one by one, and binding each honeypot with its trapping node and daemon process; running the honeypots, the honeypot containers and the system;
S4, when the daemon process finds that a work process executed by the system has stopped, or that an unknown process has started, automatically closing the honeypot container; when a legitimate program is installed and configured, or when any program is started, the daemon process performs verification;
S5, if verification succeeds, starting the program normally; if verification fails, writing the program to the alarm log and locking it in the honeypot container.
2. The anti-escape attack behavior deception honeypot construction method according to claim 1, wherein the management platform comprises an image module, honeypot containers, an image repository, a daemon module, a control module and a check module.
3. The anti-escape attack behavior deception honeypot construction method according to claim 2, wherein, in addition to the programs, libraries, resources and configuration files required by the honeypot container at runtime, the image module further contains configuration parameters prepared for the honeypot container at runtime.
4. The anti-escape attack behavior deception honeypot construction method according to claim 2, wherein a data interface is arranged on the honeypot container; the data interface is provided with a detection unit and a truncation unit; and the daemon process is connected to the detection unit and the truncation unit.
5. The anti-escape attack behavior deception honeypot construction method according to claim 2, wherein the check module comprises a data acquisition unit, a white list repository, a check unit and a feedback unit, and is configured to acquire user behavior data in advance, establish a white list, compare a process in the system against the white list, and determine whether the process is an allowed work process.
6. The anti-escape attack behavior deception honeypot construction method according to claim 5, wherein the acquisition unit collects normal behavior data and abnormal behavior data, extracts the characteristic value sequence of each data packet, and stores the characteristic value sequences by class; the white list is the set of characteristic value sequences of normal behavior data.
7. The anti-escape attack behavior deception honeypot construction method according to claim 6, wherein the daemon process checks the currently executed process against the white list, and only programs on the white list can be started.
8. The anti-escape attack behavior deception honeypot construction method according to claim 7, wherein the white list verification method comprises: matching the characteristic value sequence of the currently executed process against the pre-stored set of characteristic value sequences of normal behavior data; if it matches, the verification is judged to have passed.
9. The anti-escape attack behavior deception honeypot construction method according to claim 1, wherein, when a legitimate program is installed and configured, or when any program is started, the daemon process uses sha256 to verify the host file; the data input to the hash function and the digest obtained from it must correspond one to one, the length of each digest must be fixed, and the data content cannot be recovered from the digest.
10. The anti-escape attack behavior deception honeypot construction method according to claim 1, wherein the daemon process checks the start code parameters of other programs; the start parameters are randomly generated and fixed by the system, so that if an attacker starts the communication program through a program with a code overflow, the communication program cannot start normally because the start code parameters are unknown, and the honeypot writes an alarm log entry.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210548403.4A CN114861168A (en) | 2022-05-20 | 2022-05-20 | Anti-escape attack behavior deception honeypot construction method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210548403.4A CN114861168A (en) | 2022-05-20 | 2022-05-20 | Anti-escape attack behavior deception honeypot construction method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114861168A true CN114861168A (en) | 2022-08-05 |
Family
ID=82638342
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210548403.4A Pending CN114861168A (en) | 2022-05-20 | 2022-05-20 | Anti-escape attack behavior deception honeypot construction method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114861168A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115086081A (en) * | 2022-08-08 | 2022-09-20 | 北京永信至诚科技股份有限公司 | Escape prevention method and system for honeypots |
Similar Documents
Publication | Title |
---|---|
CN109711171B (en) | Method, device and system for positioning software bugs, storage medium and electronic device |
US10657251B1 (en) | Multistage system and method for analyzing obfuscated content for malware |
CN109361670B (en) | Device and method for capturing malicious sample by utilizing targeted dynamic deployment of honeypots |
US7540030B1 (en) | Method and system for automatic cure against malware |
US10581879B1 (en) | Enhanced malware detection for generated objects |
US9973531B1 (en) | Shellcode detection |
US7870612B2 (en) | Antivirus protection system and method for computers |
US10225280B2 (en) | System and method for verifying and detecting malware |
RU2568295C2 (en) | System and method for temporary protection of operating system of hardware and software from vulnerable applications |
US9264441B2 (en) | System and method for securing a network from zero-day vulnerability exploits |
RU2680736C1 (en) | Malware files in network traffic detection server and method |
US11070570B2 (en) | Methods and cloud-based systems for correlating malware detections by endpoint devices and servers |
US20170061126A1 (en) | Process Launch, Monitoring and Execution Control |
WO2014113501A1 (en) | Systems and methods for identifying and reporting application and file vulnerabilities |
CN111651754B (en) | Intrusion detection method and device, storage medium and electronic device |
KR101972825B1 (en) | Method and apparatus for automatically analyzing vulnerable point of embedded appliance by using hybrid analysis technology, and computer program for executing the method |
CN112653654A (en) | Security monitoring method and device, computer equipment and storage medium |
CN110880983A (en) | Penetration testing method and device based on scene, storage medium and electronic device |
CN109241730B (en) | Container risk defense method, device, equipment and readable storage medium |
CN112653655A(en) | Automobile safety communication control method and device, computer equipment and storage medium |
CN114861168A (en) | Anti-escape attack behavior deception honeypot construction method |
CN115086081B (en) | Escape prevention method and system for honeypots |
CN115544503A (en) | File-free attack detection method, device, equipment and storage medium |
CN113824678B (en) | System, method, and non-transitory computer readable medium for processing information security events |
US11763004B1 (en) | System and method for bootkit detection |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |