CN115208670A - Honey net construction method and device, electronic equipment and computer readable storage medium - Google Patents

Publication number: CN115208670A
Authority: CN (China)
Prior art keywords: network, target, template, node, historical
Legal status: Granted (Active)
Application number: CN202210836372.2A
Other languages: Chinese (zh)
Other versions: CN115208670B (en)
Inventors: 李永梅, 张彩霞
Current Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd; priority to CN202210836372.2A; published as CN115208670A; granted and published as CN115208670B.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a honeynet construction method and device, an electronic device and a computer-readable storage medium, and relates to the technical field of network security. The method comprises the following steps: determining network information of a network to be protected; matching the network information against a template library to determine a corresponding target service system template; and constructing a honeynet corresponding to the network to be protected based on the target service system template. By matching and comparing the network to be protected against the template library, the virtual service system that corresponds to the real service system of the network to be protected can be identified as the target service system template, and the honeynet of that virtual service system is then constructed automatically from the template. The constructed honeynet can carry out virtual service interaction, which improves its camouflage effect and simulation capability when it disguises itself as the user's real network to be protected, improves its efficiency in trapping attackers, and improves the user's safety when using the network.

Description

Honey net construction method and device, electronic equipment and computer readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for constructing a honeynet, an electronic device, and a computer-readable storage medium.
Background
Honeypot technology is essentially a technique for deceiving an attacker: hosts and similar resources are deployed as bait to form a trapping network, the honeynet, and the attacker is induced to attack them. The attack behaviour can then be captured and analysed, the tools and methods used by the attacker become known, and the attack intention and motivation can be inferred, so that the defender clearly understands the security threats being faced and can strengthen the protection of the actual system through technical and management means.
In the prior art, a honeynet is usually constructed by adding virtual hosts and inducing the attacker to attack the honeynet through services opened on those hosts, or through vulnerabilities in those services, so as to trap the attacker. The similarity between the virtual network of such a honeynet and the actual protected network is low, which works against the goal of trapping attackers, so the trapping efficiency of existing honeynets is low.
Disclosure of Invention
In view of the above, an object of the embodiments of the present invention is to provide a method, an apparatus, an electronic device and a computer-readable storage medium for constructing a honeynet, so as to solve the problem in the prior art that the trapping efficiency of the honeynet for attackers is low.
In order to solve the above problem, in a first aspect, an embodiment of the present application provides a honey net construction method, where the method includes:
determining network information of a network to be protected;
matching in a template library according to the network information, and determining a corresponding target service system template;
and constructing a honey net corresponding to the network to be protected based on the target service system template.
In this implementation, the real network information of the network to be protected is matched and compared with the template library, so that the template of the virtual service system corresponding to the real service system described by the network information can be identified in the template library and used as the target service system template. The honeynet of the virtual service system corresponding to the network to be protected is then constructed automatically from the target service system template; the constructed honeynet has a high structural similarity with the real network to be protected used by the user and can also carry out virtual service interaction while operating. The camouflage effect and simulation capability of the honeynet in disguising itself as the user's real network are thus improved in both structure and service, which improves the honeynet's efficiency in trapping attackers and the user's safety in using the network.
Optionally, the matching in the template library according to the network information to determine the corresponding target service system template includes:
comparing the network information with a plurality of service system templates in the template library respectively to obtain a plurality of similarity degrees;
and taking the service system template with the similarity reaching a threshold value as the target service system template matched with the network to be protected.
In this implementation, the network information of the network to be protected is compared in turn with a plurality of historical service system templates in the template library to obtain the similarity between the network information and each template, and the template whose similarity reaches a threshold value, i.e. one with high similarity, is taken as the target service system template matched with the network to be protected. A plurality of service system templates can thus be screened, which improves the effectiveness of the target service system template.
Optionally, the constructing a honey net corresponding to the network to be protected based on the target service system template includes:
determining corresponding target nodes and target node network information according to the target service system template, wherein the target node network information comprises: at least one of a target node network address of the target node, a target node port opened by the target node network address, a target node service and a target node operating system;
establishing a virtual host based on the target node;
configuring corresponding target node network information in the virtual host;
and carrying out service configuration on the virtual host to obtain a honey net corresponding to the network to be protected.
In this implementation, when constructing a honeynet corresponding to the network to be protected, the target nodes and target node network information corresponding to the target service system template are determined; one or more virtual hosts are then newly created according to the target nodes, and the corresponding target node network information is configured in the virtual hosts, so that the virtual nodes carry the network structure of the individual nodes, namely their network addresses, open ports, services and operating systems. Service configuration is then performed on the virtual hosts on the basis of the target node network information, yielding a honeynet corresponding to the network to be protected that has virtual services. The method effectively improves the structural similarity between the honeynet and the network to be protected and the simulation capability of its services.
Optionally, the performing service configuration on the virtual host to obtain a honeynet corresponding to the network to be protected includes:
determining target business data in the target business system template, wherein the target business data comprises: at least one of a target service message and a target interaction frequency;
and configuring the corresponding target service data in the virtual host to enable the target node to perform simulation data interaction so as to obtain the honeynet which comprises the virtual host and corresponds to the network to be protected.
In this implementation, the target service data in the target service system template is acquired as simulated service data and configured together with the target node network information, so that simulated data interaction can take place among the virtual hosts corresponding to a plurality of target nodes. This increases the relevance of the virtual services among the target nodes, so that a honeynet comprising one or more virtual hosts has virtual services, and the simulation capability and camouflage effect of the honeynet are effectively improved.
Optionally, the determining network information of the network to be protected includes:
extracting a scanning network segment in the network to be protected;
scanning the scanning network segment according to a scanning algorithm to identify the network information in the scanning network segment, wherein the network information comprises: at least one of a real node existing in the scanning network segment, a target network address corresponding to the real node, a target network port opened by the target network address, a target network service and a target operating system.
In this implementation, in order to construct a honeynet according to the real situation of the network to be protected, a scanning network segment in the network to be protected is first extracted, and the segment is scanned with the scanning algorithm of a probe network to identify the network address of the host corresponding to each live real node in it, together with information such as the ports, services and operating system exposed at that address. Network information reflecting the actual structure of the network to be protected can thus be scanned and acquired quickly and accurately, which improves the similarity between the target service system template matched from the template library and the network to be protected, and so improves the protection the honeynet offers the network to be protected.
Optionally, the method further comprises:
and creating a service system template according to the network template, and taking a plurality of service system templates as the template library.
In the implementation process, the corresponding service system template can be created according to the network template, so that a template library is formed by a plurality of service system templates. The template library can be provided with the service system templates with various different structures, so that the success rate in matching is improved.
Optionally, the creating a service system template according to a network template includes:
determining a plurality of historical nodes, historical node network information and historical service data in the network template, wherein the historical node network information comprises: at least one of a historical node network address of the historical node, a historical node port opened at the historical node network address, a historical node service and a historical node operating system, and the historical service data comprises: at least one of historical service messages and historical interaction frequency;
configuring corresponding historical node network information in a plurality of historical nodes;
and configuring corresponding historical service data in a plurality of historical nodes to obtain the service system template.
In this implementation, when each service system template is created, the historical nodes of a network in the network template, their historical node network information and the historical service data used for service interaction in that network are obtained. The corresponding historical node network information is configured in the historical nodes to determine their network structure, and the corresponding historical service data is configured on top of that network information to construct the service system template. Configuring the template from the two aspects of network structure and service interaction improves its authenticity and the correlation of services among its nodes.
In a second aspect, an embodiment of the present application further provides a honey net constructing apparatus, where the apparatus includes:
the determining module is used for determining the network information of the network to be protected;
the matching module is used for matching in a template library according to the network information and determining a corresponding target service system template;
and the construction module is used for constructing the honey net corresponding to the network to be protected based on the target service system template.
In a third aspect, an embodiment of the present application further provides an electronic device, where the electronic device includes a memory and a processor, the memory stores program instructions, and when the processor reads and runs the program instructions, the processor executes the steps in any implementation manner of the honeynet construction method.
In a fourth aspect, an embodiment of the present application further provides a computer-readable storage medium, where computer program instructions are stored in the computer-readable storage medium, and when the computer program instructions are read and executed by a processor, the steps in any implementation manner of the honey net construction method are executed.
In summary, the present application provides a honeynet construction method and device, an electronic device and a computer-readable storage medium. A corresponding service system template is matched from the network information of the network to be protected, and a corresponding honeynet is constructed according to the network structure and service interaction of that template. This improves the camouflage effect and simulation capability of the honeynet in disguising itself as the user's real network to be protected from the aspects of both structure and service, thereby improving the honeynet's efficiency in trapping attackers and the user's safety in using the network.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic block diagram of an electronic device according to an embodiment of the present disclosure;
fig. 2 is a schematic flow chart of a honey net construction method provided in an embodiment of the present application;
fig. 3 is a detailed flowchart of a step S300 according to an embodiment of the present disclosure;
fig. 4 is a detailed flowchart of a step S400 provided in an embodiment of the present application;
fig. 5 is a detailed flowchart of step S440 according to an embodiment of the present disclosure;
fig. 6 is a detailed flowchart of a step S200 according to an embodiment of the present disclosure;
fig. 7 is a schematic flow chart of another honey net construction method provided in the embodiment of the present application;
fig. 8 is a schematic structural diagram of a honey net constructing device provided in an embodiment of the present application.
Reference numerals: 100-electronic device; 111-memory; 112-memory controller; 113-processor; 114-peripheral interface; 115-input/output unit; 116-display unit; 600-honeynet construction device; 610-determination module; 620-matching module; 630-construction module.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without any creative effort belong to the protection scope of the embodiments of the present application.
In the prior art, various types of network attack, such as denial-of-service attacks, domain name hijacking, malicious crawlers, web page trojans and unauthorised privilege escalation, adversely affect network use, so honeypot technology is commonly used for active defence to improve the security protection capability of the network. A honeypot can be a service, a web page, a database, a complete operating system or similar; by constructing a simulated system or service it deceives attackers, induces attacks, increases the attacker's cost and reduces the security threat to the actual system or service.
A honeynet built from honeypots is essentially a high-interaction honeypot system: a simulated network consisting of several honeypots, with several honeypot hosts configured in one network. When several honeypots are connected by the network they form a large false service network; some of the hosts attract attackers' intrusions, and by monitoring the intrusion process the attackers' behaviour can be collected on one hand and the related security protection strategies updated on the other. The honeynet combines several honeypots into a trapping network resembling a real service network behind a gateway, captures and monitors all traffic entering the system architecture, is highly controllable in its network settings, has rich and diverse functional hosts, and can acquire and sample many types of attack information.
In the prior art, a system actively constructs a honey net with a corresponding structure, and adds a virtual host to the constructed honey net so as to induce an attacker to attack the constructed honey net through opening a service or a vulnerability on the service on the constructed virtual host, thereby achieving the purpose of trapping the attacker.
However, the virtual network of an existing honeynet has low similarity in network structure and services to the actual network to be protected, so its camouflage effect and simulation capability are poor, which works against trapping attackers, and its trapping efficiency is low.
In order to solve the above problems, an embodiment of the present application provides a method for constructing a honey net, which is applied to an electronic device, where the electronic device may be an electronic device with a logic calculation function, such as a server, a Personal Computer (PC), a tablet PC, a smart phone, and a Personal Digital Assistant (PDA), and can match a target service system template of a corresponding structure and a service according to network information of a network to be protected, so as to construct a honey net with a high simulation capability from multiple aspects of a network structure and service interaction according to the target service system template, thereby improving a trapping efficiency of the honey net.
Optionally, referring to fig. 1, fig. 1 is a block schematic diagram of an electronic device according to an embodiment of the present disclosure. The electronic device 100 may include a memory 111, a memory controller 112, a processor 113, a peripheral interface 114, an input-output unit 115, and a display unit 116. It will be understood by those of ordinary skill in the art that the structure shown in fig. 1 is merely an illustration and is not intended to limit the structure of the electronic device 100. For example, electronic device 100 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The above-mentioned elements of the memory 111, the memory controller 112, the processor 113, the peripheral interface 114, the input/output unit 115 and the display unit 116 are electrically connected to each other directly or indirectly, so as to implement data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The processor 113 is used to execute the executable modules stored in the memory.
The Memory 111 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The memory 111 is used for storing a program, the processor 113 executes the program after receiving an execution instruction, and the method executed by the electronic device 100 defined by the process disclosed in any embodiment of the present application may be applied to the processor 113, or implemented by the processor 113.
The processor 113 may be an integrated circuit chip having signal processing capability. The Processor 113 may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. The general purpose processor may be a microprocessor, any conventional processor, etc.
The peripheral interface 114 couples various input/output devices to the processor 113 and memory 111. In some embodiments, the peripheral interface 114, the processor 113, and the memory controller 112 may be implemented in a single chip. In other examples, they may be implemented on separate chips.
The input/output unit 115 allows the user to provide input data, for example to input the corresponding network information or to select a corresponding service system template. The input/output unit 115 may be, but is not limited to, a mouse, a keyboard, and the like.
The display unit 116 provides an interactive interface (e.g., a user interface) between the electronic device 100 and a user or is used for displaying image data to the user for reference. In this embodiment, the display unit may be a liquid crystal display or a touch display. In the case of a touch display, the display can be a capacitive touch screen or a resistive touch screen, which supports single-point and multi-point touch operations. The support of single-point and multi-point touch operations means that the touch display can sense touch operations simultaneously generated from one or more positions on the touch display, and the sensed touch operations are sent to the processor for calculation and processing. In the embodiment of the present application, the display unit 116 may display a variety of information such as the structure of the constructed honeynet and the service interaction state of each node therein.
The electronic device in this embodiment may be configured to execute each step in each honey net construction method provided in this embodiment. The implementation of the method for constructing the honey net is described in detail by several embodiments.
Referring to fig. 2, fig. 2 is a schematic flow chart of a honey net construction method according to an embodiment of the present application, and the method may include steps S200-S400.
Step S200, determining the network information of the network to be protected.
In order to construct a honey net with higher similarity to the network to be protected, network information reflecting the real situation of the network to be protected can be obtained. The obtaining mode may be scanning the network to be protected, or collecting related information from the network to be protected.
Optionally, the network information is data reflecting a network condition of a real service system of the network to be protected, and may include one or more of a real node corresponding to a real host that survives in the network to be protected, a target network address of the real node, a target network port opened by the target network address, a target network service, a target operating system, and the like.
Optionally, the network to be protected that the user currently needs to protect may be determined from the multiple networks, and the user may input the network to be protected on the user terminal used, so that the electronic device terminal may receive the network to be protected that the user determines.
And step S300, matching in the template base according to the network information, and determining a corresponding target service system template.
The template library can comprise a plurality of different service system templates, and the service system template with higher similarity to the network information can be matched as the target service system template by comparing the network information with the plurality of service system templates.
Optionally, the target service system template may include information of each node in the network and virtual service information for data interaction between the nodes.
And S400, constructing a honey net corresponding to the network to be protected based on the target service system template.
According to the node information and the inter-node service information in the target service system template, the nodes can form a network structure similar to the network to be protected that carries a virtual service system, so that a honeynet in which service data can be sent between nodes is simulated.
In the embodiment shown in fig. 2, the camouflage effect and the simulation capability of the honey net for camouflage of the real network to be protected used by the user can be improved from the aspects of structure and service, so that the trapping efficiency of the honey net for the attacker is improved, and the safety of the user in using the network is improved.
Optionally, referring to fig. 3, fig. 3 is a detailed flowchart of step S300 provided in the embodiment of the present application, and step S300 may further include steps S310 to S320.
Step S310, comparing the network information with a plurality of service system templates in the template library respectively to obtain a plurality of similarities.
The network information of the network to be protected can be compared with a plurality of historical service system templates in the template library in sequence, so that the similarity between the network information and each service system template is obtained.
And step S320, taking the service system template with the similarity reaching the threshold value as a target service system template matched with the network to be protected.
The threshold may be a preset similarity threshold, for example, 98%, and the service system template with the similarity exceeding the threshold may be used as the target service system template corresponding to the network information. By limiting the similarity value, the similarity between the network structure of the target service system template and the network to be protected and the real service system can be effectively improved, and the adverse effects of poor camouflage effect and poor simulation capability of the constructed honey net when the similarity between the target service system template and the network to be protected is low are reduced.
Optionally, when the similarities of several templates exceed the threshold, the service system template with the highest similarity may be selected as the target service system template; alternatively, the service system template with the highest similarity may be used directly as the target service system template.
In the embodiment shown in fig. 3, a plurality of business system templates can be screened in the template library, so that the effectiveness of the target business system template is improved.
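As an added illustration of steps S310 and S320 above, together with the template creation and network information steps described in the Disclosure section, the following Python example (written for this page; not code from the patent or from Beijing Topsec) turns constructed scan records into network information, builds a small template library, scores the network against each template and applies the similarity threshold, returning the highest-scoring template among those that reach it. The Jaccard node fingerprint, the node-count coverage factor, the scan record layout and every name such as `NodeInfo`, `match_template` and `TEMPLATE_LIBRARY` are assumptions of this example, and all sample data is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Added example for this page (not patent or assignee code); all names are
# hypothetical. Similarity is Jaccard over node fingerprints, an assumption.

@dataclass(frozen=True)
class NodeInfo:
    """Network information of one node: address, open ports, services, OS."""
    address: str
    ports: frozenset
    services: frozenset
    os: str

@dataclass
class ServiceSystemTemplate:
    """Historical nodes plus the service data used for simulated interaction."""
    name: str
    nodes: List[NodeInfo]
    messages: List[str] = field(default_factory=list)
    interaction_frequency: float = 0.0  # interactions per minute

def network_info_from_scan(records: Iterable[Tuple[str, int, str, str]]) -> List[NodeInfo]:
    """Step S200: group per-port scan records (address, port, service, os) into
    one NodeInfo per live address. The record layout is an assumption."""
    ports: Dict[str, set] = {}
    services: Dict[str, set] = {}
    os_by_addr: Dict[str, str] = {}
    for address, port, service, os_name in records:
        ports.setdefault(address, set()).add(port)
        services.setdefault(address, set()).add(service)
        os_by_addr[address] = os_name
    return [NodeInfo(a, frozenset(ports[a]), frozenset(services[a]), os_by_addr[a])
            for a in sorted(ports)]

def create_service_system_template(name, historical_nodes, historical_messages,
                                   interaction_frequency):
    """Template creation: historical node network information plus historical
    service data. Duplicate addresses are rejected so template nodes stay distinct."""
    addresses = [n.address for n in historical_nodes]
    if len(set(addresses)) != len(addresses):
        raise ValueError(f"duplicate historical node address in template {name!r}")
    if interaction_frequency < 0:
        raise ValueError("interaction frequency must be non-negative")
    return ServiceSystemTemplate(name, list(historical_nodes),
                                 list(historical_messages), interaction_frequency)

def _fingerprint(node: NodeInfo) -> frozenset:
    # The address is left out on purpose: template addresses are historical.
    return frozenset({f"port:{p}" for p in node.ports}
                     | {f"svc:{s}" for s in node.services}
                     | {f"os:{node.os}"})

def node_similarity(a: NodeInfo, b: NodeInfo) -> float:
    """Jaccard similarity of two nodes' fingerprints (ports, services, OS)."""
    fa, fb = _fingerprint(a), _fingerprint(b)
    return len(fa & fb) / len(fa | fb)

def template_similarity(network: List[NodeInfo], template: ServiceSystemTemplate) -> float:
    """Step S310: mean best-match node similarity, scaled by how well the node
    counts agree, so a template of the wrong size cannot reach a high score."""
    if not network or not template.nodes:
        return 0.0
    best = [max(node_similarity(n, t) for t in template.nodes) for n in network]
    coverage = min(len(network), len(template.nodes)) / max(len(network), len(template.nodes))
    return sum(best) / len(best) * coverage

def match_template(network, library, threshold=0.98) -> Optional[ServiceSystemTemplate]:
    """Step S320: keep templates whose similarity reaches the threshold and return
    the highest-scoring one; None means the library has no usable template."""
    candidates = [(template_similarity(network, t), t) for t in library]
    candidates = [(s, t) for s, t in candidates if s >= threshold]
    return max(candidates, key=lambda st: st[0])[1] if candidates else None

# Constructed sample data: a two-node OA network scan and a two-template library.
SCAN_RECORDS = [
    ("10.0.0.11", 80, "http", "linux"),
    ("10.0.0.11", 443, "https", "linux"),
    ("10.0.0.12", 3306, "mysql", "linux"),
]
NETWORK_INFO = network_info_from_scan(SCAN_RECORDS)
TEMPLATE_LIBRARY = [
    create_service_system_template("OA", [
        NodeInfo("192.168.1.1", frozenset({80, 443}), frozenset({"http", "https"}), "linux"),
        NodeInfo("192.168.1.2", frozenset({3306}), frozenset({"mysql"}), "linux"),
    ], ["GET /oa/login", "SELECT * FROM users"], 6.0),
    create_service_system_template("ERP", [
        NodeInfo("192.168.2.1", frozenset({8080, 22}), frozenset({"http", "ssh"}), "windows"),
    ], ["POST /erp/order"], 2.0),
]

if __name__ == "__main__":
    target = match_template(NETWORK_INFO, TEMPLATE_LIBRARY)
    print("target template:", target.name if target else None)  # OA
```

With the 98% threshold from the text, the OA template scores 1.0 and is chosen, while the single-node ERP template scores only 1/36 because it shares just one service token with one node and has half the node count; lowering the threshold would make it selectable, which shows why the threshold and the tie-break on highest similarity belong together.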
Optionally, referring to fig. 4, fig. 4 is a detailed flowchart of step S400 provided in the present embodiment, and step S400 may further include steps S410 to S440.
Step S410, according to the target service system template, determining the corresponding target node and the target node network information.
The relevant data of the network structure in the target service system template, that is, the corresponding number of target nodes and the network information of the target nodes existing in the target service system template, may be determined first. The target node network information may include: the network address of the target node, the port of the target node opened by the network address of the target node, the service of the target node, the operating system of the target node and the like.
Step S420, a virtual host is newly built based on the target node.
For example, when the target node is two nodes, 2 corresponding virtual hosts can be newly created and started, and can be marked as virtual OA node 1 and virtual OA node 2.
Step S430, configuring corresponding target node network information in the virtual host.
In order to make the network structure in the virtual host similar to that in the network to be protected, the network information of the target node corresponding to each node may be configured in the virtual host. For example, the virtual OA node 1 and the virtual OA node 2 are configured with a target node network address, a target node port opened by the target node network address, a target node service, a target node operating system, and other relevant information.
Step S440, service configuration is carried out on the virtual host machine, so that a honey net corresponding to the network to be protected is obtained.
In order to enable the plurality of nodes to perform simulated data interaction, virtual service configuration can be performed on the virtual host on the basis of network information of the target nodes, and the plurality of target nodes can be started to work after the configuration is completed, so that a honey net which is similar to a network to be protected in structure and has a virtual service system is constructed.
Optionally, when constructing the honey net, the name of the unit to which the honey net belongs, the area, the scale and the like can also be limited.
In the embodiment shown in fig. 4, the similarity of the honey net and the network to be protected in structure and the simulation capability in service are effectively improved.
Optionally, referring to fig. 5, fig. 5 is a detailed flowchart of step S440 according to an embodiment of the present disclosure, and step S440 may further include steps S441-S442.
Step S441, determining the target service data in the target service system template.
The target service data may be various parameter data configured when a target service system template is constructed, and the target service data may include one or more of various service-related information such as a target service packet and target interaction frequency.
Illustratively, the target service packet may be the packet data used for the virtual service interaction, such as newly created OA long data, login information for logging in to the OA system, and the data of a queried OA user; the target interaction frequency may be the frequency or period at which the target service packet is exchanged, for example, sending and receiving the target service packet every 30 minutes.
Step S442, configuring corresponding target service data in the virtual host, so that the target node performs analog data interaction, and obtaining a honey net including the virtual host corresponding to the network to be protected.
The virtual service is configured based on network information of a plurality of target nodes in the virtual service system according to the target service data, so that the virtual host corresponding to each target node can perform simulated data interaction on the corresponding target service packet at the corresponding target interaction frequency, for example, the service data packet is sent once in the virtual OA node 1 and the virtual OA node 2 in the virtual host every 30 minutes.
In the embodiment shown in fig. 5, virtual service interaction is added in each node when the honey net is constructed, so that the relevance of virtual services among all target nodes can be increased, the honey net comprising one or more virtual hosts has virtual services, and the simulation capability and the camouflage effect of the honey net are effectively improved.
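The following Python is an added example for steps S410 to S442, not code from the patent: it turns a target service system template into virtual host configuration records and a simulated-interaction schedule that fires at the target interaction frequency. The node names, addresses, packets and intervals are constructed, and actually starting the virtual hosts is left to whatever virtualization layer is in use.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class TargetNode:
    """Target node and its network information (step S410)."""
    name: str
    address: str
    ports: Tuple[int, ...]
    services: Tuple[str, ...]   # services[i] listens on ports[i]
    os: str


@dataclass(frozen=True)
class TargetServiceData:
    """Target service data (step S441): which packet is exchanged between
    which nodes, and how often (the target interaction frequency)."""
    sender: str        # TargetNode.name
    receiver: str
    service: str
    packet: bytes
    every: timedelta


@dataclass
class VirtualHost:
    """Configuration record for one newly built virtual host (steps S420, S430)."""
    name: str
    address: str
    os: str
    listeners: Dict[int, str] = field(default_factory=dict)   # port -> service


def build_virtual_hosts(nodes: List[TargetNode]) -> Dict[str, VirtualHost]:
    """One virtual host per target node, configured with that node's network
    information.  Misaligned port/service lists and duplicate addresses are
    rejected instead of silently producing a host that looks wrong."""
    hosts: Dict[str, VirtualHost] = {}
    seen = set()
    for n in nodes:
        if len(n.ports) != len(n.services):
            raise ValueError(f"{n.name}: ports and services do not line up")
        if n.address in seen:
            raise ValueError(f"{n.name}: address {n.address} already in use")
        seen.add(n.address)
        hosts[n.name] = VirtualHost(n.name, n.address, n.os, dict(zip(n.ports, n.services)))
    return hosts


def interaction_schedule(flows: List[TargetServiceData], start: datetime,
                         window: timedelta) -> List[Tuple[datetime, str, str, str]]:
    """Step S442: expand each flow into the instants it fires inside
    [start, start + window), so the hosts exchange their packets at the
    target interaction frequency.  Returned sorted by time, then sender."""
    events = []
    for f in flows:
        t = start
        while t < start + window:
            events.append((t, f.sender, f.receiver, f.service))
            t += f.every
    events.sort(key=lambda e: (e[0], e[1]))
    return events


def build_honeynet(nodes: List[TargetNode], flows: List[TargetServiceData],
                   start: datetime, window: timedelta) -> dict:
    """Steps S420 to S442 together: the virtual hosts plus their interaction plan."""
    hosts = build_virtual_hosts(nodes)
    for f in flows:
        if f.sender not in hosts or f.receiver not in hosts:
            raise ValueError(f"flow {f.sender} -> {f.receiver} names an unknown node")
    return {"hosts": hosts, "schedule": interaction_schedule(flows, start, window)}


# Constructed sample mirroring the page's two-node OA illustration.
NODES = [
    TargetNode("virtual OA node 1", "10.36.3.1", (80, 443), ("http", "https"), "linux"),
    TargetNode("virtual OA node 2", "10.36.3.2", (3306,), ("mysql",), "linux"),
]
FLOWS = [
    TargetServiceData("virtual OA node 1", "virtual OA node 2", "mysql",
                      b"SELECT name FROM oa_user WHERE id = 42", timedelta(minutes=30)),
    TargetServiceData("virtual OA node 2", "virtual OA node 1", "http",
                      b"GET /oa/login HTTP/1.1", timedelta(hours=1)),
]
START = datetime(2022, 7, 15, 9, 0)
WINDOW = timedelta(hours=2)


def sample_honeynet() -> dict:
    return build_honeynet(NODES, FLOWS, START, WINDOW)


if __name__ == "__main__":
    plan = sample_honeynet()
    for h in plan["hosts"].values():
        print(h)
    for t, s, r, svc in plan["schedule"]:
        print(t.strftime("%H:%M"), s, "->", r, svc)
```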
Optionally, referring to fig. 6, fig. 6 is a detailed flowchart of step S200 provided in the embodiment of the present application, and step S200 may further include steps S210 to S220.
Step S210, extracting a scanning network segment in the network to be protected.
Because the network to be protected that the electronic device receives (uploaded or specified by the user) may contain multiple network segments, information in the network to be protected may be extracted to obtain the key scanning network segment, which improves the efficiency of obtaining the network information.
Illustratively, when the network to be protected is 10.7.212.227-10.7.212.236, then the extracted critical scan segment may be 10.36.3.Xx, etc.
Step S220, scanning the scanning network segment according to the scanning algorithm to identify the network information in the scanning network segment.
The scanning network segment can be scanned according to a scanning algorithm in an automated network probing tool, such as nmap, so as to identify the real network structure and service system existing in the network to be protected. The network information obtained by scanning may include one or more of the items reflecting the real network structure and service conditions in the network to be protected, such as a real node existing in the scanning network segment, a target network address corresponding to the real node, a target network port opened by the target network address, a target network service, a target operating system, and the like.
Optionally, during scanning, the scanning progress in the scanning process and various network information identified by scanning may be displayed for the staff to view and operate.
In the embodiment shown in fig. 6, the network information reflecting the actual structure of the network to be protected can be rapidly and accurately scanned and obtained, and the method is suitable for various different networks to be protected and meets different requirements of various users.
Alternatively, the service system template may be created according to a network template, and a plurality of service system templates are used as a template library. The service system templates with different structures can be added into the template library, so that the success rate in matching is improved.
For example, referring to fig. 7, fig. 7 is a schematic flowchart of another honey net construction method provided in the embodiment of the present application, and the method may further include steps S510 to S530.
Step S510, determining a plurality of history nodes, history node network information and history service data in the network template.
When constructing the corresponding service system template, the historical network template may be obtained first and scanned (or processed in a similar way) to obtain a plurality of historical nodes reflecting the network structure and service system of the network template, together with the historical node network information and historical service data corresponding to those nodes. The historical node network information may include one or more of the historical node network address of a historical node, the historical node ports opened at that address, the historical node services and the historical node operating system, all of which reflect the network structure and service conditions in the network template; the historical service data may include one or more items of service-related information such as the historical service messages and the historical interaction frequency in the network template.
Alternatively, historical network templates may be retrieved from a database of the network.
Step S520, corresponding history node network information is configured in the plurality of history nodes.
Corresponding historical node network information can be configured in the plurality of historical nodes existing in the network template. For example, when two historical nodes exist, port 80 can be opened on historical node 1 with the corresponding http node service, and its historical operating system set to a Linux system; and port 3306 can be opened on historical node 2 with the corresponding mysql node service, its historical operating system likewise set to a Linux system, and so on.
Step S530, configuring corresponding historical service data in a plurality of historical nodes to obtain a service system template.
The historical service data in the historical service system in the network template can be configured to the corresponding historical node on the basis of the historical node network information, so that the service system template with the network structure information and the service system information is created and obtained.
For example, the service configuration may be performed according to the historical service packets and the historical interaction frequency in the historical service data, such as configuring the historical service packets to be transmitted or received every 30 minutes.
In the embodiment shown in fig. 7, the service system template can be configured from two aspects of network structure and service interaction, so that the authenticity of the service system template and the relevance of services between nodes are improved.
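For step S220 and steps S510 to S530, the following Python is an added example, not code from the patent: it parses scanner output into historical node network information and packages it together with historical service data as a service system template for the library. The sample lines are constructed in the layout of nmap's grepable (-oG) output, and the port/state/service field order is an assumption about that format, not something the patent states.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class HistoryNode:
    """Historical node network information (step S510)."""
    address: str
    ports: Tuple[int, ...]
    services: Tuple[str, ...]
    os: str


@dataclass(frozen=True)
class HistoryServiceData:
    """Historical service data (step S510): packet, endpoints, interaction frequency."""
    sender: str            # node address
    receiver: str
    service: str
    packet: bytes
    interval_minutes: int


# Constructed sample in the shape of nmap grepable output; not real scan output.
SAMPLE_SCAN = (
    "# Nmap scan of the network template (constructed sample)\n"
    "Host: 10.36.3.1 ()\tStatus: Up\n"
    "Host: 10.36.3.1 ()\tPorts: 80/open/tcp//http//nginx 1.18.0//, "
    "443/open/tcp//https//nginx 1.18.0//, 22/filtered/tcp//ssh///"
    "\tIgnored State: closed (997)\tOS: Linux 4.15 - 5.6\n"
    "Host: 10.36.3.2 ()\tStatus: Up\n"
    "Host: 10.36.3.2 ()\tPorts: 3306/open/tcp//mysql//MySQL 8.0.28//"
    "\tIgnored State: closed (999)\tOS: Linux 4.15 - 5.6\n"
)


def _fields(line: str) -> Dict[str, str]:
    """Split one grepable host line into its tab-separated 'Key: value' fields."""
    out: Dict[str, str] = {}
    for chunk in line.split("\t"):
        key, sep, value = chunk.partition(": ")
        if sep:
            out[key] = value
    return out


def parse_scan(text: str) -> List[HistoryNode]:
    """Steps S220/S510: turn scanner output into node network information.
    Only open ports become part of a node; filtered or closed ports are dropped."""
    nodes: List[HistoryNode] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        f = _fields(line)
        if "Ports" not in f:
            continue            # status-only line for the same host
        address = f["Host"].split()[0]
        ports, services = [], []
        for entry in f["Ports"].split(", "):
            parts = entry.split("/")   # port/state/proto/owner/service/rpc/version
            if len(parts) < 5 or parts[1] != "open":
                continue
            ports.append(int(parts[0]))
            services.append(parts[4] or "unknown")
        os_name = f.get("OS", "unknown").split()[0].lower()
        nodes.append(HistoryNode(address, tuple(ports), tuple(services), os_name))
    return nodes


def create_service_system_template(name: str, nodes: List[HistoryNode],
                                   service_data: List[HistoryServiceData]) -> dict:
    """Steps S520 to S530: attach the historical service data to the nodes.
    A flow whose receiver does not expose the named service would make the
    template contradict its own network structure, so it is rejected."""
    by_addr = {n.address: n for n in nodes}
    for sd in service_data:
        if sd.sender not in by_addr or sd.receiver not in by_addr:
            raise ValueError(f"{sd.sender} -> {sd.receiver}: unknown node")
        if sd.service not in by_addr[sd.receiver].services:
            raise ValueError(f"{sd.receiver} does not serve {sd.service}")
    return {"name": name, "nodes": list(nodes), "service_data": list(service_data)}


# Constructed historical service data: node 1 queries node 2's database every 30 min.
SAMPLE_FLOWS = [
    HistoryServiceData("10.36.3.1", "10.36.3.2", "mysql",
                       b"SELECT name FROM oa_user WHERE id = 42", 30),
]


def sample_template() -> dict:
    return create_service_system_template("oa_two_node", parse_scan(SAMPLE_SCAN), SAMPLE_FLOWS)


if __name__ == "__main__":
    print(sample_template())
```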
Referring to fig. 8, fig. 8 is a schematic structural diagram of a honey net constructing device according to an embodiment of the present application, and the honey net constructing device 600 may include:
a determining module 610, configured to determine network information of a network to be protected;
the matching module 620 is configured to perform matching in the template library according to the network information, and determine a corresponding target service system template;
the constructing module 630 is configured to construct a honeynet corresponding to the network to be protected based on the target service system template.
In an optional embodiment, the matching module 620 may further include a comparison sub-module and a matching sub-module;
the comparison submodule is used for respectively comparing the network information with a plurality of service system templates in the template library to obtain a plurality of similarities;
and the matching submodule is used for taking the business system template with the similarity reaching the threshold as a target business system template matched with the network to be protected.
In an optional embodiment, the building module 630 may further include a node sub-module, a host sub-module, and a configuration sub-module;
the node submodule is used for determining a corresponding target node and target node network information according to the target service system template, wherein the target node network information comprises: at least one of a target node network address of the target node, a target node port opened by the target node network address, a target node service and a target node operating system;
the host submodule is used for establishing a virtual host based on the target node;
the configuration submodule is used for configuring corresponding target node network information in the virtual host; and carrying out service configuration on the virtual host to obtain a honey net corresponding to the network to be protected.
In an optional implementation manner, the configuration sub-module may further include a service sub-unit, configured to determine target service data in the target service system template, where the target service data includes: at least one of a target service message and a target interaction frequency; and configuring corresponding target service data in the virtual host to enable the target node to perform simulated data interaction so as to obtain a honey net which comprises the virtual host and corresponds to the network to be protected.
In an optional embodiment, the determining module 610 may further include an extracting sub-module and a scanning sub-module;
the extraction submodule is used for extracting a scanning network segment in a network to be protected;
the scanning submodule is used for scanning the scanning network segment according to a scanning algorithm so as to identify network information in the scanning network segment, wherein the network information comprises: at least one of a real node existing in the scanning network segment, a target network address corresponding to the real node, a target network port opened by the target network address, a target network service and a target operating system.
In an optional implementation manner, the honey net constructing apparatus 600 may further include a template creating module, configured to create a service system template according to the network template, and use a plurality of service system templates as the template library.
In an optional embodiment, the template creating module may further include a template node sub-module and a template configuration sub-module;
the template node submodule is used for determining a plurality of historical nodes, historical node network information and historical service data in a network template, wherein the historical node network information comprises: at least one of historical node network addresses of historical nodes, historical node ports opened by the historical node network addresses, historical node services and historical node operating systems, wherein the historical service data comprises: at least one of historical service messages and historical interaction frequency;
the template configuration submodule is used for configuring corresponding historical node network information in a plurality of historical nodes; and configuring corresponding historical service data in the plurality of historical nodes to obtain a service system template.
Since the principle of the honey net construction apparatus 600 in the embodiment of the present application for solving the problem is similar to that of the embodiment of the honey net construction method, the implementation of the honey net construction apparatus 600 in the embodiment of the present application can refer to the description in the embodiment of the honey net construction method, and repeated descriptions are omitted.
The embodiment of the present application further provides a computer-readable storage medium, where computer program instructions are stored in the computer-readable storage medium, and when the computer program instructions are read and executed by a processor, the steps in any one of the honey net construction methods provided in the embodiment are executed.
In summary, the embodiments of the present application provide a honey net construction method, apparatus, electronic device and computer-readable storage medium. A corresponding service system template is matched through the network information of the network to be protected, and a corresponding honey net is constructed according to the network structure and service interaction of that template. This improves the camouflage effect and simulation capability of the honey net when it disguises the real network used by the user, in both structure and service, thereby improving the efficiency with which the honey net traps attackers and the security of the user's network.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus may be implemented in other manners. The apparatus embodiments described above are merely illustrative, and for example, the block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of devices according to various embodiments of the present application. In this regard, each block in the block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams, and combinations of blocks in the block diagrams, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as separate products. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, and various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made to the present application by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined or explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application.
It should be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A method for constructing a honeynet, the method comprising:
determining network information of a network to be protected;
matching in a template library according to the network information, and determining a corresponding target service system template;
and constructing a honey net corresponding to the network to be protected based on the target service system template.
2. The method of claim 1, wherein the matching in a template library according to the network information to determine a corresponding target business system template comprises:
comparing the network information with a plurality of service system templates in the template library respectively to obtain a plurality of similarity degrees;
and taking the service system template with the similarity reaching a threshold value as the target service system template matched with the network to be protected.
3. The method according to claim 1, wherein the constructing a honey net corresponding to the network to be protected based on the target service system template comprises:
determining corresponding target nodes and target node network information according to the target service system template, wherein the target node network information comprises: at least one of a target node network address of the target node, a target node port opened by the target node network address, a target node service and a target node operating system;
establishing a virtual host based on the target node;
configuring corresponding target node network information in the virtual host;
and carrying out service configuration on the virtual host to obtain a honey net corresponding to the network to be protected.
4. The method according to claim 3, wherein the performing service configuration on the virtual host to obtain a honeynet corresponding to the network to be protected includes:
determining target service data in the target service system template, wherein the target service data comprises: at least one of a target service message and a target interaction frequency;
and configuring the corresponding target service data in the virtual host to enable the target node to perform simulated data interaction, so as to obtain the honey net which comprises the virtual host and corresponds to the network to be protected.
5. The method of claim 1, wherein determining the network information of the network to be protected comprises:
extracting a scanning network segment in the network to be protected;
scanning the scanning network segment according to a scanning algorithm to identify the network information in the scanning network segment, wherein the network information comprises: at least one of a real node existing in the scanning network segment, a target network address corresponding to the real node, a target network port opened by the target network address, a target network service and a target operating system.
6. The method of claim 1, further comprising:
and creating a business system template according to the network template, and taking a plurality of business system templates as the template library.
7. The method of claim 6, wherein creating a business system template from a network template comprises:
determining a plurality of historical nodes, historical node network information and historical traffic data in the network template, wherein the historical node network information comprises: at least one of a historical node network address of the historical node, a historical node port opened by the historical node network address, a historical node service and a historical node operating system, wherein the historical service data comprises: at least one of historical service messages and historical interaction frequency;
configuring corresponding historical node network information in a plurality of historical nodes;
and configuring corresponding historical service data in a plurality of historical nodes to obtain the service system template.
8. A honeynet building apparatus, the apparatus comprising:
the determining module is used for determining the network information of the network to be protected;
the matching module is used for matching in a template library according to the network information and determining a corresponding target service system template;
and the construction module is used for constructing the honey net corresponding to the network to be protected based on the target service system template.
9. An electronic device comprising a memory having stored therein program instructions and a processor that, when executed, performs the steps of the method of any of claims 1-7.
10. A computer-readable storage medium, having stored thereon computer program instructions, which, when executed by a processor, perform the steps of the method of any one of claims 1-7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210836372.2A CN115208670B (en) 2022-07-15 2022-07-15 Honey net construction method, device, electronic equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN115208670A true CN115208670A (en) 2022-10-18
CN115208670B CN115208670B (en) 2023-10-13

Family

ID=83582705

Country Status (1)

Country Link
CN (1) CN115208670B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant