CN115296909A - Method, device and medium for obtaining target honeypot system and attack response method - Google Patents


Info

Publication number: CN115296909A
Authority: CN (China)
Prior art keywords: honeypot, target, security device, information, information table
Legal status: Granted; currently active
Application number: CN202210934661.6A
Other languages: Chinese (zh)
Other versions: CN115296909B (en)
Inventor: 蒋晓青
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by: Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority: CN202210934661.6A; published as CN115296909A and granted as CN115296909B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/1433 Vulnerability analysis (also under H04L63/14)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the application provides a method, a device and a medium for obtaining a target honeypot system, and an attack response method. The method comprises the following steps: obtaining an original honeypot system and obtaining a system version number of a target security device, wherein the original honeypot system is used for receiving malicious traffic of an attack source and is deployed on the target security device; searching configuration information corresponding to the system version number in a target honeypot information table, wherein the target honeypot information table is at least used for recording vulnerability information related to the system version number; and updating the configuration of the original honeypot system based on the configuration information to obtain a target honeypot system. According to the method and the device, the target honeypot system can be quickly established through the target honeypot information table, so that the reusability of the target honeypot system can be improved.

Description

Method, device and medium for obtaining target honeypot system and attack response method
Technical Field
The embodiment of the application relates to the field of network security, in particular to a method, a device, a medium and an attack response method for obtaining a target honeypot system.
Background
The honeypot system induces an attack source to attack the bait host by arranging some bait hosts, network services or information, so that attack behaviors can be captured and analyzed. In the related art, the honeypot system is generally customized by a fixed manufacturer according to requirements, so that the cost of customizing the honeypot system is high, and the reusability of the honeypot system is poor.
Therefore, how to improve the reusability of the honeypot system and reduce the cost of manufacturing the honeypot system becomes a problem to be solved.
Disclosure of Invention
The embodiments of the present application provide a method, an apparatus, a medium, and an attack response method for obtaining a target honeypot system, and some embodiments of the present application can at least quickly establish the target honeypot system through a target honeypot information table, thereby improving reusability of the target honeypot system and reducing manufacturing cost.
In a first aspect, the present application provides a method of obtaining a target honeypot system, the method comprising: obtaining an original honeypot system and obtaining a system version number of a target security device, wherein the original honeypot system is used for receiving malicious traffic of an attack source and is deployed on the target security device; searching configuration information corresponding to the system version number in a target honeypot information table, wherein the target honeypot information table is at least used for recording vulnerability information related to the system version number; and updating the configuration of the original honeypot system based on the configuration information to obtain a target honeypot system.
Therefore, different from a method in the related art that needs to be customized according to needs each time a honeypot system is manufactured, the embodiment of the application establishes the target honeypot system quickly through the target honeypot information table, so that reusability of the target honeypot system can be improved, and manufacturing cost can be reduced.
With reference to the first aspect, in an implementation manner of the present application, the vulnerability information includes a vulnerability number of a system vulnerability on a target candidate security device; before the looking up of the configuration information corresponding to the system version number in the target honeypot information table, the method further includes: acquiring a system version number of at least one candidate security device; searching for the target candidate security device with the system vulnerability among the at least one candidate security device, and acquiring the vulnerability number of the system vulnerability on the target candidate security device; and adding the system version number of the target candidate security device and the corresponding vulnerability number into a honeypot information table to obtain the target honeypot information table.
Therefore, by adding the vulnerability number corresponding to the system vulnerability on the target candidate security device into the honeypot information table, the embodiment of the application can directly read the honeypot information table in the process of generating the target honeypot system, namely, add the system vulnerability, thereby improving the efficiency of generating the target honeypot system.
With reference to the first aspect, in an embodiment of the present application, the at least one candidate security device includes a first candidate security device, where the first candidate security device is any one of the at least one candidate security device; after the obtaining of the system version number of the at least one candidate security device, the method further comprises: when it is determined that the first candidate security device has no system vulnerability, further determining that the first candidate security device has an application vulnerability, and acquiring a first vulnerability number of the application vulnerability, wherein the application vulnerability is a vulnerability in an application program; and adding the system version number of the first candidate security device and the corresponding first vulnerability number into a honeypot information table to obtain the target honeypot information table.
Therefore, in the embodiment of the application, the application vulnerability is obtained under the condition that the equipment has no system vulnerability, and the first vulnerability number of the application vulnerability is added into the honeypot information table, so that the application vulnerability can be added to the system in the process of generating the target honeypot system.
With reference to the first aspect, in an implementation manner of the present application, the target honeypot information table is further configured to record operation resource information, where the operation resource information represents different operation capabilities by using an interval where an operation parameter value is located; before the looking up the configuration information corresponding to the system version number in the target honeypot information table, the method further includes: calculating an operation parameter value of the at least one candidate security device, wherein the operation parameter value is used for characterizing the operation capability of the at least one candidate security device; generating the operation resource information according to the operation parameter value; and adding the operation resource information corresponding to the same system version number into the honeypot information table to obtain the target honeypot information table.
With reference to the first aspect, in one embodiment of the present application, the operation parameter values include the average number of clock cycles per instruction (CPI) within a preset time, and the number of million instructions processed per second (MIPS); the calculating of the operation parameter value of the at least one candidate security device comprises: respectively calculating the CPI and the MIPS of each candidate security device in the at least one candidate security device; the generating of the operation resource information according to the operation parameter value includes: acquiring a target reference value interval of the CPI of each candidate security device to obtain first operation resource information; acquiring a target reference value interval of the MIPS of each candidate security device to obtain second operation resource information; and representing the operation resource information by the first operation resource information and the second operation resource information.
Therefore, according to the embodiment of the application, the operation parameter value of at least one candidate security device is calculated, and the operation resource information is generated according to the operation parameter value, so that the target honeypot system has a certain operation capacity, the function of the target honeypot system is similar to that of a real device system, and the existence of the target honeypot system is not easily perceived by an attack source.
With reference to the first aspect, in an embodiment of the present application, the looking up, in a target honeypot information table, of configuration information corresponding to the system version number includes: searching for vulnerability information and operation resource information corresponding to the system version number of the target security device in the target honeypot information table; and the updating of the configuration of the original honeypot system based on the configuration information to obtain the target honeypot system comprises: updating the configuration of the original honeypot system based on the vulnerability information and the operation resource information to obtain the target honeypot system.
Therefore, the original honeypot system is configured and updated through the vulnerability information and the operation resource information, and the high-interaction target honeypot system with the function similar to that of a real system can be rapidly configured.
With reference to the first aspect, in one embodiment of the present application, before the obtaining the original honeypot system, the method further includes: acquiring an initial honeypot system, and extracting flow characteristics corresponding to the initial honeypot system; and hiding the flow characteristics to obtain the original honeypot system.
Therefore, the traffic characteristics of the initial honeypot system are hidden, so that the traffic characteristics can be changed, and the traffic characteristics are prevented from being identified by the attack source.
With reference to the first aspect, in one embodiment of the present application, the system version number in the target honeypot information table is arranged according to query times.
Therefore, the system version number is sorted according to the number of times of inquiry, and information with high use frequency can be placed in front, so that the efficiency of obtaining the target honeypot system can be improved.
In a second aspect, the present application provides an apparatus for obtaining a target honeypot system, the apparatus comprising: an original system acquisition module configured to acquire an original honeypot system and acquire a system version number of a target security device, wherein the original honeypot system is used for receiving malicious traffic of an attack source and is deployed on the target security device; a configuration information acquisition module configured to search configuration information corresponding to the system version number in a target honeypot information table, wherein the target honeypot information table is at least used for recording vulnerability information related to the system version number; and a system configuration module configured to update the configuration of the original honeypot system based on the configuration information to obtain a target honeypot system.
With reference to the second aspect, in an embodiment of the present application, the vulnerability information includes a vulnerability number of a system vulnerability on a target candidate security device; the configuration information acquisition module is further configured to: acquire a system version number of at least one candidate security device; search for the target candidate security device with the system vulnerability among the at least one candidate security device, and acquire the vulnerability number of the system vulnerability on the target candidate security device; and add the system version number of the target candidate security device and the corresponding vulnerability number into a honeypot information table to obtain the target honeypot information table.
With reference to the second aspect, in one embodiment of the present application, the at least one candidate security device includes a first candidate security device, where the first candidate security device is any one of the at least one candidate security device; the configuration information acquisition module is further configured to: when it is determined that the first candidate security device has no system vulnerability, further determine that the first candidate security device has an application vulnerability, and acquire a first vulnerability number of the application vulnerability, wherein the application vulnerability is a vulnerability in an application program; and add the system version number of the first candidate security device and the corresponding first vulnerability number into a honeypot information table to obtain the target honeypot information table.
With reference to the second aspect, in an embodiment of the present application, the target honeypot information table is further configured to record operation resource information, where the operation resource information represents different operation capabilities by using an interval where an operation parameter value is located; the configuration information acquisition module is further configured to: calculating an operation parameter value of the at least one candidate security device, wherein the operation parameter value is used for characterizing the operation capability of the at least one candidate security device; generating the operation resource information according to the operation parameter value; and adding the operation resource information corresponding to the same system version number into the honeypot information table to obtain the target honeypot information table.
With reference to the second aspect, in one embodiment of the present application, the operation parameter values include the average number of clock cycles per instruction (CPI) within a preset time, and the number of million instructions processed per second (MIPS); the configuration information acquisition module is further configured to: respectively calculate the CPI and the MIPS of each candidate security device in the at least one candidate security device; acquire a target reference value interval of the CPI of each candidate security device to obtain first operation resource information; acquire a target reference value interval of the MIPS of each candidate security device to obtain second operation resource information; and represent the operation resource information by the first operation resource information and the second operation resource information.
With reference to the second aspect, in an embodiment of the present application, the configuration information acquisition module is further configured to: search for vulnerability information and operation resource information corresponding to the system version number of the target security device in the target honeypot information table; and update the configuration of the original honeypot system based on the vulnerability information and the operation resource information to obtain the target honeypot system.
With reference to the second aspect, in one embodiment of the present application, the original system acquisition module is configured to: acquiring an initial honeypot system, and extracting flow characteristics corresponding to the initial honeypot system; and hiding the flow characteristics to obtain the original honeypot system.
With reference to the second aspect, in one embodiment of the present application, the system version number in the target honeypot information table is arranged according to query times.
In a third aspect, the present application provides an attack response method, which is applied to the target honeypot system obtained in any embodiment of the first aspect, where the attack response method includes: inducing an attack source to send malicious traffic according to the vulnerability information; and responding to the malicious traffic, and sending a response message to the attack source.
Therefore, the target honeypot system can better meet the function of a real system by enabling the target honeypot system to send the response message to the attack source, and the attack source is not easy to identify the target honeypot system.
In a fourth aspect, the present application provides an electronic device, comprising: a processor, a memory, and a bus; the processor is connected to the memory via the bus, and the memory stores a computer program, which, when executed by the processor, is adapted to carry out the method according to any of the embodiments of the first aspect.
In a fifth aspect, the present application provides a computer readable storage medium having a computer program stored thereon, which when executed, may implement the method according to any of the embodiments of the first aspect.
Drawings
FIG. 1 is a schematic diagram illustrating a configuration of an attack response system according to an embodiment of the present application;
FIG. 2 is a first flowchart of a method for obtaining a target honeypot system according to an embodiment of the present application;
FIG. 3 is a second flowchart of a method for obtaining a target honeypot system according to an embodiment of the present application;
FIG. 4 is a third flowchart of a method for obtaining a target honeypot system according to an embodiment of the present application;
FIG. 5 is a fourth flowchart illustrating a method for obtaining a target honeypot system according to an embodiment of the present application;
FIG. 6 is a schematic diagram of the apparatus for obtaining a target honeypot system according to an embodiment of the present application;
FIG. 7 is a schematic diagram illustrating the composition of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, as presented in the figures, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.
In the related art, by arranging some hosts as baits in an intranet, an attack source is induced to attack the hosts, so that attack behaviors can be captured and analyzed, tools and methods used by the attack source are known, attack intentions and motivations are presumed, security equipment can clearly know security threats faced by the intranet, and the security protection capability of the intranet is enhanced through technical and management means.
In some embodiments of the present application, the configuration information is obtained in a target honeypot information table, and the original honeypot system is configured according to the obtained configuration information to obtain the target honeypot system. For example, in some embodiments of the present application, first, a system version number of a target security device that deploys an original honeypot system is obtained, then, the system version number and configuration information corresponding to the system version number are searched in a target honeypot information table, and finally, the original honeypot system is reconfigured according to the configuration information to obtain a target honeypot system, so that the target honeypot system is quickly established through the target honeypot information table, and thus, reusability of the target honeypot system can be improved, and manufacturing cost can be reduced.
The method steps in the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Fig. 1 shows an attack response system according to some embodiments of the present application, which responds to attacks using a target honeypot system obtained according to some embodiments of the present application and includes an attack source 110 and a target honeypot system 120. Specifically, the attack source 110 sends malicious traffic to the target honeypot system 120; after receiving the malicious traffic, the target honeypot system 120 sends a response message to the attack source 110 and stores the malicious traffic in a database of the security device, so that the security device can analyze the malicious traffic and generate an interception policy.
In the related art, the honeypot system is generally customized by a fixed manufacturer according to requirements, resulting in higher cost of customizing the honeypot system and poor reusability of the honeypot system. In the embodiment of the application, the configuration information corresponding to the system version number is searched in the target honeypot information table, and the target honeypot system is obtained through the configuration information, so that the target honeypot system can be automatically obtained without customizing the honeypot system by a fixed manufacturer according to requirements.
The following will describe a method for acquiring a target honeypot system of some embodiments of the present application by a server.
At least to solve the above problem, as shown in fig. 2, some embodiments of the present application provide a method of obtaining a target honeypot system, the method including:
s210, acquiring an original honeypot system and acquiring a system version number of the target security device.
It should be noted that the original honeypot system is used for receiving malicious traffic of an attack source, and the original honeypot system is deployed on the target security device. It will be appreciated that the target security device is a device that needs to obtain malicious traffic sent by the attack source.
The source of the attack may be an extranet device that sends malicious traffic. For example, assuming that the intranet is secure, the attack source refers to an extranet device that wants to attack the intranet. The size of the intranet is not limited by the embodiments of the present application. For example, in some embodiments the intranet is a network associated with a university, in some embodiments the intranet is a network of a company, in some embodiments the intranet is a network of a city, and so forth. It will be appreciated that if the intranet is a college network, the attack sources are all extranet devices that want to attack the college network.
The target security device is the security device that protects the intranet devices, so the program corresponding to the target honeypot system is deployed on the target security device. Because the target honeypot system contains a large number of vulnerabilities, all traffic that accesses it is deemed malicious traffic.
In an embodiment of the present application, before S210, the method further includes: and acquiring an initial honeypot system, extracting flow characteristics corresponding to the initial honeypot system, and then hiding the flow characteristics to obtain the original honeypot system.
It should be noted that the initial honeypot system is an open-source low-interaction honeypot system. If the initial honeypot system sends a response packet, the response packet carries traffic characteristics (for example, characteristic character strings of the initial honeypot system), and once the attack source obtains a response packet carrying these traffic characteristics, it can identify the honeypot system on the target security device through them. At the same time, a response message containing the traffic characteristics can be matched by the traffic rules of the attack source, so that the attack source stops sending malicious traffic to the honeypot system. Therefore, after the initial honeypot system is obtained, the traffic characteristics are hidden: the traffic characteristics are modified so that they are no longer carried when a message is sent, while the basic service functions of the initial honeypot system are retained.
Specifically, an open-source initial honeypot system such as conpot is obtained first. Then all the fixed traffic character strings in the initial honeypot system are modified. For example, the fixed traffic character strings include "origin Siemens Equipment, 88111222", "IM151-8 PN/DP CPU", etc.; "origin Siemens Equipment, 88111222" encrypted with an encryption algorithm (e.g., Base64) becomes "T3JpZ2 luywgwgu 2 llwvucybfcxvpcg 1lbnQ =", and a forward ordering function is then used to shuffle the sequence, giving "zyxwwwwullutqutqpggjgcccbbbb =3221".
That is, by changing the fixed characteristic string into a random form, the traffic-rule characteristic matching of the attack source can be prevented from hitting in the traffic.
It can be understood that the present application does not limit the processing manner of all the traffic fixed strings in the initial honeypot system, and the above-mentioned manner of using the forward ordering function to shuffle the order is only an example.
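The string rewriting described above, as an added example that is not code from the patent or from conpot: each fixed string is Base64-encoded (Base64 is an encoding, not encryption, so the point is only that the byte pattern a traffic rule matches on no longer appears) and the encoded characters are then shuffled with a seeded shuffle, which stands in for the unspecified forward ordering function. The seed, the sample banner strings, the sample response and the leak check are assumptions made for this example.

```python
import base64
import random
from typing import Dict, Iterable, List

# Constructed sample of fixed strings a low-interaction honeypot emits in its
# responses. "IM151-8 PN/DP CPU" is the string named in the description; the
# second one is made up for this example.
FIXED_STRINGS = ["IM151-8 PN/DP CPU", "example-honeypot-banner 1.0"]

# Constructed sample response that carries both characteristics.
SAMPLE_RESPONSE = "Module: IM151-8 PN/DP CPU\r\nServer: example-honeypot-banner 1.0\r\n"


def _shuffle(text: str, seed: int) -> str:
    """Seeded shuffle, so the same seed always yields the same output and every
    response of the honeypot carries the same rewritten string."""
    chars = list(text)
    random.Random(seed).shuffle(chars)
    return "".join(chars)


def hide_fixed_string(fixed: str, seed: int, max_tries: int = 16) -> str:
    """Base64-encode a fixed string and shuffle the encoded characters.

    The candidate is rejected if it still contains the original string or is
    identical to the plain Base64 form (both would remain matchable), and the
    shuffle is retried with the next seed.
    """
    encoded = base64.b64encode(fixed.encode("utf-8")).decode("ascii")
    for attempt in range(max_tries):
        candidate = _shuffle(encoded, seed + attempt)
        if fixed not in candidate and candidate != encoded:
            return candidate
    raise ValueError(f"could not hide {fixed!r} within {max_tries} tries")


def build_replacement_map(fixed_strings: Iterable[str], seed: int) -> Dict[str, str]:
    """One hidden form per fixed string; a different seed per string."""
    return {s: hide_fixed_string(s, seed + i) for i, s in enumerate(fixed_strings)}


def rewrite_response(payload: str, replacements: Dict[str, str]) -> str:
    """Apply the replacement map to an outgoing response message."""
    for original, hidden in replacements.items():
        payload = payload.replace(original, hidden)
    return payload


def leaked_characteristics(payload: str, fixed_strings: Iterable[str]) -> List[str]:
    """Check a response the way a traffic rule would: which fixed strings survive."""
    return [s for s in fixed_strings if s in payload]


if __name__ == "__main__":
    mapping = build_replacement_map(FIXED_STRINGS, seed=7)
    rewritten = rewrite_response(SAMPLE_RESPONSE, mapping)
    print(rewritten)
    print("leaks:", leaked_characteristics(rewritten, FIXED_STRINGS))
```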
S220, the configuration information corresponding to the system version number is searched in the target honeypot information table.
It should be noted that the target honeypot information table is used to record vulnerability information and operation resource information corresponding to different system version numbers.
The following exemplarily illustrates an implementation process of obtaining the target honeypot information table.
In one embodiment of the present application, prior to S220, the method includes:
s221, obtaining a system version number of at least one candidate security device.
That is to say, the at least one candidate security device comprises all security devices capable of carrying a honeypot system, and in the process of establishing the target honeypot information table, it is necessary to first obtain the system version number of each candidate security device in the at least one candidate security device, and then use the system version number of each candidate security device as the key in the honeypot information table, that is, use the system version number as the index of the honeypot information table.
Specifically, based on all versions of existing Windows, Linux and other systems, the original honeypot system is deployed on candidate security devices with different system version numbers, all the candidate security devices carrying the original honeypot system are formed into a cluster, and a honeypot information table is compiled. The honeypot information table covers most system versions of existing Windows and Linux, and the original honeypot systems are deployed on these systems.
As shown in Table 1, in some embodiments of the present application, the honeypot information table includes a system version number and an original honeypot system source. For example, the original honeypot system source corresponding to the system version number "Windows 10 for x64-based Systems" in Table 1 is "conpot".
TABLE 1 Honeypot information table 1

System version                              Original honeypot system source
Windows 10                                  conpot
Windows 10 for x64-based Systems            conpot
Windows 10 for 32-bit Systems               conpot
Windows 10 21H2 for x64-based Systems       conpot
Windows 10 21H2 for ARM64-based Systems     conpot
Windows 10 21H2 for 32-bit Systems          conpot
Windows 10 21H1 for x64-based Systems       conpot
Windows 10 21H1 for ARM64-based Systems     conpot
Windows 10 21H1 for 32-bit Systems          conpot
Windows 10 20H2 for x64-based Systems       conpot
S222, searching for target candidate security devices having a system vulnerability among the at least one candidate security device, and acquiring the vulnerability number of the system vulnerability on each target candidate security device.
That is, each candidate security device is searched for system vulnerabilities by means of a crawler; if a system vulnerability exists, the candidate security device having it is taken as a target candidate security device, and the vulnerability number of the system vulnerability on the selected target candidate security device is then acquired.
For example, the system version number of one of the candidate security devices is Windows 10; it is confirmed that a system vulnerability exists in the Windows 10 system, and the vulnerability number of that system vulnerability is then acquired as "CVE-2021-33739".
For example, the system version number of one of the candidate security devices is Windows 10 for x64-based Systems; it is confirmed that a system vulnerability exists in the system, and the vulnerability number of that system vulnerability is then acquired as "CVE-2022-21127".
S223, adding the system version number of the target candidate security device and the corresponding vulnerability number into the honeypot information table to obtain the target honeypot information table.
That is, after the vulnerability number of the target candidate security device is acquired, the vulnerability number corresponding to the system version number of the target candidate security device is added to the honeypot information table, and the target honeypot information table is obtained.
As shown in Table 2, in some embodiments of the present application, the target honeypot information table (one) includes a system version, an original honeypot system source, whether a system vulnerability exists, and a vulnerability number.
TABLE 2 Target honeypot information table 1 (rendered as an image in the source; columns: system version, original honeypot system source, whether a system vulnerability exists, vulnerability number)
It is understood that there may be a plurality of candidate security devices of the same system version, and the vulnerability number of the same candidate security device may be one or more.
In one embodiment of the present application, the at least one candidate security device includes a first candidate security device, wherein the first candidate security device is any one of the at least one candidate security device.
After S221, the method further includes:
First, when it is confirmed that the first candidate security device has no system vulnerability, it is further confirmed that the first candidate security device has an application vulnerability, and a first vulnerability number of the application vulnerability is obtained.
That is to say, the first candidate security device may not have a system vulnerability, and at this time, the application vulnerability in the first candidate security device needs to be further crawled, and a vulnerability number of the application vulnerability, that is, the first vulnerability number, is obtained.
For example, the system version number of the first candidate security device is Windows 10 21H2 for ARM64-based Systems, it is confirmed that the first candidate security device does not have a system vulnerability, then the application vulnerability in the first candidate security device is further crawled, and the first vulnerability number is acquired as "CVE-2022-21128".
It may be understood that the application vulnerability is a vulnerability corresponding to the application program, for example, the application vulnerability may be a vulnerability of a third party payment application program, and may also be a vulnerability of a music application program.
Then, the system version number of the first candidate security device and the corresponding first vulnerability number are added to the honeypot information table to obtain the target honeypot information table.
That is, after the first vulnerability number is obtained, the first vulnerability number corresponding to the system version number is added to the honeypot information table, and the target honeypot information table is obtained.
As shown in Table 3, in some embodiments of the present application, the target honeypot information table (two) includes a system version, an original honeypot system source, whether a system vulnerability exists, and a vulnerability number. In the "whether a system vulnerability exists" column, the entry "no" indicates that no system vulnerability exists but an application vulnerability does.
TABLE 3 Target honeypot information table 2 (rendered as an image in the source; columns: system version, original honeypot system source, whether a system vulnerability exists, vulnerability number)
As a specific embodiment of the present application, a system vulnerability crawl is performed over the cluster obtained in Table 1, and the application vulnerabilities or high-risk system vulnerabilities corresponding to every system version in Table 1 are crawled. If a system vulnerability exists, the system can already be attacked from outside, so no processing is needed and only the vulnerability information is recorded. If no system vulnerability exists but a service or application vulnerability does, 1-3 vulnerability environments are crawled and configured and arranged in the original honeypot system. The vulnerability is exposed actively so as to attract the attack source to attack.
In one embodiment of the present application, the target honeypot information table may also record operation resource information in addition to the vulnerability information. The operation resource information represents different operation capabilities by the interval in which the operation parameter value lies. The steps of obtaining the target honeypot information table are as follows:
first, an operational parameter value of at least one candidate security device is calculated.
It will be appreciated that the operation parameter value is used to characterise the operation capability of the at least one candidate security device. The operation parameter values include the average number of clock cycles per instruction (CPI) within a preset time and the number of millions of instructions processed per second (MIPS). The preset time may be one hour.
Specifically, the CPI and the MIPS of each candidate security device in the at least one candidate security device are respectively calculated.
The calculation formula of CPI is shown as the following formula (1):

$$\mathrm{CPI} = \frac{m}{IC} = \sum_{i=1}^{n} \mathrm{CPI}_i \times P_i \qquad (1)$$

where $IC$ denotes the total number of instructions, $m$ denotes the total number of clock cycles required to execute the $IC$ instructions, $n$ denotes the number of instruction classes, $\mathrm{CPI}_i$ denotes the CPI of instructions of class $i$, and $P_i$ denotes the proportion of class-$i$ instructions in the total number of instructions, $P_i = IC_i / IC$.
The calculation formula of MIPS is shown in the following formula (2):

$$\mathrm{MIPS} = \frac{IC}{T_{CPU} \times 10^{6}} = \frac{f}{\mathrm{CPI} \times 10^{6}} \qquad (2)$$

where $T_{CPU}$ denotes the time the CPU spends on the program, given by the following formula (3):

$$T_{CPU} = m \times T = m \times \frac{1}{f} = \frac{\mathrm{CPI} \times IC}{f} \qquad (3)$$

where $T$ denotes the clock cycle and $f$ the clock frequency (i.e., the main frequency); the clock cycle and the clock frequency are reciprocals, i.e., $T = 1/f$.
It should be noted that the unit of MIPS can be counted in millions, for example, the value of MIPS is 1 (million) or 50 (million).
Then, the operation resource information is generated based on the operation parameter values.
Specifically, the target reference value interval in which the CPI of each candidate security device lies is obtained, giving the first operation resource information, and the target reference value interval in which the MIPS of each candidate security device lies is obtained, giving the second operation resource information.
It should be noted that the operation resource information is represented by using the first operation resource information and the second operation resource information.
Specifically, if the calculated CPI values are 6, 17, 24, 35 and 40, the CPI intervals obtained from the reference data intervals in which these values lie are 5-10, 10-15, 15-20, 20-25, 25-30, 30-35 and 35-40. These intervals can be represented as "5/10/15/20/25/30/35/40", i.e. the first operation resource information is "5/10/15/20/25/30/35/40".
If the calculated MIPS values are 50, 140, 230, 280 and 300, the MIPS intervals obtained from the reference data intervals in which these values lie are 50-100, 100-150, 150-200, 200-250 and 250-300. These intervals can be represented as "50/100/150/200/250/300", i.e. the second operation resource information is "50/100/150/200/250/300".
Finally, the operation resource information corresponding to the same system version number is added to the honeypot information table to obtain the target honeypot information table.
That is, after the first and second operation resource information are obtained, they are added to the honeypot information table, and the target honeypot information table is obtained.
As shown in Table 4, in some embodiments of the present application, the target honeypot information table (three) includes a system version, an original honeypot system source, whether a system vulnerability exists, a vulnerability number, first operation resource information, and second operation resource information.
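Formulas (1) to (3) and the interval representation described above, carried through in Python as an added example (not the patent's own code). The interval widths 5 (CPI) and 50 (MIPS) are an assumption read off the page's worked values, and the instruction mix is constructed.

```python
import math
from typing import Dict, Sequence, Tuple


def cpi_from_mix(instr_counts: Dict[str, int], cpi_per_class: Dict[str, float]) -> float:
    """Formula (1): CPI = m / IC = sum_i CPI_i * P_i, with P_i = IC_i / IC."""
    ic = sum(instr_counts.values())
    return sum(cpi_per_class[cls] * (count / ic) for cls, count in instr_counts.items())


def cpu_time(cpi: float, ic: int, f_hz: float) -> float:
    """Formula (3): T_CPU = m * T = (CPI * IC) / f."""
    return cpi * ic / f_hz


def mips(cpi: float, ic: int, f_hz: float) -> float:
    """Formula (2): MIPS = IC / (T_CPU * 10^6), which reduces to f / (CPI * 10^6)."""
    return ic / (cpu_time(cpi, ic, f_hz) * 1e6)


def interval_string(values: Sequence[float], step: int) -> str:
    """Represent the reference intervals of width `step` that cover the measured
    values by their boundaries, e.g. CPI 6..40 with step 5 -> "5/10/15/20/25/30/35/40"."""
    lo = math.floor(min(values) / step) * step
    hi = math.ceil(max(values) / step) * step
    return "/".join(str(b) for b in range(lo, hi + 1, step))


def operation_resource_info(cpi_values: Sequence[float],
                            mips_values: Sequence[float]) -> Tuple[str, str]:
    """First (CPI) and second (MIPS) operation resource information strings.
    Assumption: interval widths 5 and 50, as in the page's worked examples."""
    return interval_string(cpi_values, 5), interval_string(mips_values, 50)


# Constructed instruction mix for one candidate device: count per class and CPI per class.
SAMPLE_COUNTS = {"alu": 500, "load_store": 300, "branch": 200}
SAMPLE_CPI_PER_CLASS = {"alu": 1.0, "load_store": 3.0, "branch": 2.0}
SAMPLE_F_HZ = 2.0e9  # constructed 2 GHz clock


if __name__ == "__main__":
    c = cpi_from_mix(SAMPLE_COUNTS, SAMPLE_CPI_PER_CLASS)
    print("CPI =", c, "MIPS =", mips(c, sum(SAMPLE_COUNTS.values()), SAMPLE_F_HZ))
    # The page's own CPI and MIPS samples reproduce its two information strings.
    print(operation_resource_info([6, 17, 24, 35, 40], [50, 140, 230, 280, 300]))
```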
TABLE 4 Target honeypot information table 3 (rendered as an image in the source; columns: system version, original honeypot system source, whether a system vulnerability exists, vulnerability number, first operation resource information, second operation resource information)
In one embodiment of the present application, after the target honeypot information table (three) is obtained, performance information of the at least one candidate security device is obtained using a script. Specifically, all environment information configurations, including the upper-layer application environment, open services and port numbers, the product database and the running process and thread environment, are integrated into the target honeypot information table by script. A high-interaction honeypot is thereby formed automatically: the honeypot imitates the production machine as closely as possible, the attack source cannot distinguish the normal system from the honeypot system, and the vulnerability can be exposed actively to attract traffic.
In one embodiment of the present application, the system version number in the target honeypot information table is arranged according to the number of queries.
That is, while the target honeypot information table is in use, the number of times each system version number is queried (i.e. its utilization rate) is counted at intervals, and the system version numbers with the largest counts, together with their original honeypot system source, whether a system vulnerability exists, vulnerability number, first operation resource information and second operation resource information, are moved to the front. In other words, the target honeypot information table is automatically optimized and ranked, and the highest-ranked system version numbers are tried first when matching, which improves construction efficiency.
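The table-building branch of S222-S223 (system vulnerability, otherwise application vulnerability), the S220 lookup, and the query-count ranking described above, as an added example that is not the patent's code. The rows use the version/CVE pairs quoted on the page; the resource-info strings are the page's worked interval examples rather than per-device measurements, and the class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass
class HoneypotEntry:
    """One row of the target honeypot information table (columns of Tables 2-4)."""
    system_version: str
    honeypot_source: str          # original honeypot system source
    system_vuln_exists: bool      # the "whether a system vulnerability exists" column
    vuln_numbers: List[str]       # system vulnerability numbers, or application ones if none
    first_resource_info: str      # CPI interval string
    second_resource_info: str     # MIPS interval string
    query_count: int = 0          # drives the automatic ranking


class HoneypotInfoTable:
    """Keyed by system version number, which the page uses as the table's key."""

    def __init__(self) -> None:
        self._rows: Dict[str, HoneypotEntry] = {}

    def add_candidate(self, version: str, source: str,
                      system_vulns: Sequence[str], app_vulns: Sequence[str],
                      first_info: str, second_info: str) -> HoneypotEntry:
        """S222/S223 plus the first-candidate branch: record the system
        vulnerability numbers when any exist, otherwise the application ones."""
        has_system = len(system_vulns) > 0
        numbers = list(system_vulns) if has_system else list(app_vulns)
        entry = HoneypotEntry(version, source, has_system, numbers, first_info, second_info)
        self._rows[version] = entry
        return entry

    def lookup(self, version: str) -> Optional[HoneypotEntry]:
        """S220: fetch the configuration for a version and count the query.
        None means the version is missing and the table-building steps must be
        repeated for it (the page's fifth step)."""
        entry = self._rows.get(version)
        if entry is not None:
            entry.query_count += 1
        return entry

    def ranked_versions(self) -> List[str]:
        """Automatic optimization: most-queried versions first (stable for ties)."""
        rows = sorted(self._rows.values(), key=lambda e: e.query_count, reverse=True)
        return [e.system_version for e in rows]


def build_sample_table() -> HoneypotInfoTable:
    """Constructed sample rows from the version/CVE pairs quoted on the page."""
    t = HoneypotInfoTable()
    cpi_info, mips_info = "5/10/15/20/25/30/35/40", "50/100/150/200/250/300"
    t.add_candidate("Windows 10", "conpot", ["CVE-2021-33739"], [], cpi_info, mips_info)
    t.add_candidate("Windows 10 for x64-based Systems", "conpot",
                    ["CVE-2022-21127"], [], cpi_info, mips_info)
    # No system vulnerability: the application vulnerability number is recorded instead.
    t.add_candidate("Windows 10 21H2 for ARM64-based Systems", "conpot",
                    [], ["CVE-2022-21128"], cpi_info, mips_info)
    return t


if __name__ == "__main__":
    table = build_sample_table()
    print(table.lookup("Windows 10 21H2 for ARM64-based Systems"))
    print(table.lookup("constructed-unknown-version"))   # None: repeat steps one to four
    print(table.ranked_versions())
```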
S230, updating the configuration of the original honeypot system based on the configuration information to obtain the target honeypot system.
It can be understood that the original honeypot system in the present application is a low-interaction honeypot, and the target honeypot system is a high-interaction honeypot.
That is to say, after the target honeypot information table is established, in a process that needs to be generated, firstly, vulnerability information and operation resource information corresponding to the system version number of the target security device are searched in the target honeypot information table, and then, the original honeypot system is configured and updated based on the vulnerability information and the operation resource information, so that the target honeypot system is obtained.
Specifically, when the target honeypot system is established, the original honeypot system is first deployed on the target secure device, and the system version number of the target secure device is obtained, for example, the system version number of the target secure device is "Windows 10 21H2 for 32-bit Systems". And then, searching configuration information corresponding to the system version number in a target honeypot information table, wherein the configuration information comprises vulnerability information and operation resource information, and then updating the original honeypot system by using the vulnerability information and the operation resource information to obtain a high-interaction target honeypot system.
It should be noted that the original honeypot system can only receive the malicious traffic of the attack source, and the target honeypot system can not only receive the malicious traffic of the attack source, but also send a response message to the attack source, so that the attack source cannot distinguish the normal system from the target honeypot system.
As shown in fig. 3, as an embodiment of the present application, the process of processing the original honeypot system includes:
S301, loading the original honeypot system and modifying features in its source code so that the source code cannot be matched by regular-expression signatures.
S302, initially creating a honeypot information table, and creating a cluster based on the original honeypot system.
S303, automatically carrying out vulnerability environment arrangement on all system environments in the honeypot information table.
S304, completing the honeypot information table by script according to the CPI value and the MIPS value.
S305, performing performance system investigation on the candidate safety equipment by using the script and automatically matching the honeypot information table.
As shown in fig. 4, as an embodiment of the present application, the process of obtaining a target honeypot system includes:
S401, performing an environment survey of the target security device by script, updating the configuration of the original honeypot system, and obtaining the target honeypot system.
S402, automatically optimizing the target honeypot information table.
Having described embodiments of a method for obtaining a target honeypot system provided herein, specific embodiments of a method for obtaining a target honeypot system provided herein will be described below.
Technical drawbacks in the related art include: honeypot systems in the related art have only simple interaction capability, such as accepting a specific Secure Shell (SSH) login and returning a cracking result, but do not reply at all to other, more complex requests from an attack source. In addition, the honeypot system code in the related art is too fixed: its traffic characteristics are obvious and unchanging, so the attack source can easily write these characteristics into traffic rules for identification, and high-interaction honeypots in the related art have to be custom-built by vendors, so reusability is poor and cost is high.
Therefore, the present application aims to solve the following problems: first, the single function, low confusion and easy feature detection of low-interaction honeypots; second, the poor reusability of high-interaction honeypots; and third, the scanning and identification of honeypots once an extranet intrusion reaches the intranet, and the high cost of customizing high-interaction honeypots.
Specifically, by supplementing the original honeypot system in system environment and code, the system can simulate a normal system, has the capability of attracting and diverting attack sources, can effectively capture the malicious traffic of attack sources, and can be automatically configured and reused when the application environment changes. Thus the usage scenario can be matched automatically, and the low-interaction honeypot (i.e. the original honeypot system) can be built into a high-interaction honeypot (i.e. the target honeypot system) containing the vulnerability environment.
As shown in fig. 5, in some embodiments of the present application, there is provided a method of obtaining a target honeypot system, the method illustratively including:
S510, obtaining a system version number of at least one candidate security device.
S520, matching the corresponding system version number through the honeypot information table.
S530, detecting whether a system vulnerability exists; if so, executing S540, crawling the system vulnerability and adding it to the honeypot information table, and if not, executing S550, crawling the application vulnerability and adding it to the honeypot information table.
S560, selecting the corresponding operation resource information according to the CPI value and the MIPS value, and adding the operation resource information to the honeypot information table.
S570, integrating the service port numbers and the database of the candidate security device into the honeypot information table.
S580, performing matching and updating on the original honeypot system to obtain the target honeypot system.
Specifically, the method and the device are applied to sandbox products of enterprises, and after the honeypot system is deployed, the attack source is attracted to attack in a vulnerability exposure mode, so that attack means and attack flow are captured, and the safety of management equipment is enhanced.
In some embodiments of the present application, a method of obtaining a target honeypot system is provided, the method specifically including:
In the first step, an open-source initial honeypot system is obtained, for example the open-source honeypot conpot. All fixed traffic strings in the source code of the initial honeypot system are modified as follows. Certain specific strings appear in the traffic and can be matched by the traffic rules of an attack source, for example "Original Siemens Equipment", "88111222", "IM151-8 PN/DP CPU" and the like. After base64 encoding, "Original Siemens Equipment" becomes T3JpZ2luYWwgU2llbWVucyBFcXVpcG1lbnQ=, and after its order is shuffled with the forward ordering function the result is:
ZYyXWwWVVuUuTQppnllllJgGFcccbBb=3221
In this way, the characteristic fixed strings are changed into a random form, the original honeypot system is obtained, and matching by the attack source's traffic-rule signatures against the strings appearing in the traffic is avoided.
Second, the original honeypot system obtained in the previous step is processed further: it is added to all enumerated Windows and Linux systems to form an initial cluster, and a honeypot information table is compiled.
Third, using a crawler, the system vulnerability or application vulnerability environment for each system version in the honeypot information table obtained in the previous step is crawled, the vulnerability environment is arranged in the original honeypot system, and the honeypot information table is updated.
Fourth, the honeypot information table is further processed according to the CPI and MIPS values, using the hourly average of the performance values and the interval in which they lie as the unit, to obtain the target honeypot information table, so that operation resource information can subsequently be selected from it conveniently.
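The fixed-string transformation of the first step (and the forward ordering function mentioned earlier under S210), as an added example that is not the patent's or conpot's code. The "forward ordering function" is assumed to be a stable, case-insensitive descending sort, which reproduces the page's output for the Siemens banner character for character; the source fragment is constructed.

```python
import base64
from typing import List, Sequence

# The fixed traffic strings the page quotes from the open-source honeypot's banner.
FIXED_STRINGS = [
    "Original Siemens Equipment",
    "88111222",
    "IM151-8 PN/DP CPU",
]


def encode_fixed_string(s: str) -> str:
    """First transformation on the page: base64-encode the fixed string."""
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


def forward_order(s: str) -> str:
    """Second transformation: reorder the encoded characters.

    Assumption: a stable case-insensitive descending sort. Note that a sort is
    deterministic, so the same input always yields the same output string."""
    return "".join(sorted(s, key=str.lower, reverse=True))


def randomize_fixed_string(s: str) -> str:
    """The page's two steps composed: encode, then reorder."""
    return forward_order(encode_fixed_string(s))


def rewrite_source(source: str, fixed_strings: Sequence[str] = FIXED_STRINGS) -> str:
    """Replace every fixed traffic string in a source text with its transformed form."""
    out = source
    for s in fixed_strings:
        out = out.replace(s, randomize_fixed_string(s))
    return out


def leaked_signatures(text: str, fixed_strings: Sequence[str] = FIXED_STRINGS) -> List[str]:
    """Defender's check: which original fixed strings, the ones a traffic rule
    would key on, still appear verbatim in the text."""
    return [s for s in fixed_strings if s in text]


# Constructed stand-in for a fragment of honeypot source code.
SAMPLE_SOURCE = (
    'SYSTEM_NAME = "Original Siemens Equipment"\n'
    'SERIAL = "88111222"\n'
    'MODULE = "IM151-8 PN/DP CPU"\n'
)


if __name__ == "__main__":
    print(randomize_fixed_string("Original Siemens Equipment"))
    rewritten = rewrite_source(SAMPLE_SOURCE)
    print(rewritten)
    print("still matchable:", leaked_signatures(rewritten))
```

Because the reordering is a sort, the transformed banner is itself a fixed value; a deployment that needs a different value per instance has to vary the input or the ordering key.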
Fifth, a performance and system survey is performed on the target security device using the script, the target honeypot information table is matched automatically, and whether the system version is in the target honeypot information table is checked; if it is not, all of the first to fourth steps are repeated. If it is, the sixth step is carried out. For example, the system version of the target security device is win7 x64 sp1; comparison with the target honeypot information table confirms that the target security device has a system vulnerability, so no other vulnerabilities need to be integrated, and the next step follows.
Sixth, all environment information configurations are traversed with a script, including the upper-layer application environment, open services and port numbers, the product database, the running process and thread environment and the like; the environment information is integrated into the target honeypot information table, and a new high-interaction honeypot is formed automatically.
Seventh, configuration information with a high utilization rate is moved forward in the matching order, automatically improving matching efficiency. The target honeypot information table is updated, and system versions not yet added to it are integrated automatically.
Therefore, the technical key points of the application are as follows. Processing the low-interaction honeypot: the characteristic strings in the open-source low-interaction honeypot and the fixed characteristics in its traffic are randomized to avoid identification by signature. Generating a brand-new high-interaction honeypot: while the function of the low-interaction honeypot is retained and the honeypot is kept consistent with the product environment host, a new high-interaction honeypot with a traffic-diverting function is generated automatically once the system version is known. Automatically generating the honeypot information table of the honeypot cluster: honeypots with corresponding performance are matched automatically according to the computer's performance, with automatic adjustment of usage priority and updating of the cluster's base systems.
Therefore, a high-interaction honeypot is generated automatically for any product environment, customization and other costs are reduced, and the reusability and portability of the honeypot are enhanced. Attack information of attack sources is collected more effectively, so that unknown attacks are guarded against at the first step and unnecessary losses are avoided.
Having described a specific embodiment of a method for obtaining a target honeypot system provided by the present application, an apparatus for obtaining a target honeypot system is described.
As shown in fig. 6, some embodiments of the present application provide an apparatus 600 for obtaining a target honeypot system, the apparatus comprising: an original system acquisition module 610, a configuration information acquisition module 620, and a system configuration module 630.
An original system acquisition module 610 configured to acquire an original honeypot system for receiving malicious traffic of an attack source, and acquire a system version number of a target security device on which the original honeypot system is deployed.
The configuration information obtaining module 620 is configured to search configuration information corresponding to the system version number in a target honeypot information table, where the target honeypot information table is at least used to record vulnerability information related to the system version number.
A system configuration module 630 configured to perform configuration update on the original honeypot system based on the configuration information to obtain a target honeypot system.
In one embodiment of the present application, the vulnerability information includes a vulnerability number of a system vulnerability on a target candidate security device; the configuration information acquisition module 620 is further configured to: acquiring a system version number of at least one candidate safety device; searching the target candidate security equipment with the system vulnerability from the at least one candidate security equipment, and acquiring the vulnerability number of the system vulnerability on the target candidate security equipment; and adding the system version number of the target candidate security equipment and the corresponding vulnerability number into a honeypot information table to obtain the target honeypot information table.
In one embodiment of the present application, the at least one candidate security device includes a first candidate security device, wherein the first candidate security device is any one of the at least one candidate security device; the configuration information acquisition module 620 is further configured to: when the first candidate security device is determined to have no system bug, further determining that the first candidate security device has an application bug, and acquiring a first bug number of the application bug, wherein the application bug is a bug corresponding to an application program; and adding the system version number of the first candidate security device and the corresponding first vulnerability number into a honeypot information table to obtain the target honeypot information table.
In an embodiment of the present application, the target honeypot information table is further configured to record operation resource information, where the operation resource information represents different operation capabilities by using an interval where an operation parameter value is located; the configuration information acquisition module 620 is further configured to: calculating an operation parameter value of the at least one candidate security device, wherein the operation parameter value is used for characterizing the operation capability of the at least one candidate security device; generating the operation resource information according to the operation parameter value; and adding the operation resource information corresponding to the same system version number into the honeypot information table to obtain the target honeypot information table.
In one embodiment of the present application, the operation parameter values include an average number of clock cycles CPI required for executing each instruction within a preset time, and a number of MIPS instructions processed per second; the configuration information acquisition module 620 is further configured to: respectively calculating the CPI and the MIPS of each candidate security device in the at least one candidate security device; acquiring a target reference value interval of the CPI of each candidate safety device to obtain first operation resource information; acquiring a target reference value interval of the MIPS of each candidate safety device to obtain second operation resource information; and the operation resource information is represented by the first operation resource information and the second operation resource information.
In one embodiment of the present application, the configuration information obtaining module 620 is further configured to: searching vulnerability information and operation resource information corresponding to the system version number of the target security equipment in a target honeypot information table; and updating the configuration of the original honeypot system based on the vulnerability information and the operation resource information to obtain the target honeypot system.
In one embodiment of the present application, the original system acquisition module 610 is configured to: acquiring an initial honeypot system, and extracting flow characteristics corresponding to the initial honeypot system; and hiding the flow characteristics to obtain the original honeypot system.
In one embodiment of the present application, the system version number in the target honeypot information table is arranged according to the number of queries.
In the embodiment of the present application, the module shown in fig. 6 can implement each process in the method embodiments of fig. 1 to 5. The operations and/or functions of the respective modules in fig. 6 are respectively for implementing the corresponding flows in the method embodiments in fig. 1 to 5. Reference may be made specifically to the description of the above method embodiments, and a detailed description is appropriately omitted herein to avoid redundancy.
As shown in fig. 7, an embodiment of the present application provides an electronic device 700, including: a processor 710, a memory 720 and a bus 730, wherein the processor is connected to the memory through the bus, the memory stores a computer program, and the computer program is used for implementing the method according to any one of the above embodiments when being executed by the processor, and the detailed description can be referred to the description of the above method embodiments, and is omitted here to avoid repetition.
The bus is used to implement direct connection communication between the components. The processor in the embodiment of the present application may be an integrated circuit chip having signal processing capability. The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. The various methods, steps and logic blocks disclosed in the embodiments of the present application may be implemented or performed by it. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The Memory may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Read Only Memory (EPROM), an electrically Erasable Read Only Memory (EEPROM), and the like. The memory stores computer readable instructions that, when executed by the processor, perform the methods described in the embodiments above.
It will be appreciated that the configuration shown in fig. 7 is merely illustrative; the electronic device may include more or fewer components than shown in fig. 7, or have a configuration different from that shown in fig. 7. The components shown in fig. 7 may be implemented in hardware, software, or a combination thereof.
Embodiments of the present application further provide a computer-readable storage medium storing a computer program which, when executed by a server, implements the method of any of the embodiments above. For details, refer to the description of the method embodiments above; to avoid repetition, the detailed description is omitted here.
The above description is only a preferred embodiment of the present application and is not intended to limit it; those skilled in the art may make various modifications and changes. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall fall within its protection scope. It should be noted that like reference numbers and letters refer to like items in the figures; once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description covers only specific embodiments of the present application, but the scope of the present application is not limited thereto: any person skilled in the art can easily conceive of changes or substitutions within the technical scope of the present application, and these shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (12)

1. A method of obtaining a target honeypot system, the method comprising:
obtaining an original honeypot system and obtaining a system version number of a target security device, wherein the original honeypot system is used for receiving malicious traffic from an attack source, and the original honeypot system is deployed on the target security device;
looking up configuration information corresponding to the system version number in a target honeypot information table, wherein the target honeypot information table is at least used for recording vulnerability information related to the system version number;
and updating the configuration of the original honeypot system based on the configuration information to obtain a target honeypot system.
2. The method of claim 1, wherein the vulnerability information includes a vulnerability number of a system vulnerability on a target candidate security device;
before the looking up of the configuration information corresponding to the system version number in the target honeypot information table, the method further includes:
acquiring a system version number of at least one candidate security device;
searching the at least one candidate security device for the target candidate security device having the system vulnerability, and acquiring the vulnerability number of the system vulnerability on the target candidate security device;
and adding the system version number of the target candidate security device and the corresponding vulnerability number to a honeypot information table to obtain the target honeypot information table.
3. The method of claim 2, wherein the at least one candidate security device comprises a first candidate security device, wherein the first candidate security device is any one of the at least one candidate security device;
after the obtaining of the system version number of the at least one candidate security device, the method further comprises:
when it is determined that the first candidate security device has no system vulnerability, further determining that the first candidate security device has an application vulnerability, and acquiring a first vulnerability number of the application vulnerability, wherein the application vulnerability is a vulnerability corresponding to an application program;
and adding the system version number of the first candidate security device and the corresponding first vulnerability number to a honeypot information table to obtain the target honeypot information table.
4. The method according to claim 3, wherein the target honeypot information table is further used for recording operation resource information, and the operation resource information represents different operation capabilities by the interval in which the operation parameter values fall;
before the looking up of the configuration information corresponding to the system version number in the target honeypot information table, the method further includes:
calculating the operation parameter value of the at least one candidate security device, wherein the operation parameter value is used for characterizing the operation capability of the at least one candidate security device;
generating the operation resource information according to the operation parameter value;
and adding the operation resource information corresponding to the same system version number to the honeypot information table to obtain the target honeypot information table.
5. The method of claim 4, wherein the operation parameter values include the average number of clock cycles per instruction (CPI) measured within a preset time, and the number of instructions processed per second in millions (MIPS);
said calculating said operation parameter value of said at least one candidate security device comprises:
respectively calculating the CPI and the MIPS of each candidate security device among the at least one candidate security device;
the generating of the operation resource information according to the operation parameter value comprises:
acquiring the target reference value interval in which the CPI of each candidate security device falls to obtain first operation resource information;
acquiring the target reference value interval in which the MIPS of each candidate security device falls to obtain second operation resource information;
and representing the operation resource information by the first operation resource information and the second operation resource information.
6. The method according to any one of claims 1-5, wherein the looking up of the configuration information corresponding to the system version number in the target honeypot information table comprises:
looking up the vulnerability information and the operation resource information corresponding to the system version number of the target security device in the target honeypot information table;
and the updating of the configuration of the original honeypot system based on the configuration information to obtain the target honeypot system comprises:
updating the configuration of the original honeypot system based on the vulnerability information and the operation resource information to obtain the target honeypot system.
7. The method according to any one of claims 1-5, wherein before the obtaining of the original honeypot system, the method further comprises:
acquiring an initial honeypot system, and extracting the traffic characteristics corresponding to the initial honeypot system;
and hiding the traffic characteristics to obtain the original honeypot system.
8. The method according to any one of claims 1-5, wherein the system version numbers in the target honeypot information table are ordered according to the number of queries.
9. An apparatus for obtaining a target honeypot system, the apparatus comprising:
an original system acquisition module configured to acquire an original honeypot system and acquire a system version number of a target security device, wherein the original honeypot system is used for receiving malicious traffic from an attack source, and the original honeypot system is deployed on the target security device;
a configuration information acquisition module configured to look up configuration information corresponding to the system version number in a target honeypot information table, wherein the target honeypot information table is at least used for recording vulnerability information related to the system version number;
and a system configuration module configured to update the configuration of the original honeypot system based on the configuration information to obtain a target honeypot system.
10. An attack response method applied to the target honeypot system obtained according to any one of claims 1 to 8, the attack response method comprising:
inducing an attack source to send malicious traffic according to the vulnerability information;
and responding to the malicious traffic, and sending a response message to the attack source.
11. An electronic device, comprising: a processor, memory, and a bus;
the processor is connected via the bus to the memory, which stores a computer program that, when executed by the processor, implements the method according to any one of claims 1 to 8.
12. A computer-readable storage medium, having stored thereon a computer program which, when executed, implements the method of any one of claims 1-8.
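The following Python block is an added illustration of the data structure and lookup described in claims 1 to 8; it is not code from the patent or its assignee. It builds the target honeypot information table from a constructed device inventory (claims 2 and 3: a system vulnerability number is recorded when one exists, otherwise an application vulnerability number), reduces measured CPI and MIPS values to reference-value intervals (claims 4 and 5), looks up a target device's version number and derives the target honeypot configuration (claims 1 and 6), and orders versions by query count (claim 8). The interval boundaries, version strings, measurement figures and vulnerability numbers are all constructed placeholders; the patent gives no concrete values for them.

```python
"""Honeypot information table per claims 1-8 (constructed example, not the patent's code)."""
from dataclasses import dataclass
from typing import Optional

# Interval boundaries are assumed for this example; the claims only state that
# operation capability is represented by the interval in which CPI/MIPS fall.
CPI_INTERVALS = [(0.0, 1.0, "cpi_high"), (1.0, 2.0, "cpi_medium"), (2.0, float("inf"), "cpi_low")]
MIPS_INTERVALS = [(0.0, 500.0, "mips_low"), (500.0, 2000.0, "mips_medium"), (2000.0, float("inf"), "mips_high")]


@dataclass
class CandidateDevice:
    """A candidate security device observed over a preset measurement window."""
    version: str
    system_vulns: list[str]   # vulnerability numbers of system vulnerabilities (claim 2)
    app_vulns: list[str]      # vulnerability numbers of application vulnerabilities (claim 3)
    clock_cycles: int         # cycles consumed during the window
    instructions: int         # instructions retired during the window
    seconds: float            # window length


def compute_cpi(dev: CandidateDevice) -> float:
    """Average clock cycles per instruction over the window."""
    return dev.clock_cycles / dev.instructions


def compute_mips(dev: CandidateDevice) -> float:
    """Millions of instructions per second over the window."""
    return dev.instructions / dev.seconds / 1e6


def classify(value: float, intervals) -> str:
    """Map a parameter value to the label of the reference interval it falls in."""
    for lo, hi, label in intervals:
        if lo <= value < hi:
            return label
    raise ValueError(f"{value} lies outside every interval")


@dataclass
class HoneypotEntry:
    version: str
    vuln_kind: str                   # "system" or "application"
    vuln_numbers: list[str]
    resource_info: tuple[str, str]   # (first, second) operation resource information, claim 5
    queries: int = 0                 # lookup count used for ordering, claim 8


class HoneypotInfoTable:
    def __init__(self) -> None:
        self._entries: dict[str, HoneypotEntry] = {}

    def add_candidate(self, dev: CandidateDevice) -> Optional[HoneypotEntry]:
        # Claim 2: record system vulnerabilities; claim 3: fall back to application ones.
        if dev.system_vulns:
            kind, vulns = "system", list(dev.system_vulns)
        elif dev.app_vulns:
            kind, vulns = "application", list(dev.app_vulns)
        else:
            return None  # nothing to record for this version
        # Claims 4-5: CPI and MIPS are stored as their reference intervals, not raw values.
        resource = (classify(compute_cpi(dev), CPI_INTERVALS),
                    classify(compute_mips(dev), MIPS_INTERVALS))
        entry = HoneypotEntry(dev.version, kind, vulns, resource)
        self._entries[dev.version] = entry
        return entry

    def lookup(self, version: str) -> Optional[HoneypotEntry]:
        """Claim 6: find the entry for the target device's version number."""
        entry = self._entries.get(version)
        if entry is not None:
            entry.queries += 1
        return entry

    def ordered_versions(self) -> list[str]:
        """Claim 8: most frequently queried versions first."""
        return [e.version for e in sorted(self._entries.values(), key=lambda e: -e.queries)]


def update_honeypot_config(original: dict, entry: HoneypotEntry) -> dict:
    """Claims 1 and 6: derive the target honeypot configuration from the table entry."""
    target = dict(original)
    target["advertised_version"] = entry.version
    target["emulated_vulns"] = list(entry.vuln_numbers)
    target["cpu_profile"] = {"cpi": entry.resource_info[0], "mips": entry.resource_info[1]}
    return target


def build_demo_table() -> HoneypotInfoTable:
    """Constructed inventory; vulnerability numbers are placeholders, not real identifiers."""
    table = HoneypotInfoTable()
    table.add_candidate(CandidateDevice("fw-3.2.1", ["SYS-VULN-PLACEHOLDER-1"], ["APP-VULN-PLACEHOLDER-9"],
                                        clock_cycles=1_500_000_000, instructions=1_000_000_000, seconds=1.0))
    table.add_candidate(CandidateDevice("fw-3.4.0", [], ["APP-VULN-PLACEHOLDER-2"],
                                        clock_cycles=800_000_000, instructions=1_000_000_000, seconds=0.25))
    table.add_candidate(CandidateDevice("fw-4.0.0", [], [],
                                        clock_cycles=1, instructions=1, seconds=1.0))
    return table


if __name__ == "__main__":
    table = build_demo_table()
    hit = table.lookup("fw-3.2.1")
    print(update_honeypot_config({"listen_port": 8080}, hit))
    print(table.ordered_versions())
```

Storing intervals rather than raw CPI/MIPS figures is what lets one table row serve every device of the same version, which is the point of claim 4; the version with no recorded vulnerability is simply absent from the table, so a lookup for it returns nothing and the original honeypot configuration is left unchanged.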
CN202210934661.6A 2022-08-04 2022-08-04 Method, device, medium and attack response method for obtaining target honeypot system Active CN115296909B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210934661.6A CN115296909B (en) 2022-08-04 2022-08-04 Method, device, medium and attack response method for obtaining target honeypot system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210934661.6A CN115296909B (en) 2022-08-04 2022-08-04 Method, device, medium and attack response method for obtaining target honeypot system

Publications (2)

Publication Number Publication Date
CN115296909A true CN115296909A (en) 2022-11-04
CN115296909B CN115296909B (en) 2023-11-10

Family

ID=83827118

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210934661.6A Active CN115296909B (en) 2022-08-04 2022-08-04 Method, device, medium and attack response method for obtaining target honeypot system

Country Status (1)

Country Link
CN (1) CN115296909B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170104780A1 (en) * 2015-10-08 2017-04-13 Siege Technologies LLC Assessing effectiveness of cybersecurity technologies
CN107707576A (en) * 2017-11-28 2018-02-16 深信服科技股份有限公司 A kind of network defense method and system based on Honeypot Techniques
CN110391937A (en) * 2019-07-25 2019-10-29 哈尔滨工业大学 A kind of Internet of Things honeynet system based on SOAP service simulation
CN111488547A (en) * 2020-04-16 2020-08-04 广州锦行网络科技有限公司 Implementation device for flattening management of honeypots and honeynets based on web technology
CN111818062A (en) * 2020-07-10 2020-10-23 四川长虹电器股份有限公司 Docker-based CentOS high-interaction honeypot system and implementation method thereof
CN112187825A (en) * 2020-10-13 2021-01-05 网络通信与安全紫金山实验室 Honeypot defense method, system, equipment and medium based on mimicry defense
US20210011985A1 (en) * 2019-07-08 2021-01-14 Cloud Linux Software Inc. Systems and methods for intrusion detection and prevention using software patching and honeypots
CN112367307A (en) * 2020-10-27 2021-02-12 中国电子科技集团公司第二十八研究所 Intrusion detection method and system based on container-grade honey pot group
US20210194853A1 (en) * 2019-12-19 2021-06-24 Palo Alto Networks, Inc. Smart proxy for a large scale high-interaction honeypot farm
CN113553590A (en) * 2021-08-12 2021-10-26 广州锦行网络科技有限公司 Method for preventing attackers from escaping from honeypots
CN114500026A (en) * 2022-01-20 2022-05-13 深信服科技股份有限公司 Network traffic processing method, device and storage medium

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170104780A1 (en) * 2015-10-08 2017-04-13 Siege Technologies LLC Assessing effectiveness of cybersecurity technologies
CN107707576A (en) * 2017-11-28 2018-02-16 深信服科技股份有限公司 A kind of network defense method and system based on Honeypot Techniques
US20210011985A1 (en) * 2019-07-08 2021-01-14 Cloud Linux Software Inc. Systems and methods for intrusion detection and prevention using software patching and honeypots
CN110391937A (en) * 2019-07-25 2019-10-29 哈尔滨工业大学 A kind of Internet of Things honeynet system based on SOAP service simulation
US20210194853A1 (en) * 2019-12-19 2021-06-24 Palo Alto Networks, Inc. Smart proxy for a large scale high-interaction honeypot farm
CN111488547A (en) * 2020-04-16 2020-08-04 广州锦行网络科技有限公司 Implementation device for flattening management of honeypots and honeynets based on web technology
CN111818062A (en) * 2020-07-10 2020-10-23 四川长虹电器股份有限公司 Docker-based CentOS high-interaction honeypot system and implementation method thereof
CN112187825A (en) * 2020-10-13 2021-01-05 网络通信与安全紫金山实验室 Honeypot defense method, system, equipment and medium based on mimicry defense
CN112367307A (en) * 2020-10-27 2021-02-12 中国电子科技集团公司第二十八研究所 Intrusion detection method and system based on container-grade honey pot group
CN113553590A (en) * 2021-08-12 2021-10-26 广州锦行网络科技有限公司 Method for preventing attackers from escaping from honeypots
CN114500026A (en) * 2022-01-20 2022-05-13 深信服科技股份有限公司 Network traffic processing method, device and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
贾召鹏;方滨兴;崔翔;刘奇旭;: "ArkHoney:基于协同机制的Web蜜罐", 计算机学报, no. 02 *

Also Published As

Publication number Publication date
CN115296909B (en) 2023-11-10

Similar Documents

Publication Publication Date Title
US11240262B1 (en) Malware detection verification and enhancement by coordinating endpoint and malware detection systems
CN110381045B (en) Attack operation processing method and device, storage medium and electronic device
US10102372B2 (en) Behavior profiling for malware detection
US10601848B1 (en) Cyber-security system and method for weak indicator detection and correlation to generate strong indicators
US9690936B1 (en) Multistage system and method for analyzing obfuscated content for malware
US9773112B1 (en) Exploit detection of malware and malware families
US11218510B2 (en) Advanced cybersecurity threat mitigation using software supply chain analysis
US9311476B2 (en) Methods, systems, and media for masquerade attack detection by monitoring computer user behavior
Liu et al. A novel approach for detecting browser-based silent miner
CN107688743B (en) Malicious program detection and analysis method and system
US20200104488A1 (en) Detecting frame injection through web page analysis
CN110995640B (en) Method for identifying network attack and honeypot protection system
CN109766694B (en) Program protocol white list linkage method and device of industrial control host
Xiao et al. From patching delays to infection symptoms: Using risk profiles for an early discovery of vulnerabilities exploited in the wild
CN113098835A (en) Honeypot implementation method based on block chain, honeypot client and honeypot system
CN109756467B (en) Phishing website identification method and device
Djap et al. Xb-pot: Revealing honeypot-based attacker’s behaviors
CN111125702A (en) Virus identification method and device
CN114124414B (en) Method and device for generating honey service, method for capturing attack behavior data, computer equipment and storage medium
EP3331211B1 (en) Apparatus, method, and non-transitory computer-readable storage medium for attacking node detection
Rahman et al. Classification of spamming attacks to blogging websites and their security techniques
CN115296909B (en) Method, device, medium and attack response method for obtaining target honeypot system
US11763004B1 (en) System and method for bootkit detection
CN113596044A (en) Network protection method and device, electronic equipment and storage medium
CN112637217B (en) Active defense method and device of cloud computing system based on bait generation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant