CN115549943B - Four-honey-based integrated network attack detection method - Google Patents

Info

Publication number: CN115549943B
Authority: CN (China)
Application number: CN202210816937.0A
Other languages: Chinese (zh)
Other versions: CN115549943A
Inventors: 方滨兴, 崔翔
Assignee: Individual
Legal status: Active
Prior art keywords: honey, access, protected system, attack, information

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses an integrated network attack detection method based on four honeys. It proposes two new modes, honeypoints and honeyholes, improves existing honeypots and honeynets, and achieves multidirectional protection of a protected system by arranging honeypoints, honeyholes, honeypots and honeynets around the protected system.

Description

Four-honey-based integrated network attack detection method
Technical Field
The invention belongs to the technical field of network space security, and particularly relates to an integrated network attack detection method based on four honeys.
Background
In recent years the challenges to international cyberspace security have kept growing, and cyberspace security has become increasingly important. From existing attack cases, typical attacks fall into three categories: paralysis attacks, i.e. distributed denial-of-service (DDoS) attacks against a target, aimed at interrupting its service and causing panic; control attacks, i.e. implanting malicious software into a target through means such as spear phishing, in order to achieve long-term covert control; and destruction attacks, i.e. erasing or encrypting data as soon as execution rights are obtained on the target system, aimed at an immediate destructive effect.
To defend against these attacks, the defense means adopted at present fall into two types. One is the "self-defense mode", i.e. ensuring the security of the system itself; mimicry defense, vulnerability scanning and the like belong to this mode, which requires the protected party to have sufficiently strong self-defense capability. The other is the "guard mode", i.e. organizing external forces to protect the information system of the protected party from compromise; security services, information system security hosting and the like belong to this mode. The concepts of honeypot (Honeypot) and honeynet (Honeynet) in information security were proposed more than twenty years ago; their technical connotations have developed gradually since then, and related technologies such as network deception (Deception), honeybait and honeymark have been studied extensively.
In honeypot research, prior art solutions fall into three general categories: physical honeypots, virtual honeypots and semi-physical honeypots. A physical honeypot uses genuine software and hardware equipment as bait; existing research mainly concerns improvements to honeypot construction, deployment and scheduling, and in particular the comprehensive analysis of data captured by honeypots in order to build attacker profiles, restore attack chains and so on, rather than the honeypot itself. A virtual honeypot simulates targets using virtualization and similar technologies, with software simulating the required operating systems and services under preset trapping conditions, in order to attract attackers and achieve efficient threat capture and monitoring; existing research mainly concerns how to construct and deploy virtual honeypots and how to install monitoring software on existing honeypot equipment to improve defensive capability. A semi-physical honeypot combines physical equipment with software simulation.
In honeynet research, prior art schemes fall roughly into three categories: control and scheduling, honeynet deployment, and data analysis. These focus respectively on controlling and scheduling network attacks or abnormal traffic, on methods of constructing and deploying honeynets, and on analyzing attacker behavior data in order to learn the attacker's specific activities, trace the attack and understand its intent.
In network deception research, the main current directions are hiding real host information through camouflage or obfuscation and evaluating the effectiveness of network deception defense. In honeybait research, the main focus is on generating honeybait, including automatic generation, and on using it to attract attacks and then defend, trace the source and so on. In honeymark research, the main focus is on using honeymarks for anomaly perception, early warning, defense and tracing. By way of illustration, network deception means that the defender plants deceptions in its own information and communication system to interfere with and mislead the attacker's understanding of that system, so that the attacker takes actions (or refrains from actions) favorable to the defender, which helps to discover, delay or block the attacker's activities and thereby increases the security of the information system. Network deception includes honeypots, honeybaits, breadcrumbs, shadow services, virtual network topologies and the like, and a deployed deception environment may flexibly combine one or more of these components. Honeypots were the earliest deception technique to emerge, and more forms of deception have evolved since. Because the meaning of network deception has reached industry consensus, the present invention does not elaborate on it further.
However, existing honeypot, honeynet, network deception, honeybait and honeymark technologies mainly have the following problems:
1. Fusion: current research focuses on improving individual technologies to obtain a better effect, but not on organically integrating several technologies into a mutually synergistic system.
2. Unknown-attack defense: research mainly targets attacks with known characteristics; although network deception has some ability to detect attacks with unknown characteristics, there is no effective way to handle an access when it cannot be accurately judged whether it is an attack at all.
3. Virtual-real interaction: once a suspicious access has been diverted into a deception environment, current research has no way to bring it back into the real system, so service is interrupted.
4. Attack path contraction: an attacker can probe the protected system stealthily, slowly and over a long period to find an effective attack path, and finally attack the protected system.
5. Deterrence: current research focuses on attack early warning and on recording attack means, but cannot automatically deter the attack source so that it tends to stop the attack of its own accord.
In summary, the guard mode for important systems currently suffers from large attack-sensing delay, low attack tolerance, few attack-observation paths and high tracing and deterrence cost, so that it is difficult to defend important systems against advanced persistent threats (Advanced Persistent Threat, APT) and distributed denial-of-service attacks.
Disclosure of Invention
In view of the above, the invention provides a four-honey-based integrated network attack detection method that realizes attack detection through the joint protection of honeypoints, honeyholes, honeypots and honeynets.
The invention provides a four-honey-based integrated network attack detection method, which comprises the following steps:
configuring a domain name or web address of the protected system, and configuring an application gateway of the protected system;
constructing honeypoints, honeyholes, honeynets and honeypots: the honeypoint is built as a simulation system with part of the functions of the protected system, the honeyhole as an attack deterrence and tracing system, the honeynet from the application gateway of the protected system together with a whitelist of systems allowed to access the protected system, and the honeypot from part of the functions of the protected system;
deploying and operating the honeypoints, honeyholes, honeynets and honeypots, and configuring the honeypoints, honeyholes and honeynets with domain names or web addresses similar to those of the protected system.
Further, the integrated network attack detection method also performs cooperative linkage among the honeypoints, honeyholes, honeynets and honeypots, comprising the following steps:
when the honeypoint is touched during operation of the protected system, the honeypoint records the access trace in a log to form threat information and sends it to the management and control center;
when the honeynet receives an access, it forwards the access to the protected system if the access source is on the user whitelist, and otherwise forwards the access to the honeypot while sending the access information to the management and control center as threat information;
after the honeypot receives an access forwarded by the honeynet, it performs behavior analysis on the access and judges from the result whether the access is normal; if normal, it forwards the access to the protected system, otherwise it sends the analysis result to the management and control center as threat information and notifies the honeyhole to start the tracing deterrent function on the current access;
when the honeyhole receives an access forwarded by the honeypot, it requires the access source to provide identification, then judges the access according to the analysis and judgement information obtained from the management and control center to determine whether the access is normal; if so, it forwards the access to the protected system, otherwise it sends the access information to the management and control center as threat information;
and the management and control center analyzes the information received from the honeypoints and honeypots to judge whether an access is normal, and so forms the analysis and judgement information.
Further, the access information includes the source and destination IP addresses, the destination port, the access time and the payload.
Further, the honeypoint, honeyhole and honeynet are configured with domain names or web addresses similar to the protected system's by obtaining, through enumeration, domain names or web addresses that resemble those of the protected system.
Further, when the honeyhole receives an access forwarded from the honeypot, the access source is required to download and execute a tracing tool designated by the defender.
Further, the identification includes, but is not limited to, a WeChat scan code, an Alipay scan code, a verifiable credential, or a proof of attendance (POAP).
Further, the honeypot is constructed using sandbox technology.
The beneficial effects are that:
1. The invention proposes two new modes, honeypoints and honeyholes, improves existing honeypots and honeynets, and achieves multidirectional protection of the protected system by arranging honeypoints, honeyholes, honeypots and honeynets around it.
2. By integrating honeypoints, honeyholes, honeypots and honeynets and coordinating them at multiple points, the invention establishes an elastic, decoupled, three-dimensional and in-depth network attack detection system, forms an integrated detection and protection capability for the protected system based on four-honey coordination, and at the same time defeats an attacker's attempt to evade detection by launching the attack slowly and in a dispersed manner.
Drawings
Fig. 1 is a schematic diagram of a working process of a honey point in a four-honey-based integrated network attack detection method provided by the invention.
Fig. 2 is a schematic diagram of a working process of a honey hole in the four-honey-based integrated network attack detection method provided by the invention.
Fig. 3 is a schematic diagram of a working process of a honey network in the four-honey-based integrated network attack detection method provided by the invention.
Fig. 4 is a schematic diagram of a working process of a honeypot in the four-honey-based integrated network attack detection method provided by the invention.
Fig. 5 is a diagram of internal linkage mechanism and external relationship of four-honey in the four-honey based integrated network attack detection method provided by the invention.
Detailed Description
The present invention will be described in detail below with reference to the accompanying drawings.
By analysis, the invention classifies network attacks into three categories, namely paralysis attacks, control attacks and destruction attacks, and classifies defense modes into two types, namely the self-defense mode and the guard mode.
The invention proposes a four-honey-based integrated network attack detection method from the perspective of the guard mode. The four honeys are honeypoints, honeyholes, honeypots and honeynets, and the basic idea is to construct an elastic, decoupled, three-dimensional and in-depth network attack detection system that relies mainly on honeypoints for on-site low-level early warning, a honeynet that guarantees adaptive, roaming service reconstruction, intrusion-tolerant honeypots for attack screening, and honeyholes for edge multi-level identity authentication or tracing. The invention proposes the two new concepts of honeypoints and honeyholes, improves the honeypots and honeynets of the prior art, and designs a linkage mode among honeypoints, honeyholes, honeypots and honeynets so as to realize integrated network attack detection. In the invention, honeypoints, honeyholes, honeypots and honeynets are referred to as the four honeys for short.
(1) Honeypoint.
A honeypoint is a simulation system of the protected system, constructed, deployed and operated by combining trapping and simulation technology, that provides early warning for the protected system. Its main function is to sense suspicious attacks, so that attackers are caught effectively without noticeably affecting legitimate users of the protected system. It is suited to preventing the "outside-in" and "internal lateral movement" attack modes; its working process is shown in Fig. 1, and it is deployed on the side close to the protected object. The honeypoint acts like a "sentry" of the protected system: when an attacker touches the honeypoint, the attacker interacts in depth with the process deployed on the honeypoint and carefully designed by the defender, and the honeypoint identifies the attacker from the information gathered during that interaction. In general, when attack behavior cannot be determined by other technical means, a suspicion judgement can be made through the honeypoint, mainly because normal access to the protected system should never touch the honeypoint; once it is touched, the access is highly suspicious. The core idea of the honeypoint is as follows: analyze the protected system, build a simulation system of it as the honeypoint, and deploy that honeypoint on the paths an attacker commonly takes when probing the protected system, so that an attacker intending to penetrate the protected system will probe the honeypoint with high probability and threat information can be obtained.
In the honeypoint construction stage, the protected system is analyzed and a corresponding simulation system is built for it. Since the aim is that an intruder does not perceive that it has walked into a trap, the simulation system need not implement all functions of the protected system; it only needs to resemble the protected system in appearance, interaction flow and the like. Alternatively, the simulation system may not resemble the protected system itself but be something an attacker would mistake for being closely related to it, for example an auxiliary system of the protected system. Honeypoints built on this principle achieve the effect of sensing suspicious attacks. In an implementation, trapping technology may be used to build a simulation system of the protected system with attack-awareness capability.
In the honeypoint deployment stage, the honeypoint can be deployed "around" the protected system so that an attacker intending to penetrate it will be detected with high probability. "Around" is a logical rather than a physical concept: deploying a honeypoint around the protected system means making it easier for an attacker to find the honeypoint by configuring it with a domain name similar to the protected system's, an IP address in the same network segment, and so on; physically the honeypoint may be far from the protected system. Specifically, there are two common deployment modes: if the protected system is exposed to the outside (for example to an intranet) only in the form of an IP address, the honeypoint is deployed in the same network segment as the protected system; if the protected system can only be accessed through a domain name, a confusable domain name derived from the protected system's domain name is configured as the honeypoint's domain name. For example, if the domain name of the protected system is aab.edu.cn, the domain name of the honeypoint can be set to aba.edu.cn.
Because an attacker must continually probe the IP address, system fingerprint and other information of the protected system in order to carry out an effective attack, the attacker is very likely, during that probing, to touch a honeypoint that sits on the "necessary path" and looks like a component of the protected system, whereas a compliant user does not normally reach the protected system by probing means such as enumeration and scanning. Hence the honeypoint attracts attackers with high probability and is touched by compliant users with low probability, so it can generate early warnings with a low false-alarm rate. Beyond simulating the protected system and recording the intruder's behavior, the honeypoint needs no further capability.
The positioning of the honeypoint is attack perception: it is a simulation system of the protected system intended to perceive an attacker's probing of the protected system and to record that behavior reliably. In addition, the honeypoint can share its behavior log as threat information, and the other three honeys can indirectly obtain the information reported by the honeypoint from the threat-information analysis and judgement center located in the management and control center.
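The two honeypoint deployment modes above, as an added example that is not code from the patent: enumerating confusable sibling names for the domain-name mode (aab.edu.cn yields aba.edu.cn among others) and listing unused addresses in the protected system's own segment for the IP mode. The lookalike table and the 10.0.5.0/29 segment are constructed assumptions.

```python
import ipaddress
from typing import Iterable, List

# Small digit/letter lookalike table; a constructed assumption for this example.
LOOKALIKES = {"o": "0", "0": "o", "l": "1", "1": "l", "i": "1", "e": "3", "a": "4", "s": "5"}


def lookalike_labels(label: str) -> List[str]:
    """Return distinct confusable variants of one DNS label, in a stable order."""
    variants: List[str] = []

    def add(v: str) -> None:
        if v and v != label and v not in variants:
            variants.append(v)

    for i in range(len(label) - 1):          # adjacent transposition: aab -> aba
        add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):              # single omission: aab -> ab, aa
        add(label[:i] + label[i + 1:])
    for i in range(len(label)):              # character doubling: aab -> aaab, aabb
        add(label[:i + 1] + label[i] + label[i + 1:])
    for i, ch in enumerate(label):           # lookalike substitution: aab -> 4ab, a4b
        if ch in LOOKALIKES:
            add(label[:i] + LOOKALIKES[ch] + label[i + 1:])
    return variants


def lookalike_domains(domain: str) -> List[str]:
    """Mutate only the left-most label so each decoy name looks like a sibling host
    of the protected system (aab.edu.cn -> aba.edu.cn, ...); the suffix is kept."""
    label, dot, suffix = domain.partition(".")
    return [v + dot + suffix for v in lookalike_labels(label)]


def same_segment_candidates(segment: str, in_use: Iterable[str]) -> List[str]:
    """Addresses in the protected system's own segment that are not yet in use,
    i.e. candidate honeypoint addresses for the IP-only deployment mode."""
    net = ipaddress.ip_network(segment, strict=False)
    used = {ipaddress.ip_address(a) for a in in_use}
    return [str(a) for a in net.hosts() if a not in used]


if __name__ == "__main__":
    print(lookalike_domains("aab.edu.cn"))
    # constructed segment: gateway at 10.0.5.1, protected system at 10.0.5.2
    print(same_segment_candidates("10.0.5.0/29", ["10.0.5.1", "10.0.5.2"]))
```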
(2) Honeyhole.
A honeyhole is an attack deterrence and tracing system deployed in the real network near the attacker. When an abnormal user access is perceived, it authenticates the user's identity through edge multi-level identity authentication or tracing, for example by requesting identity credentials from the user or requiring the user to download and execute specific executable code. The honeyhole frightens the attacker into stopping the attack of their own accord by raising the attack cost and increasing the risk of being traced. Its role is similar to that of a police officer on the beat: when a person's suspiciousness cannot be judged, the officer asks the suspicious person for identification to verify their credibility. This cannot guarantee that the suspicious object is harmless, but it at least forms a deterrent so that the suspicious person does not act rashly. The honeyhole is suited to preventing the "outside-in" and "inside-inside" attack modes; its working diagram is shown in Fig. 2. The core idea of the honeyhole is as follows: when a suspected attack or non-compliant access is detected, the honeyhole imposes on the accessing user a requirement to provide identity credentials, to download and execute specific code, or the like.
In the current threat scenario, an attacker can probe the protected system slowly and continuously over a long period to accumulate enough effective information without worrying about being traced. In addition, neither a service whitelist nor a threat-intelligence system can directly intercept suspicious accesses at a coarse granularity without risking the false blocking of legitimate user access. To cope with this threat scenario, the introduction of honeyholes extends the network attack-and-defense battlefield to the access-source side, so that the access source participates and the defense system can make a more accurate decision. The concrete working mode of the honeyhole is as follows: when a suspected attack or non-compliant access is detected, the honeyhole forces the remote user to provide identity credentials or to download and execute built-in operations such as specific code. An identity credential is one that can prove the user's identity or credit, for example a WeChat scan code, an Alipay scan code, a verifiable credential (Verifiable Credentials) or a proof of attendance POAP (Proof-of-Attendance Protocol). Downloading and executing specific code means requiring the access source to download and execute a tracing tool designated by the defender; such tools include but are not limited to scripts and executable files. For example, when a user accesses a protected website with a browser and the honeyhole detects an anomaly that cannot be confirmed as an attack, a JavaScript script is inserted into the website's response page, and the script pops up a prompt box presenting the defender's mandatory requirement.
In terms of effect, because the required identity credentials are strongly bound to the individual's real identity, an attacker cannot easily obtain or forge them; and because the tracing tool that must be executed is a black box to the attacker, whose hidden tracing capability is hard to learn, the attacker does not dare to execute it lightly. Thus the honeyhole deters the attacker by automatically asking for proof of credit, while legitimate users are willing to submit such proof because they have no fear of being traced. It should be noted that using government-certified, credit-grade POAP proofs that protect user privacy is preferable to costly, inefficient and privacy-revealing proofs such as scan codes. If the visitor refuses to have the information extracted, the access is aborted; if the visitor allows it, then once an attack occurs, some necessary information about the attacker has already been obtained.
The positioning of the honeyhole is tracing deterrence: it forces the access source to participate, so that the source dares not act rashly for fear of exposure, and it is realized by requiring a suspicious access source to provide identification. The honeyhole regards a given access source as suspicious mainly because it has obtained corresponding threat information or a judgement decision from the other three honeys, and its function can be invoked directly by the other three honeys.
(3) Honeynet.
The honeynet is a trapping system that routes all unmanaged accesses to the protected system through an application gateway for screening and filtering. It improves on the existing honeynet: it can quickly identify compliant accesses according to a service whitelist and realize collaborative decisions through threat information shareable among multiple honeynets. Its role is like the entrance of a network: traffic from all directions eventually contracts and converges on the unique entrance, where it accepts security checks. In practice a protected system often has several access portals; the invention uses the honeynet to contract the portals for normal access to the protected system into a single one, and once an access is found to bypass that portal, its traffic is highly suspicious. The honeynet is deployed on the side close to the protected object, its main function is to attract suspicious attacks, it is suited to preventing outside-in attack modes, and its working diagram is shown in Fig. 3. The core idea of the honeynet improvement is as follows: first, fuse the traditional honeynet with an application gateway so that all traffic accessing the protected system is handled centrally; second, configure the whitelist provided by the protected system into the honeynet, and regard every attempt to access an address outside the whitelist as a non-compliant, suspicious attack.
In the honeynet construction stage, the protected system is configured to be accessed through the application gateway (Application Gateway, AG), the whitelist is configured into the honeynet, and the protected system is configured to accept access requests only from the IP addresses of the AG or of other whitelisted systems (specifically, those serving authorized administrators). Taking website protection as an example, site access is configured so that it must pass through a WAF or CDN; then all access to the protected system can only come through the AG, i.e. the address resolved from the protected system's domain name points to the AG. It can be seen that the honeynet superimposes service whitelisting, threat-information sharing and similar capabilities on the existing AG system.
In practice, a single-point honeynet can quickly identify compliant accesses according to a pre-configured service whitelist, and multiple honeynets can share threat information to make collaborative decisions. All attempts to access addresses outside the whitelist are regarded as non-compliant, suspicious attacks and are redirected into honeypots or honeyholes, which effectively counters DDoS attacks and markedly improves the ability to monitor unknown control-type and destruction-type attacks.
The positioning of the honeynet is attack attraction: embedded as a core component of the improved AG, it is intended to hide the protected system, defend it against DDoS attacks, and screen for suspected penetration attacks on the necessary path to the protected system. For an IP address appearing for the first time, the honeynet forwards the traffic to the honeypot; for a validated IP address, the traffic is forwarded directly to the protected system.
(4) And (5) honeypot.
The honeypot is an attack observation system and is a front-end processor of a protected system formed by extracting part of functions of the protected system, and aims to truly provide initial service for visitors drawn into the honeypot, observe and analyze behavior activities of the visitors, and transfer the visitors into a real system environment through flow traction if the visitors are finally judged to be benign users, otherwise, trigger an alarm or draw the visitors into a deception environment, and meanwhile, threat information is generated and shared in the whole defense system. The difference with the traditional honeypot is that: the traditional honeypot is accessed by setting holes and deliberately exposing the holes to induce the outside, and judging whether the access source is an attacker or not by whether to dig or utilize the abnormal behaviors such as the holes. Honeypots are suitable for protecting against outside-in attack patterns, and the honeypot is deployed on the side close to the protected object, as shown in fig. 4, which is a schematic diagram of the operation of the honeypot. The improved honey pot has the following core ideas: firstly, extracting a part of necessary functions of a protected system as main functions of a honeypot, then, deploying the honeypot in front of the protected system, interacting with a user visited for the first time, observing interaction behaviors, judging the degree of abnormality of the interaction behaviors, and if the user is finally judged to be a benign user, transferring the user into a real system environment through flow traction, otherwise, triggering an alarm, and generating threat information and sharing the threat information in the whole defense system.
In the present invention the honeypot may be built with sandbox technology. Because the honeypot is realized in a sandbox-like container isolated from the real system, damage to it is of no concern: an attack inside the honeypot cannot harm the real system, so once a visitor is judged to be malicious, a series of defensive measures such as blocking and deception can be applied to it. Deception in particular lets the honeypot consume the attacker's resources, delay the attacker's progress toward the real target, collect attack information and share it continuously across the whole network, so that the threat intelligence system as a whole obtains dynamic feedback and achieves more accurate attack perception.
In actual use, protection against APT threats may be given priority. The main difficulty currently faced in defending against an APT attack is that the attacker often adopts a strategy of constantly changing IP addresses, so that the defender cannot pin down and correlate the attacker's continuous behavior. The intention of the honeypot is to force legitimate visitors to keep their access IP unchanged: every newly appearing access IP must first be directed to run in the honeypot, and only after it has run there to some extent is it released by the AG (with its embedded honeynet) and redirected to the real system. Any IP redirected to the real system is recorded by the AG and is sent directly to the real system in its subsequent accesses, whereas an IP that has not passed through the honeypot must first be directed to it, which constrains APT attacks that access the target from a new IP. Sandbox technology is a mature technique in the field of network security; it ensures that an unknown program running to a certain extent appears, from its own point of view, to be acting on the real system: for example, when malicious code copies a file into the Windows system directory, the copy is reported as successful, while the file has actually been copied into the sandbox's file system.
In summary, the honey point is positioned as attack perception: it perceives an attacker's probing of the protected system and reliably records that behavior. The honeynet is positioned as attack attraction and hides the protected system; it can forward suspicious traffic to the honeypot. The honeypot is positioned as attack observation: it can observe suspicious behavior and judge it cooperatively with the other three honeys. The honey hole is positioned as a tracing deterrent: it forces the access source to participate, so that, for fear of exposure, the source does not dare to act rashly; this is realized by requiring a suspicious access source to present identification. The honey hole regards a given access source as suspicious mainly because it has obtained corresponding threat information or a judgment decision from the other three honeys, and the function of the honey hole can be called directly by the other three honeys.
The invention provides an integrated network attack detection method based on four honeys. Through cooperative linkage between the improved honey points, honey holes, honeypots and honeynets it forms a three-dimensional detection mode of high-low level longitudinal cooperation and transverse linkage between protection points, and so realizes integrated detection of network attacks. The invention refers to the protection system consisting of the honey points, honey holes, honeypots and honeynets as a four-honey system, as shown in fig. 5, and the method specifically comprises the following steps:
Determine a protected system and arrange that it is accessed only through a gateway; configure a honeynet as the gateway of the protected system, set an access user white list for the protected system in the honeynet, and deploy the honeynet. Construct a simulation system of the protected system as the honey point and an attack deterrence and tracing system as the honey hole; if the protected system is accessed by domain name, give the honey point and the honey hole domain names similar to it, and if it is accessed by IP address, deploy the honey point and the honey hole in the same network segment as the protected system. Construct a honeypot from part of the protected system's non-core functions, isolated from the protected system, and deploy it. Deploy a management and control center, which analyzes the information received from the honey point and the honeypot to judge whether an access is normal, and so forms analysis and judgment information.
While the protected system runs: when the honey point is accessed, it records the access trace to a log to form threat information and sends that information to the management and control center. When the honeynet is accessed, if the access source is in the user white list the access is forwarded to the protected system; if it is not, the access is forwarded to the honeypot and, at the same time, important meta information such as the source and destination IP addresses, the destination port, the access time and part or all of the payload is sent to the management and control center as threat information. After the honeypot receives an access forwarded by the honeynet, it performs behavior analysis on the access and judges from the result whether the access is normal; if it is, the access is forwarded to the protected system, otherwise the analysis result is sent to the management and control center as threat information and the honey hole is notified to start its tracing deterrent function on the current access. When the honey hole receives an access forwarded by the honeypot, it requires the access source to provide identification, then judges the access against the analysis and judgment information obtained from the management and control center to determine whether it is normal; if so, the access is forwarded to the protected system, otherwise important meta information such as the source and destination IP addresses, the destination port, the access time and part or all of the payload content is sent to the management and control center as threat information.
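The routing and linkage described in the steps above, as an added model that is not part of the patent: the honeynet gateway consults its white list and its memory of released IPs, first-seen sources go through the honeypot, abnormal ones are handed to the honey hole, and every honey reports to a control center whose judgment the honey hole consults. The anomaly score, the thresholds, the judgment rule and the access sequence are all constructed assumptions; the page does not define them.

```python
from dataclasses import dataclass
ABNORMAL, ATTACK = 0.5, 0.8  # constructed thresholds: honeypot "abnormal" / centre "attack"

@dataclass
class Access:
    src_ip: str
    port: int
    payload: str
    anomaly: float = 0.0      # assumed score from the honeypot's behaviour analysis
    identified: bool = False  # did the source answer the honey hole's identification demand?

class ControlCenter:  # collects threat info and forms the judgment the honey hole consults
    def __init__(self):
        self.threat_info = []  # (reporting honey, src_ip, port, detail)
    def receive(self, honey, a, detail):
        self.threat_info.append((honey, a.src_ip, a.port, detail))
    def judgment(self, src_ip):  # constructed rule over honey point and honeypot reports
        mine = [(h, d) for h, ip, _, d in self.threat_info if ip == src_ip]
        probed = any(h == "honeypoint" for h, _ in mine)
        worst = max((d for h, d in mine if h == "honeypot"), default=0.0)
        return "attack" if probed or worst >= ATTACK else "unknown"

class FourHoneySystem:
    def __init__(self, whitelist):
        self.whitelist, self.validated = set(whitelist), set()  # gateway list; IPs already released
        self.center, self.protected, self.deception = ControlCenter(), [], []
    def release(self, a):  # flow traction into the real system; the gateway records the IP
        self.validated.add(a.src_ip)
        self.protected.append(a)
        return "protected"
    def honeypoint(self, a):  # attack perception: any hit on the decoy domain/range is a probe
        self.center.receive("honeypoint", a, "probe trace")
        self.deception.append(a)
        return "deception"
    def honeynet(self, a):  # attack attraction: the gateway on the only path to the real system
        if a.src_ip in self.whitelist or a.src_ip in self.validated:
            return self.release(a)
        self.center.receive("honeynet", a, a.payload[:32])  # meta info of a first-seen source
        return self.honeypot(a)
    def honeypot(self, a):  # attack observation: serve the newcomer in isolation and watch it
        if a.anomaly < ABNORMAL:
            return self.release(a)
        self.center.receive("honeypot", a, a.anomaly)
        return self.honeyhole(a)  # linkage: start the tracing deterrent on this access
    def honeyhole(self, a):  # tracing deterrent: demand identification, then judge
        if not a.identified:
            self.center.receive("honeyhole", a, "identification refused")
            return "blocked"
        if self.center.judgment(a.src_ip) == "attack":
            self.center.receive("honeyhole", a, "judged attack")
            self.deception.append(a)
            return "deception"
        return self.release(a)

def run_scenario():  # constructed access sequence; addresses are documentation ranges
    s = FourHoneySystem(whitelist=["10.0.0.5"])
    r = {"whitelisted": s.honeynet(Access("10.0.0.5", 443, "GET /"))}
    r["probe"] = s.honeypoint(Access("203.0.113.7", 443, "GET /"))
    r["probe_then_attack"] = s.honeynet(Access("203.0.113.7", 443, "POST /login", 0.6, True))
    r["benign_new"] = s.honeynet(Access("198.51.100.9", 443, "GET /", 0.1))
    r["benign_again"] = s.honeynet(Access("198.51.100.9", 443, "GET /app"))
    r["refused_id"] = s.honeynet(Access("198.51.100.20", 443, "POST /api", 0.6))
    r["unknown_identified"] = s.honeynet(Access("198.51.100.21", 443, "POST /api", 0.6, True))
    r["reports"], r["reached_real_system"] = len(s.center.threat_info), len(s.protected)
    return r
```

The scenario shows the point the APT discussion makes: a source that probed the honey point and later returns is judged an attacker even though its honeypot score alone would not suffice, while a benign newcomer is released once and then reaches the real system directly.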
Embodiment one:
This embodiment adopts the four-honey-based integrated network attack detection method to protect the protected system against denial of service attacks, and specifically comprises the following steps:
The method provided by the invention basically requires no upgrade or modification of the protected system, only a certain degree of cooperation from the operator of the protected object; in this example a domain name is configured for the protected system.
In this embodiment, following the method provided by the invention, a management and control center is set up as the analysis and judgment center for threat information. It receives threat information from four-honey systems distributed across different physical areas and analyzes it through a combination of automated and manual analysis to form analysis and judgment information; it provides a network deception environment that can take over flows judged to be attacks and interact with the attack source, so as to induce the attacker to expose more of its attack methods; and it configures and distributes monitoring strategies, including the large number of strategies of the four-honey system.
In an actual attack, after an attacker has selected an attack target, namely the protected system, the attacker generally first probes it, for example by enumerating the target's sub-domain names and traversing its possible IP address ranges. When such probing is used, the attacker naturally lands on the domain names or IP address ranges set up by the honey point, so the probing accesses are perceived by the honey point in its low position, their traces are collected covertly, and subsequent accesses are guided into the network deception environment.
Next, once the attacker believes enough information about the target has been obtained, the attacker attempts to penetrate the target through its weak points in order to gain control of it. At this point accesses from the attacker's new IP addresses are forwarded to the honeypot for observation; if the honeypot observes an abnormality, threat information is generated and subsequent accesses are guided into the network deception environment of the management and control center.
Finally, when the attacker has tried and failed to penetrate the target through its weak points, a denial of service attack may be launched against it to destroy its availability. At this point the accesses of the denial of service attack are received and intercepted by the honeynet and never reach the protected system, so that the availability of the protected system is not actually reduced.
Embodiment two:
This embodiment adopts the four-honey-based integrated network attack detection method to protect the protected system against unknown attacks, and specifically comprises the following steps:
In an actual attack, after an attacker has selected an attack target, namely the protected system, the attacker generally first probes it, for example by enumerating the target's sub-domain names and traversing its possible IP address ranges. When such probing is used, the attacker naturally lands on the domain names or IP address ranges set up by the honey point, so the probing accesses are perceived by the honey point in its low position, their traces are collected covertly, and subsequent accesses are guided into the network deception environment.
Next, once the attacker believes enough information about the target has been obtained, the attacker attempts to penetrate the target through its weak points in order to gain control of it. At this point accesses from the attacker's new IP addresses are forwarded to the honeypot for observation; if the honeypot observes an abnormality, threat information is generated and subsequent accesses are guided into the network deception environment of the management and control center.
Finally, when an attacker has accessed the target normally for a long time and then penetrates it using an unknown vulnerability or an unknown attack technique, the honeypot of the invention cannot accurately judge whether the current access is an attack; it can only sense abnormal behavior and so presume that the access source is likely to be an attacker. The identification required by the honey hole therefore needs to be very hard to forge, for example WeChat code scanning, facial recognition or supervised attendance check-in.
In summary, the above embodiments are only preferred embodiments of the present invention, and are not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (6)

1. The four-honey-based integrated network attack detection method is characterized by comprising the following steps of:
configuring a domain name or a website of the protected system, configuring an application gateway of the protected system, and configuring the protected system to be accessible only through the application gateway;
constructing honey points, honey holes, honeynets and honeypots: the honey point is constructed as a simulation system having part of the functions of the protected system, the honey hole as an attack deterrence and tracing system, the honeynet as a system comprising the application gateway of the protected system and an access white list of the protected system, and the honeypot, isolated from the protected system, from part of the non-core functions of the protected system;
deploying and operating the honey points, the honey holes, the honeynets and the honeypots; configuring the honey points, the honey holes and the honeynets with domain names or web addresses similar to those of the protected system;
the integrated network attack detection method further comprises cooperative linkage among the honey points, the honey holes, the honeynets and the honeypots, comprising the following steps:
when the honey point is accessed while the protected system runs, the honey point records the access trace to a log to form threat information and sends the threat information to a management and control center; when the honeynet is accessed, the access is forwarded to the protected system if the access source is in a user white list, and otherwise the access is forwarded to a honeypot while the access information is sent to the management and control center as threat information; after the honeypot receives the access forwarded by the honeynet, it performs behavior analysis on the access and judges from the analysis result whether the access is normal, forwarding the access to the protected system if it is normal, and otherwise sending the analysis result to the management and control center as threat information while notifying a honey hole to start a tracing deterrent function on the current access; when the honey hole receives the access forwarded by the honeypot, the access source is required to provide identification, the access is then judged according to analysis and judgment information obtained from the management and control center to determine whether it is normal, and if so the access is forwarded to the protected system, otherwise the access information is sent to the management and control center as threat information;
and the management and control center analyzes the information received from the honey points and the honeypots to judge whether the access is normal, so as to form the analysis and judgment information.
2. The method of claim 1, wherein the access information includes, but is not limited to, the source and destination IP addresses, the destination port, the access time, and payload information.
3. The integrated network attack detection method according to claim 1, wherein the domain names or web addresses similar to those of the protected system, with which the honey point, the honey hole and the honeynet are configured, are obtained by an enumeration method.
4. The method of claim 1, wherein, when the honey hole receives an access forwarded by the honeypot, the access source is required to download and execute a tracing tool specified by the defender.
5. The integrated network attack detection method according to claim 1, wherein the identification includes, but is not limited to, a WeChat code, an Alipay code, a verifiable credential or a supervised attendance check-in.
6. The integrated network attack detection method according to claim 1, wherein the honeypot is constructed using a sandbox technique.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210816937.0A CN115549943B (en) 2022-07-12 2022-07-12 Four-honey-based integrated network attack detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210816937.0A CN115549943B (en) 2022-07-12 2022-07-12 Four-honey-based integrated network attack detection method

Publications (2)

Publication Number Publication Date
CN115549943A CN115549943A (en) 2022-12-30
CN115549943B true CN115549943B (en) 2023-05-23
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant