CN115580457A - Honeypot system of cloud computing platform and cloud access processing method and device - Google Patents


Info

Publication number
CN115580457A
Authority
CN
China
Prior art keywords
target
vpc
probe
access request
cloud
Prior art date
Legal status
Pending
Application number
CN202211183786.6A
Other languages
Chinese (zh)
Inventor
王金松
Current Assignee
Jingdong Technology Information Technology Co Ltd
Original Assignee
Jingdong Technology Information Technology Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses a honeypot system of a cloud computing platform and a cloud access processing method and device, and relates to the technical field of cloud computing. One embodiment of the method comprises: in response to detecting a target access request aimed at the VPC, determining a target policy matching the target access request from at least one routing policy acquired in advance, and taking the target range address contained in the target policy as the destination address; and forwarding the target access request to the target range indicated by that address over a transmission channel established in advance between the probe and that target range, so that the target range records the behavior data of the initiator of the target access request. This embodiment ensures both the performance of the user VPC and the normal maintenance of the target range.

Description

Honeypot system of cloud computing platform and cloud access processing method and device
Technical Field
The invention relates to the technical field of cloud computing, in particular to a honeypot system of a cloud computing platform and a cloud access processing method and device.
Background
Honeypots are a technology for luring and recording attackers: hosts, network services or information are set out as bait to induce attacks, so that attack behavior can be captured and analyzed, the tools and methods used by attackers learned, and their intentions and motivations inferred. Defenders thereby learn the security threats facing their own systems and strengthen them through targeted improvements. In a specific application, a honeypot system can comprise a honeynet formed by a probe component and a plurality of target range components, where the probe monitors malicious accesses and forwards them to a target range, and different target ranges are provided with corresponding system vulnerabilities so as to induce attackers to attack and to record the attacks.
At present, when a cloud computing platform deploys honeypots, the probes and target ranges can only be deployed in the user's Virtual Private Cloud (VPC). Because a target range is a heavyweight component, this deployment mode affects the performance of the user's VPC; at the same time, the user's VPC does not open access rights to the administrator, so the target range cannot be maintained.
Disclosure of Invention
In view of this, embodiments of the present invention provide a honeypot system of a cloud computing platform and a method and apparatus for cloud access processing, which deploy the target range in a specific VPC that is independent of the user VPC, so that the target range need not be deployed in the user VPC, thereby ensuring both the performance of the user VPC and the normal maintenance of the target range.
To achieve the above object, according to an aspect of the present invention, a cloud access processing method is provided.
The cloud access processing method is executed by a probe deployed in a virtual private cloud (VPC) of a cloud computing platform user, and comprises the following steps: in response to detecting a target access request aimed at the VPC in which the probe is located, determining a target policy matching the target access request from at least one routing policy acquired in advance, and taking the target range address contained in the target policy as the destination address, where the cloud computing platform further comprises a specific VPC independent of the user's VPC, the specific VPC has at least one cloud host in which a target range is pre-deployed, and the target range and the probe form a honeypot system; and forwarding the target access request to the target range indicated by the destination address over a transmission channel established in advance between the probe and that target range, so that the target range records the behavior data of the initiator of the target access request.
Optionally, the routing policy characterizes a mapping between feature information of an access request and a target range address, and determining the target policy matching the target access request from the at least one routing policy acquired in advance comprises: determining the routing policy whose feature information is consistent with the feature information of the target access request as the target policy.
Optionally, the method further comprises: periodically acquiring the latest routing policy from the cloud host on which a target range is located, using a transmission channel established in advance between the probe and any target range in the specific VPC; where the latest routing policy is written into a preset database after it has been configured on the front-end page, and is read from the database and stored locally by the cloud host on which the target range is located.
Optionally, the method further comprises: when it is determined that a newly added target range exists in the latest routing policy, establishing a transmission channel between the probe and the newly added target range using the target range address of the newly added target range in the latest routing policy; and when it is determined from the latest routing policy that a target range has been deleted, closing the previously established transmission channel between the probe and the deleted target range.
Optionally, the user VPCs are created by a plurality of cloud service providers, and one probe is deployed in each user VPC by means of an installation package or a container engine; the honeypot system further includes a probe deployed at the user's Internet Data Center (IDC); the target range address includes the IP address and port of the target range; and the specific VPC further has a load balancing component for forwarding the target access request.
To achieve the above object, according to another aspect of the present invention, a cloud access processing apparatus is provided.
The cloud access processing apparatus is arranged on a probe deployed in a virtual private cloud (VPC) of a cloud computing platform user, and comprises: a matching unit, configured to, in response to detecting a target access request aimed at the VPC in which the probe is located, determine a target policy matching the target access request from at least one routing policy acquired in advance and take the target range address contained in the target policy as the destination address, where the cloud computing platform further comprises a specific VPC independent of the user VPCs, the specific VPC has at least one cloud host in which a target range is pre-deployed, and the target range and the probe form a honeypot system; and a forwarding unit, configured to forward the target access request to the target range indicated by the destination address over a transmission channel established in advance between the probe and that target range, so that the target range records the behavior data of the initiator of the target access request.
To achieve the above object, according to another aspect of the present invention, a honeypot system of a cloud computing platform is provided.
The honeypot system of the cloud computing platform comprises a probe and a target range, where the cloud computing platform comprises virtual private clouds (VPCs) of a plurality of users and a specific VPC independent of the user VPCs; a probe is deployed in a user's VPC; the specific VPC has at least one cloud host, and each cloud host has at least one target range; and after detecting a target access request aimed at the VPC, the probe forwards the target access request to a destination target range among the target ranges, so that the destination target range records the behavior data of the initiator of the target access request.
Optionally, the specific VPC further has a load balancing component connected to the probe and the target ranges for forwarding the target access request, and each cloud host in the specific VPC is isolated by a security group.
Optionally, the user VPCs are created by a plurality of cloud service providers, and one probe is deployed in each user VPC by means of an installation package or a container engine. The system further comprises a probe deployed at the user's Internet Data Center (IDC); after detecting a specific access request aimed at the IDC, this probe forwards the specific access request to the corresponding target range in the specific VPC, so that that target range records the behavior data of the initiator of the specific access request.
Optionally, the probe deployed in the user's VPC determines a target policy matching the target access request from at least one routing policy acquired in advance, takes the target range address contained in the target policy as the destination address, and forwards the target access request to the target range indicated by that address through the load balancing component, over a transmission channel established in advance between the probe and that target range.
Optionally, the routing policy characterizes a mapping between feature information of an access request and a target range address; the probe deployed in the user's VPC determines the routing policy whose feature information is consistent with the feature information of the target access request as the target policy; the probe periodically acquires the latest routing policy from the cloud host of any target range in the specific VPC over a transmission channel established in advance between the probe and that target range; and the latest routing policy is written into a preset database after it has been configured on the front-end page, and is read from the database and stored locally by the cloud host on which the target range is located.
To achieve the above object, according to still another aspect of the present invention, there is provided an electronic apparatus.
An electronic device of the present invention includes one or more processors and a storage device for storing one or more programs; when the one or more programs are executed by the one or more processors, the one or more processors implement the cloud access processing method provided by the invention.
To achieve the above object, according to still another aspect of the present invention, there is provided a computer-readable storage medium.
The invention provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the cloud access processing method provided by the invention.
According to the technical scheme of the invention, the embodiment of the invention has the following advantages or beneficial effects:
The heavyweight component of the honeypot system, namely the target range, is deployed in a specific VPC that is created through an administrator account on the cloud computing platform and is independent of the user VPC; only a lightweight probe needs to be deployed in the user VPC. The probe locates the target range for a malicious access (that is, a target access request) through a routing policy configured on a front-end page, and the forwarding of the malicious access is carried out by a load balancing component in the specific VPC. This solves the performance degradation and unmaintainability caused by placing the target range in the user's VPC, and ensures both the performance of the user VPC and the maintainability of the target range. To protect the data security of the user VPC as far as possible, the path by which the probe acquires the routing policy is the same as the path by which it forwards malicious requests: the routing policy configured on the front-end page is written into a database, then acquired by a cloud host in the specific VPC on which a target range is deployed, and the probe pulls the routing policy from that cloud host. The routing policy can thus be transmitted over the existing transmission channel between the user VPC and the specific VPC, and no additional access channel needs to be opened in the user VPC. In addition, embodiments of the invention design the matching of the probe to the target range based on the routing policy, and the probe's processing logic when a target range is added or deleted; and because only the lightweight probe is deployed in the user VPC, the honeypot deployment scheme can also be applied to a multi-cloud system, which helps improve the security protection of the multi-cloud system.
Further effects of the optional features above will be described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. In the drawings:
Fig. 1 is a schematic structural diagram of a honeypot system of a cloud computing platform in an embodiment of the present invention;
Fig. 2 is a schematic diagram illustrating the main steps of a cloud access processing method according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the parts of a cloud access processing apparatus according to an embodiment of the present invention;
Fig. 4 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
Fig. 5 is a schematic structural diagram of an electronic device for implementing the cloud access processing method in an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
It should be noted that the embodiments of the present invention and the technical features of the embodiments may be combined with each other without conflict.
Fig. 1 is a schematic structural diagram of a honeypot system of a cloud computing platform in an embodiment of the present invention. As shown in Fig. 1, multiple users exist on the cloud computing platform, and each user has at least one VPC in which to create components such as cloud hosts (i.e., cloud servers) and cloud databases. In cloud computing, a VPC is a user's private network: an isolated virtual network environment built for resources such as cloud hosts, cloud containers and cloud databases, which the user configures and manages autonomously. It improves the security of the user's cloud resources and simplifies the user's network deployment. Being the user's private network, a VPC generally does not open conventional access rights to the outside, including to the administrator.
Honeypots are a technology for luring and recording attackers: hosts, network services or information are set out as bait to induce attacks, so that attack behavior can be captured and analyzed, the tools and methods used by attackers learned, and their intentions and motivations inferred. Defenders thereby learn the security threats facing their own systems and strengthen them through targeted improvements. In a specific application, the honeypot system can comprise a honeynet formed by a probe component and a plurality of target range components, where the probe monitors malicious accesses and forwards them to a target range, and different target ranges have real system vulnerability environments so as to induce attackers to attack and to record the attacks. The honeypot system of this embodiment is therefore a high-interaction honeypot system: it does not merely simulate some protocols or services but provides a real attackable system, from which the attacker's methods can be learned so that targeted protection can be put in place.
In existing honeypot deployments on cloud computing platforms, the probes and target range are generally deployed in the user VPC. Because the target range is a heavyweight component, this deployment mode affects the performance of the user VPC; at the same time, the user VPC does not open access rights to the administrator, so the target range cannot be maintained.
Based on this consideration, in the technical scheme of the invention a specific VPC is created on the cloud computing platform using the administrator account. It is completely independent of the user VPCs, is used only for deploying the honeypot system, and hosts no business system, so that the honeypot cannot affect business systems. Specifically, one or more cloud hosts are created in the specific VPC, each attached to a security group to achieve isolation and to prevent lateral movement by an attacker after a successful attack. Each cloud host deploys one or more target ranges; to ensure high availability of the target ranges, in a practical scenario only one target range may be deployed per cloud host. It will be appreciated that different target ranges are typically provided with different types of vulnerability environments to lure the corresponding attackers and attack behaviors. In a specific application, the container management tool Kubernetes can be used to maintain the various target ranges uniformly, and an IP address (which may be a virtual IP address) and a port are generated for each target range; together they form the target range address used to locate the target range.
By placing the heavyweight target range of the honeypot system in the specific VPC, the availability and maintainability problems caused by deploying the target range in the user VPC are solved, and the user VPC only needs to deploy a lightweight probe, which does not affect its performance. Probes may be deployed by means of an installation package or a container engine (e.g., Docker). Generally, only one probe needs to be deployed per VPC to monitor and forward malicious access, though multiple probes may be deployed in a VPC with a large resource scale. In addition, a probe can be deployed in the user's IDC (Internet Data Center); it functions similarly to the probe deployed in the user VPC and likewise forms a honeypot system with the target ranges in the specific VPC.
In the specific VPC, request forwarding and the load balancing policy are executed by a load balancing component that connects each probe to each target range. The load balancing component can provide listening services on different ports for multiple protocols such as TCP (Transmission Control Protocol), UDP (User Datagram Protocol), TLS (Transport Layer Security), HTTP (HyperText Transfer Protocol) and HTTPS (HTTP over TLS), which facilitates forwarding and load balancing decisions for access requests.
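The isolation property described above (each cloud host in the specific VPC sits behind its own security group so that a compromised target range cannot move laterally to another) can be checked before the ranges go live. The following is an added illustration, not code from the patent or from the assignee: it models per-host security groups as allow-lists that admit only the load balancing component on the range's own port, then enumerates every host-to-host path the groups would still permit. The load balancer address, host addresses, ports and the rule schema are constructed assumptions.

```python
"""Lateral-movement check for the security groups in the dedicated honeypot VPC.

Added example, not the patent's or the assignee's code. It models the isolation
described in the text: each cloud host running a target range admits traffic
only from the load balancing component, on that range's port. Addresses, ports
and the rule schema are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    src_cidr: str   # source allowed by this inbound rule
    port: int       # destination port the rule applies to


def is_allowed(inbound: List[Rule], src_ip: str, dst_port: int) -> bool:
    """Security groups are allow-lists: anything not matched is denied."""
    return any(
        ip_address(src_ip) in ip_network(r.src_cidr) and r.port == dst_port
        for r in inbound
    )


# Constructed topology (assumption): one load balancer, two cloud hosts,
# one target range per host as the text recommends for high availability.
LB_IP = "10.200.0.2"
RANGE_HOSTS: Dict[str, int] = {   # host IP -> port its target range listens on
    "10.200.0.11": 2222,
    "10.200.0.12": 8080,
}


def security_group_for(range_port: int) -> List[Rule]:
    """The per-host security group: only the load balancer, only the range port."""
    return [Rule(f"{LB_IP}/32", range_port)]


def lateral_paths(hosts: Dict[str, int]) -> List[Tuple[str, str, int]]:
    """Return every host-to-host path the security groups would permit.

    An empty list means no compromised range can reach another range's port.
    """
    open_paths = []
    for src in hosts:
        for dst, port in hosts.items():
            if src != dst and is_allowed(security_group_for(port), src, port):
                open_paths.append((src, dst, port))
    return open_paths


def lb_reachability(hosts: Dict[str, int]) -> Dict[str, bool]:
    """Confirm the load balancer can still forward to every range on its port."""
    return {dst: is_allowed(security_group_for(port), LB_IP, port)
            for dst, port in hosts.items()}


if __name__ == "__main__":
    print("lateral paths:", lateral_paths(RANGE_HOSTS))
    print("LB reachability:", lb_reachability(RANGE_HOSTS))
```

The check is deliberately strict: if a future rule widened `src_cidr` to the whole specific VPC subnet, `lateral_paths` would list the host pairs that became reachable, which is exactly the regression an operator would want flagged. Administrator maintenance access, which the text says the specific VPC is meant to allow, would be a separate, explicitly scoped rule rather than a widening of the load balancer rule.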
In this embodiment, after the probes deployed in the user VPC and the user IDC detect malicious access, the malicious access is forwarded to the corresponding target range for processing; the routing to the target range is described below. Taking a probe deployed in a user VPC as an example, the probe first detects whether the user VPC in which it is located receives a target access request; in practice, the target access request may be a malicious access request. If the probe detects a target access request, it forwards the request to a target range in the specific VPC, so that the target range records the behavior data of the initiator (that is, the attacker) of the target access request. This behavior data may include the attacker's operations and actions, and may also include attacker characteristics such as the IP address.
As a preferred solution, the probe deployed in the user VPC can use a routing policy stored locally in advance to locate the destination target range. The routing policy characterizes a mapping between feature information of the access request (for example, request frequency) and a target range address. Specifically, after the probe deployed in the user VPC detects a target access request, it first obtains the feature information of the target access request through preset logic, then determines a target policy matching the target access request from the at least one routing policy acquired in advance, for example by taking the routing policy whose feature information is consistent with that of the target access request as the target policy; the probe may then take the target range address contained in the target policy as the destination address, which is the address of the destination target range.
Once the destination target range is determined, the probe deployed in the user VPC can forward the target access request to it through the load balancing component, over the transmission channel established in advance between the probe and that target range, and the honeypot function is thus achieved.
Preferably, the routing policy may be configured and used as follows. Staff first configure the routing policy through the front-end page (the front-end component performing this function is a policy configuration component), and the configured routing policy is written into a preset database. Thereafter, a cloud host in the specific VPC periodically pulls the latest routing policy from the database and writes it locally, and the probe periodically pulls the latest routing policy over the transmission channel established in advance between the probe and any one target range in the specific VPC. The path by which the probe acquires the routing policy is thus the same as the path by which it forwards target access requests, so the external access channels of the user VPC are reduced as far as possible and the data security of the user VPC is protected.
In a practical scenario, when the probe determines from the latest routing policy that a newly added target range exists, it may establish a transmission channel to the newly added target range using that target range's address in the latest routing policy, to support subsequent request forwarding. After a transmission channel is established, the probe can periodically check whether it is available and restart it when it is found to be unavailable due to a fault. When the probe determines from the latest routing policy that a target range has been deleted (i.e., is to be deleted), it closes the previously established transmission channel between the probe and that target range to save resources.
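The probe-side logic described in the preceding paragraphs (feature-based policy matching, forwarding over a pre-established channel, periodic pull of the latest policy with channel set-up for added ranges and tear-down for deleted ones, and the liveness check that restarts a failed channel) is also the content of steps S201 and S202 in the Fig. 2 description further below. The following is an added example that covers both passages; it is not the patent's code, and the policy schema, the `Probe`/`Channel` classes, the feature names and the two sample target ranges are constructed assumptions. Channels are modelled in memory so the reconciliation behaviour can be exercised offline.

```python
"""Probe-side routing-policy matching and transmission-channel reconciliation.

Added example illustrating the probe logic described in the text. Not the
patent's code: the policy schema, class names, feature keys and the sample
target ranges are all constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

RangeAddr = Tuple[str, int]   # (IP address, port) of a target range


@dataclass(frozen=True)
class RoutingPolicy:
    """Mapping from access-request feature information to a target range address."""
    features: Tuple[Tuple[str, str], ...]   # every (key, value) must be present in the request
    range_addr: RangeAddr


@dataclass
class Channel:
    """A transmission channel from the probe to one target range (in-memory stand-in)."""
    range_addr: RangeAddr
    available: bool = True
    forwarded: List[dict] = field(default_factory=list)

    def send(self, request: dict) -> None:
        self.forwarded.append(request)


class Probe:
    def __init__(self) -> None:
        self.policies: List[RoutingPolicy] = []
        self.channels: Dict[RangeAddr, Channel] = {}

    def match_policy(self, request: dict) -> Optional[RoutingPolicy]:
        """Target policy = first policy whose feature information the request satisfies."""
        for policy in self.policies:
            if all(request.get(k) == v for k, v in policy.features):
                return policy
        return None

    def handle_request(self, request: dict) -> Optional[RangeAddr]:
        """Steps S201/S202: locate the destination range, forward over its channel."""
        policy = self.match_policy(request)
        if policy is None:
            return None   # no policy diverts this request to the honeynet
        channel = self.channels.get(policy.range_addr)
        if channel is None or not channel.available:
            return None   # channel missing or down: nothing can be forwarded
        channel.send(request)
        return policy.range_addr

    def refresh_policies(self, latest: List[RoutingPolicy]) -> Tuple[Set[RangeAddr], Set[RangeAddr]]:
        """Periodic pull of the latest policy set, then channel reconciliation.

        Newly listed range addresses get a channel established; addresses no
        longer listed have their channel closed. Returns (added, removed).
        """
        wanted = {p.range_addr for p in latest}
        have = set(self.channels)
        added, removed = wanted - have, have - wanted
        for addr in added:
            self.channels[addr] = Channel(addr)
        for addr in removed:
            del self.channels[addr]
        self.policies = list(latest)
        return added, removed

    def check_channels(self) -> List[RangeAddr]:
        """Periodic liveness check: re-establish any channel found unavailable."""
        restarted = []
        for addr, ch in list(self.channels.items()):
            if not ch.available:
                self.channels[addr] = Channel(addr)
                restarted.append(addr)
        return restarted


# Constructed sample data (assumption): one SSH-style and one web-style range.
SSH_RANGE: RangeAddr = ("10.200.0.11", 2222)
WEB_RANGE: RangeAddr = ("10.200.0.12", 8080)
INITIAL_POLICIES = [
    RoutingPolicy((("proto", "ssh"),), SSH_RANGE),
    RoutingPolicy((("proto", "http"), ("path_prefix", "/admin")), WEB_RANGE),
]


def demo() -> dict:
    """Walk the probe through policy load, matching, a channel fault and a deletion."""
    probe = Probe()
    added, removed = probe.refresh_policies(INITIAL_POLICIES)
    ssh_dst = probe.handle_request({"proto": "ssh", "src": "203.0.113.5"})
    web_dst = probe.handle_request({"proto": "http", "path_prefix": "/admin", "src": "203.0.113.5"})
    miss = probe.handle_request({"proto": "http", "path_prefix": "/", "src": "198.51.100.9"})
    probe.channels[WEB_RANGE].available = False      # simulate a channel fault
    restarted = probe.check_channels()
    added2, removed2 = probe.refresh_policies(INITIAL_POLICIES[:1])   # web range deleted
    return {"initial_added": sorted(added), "initial_removed": sorted(removed),
            "ssh_dst": ssh_dst, "web_dst": web_dst, "miss": miss, "restarted": restarted,
            "later_added": sorted(added2), "later_removed": sorted(removed2),
            "open_channels": sorted(probe.channels)}


if __name__ == "__main__":
    print(demo())
```

Two points the text leaves implicit are made explicit here: a request that matches no policy is not forwarded at all (the probe only diverts traffic a policy names), and reconciliation is keyed on the range address rather than on policy identity, so editing a policy's feature information without changing its address leaves the existing channel untouched.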
In addition, the honeypot system of this embodiment can also be applied to a multi-cloud system, in which the plurality of user VPCs of the cloud computing platform are created by a plurality of cloud service providers. Because the scheme of the invention deploys only the lightweight probe in the user VPC, the high-interaction honeypot function can be integrated into and executed on the multi-cloud system, improving its security protection.
In the technical scheme of this embodiment, the heavyweight component of the honeypot system, namely the target range, is deployed in a specific VPC that is created through an administrator account on the cloud computing platform and is independent of the user VPC; only a lightweight probe needs to be deployed in the user VPC. The probe locates the target range for a malicious access through a routing policy configured on a front-end page, and the forwarding of the malicious access is carried out by a load balancing component in the specific VPC. This solves the performance degradation and unmaintainability caused by placing the target range in the user's VPC, and ensures both the performance of the user VPC and the maintainability of the target range. To protect the data security of the user VPC as far as possible, the path by which the probe acquires the routing policy is the same as the path by which it forwards malicious requests: the routing policy configured on the front-end page is written into a database, then acquired by a cloud host in the specific VPC on which a target range is deployed, and the probe pulls the routing policy from that cloud host. The routing policy can thus be transmitted over the existing transmission channel between the user VPC and the specific VPC, and no additional access channel needs to be opened in the user VPC. In addition, this embodiment designs the matching of the probe to the target range based on the routing policy, and the probe's processing logic when a target range is added or deleted; and because only the probe is deployed in the user VPC, the honeypot deployment scheme can also be applied to a multi-cloud system, which helps improve the security protection of the multi-cloud system.
Fig. 2 is a schematic diagram illustrating the main steps of a cloud access processing method according to an embodiment of the present invention.
As shown in Fig. 2, the cloud access processing method according to this embodiment can be executed by a probe deployed in a virtual private cloud (VPC) of a cloud computing platform user, and includes the following steps:
Step S201: in response to detecting a target access request aimed at the VPC, determine a target policy matching the target access request from at least one routing policy acquired in advance, and take the target range address contained in the target policy as the destination address; where the cloud computing platform further comprises a specific VPC independent of the user VPCs, the specific VPC has at least one cloud host in which a target range is pre-deployed, and the target range and the probe form a honeypot system.
Step S202: forward the target access request to the target range indicated by the destination address over a transmission channel established in advance between the probe and that target range, so that the target range records the behavior data of the initiator of the target access request.
Since the implementation details have been described above, they are not repeated here.
In this embodiment, the routing policy represents a mapping between feature information of an access request and a target range address, and determining the target policy matching the target access request from the at least one routing policy acquired in advance comprises: determining the routing policy whose feature information is consistent with the feature information of the target access request as the target policy.
In a specific application, the method further comprises: periodically acquiring the latest routing policy from the cloud host on which a target range is located, using a transmission channel established in advance between the probe and any target range in the specific VPC; where the latest routing policy is written into a preset database after it has been configured on the front-end page, and is read from the database and stored locally by the cloud host on which the target range is located.
As a preferred aspect, the method further comprises: when it is determined that a newly added target range exists in the latest routing policy, establishing a transmission channel between the probe and the newly added target range using the target range address of the newly added target range in the latest routing policy; and when it is determined from the latest routing policy that a target range has been deleted, closing the previously established transmission channel between the probe and the deleted target range.
In addition, in an embodiment of the present invention, the user VPCs are created by a plurality of cloud service providers, and one probe is deployed in each user VPC by means of an installation package or a container engine; the honeypot system further includes a probe deployed at the user's Internet Data Center (IDC); the target range address includes the IP address and port of the target range; and the specific VPC further has a load balancing component for forwarding the target access request.
According to the technical scheme of this embodiment, the heavyweight component of the honeypot system, namely the target range, is deployed in a specific VPC that is created through an administrator account on the cloud computing platform and is independent of the user VPC; only a lightweight probe needs to be deployed in the user VPC. The probe locates the destination target range for a malicious access through a routing policy configured on a front-end page, and the forwarding of the malicious access is carried out by a load balancing component in the specific VPC. This solves the performance degradation and unmaintainability caused by placing the target range in the user's VPC, and ensures both the performance of the user VPC and the maintainability of the target range. To protect the data security of the user's VPC as far as possible, the path by which the probe acquires the routing policy is the same as the path by which it forwards malicious requests: the routing policy configured on the front-end page is written into a database, then acquired by a cloud host in the specific VPC on which a target range is deployed, and the probe pulls the routing policy from that cloud host. The routing policy can thus be transmitted over the existing transmission channel between the user's VPC and the specific VPC, and no additional access channel needs to be opened in the user's VPC.
In addition, the embodiment of the invention further designs a matching mode of the probes and the target range based on the routing strategy and processing logics of the probes when the target range is newly added and the target range is deleted, and the honeypot deployment scheme can also be applied to a multi-cloud system according to the light-weight characteristic that the probes are only deployed at the VPC of a user, thereby being beneficial to improving the safety protection performance of the multi-cloud system.
It should be noted that for the above-mentioned embodiments of the method, for convenience of description, the embodiments are described as a series of combinations of actions, but those skilled in the art should understand that the present invention is not limited by the described order of actions, and that some steps may in fact be performed in other orders or simultaneously. In addition, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required to implement the invention.
To facilitate a better implementation of the above-described aspects of embodiments of the present invention, the following also provides related apparatus for implementing the above-described aspects.
Referring to Fig. 3, a cloud access processing apparatus 300 according to an embodiment of the invention is arranged in a probe deployed in a virtual private cloud (VPC) of a user of the cloud computing platform, and may include a matching unit 301 and a forwarding unit 302.
The matching unit 301 is configured to: in response to detecting a target access request directed at the VPC in which the probe is located, determine a target policy matching the target access request from at least one routing policy acquired in advance, and take the target range address contained in the target policy as the destination address; here the cloud computing platform further comprises a specific VPC independent of the users' VPCs, the specific VPC containing at least one cloud host on which a target range is pre-deployed, the target range and the probes together forming the honeypot system. The forwarding unit 302 is configured to: forward the target access request to the target range indicated by the target range address over a transmission channel pre-established between the probe and that target range, so that the target range records the behavior data of the initiator of the target access request.
In practical application, a routing policy represents a mapping between characteristic information of access requests and the destination address; the matching unit 301 may further be configured to determine the routing policy whose characteristic information is consistent with the characteristic information of the target access request as the target policy.
Preferably, the apparatus 300 may further include a policy obtaining unit configured to: periodically acquire the latest routing policies from the cloud host on which a target range is located, over a transmission channel pre-established between the probe and any target range in the specific VPC; the latest routing policies are written into a preset database once configuration on the front-end page is completed, and are read from that database and stored locally by the cloud host on which the target range is located.
In one embodiment, the apparatus 300 may further comprise a channel management unit configured to: when it is determined that the latest routing policies contain a newly added target range, establish a transmission channel between the probe and the newly added target range using the target range address given for it in the latest routing policies; and when the latest routing policies show that a target range has been deleted, close the transmission channel previously established between the probe and the deleted target range.
In addition, in an embodiment of the invention, the users' VPCs are created by a plurality of cloud service providers, and one probe is deployed in each user VPC, either as an installation package or via a container engine; the honeypot system further comprises a probe deployed in the user's Internet data center (IDC). The target range address comprises the IP address and port of a target range, and the specific VPC further contains a load balancing component for forwarding the target access request.
According to the technical solution of this embodiment, the heavyweight component of the honeypot system, namely the target range, is deployed in a specific VPC that is opened under an administrator account of the cloud computing platform and is independent of the user VPCs; only a lightweight probe needs to be deployed in the user VPC. The probe locates the target range for malicious access through routing policies configured on the page end, and the forwarding of malicious access is carried out through a load balancing component in the specific VPC. This solves the problems of performance degradation and unmaintainability caused by deploying target ranges inside the user's VPC, and preserves both the performance of the user's VPC and the maintainability of the target ranges. To protect the data security of the user VPC as far as possible, the link over which the probe acquires routing policies is the same as the link over which malicious requests are forwarded: routing policies configured on the front-end page are written into a database, fetched from it by the cloud host in the specific VPC on which the target range is deployed, and pulled from that cloud host by the probe, so that routing policies travel over the existing transmission channel between the user VPC and the specific VPC and no additional access channel has to be opened into the user VPC. In addition, this embodiment further designs a probe-to-target-range matching scheme based on routing policies, together with the probe's processing logic when a target range is added or deleted; because the probe is the only component deployed in the user's VPC, this lightweight honeypot deployment scheme can also be applied to multi-cloud systems, helping to improve their security protection.
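The probe-side behaviour described for the method (steps S201 and S202 with the policy refresh) and for the apparatus units above, as an added illustration that is not part of the patent or the applicant's code: matching a request's characteristic information against pulled routing policies, forwarding over the channel keyed by the target range address, and opening or closing channels when a refreshed policy set adds or removes a target range. The matching rule ("consistent" taken as every policy feature appearing in the request with the same value), the channel stub, and all addresses and requests are assumptions and constructed sample values.

```python
"""Probe-side logic of the VPC honeypot described above (added illustration, not the patent's code).
Assumptions: a routing policy is a set of (feature, value) pairs plus the target range's (IP, port);
"consistent" means every feature named by the policy has the same value in the request; the
transmission channel is a stub that records what the target range would log. All values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Address = Tuple[str, int]    # (target range IP, port) inside the specific VPC
Request = Dict[str, object]  # characteristic information of one access request


@dataclass(frozen=True)
class RoutingPolicy:
    features: Tuple[Tuple[str, object], ...]  # characteristic information to match
    address: Address                          # target range address it maps to

    def matches(self, request: Request) -> bool:
        # Assumed matching rule: every policy feature must appear in the request with the same value.
        return all(request.get(key) == value for key, value in self.features)


def make_policy(features: Dict[str, object], address: Address) -> RoutingPolicy:
    # Sort the pairs so equal feature sets always produce equal policies.
    return RoutingPolicy(tuple(sorted(features.items())), address)


class RangeChannel:
    """Stub for a pre-established transmission channel from the probe to one target range.
    Real traffic would cross the load balancing component of the specific VPC; the stub only
    records the requests the target range would log as behavior data."""

    def __init__(self, address: Address) -> None:
        self.address = address
        self.is_open = True
        self.recorded: List[Request] = []

    def send(self, request: Request) -> None:
        if not self.is_open:
            raise RuntimeError(f"channel to {self.address} is closed")
        self.recorded.append(request)

    def close(self) -> None:
        self.is_open = False


class Probe:
    """Lightweight probe in the user's VPC: matching unit, forwarding unit, channel management."""

    def __init__(self, policies: List[RoutingPolicy]) -> None:
        self.policies = list(policies)
        # One channel per distinct target range address, opened in advance.
        self.channels: Dict[Address, RangeChannel] = {p.address: RangeChannel(p.address) for p in policies}

    def match_policy(self, request: Request) -> Optional[RoutingPolicy]:
        # Matching unit: first routing policy whose characteristic information fits the request.
        for policy in self.policies:
            if policy.matches(request):
                return policy
        return None

    def forward(self, request: Request) -> Optional[Address]:
        # Forwarding unit: send the request over the channel to the matched target range and
        # return the destination address, or None when no policy matches (not honeypot traffic).
        policy = self.match_policy(request)
        if policy is None:
            return None
        self.channels[policy.address].send(request)
        return policy.address

    def refresh_policies(self, latest: List[RoutingPolicy]) -> Tuple[List[Address], List[Address]]:
        # Channel management for a policy set the probe has just pulled from the cloud host:
        # open a channel for each newly added target range, close the channel of each deleted one.
        old_addresses = set(self.channels)
        new_addresses = {p.address for p in latest}
        for address in new_addresses - old_addresses:
            self.channels[address] = RangeChannel(address)
        for address in old_addresses - new_addresses:
            self.channels.pop(address).close()
        self.policies = list(latest)
        return sorted(new_addresses - old_addresses), sorted(old_addresses - new_addresses)


def demo() -> Tuple[Optional[Address], Optional[Address], List[Address], List[Address]]:
    # Constructed walk-through: an SSH hit is routed, an HTTP request matches nothing,
    # then a refreshed policy set replaces the MySQL target range with a Redis one.
    ssh_range = make_policy({"dst_port": 22, "protocol": "tcp"}, ("10.100.0.11", 2222))
    db_range = make_policy({"dst_port": 3306, "protocol": "tcp"}, ("10.100.0.12", 3306))
    probe = Probe([ssh_range, db_range])
    hit = probe.forward({"src_ip": "198.51.100.7", "dst_port": 22, "protocol": "tcp"})
    miss = probe.forward({"src_ip": "198.51.100.7", "dst_port": 80, "protocol": "tcp"})
    cache_range = make_policy({"dst_port": 6379, "protocol": "tcp"}, ("10.100.0.13", 6379))
    added, removed = probe.refresh_policies([ssh_range, cache_range])
    return hit, miss, added, removed


if __name__ == "__main__":
    print(demo())
```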
Fig. 4 illustrates an exemplary system architecture 400 to which the cloud access processing method or the cloud access processing apparatus according to the embodiment of the present invention may be applied.
As shown in Fig. 4, the system architecture 400 may include terminal devices 401, 402, 403, a network 404, and a server 405 (this architecture is merely an example, and the components of a particular architecture may be adapted to the circumstances of the application). The network 404 serves as a medium providing communication links between the terminal devices 401, 402, 403 and the server 405. The network 404 may include various types of connections, such as wired or wireless communication links, or fiber optic cables.
An attacker may use the terminal devices 401, 402, 403 to interact with the server 405 via the network 404, to receive or send messages and the like. Various communication client applications may be installed on the terminal devices 401, 402, 403.
The terminal devices 401, 402, 403 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 405 may be a server that provides various services, such as a cloud server in which honeypot systems are pre-deployed in a cloud computing platform. The cloud server can process the received target access request and the like, and record behavior data of the attacker for subsequent analysis.
It should be noted that the cloud access processing method provided in the embodiment of the present invention is generally executed by the server 405, and accordingly, the cloud access processing apparatus is generally disposed in the server 405.
It should be understood that the number of terminal devices, networks, and servers in fig. 4 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for an implementation.
The invention also provides an electronic device. The electronic device of the embodiment comprises: one or more processors; and a storage device for storing one or more programs, such that when the one or more programs are executed by the one or more processors, the one or more processors implement the cloud access processing method provided by the invention.
Referring now to FIG. 5, shown is a block diagram of a computer system 500 suitable for use in implementing an electronic device of an embodiment of the present invention. The electronic device shown in fig. 5 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in Fig. 5, the computer system 500 includes a Central Processing Unit (CPU) 501 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. The RAM 503 also stores various programs and data necessary for the operation of the computer system 500. The CPU 501, ROM 502, and RAM 503 are connected to each other through a bus 504. An input/output (I/O) interface 505 is also connected to the bus 504.
The following components are connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse, and the like; an output portion 507 including a display such as a Cathode Ray Tube (CRT) or a Liquid Crystal Display (LCD), and a speaker; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the Internet. A drive 510 is also connected to the I/O interface 505 as necessary. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as necessary, so that a computer program read out from it can be installed into the storage section 508 as necessary.
In particular, the processes described in the main step diagrams above may be implemented as computer software programs, according to embodiments of the present disclosure. For example, embodiments of the invention include a computer program product comprising a computer program embodied on a computer-readable medium, the computer program comprising program code for performing the method illustrated in the main step diagram. In the above-described embodiment, the computer program can be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511. The computer program performs the above-described functions defined in the system of the present invention when executed by the central processing unit 501.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present invention may be implemented by software or hardware. The described units may also be provided in a processor, and may be described as: a processor includes a matching unit and a forwarding unit. Where the names of the units do not in some cases constitute a limitation of the unit itself, for example, a matching unit may also be described as a "unit providing a destination address to a forwarding unit".
As another aspect, the present invention also provides a computer-readable medium, which may be contained in the apparatus described in the above embodiments or may be separate and not incorporated into the apparatus. The computer-readable medium carries one or more programs which, when executed by the apparatus, cause the apparatus to perform steps comprising: in response to detecting a target access request directed at the VPC in which the probe is located, determining a target policy matching the target access request from at least one routing policy acquired in advance, and taking the target range address contained in the target policy as the destination address; wherein the cloud computing platform comprises a specific VPC independent of the users' VPCs, the specific VPC containing at least one cloud host on which a target range is pre-deployed, the target range and the probes forming a honeypot system; and forwarding the target access request to the target range indicated by the target range address over a transmission channel pre-established between the probe and that target range, so that the target range records the behavior data of the initiator of the target access request.
In the technical solution of this embodiment, the heavyweight component of the honeypot system, namely the target range, is deployed in a specific VPC that is opened under an administrator account of the cloud computing platform and is independent of the user VPCs; only a lightweight probe needs to be deployed in the user VPC. The probe locates the target range for malicious access through routing policies configured on the page end, and the forwarding of malicious access is carried out through a load balancing component in the specific VPC. This solves the problems of performance degradation and unmaintainability caused by deploying target ranges inside the user's VPC, and preserves both the performance of the user's VPC and the maintainability of the target ranges. To protect the data security of the user VPC as far as possible, the link over which the probe acquires routing policies is the same as the link over which malicious requests are forwarded: routing policies configured on the front-end page are written into a database, fetched from it by the cloud host in the specific VPC on which the target range is deployed, and pulled from that cloud host by the probe, so that routing policies travel over the existing transmission channel between the user VPC and the specific VPC and no additional access channel has to be opened into the user VPC. In addition, this embodiment further designs a probe-to-target-range matching scheme based on routing policies, together with the probe's processing logic when a target range is added or deleted; because the probe is the only component deployed in the user's VPC, this lightweight honeypot deployment scheme can also be applied to multi-cloud systems, helping to improve their security protection.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may occur depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (13)

1. A cloud access processing method, characterized in that it is executed by a probe deployed in a virtual private cloud (VPC) of a user of a cloud computing platform; the method comprises the following steps:
in response to detecting a target access request directed at the VPC in which the probe is located, determining a target policy matching the target access request from at least one routing policy acquired in advance, and determining the target range address contained in the target policy as the destination address; wherein the cloud computing platform further comprises a specific VPC independent of the users' VPCs, the specific VPC containing at least one cloud host on which a target range is pre-deployed, the target range and the probes forming a honeypot system;
and forwarding the target access request to the target range indicated by the target range address over a transmission channel pre-established between the probe and that target range, so that the target range records the behavior data of the initiator of the target access request.
2. The method of claim 1, wherein a routing policy represents a mapping between characteristic information of access requests and the target range address; and determining the target policy matching the target access request from the at least one pre-acquired routing policy comprises:
determining the routing policy whose characteristic information is consistent with the characteristic information of the target access request as the target policy.
3. The method of claim 1, further comprising:
periodically acquiring the latest routing policies from the cloud host on which a target range is located, over a transmission channel pre-established between the probe and any target range in the specific VPC;
wherein the latest routing policies are written into a preset database once configuration on the front-end page is completed, and are read from the database and stored locally by the cloud host on which the target range is located.
4. The method of claim 3, further comprising:
when it is determined that a newly added target range exists in the latest routing policies, establishing a transmission channel between the probe and the newly added target range using the target range address of the newly added target range in the latest routing policies;
and when a deleted target range exists in the latest routing policies, closing the pre-established transmission channel between the probe and the deleted target range.
5. The method of any one of claims 1-4, wherein the users' VPCs are created by a plurality of cloud service providers, one probe is deployed in each user VPC as an installation package or via a container engine, and the honeypot system further comprises: a probe deployed in the user's Internet data center (IDC);
the target range address comprises the IP address and port of a target range, and the specific VPC further contains a load balancing component for forwarding the target access request.
6. A cloud access processing apparatus, characterized in that it is arranged in a probe deployed in a virtual private cloud (VPC) of a user of a cloud computing platform; the apparatus comprises:
a matching unit configured to: in response to detecting a target access request directed at the VPC in which the probe is located, determine a target policy matching the target access request from at least one routing policy acquired in advance, and determine the target range address contained in the target policy as the destination address; wherein the cloud computing platform further comprises a specific VPC independent of the users' VPCs, the specific VPC containing at least one cloud host on which a target range is pre-deployed, the target range and the probes forming a honeypot system;
a forwarding unit configured to: forward the target access request to the target range indicated by the target range address over a transmission channel pre-established between the probe and that target range, so that the target range records the behavior data of the initiator of the target access request.
7. A honeypot system of a cloud computing platform, the cloud computing platform comprising: virtual private clouds (VPCs) of a plurality of users and a specific VPC independent of the users' VPCs; wherein:
a probe is deployed in each user's VPC;
the specific VPC contains at least one cloud host, and each cloud host has at least one target range deployed on it;
after detecting a target access request directed at the VPC in which it is located, the probe forwards the target access request to a target range among the target ranges, so that the target range records the behavior data of the initiator of the target access request.
8. The system of claim 7, wherein the specific VPC further comprises: a load balancing component connected to the probe and the target ranges for forwarding the target access request;
and each cloud host in the specific VPC is isolated by a security group.
9. The system of claim 7, wherein the users' VPCs are created by a plurality of cloud service providers, and one probe is deployed in each user VPC as an installation package or via a container engine;
the system further comprises: a probe deployed in the user's Internet data center (IDC), which, after detecting a specific access request directed at the IDC, forwards the specific access request to a corresponding target range in the specific VPC, so that the corresponding target range records the behavior data of the initiator of the specific access request.
10. The system of claim 8, wherein the probe deployed in the user's VPC determines a target policy matching the target access request from at least one pre-acquired routing policy, and determines the target range address contained in the target policy as the destination address; and forwards the target access request to the target range indicated by the target range address through the load balancing component, over a transmission channel pre-established between the probe and that target range.
11. The system of claim 10, wherein a routing policy represents a mapping between characteristic information of access requests and the target range address; the probe deployed in the user's VPC determines the routing policy whose characteristic information is consistent with the characteristic information of the target access request as the target policy;
the probe periodically acquires the latest routing policies from the cloud host on which a target range is located, over a transmission channel pre-established between the probe and any target range in the specific VPC; and the latest routing policies are written into a preset database once configuration on the front-end page is completed, and are read from the database and stored locally by the cloud host on which the target range is located.
12. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-5.
13. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-5.
CN202211183786.6A 2022-09-23 2022-09-23 Honeypot system of cloud computing platform and cloud access processing method and device Pending CN115580457A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211183786.6A CN115580457A (en) 2022-09-23 2022-09-23 Honeypot system of cloud computing platform and cloud access processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211183786.6A CN115580457A (en) 2022-09-23 2022-09-23 Honeypot system of cloud computing platform and cloud access processing method and device

Publications (1)

Publication Number Publication Date
CN115580457A true CN115580457A (en) 2023-01-06

Family

ID=84583594

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211183786.6A Pending CN115580457A (en) 2022-09-23 2022-09-23 Honeypot system of cloud computing platform and cloud access processing method and device

Country Status (1)

Country Link
CN (1) CN115580457A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116032691A (en) * 2023-03-30 2023-04-28 鹏城实验室 Shooting range interconnection method, electronic equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination