CN115694861A - Cloud honeypot deployment method, device and system - Google Patents


Info

Publication number
CN115694861A
Authority
CN
China
Prior art keywords
cloud
honeypot
traffic
flow
intranet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110876373.5A
Other languages
Chinese (zh)
Inventor
刘海霞
付俊
郭智慧
程叶霞
陈佳科
苏海洋
陈璨璨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2021-07-29
Filing date
2021-07-29
Publication date
2023-02-03
Application filed by China Mobile Communications Group Co Ltd and China Mobile Communications Ltd Research Institute

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method, a device and a system for deploying a cloud honeypot, and belongs to the technical field of communication. The cloud honeypot deployment system includes: a cloud honeypot traffic forwarding client, deployed in an isolated intranet segment, which allocates idle intranet IP addresses to honeypot services, labels the intranet IP traffic and redirects it to the data traffic interface of a cloud honeypot matrix; a domain name traffic forwarding server, deployed on the extranet, which sets the CNAME value of a secondary domain name of the target network, labels access traffic to that domain name and redirects it to the data traffic interface of the cloud honeypot matrix; and the cloud honeypot matrix, which receives the data traffic forwarded from the data traffic interface using a traffic probe and forwards it to different cloud honeypot environments according to the label. The scheme is low in cost, easy to maintain and extend, and completely isolates the client's intranet environment.

Description

Cloud honeypot deployment method, device and system
Technical Field
The invention relates to the technical field of communication, in particular to a method, a device and a system for deploying a cloud honeypot.
Background
In existing schemes, honeypots are deployed inside the intranet: part of the local area network's IP resources is occupied, a honeypot system is installed on it, and an attacker who has penetrated the intranet and is moving laterally is trapped and traced when they hit the honeypot. The honeypot types are mostly tied to specific services or worms.
The disadvantages of the prior art include: 1. trapping nodes must be deployed in the target network, the trapping effect depends on which nodes are chosen, and the nodes consume target network resources; 2. there is no honeypot environment designed for sophisticated attack and penetration techniques such as APT (advanced persistent threat) attacks; 3. extensibility and flexibility are poor, and the maintenance cost after deployment is high.
Disclosure of Invention
The invention aims to provide a method, a device and a system for deploying a cloud honeypot that are low in cost, easy to maintain and extend, and that completely isolate the client's intranet environment.
To solve the above technical problem, embodiments of the present invention provide the following technical solutions:
In one aspect, a cloud honeypot deployment system is provided, including:
a cloud honeypot traffic forwarding client, deployed in an isolated intranet segment, which allocates idle intranet IP addresses to honeypot services, labels the intranet IP traffic and redirects it to the data traffic interface of a cloud honeypot matrix;
a domain name traffic forwarding server, deployed on the extranet, which sets the CNAME value of a secondary domain name of the target network, labels access traffic to that domain name and redirects it to the data traffic interface of the cloud honeypot matrix;
and the cloud honeypot matrix, which receives the data traffic forwarded from the data traffic interface using a traffic probe and forwards it to different cloud honeypot environments according to the label.
In some embodiments, the traffic probe is configured to receive the data traffic forwarded by the data traffic interface, unpack the label of the data traffic, and forward the traffic to different cloud honeypot environments according to the label.
In some embodiments, the traffic probe is further configured to analyze the traffic session and synchronize the analysis results to the cloud honeypot management monitoring platform.
In some embodiments, the cloud honeypot environment includes at least one of:
a network protocol and service honeypot;
a database service honeypot;
an office environment honeypot;
a work host environment honeypot;
a guest environment honeypot;
a conference environment honeypot.
In some embodiments, the system further includes:
a cloud sandbox, which forwards received, dropped or uploaded files to a binary dynamic analysis sandbox for binary-level dynamic analysis.
An embodiment of the present invention further provides a cloud honeypot deployment method, applied to the cloud honeypot deployment system described above, the method including:
the cloud honeypot traffic forwarding client allocates idle intranet IP addresses to honeypot services, labels the intranet IP traffic and redirects it to the data traffic interface of the cloud honeypot matrix;
the domain name traffic forwarding server sets the CNAME value of a secondary domain name of the target network, labels access traffic to that domain name and redirects it to the data traffic interface of the cloud honeypot matrix;
the cloud honeypot matrix receives the data traffic forwarded from the data traffic interface using the traffic probe and forwards it to different cloud honeypot environments according to the label.
In some embodiments, the method further includes:
the traffic probe receives the data traffic forwarded by the data traffic interface, unpacks the label of the data traffic, and forwards the traffic to different cloud honeypot environments according to the label.
In some embodiments, the method further includes:
the traffic probe analyzes the traffic session and synchronizes the analysis results to the cloud honeypot management monitoring platform.
In some embodiments, the method further includes:
the cloud sandbox forwards received, dropped or uploaded files to the binary dynamic analysis sandbox for binary-level dynamic analysis.
An embodiment of the present invention also provides a cloud honeypot deployment device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor; the processor, when executing the program, implements the cloud honeypot deployment method described above.
In some embodiments, the processor is configured to allocate idle intranet IP addresses to honeypot services, label the intranet IP traffic and redirect it to the data traffic interface of a cloud honeypot matrix; to set the CNAME value of a secondary domain name of the target network, label access traffic to that domain name and redirect it to the data traffic interface of the cloud honeypot matrix; and to receive the data traffic forwarded from the data traffic interface using the traffic probe and forward it to different cloud honeypot environments according to the label.
In some embodiments, the processor is further configured to receive the data traffic forwarded by the data traffic interface, unpack the label of the data traffic, and forward the traffic to different cloud honeypot environments according to the label.
In some embodiments, the processor is further configured to analyze the traffic session and synchronize the analysis results to the cloud honeypot management monitoring platform.
In some embodiments, the processor is further configured to forward received, dropped or uploaded files to the binary dynamic analysis sandbox for binary-level dynamic analysis.
An embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the cloud honeypot deployment method described above.
Embodiments of the invention have the following beneficial effects:
only a lightweight honeypot deployment is needed on the client side (intranet and extranet), and no real honeypot environment has to be deployed in the client's environment. On the intranet, only an idle IP segment needs to be reserved and the client software installed; on the extranet, only CNAME alias records (for several idle secondary domain names) need to be added to the DNS configuration. The cloud honeypot system is maintained in the cloud, so cost is low and maintenance and extension are easy. The client's intranet environment is completely isolated, which prevents an attacker from penetrating further into the intranet through the honeypots during lateral movement, a risk of the traditional in-intranet honeypot deployment model. The scheme is therefore safe and reliable.
Drawings
Fig. 1 is a schematic structural diagram of a cloud honeypot deployment system according to an embodiment of the present invention;
fig. 2 is a schematic composition diagram of a cloud honeypot deployment apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the technical problems, technical solutions and advantages to be solved by the embodiments of the present invention clearer, the following detailed description will be given with reference to the accompanying drawings and specific embodiments.
Embodiments of the invention provide a method, a device and a system for deploying a cloud honeypot that are low in cost, easy to maintain and extend, and that completely isolate the client's intranet environment.
An embodiment of the present invention provides a cloud honeypot deployment system, as shown in fig. 1, including:
a cloud honeypot traffic forwarding client, deployed in an isolated intranet segment, which allocates idle intranet IP addresses to honeypot services, labels the intranet IP traffic and redirects it to the data traffic interface of a cloud honeypot matrix;
a domain name traffic forwarding server, deployed on the extranet, which sets the CNAME value of a secondary domain name of the target network, labels access traffic to that domain name and redirects it to the data traffic interface of the cloud honeypot matrix;
and the cloud honeypot matrix, which receives the data traffic forwarded from the data traffic interface using a traffic probe and forwards it to different cloud honeypot environments according to the label.
In this embodiment, only a lightweight honeypot deployment is needed on the client side (intranet and extranet), and no real honeypot environment has to be deployed in the client's environment. On the intranet, only an idle IP segment needs to be reserved and the client software installed; on the extranet, only CNAME alias records (for several idle secondary domain names) need to be added to the DNS (domain name system) configuration. The cloud honeypot system is maintained in the cloud, so cost is low and maintenance and extension are easy. The client's intranet environment is completely isolated, which prevents an attacker from penetrating further into the intranet through the honeypots during lateral movement, a risk of the traditional in-intranet honeypot deployment model. The scheme is therefore safe and reliable.
In some embodiments, the traffic probe is configured to receive the data traffic forwarded by the data traffic interface, unpack the label of the data traffic, and forward the traffic to different cloud honeypot environments according to the label.
In some embodiments, the traffic probe is further configured to analyze the traffic session and synchronize the analysis results to the cloud honeypot management monitoring platform.
In some embodiments, the honeypot environment includes at least one of:
a network protocol and service honeypot;
a database service honeypot;
an office environment honeypot;
a work host environment honeypot;
a guest environment honeypot;
a conference environment honeypot.
In some embodiments, the system further includes:
a cloud sandbox, which forwards received, dropped or uploaded files to a binary dynamic analysis sandbox for binary-level dynamic analysis.
An embodiment of the invention also provides a cloud honeypot deployment method, applied to the cloud honeypot deployment system above, including the following steps:
the cloud honeypot traffic forwarding client allocates idle intranet IP addresses to honeypot services, labels the intranet IP traffic and redirects it to the data traffic interface of the cloud honeypot matrix;
the domain name traffic forwarding server sets the CNAME value of a secondary domain name of the target network, labels access traffic to that domain name and redirects it to the data traffic interface of the cloud honeypot matrix;
the cloud honeypot matrix receives the data traffic forwarded from the data traffic interface using the traffic probe and forwards it to different cloud honeypot environments according to the label.
In some embodiments, the method further includes:
the traffic probe receives the data traffic forwarded by the data traffic interface, unpacks the label of the data traffic, and forwards the traffic to different cloud honeypot environments according to the label.
In some embodiments, the method further includes:
the traffic probe analyzes the traffic session and synchronizes the analysis results to the cloud honeypot management monitoring platform.
In some embodiments, the method further includes:
the cloud sandbox forwards received, dropped or uploaded files to a binary dynamic analysis sandbox for binary-level dynamic analysis. Specifically, the malware is executed in a virtual environment called a sandbox. Running the malware in a sandbox lets it unpack itself just as it would when infecting a real target. Simply by running it, one can find out which server a particular malware binary connects to, which system configuration parameters it changes, and which device I/O (input/output) it attempts to perform.
As shown in fig. 1, the cloud honeypot deployment system of this embodiment includes a cloud honeypot traffic forwarding client deployed in the intranet, a domain name traffic forwarding server deployed on the extranet, a cloud honeypot matrix deployed in the cloud, a cloud sandbox, and a cloud honeypot management monitoring platform. The cloud honeypot deployment method of this embodiment includes the following steps:
Step S001: in the intranet scenario, an isolated intranet segment is carved out and a cloud honeypot traffic forwarding client (agent) is deployed on a bypass of that segment. The client uses an IP allocation algorithm to allocate idle intranet IP addresses (from class A, B or C ranges) to honeypot services, and traffic addressed to those intranet IPs is redirected through the client to the cloud honeypot environment (on extranet IPs). The outbound traffic packets are labelled to distinguish the network environment they came from (office network, guest network, conference network, data center network, server network, and so on), so that each flow can be redirected to the designated cloud honeypot host environment. Trapping on real intranet IP addresses, combined with a highly deceptive honeypot matrix and tracing environment, makes the deployment more flexible and encourages the attacker's follow-on behaviour to unfold. The labelled IP traffic is redirected to the data traffic interface of the cloud honeypot matrix (see step S005); the correspondence between traffic labels and honeypot environments is as follows:
Table 1: correspondence between traffic data labels and cloud honeypot environments (the table is an image in the original and is not reproduced here)
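The allocation and labelling steps above, worked through in Python as an added example; this is not code from the patent or from China Mobile. It assumes one JSON record per forwarded packet, the label values in ENV_LABELS, and a rule that skips the lowest host addresses of the segment; the patent's Table 1 is not reproduced on the page, so the label-to-environment mapping here is invented for illustration. The agent forwards only flows whose destination is one of the reserved idle addresses, which is what keeps the rest of the intranet isolated from the cloud side.

```python
"""Added example: intranet agent side of the cloud honeypot scheme.

Allocates idle addresses in a reserved intranet segment to honeypot
services, tags outbound flows with a network-environment label, and
forwards only flows aimed at those addresses. Hypothetical code, not the
patent's implementation; label values and the reserved-host rule are
assumptions."""
import ipaddress
import json
from dataclasses import dataclass

# Assumed label values. The patent's Table 1 (label -> cloud honeypot
# environment) is an image that is not reproduced on the page.
ENV_LABELS = {"office": 1, "guest": 2, "conference": 3, "datacenter": 4, "server": 5}


def allocate_idle_ips(segment, in_use, count, reserve_low=10):
    """Return `count` host addresses in `segment` that are not in `in_use`.

    Works for any IPv4 prefix (the class A, B or C ranges the patent
    mentions). The network and broadcast addresses and the first
    `reserve_low` hosts are skipped so gateways and infrastructure addresses
    are never handed to a honeypot (assumption: they sit at the low end)."""
    net = ipaddress.ip_network(segment, strict=True)
    used = {ipaddress.ip_address(a) for a in in_use}
    chosen = []
    for index, host in enumerate(net.hosts()):
        if index < reserve_low or host in used:
            continue
        chosen.append(str(host))
        if len(chosen) == count:
            break
    if len(chosen) < count:
        raise ValueError(f"only {len(chosen)} idle addresses in {segment}, need {count}")
    return chosen


@dataclass(frozen=True)
class Flow:
    """One intranet packet as seen by the agent on the segment bypass."""
    src: str
    dst: str
    proto: int      # IP protocol number, e.g. 6 = TCP
    sport: int
    dport: int
    payload: bytes


class ForwardingAgent:
    """Labels and forwards flows whose destination is a honeypot address."""

    def __init__(self, env, honeypot_ips, matrix_interface):
        self.env = env
        self.label = ENV_LABELS[env]
        self.honeypot_ips = set(honeypot_ips)
        self.matrix_interface = matrix_interface  # assumed data traffic interface URL

    def should_redirect(self, flow):
        # Only traffic aimed at a reserved idle address leaves the intranet.
        # Anything else, including packets that claim a honeypot address as
        # their source (no legitimate host owns one), is left untouched, so
        # the agent cannot be turned into a general intranet-to-cloud relay.
        return flow.dst in self.honeypot_ips and flow.src not in self.honeypot_ips

    def envelope(self, flow):
        """Return the labelled record to send to the data traffic interface,
        or None when the flow is not honeypot-bound."""
        if not self.should_redirect(flow):
            return None
        record = {
            "label": self.label,
            "env": self.env,
            "tuple": {"src": flow.src, "dst": flow.dst, "proto": flow.proto,
                      "sport": flow.sport, "dport": flow.dport},
            "payload": flow.payload.hex(),
        }
        return json.dumps(record, sort_keys=True).encode()


def demo():
    """Constructed sample: a /24 office segment with two hosts already in use."""
    honeypots = allocate_idle_ips("192.168.10.0/24", {"192.168.10.11", "192.168.10.12"}, 3)
    agent = ForwardingAgent("office", honeypots, "https://matrix.example.invalid/ingest")
    probe = Flow("192.168.10.11", honeypots[0], 6, 51000, 22, b"SSH-2.0-OpenSSH_8.9\r\n")
    normal = Flow("192.168.10.11", "192.168.10.50", 6, 51001, 445, b"")
    return honeypots, agent.envelope(probe), agent.envelope(normal)


if __name__ == "__main__":
    print(demo())
```

`demo()` shows the two cases a practitioner cares about: a scan of a honeypot address is wrapped with label 1 and shipped out, while ordinary host-to-host traffic on the same segment yields `None` and is never forwarded.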
Step S002: in the extranet scenario, the CNAME value of a secondary domain name of the target network is set (see Table 2), the access traffic to that domain name is labelled (see Table 1), and the traffic is redirected to the data traffic interface of the cloud honeypot matrix. The traffic label and the CNAME alias together ensure the traffic enters exactly the right honeypot environment, and because a real extranet domain name points at a highly deceptive honeypot matrix trapping and tracing environment, the attacker does not easily notice that the traffic has entered a honeypot, and the subsequent attack actions leave a traceable trail.
Table 2: CNAME alias setting approach (the table is an image in the original and is not reproduced here)
Step S003: intranet IP traffic is forwarded to the data traffic interface by the cloud honeypot traffic forwarding client (agent) on the bypass of the isolated intranet segment. Extranet secondary domain name traffic is resolved through the CNAME alias to a Uniform Resource Locator (URL) of the cloud honeypot matrix, which in turn points to the Internet Protocol (IP) address where the cloud honeypot matrix environment runs, so the extranet access traffic is pulled into the data traffic interface. The interface stores the traffic for later replay analysis and display of the attack traffic, and forwards it to the traffic analysis probe so that it enters a more precisely matched honeypot environment.
Step S004: the traffic probe receives the data traffic forwarded by the data traffic interface in step S003, unpacks the data traffic label, and forwards the traffic to different cloud honeypot environments according to the label, realizing high-interaction honeypots. At the same time, the traffic probe analyzes the traffic session, replays the whole attack process from the traffic perspective, and synchronizes the analysis results to the cloud honeypot management monitoring platform for in-event monitoring and post-event replay. Specifically, the traffic probe strips the packet encapsulation layer by layer and, from the seven-tuple of the flow (source IP address, destination IP address, protocol number, source port, destination port, service type and interface index) together with decoding of the application layer protocol, obtains all the information contained in each attack process.
Step S005: after the cloud honeypot environment receives the traffic, the traffic enters the target cloud honeypot environment, which includes: network protocol and service honeypots (DNS, FTP, SSH, SMB, SMTP, etc.), common database services (MySQL, MongoDB, Redis, etc.), common office environments (mail, OA, CRM, etc.), common office host environments, and so on.
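The probe-side unpacking, label dispatch and seven-tuple session analysis of steps S004 and S005, as an added Python example; this is not the patent's code. It assumes the agent delivers one JSON record per packet carrying an integer label, a five-tuple and a hex payload, and that the interface index is known to the probe. LABEL_TO_ENV, PORT_SERVICE and the environment names are assumptions, since the patent's Table 1 is not reproduced on the page. Records whose label the matrix does not recognize go to a quarantine bucket rather than to any real environment, so a mislabelled or forged record cannot choose its own target.

```python
"""Added example: traffic-probe side of the cloud honeypot matrix.

Unpacks the label on each forwarded record, routes it to a honeypot
environment, and groups records into sessions keyed by the seven-tuple
the patent lists (source IP, destination IP, protocol number, source
port, destination port, service type, interface index). Hypothetical
code; the label table and environment names are assumptions."""
import json
from collections import defaultdict

# Assumed mapping. Table 1 of the patent is an image not reproduced here.
LABEL_TO_ENV = {1: "office-env", 2: "guest-env", 3: "conference-env",
                4: "datacenter-env", 5: "server-env"}
# Assumed service-type guess from destination port, used as the 6th tuple element.
PORT_SERVICE = {22: "ssh", 21: "ftp", 53: "dns", 445: "smb", 3306: "mysql", 6379: "redis"}
QUARANTINE = "quarantine"   # unknown labels never reach a real environment


class TrafficProbe:
    def __init__(self, label_to_env=LABEL_TO_ENV):
        self.label_to_env = label_to_env
        self.sessions = defaultdict(list)   # seven-tuple -> ordered payloads
        self.per_env = defaultdict(int)     # environment -> record count

    @staticmethod
    def unpack(raw):
        """Parse one record from the data traffic interface; reject malformed ones."""
        rec = json.loads(raw)
        t = rec.get("tuple", {})
        for key in ("src", "dst", "proto", "sport", "dport"):
            if key not in t:
                raise ValueError(f"record missing tuple field {key}")
        if not isinstance(rec.get("label"), int):
            raise ValueError("record missing integer label")
        return rec

    def dispatch(self, raw, interface_index=0):
        """Route one record; return the environment it was sent to."""
        rec = self.unpack(raw)
        env = self.label_to_env.get(rec["label"], QUARANTINE)
        t = rec["tuple"]
        key = (t["src"], t["dst"], t["proto"], t["sport"], t["dport"],
               PORT_SERVICE.get(t["dport"], "unknown"), interface_index)
        self.sessions[key].append(bytes.fromhex(rec.get("payload", "")))
        self.per_env[env] += 1
        return env

    def session_summaries(self):
        """What gets synchronised to the management platform: one summary per
        session, with packet and byte counts and the first payload for replay."""
        out = []
        for key, payloads in self.sessions.items():
            src, dst, proto, sport, dport, service, ifindex = key
            out.append({
                "src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport,
                "service": service, "ifindex": ifindex,
                "packets": len(payloads),
                "bytes": sum(len(p) for p in payloads),
                "first_payload": payloads[0][:32].decode("latin-1") if payloads else "",
            })
        return out


def make_record(label, src, dst, proto, sport, dport, payload):
    """Builds a record in the shape the intranet agent is assumed to send (constructed)."""
    return json.dumps({"label": label,
                       "tuple": {"src": src, "dst": dst, "proto": proto,
                                 "sport": sport, "dport": dport},
                       "payload": payload.hex()}).encode()


# Constructed sample stream: an SSH probe (two packets) to an office honeypot
# and one record carrying a label the matrix does not know.
SAMPLE = [
    make_record(1, "192.168.10.11", "192.168.10.13", 6, 51000, 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    make_record(1, "192.168.10.11", "192.168.10.13", 6, 51000, 22, b"\x00\x00\x04\x0c"),
    make_record(99, "192.168.10.11", "192.168.10.14", 6, 51002, 3306, b"\x0a5.7.0"),
]


def run_sample():
    probe = TrafficProbe()
    envs = [probe.dispatch(r) for r in SAMPLE]
    return envs, dict(probe.per_env), probe.session_summaries()


if __name__ == "__main__":
    for item in run_sample():
        print(item)
```

Keying sessions on the full seven-tuple, rather than on the five-tuple alone, is what lets the same source hit the same honeypot port over two different interfaces and still be replayed as two separate attack processes.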
Step S006: the cloud honeypot system forwards received, dropped or uploaded files to a binary dynamic sandbox system for deep binary-level dynamic analysis. This captures exploitation of 0-day or N-day vulnerabilities in time, performs packet capture analysis of the attack's C&C network communication, detects new vulnerabilities used by advanced persistent threat attacks, and retains the attack samples as a basis for later post-incident review.
Advanced persistent threat attacks have the following characteristic:
the attack behaviour is hard to characterize by signatures: access is obtained through a 0-day or N-day vulnerability and remote control is carried out through an unknown Trojan, whereas traditional detection equipment based on feature matching must first capture a malicious code sample, extract its features and only then identify the attack by those features, so it is inherently lagging. To address this, the system captures samples suspected of exploiting 0-day/N-day vulnerabilities in real time and runs the malicious samples through binary dynamic sandbox analysis to obtain their execution behaviour, so that the attack target is brought into the scope of continuous monitoring in advance.
Step S007: a cloud honeypot management monitoring platform is established to carry out unified monitoring and management of traffic storage and analysis results and of attack processes and results, to perform in-event and post-event analysis, to display and analyze the alarm logs of the binary dynamic analysis sandbox, and to deploy defensive measures so that incidents are prevented before they occur.
In this embodiment, only a lightweight honeypot deployment is needed on the client side (intranet and extranet), and no real honeypot environment has to be deployed in the client's environment. On the intranet, only an idle IP segment needs to be reserved and the client software installed; on the extranet, only CNAME alias records (for several idle secondary domain names) need to be added to the DNS configuration. The cloud honeypot system is maintained in the cloud, so cost is low and maintenance and extension are easy. The client's intranet environment is completely isolated, which prevents an attacker from penetrating further into the intranet through the honeypots during lateral movement, a risk of the traditional in-intranet honeypot deployment model. The scheme is therefore safe and reliable. The overall architecture of this embodiment traps and traces attack behaviour of higher complexity and longer duration (such as APT attacks), can display and analyze it across multiple dimensions such as traffic packets, protocols, sessions, samples, attack paths, attack techniques, attack results and scope of impact, and thereby supports advance deployment of defences, in-event monitoring and post-event review.
The honeypot system acts as a disguised attack target (with preset easy-to-attack attributes), and the traffic data and file data entering and leaving the honeypot system are reconstructed and analyzed over a long period, so that all high-complexity, long-duration attack behaviour can be mirrored, suspicious behaviour can be discovered and warned about early, and the complete execution process of the attack can be searched in the data and replayed. Trapping and tracing of attack behaviour is thus achieved.
An embodiment of the present invention further provides a honeypot deployment apparatus, as shown in fig. 2, including a memory 21, a processor 22, and a computer program stored on the memory 21 and capable of running on the processor 22; the processor 22, when executing the program, implements the cloud honeypot deployment method described above.
In some embodiments, the processor 22 is configured to allocate an idle intranet IP address to the honeypot service, tag intranet IP traffic, and redirect the intranet IP traffic to a data traffic interface of a cloud honeypot matrix; setting a CNAME value of a second-level domain name of a target network, labeling access flow of the domain name, and redirecting to a data flow interface of a cloud honeypot matrix; and receiving the data traffic forwarded from the data traffic interface by using the traffic probe, and forwarding the traffic to different cloud honey pot environments according to different labels.
In some embodiments, the processor 22 is further configured to receive the data traffic forwarded by the data traffic interface, unpack a label of the data traffic, and forward the traffic to different cloud honeypot environments according to a difference in the label.
In some embodiments, the processor 22 is further configured to analyze the traffic session and synchronize the analysis results to the cloud honeypot management monitoring platform.
In some embodiments, the processor 22 is further configured to forward received, dropped or uploaded files to the binary dynamic analysis sandbox for binary-level dynamic analysis.
An embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the above-mentioned honeypot deployment method.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media such as modulated data signals and carrier waves.
While the foregoing is directed to the preferred embodiment of the present invention, it will be appreciated by those skilled in the art that various changes and modifications may be made therein without departing from the principles of the invention as set forth in the appended claims.

Claims (11)

1. A cloud honeypot deployment system, comprising:
a cloud honeypot traffic forwarding client, deployed in an isolated intranet segment, configured to allocate idle intranet IP addresses to honeypot services, label the intranet IP traffic and redirect it to a data traffic interface of a cloud honeypot matrix;
a domain name traffic forwarding server, deployed on the extranet, configured to set a CNAME value of a secondary domain name of a target network, label access traffic to that domain name and redirect it to the data traffic interface of the cloud honeypot matrix;
and the cloud honeypot matrix, configured to receive the data traffic forwarded from the data traffic interface using a traffic probe and forward the traffic to different cloud honeypot environments according to the label.
2. The cloud honeypot deployment system of claim 1, wherein the traffic probe is configured to receive data traffic forwarded by the data traffic interface, unpack labels of the data traffic, and forward the traffic to different cloud honeypot environments according to the labels.
3. The cloud honeypot deployment system of claim 1 wherein the traffic probe is further configured to analyze traffic sessions and synchronize analysis results to a cloud honeypot management monitoring platform.
4. The cloud honeypot deployment system of claim 1, wherein the cloud honeypot environment comprises at least one of:
a network protocol and service honeypot;
a database service honeypot;
an office environment honeypot;
a work host environment honeypot;
a guest environment honeypot;
a conference environment honeypot.
5. The cloud honeypot deployment system of claim 1, further comprising:
a cloud sandbox configured to forward received, dropped or uploaded files to a binary dynamic analysis sandbox for binary-level dynamic analysis.
6. A cloud honeypot deployment method applied to the cloud honeypot deployment system of any one of claims 1-5, the method comprising:
the cloud honeypot traffic forwarding client allocates idle intranet IP addresses to honeypot services, labels the intranet IP traffic and redirects it to the data traffic interface of the cloud honeypot matrix;
the domain name traffic forwarding server sets the CNAME value of a secondary domain name of the target network, labels access traffic to that domain name and redirects it to the data traffic interface of the cloud honeypot matrix;
the cloud honeypot matrix receives the data traffic forwarded from the data traffic interface using the traffic probe and forwards the traffic to different cloud honeypot environments according to the label.
7. The cloud honeypot deployment method of claim 6, further comprising:
the traffic probe receives the data traffic forwarded by the data traffic interface, unpacks the label of the data traffic, and forwards the traffic to different cloud honeypot environments according to the label.
8. The cloud honeypot deployment method of claim 6, further comprising:
the traffic probe analyzes the traffic session and synchronizes the analysis results to the cloud honeypot management monitoring platform.
9. The cloud honeypot deployment method of claim 6, further comprising:
the cloud sandbox forwards received, dropped or uploaded files to the binary dynamic analysis sandbox for binary-level dynamic analysis.
10. A honeypot deployment device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor; wherein the processor, when executing the program, implements the cloud honeypot deployment method of any of claims 6-9.
11. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method for cloud honeypot deployment according to any one of claims 6-9.
Application CN202110876373.5A, priority date 2021-07-29, filing date 2021-07-29, title: Cloud honeypot deployment method, device and system; status: Pending.
Publication CN115694861A, published 2023-02-03.
Family ID: 85060061
Country: CN (CN115694861A)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117061253A * 2023-10-12 2023-11-14 南京赛宁信息技术有限公司 Detection method and system for dynamically deploying honeypots
CN117061253B * 2023-10-12 2023-12-22 南京赛宁信息技术有限公司 Detection method and system for dynamically deploying honeypots


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination