CN115694928A - Cloud honeypot of whole-ship computing environment, attack event perception and behavior analysis method - Google Patents


Info

Publication number
CN115694928A
Authority
CN
China
Prior art keywords
honeypot
service
attack
module
data
Legal status
Pending
Application number
CN202211267529.0A
Other languages
Chinese (zh)
Inventor
杜祖升
Current Assignee
709th Research Institute of CSSC
Original Assignee
709th Research Institute of CSSC

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a cloud honeypot for a whole-ship computing environment, together with an attack event perception method and an attack behavior analysis method, and belongs to the field of data security. The cloud honeypot comprises: a link gateway, a TCP/UDP protocol parsing and authentication engine, a data analysis engine, a honeypot simulation computing service node, a honeypot simulation storage node and a proxy gateway, where the honeypot simulation computing service node and the honeypot simulation storage node together form a virtual computing and storage environment. The invention constructs, inside the whole-ship computing environment, a honeypot that combines the advantages of a real-system honeypot and a pseudo-system honeypot and lures attackers into attacking it, so that attack behavior can be captured and analyzed, the tools and methods used by the attacker learned, the attack intent and motivation inferred, and the defender given a clear picture of the security threats it faces. The invention solves the problem of capturing and analyzing unknown, novel attack techniques when real-time enablement from the Internet cloud (threat intelligence) cannot be obtained, thereby strengthening the security protection of the real system.

Description

Cloud honeypot of whole-ship computing environment, attack event perception and behavior analysis method
Technical Field
The invention belongs to the field of data security and in particular relates to a cloud honeypot for a whole-ship computing environment, an attack event perception method and an attack behavior analysis method.
Background
As network attack techniques advance, the limitations and fragility of the traditional firewall, whose rule system is built on known threats, become ever more obvious: if an intruder launches a new form of attack, the firewall has no matching rule, exists in name only, and the system it protects is compromised. Technicians therefore need a honeypot to record the intruder's actions and intrusion data, so that new rules can be added to the firewall or manual defence carried out when necessary. Honeypot technology deploys hosts, network services or information as bait to lure attackers, so that attack behavior can be captured and analyzed, the tools and methods used by the attacker learned, the attack intent and motivation inferred, and the defender given a clear picture of the security threats it faces; the protection of the real system is then strengthened through technical and management means.
Honeypots can be divided into real-system honeypots and pseudo-system honeypots. A real-system honeypot is the most realistic kind: it runs a real system carrying real, exploitable vulnerabilities, which also makes it the most dangerous, since every intrusion produces a real reaction of the system (overflow, penetration, privilege capture and so on); in return it records the most faithful intrusion information. A pseudo-system honeypot is not a platform of its own: the administrator uses the strong imitation capability of certain tool programs to present "vulnerabilities" for the intruder to attack, so that even when the "penetration" succeeds the intruder is merely wandering inside a program framework, working blindly within an illusion the program has built, and is thereby tracked and recorded.
In existing cloud honeypot technology, one method screens out untrusted processes from all currently running processes, injects a hook function into each untrusted process, obtains its function-call records and function-execution records, traverses them, and identifies whether the untrusted process is risky. Another method compares the socket sent by a user with sockets pre-registered in the honeypot system: as long as the user's socket belongs to the pre-registered set, it can be identified whether the user's access request spawns a malicious process. Neither method can link threat intelligence at the first moment, so neither can predict or prevent the threat of unknown, novel attack techniques.
A whole-ship computing environment, also known as a Total Ship Computing Environment (TSCE), is a private cloud that, taking the network as its centre and building on an open system architecture and commercial off-the-shelf technology, integrates all the sensor and weapon resources of a modern naval vessel, in wartime and in peacetime, with the various operational functions and basic data of the command-and-control system and the vessel platform management system. Being a private cloud, it is exposed to security threats from both inside and outside the system. Unlike an ordinary private cloud, however, the whole-ship computing environment is physically isolated from the Internet, so threat intelligence cannot be obtained from the Internet in real time. A cloud honeypot technology for the whole-ship computing environment is therefore needed which, without real-time enablement from the Internet cloud, captures and analyzes unknown attack behavior, learns the tools and methods used by attackers, infers attack intent and motivation, and gives the defender a clear picture of the security threats it faces, so as to strengthen the security protection of the real system.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a cloud honeypot for a whole-ship computing environment together with an attack event perception method and an attack behavior analysis method, with the aim of capturing and analyzing unknown, novel attack techniques when real-time enablement from the Internet cloud cannot be obtained, thereby strengthening the security protection of the real system.
To achieve the above object, in a first aspect, the invention provides a cloud honeypot for a whole-ship computing environment, comprising: a link gateway, a TCP/UDP protocol parsing and authentication engine, a data analysis engine, a honeypot simulation computing service node, a honeypot simulation storage node and a proxy gateway, where the honeypot simulation computing service node and the honeypot simulation storage node together form a virtual computing and storage environment;
the link gateway provides a point-to-point RDP connection for each terminal in the whole-ship computing environment;
the TCP/UDP protocol parsing and authentication engine parses and authenticates the information and service requests coming from the link gateway: legitimate accesses are passed on to the proxy gateway, while the traffic of an attacker performing illegal access or an attack is redirected to the virtual computing and storage environment, where the attacker's illegal activity is monitored and detected, and the attack and illegal-access data are sent to the data analysis engine;
the data analysis engine detects, in bypass (out-of-band) mode and in real time, the application traffic passing through the virtual computing and storage environment, records the traffic and performs application-layer analysis on it, matches the parsed application data against a feature library, and discovers server-vulnerability attack behavior present in the data stream; an out-of-privilege behavior may be suspected to be an attack exploiting an unknown vulnerability; for attack behavior identified in the application traffic, it performs domain-name/process relation-chain association to produce evidence and submits the result to the operations and maintenance (O&M) management terminal for interpretation and for cutting off the attack chain;
the honeypot simulation computing service node responds to an attacker's computing service requests and provides the attacker with non-real computing services, namely virtual computing services based on simulated honeypot resources covering infrastructure, platform and software, in which the attacker can create virtual machines, build applications and service platforms, and use applications inside the honeypot; all access requests initiated from the honeypot simulation service node are directed to the honeypot simulation computing service node and the honeypot simulation storage node and answered there, so that the attacker mistakenly believes real computing services have been obtained;
the honeypot simulation storage node responds to an attacker's data read/write requests and provides non-real structured data, so that the attacker mistakenly believes that real data have been stolen and a real storage service obtained;
the proxy gateway further authenticates the messages already authenticated by the TCP/UDP protocol parsing and authentication engine and gives finally authenticated users real access to the cloud service platform of the whole-ship computing environment.
Preferably, the honeypot simulation computing service nodes are deployed to mirror the cloud service platform of the whole-ship computing environment and provide three service modes;
the three services provided by the honeypot simulation computing service node are: Infrastructure as a Service (IaaS), which virtualizes computing resources such as virtual machines, storage, networks and operating systems for the attacker; Platform as a Service (PaaS), which gives the attacker a platform on which to build applications and service platforms, with an on-demand development environment; and Software as a Service (SaaS), which provides the attacker with applications that run and access data inside the honeypot;
the computing resources, applications and service platform are laid out according to the cloud service platform of the whole-ship computing environment, but their data and algorithms are all desensitized (classified content removed), and the data they can access are confined to the honeypot simulation storage node;
the data structure of the honeypot simulation storage node follows the cloud service platform of the whole-ship computing environment; sensitive data are produced by modifying and desensitizing the real data of the cloud service platform, and the basic database of the whole-ship computing environment is provided so as to simulate the cloud storage service.
It should be noted that the invention deceives the attacker along the full chain of the attack process: the attacker believes a real system is being attacked and obtains confusing "real" services and data, which consumes the attacker's time and energy and buys time for accurate capture and remediation.
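The storage node above has to satisfy two goals at once: the decoy database must keep the real schema and referential structure (so an attacker comparing tables sees nothing inconsistent), while no real sensitive value may survive. One way to do this is keyed, format-preserving replacement of sensitive columns. The block below is an added illustration, not code from the patent; the schema, the rows, the key and the choice of which columns are sensitive are all constructed for the example.

```python
"""Desensitize real records into decoys for a honeypot storage node.

Added example, not from the patent. The tables, rows, key and sensitivity
policy below are invented for illustration. Each sensitive value is replaced
with a format-preserving value derived from an HMAC keyed with an
operator-held secret: the same real value always maps to the same decoy, so
foreign keys across tables stay consistent, but the attacker cannot invert or
reproduce the mapping.
"""
import hashlib
import hmac

DESENS_KEY = b"operator-secret-rotated-out-of-band"  # assumption: operator-held key

# (table, column) -> value domain. Columns sharing a domain map identically,
# which is what keeps foreign keys consistent. Assumed policy, not the patent's.
SENSITIVE = {
    ("crew", "name"): "person_name",
    ("crew", "id_number"): "person_id",
    ("assignment", "crew_id"): "person_id",
}

# Constructed sample rows in the "real" schema.
CREW = [
    {"id_number": "320102199001011234", "name": "Li Wei", "rank": "LT"},
    {"id_number": "320102198812120987", "name": "Zhang Min", "rank": "CPO"},
]
ASSIGNMENTS = [
    {"crew_id": "320102199001011234", "station": "CIC-3"},
    {"crew_id": "320102198812120987", "station": "ENG-1"},
]


def _digest(domain, value):
    """Keyed digest of a value within its domain (domain prevents cross-domain reuse)."""
    msg = f"{domain}:{value}".encode()
    return hmac.new(DESENS_KEY, msg, hashlib.sha256).digest()


def _preserve_format(value, digest):
    """Replace every digit with a digit and every letter with a letter drawn
    from the digest; case, length and separators are unchanged."""
    out = []
    for i, ch in enumerate(value):
        b = digest[i % len(digest)]
        if ch.isdigit():
            out.append(str(b % 10))
        elif ch.isalpha():
            letter = chr(ord("a") + b % 26)
            out.append(letter.upper() if ch.isupper() else letter)
        else:
            out.append(ch)
    return "".join(out)


def desensitize_rows(table, rows):
    """Return decoy rows: sensitive columns replaced, others copied verbatim."""
    out = []
    for row in rows:
        new = dict(row)
        for col, val in row.items():
            domain = SENSITIVE.get((table, col))
            if domain is not None:
                new[col] = _preserve_format(val, _digest(domain, val))
        out.append(new)
    return out


def leaked_values(real_rows, decoy_rows, table):
    """Sensitive values that survived unchanged; must be empty before deployment."""
    leaks = []
    for real, decoy in zip(real_rows, decoy_rows):
        for (t, col) in SINSITIVE_COLUMNS(table):
            if real[col] == decoy[col]:
                leaks.append((col, real[col]))
    return leaks


def SINSITIVE_COLUMNS(table):
    """Helper: (table, column) pairs of the policy that belong to `table`."""
    return [key for key in SENSITIVE if key[0] == table]


if __name__ == "__main__":
    crew = desensitize_rows("crew", CREW)
    asg = desensitize_rows("assignment", ASSIGNMENTS)
    print(crew, asg, leaked_values(CREW, crew, "crew"))
```

The deployment check is `leaked_values`: if it returns anything, the decoy must not be shipped. Because the key never enters the honeypot, capturing the decoy database yields nothing about the real one; rotating the key produces a fresh, internally consistent decoy.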
Preferably, the link gateway consists of an aggregation (convergence) module, an RDP module, a NAP module and an NP module;
the aggregation module aggregates the data of several externally connected physical ports onto a single port and sends it to the data analysis engine;
the RDP module converts information and service requests;
the NAP module enforces health requirements on terminals accessing the whole-ship computing environment according to preset rules, covering hardware requirements, security-update requirements, required computer configuration and other settings;
the NP module divides information and service requests into three classes according to the processing results of the PDP module and the NAP module and sends the marked requests to the TCP/UDP protocol parsing and authentication engine. The classification rule is: requests sent by authenticated devices inside the whole-ship computing environment system are marked class A; requests sent by devices outside the system that satisfy the authentication conditions are marked class B; all other requests are marked class C.
Preferably, the data analysis engine mirrors each packet to be inspected into an inspection queue, scans and inspects the queued packets during detection, and temporarily passes or blocks the various information and service requests according to instructions from the O&M management terminal:
the scan detection includes judging whether the terminal has the corresponding service access privilege, by determining the ownership of the visitor's IP address and checking the terminal's health condition.
Preferably, the TCP/UDP protocol parsing and authentication engine consists of a protocol identification module, an encrypted-protocol brute-force (blasting) module, a protocol parsing module and a data processing module;
the protocol identification module identifies the information and service requests coming from the link gateway, passes encrypted protocols to the encrypted-protocol brute-force module, and sends unencrypted protocols directly to the protocol parsing module;
the encrypted-protocol brute-force module determines the login authentication state of an encrypted protocol with a multi-feature model, judging whether a login succeeded from a combination of session duration, protocol interaction, traffic volume and the tool used; fingerprint-based abnormal-login detection identifies non-standard-program logins, brute-force logins and vulnerability-exploitation logins; once the login state has been identified, a low-and-slow brute-force detection engine based on serialization over multi-scale time windows identifies concealed low-rate brute-force behavior;
the data processing module classifies the identified information and service requests, immediately redirects the traffic of an attacker performing illegal access or an attack to the virtual computing and storage environment, monitors and detects the illegal activity, and sends the attack and illegal-access data to the data analysis engine;
the data processing module also receives instructions from the data analysis engine and applies exception exclusions to information and service requests as instructed by the O&M management terminal.
Preferably, the proxy gateway includes an identity authentication module, an access control module and a resource proxy module;
the resource proxy module establishes and maintains the proxy gateway tunnel and sends and receives data;
the identity authentication module performs multi-factor binding authentication using hybrid authentication, including username and password, LDAP/AD and hardware feature-code authentication;
the access control module admits to the cloud service platform only those accesses that satisfy all the authentication modes required by the security policy, and refuses service to attack events.
To achieve the above object, in a second aspect, the invention provides an attack event perception method applied to the cloud honeypot of the first aspect, comprising:
the link gateway defines the access of any terminal whose health condition does not meet the requirements as an attack event;
the TCP/UDP protocol parsing and authentication engine parses and authenticates information and service requests and defines four types of abnormal login (non-standard-program login, brute-force login, low-and-slow brute-force login and vulnerability-exploitation login) as attack events;
the data analysis engine judges the legitimacy of an access from the IP address, the device MAC address and the related hardware ID number, and defines illegal access as an attack event;
the proxy gateway uses hybrid authentication, including username and password, LDAP/AD and hardware feature-code authentication, combined with information from the O&M management terminal, to judge the legitimacy of an access, and defines illegal access as an attack event.
Preferably, all accesses for which an exception exclusion has been added are allowed normal access to the cloud service platform of the whole-ship computing environment; exception exclusions are added through the O&M management terminal and cover an event, a message and a source terminal.
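The link gateway's A/B/C marking, the data analysis engine's IP/MAC/hardware-ID legitimacy check and the O&M exception exclusions described above amount to one decision function over a static device registry, which the whole-ship environment makes feasible because addresses are statically allocated and hardware identifiers are fixed. The block below is an added example, not the patent's code: the registry entries, the health-policy values, the field names and the `Request` type are all constructed for illustration.

```python
"""Attack event perception over a static device registry.

Added example, not from the patent. REGISTRY, HEALTH_POLICY and the sample
requests are invented. Class A = authenticated device inside the system,
class B = external device meeting the authentication conditions, class C =
everything else; class C is an attack event unless the O&M terminal has
registered an exception exclusion for that (reason, source terminal).
"""
from __future__ import annotations

from dataclasses import dataclass

# Static (ip, mac, hw_id) bindings; in the TSCE these are fixed, so a mismatch
# against the registry points at spoofing rather than at DHCP churn.
REGISTRY = {
    "10.1.1.10": {"mac": "00:1a:2b:3c:4d:10", "hw_id": "HW-0010", "internal": True},
    "10.1.1.11": {"mac": "00:1a:2b:3c:4d:11", "hw_id": "HW-0011", "internal": True},
    "10.1.9.50": {"mac": "00:1a:2b:3c:4d:50", "hw_id": "HW-0050", "internal": False},
}

# Assumed NAP health policy (the patent names the categories, not the values).
HEALTH_POLICY = {"min_patch_level": 12, "allowed_os": {"linux-5.10", "win10-21h2"}}


@dataclass(frozen=True)
class Request:
    src_ip: str
    mac: str
    hw_id: str
    os_build: str
    patch_level: int
    agent_running: bool


def nap_health_problems(req: Request) -> list[str]:
    """Violated health requirements; an empty list means the terminal is healthy."""
    problems = []
    if req.os_build not in HEALTH_POLICY["allowed_os"]:
        problems.append("os_build")
    if req.patch_level < HEALTH_POLICY["min_patch_level"]:
        problems.append("patch_level")
    if not req.agent_running:
        problems.append("agent")
    return problems


def identity_problems(req: Request) -> list[str]:
    """Check the static (ip, mac, hw_id) binding against the registry."""
    entry = REGISTRY.get(req.src_ip)
    if entry is None:
        return ["unregistered_ip"]
    problems = []
    if entry["mac"].lower() != req.mac.lower():
        problems.append("mac_mismatch")
    if entry["hw_id"] != req.hw_id:
        problems.append("hw_id_mismatch")
    return problems


def classify(req: Request) -> tuple[str, list[str]]:
    """NP-module style marking: ("A"|"B"|"C", reasons for C)."""
    reasons = identity_problems(req) + nap_health_problems(req)
    if reasons:
        return "C", reasons
    return ("A" if REGISTRY[req.src_ip]["internal"] else "B"), []


def is_attack_event(req: Request, exceptions=frozenset()) -> bool:
    """Class C is an attack event unless every reason is excluded for this terminal."""
    cls, reasons = classify(req)
    if cls != "C":
        return False
    return any((r, req.src_ip) not in exceptions for r in reasons)


# Constructed sample requests.
HEALTHY_INTERNAL = Request("10.1.1.10", "00:1a:2b:3c:4d:10", "HW-0010", "linux-5.10", 14, True)
EXTERNAL_OK = Request("10.1.9.50", "00:1A:2B:3C:4D:50", "HW-0050", "win10-21h2", 12, True)
SPOOFED = Request("10.1.1.11", "00:1a:2b:3c:4d:99", "HW-0011", "linux-5.10", 14, True)
STALE = Request("10.1.1.11", "00:1a:2b:3c:4d:11", "HW-0011", "linux-5.10", 9, True)

if __name__ == "__main__":
    for r in (HEALTHY_INTERNAL, EXTERNAL_OK, SPOOFED, STALE):
        print(r.src_ip, classify(r), is_attack_event(r))
    # Emergency exclusion from the O&M terminal lets the unpatched terminal in.
    print(is_attack_event(STALE, {("patch_level", "10.1.1.11")}))
```

Exceptions are keyed on the concrete reason and the source terminal, so an O&M exclusion for an unpatched emergency terminal does not also silence a MAC mismatch from the same address.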
To achieve the above object, in a third aspect, the invention provides an attack behavior analysis method applied to the cloud honeypot of the first aspect, comprising:
all access traffic redirected to the honeypot simulation computing service node and the honeypot simulation storage node is regarded as attack behavior;
by analyzing that access traffic, the attacker's device fingerprint and social fingerprint are obtained, an accurate attacker profile is drawn, and the attack chain and the attacker's behavior are traced and analyzed.
To achieve the above object, in a fourth aspect, the invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, performs the steps of the methods described above.
Generally, compared with the prior art, the technical solution conceived by the invention has the following beneficial effects:
(1) The invention provides a cloud honeypot for a whole-ship computing environment consisting of a link gateway, a TCP/UDP protocol parsing and authentication engine, a data analysis engine, a honeypot simulation computing service node, a honeypot simulation storage node and a proxy gateway, which captures and analyzes unknown, novel attack techniques and uses deception to strengthen the protection of the data of the whole-ship computing environment. The data analysis engine performs real-time bypass (out-of-band) detection of traffic to detect and judge attack behavior; by constructing honeypot simulation computing service and storage nodes, the intruder is tracked and recorded while the real system is protected from intrusions such as overflow, penetration and privilege capture; because the honeypot simulation nodes are built from the real application environment but their accessible resources are confined within the simulation nodes, they can provide realistic computing services that simulate the cloud platform of the whole-ship computing environment. The attacker is thus deceived along the whole attack chain, believes a real system is under attack, and receives confusing "real" services and data, which consumes the attacker's time and energy and buys time for accurate capture and remediation.
(2) The invention provides an attack event perception method which, through terminal health checks, parsing and authentication of information and service requests, and hybrid authentication, perceives illegal-terminal logins, non-standard-program logins, brute-force logins, low-and-slow brute-force logins and vulnerability-exploitation logins, and thereby identifies attack events. To keep emergency access devices and services running, the O&M manager can add exception exclusion rules and exclude non-attack events, messages and source terminals that would otherwise fall foul of the rules.
(3) The invention provides an attack behavior analysis method. Under the technical solution of the invention, all access traffic redirected to the honeypot simulation computing service node and the honeypot simulation storage node is regarded as attack behavior. Because the whole-ship computing environment consists of a limited set of devices, with relatively fixed physical links, statically allocated IP addresses, and a limited, fixed set of device MAC addresses and related hardware ID numbers, analysis of the access traffic yields the attacker's device fingerprint and social fingerprint, an accurate attacker profile is drawn, and the attack chain and the attacker's behavior are traced and analyzed.
Drawings
Fig. 1 is a schematic diagram of a cloud honeypot in a whole-ship computing environment according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of an operating principle of a link gateway according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of a TCP/UDP protocol parsing authentication engine according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention constructs, inside the whole-ship computing environment, a honeypot that combines the advantages of a real-system honeypot and a pseudo-system honeypot and lures attackers into attacking it, so that attack behavior can be captured and analyzed, the tools and methods used by the attacker learned, the attack intent and motivation inferred, and the defender given a clear picture of the security threats the real system faces. The aim is to capture and analyze unknown, novel attack techniques when real-time enablement from the Internet cloud cannot be obtained, thereby strengthening the security protection of the real system.
Fig. 1 is a schematic diagram of a whole-ship computing environment cloud honeypot provided by an embodiment of the present invention. As shown in fig. 1, the cloud honeypot of the whole-ship computing environment is composed of a link gateway, a TCP/UDP protocol parsing and authenticating engine, a data analysis engine, a honeypot simulation computing service node, a honeypot simulation storage node and a proxy gateway. The honeypot simulation computing service node and the honeypot simulation storage node are used for constructing a virtual computing storage environment.
Fig. 2 is a schematic diagram of the operating principle of the link gateway according to an embodiment of the invention. As shown in fig. 2, the link gateway consists of an aggregation (convergence) module, a Remote Display Protocol (RDP) module, a Network Access Protection (NAP) module and a Network Processor (NP) module, and provides a point-to-point RDP connection rather than letting a remote user reach all internal network resources. The aggregation module aggregates the data of several externally connected physical ports onto a single port and sends it to the data analysis engine for bypass detection. The RDP module completes the conversion of information and service requests. The NAP module enforces health requirements on terminals accessing the whole-ship computing environment according to preset rules, covering hardware requirements, security-update requirements, required computer configuration and other settings. The link gateway answers every connection request and obtains the requested information and services on behalf of the data source. The NP module divides information and service requests into three classes according to the processing results of the PDP module and the NAP module, with the rule: requests sent by authenticated devices inside the whole-ship computing environment system are marked class A; requests sent by devices outside the system that satisfy the authentication conditions are marked class B; all other requests are marked class C. The marked information and service requests are sent to the TCP/UDP protocol parsing and authentication engine.
Fig. 3 is a schematic diagram of the TCP/UDP protocol parsing and authentication engine according to an embodiment of the invention. As shown in fig. 3, the engine consists of a protocol identification module, an encrypted-protocol brute-force module, a protocol parsing module and a data processing module; it parses and authenticates information and service requests and, together with the data analysis engine's verdict on the bypass data, provides real service through the proxy gateway to the cloud service platform for requests that satisfy the rules. The working process is as follows. The protocol identification module identifies the information and service requests coming from the link gateway; encrypted protocols are processed by the encrypted-protocol brute-force module and then passed to the protocol parsing module, while unencrypted protocols enter the protocol parsing module directly. The encrypted-protocol brute-force module determines the login authentication state of an encrypted protocol with a multi-feature model, judging whether a login succeeded from multi-dimensional features such as session duration, protocol interaction, traffic volume and the tool used; fingerprint-based abnormal-login detection identifies abnormal logins such as non-standard-program logins, brute-force logins and vulnerability-exploitation logins; once the login state has been identified, a low-and-slow brute-force detection engine based on serialization over multi-scale time windows identifies concealed low-rate brute-force behavior.
The data processing module classifies the identified information and service requests and immediately redirects the traffic of an attacker performing illegal access or an attack to the virtual computing and storage environment of the cloud honeypot, so that the attacker mistakenly believes a real service system has been found and attempts illegal operations such as privilege escalation against the simulated services and hosts, which delays the attacker's progress. At the same time the illegal activity is monitored and detected, and the attack and illegal-access data are sent to the data analysis engine for analysis and evidence collection. The data processing module also receives instructions from the data analysis engine and applies exception exclusions to information and service requests as instructed by the O&M management terminal.
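The encrypted-protocol module described in the "Preferably" clause above and again with fig. 3 makes two decisions per session: whether a login succeeded, inferred from side-channel features because the payload is encrypted, and whether the source is brute-forcing, including the low-and-slow case that a single short window never catches. The block below is an added example, not the patent's engine: the SSH session summaries, the client whitelist, the success heuristic thresholds and the window sizes are all constructed for illustration.

```python
"""Login-state inference and multi-scale brute-force detection for an
encrypted protocol (SSH). Added example, not from the patent; all thresholds,
banners and session records are invented."""
from collections import deque

# Assumed whitelist of standard clients; anything else is a "non-standard
# program login" fingerprint hit.
STANDARD_CLIENTS = {"SSH-2.0-OpenSSH_8.4", "SSH-2.0-PuTTY_Release_0.76"}

# (name, span in seconds, failure threshold). The long windows catch a
# low-and-slow source that stays under every short-window threshold.
WINDOWS = (("1m", 60, 10), ("10m", 600, 30), ("1h", 3600, 60), ("24h", 86400, 200))


def login_succeeded(session):
    """Multi-feature success heuristic: a failed password login closes quickly
    with little data either way; an interactive session lives longer and moves
    more bytes. Thresholds are assumptions for the example."""
    return (session["duration_s"] >= 5
            and session["client_bytes"] >= 2000
            and session["server_bytes"] >= 4000)


def nonstandard_client(session):
    return session["client_banner"] not in STANDARD_CLIENTS


class MultiScaleBruteForceDetector:
    """Keeps one sliding window of failure timestamps per (source, window)."""

    def __init__(self, windows=WINDOWS):
        self.windows = windows
        self._fails = {}

    def observe(self, session):
        """Feed one session summary (ascending time); return the names of the
        windows whose failure threshold is met after this session."""
        if login_succeeded(session):
            return []
        t, src = session["t"], session["src"]
        alerts = []
        for name, span, threshold in self.windows:
            q = self._fails.setdefault((src, name), deque())
            q.append(t)
            while q and t - q[0] > span:
                q.popleft()
            if len(q) >= threshold:
                alerts.append(name)
        return alerts


def make_attempt(t, src, banner="SSH-2.0-OpenSSH_8.4", success=False):
    """Constructed session summary as the parser would emit it."""
    if success:
        return dict(t=t, src=src, duration_s=600, client_bytes=20000,
                    server_bytes=80000, client_banner=banner)
    return dict(t=t, src=src, duration_s=2, client_bytes=900,
                server_bytes=1200, client_banner=banner)


def first_alert(sessions):
    """Index of the first session that trips any window, and which windows."""
    det = MultiScaleBruteForceDetector()
    for i, s in enumerate(sessions):
        hits = det.observe(s)
        if hits:
            return i, hits
    return None


# Constructed scenarios: one failure every 100 s (never 10 in a minute) versus
# one every 3 s.
SLOW = [make_attempt(100 * i, "10.1.9.77", banner="SSH-2.0-paramiko_2.7.2")
        for i in range(260)]
FAST = [make_attempt(3 * i, "10.1.9.78") for i in range(20)]

if __name__ == "__main__":
    print("slow:", first_alert(SLOW), "non-standard client:", nonstandard_client(SLOW[0]))
    print("fast:", first_alert(FAST))
```

The slow source is only caught by the 24-hour window, at its 200th failure, while the fast one trips the one-minute window at its tenth; a detector with only the short window would report the second and miss the first entirely, which is the point of serializing the same failure stream over several scales.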
The data analysis engine uses bypass (out-of-band) detection: each packet to be inspected is mirrored into an inspection queue, and the detection process scans and inspects the queued packet without affecting the forwarding performance of the original packet. The engine inspects, in real time and in bypass mode, the application traffic passing through the cloud honeypot of the whole-ship computing environment, performs application-layer analysis on it, matches the parsed application data against a feature library, and discovers server-vulnerability attack behavior present in the data stream. The traffic is parsed syntactically and the corresponding semantic features are extracted, such as dangerous function calls and class declarations; using a syntax tree raises the accuracy of feature extraction, since it is not confused by comments and is easily able to withstand the various obfuscations used to evade detection, so that false positives and false negatives are markedly reduced compared with traditional rule matching. Because the privileges of each service role in the whole-ship computing environment are clearly defined and their behavior is known, an out-of-privilege behavior can be suspected to be an attack exploiting an unknown vulnerability. For attack behavior identified in the application traffic, domain-name/process relation-chain association is performed to produce evidence, which is submitted to O&M personnel for interpretation and for cutting off the attack chain. The feature library is extensible and contains the feature items needed for service identification, including but not limited to a vulnerability signature library, an IPS signature library, a URL classification library, an APR signature library, an antivirus signature library, a WAF signature library, an IP reputation library, a URL reputation library and a domain-name reputation library. The data analysis engine judges whether a terminal has the corresponding service access privilege mainly by determining the ownership of the visitor's IP address and checking the terminal's health condition, and temporarily passes or blocks the three classes of information and service requests according to instructions from the O&M management terminal.
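The claim above, that syntax-tree feature extraction is not confused by comments and resists the obfuscations that defeat rule matching, is easy to demonstrate on a concrete payload. The block below is an added example, not the patent's analysis engine: it treats a captured request body as Python source, resolves import aliases while walking the AST, and matches the extracted call names against a small stand-in feature library of dangerous sinks; the payloads, the library contents and the regex rule it is compared against are all constructed.

```python
"""Syntactic feature extraction versus regex rule matching on captured payloads.

Added example, not from the patent. DANGEROUS_CALLS stands in for the feature
library; the three payloads are constructed to show a comment-induced false
positive and an alias-induced false negative of the regex rule."""
import ast
import re

# Stand-in feature library of dangerous sinks (assumed, not the patent's).
DANGEROUS_CALLS = {"eval", "exec", "os.system", "os.popen",
                   "subprocess.Popen", "subprocess.run", "subprocess.call"}


class SinkExtractor(ast.NodeVisitor):
    """Collect (qualified callee name, line) for every call, resolving
    `import x as y` and `from x import y as z` aliases statically."""

    def __init__(self):
        self.aliases = {}   # local name -> qualified name
        self.calls = []

    def visit_Import(self, node):
        for a in node.names:
            self.aliases[a.asname or a.name] = a.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        for a in node.names:
            self.aliases[a.asname or a.name] = f"{node.module}.{a.name}"
        self.generic_visit(node)

    def _qualify(self, func):
        if isinstance(func, ast.Name):
            return self.aliases.get(func.id, func.id)
        if isinstance(func, ast.Attribute):
            base = self._qualify(func.value)
            return f"{base}.{func.attr}" if base else None
        return None   # computed callee (e.g. getattr(...)()) is not resolved here

    def visit_Call(self, node):
        name = self._qualify(node.func)
        if name:
            self.calls.append((name, node.lineno))
        self.generic_visit(node)


def extract_sinks(source):
    """Syntactic features: dangerous calls found in the parsed payload."""
    extractor = SinkExtractor()
    extractor.visit(ast.parse(source))
    return [(n, line) for n, line in extractor.calls if n in DANGEROUS_CALLS]


def regex_rule(source):
    """The traditional rule the engine is compared against."""
    return re.search(r"os\.system\(", source) is not None


# Constructed payloads.
PAYLOAD_ALIAS = "import os as o\ncmd = 'cat /etc/passwd'\no.system(cmd)\n"
PAYLOAD_COMMENT = "# never call os.system(cmd) here\nprint('status ok')\n"
PAYLOAD_FROM = "from subprocess import run as r\nr(['id'])\n"

if __name__ == "__main__":
    for p in (PAYLOAD_ALIAS, PAYLOAD_COMMENT, PAYLOAD_FROM):
        print(repr(p), "regex:", regex_rule(p), "ast:", extract_sinks(p))
```

The regex misses the aliased call and fires on the comment; the AST walk does the opposite on both. The caveat a practitioner would add: static alias resolution handles renaming but not callees built at runtime (`getattr(os, "sys" + "tem")`), which need dataflow or runtime evidence, which is one reason the page pairs this analysis with the honeypot's own behavioral observation.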
Because the whole ship computing environment is a system composed of limited equipment, the IP address of the system is statically allocated, and the MAC address of the equipment and the ID number of the related hardware are relatively limited and fixed. The data analysis engine is combined with analysis results of the TCP/UDP protocol analysis authentication engine, network malicious behaviors are identified through analyzing the flow of the in-out network, a server or a terminal controlled by a hacker in the whole ship computing environment is positioned, and a domain name process relation chain is provided for the TCP/UDP protocol analysis authentication engine and displayed on an operation and maintenance management terminal.
The simulation nodes comprise a honeypot simulation computing service node and a honeypot simulation storage node. Both are built on the cloud computing and storage service nodes of the whole-ship computing environment and imitate the real computing service node and the real storage node as closely as possible.
The honeypot simulation computing service node is built on the real application environment: simulated services, virtual machines, storage access and other resources are deployed to mirror the whole-ship computing environment cloud platform, but the resources the node can reach are confined to the honeypot simulation storage node, and it provides computing services that simulate those of the whole-ship cloud platform. To protect the information security of the whole-ship computing environment, the computing resources and algorithms are desensitized (sensitive content removed) beforehand, so that the attacker is given a fairly realistic application environment without any leak of sensitive material. The node collects a large amount of information and captures the attacker's various operations, which gives it the ability to discover new attack patterns and new exploitation methods. Because the node presents a fairly realistic environment, the attacker believes the real service system has been found and attempts illegal operations such as privilege escalation against the simulated services and hosts, which delays the attacker's progress. The honeypot simulation computing service node has no routine tasks in the network and no regular active users, so apart from the normal daemons and services running on the system it should have no abnormal processes and generate no network traffic. This assumption makes attacks easy to detect: every interaction with the honeypot simulation computing service node is suspicious and may indicate malicious activity.
Accordingly, all network traffic to and from the honeypot simulation computing service node is sent to the data analysis engine and recorded, and the activity on the system itself is logged for later analysis.
The honeypot simulation storage node is built on the real application environment: its data structure is deployed to mirror the whole-ship computing environment cloud platform, the data is processed so that no real information can leak, and the node simulates a large-capacity storage space and provides a simulated cloud storage service. The honeypot simulation storage node responds to the attacker's data read/write service requests with non-real structured data, so that the attacker believes real data has been obtained, which delays the attacker's progress. The simulation storage node has no routine tasks in the network, and no real authorized user ever requests its data storage service, so apart from the normal daemons and services running on the system it should have no abnormal processes and generate no network traffic. This assumption makes attacks easy to detect: every data read/write request made to the simulation storage node is suspicious and may indicate malicious activity. Accordingly, all network traffic to and from the simulation storage node is recorded, and the activity on the system itself is logged for later analysis.
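The following Python sketch is an added example, not the patent's own code, of a honeypot simulation storage node as described above: decoy records keep the real schema but every sensitive field is replaced by a deterministic, format-preserving fake, and every read or write request is logged as a suspicious event. The schema, seed records, decoy key and request sequence are constructed for the example; the fake-value derivation with HMAC is one reasonable choice and is not prescribed by the patent.

```python
# Added example, not from the patent: a honeypot simulation storage node that
# serves desensitized decoy records shaped like the real schema and logs every
# request. Schema, seed records, decoy key and request sequence are constructed.
import hashlib
import hmac

SENSITIVE = {"crew_id", "name", "lat", "lon"}   # fields that must never reach an attacker
DECOY_KEY = b"per-deployment-decoy-secret"      # assumed: unrelated to any production key


def _tag(key, field, value):
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()


def desensitize(record, key=DECOY_KEY):
    """Replace sensitive fields with deterministic, format-preserving fakes, so the
    same real value always maps to the same fake (records stay consistent with
    each other) while nothing real is stored in the honeypot."""
    out = {}
    for field, value in record.items():
        if field not in SENSITIVE:
            out[field] = value
        elif isinstance(value, str) and value.isdigit():    # numeric identifier: keep its length
            digits = str(int(_tag(key, field, value)[:15], 16))
            out[field] = digits.zfill(len(value))[-len(value):]
        elif isinstance(value, float):                      # coordinate: plausible value, wrong place
            out[field] = round(int(_tag(key, field, value)[:8], 16) % 18000 / 100 - 90, 4)
        else:                                               # free text: opaque pseudonym
            out[field] = f"{field}-{_tag(key, field, value)[:8]}"
    return out


class HoneypotStorageNode:
    """No authorized user ever asks this node for storage, so every request is
    recorded as suspicious and answered with decoy data."""

    def __init__(self, seed_records, key=DECOY_KEY):
        self.store = {r["doc_id"]: desensitize(r, key) for r in seed_records}
        self.events = []

    def handle(self, ts, src_ip, op, doc_id, payload=None):
        if op == "read":
            resp = dict(self.store.get(doc_id) or {"error": "not found"})
        elif op == "write":
            self.store[doc_id] = dict(payload or {})   # accepted to keep the attacker engaged, confined here
            resp = {"status": "ok"}
        else:
            resp = {"error": "unsupported"}
        self.events.append({"ts": ts, "src": src_ip, "op": op, "doc_id": doc_id,
                            "payload": payload, "suspicious": True})
        return resp


# Constructed seed records in the real schema; all values are invented.
SEED = [
    {"doc_id": "crew-001", "crew_id": "100234", "name": "Alice Example", "rank": "CPO", "lat": 31.2304, "lon": 121.4737},
    {"doc_id": "crew-002", "crew_id": "100235", "name": "Bob Example", "rank": "LT", "lat": 31.2301, "lon": 121.474},
]

if __name__ == "__main__":
    node = HoneypotStorageNode(SEED)
    print(node.handle(1.0, "192.0.2.7", "read", "crew-001"))
    print(node.handle(2.0, "192.0.2.7", "write", "crew-003", {"doc_id": "crew-003", "name": "x"}))
    print(node.events)
```

Desensitizing at seed time rather than at response time means the real values never exist on the node at all, which is the property the description requires; the decoy key must be distinct from anything used in production so the fakes cannot be reversed into real identifiers.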
The proxy gateway is based on the Apache service and mainly comprises an identity authentication module, an access control module and a resource proxy module. The identity authentication module authenticates each user against the system data provided by the data analysis engine. The access control module receives the authentication result: information and service requests that satisfy the rules are handed to the resource proxy module, and those that do not are directed into the network honeypot. The resource proxy module establishes and maintains the proxy gateway tunnel and sends and receives data. The proxy gateway applies a mixed-authentication protection mechanism to messages that have already passed preliminary authentication by the TCP/UDP protocol analysis authentication engine, and provides real cloud services to users who pass. To further strengthen identity authentication, the mixed authentication combines a username and password, LDAP/AD, a hardware feature code and similar methods, can bind two or more factors, and, depending on the security requirement, admits a user to the cloud platform only when all required methods are satisfied at once. Requests classified as attack events are refused service.
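As an added example, not part of the patent and not the applicant's implementation, the Python below shows the binding form of mixed authentication the proxy gateway is described as using: a username/password, an LDAP/AD group membership and a hardware feature code bound to the account are all evaluated, all must pass together, and anything else is routed to the honeypot. The user store, the directory lookup (a dictionary standing in for a real LDAP/AD query), the hardware code registry and the requests are constructed.

```python
# Added example, not from the patent: proxy-gateway style mixed (binding)
# authentication in which username/password, LDAP/AD group membership and a
# bound hardware feature code must all pass. The user store, the directory
# stub (standing in for a real LDAP/AD query), the hardware code registry and
# the requests are constructed.
import hashlib
import hmac
import os

ITERATIONS = 50_000
REQUIRED_GROUP = "ship-ops"          # directory group that authorizes cloud platform access


def _pw_hash(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pw_hash(salt, password)}


USERS = {"nav_op": _make_user("correct horse battery"), "eng_op": _make_user("staple-2024")}
DUMMY = _make_user("unused")         # hashed for unknown users so timing does not reveal valid names
DIRECTORY = {"nav_op": {"ship-ops", "navigation"}, "eng_op": {"engineering"}}   # LDAP/AD stand-in
HW_CODES = {"nav_op": "HW-00C0FFEE", "eng_op": "HW-00BEEF01"}                   # hardware feature code per account


def check_password(user, password):
    rec = USERS.get(user, DUMMY)
    ok = hmac.compare_digest(_pw_hash(rec["salt"], password), rec["hash"])
    return ok and user in USERS


def check_directory(user):
    return REQUIRED_GROUP in DIRECTORY.get(user, set())


def check_hardware(user, hw_code):
    return hmac.compare_digest(HW_CODES.get(user, "-").encode(), hw_code.encode())


def authenticate(req):
    """Binding authentication: every factor is evaluated (no short-circuit) and all
    must pass together; anything else is an attack event routed to the honeypot."""
    user = req.get("user", "")
    factors = {
        "password": check_password(user, req.get("password", "")),
        "directory": check_directory(user),
        "hardware": check_hardware(user, req.get("hw_code", "")),
    }
    ok = all(factors.values())
    return {"user": user, "authenticated": ok, "factors": factors,
            "route": "cloud_platform" if ok else "honeypot"}


if __name__ == "__main__":
    for req in (
        {"user": "nav_op", "password": "correct horse battery", "hw_code": "HW-00C0FFEE"},
        {"user": "eng_op", "password": "staple-2024", "hw_code": "HW-00BEEF01"},   # not in ship-ops
        {"user": "nav_op", "password": "correct horse battery", "hw_code": "HW-WRONG"},
        {"user": "nobody", "password": "x", "hw_code": "y"},
    ):
        print(authenticate(req))
```

Evaluating every factor even after one has failed, and hashing a dummy record for unknown usernames, keeps the response time independent of which factor failed, so the gateway does not let an attacker confirm valid usernames or hardware codes one factor at a time. The per-factor results are kept in the returned record for the operation and maintenance terminal, not shown to the requester.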
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A cloud honeypot for a whole-ship computing environment, characterized in that the cloud honeypot comprises: a link gateway, a TCP/UDP protocol analysis authentication engine, a data analysis engine, a honeypot simulation computing service node, a honeypot simulation storage node and a proxy gateway, wherein the honeypot simulation computing service node and the honeypot simulation storage node jointly form a virtual computing and storage environment;
the link gateway is used for providing a point-to-point RDP connection for each terminal in the whole-ship computing environment;
the TCP/UDP protocol analysis authentication engine is used for analysing and authenticating information and service requests from the link gateway, forwarding legitimate access to the proxy gateway, directing the access traffic of an attacker (illegal access or attack) to the virtual computing and storage environment, monitoring and detecting the attacker's illegal activities, and sending attack and illegal-access data to the data analysis engine;
the data analysis engine is used for detecting in bypass mode and in real time the application traffic passing through the virtual computing and storage environment, recording the traffic and performing application analysis on it, matching the analysed application data against a feature library, and finding behaviour in the data flow that attacks server vulnerabilities; unauthorized behaviour is treated as a suspected attack exploiting an unknown vulnerability; for attack behaviour identified in the application traffic, a domain-name/process relation-chain correlation check is performed and submitted to the operation and maintenance management terminal for interpretation and for cutting off the attack chain;
the honeypot simulation computing service node is used for responding to an attacker's computing service requests with non-real computing service, namely virtual computing service based on simulated honeypot resources comprising infrastructure, a platform and software, in which the attacker can create virtual machines, build application programs and service platforms, and use the application programs inside the honeypot; all access requests initiated from within the honeypot simulation computing service node are directed to the honeypot simulation computing service node and the honeypot simulation storage node and answered there, so that the attacker believes real computing service has been obtained;
the honeypot simulation storage node is used for responding to an attacker's data read/write service requests with non-real structured data, so that the attacker believes real data has been stolen and real storage service obtained;
the proxy gateway is used for further authenticating messages already authenticated by the TCP/UDP protocol analysis authentication engine, and for providing users who finally pass authentication with real access to the cloud service platform of the whole-ship computing environment.
2. The cloud honeypot of claim 1, wherein the honeypot simulation computing service node is deployed in the manner of the whole-ship computing environment cloud service platform and provides 3 service modes;
the honeypot simulation computing service node provides the 3 services respectively as: infrastructure as a service, which virtualizes computing resources such as virtual machines, storage, networks and operating systems for the attacker; platform as a service, which builds application programs and a service platform for the attacker and provides an on-demand development environment; and software as a service, which provides application programs to the attacker and runs them to access data inside the honeypot;
the computing resources, application programs and service platform are deployed according to the whole-ship computing environment cloud service platform, but their data and algorithms are desensitized, and the data they can access is confined to the honeypot simulation storage node;
the data structure of the honeypot simulation storage node is deployed according to the whole-ship computing environment cloud service platform; real data of the cloud service platform is used with its sensitive data modified and desensitized, and a basic database of the whole-ship computing environment is provided to simulate the cloud storage service.
3. The cloud honeypot of claim 1, wherein the link gateway is composed of a convergence (aggregation) module, an RDP module, a NAP module and an NP module;
the convergence module is used for aggregating the data of a plurality of externally connected physical ports onto 1 port and sending the aggregated data to the data analysis engine;
the RDP module is used for converting information and service requests;
the NAP module is used for enforcing health requirements, including hardware requirements, security update requirements, required computer configuration and other settings, on terminals accessing the whole-ship computing environment according to preset rules;
the NP module is used for dividing information and service requests into 3 classes according to the processing results of the RDP module and the NAP module and sending the marked information and service requests to the TCP/UDP protocol analysis authentication engine, the classification rule being: information and service requests sent by authenticated equipment inside the whole-ship computing environment system are marked class A, information and service requests sent by equipment outside the system that meets the authentication conditions are marked class B, and all other information and service requests are marked class C.
4. The cloud honeypot of claim 1, wherein the data analysis engine is configured to mirror each data packet to be detected to a detection queue, to scan and detect the mirrored packet in the detection process, and to temporarily pass or block the various classes of information and service requests according to instructions from the operation and maintenance management terminal;
the scanning detection comprises: judging whether the terminal has the corresponding service access authority by determining the attribution of the visitor's IP address and checking the health condition of the terminal.
5. The cloud honeypot of claim 1, wherein the TCP/UDP protocol analysis authentication engine is composed of a protocol identification module, an encrypted-protocol brute-force ("blasting") detection module, a protocol analysis module and a data processing module;
the protocol identification module is used for identifying information and service requests from the link gateway, sending those that use an encrypted protocol to the encrypted-protocol brute-force detection module, and passing those that use an unencrypted protocol directly to the protocol analysis module;
the encrypted-protocol brute-force detection module is used for judging the login authentication state of the encrypted protocol with a multi-feature model, deciding from the session duration, protocol interaction, traffic volume and tool whether a login succeeded; for applying fingerprint-based abnormal-login detection to identify logins by non-standard programs, brute-force logins and vulnerability-exploit logins; and, once the login state is identified, for passing the session to a low-rate brute-force detection engine based on multi-scale time-window serialization, which identifies hidden low-rate brute-force behaviour;
the data processing module is used for classifying the identified information and service requests, immediately directing the access traffic of an attacker (illegal access or attack) to the virtual computing and storage environment, monitoring and detecting the illegal activity, and sending attack and illegal-access data to the data analysis engine;
the data processing module is further used for receiving instructions from the data analysis engine and applying exception exclusions to information and service requests according to the instruction of the operation and maintenance management terminal.
6. The cloud honeypot of claim 1, wherein the proxy gateway comprises an identity authentication module, an access control module and a resource proxy module;
the resource proxy module is used for establishing and maintaining the proxy gateway tunnel and for sending and receiving data;
the identity authentication module is used for binding two or more factors in mixed authentication, the factors including a username and password, LDAP/AD, and a hardware feature code;
the access control module is used for admitting to the cloud service platform only access that satisfies all the required authentication methods at once, according to the security requirement, and for refusing service to attack events.
7. An attack event awareness method applied to the cloud honeypot of the whole-ship computing environment according to any one of claims 1 to 6, wherein the method comprises the following steps:
the link gateway defines access from a terminal whose health condition is unsatisfactory as an attack event;
the TCP/UDP protocol analysis authentication engine analyses and authenticates the information and service requests, and defines the four kinds of abnormal login behaviour, namely login by a non-standard program, brute-force login, low-rate brute-force login and vulnerability-exploit login, as attack events;
the data analysis engine judges the validity of access from the IP address, the equipment MAC address and the related hardware ID number, and defines illegal access as an attack event;
the proxy gateway applies mixed authentication, including a username and password, LDAP/AD and a hardware feature code, judges the validity of access in combination with information from the operation and maintenance management terminal, and defines illegal access as an attack event.
8. The method according to claim 7, wherein all accesses for which an exception exclusion has been added are allowed to access the cloud service platform of the whole-ship computing environment normally, the exception exclusion being added through the operation and maintenance management terminal and covering events, messages and source terminals.
9. An attack behaviour analysis method applied to the cloud honeypot of the whole-ship computing environment according to any one of claims 1 to 6, wherein the method comprises the following steps:
all access traffic directed to the honeypot simulation computing service node and the honeypot simulation storage node is regarded as attack behaviour;
by analysing that access traffic, the attacker's device fingerprint and social fingerprint information are obtained, an accurate profile of the attacker is drawn, and the attack chain and the attacker's behaviour are traced.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium which, when executed by a processor, carries out the steps of the method according to any one of claims 7 to 9.
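Claim 5 describes a low-rate brute-force detection engine based on multi-scale time windows, and claim 7 counts the low-rate brute-force login it finds as an attack event. The Python below is an added example, not the patent's engine, of that idea: failed logins per source are counted over several window lengths at once, so that attempts spaced out to stay under any one short-window threshold still trip a longer window, and a success that follows a long run of failures is flagged as well. The window sizes, thresholds and the login log are constructed; the block works on already-classified login results and does no protocol parsing.

```python
# Added example, not from the patent: multi-scale time-window detection of
# low-rate ("slow blasting") brute-force logins. Window sizes, thresholds and
# the login log are constructed; no real protocol parsing is performed.
from collections import defaultdict, deque

# (window length in seconds, maximum failed logins tolerated per source within it).
# Short windows catch fast brute force; long windows catch attempts spaced out
# to stay under every short-window threshold.
WINDOWS = ((60, 5), (3600, 10), (86400, 20))
SUCCESS_AFTER_FAILURES = 10   # a success preceded by this many failures in a day is suspect


class SlowBruteForceDetector:
    def __init__(self, windows=WINDOWS, success_after=SUCCESS_AFTER_FAILURES):
        self.windows = sorted(windows)
        self.longest = self.windows[-1][0]
        self.success_after = success_after
        self.failures = defaultdict(deque)   # src -> timestamps of failed logins, oldest first
        self.fired = set()                   # (src, window) pairs already alerted on

    def observe(self, ts, src, user, success):
        """Feed one login result in time order; return an alert dict or None."""
        q = self.failures[src]
        while q and ts - q[0] > self.longest:   # forget failures older than the longest window
            q.popleft()
        if success:
            n = len(q)
            if n >= self.success_after:
                return {"kind": "success_after_failures", "src": src, "user": user, "n": n, "ts": ts}
            return None
        q.append(ts)
        for window, limit in self.windows:       # shortest window first
            n = sum(1 for t in q if ts - t <= window)
            if n > limit and (src, window) not in self.fired:
                self.fired.add((src, window))    # alert once per (source, window)
                kind = "bruteforce" if window <= 60 else "slow_bruteforce"
                return {"kind": kind, "src": src, "window": window, "n": n, "ts": ts}
        return None


def parse_line(line):
    """Constructed log format: '<unix_seconds> <src_ip> <user> OK|FAIL'."""
    ts, src, user, result = line.split()
    return float(ts), src, user, result == "OK"


def detect(lines):
    det = SlowBruteForceDetector()
    return [a for a in (det.observe(*parse_line(line)) for line in lines) if a]


# Constructed sample log: a crew terminal mistypes three times and then logs in,
# while an outside host fails once every 10 minutes for 4 hours and then succeeds.
SAMPLE_LOG = (
    ["100 10.1.1.10 nav_op FAIL", "120 10.1.1.10 nav_op FAIL",
     "140 10.1.1.10 nav_op FAIL", "160 10.1.1.10 nav_op OK"]
    + [f"{600 * i} 192.0.2.7 admin FAIL" for i in range(24)]
    + ["14400 192.0.2.7 admin OK"]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

With one failure every 10 minutes the attacker never exceeds 1 failure per minute or 7 per hour, so the two short windows stay silent; the 24-hour window fires at the 21st failure, and the later success is reported separately because 24 failures precede it. The per-source state is bounded by the longest window, which keeps memory predictable on a busy gateway.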

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211267529.0A CN115694928A (en) 2022-10-17 2022-10-17 Cloud honeypot of whole-ship computing environment, attack event perception and behavior analysis method


Publications (1)

Publication Number Publication Date
CN115694928A true CN115694928A (en) 2023-02-03

Family

ID=85067403


Country Status (1)

Country Link
CN (1) CN115694928A (en)


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117057163A (en) * 2023-10-11 2023-11-14 富钛字节车载软件(长春)有限公司 Remote simulation method, system, equipment and storage medium based on wireless communication
CN117057163B (en) * 2023-10-11 2024-01-19 富钛字节车载软件(长春)有限公司 Remote simulation method, system, equipment and storage medium based on wireless communication
CN118018327A (en) * 2024-04-08 2024-05-10 畅捷通信息技术股份有限公司 Active whole network abnormal attack processing method, system, equipment and medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination