CN116599765A - Honeypot deployment method - Google Patents

Publication number: CN116599765A
Authority: CN (China)
Prior art keywords: asset, subnet, network, target network, honeypots
Legal status: Granted
Application number: CN202310784566.7A
Other languages: Chinese (zh)
Other versions: CN116599765B (en)
Inventors: 李夫兵, 刘浩源
Current assignee: Softpole Network Technology Beijing Co ltd
Original assignee: Softpole Network Technology Beijing Co ltd

Classifications

    • H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention provides a honeypot deployment method. The method comprises: determining the target network whose assets need protection, and acquiring the asset type and asset count information of the target network; assigning an asset level to each subnet according to the key asset locations and historical attack information of each subnet in the target network, calculating the device importance score of each subnet, and calculating the asset density of each subnet according to the importance scores of the subnet devices; and deploying the available honeypots into each subnet of the target network with the deployment formula, according to the asset density and asset level of each subnet. The method is based on the key devices in the existing network, fits actual service scenarios, and deploys honeypots dynamically in different scenarios, thereby reducing the cost of honeypot deployment while deceiving attackers, obtaining more information through the deception, and delaying attackers.

Description

Honeypot deployment method
Technical Field
The invention relates to the technical field of network attack, in particular to a honeypot deployment method.
Background
With the development of digital technology, large-scale targeted network operations have increased greatly; data leakage, ransomware and security vulnerabilities keep escalating, and network security has become an important factor in national security.
Traditional honeypots use passive means such as highly enticing lures and redirection to push an attacker into misjudgment. The fidelity of the simulation and the deployment location directly determine how well the deception works, and if a honeypot does not reflect the characteristics of the intranet services, the attacker can evade the defense system.
Meanwhile, once a honeypot trap is deployed, if the surrounding network environment offers no matching information to guide the attacker, the attacker is unlikely to approach the trap, so the honeypot deployment range has to be widened and the density increased.
However, existing protected networks contain many kinds of service systems, such as externally open service systems, internal management systems, protection units and industrial monitoring systems. Over-disguising them, and deploying honeypots too widely and too densely, incurs higher cost, burdens the resources of the existing network information systems, and makes the honeypots easy for an attacker to recognize early, after which the attacker stays hidden.
In network attack and defense, the strength and cost expended by the two sides form an unbalanced game, and a large outlay easily goes into early honeypot deployment.
Therefore, the problem to be solved is how to build a rigorous, highly enticing defense system that reduces the deployment cost and difficulty of the defense system and maximizes the benefit of the deception.
Disclosure of Invention
The embodiment of the invention provides a honeypot deployment method for dynamically deploying honeypots in different scenarios.
In order to achieve the above purpose, the present invention adopts the following technical scheme.
A honeypot deployment method, comprising:
determining a target network needing to protect assets, and acquiring asset type and asset number information of the target network;
dividing the asset levels of the subnets according to the key asset positions and the historical attack information of each subnet in the target network, calculating the equipment importance scores of the subnets, and calculating the asset density of the subnets according to the importance scores of the equipment of each subnet;
and deploying the available honeypots into each subnet of the target network with the deployment formula, according to the asset density and the asset level of each subnet.
Preferably, the determining the target network for protecting the asset, and acquiring the asset type and the asset number information of the target network, includes:
detecting the virtual local area network through an analysis engine, obtaining the number and types of the assets in the virtual local area network, dividing the virtual local area network into different network areas according to different asset types and network segments, generating a framework of a target network needing to protect the assets, and recording asset type and asset number information of the target network.
Preferably, the dividing the asset class of the subnet according to the key asset location and the historical attack information of each subnet in the target network, and calculating the device importance score of the subnet includes:
enumerating the subnet IPs in the target network to be protected, and setting the importance degree F of each subnet to one of several levels; using the analysis engine to aggregate the historical attack data on the target network, analyzing the historical attack times and distribution density from the historical attack logs, and obtaining a probability distribution value M of the number of historical attacks in the target network, M being taken as the percentage of subnet devices in the target network that were probed by attacks;
the importance score of the subnet devices is D, calculated as: D = F × M,
so that all subnet devices in the target network segment have a device importance score.
Preferably, the calculating the asset density of the subnet according to the importance score of each subnet device includes:
the density engine divides the IPs of the target network segment to be protected into four levels according to the importance score D of each subnet device: Ap, Bp, Cp and Dp. Subnets whose host importance score is greater than seventy-five percent are assigned level Ap, subnets whose host importance score is greater than fifty percent are assigned level Bp, subnets whose host importance score is greater than twenty-five percent are assigned level Cp, and the remaining subnets are assigned level Dp;
the asset density ρ of the subnet is the number of key assets in the subnet of the target network divided by the total number of key assets in the target network.
Preferably, the deploying the available honeypots into each subnet of the target network according to the deployment formula according to the asset density and the asset level of each subnet comprises:
the existing honeypots are split into idle honeypots and available honeypots in a certain proportion, and the number of available honeypots is denoted N; the available honeypots are deployed into each subnet of the target network with the deployment formula, and the number n of honeypots to deploy for each asset level in a subnet is calculated as:
n = N × G × ρ
where ρ is the asset density of the subnet, and the allocation ratio G corresponding to each asset level is given in the following table:

Asset level    Allocation ratio G
Ap             40%
Bp             30%
Cp             20%
Dp             10%

As the technical scheme of the embodiment shows, the method is based on the key devices in the existing network, fits actual service scenarios, and deploys honeypots dynamically in different scenarios, which reduces the cost of honeypot deployment while deceiving attackers, obtaining more information through the deception, and delaying attackers.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of the relationship between the honeypot deployment module and the alarm module according to an embodiment of the present invention;
FIG. 2 is a process flow diagram of a honeypot deployment method according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein the same or similar reference numerals refer to the same or similar elements or elements having the same or similar functions throughout. The embodiments described below by referring to the drawings are exemplary only for explaining the present invention and are not to be construed as limiting the present invention.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless expressly stated otherwise, as understood by those skilled in the art. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or coupled. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
To facilitate understanding of the embodiments of the invention, several specific embodiments are further explained below with reference to the drawings; they in no way limit the embodiments of the invention.
A honeypot is a system containing vulnerabilities that simulates one or more vulnerable hosts, giving hackers an easy target. In the embodiment of the invention, the number, density and locations of honeypots are deployed dynamically according to the current target network segment to be protected.
FIG. 1 shows the relationship between the honeypot deployment module and the alarm module provided by the embodiment of the invention. Honeypot deployment in the embodiment is carried out by four engines: an analysis engine, a position engine, a density engine and a deployment engine. When an attacker enters the honeynet system and attempts an attack, the attack traffic is led from the honeynet into the system alarm module, which records the attack traffic information, consolidates the historical attack information according to the user's needs, and sends the consolidated attack information to the honeypot deployment module. The honeypot deployment module then dynamically deploys the existing idle honeypots according to the resources of the existing network segments and the historical attack information, and applies the honeypot deployment strategy to the honeynet system.
The processing flow of the honeypot deployment method provided by the embodiment of the invention is shown in fig. 2, and comprises the following processing steps:
Step S10: scan the existing network, generate the architecture of the target network whose assets need protection, and acquire information such as the asset types and asset counts of the target network.
The analysis engine scans and probes the existing network segments, obtains the number and types of assets in each VLAN (Virtual Local Area Network), divides the network into different network areas according to asset type and network segment, generates the architecture of the target network whose assets need protection, and records information such as the asset types and asset counts of the target network.
The honey point repository holds honey point templates with a rich range of functions and types, including router honey points, web honey points, database honey points, mailbox honey points and the like. Based on the generated architecture of the target network, different honey points are set up to match the service needs of different service hosts, honeypots of different functional types are assigned to the target network segments they are associated with, and the location and quantity of honeypots can be configured in the honeypot pool, so that an attacker is induced to release the attack payload.
Step S20: the position engine assigns an asset level to each subnet according to the key asset locations and historical attack information of the subnets in the target network, and calculates the device importance score of each subnet.
The subnet IPs in the target network to be protected are enumerated, and the importance degree F is set to one of 3 grades: important, general and common. For example, in the subnet of a company's research and development department, the department manager holds the highest-value asset data in the subnet segment and is graded important, a secondary manager or a business group is graded general, and an ordinary employee is graded common. Such analysis is unavoidably influenced by subjective factors, so the historical attack distribution is also taken into account.
The analysis engine aggregates the historical attack data on the target network, analyzes the historical attack times and distribution density from the historical attack logs, and represents the number of historical attacks in the target network as the mean, median or mode of the probability distribution. The position engine takes the probability distribution value M of the number of historical attacks in the target network as the percentage of subnet devices in the target network that were probed by attacks.
Preferably, the look-back period for the historical attack information is configured by the user; it may be one month or one year, and can be adjusted to the pace at which attacks evolve.
The importance score of the subnet devices is D, calculated as: D = F × M,
where F is the importance grade score. It is configured by the user, who may set the value of F with reference to the opinions of testers or company staff, so control of it is left to the user.
All subnet devices in the target network segment will have a device importance score.
Step S30: the density engine divides the IPs of the target network segment to be protected into four levels according to the importance score D of each subnet device: Ap, Bp, Cp and Dp. Subnets whose host importance score is greater than seventy-five percent are assigned level Ap, subnets whose host importance score is greater than fifty percent are assigned level Bp, subnets whose host importance score is greater than twenty-five percent are assigned level Cp, and the remaining subnets are assigned level Dp. The asset density of a subnet is the total number of key assets in that subnet of the target network divided by the total number of key assets in the target network.
Step S40: according to the asset density and asset level of each subnet, the deployment engine splits the existing honeypots into idle honeypots and available honeypots in a certain proportion, and deploys the available honeypots into each subnet of the target network with the deployment formula.
The number of available honeypots is denoted N, and the allocation ratio G corresponding to each asset level is as follows:

Asset level    Allocation ratio G
Ap             40%
Bp             30%
Cp             20%
Dp             10%

The number of honeypots to deploy for devices of each asset level in a subnet is calculated as:
n = N × G × ρ
This is because the number of deception mechanisms deployed in a subnet depends on the information associated with that subnet within the network. For example, the more assets a subnet holds, the more deception mechanisms it may receive; and as the number of attacks on a subnet grows, the number of deception mechanisms across the whole network grows.
The honeypot deployment method in the embodiment of the invention depends on historical attack information. When an attacker re-enters the system and attacks again, the alarm system keeps generating alarm logs, and the newly generated alarm logs are fed into the analysis engine, so that the locations and number of honeypots can be redeployed in real time according to what the attacker is targeting, which achieves dynamic honeypot deployment.
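A worked run of steps S20 to S40 and of the re-deployment on new alarm logs described above, as an added example (not code from the patent). The inventory, the log format, the numeric F scale, reading M as each subnet's share of alerts, normalizing D by the highest score, and rounding n down are all assumptions made for the illustration.

```python
import ipaddress
import math
import re
from collections import Counter
from fractions import Fraction

# Allocation ratio G per asset level, from the table in the text.
G = {"Ap": Fraction(40, 100), "Bp": Fraction(30, 100),
     "Cp": Fraction(20, 100), "Dp": Fraction(10, 100)}

# Constructed inventory. F is the user-set importance grade; the numeric
# scale 3 = important, 2 = general, 1 = common is an assumption.
SUBNETS = {
    "10.0.1.0/24": {"F": 3, "key_assets": 12},
    "10.0.2.0/24": {"F": 2, "key_assets": 6},
    "10.0.3.0/24": {"F": 2, "key_assets": 4},
    "10.0.4.0/24": {"F": 1, "key_assets": 2},
}

# Constructed alarm log (the line format is an assumption).
ALERT_LOG = """\
2023-06-01T02:14:07Z dst=10.0.1.15 sig=ssh-bruteforce
2023-06-01T02:15:41Z dst=10.0.1.15 sig=ssh-bruteforce
2023-06-02T11:03:12Z dst=10.0.1.20 sig=smb-enum
2023-06-03T08:47:55Z dst=10.0.1.31 sig=web-scan
2023-06-03T09:01:02Z dst=10.0.1.31 sig=sqli-probe
2023-06-04T19:22:30Z dst=10.0.2.8 sig=web-scan
2023-06-04T19:25:10Z dst=10.0.2.8 sig=sqli-probe
2023-06-05T03:10:44Z dst=10.0.2.40 sig=rdp-bruteforce
2023-06-06T14:36:09Z dst=10.0.2.41 sig=smb-enum
2023-06-07T21:58:17Z dst=10.0.3.5 sig=port-scan
2023-06-08T06:12:33Z dst=10.0.3.9 sig=port-scan
2023-06-09T16:40:21Z dst=10.0.4.77 sig=port-scan
2023-06-09T16:41:00Z dst=192.168.9.9 sig=port-scan
"""

# Constructed follow-up alerts: the attacker returns and focuses on 10.0.3.0/24.
NEW_ALERTS = "".join(
    f"2023-06-1{i}T01:00:00Z dst=10.0.3.{i + 5} sig=smb-enum\n" for i in range(5)
)


def attack_share(log, subnets):
    """M per subnet: share of historical alerts whose target lies in the subnet."""
    nets = {cidr: ipaddress.ip_network(cidr) for cidr in subnets}
    hits = Counter()
    for line in log.splitlines():
        found = re.search(r"\bdst=(\S+)", line)
        if not found:
            continue
        try:
            ip = ipaddress.ip_address(found.group(1))
        except ValueError:
            continue  # malformed address: skip the line
        for cidr, net in nets.items():
            if ip in net:
                hits[cidr] += 1
                break  # targets outside the inventory are never counted
    total = sum(hits.values())
    return {c: Fraction(hits[c], total) if total else Fraction(0) for c in subnets}


def asset_level(d, d_max):
    """Map D to Ap/Bp/Cp/Dp with the 75/50/25 percent cut-offs.
    Reading the percentages as a share of the highest D is an assumption."""
    share = d / d_max if d_max else Fraction(0)
    if share > Fraction(3, 4):
        return "Ap"
    if share > Fraction(1, 2):
        return "Bp"
    if share > Fraction(1, 4):
        return "Cp"
    return "Dp"


def deployment_plan(n_available, subnets, log):
    """Return {subnet: (level, n)} with n = floor(N x G x rho)."""
    m_share = attack_share(log, subnets)
    d = {c: s["F"] * m_share[c] for c, s in subnets.items()}  # D = F x M
    d_max = max(d.values())
    total_assets = sum(s["key_assets"] for s in subnets.values())
    plan = {}
    for cidr, s in subnets.items():
        level = asset_level(d[cidr], d_max)
        rho = Fraction(s["key_assets"], total_assets)  # asset density
        # Rounding down is an assumption; the text gives no rounding rule.
        plan[cidr] = (level, math.floor(n_available * G[level] * rho))
    return plan


if __name__ == "__main__":
    for label, log in (("initial", ALERT_LOG), ("re-run", ALERT_LOG + NEW_ALERTS)):
        plan = deployment_plan(60, SUBNETS, log)
        print(label, plan, "placed:", sum(n for _, n in plan.values()))
```

Because the densities ρ sum to 1 and G never exceeds 40%, the formula places at most 0.4 × N honeypots in total; in this run 18 of 60 are placed at first, and 20 once the new alerts raise 10.0.3.0/24 to level Ap.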
The type of honeypots to be deployed in the embodiment of the invention depends on the network area where the attacker is located, and multiple honeypots can be deployed in the same network area.
In summary, the embodiment of the invention provides a deployment rule that deploys honeypots according to the needs of each network area. Based on the network architecture of the actual network, different honeypots are defined as belonging to the relevant network area types and fit the actual service scenario, so the method is highly practical and broadly applicable.
(2) The four engines (analysis engine, position engine, density engine and deployment engine) cooperate with one another and form a closed loop with the alarm control module, so that honeypots can be deployed dynamically according to different business scenarios and different degrees of asset importance.
(3) The invention studies a method of placing decoy honeypots that raises the probability that an attacker steps into a trap, and is thereby exposed, as soon as possible after entering the network. Taking the servers and clients in the current service network into account, the deployment range that matches the enterprise's day-to-day office and production characteristics is determined from service characteristics and personnel characteristics. Within the cost constraint, the deployment range is maximized to widen the guiding surface, so that the honeypots are not recognized by the attacker, who is attracted by low-cost, widely distributed honeypots and drawn further toward the trap.
Those of ordinary skill in the art will appreciate that: the drawing is a schematic diagram of one embodiment and the modules or flows in the drawing are not necessarily required to practice the invention.
From the above description of embodiments, it will be apparent to those skilled in the art that the present invention may be implemented in software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the embodiments or some parts of the embodiments of the present invention.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for apparatus or system embodiments, since they are substantially similar to method embodiments, the description is relatively simple, with reference to the description of method embodiments in part. The apparatus and system embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The present invention is not limited to the above-mentioned embodiments, and any changes or substitutions that can be easily understood by those skilled in the art within the technical scope of the present invention are intended to be included in the scope of the present invention. Therefore, the protection scope of the present invention should be subject to the protection scope of the claims.

Claims (5)

1. A method of honeypot deployment, comprising:
determining a target network needing to protect assets, and acquiring asset type and asset number information of the target network;
dividing the asset levels of the subnets according to the key asset positions and the historical attack information of each subnet in the target network, calculating the equipment importance scores of the subnets, and calculating the asset density of the subnets according to the importance scores of the equipment of each subnet;
and deploying the available honeypots into each subnet of the target network with the deployment formula, according to the asset density and the asset level of each subnet.
2. The method of claim 1, wherein the determining the target network that needs to protect the asset, obtaining asset type and asset number information of the target network, comprises:
detecting the virtual local area network through an analysis engine, obtaining the number and types of the assets in the virtual local area network, dividing the virtual local area network into different network areas according to different asset types and network segments, generating a framework of a target network needing to protect the assets, and recording asset type and asset number information of the target network.
3. The method according to claim 1 or 2, wherein the dividing the asset class of the sub-network according to the key asset location and the history attack information of each sub-network in the target network, and calculating the device importance score of the sub-network comprises:
enumerating the subnet IPs in the target network to be protected, and setting the importance degree F of each subnet to one of several levels; using the analysis engine to aggregate the historical attack data on the target network, analyzing the historical attack times and distribution density from the historical attack logs, and obtaining a probability distribution value M of the number of historical attacks in the target network, M being taken as the percentage of subnet devices in the target network that were probed by attacks;
the importance score of the subnet devices is D, calculated as: D = F × M,
so that all subnet devices in the target network segment have a device importance score.
4. A method according to claim 3, wherein said calculating the asset density of the sub-network based on the importance scores of the respective sub-network devices comprises:
the density engine divides the IPs of the target network segment to be protected into four levels according to the importance score D of each subnet device: Ap, Bp, Cp and Dp. Subnets whose host importance score is greater than seventy-five percent are assigned level Ap, subnets whose host importance score is greater than fifty percent are assigned level Bp, subnets whose host importance score is greater than twenty-five percent are assigned level Cp, and the remaining subnets are assigned level Dp;
the asset density ρ of the subnet is the number of key assets in the subnet of the target network divided by the total number of key assets in the target network.
5. The method of claim 4, wherein deploying the available honeypots into the respective subnets of the target network according to the deployment formula based on the asset density and asset class of the respective subnets, comprises:
the existing honeypots are split into idle honeypots and available honeypots in a certain proportion, and the number of available honeypots is denoted N; the available honeypots are deployed into each subnet of the target network with the deployment formula, and the number n of honeypots to deploy for each asset level in a subnet is calculated as:
n = N × G × ρ
where ρ is the asset density of the subnet, and the allocation ratio G corresponding to each asset level is given in the following table:

Asset level    Allocation ratio G
Ap             40%
Bp             30%
Cp             20%
Dp             10%

Application number: CN202310784566.7A
Priority date: 2023-06-29
Filing date: 2023-06-29
Title: Honeypot deployment method
Status: Active

Publications:
CN116599765A, published 2023-08-15
CN116599765B, published 2023-12-08

Family ID: 87606446
Country: CN

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117240598A (en) * 2023-11-07 2023-12-15 国家工业信息安全发展研究中心 Attack detection method, attack detection device, terminal equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170331858A1 (en) * 2016-05-10 2017-11-16 Quadrant Information Security Method, system, and apparatus to identify and study advanced threat tactics, techniques and procedures
CN110460481A (en) * 2019-09-12 2019-11-15 南京经纬信安科技有限公司 A kind of recognition methods of network key assets
US10986127B1 (en) * 2018-09-14 2021-04-20 Rapid7, Inc. Dynamic management of deception systems
CN113904852A (en) * 2021-10-11 2022-01-07 北京知道创宇信息技术股份有限公司 Honeypot dynamic deployment method and device, electronic equipment and readable storage medium
CN114598504A (en) * 2022-02-21 2022-06-07 烽台科技(北京)有限公司 Risk assessment method and device, electronic equipment and readable storage medium
CN116015860A (en) * 2022-12-26 2023-04-25 安天科技集团股份有限公司 Network asset simulation method, device, equipment and medium based on honeypot technology

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117240598A (en) * 2023-11-07 2023-12-15 国家工业信息安全发展研究中心 Attack detection method, attack detection device, terminal equipment and storage medium
CN117240598B (en) * 2023-11-07 2024-02-20 国家工业信息安全发展研究中心 Attack detection method, attack detection device, terminal equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant