CN116866076A - Network honeypot identification method, device, equipment and storage medium - Google Patents


Info

Publication number: CN116866076A
Authority: CN (China)
Prior art keywords: information, honeypot, internet protocol, open, port
Legal status: Pending (as listed by Google Patents, which has not performed a legal analysis)
Application number: CN202311010173.7A
Other languages: Chinese (zh)
Inventors: 邓书凡, 董志强
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L63/0227 Filtering policies > H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 Network architectures or network communication protocols for network security for authentication of entities > H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of this application provide a network honeypot identification method, device, equipment and storage medium that improve honeypot detection efficiency and accuracy. The method comprises: obtaining a target internet protocol address through a communication application, and obtaining basic network information, risk marking information and open port information corresponding to the target internet protocol address; obtaining open service information corresponding to the open ports in the open port information; determining the login-type open ports among the open ports contained in the open port information, and obtaining open service login information corresponding to the login-type open ports; obtaining honeypot feature identification information corresponding to the target internet protocol address; taking this information as the honeypot evaluation indices corresponding to the target internet protocol address, performing weighted summation of the honeypot evaluation value corresponding to each honeypot evaluation index and the index weight corresponding to that index, and returning the resulting honeypot detection result to the communication application.

Description

Network honeypot identification method, device, equipment and storage medium
Technical Field
The present application relates to internet technologies, and in particular to a method, apparatus, device and storage medium for identifying a network honeypot.
Background
During network security assessment, some IP (Internet Protocol) addresses are found to have obvious vulnerabilities; however, the system behind such an address may not be a real business system but a deliberately deployed honeypot. To keep the assessment meaningful, there is a need to identify whether an IP address is a honeypot.
In existing honeypot identification techniques, the IP address to be identified is usually inspected manually. Because inspecting an IP address is a complex task that requires many intricate operations, it takes too long, and the outcome depends entirely on the operator's skill; where that skill is limited, the honeypot detection result is easily misjudged.
Disclosure of Invention
Embodiments of the application provide a network honeypot identification method, device, equipment and storage medium that improve honeypot detection efficiency and honeypot detection accuracy.
In one aspect, an embodiment of the application provides a network honeypot identification method, which comprises the following steps:
obtaining a target internet protocol address through a communication application, and obtaining basic network information and risk marking information corresponding to the target internet protocol address;
performing port opening detection on a port set corresponding to the target internet protocol address, and obtaining from the port set the open port information corresponding to the target internet protocol address;
performing fingerprint detection analysis on the target internet protocol address and the open ports in the open port information to obtain open service information corresponding to the open ports in the open port information;
determining, according to the service types in the open service information, the login-type open ports among the open ports contained in the open port information, and obtaining open service login information corresponding to the login-type open ports;
obtaining honeypot feature identification information corresponding to the target internet protocol address, taking the basic network information, risk marking information, open port information, open service login information and honeypot feature identification information as the honeypot evaluation indices corresponding to the target internet protocol address, and obtaining the index weight corresponding to each honeypot evaluation index;
and obtaining the honeypot evaluation value of the target internet protocol address on each honeypot evaluation index, performing weighted summation of the honeypot evaluation value corresponding to each honeypot evaluation index and the index weight corresponding to that index to obtain the honeypot detection result corresponding to the target internet protocol address, and returning the honeypot detection result to the communication application.
In one aspect, an embodiment of the present application provides a network honeypot identification device, including:
a first obtaining module, configured to obtain a target internet protocol address through a communication application and to obtain basic network information and risk marking information corresponding to the target internet protocol address;
a port opening detection module, configured to perform port opening detection on a port set corresponding to the target internet protocol address and to obtain from the port set the open port information corresponding to the target internet protocol address;
a fingerprint detection module, configured to perform fingerprint detection analysis on the target internet protocol address and the open ports in the open port information, and to obtain open service information corresponding to the open ports in the open port information;
a login information obtaining module, configured to determine, according to the service types in the open service information, the login-type open ports among the open ports contained in the open port information, and to obtain open service login information corresponding to the login-type open ports;
a second obtaining module, configured to obtain honeypot feature identification information corresponding to the target internet protocol address, to take the basic network information, risk marking information, open port information, open service login information and honeypot feature identification information as the honeypot evaluation indices corresponding to the target internet protocol address, and to obtain the index weight corresponding to each honeypot evaluation index;
and a weighted summation module, configured to obtain the honeypot evaluation value of the target internet protocol address on each honeypot evaluation index, to perform weighted summation of the honeypot evaluation value corresponding to each honeypot evaluation index and the index weight corresponding to that index to obtain the honeypot detection result corresponding to the target internet protocol address, and to return the honeypot detection result to the communication application.
The first obtaining module obtains the target internet protocol address through the communication application, and the first obtaining module comprises the following steps:
the message receiving unit is used for receiving the first message encryption data sent by the communication application; the first message encryption data are obtained by encrypting first message data received by an intelligent detection object in the communication application, and the first message data are used for indicating the intelligent detection object to trigger a honeypot detection flow;
and the message decryption unit is used for decrypting the first message encrypted data through the object access token and the key information corresponding to the intelligent detection object to obtain first message data corresponding to the intelligent detection object, and acquiring a target Internet protocol address from the first message data.
The first obtaining module obtains basic network information and risk marking information corresponding to a target internet protocol address, and the first obtaining module comprises:
The first interface calling unit is used for packaging the target Internet protocol address into a first interface request message, calling a basic information inquiry interface through the first interface request message, and acquiring geographic area position information, holder information and a security tag corresponding to the target Internet protocol address;
a basic information acquisition unit for determining geographical area location information, holder information, and security tag as basic network information corresponding to a target internet protocol address;
the risk mark obtaining unit is used for packaging the target internet protocol address into a second interface request message, calling a risk information inquiry interface through the second interface request message, and obtaining risk mark information corresponding to the target internet protocol address.
The risk mark obtaining unit calls a risk information query interface through a second interface request message to obtain risk mark information corresponding to a target internet protocol address, and the risk mark obtaining unit comprises:
the risk information query interface is called through the second interface request message, a risk type label set is obtained, and a risk type label matched with a target Internet protocol address in the risk type label set is determined to be a hit label;
combining the target internet protocol address and the hit label into risk marking information corresponding to the target internet protocol address.
The port opening detection module performs port opening detection on a port set corresponding to a target internet protocol address, acquires opening port information corresponding to the target internet protocol address in the port set, and includes:
a connection request sending unit, configured to obtain a port set corresponding to a target internet protocol address, and send a connection request to a port i in the port set;
a confirmation data receiving unit, configured to determine an open state of the port i as an opened state if connection confirmation data returned by the port i is received;
and the open port information combining unit is used for adding the port in the open state in the port set to the open port list, and combining the target internet protocol address, the open port list and the open state corresponding to the port in the open port list into open port information corresponding to the target internet protocol address.
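The port opening detection described by the three units above, as an added example in Python (not the patent's own code): a TCP connect is attempted to every port in the port set, a port counts as open only when the handshake completes (the "connection confirmation data"), and the result is assembled into the open port information record. So that it runs offline, the example starts a listener on a 127.0.0.1 ephemeral port to stand in for a live service; the function names and that local fixture are assumptions.

```python
"""TCP-connect port opening detection over a port set (added example)."""
import socket
import threading
from typing import Dict, List


def probe_port(ip: str, port: int, timeout: float = 1.0) -> bool:
    """Send a connection request; True only if the TCP handshake completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out or unreachable: no confirmation
        return False


def detect_open_ports(ip: str, port_set: List[int], timeout: float = 1.0) -> Dict:
    """Build the open port information: target address, open port list and
    the open state recorded for every port in the set."""
    states = {p: ("open" if probe_port(ip, p, timeout) else "closed") for p in port_set}
    open_ports = sorted(p for p, s in states.items() if s == "open")
    return {"ip": ip, "open_ports": open_ports, "port_state": states}


# --- constructed local fixture so the example runs without a network target ---
def _start_listener() -> socket.socket:
    """Listen on an ephemeral 127.0.0.1 port and accept (then drop) connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def _accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed: stop the thread
                return

    threading.Thread(target=_accept_loop, daemon=True).start()
    return srv


def _unused_port() -> int:
    """Reserve and release an ephemeral port so it is closed when scanned."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> Dict:
    """Scan a two-port set: one live local listener, one closed port."""
    srv = _start_listener()
    live = srv.getsockname()[1]
    dead = _unused_port()
    try:
        return detect_open_ports("127.0.0.1", [live, dead], timeout=0.5)
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

Two practitioner caveats: a full TCP connect completes the handshake, so the target (honeypot or not) logs the scanner's source address, and a port that silently drops packets shows up as a timeout, which this scan reports as closed rather than filtered; the timeout must be sized for the path being scanned, and the scan run only against addresses one is authorised to assess.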
The fingerprint detection module performs fingerprint detection analysis on the target internet protocol address and the open port in the open port information to obtain open service information corresponding to the open port in the open port information, and the fingerprint detection module comprises:
a probe data transmitting unit, configured to determine a target service device through an open port in the target internet protocol address and the open port information, and transmit specific probe data to the target service device;
The response data receiving unit is used for receiving response data which are returned by the target service equipment and are specific to the specific detection data, and performing feature analysis on the response data to obtain the service type corresponding to the open port in the open port information;
and the open service information acquisition unit is used for combining the target internet protocol address, the open port in the open port information, the specific probe data, the response data and the service type into open service information.
The login information obtaining module determines a login type open port from the open ports included in the open port information according to the service type in the open service information, and obtains open service login information corresponding to the login type open port, including:
the port classifying unit is used for classifying the open ports contained in the open port information according to the service types in the open service information to obtain M open port groups; the open ports contained in one open port group have the same service type, and M is a positive integer;
a login type port determining unit, configured to determine, as a login type open port, an open port in an open port group having a service type of login type service type, from M open port groups;
The login information acquisition unit is used for acquiring account login information corresponding to the login type open port, and combining the target internet protocol address, the login type open port, the login type service type and the account login information into the open service login information.
The second obtaining module obtains the honeypot feature identification information corresponding to the target internet protocol address, and the second obtaining module comprises:
a request receiving object determining unit, configured to obtain K honeypot feature identification strategies in an identification strategy set, and to determine, for honeypot feature identification strategy a among the K strategies, the request receiving object corresponding to strategy a according to the honeypot type corresponding to strategy a; the K honeypot feature identification strategies identify different types of honeypots, and K is a positive integer;
a request data packet generating unit, configured to generate the request data packet corresponding to honeypot feature identification strategy a according to the open service information and the detection packet format corresponding to strategy a, and to send the request data packet to the request receiving object;
a feature matching unit, configured to receive the request response data returned by the request receiving object, and to match the request response data against the honeypot features in honeypot feature identification strategy a according to the matching logic corresponding to strategy a, obtaining the honeypot matching result corresponding to strategy a;
and a honeypot feature information obtaining unit, configured to determine the honeypot matching results corresponding to the K honeypot feature identification strategies as the honeypot feature identification information corresponding to the target internet protocol address.
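An added example (not the patent's code or data) that carries the fingerprint detection, the grouping of open ports into login-type groups, and the honeypot feature identification strategies of the preceding three modules through in one piece of Python. The probes, fingerprint rules, strategy definitions and the constructed responses that stand in for the target service device are all illustrative assumptions; the one concrete banner signature is an old default banner of a well-known open-source SSH honeypot, used only to show the shape of a signature strategy.

```python
"""Fingerprinting, login-type grouping and feature strategies (added example)."""
import re
from typing import Callable, Dict, List

Send = Callable[[int, bytes], bytes]  # (port, probe data) -> response data

HTTP_GET = b"GET / HTTP/1.0\r\nHost: target\r\n\r\n"
# Fixed 'random-looking' paths so the offline fixture can answer them;
# a live probe would generate fresh ones for every scan.
RANDOM_PATHS = [b"/zq8k3t1v", b"/p0w4x9ad"]


def http_get(path: bytes) -> bytes:
    return b"GET " + path + b" HTTP/1.0\r\nHost: target\r\n\r\n"


# Constructed responses standing in for the target service device. Port 80
# answers every path 200 with one body, as low-interaction web honeypots often
# do; port 8080 behaves like a real server and answers unknown paths with 404.
CONSTRUCTED_RESPONSES = {
    (21, b""): b"220 (vsFTPd 3.0.3)\r\n",
    (22, b""): b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n",
    (80, HTTP_GET): b"HTTP/1.0 200 OK\r\nServer: nginx\r\n\r\n<html>shop</html>",
    (80, http_get(RANDOM_PATHS[0])): b"HTTP/1.0 200 OK\r\nServer: nginx\r\n\r\n<html>shop</html>",
    (80, http_get(RANDOM_PATHS[1])): b"HTTP/1.0 200 OK\r\nServer: nginx\r\n\r\n<html>shop</html>",
    (8080, HTTP_GET): b"HTTP/1.0 200 OK\r\nServer: Apache\r\n\r\n<html>admin</html>",
    (8080, http_get(RANDOM_PATHS[0])): b"HTTP/1.0 404 Not Found\r\n\r\nnot found",
    (8080, http_get(RANDOM_PATHS[1])): b"HTTP/1.0 404 Not Found\r\n\r\nnot found",
}


def offline_send(port: int, probe: bytes) -> bytes:
    """Stand-in for sending specific probe data to the target service device."""
    return CONSTRUCTED_RESPONSES.get((port, probe), b"")


# Fingerprint rules: regex over the response -> service type. Banner ports get
# an empty probe (read the greeting); everything else gets an HTTP request.
SERVICE_RULES = [(rb"^SSH-", "ssh"), (rb"^220 .*FTP", "ftp"), (rb"^HTTP/", "http")]
BANNER_PORTS = {21, 22, 23}
LOGIN_TYPES = {"ssh", "ftp", "telnet"}  # service types that expose a login


def fingerprint(response: bytes) -> str:
    for pattern, service in SERVICE_RULES:
        if re.match(pattern, response, re.IGNORECASE):
            return service
    return "unknown"


def collect_open_service_info(ip: str, open_ports: List[int], send: Send) -> List[Dict]:
    """Fingerprint detection: probe each open port and keep ip, port, probe,
    response and service type together (the open service information)."""
    info = []
    for port in open_ports:
        probe = b"" if port in BANNER_PORTS else HTTP_GET
        resp = send(port, probe)
        info.append({"ip": ip, "port": port, "probe": probe,
                     "response": resp, "service_type": fingerprint(resp)})
    return info


def group_by_service_type(info: List[Dict]) -> Dict[str, List[int]]:
    """The M open port groups, one per service type."""
    groups: Dict[str, List[int]] = {}
    for svc in info:
        groups.setdefault(svc["service_type"], []).append(svc["port"])
    return groups


def login_type_ports(info: List[Dict]) -> List[int]:
    """Open ports in the groups whose service type is a login type."""
    groups = group_by_service_type(info)
    return sorted(p for t, ports in groups.items() if t in LOGIN_TYPES for p in ports)


def _status(resp: bytes) -> int:
    m = re.match(rb"HTTP/\d\.\d (\d{3})", resp)
    return int(m.group(1)) if m else 0


def wildcard_200(responses: List[bytes]) -> bool:
    """Matching logic: every random path answered 200 with an identical body."""
    bodies = [r.split(b"\r\n\r\n", 1)[-1] for r in responses]
    return bool(responses) and all(_status(r) == 200 for r in responses) and len(set(bodies)) == 1


# One strategy per honeypot type: the service type whose ports receive the
# request, the probes (detection packet format) and the matching logic.
STRATEGIES = [
    {"name": "ssh-honeypot-default-banner", "honeypot_type": "ssh", "service_type": "ssh",
     "probes": [b""],
     # Illustrative signature; a production set is maintained from verified captures.
     "match": lambda rs: any(re.search(rb"OpenSSH_6\.0p1 Debian-4\+deb7u2", r) for r in rs)},
    {"name": "http-wildcard-200", "honeypot_type": "web", "service_type": "http",
     "probes": [http_get(p) for p in RANDOM_PATHS], "match": wildcard_200},
]


def run_strategies(info: List[Dict], strategies: List[Dict], send: Send) -> Dict[str, bool]:
    """Honeypot feature identification information: one match result per
    strategy, each strategy sent only to ports of the service type it targets."""
    return {
        s["name"]: any(s["match"]([send(svc["port"], p) for p in s["probes"]])
                       for svc in info if svc["service_type"] == s["service_type"])
        for s in strategies
    }


if __name__ == "__main__":
    info = collect_open_service_info("203.0.113.10", [21, 22, 80, 8080], offline_send)
    print(group_by_service_type(info), login_type_ports(info))
    print(run_strategies(info, STRATEGIES, offline_send))
```

Routing each strategy only to ports of its service type keeps the probe count proportional to the open ports actually found, and the matching logic is a function rather than a fixed string so a behavioural check (the wildcard 200 above) and a banner signature fit the same strategy record. Banner signatures are the weaker of the two: an operator can change a default banner in one line of configuration, while answering every path identically is harder to hide.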
The weighted summation module obtains the honeypot evaluation value of the target internet protocol address on each honeypot evaluation index, and the weighted summation module comprises:
a first evaluation value determining unit, configured to determine the honeypot evaluation value of the target internet protocol address on the basic network information according to whether the holder information in the basic network information matches the network service corresponding to the target internet protocol address;
a second evaluation value determining unit, configured to determine the honeypot evaluation value of the target internet protocol address on the risk marking information according to the proportion of hit labels among the risk type labels contained in the risk marking information;
a third evaluation value determining unit, configured to determine the honeypot evaluation value of the target internet protocol address on the open port information according to the number of open ports included in the open port information;
a fourth evaluation value determining unit, configured to determine the honeypot evaluation value of the target internet protocol address on the open service information according to the open ports and the service type distribution information included in the open service information;
a fifth evaluation value determining unit, configured to determine the honeypot evaluation value of the target internet protocol address on the open service login information according to the login attempt result corresponding to the account login information in the open service login information;
and a sixth evaluation value determining unit, configured to determine the honeypot evaluation value of the target internet protocol address on the honeypot feature identification information according to the number of successful matching results included in the honeypot feature identification information.
Wherein the sixth evaluation value determining unit determines the honeypot evaluation value of the target internet protocol address on the honeypot feature identification information according to the number of successful matching results included in the honeypot feature identification information, including:
if the honeypot feature identification information contains a successful honeypot matching result for any honeypot feature identification strategy, determining the honeypot evaluation value of the target internet protocol address on the honeypot feature identification information as a first evaluation value;
and if the honeypot matching results corresponding to all K honeypot feature identification strategies are matching failure results, determining the honeypot evaluation value of the target internet protocol address on the honeypot feature identification information as a second evaluation value.
The weighted summation module performs weighted summation of the honeypot evaluation value corresponding to each honeypot evaluation index and the index weight corresponding to that index to obtain the honeypot detection result corresponding to the target internet protocol address, and the weighted summation module comprises:
a weighting unit, configured to perform weighted summation of the honeypot evaluation value corresponding to each honeypot evaluation index and the index weight corresponding to that index to obtain a comprehensive evaluation value corresponding to the target internet protocol address;
a honeypot detection result determining unit, configured to determine that the honeypot detection result corresponding to the target internet protocol address is "honeypot" if the comprehensive evaluation value is greater than the honeypot evaluation threshold;
and the honeypot detection result determining unit is further configured to determine that the honeypot detection result corresponding to the target internet protocol address is "undetermined" if the comprehensive evaluation value is less than or equal to the honeypot evaluation threshold.
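A worked version of the six evaluation values, the weighted summation and the threshold decision above, added here as an example and not the patent's own code: each evaluation value is derived from the collected information with a simple rule, multiplied by its index weight, summed into the comprehensive evaluation value and compared with the threshold. The scoring rules, the weights, the threshold, the label set and the two sample targets (documentation-range addresses) are all assumptions chosen to illustrate the method.

```python
"""Weighted-summation honeypot scoring over six evaluation indices (added example)."""
from typing import Dict, Iterable

# Assumed index weights. They are required to sum to 1 so the comprehensive
# evaluation value stays in 0..1 and the threshold has a fixed meaning.
WEIGHTS = {"base_network": 0.10, "risk_marks": 0.15, "open_ports": 0.15,
           "open_services": 0.15, "login": 0.20, "features": 0.25}
HONEYPOT_THRESHOLD = 0.5  # assumed

# Assumed plausibility table for the first index: which service types one
# expects behind a holder of a given category.
PLAUSIBLE_SERVICES = {
    "cloud": {"http", "ssh", "ftp", "unknown"},
    "isp_consumer": {"http", "unknown"},
    "enterprise": {"http", "ssh", "ftp", "telnet", "modbus", "unknown"},
}


def score_base_network(holder_category: str, service_types: Iterable[str]) -> float:
    """1.0 when the observed services do not fit the holder (e.g. a consumer
    ISP range exposing an industrial protocol), else 0.0."""
    allowed = PLAUSIBLE_SERVICES.get(holder_category, set())
    return 0.0 if set(service_types) <= allowed else 1.0


def score_risk_marks(hit_labels: Iterable[str], label_set: Iterable[str]) -> float:
    """Share of the risk type label set that the address hit."""
    labels = list(label_set)
    return len(set(hit_labels)) / len(labels) if labels else 0.0


def score_open_ports(n_open: int, saturate_at: int = 10) -> float:
    """Real hosts rarely expose many services; saturate at 10 open ports."""
    return min(n_open / saturate_at, 1.0)


def score_open_services(service_types: Iterable[str], saturate_at: int = 5) -> float:
    """Many distinct service types on one address suggests a multi-service decoy."""
    return min(len(set(service_types)) / saturate_at, 1.0)


def score_login(login_results: Dict[int, bool]) -> float:
    """1.0 if any login-type port accepted the throwaway test credentials."""
    return 1.0 if any(login_results.values()) else 0.0


def score_features(match_results: Dict[str, bool], first: float = 1.0, second: float = 0.0) -> float:
    """First evaluation value when any strategy matched, otherwise the second."""
    return first if any(match_results.values()) else second


def weighted_sum(values: Dict[str, float], weights: Dict[str, float]) -> float:
    """Comprehensive evaluation value; refuses mismatched or unnormalised weights."""
    if set(values) != set(weights):
        raise ValueError("evaluation indices and weights do not line up")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("index weights must sum to 1")
    return sum(values[k] * weights[k] for k in weights)


def evaluate(target: Dict) -> Dict:
    """Score one target and apply the threshold: 'honeypot' or 'undetermined'."""
    values = {
        "base_network": score_base_network(target["holder_category"], target["service_types"]),
        "risk_marks": score_risk_marks(target["hit_labels"], target["label_set"]),
        "open_ports": score_open_ports(len(target["open_ports"])),
        "open_services": score_open_services(target["service_types"]),
        "login": score_login(target["login_results"]),
        "features": score_features(target["feature_matches"]),
    }
    total = weighted_sum(values, WEIGHTS)
    verdict = "honeypot" if total > HONEYPOT_THRESHOLD else "undetermined"
    return {"ip": target["ip"], "values": values, "score": round(total, 6), "result": verdict}


# Constructed sample targets (RFC 5737 documentation addresses, not real hosts).
LABEL_SET = ["scanner", "malware_c2", "proxy", "honeypot_suspect"]
SUSPECT = {"ip": "203.0.113.10", "holder_category": "isp_consumer",
           "service_types": ["ssh", "http", "modbus"],
           "hit_labels": ["scanner", "honeypot_suspect"], "label_set": LABEL_SET,
           "open_ports": list(range(20, 32)), "login_results": {22: True},
           "feature_matches": {"http-wildcard-200": True}}
ORDINARY = {"ip": "203.0.113.20", "holder_category": "cloud",
            "service_types": ["ssh", "http"], "hit_labels": [], "label_set": LABEL_SET,
            "open_ports": [22, 443], "login_results": {22: False},
            "feature_matches": {"http-wildcard-200": False}}

if __name__ == "__main__":
    for t in (SUSPECT, ORDINARY):
        print(evaluate(t))
```

Two points worth keeping in view when tuning such a score. First, the result below the threshold is "undetermined", not "real system": a well-built high-interaction honeypot can score low on every index, so a low score must not be read as clearance. Second, the linear model cannot express interactions between indices (a login that accepts any password is far more damning when the banner also matches a known decoy), so the weights and threshold need calibrating on labelled scans rather than being set by intuition.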
The weighted summation module returns the honeypot detection result to the communication application, and the weighted summation module comprises the following steps:
the detection result encryption unit is used for encrypting the honeypot detection result by adopting the object access token and the key information corresponding to the intelligent detection object in the communication application to generate second message encryption data;
the message sending unit is used for returning the second message encryption data to the communication application so that the communication application can send the second message data to the message sending object corresponding to the first message data through the intelligent detection object; the second message data is obtained by decrypting the second message encrypted data by the communication application.
Wherein the apparatus further comprises:
a log generation module, configured to obtain system behavior information associated with the target internet protocol address and to generate a behavior log from the system behavior information;
a log uploading module, configured to upload the behavior log to a blockchain system, so that the blockchain nodes in the blockchain system encapsulate the behavior log into a transaction block and record the transaction block once consensus is reached;
and a log storage module, configured to receive uplink (on-chain) success information returned by a blockchain node in the blockchain system, and to store the file hash of the behavior log in the blockchain system in a local database according to the uplink success information; the file hash indicates the storage location of the behavior log in the blockchain system.
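The three log modules above amount to a tamper-evidence scheme: the detector keeps only a file hash locally and relies on the ledger to hold the log itself. The added example below (not the patent's design) shows the piece a practitioner would want to check, namely that the locally stored hash can later be used to confirm the ledger's copy is intact. A minimal append-only hash chain stands in for the blockchain system; the block layout, the canonical JSON-lines log format and the constructed events are assumptions.

```python
"""Behavior log hashing against a minimal hash-chained ledger (added example)."""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64


def build_behavior_log(ip: str, events: List[Dict]) -> bytes:
    """Serialise system behavior information for one target as canonical JSON
    lines (sorted keys, no whitespace) so equal events always hash equal."""
    lines = [json.dumps({"ip": ip, **e}, sort_keys=True, separators=(",", ":")) for e in events]
    return ("\n".join(lines) + "\n").encode()


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Ledger:
    """Append-only chain; each block commits to the previous block's hash."""

    def __init__(self) -> None:
        self.blocks: List[Dict] = []

    def append(self, log: bytes) -> str:
        """Encapsulate a log into a block; returns the file hash the detector
        stores locally as the 'uplink success' reference."""
        prev = self.blocks[-1]["block_hash"] if self.blocks else GENESIS
        fh = file_hash(log)
        block_hash = hashlib.sha256((prev + fh).encode()).hexdigest()
        self.blocks.append({"prev": prev, "file_hash": fh, "log": log, "block_hash": block_hash})
        return fh

    def fetch(self, fh: str) -> Optional[bytes]:
        """Look a log up by its file hash (the storage location in this scheme)."""
        return next((b["log"] for b in self.blocks if b["file_hash"] == fh), None)

    def verify(self) -> bool:
        """Recompute every link; False if any log or block was altered."""
        prev = GENESIS
        for b in self.blocks:
            if b["prev"] != prev or file_hash(b["log"]) != b["file_hash"]:
                return False
            if hashlib.sha256((prev + b["file_hash"]).encode()).hexdigest() != b["block_hash"]:
                return False
            prev = b["block_hash"]
        return True


def audit(local_db: Dict[str, str], ledger: Ledger) -> Dict[str, bool]:
    """For each target IP, confirm the ledger still holds a log whose content
    hashes to the value stored locally at upload time."""
    result = {}
    for ip, fh in local_db.items():
        log = ledger.fetch(fh)
        result[ip] = log is not None and file_hash(log) == fh
    return result


# Constructed events for one target (documentation-range address).
EVENTS = [
    {"ts": "2024-01-01T00:00:00Z", "action": "tcp_connect", "port": 22, "state": "open"},
    {"ts": "2024-01-01T00:00:01Z", "action": "probe", "port": 80, "service": "http"},
]


def demo() -> Dict:
    ledger = Ledger()
    log = build_behavior_log("203.0.113.10", EVENTS)
    local_db = {"203.0.113.10": ledger.append(log)}
    before = (ledger.verify(), audit(local_db, ledger))
    ledger.blocks[0]["log"] = log.replace(b'"port":22', b'"port":23')  # tamper
    after = (ledger.verify(), audit(local_db, ledger))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The local hash only proves integrity of what was uploaded; it says nothing about whether the events were recorded truthfully in the first place, so the log generation step still needs its own access controls.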
An aspect of an embodiment of the present application provides a computer device, including a memory and a processor, where the memory is connected to the processor, and the memory is used to store a computer program, and the processor is used to call the computer program, so that the computer device performs the method provided in the foregoing aspect of the embodiment of the present application.
An aspect of an embodiment of the present application provides a computer readable storage medium, in which a computer program is stored, the computer program being adapted to be loaded and executed by a processor, to cause a computer device having a processor to perform the method provided in the above aspect of an embodiment of the present application.
According to one aspect of the present application, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the method provided in the above aspect.
According to the embodiments of the application, the target internet protocol address (IP address) is obtained through the communication application, so that the basic network information, risk marking information, open port information, open service login information and honeypot feature identification information corresponding to the target IP address can be obtained; this information serves as the different honeypot evaluation indices, and analysing each index yields the honeypot evaluation value of the target IP address on that index. Weighted summation of the honeypot evaluation value corresponding to each index and the index weight corresponding to each index then gives the final honeypot detection result for the target IP address. That is, the final honeypot detection result is determined by the comprehensive evaluation value obtained from the weighted sum of the honeypot evaluation values of the honeypot identification indices, which keeps the data about the target IP address comprehensive during honeypot identification and thereby improves identification accuracy; at the same time, the honeypot detection flow can be triggered by entering the target IP address as message data in the communication application, and the honeypot detection result for the target IP address is output directly in the communication application, which reduces the manual steps in the detection process and so improves detection efficiency.
Drawings
In order to illustrate the embodiments of the application or the technical solutions in the prior art more clearly, the drawings required for the embodiments or the description of the prior art are briefly introduced below. It is obvious that the drawings described below are only some embodiments of the application, and that a person skilled in the art could obtain other drawings from them without inventive effort.
Fig. 1 is a schematic structural diagram of a network architecture according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a network honeypot detection scenario provided by an embodiment of the present application;
Fig. 3 is a schematic flow chart of a network honeypot identification method according to an embodiment of the present application;
Fig. 4 is a schematic diagram of an interface for honeypot detection according to an embodiment of the present application;
Fig. 5 is a second schematic flow chart of a network honeypot identification method according to an embodiment of the present application;
Fig. 6 is a schematic diagram of honeypot detection based on a linear weighting method according to an embodiment of the present application;
Fig. 7 is a schematic diagram of honeypot detection according to an embodiment of the present application;
Fig. 8 is a schematic diagram of a network honeypot detection flow based on a weighting method according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a network honeypot identification device according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
For ease of understanding, the following is a brief description of several basic concepts involved in embodiments of the application:
network Honeypot (Honeypot): network honeypots are a security mechanism, which is a virtual or simulated system, aimed at attracting attackers and collecting their attack information in order to analyze the attack behaviour and enhance network security. The network honeypot may simulate various systems and services, such as network servers, routers, applications, etc., to attract an attacker to attack the simulated various systems and services while recording the attacker's behavior and collecting relevant information.
Weighting method: a weight expresses the importance of a factor or index relative to the thing being evaluated. It differs from a simple proportion in that it is expressed not only as the percentage a factor or index accounts for, but as the relative importance of that factor or index, that is, how much it contributes to the outcome. The linear weighting method is the most common and the simplest weighting method; it assumes the factors combine linearly, i.e. each factor's contribution to the decision is proportional to its weight.
Internet protocol address (IP address): the IP address is a uniform address format provided by the IP protocol; it assigns a logical address to every network and every host on the internet, masking differences between physical addresses.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a network architecture provided in an embodiment of the present application, where the network architecture may include a detection service device 10e, an application service device 10d, and a terminal cluster, and the terminal cluster may include one or more terminal devices, where the number of terminal devices included in the terminal cluster is not limited. As shown in fig. 1, the terminal cluster may specifically include a terminal device 10a, a terminal device 10b, a terminal device 10c, and the like; all the terminal devices in the terminal cluster can be connected with the application service device 10d through a network, so that each terminal device can perform data interaction with the application service device 10d through the network connection. The application service device 10d may be in network connection with the detection service device 10e, so that the application service device 10d may perform data interaction with the detection service device 10e through the network connection.
The terminal devices in the terminal cluster may include smart phones, tablet computers, notebook computers, palm computers, mobile internet devices (mobile internet device, MID), wearable devices (such as smart watches, smart bracelets, etc.), intelligent voice interaction devices, intelligent home appliances (such as smart televisions, etc.), vehicle-mounted devices, aircraft, and other electronic devices; the application does not limit the types of the terminal devices. It will be appreciated that each terminal device in the terminal cluster shown in fig. 1 may be provided with a communication application, and when the communication application runs in a terminal device, it may perform data interaction with the application service device 10d shown in fig. 1. The communication application running in each terminal device may be an independent program application, or may be an embedded sub-program integrated in some other program application, which is not limited in the present application. The communication application running in each terminal device may be any program application with a communication function, such as an instant messaging application, an office communication application, a mail communication application, etc.; the application does not limit the type of the communication application.
It may be understood that the application service device 10d shown in fig. 1 may be a background server corresponding to the communication application executed by each terminal device in the terminal cluster, and the application service device 10d may be configured to store relevant information of all communication objects in the communication application, where the relevant information may include, but is not limited to: object identification information (object account number, password, identity mark and the like) of the communication objects in the communication application, transmitted message data, received message data, association relations among different communication objects and the like; the communication objects may include real users who have completed registration in the communication application, as well as smart objects with specific functions (e.g., robots for triggering a honeypot detection process, referred to herein as smart detection objects). The detection service device 10e shown in fig. 1 may be used to detect whether a target internet protocol address (IP address) is a network honeypot, and the detection service device 10e may also be referred to as a honeypot detection engine server.
For example, when the communication object a in the communication application wants to detect whether the target IP address is a network honeypot, a message 1 may be sent to the smart detection object in the communication application, where the content of the message 1 may include a honeypot detection instruction (e.g., honeypot_ip) and the target IP address to be detected. Through this message 1, the smart detection object in the communication application can be activated, and the application service device 10d can forward the message 1 received by the smart detection object to the detection service device 10e. After the detection service device 10e obtains the content of the message 1, a target IP address to be detected can be obtained from the content of the message 1, and then the honeypot detection is performed on the target IP address, so as to obtain a honeypot detection result corresponding to the target IP address; the detection service device 10e may return the honeypot detection result of the target IP address to the application service device 10d, and further display the honeypot detection result in the communication application, so as to notify the communication object a of the honeypot detection result of the target IP address.
The application service device 10d and the detection service device 10e may be servers. The servers related to the embodiment of the present application may be independent physical servers, a server cluster or distributed system formed by a plurality of physical servers, or cloud servers that provide cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content distribution networks (Content Delivery Network, CDN), and basic cloud computing services such as big data and artificial intelligence platforms; the type of the application service device 10d is not limited.
Referring to fig. 2, fig. 2 is a schematic diagram of a network honeypot detection scenario provided in an embodiment of the present application. The terminal device 20a shown in fig. 2 may be any one of the terminal devices in the terminal cluster shown in fig. 1; the terminal device 20a may be an electronic device used by the communication object a in the communication application, and the communication application is installed in the terminal device 20a. The current display interface shown in fig. 2 is a session page 20b between the communication object a and a smart detection object in the communication application (the smart detection object may here be referred to as a honeypot detection assistant, or by any other name, which is not limited in the present application). A message input area 20d may be displayed in the session page 20b; the communication object a may send message data (the message data may be a honeypot detection instruction for a target IP address to be detected) to the honeypot detection assistant through the message input area 20d in the session page 20b to trigger a honeypot detection procedure, and the message data sent by the communication object a to the honeypot detection assistant may be displayed in the session page 20b.
When the communication object a wants to detect whether the target IP address (139.155.xxx.xx) is a network honeypot, as shown in fig. 2, a session page 20b between the communication object a and the honeypot detection assistant may be opened in the communication application, message data 20c may be sent to the honeypot detection assistant through the message input area 20d in the session page 20b, and the message data 20c may be displayed in the session page 20b. The content of the message data 20c may be "/honeypot_ip 139.155.xxx.xx", where "/honeypot_ip" in the message data 20c is a honeypot detection instruction, which instructs the honeypot detection assistant in the communication application to trigger a honeypot detection procedure for the target IP address (139.155.xxx.xx).
After the application service device 10d (the background server corresponding to the communication application) acquires the message data 20c sent to the honeypot detection assistant by the communication object a, the message data 20c may be sent to the detection service device 10e (which may be a honeypot detection server) based on the honeypot detection instruction in the message data 20c, so as to trigger a honeypot detection process of the detection service device 10e on the target IP address (139.155.xxx.xx). After receiving the message data 20c, the detection service device 10e may acquire the target IP address (139.155.xxx.xx) from the message data 20c, perform honeypot detection on the target IP address (139.155.xxx.xx), obtain a honeypot detection result 20e for the target IP address (139.155.xxx.xx), and return the honeypot detection result 20e to the application service device 10d. The honeypot detection process for the target IP address is described in detail below.
After receiving the honeypot detection result 20e returned by the detection service device 10e, the application service device 10d may transmit the honeypot detection result 20e to the terminal device 20a, and the terminal device 20a may display the honeypot detection result 20e in the session page 20b between the communication object a and the honeypot detection assistant. The honeypot detection result 20e may include, among other things, the detected target (139.155.xxx.xx), the detection time (2023-xx-xx 10:47:23), a conclusion (e.g., honeypot found), and details, which may list all honeypots detected on all open ports of the target IP address (139.155.xxx.xx), such as: port 21 of the target IP address (139.155.xxx.xx) has a honeypot of type A, port 22 has a honeypot of type B, port 81 has a honeypot of type C, port 1433 has a honeypot of type D, port 9200 has a honeypot of type E, etc. It will be appreciated that an IP address may correspond to 65536 port numbers, ranging from 0 to 65535. The IP address is used to connect to the destination device and uniquely identifies a computer; to access a particular service (or application program) on a given computer, a port number must also be specified, and different services are distinguished by port number. Port numbers between 0 and 1023 may be used for some common network services and applications, while a user's own application may use a port number above 1024, so that its port number is not occupied by another application or service.
In the embodiment of the application, a communication object in the communication application only needs to send the honeypot detection instruction associated with the target IP address to be detected to the honeypot detection assistant in the communication application, in the form of message data, and the honeypot detection result corresponding to the target IP address is output in the communication application. Therefore, the embodiment of the application implements the network honeypot detection flow as an automated platform: by sending a honeypot detection instruction as a message in an ordinary communication application, the honeypot detection result for a target IP address can be obtained quickly, which reduces cumbersome operations in the honeypot detection process and improves the efficiency of honeypot detection for the target IP address.
Referring to fig. 3, fig. 3 is a flowchart illustrating a network honeypot identification method according to an embodiment of the present application. It will be appreciated that the network honeypot identification method may be performed by a detection service device (e.g., the detection service device 10e shown in fig. 1), which may be a terminal device or a server; the present application is not limited in this regard. As shown in fig. 3, the network honeypot identification method may include the following steps S101 to S106:
step S101, a target Internet protocol address is obtained through a communication application, and basic network information and risk marking information corresponding to the target Internet protocol address are obtained.
Specifically, during a network security assessment, if an object wants to detect whether an IP address is a network honeypot, the object may send a honeypot detection instruction (e.g., the message data 20c shown in fig. 2) as message data to the smart detection object in the communication application of the terminal device it uses (e.g., the terminal device 10a shown in fig. 1), so that the honeypot detection flow for the IP address is triggered through the smart detection object in the communication application. The communication application may be any communication application program integrated with a smart detection object for triggering the honeypot detection flow; an object registered in the communication application may be referred to as a communication object (e.g., the aforementioned object that wants to detect whether the IP address is a network honeypot). The smart detection object may be a simulated user integrated in the communication application (e.g., a specially designed robot, which may be referred to as a honeypot detection assistant or as an application robot; the present application is not limited in this regard) that is dedicated to triggering the honeypot detection process. The functions of the smart detection object in the communication application can be designed in advance by the application developers, and its name can be set according to actual requirements; smart detection objects in different communication applications can have the same functions and the same or different names, and the application is not limited in this regard.
When a communication object in the communication application sends a honeypot detection instruction "honeypot_ip address" to the smart detection object in the communication application, the honeypot detection instruction is sent to the smart detection object in the form of message data; the terminal device used by the communication object can acquire the honeypot detection instruction sent by the communication object to the smart detection object and display it in the communication application. It should be understood that the terminal device may transmit the honeypot detection instruction to the application service device (which may be regarded as the background server corresponding to the communication application, such as the application service device 10d shown in fig. 1), and the application service device may send the honeypot detection instruction to the detection service device. The detection service device receives the honeypot detection instruction sent by the application service device, acquires the target IP address carried in the honeypot detection instruction, and starts executing the honeypot detection procedure for the target IP address; in other words, the honeypot detection instruction triggers the detection service device to execute the honeypot detection procedure.
A communication object in the communication application can activate the smart detection object in the communication application in any one of the following ways. (1) Activation by opening the session page: the communication object can switch from any session page into the single-chat session page of the smart detection object, thereby activating the smart detection object by opening its single-chat session page, and can then enter a honeypot detection instruction in that single-chat session page to trigger the detection service device to execute the honeypot detection flow. (2) Message activation: the communication object can enter message data in the single-chat session page of the smart detection object, activating the smart detection object through that message data, and the honeypot detection instruction contained in the message data triggers the detection service device to execute the honeypot detection flow; the specific implementation is described in the embodiment corresponding to fig. 2. (3) Mention activation: the communication object can activate the smart detection object in any group by mentioning it (for example, @ smart detection object); for example, a honeypot detection instruction can be sent in the group together with @ smart detection object, which triggers the detection service device to execute the honeypot detection flow.
After the detection service device extracts the target IP address to be detected from the honeypot detection instruction sent by the application service device, the target IP address can be analyzed to obtain basic network information, which facilitates the subsequent recognition of honeypots. It can be understood that, in the embodiment of the present application, the basic network information corresponding to the target IP address may be acquired in an offline manner, an online manner, or a combined offline+online manner, where the basic network information may include basic information about the target IP address such as geographical area location information, holder information, and security tag information.
The offline manner can be understood as follows: IP addresses and their corresponding basic network information are stored as offline text in a local database of the detection service device (referred to here as an offline information base for convenience), and when the basic network information corresponding to the target IP address needs to be queried, it can be looked up directly in the offline text of the offline information base. It should be understood that the basic network information acquired in the offline manner may not be the latest basic network information of the target IP address, that is, the accuracy of basic network information queried from the offline text cannot be guaranteed; to keep the basic network information of IP addresses in the offline text as accurate as possible, the offline text must be updated frequently.
Alternatively, the online manner can be understood as follows: the basic network information corresponding to the target IP address is queried through a public interface on the internet (referred to here as a basic information query interface). The basic information query interface may be a public interface opened by a network information service provider, that is, the network information service provider provides an information query service to the outside through the open query interface. It should be understood that the latest basic network information can be obtained in the online manner, but because the basic information query interface is a public interface, query tasks may become congested when the query volume is huge, which affects working efficiency.
It should be noted that, in the embodiment of the present application, a suitable manner may be selected according to actual requirements to obtain the basic network information corresponding to the target IP address; for example, a combined offline+online manner may be adopted to query the basic network information, so as to ensure the query effect for the target IP address. For a specific IP address (for example, the target IP address), the offline manner may be used first, and if no result is found, the online manner may be used to call the basic information query interface, so as to obtain the basic network information corresponding to the target IP address. Additionally, the offline information base may be updated at intervals (e.g., daily) to ensure the timeliness of the offline basic network information.
In one or more embodiments, the target IP address may be mined more deeply by querying the risk marking information corresponding to the target IP address. The risk marking information can be derived from attack activity detection organizations in the internet field, which conduct long-term security research on internet attack activity and apply risk marks to IP addresses with potential security risks. The risk marking information corresponding to the target IP address may be obtained by querying an interface opened by a risk marking server (referred to here as a risk information query interface), and the main data structure fields of the risk marking information corresponding to the target IP address may include the target IP address and a risk type tag.
It may be appreciated that a risk type tag is a type tag corresponding to a risk present at the IP address, such as spam, malware, etc.; all risk type tags that may exist for IP addresses on the internet may be collected into one risk type tag set. When the target IP address hits a certain risk type tag in the risk type tag set, the hit risk type tag can be encapsulated into the risk marking information corresponding to the target IP address, and the risk marking information finally obtained for the target IP address can include one or more risk type tags.
Step S102, port open detection is carried out on a port set corresponding to the target Internet protocol address, and open port information corresponding to the target Internet protocol address is obtained in the port set.
Specifically, the detection service device may obtain a port set corresponding to the target IP address, where the port set may include 65536 ports with port numbers in the range 0-65535. Port open detection can then be performed in turn on the 65536 ports contained in the port set to obtain the open state of each port, and a port whose state is open is determined to be an open port; all ports in the port set whose state is open are then collected into an open port list, and the open port information corresponding to the target IP address can be obtained from the open port list. The target IP address may correspond to one or more open ports, in other words, the open port list may include one or more open ports; the primary data structure fields of the open port information may include the target IP address, the open ports in the open port list, and the open state corresponding to each open port.
Step S103, fingerprint detection analysis is carried out on the target Internet protocol address and the open port in the open port information, and the open service information corresponding to the open port in the open port information is obtained.
Specifically, after the open port information corresponding to the target IP address is obtained, fingerprint detection analysis may be performed on the target IP address and the open ports in the open port information, obtaining the port fingerprint information corresponding to each open port. For example, the detection service device may send specific probe data (e.g., the characters "\r\n\r\n", etc.) over the network to the target IP address and an open port in the open port information, and the target service device (e.g., a target server) determined by the target IP address and that open port may return reply data (e.g., an "a001" field) for the specific probe data to the detection service device. After receiving the response data returned by the target service device, the detection service device can perform feature analysis on the response data to obtain the service type corresponding to the open port; the target IP address, the open port, the specific probe data, the response data and the service type can then be used as data structure fields to form the open service information corresponding to the target IP address.
Step S104, determining a login type open port in the open ports included in the open port information according to the service type in the open service information, and obtaining open service login information corresponding to the login type open port.
Specifically, among all the open ports included in the open port information, different open ports may be used to distinguish different services, that is, different open ports may correspond to different service types, which may include login type service types and non-login type service types. The detection service device can determine that an open port whose service type is a login type service type is a login type open port, can then continuously attempt to log in to the service on the login type open port with a large number of account passwords (this login attempt process with a large number of account passwords can be called a brute-force cracking process), and determines the account password combination that logs in successfully as the account login information corresponding to the login type open port. Further, the target IP address, the open port, the service type, the account login information, and the logged-in service information may be used as data structure fields to form the open service login information corresponding to the target IP address.
For example, the open ports in the open port information corresponding to the target IP address include port 2, port 6, port 20, etc.; the service type in the port fingerprint information corresponding to port 2 is a login type service type, the service type corresponding to port 6 is a non-login type service type, and the service type corresponding to port 20 is a login type service type. The detection service device can determine port 2 and port 20 as login type open ports, can determine the successfully logged-in account password after continuous login attempts on the service of port 2 with a large number of account passwords, and determines that successfully logged-in account password as the account login information corresponding to port 2; similarly, the detection service device may also obtain the account login information corresponding to port 20.
It is understood that an open port of a login type service type is an open port that requires an account number and password to be entered. For some open ports of login type service types, account password information that logs in successfully can be obtained by cracking; for others, no account password information that logs in successfully can be obtained, i.e. for some login type open ports no successful login is found. A non-login type open port may be one that can be accessed without entering an account number and password, or one that can be logged in to successfully with any account number and password.
Step S105, obtaining honeypot feature identification information corresponding to the target Internet protocol address, determining the basic network information, risk marking information, open port information, open service login information and honeypot feature identification information as honeypot evaluation indexes corresponding to the target Internet protocol address, and obtaining the index weight corresponding to each honeypot evaluation index.
Specifically, after the open port information corresponding to the target IP address and the service information corresponding to the open ports in the open port information are obtained, the target IP address may be identified using specific honeypot features. For example, K honeypot feature recognition strategies contained in a recognition strategy set can be obtained, where the K honeypot feature recognition strategies can be used to recognize different types of network honeypots and K is a positive integer, e.g. K may be 1, 2, …; network honeypot detection can then be performed on the target IP address with each of the K honeypot feature recognition strategies in turn to obtain the honeypot matching result corresponding to each of the K honeypot feature recognition strategies, and the honeypot matching results corresponding to the K honeypot feature recognition strategies are combined to obtain the honeypot feature identification information corresponding to the target IP address.
The recognition strategy set may include one or more honeypot feature recognition strategies; different honeypot feature recognition strategies may be used to recognize different types of network honeypots, and different types of network honeypots may correspond to different honeypot features. In other words, each type of network honeypot may have its own unique honeypot features. Each honeypot feature recognition strategy may include the probe packet format that needs to be sent for that type of network honeypot and the matching logic. According to the probe packet format in the honeypot feature recognition strategy, a request data packet corresponding to the strategy can be generated; the request data packet can be used to access the service on an open port of the target IP address, the returned request response data (i.e. the response data corresponding to the request data packet) can be obtained, and the request response data is matched against the honeypot features in the honeypot feature recognition strategy to obtain that strategy's honeypot matching result for the target IP address. It may be appreciated that the data structure fields of the honeypot matching result corresponding to each honeypot feature recognition strategy may include the open port, the service type, whether it is a honeypot, the honeypot type, etc.; the honeypot feature identification information corresponding to the target IP address may include the honeypot matching result of each honeypot feature recognition strategy in the recognition strategy set for the target IP address.
In the embodiment of the application, the basic network information, the risk marking information, the open port information, the open service login information and the honeypot feature identification information corresponding to the target IP address can all be determined as honeypot evaluation indexes corresponding to the target IP address. It can be appreciated that, based on a large number of test verifications, a corresponding index weight can be preset for each honeypot evaluation index; the index weight corresponding to each honeypot evaluation index can be calculated by the following formula: index weight = importance of the single honeypot evaluation index / sum of the importances of all honeypot evaluation indexes. The importance of a single honeypot evaluation index may be determined based on the experience, directives, or other factors of an expert or decision object. The sum of the importances of all honeypot evaluation indexes serves as the normalization denominator and ensures that the index weights of all honeypot evaluation indexes sum to 1.
Step S106, obtaining the honeypot evaluation value of the target internet protocol address on each honeypot evaluation index, carrying out weighted summation processing on the honeypot evaluation value corresponding to each honeypot evaluation index and the index weight corresponding to each honeypot evaluation index to obtain the honeypot detection result corresponding to the target internet protocol address, and returning the honeypot detection result to the communication application.
Specifically, each honeypot evaluation index corresponding to the target IP address may be evaluated to obtain a honeypot evaluation value of the target IP address on each honeypot evaluation index, e.g., honeypot evaluation may be performed on the basic network information corresponding to the target IP address to obtain a honeypot evaluation value of the target IP address in the basic network information; performing honeypot judgment on risk marking information corresponding to the target IP address to obtain a honeypot evaluation value of the target IP address in the risk marking information; performing honeypot evaluation on the open port information corresponding to the target IP address to obtain a honeypot evaluation value of the target IP address in the open port information; performing honeypot evaluation on the open service information corresponding to the target IP address to obtain a honeypot evaluation value of the target IP address in the open service information; performing honeypot judgment on the open service login information corresponding to the target IP address to obtain a honeypot evaluation value of the target IP address in the open service login information; and carrying out honeypot evaluation on the honeypot characteristic identification information corresponding to the target IP address to obtain a honeypot evaluation value of the target IP address in the honeypot characteristic identification information.
Further, weighted summation processing is carried out on the honeypot evaluation value corresponding to each honeypot evaluation index and the index weight corresponding to each honeypot evaluation index to obtain a comprehensive evaluation value corresponding to the target internet protocol address. If the comprehensive evaluation value is larger than the honeypot evaluation threshold, the honeypot detection result corresponding to the target internet protocol address is determined to be "honeypot"; if the comprehensive evaluation value is smaller than or equal to the honeypot evaluation threshold, the honeypot detection result corresponding to the target internet protocol address is determined to be "undetermined". The honeypot evaluation threshold may be set according to the actual requirements of the application scenario; for example, on a percentage basis, the honeypot evaluation threshold may be set to 60. When the comprehensive evaluation value corresponding to the target IP address exceeds 60 (the honeypot evaluation threshold), the target IP address can be considered a honeypot; when the comprehensive evaluation value does not exceed 60, it cannot be determined whether the target IP address is a honeypot, that is, the final honeypot detection result is undetermined. The weighted summation processing may refer to weighting each honeypot evaluation index by its corresponding index weight using a linear weighting method, or using a hierarchical weighting method.
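The following Python block is an added illustration of step S106 (weight normalization from expert importances, linear weighted summation, threshold decision); it is not the patent's own code, and the index names, the importances, the per-index evaluation values and the 0-100 score scale are constructed sample values. It uses the six indexes that the explanation of step S106 evaluates and the threshold of 60 from the text.

```python
"""Weighted honeypot scoring for one target IP, as described for step S106.

Added illustration, not the patent's own code: index names, importances,
per-index scores and the 0-100 scale are constructed sample values.
"""

# The six honeypot evaluation indexes evaluated in the description of step S106.
INDEXES = (
    "basic_network",
    "risk_marking",
    "open_port",
    "open_service",
    "open_service_login",
    "honeypot_feature",
)


def index_weights(importance: dict) -> dict:
    """index weight = importance of one index / sum of all importances.

    Dividing by the total is what makes the weights sum to 1.
    """
    total = sum(importance.values())
    if total <= 0:
        raise ValueError("importances must sum to a positive number")
    return {name: value / total for name, value in importance.items()}


def comprehensive_value(scores: dict, weights: dict) -> float:
    """Linear weighted summation of per-index evaluation values (each 0-100)."""
    missing = set(weights) - set(scores)
    if missing:
        raise KeyError(f"no evaluation value for indexes: {sorted(missing)}")
    for name, score in scores.items():
        if not 0 <= score <= 100:
            raise ValueError(f"evaluation value for {name} outside 0-100: {score}")
    return sum(scores[name] * weights[name] for name in weights)


def honeypot_detection_result(scores: dict, importance: dict, threshold: float = 60.0):
    """Return (result, comprehensive value).

    'honeypot' only when the value is strictly greater than the threshold;
    a value equal to the threshold is 'undetermined', as the text specifies.
    """
    value = comprehensive_value(scores, index_weights(importance))
    return ("honeypot" if value > threshold else "undetermined"), value


# Constructed sample: expert importances and two sets of per-index values.
SAMPLE_IMPORTANCE = {
    "basic_network": 1, "risk_marking": 2, "open_port": 1,
    "open_service": 2, "open_service_login": 2, "honeypot_feature": 4,
}
SAMPLE_SCORES_HIGH = {
    "basic_network": 20, "risk_marking": 80, "open_port": 50,
    "open_service": 60, "open_service_login": 90, "honeypot_feature": 95,
}
SAMPLE_SCORES_LOW = {name: 30 for name in INDEXES}
SAMPLE_SCORES_LOW["honeypot_feature"] = 0

if __name__ == "__main__":
    for scores in (SAMPLE_SCORES_HIGH, SAMPLE_SCORES_LOW):
        result, value = honeypot_detection_result(scores, SAMPLE_IMPORTANCE)
        print(f"{value:6.2f} -> {result}")
```

With the constructed importances the weights are 1/12, 2/12, 1/12, 2/12, 2/12 and 4/12; the first sample scores 910/12 (about 75.8) and is reported as a honeypot, the second scores 20 and stays undetermined. Because the result is a strict comparison, a comprehensive value exactly at the threshold is reported as undetermined.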
The detection service device can return the honeypot detection result corresponding to the target IP address to the application service device corresponding to the communication application, and the application service device can send the honeypot detection result to the communication object as message data from the intelligent detection object and display the honeypot detection result corresponding to the target IP address in the communication application. It can be understood that, when the communication object initiates the honeypot detection instruction in the private chat session page of the intelligent detection object, the honeypot detection result corresponding to the target IP address may be displayed in that private chat session page, such as the honeypot detection result 20e in the session page 20b shown in fig. 2; when the communication object @-mentions the intelligent detection object in any group and sends a honeypot detection instruction, the honeypot detection result corresponding to the target IP address can be displayed in the session page of that group.
Referring to fig. 4, fig. 4 is a schematic diagram of a honeypot detection interface according to an embodiment of the present application. The terminal device 30a shown in fig. 4 is provided with a communication application; the terminal device 30a may be an electronic device used by a communication object (for example, small A) in the communication application, and may be any one of the terminal devices in the terminal cluster shown in fig. 1. When object small A wants to detect whether the IP address (139.155.xxx.xx) is a network honeypot, small A can mention the intelligent detection object (e.g., "@ intelligent detection object") in any one of the groups (e.g., group 1) to activate the intelligent detection object. A group can be understood as a platform in the communication application that brings together communication objects with the same hobbies or characteristics so that they can communicate and interact; one group can comprise three or more communication objects.
The current display interface shown in fig. 4 is the session page 30b of group 1, and a message input area 30d may be displayed in the session page 30b. When object small A in the communication application is a member of group 1, small A may perform a triggering operation on the message input area 30d in the session page 30b, input a pointing character plus the intelligent detection object (e.g., "@ intelligent detection object") and a honeypot detection instruction ("/honeypot_ip 139.155.xxx.xx") in the message input area 30d, and then send the input content in the message input area 30d to group 1, where it is displayed in the form of message data 30c in the session page 30b of group 1. It can be understood that when small A sends the message data 30c to group 1, the background server of the communication application (i.e. the application service device 10d shown in fig. 1) may acquire the message data 30c and send it to the detection service device, triggering the detection service device to execute the honeypot detection procedure for the IP address (139.155.xxx.xx) in the message data 30c; for that procedure, refer to the description of steps S101 to S106 in the embodiment corresponding to fig. 3. After the detection service device obtains the honeypot detection result corresponding to the IP address (139.155.xxx.xx), the honeypot detection result may be returned to the background server of the communication application, and the background server may transmit it to the terminal device 30a in the form of message data 30e and display the message data 30e in the session page 30b of the terminal device 30a. The honeypot detection result of the IP address (139.155.xxx.xx) is thereby notified to object small A by the message data 30e.
In the embodiment of the application, the basic network information, the risk marking information, the open port information, the open service login information and the honeypot feature identification information corresponding to the target IP address can be used as different honeypot evaluation indexes, and the final honeypot detection result of the target IP address is determined by the weighted summation of the honeypot evaluation values corresponding to those honeypot evaluation indexes. This ensures the comprehensiveness of the data on the target IP address in the honeypot identification process and can further improve the identification accuracy of honeypots. Meanwhile, the honeypot detection flow can be triggered by inputting the target IP address in the form of message data in the communication application, and the honeypot detection result corresponding to the target IP address is output directly in the communication application, so that complicated operations in the honeypot detection process can be reduced and the honeypot detection efficiency improved.
Referring to fig. 5, fig. 5 is a second flowchart of a network honeypot identification method according to an embodiment of the present application. It will be appreciated that the network honeypot identification method may be performed by a detection service device (e.g., the detection service device 10e shown in fig. 1), which may be a terminal device or a server; the present application is not limited in this regard. As shown in fig. 5, the network honeypot identification method may include the following steps S201 to S214:
Step S201, first message encrypted data sent by a communication application is received; the first message encrypted data is obtained by encrypting first message data received by an intelligent detection object in the communication application, and the first message data is used for instructing the intelligent detection object to trigger a honeypot detection flow.
In the embodiment of the application, when a communication object in the communication application wants to detect whether an IP address is a network honeypot, the communication object can trigger the honeypot detection flow for the IP address by sending message data in the communication application. Specifically, the communication application may provide an intelligent detection object (for example, the intelligent detection object may be named "application" or "honeypot detection assistant", etc., which is not limited in the present application); the intelligent detection object may be added to all groups in the communication application, and is then a group member in any group of the communication application. The intelligent detection object can receive message data from any member in the address book of the communication application, and implements a self-defined logic function. According to the embodiment of the application, the intelligent detection object can serve as the question entry point for a questioning object, and the questioning object can input a honeypot detection instruction in the member page of the intelligent detection object; the questioning object may be any one of the communication objects in the address book of the communication application.
The implementation process of the intelligent detection object in the communication application can include: an intelligent detection object may be newly created in the application service device corresponding to the communication application (which may be the management background of the communication application, or may be referred to as the background server of the communication application), so as to obtain a message credential of the intelligent detection object, where the message credential may include, but is not limited to, a message webhook address (a webhook is a way for one application to provide real-time information to other applications), an object access token (Token), and key information (a key). The callback address in the configuration page of the intelligent detection object may be set to the webhook address of the honeypot detection engine server (the detection service device 10e shown in fig. 1). A communication object in the communication application may use any one of an open activation mode, a message activation mode and a reference (mention) activation mode to activate the intelligent detection object by sending message data to it. For convenience of understanding, the message data sent by the communication object to the intelligent detection object may be referred to as first message data, where the first message data may include a honeypot detection instruction of the form "honeypot_ip address" for instructing the intelligent detection object to trigger the detection service device to start executing the honeypot detection procedure for that IP address.
When a communication object in the communication application sends first message data containing a honeypot detection instruction to the intelligent detection object, the application service device corresponding to the communication application can acquire the first message data sent to the intelligent detection object, encrypt it using the object access token (Token) and key information (ACEkey) corresponding to the intelligent detection object to obtain first message encrypted data, and send the first message encrypted data to the callback address of the detection service device (i.e. the webhook address of the detection service device). In essence, the application service device corresponding to the communication application sends the first message encrypted data to the detection service device, so the detection service device receives the first message encrypted data sent by the application service device.
Step S202, decrypting the first message encrypted data through the object access token and the key information corresponding to the intelligent detection object to obtain first message data corresponding to the intelligent detection object, and obtaining a target Internet protocol address in the first message data.
Specifically, after the detection service device receives the first message encrypted data, it can decrypt the first message encrypted data using the Token and ACEkey corresponding to the intelligent detection object to obtain the first message data corresponding to the intelligent detection object. The target IP address to be detected, that is, the IP address in the honeypot detection instruction contained in the first message data, can then be obtained from the message body content of the first message data, and the honeypot detection flow for the target IP address is started.
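As an added illustration of the parsing in step S202 (not the patent's code), the block below extracts and validates the target IP address from an already decrypted first message body in the "/honeypot_ip address" form shown in fig. 4. The patent does not specify the cipher used with the Token and ACEkey, so the decryption step is deliberately left out; the message strings, the bot name "smart detection object" and the addresses (documentation ranges) are constructed. The practitioner's point is that only a syntactically valid literal IP address should ever reach the scanning steps.

```python
"""Extracting the target IP address from first message data (steps S201-S202).

Added illustration, not the patent's code. The message body format (an
@-mention of the smart detection object followed by "/honeypot_ip <address>")
follows the interface described for fig. 4. Decryption with the object access
token and key is omitted because the patent does not specify the cipher, so
parse_first_message() takes the already decrypted message body.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# One honeypot detection instruction: "/honeypot_ip" followed by one address.
_INSTRUCTION = re.compile(r"(?:^|\s)/honeypot_ip\s+(\S+)")


@dataclass(frozen=True)
class DetectionRequest:
    target_ip: str      # canonical form of the validated address
    mentioned: bool     # whether the smart detection object was @-mentioned


def parse_first_message(body: str, bot_name: str = "smart detection object") -> DetectionRequest | None:
    """Return the detection request carried by a message body, or None.

    Only a literal IPv4/IPv6 address is accepted as the target: hostnames,
    CIDR ranges and anything else are rejected, so the detection service
    never starts a honeypot detection flow for something the instruction
    did not name exactly.
    """
    match = _INSTRUCTION.search(body)
    if match is None:
        return None
    try:
        addr = ipaddress.ip_address(match.group(1))
    except ValueError:
        return None
    return DetectionRequest(target_ip=str(addr), mentioned=f"@{bot_name}" in body)


# Constructed sample messages in the format shown in fig. 4; the addresses are
# documentation/example values, not real targets.
SAMPLE_GROUP_MESSAGE = "@smart detection object /honeypot_ip 203.0.113.7"
SAMPLE_PRIVATE_MESSAGE = "/honeypot_ip 2001:db8::1"
SAMPLE_BAD_MESSAGE = "@smart detection object /honeypot_ip example.com"

if __name__ == "__main__":
    for body in (SAMPLE_GROUP_MESSAGE, SAMPLE_PRIVATE_MESSAGE, SAMPLE_BAD_MESSAGE):
        print(repr(body), "->", parse_first_message(body))
```

A hostname or a CIDR range in place of the address yields None rather than a request, so a malformed or over-broad instruction is dropped before any network activity is triggered.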
Step S203, obtain the basic network information and risk marking information corresponding to the target internet protocol address.
Specifically, after the target IP address is obtained, the basic network information corresponding to the target IP address may be obtained through an interface opened by a network information service provider (which may be referred to as the basic information query interface); the risk marking information corresponding to the target IP address may likewise be obtained through an interface opened by a risk marking server (the risk information query interface).
In one or more embodiments, the process of obtaining the basic network information corresponding to the target IP address may include: the target internet protocol address can be encapsulated into a first interface request message, and a basic information inquiry interface is called through the first interface request message to obtain geographic area position information, holder information and a security tag corresponding to the target internet protocol address; combining the geographic region position information, the holder information and the security tag into basic network information corresponding to the target Internet protocol address; the basic information inquiry interface can be a public interface opened by a network information service provider.
The detection service device may encapsulate the target IP address as a request parameter in a first interface request packet, and call the basic information query interface through the first interface request packet to obtain the basic network information corresponding to the target IP address, where the basic network information may include, but is not limited to: province, city, county, longitude, latitude, zip code, AS number (Autonomous System Number), carrier information such as the operator and owner, and a security tag. The basic network information may be acquired in an offline manner, an online manner, or a combination of offline and online; for the specific description, refer to the description of step S101 in the embodiment corresponding to fig. 3, which is not repeated here.
In one or more embodiments, the process of acquiring risk marking information corresponding to the target IP address may include: encapsulating the target Internet protocol address into a second interface request message, calling a risk information inquiry interface through the second interface request message, acquiring a risk type label set, and determining a risk type label matched with the target Internet protocol address in the risk type label set as a hit label; combining the target internet protocol address and the hit label into risk marking information corresponding to the target internet protocol address. The risk information query interface may be a public interface opened by a risk marking service provider.
The detection service device may encapsulate the target IP address as a request parameter in a second interface request packet, call the risk information query interface through the second interface request packet, and obtain the risk marking information corresponding to the target IP address. The risk type tags obtained by the detection service device through the risk information query interface may be as shown in table 1 below:
TABLE 1
All risk type tags shown in table 1 may form a risk type tag set; the risk type tag matched with the target IP address may be determined from the tags in table 1 through the risk information query interface, and the target IP address and the matched risk type tag are used as data structure fields to obtain the risk marking information corresponding to the target IP address. The risk marking information may be stored in a database of the detection service device for subsequent analysis and evaluation.
Step S204, port open detection is carried out on the port set corresponding to the target Internet protocol address, and open port information corresponding to the target Internet protocol address is obtained in the port set.
Specifically, the detection service device may take ports 0-65535 of the target IP address as the port set corresponding to the target IP address, and perform port open detection on ports 0-65535 of the target IP address in sequence to obtain an open port list, which may contain one or more open ports. For ease of understanding, take any one port (for example, port i) in the port set as an example, where i is a non-negative integer less than the number of ports in the port set, e.g., a value in the range 0-65535. When performing port open detection on port i, a connection request may be sent to port i; if the detection service device receives the connection confirmation data returned by port i, the open state of port i is determined to be the opened state. Ports whose open state is the opened state are added to the open port list, and the target IP address, the open port list and the open state corresponding to each port in the open port list are combined into the open port information corresponding to the target IP address. Of course, if the detection service device does not receive connection confirmation data from port i, the open state of port i is determined to be the unopened state, and no subsequent processing needs to be performed on ports in the unopened state, which reduces the data processing load of the detection service device and improves the processing efficiency of honeypot identification.
The manner in which the detection service device obtains one or more open ports may include full connection scanning (TCP connect), half connection scanning (TCP SYN) and stateless port scanning, among others. Full connection scanning refers to the detection service device (the probe) initiating a probe and attempting to perform a complete TCP connection: if a complete handshake is established between the detection service device and any port i in the port set, the open state of port i is the opened state and port i is determined to be an open port; if the detection service device fails to establish a complete handshake with port i, the open state of port i is the unopened state. It should be noted that the full connection scanning mode can rely on multithreaded concurrency to achieve efficient port detection and is easy to implement; when the CPU (Central Processing Unit), memory and network bandwidth of the system host meet the quality requirements and the number of ports to be scanned is smaller than a number threshold, full connection scanning can be used for port open detection, which improves the scanning efficiency. When the number of ports to be scanned is greater than or equal to the number threshold, the number of ports that can be kept connected at the same time is limited, because the full connection scanning method relies on the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol stack of the operating system.
Alternatively, half connection scanning is designed around the three-way handshake. A probe packet is sent to any port i in the port set to request a SYN (Synchronize Sequence Numbers; a synchronization flag) connection. If no SYN/ACK (ACK: Acknowledgement Number; an acknowledgement flag) message is received but an RST (Reset; a reset-connection flag) message is received, it can be determined that port i is not open, i.e. the open state of port i is the unopened state. If a SYN/ACK message is received, it can be determined that port i is open, i.e. the open state of port i is the opened state; the scanner then does not send the final handshake packet that would complete the three-way handshake, but sends an RST packet to terminate the connection request. Compared with full connection scanning, in half connection scanning the unfinished connection is not perceived by the target server corresponding to the target IP address and leaves no record of an established connection, which provides scanning concealment; by terminating the connection promptly, half connection scanning also avoids the limit on the number of protocol stack connections in full connection scanning, which greatly accelerates scanning. Of course, half connection scanning is more complex to implement than full connection scanning, since packets with the appropriate status bits need to be constructed according to the connection state.
Optionally, the ports in the port set may also be scanned using a stateless port scanning approach, which addresses the limit on the number of protocol stack connections. "Stateless" here means that the operating system does not need to track the state of the TCP connections: when stateless port scanning is used, the TCP/IP protocol stack resources of the operating system are no longer occupied; instead, the application program directly assembles packets and maintains connection state at the bottom layer, and the operating system is not required to perform session packet assembly for the connection state. With stateless port scanning, the number of connections that can be maintained simultaneously is no longer limited by the operating system; the packets are assembled directly at the bottom layer by the purpose-built system, the connections are maintained and managed by the application program, and the limit on the number of connections is determined by the application program. Compared with the operating system, the upper limit on the number of connections is greatly raised, so the scanning speed is greatly improved. In summary, stateless port scanning relies neither on the protocol stack nor on independent send/receive logic with handshaking. It should be noted that in an actual application scenario an appropriate scanning mode may be selected according to actual requirements; the port scanning mode is not limited in the present application.
In the process of port opening detection on the ports in the port set, data in the port opening detection process can be recorded, the recorded data structure field can comprise a target IP address, the ports and the opening states of the ports, and further the recorded data structure field can be combined into open port information corresponding to the target IP address.
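The full connection (TCP connect) mode of step S204, as an added illustration that is not the patent's code, written for auditing a host you administer and demonstrated against a listener on the loopback interface so that it runs offline. The record layout returned by open_port_info() (target address, open port list, per-port open state) follows the data structure fields named above; the hosts and ports are constructed, and the "open"/"unopened" labels and the timeout are assumptions.

```python
"""Port open detection by full TCP connection (step S204), demonstrated against
a listener on the loopback interface of the machine running the script.

Added illustration, not the patent's code. The open_port_info() record layout
(target address, open port list, per-port open state) follows the data
structure fields named in the description; hosts, ports and state labels are
constructed.
"""
import socket
from concurrent.futures import ThreadPoolExecutor


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Full-connect check: open only if the three-way handshake completes.

    A refused connection or a timeout is treated as 'not open'; the
    connection is closed immediately because nothing else is needed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def open_port_info(target_ip: str, ports, timeout: float = 1.0, workers: int = 32) -> dict:
    """Probe the given port set concurrently and build the open port information."""
    ports = sorted(set(ports))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: port_is_open(target_ip, p, timeout), ports))
    open_ports = [p for p, is_open in zip(ports, states) if is_open]
    return {
        "target_ip": target_ip,
        "open_ports": open_ports,
        "open_state": {p: ("open" if p in open_ports else "unopened") for p in ports},
    }


def start_loopback_listener() -> socket.socket:
    """Constructed local target: a listening socket on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def reserved_closed_port() -> int:
    """Pick a loopback port that is currently not listening (constructed test aid)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    listener = start_loopback_listener()
    open_port = listener.getsockname()[1]
    closed_port = reserved_closed_port()
    print(open_port_info("127.0.0.1", [open_port, closed_port]))
    listener.close()
```

Because the connection is made through the operating system's TCP/IP stack, the number of simultaneous probes is bounded by the thread pool and by the host's socket limits, which is exactly the constraint the text attributes to full connection scanning; the worker count is the knob to keep under that limit.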
Step S205, fingerprint detection analysis is carried out on the target Internet protocol address and the open port in the open port information, and the open service information corresponding to the open port in the open port information is obtained.
Specifically, the target service device (target server) may be determined from the target IP address and an open port in the open port information, and specific probe data may be sent to the target service device, where the specific probe data is data tailored to that open port, and different open ports may correspond to different specific probe data. After receiving the specific probe data sent by the detection service device, the target service device can return the response data corresponding to the specific probe data to the detection service device through the open port on which the probe data was received.
Further, the detection service device can receive response data which is returned by the target service device and is aimed at specific detection data, and the service type corresponding to the open port in the open port information can be obtained by carrying out feature analysis on the received response data. For different open ports, the target service device may also return different response data, and by performing feature analysis on the response data corresponding to each open port, the service type corresponding to each open port can be obtained.
The detection service device can record the data of the fingerprint detection and analysis process in detail to facilitate subsequent honeypot detection. Specifically, the target IP address, the open port in the open port information, the specific probe data, the response data and the service type may be used as data structure fields and combined into the open service information corresponding to the target IP address, which may also be stored in a database of the detection service device for subsequent analysis and evaluation. For example, if the specific probe data sent to the target service device is the characters "\r\n\n" and the returned response data contains the field "a001", the service type of the port may be derived from the "a001" field in the response data, thereby obtaining the open service information.
Step S206, determining a login type open port in the open ports included in the open port information according to the service type in the open service information, and obtaining the open service login information corresponding to the login type open port.
Specifically, the open ports in the open port information may be classified according to the service types in the open service information to obtain M open port groups, where the open ports in one open port group all have the same service type, and M is a positive integer (M may be 1, 2, ...). For example, when the service types comprise a login type service type and a non-login type service type, the open ports in the open port information may be classified into two open port groups (M = 2): one open port group contains all open ports whose service type belongs to the login type, and the other contains all open ports whose service type belongs to the non-login type. Optionally, when the service types comprise service type 1, service type 2, service type 3 and service type 4, the open ports may be divided into 4 open port groups (M = 4), and the open ports in the same open port group all belong to the same service type.
Among the M open port groups, the open ports in the open port group whose service type is the login type service type are determined to be login type open ports. That is, the service types corresponding to the open ports in the open port information can be traversed in sequence, the open ports that require an account and password for login are screened out, and the screened open ports are taken as the login type open ports; the service types corresponding to the login type open ports are all login type service types, which may include, but are not limited to: ssh (Secure Shell, a secure protocol operating at the application and transport layers), mysql (a relational database management system) and ftp (File Transfer Protocol).
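The feature analysis of step S205 and the grouping of step S206, as one added illustration covering both (not the patent's code). The service types are derived from constructed response data with a deliberately small feature table, where real fingerprint databases are far larger; the sample probes and responses are made up, the login type set {ssh, mysql, ftp} follows the text, and the probe "\r\n\n" from the example above is reused only as a sample input.

```python
"""Service fingerprinting (step S205) and grouping of open ports by service
type to select login-type open ports (step S206).

Added illustration, not the patent's code. The banner patterns are constructed
simplifications, the sample probes/responses are made up, and the login type
set {ssh, mysql, ftp} follows the description.
"""
import re
from collections import defaultdict

# Constructed feature table: (service type, pattern over the first response bytes).
_FEATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("ftp", re.compile(rb"^220[ -].*(FTP|ftp)")),
    ("smtp", re.compile(rb"^220[ -].*(SMTP|ESMTP)")),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}")),
    ("imap", re.compile(rb"^\* OK")),
    # MySQL greeting: 4-byte packet header, protocol version byte 0x0a, then
    # the server version string "major.minor.patch".
    ("mysql", re.compile(rb"^.{4}\x0a\d+\.\d+\.\d+", re.DOTALL)),
]
LOGIN_TYPE_SERVICES = frozenset({"ssh", "mysql", "ftp"})


def service_type_of(response: bytes) -> str:
    """Feature analysis of one response: the first matching feature wins."""
    for service, pattern in _FEATURES:
        if pattern.search(response):
            return service
    return "unknown"


def open_service_info(target_ip: str, probes: dict, responses: dict) -> list:
    """One record per open port: target, port, probe sent, response, service type."""
    return [
        {
            "target_ip": target_ip,
            "port": port,
            "probe": probes.get(port, b""),
            "response": responses[port],
            "service_type": service_type_of(responses[port]),
        }
        for port in sorted(responses)
    ]


def group_by_service_type(service_info: list) -> dict:
    """The M open port groups: every port in a group has the same service type."""
    groups = defaultdict(list)
    for rec in service_info:
        groups[rec["service_type"]].append(rec["port"])
    return dict(groups)


def login_type_open_ports(service_info: list) -> list:
    """Open ports whose service requires an account and password to log in."""
    groups = group_by_service_type(service_info)
    return sorted(p for svc in LOGIN_TYPE_SERVICES for p in groups.get(svc, []))


# Constructed sample: probe sent to each open port and the response it returned.
SAMPLE_PROBES = {22: b"", 80: b"GET / HTTP/1.0\r\n\r\n", 143: b"\r\n\n", 2121: b"", 3306: b""}
SAMPLE_RESPONSES = {
    22: b"SSH-2.0-OpenSSH_8.9\r\n",
    80: b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
    143: b"* OK IMAP4rev1 ready\r\n",
    2121: b"220 Welcome to the FTP service\r\n",
    3306: b"\x4a\x00\x00\x00\x0a8.0.33\x00",
}

if __name__ == "__main__":
    info = open_service_info("203.0.113.7", SAMPLE_PROBES, SAMPLE_RESPONSES)
    print(group_by_service_type(info))
    print("login type open ports:", login_type_open_ports(info))
```

Classifying by service rather than by port number matters for the grouping: the constructed FTP banner on port 2121 lands in the ftp group and therefore among the login type open ports, which a port-number lookup alone would miss.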
The account login information corresponding to the login type open port is obtained, and then the target internet protocol address, the login type open port, the login type service type and the account login information are used as data structure fields and combined into the open service login information corresponding to the target IP address. The account login information corresponding to a login type open port may be obtained by brute-force cracking, the principle of which is that login attempts are made continuously with a large number of account/password combinations until the correct account and password are found; the correct account and password are then taken as the account password information corresponding to the login type open port.
Alternatively, to increase the speed of brute-force cracking, the login attempts with account/password combinations may be performed in a distributed and multithreaded manner. The distributed mode refers to an implementation in which a complex task is broken up from a single system into a plurality of systems. In the embodiment of the application, the login attempt task for the account/password combinations can be split across a plurality of distributed subsystems, so that the failure of a single system does not cause the failure of the global task, which improves the success rate of the brute-force cracking result. In each distributed subsystem performing the login attempts, a large number of login attempt tasks can be allocated, and running them in multithreaded parallel can greatly accelerate the login attempts.
In the process of brute-force cracking of the account/password combinations, the data of the cracking process can be recorded; the recorded data structure fields can include the target IP address, the login type open port, the service type corresponding to the login type open port, the account login information, the service information after login, and the like.
Step S207, obtaining K honeypot feature recognition strategies in the recognition strategy set, and determining a request receiving object corresponding to the honeypot feature recognition strategy a according to the honeypot type corresponding to the honeypot feature recognition strategy a in the K honeypot feature recognition strategies; k honeypot feature recognition strategies are used for recognizing honeypots of different types, and K is a positive integer.
Specifically, after information such as the open port information and the open service information corresponding to the target IP address has been obtained through the foregoing steps, targeted honeypot feature identification may be performed on the target IP address, and the honeypot feature identification policies may be obtained from the identification policy set. The identification policy set can include one or more honeypot feature identification policies; different honeypot feature identification policies can be used for identifying different types of honeypots, and different types of honeypots can correspond to different honeypot features. The detection service device can be provided with a built-in policy database based on conventional honeypots, in which each honeypot feature identification policy specifies the probe packet format and the matching logic corresponding to its honeypot type. Assuming that the identification policy set contains K honeypot feature identification policies, where K is a positive integer, the K honeypot feature identification policies can be used to perform honeypot identification on the target IP address, so that a honeypot matching result of each honeypot feature identification policy on the target IP address can be obtained.
Further, the request receiving object corresponding to each honeypot feature recognition policy may be determined according to the honeypot type corresponding to that policy among the K honeypot feature recognition policies; different policies have different request receiving objects. For example, for a honeypot feature recognition policy a among the K policies (policy a may be any one of them), the request receiving object corresponding to policy a can be determined according to the honeypot type corresponding to policy a.
Step S208, generating a request data packet corresponding to the honeypot feature recognition strategy a according to the open service information and the probe packet format corresponding to the honeypot feature recognition strategy a, and sending the request data packet to the request receiving object.
Specifically, according to the service type corresponding to the open port in the open service information and the probe packet format corresponding to honeypot feature recognition policy a (any one of the K honeypot feature recognition policies), a request data packet can be generated for policy a and sent to the request receiving object of policy a. After receiving the request data packet, the request receiving object responds to it, producing request response data, which it returns to the detection service device. Depending on the type of policy a, the request receiving object may be the target service device corresponding to the open port, a specific page of a service, a specific URL (Uniform Resource Locator) of a service, the icon of a web service, a specific page of a honeypot service, and so on.
Step S209, receiving the request response data returned by the request receiving object, and matching the request response data against the honeypot features in the honeypot feature recognition strategy a according to the matching logic corresponding to strategy a, to obtain the honeypot matching result corresponding to strategy a.
Specifically, the detection service device receives the request response data returned by the request receiving object and matches it against the honeypot features of policy a according to the matching logic for policy a in the device's policy database. If the match succeeds, the current service of the target IP address is a honeypot and its type is the honeypot name field of policy a; fields such as open port, service type, whether it is a honeypot, and honeypot type can then be combined into the honeypot matching result for policy a. If the match fails, it cannot yet be determined whether the current service of the target IP address is a honeypot; a failed match is not evidence that it is not one.
Step S210, combining the honeypot matching results corresponding to the K honeypot feature recognition strategies into the honeypot feature recognition information corresponding to the target Internet protocol address.
In the embodiment of the application, depending on the requirements of the actual application scenario, the K honeypot feature recognition strategies can be applied to the target IP address serially or in parallel; the application does not limit this. Either way a honeypot matching result is obtained for each strategy, and the K results are then combined into the honeypot feature recognition information corresponding to the target IP address.
The K honeypot feature recognition strategies can include, but are not limited to: a port service Banner information feature recognition policy, a web page feature recognition policy, a feature URL reachability recognition policy, a favicon.ico (the icon of a web service) hash value matching recognition policy, a page hash value matching recognition policy, and so on; the application is not limited to these. Here, Banner information refers to the information in the response header returned by the server (the request receiving object), such as the returned status code and service version number; a hash value is digest information computed with a hash algorithm, which may be, but is not limited to, SHA-1, SHA-224, SHA-256, SHA-384 or SHA-512. The honeypot feature recognition strategies above are described in detail below:
(1) Port service Banner information feature identification policy: in general, when an open port corresponding to the target IP address is accessed from outside, the server behind that open port can be called the request receiving object and the Banner information it returns can be called the request response data. The detection service device can have a built-in policy database for conventional honeypots, which stores a policy table for each honeypot feature identification policy; each policy table details the probe packet format and the matching logic for the different honeypots. For example, the policy table of the port service Banner information feature identification policy in the policy database may be as shown in Table 2 below:
TABLE 2
Rule identification | Honeypot name | Request data | Rule matching regular expression
001                 | AAA           | aaaaa        | .*pysnmp.*
002                 | BBB           | bbbbb        | .*Elastic honey.*
In Table 2 the rule identification is a rule ID (number); the policy table of one honeypot feature identification policy can contain one or more rules. The expression ".*pysnmp.*" matches a banner that mentions pysnmp, a Python implementation of the SNMP (Simple Network Management Protocol) protocol suite, and ".*Elastic honey.*" matches a banner containing the string "Elastic honey". The rule matching regular expression is the honeypot feature of the honeypot feature identification policy (here specifically the port service Banner information feature identification policy). The detection and identification logic of this policy may include: the detection service device loads all rules of the policy table corresponding to the port service Banner information feature identification policy; for each rule it encapsulates a request data packet from the "request data" field and sends it to the peer service (the service on the open port, which may be called the request receiving object); it then obtains the request response data returned by the peer service and matches it with the regular expression. If the match succeeds, the service on the current open port is a honeypot and the honeypot type is the honeypot name field shown in Table 2. The honeypot matching result of the port service Banner information feature identification policy may then be stored in a result database; its data structure fields may include, but are not limited to: open port, service type, whether it is a honeypot, honeypot type, and so on.
(2) Web page feature identification policy: a request is initiated for a particular page of the target service; that page can be called the request receiving object, and the honeypot type is determined from a particular field in the returned page content, which can be called the request response data. The policy table of the web page feature identification policy in the policy database may be as shown in Table 3 below:
TABLE 3
In Table 3, "/index.php" is the home page of a web site developed in PHP (Hypertext Preprocessor, a scripting language executed on the server side).
The detection and identification logic of the web page feature identification policy may include: the detection service device loads all rules of the policy table corresponding to the web page feature identification policy; for each rule it encapsulates a request data packet from the "request URL" field and sends it to the corresponding service (the service on the open port, which may be called the request receiving object); it then obtains the request response data returned by the peer service and matches it with the regular expression. If the match succeeds, the service on the current open port is a honeypot and the honeypot type is the honeypot name field shown in Table 3. The honeypot matching result of the web page feature identification policy may then be stored in a result database; its data structure fields may include, but are not limited to: open port, service type, whether it is a honeypot, honeypot type, and so on.
(3) Feature URL reachability identification policy: a request is initiated for a specific URL of the target service; that URL can be called the request receiving object, and the honeypot type is determined according to whether the status code of the returned page (the request response data) is 200. The policy table of the feature URL reachability identification policy in the policy database may be as shown in Table 4 below:
TABLE 4
Rule identification | Honeypot name | Request URL
001                 | AAA           | /URLAAA
002                 | BBB           | /URLBBB
In Table 4, "/URLAAA" and "/URLBBB" are specific request URLs. The detection and identification logic of the feature URL reachability identification policy may include: the detection service device loads all rules of the policy table corresponding to the feature URL reachability identification policy; for each rule it encapsulates a request data packet from the "request URL" field and sends it to the peer service (the service on the open port, which may be called the request receiving object). If the page status code in the returned request response data is 200, the feature URL is reachable, the service on the current open port is a honeypot, and the honeypot type is the "honeypot name" field shown in Table 4. The honeypot matching result of the feature URL reachability identification policy may then be stored in a result database; its data structure fields may include, but are not limited to: open port, service type, whether it is a honeypot, honeypot type, and so on.
(4) favicon.ico hash value matching identification policy: favicon.ico is the thumbnail icon of a web service. A request is initiated for the favicon.ico of the target service, a hash is computed over the returned image data, and the resulting hash value is used to determine the honeypot type; here the favicon.ico of the target service can be called the request receiving object and the returned image the request response data. The policy table of the favicon.ico hash value matching identification policy in the policy database may be as shown in Table 5 below:
TABLE 5
Rule identification | Honeypot name | favicon.ico hash value
001                 | AAA           | e88e2387376fc35e9b3b2691f314f4a65771f53f
002                 | BBB           | fde97181e45850bf1b99e7b95c47025e221f85c3
In Table 5, "e88e2387376fc35e9b3b2691f314f4a65771f53f" and "fde97181e45850bf1b99e7b95c47025e221f85c3" are hash values of particular favicon.ico files (40 hexadecimal digits, the length of a SHA-1 digest). The detection and identification logic of the favicon.ico hash value matching identification policy may include: the detection service device loads all rules of the policy table corresponding to the favicon.ico hash value matching identification policy; for each rule it accesses favicon.ico and obtains the request response data (image data) returned by the peer service; it computes the hash of the returned image data and matches the hash value against the "favicon.ico hash value" field of the policy table. If the match succeeds, the service on the current open port is a honeypot and the honeypot type is the "honeypot name" field shown in Table 5. The honeypot matching result of the favicon.ico hash value matching identification policy may then be stored in a result database; its data structure fields may include, but are not limited to: open port, service type, whether it is a honeypot, honeypot type, and so on.
(5) Page hash value matching identification policy: the honeypot type can be detected by comparing hash values of particular pages of the honeypot service. A request is initiated to the target service, a hash is computed over the returned page data, and the honeypot type is determined by matching the computed page hash value. The policy table of the page hash value matching identification policy in the policy database may be as shown in Table 6 below:
TABLE 6
In Table 6, "e88e2387376fc35e9b3b2691f314f4a65771f53f" and "fde97181e45850bf1b99e7b95c47025e221f85c3" are specific page hash values, and "/URLAAA" and "/URLBBB" are specific page URLs. The detection and identification logic of the page hash value matching identification policy may include: the detection service device loads all rules of the policy table corresponding to the page hash value matching identification policy; for each rule it accesses the "page URL" and obtains the request response data (web page data) returned by the peer service; it computes the hash of the returned page data and matches the page hash value against the "page hash value" field of the policy table. If the match succeeds, the service on the current open port is a honeypot and the honeypot type is the "honeypot name" field shown in Table 6. The honeypot matching result of the page hash value matching identification policy may then be stored in a result database; its data structure fields may include, but are not limited to: open port, service type, whether it is a honeypot, honeypot type, and so on.
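The five policies above all follow the same loop from steps S208 and S209: build a request from a rule, send it to the request receiving object, apply the policy's matching logic to the response, and emit a matching result with the open port, service type, whether it is a honeypot, and honeypot type. The following Python example is added here and is not code from the application; it models the request receiving object as a callable that returns (status, body) so it runs offline. The Table 2 and Table 4 rules are copied from the page; the page-policy rule, the favicon bytes, the page bytes and the target's answers are constructed, and the hash rules hash only a 200 response (an added safeguard, so an error page is never compared against a rule).

```python
import hashlib
import re
from typing import Callable, Optional, Tuple

# Hypothetical transport: (port, request) -> (status, body) or None if the target
# does not answer. A real detector would send the request to the open port.
Responder = Callable[[int, str], Optional[Tuple[int, bytes]]]

# Constructed favicon and page bytes so the hash rules below are reproducible offline.
FAKE_FAVICON = b"\x00\x00\x01\x00\x01\x00constructed-icon-bytes"
FAKE_PAGE = b"<html><title>constructed honeypot page</title></html>"

# Policy database. "banner" is Table 2 and "url" is Table 4; the other rules are
# constructed. kind: "regex" matches the body, "status" checks for HTTP 200,
# "hash" compares the SHA-1 of a 200 body against the rule.
POLICY_DB = {
    "banner": {"kind": "regex", "rules": [
        {"id": "001", "name": "AAA", "request": "aaaaa", "regex": r".*pysnmp.*"},
        {"id": "002", "name": "BBB", "request": "bbbbb", "regex": r".*Elastic honey.*"},
    ]},
    "page": {"kind": "regex", "rules": [
        {"id": "001", "name": "CCC", "request": "/index.php",
         "regex": r".*constructed honeypot page.*"},
    ]},
    "url": {"kind": "status", "rules": [
        {"id": "001", "name": "AAA", "request": "/URLAAA"},
        {"id": "002", "name": "BBB", "request": "/URLBBB"},
    ]},
    "favicon": {"kind": "hash", "rules": [
        {"id": "001", "name": "AAA", "request": "/favicon.ico",
         "hash": hashlib.sha1(FAKE_FAVICON).hexdigest()},
    ]},
    "page_hash": {"kind": "hash", "rules": [
        {"id": "001", "name": "AAA", "request": "/URLAAA",
         "hash": hashlib.sha1(FAKE_PAGE).hexdigest()},
    ]},
}


def run_policy(policy_name: str, port: int, service: str, responder: Responder) -> dict:
    """Steps S208/S209 for one policy: send each rule's request to the open port and
    apply the policy's matching logic. The first rule that matches decides the type."""
    policy = POLICY_DB[policy_name]
    for rule in policy["rules"]:
        resp = responder(port, rule["request"])
        if resp is None:
            continue
        status, body = resp
        if policy["kind"] == "regex":
            hit = re.search(rule["regex"], body.decode("utf-8", "replace")) is not None
        elif policy["kind"] == "status":
            hit = status == 200
        else:
            hit = status == 200 and hashlib.sha1(body).hexdigest() == rule["hash"]
        if hit:
            return {"open_port": port, "service_type": service, "is_honeypot": True,
                    "honeypot_type": rule["name"], "policy": policy_name, "rule_id": rule["id"]}
    # No rule matched: the page treats this as "cannot determine yet", not "not a honeypot".
    return {"open_port": port, "service_type": service, "is_honeypot": False,
            "honeypot_type": None, "policy": policy_name, "rule_id": None}


def identify(open_services, responder: Responder) -> list:
    """Step S210: run all K policies against every open service and combine the results."""
    return [run_policy(name, port, svc, responder)
            for port, svc in open_services for name in POLICY_DB]


# Constructed target: what it answers per (port, request). Port 80 serves the
# constructed favicon and /URLAAA page; /index.php does not exist on it.
SAMPLE_TARGET = {
    (161, "aaaaa"): (200, b"pysnmp 4.4.12 SNMPv2c agent"),
    (9200, "bbbbb"): (200, b'{"name": "Elastic honey"}'),
    (80, "/favicon.ico"): (200, FAKE_FAVICON),
    (80, "/URLAAA"): (200, FAKE_PAGE),
    (80, "/index.php"): (404, b"not found"),
}


def sample_responder(port: int, request: str):
    return SAMPLE_TARGET.get((port, request))


if __name__ == "__main__":
    for r in identify([(161, "snmp"), (9200, "http"), (80, "http")], sample_responder):
        if r["is_honeypot"]:
            print(f"port {r['open_port']}: {r['policy']} rule {r['rule_id']} -> {r['honeypot_type']}")
```

Two caveats worth keeping in mind when filling such a policy table: a server that answers every path with 200 (a catch-all route) satisfies the reachability rule without being a honeypot, so a status-only hit is weaker evidence than a content or hash hit; and a hash rule breaks as soon as the honeypot operator changes the icon or page by one byte, so hash rules need maintaining against the honeypot versions actually deployed.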
Step S211, determining the basic network information, risk marking information, open port information, open service information, open service login information and honeypot feature identification information as the honeypot evaluation indexes corresponding to the target Internet protocol address, and obtaining the index weight corresponding to each honeypot evaluation index.
Specifically, based on the obtained basic network information, risk marking information, open port information, open service information, open service login information and honeypot feature identification information, the identity of the target IP address can finally be evaluated to confirm how likely it is that the target IP address is a honeypot. In other words, these pieces of information can be taken as honeypot evaluation indexes that affect the honeypot detection result, and an index weight can be set for each of them. The index weight of each honeypot evaluation index can be preset according to the requirements of the application scenario; for example, after a number of test verifications, the index weights set for the respective honeypot evaluation indexes may be as shown in Table 7 below:
TABLE 7
Sequence number | Honeypot evaluation index                          | Index weight
1               | Basic network information of the IP address        | 0.2
2               | Risk marking information of the IP address         | 0.1
3               | Open port information of the IP address            | 0.2
4               | Open service information of the IP address         | 0.1
5               | Open service login information of the IP address   | 0.1
6               | Honeypot feature identification information        | 0.3
It can be understood that the sum of the index weights corresponding to the respective honeypot evaluation indexes is 1, and the index weights shown in table 7 are only one example of the embodiment of the present application, and the specific numerical values of the index weights corresponding to the respective honeypot evaluation indexes are not limited in the embodiment of the present application. For ease of understanding, embodiments of the present application will be described with reference to the index weights in table 7.
Step S212, obtaining the honeypot evaluation value of the target Internet protocol address on each honeypot evaluation index, and performing weighted summation of the honeypot evaluation value of each honeypot evaluation index with the index weight of that index to obtain the honeypot detection result corresponding to the target Internet protocol address.
Specifically, the honeypot evaluation value of the target IP address on each honeypot evaluation index is obtained from the basic network information, risk marking information, open port information, open service information, open service login information and honeypot feature identification information corresponding to the target IP address. The honeypot evaluation value may be expressed on a percent (0 to 100) scale, on a ten-point scale, or on another scale; the embodiment of the application does not limit this. For ease of understanding, the embodiments of the application express each honeypot evaluation value on the percent scale.
For the honeypot evaluation index of basic network information, the honeypot evaluation value of the target Internet protocol address on the basic network information can be determined according to whether the holder information in the basic network information is consistent with the network services corresponding to the target Internet protocol address. The detection service device can make a preliminary honeypot judgement from the basic network information of the target IP address and the service types of its open ports. For example, smart-grid-related services would not normally appear on an IP address belonging to a cloud service provider; such services include, but are not limited to, PLC (Programmable Logic Controller) devices, RTU (Remote Terminal Unit) devices, network electricity meters, substation gateways, circuit breakers, transformers, and so on. Services related to intelligent water supply systems would likewise not normally appear on an IP address belonging to a cloud service provider; these include, but are not limited to, electronic water pumps, electronic water tanks, water sensors, water management actuators and water supply PLC devices. Internet of Things (IoT) services such as natural gas pipelines and intelligent buildings are also not normally found on IP addresses belonging to cloud service providers.
If any of the above situations occurs in the basic network information of the target IP address, the honeypot evaluation value of the target IP address on the basic network information is determined to be the first evaluation value (here 100 points); otherwise it is determined to be the second evaluation value (here 0 points).
For the honeypot evaluation index of risk marking information, the honeypot evaluation value of the target Internet protocol address on the risk marking information can be determined according to the proportion of hit labels among the risk type labels contained in the risk marking information. The risk marking information corresponding to the target IP address can be used to identify honeypots: among the risk type labels shown in the foregoing Table 1, for each risk type label of the last category that the risk marking information of the target IP address matches, the honeypot evaluation value of the target IP address on the risk marking information is increased by 10 points; if all of them match, the value is the first evaluation value (100 points); if none of the risk type labels match, the value is the second evaluation value (0 points).
For the honeypot evaluation index of open port information, the honeypot evaluation value of the target Internet protocol address on the open port information can be determined according to the number of open ports contained in the open port information. It should be noted that, to make sure the honeypot deployer captures as many attacks as possible with limited resources, a honeypot typically opens more ports than a conventional service application, possibly even all of them. The number of open ports of the target IP address can be counted from its open port information; for every 10 additional open ports the honeypot evaluation value of the target IP address on the open port information is increased by 10 points, when the number of open ports exceeds 100 the value is the first evaluation value (100 points), and when the number of open ports is 0 the value is the second evaluation value (0 points).
For the honeypot evaluation index of open service information, the honeypot evaluation value of the target Internet protocol address on the open service information can be determined according to the open port and service type distribution contained in the open service information. Some composite honeypots run multiple services on a single IP address in order to capture as many attack behaviours as possible with limited server resources, and the distribution of their open port numbers and service types is stable, so the open service information can be treated as a honeypot feature. For example, assume a composite honeypot exposes the ports 80, 161, 623, 1025, 2404, 10001 and 50100. If the open service information of the target IP address shows that the target IP address exposes the services on all ports corresponding to this composite honeypot, the honeypot evaluation value of the target IP address on the open service information is the first evaluation value (100 points); if it shows that the target IP address does not expose those services, the value is the second evaluation value (0 points).
For the honeypot evaluation index of open service login information, the honeypot evaluation value of the target Internet protocol address on the open service login information can be determined according to the login attempt results corresponding to the account login information in the open service login information. Some composite honeypots, in order to capture as many attack behaviours as possible with limited server resources, allow arbitrary logins to services that require an account and password, lowering the attacker's cost of entering the honeypot; this can also be used as information for honeypot identification. The logic of this honeypot evaluation index can be expressed as: for a service on an open port of the target IP address, if any account and password can log in to the service, the honeypot evaluation value of the target IP address on the open service login information is 50 points; if an account and password from the weak password dictionary built into the detection service device (a set of commonly used account and password combinations) can log in, the value is 30 points; if the account and password of the open port service cannot be determined by brute-force cracking, the value is 0 points.
For the honeypot evaluation index of honeypot feature identification information, the honeypot evaluation value of the target Internet protocol address on the honeypot feature identification information can be determined according to the number of successful matching results contained in the honeypot feature identification information. If the honeypot feature identification information contains a successful honeypot matching result for any honeypot feature recognition strategy, the honeypot evaluation value of the target Internet protocol address on the honeypot feature identification information is the first evaluation value; if the honeypot matching results of all K honeypot feature recognition strategies are failures, the value is the second evaluation value. Honeypot feature identification information is an important honeypot detection means in the embodiment of the application: if any of the K honeypot feature recognition strategies, such as the port service Banner information feature identification policy, the web page feature identification policy, the feature URL reachability identification policy, the favicon.ico hash value matching identification policy or the page hash value matching identification policy, matches a honeypot type, the honeypot evaluation value of the target IP address on the honeypot feature identification information is the first evaluation value (100 points); if none of the K strategies matches a honeypot type, it is the second evaluation value (0 points).
The relationship among the honeypot detection result, the honeypot evaluation value corresponding to each honeypot evaluation index, and the index weight corresponding to each honeypot evaluation index may be as shown in the following formula (1):
$$S_q = \sum_{p=1}^{N} R_p \, S_{pq} \qquad (1)$$
where S_q is the comprehensive evaluation value of the q-th target IP address, R_p is the index weight corresponding to the p-th honeypot evaluation index, and S_pq is the honeypot evaluation value of the q-th target IP address on the p-th honeypot evaluation index; q is the position of the target IP address in the current honeypot detection sequence and is a positive integer; N is the number of honeypot evaluation indexes, a positive integer (N is 6 in the embodiment of the application), and p is a positive integer less than or equal to N. According to formula (1), the honeypot evaluation value on each honeypot evaluation index is multiplied by the index weight of that index to obtain the weighted value of the index, and the weighted values of the N honeypot evaluation indexes are summed to obtain the comprehensive evaluation value of each target IP address.
In one or more embodiments, a honeypot evaluation threshold can be preset and used to decide, from the comprehensive evaluation value of the target IP address, whether the target IP address is a honeypot. If the comprehensive evaluation value is greater than the honeypot evaluation threshold, the honeypot detection result of the target IP address is determined to be honeypot; if the comprehensive evaluation value is less than or equal to the honeypot evaluation threshold, the target IP address is only a suspected honeypot, that is, its honeypot detection result is uncertain.
Referring to fig. 6, fig. 6 is a schematic diagram of honeypot detection based on a linear weighting method according to an embodiment of the present application. As shown in fig. 6, assuming the target IP addresses to be detected include IPA, IPB and IPC, the honeypot evaluation indexes involved in the detection may be the 6 honeypot evaluation indexes described above, which are, in order: basic network information, risk marking information, open port information, open service information, open service login information, and honeypot feature identification information. Each honeypot evaluation index corresponds to an index weight, which can be determined through a number of test verifications.
As shown in fig. 6, the honeypot evaluation values of IPA on the 6 honeypot evaluation indexes may be, in order, 100, 80, 40, 0, 30 and 100, and the comprehensive evaluation value of IPA (denoted comprehensive evaluation value IPA) can be calculated by the linear weighting method of formula (1): comprehensive evaluation value IPA = 0.2×100 + 0.1×80 + 0.2×40 + 0.1×0 + 0.1×30 + 0.3×100 = 69. The honeypot evaluation values of IPB may be, in order, 0, 40, 50, 100, 50 and 0, giving comprehensive evaluation value IPB = 0.2×0 + 0.1×40 + 0.2×50 + 0.1×100 + 0.1×50 + 0.3×0 = 29. The honeypot evaluation values of IPC may be, in order, 0, 60, 90, 0, 0 and 100, giving comprehensive evaluation value IPC = 0.2×0 + 0.1×60 + 0.2×90 + 0.1×0 + 0.1×0 + 0.3×100 = 54. Assuming the honeypot evaluation threshold is set to 60, the honeypot detection result of IPA is honeypot, while the honeypot detection results of IPB and IPC are uncertain, that is, IPB and IPC are suspected honeypots.
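Steps S211 and S212 together form one procedure: each index is scored by its own rule, the six scores are weighted by Table 7 and summed per formula (1), and the sum is compared with the threshold. The Python example below is added here and is not code from the application. It implements the per-index scoring rules exactly as the text states them, the weights of Table 7, and the fig. 6 worked example, for which the weighted sum for IPC comes out to 54. The list of ICS service types and the port set of the composite honeypot are constructed stand-ins for the operator's own lists.

```python
# Index weights from Table 7, in the page's order.
WEIGHTS = {
    "basic_network": 0.2,
    "risk_marking": 0.1,
    "open_port": 0.2,
    "open_service": 0.1,
    "open_service_login": 0.1,
    "feature_identification": 0.3,
}
FIRST_VALUE, SECOND_VALUE = 100, 0  # percent scale, as on the page

# Constructed: service types that should not appear on a cloud provider's address,
# and the open-port signature of the composite honeypot used as the page's example.
ICS_SERVICE_TYPES = {"modbus", "s7comm", "iec104", "bacnet", "dnp3"}
COMPOSITE_HONEYPOT_PORTS = {80, 161, 623, 1025, 2404, 10001, 50100}


def score_basic_network(holder_is_cloud_provider: bool, service_types) -> int:
    """ICS/IoT services on a cloud provider's address -> first value, else second."""
    suspicious = holder_is_cloud_provider and bool(ICS_SERVICE_TYPES & set(service_types))
    return FIRST_VALUE if suspicious else SECOND_VALUE


def score_risk_marking(hit_tags: int, total_tags: int) -> int:
    """10 points per matched risk type tag, 100 when every tag matched, 0 when none."""
    if total_tags and hit_tags >= total_tags:
        return FIRST_VALUE
    return min(FIRST_VALUE, 10 * hit_tags)


def score_open_ports(open_port_count: int) -> int:
    """10 points per 10 open ports, 100 above 100 ports, 0 when none are open."""
    if open_port_count > 100:
        return FIRST_VALUE
    return min(FIRST_VALUE, 10 * (open_port_count // 10))


def score_open_service(open_ports) -> int:
    """All ports of the composite honeypot signature open -> first value."""
    return FIRST_VALUE if COMPOSITE_HONEYPOT_PORTS <= set(open_ports) else SECOND_VALUE


def score_open_service_login(any_credentials_work: bool, weak_password_works: bool) -> int:
    """Arbitrary login 50, weak-dictionary login 30, brute force failed 0."""
    if any_credentials_work:
        return 50
    if weak_password_works:
        return 30
    return 0


def score_feature_identification(match_results) -> int:
    """Any of the K policies matched -> first value, all failed -> second value."""
    return FIRST_VALUE if any(r.get("is_honeypot") for r in match_results) else SECOND_VALUE


def composite_value(values: dict) -> float:
    """Formula (1): S_q = sum over p of R_p * S_pq, rounded to hide float noise."""
    missing = set(WEIGHTS) - set(values)
    if missing:
        raise ValueError(f"missing evaluation values: {sorted(missing)}")
    return round(sum(WEIGHTS[k] * values[k] for k in WEIGHTS), 6)


def detection_result(score: float, threshold: float = 60) -> str:
    """Above the threshold -> honeypot; otherwise only a suspected honeypot."""
    return "honeypot" if score > threshold else "uncertain"


# The three addresses of the page's fig. 6 example, values in Table 7 order.
FIG6_VALUES = {
    "IPA": dict(zip(WEIGHTS, [100, 80, 40, 0, 30, 100])),
    "IPB": dict(zip(WEIGHTS, [0, 40, 50, 100, 50, 0])),
    "IPC": dict(zip(WEIGHTS, [0, 60, 90, 0, 0, 100])),
}

if __name__ == "__main__":
    for ip, vals in FIG6_VALUES.items():
        s = composite_value(vals)
        print(ip, s, detection_result(s))
```

Note that with these weights the feature-identification index alone (0.3×100 = 30) cannot push an address over a threshold of 60, so a single matched signature is never a verdict on its own; conversely an address that matches no signature can still exceed the threshold from the network-context indexes alone, which is the intended behaviour of the linear weighting.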
Step S213, encrypting the honeypot detection result by using the object access token and the key information corresponding to the intelligent detection object in the communication application, to generate second message encrypted data.
Specifically, after the detection service device obtains the honeypot detection result corresponding to the target IP address, the honeypot detection result may be returned, through the intelligent detection object in the communication application, to the communication object that initiated the honeypot detection instruction. For example, the object access token (Token) and key information (key) corresponding to the intelligent detection object in the communication application may be used to encrypt the honeypot detection result of the target IP address, so as to generate the second message encrypted data.
Step S214, returning the second message encrypted data to the communication application, so that the communication application can send the second message data to the message sending object corresponding to the first message data through the intelligent detection object; the second message data is obtained by the communication application decrypting the second message encrypted data.
Specifically, the detection service device may return the second message encrypted data to the application service device (the background server of the communication application) corresponding to the communication application. After receiving the second message encrypted data, the application service device can decrypt it by using the Token and ACEkey corresponding to the intelligent detection object to obtain the second message data; the second message data may then be delivered, as a message from the intelligent detection object, to the communication object that sent the honeypot detection instruction (the first message data), and displayed in the communication application. The manner in which the second message data is presented in the communication application may refer to the embodiments corresponding to fig. 2 and fig. 4. It may be understood that, in the embodiment of the present application, the communication object that sends the honeypot detection instruction may be referred to as the message sending object; the message sending object is the communication object that wants to detect whether the target IP address is a honeypot, and it is also the object that receives the honeypot detection result.
Referring to fig. 7, fig. 7 is a schematic diagram of honeypot detection according to an embodiment of the present application. As shown in fig. 7, after the detection service device obtains the target IP address (139.155.xxx.xx), the target IP address may be analyzed to obtain the basic network information and the risk marking information corresponding to it; the manner of obtaining the basic network information and the risk marking information may refer to the related description of step S203 above, which is not repeated here. Meanwhile, the detection service device may obtain the port set 40a corresponding to the target IP address (139.155.xxx.xx). Since a port number is represented by two bytes (a 16-bit binary number), the port set 40a may include 65536 port numbers, ranging from 0 to 65535; that is, the target IP address (139.155.xxx.xx) may correspond to 65536 ports.
Further, the detection service device may sequentially perform port opening detection on the ports 0-65535 included in the port set 40a, to obtain the open state of each of the 65536 ports; for example, the open state of port 0 is the unopened state, the open state of port 1 is the unopened state, the open state of port 2 is the unopened state, the open state of port 3 is the opened state, …, and the open state of port 65535 is the unopened state. Further, the ports in the opened state may be determined as open ports, so as to obtain an open port list 40b corresponding to the target IP address (139.155.xxx.xx), where the open port list 40b may include: open port 3, open port 22, …, open port 81, and the like. The open ports in the open port list 40b, the open state of each open port, and the target IP address (139.155.xxx.xx) may constitute the open port information as data structure fields.
Fingerprint detection analysis may be performed on the target IP address (139.155.xxx.xx) and the open ports in the open port list 40b, to obtain open service information corresponding to each open port in the open port list 40b. The open service information corresponding to port 3 may include: the target IP address (139.155.xxx.xx), port 3, the specific probe data, the response data, and service type 1 (i.e., the service type corresponding to the service on port 3); the open service information corresponding to port 22 may include: the target IP address (139.155.xxx.xx), port 22, the specific probe data, the response data, and service type 2; the open service information corresponding to port 81 may include: the target IP address (139.155.xxx.xx), port 81, the specific probe data, the response data, and service type 3.
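The two fig. 7 steps just described, port opening detection followed by fingerprint detection analysis, as an added example that is not code from the patent. To run offline it starts a constructed loopback service that answers any probe with a fixed banner; the probe bytes, the banner-to-service-type feature rules and all function names are assumptions of this example, and the dictionaries it builds mirror the "open port information" and "open service information" fields named in the text.

```python
"""Port opening detection and fingerprint probing against a constructed
loopback service. Added example, not code from the patent; probe data,
feature rules and names are assumptions of this example.
"""
import socket
import socketserver
import threading
from typing import Dict, Iterable, List, Tuple

# Constructed "specific probe data": what the detector sends to an open port.
PROBE = b"HELLO\r\n"

# Constructed feature rules for the response analysis: (substring, service type).
SERVICE_RULES: List[Tuple[bytes, str]] = [
    (b"SSH-", "ssh"),
    (b"HTTP/", "http"),
    (b"DEMO-SERVICE", "demo"),
]


class _BannerHandler(socketserver.BaseRequestHandler):
    """Constructed service: consume whatever probe arrives, reply with a banner."""

    def handle(self) -> None:
        self.request.settimeout(1.0)
        try:
            self.request.recv(1024)
        except socket.timeout:
            pass  # a probe-less client still gets the banner
        self.request.sendall(self.server.banner)  # type: ignore[attr-defined]


def start_fake_service(banner: bytes) -> Tuple[socketserver.TCPServer, int]:
    """Listen on 127.0.0.1 at an ephemeral port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _BannerHandler)
    server.banner = banner  # type: ignore[attr-defined]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def reserve_closed_port() -> int:
    """Bind and immediately release an ephemeral port so it is (almost
    certainly) closed when probed; used to exercise the 'unopened' branch."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Port opening detection: send a connection request; a completed TCP
    handshake is the 'connection confirmation data' that marks the port opened."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def open_port_information(host: str, ports: Iterable[int]) -> Dict:
    """Build the open port information: target address, open port list, and
    the open state of every listed port."""
    open_list = [p for p in ports if port_open(host, p)]
    return {
        "target_ip": host,
        "open_port_list": open_list,
        "open_state": {p: "opened" for p in open_list},
    }


def fingerprint(host: str, port: int, probe: bytes = PROBE,
                timeout: float = 1.0) -> Dict:
    """Send the specific probe data, read the response data, and derive the
    service type by feature analysis; unknown banners are reported as such."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(probe)
        response = s.recv(4096)
    service_type = next((t for sig, t in SERVICE_RULES if sig in response), "unknown")
    return {
        "target_ip": host,
        "port": port,
        "probe_data": probe,
        "response_data": response,
        "service_type": service_type,
    }


if __name__ == "__main__":
    server, port = start_fake_service(b"DEMO-SERVICE 1.0\r\n")
    try:
        print(open_port_information("127.0.0.1", [port, reserve_closed_port()]))
        print(fingerprint("127.0.0.1", port))
    finally:
        server.shutdown()
        server.server_close()
```

The fake service is only there so the code is self-contained; pointing `open_port_information` and `fingerprint` at a host you administer is how you would check which of its services expose a banner that the response-feature rules can classify.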
Further, when service type 2 in the open service information corresponding to open port 22 belongs to a login service type (a service that requires an account number and password to log in), continuous login attempts can be performed on the service of port 22 with a large number of account number and password combinations until an account number and password that successfully log in to the service of port 22 are obtained; the account number and password that can log in successfully may be referred to as account login information. Optionally, when service type 3 in the open service information corresponding to open port 81 belongs to the login service type, a large number of account number and password combinations are likewise used to attempt to log in to the service of port 81; if no account number and password for the service of port 81 can be obtained in the end, the account login information of port 81 cannot be obtained. Of course, when service type 1 in the open service information corresponding to open port 3 is a non-login service type (a service that requires no account number and password to log in, or, put another way, a service for which no account number and password combination is needed to log in successfully), no login attempt with account number and password combinations is required. The open service login information corresponding to the target IP address (139.155.xxx.xx) can then be combined from the target IP address (139.155.xxx.xx), the login type open port, the login service type, and the account login information as data structure fields.
The detection service device can take the basic network information, risk marking information, open port information, open service login information, and honeypot feature identification information corresponding to the target IP address (139.155.xxx.xx) as the honeypot evaluation indexes that influence the honeypot detection result. Further, the honeypot evaluation values of the target IP address (139.155.xxx.xx) on the different honeypot evaluation indexes may be determined and may be denoted in order as honeypot evaluation value 1, honeypot evaluation value 2, honeypot evaluation value 3, honeypot evaluation value 4, honeypot evaluation value 5, and honeypot evaluation value 6. Further, the honeypot evaluation values corresponding to the honeypot evaluation indexes and the corresponding index weights (which may be preset) can be weighted and summed to obtain the comprehensive evaluation value corresponding to the target IP address (139.155.xxx.xx), and the honeypot detection result corresponding to the target IP address (139.155.xxx.xx) is then determined according to the magnitude relation between the comprehensive evaluation value and the preset honeypot evaluation threshold.
Referring to fig. 8, fig. 8 is a schematic diagram of a network honeypot detection flow based on a weighting method according to an embodiment of the present application. It can be appreciated that the network honeypot detection flow based on the weighting method can be executed by the detection service device; the detection flow of the network honeypot may include the following steps S301 to S312:
Step S301, the communication application is triggered. The honeypot detection flow can be triggered by the communication application. Specifically, the application service device of the communication application may acquire a message credential of the intelligent detection object, where the message credential may include information such as the message webhook address, token, and ack corresponding to the intelligent detection object. The callback address is set to the webhook address of the detection service device in the configuration page of the intelligent detection object, so that the intelligent detection object can be activated by a communication object in the communication application by asking a question, and the intelligent detection object can acquire the input information (first message data) of the communication object. The application server retrieves the message (first message data) sent to the intelligent detection object by the communication object, encrypts the first message data by using the Token and ACEkey, and sends the encrypted message (first message encrypted data) to the callback address of the detection service device. After the intelligent detection object trigger of the detection service device receives the encrypted message, it decrypts the encrypted message by using the Token and ACEkey to obtain the message body content; the intelligent detection object trigger can then start the detection service device executing the honeypot detection flow for the target IP address, and the honeypot detection flow is completed by the detection service device.
Step S302, the relevant basic network information is obtained according to the target IP address, in a combined online and offline manner. The basic network information corresponding to the target IP address can be obtained by combining online and offline modes: in the offline mode, the basic network information corresponding to the target IP address is retrieved from a local network information file (which may be an offline text file) that is updated periodically; in the online mode, a basic information query interface opened by a network information service provider is called directly, and the basic network information corresponding to the target IP address is acquired in real time.
Step S303, the internal and external risk information query interfaces are called, and the risk marking information related to the target IP address is obtained. The risk marking information corresponding to the target IP address is acquired by calling the risk information query interface opened by the risk marking server.
Step S304, port opening detection is carried out on ports 0-65535 of the target IP address, and an open port list is obtained. One IP address may correspond to 65535 ports; port opening detection may be sequentially performed on the 65535 ports to obtain an open port list containing the ports whose open state is the opened state.
Step S305, whether an open port exists. It is judged whether an open port exists in the open port list; if so, step S306 is executed; if there is no open port in the open port list, the process continues with step S309.
Step S306, fingerprint detection analysis is carried out on the ports of the target IP address, and the open service type is identified from the fingerprint information. Fingerprint detection analysis is performed on the open ports of the target IP address to obtain the port fingerprint information of each open port, and honeypot identification is performed using the open service type in the port fingerprint information. The port fingerprint information may serve as the open service information corresponding to the target IP address.
Step S307, whether there is a service that can be logged in to. It is judged whether the open service information corresponding to the target IP address includes a service that can be logged in to; if it does (the service of a login type open port), step S308 is executed; if there is no such service in the open service information, the process continues with step S309.
Step S308, account password brute force cracking is performed on the target service by using the weak password list, to acquire the login service related information. The weak password list may be a set (or dictionary) containing a plurality of account password combinations; account password brute force cracking is performed on the service of the open port with the large number of account password combinations in the weak password list, so that the account password information of the service that can be logged in to, and the service information after login, can be obtained.
Step S309, special honeypots are identified from the service features by using the built-in identification rules. The built-in identification rules may be the K types of honeypot feature identification policies set in the detection service device, the service features may be the specific service features of an open port, and the special honeypots may include the honeypot types that the K types of honeypot feature identification policies are able to identify. The policies may include the port service Banner information feature identification policy, the web page feature identification policy, the feature URL reachability identification policy, the favicon.ico hash value matching identification policy, the page hash value matching identification policy, and the like. Honeypot feature identification is performed on the target IP address based on the K types of honeypot feature identification policies, so as to obtain the honeypot feature identification information corresponding to the target IP address.
Step S310, a honeypot evaluation value is generated for each index, and the final evaluation value is calculated by using the linear weighting method. Each index refers to a honeypot evaluation index affecting the honeypot detection result, and may include, but is not limited to, basic network information, risk marking information, open port information, open service login information, and honeypot feature identification information. The honeypot evaluation value of the target IP address on each honeypot evaluation index is obtained, an index weight is set for each honeypot evaluation index (for example, the index weight values in table 7), and the honeypot evaluation value of each honeypot evaluation index and its corresponding index weight are then weighted and summed by the linear weighting method to obtain the final evaluation value (comprehensive evaluation value); the honeypot detection result corresponding to the target IP address can then be determined according to the comprehensive evaluation value.
Step S311, the message interface of the communication application is called, and the final conclusion of the honeypot identification is returned to the communication object. After obtaining the honeypot detection result corresponding to the target IP address, the detection service device can call the message interface of the communication application, return the final conclusion of the honeypot identification (the honeypot detection result) to the communication application, display the honeypot detection result of the target IP address in the communication application, and notify the communication object that initiated the question of the honeypot detection result.
Step S312, after execution is completed, the execution result is written into the database, and the log information of the whole system is recorded in the log file.
Specifically, after the honeypot detection flow for the target IP address has been executed, the honeypot detection result (execution result) obtained in the flow may be written into the database, and the log information of the entire system may be recorded in the log file. By recording the behavior log of the target IP address over the whole honeypot detection flow, the system operation information can be traced; optionally, after the detection service device obtains the behavior log corresponding to the target IP address, the behavior log may be stored in a log server, and a copy is stored locally as text at the same time.
The behavior log may be classified by level; for example, the log levels may include ERROR, WARN, INFO, DEBUG, and the like, and the details of the log levels may be as shown in table 8 below:
TABLE 8
Optionally, the above behavior log may be used for daily system fault investigation and status recording, and the behavior log may also be classified according to log content, as shown in table 9 below, into a configuration log, a management log, an alarm log, a running log, and the like. Table 9 can be expressed as follows:
TABLE 9
Classification      Description
Configuration log   Records the behavior of adding, deleting, and modifying the configuration of an object.
Management log      Records the operation behavior of the management module each time it checks the validity of the certificate of the target site.
Alarm log           Records the behavior of the alarm module for each external alarm action.
Running log         Records the behavior of the whole system during background operation.
Optionally, the log server may be any one of the blockchain nodes in the blockchain system. The detection service device may obtain system behavior information associated with the target internet protocol address (target IP address) and generate a behavior log from the system behavior information; the behavior log can be uploaded to the blockchain system, so that the blockchain nodes in the blockchain system encapsulate the behavior log into a transaction block and perform accounting processing on the transaction block once it reaches consensus; the detection service device receives the uplink success information returned by a blockchain node in the blockchain system and, according to the uplink success information, stores the file hash of the behavior log in the blockchain system in a local database, where the file hash is used to indicate the storage location of the behavior log in the blockchain system. In other words, the detection service device may upload the behavior log as transaction data to the blockchain system. After receiving the behavior log, a blockchain node in the blockchain system may encapsulate the behavior log into a transaction block and send the transaction block to the consensus nodes in the blockchain system; the consensus nodes perform consensus processing on the transaction block, and when the transaction block achieves consensus in the blockchain system, accounting processing is performed on the agreed transaction block. After the transaction block is successfully uplinked in the blockchain system, uplink success information for the behavior log may be returned to the detection service device, where the uplink success information indicates that the behavior log has been successfully uplinked in the blockchain system.
The uplink success information may include the file hash corresponding to the behavior log; after the detection service device receives the uplink success information, the file hash may be stored locally, and when the behavior log needs to be queried later, the behavior log can be obtained from the blockchain system according to the file hash.
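A worked version of the logging path described in step S312 and the two paragraphs above, added here as an example that is not code from the patent. The level names follow table 8 and the categories follow table 9; the in-memory `HashLedger` is an assumed stand-in for the blockchain system (it stores the serialized log under its SHA-256 file hash and returns "uplink success" information carrying that hash), and `DetectionServiceStore` keeps the local target-IP-to-file-hash database and re-hashes the retrieved log so a missing or altered copy is detected. Record layout, class and function names and the sample log lines are constructed for this example.

```python
"""Behavior log with a content-addressed ledger stand-in for the blockchain
system. Added example, not code from the patent; names and the ledger
behaviour are assumptions of this example.
"""
import hashlib
import json
import time
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional

LEVELS = ("ERROR", "WARN", "INFO", "DEBUG")                       # table 8
CATEGORIES = ("configuration", "management", "alarm", "running")  # table 9


@dataclass(frozen=True)
class LogRecord:
    """One behavior log entry; level and category are validated on creation."""
    target_ip: str
    level: str
    category: str
    message: str
    ts: float

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown log level {self.level!r}")
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown log category {self.category!r}")


class BehaviorLog:
    """Behavior log for one target IP address over a detection flow."""

    def __init__(self, target_ip: str) -> None:
        self.target_ip = target_ip
        self.records: List[LogRecord] = []

    def record(self, level: str, category: str, message: str,
               ts: Optional[float] = None) -> LogRecord:
        rec = LogRecord(self.target_ip, level, category, message,
                        time.time() if ts is None else ts)
        self.records.append(rec)
        return rec

    def by_category(self, category: str) -> List[LogRecord]:
        return [r for r in self.records if r.category == category]

    def serialize(self) -> bytes:
        """JSON lines with sorted keys, so the same records always hash alike."""
        lines = [json.dumps(asdict(r), sort_keys=True) for r in self.records]
        return ("\n".join(lines) + "\n").encode("utf-8")


def file_hash(data: bytes) -> str:
    """SHA-256 hex digest used as the log's storage location (file hash)."""
    return hashlib.sha256(data).hexdigest()


class HashLedger:
    """Stand-in for the blockchain system: append-only, content-addressed."""

    def __init__(self) -> None:
        self._blocks: Dict[str, bytes] = {}

    def upload(self, data: bytes) -> Dict[str, str]:
        h = file_hash(data)
        self._blocks.setdefault(h, data)  # re-uploads of identical data are idempotent
        return {"status": "uplink_success", "file_hash": h}

    def fetch(self, h: str) -> Optional[bytes]:
        return self._blocks.get(h)


class DetectionServiceStore:
    """The detection service device's side: upload the log, keep only the file
    hash locally, and verify the hash again on retrieval."""

    def __init__(self, ledger: HashLedger) -> None:
        self.ledger = ledger
        self.local_db: Dict[str, str] = {}  # target IP -> file hash

    def archive(self, log: BehaviorLog) -> str:
        ack = self.ledger.upload(log.serialize())
        if ack.get("status") != "uplink_success":
            raise RuntimeError("ledger did not confirm the upload")
        self.local_db[log.target_ip] = ack["file_hash"]
        return ack["file_hash"]

    def retrieve(self, target_ip: str) -> List[dict]:
        h = self.local_db[target_ip]
        data = self.ledger.fetch(h)
        if data is None or file_hash(data) != h:
            raise ValueError("behavior log missing or altered in the ledger")
        return [json.loads(line) for line in data.decode("utf-8").splitlines()]


def sample_log() -> BehaviorLog:
    """Constructed sample entries for one detection run (not real data)."""
    log = BehaviorLog("198.51.100.7")  # documentation-range address
    log.record("INFO", "configuration", "callback address set", ts=1.0)
    log.record("INFO", "running", "port opening detection finished", ts=2.0)
    log.record("WARN", "alarm", "comprehensive value below threshold", ts=3.0)
    return log
```

Because `serialize` is deterministic, archiving the same records twice yields the same file hash, and any later edit to the stored copy changes the hash the device holds locally, which is the property the file hash lookup relies on.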
A blockchain is a novel application mode of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms, and encryption algorithms. A blockchain is essentially a decentralized database: a chain of data blocks generated and linked by cryptographic means, each data block containing a batch of network transaction information used to verify the validity of the information (anti-counterfeiting) and to generate the next block.
In the embodiment of the present application, the target IP address can be acquired through the communication application, so that the basic network information, risk marking information, open port information, open service login information, and honeypot feature identification information corresponding to the target IP address can be acquired. This information is further used as the different honeypot evaluation indexes, and the honeypot evaluation value of the target IP address on each honeypot evaluation index is obtained by analyzing each index. The honeypot evaluation value corresponding to each honeypot evaluation index and the index weight corresponding to that index are then weighted and summed, so as to obtain the final honeypot detection result of the target IP address. That is, the final honeypot detection result of the target IP address is determined by the comprehensive evaluation value obtained from the weighted summation of the honeypot evaluation values of the honeypot identification indexes, which ensures the comprehensiveness of the data about the target IP address in the honeypot identification process and improves the identification accuracy. Meanwhile, the honeypot detection flow can be triggered by entering the target IP address as message data in the communication application; the honeypot detection flow runs as a platform and is executed automatically, so the honeypot identification result of the target IP address can be obtained quickly by issuing a detection instruction with one action, reducing complicated operations for the user and improving the honeypot detection efficiency for the target IP address. The whole honeypot detection process is managed: standardizing the honeypot identification process ensures consistency in identifying the target IP address, the detection details of the honeypot identification process can be traced through the behavior log, and false alarms can be eliminated.
It will be appreciated that in the embodiments of the present application, related information (object identifier, account number, nickname, image, etc.) of a communication object in a communication application may be involved, and when the above embodiments of the present application are applied to specific products or technologies, permission or consent of a user needs to be obtained, and collection, use and processing of related data need to comply with related laws and regulations and standards of related countries and regions.
Referring to fig. 9, fig. 9 is a schematic structural diagram of a network honeypot identification device according to an embodiment of the present application; the network honeypot identification device may be used to execute the corresponding steps of the method according to the embodiment of the present application. As shown in fig. 9, the network honeypot identification device 1 may include: a first acquisition module 10, a port opening detection module 11, a fingerprint detection module 12, a login information acquisition module 13, a second acquisition module 14, and a weighted summation module 15;
a first obtaining module 10, configured to obtain a target internet protocol address through a communication application, and obtain basic network information and risk marking information corresponding to the target internet protocol address;
the port opening detection module 11 is configured to perform port opening detection on a port set corresponding to the target internet protocol address, and obtain open port information corresponding to the target internet protocol address in the port set;
the fingerprint detection module 12 is configured to perform fingerprint detection analysis on the target internet protocol address and the open port in the open port information, and obtain open service information corresponding to the open port in the open port information;
a login information obtaining module 13, configured to determine a login type open port from the open ports included in the open port information according to the service type in the open service information, and obtain open service login information corresponding to the login type open port;
a second obtaining module 14, configured to obtain honeypot feature identification information corresponding to the target internet protocol address, determine basic network information, risk marking information, open port information, open service login information, and honeypot feature identification information as honeypot evaluation indexes corresponding to the target internet protocol address, and obtain index weights corresponding to the honeypot evaluation indexes;
the weighted summation module 15 is configured to obtain the honeypot evaluation values of the target internet protocol address on each honeypot evaluation index, perform weighted summation processing on the honeypot evaluation values corresponding to each honeypot evaluation index and the index weights corresponding to each honeypot evaluation index, obtain a honeypot detection result corresponding to the target internet protocol address, and return the honeypot detection result to the communication application.
In one or more embodiments, the first acquisition module 10 acquires the target internet protocol address through the communication application, including:
a message receiving unit 101, configured to receive first message encrypted data sent by a communication application; the first message encryption data are obtained by encrypting first message data received by an intelligent detection object in the communication application, and the first message data are used for indicating the intelligent detection object to trigger a honeypot detection flow;
the message decryption unit 102 is configured to decrypt the first message encrypted data through the object access token and the key information corresponding to the intelligent detection object, obtain the first message data corresponding to the intelligent detection object, and obtain the target internet protocol address in the first message data.
In one or more embodiments, the first obtaining module 10 obtains the basic network information and the risk marking information corresponding to the target internet protocol address, including:
a first interface calling unit 103, configured to encapsulate the target internet protocol address into a first interface request packet, call a basic information query interface through the first interface request packet, and obtain geographic area location information, holder information, and a security tag corresponding to the target internet protocol address;
a basic information obtaining unit 104, configured to determine the geographical area location information, holder information, and security tag as the basic network information corresponding to the target internet protocol address;
the risk tag obtaining unit 105 is configured to encapsulate the target internet protocol address into a second interface request packet, invoke the risk information query interface through the second interface request packet, and obtain risk tag information corresponding to the target internet protocol address.
In one or more embodiments, the risk tag obtaining unit 105 invokes the risk information query interface through the second interface request packet to obtain the risk tag information corresponding to the target internet protocol address, including:
the risk information query interface is called through the second interface request message, a risk type label set is obtained, and a risk type label matched with a target Internet protocol address in the risk type label set is determined to be a hit label;
combining the target internet protocol address and the hit label into risk marking information corresponding to the target internet protocol address.
In one or more embodiments, the port opening detection module 11 performs port opening detection on a port set corresponding to a target internet protocol address, and obtains opening port information corresponding to the target internet protocol address in the port set, including:
a connection request sending unit 111, configured to obtain a port set corresponding to the target internet protocol address, and send a connection request to a port i in the port set;
a confirmation data receiving unit 112, configured to determine an open state of the port i as an opened state if connection confirmation data returned by the port i is received;
the open port information combining unit 113 is configured to add a port in an open state in the port set to the open port list, and combine the target internet protocol address, the open port list, and the open state corresponding to the port in the open port list into open port information corresponding to the target internet protocol address.
In one or more embodiments, the fingerprint detection module 12 performs fingerprint detection analysis on the target internet protocol address and the open port in the open port information, and obtains the open service information corresponding to the open port in the open port information, including:
a probe data transmitting unit 121, configured to determine a target service device through an open port in the target internet protocol address and the open port information, and transmit specific probe data to the target service device;
the response data receiving unit 122 is configured to receive response data for specific probe data returned by the target service device, perform feature analysis on the response data, and obtain a service type corresponding to an open port in the open port information;
the open service information obtaining unit 123 is configured to combine the target internet protocol address, the open port in the open port information, the specific probe data, the response data, and the service type into the open service information.
In one or more embodiments, the login information obtaining module 13 determines a login type open port from the open ports included in the open port information according to the service type in the open service information, and obtains the open service login information corresponding to the login type open port, including:
a port classification unit 131, configured to classify, according to a service type in the open service information, open ports included in the open port information, to obtain M open port groups; the open ports contained in one open port group have the same service type, and M is a positive integer;
a login-type port determining unit 132 configured to determine, as a login-type open port, an open port in an open port group having a service type of login-type service type, among the M open port groups;
the login information obtaining unit 133 is configured to obtain account login information corresponding to the login type open port, and combine the target internet protocol address, the login type open port, the login type service type, and the account login information into open service login information.
In one or more embodiments, the second obtaining module 14 obtains honeypot feature identification information corresponding to the target internet protocol address, including:
a request receiving object determining unit 141, configured to obtain K honeypot feature recognition policies in the recognition policy set, and determine a request receiving object corresponding to honeypot feature recognition policy a according to the honeypot type corresponding to honeypot feature recognition policy a among the K honeypot feature recognition policies; the K honeypot feature recognition policies are used for recognizing honeypots of different types, and K is a positive integer;
a request data packet generating unit 142, configured to generate a request data packet corresponding to honeypot feature recognition policy a according to the open service information and a probe packet format corresponding to honeypot feature recognition policy a, and send the request data packet to the request receiving object;
a feature matching unit 143, configured to receive request response data returned by the request receiving object, and match the request response data with the honeypot features in honeypot feature recognition policy a according to the matching logic corresponding to honeypot feature recognition policy a, so as to obtain a honeypot matching result corresponding to honeypot feature recognition policy a;
a honeypot feature information obtaining unit 144, configured to combine the honeypot matching results corresponding to the K honeypot feature recognition policies into the honeypot feature identification information corresponding to the target internet protocol address.
In one or more embodiments, the weighted summation module 15 obtains the honeypot evaluation value of the target internet protocol address on each honeypot evaluation index, including:
a first evaluation value determining unit 150, configured to determine a honeypot evaluation value of the target internet protocol address in the base network information according to a matching relationship between the holder information in the base network information and the network service corresponding to the target internet protocol address;
a second evaluation value determining unit 151, configured to determine a honeypot evaluation value of the target internet protocol address in the risk flag information according to the proportion of hit labels among the risk type labels included in the risk flag information;
a third evaluation value determining unit 152, configured to determine a honeypot evaluation value of the target internet protocol address in the open port information according to the number of open ports included in the open port information;
a fourth evaluation value determining unit 153, configured to determine a honeypot evaluation value of the target internet protocol address in the open service information according to the open port and the service type distribution information included in the open service information;
a fifth evaluation value determining unit 154, configured to determine a honeypot evaluation value of the target internet protocol address in the open service login information according to a login attempt result corresponding to the account login information in the open service login information;
A sixth evaluation value determination unit 155 for determining a honeypot evaluation value of the target internet protocol address in the honeypot feature identification information based on the number of successful match results included in the honeypot feature identification information.
In one or more embodiments, the sixth evaluation value determination unit 155 determines the honeypot evaluation value of the target internet protocol address in the honeypot feature identification information according to the number of successful match results included in the honeypot feature identification information, including:
if a successful honeypot matching result corresponding to a honeypot feature recognition policy exists in the honeypot feature identification information, determining the honeypot evaluation value of the target internet protocol address in the honeypot feature identification information as a first evaluation value;
and if the honeypot matching results corresponding to all K honeypot feature recognition policies are failed match results, determining the honeypot evaluation value of the target internet protocol address in the honeypot feature identification information as a second evaluation value.
In one or more embodiments, the weighted summation module 15 performs weighted summation processing on the honeypot evaluation value corresponding to each honeypot evaluation index and the index weight corresponding to each honeypot evaluation index to obtain the honeypot detection result corresponding to the target internet protocol address, including:
A weighting unit 156, configured to perform weighted summation processing on the honeypot evaluation value corresponding to each honeypot evaluation index and the index weight corresponding to each honeypot evaluation index, so as to obtain a comprehensive evaluation value corresponding to the target internet protocol address;
a honeypot detection result determining unit 157, configured to determine that the honeypot detection result corresponding to the target internet protocol address is honeypot if the comprehensive evaluation value is greater than the honeypot evaluation threshold;
the honeypot detection result determining unit 157 is further configured to determine that the honeypot detection result corresponding to the target internet protocol address is undetermined if the comprehensive evaluation value is less than or equal to the honeypot evaluation threshold.
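The scoring path of units 155 to 157 (and the same steps restated in claims 9 to 11), as an added Python example that is not part of the patent: the sixth evaluation value is derived from the K strategy match results, the second from the share of hit risk labels, and the six values are combined by weighted summation and compared with the honeypot evaluation threshold. The numeric weights, the 1.0/0.0 first and second evaluation values, the threshold and the remaining per-index values are assumptions, since the text fixes none of them.

```python
from typing import Dict, List, Mapping, Tuple

# The six honeypot evaluation indexes named for units 150 to 155.
INDEXES: Tuple[str, ...] = (
    "base_network",       # unit 150: holder information vs. observed network service
    "risk_flags",         # unit 151: share of hit labels among the risk type labels
    "open_ports",         # unit 152: number of open ports
    "open_services",      # unit 153: open port / service type distribution
    "service_login",      # unit 154: login attempt result
    "honeypot_features",  # unit 155: match results of the K recognition policies
)


def risk_flag_value(hit_labels: List[str], risk_type_labels: List[str]) -> float:
    """Unit 151: evaluation value derived from the share of hit labels.

    Assumption (not fixed by the text): the share itself is used as the value.
    """
    if not risk_type_labels:
        return 0.0
    hits = set(hit_labels)
    return sum(1 for label in risk_type_labels if label in hits) / len(risk_type_labels)


def feature_value(match_results: List[bool],
                  first_value: float = 1.0,
                  second_value: float = 0.0) -> float:
    """Unit 155: one match result per recognition policy (K results).

    Any successful match yields the first evaluation value; all K failing
    yields the second. The numeric values 1.0 / 0.0 are assumed.
    """
    if not match_results:
        raise ValueError("K must be a positive integer: at least one policy is required")
    return first_value if any(match_results) else second_value


def comprehensive_value(values: Mapping[str, float],
                        weights: Mapping[str, float]) -> float:
    """Unit 156: weighted sum of each index's evaluation value and its index weight."""
    missing = [idx for idx in INDEXES if idx not in values or idx not in weights]
    if missing:
        raise KeyError(f"evaluation value or weight missing for: {missing}")
    return sum(values[idx] * weights[idx] for idx in INDEXES)


def detection_result(score: float, threshold: float) -> str:
    """Unit 157: strictly above the honeypot evaluation threshold -> 'honeypot',
    otherwise -> 'undetermined' (the text never outputs 'not a honeypot')."""
    return "honeypot" if score > threshold else "undetermined"


def identify(values: Mapping[str, float],
             weights: Mapping[str, float],
             threshold: float) -> Tuple[float, str]:
    """Run units 156 and 157 together and return (comprehensive value, result)."""
    score = comprehensive_value(values, weights)
    return score, detection_result(score, threshold)


# Constructed sample input: the index weights are assumed, the patent fixes none.
SAMPLE_WEIGHTS: Dict[str, float] = {
    "base_network": 0.10, "risk_flags": 0.10, "open_ports": 0.15,
    "open_services": 0.15, "service_login": 0.20, "honeypot_features": 0.30,
}


def sample_values(match_results: List[bool]) -> Dict[str, float]:
    """Constructed evaluation values for one target address; only the two
    indexes the text describes numerically are computed, the rest are assumed."""
    return {
        "base_network": 0.5,
        "risk_flags": risk_flag_value(["scanner", "proxy"],
                                      ["scanner", "proxy", "tor_exit", "vpn"]),
        "open_ports": 0.8,
        "open_services": 0.6,
        "service_login": 1.0,
        "honeypot_features": feature_value(match_results),
    }


if __name__ == "__main__":
    for results in ([False, False, True], [False, False, False]):
        score, verdict = identify(sample_values(results), SAMPLE_WEIGHTS, threshold=0.6)
        print(f"policy matches={results} -> comprehensive value {score:.2f}: {verdict}")
```

With the assumed weights, a single successful feature match moves the constructed address from "undetermined" (0.51) to "honeypot" (0.81) against a threshold of 0.6, which shows how strongly the feature index weight governs the final result.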
In one or more embodiments, the weighted summation module 15 returns the honeypot detection results to the communication application, including:
a detection result encrypting unit 158, configured to encrypt the honeypot detection result using the object access token and the key information corresponding to the intelligent detection object in the communication application, so as to generate second message encrypted data;
a message sending unit 159, configured to return the second message encrypted data to the communication application, so that the communication application sends the second message data to a message sending object corresponding to the first message data through the intelligent detection object; the second message data is obtained by decrypting the second message encrypted data by the communication application.
In one or more embodiments, the network honeypot identification device 1 further includes a log generation module 16, a log uploading module 17 and a log storage module 18;
a log generation module 16, configured to obtain system behavior information associated with the target internet protocol address, and generate a behavior log according to the system behavior information;
the log uploading module 17 is configured to upload the behavior log to the blockchain system, so that a blockchain node in the blockchain system encapsulates the behavior log into a transaction block and performs accounting processing on the transaction block once consensus on it has been reached;
the log storage module 18 is configured to receive uplink success information returned by a blockchain node in the blockchain system, and store a file hash of the behavior log in the blockchain system in a local database according to the uplink success information; the file hash is used to indicate the storage location of the behavior log in the blockchain system.
According to one embodiment of the present application, the steps involved in the above-described network honeypot identification method may be performed by the respective modules and units in the network honeypot identification device 1 shown in fig. 9. For example, step S101 shown in fig. 3 may be performed by the first acquisition unit 10 shown in fig. 9, step S102 shown in fig. 3 may be performed by the port open detection module 11 shown in fig. 9, step S103 shown in fig. 3 may be performed by the fingerprint detection module 12 shown in fig. 9, step S104 shown in fig. 3 may be performed by the login information acquisition module 13 shown in fig. 9, step S105 shown in fig. 3 may be performed by the second acquisition module 14 shown in fig. 9, step S106 shown in fig. 3 may be performed by the weighted summation module 15 shown in fig. 9, and so on.
According to an embodiment of the present application, each module (unit) in the network honey pot identification device 1 shown in fig. 9 may be formed by combining one or several modules (units) separately or all, or some module (units) may be further split into at least two sub-units with smaller functions, so that the same operation may be implemented without affecting the implementation of the technical effects of the embodiment of the present application. The above modules (units) are divided based on logic functions, and in practical applications, the functions of one module (unit) may be implemented by at least two modules (units), or the functions of at least two modules (units) may be implemented by one module (unit). In other embodiments of the present application, the network honey pot identification device 1 may also include other modules (units), and in practical applications, these functions may also be implemented with assistance by other modules (units), and may be implemented by at least two modules (units) in cooperation.
In the embodiment of the application, the target IP address can be acquired through the communication application, so that the basic network information, the risk marking information, the open port information, the open service login information and the honeypot feature identification information corresponding to the target IP address can be acquired; this information is then used as different honeypot evaluation indexes, and the honeypot evaluation value of the target IP address on each honeypot evaluation index is obtained by analyzing each index. Weighted summation processing is carried out on the honeypot evaluation value corresponding to each honeypot evaluation index and the index weight corresponding to that index, so as to obtain the final honeypot detection result of the target IP address. That is, the final honeypot detection result of the target IP address is determined by the comprehensive evaluation value obtained from the weighted summation of the honeypot evaluation values corresponding to the honeypot identification indexes, so that the comprehensiveness of the data on the target IP address in the honeypot identification process can be ensured and the identification accuracy for honeypots can be improved; meanwhile, the honeypot detection flow can be triggered by inputting the target IP address in the form of message data in the communication application, and the honeypot detection result corresponding to the target IP address is output directly in the communication application, so that complicated operations in the honeypot detection process can be reduced and the honeypot detection efficiency improved.
Referring to fig. 10, fig. 10 is a schematic structural diagram of a computer device according to an embodiment of the application. As shown in fig. 10, the computer device 1000 may be a server or may be a terminal device, which is not limited herein. For ease of understanding, taking the example that the computer device is a terminal device in the embodiment of the present application, the computer device 1000 may include: processor 1001, network interface 1004, and memory 1005, and in addition, the above-described computer device 1000 may further include: a user interface 1003, and at least one communication bus 1002. Wherein the communication bus 1002 is used to enable connected communication between these components. The user interface 1003 may include a Display (Display), a Keyboard (Keyboard), and optionally, the user interface 1003 may further include a standard wired interface, a wireless interface. Alternatively, the network interface 1004 may include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (non-volatile memory), such as at least one disk memory. Optionally, the memory 1005 may also be at least one memory device located remotely from the aforementioned processor 1001. As shown in fig. 10, an operating system, a network communication module, a user interface module, and a device control application program may be included in the memory 1005, which is one type of computer-readable storage medium.
In the computer device 1000 shown in fig. 10, the network interface 1004 may provide a network communication function; while user interface 1003 is primarily used as an interface for providing input to a user; the processor 1001 may be used to invoke device control applications stored in the memory 1005.
It should be understood that the computer device 1000 described in the embodiment of the present application may perform the description of the network honeypot identification method in any of the embodiments corresponding to fig. 3 and 5, and may also perform the description of the network honeypot identification device 1 in the embodiment corresponding to fig. 9, which is not repeated herein. In addition, the description of the beneficial effects of the same method is omitted.
Furthermore, it should be noted here that: the embodiment of the present application further provides a computer-readable storage medium in which the aforementioned computer program executed by the network honeypot identification device 1 is stored; the computer program includes program instructions which, when executed by a processor, can perform the description of the network honeypot identification method in any of the foregoing embodiments corresponding to fig. 3 and 5, and therefore a detailed description will not be given here. In addition, the description of the beneficial effects of the same method is omitted. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like. For technical details not disclosed in the embodiments of the computer-readable storage medium according to the present application, please refer to the description of the method embodiments of the present application. As an example, program instructions may be deployed to be executed on one computing device, on multiple computing devices at one site or, alternatively, across multiple computing devices distributed across multiple sites and interconnected by a communication network, where the multiple computing devices distributed across multiple sites and interconnected by the communication network may constitute a blockchain system.
In addition, it should be noted that: embodiments of the present application also provide a computer program product or computer program that may include computer instructions that may be stored in a computer-readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor may execute the computer instructions so that the computer device performs the foregoing description of the network honeypot identification method in any of the embodiments corresponding to fig. 3 and fig. 5, and therefore a detailed description will not be given here. In addition, the description of the beneficial effects of the same method is omitted. For technical details not disclosed in the computer program product or the computer program embodiments according to the present application, reference is made to the description of the method embodiments according to the present application.
The terms first, second and the like in the description and in the claims and drawings of embodiments of the application, are used for distinguishing between different media content and not for describing a particular sequential order. Furthermore, the term "include" and any variations thereof is intended to cover a non-exclusive inclusion. For example, a process, method, apparatus, article, or device that comprises a list of steps or elements is not limited to the list of steps or modules but may, in the alternative, include other steps or modules not listed or inherent to such process, method, apparatus, article, or device.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The method and related apparatus provided in the embodiments of the present application are described with reference to the flowchart and/or schematic structural diagrams of the method provided in the embodiments of the present application, and each flow and/or block of the flowchart and/or schematic structural diagrams of the method may be implemented by computer program instructions, and combinations of flows and/or blocks in the flowchart and/or block diagrams. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or structural diagram block or blocks. These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or structures.
The foregoing disclosure is illustrative of the present application and is not to be construed as limiting the scope of the application, which is defined by the appended claims.

Claims (17)

1. A network honeypot identification method, characterized by comprising the following steps:
acquiring a target Internet protocol address through a communication application, and acquiring basic network information and risk marking information corresponding to the target Internet protocol address;
performing port open detection on a port set corresponding to the target internet protocol address, and obtaining open port information corresponding to the target internet protocol address from the port set;
performing fingerprint detection analysis on the target internet protocol address and the open port in the open port information to obtain open service information corresponding to the open port in the open port information;
determining a login type open port in the open ports included in the open port information according to the service type in the open service information, and acquiring open service login information corresponding to the login type open port;
obtaining honeypot feature identification information corresponding to the target internet protocol address, determining the basic network information, the risk marking information, the open port information, the open service login information and the honeypot feature identification information as honeypot evaluation indexes corresponding to the target internet protocol address, and obtaining index weights corresponding to the honeypot evaluation indexes;
and obtaining honeypot evaluation values of the target internet protocol address on the honeypot evaluation indexes, carrying out weighted summation processing on the honeypot evaluation values corresponding to the honeypot evaluation indexes and the index weights corresponding to the honeypot evaluation indexes to obtain a honeypot detection result corresponding to the target internet protocol address, and returning the honeypot detection result to the communication application.
2. The method of claim 1, wherein the obtaining the target internet protocol address by the communication application comprises:
receiving first message encryption data sent by a communication application; the first message encryption data are obtained by encrypting first message data received by an intelligent detection object in the communication application, and the first message data are used for indicating the intelligent detection object to trigger a honeypot detection flow;
and decrypting the first message encrypted data through the object access token and the key information corresponding to the intelligent detection object to obtain the first message data corresponding to the intelligent detection object, and obtaining the target internet protocol address in the first message data.
3. The method according to claim 1, wherein the obtaining the base network information and risk marking information corresponding to the target internet protocol address includes:
Encapsulating the target Internet protocol address into a first interface request message, and calling a basic information inquiry interface through the first interface request message to acquire geographic area position information, holder information and a security tag corresponding to the target Internet protocol address;
combining the geographical area location information, the holder information, and the security tag into base network information corresponding to the target internet protocol address;
and packaging the target Internet protocol address into a second interface request message, and calling a risk information inquiry interface through the second interface request message to obtain risk marking information corresponding to the target Internet protocol address.
4. The method according to claim 3, wherein calling the risk information query interface through the second interface request message to obtain the risk marking information corresponding to the target internet protocol address includes:
the risk information query interface is called through the second interface request message, a risk type label set is obtained, and a risk type label matched with the target Internet protocol address in the risk type label set is determined to be a hit label;
And combining the target internet protocol address and the hit label into risk marking information corresponding to the target internet protocol address.
5. The method according to claim 1, wherein the performing port open detection on the port set corresponding to the target internet protocol address, and obtaining open port information corresponding to the target internet protocol address in the port set, includes:
acquiring a port set corresponding to the target Internet protocol address, and sending a connection request to a port i in the port set;
if connection confirmation data returned by port i is received, determining the state of port i as open;
and adding the ports in the open state in the port set to an open port list, and combining the target internet protocol address, the open port list and the open state corresponding to the ports in the open port list into the open port information corresponding to the target internet protocol address.
6. The method according to claim 1, wherein the performing fingerprint detection analysis on the target internet protocol address and the open port in the open port information to obtain open service information corresponding to the open port in the open port information includes:
determining a target service device through the target internet protocol address and an open port in the open port information, and sending specific probe data to the target service device;
receiving response data returned by the target service device for the specific probe data, and performing feature analysis on the response data to obtain a service type corresponding to the open port in the open port information;
and combining the target internet protocol address, the open port in the open port information, the specific probe data, the response data and the service type into the open service information.
7. The method according to claim 1, wherein determining a login type open port from among the open ports included in the open port information according to the service type in the open service information, and obtaining open service login information corresponding to the login type open port, includes:
classifying the open ports contained in the open port information according to the service types in the open service information to obtain M open port groups; the open ports contained in one open port group have the same service type, and M is a positive integer;
Determining the open port in the open port group with the service type being the login type service type as a login type open port in the M open port groups;
and acquiring account login information corresponding to the login type open port, and combining the target internet protocol address, the login type open port, the login type service type and the account login information into the open service login information.
8. The method according to claim 1, wherein the obtaining the honeypot feature identification information corresponding to the target internet protocol address includes:
obtaining K honeypot feature recognition strategies in a recognition strategy set, and determining a request receiving object corresponding to the honeypot feature recognition strategy a according to the honeypot type corresponding to the honeypot feature recognition strategy a in the K honeypot feature recognition strategies; the K honeypot characteristic identification strategies are used for identifying honeypots of different types, and K is a positive integer;
generating a request data packet corresponding to honeypot feature recognition strategy a according to the open service information and a probe packet format corresponding to honeypot feature recognition strategy a, and sending the request data packet to the request receiving object;
receiving request response data returned by the request receiving object, and matching the request response data with the honeypot features in honeypot feature recognition strategy a according to the matching logic corresponding to honeypot feature recognition strategy a to obtain a honeypot matching result corresponding to honeypot feature recognition strategy a;
and combining the honeypot matching results corresponding to the K honeypot feature recognition strategies into honeypot feature recognition information corresponding to the target Internet protocol address.
9. The method according to any one of claims 1 to 8, wherein said obtaining a honeypot evaluation value of the target internet protocol address on the respective honeypot evaluation index comprises:
determining a honeypot evaluation value of the target internet protocol address in the basic network information according to a matching relationship between holder information in the basic network information and the network service corresponding to the target internet protocol address;
determining a honeypot evaluation value of the target internet protocol address in the risk marking information according to the proportion of hit labels among the risk type labels contained in the risk marking information;
determining a honeypot evaluation value of the target internet protocol address in the open port information according to the number of the open ports contained in the open port information;
Determining a honeypot evaluation value of the target internet protocol address in the open service information according to the open port and service type distribution information contained in the open service information;
determining a honeypot evaluation value of the target internet protocol address in the open service login information according to a login attempt result corresponding to the account login information in the open service login information;
and determining a honeypot evaluation value of the target internet protocol address in the honeypot feature identification information according to the number of successful matching results contained in the honeypot feature identification information.
10. The method of claim 9, wherein determining the honeypot evaluation value of the target internet protocol address in the honeypot feature identification information based on the number of successful matches contained in the honeypot feature identification information comprises:
if a successful honeypot matching result corresponding to a honeypot feature recognition strategy exists in the honeypot feature identification information, determining the honeypot evaluation value of the target internet protocol address in the honeypot feature identification information as a first evaluation value;
and if the honeypot matching results corresponding to the K honeypot feature recognition strategies are all matching failure results, determining that the honeypot evaluation value of the target internet protocol address in the honeypot feature recognition information is a second evaluation value.
11. The method according to claim 1, wherein the weighting and summing the honeypot evaluation values corresponding to the honeypot evaluation indexes and the index weights corresponding to the honeypot evaluation indexes to obtain the honeypot detection results corresponding to the target internet protocol addresses includes:
carrying out weighted summation processing on the honeypot evaluation value corresponding to each honeypot evaluation index and the index weight corresponding to each honeypot evaluation index to obtain a comprehensive evaluation value corresponding to the target internet protocol address;
if the comprehensive evaluation value is larger than a honeypot evaluation threshold, determining that a honeypot detection result corresponding to the target Internet protocol address is honeypot;
and if the comprehensive evaluation value is smaller than or equal to the honeypot evaluation threshold, determining that the honeypot detection result corresponding to the target Internet protocol address is undetermined.
12. The method of claim 2, wherein the returning the honeypot detection result to the communication application comprises:
encrypting the honeypot detection result by adopting object access tokens and key information corresponding to intelligent detection objects in the communication application to generate second message encryption data;
Returning the second message encryption data to the communication application so that the communication application can send the second message data to a message sending object corresponding to the first message data through the intelligent detection object; the second message data is obtained by decrypting the second message encrypted data by the communication application.
13. The method according to claim 1, further comprising:
acquiring system behavior information associated with the target Internet protocol address, and generating a behavior log from the system behavior information;
uploading the behavior log to a blockchain system, so that a blockchain node in the blockchain system packages the behavior log into a transaction block and records the transaction block once consensus on it is reached;
and receiving on-chain success information returned by the blockchain node in the blockchain system, and storing, according to the on-chain success information, the file hash of the behavior log in the blockchain system in a local database; the file hash is used to indicate the storage location of the behavior log in the blockchain system.
14. A network honeypot identification device, comprising:
a first acquisition module, configured to acquire a target Internet protocol address through a communication application, and to acquire basic network information and risk marking information corresponding to the target Internet protocol address;
a port opening detection module, configured to perform port opening detection on a port set corresponding to the target Internet protocol address, and to acquire open port information corresponding to the target Internet protocol address from the port set;
a fingerprint detection module, configured to perform fingerprint detection analysis on the target Internet protocol address and the open ports in the open port information, to obtain open service information corresponding to the open ports in the open port information;
a login information acquisition module, configured to determine, according to the service type in the open service information, a login-type open port among the open ports contained in the open port information, and to acquire open service login information corresponding to the login-type open port;
a second acquisition module, configured to acquire honeypot feature identification information corresponding to the target Internet protocol address, to determine the basic network information, the risk marking information, the open port information, the open service login information and the honeypot feature identification information as honeypot evaluation indexes corresponding to the target Internet protocol address, and to acquire index weights corresponding to the honeypot evaluation indexes;
and a weighted summation module, configured to acquire the honeypot evaluation value of the target Internet protocol address on each honeypot evaluation index, to perform weighted summation processing on the honeypot evaluation value corresponding to each honeypot evaluation index and the index weight corresponding to each honeypot evaluation index to obtain a honeypot detection result corresponding to the target Internet protocol address, and to return the honeypot detection result to the communication application.
15. A computer device comprising a memory and a processor;
the memory is connected to the processor, the memory is used for storing a computer program, and the processor is used for calling the computer program to enable the computer device to execute the method of any one of claims 1 to 13.
16. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program adapted to be loaded and executed by a processor to cause a computer device having the processor to perform the method of any of claims 1 to 13.
17. A computer program product comprising computer programs/instructions which, when executed by a processor, implement the method of any of claims 1 to 13.
CN202311010173.7A 2023-08-10 2023-08-10 Network honey pot identification method, device, equipment and storage medium Pending CN116866076A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311010173.7A CN116866076A (en) 2023-08-10 2023-08-10 Network honey pot identification method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311010173.7A CN116866076A (en) 2023-08-10 2023-08-10 Network honey pot identification method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116866076A true CN116866076A (en) 2023-10-10

Family

ID=88219243

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311010173.7A Pending CN116866076A (en) 2023-08-10 2023-08-10 Network honey pot identification method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116866076A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117806226A (en) * 2024-03-01 2024-04-02 北京中关村实验室 Deep vulnerability discovery method and system for protocol stack of PLC (programmable logic controller) equipment
CN117806226B (en) * 2024-03-01 2024-04-30 北京中关村实验室 Deep vulnerability discovery method and system for protocol stack of PLC (programmable logic controller) equipment

Similar Documents

Publication Publication Date Title
US11075932B2 (en) Appliance extension for remote communication with a cyber security appliance
Xing et al. Survey on botnet detection techniques: Classification, methods, and evaluation
Macaulay et al. Cybersecurity for industrial control systems: SCADA, DCS, PLC, HMI, and SIS
Helmer et al. Lightweight agents for intrusion detection
US20200213336A1 (en) Detecting inappropriate activity in the presence of unauthenticated API requests using artificial intelligence
CN114679292B (en) Honeypot identification method, device, equipment and medium based on network space mapping
Lin et al. Internet of things intrusion detection model and algorithm based on cloud computing and multi-feature extraction extreme learning machine
Luntovskyy et al. Cryptographic technology blockchain and its applications
CN116866076A (en) Network honey pot identification method, device, equipment and storage medium
Prajisha et al. An efficient intrusion detection system for MQTT-IoT using enhanced chaotic salp swarm algorithm and LightGBM
Hassan et al. New advancements in cybersecurity: A comprehensive survey
Dong et al. BotDetector: An extreme learning machine‐based Internet of Things botnet detection model
Naik et al. D-FRI-Honeypot: A secure sting operation for hacking the hackers using dynamic fuzzy rule interpolation
CN114268505B (en) Method and device for adjusting fraud policy of honeynet, electronic equipment and storage medium
Badruddoja et al. Integrating DOTS with blockchain can secure massive IoT sensors
Araya et al. Anomaly-based cyberattacks detection for smart homes: A systematic literature review
Miller et al. Detection of anonymising proxies using machine learning
Zhu Resilient control and intrusion detection for scada systems
Zammit A machine learning based approach for intrusion prevention using honeypot interaction patterns as training data
Khaing et al. IoT botnet detection mechanism based on UDP protocol
CN111385293B (en) Network risk detection method and device
Arul et al. Supervised deep learning vector quantization to detect MemCached DDOS malware attack on cloud
Ch et al. Machine Learning Based Data Security Model Using Blockchain for Secure Data Transmission in IoT
Loganathan Real-time intrusion detection using multidimensional sequence-to-sequence machine learning and adaptive stream processing
Pillutla et al. Recursive Self Organizing Maps and Software Defined Networking Cloud-A Survey

Legal Events

Date Code Title Description
PB01 Publication