CN117061253B - Detection method and system for dynamically deploying honeypots - Google Patents

Info

Publication number: CN117061253B
Authority: CN (China)
Prior art keywords: address, arp, addresses, request message, message
Legal status: Active
Application number: CN202311318401.7A
Other languages: Chinese (zh)
Other versions: CN117061253A (en)
Inventors: 高瑞阳, 谢峥, 高庆官, 卢成远, 陈佳正, 汪中杰, 姜培均
Current Assignee: Nanjing Cyber Peace Technology Co Ltd
Original Assignee: Nanjing Cyber Peace Technology Co Ltd

Classifications

    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5046 Resolving address allocation conflicts; Testing of addresses
    • H04L61/5069 Address allocation for group communication, multicast communication or broadcast communication
    • H04L9/40 Network security protocols
    • H04L2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses

Abstract

The invention discloses a detection method and a detection system for dynamically deployed honeypots. First, a gratuitous ARP request message B is constructed and broadcast, in which the source and destination IP addresses are both A and the MAC address is a random address. Next, a gratuitous ARP request message C is constructed and broadcast, in which the source and destination IP addresses are both A and the MAC address is the previously acquired MAC address corresponding to IP address A. Then an ordinary ARP request message D is constructed to query the MAC address corresponding to IP address A. Finally, it is determined whether ARP request message D is answered; if it is not answered and a newly online IP address E is observed within a preset time, IP address E is marked as the IP address of a dynamically deployed honeypot. The method and system can accurately identify dynamically deployed honeypots and improve the accuracy and efficiency of related network application software.

Description

Detection method and system for dynamically deploying honeypots
Technical Field
The invention relates to a detection method and a detection system for dynamically deploying honeypots, and belongs to the technical field of network security.
Background
Honeypot technology is a technique for deceiving attackers. By deploying hosts, network services or information as bait, it induces attackers to attack the bait, so that the attack behavior can be captured and analyzed, the tools and methods used by the attacker can be understood, and the security protection capability of the real system can be strengthened through technical and management measures. Bait hosts are a common solution: attacks occurring inside the target network are trapped by deploying multiple honeypot nodes with IP addresses inside that network. The number of honeypot nodes must be large enough to protect the other devices in the network. In general, the number of honeypot nodes is configured in proportion to the number of existing devices in the network, e.g., 4:1, meaning that 4 honeypots are configured per existing device.
Because the number of honeypots is large, manual deployment is too cumbersome and also places demands on operators, who must fully understand how IP addresses are used and planned. Practitioners have therefore proposed dynamic deployment schemes (such as patent publication number CN113904852A), which automatically detect IP address usage in the network and automatically select idle IP addresses for honeypots; when an IP address being used by a honeypot is taken into use again by an existing device, the honeypot automatically releases this IP address and selects another free one. This matters because an IP address may be statically assigned to a device that happens to be powered off during detection. After the device starts, it announces to the network that it is using this IP address. If a honeypot is also using that IP address, the honeypot must give it up; otherwise an IP address conflict results and normal use of the device is affected.
Dynamically deployed honeypots also pose challenges for other network applications. For example, when a penetration test is performed on a client's existing network at the client's request, a great deal of time is wasted on honeypots if they are not treated differently, and linkage between the honeypots and other protective equipment may even be triggered, which affects the test results. Likewise, if there is no standard information exchange interface between network mapping software and the honeypot system, the IP addresses of the current honeypots cannot be obtained, so honeypot nodes are identified as ordinary network nodes and the mapping information is inaccurate.
Disclosure of Invention
Purpose of the invention: in view of the problems in the prior art, the invention aims to provide a detection method and a detection system for dynamically deployed honeypots, so as to accurately identify dynamically deployed honeypots.
Technical solution: to achieve this purpose, the invention adopts the following technical solution:
A detection method for dynamically deployed honeypots, in which each IP address A to be detected is probed again after a preemption test to identify whether it belongs to a dynamically deployed honeypot, comprises the following steps:
step 1: construct and broadcast a gratuitous ARP request message B, in which the source and destination IP addresses are both A and the MAC address is a random address;
step 2: construct and broadcast a gratuitous ARP request message C, in which the source and destination IP addresses are both A and the MAC address is the previously acquired MAC address corresponding to IP address A;
step 3: construct an ordinary ARP request message D to query the MAC address corresponding to IP address A; the source IP address and MAC address in message D are the IP address and MAC address of the test host, and the destination IP address is IP address A;
step 4: determine whether ARP request message D is answered; if it is not answered and, within a preset time, a newly online IP address E is obtained by monitoring ARP messages, mark IP address E as the IP address of a dynamically deployed honeypot.
Further, all online IP addresses and their MAC addresses are obtained by ARP scanning of the network segment, each IP address A is traversed, and steps 1 to 4 are executed.
Further, an ARP listening thread is started before the traversal begins, to monitor ARP messages in the network, discover hosts coming online and acquire the IP and MAC addresses of newly online hosts; the ARP listening thread is stopped after the traversal finishes.
Further, after the first traversal detection is completed, only honeypot IP addresses that come online again are detected.
A detection system for dynamically deployed honeypots comprises a detection module which, for each IP address A to be detected, probes again after a preemption test to identify whether the address belongs to a dynamically deployed honeypot, the detection module comprising:
a preemption test unit, used for constructing and broadcasting a gratuitous ARP request message B, in which the source and destination IP addresses are both A and the MAC address is a random address;
a cache recovery unit, used for constructing and broadcasting a gratuitous ARP request message C, in which the source and destination IP addresses are both A and the MAC address is the previously acquired MAC address corresponding to IP address A;
a re-detection unit, used for constructing an ordinary ARP request message D to query the MAC address corresponding to IP address A; the source IP address and MAC address in message D are the IP address and MAC address of the test host, and the destination IP address is IP address A;
a honeypot judging unit, used for determining whether ARP request message D is answered and, if it is not answered and a newly online IP address E is obtained within a preset time by monitoring ARP messages, marking IP address E as the IP address of a dynamically deployed honeypot.
Further, the system also comprises:
a scanning module, used for scanning the network segment by ARP to obtain all online IP addresses and their MAC addresses;
a monitoring module, used for monitoring ARP messages in the network to discover hosts coming online and acquire the IP and MAC addresses of newly online hosts.
Further, after the scanning module has acquired all the IP addresses, the monitoring module is started, each IP address A is traversed, and detection is carried out by the detection module; after the traversal is complete, the monitoring module is stopped.
Further, the system also comprises a subsequent detection module, used for detecting, through the detection module, honeypot IP addresses that come online again after the first traversal detection is completed.
A computer system comprises a memory, a processor and a computer program stored on the memory and executable on the processor, the computer program implementing the steps of the detection method for dynamically deployed honeypots when loaded into the processor.
A computer readable storage medium stores a computer program which, when executed by a processor, performs the steps of the detection method for dynamically deployed honeypots.
Beneficial effects: the invention probes again after the preemption test to identify whether the target address belongs to a dynamically deployed honeypot, and at the same time restores the ARP caches of the hosts and the switch so that the original network equipment is not affected. Compared with the prior art, the invention has the following advantages: 1. in a network mapping system, information about the dynamically deployed honeypots in a network can be obtained with the scheme of the invention, so the mapping result is more accurate; 2. in a penetration test, dynamically deployed honeypots can be identified and excluded, which greatly speeds up the test and improves test efficiency.
Drawings
FIG. 1 is a flow chart of a method according to an embodiment of the invention.
Fig. 2 is a flowchart illustrating an example of a process to which an embodiment of the present invention is applied.
Fig. 3 is a schematic diagram of a system structure according to an embodiment of the invention.
Fig. 4 is a schematic diagram of another system structure according to an embodiment of the invention.
Detailed Description
The technical scheme of the invention will be clearly and completely described below with reference to the accompanying drawings and specific embodiments.
The embodiment of the invention discloses a detection method for dynamically deployed honeypots, which identifies whether a target node is a dynamically deployed honeypot by sending specific messages to the target node and to the network it belongs to. Specifically, each IP address A to be detected is probed again after a preemption test to identify whether it belongs to a dynamically deployed honeypot. As shown in fig. 1, the detection method comprises the following steps:
step 1: construct and broadcast a gratuitous ARP request message B, in which the source and destination IP addresses are both A and the MAC address is a random address;
step 2: construct and broadcast a gratuitous ARP request message C, in which the source and destination IP addresses are both A and the MAC address is the previously acquired MAC address corresponding to IP address A;
step 3: construct an ordinary ARP request message D to query the MAC address corresponding to IP address A; the source IP address and MAC address in message D are the IP address and MAC address of the test host, and the destination IP address is IP address A;
step 4: determine whether ARP request message D is answered; if it is not answered and, within a preset time, a newly online IP address E is obtained by monitoring ARP messages, mark IP address E as the IP address of a dynamically deployed honeypot.
In this embodiment, all online IP addresses and their MAC addresses are obtained by ARP scanning of the network segment, each IP address A is traversed, and steps 1 to 4 are performed, so that all dynamically deployed honeypots in the detected network segment can be identified.
The detection flow to which the embodiment of the invention is applied is described in detail below with reference to fig. 2:
1. Scan one network segment (such as 192.168.0.0/24) with ARP scanning to obtain all online IP addresses and their MAC addresses.
2. Start an ARP listening thread, which monitors ARP messages in the network, discovers hosts coming online, and acquires the IP and MAC addresses of newly online hosts.
3. Perform a preemption test on each IP address: construct a gratuitous ARP request message that impersonates the IP address. The MAC address in it is randomly generated and does not duplicate any MAC address within the network. For example, for IP address 192.168.0.1 and its MAC address 12:a3:3a:32:eb:3b, the constructed ARP message contains:
Sender IP address: 192.168.0.1
Sender MAC address: fe:10:48:8c:a4:1c (randomly generated MAC address)
Target IP address: 192.168.0.1
If the IP address belongs to a dynamically deployed honeypot, the honeypot receives the ARP message and concludes that the IP address is in use. To prevent a conflict, it actively releases this IP address.
4. Because the ARP message is broadcast, hosts in the network receive it and may learn the random MAC address. To correct this, the probe program then quickly constructs a gratuitous ARP request message that broadcasts the correct MAC address for the IP address to the hosts within the network, restoring the ARP cache on those hosts. The ARP message constructed here contains:
Sender IP address: 192.168.0.1
Sender MAC address: 12:a3:3a:32:eb:3b (correct MAC address)
Target IP address: 192.168.0.1
5. Construct an ordinary ARP request message that queries the MAC address of the IP address. Assume that the host running the detection program has IP address 192.168.0.253 and MAC address 12:a3:3a:ef:11:45. The ARP message contains:
Sender IP address: 192.168.0.253
Sender MAC address: 12:a3:3a:ef:11:45
Target IP address: 192.168.0.1
If this IP address was previously held by a dynamically deployed honeypot and has been released by the honeypot, this ARP request should receive no response and time out. If an ARP response is received, the IP address belongs to another network device; this ARP response also updates the ARP cache in the switch.
6. Wait a short period of time (say 10 seconds) and check, by listening to ARP messages, whether a new IP address has come online; if one is found, mark this IP address as a dynamically deployed honeypot.
7. Stop the ARP listening thread after the traversal finishes.
In subsequent detection rounds, if a known honeypot IP address has not been found to come online again (coming online being indicated by a detected ARP request message), the preemption test on that IP address can be skipped, which avoids triggering unnecessary dynamic deployment and wasting computing resources.
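The following is an added example, not part of the patent text: a passive monitor that a honeypot operator could run over captured ARP traffic to recognise the three-message sequence from steps 3 to 5 above (conflicting gratuitous claim, restored binding, ordinary query) and name the host that sent the final query. The 5-second window, the function names and the sample capture are assumptions constructed for illustration; the addresses reuse the values from the example above.

```python
import socket
import struct
from dataclasses import dataclass

WINDOW = 5.0  # assumed: max seconds between consecutive steps of one probe


@dataclass(frozen=True)
class Arp:
    ts: float
    op: int    # 1 = request, 2 = reply
    sha: str   # sender MAC address
    spa: str   # sender IP address
    tpa: str   # target IP address


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(ts, frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return Arp(ts, op, mac_str(frame[22:28]),
               socket.inet_ntoa(frame[28:32]), socket.inet_ntoa(frame[38:42]))


def build_frame(op, sha, spa, tpa):
    """Build a broadcast ARP frame; used only to construct the sample capture."""
    mac = bytes.fromhex(sha.replace(":", ""))
    eth = b"\xff" * 6 + mac + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return (eth + arp + mac + socket.inet_aton(spa)
            + b"\x00" * 6 + socket.inet_aton(tpa))


def detect_probes(packets, bindings, window=WINDOW):
    """Return one alert per completed B -> C -> D sequence.

    packets: iterable of (timestamp, raw_frame) in capture order.
    bindings: the operator's known IP -> MAC inventory; other IPs are ignored.
    """
    state = {}    # ip -> (stage, time of last step, foreign MAC seen in B)
    alerts = []
    for ts, frame in packets:
        p = parse_arp(ts, frame)
        if p is None or p.op != 1:
            continue
        ip, known = p.tpa, bindings.get(p.tpa)
        if known is None:
            continue
        stage, last, foreign = state.get(ip, (None, 0.0, None))
        if stage is not None and ts - last > window:
            stage = None                      # sequence went stale, start over
            state.pop(ip, None)
        gratuitous = p.spa == p.tpa
        if gratuitous and p.sha != known:
            state[ip] = ("B", ts, p.sha)      # someone else claims the address
        elif gratuitous and stage == "B":
            state[ip] = ("C", ts, foreign)    # correct binding re-announced
        elif not gratuitous and stage == "C":
            alerts.append({"ip": ip, "foreign_mac": foreign,
                           "prober_ip": p.spa, "prober_mac": p.sha, "ts": ts})
            state.pop(ip, None)
    return alerts


# Constructed sample capture (not real traffic).
WATCHED_IP, WATCHED_MAC = "192.168.0.1", "12:a3:3a:32:eb:3b"
SAMPLE = [
    (0.0, build_frame(1, "12:a3:3a:00:00:07", "192.168.0.7", WATCHED_IP)),     # plain lookup
    (10.0, build_frame(1, WATCHED_MAC, WATCHED_IP, WATCHED_IP)),               # owner announce
    (20.00, build_frame(1, "fe:10:48:8c:a4:1c", WATCHED_IP, WATCHED_IP)),      # message B
    (20.05, build_frame(1, WATCHED_MAC, WATCHED_IP, WATCHED_IP)),              # message C
    (20.10, build_frame(1, "12:a3:3a:ef:11:45", "192.168.0.253", WATCHED_IP)),  # message D
    (60.0, build_frame(1, "fe:10:48:8c:a4:1c", "192.168.0.9", "192.168.0.9")),  # not in inventory
]

if __name__ == "__main__":
    for alert in detect_probes(SAMPLE, {WATCHED_IP: WATCHED_MAC}):
        print(alert)
```

A genuine address conflict in which the owner defends its address and a third host then resolves it yields the same three frames, so an alert is a lead to correlate with the honeypot's own release and redeploy events, not proof of probing.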
Based on the same inventive concept, the detection system for dynamically deployed honeypots disclosed in the embodiment of the invention, as shown in fig. 3, includes a detection module which, for each IP address A to be detected, probes again after a preemption test to identify whether the address belongs to a dynamically deployed honeypot. The detection module includes: a preemption test unit, used for constructing and broadcasting a gratuitous ARP request message B, in which the source and destination IP addresses are both A and the MAC address is a random address; a cache recovery unit, used for constructing and broadcasting a gratuitous ARP request message C, in which the source and destination IP addresses are both A and the MAC address is the previously acquired MAC address corresponding to IP address A; a re-detection unit, used for constructing an ordinary ARP request message D to query the MAC address corresponding to IP address A, where the source IP address and MAC address in message D are the IP address and MAC address of the test host and the destination IP address is IP address A; and a honeypot judging unit, used for determining whether ARP request message D is answered and, if it is not answered and a newly online IP address E is obtained within a preset time by monitoring ARP messages, marking IP address E as the IP address of a dynamically deployed honeypot.
As shown in fig. 4, the detection system further includes: a scanning module, used for scanning the network segment by ARP to obtain all online IP addresses and their MAC addresses; a monitoring module, used for monitoring ARP messages in the network to discover hosts coming online and acquire the IP and MAC addresses of newly online hosts; and a subsequent detection module, used for detecting, through the detection module, honeypot IP addresses that come online again after the first traversal detection is completed. After the scanning module has acquired all IP addresses, the monitoring module is started, each IP address A is traversed, and detection is carried out by the detection module; after the traversal is complete, the monitoring module is stopped.
Based on the same inventive concept, the computer system disclosed in the embodiment of the invention comprises a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the computer program implements the steps of the detection method for dynamically deployed honeypots when loaded into the processor.
Based on the same inventive concept, the embodiment of the invention discloses a computer readable storage medium storing a computer program which, when executed by a processor, implements the steps of the detection method for dynamically deployed honeypots.

Claims (10)

1. A detection method for dynamically deployed honeypots, characterized in that each IP address A to be detected is probed again after a preemption test to identify whether it belongs to a dynamically deployed honeypot, the method comprising the following steps:
step 1: constructing and broadcasting a gratuitous ARP request message B, wherein the source and destination IP addresses in message B are A, and the MAC address is a random address;
step 2: constructing and broadcasting a gratuitous ARP request message C, wherein the source and destination IP addresses in message C are A, and the MAC address is the acquired MAC address corresponding to IP address A;
step 3: constructing an ordinary ARP request message D to query the MAC address corresponding to IP address A; the source IP address and MAC address in message D are the IP address and MAC address of the test host, and the destination IP address is IP address A;
step 4: determining whether ARP request message D is answered; if ARP request message D is not answered and, within a preset time, a newly online IP address E is obtained by monitoring ARP messages, marking IP address E as the IP address of a dynamically deployed honeypot.
2. The detection method for dynamically deployed honeypots according to claim 1, wherein all online IP addresses and their MAC addresses are obtained by ARP scanning of the network segment, each IP address A is traversed, and steps 1 to 4 are performed.
3. The detection method for dynamically deployed honeypots according to claim 2, wherein an ARP listening thread is started before the traversal begins, to monitor ARP messages in the network, discover hosts coming online and acquire the IP and MAC addresses of newly online hosts; and the ARP listening thread is stopped after the traversal finishes.
4. The detection method for dynamically deployed honeypots according to claim 2, wherein only honeypot IP addresses that come online again are detected after the first traversal detection is completed.
5. A detection system for dynamically deployed honeypots, characterized by comprising a detection module which, for each IP address A to be detected, probes again after a preemption test to identify whether the address belongs to a dynamically deployed honeypot, the detection module comprising:
a preemption test unit, used for constructing and broadcasting a gratuitous ARP request message B, wherein the source and destination IP addresses in message B are A, and the MAC address is a random address;
a cache recovery unit, used for constructing and broadcasting a gratuitous ARP request message C, wherein the source and destination IP addresses in message C are A, and the MAC address is the acquired MAC address corresponding to IP address A;
a re-detection unit, used for constructing an ordinary ARP request message D to query the MAC address corresponding to IP address A; the source IP address and MAC address in message D are the IP address and MAC address of the test host, and the destination IP address is IP address A;
a honeypot judging unit, used for determining whether ARP request message D is answered and, if ARP request message D is not answered and a newly online IP address E is obtained within a preset time by monitoring ARP messages, marking IP address E as the IP address of a dynamically deployed honeypot.
6. The detection system for dynamically deployed honeypots according to claim 5, further comprising:
a scanning module, used for scanning the network segment by ARP to obtain all online IP addresses and their MAC addresses;
and a monitoring module, used for monitoring ARP messages in the network to discover hosts coming online and acquire the IP and MAC addresses of newly online hosts.
7. The detection system for dynamically deployed honeypots according to claim 6, wherein after the scanning module has acquired all the IP addresses, the monitoring module is started, each IP address A is traversed, and detection is performed by the detection module; after the traversal is complete, the monitoring module is stopped.
8. The detection system for dynamically deployed honeypots according to claim 6, further comprising a subsequent detection module configured to detect, through the detection module, honeypot IP addresses that come online again after the first traversal detection is completed.
9. A computer system comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the computer program, when loaded into the processor, implements the steps of the detection method for dynamically deployed honeypots according to any one of claims 1-4.
10. A computer readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the detection method for dynamically deployed honeypots according to any one of claims 1-4.

Priority Applications (1)

Application Number    Priority Date    Filing Date    Title
CN202311318401.7A     2023-10-12       2023-10-12     Detection method and system for dynamically deploying honeypots

Publications (2)

Publication Number    Publication Date
CN117061253A          2023-11-14
CN117061253B          2023-12-22
