CN117118708A - Threat trapping process evaluation method and system for hybrid honeypot - Google Patents


Info

Publication number
CN117118708A
Authority
CN
China
Prior art keywords
threat
model
spn
states
isomorphic
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311085683.0A
Other languages
Chinese (zh)
Inventor
巩建光
吴昊
李雪岩
李文杰
陈森
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Harbin Engineering University
Original Assignee
Harbin Engineering University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N7/00 Computing arrangements based on specific mathematical models
    • G06N7/01 Probabilistic graphical models, e.g. probabilistic networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses a threat trapping process evaluation method and system for a hybrid honeypot, comprising the following steps: S1, establishing a system model of the threat trapping process of the hybrid honeypot; S2, establishing an SPN model diagram based on the system model; S3, constructing an isomorphic Markov chain based on the SPN model diagram; and S4, evaluating various indexes of the threat trapping process of the hybrid honeypot based on the isomorphic Markov chain. The invention can realize threat trapping process evaluation of the hybrid honeypot.

Description

Threat trapping process evaluation method and system for hybrid honeypot
Technical Field
The invention relates to the field of threat trapping process evaluation of hybrid honeypots, in particular to a method and a system for threat trapping process evaluation of hybrid honeypots.
Background
Research on threat trapping technology comprises two main parts: construction of the threat trapping environment and analysis of the threat trapping process. Analyzing the trapping process of a threat trapping environment, and thereby evaluating how well the environment has been constructed, gives network security personnel a better sense of which defense means are appropriate. It also provides specific index items that network security protection personnel can use to modify the construction of the threat trapping environment, remedy its weaknesses, and further guarantee enterprise network security. In the analysis of threat trapping processes based on stochastic Petri nets (SPN), previous researchers have analyzed threat trapping environments such as normal honeypots, business simulation systems, and dynamic honeypots, but an analysis of the threat trapping process of hybrid honeypots is lacking.
Disclosure of Invention
The invention aims to provide a method and a system for evaluating a threat trapping process of a hybrid honeypot, which aim to solve the problem of evaluating the threat trapping process of the hybrid honeypot.
The invention provides a threat trapping process evaluation method for a hybrid honeypot, which comprises the following steps:
S1, establishing a system model of the threat trapping process of the hybrid honeypot;
S2, establishing an SPN model diagram based on the system model;
S3, constructing an isomorphic Markov chain based on the SPN model diagram;
and S4, evaluating various indexes of the threat trapping process of the hybrid honeypot based on the isomorphic Markov chain.
The invention also provides a threat trapping process evaluation system for the hybrid honeypot, which comprises:
a process module, used for establishing a system model of the threat trapping process of the hybrid honeypot;
an SPN module, used for establishing an SPN model diagram based on the system model;
a Markov chain module, used for constructing an isomorphic Markov chain based on the SPN model diagram;
and an evaluation module, used for evaluating various indexes of the threat trapping process of the hybrid honeypot based on the isomorphic Markov chain.
By adopting the embodiment of the invention, the threat trapping process evaluation of the mixed honeypot can be realized.
The foregoing is only an overview of the technical solution of the present invention. In order that the technical means of the invention may be more clearly understood and implemented as described herein, and that the above and other objects, features and advantages of the invention may become more apparent, the detailed description of the invention follows.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed in the description of the embodiments or the prior art are briefly described below. It is evident that the drawings described below show only some embodiments of the present invention, and that a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flow chart of a method of threat trapping process evaluation for a hybrid honeypot in accordance with an embodiment of the invention;
FIG. 2 is a schematic diagram of the Markov chain of the hybrid honeypot threat trapping model in the method of threat trapping process evaluation for a hybrid honeypot;
FIG. 3 is a schematic diagram of the Markov chain of the service agent-based hybrid honeypot threat trapping model in the method of threat trapping process evaluation for a hybrid honeypot according to an embodiment of the invention;
FIG. 4 is a schematic diagram of a system for threat trapping process evaluation of a hybrid honeypot in accordance with an embodiment of the invention.
Detailed Description
The technical solutions of the present invention will be clearly and completely described in connection with the embodiments, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Method embodiment
According to an embodiment of the present invention, a method for evaluating the threat trapping process of a hybrid honeypot is provided. FIG. 1 is a flowchart of the method according to an embodiment of the present invention; as shown in FIG. 1, the method specifically comprises:
S1, establishing a system model of the threat trapping process of the hybrid honeypot;
S2, establishing an SPN model diagram based on the system model;
S3, constructing an isomorphic Markov chain based on the SPN model diagram;
and S4, evaluating various indexes of the threat trapping process of the hybrid honeypot based on the isomorphic Markov chain.
Establishing the SPN model diagram based on the system model specifically comprises: based on the interrelations between the states of the system model, using the SPN constituent elements to describe the activities of the system model and the transitions between its states, associating the places and transitions with the states of the system and with the events occurring during system activity, and establishing the SPN model diagram of the system.
Constructing the isomorphic Markov chain based on the SPN model diagram specifically comprises: constructing a reachability graph of the system model states, and replacing the transition set in the reachability graph with the average implementation rate of each transition to obtain a Markov chain isomorphic to the SPN model graph.
Constructing the reachability graph of the system model states specifically comprises: starting from the initial state, gradually generating new states according to the transitions that can occur until no transition can be implemented, then analyzing the next state, and marking all implemented transitions and generated states until all states of the system model have been analyzed, whereupon the construction of the reachability graph is complete.
Evaluating the various indexes of the threat trapping process of the hybrid honeypot based on the isomorphic Markov chain specifically comprises: calculating the stability probability of each reachable marking based on the isomorphic Markov chain, and solving the performance indexes based on the stability probabilities to obtain the evaluation result.
The specific implementation method is as follows:
Based on the connection information collected by researchers who deployed Conpot, GridPot and other industrial control honeypots, a certain proportion of the scans and malicious connections seen in the attack and defense of industrial control networks have no obvious attack intent and little destructive power. Many attackers have no penetration experience with industrial control networks, or simply acquire control of computing and network resources by implanting worms or viruses through automated scanning. For this part of the attacks, the trapping effect is mainly represented by the proportion of false services to real services exposed to the outside. To better analyze the defensive effect of adding a service agent against network attacks, the invention makes the following assumptions about an attacker who carries out a targeted penetration with some industrial control network experience.
The attacker has a certain amount of penetration experience with industrial control networks, can identify basic honeypot characteristics, and is aware of the need to avoid industrial control honeypots. Before performing the penetration attack, the attacker has acquired some knowledge of the network to be attacked through industrial Internet information platforms, information collection and similar means, and has prepared the corresponding attack resources, including an IP proxy pool and N-day and 0-day vulnerabilities. The attacker's penetration has a definite intention, namely to acquire unpublished operating data of the industrial control network or to gain control of key equipment through penetration, rather than to establish connections by deploying worms, trojans and the like in preparation for other malicious attacks such as distributed denial of service. Based on the above assumptions about the attacker, the trapping process is modeled and analyzed from the attacker's perspective.
In a continuous-time stochastic Petri net, the implementation of a transition, from the moment it becomes enabled to its completion, requires a time delay, described as a continuous random variable $x_i$ that obeys a distribution function $F_i(x) = P\{x_i \le x\}$. Different types of SPN define this continuous-time random variable differently. The invention adopts the exponential distribution proposed by Molloy, which is memoryless and keeps the set of markings countable, to describe the time delay.
The performance analysis of an SPN is divided into three steps: first, complete the modeling of the system process and give the corresponding SPN model; then construct a Markov chain (MC) isomorphic to the SPN model; finally, analyze the various performance indexes of the system based on the isomorphic MC.
The SPN modeling of a system is an abstraction of its running flow: the possible states of the system during operation and the transitions that can cause the system state to change need to be identified, and the physical meaning of each state and transition must be explicitly given.
The state set and event set of the system are determined from the states the system can be in and the moments at which transitions occur. The states of the system, the interrelationships between them, and the system's activities and transitions are described by the constituent elements of the SPN. The places and transitions are associated with the states of the system and with the events occurring during system activity, and the SPN model diagram of the system is established.
Constructing an MC isomorphic to the system SPN model graph first requires constructing the reachability graph of the system state. Starting from the initial state, new states are generated step by step according to the transitions that can be implemented, until no transition can be implemented, and then the next state is analyzed. All the implementable transitions and the generated states are marked until every state of the system has been analyzed, at which point the construction of the reachability graph is complete.
Assume that the average implementation rates of the model's transitions are $\lambda = \{\lambda_1, \lambda_2, \lambda_3, \lambda_4, \lambda_5\}$. On the basis of the reachability graph, substituting the average implementation rate $\lambda_i$ of each transition for $T_i$ in the reachability graph yields a Markov chain isomorphic to the SPN model. After the isomorphic MC of the system is constructed, the performance analysis of the system can be carried out on the MC; the method for solving the stability probabilities of the reachable markings and the performance indexes is studied below. Assume that a Markov chain isomorphic to the SPN already exists, with $n$ states in $[M_0>$. Its infinitesimal generator, i.e. the transition matrix, is defined as $Q = [q_{i,j}]$, $1 \le i, j \le n$:
(1) When $i \ne j$: $q_{i,j} = \lambda_k$ if $M_i[t_k>M_j$; otherwise $q_{i,j} = 0$.
(2) When $i = j$: $q_{i,i}$ is determined by the rates of the transitions that can be implemented in $M_i$,
where $k \ne i$, $M' \in [M_0>$, $M_i[t_k>M'$, and $\lambda_k$ is the rate of $t_k$.
Let the steady-state probabilities of the $n$ states of the MC form the row vector $X = (x_1, x_2, \ldots, x_n)$. According to the Markov process, the following system of linear equations holds:
By solving this system of $n+1$ equations, the stability probabilities of the $n$ reachable markings are obtained as $P[M_i] = x_i$ $(1 \le i \le n)$. Once the stability probabilities are known, new performance indexes can be constructed to analyze the performance of the system; the constructed indexes correspond to actual physical meanings through the system's activities and state transitions.
Hybrid honeypot analysis:
The invention organizes and analyzes the threat trapping process of the hybrid honeypot to obtain the state (place) set:
$P = \{P_{normal}, P_{analyse}, P_{checkhoney}, P_{checkREAL}, P_{lserveract}, P_{lserverpoc}, P_{OOC}\}$,
and the transition (event) set:
$T = \{T_{scan}, T_{interacthoney}, T_{interactREAL}, T_{changetarget}, T_{attackhoney}, T_{honeywarnact}, T_{attackREAL}, T_{systemwarndes}\}$.
The specific meanings of the states and transitions in the threat trapping process of the hybrid honeypot are given in Tables 5 and 6, and the threat trapping process of the hybrid honeypot is analyzed and constructed from these states and transitions.
TABLE 5 hybrid honeypot threat trapping process state set
TABLE 6 hybrid honeypot trapping process transition set
The SPN model of the hybrid honeypot threat trapping process is constructed as follows. The hybrid honeypot is initially in the decoy initial state $P_{normal}$. When an attacker starts to invade the industrial control network, the whole network is first scanned ($T_{scan}$) to acquire all host nodes and services. The attacker then begins to analyze the acquired scan results ($P_{analysis}$) and determines a host or service to attack.
Assume that among the acquired network services, the attacker first interacts with a certain honeypot service ($T_{interacthoney}$). The attacker then analyzes and judges the authenticity of the service provided by the hybrid honeypot according to the response returned by that service ($P_{checkhoney}$). If the attacker determines that the service provided by the hybrid honeypot is a false service, the attacker may replace the IP proxy and other attack resources and forgo launching an attack on the current service ($T_{changetarget}$). At this moment the honeypot enters the state $P_{lserveract}$, records the interaction process, and then issues alarm information according to the interaction process ($T_{honeywarnact}$). If the attacker does not identify the false service, an attack is launched against the simulated equipment with the attack payload prepared in advance ($T_{attackhoney}$). The hybrid honeypot records the attack payload delivered by the attacker and the interaction process ($P_{lserverpoc}$) and sends alarm information to the administrator according to the recorded interaction process and attack payload ($T_{honeywarnpoc}$).
The construction process of the invention does not consider the situation in which the attacker misjudges the response of the real system, i.e. treats the real system as a honeypot and bypasses it. If the attacker tries to interact with the real system ($T_{interactREAL}$), then after analyzing the interaction with the real system ($P_{checkREAL}$) the attacker will choose to launch an attack on the real system ($T_{attackREAL}$). The invention considers that an attacker who has prepared carefully and holds N-day or 0-day vulnerabilities can successfully penetrate a real host ($P_{OOC}$). The attacker can then carry out destructive actions such as privilege escalation, persistence, information collection and lateral scanning according to the system vulnerabilities. After the attacker has achieved the goal of the attack, the network security maintainer, drawing on many years of experience against attackers, may perceive the intruder in the network ($T_{systemwarndes}$). When the administrator obtains the alarm information, the threat trapping environment is rearranged and returns to the original decoy state. The invention does not take into account the time needed by network security personnel to restore the trapping environment to its initial state, since in any case, once the administrator receives the alarm information, the corresponding handling is performed immediately.
According to the SPN performance analysis process, all possible states in the threat trapping process, namely the reachable states, are analyzed first. Constructing a Markov chain isomorphic to the SPN from the set of reachable states requires replacing the transitions with their corresponding implementation rates. The reachable states of the threat trapping process of the hybrid honeypot constructed by the invention are labeled $S = \{S_0, S_1, S_2, S_3, S_4, S_5, S_6\}$; in the table of reachable states, each row represents a reachable state and each column indicates whether the corresponding place is marked in that reachable state. Replacing the transitions between reachable states with the implementation rate of each transition yields the isomorphic Markov chain;
FIG. 2 is a schematic diagram of the Markov chain of the hybrid honeypot threat trapping model;
as shown in FIG. 2. Combining the Markov chain of the hybrid honeypot threat trapping model with the definition of the transition matrix in stochastic Petri net performance analysis, the current transition matrix $Q = [q_{i,j}]$, $1 \le i, j \le 7$, is obtained, as shown in formula (1).
TABLE 7 hybrid honeypot threat trapping process reachable state
Assume that the row vector composed of the stability probabilities of each state in the stochastic Petri net model of the hybrid honeypot threat trapping process is $P = \{P_0, P_1, P_2, P_3, P_4, P_5, P_6\}$. According to stochastic performance analysis theory, the system of equations for the steady-state probabilities, together with the condition that the stability probabilities of all states sum to 1, is:
The stability probability of each state, obtained by solving the system of equations, is as follows:
The performance evaluation indexes of the trapping process are calculated on the basis of the stability probability of each state. The invention evaluates the performance of the trapping process by the probability that the honeypot system captures an attack, the probability of successful defense, and the probability that the system falls. The fall probability of the system is the probability of state $S_6$, which expresses that the attacker has invaded successfully and carried out destruction: $P_{fall} = P_6$. The probability of system security is $P_{success} = 1 - P_3 - P_6$. The probability that the honeypot system captures an attack is the sum of the probabilities of the attacker interacting with the hybrid honeypot: $P_{defense} = P_2 + P_4 + P_5$.
FIG. 3 is a schematic diagram of the Markov chain of the service agent-based hybrid honeypot threat trapping model in the method of threat trapping process evaluation for a hybrid honeypot according to an embodiment of the invention;
hybrid honeypot analysis based on service agents:
Based on the above analysis and study of the threat trapping process of the hybrid honeypot, a service agent is added, and the threat trapping process of the service agent-based hybrid honeypot is analyzed. The service agent adds to the trapping process a path by which the manager can sense the threat when an attacker invades a real service. An alarm-information processing state of the service agent is added, together with a transition expressing that the attacker has touched the decoy file and alarm information is sent, so that the state set and transition set of the threat trapping process of the service agent-based hybrid honeypot are $P_{agent} = P \cup \{P_{lserverloss}\}$ and $T_{agent} = T \cup \{T_{interactbait}, T_{baitwarnloss}\}$. The meanings of the states and transitions added to the service agent-based hybrid honeypot threat trapping process, compared with the hybrid honeypot threat trapping process, are described in Tables 7 and 8.
Table 7 State set added to the service agent-based hybrid honeypot threat trapping process
Table 8 Transition set added to the service agent-based hybrid honeypot threat trapping process
The states and transition sets newly determined from the analysis of the threat trapping process of the hybrid honeypot are used to complete the construction of the SPN model of the threat trapping process of the service agent-based hybrid honeypot. The threat trapping process in which the attacker interacts with the hybrid honeypot after finishing scanning is the same as the threat trapping process described in the previous subsection. When an attacker who has penetrated a real host performs destructive actions such as information collection, if the attacker touches the decoy file deployed in advance ($T_{interactbait}$), the monitoring program of the decoy file records the attacker's related information and actions ($P_{lserverloss}$). Subsequently, alarm information is sent to network security maintenance personnel ($T_{baitwarnloss}$). Network security personnel can therefore sense that the host has fallen and enter the maintenance and handling flow before the attacker achieves the goal of the attack.
According to the performance analysis process of stochastic Petri nets, the same performance analysis is carried out on the service agent-based hybrid honeypot. First, the reachable states are analyzed; the reachable states of the service agent-based hybrid honeypot model are labeled $S' = \{S'_0, S'_1, S'_2, S'_3, S'_4, S'_5, S'_6, S'_7\}$.
Table 9 Reachable states of the service agent-based hybrid honeypot
The implementation rates of the transitions are again used to replace the transitions between reachable states to yield the isomorphic Markov chain. Combining the Markov chain of the service agent-based hybrid honeypot threat trapping model, replacing each transition with its corresponding implementation rate, and following the definition of the transition matrix in stochastic Petri net performance analysis, the current transition matrix $Q' = [q'_{i,j}]$, $1 \le i, j \le 8$, is obtained, as shown in formula (3). Assuming a row vector composed of the stability probabilities of each state in the service agent-based hybrid honeypot model, a system of equations can be derived that solves for the stability probabilities of the model.
The stability probability of each state, obtained by solving the system of equations, is as follows:
The same performance evaluation indexes as for the hybrid honeypot model are constructed from the stability probability of each state: the fall probability of the system is the probability of state $S_6$, $P_{fall} = P_6$; the probability of system security is $P_{success} = 1 - P_3 - P_6 - P_7$; and the probability that the service agent-based honeypot system captures an attack is the sum of the probabilities of the attacker interacting with the hybrid honeypot and with the service agent, $P_{defense} = P_2 + P_4 + P_5 + P_7$.
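The four-step SPN procedure described above (reachability graph, isomorphic Markov chain, stability probabilities, performance indexes) and the service-agent variant, worked through in added example code that is not part of the patent. The arc structure of both nets is assumed from the prose description (the figures and the state/transition tables are not reproduced on the page), the rates are constructed sample values, and the definitions of P_fall, P_success and P_defense follow those given above.

```python
"""Reachability graph -> isomorphic Markov chain -> steady-state probabilities
-> trapping-process metrics, in pure Python (fractions give exact results).

Added example, not the patent's own code. The arc structure of both nets is
ASSUMED from the prose description of the trapping process (Fig. 2, Fig. 3 and
the state/transition tables are not on the page); every rate is a constructed
sample value, not a measured one."""
from collections import deque
from fractions import Fraction

# Transition name -> (input places, output places, average implementation rate).
# Places are those of the patent's set P; the arcs are the assumed ones.
HYBRID = {
    "scan":          ({"normal"},     {"analyse"},    "2"),
    "interacthoney": ({"analyse"},    {"checkhoney"}, "1.5"),
    "interactREAL":  ({"analyse"},    {"checkREAL"},  "0.5"),
    "changetarget":  ({"checkhoney"}, {"lserveract"}, "1"),
    "attackhoney":   ({"checkhoney"}, {"lserverpoc"}, "1"),
    "honeywarnact":  ({"lserveract"}, {"normal"},     "3"),
    "honeywarnpoc":  ({"lserverpoc"}, {"normal"},     "3"),
    "attackREAL":    ({"checkREAL"},  {"OOC"},        "1"),
    "systemwarndes": ({"OOC"},        {"normal"},     "0.2"),
}
# Service-agent variant: the decoy file adds a second path out of the
# compromised host (P_OOC) back to the decoy state, via P_lserverloss.
AGENT = dict(HYBRID)
AGENT["interactbait"] = ({"OOC"},         {"lserverloss"}, "0.8")
AGENT["baitwarnloss"] = ({"lserverloss"}, {"normal"},      "3")

INITIAL = frozenset({"normal"})  # decoy initial state: one token in P_normal


def reachability_graph(transitions, initial):
    """Step 1: breadth-first generation of all markings reachable from `initial`.
    A marking is the frozenset of marked places (the nets are 1-safe); a
    transition is enabled when all its input places are marked. Returns the
    ordered marking list (S_0, S_1, ...) and the edges (i, j, rate)."""
    markings, index, edges = [initial], {initial: 0}, []
    queue = deque([initial])
    while queue:
        m = queue.popleft()
        for pre, post, rate in transitions.values():
            if not pre <= m:
                continue
            m2 = frozenset((m - pre) | post)
            if m2 not in index:
                index[m2] = len(markings)
                markings.append(m2)
                queue.append(m2)
            edges.append((index[m], index[m2], Fraction(rate)))
    return markings, edges


def generator_matrix(n, edges):
    """Step 2: the infinitesimal generator Q of the isomorphic Markov chain.
    q_ij (i != j) is the rate lambda_k of the transition taking M_i to M_j
    (rates add if several transitions do); q_ii makes each row sum to zero."""
    Q = [[Fraction(0)] * n for _ in range(n)]
    for i, j, rate in edges:
        if i != j:
            Q[i][j] += rate
    for i in range(n):
        Q[i][i] = -sum(Q[i][j] for j in range(n) if j != i)
    return Q


def steady_state(Q):
    """Step 3: solve X Q = 0 with sum(x_i) = 1 (n + 1 equations, n unknowns) by
    exact Gauss-Jordan elimination. One balance equation is redundant, so the
    last row of Q^T is replaced by the normalisation row."""
    n = len(Q)
    A = [[Q[i][j] for i in range(n)] + [Fraction(0)] for j in range(n)]
    A[-1] = [Fraction(1)] * (n + 1)
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] != 0)
        A[col], A[piv] = A[piv], A[col]
        A[col] = [v / A[col][col] for v in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                A[r] = [a - A[r][col] * c for a, c in zip(A[r], A[col])]
    return [A[i][n] for i in range(n)]


def evaluate(transitions, unsafe, defense):
    """Step 4: stability probability of each place being marked, then the
    patent's three indexes: P_fall (host compromised, P_OOC), P_success
    (1 minus the unsafe states) and P_defense (attacker inside the honeypot)."""
    markings, edges = reachability_graph(transitions, INITIAL)
    probs = steady_state(generator_matrix(len(markings), edges))
    places = sorted(set().union(*markings))
    p = {pl: sum(pr for m, pr in zip(markings, probs) if pl in m) for pl in places}
    return {"fall": p["OOC"],
            "success": 1 - sum(p[s] for s in unsafe),
            "defense": sum(p[s] for s in defense),
            "states": p}


if __name__ == "__main__":
    base = evaluate(HYBRID, ("checkREAL", "OOC"),
                    ("checkhoney", "lserveract", "lserverpoc"))
    agent = evaluate(AGENT, ("checkREAL", "OOC", "lserverloss"),
                     ("checkhoney", "lserveract", "lserverpoc", "lserverloss"))
    for name, r in (("hybrid honeypot", base), ("with service agent", agent)):
        print(f"{name:20s} P_fall={float(r['fall']):.3f} "
              f"P_success={float(r['success']):.3f} P_defense={float(r['defense']):.3f}")
```

With these constructed rates the decoy-file path lowers P_fall from 0.4 to about 0.114 and raises P_defense, which is the effect the service-agent comparison above is meant to expose.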
System embodiment one
According to an embodiment of the present invention, a system for threat trapping process evaluation of a hybrid honeypot is provided. FIG. 4 is a schematic diagram of the system according to an embodiment of the present invention; as shown in FIG. 4, the system specifically comprises:
a process module, used for establishing a system model of the threat trapping process of the hybrid honeypot;
an SPN module, used for establishing an SPN model diagram based on the system model;
a Markov chain module, used for constructing an isomorphic Markov chain based on the SPN model diagram;
and an evaluation module, used for evaluating various indexes of the threat trapping process of the hybrid honeypot based on the isomorphic Markov chain.
The SPN module is specifically used for: based on the interrelations between the states of the system model, using the SPN constituent elements to describe the activities of the system model and the transitions between its states, associating the places and transitions with the states of the system and with the events occurring during system activity, and establishing the SPN model diagram of the system.
The Markov chain module is specifically configured to: construct a reachability graph of the system model states, and replace the transition set in the reachability graph with the average implementation rate of each transition to obtain a Markov chain isomorphic to the SPN model graph.
To construct the reachability graph, the Markov chain module is specifically configured to: start from the initial state and gradually generate new states according to the transitions that can occur until no transition can be implemented, then analyze the next state, and mark all implemented transitions and generated states until all states of the system model have been analyzed, whereupon the construction of the reachability graph is complete.
The evaluation module is specifically used for: calculating the stability probability of each reachable marking based on the isomorphic Markov chain, and solving the performance indexes based on the stability probabilities to obtain the evaluation result.
The embodiment of the present invention is a system embodiment corresponding to the above method embodiment, and specific operations of each module may be understood by referring to the description of the method embodiment, which is not repeated herein.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; and these modifications or substitutions may be made to the technical solutions of the embodiments of the present invention without departing from the spirit of the corresponding technical solutions.

Claims (10)

1. A method of threat trapping process assessment for a hybrid honeypot, comprising:
S1, establishing a system model of the threat trapping process of the hybrid honeypot;
S2, establishing an SPN model diagram based on the system model;
S3, constructing an isomorphic Markov chain based on the SPN model diagram;
and S4, evaluating various indexes of the threat trapping process of the hybrid honeypot based on the isomorphic Markov chain.
2. The method according to claim 1, wherein establishing the SPN model diagram based on the system model specifically comprises: based on the interrelations between the states of the system model, using the SPN constituent elements to describe the activities of the system model and the transitions between its states, associating the places and transitions with the states of the system and with the events occurring during system activity, and establishing the SPN model diagram of the system.
3. The method according to claim 2, wherein constructing the isomorphic Markov chain based on the SPN model diagram specifically comprises: constructing a reachability graph of the system model states, and replacing the transition set in the reachability graph with the average implementation rate of each transition to obtain a Markov chain isomorphic to the SPN model graph.
4. The method according to claim 3, wherein constructing the reachability graph of the system model states specifically comprises: starting from the initial state, gradually generating new states according to the transitions that can occur until no transition can be implemented, then analyzing the next state, and marking all implemented transitions and generated states until all states of the system model have been analyzed, whereupon the construction of the reachability graph is complete.
5. The method according to claim 4, wherein evaluating the various indexes of the threat trapping process of the hybrid honeypot based on the isomorphic Markov chain specifically comprises: calculating the stability probability of each reachable marking based on the isomorphic Markov chain, and solving the performance indexes based on the stability probabilities to obtain the evaluation result.
6. A system for threat trapping process assessment for a hybrid honeypot, comprising:
the process module is used for establishing a system model of a threat trapping process of the hybrid honeypot;
the SPN module is used for establishing an SPN model diagram based on the system model;
the Markov chain is used for constructing isomorphic Markov chains based on the SPN model diagram;
and the evaluation module is used for evaluating various indexes of the threat trapping process of the hybrid honeypot based on the isomorphic Markov chain.
7. The system of claim 6, wherein the SPN module is specifically configured to: based on the interrelation between states in the system model, the SPN constituent elements are utilized to describe the activities and transitions between states of the system model, the states and transitions of the library and the system are related to events occurring in the system activity process, and an SPN model diagram of the system is established.
8. The system of claim 7, wherein the markov chain module is specifically configured to: constructing a reachable graph of the system model state, and replacing a transition set in the reachable graph by the average implementation rate of each transition based on the reachable graph to obtain a Markov chain isomorphic with the SPN model graph.
9. The system of claim 8, wherein the markov chain module is specifically configured to: and gradually generating new states from the initial state according to the transition which can occur until no transition can be implemented, analyzing the next state, marking all implemented transitions and generated states until the analysis of all states of the system model is completed, and completing the construction of the reachable graph.
10. The system according to claim 9, wherein the evaluation module is specifically configured to: and calculating the stability probability of the reachable graph identification based on the isomorphic Markov chain, and solving the performance index based on the stability probability to obtain an evaluation result.
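The pipeline in claims 1 to 5 (and, as modules, claims 6 to 10) is a standard SPN analysis: enumerate the reachability graph from the initial marking, replace the transitions on its arcs by their average firing rates to get the isomorphic continuous-time Markov chain, solve for the steady-state marking probabilities, and derive performance indexes from them. The following is an added Python example written for this page, not code from the patent or its authors. The model it analyses is an assumption: a low-interaction front end that either records a known attack or forwards an unknown one to a single high-interaction honeypot slot, with all place names, transition names and rates invented for illustration.

```python
"""Added example (not the patent's own code): a small stochastic Petri net (SPN)
of a hybrid-honeypot trapping process, its reachability graph, the isomorphic
continuous-time Markov chain (CTMC) and steady-state performance indexes.
Every place, transition and rate below is an assumption made for this example."""
from collections import deque

# Assumed places: "idle" = attacker not yet engaged, "low"/"high" = low- and
# high-interaction honeypots, "cap" = captured-data analysis, "hi_free" = the
# single high-interaction slot (a resource place).
PLACES = ("idle", "low", "hi_free", "high", "cap")
IDX = {p: i for i, p in enumerate(PLACES)}

# Assumed transitions: (name, average firing rate, inputs, outputs). Exponential
# firing delays are what make the reachability graph a CTMC.
TRANSITIONS = (
    ("t_probe", 2.0, {"idle": 1}, {"low": 1}),                  # attacker hits the low-interaction front end
    ("t_log", 3.0, {"low": 1}, {"cap": 1}),                     # known attack: recorded, no escalation
    ("t_forward", 1.0, {"low": 1, "hi_free": 1}, {"high": 1}),  # unknown attack forwarded; needs a free slot
    ("t_capture", 0.8, {"high": 1}, {"cap": 1, "hi_free": 1}),  # session ends, behaviour captured, slot freed
    ("t_reset", 4.0, {"cap": 1}, {"idle": 1}),                  # analysis done; attacker population recycles
)

def enabled(marking, t):
    """A transition is enabled when every input place holds enough tokens."""
    return all(marking[IDX[p]] >= n for p, n in t[2].items())

def fire(marking, t):
    """Firing removes the input tokens and deposits the output tokens."""
    m = list(marking)
    for p, n in t[2].items():
        m[IDX[p]] -= n
    for p, n in t[3].items():
        m[IDX[p]] += n
    return tuple(m)

def reachability_graph(initial):
    """Breadth-first generation of every marking reachable from `initial`.
    Returns the markings and the arcs (src_index, dst_index, transition)."""
    states, index, arcs, queue = [initial], {initial: 0}, [], deque([initial])
    while queue:
        m = queue.popleft()
        for t in TRANSITIONS:
            if enabled(m, t):
                m2 = fire(m, t)
                if m2 not in index:  # new marking: queue it for its own analysis
                    index[m2] = len(states)
                    states.append(m2)
                    queue.append(m2)
                arcs.append((index[m], index[m2], t))
    return states, arcs

def generator_matrix(n, arcs):
    """Replace each arc's transition by its firing rate: the CTMC generator Q."""
    q = [[0.0] * n for _ in range(n)]
    for i, j, t in arcs:
        if i != j:
            q[i][j] += t[1]
    for i in range(n):
        q[i][i] = -sum(q[i])
    return q

def steady_state(q):
    """Solve pi*Q = 0, sum(pi) = 1 by Gauss-Jordan elimination with pivoting.
    One row of the singular system Q^T pi = 0 is replaced by the normalisation;
    the solution is unique only if the reachability graph is strongly connected."""
    n = len(q)
    a = [[q[j][i] for j in range(n)] for i in range(n)]  # rows of Q^T
    b = [0.0] * (n - 1) + [1.0]
    a[-1] = [1.0] * n
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[piv][col]) < 1e-12:
            raise ValueError("no unique steady state: graph not strongly connected")
        a[col], a[piv], b[col], b[piv] = a[piv], a[col], b[piv], b[col]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col] / a[col][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
                b[r] -= f * b[col]
    return [b[i] / a[i][i] for i in range(n)]

def evaluate(initial):
    """Performance indexes from the steady-state marking probabilities:
    P(place occupied), mean tokens in a place, and transition throughput."""
    states, arcs = reachability_graph(initial)
    pi = steady_state(generator_matrix(len(states), arcs))
    occupied = lambda place: sum(p for m, p in zip(states, pi) if m[IDX[place]] >= 1)
    mean = lambda place: sum(p * m[IDX[place]] for m, p in zip(states, pi))
    throughput = lambda t: sum(p * t[1] for m, p in zip(states, pi) if enabled(m, t))
    rate = {t[0]: throughput(t) for t in TRANSITIONS}
    return {
        "markings": len(states),
        "arcs": len(arcs),
        "high_interaction_utilisation": occupied("high"),
        "mean_attackers_in_analysis": mean("cap"),
        "trap_rate": rate["t_log"] + rate["t_capture"],  # threats trapped per unit time
        "throughput": rate,
    }

if __name__ == "__main__":
    for k, v in evaluate((2, 0, 1, 0, 0)).items():  # two attackers, one free slot
        print(f"{k}: {v}")
```

With two attacker tokens and one high-interaction slot the reachability graph has 9 markings, because the marking with both attackers in the high-interaction honeypot is unreachable: the resource place is what encodes that capacity limit. A useful sanity check on any such evaluation is flow balance, which holds exactly at steady state: the throughput into every place must equal the throughput out of it (here, probe rate = log rate + forward rate at the low-interaction place, forward rate = capture rate at the high-interaction place). The `ValueError` in `steady_state` is the caveat of claim 5 made explicit: steady-state probabilities only exist when every marking can be reached again from every other marking, so a model in which an attacker can be absorbed (for example, a "blocked" place with no outgoing transition) has to be closed off with a return transition before this method applies.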
CN202311085683.0A 2023-08-25 2023-08-25 Threat trapping process evaluation method and system for hybrid honeypot Pending CN117118708A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311085683.0A CN117118708A (en) 2023-08-25 2023-08-25 Threat trapping process evaluation method and system for hybrid honeypot

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311085683.0A CN117118708A (en) 2023-08-25 2023-08-25 Threat trapping process evaluation method and system for hybrid honeypot

Publications (1)

Publication Number Publication Date
CN117118708A true CN117118708A (en) 2023-11-24

Family

ID=88808772

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311085683.0A Pending CN117118708A (en) 2023-08-25 2023-08-25 Threat trapping process evaluation method and system for hybrid honeypot

Country Status (1)

Country Link
CN (1) CN117118708A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102592011A (en) * 2011-12-30 2012-07-18 Tsinghua University Layering aviation operation system HM/FM (health monitoring/fault management) modeling and evaluating method based on stochastic Petri net
CN115277068A (en) * 2022-06-15 2022-11-01 Guangzhou Institute of Technology Novel honeypot system and method based on deception defense

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Leyi Shi et al.: "Performance Analysis of Honeypot with Petri Nets", MDPI, 30 September 2018 (2018-09-30) *
冯梅杰 (Feng Meijie): "Design and performance analysis of a honeypot system model based on Petri nets", CNKI, 15 July 2018 (2018-07-15), pages 3-5 *

Similar Documents

Publication Publication Date Title
Gharib et al. An evaluation framework for intrusion detection dataset
KR101070614B1 (en) Malicious traffic isolation system using botnet infomation and malicious traffic isolation method using botnet infomation
De Vries et al. Systems for detecting advanced persistent threats: A development roadmap using intelligent data analysis
Fung et al. Bayesian decision aggregation in collaborative intrusion detection networks
Cook et al. Attribution of cyber attacks on industrial control systems
Korchenko et al. Development of a method for constructing linguistic standards for multi-criteria assessment of honeypot efficiency
CN113810406B (en) Network space security defense method based on dynamic defense graph and reinforcement learning
Lin et al. Constructing detection knowledge for DDoS intrusion tolerance
Chen et al. Defending malicious attacks in cyber physical systems
Wang et al. Using honeypots to model botnet attacks on the internet of medical things
Abri et al. Markov decision process for modeling social engineering attacks and finding optimal attack strategies
CN117118708A (en) Threat trapping process evaluation method and system for hybrid honeypot
Haseeb et al. Probabilistic modelling of deception-based security framework using markov decision process
Shinde et al. Cyber attack intent recognition and active deception using factored interactive pomdps
Wang et al. Transformer-based framework for alert aggregation and attack prediction in a multi-stage attack
CN114006744A (en) LSTM-based power monitoring system network security situation prediction method and system
Rai et al. Genetic algorithm based intrusion detection system
Al Amin et al. Cyber Deception Metrics for Interconnected Complex Systems
CN114386042A (en) Method suitable for deduction of power enterprise network war chess
Ramakrishnan et al. Intelligent agent based artificial immune system for computer security—a review
Huang Human-centric training and assessment for cyber situation awareness
Kondakci A concise cost analysis of Internet malware
Ivanchenko et al. Dependability assessment for SCADA system considering usage of cloud resources
Aung et al. Developing and analysis of cyber security models for security operation center in Myanmar
Sabata et al. Multisource evidence fusion for cyber-situation assessment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination