CN118138371A - Quick honey pot construction method, device and equipment based on search engine - Google Patents

Info

Publication number: CN118138371A
Authority: CN (China)
Legal status: Granted
Application number: CN202410535063.0A
Other languages: Chinese (zh)
Other versions: CN118138371B (en)
Inventors: 何承润, 王滨, 万里
Current assignee: Hangzhou Hikvision Digital Technology Co Ltd
Original assignee: Hangzhou Hikvision Digital Technology Co Ltd

Abstract

The application provides a quick honeypot construction method, device and equipment based on a search engine. The method comprises the following steps: if no honeypot service corresponding to a probe request message exists, parsing a plurality of key fields from the probe request message and generating a simulation feature based on the plurality of key fields; searching the simulation feature with a search engine to obtain a plurality of IP addresses corresponding to the simulation feature; sending the probe request message to the plurality of IP addresses and receiving the plurality of response messages they return for the probe request message; if the plurality of response messages are all normal response messages and the contents carried by at least K of them match, selecting one IP address from the plurality of IP addresses as a target IP address; and acquiring the page resource from the target IP address and constructing a target honeypot service corresponding to the page resource. With this technical scheme, a new honeypot service can be constructed quickly to capture and analyze attack data, and the trapping efficiency of honeypots is improved.

Description

Quick honeypot construction method, device and equipment based on search engine
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, and a device for constructing a fast honeypot based on a search engine.
Background
Honeypot technology is a technology for deceiving an attacker: by deploying a host, network service or information as bait, the attacker is induced to attack it, so that the attack behavior can be captured and analyzed, the tools and methods used by the attacker become known, the attack intention and motivation can be inferred, the defender gains a clear view of the security threat, and the security protection capability is strengthened through technical and management means.
In the related art, a honeypot environment is generally produced for a simulated object by various means, and the honeypot environment is deployed on a server to be attacked by external attackers.
However, this way of producing honeypots consumes a large amount of time, and technical staff cannot foresee the attack target and attack type in advance, which makes the honeypot production process rather passive: once a new security incident appears, the environment for a specific honeypot has to be prepared and supplemented manually afterwards, which affects the honeypot trapping efficiency.
Disclosure of Invention
In view of the above, the application provides a method, a device and equipment for quickly constructing honeypots based on a search engine, which can quickly construct new honeypot services to capture and analyze attack data, and improve the trapping efficiency of honeypots.
The application provides a quick honeypot construction method based on a search engine, which comprises the following steps:
acquiring a probe request message and, if no honeypot service corresponding to the probe request message exists, parsing a plurality of key fields from the probe request message and generating a simulation feature based on the plurality of key fields;
searching the simulation feature with a search engine to obtain a plurality of IP addresses corresponding to the simulation feature;
sending the probe request message to the plurality of IP addresses and receiving a plurality of response messages returned by the plurality of IP addresses for the probe request message; if the response messages are all normal response messages and the contents carried by at least K of the response messages match, selecting one IP address from the plurality of IP addresses as a target IP address, where K is a positive integer greater than 1;
and acquiring page resources from the target IP address and constructing a target honeypot service corresponding to the page resources, where the target honeypot service is used to process probe request messages that access the page resources.
The application provides a quick honeypot construction device based on a search engine, which comprises:
an acquisition module, used to acquire a probe request message and, if no honeypot service corresponding to the probe request message exists, parse a plurality of key fields from the probe request message;
a search module, used to generate a simulation feature based on the plurality of key fields and to search the simulation feature with a search engine to obtain a plurality of IP addresses corresponding to the simulation feature;
a communication module, used to send the probe request message to the plurality of IP addresses and to receive a plurality of response messages returned by the plurality of IP addresses for the probe request message;
the acquisition module being further configured to select one IP address from the plurality of IP addresses as a target IP address if the plurality of response messages are all normal response messages and the contents carried by at least K of the plurality of response messages match, where K is a positive integer greater than 1;
and a processing module, used to acquire page resources from the target IP address and construct a target honeypot service corresponding to the page resources, the target honeypot service being used to process probe request messages that access the page resources.
The present application provides an electronic device including: a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor; the processor is configured to execute machine-executable instructions to implement the search engine-based rapid honeypot construction method described above.
The present application provides a machine-readable storage medium storing machine-executable instructions executable by a processor; the processor is configured to execute the machine-executable instructions to implement the search engine-based rapid honeypot construction method described above.
The present application provides a computer program which may be stored on a machine-readable storage medium, which when executed by a processor causes the processor to implement the search engine based rapid honeypot construction method described above.
According to the above technical scheme, in the embodiment of the application, a plurality of key fields can be parsed from the probe request message, a simulation feature is generated based on the plurality of key fields, the simulation feature is searched with a search engine to obtain a plurality of IP addresses corresponding to the simulation feature, the page resource is obtained based on the plurality of IP addresses, and the target honeypot service corresponding to the page resource is constructed, so that a new honeypot service (namely the target honeypot service) can be constructed quickly to capture and analyze attack data, and the trapping efficiency of the honeypot is improved. Based on real-time analysis of the attack and probe payload (namely the key fields), the target object the attacker is interested in is quickly guessed with the search engine, the real attack intention can be captured, and the attacker is very likely to be attracted into delivering the next attack payload.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings required for the embodiments of the present application or for the description of the prior art are briefly described below. It is obvious that the drawings in the following description are only some embodiments described in the present application, and a person having ordinary skill in the art may obtain other drawings from these drawings of the embodiments of the present application.
FIG. 1 is a flow diagram of a search engine based rapid honeypot construction method;
FIG. 2 is a flow diagram of a search engine based rapid honeypot construction method;
FIG. 3 is a schematic diagram of the construction of a search engine based rapid honeypot construction apparatus;
FIG. 4 is a hardware configuration diagram of an electronic device in an embodiment of the present application.
Detailed Description
The terminology used in the embodiments of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to any or all possible combinations including one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in embodiments of the present application to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the application. Depending on the context, furthermore, the word "if" used may be interpreted as "at … …" or "at … …" or "in response to a determination".
The embodiment of the application provides a quick honeypot construction method based on a search engine, which can be applied to an electronic device. FIG. 1 is a flow diagram of the method, which may comprise the following steps:
Step 101, acquiring a probe request message and, if no honeypot service corresponding to the probe request message exists, parsing a plurality of key fields from the probe request message and generating a simulation feature based on the plurality of key fields.
Step 102, searching the simulation feature with a search engine (i.e. a search engine that finds the IP addresses corresponding to a feature) to obtain a plurality of IP addresses corresponding to the simulation feature.
Step 103, sending the probe request message to the plurality of IP addresses and receiving a plurality of response messages returned by the plurality of IP addresses for the probe request message; if the plurality of response messages are all normal response messages and the contents carried by at least K of them match, selecting one IP address from the plurality of IP addresses as a target IP address, where K may be a positive integer greater than 1.
Step 104, acquiring the page resource from the target IP address and constructing a target honeypot service corresponding to the page resource, where the target honeypot service is used to process probe request messages that access the page resource.
For example, parsing the plurality of key fields from the probe request message and generating the simulation feature based on the plurality of key fields may include, but is not limited to, the following: parsing a plurality of key fields from the target content of the probe request message, where the target content may include, but is not limited to, at least one of URL (Uniform Resource Locator) content, BODY content and Header content; then selecting a part of the key fields or all of the key fields from the plurality of key fields, and combining the selected key fields to obtain the simulation feature.
After the plurality of response messages returned by the plurality of IP addresses for the probe request message are received, if an abnormal response message exists among them, or if the plurality of response messages are all normal response messages but the contents carried by at least M of them do not match (M being a positive integer greater than 1), a new simulation feature may be generated based on the plurality of key fields, and the search engine is used again to search the new simulation feature to obtain a plurality of IP addresses corresponding to it.
For example, selecting an IP address from the plurality of IP addresses as the target IP address may include, but is not limited to: randomly selecting one IP address from the IP addresses corresponding to the K matching response messages as the target IP address; or, based on the response times of the K response messages, using the IP address corresponding to the response message with the shortest response time as the target IP address.
For example, retrieving page resources (e.g., static page resources and dynamic page resources) from the target IP address may include, but is not limited to: crawling the web pages of the target IP address to obtain the static page resources corresponding to the target IP address; and/or learning from the probe request messages corresponding to the target IP address and the response messages corresponding to the target IP address to obtain the dynamic page resources corresponding to the target IP address.
For example, learning from the probe request messages and response messages corresponding to the target IP address to obtain its dynamic page resources may include, but is not limited to: after a probe request message for the target IP address is received, if the probe request message has no attack feature, the probe request message can be sent to the target IP address and the response message returned by the target IP address for that probe request message is received. On this basis, the dynamic page resources corresponding to the target IP address can be learned from the probe request message and the response message.
For example, after a probe request message for the target IP address is received, if the probe request message has an attack feature, the probe request message may instead be sent to the target honeypot service so that the target honeypot service processes it (i.e., honeypot service processing).
According to the above technical scheme, in the embodiment of the application, a plurality of key fields can be parsed from the probe request message, a simulation feature is generated based on the plurality of key fields, the simulation feature is searched with a search engine to obtain a plurality of IP addresses corresponding to the simulation feature, the page resource is obtained based on the plurality of IP addresses, and the target honeypot service corresponding to the page resource is constructed, so that a new honeypot service (namely the target honeypot service) can be constructed quickly to capture and analyze attack data, and the trapping efficiency of the honeypot is improved. Based on real-time analysis of the attack and probe payload (namely the key fields), the target object the attacker is interested in is quickly guessed with the search engine, the real attack intention can be captured, and the attacker is very likely to be attracted into delivering the next attack payload.
The above technical solution of the embodiments of the present application is described below with reference to specific application scenarios.
In the related art, a honeypot environment is generally produced for a simulated object by various means, and the honeypot environment is deployed on a server to be attacked by external attackers. However, this way of producing honeypots requires a lot of time, and technicians cannot predict attack targets and attack types in advance, which makes the honeypot production process passive: once a new security event or security risk occurs, the environment for a specific honeypot has to be produced and supplemented manually afterwards, affecting the trapping efficiency of honeypots.
In summary, under internet attack scenarios, attack behaviors are diverse, attack targets are highly random and unpredictable, and trapping based on prefabricated honeypots is severely limited: the attacker is often not interested in the prefabricated honeypot service, so the real attack intention and payload cannot be captured.
In view of this finding, the embodiment of the application provides a quick honeypot construction method based on a search engine. Based on real-time analysis of the attack and probe payload, the target objects the attacker is interested in are quickly guessed through a search engine, and a specific IP address found by the search engine is selected at random for traffic proxy forwarding and static resource crawling.
Through traffic proxy forwarding, the probe request can be forwarded in real time to the real physical device, and the attacker is very likely to be attracted into delivering an attack payload. During traffic proxy forwarding, attack message detection can also be performed on the probe request. If the detection result is a normal page browsing request, the probe request continues to be forwarded to the real physical device. If the detection result is an attack request, forwarding to the real physical device stops, and the probe request is forwarded to the new honeypot service to capture and analyze the attack data.
The embodiment of the application provides a quick honeypot construction method based on a search engine, which can be applied to an electronic device; the electronic device may be a server (such as a honeypot server) and its type is not limited. FIG. 2 is a schematic flow chart of the method, which may include:
Step 201, acquiring a probe request message, denoted probe request message X.
For example, a honeypot environment may be produced for a simulated object by various means and deployed on a server to be attacked by an external attacker. On this basis, the attacker can launch an attack on the honeypot service, so the probe request message X sent by the attacker can be obtained.
Step 202, judging whether a honeypot service corresponding to the probe request message X exists.
If there is a honeypot service corresponding to the probe request message X, step 203 is performed.
If there is no honeypot service corresponding to the probe request message X, step 204 is performed.
For an existing honeypot service (a honeypot service may also be referred to as a honeypot type and means honeypot processing of the probe request messages of that honeypot type), a mapping between the service identifier of the honeypot service and the IP address of the honeypot service may be recorded in a mapping table, indicating that the probe request messages sent to that IP address need to be processed by that honeypot service.
On this basis, after the probe request message X is received, its destination IP address may be parsed from it. If the mapping table contains the service identifier of the honeypot service corresponding to the destination IP address, a honeypot service corresponding to the probe request message X exists (i.e., the honeypot service corresponding to that service identifier), and step 203 is performed. If the mapping table does not contain a service identifier for the destination IP address, no honeypot service corresponding to the probe request message X exists, and step 204 is performed.
If there is a honeypot service corresponding to the probe request message X, the probe request message X is forwarded to that honeypot service, and the honeypot service responds to it.
For example, if there is a honeypot service corresponding to the probe request message X (e.g., the probe request message X corresponds to honeypot service A), the probe request message X is an attack message for the existing honeypot service A, so the probe request message X is forwarded to honeypot service A, and honeypot service A responds to it. For example, honeypot service A may capture and analyze the attack behavior based on the probe request message X and respond to it; the processing manner is not limited.
Step 204, if no honeypot service corresponding to the probe request message X exists, parsing a plurality of key fields from the probe request message X and generating a simulation feature based on the plurality of key fields.
For example, if there is no honeypot service corresponding to the probe request message X (e.g., the probe request message X does not correspond to any existing honeypot service), the probe request message X is an attack message for an unknown honeypot service (i.e., a new honeypot service), so a new honeypot service needs to be constructed (hereinafter referred to as target honeypot service P, which may also be referred to as honeypot type P or honeypot environment P).
To construct the target honeypot service P, a plurality of key fields may be parsed from the probe request message X, for example, a plurality of key fields may be parsed from the target content of the probe request message X, and the target content may include, but is not limited to, at least one of: URL content, BODY content, header content.
For example, the URL content of the probe request message X may include, but is not limited to, a mode field, a server name field, a path field and a file name field, and the key fields may be parsed from the URL content of the probe request message X; for example, one or more of the mode field, the server name field, the path field and the file name field may be used as key fields.
For example, the BODY content of the probe request message X may include a plurality of BODY parameters, and the BODY parameters are not limited, so that a key field may be resolved from the BODY content of the probe request message X, for example, at least one BODY parameter in the BODY content may be used as the key field.
For example, the Header content of the probe request message X may include a plurality of Header parameters, and the Header parameters are not limited, so that a key field may be parsed from the Header content of the probe request message X, for example, at least one Header parameter in the Header content may be used as the key field.
For example, the key field may be parsed from the URL content and the BODY content of the probe request message X, for example, any field in the URL content and the BODY content is used as the key field.
Of course, the above is merely an example of parsing the key field from the probe request packet X, and is not limited thereto.
After the plurality of key fields are parsed from the probe request message X, a part of key fields or all of the key fields may be selected from the plurality of key fields. For example, assuming that the key field 1, the key field 2, the key field 3 and the key field 4 are parsed from the probe request message X, a part of or all of the key fields may be selected from the key field 1, the key field 2, the key field 3 and the key field 4, and the selection manner is not limited, and may be arbitrarily selected, for example, the key field 1 and the key field 2 may be selected.
The selected key fields may then be combined to obtain the simulated feature, for example, key field 1 and key field 2 may be combined to obtain the simulated feature, that is, the content of key field 1 (i.e., the content of probe request message X for key field 1) and the content of key field 2 (i.e., the content of probe request message X for key field 2) may be combined to obtain the simulated feature.
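As an added example (not code from the patent), the following Python parses a constructed probe request message into URL, BODY and Header content, flattens it into named key fields, and combines a selected subset into a simulation feature as Step 204 describes. The sample request, the field names, the list of volatile fields and the space-joined feature format are assumptions; Shodan, FOFA and ZoomEye each have their own query syntax.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample probe request message X (not from the patent).
SAMPLE_PROBE = (
    "POST /cgi-bin/status.cgi HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "User-Agent: probe-client/1.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "action=status&format=json"
)


def parse_probe(raw: str, scheme: str = "http") -> dict:
    """Split a raw HTTP/1.1 request into URL, Header and BODY content.
    The scheme (the 'mode field') is not present in a raw request line,
    so the caller supplies it; 'http' is assumed by default."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)  # relative target: only path and query are set
    path = url.path or "/"
    content_type = headers.get("content-type", "")
    if body and content_type.startswith("application/x-www-form-urlencoded"):
        body_params = dict(parse_qsl(body, keep_blank_values=True))
    else:
        body_params = {"raw": body} if body else {}
    return {
        "method": method,
        "version": version,
        "url": {
            "mode": scheme,                      # mode field
            "server": headers.get("host", ""),   # server name field
            "path": path,                        # path field
            "file": path.rsplit("/", 1)[-1],     # file name field
        },
        "headers": headers,
        "body": body_params,
    }


# Assumed list of fields whose value belongs to this one probe or its transport
# rather than to the class of target the attacker is looking for; they make
# poor search features and are dropped before selection.
VOLATILE = {"header.host", "header.content-length", "header.connection"}


def extract_key_fields(req: dict) -> dict:
    """Flatten URL, BODY and Header content into named key fields (Step 204)."""
    fields = {f"url.{k}": v for k, v in req["url"].items()}
    fields.update({f"body.{k}": v for k, v in req["body"].items()})
    fields.update({f"header.{k}": v for k, v in req["headers"].items()})
    return {k: v for k, v in fields.items() if k not in VOLATILE and v}


def build_simulation_feature(fields: dict, selected) -> str:
    """Combine the content of the selected key fields into one simulation feature.
    Space-joining the values is an assumption; a real implementation would
    render the selected fields into the chosen search engine's query syntax."""
    missing = [name for name in selected if name not in fields]
    if missing:
        raise KeyError(f"unknown key fields: {missing}")
    return " ".join(fields[name] for name in selected)


if __name__ == "__main__":
    req = parse_probe(SAMPLE_PROBE)
    fields = extract_key_fields(req)
    print(fields)
    # e.g. select the path field and one BODY parameter as key fields 1 and 2
    print(build_simulation_feature(fields, ["url.path", "body.action"]))
```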
Step 205, after the simulation feature is obtained, searching the simulation feature with a search engine (at least one search engine may be used) to obtain a plurality of IP addresses corresponding to the simulation feature.
For example, after the simulation feature is obtained, a search engine (e.g., the Shodan search engine, the FOFA search engine, the ZoomEye search engine, etc.) may be selected from the whole-network search engine resources, and the simulation feature is retrieved with that search engine to obtain a plurality of IP addresses corresponding to the simulation feature.
For example, the Shodan search engine may be used to retrieve the simulation feature to obtain the IP addresses corresponding to it; or the Shodan and FOFA search engines may be used; or the Shodan and ZoomEye search engines may be used. Of course, these are only a few examples; any way of retrieving a plurality of IP addresses corresponding to the simulation feature through a search engine will do.
Step 206, sending the probe request message X to the plurality of IP addresses (i.e. the plurality of IP addresses corresponding to the simulation feature) and receiving a plurality of response messages returned by the plurality of IP addresses for the probe request message X.
For example, after an IP address corresponding to the simulation feature is obtained, the probe request message X may be sent to that IP address, and the server at that IP address receives it. After receiving the probe request message X, the server may return a response message for it. The response message may be a normal response message (such as a 2XX message, e.g. a 200 OK message) or an abnormal response message (such as a 4XX message, which represents a client error status code, or a 5XX message, which represents a server error status code).
In summary, after the probe request message X is sent to the plurality of IP addresses, each IP address may return a response message for it, so a plurality of response messages may be received, among which normal response messages and/or abnormal response messages may exist.
In one possible implementation, after the plurality of IP addresses corresponding to the simulation feature are obtained, the probe request message X may be sent to all of those IP addresses, or a part of them may be selected and the probe request message X sent only to that part.
Step 207, determining whether the honeypot construction condition has been satisfied based on the plurality of response messages. If yes, go to step 208. If not, a new simulation feature is generated based on the plurality of key fields, and step 205 is returned to based on the new simulation feature, namely, the search engine is adopted to search the new simulation feature to obtain a plurality of IP addresses.
Case 1: after the multiple response messages are obtained, if the multiple response messages are normal response messages (i.e. no abnormal response messages exist), and the contents carried by at least K response messages in the multiple response messages are matched (i.e. the contents carried by at least K response messages are consistent), determining that the honeypot construction condition is met.
For example, K may be a positive integer greater than 1, and the value of K may be configured empirically, such as 3, 4, 5, etc. Alternatively, the value of K may be determined from the total number of response messages, e.g., K is greater than or equal to W×a, where W represents the total number of response messages and a may be configured empirically, e.g., 80%, 85%, 90%, etc.
After obtaining the plurality of response messages, if all the response messages are normal response messages and the content carried by at least K response messages is consistent, the IP addresses (i.e. the plurality of IP addresses corresponding to the simulation characteristics) can perform normal processing on the detection request message X, i.e. the IP addresses are detection targets (i.e. real targets) of the detection request message X, so that the IP addresses meet the honeypot construction conditions.
Case 2: after the multiple response messages are obtained, if the multiple response messages are normal response messages (i.e. no abnormal response messages exist), and the content carried by at least M response messages in the multiple response messages is not matched (i.e. the content carried by at least M response messages is inconsistent), determining that the honeypot construction condition is not satisfied.
For example, M may be a positive integer greater than 1, and the value of M may be configured empirically, such as 3, 4, 5, etc. Alternatively, the value of M may be determined from the total number of response messages, e.g., M is greater than or equal to W×b, where W represents the total number of response messages and b may be configured empirically, e.g., 20%, 15%, 10%, etc. The value of b is related to the value of a, for example a+b is 100%; for example, when a is 80%, b is 20%.
After the plurality of response messages are obtained, if all of them are normal response messages but the contents carried by at least M of them are inconsistent, then although the IP addresses (i.e. the plurality of IP addresses corresponding to the simulation feature) can all process the probe request message X normally, their processing results for it are inconsistent; in this case the IP addresses are not the probe targets (i.e. the real targets) of the probe request message X, so they do not meet the honeypot construction condition.
Case 3: after the plurality of response messages are obtained, if an abnormal response message exists among them, it is determined that the honeypot construction condition is not met. That is, if there are abnormal response messages among the plurality of response messages, some IP addresses (i.e. IP addresses corresponding to the simulation feature) cannot process the probe request message X normally; these IP addresses are not the probe targets (i.e. the real targets) of the probe request message X, so they do not meet the honeypot construction condition.
For Case 2 and Case 3, if the honeypot construction condition is not satisfied, a new simulation feature needs to be generated from the plurality of key fields: part or all of the key fields are selected and the selected key fields are combined to obtain the new simulation feature, which must differ from every simulation feature already searched. For example, from key field 1, key field 2, key field 3 and key field 4, key field 1, key field 3 and key field 4 may be selected and combined to obtain the new simulation feature.
After obtaining the new simulation feature, a search engine may be used to search the new simulation feature to obtain a plurality of IP addresses corresponding to the new simulation feature, i.e. return to step 205 to repeat the above process.
Step 208, selecting an IP address from the plurality of IP addresses as the target IP address.
For example, if the contents carried by at least K of the plurality of response messages match, one IP address may be randomly selected from the IP addresses corresponding to those K response messages as the target IP address.
Alternatively, if the contents carried by at least K of the plurality of response messages match, the IP address corresponding to the response message with the shortest response time among those K response messages may be used as the target IP address. Of course, the IP address corresponding to the response message with the second shortest response time may also be used, and the manner of selecting the target IP address is not limited.
The response time of a response message is the time elapsed from sending the probe request message X to receiving that response message. Once the response times of the K response messages are known, the shortest of them is selected, and the IP address corresponding to that response message is used as the target IP address.
For example, if the probe request message X is sent to all the IP addresses at the same time, the IP address corresponding to the first response message received (i.e. the one with the shortest response time, judged by its receiving time) may be used as the target IP address.
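The following is an added worked example, not code from the patent or from the applicant, of steps 206 to 208 as described above: deciding which of Cases 1 to 3 a set of response messages falls into, generating a new simulation feature from the key fields when the condition is not met, and selecting the target IP address by shortest response time or at random. The content-matching rule (identical bodies after all whitespace is removed), the thresholds a = 80% / b = 20%, the key fields and the sample responses are constructed assumptions for illustration only.

```python
"""Added example (not the patent's code): honeypot construction condition (Cases 1-3),
target IP address selection (step 208) and new simulation feature generation.
All names, thresholds and sample data below are illustrative assumptions."""
import hashlib
import math
import random
from collections import Counter
from dataclasses import dataclass
from itertools import combinations
from typing import Iterable, Optional


@dataclass(frozen=True)
class Response:
    ip: str
    normal: bool    # False for timeouts, resets etc. (an "abnormal response message")
    body: bytes
    rtt_ms: float   # response time: probe request message X sent -> response received


def content_key(body: bytes) -> str:
    """Assumption: two bodies "match" when identical after removing all whitespace.
    A production matcher would also strip nonces, timestamps and session ids."""
    return hashlib.sha256(b"".join(body.split())).hexdigest()


def thresholds(w: int, a: float = 0.80) -> tuple[int, int]:
    """K >= W*a and M >= W*b with a + b = 100%; both are forced to be > 1 as the text requires."""
    b = 1.0 - a
    k = max(2, math.ceil(round(w * a, 9)))
    m = max(2, math.ceil(round(w * b, 9)))
    return k, m


def evaluate(responses: list[Response], a: float = 0.80) -> tuple[str, list[Response]]:
    """Return the case label and, for Case 1 only, the responses whose contents agree."""
    if not responses or any(not r.normal for r in responses):
        return "case3_abnormal", []              # some IP address cannot process X at all
    w = len(responses)
    k, m = thresholds(w, a)
    groups = Counter(content_key(r.body) for r in responses)
    top_key, top_count = groups.most_common(1)[0]
    if top_count >= k:                           # Case 1: at least K consistent responses
        return "case1_build", [r for r in responses if content_key(r.body) == top_key]
    if w - top_count >= m:                       # Case 2: at least M responses disagree
        return "case2_mismatch", []
    # Only reachable for very small W, where forcing M >= 2 lifts M above W*b.
    return "undecided", []


def select_target(matched: list[Response], fastest: bool = True,
                  rng: Optional[random.Random] = None) -> str:
    """Step 208: shortest response time wins, or pick a random member of the matched set."""
    if fastest:
        return min(matched, key=lambda r: r.rtt_ms).ip
    return (rng or random.Random()).choice(matched).ip


def next_feature(key_fields: list[str], tried: Iterable[frozenset[str]]) -> Optional[str]:
    """Combine key fields into a search-engine query not yet searched, largest subsets first."""
    seen = set(tried)
    for size in range(len(key_fields), 1, -1):
        for combo in combinations(key_fields, size):
            if frozenset(combo) not in seen:
                return " ".join(f'"{f}"' for f in combo)
    return None


def decide(responses: list[Response], key_fields: list[str],
           tried: Iterable[frozenset[str]], a: float = 0.80):
    """Glue for steps 206-208: (case label, target IP or None, next simulation feature or None)."""
    case, matched = evaluate(responses, a)
    if case == "case1_build":
        return case, select_target(matched), None
    return case, None, next_feature(key_fields, tried)


# Constructed sample: five IP addresses returned by the search engine for one simulation feature.
LOGIN_PAGE = b"<html><title>Device Login</title><form action='/login'></form></html>"
SAMPLE = [
    Response("203.0.113.10", True, LOGIN_PAGE, 120.0),
    Response("203.0.113.11", True, b"<html> <title>Device Login</title> <form action='/login'></form> </html>", 45.0),
    Response("203.0.113.12", True, LOGIN_PAGE, 300.0),
    Response("203.0.113.13", True, LOGIN_PAGE, 90.0),
    Response("203.0.113.14", True, b"<html><title>Router</title></html>", 60.0),
]
KEY_FIELDS = ["Device Login", "/login", "Server: lighttpd"]   # constructed key fields

if __name__ == "__main__":
    print(thresholds(len(SAMPLE)), decide(SAMPLE, KEY_FIELDS, []))
```

With W = 5 and a = 80% the thresholds are K = 4 and M = 2, so the sample above is Case 1 (four consistent login pages, the router page is ignored) and the fastest consistent responder, 203.0.113.11, becomes the target IP address even though 203.0.113.14 answered sooner.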
Step 209, performing page crawling on the web page of the target IP address to obtain a static page resource corresponding to the target IP address, i.e. cloning to obtain the static page resource corresponding to the target IP address.
For example, after the target IP address is obtained, a web page (such as a first page or other pages, which may be any page) of the target IP address may be crawled, and static page resources may be cloned, which is not limited to the crawling manner, and the static page resources corresponding to the target IP address may be obtained.
Step 210, a target honeypot service P corresponding to the static page resource is constructed, and the target honeypot service P is used for processing a probe request message for accessing the static page resource.
For example, after the static page resource is obtained, the target honeypot service P may be constructed, where the target honeypot service P includes the static page resource, so that after receiving the probe request packet, the target honeypot service P may respond to the probe request packet by using the static page resource, thereby triggering an attacker to access the target honeypot service P, so that the target honeypot service P may perform capture analysis of attack data.
Step 211, learning based on the probe request message corresponding to the target IP address and the response message corresponding to the target IP address, to obtain the dynamic page resource corresponding to the target IP address.
Step 212, updating the target honeypot service P with the dynamic page resource, so that the target honeypot service P is used for processing probe request messages for accessing the static page resource and the dynamic page resource.
For example, after the target honeypot service P is constructed, the dynamic page resources corresponding to the target IP address may be learned and updated into the target honeypot service P, so that the target honeypot service P includes both the static page resources and the dynamic page resources; the dynamic page resources are updated into the target honeypot service P continuously, many times over. In this way, after receiving a probe request message, the target honeypot service P may respond to it using the static page resources and/or the dynamic page resources, thereby drawing the attacker into accessing the target honeypot service P, so that the target honeypot service P can capture and analyze attack data.
In one possible implementation, after the target honeypot service P is built, the dynamic page resources are continuously learned and updated into the target honeypot service P until an end condition is met; updating of the target honeypot service P then stops, and the target honeypot service P is treated as an existing honeypot service for subsequent processing.
The end condition may be configured arbitrarily and is not limited here. For example, the end condition may be a duration threshold: timing starts when the target honeypot service P is built, and when the elapsed duration reaches the duration threshold the end condition is met. For another example, the end condition may be an end command issued by an upper-layer application.
In one possible implementation manner, for step 211, based on the probe request packet and the response packet corresponding to the target IP address, the following steps may be adopted to learn the dynamic page resource corresponding to the target IP address:
step S11, a detection request message A aiming at the target IP address is received.
Illustratively, after the target honeypot service P is built based on the static page resources, a service proxy forwarding function may be turned on for the target IP address. After the service proxy forwarding function is started, after a probe request message a (such as a probe request message A1, probe request messages A2, …, and probe request message An) for the target IP address is received, attack detection may be performed on the probe request message a.
For the probe request message a of the target IP address, the destination address of the probe request message a may be the target IP address, and attack detection needs to be performed on each probe request message a of the target IP address.
Step S12, after receiving the probe request message A aiming at the target IP address, carrying out attack detection on the probe request message A to determine whether the probe request message A has attack characteristics.
If the probe request packet a does not have the attack feature, step S13 may be executed.
If the probe request message a has an attack characteristic, step S14 may be performed.
For example, when the attack detection is performed on the probe request message a, the field content in the probe request message a may be obtained, and whether the attack feature exists in the probe request message a is analyzed based on the field content. Alternatively, the probe request message a may be input to a network model (such as a network model for analyzing whether the message has an attack feature), and the network model outputs a result of whether the probe request message a has the attack feature.
Of course, the above is only two examples of attack detection, and the attack detection method is not limited.
Step S13, if the probe request message A does not have the attack feature, the probe request message A is sent to the target IP address, and the response message returned by the target IP address for the probe request message A is received. The dynamic page resources corresponding to the target IP address are then learned from the probe request message A and the response message.
For example, if the probe request packet a does not have the attack feature, it indicates that the probe request packet a does not attack the server, so that the probe request packet a may be sent to the target IP address, and the server where the target IP address is located receives the probe request packet a. After receiving the probe request message a, the server may return a response message for the probe request message a. In summary, the probe request message a corresponding to the target IP address and the response message corresponding to the target IP address can be obtained.
On this basis, the dynamic page resources corresponding to the target IP address can be learned from the probe request message a and the response message, for example, when the probe request message a is used for requesting the dynamic page resources, the response message will carry the dynamic page resources, so that the dynamic page resources corresponding to the target IP address can be learned from the response message. Of course, the above is only an example, and the learning manner is not limited, and the dynamic page resources may be learned from the probe request message a and the response message.
Because the probe request message and the response message can interact for a plurality of times, the dynamic page resource can be continuously learned from the plurality of interactions and updated into the target honeypot service P, namely the dynamic page resource is continuously updated into the target honeypot service P for a plurality of times. In summary, by learning the interaction message (the probe request message and the response message), the dynamic page resources can be continuously updated, and the dynamic page resources are stored in the database of the target honeypot service P. Along with continuous request interaction of an attacker on the target IP address, the target honeypot service P continuously learns more dynamic page resources, so that the simulation degree of the target honeypot service P is perfected.
In a possible implementation manner, the static page resource corresponding to the target IP address may also be learned from the probe request packet a and the response packet, for example, if the response packet carries the static page resource, the static page resource corresponding to the target IP address may be learned, and the static page resource may be updated to the target honeypot service P, and its implementation manner is similar to that of the dynamic page resource and will not be repeated herein.
Step S14, if the probe request message A has the attack feature, the probe request message A is sent to the target honeypot service P, so that the probe request message A is processed by the target honeypot service P.
For example, if the probe request message A has the attack feature, it indicates that the probe request message A would attack the server, so the probe request message A is not sent to the server but to the target honeypot service P, which processes it. For example, after receiving the probe request message A, the target honeypot service P may respond to it using the static page resources and/or the dynamic page resources, thereby drawing the attacker into accessing the target honeypot service P, so that the target honeypot service P can capture and analyze attack data.
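The following is an added worked example, not code from the patent or from the applicant, of the service proxy loop of steps S11 to S14 together with the duration end condition of step 212: each probe request message for the target IP address is checked for attack features; clean requests are forwarded to the real server and the request/response pair is learned into the honeypot's resource store, while requests carrying attack features are diverted to the target honeypot service P, which answers from what it has learned so far. The attack signatures, the static/dynamic classification by Cache-Control header, the in-memory stand-in for the server behind the target IP address and all sample requests are constructed assumptions.

```python
"""Added example (not the patent's code): attack-aware proxy forwarding (steps S11-S14)
that feeds the target honeypot service P with learned dynamic page resources.
Signatures, classification rule, fake upstream and sample requests are assumptions."""
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import unquote, urlsplit

# Small signature set standing in for the "field content" analysis or network model
# mentioned in the text (assumption, not an exhaustive detector).
ATTACK_PATTERNS = [
    re.compile(r"(\.\./|%2e%2e)", re.I),                                          # path traversal
    re.compile(r"(\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+)", re.I),    # SQL injection
    re.compile(r"<script\b|javascript:", re.I),                                   # script injection
    re.compile(r"(;|\|\||&&)\s*(cat|wget|curl|sh|bash)\b", re.I),                 # command injection
]


@dataclass
class Request:
    method: str
    target: str                    # path plus optional query, e.g. "/api/status?lang=en"
    headers: dict = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes


def has_attack_feature(req: Request) -> bool:
    """Step S12: inspect URL, header and BODY content (URL-decoded once) for any attack pattern."""
    fields = [unquote(req.target), unquote(req.body.decode(errors="replace"))]
    fields += [f"{k}: {v}" for k, v in req.headers.items()]
    return any(p.search(f) for p in ATTACK_PATTERNS for f in fields)


def is_dynamic(resp: Response) -> bool:
    """Assumption: HTML/JSON without Cache-Control max-age counts as a dynamic page resource."""
    ctype = resp.headers.get("Content-Type", "")
    cached = "max-age" in resp.headers.get("Cache-Control", "")
    return ctype.startswith(("text/html", "application/json")) and not cached


def resource_key(req: Request) -> str:
    return f"{req.method} {urlsplit(req.target).path}"     # query string ignored (assumption)


@dataclass
class HoneypotService:
    """Target honeypot service P: crawled static resources plus learned dynamic ones."""
    static: dict
    dynamic: dict = field(default_factory=dict)
    captured: list = field(default_factory=list)

    def learn(self, req: Request, resp: Response) -> None:
        (self.dynamic if is_dynamic(resp) else self.static)[resource_key(req)] = resp

    def handle(self, req: Request) -> Response:
        self.captured.append(req)                            # attack data kept for analysis
        key = resource_key(req)
        return (self.dynamic.get(key) or self.static.get(key)
                or Response(404, {"Content-Type": "text/html"}, b"<html>Not Found</html>"))


class Proxy:
    """Service proxy forwarding for the target IP address (steps S11-S14)."""

    def __init__(self, upstream: Callable[[Request], Response], honeypot: HoneypotService,
                 learn_for_seconds: Optional[float] = None, clock=time.monotonic):
        self.upstream, self.honeypot, self.clock = upstream, honeypot, clock
        self.deadline = None if learn_for_seconds is None else clock() + learn_for_seconds

    def handle(self, req: Request) -> tuple[str, Response]:
        if has_attack_feature(req):                           # Step S14: divert to honeypot
            return "honeypot", self.honeypot.handle(req)
        resp = self.upstream(req)                             # Step S13: forward to target IP
        if self.deadline is None or self.clock() < self.deadline:   # end condition (duration)
            self.honeypot.learn(req, resp)
        return "upstream", resp


def fake_upstream(req: Request) -> Response:
    """Constructed stand-in for the server behind the target IP address."""
    path = urlsplit(req.target).path
    if path == "/":
        return Response(200, {"Content-Type": "text/html", "Cache-Control": "max-age=3600"},
                        b"<html><title>Device Login</title></html>")
    if path == "/api/status":
        return Response(200, {"Content-Type": "application/json"}, b'{"uptime": 4242, "fw": "5.4.1"}')
    return Response(404, {"Content-Type": "text/html"}, b"<html>Not Found</html>")


def demo() -> dict:
    hp = HoneypotService(static={"GET /": fake_upstream(Request("GET", "/"))})   # step 209 crawl result
    proxy = Proxy(fake_upstream, hp)
    r1 = proxy.handle(Request("GET", "/api/status?lang=en"))                   # clean: learned
    r2 = proxy.handle(Request("GET", "/api/status?lang=en' OR '1'='1"))       # SQLi: honeypot answers
    r3 = proxy.handle(Request("GET", "/../../etc/passwd"))                     # traversal: honeypot 404
    return {"routes": [r1[0], r2[0], r3[0]], "r2_status": r2[1].status, "r3_status": r3[1].status,
            "learned": sorted(hp.dynamic), "captured": len(hp.captured)}


if __name__ == "__main__":
    print(demo())
```

The second request shows the learning effect: because the clean `/api/status` exchange was learned first, the honeypot can answer the injected variant with the real JSON body instead of a generic page, which is what keeps the attacker engaged. Note that the signature list is a placeholder; a request that evades it reaches the real server, so the detector, not the proxy, bounds the protection.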
According to the technical solution of the embodiments of the present application, a plurality of key fields can be parsed from the probe request message, a simulation feature is generated from those key fields, the simulation feature is searched with a search engine to obtain a plurality of IP addresses corresponding to it, page resources are acquired via those IP addresses, and a target honeypot service corresponding to the page resources is constructed. A new honeypot service (namely the target honeypot service) can thus be built quickly to capture and analyze attack data, improving the trapping efficiency of the honeypot. By analyzing the real-time attack and probe payload (namely the key fields), the target the attacker is interested in is quickly inferred through the search engine, the real attack intention can be captured, and the attacker is very likely to be drawn into delivering the next attack payload.
Based on the same application concept as the method, an embodiment of the present application provides a rapid honey pot construction device based on a search engine, and referring to fig. 3, a schematic structural diagram of the device is shown, where the device includes:
the obtaining module 31 is configured to obtain a probe request packet, and if there is no honeypot service corresponding to the probe request packet, parse a plurality of key fields from the probe request packet;
A search module 32 for generating simulated features based on the plurality of key fields; searching the simulation features by adopting a search engine to obtain a plurality of IP addresses corresponding to the simulation features;
a communication module 33, configured to send the probe request packet to the plurality of IP addresses, and receive a plurality of response packets returned by the plurality of IP addresses for the probe request packet;
the obtaining module 31 is further configured to select an IP address from the plurality of IP addresses as a target IP address if the plurality of response messages are all normal response messages and contents carried by at least K response messages in the plurality of response messages are matched; wherein K is a positive integer greater than 1;
the processing module 34 is configured to acquire a page resource from the target IP address, and construct a target honeypot service corresponding to the page resource; the target honey pot service is used for processing the detection request message for accessing the page resource.
Illustratively, the obtaining module 31 is specifically configured to, when parsing a plurality of key fields from the probe request packet: analyzing a plurality of key fields from the target content of the detection request message; the target content includes at least one of: URL content, BODY content, header content; the search module is specifically configured to, when generating the simulated feature based on the plurality of key fields: selecting part of key fields or all key fields from the plurality of key fields; and combining the selected key fields to obtain the simulation features.
The search module 32 is further configured to, after the communication module receives a plurality of response messages returned by the plurality of IP addresses for the probe request message, generate a new simulation feature based on the plurality of key fields if the plurality of response messages have abnormal response messages or if the plurality of response messages are all normal response messages and at least M response messages in the plurality of response messages carry non-matching content, where M is a positive integer greater than 1, and return to perform an operation of searching the simulation feature by using a search engine to obtain a plurality of IP addresses corresponding to the simulation feature.
Illustratively, the obtaining module 31 is specifically configured to, when selecting one IP address from the plurality of IP addresses as the target IP address: randomly selecting an IP address from the IP addresses corresponding to the K response messages as the target IP address; or based on the response time consuming time corresponding to the K response messages, taking the IP address corresponding to the response message with the shortest response time consuming time as the target IP address.
Illustratively, the processing module 34 is specifically configured to, when retrieving the page resource from the target IP address: performing page crawling on the web page of the target IP address to obtain a static page resource corresponding to the target IP address; and/or learning based on the detection request message corresponding to the target IP address and the response message corresponding to the target IP address to obtain the dynamic page resource corresponding to the target IP address.
Illustratively, the processing module 34 learns based on the probe request message corresponding to the target IP address and the response message corresponding to the target IP address, and is specifically configured to: after receiving a detection request message aiming at the target IP address, if the detection request message does not have attack characteristics, sending the detection request message to the target IP address, and receiving a response message returned by the target IP address aiming at the detection request message; and learning the dynamic page resources corresponding to the target IP address from the detection request message and the response message.
The processing module 34 is further configured to send, after receiving the probe request packet for the target IP address, the probe request packet to the target honeypot service if the probe request packet has an attack feature, so as to process the probe request packet through the target honeypot service.
Based on the same application concept as the above method, an embodiment of the present application proposes an electronic device, referring to fig. 4, including a processor 41 and a machine-readable storage medium 42, where the machine-readable storage medium 42 stores machine-executable instructions executable by the processor 41; the processor 41 is configured to execute machine-executable instructions to implement the search engine-based rapid honeypot construction method described above.
Based on the same application concept as the method, the embodiment of the application also provides a machine-readable storage medium, wherein a plurality of computer instructions are stored on the machine-readable storage medium, and when the computer instructions are executed by a processor, the quick honey pot construction method based on the search engine can be realized.
The machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that can contain or store information, such as executable instructions, data, or the like. For example, a machine-readable storage medium may be: RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., hard drive), a solid state disk, any type of storage disk (e.g., optical disk, DVD, etc.), or a similar storage medium, or a combination thereof.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer entity or by an article of manufacture having some functionality. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each element may be implemented in the same piece or pieces of software and/or hardware when implementing the present application.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the application may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Moreover, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims (10)

1. A search engine-based rapid honeypot construction method, the method comprising:
Acquiring a detection request message, if no honey pot service corresponding to the detection request message exists, analyzing a plurality of key fields from the detection request message, and generating simulation features based on the plurality of key fields;
Searching the simulation features by adopting a search engine to obtain a plurality of IP addresses corresponding to the simulation features;
Sending the detection request message to the plurality of IP addresses, and receiving a plurality of response messages returned by the plurality of IP addresses for the detection request message; if the response messages are normal response messages and the contents carried by at least K response messages in the response messages are matched, selecting one IP address from the IP addresses as a target IP address, wherein K is a positive integer greater than 1;
And acquiring page resources from the target IP address, and constructing target honey pot service corresponding to the page resources, wherein the target honey pot service is used for processing a detection request message for accessing the page resources.
2. The method of claim 1, wherein parsing the plurality of key fields from the probe request message, generating the simulated feature based on the plurality of key fields, comprises:
analyzing a plurality of key fields from the target content of the detection request message; wherein the target content comprises at least one of: URL content, BODY content, header content;
selecting part of key fields or all key fields from the plurality of key fields;
and combining the selected key fields to obtain the simulation features.
3. The method of claim 1, wherein after receiving a plurality of response messages returned by the plurality of IP addresses for the probe request message, the method further comprises:
If the plurality of response messages have abnormal response messages or the plurality of response messages are all normal response messages and the content carried by at least M response messages in the plurality of response messages is not matched, generating new simulation features based on the plurality of key fields, and returning to execute the operation of searching the simulation features by adopting a search engine to obtain a plurality of IP addresses corresponding to the simulation features.
4. The method of claim 1, wherein
The selecting an IP address from the plurality of IP addresses as a target IP address includes:
Randomly selecting an IP address from the IP addresses corresponding to the K response messages as the target IP address; or based on the response time consuming time corresponding to the K response messages, taking the IP address corresponding to the response message with the shortest response time consuming time as the target IP address.
5. The method of claim 1, wherein
The obtaining the page resource from the target IP address includes:
Performing page crawling on the web page of the target IP address to obtain a static page resource corresponding to the target IP address; and/or learning based on the detection request message and the response message corresponding to the target IP address to obtain the dynamic page resource corresponding to the target IP address.
6. The method of claim 5, wherein
The learning based on the probe request message and the response message corresponding to the target IP address, to obtain the dynamic page resource corresponding to the target IP address, includes:
After receiving a detection request message aiming at the target IP address, if the detection request message does not have attack characteristics, sending the detection request message to the target IP address, and receiving a response message returned by the target IP address aiming at the detection request message; and learning the dynamic page resources corresponding to the target IP address from the detection request message and the response message.
7. The method of claim 6, wherein
After receiving the probe request message for the target IP address, the method further includes:
and if the probe request message has the attack feature, sending the probe request message to the target honeypot service, so that the probe request message is processed by the target honeypot service.
8. A search engine-based rapid honeypot construction apparatus, the apparatus comprising:
The acquisition module is used for acquiring a detection request message, and analyzing a plurality of key fields from the detection request message if the honey pot service corresponding to the detection request message does not exist;
A search module for generating simulated features based on the plurality of key fields; searching the simulation features by adopting a search engine to obtain a plurality of IP addresses corresponding to the simulation features;
the communication module is used for sending the detection request message to the plurality of IP addresses and receiving a plurality of response messages returned by the plurality of IP addresses aiming at the detection request message;
The obtaining module is further configured to select an IP address from the plurality of IP addresses as a target IP address if the plurality of response messages are all normal response messages and contents carried by at least K response messages in the plurality of response messages are matched; wherein K is a positive integer greater than 1;
The processing module is used for acquiring page resources from the target IP address and constructing target honey pot service corresponding to the page resources; the target honey pot service is used for processing the detection request message for accessing the page resource.
9. The apparatus of claim 8, wherein
The acquiring module is specifically configured to, when resolving the plurality of key fields from the probe request packet: analyzing a plurality of key fields from the target content of the detection request message; wherein the target content comprises at least one of: URL content, BODY content, header content; the search module is specifically configured to, when generating the simulated feature based on the plurality of key fields: selecting part of key fields or all key fields from the plurality of key fields; combining the selected key fields to obtain the simulation features;
The searching module is further configured to, after the communication module receives a plurality of response messages returned by the plurality of IP addresses for the probe request message, if the plurality of response messages have abnormal response messages, or if the plurality of response messages are all normal response messages and at least M response messages in the plurality of response messages carry unmatched contents, where M is a positive integer greater than 1, generate a new simulation feature based on the plurality of key fields, and return to perform an operation of searching the simulation feature by using a search engine to obtain a plurality of IP addresses corresponding to the simulation feature;
The acquiring module is specifically configured to, when selecting one IP address from the plurality of IP addresses as a target IP address: randomly selecting an IP address from the IP addresses corresponding to the K response messages as the target IP address; or based on the response time consuming time corresponding to the K response messages, taking the IP address corresponding to the response message with the shortest response time consuming time as the target IP address;
The processing module is specifically configured to, when acquiring a page resource from the target IP address: performing page crawling on the web page of the target IP address to obtain a static page resource corresponding to the target IP address; and/or learning based on the detection request message corresponding to the target IP address and the response message corresponding to the target IP address to obtain a dynamic page resource corresponding to the target IP address;
The processing module learns based on the detection request message corresponding to the target IP address and the response message corresponding to the target IP address, and is specifically used for obtaining the dynamic page resource corresponding to the target IP address when: after receiving a detection request message aiming at the target IP address, if the detection request message does not have attack characteristics, sending the detection request message to the target IP address, and receiving a response message returned by the target IP address aiming at the detection request message; learning a dynamic page resource corresponding to the target IP address from the detection request message and the response message;
and the processing module is further configured to send the probe request packet to the target honeypot service after receiving the probe request packet for the target IP address if the probe request packet has an attack feature, so as to process the probe request packet through the target honeypot service.
10. An electronic device, comprising: a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor; the processor is configured to execute machine executable instructions to implement the method of any of claims 1-7.
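The feature-combination, retry and target-selection rules of claim 9, as an added Python example that is not part of the patent or any product code. The function names, the reading of "abnormal" as a non-2xx status, the reading of "matched content" as a body containing a marker from the key fields, the equation of K with the normal matching responses, and all addresses and bodies are assumptions constructed for the example.

```python
"""Response triage and target selection for the honeypot builder of claim 9.

Added example; the search-engine step is replaced by constructed results.
Assumptions: abnormal = non-2xx status; a response matches when its body
contains a marker from the key fields; K = the normal, matching responses.
"""
from dataclasses import dataclass
from itertools import combinations
import random


@dataclass
class Response:
    ip: str
    status: int        # HTTP status returned for the probe request
    body: str          # response body (or its first bytes)
    latency_ms: float  # round-trip time of the probe


def simulated_features(key_fields: dict) -> list:
    """Combine some or all key fields into search features, most specific first.
    Each retry in claim 9 takes the next, previously unused, feature."""
    items = sorted(key_fields.items())
    return [" ".join(f'{k}:"{v}"' for k, v in combo)
            for n in range(len(items), 0, -1)
            for combo in combinations(items, n)]


def triage(responses: list, markers: list, m: int):
    """Claim-9 retry rule: ('retry', reason) when a new feature is needed,
    else ('ok', k_responses) with the normal responses whose content matched."""
    if any(not 200 <= r.status < 300 for r in responses):
        return "retry", "abnormal response present"
    unmatched = [r for r in responses if not any(mk in r.body for mk in markers)]
    if len(unmatched) >= m:
        return "retry", f"{len(unmatched)} unmatched responses (M={m})"
    return "ok", [r for r in responses if r not in unmatched]


def pick_target(k_responses: list, strategy: str = "fastest", rng=random) -> str:
    """Select the target IP: shortest response latency, or a random member of K."""
    if strategy == "fastest":
        return min(k_responses, key=lambda r: r.latency_ms).ip
    return rng.choice(k_responses).ip


# Constructed key fields and probe results; documentation-range IPs, no hosts contacted.
KEY_FIELDS = {"server": "ExampleCam/2.1", "title": "Device Login"}
SAMPLE = [
    Response("203.0.113.10", 200, "<title>Device Login</title> ExampleCam/2.1", 180.0),
    Response("203.0.113.11", 200, "<title>Device Login</title> ExampleCam/2.1", 95.0),
    Response("203.0.113.12", 200, "<html>Welcome to a different product</html>", 40.0),
]
```

With `m=2` the sample passes triage (only one unmatched response) and the fastest matching host, 203.0.113.11, becomes the target; with `m=1` the same responses trigger a retry with a new feature.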
CN202410535063.0A 2024-04-29 Quick honey pot construction method, device and equipment based on search engine Active CN118138371B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410535063.0A CN118138371B (en) 2024-04-29 Quick honey pot construction method, device and equipment based on search engine

Publications (2)

Publication Number Publication Date
CN118138371A true CN118138371A (en) 2024-06-04
CN118138371B CN118138371B (en) 2024-07-02

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190020683A1 (en) * 2017-07-17 2019-01-17 Sap Se Automatic generation of low-interaction honeypots
US20190081980A1 (en) * 2017-07-25 2019-03-14 Palo Alto Networks, Inc. Intelligent-interaction honeypot for iot devices
CN112714126A (en) * 2020-12-29 2021-04-27 赛尔网络有限公司 Method and system for improving honeypot trapping attack capability in IPv6 address space
CN114826663A (en) * 2022-03-18 2022-07-29 烽台科技(北京)有限公司 Honeypot identification method, honeypot identification device, honeypot identification equipment and storage medium
CN115913632A (en) * 2022-10-11 2023-04-04 中国交通信息科技集团有限公司 Honey net cluster deployment method for industrial control system
CN117201184A (en) * 2023-10-23 2023-12-08 西安胡门网络技术有限公司 Active defense method and system
CN117240634A (en) * 2023-11-16 2023-12-15 中国科学技术大学 MySQL protocol-oriented intelligent safe honeypot method, system and equipment
CN117240560A (en) * 2023-09-25 2023-12-15 哈尔滨工业大学 GAN-based high-simulation honeypot implementation method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Lin Zibin (林子滨): "Active network routing deception algorithm and honeypot construction" (主动网络路由欺骗算法与蜜罐构建), Fujian Computer (福建电脑), no. 02, 1 February 2008 (2008-02-01) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant