WO2019140876A1 - Method for establishing a phantom device capable of preventing a network attack, medium and device - Google Patents

Method for establishing a phantom device capable of preventing a network attack, medium and device

Info

Publication number
WO2019140876A1
Authority
WO
WIPO (PCT)
Prior art keywords
phantom
real
phantom device
mac address
template
Prior art date
Application number
PCT/CN2018/096106
Other languages
English (en)
Chinese (zh)
Inventor
肖政
涂大志
戴昌
Original Assignee
深圳市联软科技股份有限公司
Priority date
Filing date
Publication date
Application filed by 深圳市联软科技股份有限公司
Publication of WO2019140876A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                • H04L 63/0227 Filtering policies
                    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
            • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                • H04L 63/1441 Countermeasures against malicious traffic
                    • H04L 63/1483 Countermeasures against malicious traffic: service impersonation, e.g. phishing, pharming or web spoofing
                    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
        • H04L 61/00 Network arrangements, protocols or services for addressing or naming
            • H04L 61/50 Address allocation
                • H04L 61/5007 Internet protocol [IP] addresses
                • H04L 61/5038 Address allocation for local use, e.g. in LAN or USB networks, or in a controller area network [CAN]
                • H04L 61/5046 Resolving address allocation conflicts; Testing of addresses
        • H04L 2101/00 Indexing scheme associated with group H04L61/00
            • H04L 2101/60 Types of network addresses
                • H04L 2101/618 Details of network addresses
                    • H04L 2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses

Definitions

  • the present invention relates to the field of network security technologies, and in particular, to a method, a medium, and a device for establishing a phantom device for preventing network attacks.
  • A honeynet is a network system rather than a single host; it is hidden behind the firewall, and all incoming and outgoing data is monitored, captured and controlled. Honeypot technology is a technique for deceiving an attacker: hosts, network services or information are arranged as bait so that the attacker is induced to attack them, and the attack behaviour can then be captured and analysed to learn the attacker's tools and methods and to infer the intent and motivation of the attack. This lets defenders clearly understand the security threats they face and strengthen the protection of the real system through technical and management means; these active defense technologies can effectively perceive and capture botnets.
  • The application provides a method, a medium and a device for establishing a phantom device for preventing network attacks; the established phantom device can be perfectly camouflaged into the network and has strong defense capability.
  • The present application provides a method for establishing a phantom device for preventing network attacks, including: acquiring features of the real devices in the local area network; classifying the real devices according to the features and using each type of real device as a device template; setting a configuration file of the phantom device according to the device template; and loading the configuration file to generate the phantom device.
  • Setting the configuration file of the phantom device according to the device template includes: assigning an IP address and a MAC address to each phantom device according to the device template; and setting the configuration file of the corresponding phantom device according to the IP address, the MAC address and the features corresponding to the device template.
  • Assigning an IP address and a MAC address to each phantom device according to the device template includes: counting the number of real devices corresponding to each device template; calculating, from that number and a preset magnification, the number of phantom devices for each device template; calculating candidate IP addresses from the IP addresses of the real devices; selecting the required number of IP addresses from the candidates for each device template; and generating the MAC address of each phantom device according to the vendor feature of the device template.
  • Setting the configuration file of the corresponding phantom device according to the IP address, the MAC address and the features corresponding to the device template includes: setting the features of the phantom device according to the features of the device template; setting its IP address and MAC address; and generating the configuration file of the phantom device according to the set features, IP address and MAC address.
  • Setting the features of the phantom device according to the features of the device template includes: setting the open ports of the phantom device to proxy mode according to the open-port feature of the device template.
  • The method further comprises: monitoring in real time each real device that newly comes online, and detecting whether its IP address and MAC address conflict with those of a phantom device. If the IP of the real device conflicts with the IP of a phantom device, the phantom device corresponding to that IP is disabled and its record is deleted; the configuration file corresponding to the phantom device is modified, the modified configuration file is loaded, and the phantom device is updated. If the IP of the real device does not conflict with the IP of the phantom device, it is determined whether the MAC address of the real device conflicts with the MAC address of the phantom device; if so, a MAC address is reselected for the phantom device and the phantom device's MAC address is updated accordingly. Otherwise, newly online devices continue to be monitored.
  • The method further comprises: determining whether the phantom device has reached a refresh cycle; if so, performing the step of establishing a phantom device again; if not, continuing to use the phantom device.
  • The present application provides a method for preventing network attacks, including: monitoring in real time the communication information of the phantom device in the local area network; determining whether another device communicates with the phantom device; if not, continuing to monitor the communication information of the phantom device; if so, marking the other device as a suspicious device, blocking communication between the suspicious device and both the phantom device and the real devices in the local area network, and sending the information of the suspicious device to a network administrator.
  • The method further comprises: continuing to monitor the suspicious device while blocking communication between the suspicious device and the phantom device and the real devices in the local area network.
  • The method further includes: after the phantom device is established, collecting its risk information in real time and transmitting the risk information to the user.
  • The present application provides a computer readable storage medium on which a computer program is stored; when executed by a processor, the program implements the method for establishing a phantom device for preventing network attacks according to the first aspect.
  • The present application provides a computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor; the processor executes the program to implement the method for establishing a phantom device for preventing network attacks according to the first aspect.
  • The present application provides a method for establishing a phantom device for preventing network attacks, comprising: acquiring features of real devices in a local area network; classifying the real devices according to the features and using each type of real device as a device template; setting a configuration file of the phantom device according to the device template; and loading the configuration file to generate the phantom device. Since each device template has the same features as its real devices, a phantom device generated from a configuration file derived from the template has high similarity to the corresponding real device and can be perfectly camouflaged into the network.
  • The phantom device thus established is simple to deploy and use, consumes few computer and human resources, and places low security and technical requirements on deployment and maintenance personnel.
  • the method for preventing network attacks provided by the present application has the same advantageous effects as the method for establishing the phantom device for preventing network attacks described above.
  • a computer readable storage medium and a computer device provided by the present application have the same beneficial effects as the above-described phantom device establishment method for preventing network attacks.
  • FIG. 1 is a flowchart of a method for establishing a phantom device for preventing network attacks according to the present invention
  • FIG. 3 is a schematic structural diagram of a computer device according to the present invention.
  • the invention provides a phantom device establishment method, a medium, a device and an anti-network attack method for preventing network attacks.
  • FIG. 1 is a flowchart of a method for establishing a phantom device for preventing network attacks according to an embodiment of the present invention.
  • Step S101 Acquire a feature of a real device in the local area network.
  • Step S102 According to the feature, classify the real device, and use each type of the real device as a device template.
  • Step S103 Set a configuration file of the phantom device according to the device template.
  • Step S104 Load the configuration file to generate the phantom device.
  • the features may include: device type, operating system, operating system fingerprint, open port, vendor feature, and the like.
  • each real device in the local area network is classified, and one category corresponds to one device template.
  • one operating system corresponds to a category.
  • a phantom device refers to a masquerading system that prevents a network from attacking a real device.
  • The phantom device configuration file is set according to the device template and the phantom device is generated from that configuration file, so the generated phantom device has high similarity to the corresponding real device and can be perfectly camouflaged into the network, achieving high-simulation camouflage, perceiving network attacks timely and effectively, and trapping them or raising alarms and gathering forensics; at the same time, the phantom device thus established is simple to deploy and use and consumes few computer and human resources.
  • Setting the configuration file of the phantom device according to the device template includes: assigning an IP (Internet Protocol) address and a MAC (Media Access Control, or Medium Access Control) address to each phantom device according to the device template; and setting the configuration file of the corresponding phantom device according to the IP address, the MAC address and the features corresponding to the device template.
  • The MAC address is also called the physical address or hardware address.
  • Not only the IP address and MAC address must be set; other parameters, such as the operating system fingerprint, the operating system and the open ports, also need to be set according to the multiple features of the template.
  • Assigning an IP address and a MAC address to each phantom device according to the device template includes: counting the number of real devices corresponding to each device template; calculating, from that number and a preset magnification, the number of phantom devices corresponding to each device template; calculating candidate IP addresses from the IP addresses of the real devices; selecting from the candidate IP addresses, for each device template, a number of IP addresses equal to its number of phantom devices; and generating the MAC address of each corresponding phantom device according to the vendor feature of the device template.
  • the MAC address is generated according to the vendor characteristics of the device template, where the vendor feature of the device template is the vendor feature of the corresponding real device.
  • the generated phantom device has a different MAC address than the real device's MAC address, and each phantom device has a different MAC address.
  • In this way, background staff can distinguish real devices from phantom devices while the similarity between phantom and real devices is improved. Moreover, the number of phantom devices can be adjusted to the actual needs of intranets of different scales, so the scheme scales well.
  • Setting the configuration file of the corresponding phantom device according to the IP address, the MAC address and the features corresponding to the device template includes: setting the corresponding features of the phantom device according to the features of the device template; setting the corresponding IP address for the phantom device according to the IP address; setting the corresponding MAC address for the phantom device according to the MAC address; and generating the configuration file of the phantom device according to its features, IP address and MAC address.
  • The ports supported by the phantom device, such as 22 and 80, are configured in proxy mode, and the proxy service points to the IP address and port of the phantom device.
  • the phantom device's emulation can be improved by setting the phantom device's open port to proxy mode.
  • the similarity of the phantom device generated from the profile to the real device can be improved.
  • When the configuration file is loaded to generate the phantom device, Honeyd can be used to load the configuration file.
  • Honeyd is an open source software for generating virtual honeypots.
  • The method further includes: monitoring in real time each real device that newly comes online; detecting whether the IP address and MAC address of the real device conflict with the IP address and MAC address of a phantom device; if there is no conflict, continuing to monitor newly online devices; if there is a conflict, determining whether the IP of the real device conflicts with the IP of the phantom device; if the IP conflicts, deactivating the phantom device corresponding to that IP and deleting its record, modifying the configuration file corresponding to the phantom device, loading the modified configuration file and updating the phantom device; if the IP does not conflict, determining whether the MAC address of the real device conflicts with the MAC address of the phantom device, and handling a MAC conflict by reselecting a MAC address for the phantom device.
  • the method further includes: detecting whether the IP address and the MAC address of the real device in the local area network conflict with the IP address and the MAC address of the phantom device, and if the conflict occurs, adjusting the parameter setting of the phantom device.
  • The specific detection process is:
  • Monitor in real time each real device that newly comes online and detect whether its IP and MAC address conflict with the IP and MAC address of a phantom device; if there is no conflict, continue to listen for newly online devices.
  • If there is a conflict, determine whether the IP of the real device conflicts with the IP of the phantom device; if so, disable the phantom device corresponding to that IP and delete its record, modify the configuration file corresponding to the phantom device, load the modified configuration file and update the phantom device. When loading the configuration file, use Honeyd to load the new configuration file.
  • If the IP of the real device does not conflict with the IP of the phantom device, determine whether the MAC address of the real device conflicts with the MAC address of the phantom device; if so, reselect a MAC address for the phantom device and update the phantom device's MAC address accordingly; if the MAC addresses do not conflict, continue to listen for newly online devices.
  • The method further includes: determining whether the phantom device has reached a refresh cycle; if so, performing the step of establishing a phantom device again; if not, continuing to use the phantom device.
  • After the phantom device has been used for a period of time, it is necessary to determine whether it has reached the refresh cycle. If not, the phantom device can continue to be used; if so, it needs to be deleted and a new phantom device re-established. In this way, when the features of the real devices change, phantom devices that no longer apply can be deleted in time, corresponding phantom devices established and the phantom devices updated promptly, so that the real devices are better protected from network attacks.
  • The refresh period can be determined from an empirical value.
  • The advantages of traditional honeypot and honeynet technology are fully absorbed: a phantom device similar to the real device can be established, the phantom device can be perfectly camouflaged as a real device in the network, and network attacks are perceived timely and effectively so that trapping or alarm forensics can be conducted.
  • The present invention is simple to deploy and use, and generating these phantom devices in the internal network consumes only a small amount of computer resources, saving resources.
  • the present invention can adjust the number of phantom devices according to the actual needs of different intranet levels, so that corresponding phantom devices can be provided for each real device.
  • the above is a method for establishing a phantom device for preventing network attacks provided by the present invention.
  • the present invention further provides a method for preventing network attacks.
  • FIG. 2 it is a schematic diagram of a method for preventing network attacks according to an embodiment of the present invention.
  • Step S101 Real-time monitoring communication information of the phantom device in the local area network; wherein the phantom device is established by the method described in the first embodiment;
  • Step S102 determining whether another device communicates with the phantom device
  • Step S103 If not, continue to monitor the communication information of the phantom device;
  • Step S104 If yes, mark the other device as a suspicious device
  • Step S105 Block communication between the suspicious device and the phantom device and the real device in the local area network, and send the information of the suspicious device to a network administrator.
  • After the phantom device is generated, it needs to be disguised as a real device.
  • the phantom device can be used as a shadow of a real device, pretending to be a real device, and preventing the real device from being attacked.
  • The phantom device prevents network attacks as follows: the communication information of the phantom device in the local area network is monitored in real time, and it is determined whether other devices communicate with the phantom device; if not, monitoring of the phantom device's communication information continues; if so, the other device is marked as a suspicious device and is blocked from communicating with the phantom device and the real devices, so that the suspicious device cannot attack the real devices.
  • the information of the suspicious device can also be sent to the network administrator, so that the network administrator can perform related processing according to the information of the suspicious device in time.
  • the information of the discovered suspicious device can be sent to the network administrator through SMS/E-mail/SNMP Trap/syslog.
  • The risk information of the phantom device may also be collected in real time and sent to the user, alerting the user to the risk faced by the phantom device.
  • The risk information may refer to information such as hacker attacks and communication between other devices and the phantom device.
  • In this way the user can be promptly alerted to the risk information of the phantom device.
  • a phantom device establishment method for preventing network attacks is provided.
  • a third embodiment of the present invention provides a computer readable storage medium on which a computer program is stored. When the program is executed by the processor, the phantom device establishment method for preventing network attacks provided by the foregoing first embodiment is implemented.
  • the present invention further provides a computer device, including: a memory, a processor, and a computer program stored on the memory and operable on the processor,
  • the phantom device establishing method for preventing network attacks provided by the foregoing first embodiment is implemented when the processor executes the program.
  • FIG. 3 is a schematic diagram showing the hardware structure of a computer device according to an embodiment of the present invention.
  • The processor 201 may include a central processing unit (CPU) or an application specific integrated circuit (ASIC), or may be configured as one or more integrated circuits implementing the embodiments of the present invention.
  • Memory 202 can include mass storage for data or instructions.
  • The memory 202 may include a Hard Disk Drive (HDD), a floppy disk drive, a flash memory, an optical disk, a magneto-optical disk, a magnetic tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these.
  • Memory 202 may include removable or non-removable (or fixed) media, where appropriate.
  • Memory 202 may be internal or external to the data processing device, where appropriate.
  • memory 202 is a non-volatile solid state memory.
  • memory 202 includes a Read-Only Memory (ROM).
  • The ROM may be a mask-programmed ROM, a Programmable Read-Only Memory (PROM), an Erasable Programmable ROM (EPROM), an Electrically Erasable Programmable ROM (EEPROM), an electrically rewritable ROM, flash memory, or a combination of two or more of these.
  • the processor 201 implements the phantom device establishment method for preventing any network attack by reading and executing the computer program instructions stored in the memory 202.
  • the establishment device of the anti-network attack phantom device may further include a communication interface 203 and a bus 210. As shown in FIG. 2, the processor 201, the memory 202, and the communication interface 203 are connected by the bus 210 and complete communication with each other.
  • the communication interface 203 is mainly used to implement communication between modules, devices, units and/or devices in the embodiments of the present invention.
  • the bus 210 includes hardware, software, or both, and couples components of the phantom device-creating device that are resistant to network attacks to each other.
  • The bus may include an Accelerated Graphics Port or Advanced Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a MicroChannel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association local bus (VLB), or another suitable bus or a combination of two or more of these.
  • Bus 210 may include one or more buses, where appropriate. Although specific embodiments of the present invention are described and illustrated, the present invention contemplates any suitable bus or interconnect.
  • the functional blocks shown in the above structural block diagram may be implemented as hardware, software, firmware, or a combination thereof.
  • When implemented in hardware, it may be, for example, an electronic circuit, an application specific integrated circuit (ASIC), suitable firmware, a plug-in, a function card, and the like.
  • the elements of the present invention are programs or code segments that are used to perform the required tasks.
  • the program or code segments can be stored in a machine readable medium or transmitted over a transmission medium or communication link through a data signal carried in the carrier.
  • A "machine-readable medium" can include any medium that can store or transfer information.
  • machine-readable media examples include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, radio frequency (RF) links, and the like.
  • the code segments can be downloaded via a computer network such as the Internet, an intranet, and the like.
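The establishment procedure described above (steps S101 to S104: classifying real devices into templates, sizing the phantom population with a preset magnification, choosing candidate IPs, deriving MAC addresses from the template's vendor feature, and putting the open ports into proxy mode) as an added, self-contained example. This is not code from the patent or from 深圳市联软科技股份有限公司. The device inventory is constructed, the Honeyd directives (create, set personality, add ... proxy, clone, set ethernet, bind) are written in Honeyd's configuration syntax as understood here rather than taken from the page, and pointing each proxied port at a real device of the same template is an assumption made so that the generated configuration is usable.

```python
import ipaddress
import random
from collections import defaultdict

# Constructed sample inventory of real LAN devices (what step S101 would have
# collected; not data from the patent): type, OS, OS fingerprint, open ports, OUI.
REAL_DEVICES = [
    {"ip": "10.0.0.11", "mac": "00:50:56:11:22:33", "type": "server", "os": "Linux",
     "fingerprint": "Linux 2.6.x", "ports": (22, 80), "oui": "00:50:56"},
    {"ip": "10.0.0.12", "mac": "00:50:56:44:55:66", "type": "server", "os": "Linux",
     "fingerprint": "Linux 2.6.x", "ports": (22, 80), "oui": "00:50:56"},
    {"ip": "10.0.0.21", "mac": "00:1c:42:aa:bb:cc", "type": "workstation", "os": "Windows",
     "fingerprint": "Microsoft Windows 7", "ports": (135, 445), "oui": "00:1c:42"},
]


def template_key(dev):
    """Step S102: devices that share all of these features form one template."""
    return (dev["type"], dev["os"], dev["fingerprint"], dev["ports"], dev["oui"])


def classify(devices):
    """Group real devices by template key, preserving first-seen order."""
    templates = defaultdict(list)
    for dev in devices:
        templates[template_key(dev)].append(dev)
    return templates


def candidate_ips(devices, network):
    """Candidate IPs: host addresses of the LAN not used by any real device."""
    used = {dev["ip"] for dev in devices}
    return [str(h) for h in ipaddress.ip_network(network).hosts() if str(h) not in used]


def make_mac(oui, taken, rng):
    """Vendor OUI of the template plus a random NIC part, unique across all devices."""
    while True:
        mac = oui + ":" + ":".join(f"{rng.randrange(256):02x}" for _ in range(3))
        if mac not in taken:
            taken.add(mac)
            return mac


def plan_phantoms(devices, network, magnification, seed=1):
    """Step S103 (addresses): phantoms per template = real devices x magnification."""
    rng = random.Random(seed)  # seeded only so the plan is reproducible
    free = candidate_ips(devices, network)
    taken_macs = {dev["mac"] for dev in devices}
    plan = []
    for idx, (key, members) in enumerate(classify(devices).items()):
        for n in range(len(members) * magnification):
            plan.append({
                "name": f"ph{idx}_{n}", "template": f"tpl{idx}", "features": key,
                "ip": free.pop(0), "mac": make_mac(key[4], taken_macs, rng),
                # Assumption: proxied ports forward to a real device of the same template.
                "proxy_to": members[0]["ip"],
            })
    return plan


def honeyd_config(plan):
    """Render a Honeyd-style configuration for the plan (syntax as understood here)."""
    lines, declared = [], set()
    for ph in plan:
        tpl, feats = ph["template"], ph["features"]
        if tpl not in declared:
            declared.add(tpl)
            lines.append(f"create {tpl}")
            lines.append(f'set {tpl} personality "{feats[2]}"')
            for port in feats[3]:  # the template's open ports go into proxy mode
                lines.append(f"add {tpl} tcp port {port} proxy {ph['proxy_to']}:{port}")
            lines.append(f"set {tpl} default tcp action reset")
        # One clone per phantom so that each bound IP carries its own MAC address.
        lines.append(f"clone {ph['name']} {tpl}")
        lines.append(f'set {ph["name"]} ethernet "{ph["mac"]}"')
        lines.append(f"bind {ph['ip']} {ph['name']}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(honeyd_config(plan_phantoms(REAL_DEVICES, "10.0.0.0/24", magnification=2)))
```

With magnification 2 the two Linux servers yield four phantoms and the Windows workstation two, each carrying the vendor prefix of its template so that a scanner sees a plausible device while the operator can still tell phantoms apart by their address records.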
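The conflict-handling rules for newly online real devices (IP conflict: disable the phantom and drop its record so the configuration is regenerated; MAC conflict: reselect a MAC under the same vendor prefix; otherwise keep listening) together with the refresh-cycle check, as an added example that is not the patent's code. The phantom inventory is constructed, and handle_new_real_device, reselect_mac and needs_refresh are names chosen here.

```python
import random
from copy import deepcopy

# Constructed phantom inventory, as the establishment step would have produced it
# (not data from the patent); "oui" is the vendor prefix inherited from the template.
PHANTOMS = [
    {"id": "ph1", "ip": "10.0.0.1", "mac": "00:50:56:0a:0b:0c", "oui": "00:50:56", "active": True},
    {"id": "ph2", "ip": "10.0.0.2", "mac": "00:50:56:0d:0e:0f", "oui": "00:50:56", "active": True},
]


def reselect_mac(oui, taken, rng):
    """Pick a fresh MAC under the template's vendor OUI that no known device uses."""
    while True:
        mac = oui + ":" + ":".join(f"{rng.randrange(256):02x}" for _ in range(3))
        if mac.lower() not in taken:
            return mac


def handle_new_real_device(real, phantoms, rng=None):
    """Conflict check for a real device that has just come online.

    Returns (events, updated_inventory). IP conflict: the phantom is disabled and
    its record dropped, so the caller must regenerate and reload the config file.
    MAC conflict: the phantom keeps its IP but gets a reselected MAC address.
    No conflict: nothing changes and monitoring simply continues.
    """
    rng = rng or random.Random(0)
    phantoms = deepcopy(phantoms)  # never mutate the caller's inventory
    events = []
    for ph in phantoms:
        if ph["ip"] == real["ip"]:
            ph["active"] = False
            events.append(("ip_conflict", ph["id"]))
        elif ph["mac"].lower() == real["mac"].lower():
            taken = {real["mac"].lower()} | {p["mac"].lower() for p in phantoms}
            ph["mac"] = reselect_mac(ph["oui"], taken, rng)
            events.append(("mac_conflict", ph["id"]))
    remaining = [p for p in phantoms if p["active"]]  # delete disabled records
    return (events or [("no_conflict", None)]), remaining


def needs_refresh(created_at, now, refresh_period):
    """Refresh cycle: once the period (an empirical value) has elapsed, rebuild."""
    return now - created_at >= refresh_period


if __name__ == "__main__":
    newcomer = {"ip": "10.0.0.1", "mac": "00:50:56:99:99:99"}
    events, inventory = handle_new_real_device(newcomer, PHANTOMS)
    print(events, [p["id"] for p in inventory])
```

The IP case is the disruptive one: the real device and the phantom would answer the same address, so the phantom must go and the configuration be reloaded; a MAC clash only changes the layer-2 identity, which can be patched in place.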
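The attack-prevention method of FIG. 2 (monitor communication with the phantom devices, mark any peer that contacts one as suspicious, block it from the phantom and real devices, and notify the administrator) as an added example run over constructed connection records; this is not code from the patent. The record format, the management-host allowlist and the syslog-style alert text are assumptions made here.

```python
import re

# Constructed addresses (not from the patent): phantoms from the establishment
# step, the real devices they shadow, and a management host allowed to probe them.
PHANTOM_IPS = {"10.0.0.1", "10.0.0.2"}
REAL_IPS = {"10.0.0.11", "10.0.0.12", "10.0.0.21"}
ADMIN_IPS = {"10.0.0.250"}

# Constructed connection records: "<timestamp> <src> <dst>:<port> <proto>".
SAMPLE_LOG = """\
2018-07-18T10:00:01 10.0.0.21 10.0.0.11:80 tcp
2018-07-18T10:00:02 10.0.0.77 10.0.0.1:22 tcp
2018-07-18T10:00:03 10.0.0.77 10.0.0.2:80 tcp
2018-07-18T10:00:04 10.0.0.250 10.0.0.1:22 tcp
2018-07-18T10:00:05 10.0.0.12 10.0.0.11:22 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\w+)$")


def parse(log):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, proto = m.groups()
            yield {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def monitor(log, phantom_ips=PHANTOM_IPS, admin_ips=ADMIN_IPS):
    """Steps S101-S104 of FIG. 2: a non-management device that talks to a phantom
    is marked suspicious, since no legitimate workflow ever addresses a phantom."""
    suspicious, evidence = set(), {}
    for rec in parse(log):
        if rec["dst"] in phantom_ips and rec["src"] not in (admin_ips | phantom_ips):
            suspicious.add(rec["src"])
            evidence.setdefault(rec["src"], []).append(rec)
    return suspicious, evidence


def block_rules(suspicious, phantom_ips=PHANTOM_IPS, real_ips=REAL_IPS):
    """Step S105 (blocking): (src, dst) pairs to deny, covering every phantom and
    every real device in the LAN for each suspicious device."""
    return sorted((s, d) for s in suspicious for d in (phantom_ips | real_ips))


def admin_alerts(evidence):
    """Step S105 (notification): syslog-style lines (PRI 132 = local0.warning)."""
    return [
        f"<132>phantom-monitor: suspicious device {src} contacted phantom "
        f"{r['dst']}:{r['port']}/{r['proto']} at {r['ts']}"
        for src, recs in evidence.items() for r in recs
    ]


if __name__ == "__main__":
    found, ev = monitor(SAMPLE_LOG)
    for rule in block_rules(found):
        print("block", *rule)
    print("\n".join(admin_alerts(ev)))
```

Only 10.0.0.77 is flagged: the real-to-real traffic never touches a phantom, and the management host is allowlisted so that routine health checks of the phantoms do not raise alerts.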

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention relates to a method for establishing a phantom device capable of preventing a network attack, to a medium and to a device. The method consists of: obtaining features of real devices in a local area network; classifying the real devices according to the features, and using each type of real device separately as a device template; establishing a configuration file of a phantom device according to the device template; and loading the configuration file to generate the phantom device. The phantom device generated by the method of the present invention is very similar to the corresponding real device, and can thus be perfectly camouflaged in a network so as to achieve high-simulation camouflage and allow a network attack to be detected quickly and effectively and to be trapped or reported and exposed; furthermore, the phantom device thus established is simple to deploy and use, requires fewer computing and human resources, and makes low demands on the security expertise of deployment and maintenance personnel.
PCT/CN2018/096106 2018-01-22 2018-07-18 Method for establishing a phantom device capable of preventing a network attack, medium and device WO2019140876A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810059506.8 2018-01-22
CN201810059506.8A CN108322456A (zh) 2018-01-22 2018-01-22 Method, medium and device for establishing a phantom device for preventing network attacks

Publications (1)

Publication Number Publication Date
WO2019140876A1 true WO2019140876A1 (fr) 2019-07-25

Family

ID=62887561

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/096106 WO2019140876A1 (fr) 2018-01-22 2018-07-18 Method for establishing a phantom device capable of preventing a network attack, medium and device

Country Status (2)

Country Link
CN (1) CN108322456A (fr)
WO (1) WO2019140876A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112578761A (zh) * 2021-02-03 2021-03-30 山东云天安全技术有限公司 Industrial control honeypot security protection apparatus and method
US12015630B1 (en) * 2020-04-08 2024-06-18 Wells Fargo Bank, N.A. Security model utilizing multi-channel data with vulnerability remediation circuitry

Families Citing this family (1)

Publication number Priority date Publication date Assignee Title
CN115664844B (zh) * 2022-11-17 2024-02-23 博智安全科技股份有限公司 Protocol-proxy-based honeypot camouflage simulation method, apparatus and electronic device

Citations (4)

Publication number Priority date Publication date Assignee Title
CN101582907A (zh) * 2009-06-24 2009-11-18 成都市华为赛门铁克科技有限公司 Method for enhancing honeynet deception strength and honeynet system
CN103634264A (zh) * 2012-08-20 2014-03-12 江苏中科慧创信息安全技术有限公司 Active trapping method based on behaviour analysis
US20170019425A1 (en) * 2014-09-30 2017-01-19 Palo Alto Networks, Inc. Synchronizing a honey network configuration to reflect a target network environment
CN107222515A (zh) * 2016-03-22 2017-09-29 阿里巴巴集团控股有限公司 Honeypot deployment method, apparatus and cloud server

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
CN101567887B (zh) * 2008-12-25 2012-05-23 中国人民解放军总参谋部第五十四研究所 Vulnerability-emulating overload honeypot method
CN103139184B (zh) * 2011-12-02 2016-03-30 中国电信股份有限公司 Intelligent network firewall device and network attack protection method
CN105024977A (zh) * 2014-04-25 2015-11-04 湖北大学 Network tracing system based on digital watermarking and honeypot technology
CN107241338A (zh) * 2017-06-29 2017-10-10 北京北信源软件股份有限公司 Network attack prevention apparatus, system and method, readable medium and storage controller


Non-Patent Citations (1)

Title
ZHANG SHAOFANG ET AL.: "Deployment of honeypot system in virtual environment", COMPUTER KNOWLEDGE AND TECHNOLOGY, vol. 13, no. 23, 31 August 2017 (2017-08-31), pages 1 - 3 *

Also Published As

Publication number Publication date
CN108322456A (zh) 2018-07-24

Similar Documents

Publication Publication Date Title
US11271907B2 (en) Smart proxy for a large scale high-interaction honeypot farm
US11265346B2 (en) Large scale high-interactive honeypot farm
US10992704B2 (en) Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network
US10404661B2 (en) Integrating a honey network with a target network to counter IP and peer-checking evasion techniques
US10230689B2 (en) Bridging a virtual clone of a target device in a honey network to a suspicious device in an enterprise network
Antonakakis et al. Understanding the mirai botnet
US10015198B2 (en) Synchronizing a honey network configuration to reflect a target network environment
US9838416B1 (en) System and method of detecting malicious content
US8997231B2 (en) Preventive intrusion device and method for mobile devices
US8006305B2 (en) Computer worm defense system and method
Tsikerdekis et al. Approaches for preventing honeypot detection and compromise
WO2017139489A1 (fr) Automatic honeypot provisioning system
CN110381041B (zh) Distributed denial-of-service attack situation detection method and apparatus
US9350754B2 (en) Mitigating a cyber-security attack by changing a network address of a system under attack
WO2019140876A1 (fr) Method for establishing a phantom device capable of preventing a network attack, medium and device
US10142360B2 (en) System and method for iteratively updating network attack mitigation countermeasures
Chovancová et al. Securing distributed computer systems using an advanced sophisticated hybrid honeypot technology
Qin et al. Worm detection using local networks
JP6592196B2 (ja) Malicious event detection device, malicious event detection method and malicious event detection program
CN117411711A (zh) Threat blocking method for an intrusion detection and prevention system
US8661102B1 (en) System, method and computer program product for detecting patterns among information from a distributed honey pot system
WO2020057156A1 (fr) Security management method and security management device
WO2020176066A1 (fr) Multidimensional visualisation of cyberthreats as a basis for operator guidance
Ohri et al. Software-defined networking security challenges and solutions: A comprehensive survey
Rodrigues et al. Design and implementation of a low-cost low interaction IDS/IPS system using virtual honeypot approach

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18901509; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 18.11.2020))
122 Ep: pct application non-entry in european phase (Ref document number: 18901509; Country of ref document: EP; Kind code of ref document: A1)