
CN107872467A - Honeypot active defense method and honeypot active defense system based on Serverless architecture - Google Patents


Info

Publication number: CN107872467A
Authority: CN (China)
Prior art keywords: attack, processing function, container, honeypot, encryption
Legal status: Pending
Application number: CN201711432754.4A
Other languages: Chinese (zh)
Inventors: 刘畅, 毋涛, 王智明, 贾智宇, 卢莹
Current Assignee: China United Network Communications Group Co Ltd
Original Assignee: China United Network Communications Group Co Ltd
Application filed by China United Network Communications Group Co Ltd
Priority to CN201711432754.4A
Publication of CN107872467A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1458: Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a honeypot active defense method and a honeypot active defense system based on a Serverless architecture. The honeypot active defense method includes: identifying the attack behavior type from the attacker's attack information and generating a corresponding scheduling instruction from the identification result; selecting, according to the scheduling instruction, the container image of the attack processing function corresponding to that attack type from the image repository and instantiating it, so as to create a container able to run the attack processing function, and processing the attack information with the container to generate response information; and receiving the response information and sending it to the attacker. The technical solution can respond quickly to different types of attacks; in addition, because the "honeypot" is implemented with containers, it has good environment isolation and prevents, as far as possible, an attacker from using the honeypot environment to threaten the whole network in which it resides.

Description

Honeypot active defense method and honeypot active defense system based on Serverless architecture

Technical field

The invention relates to the field of network technology, and in particular to a honeypot active defense method and a honeypot active defense system based on a Serverless architecture.

Background

With the development of the Internet, network security has received wide attention. Current network security technology is mainly divided into passive defense technology and active defense technology.

Passive defense technology guards against intrusion from the outside and performs access control on the inside. It mainly configures security policies on firewalls and similar devices, and strives to formulate the defense policy before an attack occurs so that the attack can be blocked.

Active defense technology mainly includes intrusion detection, honeypots and similar technologies, and strives to sense attack behavior as it happens so that defenses can be deployed. Honeypot technology deploys one or more hosts with weaknesses in the production network to attract the attacker's attention and capture the attacker's concrete attack behavior, so that corresponding defenses can be deployed against that behavior and the security of the network further hardened.

However, existing honeypot systems are all deployed in real system environments and networks with limited resources, and cannot respond quickly to the increasingly common resource-exhausting denial of service (Denial Of Service, DOS) attacks. In addition, an existing honeypot system can handle only a single kind of attack and is extremely easy to compromise; at the same time, because the honeypot is deployed in the real system environment, once an attacker discovers and compromises it, it can be used as a springboard to threaten the whole network environment in which it resides.

Summary of the invention

The present invention aims to solve at least one of the technical problems in the prior art, and proposes a honeypot active defense method and a honeypot active defense system based on a Serverless architecture.

To achieve the above object, the present invention provides a honeypot active defense method based on a Serverless architecture, including:

identifying the attack behavior type according to the attacker's attack information, and generating a corresponding scheduling instruction according to the identification result;

selecting, according to the scheduling instruction, the container image of the attack processing function corresponding to the attack behavior type from an image repository and instantiating it, so as to create a container capable of running the attack processing function, and processing the attack information with the container to generate response information;

receiving the response information and sending it to the attacker.

Optionally, the method further includes:

recording the attacker's attack information.

Optionally, after the step in which the container processes the attack information, the method further includes:

reclaiming the container.

Optionally, the attack behavior type includes at least one of: port probing attack, SQL injection attack, overflow attack, denial of service attack, encryption attack, password probing attack, flooding attack, and unknown-type attack.

Optionally, the attack processing function includes at least one of: a port probing processing function, a database request processing function, an overflow attack processing function, a denial of service attack processing function, an encryption attack processing function, a password probing processing function, a flooding attack processing function, and an unknown attack processing function;

where the port probing processing function corresponds to the port probing attack;

the database request processing function corresponds to the SQL injection attack;

the overflow attack processing function corresponds to the overflow attack;

the denial of service attack processing function corresponds to the denial of service attack;

the encryption attack processing function corresponds to the encryption attack;

the password probing processing function corresponds to the password probing attack;

the flooding attack processing function corresponds to the flooding attack;

the unknown attack processing function corresponds to the unknown-type attack.

To achieve the above object, the present invention also provides a honeypot active defense system based on a Serverless architecture, including:

an attack identification routing module, configured to identify the attack behavior type according to the attacker's attack information and to generate a corresponding scheduling instruction according to the identification result;

a container cluster management module, configured to select, according to the scheduling instruction, the container image of the attack processing function corresponding to the attack behavior type from an image repository and instantiate it, so as to create a container capable of running the attack processing function, and to process the attack information with the container to generate response information;

a response result processing module, configured to receive the response information and send it to the attacker.

Optionally, the system further includes a log collection module configured to record the attacker's attack information.

Optionally, the container cluster management module is further configured to reclaim the container after the container has processed the attack information.

Optionally, the attack behavior type includes at least one of: port probing attack, SQL injection attack, overflow attack, denial of service attack, encryption attack, password probing attack, flooding attack, and unknown-type attack.

Optionally, the attack processing function includes at least one of: a port probing processing function, a database request processing function, an overflow attack processing function, a denial of service attack processing function, an encryption attack processing function, a password probing processing function, a flooding attack processing function, and an unknown attack processing function;

where the port probing processing function corresponds to the port probing attack;

the database request processing function corresponds to the SQL injection attack;

the overflow attack processing function corresponds to the overflow attack;

the denial of service attack processing function corresponds to the denial of service attack;

the encryption attack processing function corresponds to the encryption attack;

the password probing processing function corresponds to the password probing attack;

the flooding attack processing function corresponds to the flooding attack;

the unknown attack processing function corresponds to the unknown-type attack.

The present invention has the following beneficial effects:

The present invention provides a honeypot active defense method and a honeypot active defense system based on a Serverless architecture. The honeypot active defense method includes: identifying the attack behavior type according to the attacker's attack information and generating a corresponding scheduling instruction according to the identification result; selecting, according to the scheduling instruction, the container image of the attack processing function corresponding to the attack behavior type from the image repository and instantiating it, so as to create a container capable of running the attack processing function, and processing the attack information with the container to generate response information; and receiving the response information and sending it to the attacker. The technical solution of the present invention can respond quickly to different types of attacks; in addition, the "honeypot" is implemented with containers, which gives good environment isolation and prevents, as far as possible, an attacker from using the honeypot environment to threaten the whole network environment in which it resides.

Description of the drawings

FIG. 1 is a schematic structural diagram of a honeypot active defense system based on a Serverless architecture provided by Embodiment 1 of the present invention;

FIG. 2 is a flow chart of a honeypot active defense method based on a Serverless architecture provided by Embodiment 2 of the present invention.

Detailed description

To help those skilled in the art better understand the technical solution of the present invention, the honeypot active defense method and honeypot active defense system based on a Serverless architecture provided by the present invention are described in detail below with reference to the accompanying drawings.

Serverless architecture (literally "architecture without servers") is one of the most recently emerged architecture patterns. In practical terms it means the ability to deploy software without any intervention in the infrastructure: the Serverless platform automates the building, deployment and on-demand start-up of services across the whole process, and users only need to register the business functions they require together with those functions' resource requirements.

It differs from a traditional architecture in that the server-side logic runs in stateless compute containers, is triggered by events and is managed entirely by a third party, while the business-level state is kept in the database and storage resources used by the developer. The Serverless architecture has the following specific characteristics:

1) Fast start-up: it must respond quickly to event requests and be able to complete start-up within sub-second time.

2) Elastic scaling: resources can be allocated automatically on the cluster according to application demand and scaled on demand without manual intervention.

3) Good isolation: different applications do not interfere with one another.

4) Robustness: when execution of the application logic fails, it can be quickly rescheduled and re-executed.

Based on the above characteristics of the Serverless architecture, the present invention provides a honeypot active defense method and a honeypot active defense system with better defensive capability.

FIG. 1 is a schematic structural diagram of a honeypot active defense system based on a Serverless architecture provided by Embodiment 1 of the present invention. As shown in FIG. 1, the system includes an attack identification routing module 1, a container cluster management module 2 and a response result processing module 3.

The attack identification routing module 1 is configured to identify the attack behavior type according to the attacker's attack information and to generate a corresponding scheduling instruction according to the identification result.

The container cluster management module 2 is configured to select, according to the scheduling instruction, the container image of the attack processing function corresponding to the attack behavior type from an image repository and instantiate it, so as to create a container capable of running the attack processing function, and to process the attack information with the container to generate response information.

The response result processing module 3 is configured to receive the response information and send it to the attacker, so as to confuse the attacker.

In the present invention, the attack behavior types that the attack identification routing module 1 can recognize may be set according to practical experience. As an option, the attack behavior type includes at least one of: port probing attack, SQL injection attack, overflow attack, denial of service (Denial of Service, DOS) attack, encryption attack, password probing attack, and flooding attack. To make the system complete, an additional "unknown-type attack" class can be defined, and attack behavior that does not belong to any of the known types above is assigned to that class.

In practice, the more attack behavior types the attack identification routing module 1 can recognize, the stronger the defense capability of the honeypot active defense system. In this embodiment, the description takes as an example the eight attack behavior types named above: port probing attack, SQL injection attack, overflow attack, denial of service attack, encryption attack, password probing attack, flooding attack and unknown-type attack. Of course, the way attack behavior types are divided can be adjusted according to actual needs.

An image repository is provided in the container cluster management module 2, and attack processing functions for the different types of attack behavior are stored in the image repository in advance. In the present invention, the "attack processing function" corresponding to an attack behavior type is specifically the logic that responds to the attacker's attack behavior by emulating a virtual operating system and network service and feeds corresponding data back to the attacker, so as to create the illusion that a real operating system and network service have been attacked and thereby deceive the attacker. In essence, the attack processing function is the algorithm used to perform the corresponding computation on the attacker's attack information.

Optionally, in this embodiment the attack processing function includes at least one of: a port probing processing function, a database request processing function, an overflow attack processing function, a denial of service attack processing function, an encryption attack processing function, a password probing processing function, a flooding attack processing function, and an unknown attack processing function; where the port probing processing function corresponds to the port probing attack; the database request processing function corresponds to the SQL injection attack; the overflow attack processing function corresponds to the overflow attack; the denial of service attack processing function corresponds to the denial of service attack; the encryption attack processing function corresponds to the encryption attack; the password probing processing function corresponds to the password probing attack; the flooding attack processing function corresponds to the flooding attack; and the unknown attack processing function corresponds to the unknown-type attack.

Here, the port probing processing function is the algorithm used to compute on the attack information when the emulated operating system or network service is subjected to a port probing attack; the database request processing function is the algorithm used to compute on the attack information when the emulated operating system or network service is subjected to a database request attack; the overflow attack processing function is the algorithm used when it is subjected to an overflow attack; the denial of service attack processing function is the algorithm used when it is subjected to a denial of service attack; the encryption attack processing function is the algorithm used when it is subjected to an encryption attack; the password probing processing function is the algorithm used when it is subjected to a password probing attack; and the flooding attack processing function is the algorithm used when it is subjected to a flooding attack. The specific algorithm for each of these seven processing functions may be chosen from the algorithms known in the prior art for handling the corresponding type of attack behavior, and they are not enumerated here.

The unknown attack processing function is the algorithm used to compute on the attack information when the emulated operating system or network service is subjected to an attack of unknown type; it can be set according to actual needs.

The technical solution of the present invention is described in detail below with an example. Assume that the attacker launches a denial of service attack on the system.

First, the attack identification routing module 1 checks the attack information sent by the attacker against pre-stored templates of attack information for the different attack behavior types, and determines that the attack behavior type is a denial of service attack. Next, the attack identification routing module 1 sends the container cluster management module 2 a scheduling instruction to schedule the denial of service attack processing function. The container cluster management module 2 then, according to the received scheduling instruction, fetches the container image of the denial of service attack processing function from the image repository and randomly selects an idle node (an idle server) in the cloud service cluster on which to instantiate that image, creating a container capable of running the denial of service attack processing function. After that, the container processes the attack information sent by the attacker, generates response information (emulating the data the system would output after being subjected to a denial of service attack), and sends the generated response information to the response result processing module 3. Finally, the response result processing module 3 sends the response information to the attacker, creating the illusion that a real operating system or network service has been attacked and thereby deceiving the attacker.

It should be noted that container technology isolates an application's environment very well, which prevents, as far as possible, an attacker from using the honeypot environment to threaten the whole network environment in which it resides.

Further preferably, the honeypot active defense system provided by the present invention can also scale system resources dynamically on demand. Specifically, when the system comes under a sudden attack it can quickly expand its own computing resources (by creating containers) in order to lure the attacker, and once a container has finished computing on the attack information, the container cluster management module 2 reclaims the container's resources.

Preferably, the honeypot active defense system further includes a log collection module 4 configured to record the attacker's attack information. In this embodiment the container cluster management module 2 is connected to the log collection module 4, and the log collection module 4 records the attacker's attack behavior for subsequent analysis. In addition, the log collection module 4 may also be able to decode encrypted attack protocols, so as to support subsequent security hardening.

Embodiment 1 of the present invention provides a honeypot active defense system based on a Serverless architecture that can respond quickly to different types of attacks; in addition, the "honeypot" is implemented with containers, which gives good environment isolation and prevents, as far as possible, an attacker from using the honeypot environment to threaten the whole network environment in which it resides.

图2为本发明实施例二提供的一种基于Serverless架构的蜜罐主动防御方法的流程图,如图2所示,该蜜罐主动防御方法基于上述实施例一中的蜜罐主动防御系统,对于该蜜罐主动防御系统的具体描述可参见上述实施例一中的内容,此处不再赘述;该蜜罐主动防御方法包括:Fig. 2 is a flow chart of a honeypot active defense method based on the Serverless architecture provided by Embodiment 2 of the present invention. As shown in Fig. 2, the honeypot active defense method is based on the honeypot active defense system in the first embodiment above, For the specific description of the honeypot active defense system, please refer to the content in the above-mentioned embodiment one, which will not be repeated here; the honeypot active defense method includes:

步骤S1、根据攻击者的攻击信息对攻击行为类型进行鉴定,并根据鉴定结果生成相应的调度指令。Step S1, identifying the attack behavior type according to the attacker's attack information, and generating a corresponding dispatching instruction according to the identification result.

步骤S1由上述实施例一中的攻击鉴定路由模块来执行。Step S1 is executed by the attack identification routing module in the first embodiment above.

Optionally, the attack behavior types include at least one of: port probing attack, SQL injection attack, overflow attack, denial-of-service attack, encryption attack, password probing attack, flooding attack, and unknown-type attack. In the present invention, the more attack behavior types the attack identification routing module can recognize, the stronger the defense capability of the honeypot active defense system.

Step S2: According to the scheduling instruction, select the container image of the attack processing function corresponding to the attack behavior type from the image repository and instantiate it, so as to create a container capable of running the attack processing function; then use the container to process the attack information and generate response information.

Step S2 is performed by the container cluster management module of Embodiment 1 above.

Optionally, the attack processing functions include at least one of: a port probing processing function, a database request processing function, an overflow attack processing function, a denial-of-service attack processing function, an encryption attack processing function, a password probing processing function, a flooding attack processing function, and an unknown attack processing function. The port probing processing function corresponds to the port probing attack; the database request processing function corresponds to the SQL injection attack; the overflow attack processing function corresponds to the overflow attack; the denial-of-service attack processing function corresponds to the denial-of-service attack; the encryption attack processing function corresponds to the encryption attack; the password probing processing function corresponds to the password probing attack; the flooding attack processing function corresponds to the flooding attack; and the unknown attack processing function corresponds to the unknown-type attack.

Preferably, in this embodiment, after the container has finished processing the attack information, the container cluster management module reclaims the container's resources, so that the system scales dynamically on demand.

Step S3: Receive the response information and send it to the attacker.

Step S3 is performed by the response result processing module of Embodiment 1 above.

The response result processing module receives the response information generated by the container cluster management module and sends it to the attacker, in order to mislead the attacker.

Preferably, in this embodiment, the method further includes, after step S2:

Step S4: Record the attacker's attack information.

Step S4 is performed by the log collection module of Embodiment 1 above.

The log collection module records the attacker's attack behavior for subsequent analysis. In addition, the log collection module may also be capable of decoding encrypted attack protocols, thereby supporting subsequent security hardening.

It should be noted that the technical solution of the present invention does not restrict the execution order of step S4.

For the detailed description of steps S1 to S4 above, refer to the corresponding content of Embodiment 1; details are not repeated here.

Embodiment 2 of the present invention provides a honeypot active defense method based on a Serverless architecture, which can respond quickly to different types of attacks. In addition, the "honeypot" is implemented as a container, which provides good environment isolation and prevents, to the greatest extent possible, an attacker from using the honeypot environment to threaten the entire network in which it resides.
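The S1 to S4 pipeline as an added, constructed Python model (not code from the patent or its applicant): attack information is classified, a scheduling instruction names the handler image, an ephemeral container runs the matching processing function, the response goes back to the attacker, the container is reclaimed and the attack is logged. The attack type names, handler replies, rule thresholds and the in-process "container" are assumptions made for this illustration.

```python
"""Toy end-to-end model of steps S1 to S4 of the described method:
identification -> scheduling instruction -> per-type function container
-> response to attacker -> container reclaimed -> attack logged.
Constructed illustration, not the patent's code; the container lifecycle
is simulated in-process rather than on a real cluster."""
from dataclasses import dataclass
import re


@dataclass
class AttackInfo:
    """Attack information as seen by the identification module (constructed fields)."""
    src: str
    port: int
    payload: str
    failed_logins: int = 0   # login failures already seen from src
    pkt_rate: int = 0        # packets per second from src


# --- S1: attack identification routing module (crude, constructed rules) ---
SQLI_PATTERN = re.compile(r"(union\s+select|or\s+1\s*=\s*1|';\s*--)", re.I)

def identify(info: AttackInfo) -> str:
    """Map attack information to an attack behavior type. Only a subset of the
    patent's eight types has a rule here; everything else becomes 'unknown',
    whose handler still returns a plausible reply (the unknown-type fallback)."""
    if info.pkt_rate > 1000:
        return "flood"
    if SQLI_PATTERN.search(info.payload):
        return "sql_injection"
    if info.failed_logins >= 5:
        return "password_probe"
    if len(info.payload) > 512 and len(set(info.payload)) <= 4:
        return "overflow"      # long, low-entropy filler typical of overflow probes
    if info.payload == "":
        return "port_probe"    # connection carrying no data
    return "unknown"


def schedule(attack_type: str) -> dict:
    """Scheduling instruction: names the image the cluster manager must run."""
    return {"image": f"{attack_type}-handler:latest"}


# --- S2: attack processing functions, one per container image ---
def handle_port_probe(info): return f"220 port {info.port} service ready\r\n"
def handle_sqli(info): return "ERROR 1064 (42000): You have an error in your SQL syntax\n"
def handle_password_probe(info): return "Permission denied, please try again.\n"
def handle_overflow(info): return "Segmentation fault (core dumped)\n"
def handle_flood(info): return ""      # absorb silently; never amplify a flood
def handle_unknown(info): return "HTTP/1.1 400 Bad Request\r\n\r\n"

IMAGE_REPOSITORY = {  # stands in for the image repository of step S2
    "port_probe-handler:latest": handle_port_probe,
    "sql_injection-handler:latest": handle_sqli,
    "password_probe-handler:latest": handle_password_probe,
    "overflow-handler:latest": handle_overflow,
    "flood-handler:latest": handle_flood,
    "unknown-handler:latest": handle_unknown,
}


class ContainerClusterManager:
    """Instantiates one function container per attack and reclaims it afterwards."""
    def __init__(self):
        self.active = 0      # containers currently running
        self.log = []        # S4: attack records kept outside the container

    def run(self, instruction: dict, info: AttackInfo) -> str:
        fn = IMAGE_REPOSITORY[instruction["image"]]
        self.active += 1     # instantiate an isolated container for this attack
        try:
            return fn(info)  # process the attack information inside it
        finally:
            self.active -= 1 # reclaim resources once the response exists


def honeypot_round(mgr: ContainerClusterManager, info: AttackInfo):
    """Run S1..S4 for one attack; returns (attack_type, response sent back)."""
    attack_type = identify(info)
    response = mgr.run(schedule(attack_type), info)
    mgr.log.append({"src": info.src, "port": info.port,
                    "type": attack_type, "response_bytes": len(response)})
    return attack_type, response
```

After each round `mgr.active` is back to zero, which is the on-demand scaling the preferred embodiment describes, while `mgr.log` keeps the record the log collection module needs.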

It can be understood that the above embodiments are merely exemplary embodiments adopted to illustrate the principle of the present invention, and the present invention is not limited thereto. Those of ordinary skill in the art may make various modifications and improvements without departing from the spirit and essence of the present invention, and such modifications and improvements are also regarded as falling within the protection scope of the present invention.

Claims (10)

1. A honeypot active defense method based on a Serverless architecture, characterized in that it comprises:
identifying the attack behavior type according to an attacker's attack information, and generating a corresponding scheduling instruction according to the identification result;
according to the scheduling instruction, selecting the container image of the attack processing function corresponding to the attack behavior type from an image repository and instantiating it, so as to create a container capable of running the attack processing function, and using the container to process the attack information and generate response information;
receiving the response information and sending it to the attacker.

2. The honeypot active defense method according to claim 1, characterized in that it further comprises:
recording the attack information of the attacker.

3. The honeypot active defense method according to claim 1, characterized in that, after the step of the container processing the attack information, it further comprises:
reclaiming the container.

4. The honeypot active defense method according to claim 1, characterized in that the attack behavior types include at least one of: port probing attack, SQL injection attack, overflow attack, denial-of-service attack, encryption attack, password probing attack, flooding attack, and unknown-type attack.

5. The honeypot active defense method according to claim 4, characterized in that the attack processing functions include at least one of: a port probing processing function, a database request processing function, an overflow attack processing function, a denial-of-service attack processing function, an encryption attack processing function, a password probing processing function, a flooding attack processing function, and an unknown attack processing function;
wherein the port probing processing function corresponds to the port probing attack;
the database request processing function corresponds to the SQL injection attack;
the overflow attack processing function corresponds to the overflow attack;
the denial-of-service attack processing function corresponds to the denial-of-service attack;
the encryption attack processing function corresponds to the encryption attack;
the password probing processing function corresponds to the password probing attack;
the flooding attack processing function corresponds to the flooding attack;
the unknown attack processing function corresponds to the unknown-type attack.

6. A honeypot active defense system based on a Serverless architecture, characterized in that it comprises:
an attack identification routing module, configured to identify the attack behavior type according to an attacker's attack information and to generate a corresponding scheduling instruction according to the identification result;
a container cluster management module, configured to select, according to the scheduling instruction, the container image of the attack processing function corresponding to the attack behavior type from an image repository and instantiate it, so as to create a container capable of running the attack processing function, and to use the container to process the attack information and generate response information;
a response result processing module, configured to receive the response information and send it to the attacker.

7. The honeypot active defense system according to claim 6, characterized in that it further comprises: a log collection module, configured to record the attack information of the attacker.

8. The honeypot active defense system according to claim 6, characterized in that the container cluster management module is further configured to reclaim the container after the container has processed the attack information.

9. The honeypot active defense system according to claim 6, characterized in that the attack behavior types include at least one of: port probing attack, SQL injection attack, overflow attack, denial-of-service attack, encryption attack, password probing attack, flooding attack, and unknown-type attack.

10. The honeypot active defense system according to claim 9, characterized in that the attack processing functions include at least one of: a port probing processing function, a database request processing function, an overflow attack processing function, a denial-of-service attack processing function, an encryption attack processing function, a password probing processing function, a flooding attack processing function, and an unknown attack processing function;
wherein the port probing processing function corresponds to the port probing attack;
the database request processing function corresponds to the SQL injection attack;
the overflow attack processing function corresponds to the overflow attack;
the denial-of-service attack processing function corresponds to the denial-of-service attack;
the encryption attack processing function corresponds to the encryption attack;
the password probing processing function corresponds to the password probing attack;
the flooding attack processing function corresponds to the flooding attack;
the unknown attack processing function corresponds to the unknown-type attack.
CN201711432754.4A 2017-12-26 2017-12-26 Honeypot active defense method and honeypot active defense system based on Serverless architecture Pending CN107872467A (en)


Publications (1)

Publication Number Publication Date
CN107872467A true CN107872467A (en) 2018-04-03








Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20180403)