CN115567307A - Honeypot protection method and device - Google Patents
- Publication number: CN115567307A
- Application number: CN202211202967.9A
- Authority: CN (China)
- Prior art keywords: platform, honeypot, project, data, client
- Prior art date
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic (second classification path, also under H04L63/14)
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Information Transfer Between Computers (AREA)
Abstract
Embodiments of this specification provide a honeypot protection method and device. The method comprises: receiving a data access request that a client sends to the project domain name, where the project platform and the honeypot platform have the same project domain name; identifying, according to the data access request, whether the client is an abnormal-access client; and if so, forwarding the data access request to the honeypot platform so that the client accesses the honeypot platform instead. Giving the project platform and the honeypot platform the same project domain name leaves the client with no domain-level signal by which to recognise the honeypot platform, which improves the honeypot's disguise and draws the client into deeper access. Forwarding the requests of a client identified as an abnormal-access client to the honeypot platform keeps that client's attack behaviour away from the project platform and protects the project platform's data.
Description
Technical field
Embodiments of this specification relate to the field of network security, and in particular to a honeypot protection method.
Background
With the development of Internet technology, more and more data is deployed on project platforms. Abnormal-access clients damage the project platform, extract its data or alter it, causing serious data security problems.
At present, a deliberately vulnerable imitation of the project platform, a honeypot platform, is set up. The honeypot platform lures abnormal-access clients into attacking it rather than the project platform, and the attack behaviour events collected while they attack the honeypot platform are used to prevent further attacks and to trace their source, protecting the data on the project platform.
However, when the honeypot platform's disguise is insufficient, the abnormal-access client recognises it and avoids accessing it. No attack behaviour events of the abnormal-access client are collected, so the client can be neither prevented nor traced, and the data security of the project platform suffers. A honeypot protection method that is hard to recognise and improves the data security of the project platform is therefore urgently needed.
Summary of the invention
In view of this, embodiments of this specification provide a honeypot protection method. One or more embodiments of this specification also relate to a honeypot protection device, a computing device, a computer-readable storage medium and a computer program, so as to address the technical defects of the prior art.
According to a first aspect of the embodiments of this specification, a honeypot protection method is provided, applied to an access control component integrated on a project platform, comprising:
receiving a data access request sent by a client to the project domain name, where the project platform and the honeypot platform have the same project domain name;
identifying, according to the data access request, whether the client is an abnormal-access client;
if so, forwarding the data access request to the honeypot platform so that the client accesses the honeypot platform.
According to a second aspect of the embodiments of this specification, a honeypot protection method is provided, applied to a honeypot platform, comprising:
receiving a data access request forwarded by the project platform, where the data access request was sent to the project platform by a client using the project domain name, and the project platform and the honeypot platform have the same project domain name;
obtaining, according to the data access request, the corresponding decoy data (蜜饵数据);
returning the decoy data to the project platform.
According to a third aspect of the embodiments of this specification, a honeypot protection system is provided, comprising a project platform and a honeypot platform, the project platform having an integrated access control component, where:
the access control component is configured to receive a data access request sent by a client to the project domain name, where the project platform and the honeypot platform have the same project domain name; to identify, according to the data access request, whether the client is an abnormal-access client; and, if so, to forward the data access request to the honeypot platform so that the client accesses the honeypot platform;
the honeypot platform is configured to receive the data access request forwarded by the project platform; to obtain, according to the data access request, the corresponding decoy data; and to return the decoy data to the project platform.
According to a fourth aspect of the embodiments of this specification, an access control component is provided, integrated on a project platform, comprising:
a first receiving module, configured to receive a data access request sent by a client to the project domain name, where the project platform and the honeypot platform have the same project domain name;
an identification module, configured to identify, according to the data access request, whether the client is an abnormal-access client;
a forwarding module, configured to forward the data access request to the honeypot platform when the client is identified as an abnormal-access client, so that the client accesses the honeypot platform.
According to a fifth aspect of the embodiments of this specification, a honeypot protection device is provided, applied to a honeypot platform, comprising:
a second receiving module, configured to receive a data access request forwarded by the project platform, where the data access request was sent to the project platform by a client using the project domain name, and the project platform and the honeypot platform have the same project domain name;
an obtaining module, configured to obtain, according to the data access request, the corresponding decoy data;
a feedback module, configured to return the decoy data to the project platform.
According to a sixth aspect of the embodiments of this specification, a computing device is provided, comprising:
a memory and a processor;
the memory stores computer-executable instructions and the processor executes them; when executed by the processor, the computer-executable instructions implement the steps of the honeypot protection method above.
According to a seventh aspect of the embodiments of this specification, a computer-readable storage medium is provided, storing computer-executable instructions which, when executed by a processor, implement the steps of the honeypot protection method above.
According to an eighth aspect of the embodiments of this specification, a computer program is provided which, when executed on a computer, causes the computer to perform the steps of the honeypot protection method above.
In one or more embodiments of this specification, a data access request sent by a client to the project domain name is received, where the project platform and the honeypot platform have the same project domain name; whether the client is an abnormal-access client is identified according to the data access request; and if so, the data access request is forwarded to the honeypot platform so that the client accesses the honeypot platform. Giving the project platform and the honeypot platform the same project domain name leaves the client unable to recognise the honeypot platform, improves the honeypot's disguise and draws the client into deeper access. Forwarding the requests of a client identified as an abnormal-access client to the honeypot platform keeps that client's attack behaviour away from the project platform and protects the project platform's data.
Description of the drawings
Fig. 1 is a schematic diagram of the architecture of a honeypot protection system provided by an embodiment of this specification;
Fig. 2 is a flowchart of a honeypot protection method provided by an embodiment of this specification;
Fig. 3 is a flowchart of another honeypot protection method provided by an embodiment of this specification;
Fig. 4 is a flowchart of the processing of a honeypot protection method applied to web application data, provided by an embodiment of this specification;
Fig. 5 is a schematic structural diagram of a honeypot protection system provided by an embodiment of this specification;
Fig. 6 is a schematic structural diagram of an access control component provided by an embodiment of this specification;
Fig. 7 is a schematic structural diagram of a honeypot protection device provided by an embodiment of this specification;
Fig. 8 is a structural block diagram of a computing device provided by an embodiment of this specification.
Detailed description
Many specific details are set out in the following description so that this specification can be fully understood. The specification can, however, be implemented in many ways other than those described here, and a person skilled in the art can make similar extensions without departing from its substance; it is therefore not limited to the specific implementations disclosed below.
The terminology used in one or more embodiments of this specification is for describing particular embodiments only and is not intended to limit them. As used in one or more embodiments and in the appended claims, the singular forms "a", "said" and "the" are intended to include the plural unless the context clearly indicates otherwise. The term "and/or" as used in one or more embodiments refers to and includes any and all possible combinations of one or more of the associated listed items.
Although the terms first, second and so on may be used in one or more embodiments to describe various pieces of information, that information is not limited by these terms, which serve only to distinguish information of the same kind from one another. For example, without departing from the scope of one or more embodiments, the first may also be called the second and the second the first. Depending on context, the word "if" as used here may be read as "at the time of", "when" or "in response to determining".
First, the terms used in one or more embodiments of this specification are explained.
Honeypot platform: a technique for luring abnormal-access clients into attacking. Decoy data (蜜饵数据) is deployed so that an abnormal-access client attacks in order to obtain it; while the client attacks the honeypot platform, the platform collects its attack behaviour events for analysis, which improves the ability to prevent and respond to abnormal-access clients and protects the data security of the real project platform. The honeypot platform closely resembles the project platform, so an abnormal-access client accessing data on the honeypot platform finds it hard to perceive any difference between the two.
Domain name: a dot-separated string naming a terminal or a group of terminals on the Internet, used to locate and identify terminals during data transmission. A domain name corresponds to the terminal's IP (Internet Protocol) address.
URL (Uniform Resource Locator): the notation used by World Wide Web services on the Internet to specify the location of a piece of information.
Interface: in code development, a class module that encapsulates data access methods. Through an interface a client can access databases, functional nodes and the like.
Honeypot platforms are currently divided by interactivity into low-interaction honeypot platforms, high-interaction honeypot platforms and even pure honeypot platforms. A high-interaction honeypot platform simulates the interaction between the real project platform and its clients and interacts with the abnormal-access client the way the project platform would, so the abnormal-access client is more easily lured into deeper data access; this improves the honeypot's disguise to a degree. Because the abnormal-access client goes deeper in a high-interaction honeypot platform, the platform collects more attack behaviour events and supports deeper analysis of the attack behaviour and of the abnormal-access client. Compared with low-interaction and pure honeypot platforms, this improves the ability to prevent and trace abnormal-access clients and protects the project platform's data more effectively.
Although a high-interaction honeypot platform has advantages over low-interaction and pure honeypot platforms, it is still deployed separately and receives data access requests through a preset domain name or port. The domain name or port therefore corresponds one-to-one with the high-interaction honeypot platform, and an abnormal-access client can exploit this correspondence: it tags the honeypot platform by its domain name or port and avoids accessing the high-interaction honeypot platform behind the tagged domain name or port. The high-interaction honeypot platform is thus insufficiently disguised, no attack behaviour events of the abnormal-access client can be collected there, the client can be neither prevented nor traced, and the data security of the project platform suffers.
To address these problems, this specification provides a honeypot protection method and also relates to a honeypot protection system, a computing device and a computer-readable storage medium, each described in detail in the following embodiments.
Referring to Fig. 1, Fig. 1 shows a schematic diagram of the architecture of a honeypot protection system provided by an embodiment of this specification.
As shown in Fig. 1, the honeypot protection system comprises a project platform, a honeypot platform and a cloud server. The project platform has an integrated access control component and hosts the project data. The project platform is organised into multiple project endpoints, and the honeypot platform into multiple honeypot agents.
A client sends a data access request to the project platform. The access control component intercepts the request and, from it, decides whether the client is a normal-access client or an abnormal-access client. For a normal-access client, the project data is fetched according to the request; for an abnormal-access client, the request is forwarded to the honeypot platform. After the request is forwarded, the honeypot platform collects the client's attack behaviour events and sends them to the cloud server. The cloud server generates a detection policy from the attack behaviour events and sends it to the access control component, which then judges subsequent clients according to the detection policy.
Referring to Fig. 2, Fig. 2 shows a flowchart of a honeypot protection method provided by an embodiment of this specification. The method is applied to the access control component integrated on the project platform and comprises the following steps.
Step 202: receive a data access request sent by a client to the project domain name, where the project platform and the honeypot platform have the same project domain name.
The embodiments of this specification apply to the access control component integrated on the project platform. Because the component is integrated there, a client that wants to access data must send its data access request to the project platform; once the component identifies the client as an abnormal-access client, it forwards the request to the honeypot platform. The honeypot platform is thereby deeply integrated with the real project in the data access path while the data itself stays decoupled: the abnormal-access client does not obtain project data, yet cannot perceive that its access has been redirected to the honeypot platform. This improves the disguise of the honeypot platform and protects the data security of the project platform.
The project platform is a data service platform deployed in a network system and hosting project data, for example the project data server of an application or website, or the project database of an organisation. It comprises multiple project endpoints, each serving a specific data access function; for instance, a client that needs geographic data held on the project platform accesses the project endpoint where that data resides in order to obtain it.
The access control component controls access traffic and has traffic interception, traffic analysis and traffic forwarding functions. It may be integrated hardware with these functions or an integrated virtual function module with these functions, for example a traffic interceptor placed at the traffic entry point of the project platform. The access control component does not itself process project data. It is preconfigured with multiple interfaces, each corresponding to a data type in the data access requests, through which the requests are forwarded. It intercepts and analyses every data access request sent to the project platform and, once the analysis is complete, forwards each request to the project platform or to the honeypot platform. Because the component is integrated on the project platform, a client can only confirm that its request was sent to the project platform; it cannot confirm which specific port the request was delivered to, and so cannot tell whether the data it subsequently accesses comes from the project platform or from the honeypot platform.
The project domain name is the domain name under which the project platform's project data is made available. For the website "ABC", for example, the project data is reachable at "www.ABC.com", "www.ABC.com:80" and "www.ABC.com:21", where 80 is the HTTP (Hyper Text Transfer Protocol) access port and 21 the FTP (File Transfer Protocol) access port preset for the website. Any client access through these domain names is intercepted and analysed by the access control component. The project platform and the honeypot platform have the same project domain name, so the client can only perceive that it sent a data access request to the project domain name; it cannot determine whether the request went to the project platform or to the honeypot platform.
The data access request is the network transmission data a client sends to the project platform to request access to project data. It carries access sub-information: client information, project data information, the data access method and transmission network information. Client information identifies the client and includes the client IP address, client MAC address, client geolocation and so on. Project data information identifies the project data and includes its name, type, storage address and so on. Data access methods include GET and POST. Transmission network information identifies the transmission network between the client and the project platform and includes the network transmission protocol, the network transmission path and so on.
For example, the access control component receives a data access request Request that a client sent to the project domain name "www.ABC.com". The request includes client information (client IP address, client MAC address, client geolocation), project data information (name, type and storage address of the project data), the data access method and transmission network information (network transmission protocol, network transmission path).
Receiving the data access request sent to the project domain name, with the project platform and the honeypot platform sharing that domain name, provides the data on which the client is subsequently identified as an abnormal-access client or not. In addition, because the project platform and the honeypot platform have the same project domain name, the disguise of the honeypot platform is improved.
Step 204: According to the data access request, identify whether the client is an abnormal access client.
Identifying whether the client is an abnormal access client according to the data access request is specifically done by identifying whether the client is an abnormal access client according to the access information in the data access request.
Continuing the above embodiment, the access control component pre-records that a client with an abnormal access reference IP address is an abnormal access client. The access information in the data access request, specifically the client IP address in the client information, is compared with the abnormal access reference IP addresses; if the client IP address hits an abnormal access reference IP address, the client is determined to be an abnormal access client.
Identifying whether the client is an abnormal access client according to the data access request provides a reference for subsequently forwarding the data access request to the honeypot platform, which improves the stability of the project platform while ensuring the data security of the project platform.
Step 206: If so, forward the data access request to the honeypot platform so that the client accesses the honeypot platform.
In an embodiment of this specification, a plurality of honeypot interfaces corresponding to the honeypot platform are provided on the project platform, a plurality of honeypot agents are preset in the honeypot platform, and each honeypot interface corresponds to one or more preset honeypot agents. Each honeypot agent is a forged project endpoint set up in advance to correspond to a project endpoint in the project platform, and has a high similarity to that project endpoint. The honeypot platform is preset so that it can only be accessed by the access control component. Providing multiple honeypot agents ensures that after one honeypot agent is compromised by an abnormal access client, the honeypot platform remains difficult to distinguish and can still induce the abnormal access client to continue in-depth access.
Forwarding the data access request to the honeypot platform so that the client accesses the honeypot platform is specifically done by forwarding the data access request through a honeypot interface to the corresponding honeypot platform, so that the abnormal access client accesses the honeypot platform.
Continuing the above example, the data access request Request is forwarded to the honeypot platform through honeypot interface 1, so that the abnormal access client accesses the honeypot platform.
In an embodiment of this specification, the data access request sent by the client according to the project domain name is received, where the project platform and the honeypot platform have the same project domain name; whether the client is an abnormal access client is identified according to the data access request; and if so, the data access request is forwarded to the honeypot platform so that the client accesses the honeypot platform. Setting the same project domain name for the project platform and the honeypot platform means the client cannot identify the honeypot platform, which improves the camouflage of the honeypot platform and guides deeper access. When the client is identified as an abnormal access client, the data access request is forwarded to the honeypot platform, which prevents the abnormal access client from attacking the project platform and protects the data security of the project platform.
Optionally, the project platform and the honeypot platform are deployed in different geographic locations.
At present, some schemes deploy the honeypot platform and the project platform in the same geographic location, that is, in the same machine room. Correspondingly, once the honeypot platform is compromised, the abnormal access client can take control of the traffic forwarding component and modify its traffic forwarding logic, so that the honeypot platform is used as a springboard for attacking the project platform. At the same time, because the honeypot platform and the project platform are deployed in the same machine room, running the honeypot platform consumes limited data resources, which increases the performance burden on the machine room's hardware for handling normal project data access.
In an embodiment of this specification, the project platform and the honeypot platform are deployed in different geographic locations, that is, in different machine rooms.
For example, the project platform is deployed in a machine room at site A and the honeypot platform in a machine room at site B, so that the project platform and the honeypot platform are physically isolated.
Isolating the project platform from the honeypot platform physically at the machine room level, combined with the execution logic of the access control component described above (that is, the abnormal access client must send its data access request through the project domain name), makes it difficult for the abnormal access client to perceive the existence of the honeypot platform. Even if the honeypot platform is compromised, the abnormal access client can hardly use the access control component to attack a project platform deployed in a different geographic location, so the honeypot platform cannot be used as a springboard for attacking the project platform. This further improves the data security of the project platform. At the same time, because the honeypot platform and the project platform are deployed in different geographic locations, running the honeypot platform does not consume the project platform's resources, which reduces the performance burden on the hardware for handling normal project data access and improves the data processing performance of the project platform.
Optionally, after step 204, the method further includes the following specific step:
If not, the client is allowed to access the project data in the project platform.
If the access control component identifies that the client is not an abnormal access client, that is, it is a normal access client, the normal access client is allowed to access the project data in the project platform normally, which ensures that the project platform can provide its data access function normally.
Allowing the client to access the project data in the project platform is specifically done by allowing the normal access client to access the project data in the project platform through a project interface.
For example, the access control component pre-records that a client with a specific network transmission path is an abnormal access client. The access information in the data access request, specifically the network transmission path in the client information, is compared with the specific network transmission path; the network transmission path in the client information does not contain the specific network transmission path, so the client is determined to be a normal access client and is allowed to access, through project interface 1, the project data in the project platform corresponding to project interface 1.
If the client is identified as not being an abnormal access client, the client is allowed to access the project data in the project platform, which ensures that the project platform can provide its data access function normally and guarantees the stability of the project platform.
Optionally, the project platform includes a project endpoint;
Correspondingly, allowing the client to access the project data in the project platform includes the following specific steps:
sending the data access request to a target project endpoint through a project interface;
receiving the project data returned by the target project endpoint based on the data access request;
sending the project data to the client.
A project endpoint in the project platform is a data access function module set up according to project data information; for example, if the project data is the log data of the project platform, the project endpoint is the data access function module for the log data. The specific data access interface preset for a project endpoint is the project interface. The target project endpoint is the project endpoint corresponding to the type of project data in the data access request sent by the client.
Sending the data access request to the target project endpoint through the project interface is specifically done by determining the corresponding project interface according to the project data information in the data access request, establishing a data transmission connection with the target project endpoint through that project interface, and sending the data access request to the target project endpoint.
For example, according to the type of project data in the data access request Request, namely customer personal information, the corresponding project interface 23 is determined, a data transmission connection is established with the customer personal information project endpoint through project interface 23, and the data access request Request is sent to the customer personal information project endpoint.
Receiving the project data returned by the target project endpoint based on the data access request is specifically receiving the project data returned by the target project endpoint based on the project data information in the data access request.
For example, the project data in the data access request is named "Customer_info"; the customer personal information project endpoint obtains the corresponding project data DATA according to that name, and the access control component receives the project data DATA returned by the customer personal information project endpoint.
The data access request is sent to the target project endpoint through the project interface, the project data returned by the target project endpoint based on the data access request is received, and the project data is sent to the client. Sending the data access request to the target project endpoint through the project interface lets the normal access client obtain the project data accurately, which further ensures that the project platform can provide its data access function normally and remains stable.
Optionally, the honeypot platform includes a honeypot agent;
Correspondingly, forwarding the data access request to the honeypot platform in step 206 includes the following specific steps:
forwarding the data access request to a target honeypot agent through a honeypot interface;
receiving the honeybait data returned by the target honeypot agent based on the data access request;
sending the honeybait data to the client.
The honeypot agent in the honeypot platform is a data access function module built for the project data of the corresponding project endpoint. Honeybait data is deployed in the honeypot agent; the honeybait data has a high similarity to the project data, and the way the honeypot agent deploys the honeybait data likewise has a high similarity to the way the project endpoint deploys the project data. For example, corresponding to the log data project endpoint, a log data honeypot agent is built in which honeybait data is deployed as forged log data. If the log data project endpoint deploys log data by creating a separate data unit (for example, a folder) per day, with the time information in the log data in the format "year-month-day-hour-minute-second", then the log data honeypot agent also creates a separate data unit (for example, a folder) per day, and the time information in the honeybait data is also in the format "year-month-day-hour-minute-second". The target honeypot agent is the honeypot agent corresponding to the project data information in the data access request sent by the client. Because the honeybait data is highly similar to the project data and the honeypot agent's deployment of the honeybait data is highly similar to the project endpoint's deployment of the project data, an abnormal access client performing abnormal access can hardly distinguish honeybait data from project data, and cannot tell whether the object it is accessing is the project platform or the honeypot platform, which induces it to perform deeper data access.
The honeybait data can be constructed by applying at least one of adding, modifying, deleting and masking to the project data; by processing the project data with a pre-trained neural network model; or by obtaining part of the project data and mixing the honeybait data constructed in the first two ways with that part of the project data to obtain the honeybait data. Such honeybait data makes it even harder for an abnormal access client to distinguish honeybait data from project data during abnormal access, and further induces it to perform deeper data access.
Forwarding the data access request to the target honeypot agent through the honeypot interface is specifically done by determining the corresponding honeypot interface according to the project data information in the data access request, establishing a data transmission connection with the target honeypot agent through that honeypot interface, and sending the data access request to the target honeypot agent.
For example, according to the storage address of the project data in the data access request Request, "Browser\UserData\Default" (customer personal information), the corresponding honeypot interface 35 is determined, a data transmission connection is established with the customer personal information honeypot agent through honeypot interface 35, and the data access request Request is sent to the customer personal information honeypot agent.
Receiving the honeybait data returned by the target honeypot agent based on the data access request is specifically receiving the project data returned by the target project endpoint based on the project data information in the data access request.
For example, the storage address of the project data in the data access request is "Browser\User Data\Default"; the customer personal information honeypot agent obtains the corresponding project data DATA according to that storage address, and the access control component receives the project data DATA returned by the customer personal information honeypot agent.
The data access request is forwarded to the target honeypot agent through the honeypot interface, the honeybait data returned by the target honeypot agent based on the data access request is received, and the honeybait data is sent to the client. Sending the data access request to the target honeypot agent through the honeypot interface lets the abnormal access client obtain the honeybait data accurately, which makes it even harder to distinguish honeybait data from project data and the honeypot platform from the project platform, further improves the camouflage of the honeypot platform and further ensures the data security of the project platform.
Optionally, before step 204, the method further includes the following specific step:
receiving a detection policy sent by the cloud server, where the detection policy is generated by the cloud server according to the attack behavior events of clients collected by the honeypot platform;
Correspondingly, step 204 includes the following specific steps:
parsing the data access request to obtain access information;
using the detection policy to check the access information and identify whether the client is an abnormal access client.
The cloud server is a server with attack behavior event collection, attack behavior event analysis and detection policy distribution functions, and may be a cloud server. The cloud server has data transmission connections with the access control component and the honeypot platform: the connection between the cloud server and the access control component is a one-way connection "from the cloud server to the access control component", and the connection between the cloud server and the honeypot platform is a one-way connection "from the honeypot platform to the cloud server". Setting up such one-way transmission connections ensures that after the honeypot platform is compromised by an abnormal access client, it cannot use the data transmission connection to obtain the detection policy from the cloud server and modify it, or send a modified detection policy to the access control component, which would disable the traffic analysis and traffic forwarding functions of the access control component.
The detection policy is a client identification policy generated by the cloud server according to the attack behavior events of clients collected by the honeypot platform. The detection policy implements the traffic analysis function on the access control component. The detection policy may be generated by adjusting a manually set initial detection policy according to the attack behavior events, or obtained directly by analyzing the attack behavior events, which is not limited here. Optionally, the detection policy has a corresponding version, and an updated version of the detection policy is generated according to preset version generation conditions.
Access information is reference information for determining the identity of the client, including access sub-items such as the client, the project data, the data access method and/or the transmission network between the client and the project platform. The access information serves as a reference for identifying whether the client is an abnormal access client. It includes client information, project data information, the data access method and transmission network information. Client information is identification information of the client, including the client IP address, client MAC address and client geolocation; project data information is identification information of the project data, including the name, type and storage address of the project data; the data access method includes methods such as GET() and POST(); and transmission network information is identification information of the transmission network between the client and the project platform, including the network transmission protocol and network transmission path.
Receiving the detection policy sent by the cloud server is specifically receiving the detection policy sent by the cloud server through the one-way data transmission connection. Further, the sending condition may be sending at a preset frequency, sending whenever an update of the detection policy is completed, or sending according to the version of the detection policy, which is not limited here.
For example, the detection policy received from the cloud server at a preset frequency of once a day through the one-way data transmission connection is: abnormal access reference information: 192.168.6.0-192.168.6.255; XX region, YY region, ZZ region ....
Parsing the data access request to obtain the access information is specifically done by identifying the data access request with an information identification tool to obtain the access information. Specifically, the information identification tool is a tool with a keyword identification function, for example, a regular-expression-based information identification tool or a pre-trained information identification neural network model.
Continuing the above example, the message information of the data access request is identified with the regular-expression-based information identification tool, and the access information obtained is: 192.168.6.7; YY region.
Using the detection policy to check the access information and identify whether the client is an abnormal access client is specifically done by using the detection policy to check each access sub-item in the access information. Further, an abnormal confidence may be calculated for each access sub-item and whether the client is an abnormal access client determined according to those abnormal confidences; the abnormal confidence of each access sub-item may be calculated with a pre-trained neural network model or with a confidence calculation function, which is not limited here. Alternatively, each access sub-item may be compared with the abnormal access reference information in the detection policy: if one or more items of abnormal access reference information are hit, the client is determined to be an abnormal access client; if none of the abnormal access reference information is hit, the client is determined to be a normal access client.
Continuing the above example, abnormal access reference information is recorded in the detection policy; each access sub-item is compared with the abnormal access reference information in the detection policy, two items of abnormal access reference information are hit (192.168.6.7; YY region), and the client is determined to be an abnormal access client.
The detection policy sent by the cloud server is received, where the detection policy is generated by the cloud server according to the attack behavior events of clients collected by the honeypot platform; the data access request is parsed to obtain the access information; and the detection policy is used to check the access information and identify whether the client is an abnormal access client. This improves the accuracy of client identification and further protects the data security of the project platform.
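As an added illustration (not code from the patent), here is how the access control component of steps 202 to 206 and the detection-policy steps above could be implemented: a regex-based information identification tool extracts the access sub-items from a constructed request record, each item is compared with the abnormal access reference information from the page's example policy, and a hit routes the request to the honeypot interface, otherwise to the project interface. The key=value request layout, the interface names, the version check on pushed policies and the fail-closed handling of unparseable client addresses are assumptions made here.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed detection policy standing in for the one the cloud server pushes to the
# access control component over the one-way connection; values follow the page's example.
DETECTION_POLICY = {
    "version": 1,
    "abnormal_ip_ranges": ["192.168.6.0-192.168.6.255"],
    "abnormal_regions": {"XX", "YY", "ZZ"},
}

# Hypothetical interface tables (project data name -> interface); the numbering follows
# the page's examples (project interface 23 and honeypot interface 35 for "Customer_info").
PROJECT_INTERFACES = {"Customer_info": "project_interface_23"}
HONEYPOT_INTERFACES = {"Customer_info": "honeypot_interface_35"}

# Constructed request records in a simple key=value layout (assumption made here); a real
# deployment would parse the actual request message instead.
ABNORMAL_REQUEST = ("host=www.ABC.com client_ip=192.168.6.7 region=YY "
                    "data=Customer_info method=GET proto=HTTPS")
NORMAL_REQUEST = ("host=www.ABC.com client_ip=203.0.113.10 region=AA "
                  "data=Customer_info method=GET proto=HTTPS")


@dataclass(frozen=True)
class AccessInfo:
    """The access sub-items the page lists: client, project data, method, network."""
    client_ip: str
    region: str
    data_name: str
    method: str
    protocol: str


# Regex-based "information identification tool": one pattern per access sub-item.
FIELD_PATTERNS = {
    "client_ip": re.compile(r"\bclient_ip=(\S+)"),
    "region": re.compile(r"\bregion=(\S+)"),
    "data_name": re.compile(r"\bdata=(\S+)"),
    "method": re.compile(r"\bmethod=(\S+)"),
    "protocol": re.compile(r"\bproto=(\S+)"),
}


def parse_request(raw: str) -> AccessInfo:
    """Parse the data access request and return its access information."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = pattern.search(raw)
        if match is None:
            raise ValueError(f"request is missing the {name} sub-item")
        fields[name] = match.group(1)
    return AccessInfo(**fields)


def accept_policy(current: dict, incoming: dict) -> dict:
    """Take a pushed policy only if it is well formed and not older than the current one."""
    required = {"version", "abnormal_ip_ranges", "abnormal_regions"}
    if not required <= set(incoming) or incoming["version"] < current["version"]:
        return current
    return incoming


def ip_hits(ip: str, ip_range: str) -> bool:
    """True if the client address falls inside an abnormal access reference range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable client address: fail closed (assumption made here)
    low, high = (ipaddress.ip_address(bound) for bound in ip_range.split("-"))
    if addr.version != low.version:
        return False
    return low <= addr <= high


def detect(info: AccessInfo, policy: dict) -> list:
    """Compare each access sub-item with the reference information; return the hits."""
    hits = [f"ip:{rng}" for rng in policy["abnormal_ip_ranges"] if ip_hits(info.client_ip, rng)]
    if info.region in policy["abnormal_regions"]:
        hits.append(f"region:{info.region}")
    return hits


def route(raw: str, policy: dict) -> dict:
    """Steps 204/206 and the 'if not' branch: pick the interface the request is sent through."""
    info = parse_request(raw)
    hits = detect(info, policy)
    table = HONEYPOT_INTERFACES if hits else PROJECT_INTERFACES
    interface = table.get(info.data_name)
    if interface is None:
        raise ValueError(f"no interface configured for project data {info.data_name!r}")
    return {"target": "honeypot" if hits else "project", "interface": interface, "hits": hits}
```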
Referring to FIG. 3, FIG. 3 shows a flowchart of another honeypot protection method provided by an embodiment of this specification. The method is applied to a honeypot platform and specifically includes the following steps.
Step 302: Receive the data access request forwarded by the project platform, where the data access request is sent by the client to the project platform according to the project domain name, and the project platform and the honeypot platform have the same project domain name.
The embodiment of this specification is applied to the honeypot platform. To access data, the client must send a data access request to the project platform, and the project platform forwards the data access request to the honeypot platform. This deeply integrates the honeypot platform with the real project in the data access part while decoupling the data between them: after the abnormal access client sends a data access request to the project platform, the corresponding honeybait data must be provided, so that the abnormal access client cannot perceive that it is accessing data on the honeypot platform rather than on the project platform. This improves the camouflage of the honeypot platform and protects the data security of the project platform.
The honeypot platform is preset so that it can only be accessed by the access control component in the project platform.
The project platform is a data service platform deployed in a network system that stores project data, for example, the project data server of an application or website, or the project database of an organization. A plurality of honeypot interfaces corresponding to the honeypot platform are provided on the project platform.
The data access request is network transmission data that the client sends to the project platform to request access to project data.
The project domain name is the access domain name of the project data that the project platform exposes externally. The project domain names of the project platform and the honeypot platform are the same, so the client can only perceive that it sent a data access request through the project domain name; it cannot determine whether the data access request was sent to the project platform or to the honeypot platform.
Receiving the data access request forwarded by the project platform is specifically receiving the data access request that the project platform forwards through a honeypot interface.
For example, the data access request Request forwarded by the project platform through honeypot interface 1 is received.
Receiving the data access request forwarded by the project platform provides the data basis for subsequently obtaining the corresponding honeybait data. Because the project platform and the honeypot platform have the same project domain name, the client cannot identify the honeypot platform, which improves the camouflage of the honeypot platform.
Step 304: Obtain the corresponding honeybait data according to the data access request.
Honeybait data is forged project data constructed to correspond to the real project data; it is highly similar to the project data it imitates.
Specifically, the honeybait data is obtained according to the access information carried in the data access request.
Access information is the reference information used to determine the identity of the client. It comprises access sub-information about the client, the project data, the data access method and/or the transmission network between the client and the project platform, and it serves as the basis for deciding whether the client is an abnormal access client. Client information is the identifying information of the client, such as the client IP address, client MAC address and client geolocation; project data information is the identifying information of the project data, such as its name, type and storage address; the data access method is the request method, such as GET or POST; transmission network information identifies the network between the client and the project platform, such as the network transmission protocol and the transmission path.
Continuing the above example, the project data named in the data access request Request is "Customer_info", so the corresponding honeybait data Fake_DATA is obtained.
Obtaining the honeybait data according to the data access request provides the data basis for feeding it back to the project platform in the next step and ensures that the honeybait closely resembles the project data, so that the client cannot recognize the honeypot platform. This further improves the camouflage of the honeypot platform.
Step 306: Feed the honeybait data back to the project platform.
After the honeybait data is fed back to the project platform, the project platform forwards it to the client. Forwarding the honeybait through the project platform ensures that the client never exchanges data directly with the honeypot platform, which makes it hard for an abnormal access client to notice the honeypot platform and induces it to keep probing the honeypot platform more deeply.
Specifically, the honeybait data is fed back to the project platform through the honeypot interface.
For example, the honeybait data Fake_DATA is fed back to the project platform through honeypot interface 1, so that the project platform forwards Fake_DATA to the client.
In this embodiment, the honeypot platform receives the data access request forwarded by the project platform, where the client sent the request to the project platform according to the project domain name and the project platform and the honeypot platform share that project domain name; obtains the corresponding honeybait data according to the request; and feeds the honeybait data back to the project platform. Giving the project platform and the honeypot platform the same project domain name means the client cannot recognize the honeypot platform; in practice the honeypot platform needs no publicly resolvable name of its own, since it is reached only through the honeypot interface of the project platform. Obtaining the honeybait from the data access request guarantees honeybait that closely resembles the project data, which again prevents the client from recognizing the honeypot platform and improves its camouflage. Because the honeypot platform returns the honeybait via the project platform rather than exchanging data with the client directly, an abnormal access client has difficulty sensing the honeypot platform's existence; this further improves the camouflage of the honeypot platform, diverts the attack behaviour of the abnormal access client away from the project platform, and protects the security of the project platform's data.
Optionally, the honeypot platform and the project platform are deployed in different geographic locations.
This option has already been described in detail in the embodiment of FIG. 2 and is not repeated here.
Optionally, the honeypot platform includes honeypot agents.
Correspondingly, before step 304 the method further includes the following specific steps:
determining, according to the data access request, the client's access rights to the target honeypot agent; and
when the client has access rights to the target honeypot agent, obtaining the corresponding honeybait data from the target honeypot agent according to those access rights.
Several honeypot agents are preset in the honeypot platform, and each honeypot agent corresponds to one honeypot interface on the project platform. Each honeypot agent is a forged project end configured in advance to mirror a project end in the project platform, and is highly similar to it. Having several honeypot agents ensures that, after one honeypot agent has been compromised by an abnormal access client, the honeypot platform can still induce the abnormal access client to continue deeper access, as long as the platform itself remains hard to tell apart from the project platform. Project ends in a project platform generally carry access rights; for example, the project end holding the platform management keys requires an administrator identity. The honeypot agents are therefore configured with matching access rights, which raises the effort needed to attack the honeypot platform and its similarity to the project platform, and so improves its camouflage. The target honeypot agent is the honeypot agent corresponding to the project data information in the data access request.
Access rights express the client's rights to access part or all of the data deployed on the honeypot agent. They include call permissions on classes and methods set at the application layer, and data access permissions on containers set at the container layer. For example, some classes and methods are high risk, and calling them on the project end requires a corresponding call permission, so the honeypot agent that hosts the corresponding high-risk class and method data is given the same call permission. Likewise, data in some containers cannot be accessed at all, and the access rights are set accordingly. A denial on the honeypot agent must look exactly like a denial on the real project end (same status and response body); a honeypot-specific error message would reveal the honeypot platform.
The client's access rights to the target honeypot agent are determined from the access information in the data access request, and more specifically from the client information in that request.
For example, based on the client IP address 192.168.2.7 in the data access request Request, the client's access rights to the target honeypot agent are determined to be: rights to all data. According to those rights (all data), the corresponding honeybait data Fake_DATA is obtained from the target honeypot agent.
Determining the client's access rights to the target honeypot agent from the data access request, and obtaining the honeybait from the target honeypot agent according to those rights when the client has them, raises the difficulty of attacking the honeypot platform and its similarity to the project platform, which further improves its camouflage.
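The honeypot-platform side of steps 304 and 306 together with the optional access-rights check above, as an added example written for this page (it is not code from the patent). The agent names, honeypot interface names, the administrator network 192.168.2.0/24, the request field names and the honeybait records are all constructed assumptions; the only values taken from the text are the project data name "Customer_info" and the client address 192.168.2.7.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample honeybait. The real project data never reaches the
# honeypot platform; these records are fakes shaped like the real ones.
FAKE_CUSTOMER_INFO = [
    {"customer_id": 10001, "name": "Fake Customer A", "phone": "138-0000-0001"},
    {"customer_id": 10002, "name": "Fake Customer B", "phone": "138-0000-0002"},
]
FAKE_PLATFORM_KEYS = {"platform_admin_key": "FAKE-KEY-0000-0000-0000"}


@dataclass(frozen=True)
class HoneypotAgent:
    """A forged project end, mirroring one real project end and one honeypot interface."""
    name: str                   # project data name the agent impersonates
    interface: str              # honeypot interface on the project platform it serves
    bait: object                # honeybait data returned for this project data
    admin_only: bool = False    # mirrors a project end that needs an administrator identity
    admin_networks: tuple = ()  # assumption: client networks treated as administrators

    def access_level(self, client_ip: str) -> str:
        """Return "all" or "none" for this client.

        The patent derives the rights from the client information in the
        request; this example uses only the client IP address.
        """
        if not self.admin_only:
            return "all"
        ip = ipaddress.ip_address(client_ip)
        if any(ip in ipaddress.ip_network(net) for net in self.admin_networks):
            return "all"
        return "none"


# Assumption: one agent per project end, keyed by the project data name.
HONEYPOT_AGENTS = {
    "Customer_info": HoneypotAgent(
        "Customer_info", "honeypot_interface_1", FAKE_CUSTOMER_INFO),
    "Platform_keys": HoneypotAgent(
        "Platform_keys", "honeypot_interface_2", FAKE_PLATFORM_KEYS,
        admin_only=True, admin_networks=("192.168.2.0/24",)),
}


def extract_access_info(request: dict) -> dict:
    """Group the access sub-information listed above out of a forwarded request."""
    return {
        "client": {"ip": request["client_ip"],
                   "mac": request.get("client_mac"),
                   "geo": request.get("client_geo")},
        "project_data": {"name": request["data_name"],
                         "type": request.get("data_type"),
                         "storage": request.get("storage_address")},
        "method": request["method"],                  # GET, POST, ...
        "network": {"protocol": request.get("protocol"),
                    "path": request.get("path")},
    }


def fetch_honeybait(request: dict):
    """Select the target agent, check the client's rights, return (interface, bait).

    Returns None when no agent matches or the client lacks rights. In that
    case the project platform must answer exactly as the real project end
    would (same status and body); a honeypot-specific error would expose it.
    """
    info = extract_access_info(request)
    agent = HONEYPOT_AGENTS.get(info["project_data"]["name"])
    if agent is None:
        return None
    if agent.access_level(info["client"]["ip"]) != "all":
        return None
    return agent.interface, agent.bait
```

The tuple returned by fetch_honeybait is what the honeypot platform hands back over the named honeypot interface; the project platform, not the honeypot, then forwards the bait to the client.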
Optionally, the method further includes the following specific steps:
collecting the client's attack behaviour events; and
sending the attack behaviour events to the cloud server, so that the cloud server generates a detection policy from them; the detection policy is used by the access control component integrated on the project platform to identify whether a client is an abnormal access client.
The cloud server is a server that collects attack behaviour events, analyses them and distributes detection policies. It has data transmission connections with the access control component and with the honeypot platform. The connection between the honeypot platform and the cloud server is one-way, from the honeypot platform to the cloud server only. This one-way connection guarantees that, once the honeypot platform has been compromised by an abnormal access client, the attacker cannot use that connection to pull the detection policy from the cloud server, which would tell the attacker what the access control component looks for.
The detection policy is the client-identification policy that the cloud server generates from the client attack behaviour events collected by the honeypot platform; it implements the traffic analysis function on the access control component. It may be produced by adjusting a manually configured initial detection policy according to the attack behaviour events, or derived directly from analysing the events, for instance by extracting the access information from the events and analysing it with a neural network model. Optionally, the detection policy carries a version, and a new version is generated whenever preset version generation conditions are met.
The attack behaviour events are sent to the cloud server over the one-way data transmission connection. They may be sent at a preset frequency, or after the client has finished its attack on the honeypot platform; this is not limited here.
For example, the attack behaviour event Logs are sent to the cloud server over the one-way connection at a preset frequency of once per hour.
Collecting the client's attack behaviour events and sending them to the cloud server, so that the cloud server can generate the detection policy used by the access control component on the project platform, improves the accuracy with which clients are identified and keeps the project platform from being attacked. Collecting the attack behaviour of abnormal access clients inside the honeypot platform also supports prevention and attribution of those clients, protecting the data on the project platform.
The honeypot protection method is further described below with reference to FIG. 4, taking its application to web application data as an example. FIG. 4 is a flowchart of the processing of a honeypot protection method applied to web application data according to an embodiment of this specification, which includes the following steps.
Step 402: Receive the detection policy sent by the cloud server.
This embodiment is applied to a traffic interceptor integrated on the web application platform.
The detection policy is generated by the cloud server from historical attack behaviour events sent by the honeypot platform.
Step 404: Receive a web application data access request sent by the client according to the network domain name of the web application, where the web application platform and the honeypot platform have the same network domain name and are deployed in different computer rooms.
The network domain name of the web application is the publicly exposed locator of the web application.
Step 406: Parse the web application data access request to obtain the access information.
Step 408: Use the detection policy to check the access information and identify whether the client is an abnormal access client.
Step 410: If not, send the access request through the web application data interface to the target web application data end of the web application platform.
Step 412: Receive the web application data returned by the target web application data end for the access request.
Step 414: Send the web application data to the client.
Step 416: If so, forward the access request through the honeypot interface to the target honeypot agent in the honeypot platform.
The target honeypot agent is a pre-built data access function module that is highly similar to the web application data end.
Step 418: Receive the honeybait data returned by the target honeypot agent for the access request.
Honeybait data is preset forged application data that is highly similar to the web application data.
Step 420: Send the honeybait data to the client.
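The closed loop described in the two passages above, as an added example written for this page and not code from the patent: the honeypot platform buffers attack behaviour events and pushes them one-way to the cloud server at the hourly interval the text uses; the cloud server derives a versioned detection policy; and the traffic interceptor of steps 402 to 420 applies that policy to route each request either to the web application data end or to the honeypot agent. The event format, the threshold-based rule derivation (the patent leaves the analysis method open), the URL layout, and both the real and the honeybait sample records are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class DetectionPolicy:
    version: int            # the optional policy version mentioned in the text
    bad_ips: frozenset      # client IPs seen attacking the honeypot platform
    bad_paths: frozenset    # request paths seen in honeypot attack events


class CloudServer:
    """Cloud side: receives attack behaviour events and derives a detection policy.

    Only ingest() is exposed to the honeypot platform. There is deliberately no
    call through which the honeypot could read a policy back, which is the
    one-way honeypot -> cloud link the text specifies.
    """

    def __init__(self, min_hits: int = 2):
        self.events, self.version, self.min_hits = [], 0, min_hits

    def ingest(self, batch):
        self.events.extend(batch)

    def build_policy(self) -> DetectionPolicy:
        # Assumed rule derivation: a client IP or path that appears in at least
        # min_hits honeypot events goes into the policy. The patent leaves the
        # analysis method open (a neural network model is one option it names).
        ip_hits, path_hits = Counter(), Counter()
        for ev in self.events:
            ip_hits[ev["client_ip"]] += 1
            path_hits[ev["path"]] += 1
        self.version += 1
        return DetectionPolicy(
            self.version,
            frozenset(ip for ip, n in ip_hits.items() if n >= self.min_hits),
            frozenset(p for p, n in path_hits.items() if n >= self.min_hits),
        )


class HoneypotEventCollector:
    """Honeypot side: buffers attack behaviour events and pushes them over the
    one-way link once per interval (3600 s matches the hourly example)."""

    def __init__(self, cloud: CloudServer, interval_s: int = 3600):
        self.cloud, self.interval_s = cloud, interval_s
        self.buffer, self.last_sent = [], 0.0

    def record(self, event: dict):
        self.buffer.append(event)

    def flush(self, now: float) -> int:
        """Send the buffer if the interval has elapsed; return events sent."""
        if not self.buffer or now - self.last_sent < self.interval_s:
            return 0
        batch, self.buffer = self.buffer, []
        self.cloud.ingest(batch)
        self.last_sent = now
        return len(batch)


# Constructed sample data: real web application data and its honeybait twin.
WEB_APP_DATA = {"Customer_info": [{"customer_id": 1, "name": "Real Customer"}]}
HONEYBAIT = {"Customer_info": [{"customer_id": 10001, "name": "Fake Customer"}]}


class TrafficInterceptor:
    """Access control component on the web application platform (steps 402-420)."""

    def __init__(self, policy: DetectionPolicy):
        self.policy = policy                                    # step 402

    def parse(self, request: dict) -> dict:                     # step 406
        path = urlsplit(request["url"]).path
        return {"client_ip": request["client_ip"], "method": request["method"],
                "path": path, "data_name": path.rsplit("/", 1)[-1]}

    def is_abnormal(self, info: dict) -> bool:                  # step 408
        return (info["client_ip"] in self.policy.bad_ips
                or info["path"] in self.policy.bad_paths)

    def handle(self, request: dict):
        """Return (route, body). Only the body goes to the client; the route tag
        is for logging and the test below and must never reach the client."""
        info = self.parse(request)
        if self.is_abnormal(info):                              # steps 416-420
            return "honeypot", HONEYBAIT.get(info["data_name"])
        return "web_app", WEB_APP_DATA.get(info["data_name"])   # steps 410-414
```

Both branches of handle() answer with the same shape of body, so the abnormal client sees nothing that distinguishes honeybait from real data; the policy itself only ever travels cloud -> interceptor, never back to the honeypot.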
In this embodiment, the web application platform and the honeypot platform are given the same domain name, so the client cannot recognize the honeypot platform and its camouflage is improved. The two platforms are deployed in different computer rooms, so that even after the honeypot platform is compromised an abnormal access client has difficulty attacking the web application platform; this prevents the honeypot platform from being used as a pivot against the web application platform. This further improves the data security of the web application platform, reduces the load that handling normal web application data access places on the hardware, and improves the data processing performance of the web application platform. Checking the access information with the detection policy to identify abnormal access clients improves the accuracy of identification, diverts the attack behaviour of abnormal access clients away from the web application platform, and protects its web application data.
When the client is identified as a normal client, the access request is sent through the web application data interface to the target web application data end and the web application data it returns is received, so the project platform keeps providing its data access function normally and remains stable. When the client is identified as an abnormal access client, the access request is forwarded through the honeypot interface to the target honeypot agent in the honeypot platform, the honeybait data it returns is received and then sent to the client, so that the abnormal access client has difficulty sensing the honeypot platform; this further improves the camouflage of the honeypot platform, diverts the attack behaviour of the abnormal access client away from the web application platform, and further protects the data security of the web application platform.
Corresponding to the method embodiments above, this specification also provides an embodiment of a honeypot protection system. FIG. 5 is a schematic structural diagram of a honeypot protection system according to an embodiment of this specification. As shown in FIG. 5, the system includes a project platform 502 and a honeypot platform 504, and an access control component 5022 is integrated into the project platform.
The access control component 5022 is configured to receive a data access request sent by the client according to the project domain name, where the project platform 502 and the honeypot platform 504 have the same project domain name; to identify, according to the data access request, whether the client is an abnormal access client; and if so, to forward the data access request to the honeypot platform 504 so that the client accesses the honeypot platform 504.
The honeypot platform 504 is configured to receive the data access request forwarded by the project platform 502; to obtain the corresponding honeybait data according to the data access request; and to feed the honeybait data back to the project platform 502.
Optionally, the system further includes a cloud server 506.
The cloud server 506 is configured to receive the client attack behaviour events sent by the honeypot platform 504; to generate a detection policy from the attack behaviour events; and to send the detection policy to the project platform 502.
The access control component 5022 is further configured to receive the detection policy and to use it to check the access information in the data access request and identify whether the client is an abnormal access client.
In this embodiment, the project platform and the honeypot platform are given the same project domain name, so the client cannot recognize the honeypot platform; this improves the camouflage of the honeypot platform and leads the client into deeper access. When the client is identified as an abnormal access client, the data access request is forwarded to the honeypot platform, which diverts the attack behaviour of the abnormal access client away from the project platform and protects the project platform's data. The cloud server receives the client attack behaviour events sent by the honeypot platform, generates a detection policy from them and sends it to the project platform. This improves the accuracy with which clients are identified and keeps the project platform from being attacked, and collecting the attack behaviour of abnormal access clients inside the honeypot platform supports prevention and attribution of those clients, protecting the data on the project platform.
The above is a schematic solution of a honeypot protection system in this embodiment. Note that the technical solution of the honeypot protection system belongs to the same concept as the honeypot protection method described above; for details not described in the system solution, refer to the description of the honeypot protection method.
Corresponding to the method embodiments above, this specification also provides an embodiment of an access control component. FIG. 6 is a schematic structural diagram of an access control component according to an embodiment of this specification; the component is integrated into the project platform. As shown in FIG. 6, the component includes:
a first receiving module 602, configured to receive a data access request sent by the client according to the project domain name, where the project platform and the honeypot platform have the same project domain name;
an identification module 604, configured to identify, according to the data access request, whether the client is an abnormal access client; and
a forwarding module 606, configured to forward the data access request to the honeypot platform if so, so that the client accesses the honeypot platform.
Optionally, the project platform and the honeypot platform are deployed in different geographic locations.
Optionally, the component further includes:
a release module, configured to allow the client to access the project data in the project platform if not.
Optionally, the project platform includes project ends.
Correspondingly, the release module may be further configured to:
send the data access request to the target project end through the project interface; receive the project data returned by the target project end for the data access request; and send the project data to the client.
Optionally, the honeypot platform includes honeypot agents.
Correspondingly, the forwarding module 606 is further configured to:
forward the data access request to the target honeypot agent through the honeypot interface; receive the honeybait data returned by the target honeypot agent for the data access request; and send the honeybait data to the client.
Optionally, the component further includes:
a detection policy receiving module, configured to receive the detection policy sent by the cloud server, where the cloud server generates the detection policy from the client attack behaviour events collected by the honeypot platform.
Correspondingly, the identification module 604 is further configured to:
parse the data access request to obtain the access information; and check the access information with the detection policy to identify whether the client is an abnormal access client.
In this embodiment, the access control component receives a data access request sent by the client according to the project domain name, where the project platform and the honeypot platform have the same project domain name; identifies, according to the data access request, whether the client is an abnormal access client; and if so, forwards the data access request to the honeypot platform so that the client accesses the honeypot platform. Giving the project platform and the honeypot platform the same project domain name means the client cannot recognize the honeypot platform, which improves its camouflage and leads the client into deeper access; forwarding the requests of abnormal access clients to the honeypot platform diverts their attack behaviour away from the project platform and protects the project platform's data.
The above is a schematic solution of an access control component in this embodiment. Note that the technical solution of the access control component belongs to the same concept as the honeypot protection method described above; for details not described in the component solution, refer to the description of the honeypot protection method.
Corresponding to the method embodiments above, this specification also provides an embodiment of a honeypot protection device. FIG. 7 is a schematic structural diagram of a honeypot protection device according to an embodiment of this specification; the device is applied to the honeypot platform. As shown in FIG. 7, the device includes:
a second receiving module 702, configured to receive the data access request forwarded by the project platform, where the client sent the data access request to the project platform according to the project domain name and the project platform and the honeypot platform have the same project domain name;
an obtaining module 704, configured to obtain the corresponding honeybait data according to the data access request; and
a feedback module 706, configured to feed the honeybait data back to the project platform.
Optionally, the honeypot platform and the project platform are deployed in different geographic locations.
Optionally, the honeypot platform includes honeypot agents.
Correspondingly, the device further includes:
an access rights determination module, configured to determine, according to the data access request, the client's access rights to the target honeypot agent, and, when the client has access rights to the target honeypot agent, to obtain the corresponding honeybait data from the target honeypot agent according to those rights.
Optionally, the device further includes:
an attack behaviour event sending module, configured to collect the client's attack behaviour events and send them to the cloud server, so that the cloud server generates a detection policy from them; the detection policy is used by the access control component integrated on the project platform to identify whether a client is an abnormal access client.
In this embodiment, the device receives the data access request forwarded by the project platform, where the client sent the request to the project platform according to the project domain name and the project platform and the honeypot platform have the same project domain name; obtains the corresponding honeybait data according to the request; and feeds the honeybait data back to the project platform. The shared project domain name keeps the client from recognizing the honeypot platform; obtaining honeybait that closely resembles the project data improves the honeypot platform's camouflage; and returning the honeybait through the project platform rather than exchanging data with the client directly makes it hard for an abnormal access client to sense the honeypot platform. This further improves the camouflage of the honeypot platform, diverts the attack behaviour of the abnormal access client away from the project platform, and protects the project platform's data.
The above is a schematic solution of a honeypot protection device in this embodiment. Note that the technical solution of the honeypot protection device belongs to the same concept as the honeypot protection method described above; for details not described in the device solution, refer to the description of the honeypot protection method.
Fig. 8 shows a structural block diagram of a computing device provided according to an embodiment of this specification. The components of computing device 800 include, but are not limited to, memory 810 and processor 820. Processor 820 is connected to memory 810 via bus 830, and database 850 is used to store data.
Computing device 800 further includes an access device 840 that enables computing device 800 to communicate via one or more networks 860. Examples of such networks include a public switched telephone network (PSTN), a local area network (LAN), a wide area network (WAN), a personal area network (PAN), or a combination of communication networks such as the Internet. Access device 840 may include one or more wired or wireless network interfaces of any type (for example, a network interface controller (NIC)), such as an IEEE 802.11 wireless local area network (WLAN) interface, a Worldwide Interoperability for Microwave Access (WiMAX) interface, an Ethernet interface, a Universal Serial Bus (USB) interface, a cellular network interface, a Bluetooth interface, a near field communication (NFC) interface, and so on.
In an embodiment of this specification, the above components of computing device 800, as well as other components not shown in Fig. 8, may also be connected to one another, for example via a bus. It should be understood that the structural block diagram of the computing device shown in Fig. 8 is provided for illustration only and does not limit the scope of this specification. Those skilled in the art may add or replace components as needed.
Computing device 800 may be any type of stationary or mobile computing device, including a mobile computer or mobile computing device (for example, a tablet computer, personal digital assistant, laptop computer, notebook computer, netbook, etc.), a mobile telephone (for example, a smartphone), a wearable computing device (for example, a smart watch, smart glasses, etc.) or another type of mobile device, or a stationary computing device such as a desktop computer or PC. Computing device 800 may also be a mobile or stationary server.
Processor 820 is configured to execute computer-executable instructions which, when executed by the processor, implement the steps of the honeypot protection method described above.
The foregoing is an illustrative scheme of a computing device according to this embodiment. It should be noted that the technical scheme of the computing device and that of the honeypot protection method described above belong to the same concept; for details not elaborated in the computing device scheme, refer to the description of the honeypot protection method above.
An embodiment of this specification further provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the steps of the honeypot protection method described above.
The foregoing is an illustrative scheme of a computer-readable storage medium according to this embodiment. It should be noted that the technical scheme of the storage medium and that of the honeypot protection method described above belong to the same concept; for details not elaborated in the storage medium scheme, refer to the description of the honeypot protection method above.
An embodiment of this specification further provides a computer program which, when executed on a computer, causes the computer to perform the steps of the honeypot protection method described above.
The foregoing is an illustrative scheme of a computer program according to this embodiment. It should be noted that the technical scheme of the computer program and that of the honeypot protection method described above belong to the same concept; for details not elaborated in the computer program scheme, refer to the description of the honeypot protection method above.
The foregoing describes specific embodiments of this specification. Other embodiments fall within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in an order different from that of the embodiments and still achieve the desired result. Likewise, the processes depicted in the drawings do not necessarily require the particular order shown, or a sequential order, to achieve the desired result. In certain implementations, multitasking and parallel processing are also possible or may be advantageous.
The computer instructions include computer program code, which may be in source code form, object code form, an executable file, some intermediate form, or the like. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disc, computer memory, read-only memory (ROM), random access memory (RAM), an electrical carrier signal, a telecommunication signal, a software distribution medium, and so on.
It should be noted that, for brevity of description, each of the foregoing method embodiments is expressed as a series of combined actions. Those skilled in the art should understand, however, that the embodiments of this specification are not limited by the order of actions described, since according to these embodiments certain steps may be performed in another order or concurrently. Those skilled in the art should also understand that the embodiments described in this specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by every embodiment of this specification.
In the foregoing embodiments, the description of each embodiment has its own emphasis; for parts not detailed in a given embodiment, refer to the relevant description of the other embodiments.
The preferred embodiments of this specification disclosed above serve only to help explain this specification. The optional embodiments do not exhaustively describe every detail, nor do they limit the invention to the specific implementations described. Evidently, many modifications and variations can be made based on the content of the embodiments of this specification. These embodiments were selected and described in detail in order to better explain the principles and practical applications of the embodiments of this specification, so that those skilled in the art can properly understand and use this specification. This specification is limited only by the claims, together with their full scope and equivalents.
Claims (14)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211202967.9A CN115567307A (en) | 2022-09-29 | 2022-09-29 | Honeypot protection method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115567307A true CN115567307A (en) | 2023-01-03 |
Family
ID=84742343
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211202967.9A Pending CN115567307A (en) | 2022-09-29 | 2022-09-29 | Honeypot protection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115567307A (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8087083B1 (en) * | 2002-01-04 | 2011-12-27 | Verizon Laboratories Inc. | Systems and methods for detecting a network sniffer |
CN107426242A (en) * | 2017-08-25 | 2017-12-01 | 中国科学院计算机网络信息中心 | Network safety protection method, device and storage medium |
CN110881052A (en) * | 2019-12-25 | 2020-03-13 | 成都知道创宇信息技术有限公司 | Network security defense method, device and system and readable storage medium |
CN110995640A (en) * | 2019-09-19 | 2020-04-10 | 中国银联股份有限公司 | Method for identifying network attack and honeypot protection system |
CN112187825A (en) * | 2020-10-13 | 2021-01-05 | 网络通信与安全紫金山实验室 | Honeypot defense method, system, equipment and medium based on mimicry defense |
US20210051175A1 (en) * | 2019-08-15 | 2021-02-18 | Uchicago Argonne, Llc | Software defined networking moving target defense honeypot |
CN114640544A (en) * | 2022-05-09 | 2022-06-17 | 北京华顺信安科技有限公司 | Honeypot providing method, honeypot providing device, storage medium and electronic equipment |
CN115022077A (en) * | 2022-06-30 | 2022-09-06 | 绿盟科技集团股份有限公司 | Network threat protection method, system and computer readable storage medium |
CN115065495A (en) * | 2022-04-07 | 2022-09-16 | 京东科技信息技术有限公司 | Honeypot network operation method, device, equipment and storage medium |

\* Cited by examiner
Similar Documents
Publication | Title |
---|---|
US10574698B1 | Configuration and deployment of decoy content over a network |
EP3424178B1 | Deterministic reproduction of client/server computer state or output sent to one or more client computers |
US10397273B1 | Threat intelligence system |
US11050787B1 | Adaptive configuration and deployment of honeypots in virtual networks |
US12058148B2 | Distributed threat sensor analysis and correlation |
CN103607385B | Method and apparatus for security detection based on browser |
US11489853B2 | Distributed threat sensor data aggregation and data export |
CN114145004B | System and method for using DNS messages to selectively collect computer forensic data |
US10805340B1 | Infection vector and malware tracking with an interactive user display |
US20160072847A1 | Internet mediation |
US10129289B1 | Mitigating attacks on server computers by enforcing platform policies on client computers |
Ling et al. | Protocol-level hidden server discovery |
US10333977B1 | Deceiving an attacker who is harvesting credentials |
US10659335B1 | Contextual analyses of network traffic |
CN110213212A | Device classification method and apparatus |
US20160277417A1 | Method and apparatus for communication number update |
US12041094B2 | Threat sensor deployment and management |
JP7045050B2 | Communication monitoring system and communication monitoring method |
US8085763B2 | Method for protecting SIP-based applications |
Damopoulos et al. | User privacy and modern mobile services: are they on the same path? |
CN105550593A | Cloud disk file monitoring method and device based on local area network |
CN109819068A | User terminal and its blockchain domain name resolution method |
CN110557358A | Honeypot server communication method, SSLStrip man-in-the-middle attack perception method and related device |
CN108234400A | Attack determination method, apparatus and situation awareness system |
CN113422768A | Application access method and device in zero trust and computing equipment |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |