CN118400202B - Method, system, device, equipment and product for scheduling honeypot trapping strategy - Google Patents
- Publication number: CN118400202B (application CN202410851604.0A)
- Authority: CN (China)
- Legal status: Active
Classifications (CPC)
- H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment (under H04L63/14, network security for detecting or protecting against malicious traffic)
- H04L63/205: Network security policies involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (under H04L63/20, managing network security)
- H04L9/40: Network security protocols (under H04L9/00, cryptographic mechanisms or cryptographic arrangements for secret or secure communications)
Abstract
The embodiments of the application provide a method, system, device, equipment and product for scheduling honeypot trapping strategies, relating to the technical field of network security and applied to a server. The method comprises the following steps: receiving target description data reported by a trap node; determining, based on the target description data, a port of interest to the attacker from among the full set of ports; acquiring each probe message sent by the attacker to the port of interest, on condition that the port of interest in the trap node is opened; determining, based on the acquired probe messages, a target honeypot corresponding to the port of interest, the target honeypot being the honeypot corresponding to the service the attacker is interested in; and controlling the trap node to associate the port of interest with the target honeypot. This scheme automatically adapts to the dynamic changes of the attacker and thereby provides an implementation basis for capturing effective attack characteristics.
Description
Technical Field
The application relates to the technical field of network security, in particular to a method, a system, a device, equipment and a product for scheduling honeypot trapping strategies.
Background
A honeypot is a decoy system that imitates services, for example by deliberately building flawed services or web services, in order to induce an attacker to attack; once an attack occurs, the attack behaviour is captured and analysed to learn the attacker's means and purpose. A port of the trap node is associated with a corresponding honeypot, and when the trap node is attacked, the attack traffic is forwarded by traffic traction to the honeypot corresponding to that port.
In the internet attack scenario, the attack behaviours of attackers are diverse, and the vulnerable service that an attacker is interested in can change dynamically (that is, the honeypot the attacker is interested in can change dynamically). Therefore, how to automatically adapt to the dynamic changes of the attacker, and thereby provide an implementation basis for capturing effective attack characteristics, is a problem to be solved.
Disclosure of Invention
The embodiments of the application aim to provide a method, system, device, equipment and product for scheduling the orchestration of honeypot trapping strategies, which automatically adapt to dynamic changes of an attacker and thereby provide an implementation basis for capturing effective attack characteristics. The specific technical scheme is as follows:
In a first aspect, an embodiment of the present application provides a method for scheduling honeypot trapping policy, applied to a server, where the method includes:
receiving target description data reported by a trap node; wherein the target description data is used to characterise the traffic condition observed by the trap node monitoring the traffic of all ports, the traffic being generated when an attacker tries to connect to ports in the trap node;
determining, based on the target description data, a port of interest to the attacker from among the full set of ports;
acquiring each probe message sent by the attacker to the port of interest, on condition that the port of interest in the trap node is opened;
determining, based on the acquired probe messages, a target honeypot corresponding to the port of interest; the target honeypot is the honeypot corresponding to the service the attacker is interested in;
controlling the trap node to associate the port of interest with the target honeypot.
Optionally, all ports other than the target ports among the full set of ports are in a closed state, where the target ports comprise ports associated with a honeypot and/or ports that are not associated with a honeypot but are open by default;
before acquiring each probe message sent by the attacker to the port of interest on condition that the port of interest in the trap node is opened, the method further comprises:
in response to the port of interest in the trap node not being open, controlling the port of interest in the trap node to be opened.
Optionally, after the controlling the trap node to associate the port of interest with the target honeypot, the method further comprises:
responsive to there being a port other than the port of interest associated with a honeypot, the port associated with the honeypot is closed.
Optionally, determining the target honeypot corresponding to the port of interest based on the acquired probe messages includes:
classifying the acquired probe messages by access path to obtain a classification result;
determining a target message to be analysed based on the classification result; the target message is a message from the class of probe messages containing the largest number of messages;
performing guess processing on the target message with respect to the service it attempts to access, to obtain the target honeypot corresponding to the port of interest.
Optionally, the classifying the acquired detection messages for the access path to obtain a classification result includes:
Classifying the acquired detection messages based on the acquired target character strings in the detection messages to obtain classification results;
the target character string in each detection message is used for representing the access path of the detection message.
Optionally, performing guess processing on the target message with respect to the service to be accessed, to obtain the target honeypot corresponding to the port of interest, includes:
sending the target message to a plurality of preset honeypots;
determining which honeypot returns a service response to the target message, to obtain the target honeypot corresponding to the port of interest.
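As an added illustration (not code from the patent), the following Python models the three optional steps above for HTTP probes: classify by access path, take the target message from the largest class, and send it to simulated preset honeypots to see which returns a service response. The probe messages, the honeypot responders and the "responds or not" criterion are constructed for the example; the patent does not fix a message format or a response criterion.

```python
"""Added example: classify probe messages by access path, take the target
message from the largest class, and find the preset honeypot that gives a
service response to it.  Not the patent's code; probes and honeypots are
constructed stand-ins."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed probe messages (sample data, not captured traffic) sent by the
# attacker to the port of interest after it was opened.
PROBE_MESSAGES: List[bytes] = [
    b"GET / HTTP/1.1\r\nHost: trap.example\r\n\r\n",
    b"GET /console HTTP/1.1\r\nHost: trap.example\r\n\r\n",
    b"POST /console?action=login HTTP/1.1\r\nHost: trap.example\r\nContent-Length: 0\r\n\r\n",
    b"GET /api/v1/status HTTP/1.1\r\nHost: trap.example\r\n\r\n",
    b"GET /console HTTP/1.1\r\nHost: trap.example\r\n\r\n",
    b"\x16\x03\x01\x00\x05hello",  # not HTTP: carries no access path, stays unclassified
]


def access_path(message: bytes) -> Optional[str]:
    """Target character string of a probe: the request path with any query dropped.

    Returns None when the probe is not an HTTP request line."""
    request_line = message.split(b"\r\n", 1)[0]
    try:
        parts = request_line.decode("ascii").split(" ")
    except UnicodeDecodeError:
        return None
    if len(parts) != 3 or not parts[1].startswith("/") or not parts[2].startswith("HTTP/"):
        return None
    return parts[1].split("?", 1)[0]


def classify_by_path(messages: List[bytes]) -> Dict[str, List[bytes]]:
    """Classification result: access path -> the probe messages that used it."""
    classes: Dict[str, List[bytes]] = {}
    for msg in messages:
        path = access_path(msg)
        if path is not None:
            classes.setdefault(path, []).append(msg)
    return classes


def pick_target_message(classes: Dict[str, List[bytes]]) -> Optional[bytes]:
    """The target message is one message from the class with the most probes."""
    if not classes:
        return None
    busiest = max(classes, key=lambda path: len(classes[path]))
    return classes[busiest][0]


# Simulated preset honeypots: each returns True when it would answer the probe
# with a real service response (constructed stand-ins for deployed honeypots).
def _web_console_honeypot(message: bytes) -> bool:
    path = access_path(message)
    return path is not None and path.startswith("/console")


def _rest_api_honeypot(message: bytes) -> bool:
    path = access_path(message)
    return path is not None and path.startswith("/api/")


def _tls_service_honeypot(message: bytes) -> bool:
    return message[:1] == b"\x16"  # only speaks TLS records, never answers plain HTTP


PRESET_HONEYPOTS: Dict[str, Callable[[bytes], bool]] = {
    "web-console": _web_console_honeypot,
    "rest-api": _rest_api_honeypot,
    "tls-service": _tls_service_honeypot,
}


def guess_target_honeypot(message: bytes,
                          honeypots: Dict[str, Callable[[bytes], bool]] = PRESET_HONEYPOTS) -> List[str]:
    """Send the target message to every preset honeypot; keep those that respond."""
    return [name for name, responds in honeypots.items() if responds(message)]


def schedule_for_port(messages: List[bytes]) -> Tuple[Optional[str], List[str]]:
    """Return (access path of the target message, honeypots that serviced it)."""
    target = pick_target_message(classify_by_path(messages))
    if target is None:
        return None, []
    return access_path(target), guess_target_honeypot(target)
```

With the sample probes the "/console" class is the largest, so only the web-console honeypot answers the target message and becomes the target honeypot for the port.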
Optionally, the determining, based on the target description data, a port of interest to the attacker from the full ports includes:
analyzing the target description data in a designated dimension to obtain an analysis result;
Selecting ports meeting preset interested conditions in the trap node based on the analysis result to obtain interested ports of the whole ports for the attacker;
wherein the analysis processing of the specified dimension includes: analyzing the frequency change of the connection of each port in each time point of the same period;
The predetermined condition of interest includes: the connected frequency changes in a predetermined upward trend and the connected frequency reaches a predetermined threshold at a time of the analyzed period.
In a second aspect, an embodiment of the present application provides a method for scheduling honeypot trapping policy, applied to trapping nodes, the method including:
Monitoring the flow of the full port;
determining target description data; wherein the target description data is used to characterise the traffic condition generated by an attacker attempting to connect to ports in the trap node;
Reporting the target description data to a server, so that the server determines an interested port of the whole ports for the attacker based on the target description data, and obtains each detection message of the interested port by the attacker under the condition that the interested port in the trapping node is opened; determining a target honey pot corresponding to the interested port based on each acquired detection message; the target honeypot is a honeypot corresponding to the service of interest of the attacker;
And in response to receiving a first control instruction of the server, associating the port of interest with the target honeypot.
Optionally, all ports other than the target ports among the full set of ports are in a closed state, where the target ports comprise ports associated with a honeypot and/or ports that are not associated with a honeypot but are open by default;
The method further comprises the steps of:
responsive to receiving a second control instruction of the server, opening the port of interest;
The second control instruction is an instruction which is sent to the trap node by the server and used for controlling the opening of the interested port in the trap node in response to the fact that the interested port in the trap node is not opened.
Optionally, the method further comprises:
Responsive to receiving a third control instruction from the server, closing ports other than the port of interest, which are associated with honeypots;
And the third control instruction is an instruction which is sent to the trap node by the server and used for controlling the port to be closed in response to the existence of the honeypot associated with the port except the interested port.
In a third aspect, embodiments of the present application provide a system for honeypot trapping policy orchestration scheduling, the system comprising: a server and a trap node;
The trap node is used for monitoring the traffic of the full set of ports; determining target description data; and reporting the target description data to the server; wherein the target description data is used to characterise the traffic condition generated by an attacker attempting to connect to ports in the trap node;
The server is used for receiving the target description data reported by the trap node; determining, based on the target description data, a port of interest to the attacker from among the full set of ports; acquiring each probe message sent by the attacker to the port of interest on condition that the port of interest in the trap node is opened; determining a target honeypot corresponding to the port of interest based on the acquired probe messages, and sending a first control instruction to the trap node; the target honeypot is the honeypot corresponding to the service the attacker is interested in;
The trap node is configured to associate the port of interest with the target honeypot in response to receiving a first control instruction of the server.
In a fourth aspect, an embodiment of the present application provides an apparatus for scheduling honeypot trapping policies, applied to a server, the apparatus including:
The receiving module is used for receiving the target description data reported by the trapping node; wherein the object description data is used to characterize: the trap node monitors the traffic of all ports, and the traffic is generated when an attacker tries to connect the ports in the trap node;
a first determining module, configured to determine, based on the target description data, a port of interest to the attacker from among the full set of ports;
the acquisition module is used for acquiring each detection message of the interested port by the attacker under the condition that the interested port in the trap node is opened;
The second determining module is used for determining a target honeypot corresponding to the interested port based on each acquired detection message; the target honeypot is a honeypot corresponding to the service of interest of the attacker;
A first control module for controlling the trap node to associate the port of interest with the target honeypot.
In a fifth aspect, an embodiment of the present application provides an apparatus for scheduling honeypot trapping policies, applied to trapping nodes, the apparatus comprising:
the monitoring module is used for monitoring the flow of the full port;
a third determining module for determining target description data; wherein the target description data is used to characterise the traffic condition generated by an attacker attempting to connect to ports in the trap node;
The reporting module is used for reporting the target description data to a server so that the server determines an interested port of the whole ports for the attacker based on the target description data, and obtains each detection message of the attacker for the interested port under the condition that the interested port of the trapping node is opened; determining a target honey pot corresponding to the interested port based on each acquired detection message; the target honeypot is a honeypot corresponding to the service of interest of the attacker;
And the association module is used for associating the interested port with the target honeypot in response to receiving a first control instruction of the server.
In a sixth aspect, an embodiment of the present application provides an electronic device, including:
A memory for storing a computer program;
and a processor for implementing any of the honeypot trapping strategy scheduling methods described above when executing the program stored in the memory.
In a seventh aspect, embodiments of the present application provide a computer readable storage medium having a computer program stored therein, which when executed by a processor implements a method of honeypot trap policy orchestration scheduling of any of the above.
The embodiments of the present application also provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of honeypot trap policy orchestration scheduling described in any of the above.
The embodiment of the application has the beneficial effects that:
In the honeypot trapping policy scheduling method provided by the embodiment of the application, the server can receive the target description data reported by the trap node, where the target description data is the traffic condition observed by the trap node monitoring traffic on all ports as an attacker tries to connect to ports in the trap node; determine, based on the target description data, a port of interest to the attacker among the full set of ports; acquire, on condition that the port of interest is opened, each probe message the attacker sends to the port of interest, where the probe messages can represent the service the attacker is interested in; and further determine, based on the probe messages, a target honeypot corresponding to the port of interest and control the trap node to associate the port of interest with the target honeypot. The application can thus automatically determine the attacker's port of interest and the target honeypot corresponding to the service of interest, and associate the port of interest with the target honeypot, thereby automatically scheduling honeypots to match the port and honeypot the attacker is interested in. Therefore, the method automatically adapts to the dynamic changes of the attacker and provides an implementation basis for capturing effective attack characteristics.
Of course, it is not necessary for any one product or method of practicing the application to achieve all of the advantages set forth above at the same time.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the application, and other embodiments may be obtained according to these drawings to those skilled in the art.
FIG. 1 is a schematic flow chart of a method for scheduling honeypot trapping strategy according to an embodiment of the present application;
FIG. 2 is a graph of the variation in connection frequency of each port at each time point of the same period according to an embodiment of the present application;
FIG. 3 is another flow chart of a method for scheduling honeypot trapping strategy according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a system for scheduling honeypot trapping strategies according to an embodiment of the present application;
FIG. 5 is a schematic flow chart of a system for scheduling honeypot trapping strategy according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a device for scheduling honeypot trapping strategies according to an embodiment of the present application;
FIG. 7 is another schematic diagram of an apparatus for scheduling honeypot trapping policies according to an embodiment of the present application;
FIG. 8 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. Based on the embodiments of the present application, all other embodiments obtained by the person skilled in the art based on the present application are included in the scope of protection of the present application.
When new security vulnerabilities appear and attack behaviour must be collected in a targeted way, a large number of specific honeypots need to be deployed and released to achieve the maximum capturing effect, but unlimited deployment of trap nodes with the full set of honeypots is impossible because trapping resources are limited. By scheduling honeypots, existing honeypots can be switched to the honeypots an attacker is interested in, so as to adapt to the dynamically changing attack behaviour of the attacker. Scheduling honeypots means switching the honeypot associated with a port of the trap node to a new honeypot of interest, or switching the port of the trap node to a new port of interest and associating a new honeypot of interest with that new port.
In the related art, a new port of interest in the trap node is usually determined manually, the honeypot corresponding to the new service of interest (that is, the new honeypot of interest) is analysed manually, and the new honeypot of interest is associated with the new port of interest; however, manual scheduling of honeypots is time-consuming, labour-intensive and inefficient.
With regard to automatic orchestration and scheduling of honeypots, fully automatic orchestration can certainly improve the efficiency of honeypot orchestration and scheduling. Therefore, an automatic orchestration and scheduling technology for honeypots is needed that senses, analyses and predicts attack trends and attack heat in real time and dynamically orchestrates and adjusts honeypots, so that the dynamic changes of an attacker are adapted to automatically, providing an implementation basis for capturing effective attack characteristics.
Based on the above, the embodiment of the application provides a method, a system, a device, equipment and a product for scheduling honeypot trapping strategy arrangement, which are used for automatically adapting to the dynamic change of an attacker, thereby providing an implementation basis for capturing effective attack characteristics.
The following first describes a method for scheduling honeypot trapping strategy arrangement provided by the embodiment of the application.
The honeypot trapping strategy scheduling method provided by the embodiment of the application is applied to a server, and the specific form of the server device is not particularly limited. The method can be applied to any scenario with honeypot scheduling requirements. The server can be understood as a server that manages the trap node; it can schedule the ports in the trap node and the honeypots corresponding to those ports to adapt to the dynamic changes of the attacker. In addition, orchestration scheduling of honeypot trapping policies may be understood as adjusting honeypots to those the attacker is interested in.
The method for scheduling honeypot trapping strategy is applied to a server and comprises the following steps:
receiving target description data reported by a trap node; wherein the target description data is used to characterise the traffic condition observed by the trap node monitoring the traffic of all ports, the traffic being generated when an attacker tries to connect to ports in the trap node;
determining, based on the target description data, a port of interest to the attacker from among the full set of ports;
acquiring each probe message sent by the attacker to the port of interest, on condition that the port of interest in the trap node is opened;
determining, based on the acquired probe messages, a target honeypot corresponding to the port of interest; the target honeypot is the honeypot corresponding to the service the attacker is interested in;
controlling the trap node to associate the port of interest with the target honeypot.
In the honeypot trapping policy scheduling method provided by the embodiment of the application, the server can receive the target description data reported by the trap node, where the target description data is the traffic condition observed by the trap node monitoring traffic on all ports as an attacker tries to connect to ports in the trap node; determine, based on the target description data, a port of interest to the attacker among the full set of ports; acquire, on condition that the port of interest is opened, each probe message the attacker sends to the port of interest, where the probe messages can represent the service the attacker is interested in; and further determine, based on the probe messages, a target honeypot corresponding to the port of interest and control the trap node to associate the port of interest with the target honeypot. The application can thus automatically determine the attacker's port of interest and the target honeypot corresponding to the service of interest, and associate the port of interest with the target honeypot, thereby automatically scheduling honeypots to match the port and honeypot the attacker is interested in. Therefore, the method automatically adapts to the dynamic changes of the attacker and provides an implementation basis for capturing effective attack characteristics.
The following describes a honeypot trapping strategy scheduling method provided by the embodiment of the application with reference to the attached drawings.
As shown in fig. 1, the method for scheduling honeypot trapping policy arrangement provided by the embodiment of the application is applied to a server, and may include the following steps:
S101: receiving target description data reported by a trap node;
Wherein the object description data is used to characterize: the trap node monitors the traffic of all ports, and the traffic is generated when an attacker tries to connect the ports in the trap node;
In the embodiment of the application, the trap node can monitor the traffic of all of its ports and determine the traffic condition generated by an attacker attempting to connect to ports in the trap node, thereby obtaining the target description data, which it reports to the server; correspondingly, the server receives the target description data reported by the trap node for subsequent analysis.
It should be noted that, because of the diversity of the attacker's behaviour and the dynamic change of the vulnerable service the attacker is interested in, the attacker's port of interest may also change in real time; so, to better adapt to the dynamic change of attack behaviour, the trap node monitors the full set of ports. In addition, there may be one or more trap nodes; each trap node monitors the traffic of all its ports and determines the traffic condition generated by an attacker attempting to connect to those ports, so that each trap node can determine its own target description data, report it to the server, and have its honeypots scheduled through the subsequent steps.
By way of example, the object description data may include: an attacker tries to connect port numbers and time information of each port in the trap node; of course, the target description may also include: how often an attacker attempts to connect to each port in the trap node for each predetermined period of time, and so on. The specific expression of the traffic situation generated by the attacker attempting to connect to the port in the trap node is not limited by the embodiment of the present application.
S102: determining, based on the target description data, a port of interest to the attacker from among the full set of ports;
because the target description data of the trap node characterizes the traffic situation generated by the attacker trying to connect the ports in the trap node, and the traffic situation can show the interest degree, the target description data can be analyzed to determine the interesting ports for the attacker in the whole ports.
It should be noted that any implementation that can determine, based on the object description data, an interesting port for the attacker from among the full ports may be applied to the present application. For example, in one implementation, for each port in the trap node, the access frequency of the port may be analyzed within a predetermined statistical period based on the object description data, and if the access frequency is higher than a predetermined frequency threshold, the port may be determined as a port of interest (corresponding to a specific analysis of a frequency change in a specific port within the predetermined period), where the predetermined statistical period may be a period with the current time as an end time and a predetermined duration, and of course, may be any other period that needs to be focused or analyzed. For example, in one implementation, for each port in the trap node, the access frequency of the port in a first statistical period and the access frequency of the port in a second statistical period may be analyzed based on the target description data, the first statistical period being a previous statistical period of the second statistical period; then, an increasing proportion of the frequency of accesses in the second period relative to the frequency of accesses in the first statistical period is identified, and if the increasing proportion is higher than a predetermined proportion threshold, the port can be determined as the port of interest.
Illustratively, in another implementation, to achieve higher accuracy, determining the port of interest to the attacker among the full set of ports based on the target description data includes:
analyzing the target description data in a designated dimension to obtain an analysis result;
Selecting ports meeting preset interested conditions in the trap node based on the analysis result to obtain interested ports of the whole ports for the attacker;
wherein the analysis processing of the specified dimension includes: analyzing the frequency change of the connection of each port in each time point of the same period;
The predetermined condition of interest includes: the connected frequency changes in a predetermined upward trend and the connected frequency reaches a predetermined threshold at a time of the analyzed period. Wherein the predetermined upward trend is an upward trend having a degree of change higher than the predetermined degree of change upon rising.
When determining the ports of interest to the attacker, the target description data may be analyzed in the specified dimension, and the ports in the trap node that meet the predetermined condition of interest are selected based on the analysis result, giving the ports of interest to the attacker among the full ports. The analysis in the specified dimension may include analyzing the change in the frequency with which each port is connected to at each time point of the same period (that is, an overall analysis of the frequency change of all ports). The predetermined condition of interest may be understood as satisfying both a first condition and a second condition: the first condition is that the connection frequency changes in a predetermined upward trend whose degree of upward change exceeds the predetermined degree of change; the second condition is that the connection frequency reaches a predetermined threshold at some time point of the analyzed period.
For example, as shown in fig. 2, the curve of the change in connection frequency of each port at each time point of the same period has time t on the abscissa and the number of connection attempts c on the ordinate. By observing the curves of different ports over the same time interval, the intensity of the change in a port's popularity can be analyzed from the slope of each port's curve over that interval: the larger the slope, the greater the rise (or, for a negative slope, the decay) of the port's popularity. The slope of each port's curve over the same time interval is calculated as follows: for each port, from its coordinates (t1, c1) and (t2, c2) at times t1 and t2, the slope over the interval from t1 to t2 is m = Δc/Δt, where Δc = c2 - c1 is the change in the number of connection attempts on the port over the interval and Δt = t2 - t1 is the time difference.
Then the ports meeting the predetermined condition of interest, that is, the ports of interest, are selected using each port's slope m over the interval from t1 to t2. Specifically, for ports 80, 81 and 82, let the slopes over the interval from t1 to t2 be m80, m81 and m82, let the connection counts at time t2 be c2_80, c2_81 and c2_82, let the predetermined frequency threshold be c0 (the predetermined threshold) and the predetermined slope threshold be m0 (the predetermined degree of change), and suppose m80 > m0 > m81 > m82 and c2_81 > c2_80 > c0 > c2_82. A port is a port of interest if it satisfies c2 > c0 and m > m0, that is, both the first condition and the second condition. Port 81 exceeds the frequency threshold but its slope m81 is below m0, and port 82 satisfies neither threshold; only port 80 satisfies m80 > m0 and c2_80 > c0, so among these ports, port 80 is the port of interest.
It can be seen that in the embodiment of the present application, a frequency threshold c0 and a slope threshold m0 are set, and this dual threshold is used to decide whether a port is a port of interest, so that the ports satisfying the predetermined condition of interest can be screened out accurately. The above description of the manner of determining the ports of interest is by way of example only and should not be construed as limiting the application.
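The dual-threshold selection described above, carried out in code as an added example; this is not code from the patent. The per-port sample structure (PortSample), the time unit and the sample counts are assumptions chosen to reproduce the ordering m80 > m0 > m81 > m82 and c2_81 > c2_80 > c0 > c2_82 from the text. The block also implements the growth-ratio criterion from the alternative implementation described earlier, which goes beyond the port 80/81/82 example:

```python
"""Dual-threshold selection of ports of interest (added example, not the patent's code).

Input is a constructed series of per-port connection-attempt counts, i.e. the
kind of target description data a trap node would report: (port, t, c) where c
is the number of connection attempts on `port` observed by time t.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortSample:
    port: int
    t: float  # time within the statistical period (seconds, assumed unit)
    c: int    # number of connection attempts on the port observed by time t


def counts_by_time(samples, port):
    """Map t -> c for one port."""
    return {s.t: s.c for s in samples if s.port == port}


def slope(samples, port, t1, t2):
    """m = Δc/Δt over the interval [t1, t2] for one port, as in the text."""
    if t2 <= t1:
        raise ValueError("t2 must be later than t1")
    by_time = counts_by_time(samples, port)
    return (by_time[t2] - by_time[t1]) / (t2 - t1)


def ports_of_interest(samples, t1, t2, c0, m0):
    """Ports satisfying both conditions: c2 > c0 (frequency threshold, second
    condition) and m > m0 (slope threshold, first condition). Ports lacking a
    sample at t1 or t2 are skipped rather than guessed."""
    selected = []
    for port in sorted({s.port for s in samples}):
        by_time = counts_by_time(samples, port)
        if t1 not in by_time or t2 not in by_time:
            continue
        if by_time[t2] > c0 and slope(samples, port, t1, t2) > m0:
            selected.append(port)
    return selected


def growth_ratio_ports(prev_counts, cur_counts, ratio_threshold):
    """Alternative criterion from the text: ports whose access frequency in
    the current statistical period grew, relative to the previous period, by
    more than ratio_threshold. A port unseen in the previous period but seen
    now is treated as unbounded growth (assumption of this example)."""
    selected = []
    for port in sorted(set(prev_counts) | set(cur_counts)):
        prev, cur = prev_counts.get(port, 0), cur_counts.get(port, 0)
        if prev == 0:
            ratio = float("inf") if cur > 0 else 0.0
        else:
            ratio = (cur - prev) / prev
        if ratio > ratio_threshold:
            selected.append(port)
    return selected


# Constructed samples reproducing the ordering in the text:
# m80 > m0 > m81 > m82 and c2_81 > c2_80 > c0 > c2_82.
T1, T2 = 0.0, 60.0
SAMPLES = [
    PortSample(80, T1, 20), PortSample(80, T2, 200),   # m80 = 3.0,  c2_80 = 200
    PortSample(81, T1, 180), PortSample(81, T2, 240),  # m81 = 1.0,  c2_81 = 240
    PortSample(82, T1, 5), PortSample(82, T2, 20),     # m82 = 0.25, c2_82 = 20
]
C0, M0 = 100, 2.0  # predetermined frequency threshold and slope threshold

if __name__ == "__main__":
    print("ports of interest:", ports_of_interest(SAMPLES, T1, T2, C0, M0))
    print("growth-ratio variant:",
          growth_ratio_ports({80: 50, 81: 200, 443: 0}, {80: 200, 81: 240, 443: 30}, 1.0))
```

Port 81 is rejected although it is the busiest port at t2, because its curve is nearly flat over the interval; port 82 is rising but never reaches c0. The length of the interval [t1, t2] is a tuning choice: a short interval makes a single burst scan look like a steep slope, a long one hides a fresh surge behind old volume.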
It should be noted that the ports of interest determined for different trap nodes may differ, and the number of ports of interest may differ between trap nodes; the present application does not limit this, and a honeypot may be scheduled for each port of interest of each trap node through the subsequent steps.
S103: acquiring each probe message sent by the attacker to the port of interest, with the port of interest in the trap node open;
After the port of interest to the attacker has been determined, in order to determine the honeypot that the port of interest needs to be associated with, each probe message sent by the attacker to the port of interest may be acquired while the port of interest in the trap node is open; these probe messages characterize the service the attacker is interested in.
With the port of interest in the trap node open, the trap node may continue to monitor the traffic of the port of interest, determine each probe message sent by the attacker to that port, and upload those probe messages to the server, from which the server acquires them.
In one implementation, all ports other than the target ports are closed, where the target ports comprise ports associated with a honeypot and/or ports that are not associated with a honeypot but are open by default;
before acquiring each probe message sent by the attacker to the port of interest with the port of interest in the trap node open, the method further comprises:
in response to the port of interest in the trap node not being open, controlling the port of interest in the trap node to be opened.
In some cases the trap node has target ports in the open state, where the target ports include ports associated with a honeypot, ports not associated with a honeypot but open by default, and so on, and the ports other than the target ports are closed. If the determined port of interest is not open, the server must control the trap node to open it; for example, the server may send a second control instruction to the trap node, causing the trap node to open the port of interest.
In another implementation, all of the full ports are closed; before acquiring each probe message sent by the attacker to the port of interest with the port of interest in the trap node open, the method further comprises:
in response to the port of interest in the trap node not being open, controlling the port of interest in the trap node to be opened.
In other cases every port in the trap node is closed, and if the determined port of interest is not open, the port of interest in the trap node is controlled to be opened.
It should be emphasized that, whether or not a port in the trap node is open, the trap node can monitor the traffic of all ports and determine the traffic condition generated by an attacker attempting to connect to that port; that is, regardless of whether the ports are open, the trap node can report target description data to the server, and that data characterizes the change in the frequency with which the attacker attempts to connect to the ports of the trap node. A connection attempt to a closed port is itself observable, but no service-level payload is received on it. Only when a port is open can the trap node continue to monitor it to obtain the attacker's probe messages for that port, and each probe message characterizes the service of interest to the attacker that sent it. Therefore, if the port of interest is not open, the trap node is first controlled to open it, and the attacker's probe messages for the port of interest are then acquired with the port open, so that the honeypot corresponding to the service of interest to the attacker can subsequently be determined.
S104: determining a target honeypot corresponding to the port of interest based on the acquired probe messages;
wherein the target honeypot is the honeypot corresponding to the service of interest to the attacker;
Because the attacker's behaviour is diverse, the vulnerable service the attacker is interested in may change dynamically, that is, the honeypot the attacker is interested in may change in real time. The probe messages sent by the attacker to the port of interest, acquired in real time, characterize the service the attacker is currently interested in, so the target honeypot corresponding to the port of interest can be determined based on the acquired probe messages.
It should be noted that there may be several ways of determining the target honeypot corresponding to the port of interest; specific implementations are described in detail in the following embodiments and are not repeated here.
S105: controlling the trap node to associate the port of interest with the target honeypot;
After the port of interest and its corresponding target honeypot have been determined, the trap node can be controlled to associate the port of interest with the target honeypot, so that messages received on the port of interest are drawn to the target honeypot. The latest attack behaviour the attacker is most interested in can then be captured in real time through the target honeypot, the dynamic change of the attacker is adapted to automatically, and a basis is provided for capturing effective attack features.
It should be noted that a honeypot may be understood as a honeypot trapping policy against the attacker's attack: the attack is captured through the honeypot trapping policy and then analyzed. In the present application, associating the port of interest with the target honeypot is equivalent to scheduling the honeypot trapping policy associated with that port, so that the trapping policy of the target honeypot associated with the port of interest automatically adapts to the dynamic change of the attacker and the attacker's latest and effective attack behaviour is captured.
For example, the server may send a first control instruction to the trap node, causing the trap node to associate the port of interest with the corresponding target honeypot. If the port of interest is currently associated with a honeypot, the honeypot associated with the port is switched to the target honeypot: the currently associated honeypot is unloaded and the port of interest is then associated with the target honeypot. If the port of interest is not currently associated with any honeypot, the target honeypot is associated with it directly.
Optionally, after controlling the trap node to associate the port of interest with the target honeypot, the method further comprises:
in response to there being a port other than the port of interest that is associated with a honeypot, closing that port.
After the port of interest has been associated with the target honeypot, so that the attacker's latest attack behaviour is captured through the port of interest and its associated target honeypot, any other port associated with a honeypot may be closed, so that it does not draw the attacker away from the port of interest and the target honeypot and interfere with capturing the latest attack behaviour.
In the technical solution of the present application, the acquisition, storage, use, processing, transmission, provision, disclosure and other operations relating to the target description data and the probe messages are all performed with the authorization of the user.
In the honeypot trapping policy scheduling method provided by the embodiment of the present application, the server receives the target description data reported by the trap node, where the target description data is the traffic condition, obtained by the trap node monitoring the traffic of all ports, generated by an attacker attempting to connect to ports in the trap node; the server determines the port of interest to the attacker among the full ports based on the target description data; with the port of interest open, it acquires each probe message sent by the attacker to the port of interest, each of which characterizes the service of interest to the attacker; based on these probe messages it determines the target honeypot corresponding to the port of interest, and it controls the trap node to associate the port of interest with the target honeypot. The present application can thus automatically determine the port of interest to the attacker and the target honeypot corresponding to the service of interest to the attacker, and associate the two, so that the honeypot is scheduled automatically to match the port and service of interest to the attacker. The dynamic change of the attacker is therefore adapted to automatically, providing a basis for capturing effective attack features.
Optionally, in another embodiment of the present application, determining the target honeypot corresponding to the port of interest based on the acquired probe messages includes:
classifying the acquired probe messages by access path to obtain a classification result;
determining a target message to be analyzed based on the classification result, the target message being a message from the class of probe messages that contains the largest number of messages;
and performing guess processing on the target message with respect to the service it is trying to access, to obtain the target honeypot corresponding to the port of interest.
The service of interest to the attacker may vary (the same attacker may be interested in several services, and different attackers may be interested in different services). When determining the target honeypot corresponding to the port of interest, the access path characterizes the service the attacker is interested in, so the acquired probe messages can be classified by access path. The classification result may contain several classes of probe messages, each class characterizing one service of interest to the attacker. A message from the class containing the largest number of messages is selected from the classification result as the target message to be analyzed; it represents the probe message with the highest attacker popularity, that is, the representative probe message. Guess processing is then performed on the target message with respect to the service it is trying to access, giving the target honeypot corresponding to the port of interest.
Guess processing means guessing which service the target message is trying to access.
In an exemplary implementation, classifying the acquired probe messages by access path to obtain a classification result includes:
classifying the acquired probe messages based on the target string in each probe message to obtain the classification result;
wherein the target string in each probe message characterizes the access path of that probe message.
Since the target string in each probe message characterizes its access path, the probe messages can be classified based on their respective target strings to obtain the classification result.
The target string in a probe message may be understood as a key string of the message; for example, it may be a URL (Uniform Resource Locator) field, an IP (Internet Protocol) address, or the like, which the present application does not limit.
Optionally, performing guess processing on the target message with respect to the service it is trying to access, to obtain the target honeypot corresponding to the port of interest, includes:
sending the target message to a plurality of preset honeypots;
and determining the honeypot that gives a service response to the target message, to obtain the target honeypot corresponding to the port of interest.
In the present application, a plurality of honeypots are preset for various services, each honeypot simulating a service, such as a vulnerable service or a web service. The target message may be sent to the preset honeypots, and the honeypot that gives a service response to the target message is determined to be the honeypot the target message is trying to access, that is, the target honeypot corresponding to the port of interest.
According to the honeypot trapping policy scheduling method of the present application, the probe messages are classified by access path, the target message to be analyzed is determined from the classification result as the probe message with the highest attacker popularity, and the target honeypot corresponding to the port of interest is obtained by guessing the service the target message is trying to access: the honeypot that can respond to the target message is the honeypot corresponding to the service of interest to the attacker. The present application can therefore classify the probe messages, determine the target message with the highest attacker popularity, and, by guess processing of the service the target message is trying to access, accurately determine the target honeypot corresponding to the service of interest to the attacker.
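The classification and guess processing of S104, carried out end to end as an added worked example; this is not the patent's code. It assumes the probe messages are HTTP request lines, uses the URL path as the target string, and simulates the preset honeypots in-process; the honeypot names, the path prefixes each one serves, and the rule that only a 200 reply counts as a service response are assumptions of this example:

```python
"""Target honeypot selection from probe messages (added example, not the patent's code).

Step 1: classify probe messages by access path (the URL path is the target string).
Step 2: take a message from the largest class as the target message.
Step 3: 'guess' the service by offering the target message to each preset
honeypot; the honeypot that gives a service response is the target honeypot.

The honeypots are simulated in-process; a real deployment would forward the
message to each honeypot and inspect its reply.
"""
import re

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d")


def access_path(msg):
    """Target string of a probe: the URL path of the HTTP request line with
    the query string stripped. Non-HTTP probes fall into a single class."""
    m = REQUEST_LINE.match(msg)
    if not m:
        return "<non-http>"
    return m.group("path").split("?", 1)[0]


def classify_by_path(msgs):
    """Classification result: path -> list of probe messages with that path."""
    classes = {}
    for msg in msgs:
        classes.setdefault(access_path(msg), []).append(msg)
    return classes


def target_message(classes):
    """A representative message from the largest class (ties are broken by
    path order so the choice is deterministic); None if there are no probes."""
    if not classes:
        return None
    largest = max(sorted(classes), key=lambda p: len(classes[p]))
    return classes[largest][0]


class SimulatedHoneypot:
    """Stands in for a preset honeypot simulating one service. It gives a
    service response (HTTP 200) only for paths belonging to that service and
    returns None otherwise (assumption: a 404 is not a service response)."""

    def __init__(self, name, served_prefixes):
        self.name = name
        self.served_prefixes = tuple(served_prefixes)

    def respond(self, msg):
        path = access_path(msg)
        if any(path.startswith(p) for p in self.served_prefixes):
            return f"HTTP/1.1 200 OK from {self.name}"
        return None


def guess_target_honeypot(msg, honeypots):
    """Name of the first honeypot that gives a service response to the target
    message, or None if no preset honeypot serves it."""
    if msg is None:
        return None
    for hp in honeypots:
        if hp.respond(msg) is not None:
            return hp.name
    return None


def schedule_honeypot(msgs, honeypots):
    """End to end: probe messages on the port of interest -> target honeypot name."""
    return guess_target_honeypot(target_message(classify_by_path(msgs)), honeypots)


# Constructed probe messages captured on one port of interest.
PROBES = [
    "GET /wp-login.php HTTP/1.1",
    "POST /wp-login.php HTTP/1.1",
    "GET /wp-login.php?redirect_to=%2F HTTP/1.1",
    "GET /phpmyadmin/index.php HTTP/1.1",
    "GET /.env HTTP/1.1",
    "\x16\x03\x01\x00\xa5",  # TLS ClientHello fragment, not an HTTP request
]

# Constructed preset honeypots, one per simulated service.
HONEYPOTS = [
    SimulatedHoneypot("phpmyadmin", ["/phpmyadmin/"]),
    SimulatedHoneypot("wordpress", ["/wp-login.php", "/wp-admin/", "/xmlrpc.php"]),
    SimulatedHoneypot("generic-web", ["/.env", "/config"]),
]

if __name__ == "__main__":
    classes = classify_by_path(PROBES)
    print({p: len(v) for p, v in classes.items()})
    print("target honeypot:", schedule_honeypot(PROBES, HONEYPOTS))
```

The text does not say what happens when several preset honeypots respond, or none does; the example takes the first responder in list order and returns None when none responds, which leaves the port unscheduled rather than binding an arbitrary honeypot to it.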
An embodiment of the present application also provides a honeypot trapping policy scheduling method applied to the trap node, where the trap node may be understood as a host device corresponding to the server. As shown in fig. 3, the method comprises the following steps:
S301: monitoring the traffic of the full ports;
Any trap node of the present application may be deployed at a corresponding geographic location, so that effective attack features of attackers at each geographic location are captured through the respective trap nodes. Each trap node may monitor the traffic of all of its ports, among which there may be ports that are open and associated with a honeypot.
Illustratively, a monitoring module in the trap node performs traffic monitoring on all ports of the trap node, that is, on the full ports; by monitoring the traffic of all ports (whether open or closed), the server can subsequently determine the ports of interest to the attacker.
S302: determining target description data;
wherein the target description data characterizes the traffic condition generated by an attacker attempting to connect to ports in the trap node;
When the trap node monitors the traffic of all ports, it can record the traffic condition generated by the attacker attempting to connect to each port of the trap node, that is, determine the target description data. By way of example, the target description data may characterize the frequency with which the attacker attempts to connect to ports of the trap node, the port numbers, time information, and so on, which the present application does not limit.
S303: reporting the target description data to the server, so that the server determines the port of interest to the attacker among the full ports based on the target description data, acquires each probe message sent by the attacker to the port of interest with the port of interest in the trap node open, and determines the target honeypot corresponding to the port of interest based on the acquired probe messages;
S304: in response to receiving a first control instruction from the server, associating the port of interest with the target honeypot;
wherein the target honeypot is the honeypot corresponding to the service of interest to the attacker.
After the target description data has been determined, it is reported to the server, and the server determines the port of interest to the attacker among the full ports of the trap node from the target description data. With the port of interest in the trap node open, the monitoring module in the trap node may continue to monitor the traffic of the port of interest, record each probe message sent by the attacker to that port and report the probe messages to the server; after acquiring the probe messages, the server determines the target honeypot corresponding to the port of interest and sends a first control instruction, and the trap node associates the port of interest with the target honeypot after receiving the first control instruction.
Optionally, in one implementation, all ports other than the target ports are closed, where the target ports comprise ports associated with a honeypot and/or ports that are not associated with a honeypot but are open by default;
the method further comprises:
in response to receiving a second control instruction from the server, opening the port of interest;
wherein the second control instruction is an instruction sent by the server to the trap node, in response to the port of interest in the trap node not being open, to control the opening of the port of interest in the trap node.
The ports other than the target ports may be closed, and if the port of interest is not open it must first be opened so that the attacker's probe messages can be acquired. The server may control the trap node to open the port of interest by sending it a second control instruction: when the server identifies that the port of interest in the trap node is not open, it sends the second control instruction, and the trap node opens the port of interest on receiving it.
Of course, all of the full ports may be closed, or all may be open, or some may be open, and so on; whenever the port of interest is not open, the server may issue a second control instruction to the trap node, which opens the port of interest on receipt, while the ports other than the port of interest may be open or closed.
Optionally, there may be a port in the trap node that is open by default and associated with a honeypot in order to capture the attacker's attack features. So that the port of interest and its associated honeypot capture the attacker's latest attack features, the method further comprises:
in response to receiving a third control instruction from the server, closing the ports other than the port of interest that are associated with a honeypot;
wherein the third control instruction is an instruction sent by the server to the trap node, in response to there being a port other than the port of interest that is associated with a honeypot, to control the closing of that port.
By issuing a third control instruction, the server can control the trap node to close the ports other than the port of interest that are associated with a honeypot, so that they do not interfere with capturing the attacker's latest attack behaviour through the port of interest and the target honeypot.
It should be noted that the terms first, second and third control instruction are used only to distinguish different control instructions issued by the server: the first control instruction controls the trap node to associate the port of interest with the target honeypot, the second controls the trap node to open the port of interest, and the third controls the trap node to close the ports other than the port of interest that are associated with a honeypot; the present application is not limited in this regard.
In the honeypot trapping policy scheduling method provided by the embodiment of the present application, the trap node monitors the traffic of all ports, determines the traffic condition generated on its ports, that is, the target description data, and reports it to the server; the server receives the target description data reported by the trap node and determines the port of interest to the attacker among the full ports based on it; with the port of interest open, each probe message sent by the attacker to the port of interest is acquired, each probe message characterizing the service of interest to the attacker; the target honeypot corresponding to the port of interest is then determined based on these probe messages and a first control instruction is sent to the trap node, which associates the port of interest with the target honeypot on receiving it. Through the interaction of the server and the trap node, the port of interest to the attacker and the target honeypot corresponding to the service of interest to the attacker are determined automatically and associated with each other, so that the honeypot is scheduled automatically to match the port and service of interest to the attacker. The dynamic change of the attacker is therefore adapted to automatically, providing a basis for capturing effective attack features.
Based on the above method embodiments, the present application further provides a honeypot trapping policy scheduling system, as shown in fig. 4, comprising a server 410 and a trap node 420;
the trap node 420 is configured to monitor the traffic of the full ports, determine target description data, and report the target description data to the server 410, where the target description data characterizes the traffic condition generated by an attacker attempting to connect to ports in the trap node;
the server 410 is configured to receive the target description data reported by the trap node 420; determine the port of interest to the attacker among the full ports based on the target description data; acquire each probe message sent by the attacker to the port of interest, with the port of interest in the trap node 420 open; and determine the target honeypot corresponding to the port of interest based on the acquired probe messages and send a first control instruction to the trap node 420, where the target honeypot is the honeypot corresponding to the service of interest to the attacker;
and the trap node 420 is configured to associate the port of interest with the target honeypot in response to receiving the first control instruction from the server 410.
In the honeypot trapping policy scheduling system provided by the embodiment of the present application, the trap node monitors the traffic of all ports, determines the traffic condition generated on its ports, that is, the target description data, and reports it to the server; the server receives the target description data reported by the trap node and determines the port of interest to the attacker among the full ports based on it; with the port of interest open, each probe message sent by the attacker to the port of interest is acquired, each probe message characterizing the service of interest to the attacker; the target honeypot corresponding to the port of interest is then determined based on these probe messages and a first control instruction is sent to the trap node, which associates the port of interest with the target honeypot on receiving it. Through the interaction of the server and the trap node, the port of interest to the attacker and the target honeypot corresponding to the service of interest to the attacker are determined automatically and associated with each other, so that the honeypot is scheduled automatically to match the port and service of interest to the attacker. The dynamic change of the attacker is therefore adapted to automatically, providing a basis for capturing effective attack features.
Optionally, all ports other than the target ports are closed, where the target ports comprise ports associated with a honeypot and/or ports that are not associated with a honeypot but are open by default;
the server is further configured to send a second control instruction to the trap node, the second control instruction being an instruction sent by the server to the trap node, in response to the port of interest in the trap node not being open, to control the opening of the port of interest in the trap node;
and the trap node is further configured to open the port of interest in response to receiving the second control instruction from the server.
Optionally, the server is further configured to send a third control instruction to the trap node, the third control instruction being an instruction sent by the server to the trap node, in response to there being a port other than the port of interest that is associated with a honeypot, to control the closing of that port;
and the trap node is further configured to close the ports other than the port of interest that are associated with a honeypot, in response to receiving the third control instruction from the server.
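The server-to-trap-node exchange of steps S103 to S105 and S301 to S304, with the first, second and third control instructions, as an added example that is not the patent's code. The instruction encoding, the TrapNode state model, and the assumption that the server holds a copy of the node's reported port state (so it can decide which instructions to send) are assumptions of this example:

```python
"""Server-to-trap-node scheduling exchange (added example, not the patent's code).

The trap node holds the port state (which ports are open, and which honeypot
each open port is associated with) and executes three kinds of instruction
named in the text: OPEN_PORT (second control instruction), ASSOCIATE (first
control instruction) and CLOSE_PORT (third control instruction). The
instruction encoding and the state model are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Instruction:
    kind: str                        # "OPEN_PORT" | "ASSOCIATE" | "CLOSE_PORT"
    port: int
    honeypot: Optional[str] = None   # target honeypot name, ASSOCIATE only


@dataclass
class TrapNode:
    open_ports: set = field(default_factory=set)
    associations: dict = field(default_factory=dict)   # port -> honeypot name
    executed: list = field(default_factory=list)       # audit trail of applied instructions

    def execute(self, ins: Instruction) -> None:
        """Apply one control instruction to the node state."""
        if ins.kind == "OPEN_PORT":
            self.open_ports.add(ins.port)
        elif ins.kind == "ASSOCIATE":
            # Probe messages only arrive on an open port, so refuse to bind a
            # honeypot to a port the node has not opened.
            if ins.port not in self.open_ports:
                raise RuntimeError(f"port {ins.port} must be open before association")
            # Overwriting switches the honeypot: the old one is unloaded first.
            self.associations[ins.port] = ins.honeypot
        elif ins.kind == "CLOSE_PORT":
            self.open_ports.discard(ins.port)
            self.associations.pop(ins.port, None)
        else:
            raise ValueError(f"unknown instruction kind {ins.kind!r}")
        self.executed.append(ins)

    def state(self) -> dict:
        return {"open": sorted(self.open_ports), "assoc": dict(self.associations)}


def schedule(node: TrapNode, port_of_interest: int, target_honeypot: str) -> list:
    """Server side: given the port of interest and its target honeypot, build
    the instruction sequence for this node's current state and apply it.
    Instructions are only emitted where the state actually needs to change."""
    plan = []
    if port_of_interest not in node.open_ports:
        plan.append(Instruction("OPEN_PORT", port_of_interest))                  # second control instruction
    if node.associations.get(port_of_interest) != target_honeypot:
        plan.append(Instruction("ASSOCIATE", port_of_interest, target_honeypot)) # first control instruction
    for port in sorted(node.associations):
        if port != port_of_interest:
            plan.append(Instruction("CLOSE_PORT", port))                         # third control instruction
    for ins in plan:
        node.execute(ins)
    return plan


if __name__ == "__main__":
    # Constructed node: SSH honeypot on 22 by default, 80 open but not associated.
    node = TrapNode(open_ports={22, 80}, associations={22: "ssh-honeypot"})
    for ins in schedule(node, 8080, "wordpress"):
        print("server -> node:", ins)
    print("node state:", node.state())
```

The ordering matters: the port must be open before a honeypot is associated with it, and the other honeypot ports are closed only after the new association is in place, so there is no window in which the attacker sees no honeypot at all.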
The system for scheduling honeypot trapping strategies provided by the application is described below in connection with another embodiment.
The present application addresses the following problem. In an Internet attack scenario, attack behaviour is diverse and attack targets are highly random and bursty, so a scheme based on deploying pre-built honeypots has a large trapping limitation: as time goes on, the attacker loses interest in the pre-deployed honeypot service, or the popularity of attacks on the old honeypot service gradually decreases, so that the latest attack intent and payload cannot be captured (that is, the dynamic change of the attacker is not adapted to and effective attack features are not captured). Therefore, mainly in the Internet scenario, the present application comprehensively calculates and estimates the optimal honeypot deployment policy based on factors such as full-traffic monitoring and perception, attack popularity, frequency, time distribution and geographic distribution, and modifies the traffic traction path of the honeypot node automatically and in real time (that is, automatically switches the honeypot associated with a port), so as to guide the attacker to attack further and obtain the optimal attack features. As shown in fig. 5, the flow of the honeypot trapping policy scheduling system of the present application may include the following steps:
s501: the trap node executes a scheduling policy;
And deploying a monitoring module at the trapping node H1 … Hn, wherein the monitoring module carries out traffic traction and forwards to the back-end honeypot based on a scheduling strategy (a default scheduling strategy or a scheduling strategy issued by a server), and executes the honeypot trapping strategy. I.e. the monitoring module in each trap node Hn, may also, based on the scheduling policy, direct the attack, traffic, to the honey corresponding to the port (the honey corresponding to the default port, or the target honey corresponding to the port of interest in the previous scheduling policy).
S502: the trapping node monitors the traffic of all ports;
The monitoring module in the trapping node monitors the network traffic of all ports on the trapping node, records and analyses the traffic conditions captured in each time slice, such as the frequency and trend of the attacker's attempts to connect each port (i.e. the target description data), and reports the target description data to the server.
S503: the server analyzes the frequency change of each port of the trapping node;
The server receives and analyzes the traffic conditions, such as the frequency and trend of each port, reported by each trapping node Hn. The analysis takes into account the geographic location of the reporting trapping node Hn, the change in access frequency of different ports within a specific period (i.e. the change, at each time point of the same period, in the frequency with which each port is connected), and the change in access frequency of a specific port within a specific period (i.e. the change in the frequency with which each port is connected over a preset period). During the analysis, a frequency variation curve of each port can be generated.
S504: the server identifies whether the frequency variation exceeds a threshold;
After analyzing each port of the trapping node, the server may identify, based on the frequency variation curve of each port, whether the frequency variation of the port exceeds the set policy change threshold X (i.e. c0 described above); if yes, step S505 is executed, and if no, the flow returns to step S502.
S505: determining and opening the port of interest, and continuously monitoring the port of interest;
After the server recognizes that the frequency variation of a port exceeds the threshold, it may further determine whether the port is of interest to the attacker. Specifically, if the frequency variation of the port exceeds the threshold and is still in an overall upward trend (the trend reaches the predetermined degree of variation m0), the port is the port P of interest to the attacker, which may also be called a high-heat port. After the port of interest P is determined, the trapping node can be controlled to open the port of interest P, and the port is continuously monitored by the monitoring module in the trapping node so as to acquire each probe message R sent by the attacker to the port of interest.
S506: the server analyzes each probe message sent by the attacker to the port of interest and guesses the corresponding honeypot of interest;
The server may obtain each probe message R1 … Rn sent by the attacker to the port of interest P, classify the probe messages according to their access paths, sort the classes by the number of probe messages in each class, and select a probe message Rm from a top-ranked class, for example a message Rm from the class with the largest number of probe messages. The server then performs target service/device guessing (i.e. the guessing processing) on the probe message Rm to obtain the honeypot of interest Hm (i.e. the target honeypot) corresponding to the probe message Rm.
S507: the server automatically generates the scheduling policy and sends it to the trapping node;
The policy scheduling module in the server can automatically generate a scheduling policy and send it to the trapping node; according to the received scheduling policy, the trapping node associates the port of interest P with the honeypot of interest Hm and closes the original trapping port. When the port of interest is attacked, traffic traction is performed on the trapping node and the attack is forwarded to the honeypot Hm, so that the latest attack characteristics of the attacker are captured.
The geographic location of each trapping node may also be used in the analysis processing. For example, if the frequency change of the trapping nodes in a geographic location is large, this indicates that the trapping nodes in that location have been attacked many times in a short time; at this time, the security protection capability of the trapping nodes in that location can be strengthened, or more ports of interest can be opened for them (for example by lowering the policy change threshold X so that more ports of interest are determined) and the corresponding honeypots associated, so as to capture a large number of the latest and effective attack characteristics. Moreover, different trapping nodes may share the same geographic location. If only one trapping node in that location has its data analyzed to obtain a scheduling policy, only that node captures the latest and effective attack characteristics while the other trapping nodes capture none; in this case the server can also send the scheduling policy obtained from that node's analysis to the other trapping nodes in the same geographic region at the same time, so that the latest and effective attack characteristics are also captured by the other trapping nodes.
The trapping nodes and the server continuously repeat the above process, and the traffic traction policy for all ports of each trapping node is automatically orchestrated in real time; that is, honeypots are automatically orchestrated and scheduled in real time according to the dynamic changes of the attacker, which provides the basis for capturing effective attack characteristics.
The method mainly addresses the following problem: in the Internet attack scenario, attack behaviours are diverse, attack targets show strong periodic fluctuation, and attack behaviour fluctuates dynamically as new vulnerabilities appear, so a conventional preset honeypot cannot respond to new attack behaviour characteristics in time and cannot accurately capture the characteristics of new vulnerability exploitation. By automatically predicting the heat, trend and spatio-temporal distribution of network attacks, the method dynamically adjusts the construction of the honeypot network and responds to new attack characteristics to the greatest extent, thereby achieving effective capture of attack characteristics.
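The server-side part of the flow above (S503 to S507) as an added worked example; it is not the patent's own code. It assumes the target description data arrives as per-port connection counts per time slice, defines the frequency change as the difference between the last and first slice, and uses constructed values for the threshold X (c0), the trend degree m0, the probe messages and the preset honeypots.

```python
"""Port-of-interest detection, probe classification and policy generation.
Added illustration of S503-S507; all data, thresholds and honeypot names are
constructed for the example and are not from the patent."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass


@dataclass
class PortReport:
    """Target description data reported by one trapping node (S502)."""
    node_id: str
    location: str
    counts: dict[int, list[int]]  # port -> connection attempts per time slice


def frequency_change(series: list[int]) -> int:
    """Frequency change over the analysed period: last slice minus first slice."""
    return series[-1] - series[0]


def upward_trend(series: list[int]) -> float:
    """Degree of upward trend: fraction of slice-to-slice steps that increase."""
    steps = list(zip(series, series[1:]))
    return sum(1 for a, b in steps if b > a) / len(steps) if steps else 0.0


def ports_of_interest(report: PortReport, threshold_x: int, trend_m0: float) -> list[int]:
    """S504/S505: ports whose frequency change exceeds X and whose trend is still
    rising with at least degree m0 (the high-heat ports)."""
    return [port for port, series in sorted(report.counts.items())
            if frequency_change(series) > threshold_x and upward_trend(series) >= trend_m0]


@dataclass
class Probe:
    port: int
    payload: bytes


def access_path(probe: Probe) -> str:
    """Target character string characterising the access path; for the constructed
    HTTP-style probes it is the request-line path."""
    line = probe.payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    return (parts[1] if len(parts) >= 2 else line).decode(errors="replace")


def classify(probes: list[Probe]) -> Counter:
    """S506: classification result, one class per access path."""
    return Counter(access_path(p) for p in probes)


def target_probe(probes: list[Probe]) -> Probe:
    """The target message Rm: a probe from the class with the most messages."""
    best_path, _ = classify(probes).most_common(1)[0]
    return next(p for p in probes if access_path(p) == best_path)


def guess_honeypot(target: Probe, honeypots: dict) -> str | None:
    """Guessing processing: send Rm to each preset honeypot; the one that gives a
    service response is the target honeypot Hm."""
    for name, responder in honeypots.items():
        if responder(target.payload) is not None:
            return name
    return None


def build_policy(node_id: str, port: int, honeypot: str, associated: dict[int, str]) -> dict:
    """S507: scheduling policy; open P, associate it with Hm, close old trapping ports."""
    return {"node": node_id, "open": [port], "associate": {port: honeypot},
            "close": sorted(p for p in associated if p != port)}


# Constructed preset honeypots, simulated as responders (hypothetical names).
def _ssh_honeypot(payload: bytes):
    return b"SSH-2.0-honeypot" if payload.startswith(b"SSH-") else None


def _web_honeypot(payload: bytes):
    return b"HTTP/1.1 200 OK" if payload[:4] in (b"GET ", b"POST") else None


PRESET_HONEYPOTS = {"H_ssh": _ssh_honeypot, "H_web": _web_honeypot}

# Constructed report: port 8443 rises steadily, 22 is flat noise, 3306 is falling.
SAMPLE_REPORT = PortReport("H1", "region-A", {
    22: [40, 42, 41, 43, 42, 44],
    8443: [2, 5, 9, 16, 27, 45],
    3306: [30, 20, 12, 8, 5, 2],
})

# Constructed probes on the port of interest: three to /api/v1/status, two to /login.
SAMPLE_PROBES = [
    Probe(8443, b"GET /api/v1/status HTTP/1.1\r\nHost: h1\r\n\r\n"),
    Probe(8443, b"GET /login HTTP/1.1\r\nHost: h1\r\n\r\n"),
    Probe(8443, b"GET /api/v1/status HTTP/1.1\r\nHost: h1\r\n\r\n"),
    Probe(8443, b"POST /login HTTP/1.1\r\nHost: h1\r\n\r\n"),
    Probe(8443, b"GET /api/v1/status HTTP/1.1\r\nHost: h1\r\n\r\n"),
]


def run_example(threshold_x: int = 20, trend_m0: float = 0.8) -> dict | None:
    """One scheduling round; returns the policy or None when no port qualifies."""
    ports = ports_of_interest(SAMPLE_REPORT, threshold_x, trend_m0)
    if not ports:
        return None
    port = ports[0]
    target = target_probe([p for p in SAMPLE_PROBES if p.port == port])
    honeypot = guess_honeypot(target, PRESET_HONEYPOTS)
    return build_policy(SAMPLE_REPORT.node_id, port, honeypot, {22: "H_ssh"})


if __name__ == "__main__":
    print(run_example())
```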
Based on the above method embodiment, the present application further provides a device for scheduling honeypot trapping policy, which is applied to a server, as shown in fig. 6, and the device includes:
A receiving module 610, configured to receive target description data reported by a trapping node; wherein the target description data is used to characterize the traffic conditions, determined by the trapping node by monitoring the traffic of all ports, that are generated when an attacker attempts to connect ports in the trapping node;
A first determining module 620, configured to determine, based on the target description data, the port of interest to the attacker among all ports;
An obtaining module 630, configured to obtain each probe message sent by the attacker to the port of interest when the port of interest of the trapping node is opened;
A second determining module 640, configured to determine, based on each acquired probe message, the target honeypot corresponding to the port of interest; the target honeypot is the honeypot corresponding to the service the attacker is interested in;
A first control module 650, configured to control the trapping node to associate the port of interest with the target honeypot.
In the honeypot trapping policy scheduling device provided by the embodiment of the application, the server can receive the target description data reported by the trapping node, where the target description data describes the traffic conditions generated by an attacker's attempts to connect ports in the trapping node, as determined by the trapping node through traffic monitoring of all ports; based on the target description data, the port of interest to the attacker is determined among all ports; when the port of interest is opened, the attacker sends probe messages to the port of interest, and each probe message can represent the service the attacker is interested in; further, based on each probe message, the target honeypot corresponding to the port of interest is determined, and the trapping node is controlled to associate the port of interest with the target honeypot. The application can thus automatically determine the port of interest to the attacker and the target honeypot corresponding to the service the attacker is interested in, and associate the two, so that the honeypot is automatically scheduled to adapt to the port and service the attacker is interested in. Therefore, the method automatically adapts to the dynamic changes of the attacker, which provides an implementation basis for capturing effective attack characteristics.
Optionally, all ports except for each target port in the all ports are in a closed state, and each target port comprises a port associated with a honeypot and/or a port which is not associated with the honeypot and is opened by default;
The apparatus further comprises:
And the second control module is used for controlling the interested port in the trap node to be opened in response to the interested port in the trap node not being opened.
Optionally, the apparatus further comprises:
And a first closing module, configured to close, in response to the existence of a port other than the port of interest that is associated with a honeypot, the port associated with that honeypot.
Optionally, the second determining module includes:
The classifying sub-module is used for classifying the acquired detection messages aiming at the access paths to obtain classifying results;
A determining sub-module, configured to determine the target message to be analyzed based on the classification result; the target message is a message from the class of probe messages with the largest number of messages;
And the processing sub-module is used for performing guessing processing on the target message aiming at the service to be accessed so as to obtain the target honeypot corresponding to the interested port.
Optionally, the classifying sub-module is specifically configured to:
Classifying the acquired detection messages based on the acquired target character strings in the detection messages to obtain classification results;
the target character string in each detection message is used for representing the access path of the detection message.
Optionally, the processing submodule is specifically configured to:
send the target message to a plurality of preset honeypots;
and determine the honeypot that makes a service response to the target message, to obtain the target honeypot corresponding to the port of interest.
Optionally, the first determining module is specifically configured to:
analyzing the target description data in a designated dimension to obtain an analysis result;
select, based on the analysis result, the ports in the trapping node that meet a preset condition of interest, to obtain the port of interest to the attacker among all ports;
wherein the analysis processing of the specified dimension includes: analyzing the frequency change of the connection of each port in each time point of the same period;
The predetermined condition of interest includes: the connected frequency changes in a predetermined upward trend and the connected frequency reaches a predetermined threshold at a time of the analyzed period.
Based on the above method embodiment, the present application further provides a device for scheduling honeypot trapping policy, which is applied to trapping nodes, as shown in fig. 7, and the device includes:
A monitoring module 710, configured to monitor the traffic of all ports;
A third determining module 720, configured to determine target description data; wherein the target description data is used to characterize the traffic conditions generated when an attacker attempts to connect ports in the trapping node;
A reporting module 730, configured to report the target description data to a server, so that the server determines the port of interest to the attacker among all ports based on the target description data, obtains each probe message sent by the attacker to the port of interest when the port of interest of the trapping node is opened, and determines, based on each acquired probe message, the target honeypot corresponding to the port of interest; the target honeypot is the honeypot corresponding to the service the attacker is interested in;
And an association module 740, configured to associate the port of interest with the target honeypot in response to receiving the first control instruction of the server.
In the honeypot trapping policy scheduling device provided by the embodiment of the application, the trapping node can monitor the traffic of all ports, determine the traffic conditions generated at the ports of the trapping node (that is, determine the target description data) and report the target description data to the server; the server can receive the target description data reported by the trapping node and determine, based on it, the port of interest to the attacker among all ports; when the port of interest is opened, the attacker sends probe messages to the port of interest, and each probe message can represent the service the attacker is interested in; further, based on each probe message, the server determines the target honeypot corresponding to the port of interest and sends a first control instruction to the trapping node, and the trapping node associates the port of interest with the target honeypot after receiving the first control instruction. The method and device can thus automatically determine the port of interest to the attacker and the target honeypot corresponding to the service the attacker is interested in, and associate the two through the interaction of the server and the trapping node, so that the honeypot is automatically scheduled to adapt to the port and service the attacker is interested in. Therefore, the method automatically adapts to the dynamic changes of the attacker, which provides an implementation basis for capturing effective attack characteristics.
Optionally, all ports except for each target port in the all ports are in a closed state, and each target port comprises a port associated with a honeypot and/or a port which is not associated with the honeypot and is opened by default;
The apparatus further comprises:
An opening module, configured to open the port of interest in response to receiving a second control instruction of the server;
The second control instruction is an instruction sent to the trapping node by the server, in response to the port of interest in the trapping node not being opened, to control the opening of the port of interest in the trapping node.
Optionally, the apparatus further comprises:
A second closing module, configured to close the ports other than the port of interest that are associated with a honeypot, in response to receiving a third control instruction of the server;
The third control instruction is an instruction sent to the trapping node by the server, in response to the existence of a port other than the port of interest that is associated with a honeypot, to control the closing of that port.
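The trapping-node side (full-port monitoring, target description data, and the first, second and third control instructions above) as an added example; it is not the patent's own code. The port numbers, honeypot names, instruction format and time-slice layout are constructed assumptions.

```python
"""Trapping-node state: which ports are open, which honeypot each port is
drawn to, and how the server's control instructions change that state.
Added illustration; ports, honeypot names and the instruction format are
constructed for the example."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class TrapNode:
    node_id: str
    honeypot_ports: dict[int, str] = field(default_factory=dict)  # port -> honeypot
    default_open: set[int] = field(default_factory=set)           # open, no honeypot
    slices: int = 6                                                # time slices per period
    attempts: dict[int, list[int]] = field(default_factory=dict)  # port -> counts per slice

    def is_open(self, port: int) -> bool:
        """All ports are closed except the target ports (associated or default-open)."""
        return port in self.honeypot_ports or port in self.default_open

    def observe(self, port: int, slice_index: int) -> None:
        """S502: count every connection attempt on every port, open or closed."""
        self.attempts.setdefault(port, [0] * self.slices)[slice_index] += 1

    def target_description_data(self) -> dict:
        """The report sent to the server (S502)."""
        return {"node": self.node_id,
                "counts": {p: list(s) for p, s in sorted(self.attempts.items())}}

    def pull_traffic(self, port: int) -> str | None:
        """Traffic traction: honeypot name for an associated port, 'default' for a
        default-open port, None when the port is closed (nothing to forward to)."""
        if port in self.honeypot_ports:
            return self.honeypot_ports[port]
        return "default" if port in self.default_open else None

    def apply(self, instruction: dict) -> None:
        """Apply one control instruction from the server."""
        kind, port = instruction["kind"], instruction["port"]
        if kind == "open":             # second control instruction
            self.default_open.add(port)
        elif kind == "associate":      # first control instruction
            self.default_open.discard(port)
            self.honeypot_ports[port] = instruction["honeypot"]
        elif kind == "close_others":   # third control instruction
            for p in [p for p in self.honeypot_ports if p != port]:
                del self.honeypot_ports[p]
        else:
            raise ValueError(f"unknown instruction kind: {kind}")


def run_node_example() -> TrapNode:
    """One scheduling round on a node that starts with port 22 drawn to H_ssh."""
    node = TrapNode("H1", honeypot_ports={22: "H_ssh"}, default_open={80})
    # Constructed attempts as (slice index, port); 8443 is closed but still counted.
    for slice_index, port in [(0, 22), (1, 8443), (2, 8443), (2, 8443), (3, 3306)]:
        node.observe(port, slice_index)
    assert node.pull_traffic(8443) is None   # closed before any scheduling
    for instr in [{"kind": "open", "port": 8443},
                  {"kind": "associate", "port": 8443, "honeypot": "H_web"},
                  {"kind": "close_others", "port": 8443}]:
        node.apply(instr)
    return node


if __name__ == "__main__":
    n = run_node_example()
    print(n.target_description_data(), n.pull_traffic(8443), n.pull_traffic(22))
```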
The embodiment of the application also provides an electronic device, as shown in fig. 8, including:
a memory 801 for storing a computer program;
A processor 802, configured to implement any of the methods of honeypot trapping policy orchestration scheduling described above when executing the program stored on the memory 801.
And the electronic device may further comprise a communication bus and/or a communication interface, through which the processor 802, the communication interface, and the memory 801 communicate with each other.
The communication bus mentioned above for the electronic device may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The communication bus may be divided into an address bus, a data bus, a control bus, or the like. For ease of illustration, the figures show only one bold line, which does not mean there is only one bus or one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The memory may include Random Access Memory (RAM) or Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), etc.; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components.
In yet another embodiment of the present application, there is also provided a computer readable storage medium having stored therein a computer program which, when executed by a processor, implements the steps of the method of any of the honeypot trap policy orchestration schedules described above.
In yet another embodiment of the present application, there is also provided a computer program product containing instructions that, when run on a computer, cause the computer to perform the method of honeypot trapping policy orchestration scheduling of any of the above embodiments.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the flows or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example by wired means (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless means (e.g., infrared, radio, microwave, etc.). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, tape), an optical medium (e.g., DVD), or a Solid State Disk (SSD), etc.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In this specification, each embodiment is described in a related manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for system and apparatus embodiments, the description is relatively simple, as it is substantially similar to method embodiments, with reference to the section of the method embodiments being relevant.
The foregoing description is only of the preferred embodiments of the present application and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application are included in the protection scope of the present application.
Claims (13)
1. A method of honeypot trapping policy orchestration scheduling, applied to a server, the method comprising:
Receiving target description data reported by a trapping node; wherein the target description data is used to characterize the traffic conditions, determined by the trapping node by monitoring the traffic of all ports, that are generated when an attacker attempts to connect ports in the trapping node;
Determining the port of interest to the attacker among all ports based on the target description data;
Acquiring each probe message sent by the attacker to the port of interest when the port of interest in the trapping node is opened;
Classifying the acquired probe messages based on the target character strings in the acquired probe messages to obtain a classification result; determining a target message to be analyzed based on the classification result; performing guessing processing on the target message with respect to the service to be accessed, to obtain a target honeypot corresponding to the port of interest; the target honeypot is the honeypot corresponding to the service the attacker is interested in; the target message is a message from the class of probe messages with the largest number of messages; the target character string in each probe message is used to represent the access path of the probe message;
Controlling the trapping node to associate the port of interest with the target honeypot.
2. The method of claim 1, wherein all ports of the full ports are in a closed state except for each destination port, each destination port including a port associated with a honeypot and/or a port not associated with a honeypot and opened by default;
The method further comprises, when the interested port in the trap node is opened, before the attacker detects each message for the interested port, the steps of:
Responsive to a port of interest in the trap node not being open, the port of interest in the trap node is controlled to be open.
3. The method of claim 2, wherein after the controlling the trap node to associate the port of interest with the target honeypot, the method further comprises:
responsive to there being a port other than the port of interest associated with a honeypot, the port associated with the honeypot is closed.
4. The method of claim 1, wherein performing a guess process on the target message for the service to be accessed to obtain a target honeypot corresponding to the port of interest comprises:
the target message is sent to a plurality of preset honeypots;
and determining the honeypot for carrying out service response on the target message to obtain the target honeypot corresponding to the interested port.
5. The method according to any of claims 1-3, wherein said determining the port of interest to the attacker among all ports based on the target description data comprises:
analyzing the target description data in a designated dimension to obtain an analysis result;
Selecting ports meeting preset interested conditions in the trap node based on the analysis result to obtain interested ports of the whole ports for the attacker;
wherein the analysis processing of the specified dimension includes: analyzing the frequency change of the connection of each port in each time point of the same period;
The predetermined condition of interest includes: the connected frequency changes in a predetermined upward trend and the connected frequency reaches a predetermined threshold at a time of the analyzed period.
6. A method of honeypot trapping policy orchestration scheduling, applied to a trapping node, the method comprising:
Monitoring the flow of the full port;
Determining target description data; wherein the target description data is used to characterize the traffic conditions generated when an attacker attempts to connect ports in the trapping node;
Reporting the target description data to a server, so that the server determines an interested port of the whole ports for the attacker based on the target description data, and obtains each detection message of the interested port by the attacker under the condition that the interested port in the trapping node is opened; classifying the acquired detection messages based on the acquired target character strings in the detection messages to obtain classification results; determining a target message to be analyzed based on the classification result; performing guessing processing on the target message aiming at the service to be accessed to obtain a target honeypot corresponding to the interested port; the target honeypot is a honeypot corresponding to the service of interest of the attacker; the target message is a message in a detection message with the largest message quantity; the target character string in each detection message is used for representing the access path of the detection message;
And in response to receiving a first control instruction of the server, associating the port of interest with the target honeypot.
7. The method of claim 6, wherein all ports of the full ports are in a closed state except for each destination port, each destination port including a port associated with a honeypot and/or a port not associated with a honeypot and opened by default;
The method further comprises the steps of:
responsive to receiving a second control instruction of the server, opening the port of interest;
The second control instruction is an instruction which is sent to the trap node by the server and used for controlling the opening of the interested port in the trap node in response to the fact that the interested port in the trap node is not opened.
8. The method of claim 6, wherein the method further comprises:
Responsive to receiving a third control instruction from the server, closing ports other than the port of interest, which are associated with honeypots;
And the third control instruction is an instruction which is sent to the trap node by the server and used for controlling the port to be closed in response to the existence of the honeypot associated with the port except the interested port.
9. A system for honeypot trapping policy orchestration scheduling, the system comprising: a server and a trap node;
The trapping node is configured to monitor the traffic of all ports; determine target description data; and report the target description data to the server; wherein the target description data is used to characterize the traffic conditions generated when an attacker attempts to connect ports in the trapping node;
The server is configured to receive the target description data reported by the trapping node; determine the port of interest to the attacker among all ports based on the target description data; acquire each probe message sent by the attacker to the port of interest when the port of interest in the trapping node is opened; classify the acquired probe messages based on the target character strings in the acquired probe messages to obtain a classification result; determine a target message to be analyzed based on the classification result; perform guessing processing on the target message with respect to the service to be accessed to obtain a target honeypot corresponding to the port of interest, and send a first control instruction to the trapping node; the target honeypot is the honeypot corresponding to the service the attacker is interested in; the target message is a message from the class of probe messages with the largest number of messages; the target character string in each probe message is used to represent the access path of the probe message;
The trap node is configured to associate the port of interest with the target honeypot in response to receiving a first control instruction of the server.
10. An apparatus for honeypot trapping policy orchestration scheduling, for use with a server, the apparatus comprising:
A receiving module, configured to receive target description data reported by a trapping node; wherein the target description data is used to characterize the traffic conditions, determined by the trapping node by monitoring the traffic of all ports, that are generated when an attacker attempts to connect ports in the trapping node;
A first determining module, configured to determine, based on the target description data, the port of interest to the attacker among all ports;
the acquisition module is used for acquiring each detection message of the interested port by the attacker under the condition that the interested port in the trap node is opened;
The second determining module is used for classifying the acquired detection messages based on the acquired target character strings in the detection messages to obtain classification results; determining a target message to be analyzed based on the classification result; performing guessing processing on the target message aiming at the service to be accessed to obtain a target honeypot corresponding to the interested port; the target honeypot is a honeypot corresponding to the service of interest of the attacker; the target message is a message in a detection message with the largest message quantity; the target character string in each detection message is used for representing the access path of the detection message;
A first control module for controlling the trap node to associate the port of interest with the target honeypot.
11. An apparatus for honeypot trapping policy orchestration scheduling, applied to a trapping node, the apparatus comprising:
the monitoring module is used for monitoring the flow of the full port;
A third determining module, configured to determine target description data; wherein the target description data is used to characterize the traffic conditions generated when an attacker attempts to connect ports in the trapping node;
The reporting module is used for reporting the target description data to a server so that the server determines an interested port of the whole ports for the attacker based on the target description data, and obtains each detection message of the attacker for the interested port under the condition that the interested port of the trapping node is opened; classifying the acquired detection messages based on the acquired target character strings in the detection messages to obtain classification results; determining a target message to be analyzed based on the classification result; performing guessing processing on the target message aiming at the service to be accessed to obtain a target honeypot corresponding to the interested port; the target honeypot is a honeypot corresponding to the service of interest of the attacker; the target message is a message in a detection message with the largest message quantity; the target character string in each detection message is used for representing the access path of the detection message;
And the association module is used for associating the interested port with the target honeypot in response to receiving a first control instruction of the server.
12. An electronic device, comprising:
A memory for storing a computer program;
a processor for implementing the method of any of claims 1-8 when executing a program stored on a memory.
13. A computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of any of claims 1-8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410851604.0A CN118400202B (en) | 2024-06-27 | 2024-06-27 | Method, system, device, equipment and product for scheduling honeypot trapping strategy |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410851604.0A CN118400202B (en) | 2024-06-27 | 2024-06-27 | Method, system, device, equipment and product for scheduling honeypot trapping strategy |
Publications (2)
Publication Number | Publication Date |
---|---|
CN118400202A CN118400202A (en) | 2024-07-26 |
CN118400202B true CN118400202B (en) | 2024-08-27 |
Family
ID=91986514
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410851604.0A Active CN118400202B (en) | 2024-06-27 | 2024-06-27 | Method, system, device, equipment and product for scheduling honeypot trapping strategy |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118400202B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110743121A (en) * | 2019-10-22 | 2020-02-04 | 珠海格力电器股份有限公司 | Fire-fighting treatment method and refrigeration equipment |
CN113079157A (en) * | 2021-03-31 | 2021-07-06 | 广州锦行网络科技有限公司 | Method and device for acquiring network attacker position and electronic equipment |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1578082B1 (en) * | 2004-03-16 | 2007-04-18 | AT&T Corp. | Method and apparatus for providing mobile honeypots |
CN112422481B (en) * | 2019-08-22 | 2021-10-26 | 华为技术有限公司 | Trapping method, system and forwarding equipment for network threats |
US11750651B2 (en) * | 2019-09-04 | 2023-09-05 | Oracle International Corporation | Honeypots for infrastructure-as-a-service security |
US11271907B2 (en) * | 2019-12-19 | 2022-03-08 | Palo Alto Networks, Inc. | Smart proxy for a large scale high-interaction honeypot farm |
CN113660282A (en) * | 2021-08-23 | 2021-11-16 | 公安部第三研究所 | A ransomware defense method, system and related equipment based on trusted computing |
CN113794699B (en) * | 2021-08-30 | 2022-06-07 | 西安交通大学 | A network analysis and processing method |
CN113872973B (en) * | 2021-09-29 | 2023-07-07 | 武汉众邦银行股份有限公司 | Method and device for realizing mimicry honeypot based on iptables |
2024
- 2024-06-27 CN CN202410851604.0A patent/CN118400202B/en active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110743121A (en) * | 2019-10-22 | 2020-02-04 | 珠海格力电器股份有限公司 | Fire-fighting treatment method and refrigeration equipment |
CN113079157A (en) * | 2021-03-31 | 2021-07-06 | 广州锦行网络科技有限公司 | Method and device for acquiring network attacker position and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
CN118400202A (en) | 2024-07-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR101010302B1 (en) | Management System and Method for IRC and HTPT Botnet Security Control | |
WO2022083226A1 (en) | Anomaly identification method and system, storage medium and electronic device | |
US8347375B2 (en) | System and method for dynamic distribution of intrusion signatures | |
WO2017154012A1 (en) | Ddos defence in a packet-switched network | |
US20030188190A1 (en) | System and method of intrusion detection employing broad-scope monitoring | |
US20130031625A1 (en) | Cyber threat prior prediction apparatus and method | |
CN108768942B (en) | A DDoS attack detection method and detection device based on adaptive threshold | |
WO2008148106A1 (en) | Proactive test-based differentiation method and system to mitigate low rate dos attacks | |
Zheng et al. | Safeguarding building automation networks: THE-driven anomaly detector based on traffic analysis | |
US12069077B2 (en) | Methods for detecting a cyberattack on an electronic device, method for obtaining a supervised random forest model for detecting a DDoS attack or a brute force attack, and electronic device configured to detect a cyberattack on itself | |
Wang et al. | Software defined network security framework for IoT based smart home and city applications | |
US8463921B2 (en) | Method and system for controlling a computer application program | |
CN118400202B (en) | Method, system, device, equipment and product for scheduling honeypot trapping strategy | |
CN109274638A (en) | A kind of method and router of attack source access automatic identification processing | |
CN114301706B (en) | Defense method, device and system based on existing threat in target node | |
CN119094207B (en) | Data security transmission method for intelligent home | |
TWM632159U (en) | System for performing tasks according to recorded analysis results to realize device joint defense | |
US20050240780A1 (en) | Self-propagating program detector apparatus, method, signals and medium | |
Movva et al. | Intelligent IDS: Venus Fly-trap optimization with honeypot approach for intrusion detection and prevention | |
CN118337487A (en) | A method and system for intelligent control of secure network information based on big data | |
Kato et al. | A real-time intrusion detection system (IDS) for large scale networks and its evaluations | |
TWI835113B (en) | System for executing task based on an analysis result of records for achieving device joint defense and method thereof | |
KR101025502B1 (en) | System and method for detecting and responding to network-based IRC and HPTB botnets | |
CN116560764B (en) | Application program interface control method and device | |
CN116684872B (en) | An Internet of Things security protection system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||