CN113037777B

Movatterモバイル変換

Info

Publication number: CN113037777B
Application number: CN202110385138.8A
Authority: CN
Inventors: 吴建亮; 胡鹏; 陈寿彬
Original assignee: Guangzhou Jeeseen Network Technologies Co Ltd
Current assignee: Guangzhou Jeeseen Network Technologies Co Ltd
Priority date: 2021-04-09
Filing date: 2021-04-09
Publication date: 2021-12-03
Anticipated expiration: 2041-04-09
Also published as: CN113037777A

Abstract

The invention discloses a distribution method and device of honeypot baits, a storage medium and electronic equipment, and belongs to the field of network security. Wherein, the method comprises the following steps: acquiring attack behavior data of a network attack source executing an attack event; generating an attack path of the attack event according to the attack behavior data, wherein the attack path comprises a plurality of key nodes attacked by the network attack source; honeypot baits are distributed on key nodes of the attack path. By the method and the device, the technical problem that the honeypots in the related technology cannot defend attacks in a targeted manner is solved, and the defense efficiency of the honeypot network is improved.

Description

Honeypot bait distribution method and device, storage medium and electronic equipment

Technical Field

The invention relates to the field of network security, in particular to a distribution method and device of honeypot baits, a storage medium and electronic equipment.

Background

In view of the above problems in the related art, no effective solution has been found at present.

Disclosure of Invention

The embodiment of the invention provides a distribution method and device of honeypot baits, a storage medium and electronic equipment.

According to an aspect of an embodiment of the present application, there is provided a method for distributing honeypot bait, including: acquiring attack behavior data of a network attack source executing an attack event; generating an attack path of the attack event according to the attack behavior data, wherein the attack path comprises a plurality of key nodes attacked by the network attack source; honeypot baits are distributed on key nodes of the attack path.

Further, acquiring attack behavior data of the network attack source executing the attack event includes: acquiring attack flow of the network attack source to a host node, wherein the host node is used for deploying network services; forwarding the attack traffic from the host node to a trap node, wherein the trap node is to map a honeypot port; forwarding the attack traffic from the trapping node to a honeypot network based on the honeypot port; and acquiring the attack behavior data of the attack event in the honeypot network.

Further, acquiring attack behavior data of the network attack source executing the attack event includes: acquiring attack traffic of the network attack source to a trapping node, wherein the trapping node is used for mapping a honeypot port; forwarding the attack traffic from the trapping node to a honeypot network based on the honeypot port; and acquiring the attack behavior data of the attack event in the honeypot network.

Further, the acquiring the attack behavior data of the attack event in the honeypot network comprises: recording file access records and process creation records of the network attack source in the honeypot network, wherein the honeypot network is preset with a camouflage operating system and a service application; and reading log information of the file access record and the process creation record, and outputting the log information as attack behavior data of the attack event.

Further, generating an attack path of the attack event according to the attack behavior data includes: acquiring attack behavior data of a plurality of honeypot nodes of a honeypot network, wherein the honeypot network comprises the plurality of honeypot nodes, and each honeypot node corresponds to a copy of the attack behavior data; after data deduplication is carried out on the attack behavior data, a plurality of file access records in the deduplicated attack behavior data are sequenced according to a time sequence; and generating an attack path of the attack event based on the plurality of file access records and the corresponding time sequence.

Further, generating an attack path of the attack event according to the attack behavior data includes: acquiring attack behavior data of a plurality of honeypot nodes of a honeypot network, wherein the honeypot network comprises the plurality of honeypot nodes, and each honeypot node corresponds to a copy of the attack behavior data; after data deduplication is carried out on the attack behavior data, a plurality of file access records in the deduplicated attack behavior data are sequenced according to frequency; and generating an attack path of the attack event based on the plurality of file access records and the corresponding access frequency.

Further, distributing honeypot baits on critical nodes of the attack path includes: generating a bait script according to the attack path, and generating a deployment script of the bait script according to the attack path, wherein the bait script is used for generating honeypot baits on honeypot nodes, and the deployment script is used for selecting honeypot nodes of the bait script to be issued in a honeypot network; selecting honeypot nodes corresponding to the key nodes in a honeypot network according to the deployment script; and issuing the bait script to the honeypot node so that the bait script is automatically executed locally at the honeypot node and generates honeypot baits.

Further, if the attack event is a remote desktop connection RDP event, generating a bait script according to the attack path includes: selecting a penetration starting node from the attack path; reading remote login information from the RDP record of the infiltration starting node; a first bait script is generated based on the telnet information.

Further, if the attack event is a hostname modification event, generating a bait script according to the attack path includes: selecting a penetration target node from the attack path; reading local login information of the penetration target node, and reading source host information and target host information from a hostname modification record of the penetration target node; generating a second bait script based on the local login information and the target host information.

Further, if the attack event is a remote desktop connection RDP event, generating the deployment script of the decoy script according to the attack path includes: selecting a penetration target node from the attack path; acquiring first position information and first equipment information of the penetration target node; generating a first twin node of the plurality of penetration target nodes based on the first device information replication; generating a first deployment script based on the first twin node and the first location information package.

Further, if the attack event is a hostname modification event, generating the deployment script of the bait script according to the attack path includes: selecting a penetration starting node from the attack path; acquiring second position information and second equipment information of the penetration starting node; generating a second twin node of the plurality of penetration initiation nodes based on the second device information replication; generating a second deployment script based on the second twin node and the second location information package.

There is also provided, in accordance with another aspect of an embodiment of the present application, a honeypot bait dispensing apparatus, including: the acquisition module is used for acquiring attack behavior data of a network attack source executing an attack event; the generating module is used for generating an attack path of the attack event according to the attack behavior data, wherein the attack path comprises a plurality of key nodes attacked by the network attack source; and the distribution module is used for distributing honeypot baits on the key nodes of the attack path.

Further, the obtaining module includes: an obtaining unit, configured to obtain an attack traffic of the network attack source for a host node, where the host node is configured to deploy a network service; a first forwarding unit, configured to forward the attack traffic from the host node to a trapping node, wherein the trapping node is configured to map a honeypot port; a second forwarding unit for forwarding the attack traffic from the trapping node to a honeypot network based on the honeypot port; and the second acquisition unit is used for acquiring the attack behavior data of the attack event in the honeypot network.

Further, the obtaining module includes: a third obtaining unit, configured to obtain attack traffic of the network attack source for a trap node, where the trap node is used to map a honeypot port; a third forwarding unit for forwarding the attack traffic from the trapping node to a honeypot network based on the honeypot port; and the second acquisition unit is used for acquiring the attack behavior data of the attack event in the honeypot network.

Further, the second acquisition unit includes: the recording unit is used for recording file access records and process creation records of the network attack source in the honeypot network, wherein the honeypot network is preset with a camouflage operating system and a service application; and the reading unit is used for reading the log information of the file access record and the process creation record and outputting the log information as the attack behavior data of the attack event.

Further, the generating module includes: the system comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring attack behavior data of a plurality of honeypot nodes of a honeypot network, the honeypot network comprises the plurality of honeypot nodes, and each honeypot node corresponds to one piece of attack behavior data; the first sequencing unit is used for sequencing a plurality of file access records in the attack behavior data after the data deduplication is carried out on the attack behavior data according to a time sequence; and the first generation unit is used for generating an attack path of the attack event based on the plurality of file access records and the corresponding time sequence.

Further, the generating module includes: the system comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring attack behavior data of a plurality of honeypot nodes of a honeypot network, the honeypot network comprises the plurality of honeypot nodes, and each honeypot node corresponds to one piece of attack behavior data; the second sequencing unit is used for sequencing a plurality of file access records in the attack behavior data after the data deduplication is carried out on the attack behavior data according to the frequency; and the second generation unit is used for generating an attack path of the attack event based on the plurality of file access records and the corresponding access frequency.

Further, the assignment module includes: the generating unit is used for generating a bait script according to the attack path and generating a deployment script of the bait script according to the attack path, wherein the bait script is used for generating honeypot baits on honeypot nodes, and the deployment script is used for selecting honeypot nodes of the bait script to be issued in a honeypot network; the selecting unit is used for selecting honeypot nodes corresponding to the key nodes in the honeypot network according to the deployment script; and the issuing unit is used for issuing the bait script to the honeypot node so as to enable the bait script to be automatically executed locally at the honeypot node and generate the honeypot bait.

Further, if the attack event is a remote desktop connection RDP event, the generating unit includes: a first selection subunit, configured to select a penetration start node from the attack path; the first reading subunit is used for reading the remote login information from the RDP record of the infiltration starting node; a first generating subunit configured to generate a first bait script based on the telnet information.

Further, if the attack event is a hostname modification event, the generating unit includes: the second selection subunit is used for selecting a penetration target node from the attack path; the second reading subunit is used for reading the local login information of the penetration target node and reading the source host information and the target host information from the hostname modification record of the penetration target node; and the second generation subunit is used for generating a second bait script based on the local login information and the target host information.

Further, if the attack event is a remote desktop connection RDP event, the generating unit includes: a third selecting subunit, configured to select a penetration target node from the attack path; the first acquisition subunit is used for acquiring first position information and first equipment information of the penetration target node; a first replication sub-unit configured to replicate and generate a first twin node of the plurality of infiltration target nodes based on the first device information; a third generating subunit, configured to generate a first deployment script based on the first twin node and the first location information package.

Further, if the attack event is a hostname modification event, the generating unit includes: a fourth selection subunit, configured to select a penetration start node from the attack path; the second obtaining subunit is configured to obtain second position information and second device information of the infiltration start node; a second replication sub-unit configured to replicate and generate a second twin node of the plurality of penetration start nodes based on the second device information; and the fourth generation subunit is used for generating a second deployment script based on the second twin node and the second position information package.

According to another aspect of the embodiments of the present application, there is also provided a storage medium including a stored program that executes the above steps when the program is executed.

According to another aspect of the embodiments of the present application, there is also provided an electronic device, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus; wherein: a memory for storing a computer program; a processor for executing the steps of the method by running the program stored in the memory.

Embodiments of the present application also provide a computer program product containing instructions, which when run on a computer, cause the computer to perform the steps of the above method.

According to the invention, the attack behavior data of the network attack source executing the attack event is obtained, the attack path of the attack event is generated according to the attack behavior data, wherein the attack path comprises a plurality of key nodes attacked by the network attack source, finally, honeypot baits are distributed on the key nodes of the attack path, the key nodes for deploying the baits are obtained through data analysis by recording and analyzing the attack path of the network attack source, the safety of network protection is improved, the probability that the network attack source falls into honeypots is improved through efficient bait deployment, the technical problem that honeypots in the related technology can not defend attacks in a targeted manner is solved, and the defense efficiency of a honeypot network is improved.

Drawings

The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:

fig. 1 is a block diagram of a hardware configuration of a server according to an embodiment of the present invention;

FIG. 2 is a flow chart of a method of honeypot bait distribution according to an embodiment of the present invention;

FIG. 3 is a schematic diagram of an implementation of an embodiment of the present invention;

FIG. 4 is a workflow diagram of an embodiment of the present invention;

FIG. 5 is a block diagram of a honeypot bait dispensing device according to an embodiment of the present invention;

fig. 6 is a block diagram of an electronic device implementing an embodiment of the invention.

Detailed Description

In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.

It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.

Example 1

The method provided by the first embodiment of the present application may be executed in a server, a computer, a honeypot host device, or a similar computing device. Taking an example of the server running on the server, fig. 1 is a hardware structure block diagram of a server according to an embodiment of the present invention. As shown in fig. 1, the server may include one or more (only one shown in fig. 1) processors 102 (the processors 102 may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and amemory 104 for storing data, and optionally may also include atransmission device 106 for communication functions and an input-output device 108. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration, and is not intended to limit the structure of the server. For example, the server may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.

Thememory 104 may be used for storing a server program, for example, a software program and a module of application software, such as a server program corresponding to a distribution method of honeypot baits in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the server program stored in thememory 104, thereby implementing the above-mentioned method. Thememory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, thememory 104 may further include memory located remotely from the processor 102, which may be connected to a server over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.

Thetransmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the server. In one example, thetransmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, thetransmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.

In the present embodiment, a distribution method of honeypot baits is provided, and fig. 2 is a flowchart of a distribution method of honeypot baits according to an embodiment of the present invention, as shown in fig. 2, the flowchart includes the following steps:

step S202, acquiring attack behavior data of a network attack source executing an attack event;

the network attack source of this embodiment refers to a device, a script, a program, and the like that initiate a network attack, and the attack event refers to an illegal operation event executed on an attacked device, such as remote login, host name change, file query, and a process creation.

Step S204, generating an attack path of an attack event according to the attack behavior data, wherein the attack path comprises a plurality of key nodes attacked by the network attack source;

the key nodes of this embodiment are specific honeypot nodes in a honeypot network, and are honeypot nodes through which an attack event executed by a network attack source must pass or be utilized, the honeypot nodes are externally disguised as normal service hosts, and an attacker is induced to attack the honeypot through opening bugs, ports, weak passwords and the like.

Step S206, honeypot baits are distributed on the key nodes of the attack path.

The honeypot bait of the present embodiment is data for confusing an attacker, and may be information such as a file, a database, a flag, and code.

Through the steps, attack behavior data of the network attack source executing the attack event are obtained, the attack path of the attack event is generated according to the attack behavior data, the attack path comprises a plurality of key nodes attacked by the network attack source, honeypot baits are distributed on the key nodes of the attack path, the key nodes for deploying the baits are obtained through data analysis by recording and analyzing the attack path of the network attack source, the safety of network protection is improved, the probability that the network attack source falls into honeypots is improved through efficient bait deployment, the technical problem that honeypots in the related technology cannot defend attacks in a targeted mode is solved, and the defense efficiency of the honeypot network is improved.

In an application scenario manner of this embodiment, acquiring attack behavior data of a network attack source executing an attack event includes: acquiring attack flow of a network attack source aiming at a host node, wherein the host node is used for deploying network service; forwarding the attack traffic from the host node to a trap node, wherein the trap node is used for mapping the honeypot port; forwarding the attack traffic from the trapping node to the honeypot network based on the honeypot port; and acquiring the attack behavior data of the attack event in the honeypot network.

In another application scenario manner of this embodiment, the acquiring attack behavior data of the network attack source executing the attack event includes: acquiring attack traffic of a network attack source aiming at trapping nodes, wherein the trapping nodes are used for mapping honeypot ports; forwarding the attack traffic from the trapping node to the honeypot network based on the honeypot port; and acquiring the attack behavior data of the attack event in the honeypot network.

In one implementation of this embodiment, acquiring attack behavior data of an attack event in a honeypot network includes: recording file access records and process creation records of a network attack source in a honeypot network, wherein the honeypot network is preset with a disguised operating system and service application; and reading log information of the file access record and the process creation record, and outputting the log information as attack behavior data of the attack event.

In an implementation manner of this embodiment, generating an attack path based on the file access event sequence, and generating the attack path of the attack event according to the attack behavior data includes: acquiring attack behavior data of a plurality of honeypot nodes of a honeypot network, wherein the honeypot network comprises the plurality of honeypot nodes, and each honeypot node corresponds to one piece of attack behavior data; after data deduplication is performed on the attack behavior data, sequencing a plurality of file access records in the deduplicated attack behavior data according to a time sequence; and generating an attack path of the attack event based on the plurality of file access records and the corresponding time sequence.

In this embodiment, when executing an attack event, the network attack source needs to implement the attack event according to a certain time sequence, for example, access the operating system first, then access the application program, and finally access the file in the application program.

In another implementation manner of this embodiment, generating an attack path based on the event frequency (or the number of times) of file access, and generating the attack path of the attack event according to the attack behavior data includes: acquiring attack behavior data of a plurality of honeypot nodes of a honeypot network, wherein the honeypot network comprises the plurality of honeypot nodes, and each honeypot node corresponds to one piece of attack behavior data; after data deduplication is performed on the attack behavior data, sequencing a plurality of file access records in the deduplicated attack behavior data according to frequency; and generating an attack path of the attack event based on the plurality of file access records and the corresponding access frequency.

In this embodiment, when the network attack source executes an attack event, there is no specific time sequence, all objects in the honeypot network may be traversed, and honeypot nodes with a large number of traversals may be used as key nodes in an attack path.

The attack path comprises a honeynet entrance for an attacker to enter the honeypot network, a transverse path and a longitudinal path, wherein the transverse strength is an attack path in a single honeypot node, and the longitudinal path is an attack path between two honeypot nodes, such as a shell for acquiring honeypots (from a honeypot host to a honeypot host) by transversely moving in the honeypot network, for example, the shell attacks honeypot b from honeypot a, takes the host authority of honeypot b, and then attacks other honeypots from honeypot b.

In this embodiment, distributing honeypot baits on critical nodes of an attack path includes:

s11, generating a bait script according to the attack path and generating a deployment script of the bait script according to the attack path, wherein the bait script is used for generating honeypot baits on honeypot nodes, and the deployment script is used for selecting honeypot nodes of the bait script to be issued in a honeypot network;

in an application scenario, the attack event is a Remote Desktop connection (RDP) event, and generating a bait script according to an attack path includes: selecting a penetration starting node from the attack path; reading remote login information from the RDP record of the infiltration starting node; a first bait script is generated based on the telnet information.

The first bait script comprises an account number, a password, a VPN and the like used by remote login, and the infiltration starting node is a honeypot node initiating the remote login, and the infiltration target node can be controlled and accessed on the infiltration starting node by initiating the remote login.

In the application scenario, the generating of the deployment script of the decoy script according to the attack path includes: selecting a penetration target node from the attack path; acquiring first position information and first equipment information of a penetration target node; generating a first twin node of the plurality of infiltration target nodes based on the first device information replication; a first deployment script is generated based on the first twin node and the first location information package.

The first position information of the infiltration target node is used for representing the position of the infiltration target node in the honeypot network, such as an IP address, a MAC address and the like, and since honeypot baits are all virtual and informal devices, a plurality of identical infiltration target nodes can be generated by copying the first device information to be used as twin nodes, and when the honeypot baits are attacked later, a plurality of first twin nodes can be selected to be used as attack objects, so that the trapping probability is improved.

In another application scenario, the attack event is a hostname modification event, and generating the bait script according to the attack path includes: selecting a penetration target node from the attack path; reading local login information of the penetration target node, and reading source host information and target host information from a hostname modification record of the penetration target node; a second bait script is generated based on the local login information and the target host information.

In the application scenario, the generating of the deployment script of the decoy script according to the attack path includes: selecting a penetration starting node from the attack path; acquiring second position information and second equipment information of the penetration starting node; generating a second twin node of the plurality of penetration initiation nodes based on the second device information replication; and generating a second deployment script based on the second twin node and the second position information package.

S12, selecting honeypot nodes corresponding to the key nodes in the honeypot network according to the deployment script;

and S13, issuing the bait script to the honeypot node so that the bait script can be automatically executed locally at the honeypot node and generate the honeypot bait.

For example, a bait recorded by the hostname is deployed on a window computer in an office area, the bait contains information such as an IP (Internet protocol) and an account password of a window honeypot, a manager can follow a scheme in a security operation center to generate a corresponding script, the manager can download the script and upload the script to the window computer in the office area of the real business network, and the bait information can be generated by running the script.

Fig. 3 is an implementation schematic diagram of an embodiment of the present invention, which provides a honeybee control-based bait guidance method, and combines the attack behavior of an attacker and honeybee technology to guide the bait deployment of a honeypot operating system and a real host environment. The implementation principle is shown in fig. 3, and functionally includes the following modules:

attacker (external network attack source): as an attacker to a certain honeypot system, the system can be trapped by the honeypot system and can launch continuous attack behaviors to the honeypot system;

and (4) honeypot: the service port and the weak password which are easy to be utilized are provided for logging in the disguised operating system and the service application;

a real host: a service host in a real environment;

trapping the nodes: as an entrance of the trap, mapping out port services of the honeypot and forwarding attack traffic;

attack behavior analysis system: the attack behavior data collected by the honeypot system is analyzed, the attack path of an attacker is depicted, and a complete attack path and a bait deployment scheme are output;

the safety operation center: and recording an attack path of an attacker, issuing a strategy script to the honeypot, finishing honeypot bait deployment and outputting a bait deployment guidance scheme to the service host under the real environment.

The implementation steps comprise:

s31, the attacker attacks the real host and the trapping node, the trapping node forwards the attack flow to the honeypot, and the honeypot continuously induces the attacker to attack continuously;

s32, the honeypot transmits the collected attack behavior data of the attacker to an attack behavior analysis system completely, and the attack behavior analysis system carries out attack path drawing according to the collected data;

s33, the attack behavior analysis system outputs the attack path portrait and the bait deployment recommendation scheme to a security operation center, the security operation center records the attack path of each attacker, can generate a corresponding strategy script and a real host bait deployment recommendation scheme according to the recommendation scheme, and issues the strategy script to the bait deployment strategy script corresponding to the honeypot, so as to realize prejudgment planning on the attack path of the attacker;

s34, the honeypot system automatically runs the strategy script and realizes the deployment of the bait;

s35, the administrator can generate corresponding scripts according to the real host decoy deployment recommendation scheme by one key, and the scripts can be downloaded to the real host for deployment;

s36, according to the continuous analysis and learning of the attack behavior of the attacker, the record of the attack path habit can be matched with different protection requirements of different industries on the core assets, the efficient bait deployment is carried out, and the probability that the attacker falls into a honeypot is improved;

s37, bait is deployed among the honeypot systems, the relevance of honeypots is enhanced, and attackers are arranged in the attack paths specifically arranged by the systems, so that a great deal of time and energy of the attackers are consumed.

Fig. 4 is a flowchart of the operation of the embodiment of the present invention, in which the honeypot system has been deployed according to the preset attack path key node bait, and continuously collects and outputs the attack behavior data of the attacker, so as to perform deployment update, where the deployment update includes:

s41, initializing honeypot system deployment, deploying baits among honeypots by the safety operation center according to a preset attack path of the requirements of different general industries on core asset protection, and generating a bait deployment recommendation scheme of a real host for an administrator by the safety operation center according to the types and the quantity of the honeypots;

s42, when an attacker permeates the honeypot system, the honeypot transmits attack data of the attacker back to the attack behavior analysis center for data cleaning, and continuous attack events with the same property are merged;

s43, after the data cleaning is finished, the attack events are sequenced according to the time sequence;

s44, the attack behavior analysis center carves an attack path according to the attack event;

s45, the attack behavior analysis center analyzes the key nodes of the attack path and outputs a bait deployment scheme;

s46, the administrator can perform bait deployment and update on the honeypots in the safety operation center according to the scheme and output a real host recommendation scheme;

s47, the administrator runs the script on the real host to complete the bait deployment;

s48, the security operation center continuously learns the attack paths of different attackers, and a more efficient bait deployment scheme is obtained according to data analysis, so that the security of intranet protection is improved, and the source tracing of the attackers is deepened.

By adopting the scheme of the embodiment, the deployment condition of the bait is determined according to the attack behavior analysis result of the attacker, the intelligent matching of bait deployment is realized, the attacker is induced to permeate in the honey net according to the path preset by the system, and richer attack behaviors and data are captured; bait deployment of the honeypot system is replaced in an automatic script running mode, and the honeypot system is more efficient and sustainable than manual operation; the intelligent and efficient bait deployment can greatly improve the effect of the honey net, enhance the authenticity of the honey net, consume a large amount of time and energy of attackers, and obtain valuable time for the response, defense and traceability of administrators. By continuously recording the attack path of the learning attacker and obtaining the key nodes for deploying the baits through data analysis, the safety of intranet protection is improved.

Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.

Example 2

In this embodiment, there is also provided a distribution device for honeypot baits, which is used to implement the above embodiments and preferred embodiments, and the description thereof is omitted here. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.

Fig. 5 is a block diagram showing the structure of a honeypot decoy distribution device according to an embodiment of the present invention, as shown in fig. 5, the device includes: an acquisition module 50, a generation module 52, an assignment module 54, wherein,

an obtaining module 50, configured to obtain attack behavior data of a network attack source executing an attack event;

a generating module 52, configured to generate an attack path of the attack event according to the attack behavior data, where the attack path includes a plurality of key nodes attacked by the network attack source;

an allocation module 54 for allocating honeypot baits on critical nodes of the attack path.

Optionally, the obtaining module includes: an obtaining unit, configured to obtain an attack traffic of the network attack source for a host node, where the host node is configured to deploy a network service; a first forwarding unit, configured to forward the attack traffic from the host node to a trapping node, wherein the trapping node is configured to map a honeypot port; a second forwarding unit for forwarding the attack traffic from the trapping node to a honeypot network based on the honeypot port; and the second acquisition unit is used for acquiring the attack behavior data of the attack event in the honeypot network.

Optionally, the obtaining module includes: a third obtaining unit, configured to obtain attack traffic of the network attack source for a trap node, where the trap node is used to map a honeypot port; a third forwarding unit for forwarding the attack traffic from the trapping node to a honeypot network based on the honeypot port; and the second acquisition unit is used for acquiring the attack behavior data of the attack event in the honeypot network.

Optionally, the second obtaining unit includes: the recording unit is used for recording file access records and process creation records of the network attack source in the honeypot network, wherein the honeypot network is preset with a camouflage operating system and a service application; and the reading unit is used for reading the log information of the file access record and the process creation record and outputting the log information as the attack behavior data of the attack event.

Optionally, the generating module includes: the system comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring attack behavior data of a plurality of honeypot nodes of a honeypot network, the honeypot network comprises the plurality of honeypot nodes, and each honeypot node corresponds to one piece of attack behavior data; the first sequencing unit is used for sequencing a plurality of file access records in the attack behavior data after the data deduplication is carried out on the attack behavior data according to a time sequence; and the first generation unit is used for generating an attack path of the attack event based on the plurality of file access records and the corresponding time sequence.

Optionally, the generating module includes: the system comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring attack behavior data of a plurality of honeypot nodes of a honeypot network, the honeypot network comprises the plurality of honeypot nodes, and each honeypot node corresponds to one piece of attack behavior data; the second sequencing unit is used for sequencing a plurality of file access records in the attack behavior data after the data deduplication is carried out on the attack behavior data according to the frequency; and the second generation unit is used for generating an attack path of the attack event based on the plurality of file access records and the corresponding access frequency.

Optionally, the allocating module includes: the generating unit is used for generating a bait script according to the attack path and generating a deployment script of the bait script according to the attack path, wherein the bait script is used for generating honeypot baits on honeypot nodes, and the deployment script is used for selecting honeypot nodes of the bait script to be issued in a honeypot network; the selecting unit is used for selecting honeypot nodes corresponding to the key nodes in the honeypot network according to the deployment script; and the issuing unit is used for issuing the bait script to the honeypot node so as to enable the bait script to be automatically executed locally at the honeypot node and generate the honeypot bait.

Optionally, if the attack event is a remote desktop connection RDP event, the generating unit includes: a first selection subunit, configured to select a penetration start node from the attack path; the first reading subunit is used for reading the remote login information from the RDP record of the infiltration starting node; a first generating subunit configured to generate a first bait script based on the telnet information.

Optionally, if the attack event is a hostname modification event, the generating unit includes: the second selection subunit is used for selecting a penetration target node from the attack path; the second reading subunit is used for reading the local login information of the penetration target node and reading the source host information and the target host information from the hostname modification record of the penetration target node; and the second generation subunit is used for generating a second bait script based on the local login information and the target host information.

Optionally, if the attack event is a remote desktop connection RDP event, the generating unit includes: a third selecting subunit, configured to select a penetration target node from the attack path; the first acquisition subunit is used for acquiring first position information and first equipment information of the penetration target node; a first replication sub-unit configured to replicate and generate a first twin node of the plurality of infiltration target nodes based on the first device information; a third generating subunit, configured to generate a first deployment script based on the first twin node and the first location information package.

Optionally, if the attack event is a hostname modification event, the generating unit includes: a fourth selection subunit, configured to select a penetration start node from the attack path; the second obtaining subunit is configured to obtain second position information and second device information of the infiltration start node; a second replication sub-unit configured to replicate and generate a second twin node of the plurality of penetration start nodes based on the second device information; and the fourth generation subunit is used for generating a second deployment script based on the second twin node and the second position information package.

It should be noted that, the above modules may be implemented by software or hardware, and for the latter, the following may be implemented, but not limited to: the modules are all positioned in the same processor; alternatively, the modules are respectively located in different processors in any combination.

Example 3

Fig. 6 is a structural diagram of an electronic device according to an embodiment of the present invention, and as shown in fig. 6, the electronic device includes aprocessor 61, acommunication interface 62, amemory 63, and acommunication bus 64, where theprocessor 61, thecommunication interface 62, and thememory 63 complete mutual communication through thecommunication bus 64, and thememory 63 is used for storing a computer program; theprocessor 61 is configured to implement the following steps when executing the program stored in the memory 63: acquiring attack behavior data of a network attack source executing an attack event; generating an attack path of the attack event according to the attack behavior data, wherein the attack path comprises a plurality of key nodes attacked by the network attack source; honeypot baits are distributed on key nodes of the attack path.

The communication bus mentioned in the above terminal may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.

The communication interface is used for communication between the terminal and other equipment.

The Memory may include a Random Access Memory (RAM) or a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.

The Processor may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Network Processor (NP), and the like; the Integrated Circuit may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, a discrete Gate or transistor logic device, or a discrete hardware component.

In yet another embodiment provided herein, there is also provided a computer-readable storage medium having stored therein instructions that, when executed on a computer, cause the computer to perform the method for allocation of honeypot baits as described in any of the above embodiments.

In yet another embodiment provided herein, there is also provided a computer program product containing instructions that, when run on a computer, cause the computer to perform the method for honeypot bait distribution of any of the above embodiments.

In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the application to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website site, computer, server, or data center to another website site, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.

The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

The above description is merely exemplary of the present application and is presented to enable those skilled in the art to understand and practice the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims

1. A method of distributing honeypot bait, comprising:

acquiring attack behavior data of a network attack source executing an attack event;

generating an attack path of the attack event according to the attack behavior data of a plurality of honeypot nodes of the honeypot network, wherein the attack path comprises a plurality of specific honeypot nodes attacked by the network attack source;

allocating honeypot baits on specific honeypot nodes of the attack path;

the method for acquiring the attack behavior data of the network attack source executing the attack event comprises the following steps: acquiring attack flow of the network attack source to a host node, wherein the host node is used for deploying network services; forwarding the attack traffic from the host node to a trap node, wherein the trap node is to map a honeypot port; forwarding the attack traffic from the trapping node to a honeypot network based on the honeypot port; acquiring attack behavior data of the attack event in the honeypot network; or acquiring attack traffic of the network attack source to a trapping node, wherein the trapping node is used for mapping a honeypot port; forwarding the attack traffic from the trapping node to a honeypot network based on the honeypot port; and acquiring the attack behavior data of the attack event in the honeypot network.

2. The method of claim 1, wherein obtaining the attack behavior data of the attack event in the honeypot network comprises:

recording file access records and process creation records of the network attack source in the honeypot network, wherein the honeypot network is preset with a camouflage operating system and a service application;

and reading log information of the file access record and the process creation record, and outputting the log information as attack behavior data of the attack event.

3. The method of claim 1, wherein generating the attack path for the attack event from the attack behavior data for a plurality of honeypot nodes of a honeypot network comprises:

acquiring attack behavior data of a plurality of honeypot nodes of a honeypot network, wherein the honeypot network comprises the plurality of honeypot nodes, and each honeypot node corresponds to a copy of the attack behavior data;

after data deduplication is carried out on the attack behavior data, a plurality of file access records in the deduplicated attack behavior data are sequenced according to a time sequence;

and generating an attack path of the attack event based on the plurality of file access records and the corresponding time sequence.

4. The method of claim 1, wherein generating the attack path for the attack event from the attack behavior data for a plurality of honeypot nodes of a honeypot network comprises:

after data deduplication is carried out on the attack behavior data, a plurality of file access records in the deduplicated attack behavior data are sequenced according to frequency;

and generating an attack path of the attack event based on the plurality of file access records and the corresponding access frequency.

5. The method of claim 1, wherein distributing honeypot baits on a particular honeypot node of the attack path comprises:

generating a bait script according to the attack path, and generating a deployment script of the bait script according to the attack path, wherein the bait script is used for generating honeypot baits on honeypot nodes, and the deployment script is used for selecting honeypot nodes of the bait script to be issued in a honeypot network;

selecting honeypot nodes corresponding to the specific honeypot nodes in a honeypot network according to the deployment script;

and issuing the bait script to the honeypot node so that the bait script is automatically executed locally at the honeypot node and generates honeypot baits.

6. The method of claim 5, wherein if the attack event is a remote desktop connection (RDP) event, generating a bait script according to the attack path comprises:

selecting a penetration starting node from the attack path;

reading remote login information from the RDP record of the infiltration starting node;

a first bait script is generated based on the telnet information.

7. The method of claim 5, wherein if the attack event is a hostname modification event, generating a bait script according to the attack path comprises:

selecting a penetration target node from the attack path;

reading local login information of the penetration target node, and reading source host information and target host information from a hostname modification record of the penetration target node;

generating a second bait script based on the local login information and the target host information.

8. The method of claim 5, wherein if the attack event is a remote desktop connection (RDP) event, generating the deployment script of the bait script according to the attack path comprises:

selecting a penetration target node from the attack path;

acquiring first position information and first equipment information of the penetration target node;

generating a first twin node of the plurality of penetration target nodes based on the first device information replication;

generating a first deployment script based on the first twin node and the first location information package.

9. The method of claim 5, wherein if the attack event is a hostname modification event, generating the deployment script of the bait script according to the attack path comprises:

selecting a penetration starting node from the attack path;

acquiring second position information and second equipment information of the penetration starting node;

generating a second twin node of the plurality of penetration initiation nodes based on the second device information replication;

generating a second deployment script based on the second twin node and the second location information package.

10. A honeypot bait dispensing device, comprising:

the acquisition module is used for acquiring attack behavior data of a network attack source executing an attack event;

the generation module is used for generating an attack path of the attack event according to the attack behavior data of a plurality of honeypot nodes of a honeypot network, wherein the attack path comprises a plurality of specific honeypot nodes attacked by the network attack source;

a distribution module for distributing honeypot baits on specific honeypot nodes of the attack path;

wherein the acquisition module comprises: an obtaining unit, configured to obtain an attack traffic of the network attack source for a host node, where the host node is configured to deploy a network service; a first forwarding unit, configured to forward the attack traffic from the host node to a trapping node, wherein the trapping node is configured to map a honeypot port; a second forwarding unit for forwarding the attack traffic from the trapping node to a honeypot network based on the honeypot port; the second acquisition unit is used for acquiring the attack behavior data of the attack event in the honeypot network; or, the obtaining module comprises: a third obtaining unit, configured to obtain attack traffic of the network attack source for a trap node, where the trap node is used to map a honeypot port; a third forwarding unit for forwarding the attack traffic from the trapping node to a honeypot network based on the honeypot port; and the second acquisition unit is used for acquiring the attack behavior data of the attack event in the honeypot network.

11. A storage medium, characterized in that the storage medium comprises a stored program, wherein the program is operative to perform the method steps of any of the preceding claims 1 to 9.

12. An electronic device comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory are communicated with each other through the communication bus; wherein:

a memory for storing a computer program;

a processor for performing the method steps of any of claims 1 to 9 by executing a program stored on a memory.