Network attack processing method and device

Document number: 1864732 | Publication date: 2021-11-19 | Views: 2 | Language: Chinese

Reading note: this technology, Network attack processing method and device, was designed and created by 翁迟迟 on 2021-07-13. Its main content is as follows: an embodiment of the invention provides a network attack processing method and device involving a honeypot network and a service system that are isolated from each other, comprising: receiving a honeypot deployment strategy, the honeypot deployment strategy comprising a monitoring port and a monitoring mode and being generated from the service operation information of a service process running on the service system; and a honeypot process deployed on the service system monitoring for attack requests through the monitoring port and, according to the monitoring mode, either processing the attack request locally or forwarding it to the honeypot network for processing. In this embodiment the honeypot deployment strategy is generated automatically from the service operation information of the service system, so the service system can deploy the honeypot process based on that strategy, which improves honeypot deployment efficiency; and because the honeypot process can forward monitored requests to the honeypot network according to the monitoring mode, no honeypots need to be deployed in the service system itself, which reduces honeypot deployment cost.

1. A network attack processing method, comprising a honeypot network and a service system which are isolated from each other, the method comprising:

receiving a honeypot deployment strategy, wherein the honeypot deployment strategy comprises a monitoring port and a monitoring mode; the honeypot deployment strategy is generated by service operation information of a service process to be operated on the service system;

and a honeypot process deployed on the service system monitors for an attack request through the monitoring port, and processes the attack request according to the monitoring mode or forwards the attack request to the honeypot network for processing.

2. The method according to claim 1, wherein processing the attack request according to the monitoring mode or forwarding the attack request to the honeypot network for processing comprises:

when the monitoring mode is a black hole mode, raising an alarm for the attack request;

when the monitoring mode is a simple mode, sending response information corresponding to the attack request to a server sending the attack request;

and when the monitoring mode is the interactive mode, forwarding the attack request to the honeypot network so that the honeypot network forms attack behavior information based on the attack request and stores the attack behavior information.

3. The method of claim 2, wherein the honeypot network includes honeypots having corresponding types, and wherein forwarding the attack request to the honeypot network includes:

forwarding the attack request to one or more honeypots in the honeypot network whose type matches the type of the attack request.

4. The method according to claim 1 or 3, characterized in that the method further comprises:

counting the number of honeypots that have sent alarm information for the attack request;

and when the number of honeypots reaches a preset threshold value, determining that an alarm needs to be given.

5. The method of claim 2, further comprising:

and acquiring the attack behavior information or honeypot deployment information, and displaying the attack behavior information or honeypot deployment information.

6. The method of claim 1, wherein the service operation information comprises an occupied service port.

7. A network attack processing method, comprising a honeypot network and a service system which are isolated from each other, the method comprising:

acquiring service operation information of a service process operated on the service system;

generating a honeypot deployment strategy according to the service operation information, wherein the honeypot deployment strategy comprises a monitoring port and a monitoring mode;

and sending the honeypot deployment strategy to the service system so that a honeypot process deployed on the service system monitors an attack request through the monitoring port, and processes the attack request according to the monitoring mode or forwards the attack request to the honeypot network for processing.

8. A network attack processing system, comprising an operation module, and a honeypot network and a service system which are isolated from each other, wherein:

the operation module is used for acquiring service operation information of a service process operated on the service system; generating a honeypot deployment strategy according to the service operation information, wherein the honeypot deployment strategy comprises a monitoring port and a monitoring mode;

the service system is used for monitoring, via a honeypot process, an attack request through the monitoring port, and for processing the attack request according to the monitoring mode or forwarding the attack request to the honeypot network;

and the honeypot network is used for processing the attack request.

9. A network attack processing apparatus, comprising a honeypot network and a service system isolated from each other, the apparatus comprising:

a honeypot deployment strategy receiving module, used for receiving a honeypot deployment strategy, wherein the honeypot deployment strategy comprises a monitoring port and a monitoring mode, and the honeypot deployment strategy is generated from service operation information of a service process to be operated on the service system;

and a honeypot deployment module, used for monitoring, via a honeypot process deployed on the service system, an attack request through the monitoring port, and for processing the attack request according to the monitoring mode or forwarding the attack request to the honeypot network for processing.

10. A network attack processing apparatus, comprising a honeypot network and a service system isolated from each other, the apparatus comprising:

a service operation information acquisition module, configured to acquire service operation information of a service process operating on the service system;

the honeypot deployment strategy generation module is used for generating a honeypot deployment strategy according to the service operation information, wherein the honeypot deployment strategy comprises a monitoring port and a monitoring mode;

and the honeypot deployment strategy sending module is used for sending the honeypot deployment strategy to the service system so as to enable a honeypot process deployed on the service system to monitor an attack request through the monitoring port, and process the attack request according to the monitoring mode or forward the attack request to the honeypot network for processing.

11. An electronic device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;

a memory for storing a computer program;

a processor for implementing the method steps of any of claims 1 to 7 when executing a program stored in the memory.

12. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-7.

Technical Field

The present invention relates to the field of information security technologies, and in particular, to a network attack processing method, a network attack processing apparatus, a network attack processing system, an electronic device, and a computer-readable storage medium.

Background

A honeypot is a system that sets out a number of hosts, network services or pieces of information as bait to induce an attacker to attack, and then captures and analyzes the attacker's (hacker's) behavior. From that behavior the tools and methods used by the attacker can be learned and the attacker's intention and motivation inferred, which lets the defending party understand the security threat it faces and either strengthen its protection accordingly or raise an alarm in time. A network formed from a plurality of honeypots is called a honeypot network.

To increase the probability that attackers attack honeypots, a plurality of honeypots must be prepared by dedicated developers and then deployed on servers. In the traditional honeypot deployment mode the number of honeypots grows over time, so the cost is very high and honeypot deployment efficiency is low.

Disclosure of Invention

Embodiments of the present invention provide a network attack processing method, a network attack processing apparatus, a network attack processing system, an electronic device, and a computer-readable storage medium, so as to implement automated honeypot deployment and improve honeypot deployment efficiency. The specific technical scheme is as follows:

in a first aspect of the present invention, there is provided a network attack processing method, including a honeypot network and a service system that are isolated from each other, the method including:

receiving a honeypot deployment strategy, wherein the honeypot deployment strategy comprises a monitoring port and a monitoring mode; the honeypot deployment strategy is generated by service operation information of a service process to be operated on the service system;

and a honeypot process deployed on the service system monitors for an attack request through the monitoring port, and processes the attack request according to the monitoring mode or forwards the attack request to the honeypot network for processing.

Optionally, processing the attack request according to the monitoring mode or forwarding the attack request to the honeypot network for processing includes:

when the monitoring mode is a black hole mode, raising an alarm for the attack request.

Optionally, processing the attack request according to the monitoring mode or forwarding the attack request to the honeypot network for processing includes:

and when the monitoring mode is the simple mode, sending response information corresponding to the attack request to a server sending the attack request.

Optionally, processing the attack request according to the monitoring mode or forwarding the attack request to the honeypot network for processing includes:

and when the monitoring mode is the interactive mode, forwarding the attack request to the honeypot network so that the honeypot network forms attack behavior information based on the attack request and stores the attack behavior information.

Optionally, the honeypot network includes honeypots having corresponding types, and forwarding the attack request to the honeypot network includes:

forwarding the attack request to one or more honeypots in the honeypot network whose type matches the type of the attack request.

Optionally, the method further comprises:

counting the number of honeypots that have sent alarm information for the attack request;

and when the number of honeypots reaches a preset threshold value, determining that an alarm needs to be given.

Optionally, the method further comprises:

and acquiring the attack behavior information or the honeypot deployment information, and displaying the attack behavior information or the honeypot deployment information.

Optionally, the service operation information includes an occupied service port.

In a second aspect of the present invention, there is also provided a network attack processing method, including a honeypot network and a service system that are isolated from each other, the method including:

acquiring service operation information of a service process operated on the service system;

generating a honeypot deployment strategy according to the service operation information, wherein the honeypot deployment strategy comprises a monitoring port and a monitoring mode;

and sending the honeypot deployment strategy to the service system so that a honeypot process deployed on the service system monitors an attack request through the monitoring port, and processes the attack request according to the monitoring mode or forwards the attack request to the honeypot network for processing.

In a third aspect of the present invention, there is further provided a network attack processing system, including an operation module, and a honeypot network and a service system isolated from each other, where:

the operation module is used for acquiring service operation information of a service process operated on the service system; generating a honeypot deployment strategy according to the service operation information, wherein the honeypot deployment strategy comprises a monitoring port and a monitoring mode;

the service system is used for monitoring, via a honeypot process, an attack request through the monitoring port, and for processing the attack request according to the monitoring mode or forwarding the attack request to the honeypot network;

and the honeypot network is used for processing the attack request.

In a fourth aspect of the present invention, there is also provided a network attack processing apparatus, including a honeypot network and a service system that are isolated from each other, the apparatus including:

a honeypot deployment strategy receiving module, used for receiving a honeypot deployment strategy, wherein the honeypot deployment strategy comprises a monitoring port and a monitoring mode, and the honeypot deployment strategy is generated from service operation information of a service process to be operated on the service system;

and a honeypot deployment module, used for monitoring, via a honeypot process deployed on the service system, an attack request through the monitoring port, and for processing the attack request according to the monitoring mode or forwarding the attack request to the honeypot network for processing.

In a fifth aspect of the present invention, there is also provided a network attack processing apparatus, including a honeypot network and a service system that are isolated from each other, the apparatus including:

a service operation information acquisition module, configured to acquire service operation information of a service process operating on the service system;

the honeypot deployment strategy generation module is used for generating a honeypot deployment strategy according to the service operation information, wherein the honeypot deployment strategy comprises a monitoring port and a monitoring mode;

and the honeypot deployment strategy sending module is used for sending the honeypot deployment strategy to the service system so as to enable a honeypot process deployed on the service system to monitor an attack request through the monitoring port, and process the attack request according to the monitoring mode or forward the attack request to the honeypot network for processing.

In yet another aspect of the present invention, there is also provided a computer-readable storage medium, which stores instructions that, when executed on a computer, cause the computer to execute any one of the above-mentioned network attack processing methods.

In yet another aspect of the present invention, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform any one of the above-mentioned network attack processing methods.

According to the network attack processing method provided by the embodiment of the invention, after the honeypot deployment strategy is received, a honeypot process deployed on the service system according to that strategy monitors for attack requests through the monitoring port of the strategy, and an attack request is processed according to the monitoring mode of the strategy or forwarded to the honeypot network for processing. Because the honeypot deployment strategy is generated automatically from the service operation information of the service system, the service system can deploy the honeypot process based on the strategy, which improves honeypot deployment efficiency; and because the honeypot process can forward monitored requests to the honeypot network according to the monitoring mode, no honeypots need to be deployed in the service system itself, which reduces honeypot deployment cost. In addition, because the honeypot network and the service system are isolated from each other, the honeypot network does not affect the user's real service.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below.

Fig. 1 is a flowchart illustrating steps of a network attack processing method according to an embodiment of the present invention;

fig. 2 is a flowchart illustrating steps of another network attack processing method according to an embodiment of the present invention;

fig. 3 is a block diagram of a network attack processing system provided in an embodiment of the present invention;

fig. 4 is a schematic structural diagram of a network attack processing system provided in an embodiment of the present invention;

fig. 5 is a block diagram of a network attack processing apparatus according to an embodiment of the present invention;

fig. 6 is a block diagram of another network attack processing apparatus provided in the embodiment of the present invention;

fig. 7 is a block diagram of an electronic device provided in an embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention.

In the related art, a common honeypot deployment method is to attach honeypots to the service systems that run users' real services. Although this can induce attackers to attack, it also interferes with the users' real services, and the security risk to those services is relatively high. The real services here are things like video playing, chatting and shopping, implemented by a service process (application program) running on a service system.

In view of the above problems, an embodiment of the present invention provides a network attack processing method, which relates to three modules, namely an operation module, and a honeypot network and a service system that are isolated from each other. The three modules may be implemented by independent servers or a server cluster composed of a plurality of servers, which is not limited in this embodiment of the present invention.

Specifically, the operation module obtains the service operation information of the service process running on the service system, generates a honeypot deployment policy from that information, and sends the policy to the service system, so that the service system can monitor for attack requests (abnormal traffic) through the monitoring port of the policy and, according to the monitoring mode of the policy, either process an attack request locally or forward it to the honeypot network for processing.

Referring to fig. 1, a flowchart of the steps of a network attack processing method provided in an embodiment of the present invention is shown. The method involves a honeypot network and a service system that are isolated from each other, and is applied to the service system; as shown in fig. 1, it may specifically include the following steps:

step 101, receiving a honeypot deployment strategy, wherein the honeypot deployment strategy comprises a monitoring port and a monitoring mode, and the honeypot deployment strategy is generated from the service operation information of a service process to be operated on the service system.

The service system is a system or module that runs service processes; the application program referred to by a service process may be, for example, one that implements a real service such as video playing, chatting or shopping. The service operation information is information related to the operation of the service process, and may specifically include the service ports occupied by the service process, for example that port 80 is occupied.

The honeypot deployment strategy comprises a monitoring port and a monitoring mode. The monitoring port is the port on which attack requests from an attacking end are monitored, and the monitoring mode is the way an attack request monitored on that port is handled; for example, the attack request may be processed locally in the service system or forwarded to the honeypot network. The honeypot deployment policy is generated by the operation module from the service operation information of the service process running on the service system. For example, if port 80 is already occupied, port 80 is not set as a monitoring port; if the service system is not expected to interact frequently with the honeypot network and consume too many resources, the attack request may be processed on the service system instead of being forwarded to the honeypot network; and if the attack request should be captured and analyzed by the honeypots in the honeypot network, it may be forwarded to the honeypot network.
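The following Python is an added example, not code from the patent, showing what the operation module's policy generation described above could look like: it parses a constructed `ss -ltn` listing for the occupied service ports, drops those from a constructed list of candidate decoy ports, and picks the monitoring mode from the two preferences the text mentions (keeping resource use low versus wanting capture and analysis). The function names, the candidate port list, the mode names and the JSON shape are assumptions.

```python
"""Operation-module side: derive a honeypot deployment policy from a host's
service operation information.  Added example, not the patent's code; the
`ss -ltn` sample, the candidate ports and the mode names are constructed."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass

# Constructed `ss -ltn` output from a service host: ports 22, 80 and 3306 are
# occupied by real service processes and must not be used as decoy ports.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       70      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Decoy ports the operator is willing to open, with the honeypot type each one
# imitates (port/type pairs follow the patent's type list; assumption).
CANDIDATE_PORTS = {21: "weak_password", 22: "weak_password", 80: "web",
                   443: "web", 3306: "sensitive_data", 6379: "sensitive_data",
                   3389: "windows"}


@dataclass(frozen=True)
class PolicyEntry:
    port: int
    mode: str  # "blackhole", "simple" or "interactive"
    kind: str  # honeypot type the decoy port imitates


def occupied_ports(ss_text: str) -> set[int]:
    """Parse the listening ports out of `ss -ltn` output (IPv4 and IPv6 rows)."""
    ports: set[int] = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        local = fields[3]                      # e.g. "0.0.0.0:80" or "[::]:22"
        ports.add(int(local.rsplit(":", 1)[1]))
    return ports


def choose_mode(prefer_low_resource: bool, want_capture: bool) -> str:
    """Mode selection following the text: stay local when the service system
    should not interact with the honeypot network much, forward to the honeypot
    network when capture and analysis are wanted, otherwise the middle ground."""
    if want_capture and not prefer_low_resource:
        return "interactive"
    if prefer_low_resource and not want_capture:
        return "blackhole"
    return "simple"


def generate_policy(ss_text: str, candidates: dict[int, str] = CANDIDATE_PORTS,
                    *, prefer_low_resource: bool = False,
                    want_capture: bool = True) -> list[PolicyEntry]:
    """Exclude occupied service ports, then assign the chosen mode to each
    remaining decoy port."""
    busy = occupied_ports(ss_text)
    mode = choose_mode(prefer_low_resource, want_capture)
    return [PolicyEntry(port, mode, kind)
            for port, kind in sorted(candidates.items()) if port not in busy]


def policy_to_json(entries: list[PolicyEntry]) -> str:
    """Serialise the policy as it would be sent to the service system."""
    return json.dumps([asdict(e) for e in entries], indent=2)


if __name__ == "__main__":
    print(policy_to_json(generate_policy(SS_OUTPUT)))
```

With the sample above, ports 22, 80 and 3306 are excluded and the remaining candidates (21, 443, 3389, 6379) are assigned the interactive mode; passing `prefer_low_resource=True, want_capture=False` yields black hole mode for the same ports.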

In the embodiment of the invention, the honeypot network can be implemented on k8s (Kubernetes, an orchestration and management tool for portable containers), and k8s supports dynamic capacity expansion so that attack requests can be processed better. Specifically, a new node can be added in k8s, and a new honeypot network can be added on the new node, or new processing logic for attack requests can be added to the honeypot network, so that the honeypot network of the embodiment can better capture and analyze attack requests. Of course, the implementation may also be based on tools such as docker and swarm rather than k8s, which is not limited in this embodiment of the present invention.

step 102, a honeypot process deployed on the service system monitors for an attack request through the monitoring port, and processes the attack request according to the monitoring mode or forwards the attack request to the honeypot network for processing.

The honeypot process may also be referred to as a honeypot probe. It is a component or application deployed on the service system that can capture, filter and analyze data packets (e.g. attack requests) sent by other machines. In the embodiment of the invention, the honeypot process supports opening a plurality of user-defined ports for forwarding attack requests, and each port can be associated with honeypots running in different sandboxes.

The honeypot network forms an attacker-trapping network architecture made up of one or more honeypots; it keeps the network highly controllable and provides tools for conveniently collecting and analyzing attack requests. In the embodiment of the invention, the honeypot network has a processing scheme for each step an attacker takes. Specifically, the honeypot network's scheme for dealing with an attacker's requests comprises the following steps:

service simulation: when an attacker performs reconnaissance (footprinting) against the user, the honeypot simulates the user's real service and feeds the attacker false information.

vulnerability disguise: on top of simulating the user's real service, the honeypot packages a number of common vulnerabilities to attract the attacker to attack the honeypot.

data desensitization: the information the attacker steals has been desensitized, so the false information is of no value and causes no loss to the user.

trace recording: when the attacker prepares to withdraw and erases the attack path and intrusion traces, the honeypot has already recorded them as attack behavior information and stored that information as log data in a cloud database. From the attack behavior information an attacker profile can be built and the attacker's social network information can be captured, which makes it convenient for the user to trace the source of the attack, and the log data recorded in the cloud database is strong evidence that the attacker carried out the act.

Specifically, bait is formed in the honeypot by simulating the user's real services, so that an attacker is drawn to the honeypot by the bait. The baits the honeypot supports setting may include:

mail bait: setting mail decoys is supported, for example mails sent to a company executive's mailbox, and the honeypot can sense an attacker opening the mail;

office network bait: forged login credentials, RDP (Remote Desktop Protocol) connection records, files and the like on a Windows PC (personal computer) are supported, to deceive the attacker during the lateral movement stage;

file bait: the honeypot can sense a sensitive file being opened;

internet bait: deceptive defensive information is spread over the internet to confuse attackers, such as a fake Github (open source hosting service) leak.

In the embodiment of the present invention, the following analysis may be performed on the attack request. Attack event types include Ping scanning events and Ping scanning sources. Honeypot intrusion events include: connection setup, disconnection, password login, scanner attack, nmap scan, key-based login, shell command execution, files left behind by an intrusion, database operations, unknown scanner connections, command injection, code injection attack, information leakage attempts, XSS cross-site scripting attack, SQL injection attack, backdoor programs, file upload, FTP command execution, SSH connection, remote code execution, path traversal, file inclusion attacks, arbitrary file download vulnerabilities, Samba command execution, curl connection, XXE attack, deserialization, SSRF attack, internal connection events, file downloads, scanner connections, user download events, and unauthorized access. Port probing events include: identified full connections and half connections. Of course, this processing and analysis of the attack request is only an example and may be adjusted according to the actual situation in a specific implementation; the embodiments of the present invention are not limited thereto.
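As an added illustration of the analysis above (not the patent's code), the following Python classifies a captured request into a few of the listed honeypot intrusion event types using deliberately coarse patterns, and distinguishes a full-connection port probe from a half-connection probe by the order of TCP flags received from the probing host. The rule set, the labels used as event names, and the sample requests are constructed; a real probe would use a far richer rule base.

```python
"""Service-side analysis of a captured attack request.  Added example, not the
patent's code; the rules are deliberately coarse and the sample requests and
TCP flag sequences are constructed."""
from __future__ import annotations

import re

# Each rule maps a pattern seen in the request text to one of the honeypot
# intrusion event names listed in the text.  Inline (?i) makes a rule
# case-insensitive.
RULES: list[tuple[str, re.Pattern[str]]] = [
    ("sql_injection", re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s*'?1'?\s*=\s*'?1")),
    ("xss", re.compile(r"(?i)<script\b|javascript:")),
    ("path_traversal", re.compile(r"(?i)\.\./|%2e%2e%2f")),
    ("command_injection", re.compile(r"[;|`]\s*(cat|ls|id|whoami|sh|bash)(\s|$)")),
    ("file_upload", re.compile(r"(?i)content-type:\s*multipart/form-data")),
]


def classify(request_text: str) -> list[str]:
    """Return every event type whose rule matches, or ["unknown"]."""
    hits = [name for name, rx in RULES if rx.search(request_text)]
    return hits or ["unknown"]


def probe_kind(flags_from_source: list[str]) -> str:
    """Classify a port probe from the TCP flags received from the probing host,
    in order, for one source/destination pair: a SYN later followed by an ACK
    completed the handshake (full connection); a SYN that is never acknowledged,
    e.g. answered with RST or silence, is a half connection."""
    if not flags_from_source or flags_from_source[0] != "SYN":
        return "not_a_probe"
    if "ACK" in flags_from_source[1:]:
        return "full_connection"
    return "half_connection"


# Constructed sample requests as a probe might capture them on a decoy port,
# annotated with the event type each one should be classified as.
SAMPLES = {
    "GET /item?id=1' OR '1'='1 HTTP/1.1": ["sql_injection"],
    "GET /static/../../etc/passwd HTTP/1.1": ["path_traversal"],
    "GET /search?q=<script>alert(1)</script> HTTP/1.1": ["xss"],
    "GET /ping?host=127.0.0.1;id HTTP/1.1": ["command_injection"],
    "GET /index.html HTTP/1.1": ["unknown"],
}


def check_samples() -> bool:
    """True when every constructed sample is classified as annotated."""
    return all(classify(req) == expected for req, expected in SAMPLES.items())


if __name__ == "__main__":
    for req in SAMPLES:
        print(classify(req), req)
    print(probe_kind(["SYN", "ACK"]), probe_kind(["SYN", "RST"]))
```

The event labels are what the simple mode's "analysis result" and the interactive mode's attack behavior information would be keyed on; the command-injection rule deliberately requires a shell separator followed by a command name and a space or end of input, so an ordinary query string such as `?a=1&id=5` is not flagged.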

In the embodiment of the present invention, after receiving the honeypot deployment policy sent by the operation module, the service system may adjust the configuration parameters of the honeypot process according to the policy, so that the honeypot process monitors for attack requests through the monitoring port and, according to the monitoring mode, an attack request monitored on the monitoring port is either processed on the service system or forwarded to the honeypot network, where a honeypot processes it.

In this network attack processing method, after the honeypot deployment strategy is received, a honeypot process deployed on the service system according to that strategy monitors for attack requests through the monitoring port of the strategy, and an attack request is processed according to the monitoring mode of the strategy or forwarded to the honeypot network for processing. Because the honeypot deployment strategy is generated automatically from the service operation information of the service system, the service system can deploy the honeypot process based on the strategy, which improves honeypot deployment efficiency; and because the honeypot process can forward monitored requests to the honeypot network according to the monitoring mode, no honeypots need to be deployed in the service system itself, which reduces honeypot deployment cost. In addition, because the honeypot network and the service system are isolated from each other, the honeypot network does not affect the user's real service.

In an exemplary embodiment of the present invention, the honeypot process may support three monitoring modes, distinguished by interaction capability and resource occupation: a black hole mode, a simple mode and an interactive mode. Black hole mode: only receives the attack request and sends an alarm; resource occupation is the lowest and interaction capability is basic. Simple mode: receives the attack request and returns different results to the attacker according to the analysis result of the attack request; resource occupation is moderate and interaction capability is medium. Interactive mode: receives the attack request and forwards it to the honeypot network (back end); interaction capability is high.

For the black hole mode, step 102, processing the attack request according to the monitoring mode or forwarding the attack request to the honeypot network for processing, may include: when the monitoring mode is the black hole mode, raising an alarm for the attack request.

When the monitoring mode of the honeypot process is the black hole mode and an attack request is detected on the monitoring port, an alarm is raised for the attack request. Specifically, the alarm may notify the relevant personnel through mail, a pop-up window, instant messaging software and the like on the service system, so that the alarm is raised and the damage stopped in time.

For the simple mode, step 102, processing the attack request according to the monitoring mode or forwarding the attack request to the honeypot network for processing, may include: when the monitoring mode is the simple mode, sending response information corresponding to the attack request to the server that sent the attack request.

When the monitoring mode of the honeypot process is the simple mode and an attack request is detected on the monitoring port, the attack request is analyzed and, according to the analysis result, corresponding response information is sent to the server that sent the attack request; the response information is virtual information prepared in advance for the different analysis results. Specifically, if the analysis result is that the attack request is trying to steal a chat record, a false chat record may be sent to the server that sent the attack request, and if the analysis result is that it is trying to steal a social account, a false social account may be sent. Of course, in addition to sending false information to that server, an alarm can also be raised for the attack request.

For the interactive mode, step 102 (processing the attack request according to the monitoring mode or forwarding it to the honeypot network for processing) may include: when the monitoring mode is the interactive mode, forwarding the attack request to the honeypot network so that the honeypot network forms attack behavior information based on the attack request and stores it. In particular, the attack behavior information may include the attacker identity, the attacker trajectory, the tools used by the attacker, and the like.

When the monitoring mode of the honeypot process is the interactive mode and the honeypot process detects an attack request on the monitoring port, the attack request is forwarded to the honeypot network, so that the honeypot network traces the source of the attack request and forms attack behavior information, which is stored in a database as log data. Of course, besides forwarding the attack request to the honeypot network, the attack request can also be analyzed on the service system and corresponding response information sent to the server that sent the attack request according to the analysis result; in addition, an alarm can be raised for the attack request. As a specific example, a snapshot of the attack requests at a given time may be formed and saved to the database as log data.

Optionally, the honeypot network includes honeypots of corresponding types, and forwarding the attack request to the honeypot network may include: forwarding the attack request to one or more honeypots in the honeypot network whose type matches the type of the attack request.

A plurality of honeypots are deployed in the honeypot network, and different honeypots can be used to process different types of attack requests. Specifically, honeypots can be roughly classified into the following types according to the service they correspond to. Weak-password class: e.g. ssh (port 22), rsync (port 873), ftp (port 21), samba (port 445). Web vulnerability class: e.g. http (port 80), struts2, zabbix, redmine, https (port 443). Unauthorized-access class: sensitive data (e.g. mongodb (port 27017), memcached (port 11211), elasticsearch (port 9200/9300/9201), redis (port 6379), vnc (port 5900), mysql (port 3306)), big data (e.g. hadoop (port 8088/50070/50075/50030/50060/8088/10000/10003/9000/8020)), middleware (activemq (port 8161), zookeeper (port 2181)). Windows honeypots: e.g. rdp (port 3389), mssql (port 1433). In the embodiment of the invention, the attack request is forwarded to the honeypot matching the type of the attack request; for example, an attack request aimed at a web page can be forwarded to a honeypot of the web vulnerability class.
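The three monitoring modes and the type-matched forwarding described above, as one added example; this is illustrative code written for this page, not code from the patent or any product it describes. The port-to-class table is an assumed subset of the classification given in the text, and the decoy responses, honeypot names and request payloads are constructed sample values.

```python
# Added example (not the patent's own code): a honeypot process applying a
# deployment strategy (monitoring port + monitoring mode) to one request, and
# in interactive mode selecting honeypots whose type matches the request.
# The port-to-class table, decoy responses and sample requests are constructed.
from dataclasses import dataclass, field
from typing import Dict, List

BLACK_HOLE = "black_hole"    # receive the request, alarm only (lowest cost)
SIMPLE = "simple"            # receive the request, answer with prepared decoy data
INTERACTIVE = "interactive"  # receive the request, forward to the honeypot network

# Destination port -> honeypot class, following the classification in the text
# (assumed subset; extend it to the services actually deployed).
PORT_CLASS: Dict[int, str] = {
    22: "weak_password", 21: "weak_password", 873: "weak_password", 445: "weak_password",
    80: "web_vuln", 443: "web_vuln",
    27017: "unauth_sensitive_data", 11211: "unauth_sensitive_data", 9200: "unauth_sensitive_data",
    6379: "unauth_sensitive_data", 5900: "unauth_sensitive_data", 3306: "unauth_sensitive_data",
    8088: "unauth_big_data", 50070: "unauth_big_data",
    8161: "unauth_middleware", 2181: "unauth_middleware",
    3389: "windows", 1433: "windows",
}

# Decoy responses prepared in advance, keyed by analysis result (constructed).
DECOY_RESPONSES: Dict[str, str] = {
    "steal_chat_record": "chat-record: [decoy] no messages",
    "steal_social_account": "social-account: decoy_user_0001",
}

@dataclass
class Strategy:
    port: int   # monitoring port
    mode: str   # monitoring mode

@dataclass
class AttackRequest:
    source: str     # attacker address (constructed sample value in use)
    dst_port: int   # port the request arrived on
    payload: str

@dataclass
class Honeypot:
    name: str
    kind: str       # one of the PORT_CLASS values

@dataclass
class Outcome:
    alarms: List[str] = field(default_factory=list)
    response: str = ""
    forwarded_to: List[str] = field(default_factory=list)

def analyze(req: AttackRequest) -> str:
    """Derive an analysis result from the payload. Deliberately tiny heuristic;
    a real analyser would parse the protocol of the monitored port."""
    p = req.payload.lower()
    if "chat" in p:
        return "steal_chat_record"
    if "account" in p:
        return "steal_social_account"
    return "unknown"

def classify(req: AttackRequest) -> str:
    """Honeypot class for the request, by destination port ('generic' if unknown)."""
    return PORT_CLASS.get(req.dst_port, "generic")

def matching_honeypots(req: AttackRequest, network: List[Honeypot]) -> List[Honeypot]:
    """Honeypots in the network whose type matches the request type."""
    kind = classify(req)
    return [h for h in network if h.kind == kind]

def handle(strategy: Strategy, req: AttackRequest, network: List[Honeypot]) -> Outcome:
    """Apply the strategy's monitoring mode to one request on the monitoring port."""
    if req.dst_port != strategy.port:
        raise ValueError("request did not arrive on the monitored port")
    out = Outcome()
    # Every mode records an alarm: black hole does nothing else, and the text
    # allows an alarm alongside the simple and interactive actions.
    out.alarms.append(f"alarm: {req.source} -> port {req.dst_port} ({classify(req)})")
    if strategy.mode == BLACK_HOLE:
        return out
    if strategy.mode == SIMPLE:
        out.response = DECOY_RESPONSES.get(analyze(req), "")
        return out
    if strategy.mode == INTERACTIVE:
        out.forwarded_to = [h.name for h in matching_honeypots(req, network)]
        return out
    raise ValueError(f"unknown monitoring mode {strategy.mode!r}")
```

The mode check is done per request rather than at bind time so that the operation module can switch a running honeypot process between modes without rebinding the port; a request on a port the strategy does not cover is rejected rather than silently handled, which keeps the honeypot from shadowing a real service.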

In the above embodiment, the monitoring mode of the honeypot process is chosen according to different requirements, for example the current resource occupation and the importance of the service, so that not every attack request has to be forwarded to the honeypot network; interaction with the honeypot network is reduced and resource occupation is further reduced. In addition, when the interactive mode is adopted, the attack request is forwarded to the honeypot providing the corresponding service, which improves the processing efficiency of the attack request and processes it more accurately.

In an exemplary embodiment of the present invention, the method may further include: counting the number of honeypots that sent alarm information for the attack request; and when the number of such honeypots reaches a preset threshold, determining that an alarm needs to be raised.

In the embodiment of the invention, whether an attack request needs to be alarmed can be determined according to different alarm strategies; the alarm strategy can be a single-honeypot alarm strategy or a multi-honeypot alarm strategy. Specifically, the attack request can be forwarded to a plurality of honeypots at the same time. Under the single-honeypot strategy, it is determined that an alarm is needed as soon as one honeypot sends alarm information. Under the multi-honeypot strategy, it is determined that an alarm is needed when the number of honeypots sending alarm information reaches a preset threshold; for example, if the preset threshold is 2, an alarm is needed when the counted number of honeypots sending alarm information is 2 or more.

In this embodiment, whether an attack request needs to be alarmed is determined by the number of honeypots that sent alarm information, which avoids the misjudgment that a single honeypot alarm can cause and improves the accuracy of attack request alarms.
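The single-honeypot and multi-honeypot alarm strategies above, as an added example that is not part of the patent or of any product it describes. The alarm messages, honeypot names and request ids are constructed; the example also shows the one edge case the count has to get right, namely that a honeypot which reports the same request twice still counts as one honeypot.

```python
# Added example (not the patent's own code): aggregating the alarm information
# returned by several honeypots for the same attack request, under the
# single-honeypot strategy (threshold 1) and the multi-honeypot strategy
# (threshold >= 2). The alarm log, honeypot names and request ids are constructed.
from collections import defaultdict
from typing import Dict

# Constructed alarm messages from the honeypot network, one per line:
# "<request id> <honeypot name> <ALARM|OK>". hp-ssh-1 reports twice on req-1.
SAMPLE_ALARM_LOG = """\
req-1 hp-ssh-1 ALARM
req-1 hp-ssh-1 ALARM
req-1 hp-ssh-2 OK
req-2 hp-web-1 ALARM
req-2 hp-web-2 ALARM
req-2 hp-web-3 OK
req-3 hp-redis-1 OK
"""

def parse_alarm_log(text: str) -> Dict[str, Dict[str, bool]]:
    """request id -> {honeypot name -> alarmed?}. A honeypot that alarms more
    than once still counts as one honeypot, since the threshold is a count of
    honeypots, not of messages."""
    per_request: Dict[str, Dict[str, bool]] = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        rid, honeypot, verdict = line.split()
        if verdict not in ("ALARM", "OK"):
            raise ValueError(f"unexpected verdict {verdict!r}")
        prev = per_request[rid].get(honeypot, False)
        per_request[rid][honeypot] = prev or verdict == "ALARM"
    return dict(per_request)

def alarming_honeypots(verdicts: Dict[str, bool]) -> int:
    """Number of distinct honeypots that sent alarm information."""
    return sum(1 for alarmed in verdicts.values() if alarmed)

def alarm_needed(verdicts: Dict[str, bool], threshold: int = 1) -> bool:
    """threshold=1: any single honeypot alarm is enough (single-honeypot strategy).
    threshold>=2: the count must reach the preset threshold, e.g. 2 or more."""
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    return alarming_honeypots(verdicts) >= threshold

def evaluate(text: str, threshold: int) -> Dict[str, bool]:
    """Alarm decision per request id for one batch of honeypot messages."""
    return {rid: alarm_needed(v, threshold) for rid, v in parse_alarm_log(text).items()}
```

With the constructed log, threshold 1 alarms on req-1 and req-2, while threshold 2 alarms only on req-2: req-1 was reported by a single honeypot twice, which is exactly the single-source misjudgment the multi-honeypot strategy is meant to filter out.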

In an exemplary embodiment of the present invention, the method may further include: acquiring the attack behavior information or the honeypot deployment information, and displaying it.

The attack behavior information refers to relevant information of the attack request, and may specifically include an attacker identity, an attacker trajectory, and the like.

Specifically, in the embodiment of the invention the attack behavior information can be displayed visually. When showing attack behavior information, the following can be supported: custom selection of the attack time range for queries; viewing an attacker profile, in which the attacker identity, remarks and tags, the attacker trajectory and similar information can be viewed in detail; tracing of the device fingerprint, which contains detailed information such as the operating system, graphics card and audio device; viewing the attacker trajectory, which records the details of attack events over a given time period, including attack time, attacked assets, attack methods and operations, with events retrievable by attacker, attacked asset, isolation sandbox and similar dimensions, attack events replayable, all attacks displayable on a timeline, and events displayable by attacker, attack source, attacked asset, isolation sandbox, attack method and similar dimensions; display of attack source detection, recording the attacker's IP address, port, service fingerprint and detection time; and generation of a report from tracing the attacker.

The honeypot deployment information can include distribution and states of honeypot processes, sandboxes, honeypots, baits and the like.

Specifically, the honeypot deployment information can be displayed as a topological graph; that is, honeypot processes, sandboxes, honeypots, baits and the like can be displayed in a 3D (three-dimensional) topological graph, which intuitively reflects the composition, distribution and state of the current honeypot network system.

In this embodiment, the attack behavior information or the honeypot deployment information is displayed in a topological graph mode, so that a user can intuitively understand the attack behavior information, selectively view the attack behavior information they need, and have a better viewing experience.

Referring to fig. 2, which shows a flowchart of the steps of a network attack processing method provided in an embodiment of the present invention, the method involves a honeypot network and a service system that are isolated from each other and is applied to an operation module. As shown in fig. 2, the method may specifically include the following steps:

step 201, acquiring service operation information of a service process operated on the service system;

step 202, generating a honeypot deployment strategy according to the service operation information, wherein the honeypot deployment strategy comprises a monitoring port and a monitoring mode;

step 203, sending the honeypot deployment strategy to the service system, so that the honeypot process deployed on the service system monitors an attack request through the monitoring port, and processes the attack request according to the monitoring mode or forwards the attack request to the honeypot network for processing.

The operation module maintains a long-lived connection with the service process and sends the honeypot deployment strategy to the service system, so that the honeypot process in the service system can start, or stop, monitoring and processing attack requests based on the honeypot deployment strategy. In the embodiment of the invention, the honeypot process of the service system (client) can be controlled quickly over the long-lived connection: the operation module can generate and send a honeypot deployment strategy to the service system at any time to modify the monitoring port and monitoring mode of the honeypot process.

In the network attack processing method, the operation module collects service operation information of the service processes on each service system, generates the honeypot deployment strategy based on that information, and then issues the honeypot deployment strategy to the corresponding service system, so that the service system monitors the attack request on the monitoring port given by the honeypot deployment strategy and processes it according to the monitoring mode of the strategy or forwards it to the honeypot network for processing. In the embodiment of the invention, deployment and control of the service system are realized by issuing the honeypot deployment strategy through the operation module, and the service system deploys the honeypot process according to that strategy, so that the starting, stopping, modification and the like of the honeypot process can be controlled quickly and safely, with higher efficiency.
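Steps 201 to 203 carried through as one added example: the operation module turns the service operation information of one service system (here, the ports its service processes occupy) into a honeypot deployment strategy and encodes it for the long-lived connection, and the honeypot process validates the message before applying it. This is illustrative code written for this page, not the patent's or any product's code; the service listing, candidate decoy ports, the load threshold used to pick the mode, and the JSON message layout are all assumptions.

```python
# Added example (not the patent's own code): the operation module building a
# honeypot deployment strategy from the service operation information of one
# service system (the ports its service processes occupy) and encoding it for
# the long-lived connection to the honeypot process. The service listing,
# candidate ports, thresholds and JSON message layout are all assumptions.
import json
from dataclasses import dataclass, asdict
from typing import List, Set

MODES = ("black_hole", "simple", "interactive")

# Constructed service operation information, as collected from one service
# system: "<pid> <process name> <occupied port>".
SAMPLE_SERVICE_INFO = """\
1201 nginx 80
1201 nginx 443
1340 mysqld 3306
"""

# Decoy ports the honeypot process may listen on (assumed list drawn from the
# service classes named in the text). Ports a real service occupies are skipped
# so the honeypot never competes with the business process for a socket.
CANDIDATE_PORTS = [22, 3306, 6379, 27017, 3389]

@dataclass
class HoneypotStrategy:
    host: str
    ports: List[int]   # monitoring ports
    mode: str          # monitoring mode

def occupied_ports(info: str) -> Set[int]:
    """Step 201: ports currently used by service processes on the service system."""
    ports: Set[int] = set()
    for line in info.splitlines():
        if line.strip():
            _pid, _name, port = line.split()
            ports.add(int(port))
    return ports

def choose_mode(cpu_load: float, importance: str) -> str:
    """Resource pressure selects the cheapest mode; otherwise important services
    get the honeypot network behind them. The 0.8 load threshold is assumed."""
    if cpu_load >= 0.8:
        return "black_hole"
    if importance == "high":
        return "interactive"
    return "simple"

def generate_strategy(host: str, info: str, cpu_load: float,
                      importance: str, max_ports: int = 3) -> HoneypotStrategy:
    """Step 202: monitoring ports are free candidate ports; mode from load/importance."""
    used = occupied_ports(info)
    free = [p for p in CANDIDATE_PORTS if p not in used][:max_ports]
    if not free:
        raise ValueError(f"no free decoy port on {host}")
    return HoneypotStrategy(host, free, choose_mode(cpu_load, importance))

def encode_for_client(strategy: HoneypotStrategy) -> str:
    """Step 203: the message pushed to the service system (assumed JSON format)."""
    return json.dumps({"action": "deploy", **asdict(strategy)}, sort_keys=True)

def decode_on_client(message: str) -> HoneypotStrategy:
    """Validation the honeypot process performs before (re)binding its ports."""
    data = json.loads(message)
    if data.get("action") != "deploy" or data.get("mode") not in MODES:
        raise ValueError("rejected strategy message")
    ports = [int(p) for p in data["ports"]]
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("invalid monitoring port")
    return HoneypotStrategy(str(data["host"]), ports, data["mode"])
```

Because the operation module can push a new strategy at any time over the long-lived connection, the client-side validation in decode_on_client is where a practitioner should also check that the message came over the authenticated channel; a forged strategy could otherwise bind the honeypot to a port a real service needs or silently switch it to black hole mode.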

Referring to fig. 3, a block diagram of a network attack processing system provided in the embodiment of the present invention is shown in fig. 3, and includes an operation module 301, and a honeypot network 302 and a service system 303 isolated from each other, where:

the operation module 301 is configured to acquire service operation information of a service process that is operated on the service system 303; generating a honeypot deployment strategy according to the service operation information, wherein the honeypot deployment strategy comprises a monitoring port and a monitoring mode;

the service system 302 is configured to monitor an attack request on the monitoring port through a honeypot process, and to process the attack request according to the monitoring mode or forward it to the honeypot network 303;

the honeypot network 303 is configured to process the attack request.

In the embodiment of the invention, the operation module first collects service operation information on the service system, for example the service ports occupied by service processes, then forms a uniform honeypot deployment strategy based on the service operation information and sends it to the corresponding service system; the service system deploys the honeypot process according to the honeypot deployment strategy, so that the honeypot process monitors attack requests on the ports given by the honeypot deployment strategy and processes them according to the monitoring mode or forwards them to the honeypot network for processing.

To help those skilled in the art better understand the embodiment of the present invention, a specific example is described below. Referring to fig. 4, an architecture diagram of a network attack processing system of the present invention is shown; the network attack processing system includes an operation module, and a honeypot network and a service system that are isolated from each other. The operation module collects service operation information of the service processes on each service system, generates a honeypot deployment strategy based on that information, and then issues the honeypot deployment strategy to the corresponding service system, so that the service system monitors the attack request on the monitoring port given by the honeypot deployment strategy and processes it according to the monitoring mode of the strategy or forwards it to the honeypot network for processing. In the embodiment of the invention, deployment and control of the service system are realized by issuing the honeypot deployment strategy through the operation module, and the service system deploys the honeypot process according to that strategy, so that the starting, stopping, modification and the like of the honeypot process can be controlled quickly and safely, with higher efficiency.

Referring to fig. 5, a structural block diagram of a network attack processing apparatus provided in the embodiment of the present invention includes a honeypot network and a service system that are isolated from each other, and as shown in fig. 5, the apparatus may specifically include the following modules:

a honeypot deployment policy receiving module 501, configured to receive a honeypot deployment policy, where the honeypot deployment policy includes a monitoring port and a monitoring mode; the honeypot deployment strategy is generated by service operation information of a service process to be operated on the service system;

the honeypot deployment module 502 is configured to monitor an attack request through the monitoring port in a honeypot process deployed on the service system, and process the attack request according to the monitoring mode or forward the attack request to the honeypot network for processing.

In an exemplary embodiment of the present invention, the honeypot deployment module 502 is configured to alarm for the attack request when the monitoring mode is a black hole mode; when the monitoring mode is a simple mode, sending response information corresponding to the attack request to a server sending the attack request; and when the monitoring mode is the interactive mode, forwarding the attack request to the honeypot network so that the honeypot network forms attack behavior information based on the attack request and stores the attack behavior information.

In an exemplary embodiment of the invention, the honeypot network comprises honeypots of corresponding types, and the honeypot deployment module 502 is configured to forward the attack request to one or more honeypots in the honeypot network whose type matches the type of the attack request.

In an exemplary embodiment of the invention, the apparatus further comprises: the alarm module is used for counting the number of the honeypots of the alarm information sent aiming at the attack request; and when the number of the honeypots reaches a preset threshold value, determining that an alarm needs to be given.

In an exemplary embodiment of the invention, the apparatus further comprises: a display module, used for acquiring the attack behavior information or the honeypot deployment information and displaying it.

In an exemplary embodiment of the present invention, the service operation information includes an occupied service port.

Referring to fig. 6, a structural block diagram of a network attack processing apparatus provided in the embodiment of the present invention includes a honeypot network and a service system that are isolated from each other, and as shown in fig. 6, the apparatus may specifically include the following modules:

a service operation information obtaining module 601, configured to obtain service operation information of a service process running on the service system;

a honeypot deployment policy generating module 602, configured to generate a honeypot deployment policy according to the service operation information, where the honeypot deployment policy includes a monitoring port and a monitoring mode;

a honeypot deployment policy sending module 603, configured to send the honeypot deployment policy to the service system, so that a honeypot process deployed on the service system monitors an attack request through the monitoring port, and processes the attack request according to the monitoring mode or forwards the attack request to the honeypot network for processing.

The embodiment of the present invention further provides an electronic device, as shown in fig. 7, which includes a processor 71, a communication interface 72, a memory 73 and a communication bus 74, where the processor 71, the communication interface 72, and the memory 73 complete mutual communication through the communication bus 74,

a memory 73 for storing a computer program;

the processor 71, when executing the program stored in the memory 73, implements the following steps:

receiving a honeypot deployment strategy, wherein the honeypot deployment strategy comprises a monitoring port and a monitoring mode; the honeypot deployment strategy is generated by service operation information of a service process to be operated on the service system;

the honeypot process deployed on the service system monitors the attack request through the monitoring port, and processes the attack request according to the monitoring mode or forwards it to the honeypot network for processing.

Optionally, processing the attack request according to the monitoring mode or forwarding the attack request to the honeypot network for processing includes:

when the monitoring mode is the black hole mode, raising an alarm for the attack request.

Optionally, processing the attack request according to the monitoring mode or forwarding the attack request to the honeypot network for processing includes:

when the monitoring mode is the simple mode, sending response information corresponding to the attack request to the server that sent the attack request.

Optionally, processing the attack request according to the monitoring mode or forwarding the attack request to the honeypot network for processing includes:

when the monitoring mode is the interactive mode, forwarding the attack request to the honeypot network so that the honeypot network forms attack behavior information based on the attack request and stores it.

Optionally, the honeypot network includes honeypots of corresponding types, and forwarding the attack request to the honeypot network includes:

forwarding the attack request to one or more honeypots in the honeypot network whose type matches the type of the attack request.

Optionally, the method further comprises:

counting the number of honeypots that sent alarm information for the attack request;

when the number of such honeypots reaches a preset threshold, determining that an alarm needs to be raised.

Optionally, the method further comprises:

acquiring the attack behavior information or the honeypot deployment information, and displaying it.

Optionally, the service operation information includes an occupied service port.

The processor 71, when configured to execute the program stored in the memory 73, may further implement the following steps:

acquiring service operation information of a service process operated on the service system;

generating a honeypot deployment strategy according to the service operation information, wherein the honeypot deployment strategy comprises a monitoring port and a monitoring mode;

sending the honeypot deployment strategy to the service system so that a honeypot process deployed on the service system monitors an attack request through the monitoring port, and processes the attack request according to the monitoring mode or forwards it to the honeypot network for processing.

The communication bus mentioned in the above terminal may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.

The communication interface is used for communication between the terminal and other equipment.

The Memory may include a Random Access Memory (RAM) or a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.

The Processor may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Network Processor (NP), and the like; the Integrated Circuit may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, a discrete Gate or transistor logic device, or a discrete hardware component.

In another embodiment of the present invention, a computer-readable storage medium is further provided, where instructions are stored in the computer-readable storage medium, and when the instructions are executed on a computer, the computer is caused to execute the network attack processing method in any one of the above embodiments.

In yet another embodiment of the present invention, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform the network attack processing method according to any one of the above embodiments.

In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented wholly or partially in the form of a computer program product. The computer program product includes one or more computer instructions which, when loaded and executed on a computer, cause the processes or functions described in the embodiments of the invention to occur in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example from one website, computer, server or data center to another website, computer, server or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium can be any available medium that a computer can access, or a data storage device such as a server or data center that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.

It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.

The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.
