Technology for building industrial control honey net based on virtuality and reality combination

Document No.: 687781  Publication date: 2021-04-30  Views: 8  Language: Chinese

Reading notes: this technology, 一种基于虚实结合的搭建工控蜜网的技术 (Technology for building an industrial control honeynet based on virtual-real combination), was designed and created by 傅涛, 胡燕, 郑轶, 王力, 王路路 and 郑建平 on 2019-10-14. Its main content: the invention provides a technology for building an industrial control honeynet based on virtual-real combination, in which virtual honeypots and real-device honeypots are deployed together. After a network access request message is received, the message is forwarded to a virtual machine or to a real device using network forwarding, and the content of the corresponding access message is recorded. This greatly reduces both the probability that the honeypot is identified and the cost of deploying it, improves the ability to capture attack behavior, and strengthens the security of the network's real devices.

1. A technology for building an industrial control honeynet based on virtual-real combination, characterized in that virtual honeypots and real-device honeypots are deployed in combination; after a network access request message is received, the message is forwarded to a virtual machine or to real equipment using network forwarding, and the content of the corresponding access message is recorded.

2. The technology for building an industrial control honeynet based on virtual-real combination as claimed in claim 1, wherein the virtual honeypot deploys a plurality of Docker containers on one device, each Docker container corresponding to one protocol server.

3. The technology for building an industrial control honeynet based on virtual-real combination as claimed in claim 1, wherein a plurality of IPs are configured on the real device, different IPs and ports are mapped to different containers, and a plurality of protocol servers are thereby deployed on one physical device.

4. The technology for building an industrial control honeynet based on virtual-real combination according to claim 1, characterized in that if the network access is to a Docker container IP, the message is forwarded to the corresponding container for processing; the container analyzes the message content, the access path is stored, and the container responds to the attacker according to the request content. If the network access is to any other IP, the message is sent to suricata for deep analysis, the access path is stored, and the message is forwarded to the real equipment, which responds to the attacker, so that the attacker cannot identify the honeypot equipment.

Technical Field

The invention relates to the technical field of network security, in particular to a technology for building an industrial control honeynet based on virtual-real combination.

Background

Honeypot technology is essentially a technology for deceiving attackers: hosts, network services or information are set up as decoys to lure attackers into attacking them, so that the attack behavior can be captured and analyzed, the tools and methods used by the attackers can be learned, their intentions and motivations can be inferred, defenders gain a clear view of the security threats they face, and the protection of the actual system is strengthened through technical and management means.

In a traditional honeypot, one protocol server is deployed on one device; it simulates the application function of a real device, responds to the attacker's requests, and records the attacker's behavior in log form. At present many methods and means for identifying honeypots exist, so honeypots are very easily recognized, and the original purpose of attracting attackers and learning their attack methods cannot be achieved. Moreover, one device can deploy only one protocol server, and the maintenance cost is high.

Disclosure of Invention

The invention aims to provide a technology for building an industrial control honeynet based on virtual-real combination. The honeynet is composed of virtual machines and real equipment, and is characterized in that virtual honeypots and real equipment are deployed together: after a network access request message is received, the message is forwarded to the virtual machine or to the real equipment using network forwarding, and the content of the corresponding access message is recorded. The technology mainly comprises Docker environment building, message forwarding and behavior recording.

Docker environment building: a plurality of Docker containers are deployed on one device using virtualization, one container corresponding to one protocol server; a plurality of IPs are configured on the real device, and different IPs and ports are mapped to different containers, so that several protocol servers are deployed on one physical device and are not easily identified as honeypots.

Message forwarding: after a message is acquired from the network, if the network access is to a Docker container IP, the message is forwarded to the corresponding container for processing; the container analyzes the message content, the access path is stored, and the container responds to the attacker according to the request content. If the network access is to any other IP, the message is sent to suricata for deep analysis, the access path is stored, and the message is forwarded to the real equipment, which responds to the attacker, so that the attacker cannot identify the honeypot equipment.

Behavior recording: all accesses to the honeypot system are considered attacks, so all messages accessing the system are analyzed and then stored for later analysis.

Drawings

Fig. 1 is a flow chart of the technology for building an industrial control honeynet based on virtual-real combination.

Detailed Description

In order to make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and exemplary embodiments. It should be understood that the exemplary embodiments described here only illustrate the present invention and are not intended to limit its scope.

Step 1: configure a plurality of public network IP addresses on the equipment's network port. The IP addresses are mapped to different Docker containers (each Docker container is a protocol server), or mapped onto real physical devices.

Step 2: the system acquires the access message on those IP addresses, and the message is then forwarded by the Docker program to a container for processing, or forwarded to the real physical equipment.

Step 3: the container acquires the message and analyzes it; if the container is the protocol service addressed, it makes the corresponding response. If the message is not addressed to a container IP, it is forwarded to the real equipment, which makes the response. The whole access behavior is then stored, including the request and response messages, so that the attacker's attack path can be analyzed later and corresponding security measures taken.
