CN103561004A - Cooperative type active defense system based on honey nets - Google Patents


Publication number
CN103561004A
Authority
CN
China
Prior art keywords
server
attack
data
database
honey
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201310500444.7A
Other languages
Chinese (zh)
Other versions
CN103561004B (en)
Inventor
陶敬
田决
马小博
李剑锋
韩婷
邹孙颖
胡文君
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xian Jiaotong University
Original Assignee
Xian Jiaotong University

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a cooperative active defense system based on honeynets. The system comprises a data capture module, a data analysis module and a data control module, and is characterized in that these three modules are distributed across one honeynet center and a plurality of subnets. The system relies on honeynet technology and adopts a cooperative active defense approach: attacker information captured by the different honeynets is shared in real time, active defense is achieved at the network layer, and the initiative and real-time performance of the defense are improved, which makes the system suitable for large-scale enterprise networks. A system built in this way has a high defense rate, hit rate and robustness, and the delay between the first discovery of an attacker and the deployment of controls across the whole network is greatly reduced.

Description

Cooperative active defense system based on honeynets
Technical field
The present invention relates to the field of network security, and in particular to a cooperative active defense system based on honeynets.
Background art
With the development of the Internet, network security faces increasingly serious threats. The main current network security threats are Trojans, worms, botnets, network eavesdropping, IPv6 threats, spyware and adware, zero-day vulnerabilities, and DDoS (distributed denial of service) attacks. Defending effectively against these threats has become an urgent task.
Network security defense can be divided, by where the defense is applied, into host-layer defense and network-layer defense, and, by when it is applied, into passive defense and active defense. Traditional host-layer passive defense can no longer protect existing networks, which gave rise to the concept of active defense: typically, a program autonomously discovers user characteristics so that an attacker cannot complete the attack on its target.
The representative of active defense is the intrusion detection system (IDS). Following a given security policy, it monitors the operating state of the network and systems and tries to discover attack attempts, attacks in progress and attack results, in order to guarantee the confidentiality, integrity and availability of network system resources. Its real-time performance and initiative are hard for conventional security measures to match, and it also makes up for the inability of passive defense systems to protect against unknown types of attack. Traditional intrusion detection systems nevertheless have defects. Because the amount of information to be processed is very large, the quality of the attack classification model directly affects detection efficiency. Building an effective intrusion detection system is a huge knowledge engineering effort, and because the development process is manual, the extensibility and adaptability of current intrusion detection systems are both limited. Intrusion detection models in practical use can handle only one particular audit data source, and updating them is costly and slow.
To overcome the limitations of traditional intrusion detection systems, a more automatic and efficient mechanism should be adopted, and the honeypot is such a system. Lance Spitzner, founder of The Honeynet Project, gave the authoritative definition: a honeypot is a security resource whose value lies in being scanned, attacked and compromised. All network traffic flowing into or out of a honeypot may indicate a scan, an attack or a compromise. By deployment purpose, honeypots are divided into production honeypots and research honeypots. By degree of interaction, they are divided into low-interaction and high-interaction honeypots. The advantages of honeypot technology include: the collected data has high fidelity, new attack tools and attack methods can be collected, no powerful resource support or funding is needed, and the technology is relatively easy to master.
A honeynet comprises one or more honeypots and, while keeping the network highly controlled, provides a range of tools for collecting and analyzing attack information. A honeynet can effectively change the information asymmetry between defender and attacker. At present, high-interaction honeynets are used mainly for extracting, analyzing and studying attack data, which chiefly means manually analyzing the large volume of data the honeynet extracts in order to uncover the attacker's attack strategy, attack code, attack location and related information. Although this can eventually achieve a defensive purpose, it is passive defense: it needs a great deal of manual work, lags seriously behind the attack, and is hard to systematize and commercialize.
Summary of the invention
In view of the deficiencies of the prior art, the object of the present invention is to propose a cooperative active defense system based on honeynets. It relies on honeynet technology, adopts a cooperative defense approach, achieves active defense at the network layer, and is suitable for large enterprise networks.
To achieve the above object, the present invention adopts the following technical solution:
A cooperative active defense system based on honeynets, comprising a data capture module, a data analysis module and a data control module, characterized in that:
the data capture module, data analysis module and data control module are distributed across one honeynet center and a plurality of subnets, wherein
the data capture module comprises a global log database located at the honeynet center and, in each subnet, a honeywall, a plurality of honeypot hosts, a remote logging server and an intrusion detection server;
the data analysis module comprises a statistics server, an attack pattern extraction server, a global malicious code analysis server, a comprehensive computation server, a global visualization server, a global statistics database and a global feature database located at the honeynet center, and a local online data analysis server in each subnet;
the data control module comprises a global control server, a global control database and a global intrusion behavior rule database located at the honeynet center, and a redirecting router and a firewall in each subnet.
The present invention has the following beneficial effects:
1. Honeynet technology is combined with active defense technology, which reduces the lag of passive defense in traditional honeynet technology, reduces the workload of manual analysis, and improves the real-time performance and accuracy of the defense.
2. Joint defense across a plurality of subnets makes up for the small scale, simple structure and limited information of a single subnet's honeynet, and further improves the initiative and real-time performance of the defense.
3. A simple, efficient data analysis algorithm is used, and the resulting defense policies have a very high defense rate and hit rate and a very low missed-defense rate and false-hit rate.
4. The data collected by the honeynet is highly reliable and controllable and cheap to obtain. No user reporting is needed, normal user communication is not affected, and user privacy is not disclosed.
5. Defense is implemented at the network layer, which lightens the load on the firewall and the burden on user hosts that run host-layer anti-virus software.
6. The deception module increases the robustness of the system.
Brief description of the drawings
Fig. 1 is a block diagram of the main modules of the honeynet-based autonomous defense subsystem.
Fig. 2 is a network deployment diagram of the honeynet-based autonomous defense subsystem.
Fig. 3 is a block diagram of the main modules of the honeynet-based cooperative active defense system.
Fig. 4 is a network deployment diagram of the honeynet-based cooperative active defense system.
Fig. 5 is a module block diagram of the honeynet-based autonomous defense subsystem with the deception module added.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and exemplary embodiments. It should be understood that the exemplary embodiments described here serve only to explain the invention and are not intended to limit its scope of application.
Before the cooperative active defense system of the invention is introduced, the working mechanism of the honeynet-based autonomous defense subsystem must first be explained. An enterprise network can be divided into a plurality of subnets: in Class C networks the division is generally by network segment, and in Class A and Class B networks it is by subnet mask. The honeynet-based autonomous defense subsystem is deployed within a single subnet and has three main modules and one additional module. As shown in Figs. 1 and 5, the three main modules are the data capture module, the data analysis module and the data control module, and the additional module is the intrusion deception module.
The honeynet-based autonomous defense subsystem is deployed in a single subnet, with the honeynet and the user network in the same network segment, as shown in Fig. 2, which marks not only the main hardware but also the distribution of the modules and the direction of data flow. The data capture module comprises a honeywall, a plurality of honeypot hosts, a remote logging server, a log database and an intrusion detection server. The data analysis module comprises an offline data analysis server, an online data analysis server, a visualization server, a malicious code analysis server, a statistics database and a feature database. The data control module comprises a control server, a control database, a router, the honeywall, a firewall and an intrusion behavior rule database.
1. Data capture module
The data capture module is the input module. It comprises a honeywall, a plurality of honeypot hosts, a remote logging server, a log database and an intrusion detection server.
(1) Honeywall (honeynet gateway)
A honeynet can be placed outside the firewall, inside it, or in the DMZ (demilitarized zone). It is usually placed in the DMZ between the user network and the external network, that is, the region between the trusted user intranet and the untrusted external network. For the user network the honeynet is a dangerous area, because honeypots are hosts that are very easily attacked; if an attacker uses a honeypot as a springboard to attack the user network, the active defense system does more harm than good. The honeywall is the only barrier between the honeynet and the user network. The honeywall has three network interfaces: eth0 connects to the external network, eth1 connects to the honeynet, and eth2 serves as a secret channel connected to a monitoring network. The honeywall is a link-layer bridging device that is invisible to the attacker. As the only connection point between the honeynet and other networks, it carries all traffic flowing into and out of the honeynet, and that traffic is subject to its control and audit. Because the honeywall is a bridge operating at the link layer, it does not decrement the TTL of packets, does not route them, and does not expose a MAC address of its own, so to the attacker it is completely invisible.
(2) Honeypot hosts
A malicious code capture program running at ring 0 is installed on the three honeypot hosts. Because it runs at ring 0, it is not easily discovered by the attacker. It transfers the malicious code used to attack the honeypot host, automatically or manually, over the secret channel to the malicious code analysis server. A sandbox program runs in a virtual machine on that server; the malicious code is analyzed in the sandbox and the analysis results are applied in the data control module. All honeypot hosts need full maintenance after running for some time.
(3) Client honeypot tool
To increase the initiative of the honeynet, a client honeypot tool with a web crawler function, such as Capture-HPC, can be run on some of the honeypots. It automatically searches for malicious servers and detects web pages carrying embedded Trojans, strengthening the data capture module.
(4) Remote logging server and log database
The remote logging server stores the data transmitted by the honeynet in the log database in real time and periodically transfers the data in the log database to the data analysis module.
(5) Intrusion detection server
An attacker may attack the user network directly, or attack it first. To increase the robustness of the system, the honeynet is therefore combined with a behavior-based intrusion detection system: an intrusion detection server is placed in front of the user network and inspects all traffic passing through the user network by means of the router's port mirroring function. When traffic matches a rule in the intrusion behavior rule database, it is judged to be an intrusion and the verdict is sent to the control server, which modifies the firewall rules directly, providing active defense when the honeynet fails to catch the attack. In addition, assigning domain names to the honeypot hosts makes the honeypots attract more attacks, but this increases the potential danger to the user network.
2. Data analysis module
The data analysis module fuses, mines and analyzes the information captured by the different data capture modules, promptly discovers dangerous information that may be present in the network, and promptly transmits control policies to the data analysis module of each subnet, so as to achieve early warning, real-time maintenance and periodic revision. As an example, mature techniques for information fusion, data mining and honeynet attack analysis can be applied in this module. For instance, mathematical methods such as clustering and matrix transformation are used to produce a defense blacklist, which is used to change firewall rules, and to extract attack patterns and malicious code, which are used to change intrusion behavior rules. This module is the core module of the system. The data analysis module comprises an offline analysis server, an online analysis server, a visualization server, a malicious code analysis server, a statistics database and a feature database.
(1) Online analysis server
All honeynet traffic data is transferred from the remote logging server to the online analysis server. The online analysis server matches packet header information against the attack signatures in the feature database in real time, formulates some simple defense policies, and transmits the blacklist to be defended against to the control server in real time.
(2) Offline analysis server
All honeynet traffic data is also transferred from the remote logging server to the offline analysis server, which is characterized by accuracy and complexity. It computes the metrics of the data within one cycle (hour, day, week), updates the statistics database, extracts attack signatures and patterns, updates the feature database, predicts attack trends from the data of earlier cycles, formulates defense policies, and periodically transmits the blacklist to be defended against to the control server.
(3) Malicious code analysis server
Malicious code captured by the honeypots is transferred, automatically or manually, to the malicious code analysis server, which runs it in its sandbox, extracts its features, and updates the feature database.
(4) Visualization server
The visualization server reads data from the statistics database and the feature database and plots it as charts, so that administrators can understand the operating state of the whole system in good time.
3. Data control module
The data control module is the module that finally carries out the active defense and is the output module of the system. It comprises a control server, a control database, a router, the honeywall, a firewall and an intrusion behavior rule database. Data control has two aspects: internal control, which involves the router and the honeywall, and external control, which involves the firewall and the intrusion behavior rule database.
(1) Internal control
Internal control means preventing attacks that originate from internal hosts, chiefly from the honeypot hosts, and involves the router and the honeywall. The router can modify routing rules to help the honeywall carry out data control. The honeywall places no restriction on inbound packets, so that the attacker can break into the honeynet, but it strictly controls springboard attacks that the attacker launches outward from the honeynet. The control methods are attack packet suppression and a limit on the number of outbound connections.
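The asymmetric honeywall policy described above (inbound unrestricted, outbound limited by connection count and by attack packet suppression) can be modelled as follows. This is an added illustration, not code from the patent; the class name, the sliding-window limit, the marker-based suppression and all sample addresses and payloads are assumptions constructed for the example.

```python
from collections import defaultdict, deque


class HoneywallEgressPolicy:
    """Toy model of honeywall data control (illustrative, hypothetical names)."""

    def __init__(self, honeypots, max_new_conns, window_s, attack_markers):
        self.honeypots = set(honeypots)
        self.max_new_conns = max_new_conns      # outbound connection limit
        self.window_s = window_s                # length of the counting window
        self.attack_markers = list(attack_markers)
        self.recent = defaultdict(deque)        # honeypot -> times of accepted new conns

    def decide(self, ts, src, new_conn, payload=b""):
        # Inbound traffic is never restricted: the honeypot must stay reachable.
        if src not in self.honeypots:
            return "accept"
        # Attack packet suppression: drop outbound packets carrying a known marker.
        if any(marker in payload for marker in self.attack_markers):
            return "drop:attack-packet"
        # Packets on an already established connection do not count against the limit.
        if not new_conn:
            return "accept"
        window = self.recent[src]
        while window and ts - window[0] >= self.window_s:
            window.popleft()                    # forget connections outside the window
        if len(window) >= self.max_new_conns:
            return "drop:conn-limit"
        window.append(ts)
        return "accept"


def replay(policy, packets):
    """Run (ts, src, dst, new_conn, payload) records through the policy."""
    return [policy.decide(ts, src, new_conn, payload)
            for ts, src, _dst, new_conn, payload in packets]


HONEYPOT = "10.1.1.10"
# Constructed sample traffic: one inbound attack, then outbound springboard attempts.
SAMPLE = [
    (0, "203.0.113.7", HONEYPOT, True, b"inbound probe"),
    (1, HONEYPOT, "10.1.1.20", True, b""),
    (2, HONEYPOT, "10.1.1.21", True, b""),
    (3, HONEYPOT, "10.1.1.22", True, b""),
    (4, HONEYPOT, "10.1.1.23", True, b""),          # fourth new connection in window
    (5, HONEYPOT, "10.1.1.20", False, b"data on existing connection"),
    (6, HONEYPOT, "10.1.1.20", False, b"xx CONSTRUCTED-ATTACK-MARKER xx"),
    (62, HONEYPOT, "10.1.1.24", True, b""),         # window has mostly expired
]

if __name__ == "__main__":
    policy = HoneywallEgressPolicy([HONEYPOT], 3, 60, [b"CONSTRUCTED-ATTACK-MARKER"])
    for packet, verdict in zip(SAMPLE, replay(policy, SAMPLE)):
        print(packet[0], packet[1], "->", packet[2], verdict)
```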
(2) External control
External control means preventing attacks from external hosts, and involves the firewall and the intrusion behavior rule database. Using the defense blacklist, the firewall defends against attacks from known attacker locations and with known attack patterns; a protection whitelist ensures that trusted host addresses are not blocked by mistake; and by methods such as reverse route lookup and filtering of reserved IP addresses, the firewall can intercept packets sent from spoofed IP addresses. The intrusion behavior rule database supplies the intrusion detection server of the data capture module with the means to defend against known attack patterns.
(3) Control server
The control server is the core of the data control module. It combines the commands of the online analysis server and the offline analysis server with the data in the control database to modify the rules of the honeywall, the firewall and the intrusion behavior rule database, thereby defending against all attacks, particularly newly emerging attacks and even unknown attacks.
(4) Control database
The control database stores all commands received and sent by the control server, so that they can be inspected and recovered if a fault occurs.
4. Intrusion deception module
This module strengthens the robustness of the system. An attacker may use a honeypot host as a springboard to attack other hosts in the subnet, while the firewall in the data control module intercepts the packets the honeypot sends to the user network. The attacker's secondary attack then gets no response, and the attacker may well discover that the compromised host is a honeypot. Once its true nature has been discovered by the attacker, the honeypot host loses its effect.
As shown in Fig. 2, the intrusion deception module comprises a honeyfarm host, a honeywall server and a redirecting router. The honeyfarm is a mirror image of the user network that simulates the user network's IP addresses, ports, operating systems and so on, and it can be implemented with virtual honeypot technology in the cache of a single host. Redirection is applied on the router, so that packets the honeypot sends to the user network are delivered to the honeyfarm host instead, and the data the honeyfarm sends back to the honeypot can reach the attacker through the honeywall. The attacker therefore believes the attack succeeded. The system achieves its defensive purpose, the honeynet is not discovered by the attacker, and the purpose of deception is achieved. The module block diagram of the honeynet-based autonomous defense subsystem with the intrusion deception module added is shown in Fig. 5.
The above mainly considers the logical implementation of the system. The physical implementation is considered next, still for the case where the user network lies in a single network segment. In one embodiment, the honeynet uses 3 high-interaction server-side honeypot hosts (running Linux, win2k and winxp respectively). Because the user network is not very large, the computational load is not heavy and several services can be consolidated on one host. The IDS is implemented with snort. Malicious code capture is implemented with Peking University's HoneyBow software or Xi'an Jiaotong University's malbox software. The honeywall and the data analysis module can both be placed on one host. The honeywall software from The Honeynet Project has a graphical user interface and can be used directly for system configuration, management and data analysis. Alternatively, Xi'an Jiaotong University's botwall software can be used: it parses the captured pcap files and reads the attack data from them, computes for each cycle the distribution of attacking hosts, the distribution of victim ports, the distribution of attack protocols and so on, and clusters on the number of attacking hosts, attack protocol, attacked port, mean packet size and similar features to obtain attack patterns. Trend charts can be drawn from this data and suitable predictions made. Finally, the blacklist is sent to the firewall to control its rules; each blacklist entry consists of a source IP address and a target port.
Having introduced the honeynet-based autonomous defense subsystem above, the honeynet-based cooperative active defense system of the present invention is now described in detail.
As the user network grows, the load on the autonomous defense subsystem keeps increasing and its performance suffers badly; the performance problem can be solved by progressively splitting services onto separate servers. But once the user network no longer lies in a single network segment, its complexity increases, its vulnerability increases, and defense becomes harder. However many honeypot hosts are added, they can hardly reflect the differing characteristics of user networks of different types in different segments, so the defense policies a honeynet produces are not applicable to users in other segments. It is therefore necessary to adopt a distributed honeynet and place several honeypot hosts in each subnet; here a network segment is regarded as a subnet. Cooperation among the subnets to carry out cooperative active defense effectively overcomes the vulnerability of the user network and yields a better active defense effect. In addition, centralized analysis and control is structurally simple and easy to deploy, reduces the workload of the system, and improves efficiency. More importantly, it realizes sharing, interaction, coordination and synchronization of data among the sub-honeynets, which improves the initiative of the defense. The cooperation described here is with respect to the individual subnets, and what it emphasizes is the way the subnets work together; with respect to the user network as a whole, the defense remains autonomous active defense.
Specifically, the module block diagram of the honeynet-based cooperative active defense system is shown in Fig. 3. The data analysis modules separated out of the individual subnets and integrated together form the core module of the whole system, and some of the databases are also brought together. This strengthened data analysis module is called the honeynet center (honeycenter). It comprises an arithmetic unit, a data unit, a control unit and a visualization unit. The arithmetic unit comprises the statistics server, the attack pattern extraction server, the global malicious code analysis server and the comprehensive computation server. The data unit comprises the global log database, the global statistics database, the global feature database, the global control database and the global intrusion behavior rule database. The control unit comprises the global control server, and the visualization unit comprises the global visualization server.
In addition, to ensure the robustness of each subnet and the real-time performance of the system, each subnet still keeps its own local online analysis server, which mainly formulates simple self-defense policies for that subnet in real time. The deployment of the system is shown in Fig. 4, which marks the distribution of the subnets and the honeynet center and the direction of data flow, and omits the distribution of the individual modules. The cooperative active defense system likewise comprises a data capture module, a data analysis module and a data control module. Compared with the autonomous defense subsystem, however, the components of these three modules are distributed across the honeynet center and a plurality of subnets.
The data capture module comprises the global log database and, in each subnet, a honeywall, a plurality of honeypot hosts, a remote logging server and an intrusion detection server.
The data analysis module comprises the statistics server, the attack pattern extraction server, the global malicious code analysis server, the comprehensive computation server, the global visualization server, the global statistics database, the global feature database, and the local online data analysis server in each subnet.
The data control module comprises the global control server, the global control database, the global intrusion behavior rule database, and the redirecting router and firewall in each subnet.
The functions of the modules at the honeynet center are described below.
(1) Remote logging server
The remote logging server transmits the attack data captured by the data capture system of its own subnet to the global log database.
(2) Global log database
The global log database stores the attack data, captured by the subnet data capture systems, that the remote logging servers transmit, for use by the statistics server, the attack pattern extraction server and the comprehensive computation server.
(3) Statistics server
The statistics server extracts all data from the global log database. The items it can compute include: the distribution of packet protocols, the distribution of packet sizes, the distribution of ports, the distribution of durations, the distribution of IP regions, the distribution of traffic, the distribution of attacked ports, the distribution of attack sources, the distribution of attacked honeypots, the distribution of attack periods, and so on. Every item can be computed globally or for a subset of subnets. All statistics are stored in the global statistics database. From the way the distributions change over time, the trend of attacks can be predicted effectively and used as a basis for formulating defense policies, and all statistics can be rendered as charts that show intuitively how network security is trending and how the whole system is operating.
(4) Attack pattern extraction server
The attack pattern extraction server mainly uses data mining and information fusion methods to extract unknown attack patterns and attack types from the log data and to reconstruct attack scenarios. First, it applies attack filtering to all data extracted from the global log database, keeping only the packets that represent attacks. Then it processes the packet header data of the attack events with a clustering algorithm. This data includes mean packet size, attack duration, attacked port, number of attacks, number of victim subnets and so on. The clustering yields a variety of attack patterns, and further clustering of the attack patterns yields attack types such as DDoS attacks, vulnerability scanning attacks, vulnerability injection attacks and worm attacks. Next, it reconstructs the attack scenario by time series analysis and stores the result in the global feature database, where it serves as the basis on which the comprehensive computation server and the online analysis server formulate defense policies and is displayed intuitively by the visualization server. Finally, the attack pattern extraction server transmits attack signatures such as attack patterns through the global control server to the global intrusion behavior rule database, providing active defense against attacks that strike the user network directly.
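The clustering step of the attack pattern extraction server can be sketched as below. This is an added example, not the patent's algorithm: the patent names no specific clustering method, so a single-pass leader clustering is used as a stand-in, and the feature scaling, the distance threshold and all session records are assumptions constructed for the illustration.

```python
import math

TOTAL_SUBNETS = 3
# Constructed attack sessions (one per attack event, after attack filtering).
SESSIONS = [
    {"src": "203.0.113.7", "avg_size": 60, "duration": 2, "port": 445,
     "packets": 40, "victim_subnets": 3},
    {"src": "198.51.100.9", "avg_size": 1200, "duration": 600, "port": 80,
     "packets": 90000, "victim_subnets": 1},
    {"src": "192.0.2.33", "avg_size": 400, "duration": 30, "port": 22,
     "packets": 300, "victim_subnets": 1},
    {"src": "203.0.113.8", "avg_size": 64, "duration": 3, "port": 445,
     "packets": 50, "victim_subnets": 3},
    {"src": "198.51.100.10", "avg_size": 1100, "duration": 500, "port": 80,
     "packets": 80000, "victim_subnets": 1},
    {"src": "192.0.2.34", "avg_size": 380, "duration": 40, "port": 22,
     "packets": 350, "victim_subnets": 1},
]


def features(session, total_subnets):
    """Scale the header features named in the text (log scale tames huge counts)."""
    return (
        math.log10(max(session["avg_size"], 1)),
        math.log10(max(session["duration"], 1)),
        math.log10(max(session["packets"], 1)),
        session["victim_subnets"] / total_subnets,
    )


def distance(vec, port, cluster):
    """Euclidean distance on scaled features; a different port adds a fixed penalty."""
    squared = sum((a - b) ** 2 for a, b in zip(vec, cluster["centroid"]))
    if port != cluster["port"]:
        squared += 1.0
    return math.sqrt(squared)


def extract_patterns(sessions, total_subnets, threshold=1.0):
    """Leader clustering: join the nearest cluster within threshold, else start one."""
    clusters, labels = [], []
    for idx, session in enumerate(sessions):
        vec = features(session, total_subnets)
        best, best_d = None, threshold
        for cid, cluster in enumerate(clusters):
            d = distance(vec, session["port"], cluster)
            if d < best_d:
                best, best_d = cid, d
        if best is None:
            clusters.append({"port": session["port"], "centroid": list(vec),
                             "members": [idx]})
            labels.append(len(clusters) - 1)
        else:
            cluster = clusters[best]
            n = len(cluster["members"])
            # Running mean keeps the centroid representative of all members.
            cluster["centroid"] = [(m * n + x) / (n + 1)
                                   for m, x in zip(cluster["centroid"], vec)]
            cluster["members"].append(idx)
            labels.append(best)
    return labels, clusters


def summarize(sessions, clusters):
    """Per-pattern summary suitable for storing in a feature database."""
    summary = []
    for cluster in clusters:
        members = [sessions[i] for i in cluster["members"]]
        summary.append({
            "port": cluster["port"],
            "sessions": len(members),
            "sources": sorted({m["src"] for m in members}),
            "mean_packet_size": sum(m["avg_size"] for m in members) / len(members),
        })
    return summary


if __name__ == "__main__":
    labels, clusters = extract_patterns(SESSIONS, TOTAL_SUBNETS)
    print(labels)
    for row in summarize(SESSIONS, clusters):
        print(row)
```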
(5) Comprehensive computation server
The comprehensive computation server makes combined use of the data in the data unit and produces a corresponding defense policy for each subnet. First, it applies attack filtering to all data extracted from the global log database. Then it applies algorithms, for example a highly predictive blacklist generation algorithm, with the relevant parameters determined from the statistics database and the feature database, and determines the final defense policy through victim-subnet correlation analysis, analysis of the threat level of the attacks, and attacker correlation analysis. The policy includes, for example, the firewall blacklist to be modified, the list of high-risk subnets that need to be notified, and the list of internal and external attacking hosts that require an alarm. Finally, the comprehensive computation server transmits the results to the global control server.
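The cooperative step, in which observations from several subnets are merged at the honeynet center and turned into a per-subnet policy, can be sketched as follows. This is an added example, not the patent's blacklist generation algorithm, which the text does not specify: the sharing thresholds, the treatment of internal attackers, the definition of a high-risk subnet and all sample data are assumptions made for the illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed enterprise layout and whitelist.
SUBNETS = {"subnet-A": "10.1.1.0/24", "subnet-B": "10.1.2.0/24",
           "subnet-C": "10.1.3.0/24"}
WHITELIST = {"192.0.2.50"}
# Constructed attack events from the global log database, after attack filtering:
# (capturing subnet, source IP, target port, honeypot that was hit)
EVENTS = [
    ("subnet-A", "203.0.113.7", 445, "hp-a1"),
    ("subnet-A", "203.0.113.7", 445, "hp-a2"),
    ("subnet-B", "203.0.113.7", 445, "hp-b1"),
    ("subnet-A", "198.51.100.9", 22, "hp-a1"),
    ("subnet-C", "192.0.2.50", 80, "hp-c1"),    # trusted scanner on the whitelist
    ("subnet-C", "192.0.2.50", 80, "hp-c2"),
    ("subnet-B", "10.1.3.20", 3389, "hp-b1"),   # attacker located inside subnet-C
    ("subnet-B", "10.1.3.20", 3389, "hp-b2"),
]


def build_policy(events, subnets, whitelist, min_subnets=2, min_honeypots=2):
    """Derive per-subnet blacklists plus notification lists from merged events."""
    nets = {name: ip_network(cidr) for name, cidr in subnets.items()}
    seen_in = defaultdict(set)    # (src, port) -> subnets whose honeynet saw it
    pots_hit = defaultdict(set)   # (src, port) -> distinct honeypots it touched
    for subnet, src, port, honeypot in events:
        if src in whitelist:      # the protection whitelist is never blocked
            continue
        seen_in[(src, port)].add(subnet)
        pots_hit[(src, port)].add(honeypot)

    blacklists = {name: set() for name in nets}
    internal, external, high_risk = set(), set(), set()
    for (src, port), where in seen_in.items():
        # Attacker correlation: does the source sit inside one of our own subnets?
        home = next((n for n, net in nets.items() if ip_address(src) in net), None)
        if home is None:
            external.add(src)
        else:
            internal.add(src)
            high_risk.add(home)   # assumption: a subnet hosting an attacker is high-risk
        # Victim-subnet correlation: widely seen attackers are blocked everywhere,
        # including in subnets that have not been attacked yet.
        shared = (len(where) >= min_subnets
                  or len(pots_hit[(src, port)]) >= min_honeypots)
        for name in (nets if shared else where):
            if name != home:      # the home subnet is alarmed, not firewalled
                blacklists[name].add((src, port))
    return {
        "blacklists": {name: sorted(entries) for name, entries in blacklists.items()},
        "high_risk_subnets": sorted(high_risk),
        "alarm_internal": sorted(internal),
        "alarm_external": sorted(external),
    }


if __name__ == "__main__":
    policy = build_policy(EVENTS, SUBNETS, WHITELIST)
    for subnet, entries in policy["blacklists"].items():
        print(subnet, entries)
    print("high risk:", policy["high_risk_subnets"])
```

In the constructed data, subnet-C receives a blacklist entry for 203.0.113.7 on port 445 although its own honeypots never saw that source, which is the benefit the cooperative design is meant to deliver.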
In addition,, in aforementioned Autonomous Defense subsystem, in order to strengthen the robustness of system, cooperating type Active Defending System Against can also comprise invasion deception module.This invasion deception module comprises honey (honeyfarm) main frame, sweet wall server and redirected router, for spoofing attack person, protects sweet net.
Thus, utilize integrated data analysis module, cooperating type Active Defending System Against has all functions of autonomous type Initiative Defense.
For the whole network:
If the attacker is located in the external network, an attack from a known attacker location is intercepted directly by the firewall. If an attack with a known attack pattern hits the user network first, it is detected by the intrusion detection server, and the control server modifies the firewall rules to block packets from that attacker location. If an attack with a known attack pattern hits the honeynet first, the online analysis server determines the attacker's location, and the control server modifies the firewall rules to block it. If an attack with an unknown attack pattern hits the honeynet first, the computation unit extracts attack signatures and attack patterns through traffic feature analysis and malicious code analysis and updates the feature database, and the control server updates the firewall rules and intrusion behavior rule bases of all or some of the subnets; when an attack of the same class later hits these honeynets or user networks, it is intercepted by the firewall, which achieves active defense of the user network as a whole.
For a single subnet:
If the attacker is an internal network user: if an attack with a known attack pattern first hits other users in the subnet, it is detected by the intrusion detection server, and the control server notifies that user and raises an alert in the subnet. If an attack with a known attack pattern hits the honeynet first, the local online analysis server determines the attacker's location, and the local control server notifies that user and raises an alert in the subnet. If an attack with an unknown attack pattern hits the honeynet first, the honeynet center extracts attack signatures and attack patterns through traffic feature analysis and malicious code analysis and updates the feature database; the control server notifies that user and raises an alert in the subnet, and the intrusion behavior rule base is updated, which achieves active defense against internal network attacks.
If the attacker is a user in another subnet: if an attack with a known attack pattern first hits other users in this subnet, it is detected by the intrusion detection server, the local control server modifies the firewall rules to block packets from that attacker location, and the global control server notifies that user and raises an alert across the whole network. If an attack with a known attack pattern hits the honeynet first, the online analysis server determines the attacker's location, the local control server modifies the firewall rules to block it, and the global control server notifies that user and raises an alert across the whole network. If an attack with an unknown attack pattern hits the honeynet first, the honeynet center extracts attack signatures and attack patterns through traffic feature analysis and malicious code analysis and updates the feature database; the local control server modifies the firewall rules to block it, the global control server notifies that user and raises an alert in the subnet, and the intrusion behavior rule base is updated, which achieves active defense against internal network attacks.
Because information is shared, a single subnet can defend itself using the data captured by the honeynets in other subnets, so its initiative and foresight improve markedly: attacks that were originally unknown to it all become known attacks, and the probability of being attacked drops significantly. In addition, to raise the interception success rate, the system takes full account of the complexity of each subnet and formulates a different defense policy for each subnet; the more similar two subnets are, the more similar their defense policies. Once a honeypot is compromised, the honeywall prevents the honeypot from attacking users, and the router redirects the attack traffic to the honeyfarm, to keep the attacker from discovering the honeypot. The protective effect is positively correlated with the analysis speed of the data unit and inversely correlated with the analysis cycle: the faster the offline analysis, the better the active defense. The protective effect is also positively correlated with the distribution range of the honeynets: the more widely and sparsely the honeynets are distributed, the better the active defense.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the present invention; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (6)

1. A cooperative active defense system based on honeynets, comprising a data capture module, a data analysis module and a data control module, characterized in that:
the data capture module, the data analysis module and the data control module are distributed across one honeynet center and a plurality of subnets, wherein
the data capture module comprises a global log database located in the honeynet center and, in each subnet, a honeywall, a plurality of honeypot hosts, a remote log server and an intrusion detection server;
the data analysis module comprises a statistics server, an attack pattern extraction server, a global malicious code analysis server, a comprehensive calculation server, a global visualization server, a global statistics database and a global feature database located in the honeynet center, and a local online data analysis server in each subnet;
the data control module comprises a global control server, a global control database and a global intrusion behavior rule database located in the honeynet center, and a redirection router and a firewall in each subnet.
2. The cooperative active defense system based on honeynets according to claim 1, wherein
the remote log server transmits the attack data captured in its subnet to the global log database, and the global log database stores the attack data transmitted by the remote log servers for use by the statistics server, the attack pattern extraction server and the comprehensive calculation server;
the statistics server extracts all data from the global log database and stores all statistical information in the global statistics database as a basis for formulating defense policies;
the attack pattern extraction server extracts the various attack patterns from the data extracted from the global log database, and transmits attack signatures, including the attack patterns, through the global control server to the global intrusion behavior rule database, so that attacks aimed directly at the user network are actively defended against;
the comprehensive calculation server filters all data extracted from the global log database for attack behavior, then applies a highly predictive blacklist generation algorithm, determining the relevant parameters from the global statistics database and the global feature database, determines the final defense policy through victim-subnet correlation analysis, threat-level analysis of the attack behavior and attacker correlation analysis, and transmits the result to the global control server.
3. The cooperative active defense system based on honeynets according to claim 2, wherein the items counted by the statistics server include: the distribution of packet protocols, the distribution of packet sizes, the distribution of ports, the distribution of durations, the distribution of IP regions, the distribution of traffic, the distribution of attacked ports, the distribution of attack sources, the distribution of attacked honeypots, and the distribution of attack periods.
4. The cooperative active defense system based on honeynets according to claim 2, wherein the attack pattern extraction server is specifically configured to:
first, filter all data extracted from the global log database for attack behavior, retaining only the packets that represent attacks;
then, apply a clustering algorithm to the packet header data of the attacks to extract the various attack patterns, reconstruct the attack scenario by time series analysis, and store the result in the global feature database, where it serves as the basis on which the comprehensive calculation server and the local online data analysis server in each subnet formulate defense policies and is displayed visually by the global visualization server;
finally, transmit attack signatures, including the attack patterns, through the global control server to the global intrusion behavior rule database, so that attacks aimed directly at the user network are actively defended against.
5. The cooperative active defense system based on honeynets according to claim 4, wherein the packet header data include average packet size, attack duration, attacked port, number of attacks and number of victim subnets.
6. The cooperative active defense system based on honeynets according to claim 1, preferably further comprising an intrusion deception module for deceiving attackers, the intrusion deception module comprising honeyfarm hosts, a honeywall server and a redirection router.
CN201310500444.7A 2013-10-22 2013-10-22 Cooperating type Active Defending System Against based on honey net Active CN103561004B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310500444.7A CN103561004B (en) 2013-10-22 2013-10-22 Cooperating type Active Defending System Against based on honey net

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310500444.7A CN103561004B (en) 2013-10-22 2013-10-22 Cooperating type Active Defending System Against based on honey net

Publications (2)

Publication Number Publication Date
CN103561004A true CN103561004A (en) 2014-02-05
CN103561004B CN103561004B (en) 2016-10-12

Family

ID=50015154

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310500444.7A Active CN103561004B (en) 2013-10-22 2013-10-22 Cooperating type Active Defending System Against based on honey net

Country Status (1)

Country Link
CN (1) CN103561004B (en)


Also Published As

Publication number Publication date
CN103561004B (en) 2016-10-12


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant