CN103581104A - Active trapping method based on behavior capturing - Google Patents

Active trapping method based on behavior capturing

Info

Publication number: CN103581104A
Application number: CN201210247893.0A
Authority: CN (China)
Prior art keywords: behavior, attack, engine, initiatively, entrapping
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Inventor: 赵象元
Current Assignee: JIANGSU ZHONGKE HUICHUANG INFORMATION SAFETY TECHNOLOGY Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: JIANGSU ZHONGKE HUICHUANG INFORMATION SAFETY TECHNOLOGY Co Ltd
Priority date: 2012-07-18 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2012-07-18
Publication date: 2014-02-12

Landscapes

  • Computer And Data Communications (AREA)
Abstract

The invention proposes an active trapping method based on behavior capturing. A trapping system is built in a designated network area. The method comprises the following three links: (1) an active trapping system is established in the advance-defense layer of the network defense system, using an active trapping engine; the active trapping engine, target deception, attack capture, attack control, attack analysis and feature extraction are set up in several of the systems that make up a computer; (2) dynamic, in-depth target deception of attack behavior is used to draw out the attacker's real attack objective; (3) the active trapping system, according to the above judgment results, makes the attacker believe that this is the attack target, so that the attacker's real attack objective is drawn out. With this method, both known and unknown attack behavior can be captured, the security situation of the whole network is grasped, and the network security level is raised.

Description

Active trapping method based on behavior capturing
Technical field
The present invention relates to an active trapping method based on behavior capturing, which provides active, efficient, system-level security protection for PC terminals, servers and workstations on a network.
 
Background technology
With the widespread use of network technology, network attacks emerge one after another, and network security has become a focus of current research and public concern; existing network security technology, centred on defense techniques such as the firewall and the intrusion detection system (IDS), usually lags behind the attack techniques. Honeypot technology, as a new kind of network security technology, has gradually attracted attention. It takes a proactive approach: by its distinctive features it attracts the attacker, and at the same time analyses the attacker's various attack behaviors and finds effective countermeasures.
Data capture is one of the key technologies of existing honeypots. Important data such as firewall logs, network traffic and system activity can be captured and then sent to a remote log server for analysis.
The non-signature-based unknown attacks that now appear pose a serious threat to existing security protection systems. An unknown attack is an unknown threat: a type of activity that has not yet been discovered, has unknown characteristics, and at the same time poses a potential threat to the information system. An unknown threat may be caused by an unknown virus, Trojan or hacker, or by illegal abuse of resources.
Although honeypot technology, in cooperation with security measures such as network firewalls and intrusion detection systems, can make up for the deficiencies of the original passive security defense, it still has shortcomings that cannot be overcome: the captured data is not comprehensive and not targeted, it is difficult to analyse real attack data, and it cannot provide effective protection against unknown attacks.
 
Summary of the invention
The present invention is made to solve the shortcomings of existing honeypot system technology. Its object is to provide an active trapping method based on behavior capturing that protects well against signature-based known attacks, captures more effectively the unknown attacks that pose potential threats, and guarantees the security of the computer.
To achieve the above object, the technical solution adopted by the present invention is:
The active trapping method based on behavior capturing of the present invention, as provided by an embodiment, comprises the following three links:
(1) the active trapping system is established in the advance-defense layer of the network defense system, using active trapping engine technology; the active trapping engine, target deception, attack capture, attack control, attack analysis and feature extraction are established in systems of the computer such as the operating system kernel, background services, application programs, the communication system, the account system and the file system;
(2) dynamic, in-depth target deception of attack behavior is used to draw out the attacker's real attack objective;
(3) the active trapping system, according to the above judgment results, makes the attacker believe that this is the attack target, thereby drawing out the attacker's real attack objective;
With the above method, a trapping system is built in the designated network area. Through target deception, attack capture, attack control, attack analysis and feature extraction, attacks on the networks, hosts and applications present in that area are discovered in advance.
The present invention also provides another embodiment of the active trapping method based on behavior capturing, comprising:
A behavior detection engine, an analysis engine and an active defense engine are set up in the computer's operating system kernel, background services, application programs, communication system, account system and file system; the whole defense system forms the active trapping engine. At the same time, using behavior capturing technology, an attack capture engine is deployed in the relevant systems; program behavior is analysed in depth, the various behaviors of a given running program are analysed in combination, the combined behavior is analysed and judged against a program behavior feature algorithm library (a library of behavior feature algorithm models for various kinds of malicious code), and the judgment result is delivered in real time to each defense engine. In this way known and unknown attacks can be captured and controlled by security policy.
Further, the malicious code behavior includes process creation, thread creation, file operations, network operations, registry operations, stack operations, thread injection, advanced persistent threat attacks, and operations on user accounts. Malicious code behavior can be obtained by hooking techniques, of which there are mainly three approaches: hooking the system service dispatch table, hooking the software interrupt of the portable executable, and hooking system services.
Compared with the prior art, the active trapping method based on behavior capturing of the present invention has the following beneficial technical effects:
The beneficial effect of the invention is that target deception, attack capture, attack control, attack analysis and feature extraction can be actively applied to program behavior running in the computer system, so that network hosts are prevented from being invaded, attacked and damaged by malicious code. Through behavior capturing technology, known and unknown attacks can be captured at the same time, the security situation of the whole network is grasped, and the network security level is raised.
Description of the drawings
Fig. 1 is a flow chart of an embodiment of the active trapping method based on behavior capturing of the present invention.
Fig. 2 is a composition diagram of the embodiment of Fig. 1 of the active trapping method based on behavior capturing of the present invention.
 
Embodiment
The embodiment of the present invention provides a method and system for active trapping based on behavior capturing, to remedy the defects of the data capture technology used by existing honeypot systems; it is mainly used to provide active, efficient, system-level security protection for PC terminals, servers and workstations on a network.
To make the object, technical solution and advantages of the present invention clearer, the present invention is described in more detail below with reference to the drawings and the embodiment.
Some of the malicious behaviors that the present invention defends against include process creation, thread creation, file operations, network operations, registry operations, stack operations, thread injection, advanced persistent threat (APT) attacks, operations on user accounts, and so on. Program behavior can be obtained by hooking techniques, of which there are mainly three approaches: hooking the system service dispatch table (SSDT), hooking the software interrupt (HOOK INT 2E) of the portable executable (HOOK PE), and hooking system services.
The flow chart of the embodiment of the active trapping method based on behavior capturing is described with reference to Fig. 1.
Step 101: a behavior originating from the network occurs;
Step 102: the behavior capture and active trapping engine performs deep detection of the network behavior and obtains the program behavior;
Step 103: the malicious code judging unit: if this behavior of the program is normal, proceed to step 105, where the behavior capture and active trapping engine allows the program to continue execution. If the malicious code judging unit judges this behavior of the program to be abnormal, proceed to step 104;
Step 104: pre-analyse the behavior of the program. If this behavior of the program (meaning one behavior among many) is harmless and not dangerous, go to the next step; if the program behavior is abnormal, that is, it contains a malicious or dangerous act, this behavior is combined with the program's earlier malicious or dangerous behaviors, and the harm level of this group of abnormal behaviors is judged according to the behavior algorithm library. Then go to the next step.
Step 106: the malicious program judging unit decides, according to the security class required by the network system and the hazard level of the program, whether it is malicious code or a malicious program. If it is only slightly dangerous, go to step 110; if the malicious program judging unit, from the combination of the program's abnormal behaviors, determines serious harm, go to step 108 and continue execution of the program's subsequent behavior. Steps 108 and 110 both then go to the next step;
Step 111: the behavior capture and active trapping engine sends the data to the GMC, and the data is analysed by the console.
As described in the flow of the above embodiment, behavior capture is performed on attacks coming from the network, and the harm level is judged from the combination of several abnormal behaviors of the same program; the judgment of malicious programs (code) is thus more accurate, and the capture capability is greatly improved.
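The decision flow of steps 101 to 111 and the combinatory analysis described in the summary, as an added example that is not code from the patent or its assignee: a small engine that records each abnormal behavior of a program, scores the accumulated combination of that program's behaviors against a stand-in for the behavior algorithm library, grades the result by the security class the network requires, and queues a report for the collection platform. The behavior classes come from the description above; the hazard weights, combination rules, thresholds, the names TrapEngine, Behavior, Verdict and run_sample, and the sample event stream are assumptions constructed for this example.

```python
"""Behaviour-combination judgement modelled on steps 101 to 111.

Added example, not code from the patent or its assignee. Every weight,
rule, threshold and sample event below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Behaviour classes named in the description. The hazard weights are an
# assumption for this example, not values from the patent.
HAZARD_WEIGHT: Dict[str, int] = {
    "process_create": 1, "thread_create": 1, "file_op": 1, "network_op": 2,
    "registry_op": 2, "stack_op": 3, "thread_inject": 4, "account_op": 3,
}

# Stand-in for the "behaviour algorithm library": combinations that, seen
# together in one program, raise the harm level.  (set, label, bonus score)
COMBINATION_RULES: List[Tuple[frozenset, str, int]] = [
    (frozenset({"thread_inject", "network_op"}), "injected code with network activity", 8),
    (frozenset({"registry_op", "file_op", "process_create"}), "dropper with persistence", 6),
    (frozenset({"account_op", "network_op"}), "account change with network activity", 7),
]

# Step 106 judges against the security class the network requires.
# Constructed thresholds (slight, serious): score < slight is normal,
# slight <= score < serious is slight, score >= serious is serious.
THRESHOLDS: Dict[str, Tuple[int, int]] = {"low": (6, 12), "medium": (4, 8), "high": (2, 5)}


@dataclass
class Behavior:
    pid: int        # the running program the behaviour belongs to
    kind: str       # one of the HAZARD_WEIGHT keys
    detail: str     # free text from the capture engine
    abnormal: bool  # result of the per-behaviour check (step 103)


@dataclass
class Verdict:
    pid: int
    level: str                 # "normal" | "slight" | "serious"
    score: int
    matched: List[str] = field(default_factory=list)
    action: str = "allow"


class TrapEngine:
    """Behaviour capture and active trapping engine (steps 102 to 111)."""

    def __init__(self, security_class: str) -> None:
        self.slight, self.serious = THRESHOLDS[security_class]
        self.history: Dict[int, List[Behavior]] = {}  # abnormal behaviours per program
        self.reports: List[dict] = []                  # what step 111 sends to the GMC

    def observe(self, b: Behavior) -> Verdict:
        # Steps 103/105: a normal behaviour is allowed and leaves no trace.
        if not b.abnormal:
            return Verdict(b.pid, "normal", 0)

        # Step 104: combine this behaviour with the program's earlier abnormal
        # behaviours and score the whole group against the rule library.
        group = self.history.setdefault(b.pid, [])
        group.append(b)
        kinds = {h.kind for h in group}
        score = sum(HAZARD_WEIGHT.get(h.kind, 1) for h in group)
        matched = [label for combo, label, _ in COMBINATION_RULES if combo <= kinds]
        score += sum(bonus for combo, _, bonus in COMBINATION_RULES if combo <= kinds)

        # Step 106: grade by hazard level and the network's security class.
        if score >= self.serious:
            # Step 108: the text keeps the program running so that its
            # follow-up behaviour is captured in the trap as well.
            level, action = "serious", "keep-running-and-capture"
        elif score >= self.slight:
            level, action = "slight", "monitor"      # step 110
        else:
            level, action = "normal", "allow"

        verdict = Verdict(b.pid, level, score, matched, action)
        # Step 111: hand the data to the collection platform for the console.
        self.reports.append({"pid": b.pid, "kind": b.kind, "detail": b.detail,
                             "level": level, "score": score, "matched": matched})
        return verdict


# Constructed event stream: program 1001 writes a Run key, drops a file and
# executes it; program 2002 performs a single odd file read.
SAMPLE_EVENTS: List[Behavior] = [
    Behavior(1001, "network_op", "connect 203.0.113.5:443", abnormal=False),
    Behavior(1001, "registry_op", "write Run key: updater", abnormal=True),
    Behavior(1001, "file_op", "create %TEMP%\\updater.exe", abnormal=True),
    Behavior(1001, "process_create", "exec %TEMP%\\updater.exe", abnormal=True),
    Behavior(2002, "file_op", "read C:\\ProgramData\\cfg.ini", abnormal=True),
]


def run_sample(security_class: str = "medium") -> List[Verdict]:
    """Feed the constructed events through a fresh engine; return its verdicts."""
    engine = TrapEngine(security_class)
    return [engine.observe(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for v in run_sample():
        print(v)
```

The point the flow makes is visible in the verdicts: each of program 1001's first three abnormal behaviors is individually below the "serious" threshold, and only the combination of registry write, file drop and execution trips a library rule. Raising the network's security class to "high" turns the earlier single behaviors into "slight" verdicts without changing the rules, which is the role step 106 gives the required security class.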
The present invention adopts a behavior capturing method and provides an active trapping system based on behavior capturing.
The composition diagram of the embodiment of the active trapping method based on behavior capturing is described with reference to Fig. 2.
The behavior capturing active trapping system is a scheme for active trapping based on behavior; it is composed of the active trapping system server-side software dedicated hardware platform, the GMC, the console and a dedicated security hardware platform.
201 in Fig. 2 is the active trapping system server-side software dedicated hardware platform. It deploys a real working environment and, by means of system vulnerabilities, SQL vulnerabilities, account vulnerabilities, web vulnerabilities and the like, traps attacks coming from the network. Using the behavior algorithm library and security rules, it gives accurate early warning of the harm level of malicious behavior and handles malicious behavior as an emergency.
202 in Fig. 2 is the GMC data acquisition platform. It collects and stores the data sent over from the active trapping system server-side software dedicated hardware platform.
203 in Fig. 2 is the console. It analyses the data in the GMC, monitors malicious behavior and records it to the security archive, and at the same time presents the dynamics of malicious behavior in real time on an early warning map.
The above embodiment is only intended to illustrate the technical concept and features of the present invention so that those skilled in the art can understand the content of the invention and implement it accordingly; it does not limit the scope of the invention. Any equivalent variation or modification made according to the essence of the present invention should be encompassed within the protection scope of the present invention.

Claims (6)

1. An active trapping method based on behavior capturing, characterized in that a trapping system is built in a designated network area, comprising the following three links:
(1) an active trapping system is established in the advance-defense layer of the network defense system, using active trapping engine technology; an active trapping engine, target deception, attack capture, attack control, attack analysis and feature extraction are set up in several systems comprised in the computer;
(2) dynamic, in-depth target deception of attack behavior is used to draw out the attacker's real attack objective;
(3) the active trapping system, according to the above judgment results, makes the attacker believe that this is the attack target, thereby drawing out the attacker's real attack objective.
2. The active trapping method based on behavior capturing according to claim 1, characterized in that building the trapping system in the designated network area further comprises the following link:
a behavior detection engine, an analysis engine and an active defense engine are set up in the several systems comprised in the computer; the whole defense system forms the active trapping engine; at the same time, by behavior capturing technology, an attack capture engine is deployed in the relevant systems, program behavior is analysed in depth, the various behaviors of a given running program are analysed in combination, the combined behavior is analysed and judged by a program behavior feature algorithm library, and the judgment result is delivered in real time to each defense engine; so that known and unknown attacks can be captured and controlled by security policy.
3. The active trapping method based on behavior capturing according to claim 1 or 2, characterized in that the several systems comprised in the computer include the operating system kernel, background services, application programs, the communication system, the account system and the file system.
4. The active trapping method based on behavior capturing according to claim 2, characterized in that the feature algorithm model library comprises various malicious code behaviors.
5. The active trapping method based on behavior capturing according to claim 4, characterized in that
the malicious code behavior comprises process creation, thread creation, file operations, network operations, registry operations, stack operations, thread injection, advanced persistent threat attacks, and operations on user accounts.
6. The active trapping method based on behavior capturing according to claim 5, characterized in that the malicious code behavior can be obtained by hooking techniques, of which there are mainly three approaches: hooking the system service dispatch table, hooking the software interrupt of the portable executable, and hooking system services.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201210247893.0A | 2012-07-18 | 2012-07-18 | Active trapping method based on behavior capturing

Publications (1)

Publication Number | Publication Date
CN103581104A (en) | 2014-02-12

Family

ID=50052049

Family Applications (1)

Application Number | Status | Publication | Priority Date | Filing Date | Title
CN201210247893.0A | Pending | CN103581104A (en) | 2012-07-18 | 2012-07-18 | Active trapping method based on behavior capturing

Country Status (1)

Country | Link
CN (1) | CN103581104A (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105488394A (en) * 2014-12-27 2016-04-13 哈尔滨安天科技股份有限公司 Method and system for carrying out intrusion behavior identification and classification on honeypot system
CN105721416A (en) * 2015-11-16 2016-06-29 哈尔滨安天科技股份有限公司 Apt event attack organization homology analysis method and apparatus
CN106961442A (en) * 2017-04-20 2017-07-18 中国电子技术标准化研究院 A kind of network method for entrapping based on honey jar
CN109218327A (en) * 2018-10-15 2019-01-15 西安电子科技大学 Initiative type safeguard technology based on cloud container
CN110855697A (en) * 2019-11-20 2020-02-28 国网湖南省电力有限公司 Active defense method for network security in power industry
CN110944014A (en) * 2019-12-18 2020-03-31 北京天融信网络安全技术有限公司 Terminal data security active defense method and device
CN111431881A (en) * 2020-03-18 2020-07-17 广州锦行网络科技有限公司 Method and device for trapping nodes based on windows operating system
CN111541701A (en) * 2020-04-24 2020-08-14 上海沪景信息科技有限公司 Attack trapping method, device, equipment and computer readable storage medium
CN112804204A (en) * 2020-12-30 2021-05-14 上海磐御网络科技有限公司 Intelligent network safety system based on big data analysis
CN113965409A (en) * 2021-11-15 2022-01-21 北京天融信网络安全技术有限公司 Network trapping method and device, electronic equipment and storage medium
CN114491516A (en) * 2022-01-26 2022-05-13 北京小佑网络科技有限公司 Threat detection trapping method based on container environment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1748342A1 (en) * 2005-07-29 2007-01-31 H+BEDV Datentechnik GmbH Honeypot computer system for detecting viruses in computer networks
CN101262351A (en) * 2008-05-13 2008-09-10 华中科技大学 A network tracking system
CN101582817A (en) * 2009-06-29 2009-11-18 华中科技大学 Method for extracting network interactive behavioral pattern and analyzing similarity

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
SE01 | Entry into force of request for substantive examination
C02 | Deemed withdrawal of patent application after publication (patent law 2001)
WD01 | Invention patent application deemed withdrawn after publication

Application publication date: 2014-02-12