CN107046535B - A kind of abnormality sensing and method for tracing and system - Google Patents


Info

Publication number: CN107046535B
Authority: CN (China)
Prior art keywords: honey guide, document, honey, module, guide
Legal status: Active
Application number: CN201710183157.6A
Other languages: Chinese (zh)
Other versions: CN107046535A
Inventors: 刘潮歌, 林建宝, 崔翔, 刘奇旭, 贾召鹏
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS
Events: application filed by Institute of Information Engineering of CAS; priority to CN201710183157.6A; publication of CN107046535A; application granted; publication of CN107046535B; legal status active; anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

The invention proposes a method for anomaly detection, tracking and tracing based on document honey guide (honeytoken) technology, comprising the following steps: 1) on the protected host, generate honey guide documents with an embedded honey guide, and record the honey guide generation information carried by each document; 2) set the anomaly judgement condition according to the type of honey guide document and the way the honey guide was embedded; 3) when a honey guide document is triggered, send a judgement request; 4) analyse the judgement request, extracting the fingerprint information of the party that triggered the honey guide document together with the generation information of the triggered document; based on the fingerprint information and the generation information, and according to the anomaly judgement condition, decide whether an anomaly has occurred and track the attacker. A system implementing the above method is also provided. Implementation of the method and deployment of the system do not depend on the service environment of the host and are independent of the attacker's attack method; the method can effectively detect a variety of abnormal behaviours and effectively track and trace data-theft attacks.

Description

A kind of abnormality sensing and method for tracing and system
Technical field
The present invention relates to the field of computer network security, in particular to anomaly detection and tracing technology, and more specifically to an anomaly detection and tracing method and system based on document honey guide technology.
Background technique
With the spread of computers and the rapid development of the internet industry, networks have become an indispensable part of people's lives. Various network security problems have followed, and data leakage has become one of the most serious threats to network security.
On the one hand, unknown and advanced attacks are difficult to detect effectively. Because operating systems and application software frequently exhibit a variety of vulnerabilities, more and more computers are quietly compromised by attackers without the victim noticing. New forms of attack, in particular APT-class attacks, keep appearing, as do the attack patterns, attack means and attack strategies attackers use, which poses a great challenge to the existing passive-defence security mechanisms. Moreover, defence strategies based on the network boundary cannot effectively detect an attacker who is already inside the intranet.
On the other hand, attackers cannot be effectively tracked and traced. Network security threats are growing worse, yet network tracing is very limited in practice. This shows in the following respects: first, the development of network attack techniques and the use of proxies and stepping-stone ("springboard") hosts greatly increase the unreliability and complexity of network tracing, so that tracing work is hard to carry out; second, to track a network attacker one must first discover the network attack, but existing intrusion detection technology cannot fully solve the problems of missed alarms and false alarms; third, the mainstream network traceback techniques realise tracking of attacks and intrusions by adding marking data (such as digital watermarks) to messages or packets, and detecting and tracking these marks clearly adds overhead on routers or other tracing equipment and increases network traffic, so implementation and operating costs are high.
An APT (Advanced Persistent Threat) attack is a long-duration network attack carried out against a specific target using advanced attack means. It generally comprises three phases: reconnaissance and penetration, internal lateral movement, and execution of the attack mission, and it is more advanced and more harmful than other attacks. Its advanced nature lies mainly in the use of a variety of advanced means (such as exploiting 0-day vulnerabilities, a 0-day vulnerability being one that has been discovered but for which no patch exists) that can bypass existing defence mechanisms. Its harmfulness lies in stealing information under tight protection and damaging physically isolated systems, while existing defence mechanisms find it hard to detect and discover. In addition, an important characteristic of APT is that a process of internal lateral movement is usually required before the attack mission is executed; internal lateral movement in turn comprises internal reconnaissance and internal penetration. Internal reconnaissance means that the attacker, starting from the nodes already captured, collects new information, finds new nodes, uncovers new relationships and determines new targets. Internal penetration means using the information obtained by internal reconnaissance to carry out deeper attack and penetration. Existing defence mechanisms have significant limitations in detecting the lateral movement of an APT.
Barros proposed the concept of honey guide (HoneyToken) technology in 2003: a honey guide is an information resource that attracts the attacker into using it without authorisation. A honey guide can take many data forms, such as a forged identity ID, an e-mail address, a database table entry, or a Word or Excel document. When the attacker steals information resources from the environment, the honey guides mixed into those resources are stolen along with them; later, once the attacker uses the honey guide data in a real scenario, for example attempting to log in to a business system with a marked forged identity ID, the defender can detect and trace the attack that is actually under way.
Although the technical idea and definition of the honey guide were proposed early, there has been little research in this field on how the technique is concretely implemented and applied.
Summary of the invention
In view of the above problems, the purpose of the present invention is to propose a method and system for anomaly detection, tracking and tracing based on document honey guide technology. Implementation of the method and deployment of the system do not depend on the service environment of the host and are independent of the attacker's attack method; the method can effectively detect a variety of abnormal behaviours and effectively track and trace data-theft attacks.
To achieve the above object, the specific technical solution adopted by the present invention is:
An anomaly detection and tracing method, comprising the following steps:
1) on the protected host, generate honey guide documents with an embedded honey guide, and record the honey guide generation information carried by each honey guide document;
2) set the anomaly judgement condition according to the way the honey guide is embedded;
3) when a honey guide document is triggered, send a judgement request;
4) analyse the judgement request, extracting the fingerprint information of the party that triggered the honey guide document and the generation information of the triggered honey guide document; based on the fingerprint information and the generation information, and according to the anomaly judgement condition, decide whether an anomaly has occurred;
if so, raise an anomaly alert and notify the designated user;
if the honey guide document was triggered after leaving the protected host and this is judged to be an anomaly, then, while raising the anomaly alert, obtain the fingerprint information, take it as the attacker's fingerprint, and track the attacker accordingly.
Further, the process of embedding the honey guide in step 1) is as follows: a specific field code or macro code is inserted into the document as a beacon; the core of the beacon is a URI address, and the URI contains a unique character string generated from the host number, the current time and a random number; the honey guide generation information comprises that character string, the host IP and the document title.
Further, in step 1) the ways of embedding a honey guide include: embedding a honey guide into documents newly generated locally, and/or embedding a honey guide into one or more existing documents, and/or embedding a honey guide into automatically generated fake documents.
Further, the anomaly judgement conditions in step 2) include "local touch of the document is abnormal" and "remote touch of the document is abnormal". Under "local touch is abnormal", any triggering of the honey guide document is regarded as an abnormal operation. Under "remote touch is abnormal", an operation is regarded as abnormal only when the honey guide document is triggered on a host whose IP differs from the IP of the host on which it was generated.
Further, when a honey guide document on the protected host is triggered, the judgement request is sent to the aforementioned URI address.
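The following Python is an added illustration of steps 1) to 4) and the two judgement conditions above; it is not code from the patent or from the applicant. The beacon base address (`BEACON_BASE`), the token format produced by `make_token`, the in-memory `Registry` standing in for the database module, and the shape of the trigger request handled by `parse_trigger` and `judge` are all assumptions made for the example. The fingerprint carries the request's User-Agent as the stand-in for the operating-system and document-software fields the patent names.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlparse

# Assumed collector address of the main control server; the patent only says
# the beacon's core is "a URI address".
BEACON_BASE = "https://beacon.example.invalid/t/"

# The two anomaly judgement conditions named in the claims.
LOCAL_TOUCH_ABNORMAL = "local_touch_abnormal"
REMOTE_TOUCH_ABNORMAL = "remote_touch_abnormal"


def make_token(host_number: str, now: Optional[float] = None) -> str:
    """Unique string built from the host number, current time and a random
    number (the three inputs the claim names), hashed so the beacon URI does
    not reveal the host number or the creation time."""
    now = time.time() if now is None else now
    raw = f"{host_number}|{now:.6f}|{secrets.token_hex(8)}"
    return hashlib.sha256(raw.encode()).hexdigest()[:32]


@dataclass
class GenerationInfo:
    """Honey guide generation information: unique string, host IP, title."""
    token: str
    host_ip: str
    title: str
    mode: str  # "new", "existing" or "fake": the three embedding modes


@dataclass
class Registry:
    """Stand-in for the database module (constructed for this example)."""
    info: Dict[str, GenerationInfo] = field(default_factory=dict)
    condition: Dict[str, str] = field(default_factory=dict)

    def register(self, host_number: str, host_ip: str, title: str,
                 mode: str, condition: str) -> str:
        """Step 1 and 2: create the token, record the generation information,
        attach the judgement condition, return the beacon URI to embed."""
        if condition not in (LOCAL_TOUCH_ABNORMAL, REMOTE_TOUCH_ABNORMAL):
            raise ValueError(f"unknown condition {condition!r}")
        token = make_token(host_number)
        self.info[token] = GenerationInfo(token, host_ip, title, mode)
        self.condition[token] = condition
        return BEACON_BASE + token


def parse_trigger(uri: str, headers: Dict[str, str], source_ip: str) -> Dict[str, str]:
    """Step 4, first half: pull the token out of the requested URI and the
    fingerprint out of the request (source IP; User-Agent as the carrier of
    operating-system and document-software information)."""
    token = urlparse(uri).path.rsplit("/", 1)[-1]
    return {"token": token, "source_ip": source_ip,
            "user_agent": headers.get("User-Agent", "")}


def judge(reg: Registry, fp: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Step 4, second half: correlate the fingerprint with the recorded
    generation information and apply the configured condition. Returns the
    alert record, or None when the request is not an anomaly."""
    info = reg.info.get(fp["token"])
    if info is None:
        # Token never registered: nothing to correlate, so this example raises
        # no alert (a forged or mistyped request must not become a false alarm).
        return None
    left_host = fp["source_ip"] != info.host_ip
    cond = reg.condition[fp["token"]]
    abnormal = True if cond == LOCAL_TOUCH_ABNORMAL else left_host
    if not abnormal:
        return None
    return {"abnormal_host_ip": info.host_ip, "abnormal_title": info.title,
            "attacker_ip": fp["source_ip"], "attacker_os": fp["user_agent"],
            "left_host": left_host}


if __name__ == "__main__":
    reg = Registry()
    uri = reg.register("host-01", "10.0.0.5", "Q3 plan.docx", "new", REMOTE_TOUCH_ABNORMAL)
    fp = parse_trigger(uri, {"User-Agent": "Word/16 (Windows)"}, "203.0.113.9")
    print(judge(reg, fp))
```

The correlation key is the unique string alone, so the collector never has to trust anything else in the request; the "remote touch" condition compares the request's source IP with the recorded generation host IP, which is exactly the comparison that proxies and springboard hosts (mentioned in the background section) can obscure, so the source IP is recorded as a fingerprint rather than treated as proof of location.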
An anomaly detection and tracing system, comprising:
a honey guide generation system module, for generating honey guide documents with an embedded honey guide on the protected host;
a main control module, for recording the honey guide generation information carried by the honey guide documents; setting the anomaly judgement condition according to the type of honey guide document and the way the honey guide is embedded; when a honey guide document is triggered, sending a judgement request and analysing it to extract the fingerprint information of the party that triggered the honey guide document and the generation information carried by the triggered document; deciding, according to the anomaly judgement condition, whether an anomaly has occurred; and if so, raising an anomaly alert and notifying the designated user;
an anomaly detection and tracing module: if the honey guide document was triggered after leaving the protected host and this is judged to be an anomaly, then, while raising the anomaly alert, it obtains the fingerprint information, takes it as the attacker's fingerprint, and tracks the attacker accordingly.
Further, the honey guide generation system module comprises a honey guide generation local service module and a honey guide generation remote service module;
the honey guide generation local service module is installed on the protected host and has a new-document honey guide module, an existing-document honey guide module and a network deception function module;
the honey guide generation remote service module has an existing-document honey guide module and a network deception function module;
the new-document honey guide module embeds honey guides into documents newly generated locally; the existing-document honey guide module embeds honey guides into one or more existing documents; the network deception function module automatically generates fake documents and embeds honey guides into them.
Further, the main control module comprises a database system module, a honey guide request processing system module, an analysis and control system module and an anomaly notification module;
wherein the database system module records the honey guide generation information returned by the honey guide generation system, including the URI address identifying the honey guide and the IP and document title of the host where the honey guide document resides; records the fingerprint information when a honey guide file is triggered, including the source IP, operating system and document version of the host where it was triggered; and provides statistical query and configuration interfaces to the analysis and control system module, automatically generating and returning query results according to the query conditions;
the honey guide request processing system module handles the analysis request sent to the aforementioned URI address when a honey guide document on a protected device is triggered; it analyses the request to obtain the aforementioned honey guide generation information and fingerprint information, and sends both to the analysis and control system module;
the analysis and control system module serves as the interface between the honey guide generation system module and the database system module: externally it receives the honey guide generation information sent by the honey guide generation system and internally forwards it to the database module for recording; it also receives the honey guide generation information and fingerprint information obtained by the honey guide request processing system module, queries and associates them with the honey guide information in the database system module, decides according to the anomaly detection condition whether an anomaly has occurred and locates where it occurred, and passes the anomaly alert to the anomaly notification module;
the anomaly notification module notifies the designated user of the anomaly alert passed on by the analysis and control system module; the anomaly information includes the abnormal host IP, the abnormal document title, the attacker IP and the attacker's operating system.
Further, the analysis and control system module comprises a system configuration module for configuring the anomaly detection condition.
Compared with existing anomaly detection and tracing systems, the present invention has the following advantages:
1. Anomaly detection depends neither on the attack type nor on rule matching: as long as the attacker touches a honey guide file, the back-end analysis module monitors it in real time, automatically judges according to the anomaly condition whether the activity is abnormal and, if so, automatically issues a real-time alert notification; the system's false-alarm rate is zero.
2. With network deception technology added, the attacker cannot tell genuine information from fake; this effectively attracts and uncovers various advanced persistent attacks, also effectively uncovers intranet attacks, and raises the anomaly detection success rate.
3. The system is convenient and efficient to deploy: compared with existing anomaly detection and tracing systems, only a simplified deployment of the main control server is needed, with no additional routers, firewalls, IPS or other hardware resources, which effectively saves cost and improves the efficiency of anomaly detection.
4. Real-time anomaly alerting, and reliable, zero-cost tracking and tracing of the data-stealing attacker. It solves the problem that an attacker's real IP cannot be obtained effectively when the attacker uses a springboard network.
Detailed description of the invention
Fig. 1 is a schematic diagram of the overall structure of the anomaly detection and tracing system in an embodiment of the invention.
Fig. 2 is a schematic diagram of the composition of the honey guide generation system in an embodiment of the invention.
Fig. 3 is a schematic diagram of the composition of the anomaly detection and tracing main control module in an embodiment of the invention.
Fig. 4 is a flow chart of the construction and overall operation in an embodiment of the invention.
Fig. 5 is a schematic diagram of the overall deployment of the honey guide generation system in an embodiment of the invention.
Fig. 6 is a schematic diagram of the overall configuration and deployment of the main control system in an embodiment of the invention.
Fig. 7 is a schematic flow diagram of discovering and tracing a data-theft attack in an implementation case of the invention.
Specific embodiment
In the honey guide (HoneyToken) technology concept, a document honey guide means that special code or the like is inserted into a document; when the document is touched or opened, that code sends a request to a specified URI, so the defender obtains fingerprint information such as the attacker's IP and can trace the source. The present invention proposes a specific method and system for the implementation and application of document honey guides.
The system is mainly composed of the following modules:
1. Honey guide generation system module. Its client service is installed on the protected host or server device and hooks into the device's operating system. Its central role is to embed honey guides into documents newly generated locally. The embedding process for new documents is that the client process monitors calls to the document-operation interfaces and automatically embeds a honey guide each time a new document is generated. The honey guide is embedded by inserting a specific field code or macro code into the document as a beacon; the core of the beacon is a specially constructed URI address, which contains a unique character string generated from the host number, the current time, a random number and so on. At the same time as the beacon is inserted, honey guide generation information such as that character string, the host IP and the document title is sent to the database system module for storage.
2. Database system module. Installed on the main control server, it provides two functions. On the one hand, it records the honey guide generation information returned by the honey guide generation system, including the unique string identifying the honey guide, the IP of the host where the honey guide resides, the document title and so on, and records fingerprint information such as the source IP, operating system and document version of the host where a honey guide file was triggered. On the other hand, it provides statistical query and configuration interfaces to the background analysis system, automatically generating and returning query results according to the query conditions.
3. Honey guide request processing system module. Installed on the main control server. When a honey guide document on a protected device is opened, copied or deleted, the beacon is triggered and sends a request to this module's address (i.e. the URI address constructed in 1 above). The role of the honey guide request processing system module is to analyse that request, obtain the beacon's unique string together with fingerprint information such as the source IP, operating system and document version of the host it came from, and pass this information to the background analysis and control system module for analysis.
4. Analysis and control system module. Installed on the main control server. Its role is, first, to act as the interface between the honey guide generation system module and the database system module: externally it receives the honey guide generation information sent by the honey guide generation system, and internally forwards it to the database module for storage. Second, it receives the honey guide and fingerprint information obtained by the honey guide request processing system module, queries and associates them with the honey guide information in the database, decides according to the configured anomaly detection condition whether an anomaly has occurred and where, displays the real-time analysis in a graphical interface, and sends anomaly alerts to the anomaly notification module.
5. Anomaly notification module. Installed on the main control server. Its role is to deliver the anomaly information passed on by the background analysis and control system module to the designated user by SMS notification, e-mail notification and the like. The anomaly information includes the abnormal host IP, the abnormal document title, and fingerprint information such as the attacker IP and the attacker's operating system.
As a preferred scheme, the honey guide generation system module further comprises:
An existing-document honey guide module. Its role is to let the user select one or more existing documents and embed honey guides in them in batch; a directory can also be selected, in which case its files are scanned automatically and honey guides embedded. The screening of existing documents can be decided by the user as needed, for example by document importance or creation time; this application mainly provides the composition and application of document honey guides and does not limit the specific screening content or screening method.
A network deception function module. Its role is to automatically generate, from the attacker's point of view and according to the keywords the user enters in the target system, fake documents with titles and contents of a specific type, and to embed honey guides in them; their value is to lure the attacker into touching, viewing or stealing them, so that anomalies and attacks are discovered in time.
A remote honey guide generation system service module. Unlike the honey guide generation local client, the remote service is installed on any trusted intranet server and provides its service over the Web, with the functions of both the existing-document honey guide module and the network deception module. The user accesses a specified page through a browser and may choose to upload a local document to have a honey guide embedded, or enter keywords of a specified type so that the server side automatically generates fake documents with embedded honey guides. While embedding the honey guide, the server side sends the unique string identifying the honey guide, the user's host IP, the document title and the file anomaly alert information entered by the user to the database system module. For protected hosts and servers that do not create new documents often, the service provided by the remote module is more flexible and faster.
As a second preferred scheme, the analysis and control system module further comprises:
A system configuration module. This module configures the anomaly detection condition; for example, it can be configured as "local touch of the document is abnormal" or "remote touch is abnormal". "Local touch is abnormal" means that as long as the document is touched or opened it is regarded as an abnormal operation, regardless of whether the IP of the host where it is at that moment is the same as the IP of the host where the honey guide was created. "Remote touch is abnormal" means that an operation is regarded as abnormal only when the IP of the host where the honey guide is at that moment differs from the IP of the host where it was created. Of course, the above is only an optional example; for different requirements, the system configuration module can change the configured conditions and customise the anomaly detection condition, which this application does not limit.
To help those skilled in the art better understand the technical solution in the embodiments of the present invention, and to make the above objects, features and advantages of the invention more obvious and easier to understand, the technical core of the invention is described in further detail below with reference to the accompanying drawings and an example.
In one embodiment of the invention, a reliable anomaly detection and tracing system is designed on the basis of honey guide technology, which can effectively solve the problems described above. The system comprises the following:
As shown in Fig. 1, the schematic diagram of the overall composition of the anomaly detection and tracing system, the system physically consists of three parts: honey guide generation clients embedded in multiple target host systems, a remote honey guide generation service providing the honey guide embedding service, and the anomaly detection and tracing main control service providing integrated control; the latter two may share the same physical equipment.
As shown in Fig. 2, the honey guide generation system consists of the honey guide generation local service and the honey guide generation remote service system. The former is the honey guide system client program embedded in the protected host system; the latter is the honey guide generation service installed on a remote device, which provides the honey guide embedding service over the Web.
As shown in Fig. 3, the anomaly detection and tracing main control system module comprises the database system module, the honey guide request processing system module, the background analysis and control module, the anomaly notification module and the system configuration module.
As shown in Fig. 4, the construction and overall operation flow of the anomaly detection and tracing system of the present invention comprises:
Step 100, honey guide generation system deployment: install the honey guide service client locally or use the remote honey guide service to generate and deploy document honey guides; use the network deception module to generate fake documents that attract the attacker to touch or steal them, so that anomalies are discovered in time and tracked; see Fig. 5 for details.
Step 200, main control system configuration and deployment: receive the honey guide information generated by the honey guide generation system and store it in the database; configure the anomaly judgement condition, the anomaly notification information and the anomaly notification contact record; see Fig. 6 for details.
Step 300, anomaly discovery, notification and tracking of the data thief: after receiving the trigger of a honey guide document, the main control system associates the request information with the honey guide information in the database, automatically discovers and locates the anomaly according to the anomaly judgement condition configured in the system, sends anomaly notifications to the configured anomaly notification contacts, and tracks and traces the source according to the form in which the honey guide document was triggered; see Fig. 7 for details.
As shown in figure 5, it includes that honey guide generates the local module of service that honey guide, which generates system, honey guide generates service remote module. The former has that new document beats honey guide, existing document beats honey guide, network cheating three parts function.The latter have existing document beat honey guide, Network cheating two parts function.Specifically:
Step 110, the local module of the honey guide generation service embeds a honey guide into new documents. A client background program monitors system calls to document-processing functions in real time; when a new document is created, the program automatically embeds a honey guide into the new file. The embedding process inserts a field code, macro code or the like as a beacon at a specific position in the document. The core of the beacon is a specially constructed URI address containing a unique character string generated from the host number, the current time, a random number and similar values. While the beacon is being inserted, this character string, the protected host IP, the document title and related information are sent to the database system module.
Step 120, the local module of the honey guide generation service embeds a honey guide into existing documents. The user selects certain documents or files, or the program browses all documents, and a honey guide is embedded into each of them; the embedding operation is as described in step 110.
Step 130, the network deception function of the local module of the honey guide generation service. The user can input or select a class of keywords, for example "business", "economy" or "company"; the program then automatically generates fake documents whose filenames resemble business secrets, embeds honey guides into them, and the user places these files where an attacker can easily touch or steal them. The purpose of this module is that the generated fake honey guide documents are found by the attacker and arouse great interest, inducing the attacker to touch or steal them, so that anomaly sensing and tracing can be carried out.
Step 140, the honey guide generation remote service embeds a honey guide into an existing document. The user browses the Web page of the service and uploads a local document; after the server side performs the honey guide embedding operation described in step 110, the user downloads the document.
Step 150, the network deception function of the honey guide generation remote service. The user browses the specified Web page of the service, inputs or selects keywords and enters the number of documents to generate; the server automatically generates the specified number of fake honey guide documents according to the keyword type; the user downloads them locally and places them where they are likely to attract an attacker. For clients on which installing the honey guide generation service is inconvenient, or for devices that rarely create documents, the remote service is more convenient than the local service. The user can independently select one or several of the above functions of the honey guide generation system, according to the needs of the specific environment, to generate and deploy honey guides.
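The generation flow of steps 110 to 150, as an added Python example that is not part of the patent or of the applicant's implementation: the unique character string is derived from the host number, the current time and a random value; a beacon marker carrying the URI is inserted into the document; the generation information (string, host IP, title) is registered with a stand-in for the database module; and decoy documents are produced from a keyword. The collection endpoint, the marker text, the record layout, the `kind` field and the decoy filename templates are assumptions of this example; a real deployment would insert an actual field code or macro in the document's native format.

```python
# Added example (not the patent's code): honey guide generation, steps 110-150.
import hashlib
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed collection endpoint for beacon requests (placeholder, not from the patent).
BEACON_BASE = "https://beacon.example.invalid/hg/"


@dataclass
class HoneyGuideRecord:
    """Generation information sent to the database module when a beacon is inserted."""
    token: str     # unique character string identifying this honey guide
    host_ip: str   # protected host on which the document lives
    title: str     # document title at embedding time
    kind: str      # "new", "existing" or "decoy"; selects the anomaly condition (step 250)


@dataclass
class HoneyGuideStore:
    """Stand-in for the database system module (step 210)."""
    records: Dict[str, HoneyGuideRecord] = field(default_factory=dict)

    def register(self, rec: HoneyGuideRecord) -> None:
        self.records[rec.token] = rec


def make_token(host_id: str, now: Optional[float] = None, rand: Optional[bytes] = None) -> str:
    """Unique string derived from host number, current time and random bytes (step 110)."""
    now = time.time() if now is None else now
    rand = os.urandom(16) if rand is None else rand
    material = f"{host_id}|{int(now)}|".encode() + rand
    return hashlib.sha256(material).hexdigest()[:32]


def beacon_uri(token: str) -> str:
    """The specially constructed URI that the beacon points at."""
    return BEACON_BASE + token


def embed_beacon(document: str, token: str, position: Optional[int] = None) -> str:
    """Insert a beacon marker at a chosen position in a text document.

    A real document would carry a field code or macro in its native format;
    this example treats the document as plain text and inserts a marker string.
    """
    marker = f"{{FIELD beacon {beacon_uri(token)}}}"
    pos = len(document) if position is None else position
    return document[:pos] + marker + document[pos:]


def protect_document(store: HoneyGuideStore, host_id: str, host_ip: str, title: str,
                     body: str, kind: str = "new", now: Optional[float] = None,
                     rand: Optional[bytes] = None) -> Tuple[str, str]:
    """Steps 110/120: embed a honey guide and register its generation information."""
    token = make_token(host_id, now, rand)
    store.register(HoneyGuideRecord(token, host_ip, title, kind))
    return embed_beacon(body, token), token


# Assumed filename templates for decoy documents (not from the patent).
DECOY_TEMPLATES = ["{kw}_contract_2017.docx", "{kw}_budget_final.xlsx", "{kw}_merger_plan.docx"]


def generate_decoys(store: HoneyGuideStore, host_id: str, host_ip: str, keyword: str,
                    count: int, now: Optional[float] = None,
                    rand: Optional[bytes] = None) -> List[Tuple[str, str, str]]:
    """Steps 130/150: create `count` fake documents with plausible names for `keyword`,
    each carrying its own honey guide and recorded with kind "decoy"."""
    decoys = []
    for i in range(count):
        title = DECOY_TEMPLATES[i % len(DECOY_TEMPLATES)].format(kw=keyword)
        body = f"[decoy document generated for keyword '{keyword}']\n"
        per_doc_rand = None if rand is None else rand + bytes([i])
        doc, token = protect_document(store, host_id, host_ip, title, body, "decoy", now, per_doc_rand)
        decoys.append((title, doc, token))
    return decoys


if __name__ == "__main__":
    s = HoneyGuideStore()
    text, tok = protect_document(s, "host-01", "10.0.0.5", "q1_report.docx", "Quarterly figures...")
    print(text)
    for title, _, t in generate_decoys(s, "host-01", "10.0.0.5", "business", 2):
        print(title, "->", beacon_uri(t))
```

The `kind` recorded at generation is what later lets the control module apply a different condition to decoys than to ordinary documents, which is why it is stored alongside the string, host IP and title rather than inferred from the filename.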
As shown in Fig. 6, the main control module of the anomaly sensing and tracing system comprises:
Step 210, the database system module. On the one hand, it stores the unique character string generated when the honey guide generation system creates a honey guide, the IP of the host where the honey guide document resides, the honey guide document title, trigger warning information and the like. On the other hand, it provides a query interface for the background analysis and control module, which carries out anomaly judgement and anomaly notification.
Step 220, the honey guide request processing module. This module receives and processes the request sent by the honey guide after a honey guide document is triggered. From the request it obtains fingerprint information such as the IP of the device where the triggered honey guide document resides, its operating system, the document-handling software, the unique character string identifying the honey guide, and the current system time, and sends this information to the background analysis and control module for data query, association and anomaly analysis.
Step 230, the background analysis and control module. It receives the host-related fingerprint information about the honey guide transmitted by the honey guide request processing module. On the one hand, it passes the data to the database for storage. On the other hand, it reads the database and associates the honey guide's unique character string with the honey guide information stored in the database, obtaining the information stored when the honey guide was generated. It compares the host IP recorded when the honey guide was generated with the host IP from which the honey guide request was made and, according to the anomaly condition configured by the system configuration module, judges whether this honey guide request warrants an anomaly warning. If there is an anomaly, the abnormal honey guide information, host information, warning information, notification phone number, email address and the like are sent to the anomaly notification module for real-time notification.
Step 240, the anomaly notification module. It delivers the anomaly notification information transmitted by the background analysis and control module in real time via SMS, email and similar channels.
Step 250, the system configuration module. Its most important function is to configure the condition under which the analysis and control module judges an anomaly (as described above, a document can be configured as "local touch is anomalous" or "remote touch is anomalous"). By default, honey guides embedded in existing documents and in normal documents generated by the client are configured as "remote touch is anomalous": a normal user operating on the document on the local machine does not cause an anomaly, but once the honey guide document has left the machine and is touched, an anomaly alarm is raised. Honey guide documents generated by the network deception module are configured as "local touch is anomalous": such documents are never touched under normal circumstances, so any touch means an anomaly has occurred. Since a honey guide is embedded in every newly created document, this also means that, under this anomaly sensing condition, every new document of the protected host issues an anomaly warning once it is triggered from a remote location. In addition, this module configures the notification phone number, email address, anomaly notification alert information and the like.
As shown in Fig. 7, the flow of discovering and tracing a data-theft attack in an embodiment of the present invention comprises:
Step 310, the anomaly sensing and tracing system is deployed as described above.
Step 320, the attacker touches a fake honey guide document on the victim host, such as one generated in step 130 or step 150. As described in step 250, such documents exist to attract the attacker to touch or steal them, and their anomaly condition is of the "touch is anomalous" type; therefore, as soon as the attacker touches one, step 340 is triggered immediately to issue an anomaly warning and notification, and the defender can quickly discover the anomaly.
Step 330, the attacker steals a honey guide document from the victim host. Whenever the stolen honey guide document is opened on any device other than the victim host, the honey guide request is triggered. Since the honey guide document has left the victim host, once the honey guide is triggered, on the one hand the main control module of the anomaly sensing and tracing system issues an anomaly warning as in step 340; on the other hand, the main control module obtains fingerprint information such as the attacker's host IP and operating system, which is used for tracing.
Step 340, the anomaly information is visualised and notified in real time by SMS and email.
Step 350, the host IP at the time of the honey guide anomaly (the source IP address of the honey guide request), the host operating system and other fingerprints are obtained and used for tracing.
In summary, the present application protects host and network data security in a specified network and can realise effective anomaly sensing and attack tracing. By using honey guide technology, combined with related network deception technology, it realises efficient, low-cost anomaly sensing for file systems and effectively discovers a variety of threats, including advanced persistent threats and intranet attacks. It protects the hosts and data of the target network, and realises reliable anomaly sensing and tracing of data-theft attacks.
It should be noted finally that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the invention has been described in detail with reference to examples, those skilled in the art should understand that the technical solution of the invention may be modified or equivalently replaced without departing from the spirit and scope of the technical solution of the present invention, all of which should be covered by the scope of the claims of the present invention.
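The main control module of steps 210 to 250 and the Fig. 7 flow of steps 310 to 350, as an added Python example that is not part of the patent or of the applicant's implementation. A trigger arrives as an HTTP-style request to the beacon URI; the request processing step extracts the fingerprint (source IP, the User-Agent header standing in for operating system and document software, the unique string taken from the URI path, a timestamp); the analysis step associates the string with the stored generation record and applies the configured condition ("remote touch is anomalous" for protected documents, "local touch is anomalous" for decoys); an alert carrying the attacker's fingerprint is produced for notification. The request shape, header names, condition names, record fields, the `/hg/` path prefix and all sample values are constructed assumptions of this example.

```python
# Added example (not the patent's code): trigger handling and anomaly judgement,
# steps 210-250, exercised with the two scenarios of steps 320 and 330.
from dataclasses import dataclass
from typing import Dict, Optional

# Stand-in for the database system module (step 210); values constructed for this example.
STORE: Dict[str, Dict[str, str]] = {
    "3f2a9c1e": {"host_ip": "10.0.0.5", "title": "q1_report.docx", "kind": "new"},
    "decoy01": {"host_ip": "10.0.0.5", "title": "business_contract_2017.docx", "kind": "decoy"},
}

# System configuration module (step 250): anomaly condition per honey guide kind.
# "remote_touch": anomalous only when triggered from a host other than the recorded one.
# "local_touch":  any trigger is anomalous (decoy documents are never opened legitimately).
CONFIG: Dict[str, str] = {"new": "remote_touch", "existing": "remote_touch", "decoy": "local_touch"}


@dataclass
class Fingerprint:
    token: str        # unique string identifying the honey guide
    source_ip: str    # IP the request came from
    user_agent: str   # proxy for operating system / document software
    seen_at: int      # system time when the request was received


@dataclass
class Alert:
    token: str
    protected_host: str
    title: str
    attacker_ip: str
    attacker_agent: str
    reason: str


def parse_trigger(request: str, source_ip: str, seen_at: int) -> Optional[Fingerprint]:
    """Step 220: extract fingerprint information from a raw HTTP request to the beacon URI."""
    lines = request.split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    if not path.startswith("/hg/"):
        return None  # not a honey guide request
    token = path[len("/hg/"):].split("?")[0]
    headers: Dict[str, str] = {}
    for ln in lines[1:]:
        if not ln:
            break  # blank line ends the header block
        key, _, value = ln.partition(":")
        headers[key.strip().lower()] = value.strip()
    return Fingerprint(token, source_ip, headers.get("user-agent", "unknown"), seen_at)


def judge(fp: Fingerprint, store=STORE, config=CONFIG) -> Optional[Alert]:
    """Step 230: associate the token with its generation record and apply the condition."""
    rec = store.get(fp.token)
    if rec is None:
        return None  # unknown token: nothing to associate with
    condition = config[rec["kind"]]
    off_host = fp.source_ip != rec["host_ip"]
    if condition == "local_touch":
        reason = "decoy document triggered" + (" from another host" if off_host else " locally")
    elif off_host:
        reason = "document triggered away from protected host"
    else:
        return None  # normal local use of a protected document (step 250 default)
    return Alert(fp.token, rec["host_ip"], rec["title"], fp.source_ip, fp.user_agent, reason)


def format_notice(alert: Alert) -> str:
    """Steps 240/340: one-line notice suitable for SMS or e-mail delivery."""
    return (f"[honey guide] {alert.title} (host {alert.protected_host}) {alert.reason}; "
            f"source {alert.attacker_ip}, agent {alert.attacker_agent}")


def handle_trigger(request: str, source_ip: str, seen_at: int,
                   store=STORE, config=CONFIG) -> Optional[Alert]:
    """Full path from received request to alert (or None when nothing is anomalous)."""
    fp = parse_trigger(request, source_ip, seen_at)
    return None if fp is None else judge(fp, store, config)


# Constructed requests: a decoy opened on the protected host itself (step 320) and a
# regular protected document opened on another machine (step 330).
REQ_DECOY_LOCAL = ("GET /hg/decoy01 HTTP/1.1\r\nHost: beacon.example.invalid\r\n"
                   "User-Agent: Microsoft Office Word 2016\r\n\r\n")
REQ_STOLEN = ("GET /hg/3f2a9c1e HTTP/1.1\r\nHost: beacon.example.invalid\r\n"
              "User-Agent: LibreOffice/6.0 (Linux)\r\n\r\n")

if __name__ == "__main__":
    for req, ip in ((REQ_DECOY_LOCAL, "10.0.0.5"), (REQ_STOLEN, "203.0.113.7"), (REQ_STOLEN, "10.0.0.5")):
        alert = handle_trigger(req, ip, 1490400000)
        print(format_notice(alert) if alert else f"no anomaly for request from {ip}")
```

The same protected document opened from its own host produces no alert, while the decoy alerts on any open; the difference is entirely the `kind` stored at generation time and the condition table, which is what the system configuration module of step 250 exposes to the operator.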

Claims (9)

1. An anomaly sensing and tracing method, comprising the following steps:
1) generating, on a protected host, honey guide documents with an embedded honey guide, and recording the honey guide generation information carried by each honey guide document;
2) setting an anomaly judgement condition according to the mode in which the honey guide was embedded;
3) when a honey guide document is triggered, sending a judgement request;
4) analysing the judgement request, extracting the fingerprint information of the party triggering the honey guide document and the honey guide generation information of the triggered honey guide document; judging, based on the fingerprint information and the honey guide generation information and according to the anomaly judgement condition, whether an anomaly has occurred;
if so, issuing an anomaly warning and notifying a designated user;
if the honey guide document was triggered after leaving the protected host and an anomaly is judged to have occurred, obtaining the fingerprint information at the same time as issuing the anomaly warning, treating it as the attacker's fingerprint information, and tracing the attacker accordingly.
2. The anomaly sensing and tracing method of claim 1, characterised in that the process of embedding a honey guide in step 1) is as follows: a specific field code or macro code is inserted into the document as a beacon; the core of the beacon is a URI address, and the URI address contains a unique character string generated from the host number, the current time and a random number; the honey guide generation information includes the character string, the host IP and the document title.
3. The anomaly sensing and tracing method of claim 2, characterised in that when a honey guide document on the protected host is triggered, the judgement request is sent to the aforementioned URI address.
4. The anomaly sensing and tracing method of claim 1, characterised in that the modes of embedding a honey guide in step 1) include: performing the honey guide embedding operation on documents newly generated locally, and/or performing the honey guide embedding operation on one or more existing documents, and/or performing the honey guide embedding operation on automatically generated fake documents.
5. The anomaly sensing and tracing method of claim 1, characterised in that the anomaly judgement condition in step 2) includes "local touch of the document is anomalous" and "remote touch of the document is anomalous"; under "local touch of the document is anomalous", any triggering of the honey guide document is regarded as an abnormal operation; under "remote touch of the document is anomalous", an operation is regarded as abnormal only when the honey guide document is triggered from a host whose IP differs from the IP of the host on which it was generated.
6. An anomaly sensing and tracing system, characterised by comprising:
a honey guide generation system module, for generating honey guide documents with an embedded honey guide on a protected host;
a main control module, for recording the honey guide generation information carried by each honey guide document; setting an anomaly judgement condition according to the type of the honey guide document and the mode in which the honey guide was embedded; when a honey guide document is triggered, sending a judgement request and analysing it, extracting the fingerprint information of the party triggering the honey guide document and the honey guide generation information carried by the triggered honey guide document; judging according to the anomaly judgement condition whether an anomaly has occurred; and if so, issuing an anomaly warning and notifying a designated user;
an anomaly sensing and tracing module, for, when the honey guide document was triggered after leaving the protected host and an anomaly is judged to have occurred, obtaining the fingerprint information at the same time as the anomaly warning is issued, treating it as the attacker's fingerprint information, and tracing the attacker accordingly.
7. The anomaly sensing and tracing system of claim 6, characterised in that the honey guide generation system module includes a honey guide generation local service module and a honey guide generation remote service module;
the honey guide generation local service module is installed on the protected host and has a new-document honey guide embedding module, an existing-document honey guide embedding module and a network deception functional module;
the honey guide generation remote service module has an existing-document honey guide embedding module and a network deception functional module;
the new-document honey guide embedding module performs the honey guide embedding operation on documents newly generated locally; the existing-document honey guide embedding module performs the honey guide embedding operation on one or more existing documents; the network deception functional module automatically generates fake documents and performs the honey guide embedding operation on them.
8. The anomaly sensing and tracing system of claim 6, characterised in that the main control module includes: a database system module; a honey guide request processing system module; an analysis and control system module; and an anomaly notification module;
wherein the database system module records the honey guide generation information returned by the honey guide generation system, including the URI address identifying the honey guide, the IP of the host where the honey guide document resides, and the document title; records the fingerprint information when a honey guide file is triggered, including the source IP of the host concerned, its operating system and the document version; and provides a statistical query and configuration interface for the analysis and control system module, automatically generating and returning the relevant query results according to the query conditions;
the honey guide request processing system module sends an analysis request to the aforementioned URI address when a honey guide document on a protected device is triggered; and analyses the request to obtain the aforementioned honey guide generation information and fingerprint information, sending both to the analysis and control system module;
the analysis and control system module, as the interface to the honey guide generation system module and the database system module, externally receives the honey guide generation information sent by the honey guide generation system and internally forwards it to the database module for recording; it also receives the honey guide generation information and fingerprint information obtained by the honey guide request processing system module, queries and associates them with the honey guide information in the database system module, judges and locates whether and where an anomaly has occurred, and sends an anomaly warning to the anomaly notification module according to the anomaly sensing condition;
the anomaly notification module notifies the designated user of the anomaly warning transmitted by the analysis and control system module; the anomaly information includes the anomalous host IP, the anomalous document title, the attacker IP and the attacker's operating system.
9. The anomaly sensing and tracing system of claim 6, characterised in that the analysis and control system module includes a system configuration module for configuring the anomaly sensing condition.
CN201710183157.6A 2017-03-24 2017-03-24 A kind of abnormality sensing and method for tracing and system Active CN107046535B (en)

Publications (2)

Publication Number Publication Date
CN107046535A CN107046535A (en) 2017-08-15
CN107046535B (en) 2019-11-29
