CN109995705A - Attack chain detection method and device based on high interaction honey pot system - Google Patents


Info

Publication number: CN109995705A (granted as CN109995705B)
Application number: CN201711480108.5A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 朱晴, 张颂蘅, 康学斌, 王小丰
Original and current assignee: Beijing Ahtech Network Safe Technology Ltd
Legal status: granted, active (status as listed by Google Patents, which states that it is an assumption and not a legal conclusion)
Prior art keywords: information, file, virtual machine, attack, communication
Classifications (CPC, all under H04L63/14: network security, detecting or protecting against malicious traffic)

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408, detection by monitoring network traffic)
    • H04L63/1483 Countermeasures against malicious traffic: service impersonation, e.g. phishing, pharming or web spoofing (under H04L63/1441)
    • H04L63/1491 Countermeasures against malicious traffic using deception, e.g. honeypots, honeynets, decoys or entrapment (under H04L63/1441)


Abstract

The invention discloses an attack chain detection method and device based on a high-interaction honeypot system. The method comprises: obtaining the virtual machine system behaviour and the service communication traffic of the high-interaction honeypot system; obtaining the PE file released by a system process and the networking information of that PE file; backtracking, from the PE file and its networking information, the information of the process that released the PE file and the communication address corresponding to the PE file; obtaining the corresponding service information and intranet communication address information from the service communication traffic and the information of the releasing process; and extracting an attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information. By extracting the attack chain from the virtual machine system behaviour and the process and port information of the high-interaction honeypot system, the method makes the honeypot attack process clearer and improves the accuracy of attack detection.

Description

Attack chain detection method and device based on high interaction honey pot system
Technical field
The present invention relates to the technical field of computer security, and in particular to an attack chain detection method and device based on a high-interaction honeypot system.
Background art
In the related art, honeypot technology, as a technique for deceiving attackers, has been widely applied. By deploying bait hosts or network services, a honeypot can capture and perceive attacks; the captured attacks can then be analysed to understand the attacker's tools, targets and intentions, so that defenders can improve host defence mechanisms in a targeted way.
However, although a high-interaction honeypot is a real, running system that can trap attacks in depth, respond genuinely to different attack patterns and produce a corresponding attack record, the complexity of the environment and the variety of attack patterns and means make it difficult for the honeypot to sort a clear attack process out of the attack data, and it is equally difficult for security personnel to extract a complete attack process from the many threat events in the honeypot data. This problem urgently needs to be solved.
Summary of the invention
The present invention aims to solve at least one of the technical problems in the related art.
To this end, one object of the present invention is to provide an attack chain detection method based on a high-interaction honeypot system, which can make the honeypot attack process clearer and improve the accuracy of attack detection.
Another object of the present invention is to provide an attack chain detection device based on a high-interaction honeypot system.
To achieve the above objects, an embodiment of one aspect of the present invention provides an attack chain detection method based on a high-interaction honeypot system, comprising the following steps: obtaining the virtual machine system behaviour and the service communication traffic of the high-interaction honeypot system; obtaining the PE (Portable Executable) file released by a system process and the networking information of the PE file; backtracking, from the PE file and its networking information, the information of the process that released the PE file and the communication address corresponding to the PE file; obtaining the corresponding service information and intranet communication address information from the service communication traffic and the information of the process that released the PE file; and extracting an attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information.
The attack chain detection method based on a high-interaction honeypot system of the embodiment of the present invention can obtain the corresponding service information and intranet communication address information from the service communication traffic and the information of the process that released the PE file, and then extract the attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information, so that the honeypot attack process becomes clearer and the accuracy of attack detection is improved.
Further, in one embodiment of the invention, extracting the attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information further comprises: judging, from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information, whether the PE file is of a malicious type; if the PE file is of a malicious type, generating an attack chain, otherwise generating a risk prompt.
Further, in one embodiment of the invention, judging from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information whether the PE file is of a malicious type further comprises: performing behaviour detection and static file identification on the PE file and its corresponding process by means of the recorded system behaviour and a static file scan, so as to judge whether the PE file is malicious.
Further, in one embodiment of the invention, generating an attack chain if the PE file is of a malicious type and otherwise generating a risk prompt further comprises: if the PE file is malicious, generating the attack chain and displaying first chain-type information; if the PE file is unknown, generating the risk prompt and displaying second chain-type information, where the chain-type information includes one or more of intrusion information, installation information, control information and intention information.
Further, in one embodiment of the invention, obtaining the virtual machine system behaviour and the service communication traffic of the high-interaction honeypot system further comprises: monitoring the file, process, network and registry behaviour inside the honeypot virtual machine to obtain the virtual machine system behaviour; and capturing the network interface traffic packets of the host to obtain the service communication traffic.
To achieve the above objects, an embodiment of another aspect of the present invention provides an attack chain detection device based on a high-interaction honeypot system, comprising: a first obtaining module for obtaining the virtual machine system behaviour and the service communication traffic of the high-interaction honeypot system; a second obtaining module for obtaining the PE file released by a system process and the networking information of the PE file; an analysis module for backtracking, from the PE file and its networking information, the information of the process that released the PE file and the communication address corresponding to the PE file; a third obtaining module for obtaining the corresponding service information and intranet communication address information from the service communication traffic and the information of the process that released the PE file; and an extraction module for extracting an attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information.
The attack chain detection device based on a high-interaction honeypot system of the embodiment of the present invention can obtain the corresponding service information and intranet communication address information from the service communication traffic and the information of the process that released the PE file; the extraction module then extracts the attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information, so that the honeypot attack process becomes clearer and the accuracy of attack detection is improved.
Further, in one embodiment of the invention, the extraction module further comprises: a judging unit for judging, from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information, whether the PE file is of a malicious type; and a generation unit for generating an attack chain if the PE file is of a malicious type, and otherwise generating a risk prompt.
Further, in one embodiment of the invention, the judging unit further comprises: performing behaviour detection and static file identification on the PE file and its corresponding process by means of the recorded system behaviour and a static file scan, so as to judge whether the PE file is malicious.
Further, in one embodiment of the invention, the generation unit further comprises: if the PE file is malicious, generating the attack chain and displaying first chain-type information; if the PE file is unknown, generating the risk prompt and displaying second chain-type information, where the chain-type information includes one or more of intrusion information, installation information, control information and intention information.
Further, in one embodiment of the invention, the first obtaining module further comprises: a first obtaining unit for monitoring the file, process, network and registry behaviour inside the honeypot virtual machine to obtain the virtual machine system behaviour; and a second obtaining unit for capturing the network interface traffic packets of the host to obtain the service communication traffic.
Additional aspects and advantages of the present invention will be set forth in part in the following description, and in part will become apparent from the following description or be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the present invention will become apparent and easily understood from the following description of the embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a flow chart of the attack chain detection method based on a high-interaction honeypot system according to an embodiment of the present invention;
Fig. 2 is a flow chart of the attack chain detection method based on a high-interaction honeypot system according to a specific embodiment of the present invention; and
Fig. 3 is a schematic structural diagram of the attack chain detection device based on a high-interaction honeypot system according to an embodiment of the present invention.
Detailed description of the embodiments
Embodiments of the present invention are described in detail below; examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, are intended to explain the invention, and are not to be understood as limiting it.
Before introducing the attack chain detection method and device based on a high-interaction honeypot system of the embodiment of the present invention, the detection method in the related art is first briefly introduced.
Honeypots in the related art all make a single attack record for an attack. For example, a hacker breaks into a remote host by port brute forcing or through a service vulnerability, writes a VBS downloader script, downloads and runs a Trojan program, and then remotely controls the machine to carry out a DDoS attack: this is a typical botnet recruitment ("grabbing chickens") process. The normal records would be, for example: 1. port scan; 2. connection to a certain service; 3. port brute forcing; 4. remote injection; 5. download and execution; 6. establishment of communication with a remote address.
By associating these behaviours and classifying each phase of the attack, an attack chain is generated. Since intrusion situations are complex and varied, an attack chain is generated only when at least two of the following stages are met:
(1) Intrusion (port scan, service port brute forcing) -> Installation (a certain process releases a file, a certain program is executed);
(2) Control (the Trojan program accesses a remote address) -> Intention (Trojan virus family, Trojan type).
It is precisely on the basis of the above problems that the present invention proposes an attack chain detection method and device based on a high-interaction honeypot system.
The attack chain detection method and device based on a high-interaction honeypot system proposed according to embodiments of the present invention are described below with reference to the accompanying drawings; the attack chain detection method based on a high-interaction honeypot system is described first.
Fig. 1 is the flow chart of the attack chain detection method based on high interaction honey pot system of the embodiment of the present invention.
As shown in Fig. 1, the attack chain detection method based on a high-interaction honeypot system comprises the following steps:
In step S101, the virtual machine system behaviour and the service communication traffic of the high-interaction honeypot system are obtained.
In one embodiment of the invention, obtaining the virtual machine system behaviour and the service communication traffic of the high-interaction honeypot system further comprises: monitoring the file, process, network and registry behaviour inside the honeypot virtual machine to obtain the virtual machine system behaviour; and capturing the network interface traffic packets of the host to obtain the service communication traffic.
That is, the embodiment of the present invention obtains the virtual machine system behaviour of the high-interaction honeypot system by monitoring the system behaviour inside the honeypot virtual machine, such as its file, process, network and registry behaviour, and obtains the service communication traffic by capturing the traffic packets on the host's network interface.
In step S102, the PE file released by a system process and the networking information of the PE file are obtained.
That is, the embodiment of the present invention obtains the executable (PE) file released by a system process, together with information such as whether the PE file makes an external network connection; if it does, the connected address is labelled IP1.
In step S103, the information of the process that released the PE file and the communication address corresponding to the PE file are obtained by backtracking from the PE file and its networking information.
In step S104, the corresponding service information and intranet communication address information are obtained from the service communication traffic and the information of the process that released the PE file.
That is, the embodiment of the present invention obtains the corresponding service information, process information and communication address by parsing the traffic.
In step S105, the attack chain is extracted from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information.
Further, in one embodiment of the invention, extracting the attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information further comprises: judging, from the virtual machine system behaviour and the process and port information, whether the PE file is of a malicious type; if the PE file is of a malicious type, generating an attack chain, otherwise generating a risk prompt.
In one embodiment of the invention, judging from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information whether the PE file is of a malicious type further comprises: performing behaviour detection and static file identification on the PE file and its corresponding process by means of the recorded system behaviour and a static file scan, so as to judge whether the PE file is malicious.
In one embodiment of the invention, generating an attack chain if the PE file is of a malicious type and otherwise generating a risk prompt further comprises: if the PE file is malicious, generating the attack chain and displaying first chain-type information; if the PE file is unknown, generating the risk prompt and displaying second chain-type information, where the chain-type information includes one or more of intrusion information, installation information, control information and intention information.
That is, the embodiment of the present invention extracts the attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information: it performs behaviour detection and static file identification on the PE file and its corresponding process using the recorded system behaviour and a static file scan, judges whether the PE file released by the system process is a malicious file, and identifies its malicious type:
If the PE file is of a malicious type, an attack chain is generated: Intrusion: connection to the honeypot port service -> Installation: release of the PE file -> Control: IP1 -> Intention: malicious type of the PE file and type characteristics;
If the PE file is unknown, a risk prompt is generated: connection to the honeypot port service -> the port service's running process releases the PE file -> the PE file accesses external network address IP1.
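The patent states that the released PE file is judged by behaviour detection plus a static file scan, but does not say what the static scan inspects. The following is an added example, not code from the patent or its assignee: a standard-library parser for the PE headers and section table, followed by a few static indicators (writable-and-executable sections, high section entropy suggesting packing, an entry point outside any executable section) that a sandbox would record next to the behavioural evidence. The sample image is constructed in memory to exercise the parser and is not a real program; the 7.0 bits/byte entropy threshold is an assumption.

```python
"""Static triage of a PE file dropped inside the honeypot (added example)."""
import hashlib
import math
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
_OPT_HDR_SIZE = 240          # full PE32+ optional header (we emit only the leading fields)
HIGH_ENTROPY = 7.0           # assumed packing threshold in bits per byte


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for packed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe(entry_rva: int = 0x1000, packed: bool = False) -> bytes:
    """Constructed minimal PE32+ image: DOS stub, COFF header, optional header, .text, .data."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, _OPT_HDR_SIZE,
                       IMAGE_FILE_EXECUTABLE_IMAGE | 0x0020)              # AMD64, 2 sections
    opt = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, 0x400, 0x200, 0,
                      entry_rva, 0x1000, 0x140000000)                    # PE32+, entry, ImageBase
    opt += b"\x00" * (_OPT_HDR_SIZE - len(opt))
    text_chars = 0x00000020 | IMAGE_SCN_MEM_EXECUTE | 0x40000000         # code, execute, read
    if packed:
        text_chars |= IMAGE_SCN_MEM_WRITE                                 # self-modifying stub
    sections = struct.pack("<8sIIIIIIHHI", b".text", 0x400, 0x1000, 0x400, 0x200, 0, 0, 0, 0, text_chars)
    sections += struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x2000, 0x200, 0x600, 0, 0, 0, 0,
                            0x00000040 | 0x40000000 | IMAGE_SCN_MEM_WRITE)  # data, read, write
    headers = dos + b"PE\x00\x00" + coff + opt + sections
    headers += b"\x00" * (0x200 - len(headers))                           # pad to FileAlignment
    text = _pseudo_random(0x400) if packed else b"\xcc" * 0x400
    return headers + text + b"\x00" * 0x200


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Parse DOS header, PE signature, COFF header, optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x20B:                                   # PE32+: ImageBase is a QWORD at +24
        fmt, (image_base,) = "PE32+", struct.unpack_from("<Q", data, opt + 24)
    elif magic == 0x10B:                                 # PE32: BaseOfData at +24, ImageBase at +28
        fmt, (image_base,) = "PE32", struct.unpack_from("<I", data, opt + 28)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, schars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "chars": schars, "entropy": entropy(raw)})
    return {"format": fmt, "machine": machine, "characteristics": chars,
            "entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def static_indicators(info: dict) -> list:
    """Static hints recorded alongside the behavioural evidence; empty means none found."""
    hits, entry, holder = [], info["entry_rva"], None
    for s in info["sections"]:
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"]):
            holder = s
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append(f"section {s['name']} is writable and executable")
        if s["raw_size"] >= 256 and s["entropy"] > HIGH_ENTROPY:
            hits.append(f"section {s['name']} has high entropy ({s['entropy']:.2f} bits/byte), likely packed")
    if holder is None:
        hits.append(f"entry point {entry:#x} lies outside every section")
    elif not holder["chars"] & IMAGE_SCN_MEM_EXECUTE:
        hits.append(f"entry point {entry:#x} is in non-executable section {holder['name']}")
    if not info["characteristics"] & IMAGE_FILE_EXECUTABLE_IMAGE:
        hits.append("IMAGE_FILE_EXECUTABLE_IMAGE flag not set")
    return hits
```

Run `static_indicators(parse_pe(open(path, "rb").read()))` on a real dropped file; indicators alone are not a verdict, which is why the patent combines them with the recorded process behaviour before labelling the PE malicious or unknown.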
As shown in Fig. 2, in one particular embodiment of the present invention, the attack chain detection side based on high interaction honey pot system The step of method, is as follows:
In step S1, the file, process, network and registry behaviour inside the honeypot virtual machine is monitored, and the service communication traffic on the honeypot virtual machine's open ports is captured.
In step S2, the PE file released by a system process is captured, and the external network IP connected to by the PE's process is obtained and labelled IP1.
In step S3, the process procX that released the PE file is traced back, then the process procY that operated procX is traced back, and procY is associated with its corresponding port service Z.
In step S4, according to the service communication traffic captured in step S1, the communication traffic corresponding to port service Z is analysed to obtain the remote IP address (on the local area network), labelled IP2.
In step S5, using the system behaviour recorded in step S2 and a static file scan, behaviour detection and static file identification are performed on the PE file and its corresponding process, to judge whether the PE file released by the system process is a malicious file and to identify its malicious type.
In step S6, it is judged whether the PE file is of a malicious type; if so, step S7 is executed, otherwise step S8 is executed.
In step S7, if the PE file is malicious, an attack chain is generated: Intrusion: port service connection (from compromised host IP2) -> Installation: release of the PE file -> Control: IP1 -> Intention: malicious type of the PE file and type characteristics.
In step S8, if the PE file is unknown, a risk warning is generated: LAN IP2 remotely accesses the honeypot port service -> the port service's running process releases the PE file -> the PE file accesses external network IP1.
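Steps S1 to S8 above, and steps S101 to S105 of Fig. 1, describe one procedure: back-track from a dropped PE to the releasing process and the intruded port service, pair that service with the LAN peer seen in the host capture (IP2), record the PE's external connection (IP1), classify the PE, and emit either an attack chain or a risk prompt. The following is an added example of that procedure, not the patent's own code. The event format, field names, sample telemetry, the known-bad hash and the brute-force threshold are all constructed for illustration. It generalises step S3 slightly: instead of one fixed parent hop (procX to procY), it walks the process ancestry until it reaches a process that holds a listening port, since the dropper may sit several hops below the service.

```python
"""Attack chain reconstruction from high-interaction honeypot telemetry (added example)."""
import ipaddress
from collections import Counter

HONEYPOT_IP = "10.0.0.9"

# Constructed in-guest telemetry (file, process, network, registry), ts in relative seconds.
VM_EVENTS = [
    {"ts": 0, "type": "listen", "pid": 612, "image": "svchost.exe", "service": "LanmanServer", "port": 445},
    {"ts": 12, "type": "process_create", "pid": 1208, "ppid": 612, "image": "cmd.exe"},
    {"ts": 13, "type": "process_create", "pid": 1340, "ppid": 1208, "image": "cscript.exe"},
    {"ts": 14, "type": "file_write", "pid": 1340, "path": "C:\\Users\\Public\\svhost.exe",
     "is_pe": True, "sha256": "9e8d" * 16},
    {"ts": 15, "type": "process_create", "pid": 1400, "ppid": 1340, "image": "C:\\Users\\Public\\svhost.exe"},
    {"ts": 16, "type": "registry_set", "pid": 1400,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svhost"},
    {"ts": 17, "type": "connect", "pid": 1400, "dst": "203.0.113.7", "dport": 6667},
]
# Constructed host NIC flow records: seven SMB connections in seven seconds from one LAN peer.
HOST_FLOWS = [{"ts": 5 + i, "src": "10.0.0.23", "sport": 51000 + i, "dst": HONEYPOT_IP, "dport": 445}
              for i in range(7)]
KNOWN_BAD = {"9e8d" * 16: "Trojan.DDoS (constructed label)"}   # constructed static-scan verdicts
BRUTE_FORCE_MIN_CONNECTIONS = 5                                 # assumed threshold
_LAN_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    """Explicit LAN check; ipaddress.is_global would also reject the 203.0.113.0/24 test range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in _LAN_NETS)


def backtrack_to_service(events, pid):
    """Walk pid -> ppid from the releasing process until a listening process (service Z)."""
    listens = {e["pid"]: e for e in events if e["type"] == "listen"}
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}
    hops, cur = [], pid
    while cur is not None and cur not in hops:
        hops.append(cur)
        if cur in listens:
            return listens[cur], hops
        cur = parents.get(cur)
    return None, hops


def pe_network_info(events, pe_path):
    """PIDs executed from the dropped PE and the external addresses they contacted (IP1)."""
    pids = {e["pid"] for e in events
            if e["type"] == "process_create" and e["image"].lower() == pe_path.lower()}
    ips = {e["dst"] for e in events
           if e["type"] == "connect" and e["pid"] in pids and is_external(e["dst"])}
    return sorted(ips), pids


def intranet_peer(flows, honeypot_ip, port, before_ts):
    """Most frequent LAN source that hit the service port before the drop (IP2) and its count."""
    srcs = Counter(f["src"] for f in flows
                   if f["dst"] == honeypot_ip and f["dport"] == port and f["ts"] <= before_ts)
    return srcs.most_common(1)[0] if srcs else (None, 0)


def classify_pe(sha256, pe_pids, events, known_bad):
    """Static identification (hash lookup) first, then behaviour detection on the PE's processes."""
    if sha256 in known_bad:
        return "malicious", known_bad[sha256]
    indicators = set()
    for e in events:
        if e["pid"] not in pe_pids:
            continue
        if e["type"] == "registry_set" and "\\currentversion\\run\\" in e["key"].lower():
            indicators.add("run-key persistence")
        if e["type"] == "connect" and is_external(e["dst"]):
            indicators.add("external connection")
    if indicators >= {"run-key persistence", "external connection"}:
        return "malicious", "behaviour: " + ", ".join(sorted(indicators))
    return "unknown", None


def detect(events, flows, honeypot_ip, known_bad=KNOWN_BAD):
    """One attack chain or risk prompt per PE file dropped inside the honeypot."""
    images = {e["pid"]: e["image"] for e in events if e["type"] in ("listen", "process_create")}
    results = []
    for drop in (e for e in events if e["type"] == "file_write" and e.get("is_pe")):
        ip1_list, pe_pids = pe_network_info(events, drop["path"])
        service, hops = backtrack_to_service(events, drop["pid"])
        ip2, attempts = (intranet_peer(flows, honeypot_ip, service["port"], drop["ts"])
                         if service else (None, 0))
        verdict, label = classify_pe(drop["sha256"], pe_pids, events, known_bad)
        stages = {"installation": {"path": drop["path"],
                                   "released_by": [images.get(p, "?") for p in hops]}}
        if service and ip2:
            stages["intrusion"] = {"remote_ip": ip2, "port": service["port"], "service": service["service"],
                                   "connections": attempts,
                                   "brute_force_suspected": attempts >= BRUTE_FORCE_MIN_CONNECTIONS}
        if ip1_list:
            stages["control"] = {"remote_ips": ip1_list}
        if verdict == "malicious":
            stages["intention"] = {"type": label}
        # Chain only for a malicious PE with at least two stages; otherwise a plain risk prompt.
        if verdict == "malicious" and len(stages) >= 2:
            results.append({"kind": "attack_chain", "pe": drop["path"], "stages": stages})
        else:
            steps = []
            if ip2:
                steps.append(f"{ip2} accessed honeypot port {service['port']} ({service['service']})")
            steps.append(f"{images.get(drop['pid'], '?')} released {drop['path']}")
            steps += [f"{drop['path']} connected to external {ip}" for ip in ip1_list]
            results.append({"kind": "risk_prompt", "pe": drop["path"], "steps": steps})
    return results
```

`detect(VM_EVENTS, HOST_FLOWS, HONEYPOT_IP)` yields one chain whose intrusion stage names 10.0.0.23 and port 445 with brute forcing suspected, whose installation stage lists cscript.exe, cmd.exe and svchost.exe as the release path, whose control stage holds 203.0.113.7, and whose intention stage carries the family label. Removing the hash match and the Run-key write leaves the PE unknown, and the same input produces the three-step risk prompt of step S8 instead.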
The attack chain detection method based on a high-interaction honeypot system proposed according to the embodiment of the present invention can extract the attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information, and thereby summarise the attack detected by the honeypot into intrusion, installation, control and intention, so that the honeypot attack process is clearer and can be displayed as a chain, which effectively improves the accuracy of attack detection.
Next, the attack chain detection device based on a high-interaction honeypot system proposed according to embodiments of the present invention is described with reference to the drawings.
Fig. 3 is a schematic structural diagram of the attack chain detection device based on a high-interaction honeypot system of the embodiment of the present invention.
As shown in Fig. 3, the attack chain detection device 10 based on a high-interaction honeypot system comprises: a first obtaining module 100, a second obtaining module 200, an analysis module 300, a third obtaining module 400 and an extraction module 500.
The first obtaining module 100 is used to obtain the virtual machine system behaviour and the service communication traffic of the high-interaction honeypot system. The second obtaining module 200 is used to obtain the PE file released by a system process and the networking information of the PE file. The analysis module 300 is used to backtrack, from the PE file and its networking information, the information of the process that released the PE file and the communication address corresponding to the PE file. The third obtaining module 400 is used to obtain the corresponding service information and intranet communication address information from the service communication traffic and the information of the process that released the PE file. The extraction module 500 is used to extract the attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information. The device 10 of the embodiment of the present invention can thus extract the attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information, making the honeypot attack process clearer and improving the accuracy of attack detection.
Further, in one embodiment of the invention, the extraction module 500 further comprises a judging unit and a generation unit. The judging unit is used to judge, from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information, whether the PE file is of a malicious type. The generation unit is used to generate an attack chain if the PE file is of a malicious type, and otherwise to generate a risk prompt.
Further, in one embodiment of the invention, the judging unit further comprises: performing behaviour detection and static file identification on the PE file and its corresponding process by means of the recorded system behaviour and a static file scan, so as to judge whether the PE file is malicious.
Further, in one embodiment of the invention, the generation unit further comprises: if the PE file is malicious, generating the attack chain and displaying first chain-type information; if the PE file is unknown, generating the risk prompt and displaying second chain-type information, where the chain-type information includes one or more of intrusion information, installation information, control information and intention information.
Further, in one embodiment of the invention, the first obtaining module 100 further comprises a first obtaining unit and a second obtaining unit. The first obtaining unit is used to monitor the file, process, network and registry behaviour inside the honeypot virtual machine to obtain the virtual machine system behaviour. The second obtaining unit is used to capture the network interface traffic packets of the host to obtain the service communication traffic.
It should be noted that the foregoing explanation of the embodiment of the attack chain detection method based on a high-interaction honeypot system also applies to the attack chain detection device based on a high-interaction honeypot system of this embodiment, and is not repeated here.
The attack chain detection device based on a high-interaction honeypot system proposed according to the embodiment of the present invention can obtain process and port information from the service communication traffic, the information of the releasing process and the corresponding service information, and thus extract the attack chain from the virtual machine system behaviour and the process and port information, thereby summarising the attack detected by the honeypot into intrusion, installation, control and intention, so that the honeypot attack process is clearer and can be displayed as a chain, which effectively improves the accuracy of attack detection.
In the description of the present invention, it should be understood that the orientations or positional relationships indicated by terms such as "centre", "longitudinal", "transverse", "length", "width", "thickness", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", "clockwise", "counterclockwise", "axial", "radial" and "circumferential" are based on the orientations or positional relationships shown in the drawings, are used only for convenience and simplicity of description, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation; they are therefore not to be understood as limiting the invention.
In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Thus a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "plurality" means at least two, for example two or three, unless otherwise specifically defined.
In the present invention, unless otherwise expressly specified and limited, the terms "mounted", "connected", "coupled", "fixed" and the like are to be understood broadly: a connection may be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediary; and may be an internal communication between two elements or an interaction between two elements, unless otherwise expressly limited. Those of ordinary skill in the art can understand the specific meanings of the above terms in the present invention according to the specific circumstances.
In the present invention, unless otherwise expressly specified and limited, a first feature being "on" or "under" a second feature may mean that the first and second features are in direct contact, or that they are in indirect contact through an intermediary. Moreover, a first feature being "on", "above" or "over" a second feature may mean that the first feature is directly or obliquely above the second feature, or merely that the first feature is at a higher level than the second feature. A first feature being "under", "below" or "beneath" a second feature may mean that the first feature is directly or obliquely below the second feature, or merely that the first feature is at a lower level than the second feature.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "an example", "a specific example", "some examples" and the like means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, those skilled in the art may combine and join the different embodiments or examples, and the features of different embodiments or examples, described in this specification, provided they do not conflict with one another.
Although embodiments of the present invention have been shown and described above, it is to be understood that the above embodiments are exemplary and are not to be understood as limiting the invention; those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the invention.

Claims (10)

1. An attack chain detection method based on a high-interaction honeypot system, characterized by comprising the following steps:
obtaining the virtual machine system behavior and the service communication traffic of the high-interaction honeypot system;
obtaining a PE file released (dropped) by a system process and the networking information of the PE file;
backtracking, according to the networking information of the PE file and the PE file itself, the process information of the process that released the PE file and the communication address corresponding to the PE file;
obtaining the corresponding service information and intranet communication address information according to the service communication traffic and the process information of the process that released the PE file; and
extracting an attack chain according to the virtual machine system behavior, the service information, the PE communication information and the intranet communication address information.
2. The attack chain detection method based on a high-interaction honeypot system according to claim 1, characterized in that extracting an attack chain according to the virtual machine system behavior, the service information, the PE communication information and the intranet communication address information further comprises:
judging, according to the virtual machine system behavior, the service information, the PE communication information and the intranet communication address information, whether the PE file is of a malicious type;
if the PE file is of a malicious type, generating an attack chain; otherwise, generating a risk prompt.
3. The attack chain detection method based on a high-interaction honeypot system according to claim 2, characterized in that judging, according to the virtual machine system behavior, the service information, the PE communication information and the intranet communication address information, whether the PE file is of a malicious type further comprises:
performing behavior detection and static file identification on the PE file and its corresponding process, using the recorded system behavior and a static file scan, so as to judge whether the PE file is malicious.
4. The attack chain detection method based on a high-interaction honeypot system according to claim 2 or 3, characterized in that generating an attack chain if the PE file is of a malicious type, and otherwise generating a risk prompt, further comprises:
if the PE file is malicious, generating the attack chain and displaying first chain type information;
if the PE file is unknown, generating the risk prompt and displaying second chain type information, wherein the chain type information includes one or more of intrusion information, installation information, control information and intent information.
5. The attack chain detection method based on a high-interaction honeypot system according to any one of claims 1 to 4, characterized in that obtaining the virtual machine system behavior and the service communication traffic of the high-interaction honeypot system further comprises:
monitoring the file, process, network and registry behavior inside the honeypot virtual machine, so as to obtain the virtual machine system behavior;
capturing the network interface traffic packets of the host, so as to obtain the service communication traffic.
6. An attack chain detection device based on a high-interaction honeypot system, characterized by comprising:
a first obtaining module, for obtaining the virtual machine system behavior and the service communication traffic of the high-interaction honeypot system;
a second obtaining module, for obtaining a PE file released by a system process and the networking information of the PE file;
an analysis module, for backtracking, according to the networking information of the PE file and the PE file itself, the process information of the process that released the PE file and the communication address corresponding to the PE file;
a third obtaining module, for obtaining the corresponding service information and intranet communication address information according to the service communication traffic and the process information of the process that released the PE file; and
an extraction module, for extracting an attack chain according to the virtual machine system behavior, the service information, the PE communication information and the intranet communication address information.
7. The attack chain detection device based on a high-interaction honeypot system according to claim 6, characterized in that the extraction module further comprises:
a judging unit, for judging, according to the virtual machine system behavior, the service information, the PE communication information and the intranet communication address information, whether the PE file is of a malicious type;
a generation unit, for generating an attack chain if the PE file is of a malicious type, and otherwise generating a risk prompt.
8. The attack chain detection device based on a high-interaction honeypot system according to claim 7, characterized in that the judging unit is further configured to:
perform behavior detection and static file identification on the PE file and its corresponding process, using the recorded system behavior and a static file scan, so as to judge whether the PE file is malicious.
9. The attack chain detection device based on a high-interaction honeypot system according to claim 7 or 8, characterized in that the generation unit is further configured to:
if the PE file is malicious, generate the attack chain and display first chain type information;
if the PE file is unknown, generate the risk prompt and display second chain type information, wherein the chain type information includes one or more of intrusion information, installation information, control information and intent information.
10. The attack chain detection device based on a high-interaction honeypot system according to any one of claims 6 to 9, characterized in that the first obtaining module further comprises:
a first acquisition unit, for monitoring the file, process, network and registry behavior inside the honeypot virtual machine, so as to obtain the virtual machine system behavior;
a second acquisition unit, for capturing the network interface traffic packets of the host, so as to obtain the service communication traffic.
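As an added example (not the patent's own code), the following Python correlates the three inputs of claim 1 over constructed sample records and applies the malicious/unknown split of claims 2 to 4; the record formats, field names, paths and addresses are assumptions made for illustration.

```python
"""Added example, not code from the patent: correlate honeypot VM behaviour records, a
dropped PE file and host-side service flows into an attack chain as claims 1 to 5 describe.
All records, paths and addresses below are constructed sample data, not real indicators."""
HONEYPOT_IP = "10.0.0.20"
# Constructed VM behaviour records (pid, process, action, detail), per claim 5.
VM_BEHAVIOR = [
    ("1204", "svchost.exe", "net_accept", "10.0.0.5:445"),
    ("1204", "svchost.exe", "file_write", "C:\\Windows\\Temp\\upd.exe"),
    ("3310", "upd.exe", "registry_set", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"),
    ("3310", "upd.exe", "net_connect", "203.0.113.7:4444"),
    ("3310", "upd.exe", "net_connect", "10.0.0.9:445"),
    ("1204", "svchost.exe", "file_write", "C:\\Windows\\Temp\\scan.exe"),
    ("4402", "scan.exe", "net_connect", "10.0.0.9:445"),
]
# Constructed host NIC flows (src, dst, dport, service) captured per claim 5.
HOST_FLOWS = [("10.0.0.5", HONEYPOT_IP, 445, "smb"), (HONEYPOT_IP, "10.0.0.9", 445, "smb")]
STATIC_SCAN = {"C:\\Windows\\Temp\\upd.exe": "malicious"}  # constructed scanner verdicts

def is_intranet(ip):
    return ip.startswith("10.") or ip.startswith("192.168.")

def backtrack(pe_path):
    """Claim 1, step 3: which process released the PE, and where the PE's own process connected."""
    dropper = next(e for e in VM_BEHAVIOR if e[2] == "file_write" and e[3] == pe_path)
    name = pe_path.rsplit("\\", 1)[-1].lower()
    conns = [e[3] for e in VM_BEHAVIOR if e[1].lower() == name and e[2] == "net_connect"]
    return dropper, conns

def service_info(dropper):
    """Claim 1, step 4: the service and source address behind the dropper's accepted connection."""
    src = next(e[3].split(":")[0] for e in VM_BEHAVIOR if e[0] == dropper[0] and e[2] == "net_accept")
    flow = next(f for f in HOST_FLOWS if f[0] == src and f[1] == HONEYPOT_IP)
    return {"service": flow[3], "port": flow[2], "source": src}

def extract_chain(pe_path):
    """Claims 2 to 4: judge the PE, then emit an attack chain or a risk prompt with chain-type info."""
    dropper, conns = backtrack(pe_path)
    svc = service_info(dropper)
    name = pe_path.rsplit("\\", 1)[-1].lower()
    persists = any(e[1].lower() == name and e[2] == "registry_set" for e in VM_BEHAVIOR)
    external = [c for c in conns if not is_intranet(c.split(":")[0])]
    lateral = [c for c in conns if is_intranet(c.split(":")[0])]
    stages = {"intrusion": f"{svc['source']} -> {svc['service']}/{svc['port']} handled by {dropper[1]}",
              "installation": f"{dropper[1]} wrote {pe_path}" + (", registry Run persistence" if persists else "")}
    if external: stages["control"] = "outbound connection to " + ", ".join(external)
    if lateral: stages["intent"] = "intranet connection to " + ", ".join(lateral)
    # Claim 3: static scan verdict plus recorded behaviour decide malicious vs unknown.
    malicious = STATIC_SCAN.get(pe_path) == "malicious" or (persists and bool(external))
    return {"type": "attack_chain" if malicious else "risk_prompt", "pe": pe_path, "chain": stages}
```

The second constructed PE (scan.exe) has no scanner verdict, no persistence and no outbound connection, so it yields a risk prompt whose chain-type information shows only the stages actually observed.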
CN201711480108.5A 2017-12-29 2017-12-29 Attack chain detection method and device based on high-interaction honeypot system Active CN109995705B (en)

Publications (2)

Publication Number Publication Date
CN109995705A true CN109995705A (en) 2019-07-09
CN109995705B CN109995705B (en) 2022-03-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant