CN109995705A - Attack chain detection method and device based on high interaction honey pot system - Google Patents
- Publication number: CN109995705A (application CN201711480108.5A)
- Authority
- CN
- China
- Prior art keywords
- information
- file
- virtual machine
- attack
- communication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1483—Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses an attack chain detection method and device based on a high-interaction honeypot system. The method includes: obtaining the virtual machine system behaviour and the service communication traffic of the high-interaction honeypot system; obtaining the PE files released by system processes and the networking information of those PE files; tracing back, from a PE file and its networking information, the process information of the process that released the PE file and the communication address corresponding to the PE file; obtaining the corresponding service information and intranet communication address information from the service communication traffic and the process information of the releasing process; and extracting an attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information. By extracting the attack chain from the virtual machine system behaviour and the process port information of the high-interaction honeypot system, the method makes the honeypot attack process clearer and improves the accuracy of attack detection.
Description
Technical field
The present invention relates to the field of computer security, and in particular to an attack chain detection method and device based on a high-interaction honeypot system.
Background technique
In the related art, honeypot technology, a technique for deceiving attackers, has been widely applied. By deploying bait hosts or network services, a honeypot can capture and perceive attacks, analyse the attack behaviour, attack tools, attack targets and attack intent of the attacker, and allow defenders to improve host defence mechanisms in a targeted way.
However, although a high-interaction honeypot, as a real running system that can trap attacks in depth, responds genuinely to different attack modes and produces the corresponding attack records, the complexity of the environment and the diversity of attack modes and means make it difficult for the honeypot to sort a clear attack process out of the attack data, and it is equally difficult for security personnel to extract a complete attack process from the many threat events in the honeypot data. This problem urgently needs to be solved.
Summary of the invention
The present invention aims to solve at least some of the technical problems in the related art.
For this purpose, one object of the present invention is to propose an attack chain detection method based on a high-interaction honeypot system, which can make the honeypot attack process clearer and improve the accuracy of attack detection.
Another object of the present invention is to propose an attack chain detection device based on a high-interaction honeypot system.
To achieve the above objects, an embodiment of one aspect of the present invention proposes an attack chain detection method based on a high-interaction honeypot system, comprising the following steps: obtaining the virtual machine system behaviour and the service communication traffic of the high-interaction honeypot system; obtaining the PE (Portable Executable) files released by system processes and the networking information of those PE files; tracing back, from the PE file and its networking information, the process information of the process that released the PE file and the communication address corresponding to the PE file; obtaining the corresponding service information and intranet communication address information from the service communication traffic and the process information of the releasing process; and extracting an attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information.
The attack chain detection method based on a high-interaction honeypot system of the embodiment of the present invention can obtain the corresponding service information and intranet communication address information from the service communication traffic and the process information of the releasing process, and then extract the attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information, so that the honeypot attack process becomes clearer and the accuracy of attack detection is improved.
Further, in one embodiment of the present invention, extracting the attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information further comprises: judging, from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information, whether the PE file is of a malicious type; if the PE file is of a malicious type, generating an attack chain, otherwise generating a risk warning.
Further, in one embodiment of the present invention, judging from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information whether the PE file is of a malicious type further comprises: performing behaviour detection and static file identification on the PE file and its corresponding process, using the recorded system behaviour and static file scanning, to judge whether the PE file is malicious.
Further, in one embodiment of the present invention, generating an attack chain if the PE file is of a malicious type and otherwise generating a risk warning further comprises: if the PE file is malicious, generating the attack chain and displaying first chain-type information; if the PE file is unknown, generating the risk warning and displaying second chain-type information, wherein the chain-type information includes one or more of intrusion information, installation information, control information and intent information.
Further, in one embodiment of the present invention, obtaining the virtual machine system behaviour and the service communication traffic of the high-interaction honeypot system further comprises: monitoring the file, process, network and registry behaviour inside the honeypot virtual machine to obtain the virtual machine system behaviour; and capturing the network interface traffic packets of the host to obtain the service communication traffic.
To achieve the above objects, an embodiment of another aspect of the present invention proposes an attack chain detection device based on a high-interaction honeypot system, comprising: a first acquisition module, for obtaining the virtual machine system behaviour and the service communication traffic of the high-interaction honeypot system; a second acquisition module, for obtaining the PE files released by system processes and the networking information of those PE files; an analysis module, for tracing back, from the PE file and its networking information, the process information of the process that released the PE file and the communication address corresponding to the PE file; a third acquisition module, for obtaining the corresponding service information and intranet communication address information from the service communication traffic and the process information of the releasing process; and an extraction module, for extracting an attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information.
The attack chain detection device based on a high-interaction honeypot system of the embodiment of the present invention can obtain the corresponding service information and intranet communication address information from the service communication traffic and the process information of the releasing process, and its extraction module extracts the attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information, so that the honeypot attack process becomes clearer and the accuracy of attack detection is improved.
Further, in one embodiment of the present invention, the extraction module further comprises: a judging unit, for judging, from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information, whether the PE file is of a malicious type; and a generation unit, for generating an attack chain if the PE file is of a malicious type and otherwise generating a risk warning.
Further, in one embodiment of the present invention, the judging unit further comprises: performing behaviour detection and static file identification on the PE file and its corresponding process, using the recorded system behaviour and static file scanning, to judge whether the PE file is malicious.
Further, in one embodiment of the present invention, the generation unit further comprises: if the PE file is malicious, generating the attack chain and displaying first chain-type information; if the PE file is unknown, generating the risk warning and displaying second chain-type information, wherein the chain-type information includes one or more of intrusion information, installation information, control information and intent information.
Further, in one embodiment of the present invention, the first acquisition module further comprises: a first acquisition unit, for monitoring the file, process, network and registry behaviour inside the honeypot virtual machine to obtain the virtual machine system behaviour; and a second acquisition unit, for capturing the network interface traffic packets of the host to obtain the service communication traffic.
Additional aspects and advantages of the present invention will be set forth in part in the following description, and in part will become obvious from the description or be learned by practice of the invention.
Detailed description of the invention
The above and/or additional aspects and advantages of the present invention will become obvious and readily understood from the following description of the embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a flowchart of the attack chain detection method based on a high-interaction honeypot system according to an embodiment of the present invention;
Fig. 2 is a flowchart of the attack chain detection method based on a high-interaction honeypot system according to one specific embodiment of the present invention; and
Fig. 3 is a structural schematic diagram of the attack chain detection device based on a high-interaction honeypot system according to an embodiment of the present invention.
Specific embodiment
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they are intended to explain the present invention and are not to be construed as limiting it.
Before introducing the attack chain detection method and device based on a high-interaction honeypot system of the embodiment of the present invention, the detection method in the related art is briefly introduced first.
Honeypots in the related art all record attacks as single, isolated attack records. For example, after breaking into a remote host through port brute-forcing or a service vulnerability, a hacker writes a VBS downloader script, downloads and runs a Trojan program, and remotely controls the machine to take part in a DDoS attack; this is a typical bot-recruiting ("zombie capture") process. A normal record of it looks like: 1. port scan; 2. connection to some service; 3. port brute-forcing; 4. remote injection; 5. download and run; 6. establish communication with a remote address.
By associating these behaviours, each stage of the attack can be classified once an attack chain has been generated. Because intrusion situations are complex and varied, an attack chain is generated only after at least two of its stages have been satisfied:
(1) intrusion (port scan, service port brute-forcing) -> installation (some process releases a file, some program is executed) ->
(2) control (the Trojan program accesses a remote address) -> intent (Trojan family, Trojan type).
It is precisely on the basis of the above problems that the present invention proposes an attack chain detection method and device based on a high-interaction honeypot system.
The attack chain detection method and device based on a high-interaction honeypot system proposed according to embodiments of the present invention are described below with reference to the accompanying drawings; the attack chain detection method based on a high-interaction honeypot system is described first.
Fig. 1 is a flowchart of the attack chain detection method based on a high-interaction honeypot system of the embodiment of the present invention.
As shown in Fig. 1, the attack chain detection method based on a high-interaction honeypot system includes the following steps:
In step S101, the virtual machine system behaviour and the service communication traffic of the high-interaction honeypot system are obtained.
In one embodiment of the present invention, obtaining the virtual machine system behaviour and the service communication traffic of the high-interaction honeypot system further comprises: monitoring the file, process, network and registry behaviour inside the honeypot virtual machine to obtain the virtual machine system behaviour; and capturing the network interface traffic packets of the host to obtain the service communication traffic.
It can be understood that the embodiment of the present invention obtains the virtual machine system behaviour of the high-interaction honeypot system by monitoring the system behaviour inside the honeypot virtual machine, for example its file, process, network and registry behaviour, and obtains the service communication traffic by capturing the host's network interface traffic packets.
In step S102, the PE files released by system processes and the networking information of those PE files are obtained.
It can be understood that the embodiment of the present invention obtains the executable PE files released by system processes together with information such as whether the PE file makes an external network connection; if it does, the connected address is labelled IP1.
In step S103, the process information of the process that released the PE file and the communication address corresponding to the PE file are traced back from the PE file and its networking information.
In step S104, the corresponding service information and intranet communication address information are obtained from the service communication traffic and the process information of the releasing process.
It can be understood that the embodiment of the present invention obtains the corresponding service information, process information and communication address by parsing the traffic.
In step S105, the attack chain is extracted from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information.
Further, in one embodiment of the present invention, extracting the attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information further comprises: judging, from the virtual machine system behaviour and the process port information, whether the PE file is of a malicious type; if the PE file is of a malicious type, generating an attack chain, otherwise generating a risk warning.
In one embodiment of the present invention, judging from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information whether the PE file is of a malicious type further comprises: performing behaviour detection and static file identification on the PE file and its corresponding process, using the recorded system behaviour and static file scanning, to judge whether the PE file is malicious.
In one embodiment of the present invention, generating an attack chain if the PE file is of a malicious type and otherwise generating a risk warning further comprises: if the PE file is malicious, generating the attack chain and displaying first chain-type information; if the PE file is unknown, generating the risk warning and displaying second chain-type information, wherein the chain-type information includes one or more of intrusion information, installation information, control information and intent information.
It can be understood that the embodiment of the present invention extracts the attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information. That is, using the recorded system behaviour and static file scanning, it performs behaviour detection and static file identification on the PE file and its corresponding process, judges whether the PE file released by the system process is a malicious file, and identifies its malicious type:
If the PE file is of a malicious type, an attack chain is generated: intrusion: honeypot port service connection -> installation: release of the PE file -> control: IP1 -> intent: malicious type and type characteristics of the PE file;
If the PE file is unknown, a risk warning is generated: honeypot port service connection -> the port service's running process releases the PE -> the PE accesses external IP1.
As shown in Fig. 2, in one specific embodiment of the present invention, the steps of the attack chain detection method based on a high-interaction honeypot system are as follows:
In step S1, monitor the file, process, network and registry behaviour inside the honeypot virtual machine, and capture the service communication traffic on the honeypot virtual machine's open ports.
In step S2, capture the PE file released by a system process, obtain the external network IP that the PE process connects to, and label it IP1.
In step S3, trace back the process procX that released the PE, trace back the process procY that operated procX, and associate procY with its corresponding port service Z.
In step S4, from the service communication traffic captured in step S1, analyse the communication traffic corresponding to port service Z to obtain the remote IP address (on the local area network), and label it IP2.
In step S5, using the system behaviour recorded in step S2 and static file scanning, perform behaviour detection and static file identification on the PE file and its corresponding process, judge whether the PE file released by the system process is a malicious file, and identify its malicious type.
In step S6, judge whether the PE file is of a malicious type; if it is, execute step S7, otherwise execute step S8.
In step S7, if the PE is malicious, generate an attack chain: intrusion: port service connection (compromised host IP2) -> installation: release of the PE file -> control: IP1 -> intent: malicious type and type characteristics of the PE file.
In step S8, if the PE is unknown, generate a risk warning: LAN IP2 remotely accesses the honeypot port service -> the port service's running process releases the PE -> the PE accesses external IP1.
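The following Python sketch is an added example, not code from the patent, showing how the correlation of steps S1 to S8 and the "at least two stages" rule of the background section can be implemented over constructed monitor output. The process names, pids, file paths, ports, the honeypot LAN prefix 192.168.10.0/24, the addresses and the verdict table are all constructed sample data; real monitors, a real static scanner and a real packet capture would feed the same structures.

```python
import ipaddress
from dataclasses import dataclass

# Constructed honeypot LAN prefix: addresses inside it are intranet addresses
# (IP2 candidates), addresses outside it count as the external network (IP1).
HONEYPOT_LAN = ipaddress.ip_network("192.168.10.0/24")

@dataclass
class Process:
    pid: int
    name: str
    ppid: int
    image: str = ""   # on-disk path the process was started from, if known

# --- constructed sample telemetry (S1/S2 monitors), not real captures --------
PROCESSES = {p.pid: p for p in [
    Process(1, "services.exe", 0),
    Process(20, "svc_ssh.exe", 1),      # procY: the process serving open port Z
    Process(31, "cmd.exe", 20),         # shell spawned by the service
    Process(42, "dropper.exe", 31),     # procX: writes the PE to disk
    Process(57, "update.exe", 42, r"C:\Users\Public\update.exe"),  # the PE, running
]}
FILE_WRITES = [      # (writer pid, path, looks like a PE) from the file monitor
    (42, r"C:\Users\Public\update.exe", True),
    (42, r"C:\Users\Public\notes.txt", False),
]
VM_CONNECTIONS = [   # (pid, remote ip, remote port) from the VM network monitor
    (57, "203.0.113.7", 4444),
]
PORT_SERVICES = {20: 22}   # listening pid -> open honeypot port Z
HOST_TRAFFIC = [           # (src ip, dst port) from the host-side packet capture
    ("192.168.10.5", 22), ("192.168.10.5", 22), ("192.168.10.9", 445),
]
PE_VERDICTS = {            # static scan + behaviour verdict; absent => unknown
    r"C:\Users\Public\update.exe": ("malicious", "Trojan.Downloader"),
}

def released_pes():
    """S2: PE files written by a process, paired with the writer's pid."""
    return [(path, pid) for pid, path, is_pe in FILE_WRITES if is_pe]

def outbound_ip(path):
    """S2: IP1 = first external address the running PE connects to, else None."""
    pe_pids = {p.pid for p in PROCESSES.values() if p.image == path}
    for pid, ip, _port in VM_CONNECTIONS:
        if pid in pe_pids and ipaddress.ip_address(ip) not in HONEYPOT_LAN:
            return ip
    return None

def trace_to_service(pid):
    """S3: walk procX -> parent -> ... until a process bound to an open port."""
    while pid in PROCESSES:
        if pid in PORT_SERVICES:
            return pid, PORT_SERVICES[pid]
        pid = PROCESSES[pid].ppid
    return None, None

def lan_sources(port):
    """S4: IP2 candidates = LAN addresses seen talking to port Z."""
    return sorted({src for src, dst in HOST_TRAFFIC
                   if dst == port and ipaddress.ip_address(src) in HONEYPOT_LAN})

def classify(path):
    """S5: verdict from static scan plus recorded behaviour; unknown if unseen."""
    return PE_VERDICTS.get(path, ("unknown", None))

def build_chain(path, releaser):
    """S6-S8: collect the stages and decide between attack chain and warning."""
    ip1 = outbound_ip(path)
    proc_y, port_z = trace_to_service(releaser)
    ip2 = lan_sources(port_z) if port_z else []
    verdict, family = classify(path)
    stages = {}
    if port_z and ip2:
        stages["intrusion"] = f"{','.join(ip2)} -> port {port_z} ({PROCESSES[proc_y].name})"
    stages["installation"] = f"{PROCESSES[releaser].name} released {path}"
    if ip1:
        stages["control"] = f"{path} -> {ip1}"
    if verdict == "malicious":
        stages["intent"] = f"malicious: {family}"
    # S7: an attack chain requires a malicious verdict and at least two linked
    # stages (the background section's rule); S8: otherwise a risk warning that
    # still shows the stages observed so far.
    kind = "attack_chain" if verdict == "malicious" and len(stages) >= 2 else "risk_warning"
    return {"kind": kind, "pe": path, "stages": stages}

def extract_chains():
    """Run S2-S8 over every released PE found by the monitors."""
    return [build_chain(path, pid) for path, pid in released_pes()]

if __name__ == "__main__":
    for result in extract_chains():
        print(result["kind"], result["pe"])
        for stage, detail in result["stages"].items():
            print(f"  {stage}: {detail}")
```

The same dropper with no verdict in PE_VERDICTS falls through to a risk warning that still carries the intrusion and installation stages, which is the S8 behaviour.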
The attack chain detection method based on a high-interaction honeypot system proposed according to the embodiment of the present invention can extract the attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information, and then summarize the attacks detected by the honeypot into intrusion, installation, control and intent, so that the honeypot attack process becomes clearer, a chain-type display is available, and the accuracy of attack detection is effectively improved.
The attack chain detection device based on a high-interaction honeypot system proposed according to the embodiment of the present invention is described next with reference to the accompanying drawings.
Fig. 3 is a structural schematic diagram of the attack chain detection device based on a high-interaction honeypot system of the embodiment of the present invention.
As shown in Fig. 3, the attack chain detection device 10 based on a high-interaction honeypot system comprises: a first acquisition module 100, a second acquisition module 200, an analysis module 300, a third acquisition module 400 and an extraction module 500.
The first acquisition module 100 is used to obtain the virtual machine system behaviour and the service communication traffic of the high-interaction honeypot system. The second acquisition module 200 is used to obtain the PE files released by system processes and the networking information of those PE files. The analysis module 300 is used to trace back, from the PE file and its networking information, the process information of the process that released the PE file and the communication address corresponding to the PE file. The third acquisition module 400 is used to obtain the corresponding service information and intranet communication address information from the service communication traffic and the process information of the releasing process. The extraction module 500 is used to extract the attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information. The device 10 of the embodiment of the present invention can thus extract the attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information, making the honeypot attack process clearer and improving the accuracy of attack detection.
Further, in one embodiment of the present invention, the extraction module 500 further comprises a judging unit and a generation unit. The judging unit is used to judge, from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information, whether the PE file is of a malicious type. The generation unit is used to generate an attack chain if the PE file is of a malicious type, and otherwise to generate a risk warning.
Further, in one embodiment of the present invention, the judging unit further comprises: performing behaviour detection and static file identification on the PE file and its corresponding process, using the recorded system behaviour and static file scanning, to judge whether the PE file is malicious.
Further, in one embodiment of the present invention, the generation unit further comprises: if the PE file is malicious, generating the attack chain and displaying first chain-type information; if the PE file is unknown, generating the risk warning and displaying second chain-type information, wherein the chain-type information includes one or more of intrusion information, installation information, control information and intent information.
Further, in one embodiment of the present invention, the first acquisition module 100 further comprises a first acquisition unit and a second acquisition unit. The first acquisition unit is used to monitor the file, process, network and registry behaviour inside the honeypot virtual machine to obtain the virtual machine system behaviour. The second acquisition unit is used to capture the network interface traffic packets of the host to obtain the service communication traffic.
It should be noted that the foregoing explanation of the embodiment of the attack chain detection method based on a high-interaction honeypot system also applies to the attack chain detection device based on a high-interaction honeypot system of this embodiment, and is not repeated here.
The attack chain detection device based on a high-interaction honeypot system proposed according to the embodiment of the present invention can obtain process port information from the service communication traffic, the releasing process information and the corresponding service information, extract the attack chain from the virtual machine system behaviour and the process port information, and then summarize the attacks detected by the honeypot into intrusion, installation, control and intent, so that the honeypot attack process becomes clearer, a chain-type display is available, and the accuracy of attack detection is effectively improved.
In the description of the present invention, it should be understood that terms such as "center", "longitudinal", "transverse", "length", "width", "thickness", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", "clockwise", "counterclockwise", "axial", "radial" and "circumferential" indicate orientations or positional relationships based on those shown in the drawings. They are used only for convenience and simplicity of description, do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation, and are therefore not to be construed as limiting the invention.
In addition, the terms "first" and "second" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "plurality" means at least two, for example two or three, unless otherwise specifically defined.
In the present invention, unless otherwise expressly specified and limited, the terms "mounted", "connected", "coupled", "fixed" and the like are to be understood broadly. For example, a connection may be a fixed connection, a detachable connection or an integral connection; it may be a mechanical connection or an electrical connection; it may be a direct connection, an indirect connection through an intermediary, an internal communication between two elements, or an interaction relationship between two elements, unless otherwise expressly limited. For those of ordinary skill in the art, the specific meanings of the above terms in the present invention can be understood according to the specific circumstances.
In the present invention, unless otherwise expressly specified and limited, a first feature being "on" or "under" a second feature may mean that the first and second features are in direct contact, or that they are in contact through an intermediary. Moreover, a first feature being "on", "above" or "over" a second feature may mean that the first feature is directly above or obliquely above the second feature, or merely that the first feature is at a greater horizontal height than the second feature. A first feature being "under", "below" or "beneath" a second feature may mean that the first feature is directly below or obliquely below the second feature, or merely that the first feature is at a lower horizontal height than the second feature.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a particular feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, the schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, provided they do not conflict with each other, those skilled in the art may combine and integrate the different embodiments or examples, and the features of different embodiments or examples, described in this specification.
Although embodiments of the present invention have been shown and described above, it is to be understood that the above embodiments are exemplary and are not to be construed as limiting the invention; those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the invention.
Claims (10)
1. An attack chain detection method based on a high-interaction honeypot system, characterized by comprising the following steps:
obtaining virtual machine system behaviour and service communication traffic of the high-interaction honeypot system;
obtaining a PE file released by a system process and networking information of the PE file;
tracing back, from the PE file and the networking information of the PE file, process information of the process that released the PE file and a communication address corresponding to the PE file;
obtaining corresponding service information and intranet communication address information from the service communication traffic and the process information of the process that released the PE file; and
extracting an attack chain from the virtual machine system behaviour, the service information, the PE communication information and the intranet communication address information.
2. The attack chain detection method based on a high-interaction honeypot system according to claim 1, wherein extracting the attack chain from the virtual machine system behavior, the service information, the PE communication information and the intranet communication address information further comprises:
judging, from the virtual machine system behavior, the service information, the PE communication information and the intranet communication address information, whether the PE file is of a malicious type;
if the PE file is of a malicious type, generating an attack chain; otherwise, generating a risk prompt.
3. The attack chain detection method based on a high-interaction honeypot system according to claim 2, wherein judging, from the virtual machine system behavior, the service information, the PE communication information and the intranet communication address information, whether the PE file is of a malicious type further comprises:
performing behavior detection on the PE file and its corresponding process using the recorded system behavior, and static file identification using static file scanning, so as to judge whether the PE file is malicious.
4. The attack chain detection method based on a high-interaction honeypot system according to claim 2 or 3, wherein generating an attack chain if the PE file is of a malicious type, and otherwise generating a risk prompt, further comprises:
if the PE file is malicious, generating the attack chain and displaying first chain-type information;
if the PE file is unknown, generating the risk prompt and displaying second chain-type information, wherein the chain-type information includes one or more of intrusion information, installation information, control information and intent information.
5. The attack chain detection method based on a high-interaction honeypot system according to any one of claims 1 to 4, wherein obtaining the virtual machine system behavior and the service communication traffic of the high-interaction honeypot system further comprises:
monitoring the file, process, network and registry behavior inside the honeypot virtual machine to obtain the virtual machine system behavior;
capturing the network interface traffic packets of the host to obtain the service communication traffic.
6. An attack chain detection device based on a high-interaction honeypot system, comprising:
a first obtaining module for obtaining the virtual machine system behavior and the service communication traffic of the high-interaction honeypot system;
a second obtaining module for obtaining the PE files released by system processes and the networking information of those PE files;
an analysis module for backtracking, from the networking information of a PE file and the PE file itself, the process information of the process that released the PE file and the communication address corresponding to the PE file;
a third obtaining module for obtaining the corresponding service information and intranet communication address information from the service communication traffic and the process information of the process that released the PE file; and
an extraction module for extracting an attack chain from the virtual machine system behavior, the service information, the PE communication information and the intranet communication address information.
7. The attack chain detection device based on a high-interaction honeypot system according to claim 6, wherein the extraction module further comprises:
a judging unit for judging, from the virtual machine system behavior, the service information, the PE communication information and the intranet communication address information, whether the PE file is of a malicious type;
a generating unit for generating an attack chain if the PE file is of a malicious type, and otherwise generating a risk prompt.
8. The attack chain detection device based on a high-interaction honeypot system according to claim 7, wherein the judging unit is further configured to:
perform behavior detection on the PE file and its corresponding process using the recorded system behavior, and static file identification using static file scanning, so as to judge whether the PE file is malicious.
9. The attack chain detection device based on a high-interaction honeypot system according to claim 7 or 8, wherein the generating unit is further configured to:
if the PE file is malicious, generate the attack chain and display first chain-type information;
if the PE file is unknown, generate the risk prompt and display second chain-type information, wherein the chain-type information includes one or more of intrusion information, installation information, control information and intent information.
10. The attack chain detection device based on a high-interaction honeypot system according to any one of claims 6 to 9, wherein the first obtaining module further comprises:
a first acquisition unit for monitoring the file, process, network and registry behavior inside the honeypot virtual machine to obtain the virtual machine system behavior;
a second acquisition unit for capturing the network interface traffic packets of the host to obtain the service communication traffic.
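To make the claimed pipeline concrete, the following added example (not the patent's implementation, nor code from any assignee) walks the steps of claims 1 to 5 over constructed honeypot telemetry: it takes in-VM file, process, network and registry events plus host-side flow records, finds a PE file released by a system process, backtracks to the releasing process and the addresses the PE's own process contacted, matches the releasing process's inbound connection against the host flows to name the abused service and collect intranet addresses, classifies the PE with a static hash lookup and two behavioural rules, and emits either an attack chain carrying the four chain-type stages or a risk prompt. The event schema, the sample addresses and hash, the service table, the RFC 1918 intranet definition and the classification rules are all assumptions made for this example.

```python
"""Added example: attack-chain reconstruction from high-interaction honeypot
telemetry. Schema, sample data, service table and rules are all constructed
for illustration; this is not the patent's or any assignee's implementation."""
import ipaddress
import json

# Constructed in-VM system behaviour log (file, process, network, registry events).
VM_EVENTS = [
    {"ts": 10, "kind": "process", "pid": 1200, "image": "smbsvc.exe", "ppid": 4},
    {"ts": 11, "kind": "network", "pid": 1200, "dir": "in", "peer": "10.20.30.40", "lport": 445},
    {"ts": 12, "kind": "file", "pid": 1200, "op": "write", "is_pe": True,
     "path": r"C:\Users\Public\up.exe", "sha256": "ab" * 32},          # constructed hash
    {"ts": 13, "kind": "process", "pid": 1300, "image": "up.exe", "ppid": 1200},
    {"ts": 14, "kind": "registry", "pid": 1300, "op": "set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\up"},
    {"ts": 15, "kind": "network", "pid": 1300, "dir": "out", "peer": "203.0.113.9", "rport": 8080},
    {"ts": 16, "kind": "network", "pid": 1300, "dir": "out", "peer": "10.20.30.7", "rport": 445},
]
# Constructed host-side NIC capture reduced to flow records; 10.20.30.100 is the honeypot VM.
HOST_FLOWS = [
    {"ts": 11, "src": "10.20.30.40", "dst": "10.20.30.100", "dport": 445},
    {"ts": 15, "src": "10.20.30.100", "dst": "203.0.113.9", "dport": 8080},
    {"ts": 16, "src": "10.20.30.100", "dst": "10.20.30.7", "dport": 445},
]
SERVICE_BY_PORT = {445: "smb", 8080: "http-alt"}   # assumed exposed-service table
KNOWN_BAD_HASHES = set()                           # static-scan hit list (constructed, empty)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_intranet(addr):
    """Intranet means RFC 1918 here (an assumption); anything else counts as external."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def released_pe_files(events):
    """PE files written by a system process: the 'release' step of claim 1."""
    return [e for e in events if e["kind"] == "file" and e.get("is_pe")]


def backtrack_pe(events, pe):
    """Recover the releasing process, the PIDs running the dropped PE and the
    network events of those PIDs (the PE communication information)."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    releaser = procs[pe["pid"]]
    name = pe["path"].rsplit("\\", 1)[-1].lower()
    pe_pids = {pid for pid, p in procs.items() if p["image"].lower() == name}
    pe_net = [e for e in events if e["kind"] == "network" and e["pid"] in pe_pids]
    return releaser, pe_pids, pe_net


def service_and_intranet_info(events, flows, releaser_pid):
    """Match the releasing process's inbound connection to a host flow to name
    the abused service and the source address; collect intranet addresses."""
    info = {"service": None, "attacker": None, "intranet": set()}
    for e in events:
        if e["kind"] == "network" and e["pid"] == releaser_pid and e["dir"] == "in":
            for f in flows:
                if f["dport"] == e["lport"] and f["src"] == e["peer"]:
                    info["service"] = SERVICE_BY_PORT.get(f["dport"], "unknown")
                    info["attacker"] = f["src"]
    for f in flows:
        info["intranet"].update(a for a in (f["src"], f["dst"]) if is_intranet(a))
    info["intranet"] = sorted(info["intranet"])
    return info


def classify_pe(events, pe, pe_pids, pe_net):
    """Static scan (hash lookup) plus behavioural rules on the recorded system
    behaviour; returns 'malicious' or 'unknown'. Rules are assumptions."""
    if pe["sha256"] in KNOWN_BAD_HASHES:
        return "malicious"
    persistence = any(e["kind"] == "registry" and e["pid"] in pe_pids
                      and "\\run\\" in e["key"].lower() for e in events)
    external_c2 = any(e["dir"] == "out" and not is_intranet(e["peer"]) for e in pe_net)
    return "malicious" if persistence and external_c2 else "unknown"


def extract_attack_chain(events, flows):
    """One result per released PE: verdict, four chain-type stages, and a risk
    prompt instead of a confirmed attack chain when the PE stays unknown."""
    results = []
    for pe in released_pe_files(events):
        releaser, pe_pids, pe_net = backtrack_pe(events, pe)
        svc = service_and_intranet_info(events, flows, releaser["pid"])
        verdict = classify_pe(events, pe, pe_pids, pe_net)
        chain = {
            "intrusion": {"service": svc["service"], "from": svc["attacker"],
                          "via_pid": releaser["pid"], "image": releaser["image"]},
            "installation": {"dropped": pe["path"], "sha256": pe["sha256"],
                             "persistence": [e["key"] for e in events
                                             if e["kind"] == "registry" and e["pid"] in pe_pids]},
            "control": sorted({e["peer"] for e in pe_net
                               if e["dir"] == "out" and not is_intranet(e["peer"])}),
            "intent": sorted({e["peer"] for e in pe_net
                              if e["dir"] == "out" and is_intranet(e["peer"])}),
        }
        prompt = None if verdict == "malicious" else (
            f"unclassified PE {pe['path']} dropped by {releaser['image']}; review chain")
        results.append({"pe": pe["path"], "verdict": verdict, "chain": chain,
                        "intranet_hosts": svc["intranet"], "risk_prompt": prompt})
    return results


if __name__ == "__main__":
    print(json.dumps(extract_attack_chain(VM_EVENTS, HOST_FLOWS), indent=2))
```

On the constructed data the dropped `up.exe` sets a Run key and connects to a non-RFC 1918 address, so the rules yield a malicious verdict with SMB as the intrusion service, the Run key as installation, the external peer as control and the intranet SMB connection as intent; dropping the registry event from the input leaves the PE unknown and produces a risk prompt with the same partial chain, which is the claim 4 distinction between the two outcomes.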
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711480108.5A CN109995705B (en) | 2017-12-29 | 2017-12-29 | Attack chain detection method and device based on high-interaction honeypot system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711480108.5A CN109995705B (en) | 2017-12-29 | 2017-12-29 | Attack chain detection method and device based on high-interaction honeypot system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109995705A true CN109995705A (en) | 2019-07-09 |
CN109995705B CN109995705B (en) | 2022-03-25 |
Family
ID=67108982
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711480108.5A Active CN109995705B (en) | 2017-12-29 | 2017-12-29 | Attack chain detection method and device based on high-interaction honeypot system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109995705B (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110363002A (en) * | 2019-07-16 | 2019-10-22 | 杭州安恒信息技术股份有限公司 | A kind of intrusion detection method, device, equipment and readable storage medium storing program for executing |
CN110750788A (en) * | 2019-10-16 | 2020-02-04 | 杭州安恒信息技术股份有限公司 | Virus file detection method based on high-interaction honeypot technology |
CN111147513A (en) * | 2019-12-31 | 2020-05-12 | 广州锦行网络科技有限公司 | Transverse moving attack path determination method in honey net based on attack behavior analysis |
CN111431881A (en) * | 2020-03-18 | 2020-07-17 | 广州锦行网络科技有限公司 | Method and device for trapping nodes based on windows operating system |
CN111490996A (en) * | 2020-06-24 | 2020-08-04 | 腾讯科技(深圳)有限公司 | Network attack processing method and device, computer equipment and storage medium |
CN112367315A (en) * | 2020-11-03 | 2021-02-12 | 浙江大学 | Endogenous safe WAF honeypot deployment method |
CN112491817A (en) * | 2020-11-12 | 2021-03-12 | 中国联合网络通信集团有限公司 | Honeypot technology-based tracing method and device and honeypot equipment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102254111A (en) * | 2010-05-17 | 2011-11-23 | 北京知道创宇信息技术有限公司 | Malicious site detection method and device |
CN102739647A (en) * | 2012-05-23 | 2012-10-17 | 国家计算机网络与信息安全管理中心 | High-interaction honeypot based network security system and implementation method thereof |
US20160156656A1 (en) * | 2012-11-17 | 2016-06-02 | Nathaniel Gordon Boggs | Methods, Systems and Media for Evaluating Layered Computer Security Products |
CN105787370A (en) * | 2016-03-07 | 2016-07-20 | 成都驭奔科技有限公司 | Malicious software collecting and analyzing method based on honeypots |
CN106778268A (en) * | 2016-11-28 | 2017-05-31 | 广东省信息安全测评中心 | Malicious code detecting method and system |
Events timeline: 2017-12-29, CN, application CN201711480108.5A, patent CN109995705B, status Active.
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110363002A (en) * | 2019-07-16 | 2019-10-22 | 杭州安恒信息技术股份有限公司 | A kind of intrusion detection method, device, equipment and readable storage medium storing program for executing |
CN110750788A (en) * | 2019-10-16 | 2020-02-04 | 杭州安恒信息技术股份有限公司 | Virus file detection method based on high-interaction honeypot technology |
CN111147513A (en) * | 2019-12-31 | 2020-05-12 | 广州锦行网络科技有限公司 | Transverse moving attack path determination method in honey net based on attack behavior analysis |
CN111431881A (en) * | 2020-03-18 | 2020-07-17 | 广州锦行网络科技有限公司 | Method and device for trapping nodes based on windows operating system |
CN111431881B (en) * | 2020-03-18 | 2020-11-20 | 广州锦行网络科技有限公司 | Method and device for trapping nodes based on windows operating system |
CN111490996A (en) * | 2020-06-24 | 2020-08-04 | 腾讯科技(深圳)有限公司 | Network attack processing method and device, computer equipment and storage medium |
CN111490996B (en) * | 2020-06-24 | 2020-10-23 | 腾讯科技(深圳)有限公司 | Network attack processing method and device, computer equipment and storage medium |
CN112367315A (en) * | 2020-11-03 | 2021-02-12 | 浙江大学 | Endogenous safe WAF honeypot deployment method |
CN112367315B (en) * | 2020-11-03 | 2021-09-28 | 浙江大学 | Endogenous safe WAF honeypot deployment method |
CN112491817A (en) * | 2020-11-12 | 2021-03-12 | 中国联合网络通信集团有限公司 | Honeypot technology-based tracing method and device and honeypot equipment |
CN112491817B (en) * | 2020-11-12 | 2023-04-18 | 中国联合网络通信集团有限公司 | Honeypot technology-based tracing method and device and honeypot equipment |
Also Published As
Publication number | Publication date |
---|---|
CN109995705B (en) | 2022-03-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109995705A (en) | Attack chain detection method and device based on high interaction honey pot system | |
US10467411B1 (en) | System and method for generating a malware identifier | |
KR100800370B1 (en) | Network attack signature generation | |
CN104023034B (en) | Security defensive system and defensive method based on software-defined network | |
US10417420B2 (en) | Malware detection and classification based on memory semantic analysis | |
US11562068B2 (en) | Performing threat detection by synergistically combining results of static file analysis and behavior analysis | |
CN102594825B (en) | The detection method of a kind of intranet Trojans and device | |
CN105871883B (en) | Advanced duration threat detection method based on attack analysis | |
US8181248B2 (en) | System and method of detecting anomaly malicious code by using process behavior prediction technique | |
EP1995929B1 (en) | Distributed system for the detection of eThreats | |
CN101350745B (en) | Intrude detection method and device | |
CN111988339B (en) | Network attack path discovery, extraction and association method based on DIKW model | |
CN106022113A (en) | Detecting a malicious file infection via sandboxing | |
CN105493060A (en) | Honeyport active network security | |
CN105915532A (en) | Method and device for recognizing fallen host | |
CN107465702B (en) | Early warning method and device based on wireless network intrusion | |
CN105939311A (en) | Method and device for determining network attack behavior | |
CN109951419A (en) | A kind of APT intrusion detection method based on attack chain attack rule digging | |
CN107566401B (en) | Protection method and device for virtualized environment | |
CN107423623A (en) | Method for detecting virus and system are extorted in a kind of Behavior-based control analysis | |
CN110381009A (en) | A kind of detection method of the rebound shell of Behavior-based control detection | |
CN102970309B (en) | The detection method of zombie host, detection device and fire wall | |
Cui et al. | GQ: Realizing a system to catch worms in a quarter million places | |
CN109995716A (en) | Behavior exciting method and device based on high interaction honey pot system | |
US10897472B1 (en) | IT computer network threat analysis, detection and containment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |