CN110336811A - Network threat analysis method, device and electronic equipment based on a honeypot system - Google Patents

Info

Publication number: CN110336811A
Application number: CN201910581198.XA
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 王文彬, 胡弘毅, 程群
Current assignee: Shanghai Qifu Information Technology Co Ltd
Original assignee: Shanghai Qifu Information Technology Co Ltd
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

The invention discloses a network threat analysis method based on a honeypot system, characterised by comprising: establishing a honeypot system that includes multiple Web site honeypots, each Web site honeypot simulating a different type of Web site; obtaining the log data of accesses to the Web site honeypots; and analysing the log data to obtain data on attacks against the different Web sites. The invention meets the honeypot needs of the internet finance field: through the Web site honeypots it analyses network attacks aimed at internet finance, analyses the network attack samples, and obtains a list of attacker IPs, a list of device features, the vulnerabilities exploited by the attacks, and so on.

Description

Network threat analysis method, device and electronic equipment based on a honeypot system
Technical field
The present invention relates to the field of computer information processing, and in particular to a network threat analysis method, device, electronic equipment and computer-readable medium based on a honeypot system.
Background technique
With the development of virtualization technology, various virtual honeypots have been developed. In the prior art, high-interaction honeypots can be implemented with virtual machines and business-type honeypots with Docker; before this, deployment needed the support of expensive hardware. Virtualization greatly reduces the deployment cost of honeypots: a single host can realise a multi-functional, multi-honeypot, high-interaction honeynet architecture that integrates data control, data capture and data analysis.
By deploying multiple integrated honeypot systems on the internet, grey/black-industry attack activity can be detected, attack source IP data found and attack samples obtained; analysing the grey/black-industry attack samples reveals the latest attack forms on the internet, yields related information, and enables timely early warning.
Current mainstream honeypot platforms mainly integrate various open-source honeypot systems and manage the data obtained by the honeypots in a unified way. Honeypot systems include low-interaction and high-interaction honeypots and, by function, industrial-control honeypots, SSH honeypots, Web honeypots and so on. Although a large amount of attack information can be collected, none of them is specifically targeted at internet finance.
Summary of the invention
The technical problem to be solved by the present invention is how to use Web site honeypots to analyse the network threats and network attacks faced by internet financial platforms.
One aspect of the present invention provides a network threat analysis method based on a honeypot system, comprising:
establishing a honeypot system, the honeypot system comprising multiple Web site honeypots, each Web site honeypot simulating a different type of Web site;
obtaining the log data of accesses to the Web site honeypots;
analysing the log data to obtain data on attacks against the different Web sites.
In a preferred embodiment of the invention, establishing the honeypot system comprising multiple Web site honeypots, each Web site honeypot simulating a different type of Web site, further comprises:
establishing the honeypot system comprising multiple Web site honeypots by means of Docker.
In a preferred embodiment of the invention, the method further comprises: building the Web site honeypots from internet financial web site templates.
In a preferred embodiment of the invention, obtaining the log data of accesses to the Web site honeypots further comprises:
obtaining the log data of accesses to the Web site honeypots through a firewall; or
obtaining the log data of accesses to the Web site honeypots through an intrusion detection system (IDS); or
obtaining the log data of accesses to the Web site honeypots through the honeypot host.
In a preferred embodiment of the invention, the method further comprises: establishing a database for storing the log data.
In a preferred embodiment of the invention, analysing the log data to obtain data on attacks against the different Web sites further comprises:
analysing the behavioural data of visitors in the log data, extracting feature information relevant to network threats, and obtaining data on attacks against the different Web sites.
In a preferred embodiment of the invention, extracting feature information relevant to network threats further comprises:
extracting network attack keywords relevant to network threats.
In a preferred embodiment of the invention, analysing the log data to obtain data on attacks against the different Web sites further comprises:
obtaining network threat records from the extracted feature information relevant to network threats;
analysing the network threat records to obtain the tools, methods and paths used to carry out the network threats.
In a preferred embodiment of the invention, the method further comprises: assigning an ID to each visitor of the honeypot system.
A second aspect of the present invention provides a network threat analysis device based on machine learning, comprising:
a honeypot system establishing module for establishing a honeypot system, the honeypot system comprising multiple Web site honeypots, each Web site honeypot simulating a different type of Web site;
a log data capture module for obtaining the log data of accesses to the Web site honeypots;
a network threat analysis module for analysing the log data and obtaining data on attacks against the different Web sites.
In a preferred embodiment of the invention, the honeypot system establishing module further comprises:
a honeypot system establishing unit for establishing, by means of Docker, the honeypot system comprising multiple Web site honeypots.
In a preferred embodiment of the invention, the device further comprises: a Web site honeypot building unit that builds the Web site honeypots from internet financial web site templates.
In a preferred embodiment of the invention, the log data capture module further comprises:
a firewall unit for obtaining the log data of accesses to the Web site honeypots through a firewall; or
an IDS unit for obtaining the log data of accesses to the Web site honeypots through an intrusion detection system (IDS); or
a honeypot host unit for obtaining the log data of accesses to the Web site honeypots through the honeypot host.
In a preferred embodiment of the invention, the device further comprises: a database module for establishing a database that stores the log data.
In a preferred embodiment of the invention, the log data capture module further comprises: a feature information extraction unit for analysing the behavioural data of visitors in the log data, extracting feature information relevant to network threats, and obtaining data on attacks against the different Web sites.
In a preferred embodiment of the invention, the feature information extraction unit further comprises: a network attack keyword extraction sub-unit for extracting network attack keywords relevant to network threats.
In a preferred embodiment of the invention, the log data capture module further comprises:
a network threat record acquisition unit for obtaining network threat records from the extracted feature information relevant to network threats;
a network threat record analysis unit for analysing the network threat records to obtain the tools, methods and paths used to carry out the network threats.
In a preferred embodiment of the invention, the device further comprises: an ID assignment module for assigning an ID to each visitor of the honeypot system.
A third aspect of the present invention provides an electronic device, comprising: a processor; and
a memory storing computer-executable instructions which, when executed, cause the processor to perform any of the methods described above.
A fourth aspect of the present invention provides a computer-readable storage medium storing one or more programs which, when executed by a processor, implement any of the methods described above.
The technical solution of the present invention has the following beneficial effects:
The invention meets the honeypot needs of the internet finance field: through the Web site honeypots it analyses network attacks aimed at internet finance, analyses the network attack samples, learns the latest attack forms, and obtains a list of attacker IPs, a list of device features, the vulnerabilities exploited by the attacks, and so on.
The honeypot-based network threat analysis method of the invention addresses the difficulty of defending against network attacks, identifies network attacks, and strengthens the ability of internet financial companies to resist them.
Detailed description of the invention
To make the technical problem solved by the invention, the technical means adopted and the technical effects achieved clearer, specific embodiments of the invention are described in detail below with reference to the accompanying drawings. It should be noted that the drawings discussed below are only those of exemplary embodiments of the invention; those skilled in the art can derive the drawings of other embodiments from them without creative effort.
Fig. 1 is a flow diagram of the honeypot-based network threat analysis method of the invention;
Fig. 2 is a module architecture diagram of the honeypot-based network threat analysis device of one specific embodiment of the invention;
Fig. 3 is an architecture diagram of the honeypot system establishing module of the honeypot-based network threat analysis device of the invention;
Fig. 4 is an architecture diagram of the honeypot system of the honeypot-based network threat analysis device of the invention;
Fig. 5 is an architecture diagram of the log data capture module of the honeypot-based network threat analysis device of one specific embodiment of the invention;
Fig. 6 is an architecture diagram of the log data capture module of the honeypot-based network threat analysis device of another specific embodiment of the invention;
Fig. 7 is a module architecture diagram of the honeypot-based network threat analysis device of yet another specific embodiment of the invention;
Fig. 8 is a block diagram of the structure of the electronic device of the machine-learning-based user registration of the invention;
Fig. 9 is a schematic diagram of the computer-readable storage medium of the invention.
Specific embodiments
Exemplary embodiments of the invention are now described more fully with reference to the drawings. Exemplary embodiments can, however, be implemented in many forms and should not be read as limiting the invention to the embodiments set out here; rather, these embodiments are provided so that the invention is thorough and complete and fully conveys the inventive concept to those skilled in the art. In the drawings, the same reference numerals denote the same or similar elements, components or parts, and repeated description of them is omitted.
Provided the technical concept of the invention is satisfied, features, structures, characteristics or other details described in one specific embodiment are not excluded from being combined in any suitable manner in one or more other embodiments.
In the description of specific embodiments, the features, structures, characteristics or other details described are given so that those skilled in the art fully understand the embodiments; it is not excluded that those skilled in the art can practise the technical solution of the invention without one or more of these particular features, structures, characteristics or other details.
The flow charts shown in the drawings are merely illustrative; they need not include every content and operation/step, nor be executed in the order described. For example, some operations/steps can be decomposed, and some can be merged or partly merged, so the order actually executed may change according to the actual situation.
The block diagrams shown in the drawings are only functional entities and need not correspond to physically separate entities. That is, these functional entities can be implemented in software, in one or more hardware modules or integrated circuits, or in different network and/or processor devices and/or microcontroller devices.
It should be understood that although the attributes first, second, third and so on may be used here to describe various devices, elements, components or parts, these should not be limited by the attributes, which serve only to distinguish one from another. For example, a first device may also be called a second device without departing from the essence of the technical solution of the invention.
The term "and/or" includes any and all combinations of one or more of the associated listed items.
Honeypot technology is a deception technique that lures intruders in order to learn hackers' attack methods and to protect the real host targets.
Virtual honeypots let several honeypots be configured quickly: virtual honeypot software can imitate the IP stack, operating system and applications of a real system, and once a virtual honeypot system has been established it is easy to rebuild after it is captured. Normally the imitation is realised entirely in memory. Virtual honeypot software also allows a complete honeynet to be configured on a single physical host; one virtual honeypot system can imitate thousands of systems, each using tens of thousands of ports and a different IP address.
Docker is an open-source application container engine: developers can package their application and its dependencies into a portable container and publish it to any popular Linux machine, and it can also provide virtualisation. Containers use a sandbox mechanism throughout and have no interfaces to one another.
The present invention uses Docker to deploy multiple Web site honeypots of different types, retains the full grey/black-industry attack traffic, and periodically resets the honeypots. Through analysis it identifies whether a visitor is a crawler tool or a normal web browser access, and it uniquely identifies the visiting attacker by canvas device-fingerprint information.
Grey/black industry refers to telecom fraud, phishing sites, trojans, hacker extortion and other illegal and criminal activities carried out over the network. Slightly differently, "black industry" refers to network crime that directly breaks national law, while "grey industry" operates at the edge of the law and often provides auxiliary services to "black industry" in disputed ways.
The device fingerprint refers to device features or a unique device identifier that can uniquely identify the device.
Fig. 1 is a flow diagram of the honeypot-based network threat analysis method of the invention. As shown in Fig. 1, the method of the invention comprises:
S1: establishing a honeypot system, the honeypot system comprising multiple Web site honeypots, each Web site honeypot simulating a different type of Web site.
Here, establishing the honeypot system comprising multiple Web site honeypots, each Web site honeypot simulating a different type of Web site, further comprises:
establishing the honeypot system comprising multiple Web site honeypots by means of Docker.
Establishing the honeypot system comprising multiple Web site honeypots, each Web site honeypot simulating a different type of Web site, further comprises:
building the Web site honeypots from internet financial web site templates.
S2: obtaining the log data of accesses to the Web site honeypots.
Here, obtaining the log data of accesses to the Web site honeypots further comprises:
obtaining the log data of accesses to the Web site honeypots through a firewall; or
obtaining the log data of accesses to the Web site honeypots through an intrusion detection system (IDS); or
obtaining the log data of accesses to the Web site honeypots through the honeypot host.
After the log data of accesses to the Web site honeypots has been obtained, the method further comprises: establishing a database for storing the log data.
S3: analysing the log data to obtain data on attacks against the different Web sites.
Here, analysing the log data to obtain data on attacks against the different Web sites further comprises: analysing the behavioural data of visitors in the log data, extracting feature information relevant to network threats, and obtaining data on attacks against the different Web sites.
Further, extracting feature information relevant to network threats comprises: extracting network attack keywords relevant to network threats.
After the feature information relevant to network threats has been extracted, the method further comprises:
obtaining network threat records from the extracted feature information relevant to network threats;
analysing the network threat records to obtain the tools, methods and paths used to carry out the network threats.
The machine-learning-based network threat analysis method of the invention further comprises: assigning an ID to each visitor of the honeypot system.
As an example, the invention simulates and builds multiple internet financial platform web site templates by means of Docker to realise the honeypot system, and deploys real web site environments as required.
In addition, the method of the invention assigns a unique ID to each visitor by means of canvas fingerprinting.
According to the visitor's ID, the visitor's access traffic is stored in a pre-built Elasticsearch database. The access data include the request headers, the visitor IP, the request data and similar information, which serve as the data source for data analysis.
As an example, the log data of attackers' accesses to the internet financial web site honeypots is obtained.
Here, through the firewall, the intrusion detection system (IDS) and/or the honeypot host, the different log data of the different nodes accessing the Web site honeypots are obtained.
After the log data of accesses to the internet financial web site honeypots has been obtained, the log data generated in the database is analysed: a grey/black-industry keyword library is established, the attack logs on the web sites are extracted according to the grey/black-industry attack keywords, the network threat path is reconstructed, and the grey/black-industry attack tools and methods are analysed.
The honeypot is realised by building multiple internet financial platform web site templates. When grey/black-industry attacks access the honeypot, the system records the device features of the hacker, who may carry out black-industry penetration of the web site, including footprinting, scanning, attack attempts, vulnerability mining and other hacker behaviours; the traffic data of these behaviours is fully preserved by the log module and saved to the database.
The data analysis system analyses the keywords of grey/black-industry attacks, including attack keywords such as injection attack, vulnerability scanning and vulnerability trial, and also discovers the features of hackers' credential stuffing and account sweeping. From the data analysis the hacker IPs and attacks are obtained, and attack early warning is issued.
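The analysis step S3 and the worked procedure above (keyword library, per-visitor ID, crawler-tool versus browser, attacker IP list, threat path) as an added example; this is not code from the patent, and the keyword database, User-Agent list, login threshold, log field names and log records are all constructed assumptions:

```python
"""Analyse constructed Web-honeypot access logs the way the patent describes:
group requests by visitor ID, match them against a keyword database of
grey/black-industry attack categories, tell crawler tools from browsers by
User-Agent, and emit an attacker IP list plus a per-visitor attack path."""
import json
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Hypothetical keyword database; the categories follow those the patent names
# (injection attack, vulnerability scanning, vulnerability trial).
KEYWORD_DB = {
    "injection": [r"union\s+select", r"'\s*or\s+'?1'?\s*=\s*'?1", r"sleep\(\d+\)"],
    "vuln_scan": [r"\.\./", r"/etc/passwd", r"/phpmyadmin", r"/wp-admin"],
    "exploit_attempt": [r"<script", r"\$\{jndi:", r"\beval\("],
}
SCANNER_UA = [r"sqlmap", r"nikto", r"python-requests", r"masscan", r"nmap"]  # assumed list
LOGIN_THRESHOLD = 5  # login attempts by one visitor before flagging stuffing/sweeping

_COMPILED = {c: [re.compile(p, re.I) for p in pats] for c, pats in KEYWORD_DB.items()}
_SCANNER = re.compile("|".join(SCANNER_UA), re.I)

# Constructed log records (one JSON object per line) with the fields the patent
# stores per visitor: request headers (here only the UA), visitor IP, request data.
SAMPLE_LOGS = """
{"ts":"2019-06-30T01:00:01","visitor_id":"cv-a1","ip":"203.0.113.10","site":"p2p-loan","method":"GET","path":"/loan/detail?id=1","body":"","ua":"sqlmap/1.3.4"}
{"ts":"2019-06-30T01:00:02","visitor_id":"cv-a1","ip":"203.0.113.10","site":"p2p-loan","method":"GET","path":"/loan/detail?id=1%27%20union%20select%201,2,3--","body":"","ua":"sqlmap/1.3.4"}
{"ts":"2019-06-30T01:00:03","visitor_id":"cv-a1","ip":"203.0.113.10","site":"p2p-loan","method":"GET","path":"/static/../../../etc/passwd","body":"","ua":"sqlmap/1.3.4"}
{"ts":"2019-06-30T01:05:00","visitor_id":"cv-b2","ip":"198.51.100.7","site":"wealth-mgmt","method":"POST","path":"/login","body":"user=alice&pass=123456","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/75.0 Safari/537.36"}
{"ts":"2019-06-30T01:05:01","visitor_id":"cv-b2","ip":"198.51.100.7","site":"wealth-mgmt","method":"POST","path":"/login","body":"user=alice&pass=password","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/75.0 Safari/537.36"}
{"ts":"2019-06-30T01:05:02","visitor_id":"cv-b2","ip":"198.51.100.7","site":"wealth-mgmt","method":"POST","path":"/login","body":"user=bob&pass=123456","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/75.0 Safari/537.36"}
{"ts":"2019-06-30T01:05:03","visitor_id":"cv-b2","ip":"198.51.100.7","site":"wealth-mgmt","method":"POST","path":"/login","body":"user=bob&pass=password","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/75.0 Safari/537.36"}
{"ts":"2019-06-30T01:05:04","visitor_id":"cv-b2","ip":"198.51.100.7","site":"wealth-mgmt","method":"POST","path":"/login","body":"user=carol&pass=123456","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/75.0 Safari/537.36"}
{"ts":"2019-06-30T01:05:05","visitor_id":"cv-b2","ip":"198.51.100.7","site":"wealth-mgmt","method":"POST","path":"/login","body":"user=carol&pass=password","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/75.0 Safari/537.36"}
{"ts":"2019-06-30T01:10:00","visitor_id":"cv-c3","ip":"192.0.2.44","site":"p2p-loan","method":"GET","path":"/","body":"","ua":"Mozilla/5.0 (Macintosh) Chrome/75.0 Safari/537.36"}
{"ts":"2019-06-30T01:10:04","visitor_id":"cv-c3","ip":"192.0.2.44","site":"p2p-loan","method":"GET","path":"/products","body":"","ua":"Mozilla/5.0 (Macintosh) Chrome/75.0 Safari/537.36"}
"""


def parse_logs(text):
    """Parse newline-delimited JSON log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_request(rec):
    """Return the attack categories whose keywords occur in the decoded request."""
    target = unquote_plus(rec["path"] + " " + rec.get("body", ""))
    return {c for c, pats in _COMPILED.items() if any(p.search(target) for p in pats)}


def is_crawler_tool(user_agent):
    """Tell automated scanners/crawlers from ordinary browsers by User-Agent."""
    return _SCANNER.search(user_agent) is not None


def login_user(rec):
    """Username of a login POST (empty string if absent), or None otherwise."""
    if rec["method"] != "POST" or not rec["path"].startswith("/login"):
        return None
    m = re.search(r"(?:^|&)user=([^&]*)", rec.get("body", ""))
    return unquote_plus(m.group(1)) if m else ""


def analyze(records):
    """Per-visitor threat record (tool, categories, path) and attacker IP list."""
    visitors = defaultdict(lambda: {"ip": None, "tool": None, "categories": set(), "path": []})
    logins = defaultdict(list)  # visitor_id -> [(username, record), ...]
    for rec in sorted(records, key=lambda r: r["ts"]):
        v = visitors[rec["visitor_id"]]
        v["ip"] = rec["ip"]
        v["tool"] = "crawler tool" if is_crawler_tool(rec["ua"]) else "browser"
        cats = classify_request(rec)
        if cats:  # keyword hit: this request is a step on the threat path
            v["categories"] |= cats
            v["path"].append((rec["ts"], rec["site"], sorted(cats), rec["path"]))
        user = login_user(rec)
        if user is not None:
            logins[rec["visitor_id"]].append((user, rec))
    # Behavioural features no keyword can see: many login attempts (credential
    # stuffing) or many distinct usernames (account sweeping) from one visitor.
    for vid, attempts in logins.items():
        users = [u for u, _ in attempts]
        flags = set()
        if len(users) >= LOGIN_THRESHOLD:
            flags.add("credential_stuffing")
        if len(set(users)) >= LOGIN_THRESHOLD:
            flags.add("account_enumeration")
        if flags:
            visitors[vid]["categories"] |= flags
            visitors[vid]["path"].extend((r["ts"], r["site"], sorted(flags), r["path"]) for _, r in attempts)
    report = {vid: {"ip": v["ip"], "tool": v["tool"], "categories": sorted(v["categories"]),
                    "path": sorted(v["path"])} for vid, v in visitors.items()}
    return {"attacker_ips": sorted({v["ip"] for v in report.values() if v["categories"]}),
            "visitors": report}


if __name__ == "__main__":
    print(json.dumps(analyze(parse_logs(SAMPLE_LOGS)), indent=2))
```

Real honeypot logs should be decoded before matching, as `classify_request` does, since URL-encoded keywords otherwise slip past the keyword library.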
The invention meets the honeypot needs of the internet finance field: through the Web site honeypots it analyses network attacks aimed at internet finance, analyses the network attack samples, learns the latest attack forms, and obtains a list of attacker IPs, a list of device features, the vulnerabilities exploited by the attacks, and so on.
The honeypot-based network threat analysis method of the invention addresses the difficulty of defending against network attacks, identifies network attacks, and strengthens the ability of internet financial companies to resist them.
Those skilled in the art will understand that all or part of the steps of the above embodiments are implemented as a program (computer program) executed by computer data processing equipment; when the computer program is executed, the above method provided by the invention is realised. Moreover, the computer program can be stored in a computer-readable storage medium, which may be a readable storage medium such as a disk, an optical disc, a ROM or a RAM, or a storage array composed of multiple storage media, such as a disk or tape storage array. The storage medium is not limited to centralised storage and may also be distributed storage, such as cloud storage based on cloud computing.
Device embodiments of the invention are described below; the device can be used to carry out the method embodiments of the invention. Details described in the device embodiments should be regarded as supplementing the method embodiments above; for details not disclosed in the device embodiments, refer to the method embodiments above.
Those skilled in the art will understand that each module in the above device embodiments can be distributed in the device as described, or changed accordingly and distributed in one or more devices different from the above embodiments. The modules of the above embodiments can be merged into one module or further split into multiple sub-modules.
Fig. 2 is a module architecture diagram of the honeypot-based network threat analysis device of one specific embodiment of the invention. As shown in Fig. 2, the machine-learning-based network threat analysis device of the invention comprises: a honeypot system establishing module, a log data capture module and a network threat analysis module.
The honeypot system establishing module establishes the honeypot system, the honeypot system comprising multiple Web site honeypots, each Web site honeypot simulating a different type of Web site.
The log data capture module obtains the log data of accesses to the Web site honeypots.
The network threat analysis module analyses the log data and obtains data on attacks against the different Web sites.
Fig. 3 is an architecture diagram of the honeypot system establishing module of the honeypot-based network threat analysis device of the invention. As shown in Fig. 3, the honeypot system establishing module further comprises: a honeypot system establishing unit for establishing, by means of Docker, the honeypot system comprising multiple Web site honeypots.
Further, the honeypot system establishing module also comprises:
a Web site honeypot building unit that builds the Web site honeypots from internet financial web site templates.
Fig. 4 is an architecture diagram of the honeypot system of the honeypot-based network threat analysis device of the invention. As shown in Fig. 4, the honeypot system of the invention comprises multiple Web site honeypots, each of which is a virtual internet financial web site.
Fig. 5 is an architecture diagram of the log data capture module of the honeypot-based network threat analysis device of one specific embodiment of the invention. As shown in Fig. 5, the log data capture module of the invention further comprises: a firewall unit, an IDS unit and a honeypot host unit.
The firewall unit obtains the log data of accesses to the Web site honeypots through a firewall.
The IDS unit obtains the log data of accesses to the Web site honeypots through an intrusion detection system (IDS).
The honeypot host unit obtains the log data of accesses to the Web site honeypots through the honeypot host.
Fig. 6 is an architecture diagram of the log data capture module of the honeypot-based network threat analysis device of another specific embodiment of the invention. As shown in Fig. 6, the log data capture module of the invention comprises not only the firewall unit, IDS unit and honeypot host unit but also a feature information extraction unit, a network threat record acquisition unit and a network threat record analysis unit.
The feature information extraction unit analyses the behavioural data of visitors in the log data, extracts feature information relevant to network threats, and obtains data on attacks against the different Web sites.
Here, the feature information extraction unit further comprises: a network attack keyword extraction sub-unit for extracting network attack keywords relevant to network threats.
The network threat record acquisition unit obtains network threat records from the extracted feature information relevant to network threats.
The network threat record analysis unit analyses the network threat records to obtain the tools, methods and paths used to carry out the network threats.
Fig. 7 is a module architecture diagram of the honeypot-based network threat analysis device of yet another specific embodiment of the invention. As shown in Fig. 7, the machine-learning-based network threat analysis device of the invention comprises not only the honeypot system establishing module, log data capture module and network threat analysis module but also a database module and/or an ID assignment module.
The database module establishes the database for storing the log data.
The ID assignment module assigns an ID to each visitor of the honeypot system.
An electronic device embodiment of the invention is described below. This electronic device can be regarded as a specific physical embodiment of the method and apparatus embodiments of the invention described above. Details described in the electronic device embodiment should be regarded as supplementing the method or apparatus embodiments above; for details not disclosed in the electronic device embodiment, reference may be made to the method or apparatus embodiments above.
Fig. 8 is a structural block diagram of an exemplary embodiment of an electronic device according to the invention. The electronic device 200 according to this embodiment of the invention is described with reference to Fig. 8. The electronic device 200 shown in Fig. 8 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the invention.
As shown in Fig. 7, the electronic device 200 takes the form of a general-purpose computing device. The components of the electronic device 200 may include, but are not limited to: at least one processing unit 210, at least one storage unit 220, a bus 230 connecting the different system components (including the storage unit 220 and the processing unit 210), a display unit 240, and so on.
The storage unit stores program code that can be executed by the processing unit 210, so that the processing unit 210 performs the steps of the various exemplary embodiments of the invention described above in this specification in the section on the electronic prescription circulation processing method. For example, the processing unit 210 may perform the steps shown in Fig. 1.
The storage unit 220 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM) 2201 and/or a cache memory unit 2202, and may further include a read-only memory unit (ROM) 2203.
The storage unit 220 may also include a program/utility 2204 having a set of (at least one) program modules 2205. Such program modules 2205 include, but are not limited to: an operating system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
The bus 230 may represent one or more of several kinds of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus structures.
The electronic device 200 may also communicate with one or more external devices 300 (such as a keyboard, a pointing device, a Bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 200, and/or with any device (such as a router, a modem, etc.) that enables the electronic device 200 to communicate with one or more other computing devices. Such communication may take place through an input/output (I/O) interface 250. The electronic device 200 may also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 260. The network adapter 260 may communicate with the other modules of the electronic device 200 through the bus 230. It should be understood that, although not shown in the drawings, other hardware and/or software modules may be used in conjunction with the electronic device 200, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, etc.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described by the invention can be implemented in software, or in software combined with the necessary hardware. Accordingly, the technical solution according to the embodiments of the invention can be embodied in the form of a software product, which can be stored in a computer-readable storage medium (which may be a CD-ROM, a USB flash drive, a removable hard disk, etc.) or on a network, and includes instructions that cause a computing device (which may be a personal computer, a server, a network device, etc.) to perform the method according to the invention described above. When the computer program is executed by a data processing device, the computer-readable medium is enabled to carry out the above method of the invention, namely: establish a honeypot system, the honeypot system including multiple Web site honeypots, each Web site honeypot being used to simulate a different type of Web site; obtain the log data of accesses to the Web site honeypots; and analyse the log data to obtain data on attacks against the different Web sites.
The computer program may be stored on one or more computer-readable media, as shown in Fig. 9. The computer-readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fibre, a portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
The computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal may take various forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. The readable signal medium may also be any readable medium other than a readable storage medium, which can send, propagate or transmit a program for use by, or in connection with, an instruction execution system, apparatus or device. The program code contained on the readable medium may be transmitted by any suitable medium, including but not limited to wireless, wired, optical cable, RF, etc., or any suitable combination of the above.
Program code for carrying out the operations of the invention may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, and conventional procedural programming languages such as "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. Where a remote computing device is involved, the remote computing device may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example, through the Internet using an Internet service provider).
In summary, the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of these. Those skilled in the art will understand that a microprocessor, a digital signal processor (DSP) or another communication data processing unit may be used in practice to realise some or all of the functions of some or all of the components according to the embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
The specific embodiments described above further describe in detail the objectives, technical solutions and beneficial effects of the invention. It should be understood that the invention is not inherently related to any particular computer, virtual apparatus or electronic device; the invention may also be implemented by various general-purpose apparatus. The above are only specific embodiments of the invention and do not limit it; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (10)

1. A network threat analysis method based on a honeypot system, characterised by comprising:
establishing a honeypot system, the honeypot system including multiple Web site honeypots, each Web site honeypot being used to simulate a different type of Web site;
obtaining log data of accesses to the Web site honeypots;
analysing the log data to obtain data on attacks against the different Web sites.
2. The method according to claim 1, characterised in that establishing the honeypot system, the honeypot system including multiple Web site honeypots, each Web site honeypot being used to simulate a different type of Web site, further comprises:
establishing, by Docker, the honeypot system including the multiple Web site honeypots.
3. The method according to any one of claims 1-2, characterised by further comprising:
building the Web site honeypots from Internet finance Web site templates.
4. The method according to any one of claims 1-3, characterised in that obtaining the log data of accesses to the Web site honeypots further comprises:
obtaining the log data of accesses to the Web site honeypots through a firewall; or
obtaining the log data of accesses to the Web site honeypots through an intrusion detection system (IDS); or
obtaining the log data of accesses to the Web site honeypots through the honeypot host.
5. The method according to any one of claims 1-4, characterised by further comprising:
establishing a database for storing the log data.
6. The method according to any one of claims 1-5, characterised in that analysing the log data to obtain data on attacks against the different Web sites further comprises:
analysing the behavioural data of visitors in the log data and extracting characteristic information related to network threats, so as to obtain data on attacks against the different Web sites.
7. The method according to any one of claims 1-6, characterised in that extracting characteristic information related to network threats further comprises:
extracting network attack keywords related to network threats.
8. A network threat analysis apparatus based on machine learning, characterised by comprising:
a honeypot system establishing module, for establishing a honeypot system, the honeypot system including multiple Web site honeypots, each Web site honeypot being used to simulate a different type of Web site;
a log data capturing module, for obtaining log data of accesses to the Web site honeypots;
a network threat analysis module, for analysing the log data to obtain data on attacks against the different Web sites.
9. An electronic device, wherein the electronic device comprises:
a processor; and
a memory storing computer-executable instructions which, when executed, cause the processor to perform the method according to any one of claims 1-7.
10. A computer-readable storage medium, wherein the computer-readable storage medium stores one or more programs which, when executed by a processor, implement the method according to any one of claims 1-7.
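The pipeline of claims 1-8 and the module architecture of Fig. 7 (visitor IDs, a log store, keyword extraction per Web site honeypot) in miniature, as an added example that is not code from the patent. The honeypot names, the log line format written by the honeypot hosts, the sample lines and the keyword signature table are all constructed assumptions.

```python
# Example code added here, not the patent's: the claimed pipeline in miniature,
# honeypot-host access logs -> visitor IDs -> attack-keyword extraction ->
# attack counts per Web site honeypot. Names, log format, patterns assumed.
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines: <honeypot> <ip> - [<time>] "<request>" <status>.
# Each honeypot imitates a different site type (loan, payment, wealth).
SAMPLE_LOGS = """\
loan-site 203.0.113.10 - [30/Jun/2019:10:01:02 +0800] "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200
loan-site 203.0.113.10 - [30/Jun/2019:10:01:05 +0800] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200
pay-site 198.51.100.7 - [30/Jun/2019:10:02:00 +0800] "GET /index.html HTTP/1.1" 200
pay-site 198.51.100.7 - [30/Jun/2019:10:02:09 +0800] "GET /../../etc/passwd HTTP/1.1" 404
wealth-site 203.0.113.10 - [30/Jun/2019:10:03:00 +0800] "POST /upload.php?cmd=whoami HTTP/1.1" 403
"""

LOG_RE = re.compile(
    r'^(?P<honeypot>\S+) (?P<ip>\S+) - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})\s*$'
)

# "Network attack keywords" (claim 7): a small assumed signature table.
ATTACK_KEYWORDS = {
    "sql_injection": re.compile(r"(?i)(' ?or ?'|union\s+select|sleep\()"),
    "xss": re.compile(r"(?i)(<script|onerror=|javascript:)"),
    "path_traversal": re.compile(r"(\.\./){2,}|/etc/passwd"),
    "command_injection": re.compile(r"(?i)[?&;](cmd|exec)=|;\s*(whoami|id)\b"),
}

class VisitorIdAllocator:
    """ID distribution module: one stable ID per source address."""
    def __init__(self):
        self._ids = {}
    def get(self, ip):
        return self._ids.setdefault(ip, len(self._ids) + 1)

def parse_line(line):
    """Parse one honeypot-host log line; None for an unparseable line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def extract_keywords(path):
    """Decode the URL before matching: an encoded payload would otherwise
    slip past the signatures. Returns the keyword classes that matched."""
    decoded = unquote(path)
    return [name for name, pat in ATTACK_KEYWORDS.items() if pat.search(decoded)]

def analyse(logs):
    """Return (db, per_site): stored visit records (database module) and
    attack-keyword counts per Web site honeypot (the claimed output)."""
    ids, db = VisitorIdAllocator(), []
    per_site = defaultdict(lambda: defaultdict(int))
    for line in logs.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the analysis
        kws = extract_keywords(rec["path"])
        db.append({"honeypot": rec["honeypot"], "visitor_id": ids.get(rec["ip"]),
                   "path": rec["path"], "status": int(rec["status"]), "keywords": kws})
        for k in kws:
            per_site[rec["honeypot"]][k] += 1
    return db, {site: dict(c) for site, c in per_site.items()}

def visitor_summary(db):
    """Per-visitor behaviour (claim 6): honeypots touched, keywords triggered."""
    out = defaultdict(lambda: {"honeypots": set(), "attack_hits": 0})
    for v in db:
        out[v["visitor_id"]]["honeypots"].add(v["honeypot"])
        out[v["visitor_id"]]["attack_hits"] += len(v["keywords"])
    return dict(out)
```

Running `analyse(SAMPLE_LOGS)` on the constructed lines attributes one SQL-injection and one XSS keyword to the loan honeypot, a traversal to the payment honeypot and a command-injection keyword to the wealth honeypot, and `visitor_summary` shows visitor 1 touching two of the three sites.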
CN201910581198.XA 2019-06-29 2019-06-29 A kind of Cyberthreat analysis method, device and electronic equipment based on honey pot system Pending CN110336811A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910581198.XA CN110336811A (en) 2019-06-29 2019-06-29 A kind of Cyberthreat analysis method, device and electronic equipment based on honey pot system

Publications (1)

Publication Number Publication Date
CN110336811A true CN110336811A (en) 2019-10-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 201500 room a3-5588, 58 Fumin Branch Road, Hengsha Township, Chongming District, Shanghai (Shanghai Hengtai Economic Development Zone)

Applicant after: Qifu Shuke (Shanghai) Technology Co.,Ltd.

Address before: 201500 room a3-5588, 58 Fumin Branch Road, Hengsha Township, Chongming District, Shanghai (Shanghai Hengtai Economic Development Zone)

Applicant before: Shanghai Qifu Information Technology Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20191015