CN113645234B - Honeypot-based network defense method, system, medium and device

Info

Publication number: CN113645234B
Application number: CN202110913734.9A
Authority: CN (China)
Legal status: Active (granted; the application was earlier published as CN113645234A)
Other languages: Chinese (zh)
Inventors: 陆久彬, 孙科
Assignee (original and current): Oriental Fortune Information Co ltd

Classifications

CPC classes assigned, all under H04L63/00 (Network architectures or network communication protocols for network security) and H04L63/14 (detecting or protecting against malicious traffic), within H04L (Transmission of digital information, e.g. telegraphic communication), H04 (Electric communication technique), section H (Electricity):

    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a honeypot-based network defense method, system, medium and device. The method comprises the following steps: presetting a correspondence between the Host field of the request header of malicious traffic and the script to call; receiving access traffic that an application protection system (WAF) has judged to be malicious, and deciding from the Host field whether to call a first-type script or a second-type script; when a first-type script is called, identifying the attack type of the malicious traffic from the label the WAF attached to it, and returning the corresponding preset page for that attack type; when a second-type script is called, identifying the request path of the malicious traffic, identifying the request type from the request path, and returning the corresponding preset page for that request type. The method merges interception with the honeypot, i.e. it combines application protection system (WAF) protection and honeypot: different feedback is given for the different attack methods seen in malicious traffic, response content is returned flexibly and quickly, and the attacker is deceived.

Description

Honeypot-based network defense method, system, medium and device
Technical Field
The invention relates to the technical field of information security, in particular to a honeypot-based network defense method, system, medium and device.
Background
Most WAFs in current use (Web application firewalls, also called Web application-level intrusion prevention systems) respond to an identified attack simply by returning HTTP 403 or a block page carrying markers that identify the WAF product. The market generally offers the WAF product and the honeypot system separately: the WAF blocks the attacker's malicious access, while a separately deployed honeypot system lures the attacker in and then analyses and works on the attacker's behaviour.
In the course of implementing the present invention, the inventors found that the prior art has at least the following problem.
Because interception and the honeypot are separate systems protecting the business, the cost of using and maintaining the equipment rises, and the cost in operations and maintenance staff is higher.
The problem to be solved is therefore that existing protection keeps interception separate from the honeypot, with high equipment use and maintenance costs.
Disclosure of Invention
In view of the above shortcomings of the prior art, an object of the present invention is to provide a honeypot-based network defense method, system, medium and apparatus that solve the problems of the prior art, namely that existing protection keeps interception separate from the honeypot and that equipment use and maintenance costs are high.
To achieve the above and other related objects, the present invention provides a honeypot-based network defense method comprising the following steps: presetting a correspondence between the Host field of the request header of malicious traffic and the script to call; receiving access traffic that an application protection system has judged to be malicious, and deciding from the Host field whether to call a first-type script or a second-type script; when a first-type script is called, identifying the attack type of the malicious traffic from the label attached to it, and returning the corresponding preset page for that attack type; when a second-type script is called, identifying the request path of the malicious traffic, identifying the request type from the request path, and returning the corresponding preset page for that request type.
In an embodiment of the present invention, when the first-type script is called, identifying the attack type of the malicious traffic from its label and returning the corresponding preset page for that attack type comprises the following steps: judging from the label whether the attack type of the malicious traffic is a preset attack type; when it is, identifying whether the request path of the malicious traffic is a preset request path; when the request path is a preset request path, returning the preset page associated with that request path; and when it is not, returning the first default page.
In another embodiment of the present invention, when the first-type script is called, identifying the attack type of the malicious traffic from its label and returning the corresponding preset page for that attack type comprises the following steps: judging from the label whether the attack type of the malicious traffic is a preset attack type; when it is, identifying whether a request parameter of the malicious traffic is a preset request parameter; when the request parameter is a preset request parameter, returning the preset page associated with that request parameter; and when it is not, returning the first default page.
In an embodiment of the present invention, when no label needs to be read (the second-type script), identifying the request path of the malicious traffic, identifying the request type from the request path and returning the corresponding preset page comprises the following steps: identifying whether the request path is the entry path; when it is, returning the entry page; when it is not, identifying whether the request path is the login request path; when it is, obtaining the username and password submitted in the malicious traffic and judging whether they match the preset username and password; if they match, returning the preset login-success page; if they do not, returning the preset login-failure page; when the request path is not the login request path, identifying whether it is the download page reached after a successful login submission; when it is, returning the preset download file; when it is not, identifying whether the request path is a preset resource; when it is, returning the preset resource; and when it is not, returning the second default page.
In an embodiment of the present invention, identifying the request path of the malicious traffic, identifying the request type from the request path and returning the corresponding preset page comprises the following steps: using the Host field of the request header to decide which script to use; identifying whether the request path is a preset request path; and when it is, returning the preset web page produced by the preset script.
In an embodiment of the present invention, the attack types include, but are not limited to, any one or more of the following: SQL injection, XSS attack, crawler attack, CC attack, webshell attack and CSRF attack. The preset page corresponding to SQL injection includes any one or more of a preset injection-failure page, an injection error-message page, or an injection-success page; the preset page corresponding to an XSS attack includes a preset pop-up window page; the preset page corresponding to a crawler attack includes a preset service page; the preset page corresponding to a CC attack includes a preset data page for a successful access and a preset error page for a failed page access; the preset page corresponding to a webshell attack includes a preset page for a successful submission, a page for a failed submission and a no-permission page; the preset page corresponding to a CSRF attack includes a preset submission-failure page, a submission error-message page, or a submission-success page.
In an embodiment of the present invention, returning the corresponding preset page based on the request type comprises the following steps: registering preset functions into a Lua virtual machine from Go; having a Lua script, selected according to the request type, call the corresponding preset function in the Lua virtual machine to obtain a call result; and returning the corresponding preset page based on the call result.
In an embodiment of the present invention, the request type includes any one or more of the following: obtaining parameters from the request packet, modifying a header, adding a cookie, returning characters, setting a log label on the returned page, matching a character string, setting an MD5 value, setting a random-number MD5 value, choosing whether to send a log, sending static data, sending a file, redirecting, and raising alarm information.
To achieve the above object, the present invention further provides a honeypot-based network defense system comprising a receiving module, an identification module and a return module. The receiving module presets the correspondence between the Host field of the request header of malicious traffic and the script to call, receives access traffic that the application protection system has judged to be malicious, and decides from the Host field whether to call a first-type or a second-type script. The identification module, when a first-type script is called, identifies the attack type of the malicious traffic from its label and returns the corresponding preset page for that attack type. The return module, when a second-type script is called, identifies the request path of the malicious traffic, identifies the request type from the request path, and returns the corresponding preset page for that request type.
In an embodiment of the present invention, the identification module identifying the attack type of the malicious traffic from its label when a first-type script is called, and returning the corresponding preset page, comprises: judging from the label whether the attack type is a preset attack type; when it is, identifying whether the request path of the malicious traffic is a preset request path; when the request path is a preset request path, returning the preset page associated with that request path; and when it is not, returning the first default page.
In another embodiment of the present invention, the identification module identifying the attack type of the malicious traffic from its label when a first-type script is called, and returning the corresponding preset page, comprises: judging from the label whether the attack type is a preset attack type; when it is, identifying whether a request parameter of the malicious traffic is a preset request parameter; when the request parameter is a preset request parameter, returning the preset page associated with that request parameter; and when it is not, returning the first default page.
In an embodiment of the present invention, the return module, when a second-type script is called, identifying the request path of the malicious traffic, identifying the request type from the request path and returning the corresponding preset page comprises: identifying whether the request path is the entry path; when it is, returning the entry page; when it is not, identifying whether the request path is the login request path; when it is, obtaining the username and password submitted in the malicious traffic and judging whether they match the preset username and password; if they match, returning the preset login-success page; if they do not, returning the preset login-failure page; when the request path is not the login request path, identifying whether it is the download page reached after a successful login submission; when it is, returning the preset download file; when it is not, identifying whether the request path is a preset resource; when it is, returning the preset resource; and when it is not, returning the second default page.
In an embodiment of the present invention, identifying the request path of the malicious traffic, identifying the request type from the request path and returning the corresponding preset page comprises: using the Host field of the request header to decide which script to use; identifying whether the request path is a preset request path; and when it is, returning the preset web page produced by the preset script.
In an embodiment of the present invention, the attack types include, but are not limited to, any one or more of the following: SQL injection, XSS attack, crawler attack, CC attack, webshell attack, CSRF attack.
In an embodiment of the present invention, the preset page corresponding to SQL injection includes any one or more of a preset injection-failure page, an injection error-message page, or an injection-success page; the preset page corresponding to an XSS attack includes a preset pop-up window page; the preset page corresponding to a crawler attack includes a preset service page; the preset page corresponding to a CC attack includes a preset data page for a successful access and a preset error page for a failed page access; the preset page corresponding to a webshell attack includes a preset page for a successful submission, a page for a failed submission and a no-permission page; the preset page corresponding to a CSRF attack includes a preset submission-failure page, a submission error-message page, or a submission-success page.
In an embodiment of the present invention, returning the corresponding preset page based on the request type comprises: registering preset functions into a Lua virtual machine from Go; having a Lua script, selected according to the request type, call the corresponding preset function in the Lua virtual machine to obtain a call result; and returning the corresponding preset page based on the call result.
In an embodiment of the present invention, the request type includes any one or more of the following: obtaining parameters from the request packet, modifying a header, adding a cookie, returning characters, setting a log label on the returned page, matching a character string, setting an MD5 value, setting a random-number MD5 value, choosing whether to send a log, sending static data, sending a file, redirecting, and raising alarm information.
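The function table and the request-type names in the two paragraphs above, as an added example in Go that is not code from the patent or from its assignee. The patent registers preset functions into a Lua virtual machine from Go and has a Lua script call them by name; here the Lua layer is replaced by a plain list of steps interpreted by Go so that the block runs with only the standard library. The function names, their argument keys, the `if_matched` gating convention, the sample upload script, its page text and the constructed request parameters are all this example's own assumptions.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Ctx is the per-request state a script works on: the parameters the WAF forwarded
// and the decoy response being assembled (all field names are this example's own).
type Ctx struct {
	Params   map[string]string // request parameters (constructed input)
	Headers  map[string]string // response headers to emit
	Cookies  map[string]string // cookies to set on the response
	Body     string            // response body
	LogLabel string            // label attached to this request's log entries
	Logs     []string          // entries handed to the log system
	Alarms   []string          // alarm messages raised
	Vars     map[string]string // script variables, e.g. computed MD5 values
	Matched  bool              // outcome of the last match_string call
}

func NewCtx(p map[string]string) *Ctx {
	return &Ctx{Params: p, Headers: map[string]string{}, Cookies: map[string]string{}, Vars: map[string]string{}}
}

// Step is one call a script makes: a preset function name and its arguments.
type Step struct {
	Op   string
	Args map[string]string
}

func md5hex(b []byte) string { s := md5.Sum(b); return hex.EncodeToString(s[:]) }

// registry is the preset function table, the stand-in for the functions the patent
// registers into the Lua VM. Names follow the request types listed in the description;
// the bodies are this example's own.
var registry = map[string]func(c *Ctx, a map[string]string) error{
	"get_param":     func(c *Ctx, a map[string]string) error { c.Vars[a["into"]] = c.Params[a["name"]]; return nil },
	"set_header":    func(c *Ctx, a map[string]string) error { c.Headers[a["name"]] = a["value"]; return nil },
	"add_cookie":    func(c *Ctx, a map[string]string) error { c.Cookies[a["name"]] = c.Vars[a["from"]]; return nil },
	"return_text":   func(c *Ctx, a map[string]string) error { c.Body = a["text"]; return nil },
	"set_log_label": func(c *Ctx, a map[string]string) error { c.LogLabel = a["label"]; return nil },
	"alarm":         func(c *Ctx, a map[string]string) error { c.Alarms = append(c.Alarms, a["msg"]); return nil },
	"send_log": func(c *Ctx, a map[string]string) error {
		c.Logs = append(c.Logs, fmt.Sprintf("label=%s %s", c.LogLabel, a["msg"]))
		return nil
	},
	// substring match on a variable; the result gates later steps marked if_matched
	"match_string": func(c *Ctx, a map[string]string) error {
		c.Matched = strings.Contains(c.Vars[a["var"]], a["needle"])
		return nil
	},
	"set_md5": func(c *Ctx, a map[string]string) error {
		c.Vars[a["into"]] = md5hex([]byte(c.Vars[a["var"]]))
		return nil
	},
	// a random MD5 value, usable as a per-attacker tracking token
	"set_random_md5": func(c *Ctx, a map[string]string) error {
		var seed [16]byte
		if _, err := rand.Read(seed[:]); err != nil {
			return err
		}
		c.Vars[a["into"]] = md5hex(seed[:])
		return nil
	},
}

// Run executes a script step by step. A step carrying "if_matched": "true" is skipped
// unless the preceding match_string succeeded; an unknown function name is an error.
func Run(c *Ctx, script []Step) error {
	for _, st := range script {
		if st.Args["if_matched"] == "true" && !c.Matched {
			continue
		}
		fn, ok := registry[st.Op]
		if !ok {
			return fmt.Errorf("unknown preset function %q", st.Op)
		}
		if err := fn(c, st.Args); err != nil {
			return fmt.Errorf("%s: %w", st.Op, err)
		}
	}
	return nil
}

// WebshellUploadScript is a constructed script for a decoy upload endpoint: it records the
// submitted filename, raises an alarm when it looks like a webshell, pins a random tracking
// token on the attacker via a cookie and returns a fake "upload success" page.
var WebshellUploadScript = []Step{
	{"get_param", map[string]string{"name": "filename", "into": "fname"}},
	{"set_log_label", map[string]string{"label": "webshell-upload"}},
	{"match_string", map[string]string{"var": "fname", "needle": ".php"}},
	{"alarm", map[string]string{"msg": "webshell upload attempt", "if_matched": "true"}},
	{"set_md5", map[string]string{"var": "fname", "into": "fhash"}},
	{"set_random_md5", map[string]string{"into": "track"}},
	{"add_cookie", map[string]string{"name": "sid", "from": "track"}},
	{"set_header", map[string]string{"name": "Server", "value": "Apache/2.4.41"}},
	{"return_text", map[string]string{"text": "<html>Upload success</html>"}},
	{"send_log", map[string]string{"msg": "decoy upload served"}},
}

func main() {
	c := NewCtx(map[string]string{"filename": "shell.php"}) // constructed attacker input
	if err := Run(c, WebshellUploadScript); err != nil {
		panic(err)
	}
	fmt.Printf("body=%s cookies=%v alarms=%v logs=%v\n", c.Body, c.Cookies, c.Alarms, c.Logs)
}
```

Keeping the per-request functions behind a name-keyed table is what lets the response logic be changed by editing a script rather than recompiling the interception centre; the same table can be exposed to an embedded Lua interpreter in a real deployment. Because the attack type never selects a real backend, the script can freely return a "success" page while the log label and alarm carry the true classification to the analysts.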
To achieve the above object, the present invention further provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor it implements any of the above honeypot-based network defense methods.
To achieve the above object, the present invention further provides a honeypot-based network defense apparatus comprising a processor and a memory; the memory stores a computer program, and the processor is connected to the memory and executes the stored program so that the honeypot-based network defense apparatus performs any of the above honeypot-based network defense methods.
To achieve the above object, the invention also provides a honeypot-based network defense system comprising the honeypot-based network defense apparatus and an application protection system. The application protection system judges whether access traffic is malicious and labels malicious traffic according to its type. The honeypot-based network defense apparatus receives the access traffic that the application protection system judged to be malicious and identifies whether it carries a label; when it does, it identifies the attack type from the label and returns the corresponding preset page for that attack type; when it does not, it identifies the request path of the malicious traffic, identifies the request type from the request path, and returns the corresponding preset page for that request type.
As described above, the honeypot-based network defense method, system, medium and apparatus of the present invention have the following advantages: they merge interception with the honeypot, i.e. combine application protection system protection and honeypot, give different feedback for the different attack methods seen in malicious traffic, return response content flexibly and quickly, and deceive the attacker.
Drawings
FIG. 1a is a schematic view of a honeypot based network defense method according to an embodiment of the present invention;
FIG. 1b is a flowchart of a honeypot based network defense method of the present invention in one embodiment;
FIG. 1c is a flow chart of a honeypot based network defense method of the present invention in another embodiment;
FIG. 1d is a flow chart of a honeypot based network defense method of the present invention in yet another embodiment;
FIG. 1e is a flow chart of a honeypot based network defense method of the present invention in a further embodiment;
FIG. 2 is a schematic diagram of a honeypot based defense system according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an embodiment of a honeypot based network defense apparatus of the present invention;
FIG. 4 is a schematic diagram of a honeypot based network defense apparatus according to another embodiment of the present invention;
FIG. 5 is a schematic diagram of a honeypot based defense system according to another embodiment of the present invention.
Description of the element reference numerals
21. Receiving module
22. Identification module
23. Return module
31. Processor
32. Memory
41. Processing unit
42. Memory unit
421. Random access memory
422. Cache memory
423. Storage system
424. Program/utility tool
4241. Program module
43. Bus line
44. Input/output interface
45. Network adapter
51. Honeypot-based network defense device
52. Application protection system
Detailed Description
The embodiments of the present invention are described below by way of specific examples; those skilled in the art will readily understand other advantages and effects of the invention from the disclosure of this specification. The invention can also be implemented or applied in other, different embodiments, and the details of this specification can be modified in various respects without departing from the spirit and scope of the invention. The features of the following embodiments and examples may be combined with one another where they do not conflict.
The drawings provided with the following embodiments illustrate only the basic idea of the invention: they show only the components relevant to the invention and are not drawn according to the number, shape and size of the components in an actual implementation. The type, quantity and proportion of components in an actual implementation may be changed freely, and the layout may be more complicated.
The honeypot-based network defense method, system, medium and device combine WAF protection with a honeypot: they give different feedback for the different attack methods seen in malicious traffic, return response content flexibly and quickly, and deceive the attacker.
As shown in FIG. 1a, the honeypot-based network defense method, system, medium and apparatus are applied in a scenario where an existing application protection system (WAF) screens request traffic. The WAF inspects the request traffic and judges whether it is malicious. Normal traffic is forwarded to the business server; malicious traffic is handed to the interception centre. The interception centre processes the malicious traffic in different ways, merging interception with the honeypot: WAF protection and honeypot are combined, different feedback is given for the different attack methods seen in the malicious traffic, response content is returned flexibly and quickly, and the attacker is deceived.
When interception and the honeypot are separate systems protecting the business, the cost of using and maintaining the equipment rises and the cost in operations and maintenance staff is higher.
In this method, interception of business traffic is combined with honeypots, which fits business scenarios better: normal visitors are unaffected, but for an attacker every page that can be reached is a designed honeypot, and all attack behaviour is recorded in the log system, which aids later tracing and marking of sources. The pressure that malicious access puts on normal business processing is reduced, costs fall, all attacks and interceptions can be handled and managed uniformly, the efficiency of operations and maintenance staff improves, and the time spent on tracing is reduced.
As shown in fig. 1b, in an embodiment, the honeypot-based network defense method of the present invention includes the following steps:
Step S11: preset the correspondence between the Host field of the request header of malicious traffic and the script to call; receive access traffic that the application protection system has judged to be malicious; and decide from the Host field whether to call a first-type or a second-type script.
Specifically, the request header is the header of the HTTP protocol, a data region that comes in two kinds: the header of a request sent by the client to the server is the request header, and the header of the server's response to the client is the response header. The request header mainly carries basic information about the client (the User-Agent, UA, is one request header field); the response header carries information about the response data and the server's instructions on how the client should handle it. The Host field is a request header field added in HTTP/1.1 to handle one IP address serving several domain names: when the server receives a request from the browser, it decides from the Host field in the request header which site is being accessed.
Specifically, the correspondence between the Host field and the script to call is preset, so the type of script to call can be determined from the Host field.
Specifically, a first-type script is a script that needs to read the traffic's label to determine the attack type. A second-type script determines the request type without needing to read a label.
Specifically, the existing WAF judges whether access traffic is malicious and attaches a corresponding label to each kind of malicious traffic. The label distinguishes the attack type of the malicious traffic, and the feedback returned to the malicious traffic is chosen according to the label.
In particular, the label to attach to malicious traffic can be determined by its attack type. For example, for the specific attack types below, a label corresponding to each attack type is attached: SQL injection gets an SQL injection label, an XSS attack an XSS attack label, a crawler attack a crawler attack label, a CC attack a CC attack label, a webshell attack a webshell attack label, and a CSRF attack a CSRF attack label.
Specifically, SQL injection is the insertion of SQL commands into a query string submitted through a Web form, a domain name or a page request, so that the server is tricked into executing malicious SQL commands. In other words, it is the ability to inject (malicious) SQL commands into the back-end database engine through an existing application: by entering malicious SQL statements into a Web form, an attacker can obtain the database of a website with security holes instead of having SQL executed as the designer intended. An XSS attack, in full cross-site scripting attack, is abbreviated XSS so as not to be confused with Cascading Style Sheets (CSS); it is a security vulnerability in Web applications that lets a malicious Web user implant code into pages served to other users. A crawler attack: if the Internet is likened to a large spider web, the data on computers is the prey on that web, and a crawler program is a small spider that grabs the prey (data) it wants. A crawler, by definition, is a program that sends requests to a website, fetches its resources, and then parses and extracts useful data. A CC attack is an attacker using proxy servers to generate legitimate-looking requests aimed at a victim host, mounting a DDoS under the guise of normal traffic; it is called CC (Challenge Collapsar). Webshell attack: a webshell is a code execution environment in the form of a web page file such as asp, php, jsp or cgi, mainly used for website management, server management and permission management. It is simple to use: one code file is uploaded and accessed through the website, after which many routine operations can be carried out, which greatly eases management of the website and server.
For that reason, a webshell attack uses such code, modified to serve as a backdoor program, to control the web server. As the name implies, "web" means the server must be running a web service, and "shell" means obtaining commands that operate on the server to some degree. Webshells are mainly used for website and server management, but because they are so convenient and powerful, specially modified webshells are also used by some people as website backdoor tools. A CSRF attack, commonly abbreviated CSRF or XSRF, is cross-site request forgery: an attack that forces a user to perform unintended operations on a Web application in which they are currently logged in. CSRF exploits the trust a Web site places in the user's Web browser.
Step S12: when the first type of script is called, identify the attack type of the malicious traffic based on the label of the malicious traffic, and return the corresponding preset page based on the attack type.
Specifically, when the first type of script is called, the label of the malicious traffic indicates its attack type; the label is the rule. Thus the attack type of the malicious traffic can be determined from the label. The attack types include a crawler attack or a CC attack. A crawler attack is an attack by a program that sends requests to a website, acquires resources, and analyses and extracts useful data. A CC attack means that an attacker uses proxy servers to generate legitimate-looking requests aimed at the victim host in order to achieve DDoS (distributed denial of service); the name is CC (Challenge Collapsar). CC is mainly used to attack pages. For example, when a large forum is visited by many people, pages open slowly: the number of visitors is large, the forum has many pages, the database is under pressure, the access frequency is high, and the system resources consumed are considerable. The principle of a CC attack is that the attacker controls a number of hosts that continuously send large numbers of packets to the target server, exhausting the server's resources until it goes down. Because CC is mainly used to attack pages, and a page opens slowly when extremely many people access it, CC simulates many users (as many users as there are threads) continuously accessing pages that need a large amount of data processing (that is, a large amount of CPU time). This wastes the server's resources: the CPU stays at 100% for a long time and there are always connections that cannot be processed, until the network is congested and normal access stops.
In an embodiment, as shown in fig. 1c, in the honeypot-based network defense method of the present invention, when the first type of script is called, identifying the attack type of the malicious traffic based on its label and returning the corresponding preset page based on the attack type includes the following steps:
Step S121: judge, based on the label, whether the attack type of the malicious traffic is a preset attack type.
Specifically, when a label is present, the label indicates the attack type of the malicious traffic; the label is the rule. Therefore the attack type can be judged from the label. The preset attack type comprises any one or more of: SQL injection, XSS attack, crawler attack, CC attack, webshell attack, CSRF attack.
Specifically, the preset page corresponding to SQL injection includes any one or more of: a preset injection failure page, an injection error-report information page, or an injection success page; the preset page corresponding to an XSS attack comprises a preset pop-up window page; the preset page corresponding to a crawler attack comprises a preset service page; the preset page corresponding to a CC attack comprises a preset data information page for successful access and a fault-report page for failed page access; the preset page corresponding to a webshell attack comprises a preset page for a successful access submission, a page for a failed submission and a page for no permission; the preset page corresponding to a CSRF attack comprises a preset submission failure page, a submission error information page or a submission success page. That is, after it is judged from the label that the attack type of the malicious traffic is a preset attack type, the preset request path corresponding to the request path of the malicious traffic is identified; each preset request path corresponds to a preset page, so the corresponding page can be returned according to the request path.
Step S122: when the attack type is a preset attack type, identify whether the request path of the malicious traffic is a preset request path.
Step S123: when the request path is a preset request path, return a preset page based on that preset request path.
Specifically, the request path is the URI. A URI (uniform resource identifier) uniquely identifies a resource; every resource available on the Web, such as an HTML document, image, video clip or program, is located by a URI. A URI generally consists of three parts: the naming mechanism (scheme) used to access the resource; the host name of the host storing the resource; and the name of the resource itself, represented by the path. Thus the label indicates the attack type of the malicious traffic, and the request path identifies the specific page the malicious traffic wants to obtain.
Specifically, the preset page is the page corresponding to the request path. For example, the first page is the page corresponding to the first path, and the second page is the page corresponding to the second path.
Step S124: return the first default page when the request path is not a preset request path or the attack type is not a preset attack type.
Specifically, as shown in fig. 1d, in an embodiment shown in the following code, step S121 judges from the label whether the attack type of the malicious traffic is a first type or a second type. The first type corresponds to rule A and the second type to rule B; "first type" and "second type" are generic references and there may be many types (a preset attack type may include a first, second, third or fourth type, and so on), but only the first and second types are written out in this embodiment. In step S122, when the attack type is a preset attack type, it is identified whether the request path of the malicious traffic is a preset request path, that is, whether it is the first path or the second path; there may also be several preset request paths. In step S123, when the request path is a preset request path, a preset page is returned based on that path. For example, when the attack type is the first type (rule A), it is identified whether the request path of the malicious traffic is request path a or request path b. When it is path a, preset page a is returned, where preset page a is a random page chosen from preset pages A, B and C. Or, when the request path of the malicious traffic is identified as preset request path b under rule A, preset page b is returned, where preset page b is likewise a random page chosen from a second set of three preset pages. In step S124, when the request path is not a preset request path or the attack type is not a preset attack type, the first default page is returned. The first default page is also a preset default page and can be any preset page.
In an embodiment, when the first type of script is called, identifying the attack type of the malicious traffic based on its label and returning the corresponding preset page based on the attack type includes the following steps: judge, based on the label, whether the attack type of the malicious traffic is a preset attack type; when it is a preset attack type, identify whether the request parameter of the malicious traffic is a preset request parameter; when the request parameter is a preset request parameter, return a preset page based on that preset request parameter; and when the request parameter is not a preset request parameter, return the first default page. Specifically, the request parameter is carried in the request body.
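The dispatch logic of steps S121 to S124, together with the request-parameter variant just described, written out as an added example in Go. This is not code from the patent; the label names, rule contents, request paths and page names are assumed placeholders, and the random choice among a preset page set takes an explicit random source so the result can be reproduced.

```go
package main

import (
	"fmt"
	"math/rand"
)

// FirstTypeRequest is the part of a labelled request the first-type script
// inspects: the label set by the application protection system, the request
// path (URI) and the parameters carried in the body. Constructed for this example.
type FirstTypeRequest struct {
	Tag    string
	Path   string
	Params map[string]string
}

// Rule maps a preset request path, or a preset request parameter name, to the
// set of preset pages from which one is chosen at random.
type Rule struct {
	PathPages  map[string][]string
	ParamPages map[string][]string
}

// firstDefaultPage is the preset default page of step S124 (placeholder name).
const firstDefaultPage = "default-1.html"

// presetRules: label (attack type) -> rule. Labels, paths and page names are assumed values.
var presetRules = map[string]Rule{
	"sql-injection": { // rule A: matched on the request path
		PathPages: map[string][]string{
			"/a": {"A.html", "B.html", "C.html"},
			"/b": {"D.html", "E.html", "F.html"},
		},
	},
	"csrf": { // rule B: matched on a body parameter instead of the path
		ParamPages: map[string][]string{
			"token": {"submit-failed.html", "submit-error.html", "submit-ok.html"},
		},
	},
}

// pick returns a random member of a preset page set; the caller supplies the
// random source so the choice can be reproduced.
func pick(pages []string, r *rand.Rand) string {
	return pages[r.Intn(len(pages))]
}

// dispatchFirstType implements steps S121-S124: is the label a preset attack
// type; is the path (or a body parameter) preset; otherwise the first default page.
func dispatchFirstType(req FirstTypeRequest, r *rand.Rand) string {
	rule, ok := presetRules[req.Tag]
	if !ok {
		return firstDefaultPage // S124: attack type not preset
	}
	if pages, ok := rule.PathPages[req.Path]; ok {
		return pick(pages, r) // S123: preset request path
	}
	for name := range req.Params {
		if pages, ok := rule.ParamPages[name]; ok {
			return pick(pages, r) // parameter variant of S123
		}
	}
	return firstDefaultPage // S124: neither path nor parameter preset
}

func main() {
	r := rand.New(rand.NewSource(1)) // fixed seed so the demo is reproducible
	fmt.Println(dispatchFirstType(FirstTypeRequest{Tag: "sql-injection", Path: "/a"}, r))
	fmt.Println(dispatchFirstType(FirstTypeRequest{Tag: "csrf", Path: "/form", Params: map[string]string{"token": "x"}}, r))
	fmt.Println(dispatchFirstType(FirstTypeRequest{Tag: "xss", Path: "/a"}, r))
}
```

Unknown labels and unknown paths both fall through to the first default page, so a probe that does not match any rule still receives a plausible response rather than an error that would reveal the honeypot.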
In an embodiment, identifying the request path of the malicious traffic when the second type of script is called, identifying the request type of the malicious traffic based on the request path, and returning the corresponding preset page based on the request type includes the following steps:
Step S1211: identify whether the request path is a login request path.
Step S1212: when it is the login request path, check whether the request user name and request password of the malicious traffic are consistent with the preset user name and preset password; return the preset login success page when they are consistent, and the preset login failure page when they are not.
The method further comprises: when the request path is an exe file request path, returning a preset exe file; and when the request path is a static resource request path, returning the preset static resource. Thus corresponding pages, files or resources are returned for different request paths, so the attacker believes he has obtained the content he was after and the honeypot is not easily discovered.
Specifically, in an embodiment shown in the following code, identifying the request path of the malicious traffic when the second type of script is called, identifying the request type of the malicious traffic based on the request path, and returning the corresponding preset page based on the request type includes the following steps:
Identify whether the request path is the login request path (path A). When it is path A, check whether the request user name and request password of the malicious traffic are consistent with the preset user name and preset password; when they are consistent, return the preset login success page: "200", "ok"; when they are not, return the preset login failure page: "200", "not-ok". Further: when the request path is an exe file request path, return the preset exe file; when the request path is a static resource request path, return the preset static resource; and when the request path is none of these, return the preset default error page ("404"). Thus corresponding pages, files or resources are returned for different request paths, so the attacker believes he has obtained the content he was after and the honeypot is not easily discovered.
Therefore, when access by a certain piece of malicious traffic arrives, the following logical judgement is carried out; its general aim is to prevent hackers from crawling online services, and it mainly plays an intercepting role. The code of the described embodiment is as follows:
[Code listing reproduced in the original as image BDA0003204863050000111; not available as text.]
In an embodiment, identifying the request path of the malicious traffic when the second type of script is called, identifying the request type of the malicious traffic based on the request path, and returning the corresponding preset page based on the request type includes the following steps:
use the host field in the request header to decide which script to use;
identify whether the request path is a preset request path;
and when the request path is a preset request path, return the preset webpage based on the preset script.
In an embodiment, identifying the request path of the malicious traffic, identifying the request type of the malicious traffic based on the request path, and returning the corresponding preset page based on the request type includes the following steps:
The host field in the request header decides which script is used. The correspondence between the host field of the malicious traffic's request header and the called script is preset; the host field a.com in the request header is changed to b.com in advance. The request header is the part of the request that generally stores items such as cookies and tokens.
Identify whether the request path is a preset request path, that is, whether it is the preset management-system request path.
When the request path is a preset request path, return the preset webpage based on the preset script.
The preset webpage is returned based on the preset script: the logic judging the request is executed by the b.com script rather than the a.com script.
The Lua script is assumed to be named b.com.lua and is specially used to lure attackers into accessing it.
Suppose a business website named a.com exists on the network. Normal access goes to known places; only a hacker would enter a link not used by normal business, such as a.com/admin.php, hoping to reach the website's management system through it, because that link is not accessed in normal use (though some websites do place their management system at /admin.php and allow public access). The a.com website has nothing at that link, and at this point the invention can create a fake website through the Lua script. The hacker believes he has reached the management page, which is in fact a fake page returned by the Lua script in response to his request. First, the host field a.com in the request header is changed to b.com in the preceding step and then passed into the system, so that the b.com script executes the logic judging the request instead of the a.com script's processing.
In an embodiment, as shown in fig. 1e, when the second type of script is called, identifying the request path of the malicious traffic, identifying the request type of the malicious traffic based on the request path, and returning the corresponding preset page based on the request type includes the following steps:
Step S131: identify whether the request path is the entrance path. The request path is the URI; a URI (uniform resource identifier) uniquely identifies a resource.
Step S132: when it is the entrance path, return the entrance page. The entrance page is a preset portal page, for example the initial page of a certain website.
Step S133: when the request path is not the entrance path, identify whether it is a login request path. A login request path is a request to log in to a certain third-party account, for example a request to log in to a Baidu cloud page account.
Step S134: when it is a login request path, obtain the request user name and request password of the malicious traffic and judge whether they are consistent with the preset user name and preset password. For example, the preset user name is admin and the preset password is 1234; it is then judged whether the request user name and password of the malicious traffic are admin and 1234, and if so they are consistent.
Step S1351: when they are consistent, return the preset login success page, that is, the preset page displayed after a successful account login.
Step S1352: when they are inconsistent, return the preset login failure page, that is, the preset page displayed after a failed account login.
Step S136: when the request path is not a login request path, identify whether it is a download page reached after a successful login submission. A download page is a path for downloading resources such as videos and documents.
Step S137: when it is a download page, return the preset download file. The download file may be a file in a predetermined format, such as a compressed archive or a Word document.
Step S138: when it is not a download page, identify whether the request path is a preset resource, which is identified from the request path. Preset resources are resources in preset specific formats, such as preset picture, document and installation-package formats; only resources in a preset format are preset resources.
Step S1391: when it is a preset resource, return the preset resource, that is, the resource in the format specified by the request path. Thus corresponding pages, files or resources are returned for different request paths, so the attacker believes he has obtained the content he was after and the honeypot is not easily discovered.
Step S1392: when it is not a preset resource, return the second default page. The second default page is also a preset default page and may be any preset page.
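The host-to-script selection (a.com rewritten to b.com) and the request-path dispatch of steps S131 to S1392, using the "200"/"404" responses of the earlier second-type embodiment, as an added Go example that is not the patent's own code. The paths, file names and page names are assumptions; admin/1234 are the example credentials given in the text.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Response is what the second-type script returns: an HTTP status plus the
// preset page, file or resource name (placeholder names throughout).
type Response struct {
	Status int
	Body   string
}

// SecondTypeRequest carries the request path (URI) and the submitted login
// fields. Constructed for this example.
type SecondTypeRequest struct {
	Path     string
	Username string
	Password string
}

// Preset paths and credentials. admin/1234 are the example credentials given
// in the text; the paths are assumptions.
const (
	entrancePath   = "/"
	loginPath      = "/login"
	downloadPath   = "/download"
	presetUser     = "admin"
	presetPassword = "1234"
)

// Only resources in a preset format count as preset resources: picture,
// document and installation-package formats, keyed by file extension.
var presetResourceExts = map[string]string{
	".png": "preset-picture.png",
	".doc": "preset-document.doc",
	".exe": "preset-installer.exe",
}

// hostRewrite: the host field a.com in the request header is changed to b.com
// beforehand, so the b.com script executes the judgement logic.
var hostRewrite = map[string]string{"a.com": "b.com"}

// scriptForHost is the preset correspondence between host field and called script.
var scriptForHost = map[string]string{"b.com": "b.com.lua"}

// selectScript applies the host rewrite and looks up the script for the host;
// a host with no preset script gets none.
func selectScript(host string) (string, bool) {
	if h, ok := hostRewrite[host]; ok {
		host = h
	}
	script, ok := scriptForHost[host]
	return script, ok
}

// dispatchSecondType implements steps S131 to S1392 in order: entrance page,
// login check, download file, preset resource by format, else the default page.
func dispatchSecondType(req SecondTypeRequest) Response {
	switch req.Path {
	case entrancePath: // S131/S132
		return Response{200, "entrance.html"}
	case loginPath: // S133/S134
		if req.Username == presetUser && req.Password == presetPassword {
			return Response{200, "login-ok.html"} // S1351: "200", "ok"
		}
		return Response{200, "login-not-ok.html"} // S1352: "200", "not-ok"
	case downloadPath: // S136/S137
		return Response{200, "preset-download.zip"}
	}
	// S138/S1391: a preset resource is recognised by the format in the request path.
	if file, ok := presetResourceExts[strings.ToLower(path.Ext(req.Path))]; ok {
		return Response{200, file}
	}
	return Response{404, "default-2.html"} // S1392: second default page
}

func main() {
	if script, ok := selectScript("a.com"); ok {
		fmt.Println("script:", script)
	}
	for _, p := range []string{"/", "/login", "/download", "/img/logo.PNG", "/nothing"} {
		fmt.Println(p, dispatchSecondType(SecondTypeRequest{Path: p, Username: "admin", Password: "1234"}))
	}
}
```

The login branch deliberately answers a wrong password with status 200 and a "not ok" page, as the text specifies, so a credential-guessing client sees the same shape of response either way; the extension lookup is lower-cased so that mixed-case paths still map to the preset resource.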
In an embodiment, identifying the request path of the malicious traffic, identifying the request type of the malicious traffic based on the request path, and returning the corresponding preset page based on the request type includes the following steps: identify whether the request path is a login request path; when it is the login request path, check whether the request user name and request password of the malicious traffic are consistent with the preset user name and preset password; return the preset login success page when they are consistent, and the preset login failure page when they are not.
In an embodiment, returning the corresponding preset page based on the request type includes the following steps:
preset functions into the Lua virtual machine using the Go language;
call the corresponding preset function in the Lua virtual machine from the Lua script based on the request type to obtain a call result;
and return the corresponding preset page based on the call result.
In an embodiment, returning the corresponding preset page based on the request type includes the following steps:
Preset functions into the Lua virtual machine using the Go language. The Go language is the second open-source programming language released by *** in 2009. Go is specifically optimised for programming applications on multiprocessor systems; programs compiled with Go can be comparable in speed to C or C++ code, while being safer and supporting parallel processes. The request type includes any one or more of: obtaining parameters from the request packet, modifying the header, adding a cookie, returning characters, returning a page and setting a log label, matching character strings, setting an md5 value, setting a random md5 value, whether to send the log, sending static data, sending a file, redirecting, and providing alarm information. The preset Go function is the call function corresponding to the request type.

Specifically, the header is the HTTP message header, the component of the protocol header in a Hypertext Transfer Protocol (HTTP) request or response message; a cookie is data that some websites store on the user's local terminal to identify the user and track the session; MD5 (Message-Digest Algorithm 5) is used to ensure the integrity and consistency of transmitted information and is one of the hash (digest) algorithms widely used by computers, implemented in most mainstream programming languages; its basic principle, as with any hash algorithm, is to map data (such as Chinese text) to another value of fixed length, and its predecessors include MD2, MD3 and MD4; redirection (Redirect) means redirecting various network requests to other locations by various methods (for example, web page redirection, domain name redirection, and routing changes, which are also a kind of redirection of data messages via a path).
Specifically:
var: obtain parameters from the request packet;
set_header: modify the header;
set_cookie: add a cookie;
send_text: return characters;
send_html: return a page;
set_tag: set a tag (for querying in the log);
match: match character strings;
md5sum: set an md5 value;
randomMD5: set a random md5 value;
send_off: whether to send the log;
send_static: send static data;
send_file: send a file;
redirect: redirect;
alert: provide alarm information.
Call the corresponding preset function in the Lua virtual machine from the Lua script based on the request type to obtain a call result. The preset function is the call function corresponding to the request type. The parent key of the request type is http, so the calling methods in the Lua script are under http.
Return the corresponding preset page based on the call result. After the various response functions have been registered into the Lua virtual machine from the Go language, they can be called and operated from the Lua script to respond to user requests in real time, and the attacker's geographic location and log transmission are obtained in real time. The method uses golang (the Go language) and Lua (a scripting language) as the project's development languages, uses a Lua virtual machine inside Go to interoperate with Lua scripts, and uses fasthttp as the web framework (a Go web server built on fasthttp) to respond to requests. Go methods are registered into the Lua virtual machine and made available for the Lua script to call, and the Lua script can be updated in real time so as to change the response strategy in real time. The strategy for intercepting the attacker can thus be modified in real time through the Lua script and new interception measures updated promptly, which gives greater flexibility.
In the prior art, protection is generally performed on third-party equipment, which is therefore hard to integrate fully into the business server. The invention is embedded directly in the production business and combines interception and the honeypot on the business itself, so compared with auxiliary equipment on the market it fits the real usage scenario better.
As shown in fig. 2, in an embodiment, the honeypot-based network defense system of the present invention includes a receiving module 21, an identifying module 22 and a returning module 23. The receiving module is used to preset the correspondence between the host field of a malicious traffic request header and the called script, to receive access traffic judged to be malicious by the application protection system, and to decide based on the host field whether to call the first type of script or the second type of script; the identifying module is used, when the first type of script is called, to identify the attack type of the malicious traffic based on its label and return the corresponding preset page based on the attack type; the returning module is used, when the second type of script is called, to identify the request path of the malicious traffic, identify the request type of the malicious traffic based on the request path, and return the corresponding preset page based on the request type.
Specifically, the identifying module identifying the attack type of the malicious traffic based on its label when the first type of script is called, and returning the corresponding preset page based on the attack type, includes: judging, based on the label, whether the attack type of the malicious traffic is a preset attack type; if so, identifying whether the request path of the malicious traffic is a preset request path; when the request path is a preset request path, returning a preset page based on that preset request path; and when the request path is not a preset request path, returning the first default page.
Specifically, the identifying module identifying the attack type of the malicious traffic based on its label when the first type of script is called, and returning the corresponding preset page based on the attack type, includes: judging, based on the label, whether the attack type of the malicious traffic is a preset attack type; if so, identifying whether the request parameter of the malicious traffic is a preset request parameter; when the request parameter is a preset request parameter, returning a preset page based on that preset request parameter; and when the request parameter is not a preset request parameter, returning the first default page.
Specifically, the returning module identifying the request path of the malicious traffic when the second type of script is called, identifying the request type of the malicious traffic based on the request path, and returning the corresponding preset page based on the request type, includes: identifying whether the request path is the entrance path; when it is the entrance path, returning the entrance page; when the request path is not the entrance path, identifying whether it is a login request path; when it is a login request path, obtaining the request user name and request password of the malicious traffic and judging whether they are consistent with the preset user name and preset password; when they are consistent, returning the preset login success page; when they are inconsistent, returning the preset login failure page; when the request path is not a login request path, identifying whether it is a download page reached after a successful login submission; when it is a download page, returning the preset download file; when it is not a download page, identifying whether the request path is a preset resource; when it is a preset resource, returning the preset resource; and when it is not a preset resource, returning the second default page.
Specifically, identifying the request path of the malicious traffic, identifying the request type of the malicious traffic based on the request path, and returning the corresponding preset page based on the request type includes: using the host field in the request header to decide which script to use; identifying whether the request path is a preset request path; and when the request path is a preset request path, returning the preset webpage based on the preset script.
Specifically, the attack types include, but are not limited to, any one or more of: SQL injection, XSS attack, crawler attack, CC attack, webshell attack, CSRF attack.
Specifically, the preset page corresponding to SQL injection includes any one or more of: a preset injection failure page, an injection error-report information page, or an injection success page; the preset page corresponding to an XSS attack comprises a preset pop-up window page; the preset page corresponding to a crawler attack comprises a preset service page; the preset page corresponding to a CC attack comprises a preset data information page for successful access and a fault-report page for failed page access; the preset page corresponding to a webshell attack comprises a preset page for a successful access submission, a page for a failed submission and a page for no permission; the preset page corresponding to a CSRF attack comprises a preset submission failure page, a submission error-report information page or a submission success page.
Specifically, returning the corresponding preset page based on the request type includes: presetting functions into the Lua virtual machine using the Go language; calling the corresponding preset function in the Lua virtual machine from the Lua script based on the request type to obtain a call result; and returning the corresponding preset page based on the call result.
Specifically, the request type includes any one or more of: obtaining parameters from the request packet, modifying the header, adding a cookie, returning characters, returning a page and setting a log label, matching character strings, setting an md5 value, setting a random md5 value, whether to send the log, sending static data, sending a file, redirecting, and providing alarm information.
It should be noted that the structures and principles of the receiving module 21, the identifying module 22 and the returning module 23 correspond one to one to the steps of the honeypot-based network defense method described above, and are therefore not described again here.
It should be noted that the division of the above system into modules is only a logical division; in an actual implementation they may be wholly or partially integrated into one physical entity, or physically separated. These modules may all be implemented as software invoked by a processing element, or all as hardware, or some as software called by the processing element and some as hardware. For example, the x module may be a separately established processing element, or may be integrated into a chip of the apparatus, or may be stored in a memory of the apparatus as program code that a processing element of the apparatus calls to execute the function of the x module. The other modules are implemented similarly. In addition, all or some of the modules may be integrated together or implemented independently. The processing element described here may be an integrated circuit with signal processing capability. In implementation, each step of the above method, or each module above, may be completed by an integrated logic circuit of hardware in the processor element or by instructions in the form of software.
For example, the above modules may be one or more integrated circuits configured to implement the above methods, such as one or more Application Specific Integrated Circuits (ASICs), one or more microprocessors (MPUs), or one or more Field Programmable Gate Arrays (FPGAs). As another example, when one of the above modules is implemented as program code scheduled by a processing element, the processing element may be a general-purpose processor such as a Central Processing Unit (CPU) or another processor capable of calling program code. As a further example, these modules may be integrated together and implemented as a system on a chip (SoC).
In an embodiment of the present invention, the present invention further includes a computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements any of the above-mentioned honeypot-based network defense methods.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the above method embodiments may be performed by hardware associated with a computer program. The aforementioned computer program may be stored in a computer readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
As shown in fig. 3, in an embodiment, the honeypot-based network defense apparatus of the present invention includes a processor 31 and a memory 32; the memory 32 stores a computer program; the processor 31 is connected to the memory 32 and is configured to execute the computer program stored in the memory 32, so that the honeypot-based network defense apparatus performs any one of the honeypot-based network defense methods described above.
Specifically, the memory 32 includes: various media that can store program codes, such as ROM, RAM, magnetic disk, U-disk, memory card, or optical disk.
Preferably, the processor 31 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components.
FIG. 4 shows a block diagram of a honeypot-based network defense apparatus suitable for implementing embodiments of the present invention.
The honeypot-based network defense apparatus shown in fig. 4 is only an example and should not limit in any way the function or scope of use of the embodiments of the present invention.
As shown in fig. 4, the honeypot-based network defense apparatus takes the form of a general-purpose computing device. Its components may include, but are not limited to: one or more processors or processing units 41, a storage unit 42, and a bus 43 that couples the various system components, including the storage unit 42 and the processing unit 41.
Bus 43 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MCA) bus, the Enhanced ISA bus, the Video Electronics Standards Association (VESA) local bus, and the Peripheral Component Interconnect (PCI) bus.
The honeypot-based network defense apparatus typically includes a variety of computer-system-readable media. These media may be any available media that the honeypot-based network defense apparatus can access, including volatile and non-volatile media and removable and non-removable media.
The storage unit 42 may include computer-system-readable media in the form of volatile memory, such as a random access memory (RAM) 421 and/or a cache memory 422. The honeypot-based network defense apparatus may further include other removable/non-removable, volatile/non-volatile computer system storage media. By way of example only, storage system 423 may be used to read from and write to non-removable, non-volatile magnetic media (not shown in FIG. 4, and commonly referred to as a "hard disk drive"). Although not shown in FIG. 4, a magnetic disk drive for reading from and writing to a removable, non-volatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, non-volatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 43 by one or more data media interfaces. Storage unit 42 may include at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of embodiments of the invention.
Program/utility 424, having a set (at least one) of program modules 4241, may be stored, for example, in storage unit 42; such program modules 4241 include, but are not limited to, an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment. Program modules 4241 generally perform the functions and/or methods of the described embodiments of the invention.
The honeypot-based network defense apparatus may also communicate with one or more external devices (e.g., keyboard, pointing device, display, etc.), with one or more devices that enable a user to interact with the honeypot-based network defense apparatus, and/or with any devices (e.g., network card, modem, etc.) that enable the honeypot-based network defense apparatus to communicate with one or more other computing devices. Such communication may take place through an input/output (I/O) interface 44. The honeypot-based network defense apparatus may also communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) through the network adapter 45. As shown in fig. 4, the network adapter 45 communicates with the other modules of the honeypot-based network defense apparatus via the bus 43. It should be appreciated that, although not shown in the figures, other hardware and/or software modules may be used in conjunction with the honeypot-based network defense apparatus, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID (Redundant Arrays of Independent Disks) systems, tape drives, and data backup storage systems, among others.
To achieve the above object, as shown in fig. 5, the present invention further provides a honeypot-based network defense system, which includes a honeypot-based network defense device 51 and an application protection system 52. The application protection system judges whether access traffic is malicious traffic and labels the malicious traffic according to its type. The honeypot-based network defense device receives the access traffic judged to be malicious by the application protection system and identifies whether the malicious traffic carries a label; when a label exists, it identifies the attack type of the malicious traffic based on the label and returns a corresponding preset page based on the attack type; when no label exists, it identifies the request path of the malicious traffic, identifies the request type of the malicious traffic based on the request path, and returns a corresponding preset page based on the request type.
In summary, the honeypot-based network defense method, system, medium and apparatus of the present invention merge interception and honeypot, that is, combine WAF protection with a honeypot, and give different feedback according to the various attack methods of the malicious traffic, so as to return response content flexibly and quickly and to confuse the malicious traffic. The invention therefore effectively overcomes various defects in the prior art and has high industrial utilization value.
The foregoing embodiments are merely illustrative of the principles and utilities of the present invention and are not intended to limit it. Any person skilled in the art can modify or change the above embodiments without departing from the spirit and scope of the present invention. Accordingly, it is intended that all equivalent modifications or changes which can be made by those skilled in the art without departing from the spirit and technical idea of the present invention be covered by the claims of the present invention.

Claims (17)

1. A method of network defense, comprising the steps of:
presetting a correspondence between the host field of the request header of malicious traffic and the script to be called, receiving access traffic judged to be malicious traffic by an application protection system, and deciding, based on the host field, whether to call a first-type script or a second-type script;
when the first-type script is called, identifying the attack type of the malicious traffic based on the label of the malicious traffic, and returning a corresponding preset page based on the attack type, the label serving to distinguish the attack type of the malicious traffic;
when the second-type script is called, identifying the request path of the malicious traffic, identifying the request type of the malicious traffic based on the request path, and returning a corresponding page, file or resource based on the request type;
wherein, when the first-type script is called, identifying the attack type of the malicious traffic based on the label of the malicious traffic and returning a corresponding preset page based on the attack type comprises the following steps:
judging, based on the label, whether the attack type of the malicious traffic is a preset attack type;
when it is a preset attack type, identifying whether the request path of the malicious traffic is a preset request path;
when the request path is a preset request path, returning a preset page based on the preset request path;
when the request path is not a preset request path, returning a first default page;
or, when the first-type script is called, identifying the attack type of the malicious traffic based on the label of the malicious traffic and returning a corresponding preset page based on the attack type comprises the following steps:
judging, based on the label, whether the attack type of the malicious traffic is a preset attack type;
when it is a preset attack type, identifying whether the request parameter of the malicious traffic is a preset request parameter;
when the request parameter is a preset request parameter, returning a preset page based on the preset request parameter;
and when the request parameter is not a preset request parameter, returning the first default page.
2. The network defense method according to claim 1, wherein, when the second-type script is called, identifying the request path of the malicious traffic, identifying the request type of the malicious traffic based on the request path, and returning a corresponding page, file or resource based on the request type comprises the following steps:
identifying whether the request path is the entry path;
when it is the entry path, returning the entry page;
when the request path is not the entry path, identifying whether the request path is a login request path;
when it is a login request path, obtaining the request user name and request password of the malicious traffic, and judging whether the request user name and request password of the malicious traffic are consistent with a preset user name and preset password;
when they are consistent, returning a preset login success page;
when they are inconsistent, returning a preset login failure page;
when the request path is not a login request path, identifying whether the request path is the download page reached after a login is successfully submitted;
when it is the download page, returning a preset download file;
when it is not the download page, identifying whether the request path is a preset resource;
when it is a preset resource, returning the preset resource;
and when it is not a preset resource, returning a second default page.
3. The method of claim 1, wherein identifying the request path of the malicious traffic, identifying the request type of the malicious traffic based on the request path, and returning a corresponding page, file or resource based on the request type comprises:
using the host field in the request header to decide which script to use;
identifying whether the request path is a preset request path;
and when the request path is a preset request path, returning the corresponding page, file or resource based on the preset script.
4. The method of claim 1, wherein the attack types include, but are not limited to, any one or more of: SQL injection, xss attack, crawler attack, CC attack, webshell attack, CSRF attack.
5. The method according to claim 4, wherein the preset page corresponding to SQL injection comprises any one or more of the following: a preset injection failure page, an injection error report page, or an injection success page; the preset page corresponding to the xss attack comprises a preset popup page; the preset page corresponding to the crawler attack comprises a preset service page; the preset page corresponding to the CC attack comprises a preset data information page for successful access and a preset fault report page for failed page access; the preset page corresponding to the webshell attack comprises a preset page for successful access submission, a page for failed submission, and a page for no permission; the preset page corresponding to the CSRF attack comprises a preset submission failure page, a submission error report page, or a submission success page.
6. The method of claim 1, wherein returning the corresponding page, file or resource based on the request type comprises:
registering preset functions into the Lua virtual machine from Go;
calling the corresponding preset function in the Lua virtual machine from a Lua script, selected according to the request type, to obtain a call result;
and returning the corresponding page, file or resource based on the call result.
7. The method of claim 6, wherein the request type comprises any one or more of: obtaining parameters from the request packet, modifying headers, adding cookies, returning characters, setting a log label on the returned page, matching character strings, setting an md5 value, setting a random md5 value, deciding whether to send a log, sending static data, sending a file, redirecting, and providing alarm information.
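The Host-selected script dispatch of claims 1 and 2, together with the Go-side preset functions of claims 6 and 7 (and the description above), as an added example in Go; this is not the patent's own code. The Lua virtual machine is replaced by a name-keyed Go registry of preset functions (an assumption), and every host name, path, page name, attack label, resource and decoy credential below is a constructed value, not taken from the patent. Treating an attack type that is not preset as falling through to the first default page is also an assumption, since claim 1 does not state that case.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
)

// Request models the access traffic the application protection system (WAF)
// hands to the honeypot; Tag is the WAF attack-type label ("" when absent).
// Field names are constructed for this example.
type Request struct {
	Host, Path, Tag string
	Params          map[string]string
}

// Response is the honeypot reply: the preset page plus headers set by the
// preset functions (log label, cookie).
type Response struct {
	Page    string
	Headers map[string]string
}

// PresetFunc stands in for a Go function registered into the Lua VM; the
// Lua script layer is replaced here by a name-keyed Go registry (assumption).
type PresetFunc func(r *Request, resp *Response)

// presetFuncs implements two of the request types listed in claim 7.
var presetFuncs = map[string]PresetFunc{
	"set_log_label": func(r *Request, resp *Response) {
		// label the returned page so the honeypot log can be correlated with the WAF label
		resp.Headers["X-Honeypot-Log"] = r.Tag + ":" + r.Path
	},
	"add_cookie": func(r *Request, resp *Response) {
		// an md5 value used as a stable decoy session token
		sum := md5.Sum([]byte(r.Host + r.Path))
		resp.Headers["Set-Cookie"] = "session=" + hex.EncodeToString(sum[:])
	},
}

// Constructed configuration. Hosts in firstTypeHosts run the label-driven
// first-type script; all others run the path-driven second-type script.
// presetPathPages / presetParamPages map each preset attack type to its
// preset paths / parameters and the page returned for them (claim 1).
var (
	firstTypeHosts   = map[string]bool{"shop.example.com": true}
	presetPathPages  = map[string]map[string]string{"sqli": {"/api/users": "sqli_injection_failed"}}
	presetParamPages = map[string]map[string]string{"sqli": {"id": "sqli_error_report"}}
	presetResources  = map[string]string{"/static/app.js": "preset_resource_app_js"}
)

// Second-type script paths and decoy credentials (claim 2). Constructed.
const (
	entryPath, loginPath, downloadPath = "/index", "/login", "/download"
	presetUser, presetPass             = "admin", "admin123"
)

// HoneypotPage is the dispatch of claims 1 and 2: choose the script by Host,
// resolve the page, then apply the preset functions that decorate it.
func HoneypotPage(r *Request) Response {
	resp := Response{Headers: map[string]string{}}
	if firstTypeHosts[r.Host] {
		resp.Page = firstTypeScript(r)
	} else {
		resp.Page = secondTypeScript(r)
	}
	for _, name := range []string{"set_log_label", "add_cookie"} {
		presetFuncs[name](r, &resp)
	}
	return resp
}

// firstTypeScript: preset attack type? then preset path, else preset
// parameter, else the first default page (unknown attack type: assumption).
func firstTypeScript(r *Request) string {
	pathPages, known := presetPathPages[r.Tag]
	if !known {
		return "first_default"
	}
	if page, ok := pathPages[r.Path]; ok {
		return page
	}
	for name := range r.Params {
		if page, ok := presetParamPages[r.Tag][name]; ok {
			return page
		}
	}
	return "first_default"
}

// secondTypeScript walks the path checks of claim 2 in order.
func secondTypeScript(r *Request) string {
	switch r.Path {
	case entryPath:
		return "entry_page"
	case loginPath:
		if r.Params["username"] == presetUser && r.Params["password"] == presetPass {
			return "login_success"
		}
		return "login_failed"
	case downloadPath:
		return "preset_download_file"
	}
	if res, ok := presetResources[r.Path]; ok {
		return res
	}
	return "second_default"
}
```

Only two of the claim 7 request types are registered (log label and cookie); the others would be added to `presetFuncs` in the same shape, and in the patent's arrangement the Lua script would pick them by name in exactly the way `HoneypotPage` iterates the registry here. Note that the decoy credentials and page names never touch the protected application: the honeypot only ever answers with preset content.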
8. A network defense system, comprising a receiving module, an identification module and a return module;
the receiving module is used for presetting a correspondence between the host field of the request header of malicious traffic and the script to be called, receiving access traffic judged to be malicious traffic by an application protection system, and deciding, based on the host field, whether to call a first-type script or a second-type script;
the identification module is used for identifying, when the first-type script is called, the attack type of the malicious traffic based on the label of the malicious traffic, and returning a corresponding preset page based on the attack type, the label serving to distinguish the attack type of the malicious traffic;
the return module is used for identifying, when the second-type script is called, the request path of the malicious traffic, identifying the request type of the malicious traffic based on the request path, and returning a corresponding page, file or resource based on the request type;
wherein the identification module identifying, when the first-type script is called, the attack type of the malicious traffic based on the label of the malicious traffic and returning a corresponding preset page based on the attack type comprises the following steps:
judging, based on the label, whether the attack type of the malicious traffic is a preset attack type;
when it is a preset attack type, identifying whether the request path of the malicious traffic is a preset request path;
when the request path is a preset request path, returning a preset page based on the preset request path;
when the request path is not a preset request path, returning a first default page;
or, the identification module identifying, when the first-type script is called, the attack type of the malicious traffic based on the label of the malicious traffic and returning a corresponding preset page based on the attack type comprises the following steps:
judging, based on the label, whether the attack type of the malicious traffic is a preset attack type;
when it is a preset attack type, identifying whether the request parameter of the malicious traffic is a preset request parameter;
when the request parameter is a preset request parameter, returning a preset page based on the preset request parameter;
and when the request parameter is not a preset request parameter, returning the first default page.
9. The network defense system of claim 8, wherein the return module identifying, when the second-type script is called, the request path of the malicious traffic, identifying the request type of the malicious traffic based on the request path, and returning a corresponding page, file or resource based on the request type comprises:
identifying whether the request path is the entry path;
when it is the entry path, returning the entry page;
when the request path is not the entry path, identifying whether the request path is a login request path;
when it is a login request path, obtaining the request user name and request password of the malicious traffic, and judging whether the request user name and request password of the malicious traffic are consistent with a preset user name and preset password;
when they are consistent, returning a preset login success page;
when they are inconsistent, returning a preset login failure page;
when the request path is not a login request path, identifying whether the request path is the download page reached after a login is successfully submitted;
when it is the download page, returning a preset download file;
when it is not the download page, identifying whether the request path is a preset resource;
when it is a preset resource, returning the preset resource;
and when it is not a preset resource, returning a second default page.
10. The system of claim 8, wherein identifying the request path of the malicious traffic, identifying the request type of the malicious traffic based on the request path, and returning a corresponding page, file or resource based on the request type comprises:
using the host field in the request header to decide which script to use;
identifying whether the request path is a preset request path;
and when the request path is a preset request path, returning the corresponding page, file or resource based on the preset script.
11. The network defense system of claim 8, wherein the attack types include, but are not limited to, any one or more of: SQL injection, xss attack, crawler attack, CC attack, webshell attack, CSRF attack.
12. The system of claim 11, wherein the preset page corresponding to SQL injection comprises any one or more of the following: a preset injection failure page, an injection error report page, or an injection success page; the preset page corresponding to the xss attack comprises a preset popup page; the preset page corresponding to the crawler attack comprises a preset service page; the preset page corresponding to the CC attack comprises a preset data information page for successful access and a preset fault report page for failed page access; the preset page corresponding to the webshell attack comprises a preset page for successful access submission, a page for failed submission, and a page for no permission; the preset page corresponding to the CSRF attack comprises a preset submission failure page, a submission error report page, or a submission success page.
13. The system of claim 8, wherein returning the corresponding page, file or resource based on the request type comprises:
registering preset functions into the Lua virtual machine from Go;
calling the corresponding preset function in the Lua virtual machine from a Lua script, selected according to the request type, to obtain a call result;
and returning the corresponding page, file or resource based on the call result.
14. The network defense system of claim 13, wherein the request type comprises any one or more of: obtaining parameters from the request packet, modifying headers, adding cookies, returning characters, setting a log label on the returned page, matching character strings, setting an md5 value, setting a random md5 value, deciding whether to send a log, sending static data, sending a file, redirecting, and providing alarm information.
15. A computer-readable storage medium having a computer program stored thereon, the computer program being executable by a processor to implement the network defense method of any one of claims 1 to 7.
16. A network defense apparatus, comprising: a processor and a memory;
the memory is used for storing a computer program;
the processor is coupled to the memory for executing the computer program stored in the memory to cause the apparatus to perform the network defense method of any one of claims 1 to 7.
17. A network defense system, comprising the network defense apparatus of claim 16 and an application protection system;
the application protection system is used for judging whether access traffic is malicious traffic and labeling the malicious traffic according to its type;
the network defense apparatus is used for receiving access traffic judged to be malicious traffic by the application protection system and identifying whether the malicious traffic carries a label; when a label exists, identifying the attack type of the malicious traffic based on the label and returning a corresponding preset page based on the attack type; and when no label exists, identifying the request path of the malicious traffic, identifying the request type of the malicious traffic based on the request path, and returning a corresponding preset page based on the request type.
CN202110913734.9A 2021-08-10 2021-08-10 Honeypot-based network defense method, system, medium and device Active CN113645234B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110913734.9A CN113645234B (en) 2021-08-10 2021-08-10 Honeypot-based network defense method, system, medium and device

Publications (2)

Publication Number Publication Date
CN113645234A CN113645234A (en) 2021-11-12
CN113645234B true CN113645234B (en) 2022-12-13

Family

ID=78420526

Country Status (1)

Country Link
CN (1) CN113645234B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114257438B (en) * 2021-12-16 2024-01-23 南方电网数字平台科技(广东)有限公司 Electric power monitoring system management method and device based on honeypot and computer equipment
CN115037526B (en) * 2022-05-19 2024-04-19 咪咕文化科技有限公司 Anticreeper method, device, equipment and computer storage medium
CN115086405B (en) * 2022-06-10 2024-05-31 上海莉莉丝科技股份有限公司 Data processing method, system, device, medium and program product for server
CN115664843B (en) * 2022-11-21 2023-03-10 北京长亭未来科技有限公司 Active spoofing defense method, system, equipment and medium for Web attack

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2604544A1 (en) * 2005-04-18 2006-10-26 The Trustees Of Columbia University In The City Of New York Systems and methods for detecting and inhibiting attacks using honeypots
CN107707576A (en) * 2017-11-28 2018-02-16 深信服科技股份有限公司 A kind of network defense method and system based on Honeypot Techniques
CN111865960A (en) * 2020-07-15 2020-10-30 北京市燃气集团有限责任公司 Network intrusion scene analysis processing method, system, terminal and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Lu Jiubin

Inventor after: Sun Ke

Inventor before: Lu Jiubin

GR01 Patent grant