CN113645242A - Honeypot source tracing method, device and related equipment - Google Patents

Info

Publication number: CN113645242A
Authority: CN (China)
Prior art keywords: tracing, honeypot, traceability, script, information
Legal status: Granted
Application number: CN202110920729.0A
Other languages: Chinese (zh)
Other versions: CN113645242B (en)
Inventor: 陈学亮, 范渊, 刘博�
Current Assignee: DBAPPSecurity Co Ltd
Original Assignee: DBAPPSecurity Co Ltd

Events:
  • Application filed by DBAPPSecurity Co Ltd
  • Priority to CN202110920729.0A
  • Publication of CN113645242A
  • Application granted
  • Publication of CN113645242B
  • Status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281: Proxies
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application discloses a honeypot source tracing method applied to honeypot nodes, comprising: receiving a page access request; loading a tracing script from a tracing server according to the page access request; executing the tracing script to obtain tracing information; and sending the tracing information to the tracing server so that the tracing server sends the tracing information to a management end. The method enables quick updating of the honeypot node tracing function and improves the maintainability of the honeypot traceability system. The application also discloses a honeypot traceability device, a honeypot traceability system, honeypot traceability equipment and a computer-readable storage medium, which have the same beneficial effects.

Description

Honeypot source tracing method, device and related equipment
Technical Field
The application relates to the technical field of computer security, in particular to a honeypot source tracing method, and further relates to a honeypot source tracing device, system, equipment and a computer readable storage medium.
Background
Honeypot technology is essentially a technique for deceiving attackers: hosts, network services or information are set up as decoys to induce attackers to attack them, so that the attack behavior can be captured and analyzed, the tools and methods used by the attackers understood, and their intentions and motivations inferred. Defenders thereby gain a clear picture of the security threats they face and can strengthen the protection of the actual system through technical and management means.
In current deception and trapping technology, the tracing capability of a honeypot is a very important indicator. Tracing scripts (tracing js) are developed by collecting the characteristics of different websites, and when an attacker attacks a honeypot, the honeypot can obtain the attacker's social identity information on a number of social websites through tracing calculation. Generally, a tracing js is a js script developed according to the vulnerability characteristics of a particular social site, and integrating these tracing js gives the honeypot system its tracing capability. However, once such tracing js are widely used, the companies concerned usually close the corresponding vulnerabilities in their sites, so the original tracing js stops working and the tracing capability of the deployed honeypots is lost; the tracing js must be updated before it can work again. In addition, in real attack-and-defense engagements, if an attacker discovers the tracing js of one honeypot, other honeypots can be matched in batches by the js fingerprint and thereby exposed; the defender then needs to switch off the honeypots' tracing capability promptly to avoid exposing itself.
However, referring to FIG. 1, which is a schematic structural diagram of a prior-art honeypot traceability system, a conventional honeypot traceability system needs to deploy many honeypot nodes to enlarge its coverage, and the tracing function is usually integrated into the monitor program in each honeypot node. In this architecture, updating or maintaining the tracing function in batches becomes extremely difficult.
Therefore, how to realize quick updating of the honeypot node tracing function and improve the maintainability of the honeypot traceability system is a problem to be solved by those skilled in the art.
Disclosure of Invention
An object of the present application is to provide a honeypot source tracing method that can realize quick updating of the honeypot node tracing function and improve the maintainability of the honeypot traceability system; another object of the present application is to provide a honeypot traceability device, system, equipment and computer-readable storage medium, all having the above-mentioned advantages.
In a first aspect, the present application provides a honeypot source tracing method, applied to honeypot nodes, including:
receiving a page access request;
loading a tracing script from a tracing server according to the page access request;
executing the tracing script to obtain tracing information;
and sending the tracing information to the tracing server so that the tracing server sends the tracing information to a management end.
Preferably, the loading a tracing script from a tracing server according to the page access request includes:
determining a reverse proxy rule in the nginx configuration file;
and loading the tracing script from the tracing server by utilizing the reverse proxy rule.
Preferably, the honeypot traceability method further comprises:
receiving a control instruction corresponding to the reverse proxy rule;
and starting or closing the source tracing function of the honeypot nodes according to the control instruction.
Preferably, the honeypot traceability method further comprises:
and the management terminal updates the tracing script in the tracing server to obtain an updated tracing script.
Preferably, the honeypot traceability method further comprises:
the management terminal judges whether script exposure information exists in the tracing information or not;
if yes, a one-key shutdown instruction is sent to the tracing server.
Preferably, the honeypot traceability method further comprises:
and the management terminal sends the tracing information to a visual interface for displaying.
In a second aspect, the present application further discloses a honeypot source tracing device, which is applied to honeypot nodes, and includes:
the request receiving module is used for receiving a page access request;
the script loading module is used for loading a tracing script from a tracing server according to the page access request;
the script execution module is used for executing the tracing script to obtain tracing information;
and the information uploading module is used for sending the tracing information to the tracing server so that the tracing server sends the tracing information to a management end.
In a third aspect, the present application further discloses a honeypot traceability system, comprising:
the honeypot node is used for loading a tracing script from the tracing server according to the received page access request; executing the tracing script to obtain tracing information; uploading the tracing information to the tracing server;
the traceability server is used for providing the traceability script for the honeypot nodes and uploading the traceability information to a management end;
and the management terminal is used for receiving and storing the tracing information.
In a fourth aspect, the present application further discloses a honeypot traceability device, including:
a memory for storing a computer program;
a processor for implementing the steps of any of the honeypot traceability methods described above when the computer program is executed.
In a fifth aspect, the present application further discloses a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of any of the honeypot traceability methods described above.
The honeypot source tracing method is applied to honeypot nodes and comprises the steps of receiving a page access request; loading a tracing script from a tracing server according to the page access request; executing the tracing script to obtain tracing information; and sending the tracing information to the tracing server so that the tracing server sends the tracing information to a management end.
Therefore, the honeypot traceability method provided by the application deploys the tracing script on an independent tracing server, so that each honeypot node can load the tracing script to realize the tracing function and thereby acquire tracing information. This decouples the honeypot nodes from the tracing function, and a single tracing server gives a plurality of honeypot nodes tracing capability.
The honeypot traceability device, system, equipment and computer-readable storage medium provided by the application have the same beneficial effects, which are not described in detail herein.
Drawings
In order to more clearly illustrate the technical solutions in the prior art and the embodiments of the present application, the drawings that are needed to be used in the description of the prior art and the embodiments of the present application will be briefly described below. Of course, the following description of the drawings related to the embodiments of the present application is only a part of the embodiments of the present application, and it will be obvious to those skilled in the art that other drawings can be obtained from the provided drawings without any creative effort, and the obtained other drawings also belong to the protection scope of the present application.
FIG. 1 is a schematic diagram of a honeypot traceability system in the prior art;
FIG. 2 is a schematic flow chart of a method for tracing honeypots provided by the present application;
FIG. 3 is a schematic structural diagram of a honeypot traceability system provided in the present application;
FIG. 4 is a schematic structural diagram of a honeypot traceability device provided in the present application;
FIG. 5 is a schematic structural diagram of a honeypot traceability device provided in the present application.
Detailed Description
The core of the application is to provide a honeypot traceability method that can realize quick updating of the honeypot node tracing function and improve the maintainability of the honeypot traceability system; another core of the present application is to provide a honeypot traceability device, system, equipment and computer-readable storage medium, which also have the above beneficial effects.
In order to more clearly and completely describe the technical solutions in the embodiments of the present application, the technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application provides a honeypot source tracing method.
Referring to FIG. 2, which is a schematic flow chart of a honeypot tracing method provided in the present application, the honeypot tracing method is applied to a honeypot node and may include:
S101: receiving a page access request;
It should be noted that a large number of honeypot nodes are generally deployed in the honeypot traceability system to expand the coverage area and obtain more tracing information, and the honeypot traceability method provided by the present application can be applied to each honeypot node in the honeypot traceability system.
The above steps are intended to enable the reception of a page access request, wherein the page access request is initiated by a visitor (typically an attacker) towards the honeypot node for opening/accessing/reading a web service page in the honeypot node.
S102: loading a tracing script from a tracing server according to a page access request;
This step aims to load the tracing script, which is used to realize the tracing function of the honeypot nodes. Specifically, a tracing server capable of data communication (wired or wireless) with each honeypot node is deployed in the honeypot traceability system in advance to host the tracing script. Each honeypot node in the system can therefore load the tracing script from the tracing server when it receives a page access request, and realize the tracing function based on that script, thereby acquiring tracing information.
Because the tracing script is deployed on an independent tracing server rather than the tracing function being deployed on each honeypot node, an update only needs to replace the tracing script on the tracing server; the tracing function of each honeypot node does not need to be updated individually. The tracing script, and with it the tracing function of the honeypot nodes, is thus updated quickly.
As a preferred embodiment, the loading the tracing script from the tracing server according to the page access request may include: determining a reverse proxy rule in the nginx configuration file; and loading the tracing script from the tracing server by utilizing the reverse proxy rule.
The preferred embodiment provides a loading method of a tracing script, which is realized based on a reverse proxy rule in a honeypot node. Specifically, nginx (web server) can be deployed in each honeypot node of the honeypot traceability system, and a reverse proxy rule is added under the specified path of the nginx configuration file, the reverse proxy rule points to the traceability server, so that loading of the traceability script in the traceability server is facilitated, and the reverse proxy rule of each honeypot node in the traceability system is the same. Therefore, for the honeypot node, when a page access request is received, the reverse proxy rule in the nginx configuration file is determined first, and then the tracing script in the tracing server is automatically loaded based on the reverse proxy rule.
As a preferred embodiment, the honeypot tracing method may further include: receiving a control instruction corresponding to the reverse proxy rule; and starting or closing the source tracing function of the honeypot nodes according to the control instruction.
As mentioned above, the honeypot node can utilize the reverse proxy rule to realize the loading of the tracing script, and similarly, the honeypot node can also realize the opening and closing of the tracing function by controlling the reverse proxy rule. Specifically, when a control instruction about the reverse proxy rule is received, the start and the stop of the tracing function of the corresponding honeypot node can be realized based on the control instruction. Obviously, the turning on and off of the tracing function is directed to the current honeypot node itself, and is independent of other honeypot nodes in the tracing system.
S103: executing the tracing script to obtain tracing information;
This step obtains the tracing information by executing the tracing script: once the honeypot node has loaded the tracing script from the tracing server, it executes the script directly to obtain the tracing information. The tracing information refers to data about the visitor, such as the visitor's social identity information on a plurality of social networking sites, fingerprint information and attack behavior information; the specific content does not affect the implementation of the technical scheme, and the application is not limited thereto. It can be understood that the greater the variety and amount of tracing information, the better the honeypot tracing system can understand the security threat posed by the current visitor.
S104: and sending the tracing information to a tracing server so that the tracing server sends the tracing information to a management end.
This step aims to feed back the tracing information. In a specific implementation, the honeypot node first sends the tracing information obtained with the tracing script to the tracing server, and the tracing server then uploads it to the management end for subsequent analysis and processing, which completes the information tracing based on the honeypot node. Furthermore, to ensure the security of the tracing information, the tracing server may upload it to the management end through an encrypted transmission channel, or encrypt the tracing information and upload the encrypted tracing information to the management end.
As a preferred embodiment, the honeypot tracing method may further include: and the management terminal updates the tracing script in the tracing server to obtain the updated tracing script.
The honeypot tracing method provided by the preferred embodiment aims to realize the updating function of the tracing script, and the updating process can be realized based on a management end. Specifically, when the original tracing script in the tracing server is unavailable and the script needs to be updated, the new tracing script can be injected into the tracing server by the management terminal to obtain the updated tracing script. Therefore, the tracing function of each honeypot node in the tracing system is updated by updating one tracing script in one tracing server.
As a preferred embodiment, the honeypot tracing method may further include: the management terminal judges whether script exposure information exists in the tracing information; if yes, a one-key shutdown instruction is sent to the tracing server.
The honeypot traceability method provided by this preferred embodiment aims to realize a one-key shutdown function for the tracing server, and the one-key shutdown process can be carried out by the management end. Specifically, after receiving the tracing information uploaded by the tracing server, the management terminal can analyze it and judge whether it contains script exposure information, that is, whether the current tracing script has been exposed. When script exposure information is found in the tracing information, a one-key shutdown instruction can be issued to the tracing server to shut down the tracing service on it and so protect every honeypot node in the tracing system. Shutting down the tracing service on the one tracing server thus shuts down the tracing function of all honeypot nodes in the tracing system.
As a preferred embodiment, the honeypot tracing method may further include: and the management terminal sends the tracing information to a visual interface for displaying.
The honeypot traceability method provided by this preferred embodiment aims to realize visual display of the tracing information, and the display process can be carried out by the management end. Specifically, the management terminal sends the tracing information fed back by each traceability node directly to a corresponding visual interface for display, so that technical personnel can review the visitors' data quickly and intuitively and determine whether a security threat currently exists. Furthermore, the management terminal can also store each piece of tracing information in a corresponding storage medium for subsequent information tracing.
Therefore, the honeypot traceability method provided by the application deploys the tracing script on an independent tracing server, so that each honeypot node can load the tracing script to realize the tracing function and thereby acquire tracing information. This decouples the honeypot nodes from the tracing function, and a single tracing server gives a plurality of honeypot nodes tracing capability.
Based on the above embodiments, the present application provides another honeypot source tracing method.
Referring to fig. 3, fig. 3 is a schematic structural diagram of a honeypot traceability system provided in the present application, the honeypot traceability system mainly includes a WEB management end, a traceability server and a plurality of honeypot nodes, and the corresponding implementation functions are as follows:
1. The WEB management terminal is used for receiving and displaying the tracing information.
2. The tracing server is used for receiving the tracing requests sent by the honeypot nodes and sending corresponding tracing results (tracing information) to the WEB management end for displaying:
A tracing service is deployed on the tracing server; specifically, a tracing program can be installed in an independent virtual machine. The tracing service injects a tracing script into the honeypot node in response to a tracing request, so that, while the attacker browses the web page, the honeypot node can obtain the attacker's social information on different social sites according to the tracing script and transmit it back to the tracing server. Further, on receiving the tracing information, the tracing server can upload it to the WEB management end through an encrypted transmission channel, where it is analyzed and presented visually.
3. The honeypot node is used for initiating a tracing request to the tracing server to load a tracing script, further obtaining tracing information by executing the tracing script, and uploading the tracing information to the tracing server:
First, a web service (nginx) is deployed in each honeypot node, and a reverse proxy is then implemented on top of nginx; specifically, a reverse proxy rule can be added to the nginx configuration file through proxy_pass. In deployment, a reverse proxy rule pointing to the tracing server is added under the specified path of the nginx configuration file, and the reverse proxy rule is the same in every honeypot node. Further, when an attacker opens the WEB page of a honeypot node, the browser automatically loads the tracing script from the tracing server to perform information tracing. In a specific implementation, before nginx returns the page response, the reverse proxy rule inserts the tracing script into the html response body to load it; the tracing script is then executed, which triggers the tracing action. Finally, when a honeypot node loads the tracing script, the url of the tracing script is proxied to the tracing server through proxy_pass, and the tracing script requests of all honeypot nodes are proxied to the tracing server in the same way. In a specific implementation, the loading path of the tracing script can be inserted into the page when the page response is returned, based on the sub-parser function of nginx, so that the browser end of the honeypot node loads the tracing script in the page after obtaining the page response; the loading request is actually forwarded to the tracing server according to the proxy_pass rule of nginx, and the tracing server returns the real tracing script.
In addition, when a new tracing script needs to be integrated, only the tracing main program in the tracing server needs to be replaced through the WEB management end, after which all honeypot nodes immediately have the latest tracing capability. When a honeypot node faces exposure risk because of its tracing behavior, the one-key shutdown service can be started on the tracing server through the WEB management end; the attacker end then cannot obtain the corresponding tracing script, so honeypot exposure is avoided.
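The node-side rules described above, written out as an nginx configuration. This is an added example, not configuration taken from the patent. It assumes that the "sub-parser function" is nginx's `sub_filter` directive (ngx_http_sub_module); the paths `/assets/site.js` and `/assets/c`, the `tracing.d` include directory, the address 192.0.2.10 and the tracing server's `/trace.js` and `/report` endpoints are all hypothetical.

```nginx
# Added illustration; every path, name and address below is a placeholder.
# The three "file" sections are separate files on the honeypot node.

# ---- file: /etc/nginx/conf.d/decoy.conf (identical on every node) ----
upstream tracing_server {
    server 192.0.2.10:8080;      # tracing server (documentation address)
}

server {
    listen 80;
    server_name _;
    root /var/www/decoy;         # decoy web service pages

    location / {
        # The injection rule sits in its own file so that a control
        # instruction can switch tracing on or off for this node only:
        # add or remove the file, then run `nginx -s reload`.
        # A glob that matches no file is not an error.
        include /etc/nginx/tracing.d/inject*.conf;
    }

    # Reverse proxy rules pointing at the tracing server (same toggle).
    include /etc/nginx/tracing.d/proxy*.conf;
}

# ---- file: /etc/nginx/tracing.d/inject.conf ----
# Insert the loading path of the tracing script into the html response
# body before the page is returned. Only the path is inserted; the
# script itself never resides on the node.
sub_filter_once on;
sub_filter '</head>' '<script src="/assets/site.js"></script></head>';

# ---- file: /etc/nginx/tracing.d/proxy.conf ----
# The browser requests the script from the node; nginx forwards the
# request to the tracing server, which returns the current script.
# Replacing the script there updates every node at once.
location = /assets/site.js {
    proxy_pass http://tracing_server/trace.js;
    # After a one-key shutdown the upstream is unreachable. Answer like
    # any missing static file instead of a 502 that reveals a proxy.
    error_page 502 504 = @no_script;
}

# Path the tracing information is posted back through (an assumption:
# the patent only states that the node sends it to the tracing server).
location = /assets/c {
    limit_except POST { deny all; }
    client_max_body_size 64k;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass http://tracing_server/report;
}

location @no_script {
    return 404;
}
```

Because the rule is the same on every node, the injected path is itself a value that can be matched across nodes, which is the batch-fingerprinting risk the Background describes; after a shutdown at the tracing server the script tag remains in the page until `inject.conf` is also removed on the node.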
Therefore, the honeypot traceability method provided by the embodiment of the application deploys the tracing script on an independent tracing server, so that each honeypot node can load the tracing script to realize the tracing function and thereby acquire tracing information. This decouples the honeypot nodes from the tracing function, and a single tracing server gives a plurality of honeypot nodes tracing capability. At the same time, the tracing capability can be updated and extended quickly and conveniently, so that the honeypot nodes can obtain more tracing information, and when the tracing capability is discovered, the tracing configuration can be cleared quickly to prevent batch exposure of honeypots, which effectively improves the maintainability of the honeypot traceability system.
In order to solve the above technical problem, the present application further provides a honeypot source tracing apparatus. Referring to FIG. 4, which is a schematic structural diagram of the honeypot source tracing apparatus provided by the present application, the apparatus is applied to honeypot nodes and may include:
a request receiving module 1, configured to receive a page access request;
the script loading module 2 is used for loading the tracing script from the tracing server according to the page access request;
the script execution module 3 is used for executing the tracing script to obtain tracing information;
and the information uploading module 4 is used for sending the tracing information to the tracing server so that the tracing server sends the tracing information to the management terminal.
Therefore, the honeypot traceability device provided by the embodiment of the application deploys the tracing script on an independent tracing server, so that each honeypot node can load the tracing script to realize the tracing function and thereby acquire tracing information. This decouples the honeypot nodes from the tracing function, and a single tracing server gives a plurality of honeypot nodes tracing capability.
As a preferred embodiment, the script loading module 2 may be specifically configured to determine a reverse proxy rule in the nginx configuration file; and loading the tracing script from the tracing server by utilizing the reverse proxy rule.
As a preferred embodiment, the honeypot traceability device may further include a traceability function control module, configured to receive a control instruction corresponding to the reverse proxy rule; and starting or closing the source tracing function of the honeypot nodes according to the control instruction.
For the introduction of the apparatus provided in the present application, please refer to the above method embodiments, which are not described herein again.
In order to solve the above technical problem, the present application further provides a honeypot traceability system, which may include:
the honeypot node is used for loading a tracing script from the tracing server according to the received page access request; executing the tracing script to obtain tracing information; uploading the tracing information to a tracing server;
the source tracing server is used for providing a source tracing script for the honeypot nodes and uploading source tracing information to the management end;
and the management terminal is used for receiving and storing the tracing information.
Therefore, the honeypot traceability system provided by the embodiment of the application deploys the tracing script on an independent tracing server, so that each honeypot node can load the tracing script to realize the tracing function and thereby acquire tracing information. This decouples the honeypot nodes from the tracing function, and a single tracing server gives a plurality of honeypot nodes tracing capability.
As a preferred embodiment, the management end may further be configured to update the tracing script in the tracing server to obtain an updated tracing script.
As a preferred embodiment, the management terminal may further be configured to determine whether the tracing information includes script exposure information; if yes, a one-key shutdown instruction is sent to the tracing server.
As a preferred embodiment, the management terminal may further be configured to send the traceability information to a visual interface for display.
For the introduction of the system provided by the present application, please refer to the above method embodiment, which is not described herein again.
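The three roles and their control paths can be modelled directly. The following Python model is an added example, not code from the patent: all class, method and field names are hypothetical, the `script_exposed` field is an assumed representation of "script exposure information", `rule_enabled` stands in for the nginx reverse proxy rule on a node, and the visitor records are constructed.

```python
# Constructed model of the honeypot node / tracing server / management end roles.
# All class, method and field names are hypothetical, not taken from the patent.

class ManagementEnd:
    def __init__(self):
        self.records = []                       # stored tracing information

    def receive(self, info, server):
        self.records.append(info)               # receive and store
        if info.get("script_exposed"):          # assumed marker for script exposure information
            server.enabled = False              # one-key shutdown at the tracing server

class TracingServer:
    def __init__(self, script, mgmt):
        self.script, self.mgmt, self.enabled = script, mgmt, True

    def serve_script(self):
        return self.script if self.enabled else None

    def upload(self, info):
        self.mgmt.receive(info, self)           # forward to the management end

class HoneypotNode:
    def __init__(self, name, server):
        self.name, self.server = name, server
        self.rule_enabled = True                # stands in for the nginx reverse proxy rule

    def handle_page_request(self, visitor):
        """Return True if tracing ran for this request; the page is served either way."""
        script = self.server.serve_script() if self.rule_enabled else None
        if script is None:
            return False
        self.server.upload(dict(script(visitor), node=self.name))
        return True

def script_v1(visitor):                         # stand-in for the tracing script
    return {"ip": visitor["ip"], "script_exposed": visitor.get("inspected_script", False)}

def script_v2(visitor):                         # updated script pushed by the management end
    return dict(script_v1(visitor), user_agent=visitor.get("ua", ""))

def demo():
    mgmt = ManagementEnd()
    server = TracingServer(script_v1, mgmt)
    web, admin = HoneypotNode("web", server), HoneypotNode("admin-ui", server)
    ran = [web.handle_page_request({"ip": "203.0.113.7"})]
    server.script = script_v2                   # one update reaches both nodes
    ran.append(admin.handle_page_request({"ip": "203.0.113.8", "ua": "constructed-UA"}))
    admin.rule_enabled = False                  # per-node control instruction: tracing off
    ran.append(admin.handle_page_request({"ip": "203.0.113.9"}))
    ran.append(web.handle_page_request({"ip": "203.0.113.10", "inspected_script": True}))
    ran.append(web.handle_page_request({"ip": "203.0.113.11"}))  # after global shutdown
    return ran, mgmt.records, server.enabled
```

The per-node toggle affects only `admin-ui`, while the shutdown triggered by the exposure record stops tracing on every node that shares the tracing server.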
To solve the above technical problem, the present application further provides a honeypot traceability device. Referring to Fig. 5, which is a schematic structural diagram of the honeypot traceability device provided by the present application, the honeypot traceability device may include:
a memory 10 for storing a computer program;
a processor 20, configured to implement the steps of any of the above honeypot traceability methods when executing the computer program.
For details of the device provided in the present application, refer to the method embodiments above; they are not repeated here.
To solve the above problem, the present application further provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program can implement the steps of any one of the above honeypot traceability methods.
The computer-readable storage medium may include various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
For details of the computer-readable storage medium provided in the present application, refer to the method embodiments above; they are not repeated here.
The embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar the embodiments may be referred to one another. The device disclosed in an embodiment corresponds to the method disclosed in that embodiment, so its description is brief; for the relevant points, refer to the description of the method.
Those skilled in the art will further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The technical solutions provided by the present application are described in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, without departing from the principle of the present application, several improvements and modifications can be made to the present application, and these improvements and modifications also fall into the protection scope of the present application.

Claims (10)

1. A honeypot traceability method, applied to a honeypot node, comprising:
receiving a page access request;
loading a tracing script from a tracing server according to the page access request;
executing the tracing script to obtain tracing information;
and sending the tracing information to the tracing server so that the tracing server sends the tracing information to a management end.
2. The honeypot traceability method of claim 1, wherein the loading of the traceability script from the traceability server according to the page access request comprises:
determining a reverse proxy rule in the nginx configuration file;
and loading the tracing script from the tracing server by utilizing the reverse proxy rule.
3. The honeypot traceability method of claim 2, further comprising:
receiving a control instruction corresponding to the reverse proxy rule;
and enabling or disabling the tracing function of the honeypot node according to the control instruction.
4. The honeypot traceability method of claim 1, further comprising:
the management end updating the tracing script in the tracing server to obtain an updated tracing script.
5. The honeypot traceability method of claim 1, further comprising:
the management end determining whether script exposure information exists in the tracing information;
and if so, sending a one-key shutdown instruction to the tracing server.
6. The honeypot traceability method of claim 1, further comprising:
the management end sending the tracing information to a visual interface for display.
7. A honeypot traceability device, applied to a honeypot node, comprising:
a request receiving module, configured to receive a page access request;
a script loading module, configured to load a tracing script from a tracing server according to the page access request;
a script execution module, configured to execute the tracing script to obtain tracing information;
and an information uploading module, configured to send the tracing information to the tracing server so that the tracing server sends the tracing information to a management end.
8. A honeypot traceability system, comprising:
a honeypot node, configured to load a tracing script from the tracing server according to a received page access request, execute the tracing script to obtain tracing information, and upload the tracing information to the tracing server;
the tracing server, configured to provide the tracing script to the honeypot node and to upload the tracing information to a management end;
and the management end, configured to receive and store the tracing information.
9. A honeypot traceability device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the honeypot traceability method of any one of claims 1 to 6 when executing the computer program.
10. A computer-readable storage medium, characterized in that a computer program is stored thereon, which computer program, when being executed by a processor, carries out the steps of the honeypot traceability method of any one of claims 1 to 6.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110920729.0A CN113645242B (en) 2021-08-11 2021-08-11 Honeypot source tracing method, device and related equipment

Publications (2)

Publication Number Publication Date
CN113645242A (en) 2021-11-12
CN113645242B (en) 2022-11-22

Family

ID=78420841

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110920729.0A Active CN113645242B (en) 2021-08-11 2021-08-11 Honeypot source tracing method, device and related equipment

Country Status (1)

Country Link
CN (1) CN113645242B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018223797A1 (en) * 2017-06-09 2018-12-13 腾讯科技(深圳)有限公司 Data response method, terminal apparatus, and server
CN111404934A (en) * 2020-03-16 2020-07-10 广州锦行网络科技有限公司 Network attack tracing method and system based on dynamic and static combination mode and honey mark technology
CN112134837A (en) * 2020-08-06 2020-12-25 瑞数信息技术(上海)有限公司 Method and system for detecting Web attack behavior
CN112528104A (en) * 2020-12-15 2021-03-19 江苏满运物流信息有限公司 Traceability system and traceability method based on sensitive data

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114095245A (en) * 2021-11-18 2022-02-25 北京天融信网络安全技术有限公司 Tracing method, device, equipment and medium for network attack
CN114095245B (en) * 2021-11-18 2024-02-02 北京天融信网络安全技术有限公司 Network attack tracing method, device, equipment and medium
CN115022077A (en) * 2022-06-30 2022-09-06 绿盟科技集团股份有限公司 Network threat protection method, system and computer readable storage medium
CN115022077B (en) * 2022-06-30 2023-05-16 绿盟科技集团股份有限公司 Network threat protection method, system and computer readable storage medium

Also Published As

Publication number Publication date
CN113645242B (en) 2022-11-22

Similar Documents

Publication Publication Date Title
US11709945B2 (en) System and method for identifying network security threats and assessing network security
US10257199B2 (en) Online privacy management system with enhanced automatic information detection
CN103607385B (en) Method and apparatus for security detection based on browser
CN113645242B (en) Honeypot source tracing method, device and related equipment
CN105939326A (en) Message processing method and device
US20140310811A1 (en) Detecting and Marking Client Devices
CN109981653B (en) Web vulnerability scanning method
CN101682626A (en) Method and system for simulating a hacking attack on a network
US10972496B2 (en) Upload interface identification method, identification server and system, and storage medium
CN104468546B (en) A kind of web information processing method and firewall device, system
CN112751864B (en) Network attack countercheck system, method, device and computer equipment
CN105302707B (en) The leak detection method and device of application program
CN106982188B (en) Malicious propagation source detection method and device
CN113411314B (en) Method and device for attracting attacker to access honeypot system and electronic device
CN106789486B (en) Method and device for detecting shared access, electronic equipment and computer readable storage medium
CN110958239A (en) Method and device for verifying access request, storage medium and electronic device
CN110602134B (en) Method, device and system for identifying illegal terminal access based on session label
CN108737421B (en) Method, system, device and storage medium for discovering potential threats in network
CN116781331A (en) Reverse proxy-based honeypot trapping network attack tracing method and device
JP5682181B2 (en) COMMUNICATION DEVICE, METHOD, AND PROGRAM HAVING COMMUNICATION CONTROL FUNCTION
CN114024740A (en) Threat trapping method based on secret tag bait
CN109474572B (en) Method and system for monitoring and capturing horse release sites based on cluster botnet
CN114301607B (en) Certificate clearing method and device for browser, storage medium and processor
CN114666128B (en) Honeypot threat information sharing method, device and equipment and readable storage medium
Potocký et al. Advanced Anti-Forensic Protection of Mobile Applications

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant