CN114866353A - Method and device for trapping attackers in expressway network and electronic equipment - Google Patents


Info

Publication number: CN114866353A
Authority: CN (China)
Prior art keywords: attacker, attack, trapping, network, center
Legal status: Granted (as listed; an assumption, not a legal conclusion)
Application number: CN202210786225.9A
Other languages: Chinese (zh)
Other versions: CN114866353B (en)
Inventors: 吴建亮, 胡鹏, 叶翔
Current Assignee: Guangzhou Jeeseen Network Technologies Co Ltd
Original Assignee: Guangzhou Jeeseen Network Technologies Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • G: PHYSICS
    • G07: CHECKING-DEVICES
    • G07B: TICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B15/00: Arrangements or apparatus for collecting fares, tolls or entrance fees at one or more control points
    • G07B15/06: Arrangements for road pricing or congestion charging of vehicles or vehicle users, e.g. automatic toll systems


Abstract

The invention discloses an attacker trapping method and device for a highway network, and electronic equipment. The method comprises the following steps: mapping trapping honeypots in a networking center, a road section center, a toll station level and a portal system of a highway toll network; when an attacker attacks any one of the networking center, the road section center, the toll station level and the portal system of the highway toll network, trapping the attack behavior of the attacker by using a trapping honeypot; acquiring a login password of the attacker; and replacing the weak password of the trapping honeypot when the attack time belongs to a target time period, the account of the attacker belongs to the accounts related to the operating system and service applications simulated by the trapping honeypot, the number of times the login password has been tried by the attacker is greater than a first threshold, and the weak password database contains the login password. The invention solves the technical problem that resources are damaged when an attacker attacks the highway toll network.

Description

Method and device for trapping attackers in expressway network and electronic equipment
Technical Field
The invention relates to the field of computers, in particular to an attacker trapping method and device for a highway network and electronic equipment.
Background
In the prior art, the toll collection system of an expressway, at locations such as expressway entrances and exits, road section management centers and toll collection centers, stores a large amount of toll collection and vehicle payment data. If an attacker attacks the toll collection system of the expressway, the system is easily brought down, so that the expressway cannot be used normally and resources are damaged.
Disclosure of Invention
The embodiment of the invention provides an attacker trapping method and device for an expressway network and electronic equipment, which are used for at least solving the technical problem that resources are damaged when the attacker attacks the expressway toll network.
According to an aspect of the embodiments of the present invention, there is provided an attacker trapping method for a highway network, including: mapping trapping honeypots in a networking center, a road section center, a toll station level and a portal system of a highway toll network; when an attacker attacks any one of the networking center, the road section center, the toll station level and the portal system of the highway toll network, trapping the attack behavior of the attacker by using the trapping honeypot; obtaining the login password of the attacker; judging whether the attack time of the attacker belongs to a target time period; when the attack time belongs to the target time period, judging whether the account of the attacker belongs to the accounts related to the operating system and service applications simulated by the trapping honeypot; when the account of the attacker belongs to those accounts, judging whether the number of times the login password has been tried by the attacker is greater than a first threshold; and when the number of times the login password has been tried by the attacker is greater than the first threshold and the weak password database contains the login password, replacing the weak password of the trapping honeypot.
According to another aspect of the embodiments of the present invention, there is provided an attacker trapping device for a highway network, including: a mapping module, configured to map trapping honeypots in a networking center, a road section center, a toll station level and a portal system of the highway toll network; a trapping module, configured to trap the attack behavior of the attacker by using the trapping honeypot when the attacker attacks any one of the networking center, the road section center, the toll station level and the portal system of the highway toll network; an acquisition module, configured to acquire the login password of the attacker; a judging module, configured to judge whether the attack time of the attacker belongs to the target time period, to judge, when the attack time belongs to the target time period, whether the account of the attacker belongs to the accounts related to the operating system and service applications simulated by the trapping honeypot, and to judge, when the account of the attacker belongs to those accounts, whether the number of times the login password has been tried by the attacker is greater than a first threshold; and a replacing module, configured to replace the weak password of the trapping honeypot when the number of times the login password has been tried by the attacker is greater than the first threshold and the weak password database contains the login password.
As an optional example, the mapping module includes: an acquisition unit, configured to acquire the network structure and the service content of the networking center, the road section center, the toll station level and the portal system; and a constructing unit, configured to construct a micro network structure and micro service content that are consistent with the network structure and the service content, where the service capability provided by the micro service structure and the micro service content is N% of the service capability of the network structure and the service content, and N is a positive integer.
As an optional example, the trapping module includes: a processing unit, configured to, when an attacker attacks any one of the networking center, the road section center, the toll station level and the portal system of the highway toll network, send the attack behavior of the attacker to the micro network structure and the micro service content, and process the attack behavior of the attacker through the micro network structure and the micro service content.
As an optional example, the processing unit includes: a response subunit, configured to, for multiple attack behaviors of the attacker, discard M% of the attack behaviors and respond to the rest, where M is a positive integer.
As an optional example, the response subunit is further configured to: reduce the value of M when the number of attack behaviors of the attacker per unit time decreases; and increase the value of M when the number of attack behaviors of the attacker per unit time increases.
As an optional example, the processing unit includes: a determining subunit, configured to determine an attack object of the attacker, where the attack object is any one of the networking center, the road section center, the toll station level and the portal system; and a processing subunit, configured to process the attack behavior of the attacker through the micro network structure and the micro service content of the attack object.
As an optional example, the processing unit further includes: a statistics subunit, configured to count the attack data of the attacker against each attack object, to obtain an attack record of the attacker's attack behavior against each object.
As an optional example, the mapping module includes: a setting unit, configured to set the weak password of the trapping honeypot to a first character string, where the first character string is a character string in a weak password database, and the weak password database includes a plurality of character strings.
As an optional example, the setting unit includes: a selection subunit, configured to randomly select a character string from the weak password database as the first character string, or to use the character string with the fewest characters in the weak password database as the first character string.
As an optional example, the replacement module includes: a selection unit, configured to select a character string from the weak password database again; and a replacing unit, configured to replace the weak password of the trapping honeypot with the newly selected character string.
As an optional example, the apparatus further includes: a counting module, configured to, when there are multiple attackers, count for each attacker the attack targets of the attacker, the number of attacks on each attack target, the attack time of each attack, the account of the attacker, and the login password corresponding to the account of the attacker.
According to still another aspect of the embodiments of the present invention, there is also provided a storage medium having a computer program stored therein, wherein the computer program is executed by a processor to perform the above-mentioned attacker trapping method for a highway network.
According to still another aspect of the embodiments of the present invention, there is also provided an electronic device, including a memory and a processor, where the memory stores a computer program, and the processor is configured to execute the above-mentioned attacker trapping method for a highway network through the computer program.
In the embodiment of the invention, trapping honeypots are mapped in a networking center, a road section center, a toll station level and a portal system of a highway toll network; when an attacker attacks any one of the networking center, the road section center, the toll station level and the portal system of the highway toll network, the attack behavior of the attacker is trapped by using the trapping honeypot; the login password of the attacker is obtained; it is judged whether the attack time of the attacker belongs to a target time period; when the attack time belongs to the target time period, it is judged whether the account of the attacker belongs to the accounts related to the operating system and service applications simulated by the trapping honeypot; and when the account of the attacker belongs to those accounts, it is judged whether the number of times the login password has been tried by the attacker is greater than a first threshold. In this method, because the trapping honeypots are mapped in the networking center, the road section center, the toll station level and the portal system of the highway toll network, the attack behavior of attackers can be trapped. In addition, in this process, specific attack behavior of the attacker is trapped, which improves trapping accuracy and solves the technical problem of resource damage caused by an attacker attacking the highway toll network.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention and do not constitute a limitation of the invention. In the drawings:
Fig. 1 is a flowchart of an optional attacker trapping method for a highway network according to an embodiment of the present invention;
Fig. 2 is a block diagram of an optional attacker trapping method for a highway network according to an embodiment of the present invention;
Fig. 3 is a block diagram of an optional attacker trapping method for a highway network according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an optional attacker trapping device for a highway network according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of an optional electronic device according to an embodiment of the invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to a first aspect of the embodiments of the present invention, there is provided an attacker trapping method for a highway network. Optionally, as shown in Fig. 1, the method includes:
S102, mapping trapping honeypots in a networking center, a road section center, a toll station level and a portal system of the highway toll network;
S104, when an attacker attacks any one of the networking center, the road section center, the toll station level and the portal system of the highway toll network, trapping the attack behavior of the attacker by using a trapping honeypot;
S106, obtaining a login password of the attacker;
S108, judging whether the attack time of the attacker belongs to a target time period;
S110, when the attack time belongs to the target time period, judging whether the account of the attacker belongs to the accounts related to the operating system and service applications simulated by the trapping honeypot;
S112, when the account of the attacker belongs to those accounts, judging whether the number of times the login password has been tried by the attacker is greater than a first threshold;
S114, when the number of times the login password has been tried by the attacker is greater than the first threshold and the weak password database contains the login password, replacing the weak password of the trapping honeypot.
Optionally, in this embodiment, trapping honeypots may be mapped in the networking center, the road section center, the toll station level and the portal system of the highway toll network. When mapping, machine-level honeypots may be mapped at terminals such as the machines at expressway entrances and exits, system-level honeypots may be mapped on the upper-level system side of those machines, and server-level honeypots may be mapped on the server side of the system. That is, respective trapping honeypots may be mapped separately for the networking center, the road section center, the toll station level and the portal system. If an attacker attacks the highway toll network, the trapping honeypots can be used to trap the attack behavior of the attacker.
When trapping, a particular type of attacker may be targeted. It is judged whether the attack time of the attacker belongs to the target time period; whether the account of the attacker belongs to the accounts related to the operating system and service applications simulated by the trapping honeypot; and whether the number of times the login password has been tried by the attacker is greater than the first threshold. Through this series of judgments, the identity of the attacker can be accurately determined, so that the weak password is changed and the attacker is lured into attacking the trapping honeypot. The weak password of the trapping honeypot offers weak security and is easy to crack, so the honeypot is easily attacked by attackers; the attackers are thereby trapped and prevented from attacking the real highway toll network.
In the method, the honeypots are mapped and trapped in the networking center, the road section center, the toll station level and the portal system of the highway toll network, so that the attack behavior of an attacker can be trapped. In addition, in the process, the specific attack behavior of the attacker is trapped, so that the trapping accuracy is improved, and the technical problem of resource damage caused by the fact that the attacker attacks the highway toll network is solved.
As an alternative example, the mapping of the trapping honeypots in the networking center, the road section center, the toll station level, and the portal system of the highway toll network described above includes:
acquiring network structures and service contents of a networking center, a road section center, a toll station level and a portal system;
and constructing a micro network structure and micro service content consistent with the network structure and the service content, wherein the service capacity provided by the micro service structure and the micro service content is N% of the service capacity of the network structure and the service content, and N is a positive integer.
In this embodiment, when an attacker attacks any one of the networking center, the road section center, the toll station level, and the portal system of the highway toll network, the act of trapping the attacker by using the honeypot includes:
when an attacker attacks any one of a networking center, a road section center, a toll station level and a portal system of the highway toll network, the attacking behavior of the attacker is sent to the micro network structure and the micro service content, and the attacking behavior of the attacker is processed by the micro network structure and the micro service content.
Optionally, in this embodiment, when constructing the trapping honeypots, a micro network structure and micro service content are constructed for each of the four parts: the networking center, the road section center, the toll station level and the portal system. For example, for the networking center, a micro network structure and micro service contents of the networking center are constructed, and the micro network structure and the micro service contents do not exceed the attack behavior of an attacker on the networking center. The micro network structure and the micro service content of the networking center have a part of the real processing capacity of the networking center. The micro network structure and the micro service content can be small in scale, so that they do not occupy excessive resources.
As an alternative example, the above-mentioned attack behavior of the attacker handled by the micro network structure and the micro service content includes:
for multiple attack behaviors of an attacker, M% of the attack behaviors are discarded, and the rest of the attack behaviors are responded, wherein M is a positive integer.
In this embodiment, for the multiple attack behaviors of the attacker, M% of the attack behaviors are discarded, and the response includes:
reducing the value of M when the number of times of attack behaviors of an attacker in unit time is reduced;
when the number of times of attack actions by an attacker per unit time is increased, the value of M is increased.
Optionally, in this embodiment, because the micro network structure and the micro service content are small in scale, the multiple attack behaviors of the attacker can be screened: a large number of attack behaviors are deleted without a response, and M% of the attack behaviors are screened out for responding. This gives the attacker the illusion that the attack is effective, while the attack behavior is in fact trapped by the micro network structure and the micro service content; although these are small in scale, this processing method is sufficient to trap the attacker. If the number of attacks by the attacker per unit time decreases, the attacker probably considers the attack to have been effective and has therefore reduced the attack frequency. At this point the value of M can be reduced so that more of the attacker's attack behaviors receive a response, giving the attacker the illusion that the attacked object has recovered and thereby further trapping the attacker's attack behavior.
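The feedback rule for M described above, as an added Python example that is not code from the patent: the step size, the bounds on M, the evenly spaced discard schedule and the per-interval attack counts are constructed assumptions, since the text only states that M is a positive integer that falls and rises with the attack rate.

```python
"""Adaptive discard ratio M for a low-capacity trapping honeypot (added example)."""


class AdaptiveResponder:
    """Discards M% of attack requests and answers the rest.

    M is lowered when the attack count per unit time falls and raised when it
    rises. Step size and bounds are assumptions, not values from the patent.
    """

    def __init__(self, m=50, step=10, m_min=1, m_max=99):
        self.m = m
        self.step = step
        self.m_min = m_min
        self.m_max = m_max
        self._acc = 0          # accumulator that spreads discards evenly
        self._current = 0      # attacks seen in the running interval
        self._previous = None  # attacks seen in the last closed interval

    def handle(self):
        """Account for one attack request; return True if it is answered."""
        self._current += 1
        self._acc += self.m
        if self._acc >= 100:   # every 100 accumulated points is one discard
            self._acc -= 100
            return False
        return True

    def end_interval(self):
        """Close one unit of time and adapt M to the change in attack rate."""
        if self._previous is not None:
            if self._current < self._previous:
                # Attacker is slowing down: answer more to keep them engaged.
                self.m = max(self.m_min, self.m - self.step)
            elif self._current > self._previous:
                # Attacker is speeding up: shed more load.
                self.m = min(self.m_max, self.m + self.step)
        self._previous, self._current = self._current, 0
        return self.m


def simulate(attacks_per_interval, **kwargs):
    """Replay constructed per-interval attack counts.

    Returns ([(attacks, M in force, answered), ...], final M).
    """
    responder = AdaptiveResponder(**kwargs)
    rows = []
    for count in attacks_per_interval:
        m_used = responder.m
        answered = sum(responder.handle() for _ in range(count))
        responder.end_interval()
        rows.append((count, m_used, answered))
    return rows, responder.m


if __name__ == "__main__":
    # Constructed trace: steady rate, a sharp drop, then a resurgence.
    rows, final_m = simulate([100, 100, 40, 10, 60])
    for attacks, m_used, answered in rows:
        print(f"attacks={attacks:3d}  M={m_used:2d}%  answered={answered}")
    print("M for next interval:", final_m)
```
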
As an alternative example, the above-mentioned attack behavior of the attacker handled by the micro network structure and the micro service content includes:
determining an attack object of an attacker, wherein the attack object is any one of a networking center, a road section center, a toll station level and a portal system;
the attack behavior of the attacker is processed by the micro network structure and the micro service content of the attack object.
In this embodiment, the method further includes:
and counting the attack data of the attacker to each attack object to obtain the attack record of the attack behavior of the attacker to each object.
In this embodiment, the method further includes:
under the condition that a plurality of attackers exist, for each attacker, the attack targets of the attackers, the attack times of each attack target, the attack time of each attack, the account number of the attackers and the login password corresponding to the account number of the attackers are counted.
Optionally, in this embodiment, for each attacker, the attack targets of the attacker, the number of attacks on each attack target, the attack time of each attack, the account of the attacker, and the login password corresponding to that account are counted. By keeping an attack record of each attacker against each attack target, the trapping of each attacker can be fine-tuned according to the data actually collected, for example by increasing or reducing the number of times the attacker's attack behavior is trapped, or by adding the attacker to a blacklist. Attackers added to the blacklist are considered non-aggressive or low-aggressive attackers, for whom a large amount of trapping resources need not be consumed.
As an alternative example, the mapping of honeypots in the networking center, the road section center, the toll station level, and the portal system of the highway toll network comprises:
setting the weak password of the trapping honeypot as a first character string, where the first character string is one character string in a weak password database, and the weak password database includes a plurality of character strings.
In this embodiment, for each current character string in the weak password database, all characters included in the current character string are of the same type, and the length of the current character string is smaller than the first threshold.
In this embodiment, setting the weak password of the trapping honeypot as the first character string includes:
randomly selecting a character string from the weak password database as the first character string; or
taking the character string with the fewest characters in the weak password database as the first character string.
In this embodiment, replacing the weak password of the trapping honeypot when the number of times the login password has been tried by the attacker is greater than the first threshold and the weak password database contains the login password includes:
selecting a character string from the weak password database again;
replacing the weak password of the trapping honeypot with the newly selected character string.
Optionally, in this embodiment, a weak password database may be preset for the weak password of the trapping honeypot, where the weak password database includes a plurality of character strings and each character string is composed of a single kind of character. For example, one character string is composed of digits, one of letters, one of symbols, and so on. The length of each character string is less than the first threshold, so the character strings are simple in composition. A character string is randomly selected from the weak password database, or the character string with the fewest characters is selected, as the first character string. If an attacker attacks the highway toll collection system, the attacker can quickly obtain the first character string, because it is a weak password that is easy for an attacker to obtain. The attacker then uses the first character string as a login password to log in to what appears to be the highway toll network, and the trapping honeypot traps the attack behavior: the attacker has actually logged in to the trapping honeypot while believing it to be the highway toll network. When the attacker attacks the highway toll network, it is actually the trapping honeypot that is attacked, and the attacker is unaware of this, so a large amount of attack resources is wasted on attacking the trapping honeypot. By frequently changing the weak password, a trap is formed for the attacker: the attacker repeatedly obtains the weak password and uses it to attack the trapping honeypot, wasting the attacker's resources. The trapping honeypot is small and responds only partially to the attack behavior of the attacker, so a large amount of the attacker's resources can be tied up using few resources, and when the attacker leaves, a trap is set by adjusting the value of M to retain the attacker.
Fig. 2 is an architecture diagram of the present embodiment. In this embodiment:
Attacker: an attacker of the highway toll network, who can be trapped by the honeypot system and continues to attack it;
Honeypot: provides easily exploitable service ports and weak passwords for logging in to the disguised operating system and service applications;
Honeypot simulation system: simulates the characteristics of the antennas, lane controllers, duplication elimination servers, charging servers, ETC network charging servers, MTC network charging servers and the like of the highway toll network;
Weak password database: stores the account passwords preset in the honeypot, and records the attacker's account passwords after analysis by the honeypot data analysis system.
In this embodiment, the honeypot continuously lures attackers into continued attacks, and different attackers generate different attack behavior data, including login password data. The honeypot transmits the collected attacker behavior and operation data in full to the honeypot data analysis system, which judges the collected attacker behavior according to the configured judgment conditions. The honeypots are mapped to each layer of the toll network, including the networking center, the road section center, the toll station level and the portal system. Through continuous analysis of attackers' behavior, adaptive matching can be performed according to the means and tools that different attackers use against the highway, thereby achieving the deception and luring effect of the honeypots.
Fig. 3 is a schematic view of the honeypot of the present embodiment. With a highway service scenario preset, the honeypot continuously collects and outputs attacker behavior data. The honeypot data analysis system analyzes each captured attacker login password and applies the judgment conditions in sequence; the conditions can be user-defined and accumulated. For example: whether the time of the attack in which the password was entered falls within the specified time, and if so the next judgment is made; whether the account used with the password matches a specified account related to the operating system or service application simulated by the honeypot, and if so the next judgment is made; whether the length of the password meets the specified length limit, and if so the next judgment is made; whether the number of times the attacker has tried the password meets the specified number, and if so the next judgment is made. Once the conditions have been met in sequence, the judgment result is output to the weak password database, which performs a matching judgment on the password, that is, determines whether the password already exists; if it does not, the password is recorded in the database, and the next stage begins. The honeypot data analysis system inputs the judgment result and the matching result into the honeypot control system; the control system calls the password in the weak password database, formulates an automatic application strategy script, and sends it to the honeypot; the honeypot runs the script automatically, which replaces the honeypot's weak password. If the honeypot data analysis system judges that the password fails one or more conditions, the password is discarded directly and judgment continues with the next attacker password entered. The honeypot data analysis system can continuously evaluate and analyze the collected behavior data and repeat the judgment cyclically, realizing adaptive replacement and matching of the honeypot weak password.
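The sequential judgment and replacement flow described for Fig. 3, sketched in Python as an added example (not code from the patent or its applicant). The time window, decoy accounts, length limit, threshold, class and function names and the sample attempts are all assumptions constructed for illustration, and the "script" step is modelled as assigning the matched attacker password as the honeypot's new weak password.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass(frozen=True)
class LoginAttempt:
    when: datetime
    source: str      # attacker address as seen by the honeypot
    account: str
    password: str


@dataclass(frozen=True)
class Policy:
    # All values are assumptions; the patent leaves the conditions configurable.
    window_start: time = time(22, 0)          # target time period, wraps midnight
    window_end: time = time(6, 0)
    decoy_accounts: frozenset = frozenset({"root", "admin", "etc_toll"})
    max_password_len: int = 8                 # specified length limit
    first_threshold: int = 2                  # tries must exceed this


@dataclass
class Honeypot:
    weak_password: str
    weak_password_db: set
    tries: Counter = field(default_factory=Counter)


def in_window(t: time, start: time, end: time) -> bool:
    """True if t is in [start, end); supports windows that wrap past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def judge(hp: Honeypot, policy: Policy, a: LoginAttempt) -> str:
    """Apply the conditions in order; return the first failure or 'replaced'."""
    key = (a.source, a.account, a.password)
    hp.tries[key] += 1                        # every captured attempt is counted

    if not in_window(a.when.time(), policy.window_start, policy.window_end):
        return "discard:time"
    if a.account not in policy.decoy_accounts:
        return "discard:account"
    if len(a.password) > policy.max_password_len:
        return "discard:length"
    if hp.tries[key] <= policy.first_threshold:
        return "discard:attempts"

    # Matching step: record the password if the database does not hold it yet.
    hp.weak_password_db.add(a.password)
    # Control-system step (assumption): the "script" is modelled as assigning
    # the matched password as the honeypot's new weak password.
    hp.weak_password = a.password
    return "replaced"


def constructed_attempts() -> list:
    """Constructed sample data; 203.0.113.7 is a documentation address."""
    src = "203.0.113.7"
    return [
        LoginAttempt(datetime(2022, 7, 6, 23, 10), src, "admin", "888888"),
        LoginAttempt(datetime(2022, 7, 6, 23, 11), src, "admin", "888888"),
        LoginAttempt(datetime(2022, 7, 6, 23, 12), src, "admin", "888888"),
        LoginAttempt(datetime(2022, 7, 7, 12, 0), src, "admin", "888888"),
        LoginAttempt(datetime(2022, 7, 7, 23, 20), src, "postgres", "888888"),
        LoginAttempt(datetime(2022, 7, 7, 23, 30), src, "admin", "Tr0ub4dor&3x"),
        LoginAttempt(datetime(2022, 7, 8, 2, 15), src, "root", "abcdef"),
    ]


def run_demo():
    hp = Honeypot(weak_password="123456", weak_password_db={"123456", "abcdef"})
    policy = Policy()
    verdicts = [judge(hp, policy, a) for a in constructed_attempts()]
    return hp, verdicts


if __name__ == "__main__":
    hp, verdicts = run_demo()
    for attempt, verdict in zip(constructed_attempts(), verdicts):
        print(attempt.when, attempt.account, attempt.password, "->", verdict)
    print("honeypot weak password is now:", hp.weak_password)
```

Only the third attempt passes every condition, so the honeypot password changes once; each discard verdict names the first condition that failed, which is the value worth logging when tuning the thresholds.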
In this embodiment, the application conditions for the honeypot weak password are determined from the analysis of attacker behavior, so that the attack password is matched quickly, the attacker is induced to attack successfully and enter the back end of the honeypot system, and richer attack behavior and data are captured. The multi-condition, continuously cycling judgment method for weak password replacement allows the honeypot system's weak password to be applied in a more targeted and adaptive way. Changing the honeypot system's password by running an automated script is more efficient and sustainable than manual operation.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
According to another aspect of the embodiments of the present application, there is also provided an attacker trapping device for a highway network, as shown in fig. 4, including:
the mapping module 402 is used for mapping trapping honeypots in a networking center, a road section center, a toll station level and a portal system of the highway toll network;
the trapping module 404 is used for trapping the attack behavior of the attacker by using the trapping honeypot when the attacker attacks any one of the networking center, the road section center, the toll station level and the portal system of the highway toll network;
an obtaining module 406, configured to obtain a login password of an attacker;
the judging module 408 is configured to judge whether the attack time of the attacker belongs to the target time period; under the condition that the attack time belongs to the target time period, judging whether the account of the attacker belongs to an account, related to the service application, of the operating system simulated by the trapping honeypot; under the condition that the account of the attacker belongs to such an account, judging whether the number of times the attacker has tried the login password is greater than a first threshold value;
the replacing module 410 is used for replacing the weak password of the trapping honeypot under the condition that the number of times the attacker has tried the login password is greater than a first threshold value and the weak password database contains the login password.
Optionally, in this embodiment, trapping honeypots may be mapped in the networking center, road section center, toll station level and portal system of the highway toll network. When mapping, a machine honeypot may be mapped at a terminal such as a machine at an expressway entrance or exit, a system honeypot may be mapped on the upper-level system side of the machine, and a server honeypot may be mapped on the server side of the system. That is, a respective trapping honeypot may be mapped separately for each of the networking center, the road section center, the toll station level and the portal system. If an attacker attacks the highway toll network, a trapping honeypot may be used to trap the attack behavior of the attacker.
When trapping, a particular type of attacker may be trapped. It is judged whether the attack time of the attacker belongs to the target time period; whether the account of the attacker belongs to an account, related to the service application, of the operating system simulated by the trapping honeypot; and whether the number of times the attacker has tried the login password is greater than a first threshold. Through this series of judgments, the identity of the attacker can be accurately determined, so that the weak password is changed and the attacker is lured into attacking the trapping honeypot. The weak password of the trapping honeypot has weak security and is easy to break, so the honeypot is easily attacked; the attacker is thereby trapped and prevented from attacking the real highway toll network.
In the method, trapping honeypots are mapped in the networking center, the road section center, the toll station level and the portal system of the highway toll network, so that the attack behavior of an attacker can be trapped. In addition, because specific attack behavior of the attacker is trapped in this process, trapping accuracy is improved, and the technical problem of resource damage caused by attackers attacking the highway toll network is solved.
For other examples of this embodiment, please refer to the above examples, which are not described herein.
Fig. 5 is a block diagram of an alternative electronic device according to an embodiment of the present application, as shown in fig. 5, including a processor 502, a communication interface 504, a memory 506, and a communication bus 508, where the processor 502, the communication interface 504, and the memory 506 are communicated with each other via the communication bus 508, and where,
a memory 506 for storing a computer program;
the processor 502, when executing the computer program stored in the memory 506, implements the following steps:
mapping trapping honeypots in a networking center, a road section center, a toll station level and a portal system of a highway toll network;
when an attacker attacks any one of a networking center, a road section center, a toll station level and a portal system of the highway toll network, the attacking behavior of the attacker is trapped by using a trapping honeypot;
acquiring a login password of an attacker;
judging whether the attack time of an attacker belongs to a target time period or not;
under the condition that the attack time belongs to the target time period, judging whether the account of the attacker belongs to an account, related to the service application, of the operating system simulated by the trapping honeypot;
under the condition that the account of the attacker belongs to such an account, judging whether the number of times the attacker has tried the login password is greater than a first threshold value;
and replacing the weak password of the trapping honeypot under the condition that the number of times the attacker has tried the login password is greater than the first threshold value and the weak password database contains the login password.
Alternatively, in this embodiment, the communication bus may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 5, but this is not intended to represent only one bus or type of bus. The communication interface is used for communication between the electronic equipment and other equipment.
The memory may include RAM, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory. Alternatively, the memory may be at least one memory device located remotely from the processor.
As an example, the memory 506 may include, but is not limited to, the mapping module 402, the trapping module 404, the obtaining module 406, the judging module 408 and the replacing module 410 of the attacker trapping device of the highway network. In addition, the module may further include, but is not limited to, other module units in the processing apparatus of the request, which is not described in this example again.
The processor may be a general-purpose processor, including but not limited to a CPU (Central Processing Unit), an NP (Network Processor), and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
It can be understood by those skilled in the art that the structure shown in fig. 5 is only an illustration, and the device implementing the method for trapping an attacker in a highway network may be a terminal device, and the terminal device may be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 5 is a diagram illustrating a structure of the electronic device. For example, the electronic device may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in FIG. 5, or have a different configuration than shown in FIG. 5.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disk, ROM, RAM, magnetic or optical disk, and the like.
According to still another aspect of embodiments of the present invention, there is also provided a computer-readable storage medium having a computer program stored therein, wherein the computer program, when executed by a processor, performs the steps in the above-mentioned attacker trapping method for a highway network.
Alternatively, in this embodiment, a person skilled in the art may understand that all or part of the steps in the methods of the foregoing embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including instructions for causing one or more computer devices (which may be personal computers, servers, or network devices) to execute all or part of the steps of the method according to the embodiments of the present invention.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, a division of a unit is merely a division of a logic function, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (15)

1. An attacker trapping method for a highway network is characterized by comprising the following steps:
mapping trapping honeypots in a networking center, a road section center, a toll station level and a portal system of a highway toll network;
when an attacker attacks any one of a networking center, a road section center, a toll station level and a portal system of the highway toll network, using the trapping honeypot to trap the attack behavior of the attacker;
acquiring a login password of the attacker;
judging whether the attack time of the attacker belongs to a target time period or not;
under the condition that the attack time belongs to the target time period, judging whether the account of the attacker belongs to the account of the trapping honeypot simulated operating system related to the service application;
under the condition that the account of the attacker belongs to the account of the trapping honeypot simulation operating system related to business application, judging whether the number of times that the login password is tried by the attacker is larger than a first threshold value;
replacing the weak password of the trapping honeypot in the case that the number of times the login password is tried by the attacker is larger than the first threshold and the weak password database contains the login password.
2. The method of claim 1, wherein mapping the trapping honeypots in a networking center, a road section center, a toll station level and a portal system of a highway toll network comprises:
acquiring network structures and service contents of the networking center, the road section center, the toll station level and the portal system;
constructing a micro network structure and micro service content which are consistent with the network structure and the service content, wherein the service capacity provided by the micro service structure and the micro service content is N% of the service capacity of the network structure and the service content, and N is a positive integer.
3. The method according to claim 2, wherein using the trapping honeypot to trap the attack behavior of the attacker when the attacker attacks any one of a networking center, a road section center, a toll station level and a portal system of the highway toll network comprises:
when an attacker attacks any one of a networking center, a road section center, a toll station level and a portal system of the highway toll network, the attacking behavior of the attacker is sent to the micro network structure and the micro service content, and the attacking behavior of the attacker is processed by the micro network structure and the micro service content.
4. The method of claim 3, wherein the processing of the attack behavior of the attacker by the micro network structure and the micro service content comprises:
for multiple attack behaviors of the attacker, discarding M% of the attack behaviors, and responding to the rest attack behaviors, wherein M is a positive integer.
5. The method of claim 4, wherein for a plurality of attack behaviors of the attacker, M% of the attack behaviors are discarded, and responding to the remaining attack behaviors comprises:
reducing the value of M when the number of times of the attack behavior of the attacker in the unit time is reduced;
when the number of times of the attack action of the attacker per unit time is increased, the value of M is increased.
6. The method of claim 3, wherein the processing of the attack behavior of the attacker by the micro network structure and the micro service content comprises:
determining an attack object of the attacker, wherein the attack object is any one of the networking center, the road section center, the toll station level and the portal system;
processing the attack behavior of the attacker by the micro network structure and micro service content of the attack object.
7. The method of claim 6, further comprising:
and counting the attack data of the attacker to each attack object to obtain the attack record of the attack behavior of the attacker to each object.
8. The method of claim 1, wherein mapping the trapping honeypots in a networking center, a road section center, a toll station level and a portal system of a highway toll network comprises:
setting the weak password of the trapping honeypot as a first character string, wherein the first character string is a character string in a weak password database, and the weak password database comprises a plurality of character strings.
9. The method of claim 8, wherein, for each current character string in the weak password database, all characters included in the current character string are of the same type, and the number of characters of the current character string is less than a first threshold.
10. The method of claim 8, wherein said setting the weak password of the trapping honeypot as a first character string comprises:
randomly selecting a character string from the weak password database as the first character string; or
taking the character string with the fewest characters among the character strings in the weak password database as the first character string.
11. The method of claim 8, wherein the replacing the weak password of the trapping honeypot in the case that the number of times the login password is tried by the attacker is larger than the first threshold and the weak password database contains the login password comprises:
selecting a character string from the weak password database again;
and replacing the weak password of the trapping honeypot with the character string selected again.
12. The method of claim 1, further comprising:
and under the condition that a plurality of attackers exist, counting the attack targets of the attackers, the attack times of each attack target, the attack time of each attack, the account numbers of the attackers and the login passwords corresponding to the account numbers of the attackers for each attacker.
13. An attacker trapping device for a highway network, comprising:
the mapping module is used for mapping trapping honeypots in a networking center, a road section center, a toll station level and a portal system of the highway toll network;
the trapping module is used for trapping the attack behavior of the attacker by using the trapping honeypot when the attacker attacks any one of a networking center, a road section center, a toll station level and a portal system of the highway toll network;
the acquisition module is used for acquiring the login password of the attacker;
the judging module is used for judging whether the attack time of the attacker belongs to a target time period or not; under the condition that the attack time belongs to the target time period, judging whether the account of the attacker belongs to the account of the trapping honeypot simulated operating system related to the service application; under the condition that the account of the attacker belongs to the account of the trapping honeypot simulation operating system related to business application, judging whether the number of times that the login password is tried by the attacker is larger than a first threshold value;
the replacing module is used for replacing the weak password of the trapping honeypot under the condition that the number of times the login password is tried by the attacker is larger than the first threshold and the weak password database contains the login password.
14. A computer-readable storage medium, in which a computer program is stored, which, when being executed by a processor, carries out the method of any one of claims 1 to 12.
15. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the method of any of claims 1 to 12 by means of the computer program.
CN202210786225.9A 2022-07-06 2022-07-06 Method and device for trapping attackers in expressway network and electronic equipment Active CN114866353B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210786225.9A CN114866353B (en) 2022-07-06 2022-07-06 Method and device for trapping attackers in expressway network and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210786225.9A CN114866353B (en) 2022-07-06 2022-07-06 Method and device for trapping attackers in expressway network and electronic equipment

Publications (2)

Publication Number Publication Date
CN114866353A true CN114866353A (en) 2022-08-05
CN114866353B CN114866353B (en) 2022-09-30

Family

ID=82626728

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210786225.9A Active CN114866353B (en) 2022-07-06 2022-07-06 Method and device for trapping attackers in expressway network and electronic equipment

Country Status (1)

Country Link
CN (1) CN114866353B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104980423A (en) * 2014-11-26 2015-10-14 哈尔滨安天科技股份有限公司 Advanced persistent threat trapping system and method
CN110011982A (en) * 2019-03-19 2019-07-12 西安交通大学 A kind of attack intelligence deception system and method based on virtualization
CN110650128A (en) * 2019-09-17 2020-01-03 西安电子科技大学 System and method for detecting digital currency stealing attack of Etheng
CN111404935A (en) * 2020-03-16 2020-07-10 广州锦行网络科技有限公司 Honeypot service port self-adaptive application method and system based on attack behavior analysis
CN111797384A (en) * 2020-05-14 2020-10-20 广州锦行网络科技有限公司 Honeypot weak password self-adaptive matching method and system based on attack behavior analysis
CN112165459A (en) * 2020-09-08 2021-01-01 广州锦行网络科技有限公司 Application method for automatically switching to host honeypot based on alarm honeypot information analysis
CN113037777A (en) * 2021-04-09 2021-06-25 广州锦行网络科技有限公司 Honeypot bait distribution method and device, storage medium and electronic equipment
CN113098906A (en) * 2021-05-08 2021-07-09 广州锦行网络科技有限公司 Application method of micro honeypots in modern families
CN113691550A (en) * 2021-08-27 2021-11-23 西北工业大学 Behavior prediction system of network attack knowledge graph
CN114205127A (en) * 2021-11-29 2022-03-18 中国铁路北京局集团有限公司北京通信段 Network safety monitoring method and system for railway

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
蔡权慧: "高速公路联网收费***网络安全浅析", 《中国交通信息化》 *

Also Published As

Publication number Publication date
CN114866353B (en) 2022-09-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant