CN115664855A - Network attack defense method, electronic equipment and computer readable medium - Google Patents


Publication number
CN115664855A
Authority
CN
China
Prior art keywords: honeypot, attack, attacker, virtual machine, network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211652880.1A
Other languages
Chinese (zh)
Inventor
赵莹
高磊
徐杨
宁振宇
张廷彪
崔鑫铭
石志国
赵章界
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Big Data Center
Original Assignee
Beijing Big Data Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Big Data Center
Priority to CN202211652880.1A
Publication of CN115664855A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The disclosure relates to the technical field of network security and provides a network attack defense method comprising the following steps: deploying a plurality of honeypot virtual machines, wherein honeypot databases storing false data are deployed in the honeypot virtual machines, and the false data have the same characteristics as real data; when any honeypot virtual machine detects abnormal access, directing the traffic of the abnormal access to a honeypot network consisting of a plurality of honeypot virtual machines; and acquiring the characteristic information of the abnormal access and sending the characteristic information to the honeypot server. The disclosure also provides a network attack defense method applied to the honeypot server, an electronic device and a computer-readable medium. The method and the device improve the effectiveness of defense against network attacks.

Description

Network attack defense method, electronic device and computer readable medium
Technical Field
The disclosed embodiments relate to the field of network security technologies, and in particular, to a method for defending against a network attack, an electronic device, and a computer-readable medium.
Background
With the rapid development of new information technologies such as mobile internet, big data, cloud computing and artificial intelligence, services and applications built around networks and data are developing rapidly. The abundance of application scenarios also exposes more and more network security risks: attacks against enterprises are becoming more frequent, harder to identify, and more destructive.
Honeypot technology is a technique for luring attackers: honeypots are set up as bait to induce attackers to attack them, so that the attack behavior can be captured and analyzed. However, as technology has developed, attackers have become able to identify whether a target is a honeypot, for example according to whether important data exists in it. On finding that the target is a honeypot, the attacker can switch targets and go on to attack other hosts in order to steal or destroy data, which can easily cause great loss to enterprises.
At present, a scheme for effectively defending against network attacks is needed.
Disclosure of Invention
The embodiment of the disclosure provides a network attack defense method, electronic equipment and a computer readable medium.
In a first aspect, an embodiment of the present disclosure provides a method for defending against a network attack, including:
deploying a plurality of honeypot virtual machines, wherein honeypot databases storing false data are deployed in the honeypot virtual machines, and the false data have the same characteristics as real data;
when any honeypot virtual machine detects abnormal access, directing the traffic of the abnormal access to a honeypot network consisting of a plurality of honeypot virtual machines;
and acquiring the characteristic information of the abnormal access, and sending the characteristic information to the honeypot server.
In some embodiments, deploying a plurality of honeypot virtual machines comprises:
deploying the honeypot virtual machines on a path connecting an external network and an internal network, wherein the honeypot virtual machines cover a plurality of network segments and a plurality of IP addresses.
In some embodiments, deploying the honeypot virtual machine on a path connecting an extranet and an intranet includes:
creating the honeypot virtual machine;
simulating a plurality of pieces of false data according to fields in a real database, wherein the fields corresponding to the false data and the real data are the same;
deploying the honeypot database storing the dummy data in the honeypot virtual machine.
In some embodiments, deploying the honeypot virtual machine on a path connecting an extranet and an intranet further comprises:
setting security weaknesses in the honeypot virtual machine to induce an attacker to attack the honeypot virtual machine.
In some embodiments, the defense method further comprises:
and detecting the abnormal access according to the operation behavior of the honeypot database.
In a second aspect, an embodiment of the present disclosure provides a method for defending against a network attack, including:
receiving characteristic information of abnormal access sent by the honeypot virtual machine;
determining attack behavior information of an attacker according to the characteristic information;
and carrying out attack defense processing according to the attack behavior information.
In some embodiments, determining attack behavior information of an attacker according to the characteristic information includes:
generating an attacker portrait according to the characteristic information so as to locate the attacker;
and determining the attack intention and the attack mode of the attacker according to the attacker portrait.
In some embodiments, performing attack defense processing according to the attack behavior information includes:
and isolating the host in the intranet according to the attack behavior information.
In a third aspect, an embodiment of the present disclosure provides an electronic device, including:
one or more processors;
a memory on which one or more programs are stored, the one or more programs, when executed by the one or more processors, causing the one or more processors to implement the method for defending against a network attack as described in the first aspect of the embodiments of the present disclosure and/or the method for defending against a network attack as described in the second aspect of the embodiments of the present disclosure;
one or more I/O interfaces connected between the processor and the memory and configured to enable information interaction between the processor and the memory.
In a fourth aspect, the present disclosure provides a computer readable medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for defending against a network attack according to the first aspect of the present disclosure and/or the method for defending against a network attack according to the second aspect of the present disclosure.
In the defense method for network attack provided by the embodiment of the disclosure, a plurality of honeypot virtual machines are deployed, and honeypot databases storing false data are deployed in the honeypot virtual machines, so that an attacker is induced to take the false data for real data and is kept from switching targets to attack other hosts. The honeypot virtual machine can also discover the attacker's behavior by detecting abnormal access and direct the traffic of the abnormal access to a honeypot network consisting of a plurality of honeypot virtual machines, which draws the attacker deeper layer by layer and confines the attacker to the honeypot network. The honeypot virtual machine can further acquire the characteristic information of the abnormal access and send it to the honeypot server, so that the honeypot server can analyze the attacker's behavior and then apply defense processing, such as isolation, to the relevant hosts. With this defense strategy, the attacker can be misdirected, the attack process is delayed, and real data is indirectly protected; attack behavior can be actively trapped and its characteristics analyzed, so that network attacks are defended against in advance.
Drawings
The accompanying drawings are included to provide a further understanding of the embodiments of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the principles of the disclosure and not to limit the disclosure. In the drawings:
FIG. 1 is a flowchart of a defending method of a network attack according to an embodiment of the present disclosure;
FIG. 2 is a schematic diagram of a defense architecture in accordance with an embodiment of the present disclosure;
FIG. 3 is a flowchart of a defending method of a network attack according to an embodiment of the present disclosure;
FIG. 4 is a block diagram of an electronic device according to an embodiment of the disclosure;
FIG. 5 is a block diagram of a computer-readable medium according to an embodiment of the disclosure.
Detailed Description
In order to make those skilled in the art better understand the technical solution of the present disclosure, the network attack defense method, the electronic device, and the computer readable medium provided in the present disclosure are described in detail below with reference to the accompanying drawings.
Example embodiments will be described more fully hereinafter with reference to the accompanying drawings, but which may be embodied in different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Embodiments of the disclosure and features of the embodiments may be combined with each other without conflict.
As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises," "comprising," "includes," and/or "made from" specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and the present disclosure, and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
In some related art, conventional defense strategies aim to defend against network attacks by keeping attackers outside the perimeter. However, as attack methods become more diverse, covert and complex, these conventional strategies fall short. The inventors of the present disclosure believe that they suffer mainly from the following drawbacks:
(1) Traditional defense strategies are mainly passive and cannot discover attack behavior in time. For example, some security products rely on rules and a signature library to identify attack behavior that uses a 0-day vulnerability, and security operations personnel can only remediate once a problem has occurred. By then the attacker has usually entered the intranet and remained latent for a long time, so the attacker can easily collect data by scanning and move laterally to compromise hosts such as databases and obtain important internal data.
(2) In a traditional defense strategy, honeypots are usually deployed in the external network. Hosts in the intranet, which is isolated from the external network, lack a defense mechanism against network attack and usually have more security holes, so once an attacker gets inside, lateral scanning and penetration are easy.
(3) In some network attacks, after breaking through the external network boundary and gaining initial privilege escalation, the attacker looks for the next foothold in the intranet, moves laterally and takes control of more hosts until reaching the core target. The traditional defense posture of "emphasizing the external network and neglecting the intranet" has difficulty detecting the attacker's compromise activity inside the intranet, particularly the attacker's forging of processes and traffic, which often slips through attack detection.
To counter an attacker's intranet penetration, the method deploys probes that cover multiple network segments and multiple Internet Protocol (IP) addresses so as to achieve wide coverage of the intranet and help defenders quickly discover suspicious behavior. Baits and traps are deployed on the key paths an attacker would use to intrude; they simulate important intranet assets and expose information such as vulnerabilities, weak passwords and risky ports, inducing the attacker to attack the baits and traps, so that after entering the intranet the attacker attacks false targets and obtains false data. During the attack interaction, the attacker's behavior is fully recorded and advanced unknown attacks are captured, so that the attacker is kept from harming real assets.
In view of this, in a first aspect, with reference to fig. 1, an embodiment of the present disclosure provides a method for defending against a network attack, including:
S11, deploying a plurality of honeypot virtual machines, wherein honeypot databases storing false data are deployed in the honeypot virtual machines, and the false data have the same characteristics as real data;
S12, when any honeypot virtual machine detects abnormal access, directing the traffic of the abnormal access to a honeypot network consisting of a plurality of honeypot virtual machines;
S13, acquiring the characteristic information of the abnormal access and sending the characteristic information to the honeypot server.
In the disclosed embodiment, the false data is obtained by simulating the real data, so that it has the same characteristics as the real data. When an attacker attacks the honeypot virtual machine, the attacker takes the false data for real data and is therefore kept from switching targets to attack other hosts.
The embodiments of the present disclosure do not particularly limit which characteristics the real data and the false data share. For example, that the false data has the same characteristics as the real data may mean that the fields in the honeypot database are the same as the fields in the real database; it may also mean that the honeypot database at least has fields corresponding to the important data in the real database.
In the embodiment of the disclosure, a plurality of honeypot virtual machines form a honeypot network, and each honeypot virtual machine can detect abnormal access so as to discover an attacker's behavior. When a honeypot virtual machine finds abnormal access, it can redirect the traffic of that access into the honeypot network, drawing the attacker in layer by layer, so that the attacker is confined to the honeypot network and can only attack honeypot virtual machines, not other hosts.
As shown in fig. 2, in the defense architecture of the embodiment of the present disclosure, an attacker attacks a Web application, and the Web application is connected to a real database in a real host and to a honeypot database in a honeypot virtual machine. In the disclosed embodiment, the attacker's attack is steered into the honeypot database. When the honeypot virtual machine detects abnormal access, it can also acquire the characteristic information of the abnormal access and send it to the honeypot server, so that the honeypot server can analyze the attacker's behavior and then apply defense processing, such as isolation, to the relevant hosts.
In the defense method for network attack provided by the embodiment of the disclosure, a plurality of honeypot virtual machines are deployed, and honeypot databases storing false data are deployed in the honeypot virtual machines, so that an attacker is induced to take the false data for real data and is kept from switching targets to attack other hosts. The honeypot virtual machine can also discover the attacker's behavior by detecting abnormal access and direct the traffic of the abnormal access to a honeypot network consisting of a plurality of honeypot virtual machines, which draws the attacker deeper layer by layer and confines the attacker to the honeypot network. The honeypot virtual machine can further acquire the characteristic information of the abnormal access and send it to the honeypot server, so that the honeypot server can analyze the attacker's behavior and then apply defense processing, such as isolation, to the relevant hosts. With this defense strategy, the attacker can be misdirected, the attack process is delayed, and real data is indirectly protected; attack behavior can be actively trapped and its characteristics analyzed, so that network attacks are defended against in advance.
The deployment position of the honeypot virtual machine is not particularly limited in the embodiment of the disclosure.
In some embodiments, deploying a plurality of honeypot virtual machines comprises:
deploying the honeypot virtual machines on a path connecting an external network and an internal network, wherein the honeypot virtual machines cover a plurality of network segments and a plurality of IP addresses.
In the embodiment of the present disclosure, the path connecting the extranet and the intranet refers to a path that must be traversed to go from the extranet to the intranet or from the intranet to the extranet. Deploying the honeypot virtual machines on this path prevents an attacker from bypassing them to attack the intranet directly, lets the honeypot virtual machines fully exert their luring effect on the attacker's behavior, and effectively defends against network attack.
The embodiment of the disclosure does not specially limit how to deploy the honeypot virtual machine.
In some embodiments, deploying the honeypot virtual machine on a path connecting an extranet with an intranet includes:
creating the honeypot virtual machine;
simulating a plurality of pieces of false data according to fields in a real database, wherein the fields corresponding to the false data and the real data are the same;
deploying the honeypot database storing the dummy data in the honeypot virtual machine.
The number of pieces of simulated false data is not particularly limited in the embodiments of the present disclosure. For example, tens or hundreds of thousands of pieces of false data are simulated from the fields of the real database.
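The following Python sketch illustrates the step of simulating false data from the fields of a real database. It is an added example, not code from the patent or its applicant. It assumes SQLite, a constructed `customers` schema, and hypothetical helper names (`read_fields`, `fake_value`, `build_honeypot_db`); only column names and declared types are read from the real database.

```python
import random
import sqlite3
import string

# Constructed stand-in for the real database. Only its column names and
# declared types are read; no real row value is ever copied into the decoy.
REAL_SCHEMA_SQL = """
CREATE TABLE customers (
    id INTEGER PRIMARY KEY, full_name TEXT, email TEXT, phone TEXT, balance REAL
)
"""
FIRST = ["Alex", "Dana", "Jun", "Mina", "Omar", "Rita"]      # constructed
LAST = ["Chen", "Ivanov", "Khan", "Lopez", "Meyer", "Sato"]  # constructed


def read_fields(conn, table):
    """Return [(column_name, declared_type)] for `table`."""
    if not table.isidentifier():  # PRAGMA cannot take bound parameters
        raise ValueError("unexpected table name")
    rows = conn.execute(f"PRAGMA table_info({table})").fetchall()
    return [(r[1], r[2].upper()) for r in rows]


def fake_value(name, decl_type, rng, row_id):
    """Synthesize a plausible value from the field name and type alone."""
    lname = name.lower()
    if lname == "id":
        return row_id
    if "email" in lname:
        user = "".join(rng.choices(string.ascii_lowercase, k=8))
        return f"{user}@example.com"          # reserved documentation domain
    if "phone" in lname:
        return "555" + "".join(rng.choices(string.digits, k=7))
    if "name" in lname:
        return f"{rng.choice(FIRST)} {rng.choice(LAST)}"
    if decl_type in ("REAL", "FLOAT", "DOUBLE"):
        return round(rng.uniform(0, 50000), 2)
    if decl_type.startswith("INT"):
        return rng.randint(0, 10**6)
    return "".join(rng.choices(string.ascii_letters, k=12))


def build_honeypot_db(real_conn, table, rows, seed=0):
    """Create an in-memory honeypot database whose table has the same fields
    as the real table and holds `rows` pieces of false data."""
    fields = read_fields(real_conn, table)
    if not fields:
        raise ValueError("table not found in the real database")
    if not all(name.isidentifier() for name, _ in fields):
        raise ValueError("unexpected column name")
    rng = random.Random(seed)
    decoy = sqlite3.connect(":memory:")
    columns = ", ".join(f'"{name}" {typ}' for name, typ in fields)
    decoy.execute(f"CREATE TABLE {table} ({columns})")
    marks = ", ".join("?" for _ in fields)
    decoy.executemany(
        f"INSERT INTO {table} VALUES ({marks})",
        ([fake_value(n, t, rng, i) for n, t in fields]
         for i in range(1, rows + 1)),
    )
    decoy.commit()
    return decoy


if __name__ == "__main__":
    real = sqlite3.connect(":memory:")
    real.execute(REAL_SCHEMA_SQL)
    honeypot = build_honeypot_db(real, "customers", rows=5, seed=1)
    for row in honeypot.execute("SELECT * FROM customers"):
        print(row)
```

Generating values from field names and types, rather than sampling or masking real rows, keeps real records out of the honeypot database even when the row count is large.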
In some embodiments, deploying the honeypot virtual machine on a path connecting an extranet with an intranet, further comprises:
setting security weaknesses in the honeypot virtual machine to induce an attacker to attack the honeypot virtual machine.
In the embodiment of the disclosure, security weaknesses are set in the honeypot virtual machine so that, by actively exposing them, an attacker is induced to attack the honeypot virtual machine; this raises the probability that the attacker attacks the honeypot virtual machine in preference to a real host, so the attacker is effectively lured.
The security weaknesses set in the honeypot virtual machine are not specially limited in the embodiment of the disclosure. For example, the security weaknesses include at least one of a low-version data block, an open port, a weak password, and the like.
The embodiment of the disclosure does not specially limit how the honeypot virtual machine discovers attack behavior through the detection of abnormal access.
In some embodiments, the defense method further comprises:
and detecting the abnormal access according to the operation behavior of the honeypot database.
The embodiment of the present disclosure does not specially limit the operation behavior on the honeypot database. For example, the operation behavior includes accessing the honeypot database and performing operations such as database dumping (literally "dragging the library"). Database dumping refers to exporting data from a database, and specifically to an attacker stealing the database file.
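One way a honeypot virtual machine could detect abnormal access from operations on its honeypot database and assemble the characteristic information it sends to the honeypot server, shown as an added Python example that is not part of the patent. The audit-log format, the `BULK_ROWS` threshold, the operation labels and the record fields are all assumptions, and the sample log lines are constructed.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed honeypot-database audit lines; the line format is an assumption.
SAMPLE_LOG = """\
2022-12-22T10:15:02Z src=10.20.3.44 user=report rows=0 sql="SHOW TABLES"
2022-12-22T10:15:09Z src=10.20.3.44 user=report rows=50000 sql="SELECT * FROM customers"
2022-12-22T10:15:30Z src=10.20.3.44 user=report rows=50000 sql="SELECT * FROM customers INTO OUTFILE '/tmp/c.csv'"
2022-12-22T11:02:41Z src=10.20.7.9 user=app rows=1 sql="SELECT email FROM customers WHERE id = 7"
this line is truncated and must not crash the parser
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) '
    r'rows=(?P<rows>\d+) sql="(?P<sql>.*)"$'
)
BULK_ROWS = 1000  # assumed threshold above which a read counts as a dump
SEVERITY = {"access": 1, "schema_enumeration": 2,
            "bulk_read": 3, "export_to_file": 4}


def classify(sql, rows):
    """Label one operation on the honeypot database."""
    s = " ".join(sql.lower().split())
    if "into outfile" in s or "into dumpfile" in s:
        return "export_to_file"
    if rows >= BULK_ROWS or re.fullmatch(r"select \* from \w+;?", s):
        return "bulk_read"
    if s.startswith("show ") or "information_schema" in s:
        return "schema_enumeration"
    return "access"


def characteristic_info(log_text, honeypot_id):
    """Group operations by source address and return (records, skipped).

    A honeypot database has no legitimate users, so every source gets a
    record; the operation labels only rank how far the access went."""
    per_src = defaultdict(
        lambda: {"ops": Counter(), "users": set(), "rows": 0, "ts": []})
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # malformed line: count it, keep parsing
            continue
        rows = int(m["rows"])
        entry = per_src[m["src"]]
        entry["ops"][classify(m["sql"], rows)] += 1
        entry["users"].add(m["user"])
        entry["rows"] += rows
        entry["ts"].append(m["ts"])
    records = []
    for src, entry in sorted(per_src.items()):
        records.append({
            "honeypot": honeypot_id,
            "src": src,
            "first_seen": min(entry["ts"]),
            "last_seen": max(entry["ts"]),
            "db_users": sorted(entry["users"]),
            "operations": dict(entry["ops"]),
            "rows_returned": entry["rows"],
            "worst_operation": max(entry["ops"], key=SEVERITY.get),
        })
    return records, skipped


if __name__ == "__main__":
    recs, bad = characteristic_info(SAMPLE_LOG, "hp-db-01")
    for rec in recs:
        print(json.dumps(rec, sort_keys=True))  # payload for the server
    print("unparsed lines:", bad)
```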
In a second aspect, referring to fig. 3, an embodiment of the present disclosure provides a method for defending against a network attack, including:
S21, receiving characteristic information of abnormal access sent by the honeypot virtual machine;
S22, determining attack behavior information of an attacker according to the characteristic information;
S23, carrying out attack defense processing according to the attack behavior information.
As shown in fig. 2, in the defense architecture of the embodiment of the disclosure, when the honeypot virtual machine detects abnormal access, it can acquire the characteristic information of the abnormal access and send it to the honeypot server, so that the honeypot server can analyze the attacker's behavior and then apply defense processing, such as isolation, to the relevant hosts.
The embodiment of the present disclosure does not make any special limitation on the attack behavior information.
In some embodiments, determining attack behavior information of an attacker according to the characteristic information includes:
generating an attacker portrait according to the characteristic information so as to locate the attacker;
and determining the attack intention and the attack mode of the attacker according to the attacker portrait.
In some embodiments, the honeypot server analyzes the characteristic information to derive information such as the attacker's browser fingerprints, files left behind, Internet Protocol (IP) addresses and threat intelligence, and combines these into the attacker portrait.
In some embodiments, when determining the attack behavior information of the attacker, security operations personnel can use log playback and process characteristics to analyze packet capture (PCAP) traffic and examine the attacker's intention and means in depth.
The embodiment of the present disclosure does not make any special limitation on how to perform attack defense processing according to the attack behavior information.
In some embodiments, performing attack defense processing according to the attack behavior information includes:
and isolating the host in the intranet according to the attack behavior information.
In the embodiment of the disclosure, once the attack intention and the attack mode of the attacker are determined, the host corresponding to the attacker's intention and/or the host having the vulnerability corresponding to the attacker's attack mode is isolated, or the vulnerability is repaired in time, which improves the defense capability against network attack.
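The server-side steps S21 to S23 can be sketched as follows: reports from honeypot virtual machines are merged into an attacker portrait, and intranet hosts are selected for isolation because they match the attacker's intent or carry a weakness matching the attacker's mode. This Python code is an added example, not the patent's implementation. The report fields, the inventory, the threat-intelligence entry and every value in them are constructed assumptions, and fingerprints and file hashes are placeholders.

```python
from collections import Counter, defaultdict

# Constructed characteristic information as honeypots might report it (S21).
REPORTS = [
    {"src": "10.20.3.44", "honeypot": "hp-db-01", "mimics": "crm-database",
     "technique": "weak_password", "browser_fp": "fp-PLACEHOLDER-A",
     "left_files": []},
    {"src": "10.20.3.44", "honeypot": "hp-db-02", "mimics": "crm-database",
     "technique": "bulk_export", "browser_fp": "fp-PLACEHOLDER-A",
     "left_files": ["sha256:PLACEHOLDER-1"]},
    {"src": "10.20.3.44", "honeypot": "hp-web-01", "mimics": "hr-portal",
     "technique": "weak_password", "browser_fp": None, "left_files": []},
    {"src": "10.20.9.2", "honeypot": "hp-web-01", "mimics": "hr-portal",
     "technique": "port_scan", "browser_fp": None, "left_files": []},
]
# Constructed intranet inventory: the asset each real host serves and the
# weaknesses known to be present on it.
INVENTORY = [
    {"host": "db-prod-1", "asset": "crm-database", "weaknesses": []},
    {"host": "web-hr-1", "asset": "hr-portal", "weaknesses": ["weak_password"]},
    {"host": "files-1", "asset": "file-share", "weaknesses": ["weak_password"]},
    {"host": "build-1", "asset": "ci-runner", "weaknesses": []},
]
THREAT_INTEL = {"10.20.3.44": ["listed-in-constructed-feed"]}


def build_portraits(reports, intel):
    """S22: merge reports per source address into an attacker portrait."""
    acc = defaultdict(lambda: {"fps": set(), "files": set(), "pots": set(),
                               "targets": Counter(), "modes": set()})
    for r in reports:
        a = acc[r["src"]]
        if r.get("browser_fp"):
            a["fps"].add(r["browser_fp"])
        a["files"].update(r.get("left_files", []))
        a["pots"].add(r["honeypot"])
        a["targets"][r["mimics"]] += 1
        a["modes"].add(r["technique"])
    portraits = {}
    for src, a in acc.items():
        portraits[src] = {
            "ip": src,
            "browser_fingerprints": sorted(a["fps"]),
            "left_files": sorted(a["files"]),
            "threat_intel": intel.get(src, []),
            # Intent: the kind of asset the attacker went after most often.
            "intent": a["targets"].most_common(1)[0][0],
            "modes": sorted(a["modes"]),
            "honeypots_touched": len(a["pots"]),
        }
    return portraits


def isolation_plan(portrait, inventory):
    """S23: map each real host to the reasons it should be isolated."""
    plan = {}
    for h in inventory:
        reasons = []
        if h["asset"] == portrait["intent"]:
            reasons.append("asset matches attack intent")
        shared = sorted(set(h["weaknesses"]) & set(portrait["modes"]))
        if shared:
            reasons.append("weakness matches attack mode: " + ", ".join(shared))
        if reasons:
            plan[h["host"]] = reasons
    return plan


if __name__ == "__main__":
    for ip, portrait in build_portraits(REPORTS, THREAT_INTEL).items():
        print(ip, portrait["intent"], portrait["modes"])
        for host, why in isolation_plan(portrait, INVENTORY).items():
            print("  isolate", host, "->", "; ".join(why))
```

Hosts selected only for a matching weakness are the ones where the page's alternative, repairing the vulnerability in time, can replace isolation.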
In a third aspect, referring to fig. 4, an embodiment of the present disclosure provides an electronic device, including:
one or more processors 101;
a memory 102, on which one or more programs are stored, which, when executed by one or more processors, cause the one or more processors to implement the method for defending against a network attack according to the first aspect of the embodiments of the present disclosure and/or the method for defending against a network attack according to the second aspect of the embodiments of the present disclosure;
one or more I/O interfaces 103 coupled between the processor and the memory and configured to enable information interaction between the processor and the memory.
The processor 101 is a device with data processing capability, which includes but is not limited to a Central Processing Unit (CPU), etc.; the memory 102 is a device having data storage capabilities including, but not limited to, random access memory (RAM, more specifically SDRAM, DDR, etc.), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), and flash memory (FLASH); an I/O interface (read/write interface) 103 is connected between the processor 101 and the memory 102, and can realize information interaction between the processor 101 and the memory 102, which includes but is not limited to a data bus (Bus) and the like.
In some embodiments, the processor 101, memory 102, and I/O interface 103 are interconnected via a bus 104, which in turn connects with other components of the computing device.
In a fourth aspect, referring to fig. 5, an embodiment of the present disclosure provides a computer-readable medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for defending against a network attack according to the first aspect of the embodiment of the present disclosure and/or the method for defending against a network attack according to the second aspect of the embodiment of the present disclosure.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer.
In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
Example embodiments have been disclosed herein, and although specific terms are employed, they are used and should be interpreted in a generic and descriptive sense only and not for purposes of limitation. In some instances, features, characteristics and/or elements described in connection with a particular embodiment may be used alone or in combination with features, characteristics and/or elements described in connection with other embodiments, unless expressly stated otherwise, as would be apparent to one skilled in the art. Accordingly, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the scope of the disclosure as set forth in the appended claims.

Claims (10)

1. A method of defending against cyber attacks, comprising:
deploying a plurality of honeypot virtual machines, wherein honeypot databases storing false data are deployed in the honeypot virtual machines, and the false data have the same characteristics as real data;
when any honeypot virtual machine detects abnormal access, guiding the flow of the abnormal access to a honeypot network consisting of a plurality of honeypot virtual machines;
and acquiring the characteristic information of the abnormal access, and sending the characteristic information to the honeypot server.
2. The defense method of claim 1, wherein deploying a plurality of honeypot virtual machines comprises:
and deploying the honeypot virtual machines on a path connecting the external network and the internal network, wherein the plurality of honeypot virtual machines cover a plurality of network segments and a plurality of IP addresses.
3. The defense method of claim 2, wherein deploying the honeypot virtual machine on a path connecting an extranet and an intranet comprises:
creating the honeypot virtual machine;
simulating a plurality of the dummy data according to fields in a real database, wherein the fields corresponding to the dummy data and the real data are the same;
deploying the honeypot database storing the dummy data in the honeypot virtual machine.
4. The defense method of claim 3 wherein deploying the honeypot virtual machine on a path connecting an extranet and an intranet further comprises:
setting security weaknesses in the honeypot virtual machine to induce an attacker to attack the honeypot virtual machine.
5. The defense method of any one of claims 1 to 4, wherein the defense method further comprises:
detecting the abnormal access according to the operation behavior of the honeypot database.
6. A method for defending against cyber attacks, comprising:
receiving characteristic information of abnormal access sent by the honeypot virtual machine;
determining attack behavior information of an attacker according to the characteristic information;
and carrying out attack defense processing according to the attack behavior information.
7. The defense method of claim 6, wherein determining attack behavior information of an attacker from the characteristic information comprises:
generating an attacker portrait according to the characteristic information so as to locate the attacker;
and determining the attack intention and the attack mode of the attacker according to the attacker portrait.
8. The defense method according to claim 6 or 7, wherein the attack defense processing according to the attack behavior information includes:
isolating the host in the intranet according to the attack behavior information.
9. An electronic device, comprising:
one or more processors;
memory having one or more programs stored thereon that, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-8;
one or more I/O interfaces connected between the processor and the memory and configured to enable information interaction between the processor and the memory.
10. A computer-readable medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 8.
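The following Python example is added here to illustrate claims 1, 3 and 5 and is not code from the patent: it builds a decoy database with the same fields as a constructed "real" schema, records every operation on it through SQLite's authorizer hook, and assembles the characteristic information to forward to the honeypot server. The schema, table name, source address and report format are all assumptions.

```python
import json
import random
import sqlite3
import string

# Constructed stand-in for the real schema (an assumption, not from the patent).
REAL_SCHEMA = ("CREATE TABLE customers "
               "(id INTEGER PRIMARY KEY, name TEXT, phone TEXT, balance REAL)")

def fake_row(rng, row_id):
    """One decoy row whose fields have the same shape as plausible real data."""
    name = "".join(rng.choices(string.ascii_lowercase, k=6)).title()
    phone = "1" + "".join(rng.choices(string.digits, k=10))  # 11 digits
    return (row_id, name, phone, round(rng.uniform(10, 5000), 2))

def build_honeypot_db(rows=20, seed=7):
    """Claim 3: same fields as the real database, filled with false data."""
    db = sqlite3.connect(":memory:")
    db.execute(REAL_SCHEMA)
    rng = random.Random(seed)
    db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)",
                   [fake_row(rng, i) for i in range(1, rows + 1)])
    db.commit()
    return db

def watch(db, source_ip, events):
    """Claim 5: record every operation on the decoy table as abnormal access."""
    names = {sqlite3.SQLITE_READ: "read", sqlite3.SQLITE_UPDATE: "update",
             sqlite3.SQLITE_DELETE: "delete", sqlite3.SQLITE_INSERT: "insert"}
    def authorizer(action, arg1, arg2, dbname, trigger):
        # SQLite calls this hook while compiling each statement.
        if action in names and arg1 == "customers":
            events.append({"src": source_ip, "op": names[action], "column": arg2})
        return sqlite3.SQLITE_OK  # allow the statement; the data is false anyway
    db.set_authorizer(authorizer)

def feature_report(events):
    """Claim 1: characteristic information to send to the honeypot server."""
    return json.dumps({
        "src": events[0]["src"] if events else None,
        "ops": sorted({e["op"] for e in events}),
        "columns": sorted({e["column"] for e in events if e["column"]}),
        "event_count": len(events)}, sort_keys=True)

if __name__ == "__main__":
    db, events = build_honeypot_db(), []
    watch(db, "203.0.113.5", events)  # constructed source address
    db.execute("SELECT name, phone FROM customers").fetchall()
    print(feature_report(events))
```

Because no legitimate workload uses the decoy table, every recorded event is a candidate for abnormal access without any baseline or threshold.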

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211652880.1A CN115664855A (en) 2022-12-22 2022-12-22 Network attack defense method, electronic equipment and computer readable medium

Publications (1)

Publication Number Publication Date
CN115664855A true CN115664855A (en) 2023-01-31

Family

ID=85022912

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211652880.1A Pending CN115664855A (en) 2022-12-22 2022-12-22 Network attack defense method, electronic equipment and computer readable medium

Country Status (1)

Country Link
CN (1) CN115664855A (en)

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104978520A (en) * 2014-11-26 2015-10-14 哈尔滨安天科技股份有限公司 Honey pot data construction method and system on the basis of actual business system
US10110629B1 (en) * 2016-03-24 2018-10-23 Amazon Technologies, Inc. Managed honeypot intrusion detection system
CN107819731A (en) * 2016-09-13 2018-03-20 北京长亭科技有限公司 A kind of network security protection system and correlation technique
CN110784476A (en) * 2019-10-31 2020-02-11 国网河南省电力公司电力科学研究院 Power monitoring active defense method and system based on virtualization dynamic deployment
CN111478892A (en) * 2020-04-02 2020-07-31 广州锦行网络科技有限公司 Attacker portrait multi-dimensional analysis method based on browser fingerprints
CN112417444A (en) * 2020-12-03 2021-02-26 南京邮电大学 Attack trapping system based on firmware simulation
CN113946560A (en) * 2021-08-31 2022-01-18 北京中安星云软件技术有限公司 Database security management method and system
CN113904820A (en) * 2021-09-27 2022-01-07 杭州安恒信息技术股份有限公司 Network intrusion prevention method, system, computer and readable storage medium
CN115333804A (en) * 2022-07-27 2022-11-11 阿里云计算有限公司 Honeypot flow guiding method and device, electronic equipment and readable storage medium

Similar Documents

Publication Publication Date Title
CN107426242B (en) Network security protection method, device and storage medium
US10097573B1 (en) Systems and methods for malware defense
CN107819731B (en) Network security protection system and related method
CN107659583B (en) Method and system for detecting attack in fact
CN107888607A (en) A kind of Cyberthreat detection method, device and network management device
CN111490970A (en) Tracing analysis method for network attack
Chung et al. Allergy attack against automatic signature generation
CN104468632A (en) Loophole attack prevention method, device and system
CN110880983A (en) Penetration testing method and device based on scene, storage medium and electronic device
CN111385270A (en) WAF-based network attack detection method and device
CN110768949B (en) Vulnerability detection method and device, storage medium and electronic device
CN113422779B (en) Active security defense system based on centralized management and control
CN111835694A (en) Network security vulnerability defense system based on dynamic camouflage
Surnin et al. Probabilistic estimation of honeypot detection in Internet of things environment
CN114143096A (en) Security policy configuration method, device, equipment, storage medium and program product
CN114500026A (en) Network traffic processing method, device and storage medium
CN113810423A (en) Industrial control honey pot
CN115664855A (en) Network attack defense method, electronic equipment and computer readable medium
Mahajan et al. Performance analysis of honeypots against flooding attack
Li-Juan Honeypot-based defense system research and design
CN112637217B (en) Active defense method and device of cloud computing system based on bait generation
US20120005206A1 (en) Apparatus and method for analysis of data traffic
Katsinis et al. A framework for intrusion deception on web servers
CN115643118B (en) Method, electronic equipment and medium for defending threat attack of TDA
Mahajan et al. Malware Detection and Analysis using Modern Honeypot Allied with Machine Learning: A Performance Evaluation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20230131
