Device and method for capturing malicious samples through targeted dynamic deployment of honeypots

A dynamic, targeted deployment technology, applied in transmission systems, electrical components, etc., that addresses three problems: malicious samples cannot be accurately forwarded to high-interaction honeypots, capture occupies large computing resources, and vulnerable services or systems are difficult to simulate.

Active Publication Date: 2021-05-28
北京经纬信安科技有限公司

AI Technical Summary

Problems solved by technology

[0005] First, existing malicious sample acquisition technology has difficulty simulating a large number of vulnerable services or systems; when multiple PCs spread malicious samples at the same time, a large number of identical or different attack characteristics may occur simultaneously, and it is very difficult for the existing technology to capture all the kinds of malicious samples attacking at the same time.
[0006] Second, in the prior art, malicious samples that exploit vulnerabilities cannot be accurately forwarded to high-interaction honeypots containing the corresponding vulnerable services or systems. Correct infection cannot be guaranteed, which makes it difficult to capture malicious samples based on vulnerability attacks.
[0007] Third, existing technologies do not support dynamic deployment targeted at the vulnerabilities used in attacks.
[0008] Fourth, capturing malicious samples with existing technology requires a large amount of computing resources, and the cost of large-scale deployment of high-interaction honeypots is very high.



Examples


Embodiment Construction

[0048] Exemplary embodiments will be described in detail herein, examples of which are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings refer to the same or similar elements unless otherwise indicated. The implementations described in the illustrative examples below are not intended to represent all implementations consistent with this application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as recited in the appended claims.

[0049] Figure 1 is a schematic diagram of a device for capturing malicious samples through targeted dynamic deployment of honeypots according to an exemplary embodiment. As shown in Figure 1, this embodiment provides a device for capturing malicious samples through targeted dynamic deployment of honeypots, and the device includes a virtual honeypot, a central control system and a cl...


Abstract

This application relates to a device and method for capturing malicious samples through targeted dynamic deployment of honeypots. The device includes a virtual honeypot, a central control system, and a cloud deployment platform. The virtual honeypot captures attack activities and attack characteristics; the virtual honeypot uploads the captured attack signatures to the central control system; the central control system analyzes the uploaded attack signatures; the cloud deployment platform starts a high-interaction honeypot containing the vulnerability corresponding to the attack signature; and the virtual honeypot's traffic is directed into the started high-interaction honeypot, so that the corresponding high-interaction honeypot is infected. The invention pairs a low-interaction honeypot with high-interaction honeypots based on vulnerable services or systems: the low-interaction honeypot quickly discovers the presence of malicious samples, the cloud deployment platform quickly deploys a high-interaction honeypot based on the vulnerable service or system, and the low-interaction and high-interaction honeypots cooperate to capture malicious samples.
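The flow in the abstract (signature upload, analysis, on-demand start of a matching high-interaction honeypot, traffic redirection) can be sketched as follows. This is an added example, not code from the patent or its applicant; the catalogue, class names, signature ids, image names and addresses are all hypothetical, and reusing a running instance and queueing unmatched signatures are assumptions of the sketch.

```python
from dataclasses import dataclass, field

# Hypothetical catalogue: attack-signature id -> high-interaction honeypot image.
CATALOGUE = {
    "sig-smb-sample": "hih/vulnerable-smb-placeholder",
    "sig-web-sample": "hih/vulnerable-webapp-placeholder",
}

@dataclass
class CloudPlatform:
    """Stand-in for the cloud deployment platform (no real cloud API is called)."""
    running: dict = field(default_factory=dict)  # image -> instance address

    def start(self, image):
        # Assumption: one running instance per image is reused by later matching attacks.
        if image not in self.running:
            self.running[image] = f"10.99.0.{10 + len(self.running)}"
        return self.running[image]

@dataclass
class CentralControl:
    cloud: CloudPlatform
    redirects: dict = field(default_factory=dict)  # (src_ip, dst_port) -> instance
    unmatched: list = field(default_factory=list)

    def handle(self, event):
        """Analyse one uploaded signature and return the redirect target, if any."""
        image = CATALOGUE.get(event["signature"])
        if image is None:
            self.unmatched.append(event)  # no vulnerable image available: queue for review
            return None
        target = self.cloud.start(image)
        self.redirects[(event["src_ip"], event["dst_port"])] = target
        return target

# Constructed events, as a low-interaction (virtual) honeypot might upload them.
EVENTS = [
    {"src_ip": "203.0.113.7", "dst_port": 445, "signature": "sig-smb-sample"},
    {"src_ip": "198.51.100.9", "dst_port": 445, "signature": "sig-smb-sample"},
    {"src_ip": "203.0.113.7", "dst_port": 8080, "signature": "sig-web-sample"},
    {"src_ip": "192.0.2.44", "dst_port": 23, "signature": "sig-unknown-sample"},
]

def run(events):
    control = CentralControl(CloudPlatform())
    return control, [control.handle(e) for e in events]

if __name__ == "__main__":
    control, targets = run(EVENTS)
    print(targets, len(control.cloud.running), len(control.unmatched))
```

Two sources carrying the same signature share one high-interaction instance, which bears on the resource cost raised in [0008]; the unmatched event shows where a missing vulnerable image would surface for analysts.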

Description

Technical field

[0001] The invention belongs to the field of computer network security, and in particular relates to a device and method for capturing malicious samples through targeted dynamic deployment of honeypots.

Background technique

[0002] Honeypots are computer devices that are carefully designed and deployed to attract intruders to collect information for research and analysis or to extend the attacker's attack intent. Honeypots are divided into low-interaction honeypots, medium-interaction honeypots, and high-interaction honeypots according to their interaction capabilities. The main feature of low-interaction honeypots is simulation: the deception is implemented by simulating operating systems and services. The attacker has only a small amount of interaction with the honeypot, so the attack information obtained is relatively small, and this type is more suitable for capturing automated attack tools or attacks launched by network worms, low-interaction h...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L29/06, H04L29/08
CPC: H04L63/1416, H04L63/1433, H04L63/1491, H04L67/10
Inventor: 李春强, 丘国伟, 于磊
Owner: 北京经纬信安科技有限公司