Honeypot system of cloud computing platform and cloud access processing method and device
By creating, in the cloud computing platform, a specific VPC independent of the user's VPC in which the target ranges are deployed, deploying only lightweight probes in the user's VPC, and using a load balancing component to forward malicious access according to matched routing policies, the problems of user VPC performance degradation and unmaintainable target ranges are solved, and the security protection performance of multi-cloud systems is improved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- JD DIGITS HAIYI INFORMATION TECHNOLOGY CO LTD
- Filing Date
- 2022-09-23
- Publication Date
- 2026-06-12
AI Technical Summary
In cloud computing platforms, existing technologies deploy both probes and target ranges in the user's VPC, which degrades the performance of the user's VPC and leaves the target ranges unmaintainable.
A specific VPC independent of the user's VPC is created in the cloud computing platform and the target ranges are deployed there, while only lightweight probes are deployed in the user's VPC. A load balancing component forwards malicious access according to matched routing policies, preserving the performance of the user's VPC and the maintainability of the target ranges.
This resolves the performance degradation and maintainability issues caused by deploying target ranges in user VPCs, ensures the performance of user VPCs and the maintainability of target ranges, and improves the security protection performance of multi-cloud systems.
Abstract drawing: Figure CN115580457B_ABST
Description
Technical Field
[0001] This invention relates to the field of cloud computing technology, and in particular to a honeypot system for a cloud computing platform, as well as a cloud access processing method and apparatus.
Background Technology
[0002] A honeypot is a technique for enticing and recording attackers. It involves deploying decoy hosts, network services, or information to lure attackers into launching attacks. The attacker's actions are then captured and analyzed to understand their tools and methods, infer their intent and motives, and ultimately allow the defender to understand the security threats to their system. This enables targeted improvements to enhance the system's security capabilities. In practical applications, a honeypot system may consist of a honeynet comprised of probe components and multiple target range components. Probes monitor malicious access and forward it to the target ranges, which contain specific system vulnerabilities to lure attackers and record their attacks.
[0003] Currently, when deploying honeypots on cloud computing platforms, probes and target ranges can only be deployed in the user's VPC (Virtual Private Cloud). Since the target range is a heavyweight component, this deployment method affects the performance of the user's VPC. At the same time, the user's VPC does not grant access permissions to the administrator, making it impossible to maintain the target range.
Summary of the Invention
[0004] In view of this, embodiments of the present invention provide a honeypot system for a cloud computing platform, as well as a cloud access processing method and apparatus. By establishing a specific VPC independent of the user's VPC to deploy the target range, the target range does not need to be deployed in the user's VPC, thereby ensuring the performance of the user's VPC and the normal maintenance of the target range.
[0005] To achieve the above objectives, according to one aspect of the present invention, a cloud access processing method is provided.
[0006] The cloud access processing method of this invention is executed by a probe deployed in a user's Virtual Private Cloud (VPC) on a cloud computing platform. The method includes: in response to detecting a target access request for the VPC, determining a target policy matching the target access request from at least one pre-acquired routing policy, and determining the target range address contained in the target policy as the destination address; wherein the cloud computing platform further includes a specific VPC independent of the user's VPC, the specific VPC having at least one cloud host on which a target range is pre-deployed, the target range and the probe forming a honeypot system; and forwarding the target access request to the destination target range indicated by the destination address over a pre-established transmission channel between the probe and that target range, so that the destination target range records the behavioral data of the initiator of the target access request.
[0007] Optionally, the routing policy represents the mapping relationship between the feature information of the access request and the target address; and the step of determining the target policy matching the target access request from at least one pre-acquired routing policy includes: determining the routing policy whose feature information is consistent with the feature information of the target access request as the target policy.
[0008] Optionally, the method further includes: periodically obtaining the latest routing policy from the cloud host where a target range is located, using a pre-established transmission channel between the probe and any target range in the specific VPC; wherein the latest routing policy is written to a preset database after being configured on the front-end page, and is read from the database and stored locally by the cloud host where the target range is located.
[0009] Optionally, the method further includes: if a new target range is determined from the latest routing policy, establishing a transmission channel between the probe and the new target range using the target range address of the new target range in the latest routing policy; and if a deleted target range is determined from the latest routing policy, closing the pre-established transmission channel between the probe and the deleted target range.
[0010] Optionally, the user's VPCs are created by multiple cloud service providers, and a probe is deployed in a user VPC in the form of an installation package or a container engine. The honeypot system further includes a probe deployed in the user's Internet Data Center (IDC); the target range address includes the target range's IP address and port, and the specific VPC further has a load balancing component for forwarding the target access request.
[0011] To achieve the above objectives, according to another aspect of the present invention, a cloud access processing apparatus is provided.
[0012] The cloud access processing apparatus of this invention is configured on a probe deployed in a user's Virtual Private Cloud (VPC) on a cloud computing platform. The apparatus includes: a matching unit, configured to, in response to detecting a target access request for the VPC, determine a target policy matching the target access request from at least one pre-acquired routing policy, and determine the target range address contained in the target policy as the destination address; wherein the cloud computing platform further includes a specific VPC independent of the user's VPC, the specific VPC having at least one cloud host on which a target range is pre-deployed, the target range and the probe forming a honeypot system; and a forwarding unit, configured to forward the target access request to the destination target range indicated by the destination address over a pre-established transmission channel between the probe and that target range, so that the destination target range records the behavioral data of the initiator of the target access request.
[0013] To achieve the above objectives, according to another aspect of the present invention, a honeypot system for a cloud computing platform is provided.
[0014] The honeypot system of the cloud computing platform in this embodiment of the invention includes probes and target ranges. The cloud computing platform includes virtual private clouds (VPCs) of multiple users and a specific VPC independent of the users' VPCs; wherein probes are deployed in the users' VPCs, the specific VPC has at least one cloud host, and each cloud host deploys at least one target range; after detecting a target access request for its VPC, the probe forwards the target access request to a destination target range among the target ranges, so that the destination target range records the behavioral data of the initiator of the target access request.
[0015] Optionally, the specific VPC further includes: a load balancing component that connects the probe and the target range and is used to forward the target access request; each cloud host in the specific VPC is isolated by a security group.
[0016] Optionally, the user's VPCs are created by multiple cloud service providers, and a probe is deployed in a user VPC in the form of an installation package or a container engine; the system further includes a probe deployed in the user's Internet Data Center (IDC), which, after detecting a specific access request for the IDC, forwards the specific access request to a corresponding target range in the specific VPC, so that the corresponding target range records the behavioral data of the initiator of the specific access request.
[0017] Optionally, the probe deployed in the user's VPC determines the target policy that the target access request matches from at least one pre-acquired routing policy, determines the target range address contained in the target policy as the destination address, and uses the pre-established transmission channel between the probe and the target range indicated by the destination address to forward the target access request to the target range through the load balancing component.
[0018] Optionally, the routing policy represents the mapping relationship between the feature information of the access request and the target range address; the probe deployed in the user's VPC determines the routing policy whose feature information is consistent with the feature information of the target access request as the target policy; the probe uses a pre-established transmission channel with any target range in the specific VPC to periodically obtain the latest routing policy from the cloud host where that target range is located; wherein the latest routing policy is written to a preset database after being configured on the front-end page, and is read from the database and stored locally by the cloud host where the target range is located.
[0019] To achieve the above objectives, according to another aspect of the present invention, an electronic device is provided.
[0020] An electronic device according to the present invention includes: one or more processors; and a storage device for storing one or more programs, wherein when the one or more programs are executed by the one or more processors, the one or more processors implement the cloud access processing method provided by the present invention.
[0021] To achieve the above objectives, according to another aspect of the present invention, a computer-readable storage medium is provided.
[0022] The present invention provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the cloud access processing method provided by the present invention.
[0023] According to the technical solution of the present invention, the embodiments described above have the following advantages or beneficial effects:
[0024] In a cloud computing platform, a specific VPC, independent of the user's VPC, is created by an administrator account to deploy the heavyweight component of the honeypot system, the target range. Only lightweight probes need to be deployed in the user's VPC. The probes use routing policies configured on the web interface to locate the target range for malicious access (i.e., target access requests) and forward the malicious access through the load balancing component in the specific VPC. This solves the performance degradation and maintainability issues associated with deploying the target range in the user's VPC, ensuring both user VPC performance and the maintainability of the target range. To maximize data security in the user's VPC, the link by which the probe obtains the routing policy is the same as the link used to forward malicious requests. Specifically, the routing policy configured on the front-end page is written to the database and then retrieved by the cloud host that deploys the target range in the specific VPC; the probe then pulls the routing policy from that cloud host. This allows the routing policy to be transmitted through the existing transmission channel between the user's VPC and the specific VPC, avoiding additional access channels into the user's VPC. Furthermore, the embodiments of the present invention design a matching method between probes and target ranges based on routing policies, as well as the processing logic for probes when target ranges are added or deleted. Moreover, because only lightweight probes are deployed in user VPCs, the above honeypot deployment scheme can also be applied to multi-cloud systems, which helps to improve the security protection performance of multi-cloud systems.
[0025] The further effects of the above non-conventional optional means will be described below in conjunction with specific embodiments.
Description of the Drawings
[0026] The accompanying drawings are provided to better understand the invention and are not intended to unduly limit the scope of the invention. Wherein:
[0027] Figure 1 is a schematic diagram of the honeypot system of the cloud computing platform in an embodiment of the present invention;
[0028] Figure 2 is a schematic diagram of the main steps of the cloud access processing method in an embodiment of the present invention;
[0029] Figure 3 is a schematic diagram of the components of the cloud access processing apparatus in an embodiment of the present invention;
[0030] Figure 4 is an exemplary system architecture diagram to which embodiments of the present invention can be applied;
[0031] Figure 5 is a schematic diagram of the structure of the electronic device used to implement the cloud access processing method in the embodiments of the present invention.
Detailed Description
[0032] The following description, in conjunction with the accompanying drawings, illustrates exemplary embodiments of the present invention, including various details to aid understanding. These details should be considered merely exemplary. Therefore, those skilled in the art will recognize that various changes and modifications can be made to the embodiments described herein without departing from the scope and spirit of the invention. Similarly, for clarity and brevity, descriptions of well-known functions and structures are omitted in the following description.
[0033] It should be noted that, unless otherwise specified, the embodiments of the present invention and the technical features thereof can be combined with each other.
[0034] Figure 1 is a schematic diagram of the honeypot system of the cloud computing platform in an embodiment of the present invention. As shown in Figure 1, a cloud computing platform serves multiple users, each of whom has at least one VPC in which components such as cloud hosts (i.e., cloud servers) and cloud databases are created. In the field of cloud computing technology, a VPC is a user's private network: an isolated virtual network environment built for resources such as cloud hosts, cloud containers, and cloud databases, which is configured and managed by the user. It improves the security of the user's cloud resources and simplifies the user's network deployment. Because a user's VPC is the user's private network, it generally does not grant regular access permissions to the outside world (including administrators).
[0035] A honeypot is a technique for inducing and recording attackers. By deploying decoy hosts, network services, or information, it lures attackers into launching attacks, so that the attack behavior can be captured and analyzed. This lets the defender understand the tools and methods the attacker uses, infer the attacker's intentions and motives, and ultimately learn the security threats facing their system, enabling targeted improvements to its security capabilities. In specific applications, a honeypot system may include a honeynet consisting of probe components and multiple target range components. Probes monitor malicious access and forward it to the target ranges. Different target ranges provide realistic system vulnerability environments that induce attackers to launch attacks, which are then recorded. The honeypot system in this embodiment is therefore a high-interaction honeypot system: it does not merely simulate certain protocols or services but provides a realistic system to attack, allowing the attacker's methods to be understood and targeted protection to be built.
[0036] In the existing cloud computing platform honeypot deployment process, probes and target ranges are generally deployed in the user's VPC. Since the target range is a heavyweight component, this deployment method will affect the performance of the user's VPC. At the same time, the user's VPC does not grant access permissions to the administrator, making it impossible to maintain the target range.
[0037] Based on the above considerations, in the technical solution of this invention, a specific VPC is created on the cloud computing platform using an administrator account. This specific VPC is completely independent of the user VPCs and is used only for the deployment of the honeypot system; no business system is deployed in it, so that the honeypot cannot affect business systems. Specifically, one or more cloud hosts are created in the specific VPC, and each cloud host is placed in a security group to isolate it and prevent an attacker from moving laterally after a successful attack. Each cloud host deploys one or more target ranges. In practice, to ensure high availability of the target ranges, only one target range may be deployed per cloud host. It is understood that different target ranges generally have different types of vulnerability environments set up to lure the corresponding attackers and attack behaviors. In specific applications, the container management tool Kubernetes can be used to uniformly maintain each target range and generate an IP address (which can be a virtual IP address) and port for each target range. This IP address and port constitute the target range address, which is used to locate the target range.
[0038] By deploying a heavyweight target range within a honeypot system on a specific VPC, the availability and maintainability issues associated with deploying target ranges on user VPCs can be resolved. Only lightweight probes need to be deployed on the user VPC, without impacting its performance. Probes can be deployed via installation packages or container engines (such as Docker). Generally, only one probe needs to be deployed in a VPC to monitor and forward malicious access. Of course, multiple probes can be deployed in larger VPCs. Additionally, probes can be deployed in the user's Internet Data Center (IDC). Probes deployed in the IDC have similar functionality to those deployed in the user's VPC, and they also form a honeypot system with the target range within the specific VPC.
[0039] Within the specific VPC, a load balancing component is connected to the probes and the target ranges to perform request forwarding and execute load balancing policies. The load balancing component can listen on different ports for protocols such as TCP (Transmission Control Protocol), UDP (User Datagram Protocol), TLS (Transport Layer Security), HTTP (Hypertext Transfer Protocol), and HTTPS (HTTP over Secure Socket Layer), so that forwarding and load balancing decisions can be made per listener.
[0040] In this embodiment of the invention, probes deployed in user VPCs and user IDCs, upon detecting malicious access, forward the malicious access to the corresponding target range for processing. The routing method of the target range is described below. Taking a probe deployed in a user VPC as an example, firstly, the probe checks whether the user VPC it resides in has received a target access request. In practical applications, the target access request can be a malicious access request. If the probe detects a target access request, it forwards the target access request to the destination target range in the specific VPC, so that the destination target range records the behavioral data of the initiator of the target access request (i.e., the attacker). It can be understood that the above behavioral data can include the attacker's relevant operations and actions, and can also include the attacker's characteristics such as IP address.
[0041] As a preferred solution, probes deployed in a user's VPC can use locally pre-stored routing policies to locate the destination target range. These routing policies characterize the mapping relationship between access request features (e.g., request frequency) and target range addresses. Specifically, after detecting a target access request, the probe deployed in the user's VPC first obtains the target access request's feature information through preset logic. Then it determines the target policy matching the target access request from at least one pre-obtained routing policy; for example, the routing policy whose feature information matches that of the target access request is taken as the target policy. Subsequently, the probe determines the target range address contained in the target policy as the destination address, which is the address of the destination target range.
[0042] After the target range is determined, the probes deployed in the user's VPC can use the pre-established transmission channel between the probes and the target range to forward the target access requests to the target range through the load balancing component, thereby realizing the honeypot function.
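The matching and forwarding steps of paragraphs [0041] and [0042], worked through as an added example; this is illustration code written for this page, not code from the patent or its assignee. It assumes, as a hypothetical choice, that the "feature information" of a request is its protocol and destination port (the patent gives request frequency as one example and leaves the rest open), that routing policies are held in an in-memory list, and that the transmission channel to a target range is a simulated object rather than a real connection through the load balancing component. It also shows the two cases the paragraphs imply but do not spell out: a request that matches no policy, and a policy whose channel is not open.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TargetRangeAddress:
    """IP address and port that locate one target range in the specific VPC."""
    ip: str
    port: int


@dataclass(frozen=True)
class RoutingPolicy:
    """Maps access-request feature information to a target range address.

    Hypothetical feature choice: protocol and destination port of the request.
    """
    protocol: str
    dst_port: int
    target: TargetRangeAddress


@dataclass(frozen=True)
class AccessRequest:
    src_ip: str
    protocol: str
    dst_port: int
    payload: bytes


class Channel:
    """Simulated pre-established transmission channel from the probe, through the
    load balancing component of the specific VPC, to one target range."""

    def __init__(self, target: TargetRangeAddress) -> None:
        self.target = target
        self.delivered: List[AccessRequest] = []  # stands in for the range's log

    def send(self, request: AccessRequest) -> None:
        # A real channel would write to a TCP/TLS connection; here the target
        # range's behaviour record is simply the list of requests it received.
        self.delivered.append(request)


def extract_features(request: AccessRequest) -> Tuple[str, int]:
    """Preset feature-extraction logic (hypothetical: protocol + destination port)."""
    return (request.protocol, request.dst_port)


def match_policy(request: AccessRequest,
                 policies: List[RoutingPolicy]) -> Optional[RoutingPolicy]:
    """Return the first policy whose feature information equals the request's."""
    features = extract_features(request)
    for policy in policies:
        if (policy.protocol, policy.dst_port) == features:
            return policy
    return None


class Probe:
    """Lightweight probe in the user VPC: matches a request and forwards it."""

    def __init__(self, policies: List[RoutingPolicy],
                 channels: Dict[TargetRangeAddress, Channel]) -> None:
        self.policies = list(policies)
        self.channels = dict(channels)

    def handle(self, request: AccessRequest) -> str:
        policy = match_policy(request, self.policies)
        if policy is None:
            # No policy covers this traffic: the probe must not guess a target
            # range, so the request is not forwarded (it can be logged locally).
            return "unmatched"
        channel = self.channels.get(policy.target)
        if channel is None:
            # The policy exists but its channel was never established or has
            # been closed; forwarding waits until the policy sync reopens it.
            return "no-channel"
        channel.send(request)
        return f"forwarded:{policy.target.ip}:{policy.target.port}"


# Constructed sample data (not from the patent): two target ranges, three requests.
SSH_RANGE = TargetRangeAddress("10.200.0.11", 2222)
WEB_RANGE = TargetRangeAddress("10.200.0.12", 8080)
POLICIES = [RoutingPolicy("tcp", 22, SSH_RANGE), RoutingPolicy("tcp", 80, WEB_RANGE)]
CHANNELS = {SSH_RANGE: Channel(SSH_RANGE), WEB_RANGE: Channel(WEB_RANGE)}
REQUESTS = [
    AccessRequest("203.0.113.5", "tcp", 22, b"SSH-2.0-scanner"),
    AccessRequest("203.0.113.5", "tcp", 80, b"GET / HTTP/1.1"),
    AccessRequest("203.0.113.9", "udp", 161, b"\x30\x26"),  # no policy for this
]


def run_demo() -> List[str]:
    probe = Probe(POLICIES, CHANNELS)
    return [probe.handle(r) for r in REQUESTS]


if __name__ == "__main__":
    for req, outcome in zip(REQUESTS, run_demo()):
        print(f"{req.src_ip} {req.protocol}/{req.dst_port} -> {outcome}")
```

The first-match rule in `match_policy` means policy order matters when two policies share feature information; an operator configuring the front-end page would want the policy store to reject such overlaps rather than rely on ordering.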
[0043] Preferably, the above routing policy can be configured and used in the following way. First, staff configure the routing policy through a front-end page (the front-end component executing this function is the policy configuration component). The configured routing policy is then written to a preset database. Subsequently, the cloud hosts in the specific VPC periodically pull the latest routing policy from the database and store it locally. Meanwhile, each probe periodically pulls the latest routing policy through the pre-established transmission channel between the probe and any target range within the specific VPC. As can be seen, the path by which the probe obtains the routing policy is the same as the path used to forward the target access request. This minimizes external access channels into the user's VPC, thereby ensuring the data security of the user's VPC.
[0044] In real-world scenarios, when a probe determines from the latest routing policy that a new target range exists, it can establish a transmission channel between the probe and the new target range using the target range address in the latest routing policy, facilitating subsequent request forwarding. After the transmission channel is established, the probe can periodically check its availability and reopen it if it detects that the channel is unavailable due to a fault. When the probe determines from the latest routing policy that a target range is to be deleted (a target range that is about to be deleted), it closes the pre-established transmission channel between the probe and the deleted target range to conserve resources.
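The policy distribution path of paragraph [0043] and the add/delete handling of paragraph [0044], as an added example written for this page rather than taken from the patent. It simulates the front-end writing policies to a database, a cloud host in the specific VPC caching them locally, and a probe that pulls the latest set through any open channel, opens channels for target ranges that appear, closes channels for target ranges that disappear, and reopens channels that have faulted. Assumptions labelled in the code: feature information is protocol plus destination port, all target ranges live on a single cloud host, and the database and channels are in-memory stand-ins. The case where a probe has no open channel at all (so it cannot pull a policy) is handled explicitly.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TargetRangeAddress:
    ip: str
    port: int


@dataclass(frozen=True)
class RoutingPolicy:
    # Hypothetical feature information: protocol and destination port.
    protocol: str
    dst_port: int
    target: TargetRangeAddress


class CloudHost:
    """Cloud host in the specific VPC. It reads the routing policies that the
    front-end page wrote to the database, keeps a local copy, and serves that
    copy to probes over the channels they already have."""

    def __init__(self) -> None:
        self.local_policies: Tuple[RoutingPolicy, ...] = ()

    def pull_from_database(self, database: Dict[str, List[RoutingPolicy]]) -> None:
        self.local_policies = tuple(database["routing_policies"])

    def serve_policies(self) -> Tuple[RoutingPolicy, ...]:
        return self.local_policies


class Channel:
    """Transmission channel from the probe to one target range; `host` is the
    cloud host on which that target range is located."""

    def __init__(self, target: TargetRangeAddress, host: CloudHost) -> None:
        self.target = target
        self.host = host
        self.open = True

    def close(self) -> None:
        self.open = False


class Probe:
    def __init__(self, policies: List[RoutingPolicy], host: CloudHost) -> None:
        self.policies: Tuple[RoutingPolicy, ...] = tuple(policies)
        # Simplification: every target range in this example lives on one
        # cloud host, so every channel points at the same host object.
        self.channels: Dict[TargetRangeAddress, Channel] = {
            p.target: Channel(p.target, host) for p in self.policies
        }

    def sync_policies(self) -> Optional[Tuple[List[TargetRangeAddress],
                                              List[TargetRangeAddress]]]:
        """Pull the latest policies through any open channel, then open channels
        for new target ranges and close channels for deleted ones.

        Returns (added, removed) target addresses, or None when no channel is
        open, in which case the probe keeps the policies it already has."""
        channel = next((c for c in self.channels.values() if c.open), None)
        if channel is None:
            return None
        latest = channel.host.serve_policies()
        old_targets = {p.target for p in self.policies}
        new_targets = {p.target for p in latest}
        by_addr = lambda t: (t.ip, t.port)
        added = sorted(new_targets - old_targets, key=by_addr)
        removed = sorted(old_targets - new_targets, key=by_addr)
        for target in added:
            self.channels[target] = Channel(target, channel.host)
        for target in removed:
            self.channels.pop(target).close()  # release the resources
        self.policies = tuple(latest)
        return added, removed

    def check_channels(self) -> List[TargetRangeAddress]:
        """Periodic availability check: reopen channels that have faulted."""
        reopened = []
        for target, channel in list(self.channels.items()):
            if not channel.open:
                self.channels[target] = Channel(target, channel.host)
                reopened.append(target)
        return reopened


# Constructed sample data (not from the patent).
RANGE_A = TargetRangeAddress("10.200.0.11", 2222)
RANGE_B = TargetRangeAddress("10.200.0.12", 8080)
RANGE_C = TargetRangeAddress("10.200.0.13", 3306)


def run_demo():
    database = {"routing_policies": [RoutingPolicy("tcp", 22, RANGE_A),
                                     RoutingPolicy("tcp", 80, RANGE_B)]}
    host = CloudHost()
    host.pull_from_database(database)
    probe = Probe([RoutingPolicy("tcp", 22, RANGE_A)], host)  # bootstrap policy
    first = probe.sync_policies()                              # B is new
    # Staff edit the front-end page: A is deleted, C is added.
    database["routing_policies"] = [RoutingPolicy("tcp", 80, RANGE_B),
                                    RoutingPolicy("tcp", 3306, RANGE_C)]
    host.pull_from_database(database)
    second = probe.sync_policies()                             # C new, A gone
    probe.channels[RANGE_B].open = False                       # simulate a fault
    reopened = probe.check_channels()
    return first, second, reopened, sorted(probe.channels, key=lambda t: (t.ip, t.port))


if __name__ == "__main__":
    print(run_demo())
```

Because the probe fetches policies over the same channel set it forwards on, losing every channel also loses the ability to learn about replacement target ranges; a deployment would therefore keep at least one channel to a stable target range, or a bootstrap policy, so that `sync_policies` never returns `None` for long.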
[0045] Furthermore, the honeypot system of this invention can also be applied to multi-cloud systems, that is, multiple user VPCs of a cloud computing platform are created by multiple cloud service providers. It is understood that the solution of this invention only deploys lightweight probes in user VPCs, thus enabling the integration of highly interactive honeypot functionality into multi-cloud systems, which helps improve the security performance of multi-cloud systems.
[0046] In the technical solution of this invention, a heavyweight component of the honeypot system—the target range—is deployed in a specific VPC independent of the user's VPC within a cloud computing platform using an administrator account. Only a lightweight probe needs to be deployed in the user's VPC. The probe locates the target range for malicious access through routing policies configured on the web interface and forwards the malicious access via a load balancing component in the specific VPC. This solves the performance degradation and maintainability issues caused by deploying the target range in the user's VPC, ensuring both user VPC performance and the maintainability of the target range. To maximize data security in the user's VPC, the link for the probe to obtain the routing policy is consistent with the link for forwarding malicious requests. Specifically, the routing policy configured on the front-end page is written to the database and then obtained by the cloud host deploying the target range in the specific VPC. The probe then pulls the routing policy from the cloud host. This allows the routing policy to be transmitted through the existing transmission channel between the user's VPC and the specific VPC, avoiding the addition of extra access channels in the user's VPC. Furthermore, the embodiments of the present invention further design a matching method between probes and target ranges based on routing policies, as well as the processing logic for probes when adding or deleting target ranges. Moreover, based on the lightweight nature of deploying probes only in user VPCs, the above honeypot deployment scheme can also be applied to multi-cloud systems, which helps to improve the security protection performance of multi-cloud systems.
[0047] Figure 2 This is a schematic diagram of the main steps of the cloud access processing method according to an embodiment of the present invention.
[0048] As shown in Figure 2, the cloud access processing method of this invention can be executed by a probe deployed in a user's Virtual Private Cloud (VPC) on a cloud computing platform. The specific steps are as follows:
[0049] Step S201: In response to detecting a target access request for the VPC, determine the target policy matching the target access request from at least one pre-acquired routing policy, and determine the target range address contained in the target policy as the destination address; wherein the cloud computing platform further includes a specific VPC independent of the user's VPC, the specific VPC having at least one cloud host on which a target range is pre-deployed, the target range and the probe forming a honeypot system.
Step S202: Forward the target access request to the destination target range indicated by the destination address over a pre-established transmission channel between the probe and that target range, so that the destination target range records the behavioral data of the initiator of the target access request.
Since the execution details have been described above, they are not repeated here.
[0050] In this embodiment of the invention, the routing policy represents the mapping relationship between the feature information of the access request and the target address; and the step of determining the target policy matching the target access request from at least one pre-acquired routing policy includes: determining the routing policy whose feature information is consistent with the feature information of the target access request as the target policy.
[0051] In a specific application, the method further includes: periodically obtaining the latest routing policy from the cloud host where a target range is located, using a pre-established transmission channel between the probe and any target range in the specific VPC; wherein the latest routing policy is written to a preset database after being configured on the front-end page, and is read from the database and stored locally by the cloud host where the target range is located.
[0052] As a preferred embodiment, the method further includes: if a new target range is determined from the latest routing policy, establishing a transmission channel between the probe and the new target range using the target range address of the new target range in the latest routing policy; and if a target range is determined from the latest routing policy to be deleted, closing the pre-established transmission channel between the probe and the deleted target range.
[0053] Furthermore, in this embodiment of the invention, the user's VPCs are created by multiple cloud service providers, and a probe is deployed in a user VPC in the form of an installation package or a container engine. The honeypot system further includes a probe deployed in the user's Internet Data Center (IDC); the target range address includes the target range's IP address and port, and the specific VPC further has a load balancing component for forwarding the target access request.
[0054] According to the technical solution of this invention, a heavyweight component of the honeypot system—the target range—is deployed in a specific VPC independent of the user's VPC within a cloud computing platform using an administrator account. Only a lightweight probe needs to be deployed in the user's VPC. The probe locates the target range for malicious access through routing policies configured on the web interface and forwards the malicious access via a load balancing component in the specific VPC. This solves the performance degradation and maintainability issues caused by deploying the target range in the user's VPC, ensuring both user VPC performance and the maintainability of the target range. To maximize data security in the user's VPC, the link for the probe to obtain the routing policy is consistent with the link for forwarding malicious requests. Specifically, the routing policy configured on the front-end page is written to the database and then obtained by the cloud host deploying the target range in the specific VPC. The probe then pulls the routing policy from the cloud host. This allows the routing policy to be transmitted through the existing transmission channel between the user's VPC and the specific VPC, avoiding the addition of extra access channels in the user's VPC. Furthermore, the embodiments of the present invention further design a matching method between probes and target ranges based on routing policies, as well as the processing logic for probes when adding or deleting target ranges. Moreover, based on the lightweight nature of deploying probes only in user VPCs, the above honeypot deployment scheme can also be applied to multi-cloud systems, which helps to improve the security protection performance of multi-cloud systems.
[0055] It should be noted that, for the sake of ease of description, the foregoing method embodiments are described as a series of actions. However, those skilled in the art should understand that the present invention is not limited to the described order of actions, and some steps may actually be performed in other orders or simultaneously. Furthermore, those skilled in the art should also understand that the embodiments described in the specification are preferred embodiments, and the actions and modules involved are not necessarily essential for implementing the present invention.
[0056] To facilitate better implementation of the above-described solutions of the embodiments of the present invention, related apparatus for implementing the above-described solutions is also provided below.
[0057] As shown in Figure 3, the cloud access processing device 300 provided in this embodiment of the invention is arranged on the probe in the virtual private cloud (VPC) of a user of the cloud computing platform, and may include: a matching unit 301 and a forwarding unit 302.
[0058] The matching unit 301 can be used to: in response to detecting a target access request for the VPC, determine the target policy matching the target access request from at least one pre-acquired routing policy, and determine the target range address contained in the target policy as the destination address; wherein the cloud computing platform further includes a specific VPC independent of the user's VPC, the specific VPC having at least one cloud host with a pre-deployed target range, the target range and the probe forming a honeypot system. The forwarding unit 302 can be used to: forward the target access request to the target range indicated by the destination address using a pre-established transmission channel between the probe and that target range, so that the target range records the behavioral data of the initiator of the target access request.
[0059] In practical applications, the routing policy represents the mapping relationship between the feature information of an access request and a target range address; the matching unit 301 can be further used to: determine the routing policy whose feature information is consistent with the feature information of the target access request as the target policy.
[0060] Preferably, the device 300 may further include a policy acquisition unit, configured to: periodically acquire the latest routing policy from the cloud host where a target range is located, using a pre-established transmission channel between the probe and any target range in the specific VPC; wherein the latest routing policy is written to a preset database after being configured on the front-end page, and is read from the database and stored locally by the cloud host where the target range is located.
[0061] In one embodiment, the device 300 may further include a channel management unit, configured to: if a new target range is determined from the latest routing policy, establish a transmission channel between the probe and the new target range using the target range address of the new target range in the latest routing policy; and if a deleted target range is determined from the latest routing policy, close the pre-established transmission channel between the probe and the deleted target range.
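As an added illustration (not code from the patent or from its assignee), the following Python sketch models the probe-side units of paragraphs [0058] to [0061]: the matching unit, the forwarding unit, the policy acquisition unit and the channel management unit. The policy fields, the Channel and PolicyHost stand-ins, and every address are constructed assumptions; the patent fixes no wire format or policy schema.

```python
# Added example, not the patent's own code: probe-side model of routing-policy
# matching, forwarding over pre-established channels, periodic policy
# acquisition and channel add/delete reconciliation. All names, fields and
# addresses below are assumptions chosen for this illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Address = Tuple[str, int]  # target range address: (IP, port)


@dataclass(frozen=True)
class RoutingPolicy:
    """Maps feature information of an access request to a target range address."""
    dst_port: int     # feature information: port the request arrived on
    protocol: str     # feature information: transport protocol
    target_ip: str    # target range address inside the specific VPC
    target_port: int

    @property
    def target_address(self) -> Address:
        return (self.target_ip, self.target_port)


@dataclass(frozen=True)
class AccessRequest:
    """An access request observed by the probe in the user's VPC."""
    src_ip: str
    dst_port: int
    protocol: str


class Channel:
    """Stand-in for a pre-established transmission channel to one target range.
    A real probe would keep a persistent connection here (assumption)."""

    def __init__(self, address: Address) -> None:
        self.address = address
        self.is_open = True
        # What the target range records: (initiator IP, requested port).
        self.records: List[Tuple[str, int]] = []

    def send(self, request: AccessRequest) -> None:
        if not self.is_open:
            raise RuntimeError(f"channel to {self.address} is closed")
        self.records.append((request.src_ip, request.dst_port))

    def close(self) -> None:
        self.is_open = False


class PolicyHost:
    """Stand-in for a cloud host in the specific VPC that has read the latest
    routing policy from the database and stores it locally (assumption)."""

    def __init__(self, policies: List[RoutingPolicy]) -> None:
        self._policies = list(policies)

    def latest_policies(self) -> List[RoutingPolicy]:
        return list(self._policies)


class Probe:
    def __init__(self) -> None:
        self.policies: List[RoutingPolicy] = []
        self.channels: Dict[Address, Channel] = {}

    # Matching unit: the policy whose feature information is consistent with
    # the request's feature information is the target policy.
    def match(self, request: AccessRequest) -> Optional[RoutingPolicy]:
        for policy in self.policies:
            if (policy.dst_port, policy.protocol) == (request.dst_port, request.protocol):
                return policy
        return None

    # Forwarding unit: send the request down the pre-established channel to
    # the target range named by the destination address.
    def forward(self, request: AccessRequest) -> Optional[Address]:
        policy = self.match(request)
        if policy is None:
            return None  # no routing policy covers this request; nothing is forwarded
        self.channels[policy.target_address].send(request)
        return policy.target_address

    # Channel management unit: diff target range addresses between the current
    # and the latest policy, opening channels for new ranges and closing
    # channels for deleted ones.
    def apply_policies(self, latest: List[RoutingPolicy]) -> Tuple[Set[Address], Set[Address]]:
        old = {p.target_address for p in self.policies}
        new = {p.target_address for p in latest}
        added, removed = new - old, old - new
        for address in added:
            self.channels[address] = Channel(address)
        for address in removed:
            self.channels.pop(address).close()
        self.policies = list(latest)
        return added, removed

    # Policy acquisition unit: pull the latest policy from a target range host
    # (over the same channel used for forwarding) and reconcile channels.
    def refresh(self, host: PolicyHost) -> Tuple[Set[Address], Set[Address]]:
        return self.apply_policies(host.latest_policies())


if __name__ == "__main__":
    # Constructed sample: two decoy services mapped to target ranges.
    probe = Probe()
    host = PolicyHost([RoutingPolicy(22, "tcp", "10.200.0.10", 2222),
                       RoutingPolicy(3306, "tcp", "10.200.0.11", 3306)])
    print("channels opened/closed:", probe.refresh(host))
    print("forwarded to:", probe.forward(AccessRequest("198.51.100.7", 22, "tcp")))
```

The reconciliation step is keyed on target range addresses rather than on whole policies, so editing the feature information of an existing policy does not tear down and rebuild its channel; only a genuinely new or removed target range changes the channel set, which is what paragraph [0061] describes.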
[0062] Furthermore, in this embodiment of the invention, the user's VPC is created by multiple cloud service providers, and a probe is deployed in one of the user's VPCs in the form of an installation package or a container engine. The honeypot system further includes: a probe deployed in the user's Internet Data Center (IDC); the target address includes the target's IP address and port, and the specific VPC further has a load balancing component for forwarding the target access request.
[0063] According to the technical solution of this invention, a heavyweight component of the honeypot system—the target range—is deployed in a specific VPC independent of the user's VPC within a cloud computing platform using an administrator account. Only a lightweight probe needs to be deployed in the user's VPC. The probe locates the target range for malicious access through routing policies configured on the web interface and forwards the malicious access via a load balancing component in the specific VPC. This solves the performance degradation and maintainability issues caused by deploying the target range in the user's VPC, ensuring both user VPC performance and the maintainability of the target range. To maximize data security in the user's VPC, the link for the probe to obtain the routing policy is consistent with the link for forwarding malicious requests. Specifically, the routing policy configured on the front-end page is written to the database and then obtained by the cloud host deploying the target range in the specific VPC. The probe then pulls the routing policy from the cloud host. This allows the routing policy to be transmitted through the existing transmission channel between the user's VPC and the specific VPC, avoiding the addition of extra access channels in the user's VPC. Furthermore, the embodiments of the present invention further design a matching method between probes and target ranges based on routing policies, as well as the processing logic for probes when adding or deleting target ranges. Moreover, based on the lightweight nature of deploying probes only in user VPCs, the above honeypot deployment scheme can also be applied to multi-cloud systems, which helps to improve the security protection performance of multi-cloud systems.
[0064] Figure 4 shows an exemplary system architecture 400 to which the cloud access processing method or cloud access processing apparatus of the present invention can be applied.
[0065] As shown in Figure 4, system architecture 400 may include terminal devices 401, 402, and 403, network 404, and server 405 (this architecture is merely an example; the components included in a specific architecture may be adjusted according to the specific application). Network 404 serves as the medium for providing a communication link between terminal devices 401, 402, and 403 and server 405. Network 404 may include various connection types, such as wired or wireless communication links or fiber optic cables.
[0066] Attackers can use terminal devices 401, 402, and 403 to interact with server 405 via network 404 to receive or send messages, etc. Various communication client applications can be installed on terminal devices 401, 402, and 403.
[0067] Terminal devices 401, 402, and 403 can be various electronic devices with displays that support web browsing, including but not limited to smartphones, tablets, laptops, and desktop computers.
[0068] Server 405 can be a server providing various services, such as a cloud server in a cloud computing platform with a pre-deployed honeypot system. The cloud server can process received access requests through the target range and record attacker behavior data for subsequent analysis.
[0069] It should be noted that the cloud access processing method provided in this embodiment of the invention is generally executed by server 405, and correspondingly, the cloud access processing device is generally located in server 405.
[0070] It should be understood that the numbers of terminal devices, networks, and servers shown in Figure 4 are merely illustrative. Any number of terminal devices, networks, and servers may be included, depending on implementation needs.
[0071] The present invention also provides an electronic device. The electronic device according to an embodiment of the present invention includes: one or more processors; and a storage device for storing one or more programs, wherein when the one or more programs are executed by the one or more processors, the one or more processors implement the cloud access processing method provided by the present invention.
[0072] Reference is now made to Figure 5, which shows a schematic structural diagram of a computer system 500 suitable for implementing an electronic device according to embodiments of the present invention. The electronic device shown in Figure 5 is merely an example and should not be construed as limiting the functionality and scope of use of the embodiments of the present invention.
[0073] As shown in Figure 5, the computer system 500 includes a central processing unit (CPU) 501, which can perform various appropriate actions and processes based on programs stored in read-only memory (ROM) 502 or programs loaded from storage section 508 into random access memory (RAM) 503. The RAM 503 also stores various programs and data required for the operation of the computer system 500. The CPU 501, ROM 502, and RAM 503 are interconnected via a bus 504. An input/output (I/O) interface 505 is also connected to the bus 504.
[0074] The following components are connected to I/O interface 505: an input section 506 including a keyboard, mouse, etc.; an output section 507 including a cathode ray tube (CRT), liquid crystal display (LCD), etc., and speakers, etc.; a storage section 508 including a hard disk, etc.; and a communication section 509 including a network interface card such as a LAN card, modem, etc. The communication section 509 performs communication processing via a network such as the Internet. A drive 510 is also connected to I/O interface 505 as needed. A removable medium 511, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., is installed on drive 510 as needed so that computer programs read from it can be installed into storage section 508 as needed.
[0075] In particular, according to the embodiments disclosed in this invention, the processes described in the above main step diagrams can be implemented as computer software programs. For example, embodiments of this invention include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the methods shown in the main step diagrams. In the above embodiments, the computer program can be downloaded and installed from a network via communication section 509, and/or installed from removable medium 511. When the computer program is executed by central processing unit 501, it performs the functions defined in the system of this invention.
[0076] It should be noted that the computer-readable medium shown in this invention can be a computer-readable signal medium or a computer-readable storage medium, or any combination thereof. A computer-readable storage medium can be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of a computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination thereof. In this invention, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. In this invention, a computer-readable signal medium can include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such propagated data signals can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. The program code contained on the computer-readable medium may be transmitted using any suitable medium, including but not limited to: wireless, wire, optical fiber, RF, etc., or any suitable combination thereof.
[0077] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, may be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0078] The units described in the embodiments of the present invention can be implemented in software or hardware. The described units can also be housed in a processor; for example, a processor can be described as including a matching unit and a forwarding unit. The names of these units do not necessarily limit the specific unit; for example, a matching unit can also be described as "a unit that provides a destination address to the forwarding unit."
[0079] In another aspect, the present invention also provides a computer-readable medium, which may be included in the device described in the above embodiments, or may exist independently without being assembled into the device. The computer-readable medium carries one or more programs which, when executed by the device, cause the device to perform the following steps: in response to detecting a target access request for a given VPC, determining a target policy matching the target access request from at least one pre-acquired routing policy, and determining the target range address contained in the target policy as the destination address; wherein the cloud computing platform includes a specific VPC independent of the user VPCs, the specific VPC having at least one cloud host with a pre-deployed target range, the target range and the probe forming a honeypot system; and forwarding the target access request to the target range indicated by the destination address using a pre-established transmission channel between the probe and that target range, so that the target range records the behavioral data of the initiator of the target access request.
[0080] In the technical solution of this invention, a heavyweight component of the honeypot system—the target range—is deployed in a specific VPC independent of the user's VPC within a cloud computing platform using an administrator account. Only a lightweight probe needs to be deployed in the user's VPC. The probe locates the target range for malicious access through routing policies configured on the web interface and forwards the malicious access via a load balancing component in the specific VPC. This solves the performance degradation and maintainability issues caused by deploying the target range in the user's VPC, ensuring both user VPC performance and the maintainability of the target range. To maximize data security in the user's VPC, the link for the probe to obtain the routing policy is consistent with the link for forwarding malicious requests. Specifically, the routing policy configured on the front-end page is written to the database and then obtained by the cloud host deploying the target range in the specific VPC. The probe then pulls the routing policy from the cloud host. This allows the routing policy to be transmitted through the existing transmission channel between the user's VPC and the specific VPC, avoiding the addition of extra access channels in the user's VPC. Furthermore, the embodiments of the present invention further design a matching method between probes and target ranges based on routing policies, as well as the processing logic for probes when adding or deleting target ranges. Moreover, based on the lightweight nature of deploying probes only in user VPCs, the above honeypot deployment scheme can also be applied to multi-cloud systems, which helps to improve the security protection performance of multi-cloud systems.
[0081] The specific embodiments described above do not constitute a limitation on the scope of protection of this invention. Those skilled in the art should understand that various modifications, combinations, sub-combinations, and substitutions can occur depending on design requirements and other factors. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of this invention should be included within the scope of protection of this invention.
Claims
1. A cloud access processing method, characterized in that it is performed by a probe deployed in a user's Virtual Private Cloud (VPC) on a cloud computing platform, the method comprising: in response to detecting a target access request for the VPC, determining the target policy matching the target access request from at least one pre-acquired routing policy, and determining the target range address contained in the target policy as the destination address; wherein the cloud computing platform further includes a specific VPC independent of the user's VPC, the specific VPC having at least one cloud host with a pre-deployed target range, and the target range and the probe forming a honeypot system; forwarding the target access request to the target range indicated by the destination address using a pre-established transmission channel between the probe and that target range, so that the target range records the behavioral data of the initiator of the target access request; the method further comprising: periodically obtaining the latest routing policy from the cloud host where a target range is located by using a pre-established transmission channel between the probe and any target range in the specific VPC; wherein the latest routing policy is written to a preset database after being configured on the front-end page, and is read from the database and stored locally by the cloud host where the target range is located.
2. The method according to claim 1, characterized in that the routing policy characterizes the mapping relationship between the feature information of an access request and a target range address; and determining the target policy matching the target access request from at least one pre-acquired routing policy comprises: determining the routing policy whose feature information is consistent with the feature information of the target access request as the target policy.
3. The method according to claim 1, characterized in that the method further comprises: if a new target range is determined from the latest routing policy, establishing a transmission channel between the probe and the new target range using the target range address of the new target range in the latest routing policy; and if a deleted target range is determined from the latest routing policy, closing the pre-established transmission channel between the probe and the deleted target range.
4. The method according to any one of claims 1-3, characterized in that the user's VPCs are created by multiple cloud service providers, and a probe is deployed in one of the user's VPCs in the form of an installation package or a container engine; the honeypot system further includes a probe deployed in the user's Internet Data Center (IDC); the target range address includes the target range's IP address and port; and the specific VPC further includes a load balancing component for forwarding the target access request.
5. A cloud access processing device, characterized in that it is provided on a probe deployed in a user's virtual private cloud (VPC) on a cloud computing platform, the device comprising: a matching unit configured to: in response to detecting a target access request for a given VPC, determine a target policy matching the target access request from at least one pre-acquired routing policy, and determine the target range address contained in the target policy as the destination address; wherein the cloud computing platform further includes a specific VPC independent of the user's VPC, the specific VPC having at least one cloud host with a pre-deployed target range, and the target range and the probe forming a honeypot system; and a forwarding unit configured to: forward the target access request to the target range indicated by the destination address using a pre-established transmission channel between the probe and that target range, so that the target range records the behavioral data of the initiator of the target access request; the device being further configured to: periodically obtain the latest routing policy from the cloud host where a target range is located by using a pre-established transmission channel between the probe and any target range in the specific VPC; wherein the latest routing policy is written to a preset database after being configured on the front-end page, and is read from the database and stored locally by the cloud host where the target range is located.
6. A honeypot system for a cloud computing platform, characterized in that the cloud computing platform includes virtual private clouds (VPCs) of multiple users and a specific VPC independent of the users' VPCs; wherein: a probe is deployed in the user's VPC, the probe being configured to perform the cloud access processing method according to any one of claims 1-4; the specific VPC has at least one cloud host, and each cloud host has at least one target range deployed; and after detecting a target access request for its VPC, the probe forwards the target access request to the target range in the specific VPC, so that the target range records the behavioral data of the initiator of the target access request.
7. The system according to claim 6, characterized in that the specific VPC further includes a load balancing component that connects the probe and the target range and is used to forward the target access request; and each cloud host in the specific VPC is isolated by a security group.
8. The system according to claim 6, characterized in that the user's VPCs are created by multiple cloud service providers, and a probe is deployed in one of the user's VPCs either as an installation package or as a container engine; the system further includes a probe deployed in the user's Internet Data Center (IDC), which, upon detecting a specific access request for the IDC, forwards the specific access request to a corresponding target range in the specific VPC, so that the corresponding target range records the behavioral data of the initiator of the specific access request.
9. The system according to claim 7, characterized in that the probe deployed in the user's VPC determines the target policy matching the target access request from at least one pre-acquired routing policy, determines the target range address contained in the target policy as the destination address, and forwards the target access request to the target range indicated by the destination address through the load balancing component, using the pre-established transmission channel between the probe and that target range.
10. The system according to claim 9, characterized in that the routing policy represents the mapping relationship between the feature information of an access request and a target range address; and the probe deployed in the user's VPC determines the routing policy whose feature information is consistent with the feature information of the target access request as the target policy.
11. An electronic device, characterized in that it comprises: one or more processors; and a storage device for storing one or more programs, wherein when the one or more programs are executed by the one or more processors, the one or more processors implement the method according to any one of claims 1-4.
12. A computer-readable storage medium having a computer program stored thereon, characterized in that when the program is executed by a processor, it implements the method according to any one of claims 1-4.