A honeynet deployment method, device, and server

By deploying honeypot services on a service call chain basis in the honeynet deployment, the problems of unreasonable honeypot deployment and resource waste are solved, and the efficient and reasonable deployment of the honeynet system is achieved.

CN115987633B · Active · Publication Date: 2026-06-30 · CHINA TELECOM NETWORK SECURITY TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHINA TELECOM NETWORK SECURITY TECH CO LTD
Filing Date
2022-12-22
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

In existing honeynet deployment schemes, honeypot deployment is unreasonable, resulting in serious waste of computing resources, and it is difficult to deploy efficiently in complex service call chains.

Method used

Using the service call chain as a unit, the probability of attack is determined based on the entry service, the target service is selected to deploy the honeypot service, and the trapping path is generated to build a honeynet system.

Benefits of technology

It reduces the complexity of service call chains, enables the rational deployment of honeypot services, and reduces the waste of computing resources and the amount of real-time computing.

✦ Generated by Eureka AI based on patent content.

Figure CN115987633B_ABST (abstract figure)

Abstract

This application relates to the field of network security technology, and in particular to a honeynet deployment method, apparatus, and server, to address the problem of unreasonable honeypot deployment in existing honeynet deployment schemes. The method involves: based on any entry service exposed to the external network within the target network, obtaining each service in the service call chain of that entry service; if, based on each service, the probability of compromise of the service call chain of the entry service is determined to be not less than a threshold, then selecting the target service from among the services to deploy the honeypot service, matching the honeypot service to the target service, and generating a trapping path for the service call chain of the entry service; finally, after completing the honeypot service deployment for each entry service's service call chain within the target network, obtaining the honeynet system within the target network based on the generated trapping paths; thus, by using services as the basic unit for honeypot service deployment, rational deployment of honeypot services is achieved, reducing computational resource waste and resource consumption.

Description

Technical Field

[0001] This application relates to the field of network security technology, and in particular to a honeynet deployment method, apparatus and server.

Background Technology

[0002] With the continuous development of internet technology, more and more electronic devices are connected to the network, making the network environment increasingly complex and network attacks more frequent. To protect a target network, a honeynet is often deployed within it. The honeypots in the honeynet lure attackers into launching attacks on them, allowing the defender to capture and analyze those attacks, delay and defend against them, and ultimately protect data security.

[0003] Research into attacker behavior reveals that attackers typically lack knowledge of the target network's topology, service deployment, and internal security measures before launching an attack. They can only begin by exploiting the target network's entry point to the external network. Only after compromising a node within that entry point can attackers use it as a base to penetrate the target network and carry out further attacks. Once inside the network, attackers can only choose their next target from the associated nodes of the compromised nodes, gradually expanding their control until they ultimately steal sensitive data flowing through that link.

[0004] Therefore, vulnerabilities in the application code, external dependencies, or operating system of any node in the target network increase the likelihood of that node being compromised. Under current technology, honeynet deployment is done from the node's perspective. Therefore, in the aforementioned attack process, if an attacker happens to target a node with a honeypot deployed, the attack will be recorded by the honeynet system and the network administrator will be notified, causing the attack to fail.

[0005] However, in actual use, there is often more than one service call chain in the target network, and because of shared services, the service call chains overlap considerably. Honeypots deployed from the node perspective under the existing technology become very complex when described in terms of the full service call chains, leading to problems such as unreasonable honeypot deployment and serious waste of computing resources.

Summary of the Invention

[0006] This application provides a honeynet deployment method, apparatus, and server, which uses services as the basic unit for deploying honeypot services on a service call chain, effectively reducing the complexity of the call chain itself and reducing the real-time computation and resource consumption of dynamic honeynet deployment strategies.

[0007] The specific technical solutions provided in this application are as follows:

[0008] In a first aspect, embodiments of this application provide a honeynet deployment method, including:

[0009] Based on any entry service within the target network, obtain each service in the service call chain where the entry service is located, wherein the entry service is a service exposed by the target network to the external network.

[0010] Based on each of the aforementioned services, the probability of breaching the service call chain containing the entry service is determined.

[0011] If the attack probability is not less than the threshold, then the target service for which the honeypot service needs to be deployed is selected from the various services, the honeypot service is matched for the target service, and based on the target service and the matched honeypot service, the trapping path of the service call chain where the entry service is located is generated.

[0012] After the honeypot service deployment is completed for each entry service in the target network, the honeynet system in the target network is obtained based on the generated trapping paths.

[0013] In some possible embodiments, before obtaining the services in the service call chain of any entry service within the target network, the method further includes:

[0014] Receiving a honeynet deployment instruction, wherein the honeynet deployment instruction is an initial honeynet deployment instruction or a honeynet reset instruction;

[0015] If the honeynet deployment instruction is the honeynet reset instruction, then after receiving the honeynet deployment instruction and before obtaining each service in the service call chain of any entry service within the target network, the process further includes:

[0016] Delete the list of deployed honeypot services, the list of trapping path start points, and the list of trapping path end points within the target network;

[0017] Delete all honeypot services within the target network.

[0018] In some possible embodiments, obtaining each service in the service call chain of any entry service within the target network includes:

[0019] Based on any entry service within the target network, obtain each first service that has a service call relationship with the entry service;

[0020] Based on each of the first services, obtain the second service that has a service call relationship with each of the first services;

[0021] Based on the entry service, each first service, and each second service, the services on the service call chain where the entry service is located are obtained.

[0022] In some possible embodiments, selecting the target service from the various services to which the honeypot service needs to be deployed includes:

[0023] The services that meet the preset conditions are selected from the services, wherein the preset conditions include some or all of the following conditions: services that run preset type software, services that are not isolated services, services that are not the entry service, and services that are not log services.

[0024] The services that meet the preset conditions are sorted based on their in-degree and/or out-degree.

[0025] The service ranked first is selected as the target service for which the honeypot service needs to be deployed.

[0026] In some possible embodiments, matching the honeypot service to the target service includes:

[0027] Obtain all undeployed honeypots;

[0028] From the various undeployed honeypots, remove those honeypots that have been associated with any of the services that meet the preset conditions to obtain a candidate honeypot set;

[0029] Based on the weights of each undeployed honeypot in the candidate honeypot set, a honeypot service matching the target service is determined.

[0030] In some possible embodiments, after generating the trapping path of the service call chain where the entry service is located based on the target service and the matched honeypot service, the method further includes:

[0031] The matched honeypot services are persistently stored in the list of deployed honeypot services;

[0032] The identification information (ID) of the target service is persistently stored as the starting point of the trapping path in the trapping path starting point list.

[0033] The ID of the matched honeypot service is persistently stored as the endpoint of the trapping path in the trapping path endpoint list.

[0034] Based on the aforementioned services, the probability of compromise in the service call chain of the entry service is determined; if the probability of compromise is not less than the threshold, the parameters of the matched honeypot service are adjusted so that the probability of compromise is less than the threshold.
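The target selection, honeypot matching and trapping-path recording of paragraphs [0022] to [0033] can be followed end to end on a small constructed call chain. The code below is an added illustration written for this page, not code from the patent or its assignee; it assumes an in-memory data model (the `Service`, `Honeypot` and `TrappingPathStore` classes, the `PRESET_SOFTWARE` set, and all service and honeypot IDs are made up), assumes that "ranked first" means descending in-degree then out-degree, and assumes that the highest-weight candidate honeypot is the one matched, since the patent states only that the choice is weight-based.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Service:
    sid: str
    software: str              # name of the software the service runs
    is_entry: bool = False     # exposed to the external network
    is_isolated: bool = False
    is_log: bool = False


@dataclass
class Honeypot:
    hid: str
    weight: float                                       # weight used for matching ([0029])
    associated: Set[str] = field(default_factory=set)   # service IDs it is already tied to


@dataclass
class TrappingPathStore:
    """The three persisted lists of [0031]-[0033]."""
    deployed_honeypots: List[str] = field(default_factory=list)
    path_starts: List[str] = field(default_factory=list)
    path_ends: List[str] = field(default_factory=list)


# Constructed sample call chain (all IDs and software names are made up).
SERVICES: Dict[str, Service] = {
    "svc-gateway": Service("svc-gateway", "nginx", is_entry=True),
    "svc-order": Service("svc-order", "tomcat"),
    "svc-payment": Service("svc-payment", "tomcat"),
    "svc-audit": Service("svc-audit", "fluentd", is_log=True),
    "svc-batch": Service("svc-batch", "tomcat", is_isolated=True),
    "svc-legacy": Service("svc-legacy", "cobol-rt"),
}
CALLS: List[Tuple[str, str]] = [        # (calling service, called service)
    ("svc-gateway", "svc-order"), ("svc-gateway", "svc-payment"),
    ("svc-order", "svc-payment"), ("svc-order", "svc-audit"),
    ("svc-payment", "svc-audit"), ("svc-payment", "svc-legacy"),
]
PRESET_SOFTWARE = {"nginx", "tomcat"}   # the "preset type software" of [0023] (assumed set)


def degrees(sid: str) -> Tuple[int, int]:
    """(in-degree, out-degree) of a service in the call graph."""
    in_deg = sum(1 for _, callee in CALLS if callee == sid)
    out_deg = sum(1 for caller, _ in CALLS if caller == sid)
    return in_deg, out_deg


def qualifying_services(chain: List[str]) -> List[str]:
    """[0023]: keep services running preset software that are not isolated, entry or log services."""
    return [sid for sid in chain
            if SERVICES[sid].software in PRESET_SOFTWARE
            and not SERVICES[sid].is_isolated
            and not SERVICES[sid].is_entry
            and not SERVICES[sid].is_log]


def select_target(chain: List[str]) -> Optional[str]:
    """[0024]-[0025]: rank qualifying services by in-degree then out-degree (assumed
    descending, so the most-called service ranks first) and take the first one."""
    ranked = sorted(qualifying_services(chain), key=degrees, reverse=True)
    return ranked[0] if ranked else None


def match_honeypot(undeployed: List[Honeypot], qualifying: List[str]) -> Optional[Honeypot]:
    """[0027]-[0029]: drop honeypots already associated with any qualifying service,
    then choose from the candidate set by weight (assumed: highest weight wins)."""
    candidates = [hp for hp in undeployed if not (hp.associated & set(qualifying))]
    return max(candidates, key=lambda hp: hp.weight, default=None)


def record_trapping_path(store: TrappingPathStore, target_id: str, hp: Honeypot) -> None:
    """[0031]-[0033]: persist the honeypot, the path start (target ID) and the path end (honeypot ID)."""
    store.deployed_honeypots.append(hp.hid)
    store.path_starts.append(target_id)
    store.path_ends.append(hp.hid)


def deploy_for_chain(chain: List[str], undeployed: List[Honeypot],
                     store: TrappingPathStore) -> Optional[Tuple[str, str]]:
    """Step 220 for one chain whose compromise probability already met the threshold.
    Returns the (start, end) of the generated trapping path, or None when nothing fits."""
    target = select_target(chain)
    if target is None:
        return None
    hp = match_honeypot(undeployed, qualifying_services(chain))
    if hp is None:
        return None
    undeployed.remove(hp)            # it is no longer an undeployed honeypot
    record_trapping_path(store, target, hp)
    return target, hp.hid


def sample_honeypots() -> List[Honeypot]:
    """Constructed undeployed honeypots; hp-1 is already associated with svc-order."""
    return [Honeypot("hp-1", 0.9, {"svc-order"}),
            Honeypot("hp-2", 0.6),
            Honeypot("hp-3", 0.7, {"svc-audit"})]


if __name__ == "__main__":
    store = TrappingPathStore()
    print(deploy_for_chain(list(SERVICES), sample_honeypots(), store), store)
```

On this input the entry, log and isolated services and the one running non-preset software are filtered out, `svc-payment` wins the ranking with in-degree 2, `hp-1` is excluded because it is already associated with a qualifying service, and the heavier of the remaining honeypots becomes the end point of the recorded trapping path.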

[0035] In some possible embodiments, after obtaining the honeynet system within the target network based on the generated trapping paths, the method further includes:

[0036] In response to the service adjustment operation performed by the target network, each service in the service call chain where the seed service is located is obtained based on the seed service, wherein the seed service is the service adjusted by the service adjustment operation;

[0037] The entry services in each service in the service call chain where the seed service is located are sorted according to a preset sorting rule, and the entry service with the first sorting information is selected.

[0038] Write the current timestamp to the change timestamp directory of the first-ranked entry service; after a preset time, read the change timestamp back from the change timestamp directory and compare it with the current timestamp;

[0039] If they are consistent, then no adjustments will be made to the service calls within the honeynet system;

[0040] If there is a discrepancy, the service calls within the honeynet system are adjusted based on the service adjustment operation; and when it is determined that, after adjustment, the probability of attack on the service call chain of any seed service within the target network is not less than the threshold, the honeypot service of that seed service is optimized.

[0041] In some possible embodiments, the service adjustment operation includes at least one of adding a service, adding a service call relationship, deleting a service, and deleting a service call relationship. The adjustment of service calls within the honeynet system based on the service adjustment operation includes:

[0042] If the service adjustment operation is the new service operation, then the ID, service name, service running software name, service type, and whether it is an entry service corresponding to the new service operation are stored.

[0043] If the service adjustment operation is the operation of adding a new service call relationship, then the ID of the service call relationship corresponding to the operation of adding a new service call relationship, the associated service name, the ID of the starting service, and the ID of the ending service are stored.

[0044] If the service adjustment operation is the service deletion operation, then delete the service call relationship, honeypot service, and trapping path associated with the service corresponding to the service deletion operation;

[0045] If the service adjustment operation is the deletion of service call relationship operation, then delete the list of service call relationships corresponding to the deletion of service call relationship operation, the starting service, and the sublist of the ending service or edge device.

[0046] In a second aspect, embodiments of this application provide a honeynet deployment device, comprising:

[0047] The first obtaining unit is used to obtain each service in the service call chain where the entry service is located, based on any entry service in the target network, wherein the entry service is a service exposed by the target network to the external network.

[0048] The determining unit is used to determine the probability of attacking the service call chain where the entry service is located based on each of the services.

[0049] The deployment unit is used to select a target service from the services that needs to be deployed with a honeypot service if the attack probability is not less than a threshold, match a honeypot service for the target service, and generate a trapping path for the service call chain where the entry service is located based on the target service and the matched honeypot service.

[0050] The second obtaining unit is used to obtain the honeynet system in the target network based on the generated trapping paths after completing the honeypot service deployment of the service call chain where each entry service in the target network is located.

[0051] In some possible embodiments, the first obtaining unit is further configured to:

[0052] Before obtaining each service in the service call chain of any entry service within the target network, a honeynet deployment instruction is received, wherein the honeynet deployment instruction is either a honeynet initial deployment instruction or a honeynet reset instruction.

[0053] If the honeynet deployment instruction is the honeynet reset instruction, then the first obtaining unit is further configured to:

[0054] After receiving the honeynet deployment instruction, and before obtaining each service in the service call chain of any entry service in the target network, delete the list of deployed honeypot services, the list of trapping path start points, and the list of trapping path end points in the target network.

[0055] Delete all honeypot services within the target network.

[0056] In some possible embodiments, the first obtaining unit is specifically used for:

[0057] Based on any entry service within the target network, obtain each first service that has a service call relationship with the entry service;

[0058] Based on each of the first services, obtain the second service that has a service call relationship with each of the first services;

[0059] Based on the entry service, each first service, and each second service, the services on the service call chain where the entry service is located are obtained.

[0060] In some possible embodiments, the deployment unit is specifically used for:

[0061] The services that meet the preset conditions are selected from the services, wherein the preset conditions include some or all of the following conditions: services that run preset type software, services that are not isolated services, services that are not the entry service, and services that are not log services.

[0062] The services that meet the preset conditions are sorted based on their in-degree and/or out-degree.

[0063] The service ranked first is selected as the target service for which the honeypot service needs to be deployed.

[0064] In some possible embodiments, the deployment unit is specifically used for:

[0065] Obtain all undeployed honeypots;

[0066] From the various undeployed honeypots, remove those honeypots that have been associated with any of the services that meet the preset conditions to obtain a candidate honeypot set;

[0067] Based on the weights of each undeployed honeypot in the candidate honeypot set, a honeypot service matching the target service is determined.

[0068] In some possible embodiments, the deployment unit is further configured to:

[0069] After generating the trapping path of the service call chain where the entry service is located based on the target service and the matched honeypot service, the matched honeypot service is persistently stored in the list of deployed honeypot services.

[0070] The identification information (ID) of the target service is persistently stored as the starting point of the trapping path in the trapping path starting point list.

[0071] The ID of the matched honeypot service is persistently stored as the endpoint of the trapping path in the trapping path endpoint list.

[0072] Based on the aforementioned services, the probability of compromise in the service call chain of the entry service is determined; if the probability of compromise is not less than the threshold, the parameters of the matched honeypot service are adjusted so that the probability of compromise is less than the threshold.

[0073] In some possible embodiments, the second obtaining unit is further configured to:

[0074] After obtaining the honeynet system within the target network based on the generated trapping paths, in response to the service adjustment operation performed by the target network, the services on the service call chain where the seed service is located are obtained based on the seed service, wherein the seed service is the service adjusted by the service adjustment operation;

[0075] The entry services in each service in the service call chain where the seed service is located are sorted according to a preset sorting rule, and the entry service with the first sorting information is selected.

[0076] Write the current timestamp to the change timestamp directory of the first-ranked entry service; after a preset time, read the change timestamp back from the change timestamp directory and compare it with the current timestamp;

[0077] If they are consistent, then no adjustments will be made to the service calls within the honeynet system;

[0078] If there is a discrepancy, the service calls within the honeynet system are adjusted based on the service adjustment operation; and when it is determined that, after adjustment, the probability of attack on the service call chain of any seed service within the target network is not less than the threshold, the honeypot service of that seed service is optimized.

[0079] In some possible embodiments, the service adjustment operation includes at least one of adding a service, adding a service call relationship, deleting a service, and deleting a service call relationship, and the second obtaining unit is specifically used for:

[0080] If the service adjustment operation is the new service operation, then the ID, service name, service running software name, service type, and whether it is an entry service corresponding to the new service operation are stored.

[0081] If the service adjustment operation is the operation of adding a new service call relationship, then the ID of the service call relationship corresponding to the operation of adding a new service call relationship, the associated service name, the ID of the starting service, and the ID of the ending service are stored.

[0082] If the service adjustment operation is the service deletion operation, then delete the service call relationship, honeypot service, and trapping path associated with the service corresponding to the service deletion operation;

[0083] If the service adjustment operation is the deletion of service call relationship operation, then delete the list of service call relationships corresponding to the deletion of service call relationship operation, the starting service, and the sublist of the ending service or edge device.

[0084] In a third aspect, embodiments of this application provide a server, including a processor and a memory.

[0085] The memory is used to store computer programs or instructions;

[0086] The processor is configured to execute computer programs or instructions in memory, such that the method described in any one of the first aspects is performed.

[0087] In a fourth aspect, embodiments of this application provide a computer-readable storage medium having computer program instructions stored thereon, which, when executed by a processor, implement the steps of the method described in any of the first aspects above.

[0088] The beneficial effects of this application include at least the following:

[0089] In this embodiment, based on any entry service exposed to the external network within the target network, each service in the service call chain of that entry service is obtained. Then, if, based on each service, the probability of compromise of the service call chain of the entry service is determined to be no less than a threshold, a target service for deploying honeypot services is selected from among the services, a honeypot service is matched for the target service, and a trapping path for the service call chain of the entry service is generated based on the target service and the matched honeypot service. Finally, after completing the honeypot service deployment for each entry service call chain within the target network, a honeynet system within the target network is obtained based on the generated trapping paths. In this way, services can be used as the basic unit for honeypot service deployment, and honeypot services can be deployed for the service call chains within the target network, effectively reducing the complexity of the service call chains themselves, realizing the rational deployment of honeypot services, and reducing the waste and occupation of computing resources.

Attached Figure Description

[0090] Figure 1 is a schematic diagram illustrating an application scenario in an embodiment of this application;

[0091] Figure 2 is a flowchart illustrating a honeynet deployment method according to an embodiment of this application;

[0092] Figure 3 is a schematic diagram of the process for determining each service in the service call chain of any entry service in an embodiment of this application;

[0093] Figure 4 is a flowchart illustrating a method for determining a target service in an embodiment of this application;

[0094] Figure 5 is a flowchart illustrating the method for determining a honeypot service that matches the target service in an embodiment of this application;

[0095] Figure 6 is a schematic diagram of the process for recording a trapping path in an embodiment of this application;

[0096] Figure 7 is a schematic diagram illustrating the implementation process of an incremental deployment method in an embodiment of this application;

[0097] Figure 8 is a schematic diagram of the logical architecture of a honeynet deployment device in an embodiment of this application;

[0098] Figure 9 is a schematic diagram of the physical architecture of the server in the embodiments of this application.

Detailed Implementation

[0099] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of this application, and not all of the embodiments. Based on the embodiments of this application, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of this application.

[0100] It should be noted that the terms "first," "second," "third," etc., used in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this application described herein can be implemented in sequences other than those illustrated or described herein.

[0101] To address the problems of unreasonable honeypot deployment and significant waste of computing resources in existing honeynet deployment schemes, this application embodiment constructs a dynamic honeynet deployment system at the data processing layer of the distributed registry service center (etcd). This dynamic honeynet deployment system executes the honeynet deployment method provided in this application embodiment. The method includes: obtaining each service on the service call chain of any entry service exposed to the external network within the target network; then, if, based on each service, it is determined that the attack probability of the service call chain of the entry service is not less than a threshold, selecting the target service from among the services to deploy the honeypot service, matching the honeypot service for the target service, and generating a trapping path for the service call chain of the entry service based on the target service and the matched honeypot service; finally, after completing the honeypot service deployment for each entry service call chain within the target network, obtaining the honeynet system within the target network based on the generated trapping paths.

[0102] The honeynet deployment method provided in this application uses services in the target network as the basic unit for honeypot service deployment. It deploys honeypot services for the service call chain in the target network, effectively reducing the complexity of the service call chain itself, thereby achieving rational deployment of honeypot services and reducing the real-time computation and resource consumption of dynamic honeynet deployment strategies.

[0103] The preferred embodiments of this application will be further described in detail below with reference to the accompanying drawings. It should be understood that the preferred embodiments described herein are only for illustration and explanation of this application and are not intended to limit this application. Furthermore, the embodiments of this application and the features in the embodiments can be combined with each other without conflict.

[0104] Figure 1 is a schematic diagram illustrating an application scenario of an embodiment of this application. As shown in Figure 1, the application scenario includes a monitoring client 100, a dynamic honeynet deployment system 101, and a target network 102. The monitoring client 100 is used to respond to preset operations, sending a honeynet initial deployment command or a honeynet reset command to the dynamic honeynet deployment system 101, and monitoring the operation of the honeynet system in real time. The dynamic honeynet deployment system 101 is used to deploy the honeynet system within the target network, which includes multiple service call chains. The honeynet system is used to protect the target network, serving as a defense plane within the target network. It includes multiple trapping paths, with the starting point of each trapping path being a service within the target network and the ending point being a honeypot service. The honeynet system is used to promptly detect attack behaviors within the target network 102 and trap attackers to delay or even defend against attacks, ensuring the secure operation of each service call chain within the target network 102.

[0105] It should be noted that the above application scenarios are merely examples and are not intended to limit this application. Accordingly, in actual applications, the scenarios applicable to the honeynet deployment method provided in the embodiments of this application include, but are not limited to, industry-academia-research attack and defense confrontation scenarios, passive defense scenarios, etc.

[0106] After introducing the application scenarios of the embodiments of this application, the specific process for the initial deployment of a honeynet for a target network is described below. Figure 2 illustrates the implementation flow of a honeynet deployment method provided in this application embodiment. The implementation flow of this method is as follows:

[0107] Step 200: Based on any entry service within the target network, obtain each service in the service call chain where the entry service is located, where the entry service is a service exposed by the target network to the external network.

[0108] In this embodiment, the user triggers the dynamic honeynet deployment system via the monitoring client to analyze the software types of the software running within the target network. Based on the analyzed software types, the system defines honeypot service types within the honeynet system. For example, the honeypot service types in the honeynet system may be general external software, secondary development software, and dedicated self-developed software. Then, the system analyzes the existing software infrastructure within the honeynet system and adds data collection functionality to enable honeypot creation. After completing the above preparations, the user triggers the initial honeynet deployment command via the monitoring client, enabling the dynamic honeynet deployment system to deploy the honeynet system for the target network.

[0109] In this embodiment, after receiving the initial honeynet deployment instruction, the dynamic honeynet deployment system executes step 200. Specifically, when executing step 200, as shown in Figure 3, the services in the service call chain where the entry service is located are obtained through the following steps:

[0110] Step 2001: Based on any entry service within the target network, obtain each first service that has a service call relationship with that entry service.

[0111] In specific implementation, when executing step 2001, the identification information (ID) of any known entry service in the target network is obtained, that is, the ID of the service exposed to the external network in the target network. Then, based on the ID of the entry service, the ID of each service call relationship associated with the ID of the entry service is obtained from the service call relationship list of etcd.

[0112] Then, based on the ID of each service call relationship associated with the ID of the entry service, the ID of the first service of each service call relationship is obtained from the list of service call relationship start points and service call relationship end points in etcd. The ID of the first service may be the ID of the start service in the service call relationship corresponding to the first service, or it may be the ID of the end service in the service call relationship corresponding to the first service.

[0113] Step 2002: Based on each first service, obtain the second service that has a service call relationship with each first service.

[0114] In specific implementation, when executing step 2002, the ID of each service call relationship associated with each first service is obtained in the same way as in step 2001; then, the ID of the second service associated with each service call relationship associated with each first service is obtained. The ID of the second service may be the ID of the starting service in the service call relationship corresponding to the second service, or it may be the ID of the ending service in the service call relationship corresponding to the second service.

[0115] Step 2003: Based on the entry service, each first service, and each second service, obtain the services in the service call chain where the entry service is located.

[0116] In specific implementation, when executing step 2003, based on the ID of the entry service, the ID of each first service, and the ID of each second service, a breadth-first search algorithm is used to search within the target network to obtain the IDs of each service in the entire service call chain where the entry service is located, thereby obtaining each service in the entire service call chain where the entry service is located.

[0117] Step 210: Based on the above services, determine the probability of compromise of the service call chain where the entry service is located.

[0118] In this embodiment of the application, after executing step 210, the attack probability of the service call chain where the entry service is located, determined based on the above services, is compared with a threshold. If the attack probability is less than the threshold, it is not necessary to deploy a honeypot service for the service call chain where the entry service is located; if the attack probability is not less than the threshold, then step 220 is executed.

[0119] Step 220: If the probability of breach is not less than the threshold, select the target service from the various services that needs to deploy the honeypot service, match the honeypot service for the target service, and generate the trapping path of the service call chain where the entry service is located based on the target service and the matched honeypot service.

[0120] In this embodiment of the application, if the probability of breach is not less than the threshold when performing step 220, it indicates that the service call chain is relatively easy to breach. In this case, a honeypot service needs to be deployed for the service call chain where the entry service is located, so as to lure the attacker to call the honeypot service when the attacker attacks the service call chain, thereby preventing the sensitive data of the target network from being maliciously stolen.

[0121] In this embodiment of the application, as shown in Figure 4, when selecting from the various services the target service on which the honeypot service is to be deployed in step 210, the specific steps are as follows:

[0122] Step 400: Select services that meet the preset conditions from the various services. The preset conditions include some or all of the following: services that run preset type software, services that are not isolated services, services that are not entry services, and services that are not log services.

[0123] In this embodiment of the application, the loss to the target network is less after an isolated service is compromised. Therefore, when setting up a honeynet service for services in the target network, an isolated service may not be selected. Log services can usually know the specific behavior of service callers after entering the target network. Therefore, log services should not be selected when setting up a honeynet service for services in the target network.

[0124] In some preferred embodiments, when performing step 400, the isolated service, entry service, log service, and service running preset type software can be removed from each service in the service call chain where the entry service is located.

[0125] Step 410: Sort the services that meet the preset conditions based on in-degree and / or out-degree.

[0126] In this embodiment of the application, it is assumed that the services are sorted in ascending order based on the in-degree (i.e., the number of times they are called). Then, when executing step 410, the services that meet the preset conditions are sorted in ascending order based on the in-degree (i.e., the number of times they are called).

[0127] It should be noted that the above sorting method can be flexibly set based on the actual application scenario. In this embodiment, the scheme is only described by taking ascending sorting based on in-degree as an example, and will not be elaborated in the following content.

[0128] Step 420: Select the service ranked first in the ranking information and use it as the target service for which the honeypot service needs to be deployed.

[0129] In this embodiment of the application, it is still assumed that the services are sorted in ascending order based on the in-degree (i.e. the number of times they are called). Then, when executing step 420, the service with the first-ranked sorting information is selected from the sorted services obtained after executing step 410, and the service with the first-ranked sorting information is determined as the target service for which the honeypot service needs to be deployed.

[0130] Then, after identifying the target service on which the honeypot service needs to be deployed, as shown in Figure 5, when matching a honeypot service for the target service in step 220, the following steps are specifically performed:

[0131] Step 500: Obtain each undeployed honeypot.

[0132] In practice, when executing step 500, each undeployed honeypot is retrieved from etcd. These undeployed honeypots are either pre-configured in etcd before the honeynet is first deployed, or created based on pre-configured data collection functions.

[0133] Step 510: Remove honeypots that have been associated with services in the candidate set from each undeployed honeypot to obtain the candidate honeypot set.

[0134] In specific implementation, when executing step 510, honeypots that have established associations with services in the candidate set are removed from each undeployed honeypot, resulting in the selected honeypot set.

[0135] Step 520: Based on the weights of each undeployed honeypot in the candidate honeypot set, determine the honeypot service that matches the target service.

[0136] In practice, based on the honeypot weight list in etcd, the weight of each undeployed honeypot in the candidate honeypot set is determined. The weight is set according to the importance of the service in the application scenario corresponding to the target network. Then the undeployed honeypots in the candidate honeypot set are sorted by weight from high to low, and the undeployed honeypot with the highest weight value is determined as the honeypot service that matches the target service.

[0137] In this embodiment of the application, after determining the target service in the target network and the honeypot service matched by the target service, step 220 is executed to generate the trapping path of the service call chain where the entry service is located based on the target service and the matched honeypot service.

[0138] Specifically, the target service is taken as the starting point of the trapping path, and the honeypot matched by the target service is taken as the ending point of the trapping path. Based on the starting point and the ending point, the trapping path of the service call chain where the entry service is located is generated.
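The initial deployment steps above (steps 2001 to 2003, 400 to 420, 500 to 520 and the trapping path of paragraph [0138]) as an added Python example; this is not code from the patent. The service and honeypot data, the preset software set and the tie-break on service ID are constructed assumptions, and the compromise-probability check, whose model the text does not give, is left to the caller.

```python
from collections import deque

# Constructed sample of the etcd lists the method reads (services, call
# relationships, honeypot weights). All names and flags are assumptions.
SERVICES = {
    "gw":    {"software": "nginx",   "entry": True,  "isolated": False, "log": False},
    "auth":  {"software": "tomcat",  "entry": False, "isolated": False, "log": False},
    "order": {"software": "tomcat",  "entry": False, "isolated": False, "log": False},
    "pay":   {"software": "tomcat",  "entry": False, "isolated": False, "log": False},
    "log":   {"software": "fluentd", "entry": False, "isolated": False, "log": True},
    "batch": {"software": "cron",    "entry": False, "isolated": True,  "log": False},
    "cms":   {"software": "tomcat",  "entry": False, "isolated": False, "log": False},
}
# (relationship id, start service id, end service id); "cms" has no
# relationship with gw's chain and must not appear in it.
RELATIONS = [
    ("r1", "gw", "auth"), ("r2", "gw", "order"), ("r3", "auth", "order"),
    ("r4", "order", "pay"), ("r5", "order", "log"), ("r6", "pay", "log"),
    ("r7", "batch", "log"),
]
HONEYPOT_WEIGHTS = {"hp-ssh": 3, "hp-db": 9, "hp-web": 6}   # honeypot weight list
ASSOCIATED = {"hp-db": "order"}     # honeypots already associated with a service
PRESET_SOFTWARE = {"tomcat"}        # "preset type software" condition of step 400


def call_chain(entry, relations):
    """Steps 2001-2003: breadth-first search from the entry service along call
    relationships in both directions (a related service may be the start or
    the end of a relationship), returning every service id on the chain."""
    adj = {}
    for _, start, end in relations:
        adj.setdefault(start, set()).add(end)
        adj.setdefault(end, set()).add(start)
    seen, queue = {entry}, deque([entry])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def candidates(chain, services):
    """Step 400: keep services that run preset software and are neither
    isolated, entry nor log services. Sorted by id for determinism."""
    return sorted(
        s for s in chain
        if services[s]["software"] in PRESET_SOFTWARE
        and not services[s]["isolated"]
        and not services[s]["entry"]
        and not services[s]["log"]
    )


def in_degrees(cands, relations):
    """Number of times each candidate is called (it is the end of a relationship)."""
    indeg = {s: 0 for s in cands}
    for _, _, end in relations:
        if end in indeg:
            indeg[end] += 1
    return indeg


def pick_target(cands, relations):
    """Steps 410-420: ascending in-degree, ties broken by id (assumption)."""
    indeg = in_degrees(cands, relations)
    return sorted(cands, key=lambda s: (indeg[s], s))[0]


def match_honeypot(cands, weights, associated, deployed):
    """Steps 500-520: candidate honeypot set = undeployed honeypots minus those
    already associated with a candidate service; the highest weight wins."""
    pool = [h for h in weights
            if h not in deployed and associated.get(h) not in cands]
    return max(pool, key=lambda h: weights[h])


def deploy_for_entry(entry, services, relations, weights, associated, deployed):
    """Steps 200-220 for one entry service whose chain is assumed to have a
    compromise probability not less than the threshold (the probability model
    is not given in the text, so that check is left to the caller)."""
    chain = call_chain(entry, relations)
    cands = candidates(chain, services)
    target = pick_target(cands, relations)
    honeypot = match_honeypot(cands, weights, associated, deployed)
    deployed.add(honeypot)           # step 600: record it as deployed
    return {"chain": chain, "candidates": cands, "target": target,
            "honeypot": honeypot, "trapping_path": (target, honeypot)}


if __name__ == "__main__":
    print(deploy_for_entry("gw", SERVICES, RELATIONS, HONEYPOT_WEIGHTS,
                           ASSOCIATED, set()))
```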

[0139] Then, after generating the trapping path of the service call chain where the entry service is located based on the target service and the matched honeypot service, as shown in Figure 6, the dynamic honeynet deployment system further performs the following steps:

[0140] Step 600: Persistently store the matched honeypot service in the list of deployed honeypot services.

[0141] Step 610: Persistently store the ID of the target service as the starting point of the trapping path in the trapping path starting point list.

[0142] Step 620: Persistently store the ID of the matched honeypot service as the endpoint of the trapping path in the trapping path endpoint list.

[0143] Step 630: Based on each service, determine the attack probability of the service call chain where the entry service is located; if the attack probability is not less than the threshold, adjust the parameters of the matched honeypot service so that the attack probability is less than the threshold.

[0144] In this embodiment of the application, by executing step 220, a honeypot service can be deployed on the target service in the service call chain where the entry service with a compromise probability of not less than a threshold is located. In this way, in actual use, if an attacker launches an attack on the target service, the honeypot service can be used to lure the attacker along the trapping path to launch the attack, thereby delaying the attacker's attack on the target network, or even resisting the attacker's attack on the target network, causing the attacker's attack to fail.

[0145] Furthermore, a well-deployed honeynet system can collect attackers' network entry traces, facilitating subsequent analysis of these traces, patching vulnerabilities in the target network, and developing defensive measures against such attacks.

[0146] Step 230: After completing the honeypot service deployment of each entry service in the target network, the honeynet system in the target network is obtained based on the generated trapping paths.

[0147] In this embodiment of the application, by executing steps 200 to 220, a honeypot service can be deployed for each entry service in the target network with a probability of attack not less than a threshold in the service call chain, generating a trapping path. Then, after the honeypot service deployment for each entry service in the target network is completed, the honeynet system in the target network is obtained based on the generated trapping paths, that is, the honeynet system has been deployed for the target network.

[0148] In some feasible embodiments, after obtaining the honeynet system within the target network based on the generated trapping paths, the system state of the honeynet system can be modified to an incremental deployment state. This allows the dynamic honeynet deployment system to detect service adjustment operations performed by the target network after subsequent network changes. Based on the changed network state, the system can analyze the current architecture of the honeynet system. If it is determined that the current architecture needs adjustment, the honeynet system is incrementally deployed. If it is determined that no adjustment is needed, the current architecture of the honeynet system is maintained to protect the target network. In this way, the dynamic honeynet deployment system can achieve dynamic deployment of the honeynet system.

[0149] In some possible embodiments, after executing step 230, if a service adjustment occurs in the target network, i.e., the service call plane within the target network changes, the dynamic honeynet deployment system will detect this service adjustment operation performed by the target network, and then, as shown in Figure 7, the incremental deployment of the honeynet system within the target network is achieved by executing the following incremental deployment process:

[0150] Step 700: Respond to the service adjustment operation executed by the target network, and obtain the services in the service call chain where the seed service is located based on the seed service, wherein the seed service is the service adjusted by the service adjustment operation.

[0151] In this embodiment of the application, when performing step 700, a service adjustment operation is performed in response to the target network. The service adjusted by the service adjustment operation is recorded as a seed service. Based on the seed service, a breadth-first search algorithm is used to search in the target network to obtain each service on the service call chain where the seed service is located.

[0152] Because shared services exist within the target network, service call chains often overlap, so a single service call chain may contain more than one entry service. If, whenever a service adjustment operation is detected in the target network, the change timestamp lists of all entry services were updated, then two problems arise during drastic changes to the target network: if the batch-updated change timestamp lists are not in the same database, high-concurrency updates can leave different entry services on the same service call chain with different timestamps; conversely, if the batch-updated change timestamp lists are in the same database, numerous long transactions result, reducing etcd's processing performance.

[0153] Furthermore, in this embodiment of the application, considering that the target network may change drastically at a certain point in time, if optimization is performed for each change, there may be a situation where the optimization is not yet finished, but the target network has already undergone new changes, requiring optimization to be performed again. Therefore, in the incremental deployment process under the incremental deployment state, an optimistic locking process is added, namely steps 710 to 750, to avoid invalid calculations and invalid deployments.

[0154] Step 710: Sort the entry services in each service according to the preset sorting rules, and select the entry service that ranks first in the sorting information.

[0155] In this embodiment of the application, the preset sorting rule is to sort the entry service IDs in each service in ascending order according to the lexicographical order. Therefore, when executing step 710, the entry service IDs in each service are sorted in ascending order according to the lexicographical order, and the entry service with the first sorting information is selected from the sorted entry services.

[0156] Step 720: Update the current timestamp to the change timestamp directory of the top-ranked entry service.

[0157] Step 730: After a preset duration, retrieve the change timestamp from the change timestamp directory and compare the change timestamp with the current timestamp mentioned above.

[0158] In this embodiment of the application, when comparing the changed timestamp with the current timestamp in step 730, if the changed timestamp and the current timestamp are consistent, then step 740 is executed; if the changed timestamp and the current timestamp are inconsistent, then steps 750 to 760 are executed.

[0159] Step 740: If they are consistent, then no adjustments will be made to the service calls within the honeynet system.

[0160] Step 750: If there is a discrepancy, adjust the service calls within the honeynet system based on the service adjustment operation.

[0161] In this embodiment, the service adjustment operation includes at least one of adding a service, adding a service call relationship, deleting a service, and deleting a service call relationship. Therefore, when executing step 750, depending on the specific content of the service adjustment operation, the following operations are specifically performed:

[0162] Operation 1: If the service adjustment operation is a new service operation, the service ID, service name, service running software name, service type, and whether it is an entry service will be stored.

[0163] Seed services are the services corresponding to the new service operation.

[0164] Operation 2: If the service adjustment operation is to add a service call relationship, then store the ID of the service call relationship, the name of the associated service, the ID of the starting service, and the ID of the ending service corresponding to the new service call relationship operation.

[0165] Among them, seed services are the starting service and / or ending service included in the service call relationship corresponding to the new service call relationship operation.

[0166] Operation 3: If the service adjustment operation is a service deletion operation, then delete the service call relationship, honeypot service, and trapping path associated with the service corresponding to the service deletion operation.

[0167] Among them, the seed service is each service that has a service call relationship with the service corresponding to the delete service operation.

[0168] Operation 4: If the service adjustment operation is a service call relationship deletion operation, then delete the list of service call relationships, the starting service, and the sublist of the ending service or edge device corresponding to the service call relationship deletion operation.

[0169] The seed service is each service that has a service call relationship with the starting service and / or the ending service, which is included in the service call relationship corresponding to the delete service call relationship operation.
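Operations 1 to 4 of step 750, with the seed service determination of paragraphs [0163] to [0169], as an added Python example; this is not the patent's code. An in-memory class stands in for the etcd lists, the sample services and relationships are constructed, and computing the seed services of Operation 4 after the relationship has been removed is an assumption.

```python
class HoneynetState:
    """Constructed in-memory stand-in for the etcd lists the method keeps:
    services, service call relationships, deployed honeypot services and the
    trapping path start/end lists (kept here as one start -> end mapping)."""

    def __init__(self):
        self.services = {}              # service id -> attributes
        self.relations = {}             # relationship id -> {"name", "start", "end"}
        self.deployed_honeypots = set() # list of deployed honeypot services
        self.trapping_paths = {}        # start point (target service) -> end point (honeypot)

    def neighbors(self, sid):
        """Services that have a call relationship with sid, in either direction."""
        out = set()
        for rel in self.relations.values():
            if rel["start"] == sid:
                out.add(rel["end"])
            elif rel["end"] == sid:
                out.add(rel["start"])
        return out

    def add_service(self, sid, name, software, stype, entry=False):
        """Operation 1: store the new service; it is itself the seed service."""
        self.services[sid] = {"name": name, "software": software,
                              "type": stype, "entry": entry}
        return {sid}

    def add_relation(self, rid, name, start, end):
        """Operation 2: store the relationship; start and end are the seeds."""
        self.relations[rid] = {"name": name, "start": start, "end": end}
        return {start, end}

    def delete_service(self, sid):
        """Operation 3: drop the relationships, honeypot service and trapping
        path tied to the service; seeds are the services it was related to."""
        seeds = self.neighbors(sid)     # determined before the relationships vanish
        self.relations = {r: v for r, v in self.relations.items()
                          if sid not in (v["start"], v["end"])}
        honeypot = self.trapping_paths.pop(sid, None)
        if honeypot is not None:
            self.deployed_honeypots.discard(honeypot)
        self.services.pop(sid, None)
        return seeds

    def delete_relation(self, rid):
        """Operation 4: drop the relationship; seeds are the services still
        related to its former start and/or end service (assumption: computed
        after the removal)."""
        rel = self.relations.pop(rid)
        return self.neighbors(rel["start"]) | self.neighbors(rel["end"])


def build_sample_state():
    """Constructed target network with one deployed trapping path auth -> hp-web."""
    s = HoneynetState()
    s.add_service("gw", "gateway", "nginx", "web", entry=True)
    for sid in ("auth", "order", "pay"):
        s.add_service(sid, sid, "tomcat", "app")
    s.add_service("log", "log", "fluentd", "log")
    s.add_relation("r1", "gw-auth", "gw", "auth")
    s.add_relation("r2", "gw-order", "gw", "order")
    s.add_relation("r3", "auth-order", "auth", "order")
    s.add_relation("r4", "order-pay", "order", "pay")
    s.add_relation("r5", "order-log", "order", "log")
    s.deployed_honeypots.add("hp-web")
    s.trapping_paths["auth"] = "hp-web"
    return s
```

Each operation returns the seed services that step 700 would then expand into their service call chains before re-running steps 400 to 520 on them.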

[0170] In this way, through the optimistic locking process described above, timestamps can be used to determine whether incremental optimization is needed. When incremental optimization is determined to be needed, the incremental deployment process provided in this application embodiment can maximize the use of the honeypot services already deployed in the target network, more effectively reduce deployment latency, reduce the computing and hardware / software resources consumed by high-frequency modifications within the honeynet system under multiple changes, and minimize invalid computing and invalid deployment.

[0171] Step 760: When it is determined that the probability of attacking any service call chain containing a seed service in the adjusted target network is not less than the threshold, perform honeypot service optimization on the service call chain containing that seed service.

[0172] In this embodiment of the application, after executing step 750, if it is determined that the attack probability of the service call chain of any seed service in the target network is not less than the threshold, then step 760 is executed to deploy a honeypot service for the target service on the service call chain where the seed service is located. Alternatively, the parameters of the honeypot service of any service on the service call chain where the seed service is located can be adjusted so that the attack probability of that service call chain is less than the threshold. Each service on the service call chain where the seed service is located can be obtained using steps 2001 to 2003 above. The target service can be determined using steps 400 to 420 above. The honeypot service matching the target service can be obtained using steps 500 to 520 above.

[0173] Thus, in this embodiment of the application, by executing steps 700 to 760, the honeynet system can make incremental deployment optimization responses for the four types of service call plane change events in the target network: adding new services, adding new service call relationships, deleting services, and deleting service call relationships. This allows the honeynet system to adjust the service call plane in the target network recorded in the honeynet system according to the real-time situation, thereby enhancing the real-time performance and controllability of the honeynet system.

[0174] However, in practical applications, due to performance considerations for etcd, the initial and incremental deployment processes of the honeynet in the service call chain are not placed in the same database transaction. This can lead to discrepancies between the generated honeynet deployment scheme and the actual one that should be generated, resulting in data inconsistency. Furthermore, as the target network changes, some service call chains may experience over-optimization issues where removing some honeypot services results in unnecessary resource consumption by redundant honeypot services. The discrepancies caused by these two situations can gradually accumulate, leading to significant resource waste or decreased security protection capabilities in the honeynet system. Therefore, it is necessary to periodically or immediately deploy and reset the honeynet system to promptly correct the discrepancies caused by data inconsistency and excessive optimization of computing resources.

[0175] This application provides a honeynet reconstruction process. The user sends a honeynet reset command to the dynamic honeynet deployment system through a monitoring client, or the command is issued when the reset period is reached. After receiving the honeynet reset command, the dynamic honeynet deployment system deletes the list of deployed honeypot services, the list of trapping path start points, and the list of trapping path end points in the target network. It then deletes all honeypot services in the target network, and finally executes steps 200 to 230 to rebuild the honeynet system in the target network, thus achieving dynamic honeynet deployment.

[0176] In this way, the honeynet reset process described above can correct deviations caused by both non-strong data consistency and over-optimization in a timely manner, thus facilitating the persistent maintenance of the honeynet system.

[0177] Based on the same inventive concept, as shown in Figure 8, this application embodiment provides a honeynet deployment device, including:

[0178] The first obtaining unit 810 is used to obtain each service in the service call chain where the entry service is located based on any entry service in the target network, wherein the entry service is a service exposed by the target network to the external network.

[0179] The determining unit 820 is used to determine the probability of attacking the service call chain where the entry service is located based on each of the services.

[0180] Deployment unit 830 is used to select a target service from the services that need to deploy honeypot services if the attack probability is not less than a threshold, match honeypot services for the target service, and generate a trapping path for the service call chain where the entry service is located based on the target service and the matched honeypot services.

[0181] The second obtaining unit 840 is used to obtain the honeynet system in the target network based on the generated trapping paths after completing the honeypot service deployment for the service call chain of each entry service within the target network.

[0182] In some possible embodiments, the first obtaining unit 810 is further configured to:

[0183] Before obtaining each service in the service call chain of any entry service within the target network, a honeynet deployment instruction is received, wherein the honeynet deployment instruction is either a honeynet initial deployment instruction or a honeynet reset instruction.

[0184] If the honeynet deployment instruction is the honeynet reset instruction, then the first obtaining unit 810 is further configured to:

[0185] After receiving the honeynet deployment instruction, and before obtaining each service in the service call chain of any entry service in the target network, delete the list of deployed honeypot services, the list of trapping path start points, and the list of trapping path end points in the target network.

[0186] Delete all honeypot services within the target network.

[0187] In some possible embodiments, the first obtaining unit 810 is specifically used for:

[0188] Based on any entry service within the target network, obtain each first service that has a service call relationship with the entry service;

[0189] Based on each of the first services, obtain the second service that has a service call relationship with each of the first services;

[0190] Based on the entry service, each first service, and each second service, the services on the service call chain where the entry service is located are obtained.

[0191] In some possible embodiments, the deployment unit 830 is specifically used for:

[0192] The services that meet the preset conditions are selected from the services, wherein the preset conditions include some or all of the following conditions: services that run preset type software, services that are not isolated services, services that are not the entry service, and services that are not log services.

[0193] The services that meet the preset conditions are sorted based on their in-degree and / or out-degree.

[0194] The service ranked first is selected as the target service for which the honeypot service needs to be deployed.

[0195] In some possible embodiments, the deployment unit 830 is specifically used for:

[0196] Obtain all undeployed honeypots;

[0197] From the various undeployed honeypots, remove those honeypots that have been associated with any of the services that meet the preset conditions to obtain a candidate honeypot set;

[0198] Based on the weights of each undeployed honeypot in the candidate honeypot set, a honeypot service matching the target service is determined.

[0199] In some possible embodiments, the deployment unit 830 is further configured to:

[0200] After generating the trapping path of the service call chain where the entry service is located based on the target service and the matched honeypot service, the matched honeypot service is persistently stored in the list of deployed honeypot services.

[0201] The identification information ID of the target service is persistently stored as the starting point of the trapping path in the trapping path starting point list.

[0202] The ID of the matched honeypot service is persistently stored as the endpoint of the trapping path in the trapping path endpoint list.

[0203] Based on the aforementioned services, the probability of compromise in the service call chain of the entry service is determined; if the probability of compromise is not less than the threshold, the parameters of the matched honeypot service are adjusted so that the probability of compromise is less than the threshold.

[0204] In some possible embodiments, the second obtaining unit 840 is further configured to:

[0205] After obtaining the honeynet system within the target network based on the generated trapping paths, in response to the service adjustment operation performed by the target network, the services on the service call chain where the seed service is located are obtained based on the seed service, wherein the seed service is the service adjusted by the service adjustment operation;

[0206] The entry services in each service in the service call chain where the seed service is located are sorted according to a preset sorting rule, and the entry service with the first sorting information is selected.

[0207] Update the current timestamp to the changed timestamp directory of the first entry service, and after a preset time, retrieve the changed timestamp from the changed timestamp directory and compare the changed timestamp with the current timestamp;

[0208] If they match, then the honeypot service within the target network will not be optimized.

[0209] If there is a discrepancy, the service calls within the honeynet system will be adjusted based on the service adjustment operation. And when it is determined that the probability of attacking the service call chain of any seed service within the adjusted target network is not less than the threshold, the honeypot service of the seed service will be optimized.

[0210] In some possible embodiments, the service adjustment operation includes at least one of adding a service operation, adding a service call relationship operation, deleting a service operation, and deleting a service call relationship operation, and the second obtaining unit 840 is specifically used for:

[0211] If the service adjustment operation is the new service operation, then the ID, service name, service running software name, service type, and whether it is an entry service corresponding to the new service operation are stored.

[0212] If the service adjustment operation is the operation of adding a new service call relationship, then the ID of the service call relationship corresponding to the operation of adding a new service call relationship, the associated service name, the ID of the starting service, and the ID of the ending service are stored.

[0213] If the service adjustment operation is the service deletion operation, then delete the service call relationship, honeypot service, and trapping path associated with the service corresponding to the service deletion operation;

[0214] If the service adjustment operation is the deletion of service call relationship operation, then delete the list of service call relationships corresponding to the deletion of service call relationship operation, the starting service, and the sublist of the ending service or edge device.

[0215] As shown in Figure 9, this application provides a server 900, including: a processor 901 and a memory 902;

[0216] Memory 902 is used to store computer programs executed by processor 901. Memory 902 can be volatile memory, such as random-access memory (RAM); memory 902 can also be non-volatile memory, such as read-only memory, flash memory, hard disk drive (HDD), or solid-state drive (SSD); or memory 902 can be any other medium capable of carrying or storing desired program code in the form of instructions or data structures that can be accessed by a computer, but is not limited thereto. Memory 902 can be a segment of the above-mentioned memories.

[0217] The processor 901 may include one or more central processing units (CPUs), graphics processing units (GPUs), or digital processing units, etc.

[0218] This application embodiment does not limit the specific connection medium between the memory 902 and the processor 901. In Figure 9 of this application embodiment, the memory 902 and the processor 901 are connected via a bus 903, which is represented by a thick line. The bus 903 can be divided into an address bus, a data bus, a control bus, etc. For ease of representation, the bus is drawn in Figure 9 as a single thick line, but this does not mean that there is only one bus or one type of bus.

[0219] The memory stores program code, which, when executed by the processor 901, causes the processor 901 to perform any of the methods described in the above embodiments.

[0220] Since this server is the same server that executes the honeynet deployment method in the embodiments of this application, and the principle of the server in solving the problem is similar to that of the honeynet deployment method, the implementation of the server can be referred to the implementation of the method, and the repeated parts will not be described again.

[0221] Based on the same inventive concept, embodiments of this application provide a computer-readable storage medium storing computer program instructions thereon, which, when executed by a processor, implement any one of the methods in the above embodiments.

[0222] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0223] This application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to this application. It should be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in one or more blocks of the flowchart illustrations and/or one or more blocks of the block diagrams.

[0224] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means that implement the functions specified in one or more flows in a flowchart and/or one or more blocks in a block diagram.

[0225] These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process, such that the instructions, which execute on the computer or other programmable apparatus, provide steps for implementing the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.

[0226] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.

Claims

1. A honeynet deployment method, characterized in that it comprises: based on any entry service within the target network and the service call relationships between services within the target network, obtaining each first service that has a service call relationship with the entry service; based on each of the first services, obtaining each second service that has a service call relationship with that first service; based on the entry service, each first service and each second service, searching within the target network to obtain each service on the service call chain where the entry service is located, wherein the entry service is a service exposed by the target network to the external network; based on each of the services, determining the probability of compromise of the service call chain where the entry service is located; if the probability of compromise is not less than a threshold, selecting from the services those that meet preset conditions, wherein the preset conditions include some or all of the following: the service runs software of a preset type, the service is not an isolated service, the service is not the entry service, and the service is not a log service; sorting the services that meet the preset conditions based on their in-degree and/or out-degree; selecting the service ranked first in the sorting information, and using the service ranked first in the sorting information as the target service for which a honeypot service needs to be deployed; matching a honeypot service to the target service, and generating a trapping path for the service call chain where the entry service is located based on the target service and the matched honeypot service, wherein the starting point of the trapping path is the target service and the ending point is the matched honeypot service; and after the honeypot service deployment has been completed for each entry service in the target network, obtaining the honeynet system in the target network based on the generated trapping paths.

2. The method of claim 1, wherein, before obtaining each service in the service call chain of any entry service within the target network, the method further comprises: receiving a honeynet deployment instruction, wherein the honeynet deployment instruction is an initial honeynet deployment instruction or a honeynet reset instruction; and if the honeynet deployment instruction is the honeynet reset instruction, then after receiving the honeynet deployment instruction and before obtaining each service in the service call chain of any entry service within the target network, the method further comprises: deleting the list of deployed honeypot services, the list of trapping path starting points, and the list of trapping path ending points within the target network; and deleting all honeypot services within the target network.

3. The method of claim 1, wherein matching a honeypot service to the target service comprises: obtaining all undeployed honeypots; removing, from the undeployed honeypots, those honeypots that have already been associated with any of the services that meet the preset conditions, to obtain a candidate honeypot set; and determining a honeypot service matching the target service based on the weight of each undeployed honeypot in the candidate honeypot set.
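As an added illustration, not code from the patent, the selection and matching steps of claims 1 and 3 in Python over a constructed five-service call graph: breadth-first search from the entry service, the preset-condition filter, in-degree/out-degree ranking, and weight-based honeypot matching. The service graph, software names, per-service compromise probabilities and the "any service falls, the chain falls" probability model are all assumptions; the patent does not specify how the probability is computed.

```python
import math
from collections import deque

# Constructed call graph for a hypothetical target network: service -> services it calls.
CALLS = {
    "gateway": ["auth", "orders"], "auth": ["userdb"],
    "orders": ["userdb", "logsvc"], "userdb": [], "logsvc": [],
}
# Constructed per-service attributes used by the preset conditions of claim 1.
SOFTWARE = {"gateway": "nginx", "auth": "spring", "orders": "spring",
            "userdb": "mysql", "logsvc": "elk"}
ISOLATED, LOG_SERVICES = set(), {"logsvc"}
PRESET_SOFTWARE = {"spring", "mysql"}  # assumed set of "preset type software"

def call_chain(entry):
    """Breadth-first search from the entry service over the call relationships (claim 1)."""
    chain, queue = [], deque([entry])
    while queue:
        svc = queue.popleft()
        if svc not in chain:
            chain.append(svc)
            queue.extend(CALLS.get(svc, []))
    return chain

def in_degree(svc):
    return sum(svc in callees for callees in CALLS.values())

def compromise_probability(chain, p_service):
    """Assumed model, not the patent's: the chain is compromised if any service on it is."""
    return 1.0 - math.prod(1.0 - p_service.get(s, 0.0) for s in chain)

def pick_target(chain, entry):
    """Apply the preset conditions, rank by in-degree then out-degree, take the first."""
    cands = [s for s in chain if SOFTWARE[s] in PRESET_SOFTWARE and s not in ISOLATED
             and s != entry and s not in LOG_SERVICES]
    cands.sort(key=lambda s: (in_degree(s), len(CALLS[s])), reverse=True)
    return cands[0] if cands else None

def match_honeypot(undeployed, associated, weights):
    """Claim 3: drop honeypots already associated with a candidate service, take the heaviest."""
    pool = [h for h in undeployed if h not in associated]
    return max(pool, key=weights.get) if pool else None

def plan_trapping_path(entry, p_service, threshold, undeployed, associated, weights):
    """Trapping path as (start = target service, end = honeypot), or None if below threshold."""
    chain = call_chain(entry)
    if compromise_probability(chain, p_service) < threshold:
        return None
    target = pick_target(chain, entry)
    honeypot = match_honeypot(undeployed, associated, weights)
    return (target, honeypot) if target and honeypot else None
```

In the constructed graph the database called by both `auth` and `orders` has the highest in-degree, so it becomes the trapping path's starting point; the gateway is excluded because it is the entry service and `logsvc` because it is a log service.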

4. The method according to any one of claims 1 to 3, characterized in that, after generating the trapping path of the service call chain where the entry service is located based on the target service and the matched honeypot service, the method further comprises: persistently storing the matched honeypot service in the list of deployed honeypot services; persistently storing the identification information (ID) of the target service as the starting point of the trapping path in the trapping path starting point list; persistently storing the ID of the matched honeypot service as the ending point of the trapping path in the trapping path ending point list; and determining, based on the services, the probability of compromise of the service call chain of the entry service, and if the probability of compromise is not less than the threshold, adjusting the parameters of the matched honeypot service so that the probability of compromise becomes less than the threshold.

5. The method of claim 4, wherein, after obtaining the honeynet system within the target network based on the generated trapping paths, the method further comprises: in response to a service adjustment operation performed on the target network, obtaining, based on a seed service, each service in the service call chain where the seed service is located, wherein the seed service is the service adjusted by the service adjustment operation; sorting the entry services among the services in the service call chain where the seed service is located according to a preset sorting rule, and selecting the entry service ranked first in the sorting information; updating the current timestamp into the changed-timestamp directory of the first-ranked entry service, and after a preset time, retrieving the changed timestamp from the changed-timestamp directory and comparing the changed timestamp with the current timestamp; if they are consistent, making no adjustment to the service calls within the honeynet system; if they differ, adjusting the service calls within the honeynet system based on the service adjustment operation; and when it is determined that the probability of compromise of the service call chain where any seed service is located within the target network after adjustment is not less than the threshold, optimizing the honeypot service of that seed service.

6. The method as described in claim 5, characterized in that the service adjustment operation includes at least one of adding a service, adding a service call relationship, deleting a service, and deleting a service call relationship; and adjusting the service calls within the honeynet system based on the service adjustment operation comprises: if the service adjustment operation is the service addition operation, storing the ID, service name, name of the software the service runs, service type, and whether it is an entry service for the service corresponding to the service addition operation; if the service adjustment operation is the service call relationship addition operation, storing the ID of the service call relationship corresponding to the service call relationship addition operation, the associated service name, the ID of the starting service, and the ID of the ending service; if the service adjustment operation is the service deletion operation, deleting the service call relationships, honeypot service, and trapping path associated with the service corresponding to the service deletion operation; and if the service adjustment operation is the service call relationship deletion operation, deleting the service call relationship list corresponding to the service call relationship deletion operation, the starting service, and the sublist of the ending service or edge device.

7. A honeynet deployment device, characterized in that it comprises: a first obtaining unit, configured to obtain, based on any entry service in the target network and the service call relationships between services in the target network, each first service that has a service call relationship with the entry service; obtain, based on each of the first services, each second service that has a service call relationship with that first service; and search within the target network, based on the entry service, each first service and each second service, to obtain each service on the service call chain where the entry service is located, wherein the entry service is a service exposed by the target network to the external network; a determining unit, configured to determine the probability of compromise of the service call chain where the entry service is located based on each of the services; a deployment unit, configured to, if the probability of compromise is not less than a threshold, select services that meet preset conditions from the services, wherein the preset conditions include some or all of the following: the service runs software of a preset type, the service is not an isolated service, the service is not the entry service, and the service is not a log service; sort the services that meet the preset conditions based on in-degree and/or out-degree; select the service ranked first in the sorting information, and use the service ranked first in the sorting information as the target service for which a honeypot service needs to be deployed; and match a honeypot service to the target service, and generate a trapping path for the service call chain where the entry service is located based on the target service and the matched honeypot service, wherein the starting point of the trapping path is the target service and the ending point is the matched honeypot service; and a second obtaining unit, configured to obtain the honeynet system in the target network based on the generated trapping paths after the honeypot service deployment of the service call chain where each entry service in the target network is located has been completed.

8. A server, characterized in that it comprises a processor and a memory, wherein the memory is used to store a computer program or instructions, and the processor is configured to execute the computer program or instructions in the memory such that the method of any one of claims 1 to 6 is performed.