A dynamic security defense method and system based on hot migration and deep learning
By employing a dynamic security defense method based on hot migration and deep learning, combined with an SDN controller and a TCP_REPAIR proxy, the problems of slow connection switching and low identification accuracy in hybrid honeypot systems are solved. This enables accurate identification of encrypted malicious traffic and seamless, rapid connection switching, improving system security and the utilization of the honeypot cluster.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- GUILIN UNIV OF ELECTRONIC TECH
- Filing Date
- 2022-12-01
- Publication Date
- 2026-06-26
Figure CN116318779B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network defense technology, specifically to a dynamic security defense method and system based on hot migration and deep learning.
Background Technology
[0002] With the continuous development of the internet, the security threats it faces are also constantly escalating. Faced with complex and ever-changing attack methods and techniques, traditional network defense technologies such as firewalls, intrusion detection systems, and intrusion prevention systems (IPS) are insufficient for quickly processing and responding to unknown and complex attack events, such as encrypted malicious traffic. To address the ever-emerging new types of cyberattacks and better improve the security of internet information, the application of proactive defense technologies has become an urgent need in today's network security defense technology landscape.
[0003] Honeypots, a proactive defense technology widely researched in recent years, can be categorized into high-interaction and low-interaction honeypots according to how far they let an attacker interact. High-interaction honeypots are typically built on real system environments, which makes it relatively easy to construct complex and convincing decoy environments. Low-interaction honeypots are usually built with virtual simulation software that isolates the real environment; they are simple and cheap to build, but because they only simulate services they are easier for attackers to fingerprint. Hybrid honeypots balance the strengths and weaknesses of the two types. The basic idea is to deploy a large number of low-interaction honeypots at the front end and a small number of high-interaction honeypots at the back end, and to migrate traffic between them in order to capture and analyze attacks. However, because traditional honeypots control data at coarse granularity, they suffer from several shortcomings, including significant time and space consumption during connection transfers and low accuracy in deciding which connections to transfer.
[0004] Encrypted malicious traffic identification technology mainly analyzes the statistical and time-series characteristics of data streams and uses machine learning algorithms (such as support vector machines, decision trees, random forests, etc.) and statistical models such as Gaussian mixture models to identify and classify encrypted traffic. Although the above methods can solve many problems that port-based and payload-based methods cannot, there are still problems such as the inability to automatically extract and select features, the easy expiration of features, and the need for continuous updates.
[0005] Existing TCP connection switching techniques in hybrid honeypots mainly use one of the following methods. Redirecting traffic with a conventional proxy: this method has no traffic filtering, so a large number of invalid connections consume the backend and raise the overall system load. Using an SDN store-and-forward strategy that replays previously stored packets to establish a connection with the new host at switching time: this imposes excessive storage requirements, since storing the massive volume of malicious packets generated during a large-scale attack would overburden the system. Using a NAT address translation device for redirection and then rewriting the TCP sequence number, acknowledgment number and window size before replaying the packets: because this relies on NAT, the switch is perceptible to the attacker while it is taking place.
[0006] Based on the above, the following drawbacks of traditional hybrid honeypot systems can be identified: the TCP connection switching speed is slow when malicious traffic is encountered; identification of malicious traffic relies mainly on intrusion detection systems, resulting in low accuracy; hybrid honeypot systems cannot identify encrypted malicious traffic, even though an increasing share of traffic is encrypted; hybrid honeypot systems lack traffic filtering, so a large number of invalid connections consume the backend; replay-based TCP connection switching requires significant storage for TCP packets, placing a heavy burden on the system; and the traditional TCP connection switching process has substantial latency, which attackers may perceive.
Summary of the Invention
[0007] (a) Technical problems to be solved
[0008] To address the shortcomings of existing technologies, this invention provides a dynamic security defense method and system based on hot migration and deep learning. It solves several problems: the slow TCP connection switching speed in hybrid honeypot systems when encountering malicious traffic; the low accuracy of hybrid honeypot systems relying primarily on intrusion detection systems to identify malicious traffic; the inability of hybrid honeypot systems to identify encrypted malicious traffic, even though current traffic is increasingly being encrypted; the lack of traffic filtering functionality in hybrid honeypot systems, leading to a large amount of invalid connections occupying the backend; the need for extensive storage of TCP packets during connection replay-based TCP connection switching in hybrid honeypot systems, causing a significant system burden; and the substantial latency of traditional TCP connection switching processes in hybrid honeypot systems, which makes the switching process perceptible to attackers.
[0009] (II) Technical Solution
[0010] To achieve the above objectives, the present invention provides the following technical solution: a dynamic security defense method based on hot migration and deep learning, specifically including the following steps:
[0011] Step 1: When traffic enters the system, the intrusion detection system in the switch performs a preliminary traffic assessment. If the traffic is detected as normal and encrypted, proceed to Step 2.
[0012] Step 2: Use a deep learning-based malicious traffic detection module to check whether the traffic is malicious. If it is normal traffic, send it to a normal host. If it is malicious traffic, proceed to Step 3.
[0013] Step 3: The SDN controller issues flow tables to forward the traffic to a low-interaction honeypot created by the honeypot management system. When the attack depth reaches the critical point, the honeypot management system activates replicas of the normal host, taken from its periodic snapshots, as high-interaction honeypots; at the same time, sensitive data in the replica is overwritten with random padding. The TCP_REPAIR proxy redirection engine is then used to switch the connection to the high-interaction honeypot.
[0014] The present invention is further configured such that the deep learning-based malicious traffic detection module in step two specifically includes: generating labeled data and unlabeled data by processing the original dataset, wherein a portion of the unlabeled data is used for testing and a portion for training; optimizing with mini-batch gradient descent; feeding the processed data together with the originally reserved unlabeled data into a one-dimensional convolutional neural network (1D-CNN) model for training; and inputting new traffic into the trained model to output the prediction result.
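The featurization, 1D convolutional forward pass and mini-batch gradient descent described in [0014] (and again in claim 2), as an added Python illustration that is not the patent's own model: a flow's payload bytes become a fixed-length vector, one strided 1D convolution with ReLU and global max pooling feeds a logistic output, and training runs in mini-batches. Everything not fixed by the text is an assumption: the input length, the network shape, the pure-Python implementation, and the constructed sample flows (benign flows built from low byte values, "malicious" ones from high byte values, so that the two classes are separable). The semi-supervised labeled/unlabeled split is not reproduced.

```python
"""Minimal 1D CNN for encrypted-flow classification (added illustration, pure Python)."""
import math
import random
from typing import List, Sequence, Tuple

INPUT_LEN = 64  # bytes fed to the network per flow; an assumption, the page gives no length
Sample = Tuple[List[float], int]


def flow_to_vector(payloads: Sequence[bytes], n: int = INPUT_LEN) -> List[float]:
    """Concatenate a flow's payloads in order, truncate or zero-pad to n bytes, scale to [0, 1]."""
    raw = b"".join(payloads)[:n]
    raw += b"\x00" * (n - len(raw))
    return [b / 255.0 for b in raw]


def sigmoid(z: float) -> float:
    z = max(-30.0, min(30.0, z))
    return 1.0 / (1.0 + math.exp(-z))


class Tiny1DCNN:
    """One valid, strided 1D conv layer + ReLU -> global max pool -> logistic output."""

    def __init__(self, n_kernels: int = 6, k: int = 5, stride: int = 2, seed: int = 0) -> None:
        rng = random.Random(seed)
        self.k, self.stride = k, stride
        self.w = [[rng.uniform(-0.2, 0.2) for _ in range(k)] for _ in range(n_kernels)]
        self.b = [0.1] * n_kernels       # small positive bias keeps every kernel active at start
        self.w_out = [0.0] * n_kernels
        self.b_out = 0.0

    def forward(self, x: List[float]):
        """Returns (probability, pooled features, argmax window offset per kernel)."""
        feats, where = [], []
        for w, b in zip(self.w, self.b):
            best, pos = 0.0, -1          # ReLU: pooled value is never below 0
            for i in range(0, len(x) - self.k + 1, self.stride):
                s = b + sum(w[j] * x[i + j] for j in range(self.k))
                if s > best:
                    best, pos = s, i
            feats.append(best)
            where.append(pos)
        z = self.b_out + sum(wo * f for wo, f in zip(self.w_out, feats))
        return sigmoid(z), feats, where

    def predict(self, x: List[float]) -> int:
        return int(self.forward(x)[0] >= 0.5)

    def minibatch_step(self, batch: Sequence[Sample], lr: float) -> float:
        """One gradient-descent step on mean binary cross-entropy over the batch."""
        n = len(batch)
        gw = [[0.0] * self.k for _ in self.w]
        gb, gwo = [0.0] * len(self.b), [0.0] * len(self.w_out)
        gbo, loss = 0.0, 0.0
        for x, y in batch:
            p, feats, where = self.forward(x)
            loss -= math.log(max(p if y else 1.0 - p, 1e-12))
            d = (p - y) / n                      # dL/dz, averaged over the batch
            gbo += d
            for i, f in enumerate(feats):
                gwo[i] += d * f
                if where[i] >= 0:                # max pool routes the gradient to one window
                    df = d * self.w_out[i]
                    gb[i] += df
                    for j in range(self.k):
                        gw[i][j] += df * x[where[i] + j]
        for i in range(len(self.w)):
            self.b[i] -= lr * gb[i]
            self.w_out[i] -= lr * gwo[i]
            for j in range(self.k):
                self.w[i][j] -= lr * gw[i][j]
        self.b_out -= lr * gbo
        return loss / n


def train(model: Tiny1DCNN, data: Sequence[Sample], epochs: int, batch_size: int,
          lr: float, seed: int = 0) -> List[float]:
    """Shuffle each epoch, step once per mini-batch; returns the mean loss per epoch."""
    rng, order, losses = random.Random(seed), list(data), []
    for _ in range(epochs):
        rng.shuffle(order)
        batch_losses = [model.minibatch_step(order[i:i + batch_size], lr)
                        for i in range(0, len(order), batch_size)]
        losses.append(sum(batch_losses) / len(batch_losses))
    return losses


def accuracy(model: Tiny1DCNN, data: Sequence[Sample]) -> float:
    return sum(model.predict(x) == y for x, y in data) / len(data)


def make_dataset(n_per_class: int, seed: int = 1) -> List[Sample]:
    """Constructed flows, not captured traffic: low byte values for benign, high for malicious."""
    rng, data = random.Random(seed), []
    for _ in range(n_per_class):
        benign = [bytes(rng.randrange(0x00, 0x20) for _ in range(24)) for _ in range(3)]
        bad = [bytes(rng.randrange(0xC0, 0x100) for _ in range(24)) for _ in range(3)]
        data.append((flow_to_vector(benign), 0))
        data.append((flow_to_vector(bad), 1))
    return data


if __name__ == "__main__":
    data = make_dataset(8)
    net = Tiny1DCNN()
    losses = train(net, data, epochs=80, batch_size=8, lr=0.5)
    print(f"loss {losses[0]:.3f} -> {losses[-1]:.3f}, accuracy {accuracy(net, data):.2f}")
```

The gradient of the max-pooled feature reaches only the window that won the pool, which is why `forward` returns the argmax offsets; a real deployment would replace the constructed dataset with per-flow byte sequences from captures and keep the rest of the loop.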
[0015] The present invention is further configured as follows: In step one, the traffic arrives at the intrusion detection system. The intrusion detection system detects the port and payload of the traffic. If the port is an open port of the system and the payload is normal, it is marked as 0. If the traffic is encrypted, it proceeds to step two and is input into the deep learning-based malicious traffic detection module for testing again. After the deep learning-based malicious traffic detection module tests, if the traffic is normal traffic, it is marked as 0 (at this time, the traffic is marked as 00). Then, it is determined that this traffic is normal traffic. The traffic is forwarded directly to the normal host by the switch through the flow table issued by the SDN controller, and the payload of the subsequent traffic is normal.
[0016] If the subsequent payload is detected as abnormal by the intrusion detection system or the deep learning-based malicious traffic detection module, the TCP_REPAIR proxy is started, and then the traffic is directly forwarded to the high-interaction honeypot of the corresponding service.
[0017] The present invention is further configured as follows: In step one, the traffic arrives at the intrusion detection system. The intrusion detection system detects the port and payload of the traffic. If the port is an open port of the system and the payload is normal, it is marked as 0. Then it is input into the deep learning-based malicious traffic detection module for testing again. After the deep learning-based malicious traffic detection module tests, if the traffic is abnormal, it is marked as 1 (at this time the traffic is marked as 01). This traffic is forwarded to the low-interaction honeypot corresponding to the request port.
[0018] If the payload of the attack process is identified by the intrusion detection system's preset alarm list as needing to be forwarded to a high-interaction honeypot, the TCP_REPAIR proxy is started to transfer the traffic originally connected to the low-interaction honeypot to the high-interaction honeypot.
[0019] The invention is further configured such that the intrusion detection system is able to trigger preset alarm information based on traffic information, for example triggering preset alarms according to the port and IP network segment of the accessed server. For example, with the Snort intrusion detection system running in Network Intrusion Detection mode and a rule such as alert tcp any any -> 10.37.23.59/18 22 (logto:"ssh"; msg:"high interaction honeypot";) configured, TCP traffic to port 22 of the 10.37.23.59/18 network triggers this alert; matching packets are logged to the file "ssh" and the alarm message is "high interaction honeypot".
[0020] The present invention is further configured such that: the specific steps of using the TCP_REPAIR proxy redirection engine to switch the connection to the high-interaction honeypot in step three are as follows:
[0021] S1: An attacker attempts to establish a full TCP connection with the real system via the TCP three-way handshake. Since the attacker has not yet launched the actual attack, the SDN controller first uses OpenFlow 1.5 to install flow rules matching the relevant TCP fields on the switches, intercepting the three-way handshake packets between the attacker and the real system, and records the TCP negotiation parameters. The SDN controller then issues flow tables to the switches, which forward the connection packets to the real system. During the three-way handshake, all TCP packets are sent to the intrusion detection system (IDS) for inspection, and the IDS sends alarm information to the SDN controller for decision-making. This step filters out a large amount of scanning traffic.
[0022] S2: After receiving the PSH packet, the SDN controller first extracts the key fields from the packet, including but not limited to the sequence number, acknowledgment number and identification number, and saves the connection information.
[0023] S3: When the SDN controller receives an alarm from the Snort intrusion detection system indicating a high-interaction honeypot or encrypted traffic being marked as 1 by a deep learning-based malicious traffic detection module, the SDN controller initiates a TCP connection switch. The SDN controller sends a Flow-Mod to the switch, temporarily taking over the attacker's connection to the real system. The attacker's packets are input into the SDN controller via Packet-In to prevent responses from the real system and avoid further data leakage. A socket is then created through the TCP_REPAIR proxy, and a new regular socket is created to connect to the high-interaction honeypot. When the SDN controller issues a "200 OK" confirmation that the system is normal, the TCP_REPAIR socket and the previously saved connection information from the SDN controller are used. The parameters negotiated by the real system's three-way handshake are encapsulated into an ACK packet with the latest acknowledgment number and sent to a new regular socket, establishing a connection between the two sockets. When the SDN controller receives a "200 OK" from the TCP_REPAIR proxy and confirms readiness, it transmits the attacker's and real system's packets, temporarily taken over by the SDN controller, to the TCP_REPAIR proxy via Packet-Out. The SDN controller then sends a Flow-Mod to the switch, replacing the real system's MAC and IP addresses with the MAC and IP addresses of the TCP_REPAIR proxy's high-interaction honeypot. This redirects subsequent traffic directly to the TCP_REPAIR proxy, and subsequent packets of this connection are submitted to the high-interaction honeypot through the proxy, completing the connection transfer.
[0024] This invention also discloses a dynamic security defense system based on hot migration and deep learning, including a custom software-defined network (SDN) module, wherein the custom software-defined network (SDN) module includes a forwarding decision engine and a redirection forwarding engine TCP_REPAIR proxy;
[0025] Forwarding decision engine: includes an intrusion detection system and a deep learning-based malicious traffic detection module;
[0026] Honeypot systems include high-interaction honeypots and low-interaction honeypots.
[0027] (III) Beneficial Effects
[0028] This invention provides a dynamic security defense method and system based on hot migration and deep learning. It has the following beneficial effects:
[0029] (1) This invention accurately identifies encrypted or unencrypted attack traffic and its variants and diverts them. Normal traffic reaches the actual system for operation, while the marked malicious traffic quickly and dynamically selects honeypots to respond according to the attack process and the actual network conditions, effectively improving the utilization rate and deception capability of the honeypot cluster.
[0030] (2) This invention does not require storing a large number of network data packets for replaying data packets during connection switching. It only needs to use the TCP_REPAIR proxy function to perform hot migration of the connection at any stage of the TCP connection and achieve fast and seamless connection switching through the underlying network communication of Linux.
[0031] (3) This invention introduces a one-dimensional convolutional neural network to sample and detect traffic features. Compared with traditional network defense systems that mainly identify malicious traffic by matching keywords in data packets through intrusion detection systems and can only identify unencrypted traffic, this invention can identify encrypted traffic by extracting traffic features, and thus accurately identify encrypted malicious traffic.
[0032] (4) By introducing Software Defined Network (SDN), this invention integrates network devices, intrusion detection systems and TCP connection conversion, making management and function upgrades more convenient.
[0033] (5) This invention uses a dual traffic filtering system of intrusion detection system and convolutional neural network to accurately divert access traffic. While ensuring normal access to the real system, it collects new attack processes, improves the system's security defense capabilities, and avoids the backend being occupied by a large number of invalid connections.
Attached Figure Description
[0034] Figure 1 This is a system architecture diagram of the present invention;
[0035] Figure 2 This is a flowchart illustrating the operation of the deep learning-based malicious traffic detection module of this invention.
[0036] Figure 3 This is a diagram showing the overall architecture of the deep learning-based malicious traffic detection module of this invention.
[0037] Figure 4 This is a flowchart of the traffic forwarding process of the present invention;
[0038] Figure 5 This is a flowchart of the TCP connection and data exchange process under normal circumstances according to the present invention;
[0039] Figure 6 This is a flowchart of the TCP connection switching process of the present invention.
Detailed Implementation
[0040] The technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention.
[0041] Referring to Figures 1 to 6, this invention provides a technical solution: a dynamic security defense method based on hot migration and deep learning. As shown in Figure 4, it mainly includes the following four working modes:
[0042] First mode: Traffic arrives at the Snort intrusion detection system. Snort inspects the port and payload of the traffic. If the port is an open port of the system and the payload is normal, the traffic is marked 0. If the traffic is encrypted, it is passed to the 1D-CNN deep learning-based malicious traffic detection module for a second test. If the 1D-CNN module finds it normal, it is marked 0 again (the traffic is now marked 00) and is determined to be normal traffic. The switch then forwards it directly to the normal host through the flow table issued by the Ryu controller, as long as the payload of subsequent traffic remains normal.
[0043] Second mode: Building on the first mode, if a subsequent payload is detected as abnormal by Snort or by the 1D-CNN deep learning-based malicious traffic detection module (i.e., the traffic is marked 1), the TCP_REPAIR proxy is started and the traffic is forwarded directly to the high-interaction honeypot of the corresponding service.
[0044] Third mode: Traffic arrives at the Snort intrusion detection system. Snort inspects the port and payload of the traffic. If the port is an open port of the system and the payload is normal, the traffic is marked 0. It is then passed to the 1D-CNN deep learning-based malicious traffic detection module for a second test. If the 1D-CNN module finds the traffic abnormal, it is marked 1 (the traffic is now marked 01) and is forwarded to the low-interaction honeypot corresponding to the requested port.
[0045] Fourth mode: Building on the third mode, if the payload of the attack process matches a preset Snort alarm whose msg action indicates forwarding to a high-interaction honeypot, the TCP_REPAIR proxy is started to transfer the connection from the low-interaction honeypot to the high-interaction honeypot.
[0046] As a preferred option, Snort is recommended as the intrusion detection system. Snort has three main modes: Sniffer, Packet Logger and Network Intrusion Detection System. Sniffer mode simply captures packets from the network and prints them to the terminal; Packet Logger mode saves packets to disk; and Network Intrusion Detection System (NIDS) mode is the most complex and highly configurable, letting Snort analyze network traffic and react according to user-defined rules. This invention prefers NIDS mode, which can respond by analyzing network traffic.
[0047] As a preferred solution, Snort alert rules take the following form:
[0048] alert <protocol> <source-ip> <source-port> <direction: -> or <>> <destination-ip> <destination-port> (<rule options>)
[0049] where the rule options include logto:"file name" (packets matching this rule are logged to the named file); msg:"alarm message"; sid:<rule identifier>; priority:<priority level>; and content:"pattern string to search for in the packet payload".
[0050] For example, the rule alert tcp any any -> 10.37.23.59/18 22 (logto:"ssh"; msg:"HIH";) fires on TCP traffic to port 22 of the 10.37.23.59/18 network; matching packets are logged to the file "ssh" and the alarm message is HIH.
[0051] Through such alarm rules, four actions are defined in the alarm message (msg) content: Real_System, 1D_CNN, LIH (Low Interaction Honeypot) and HIH (High Interaction Honeypot). They mean, respectively, forward to the normal host, forward to the deep learning-based malicious traffic detection module 1D_CNN, forward to the low-interaction honeypot, and forward to the high-interaction honeypot. Forwarding to a particular honeypot requires the Ryu controller to issue flow tables to the switch; the alarm is therefore passed to the Ryu controller over Snort's socket alert output, and the controller performs the forwarding. The connection selection engine algorithm is as follows:
[0052] Data: payload packet pkt
[0053] Result: forwarding decision
[0054] 1. Decision-making method:
[0055] 2. if pkt carries a payload then
[0056] 3.     send the payload packet to Snort;
[0057] 4.     Snort checks the packet against its rules and generates an alert msg;
[0058] 5.     if msg == "1D_CNN" then
[0059] 6.         send the encrypted flow to 1D_CNN;
[0060] 7.     end if
[0061] 8.     Snort sends the alarm information to the Ryu controller;
[0062] 9. end if
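The four working modes and the connection selection algorithm above, as an added Python illustration that is neither the patent's nor Ryu's code: a decision engine that consumes Snort alerts whose msg field carries one of the four actions, keeps the two-bit mark per connection, and returns the target host together with whether the connection must be hot-migrated by the TCP_REPAIR proxy (modes 2 and 4) rather than merely steered by a new flow entry. The alert line layout (Snort's alert_fast format), the five-tuple keying, the handling of a flow that turns malicious after being accepted, and the constructed sample alerts are assumptions; installing the flow entries is left to the controller.

```python
"""Forwarding-decision engine: Snort msg actions + 1D-CNN verdicts -> target host."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The four actions the patent attaches to the Snort msg field.
REAL_SYSTEM, CNN, LIH, HIH = "Real_System", "1D_CNN", "LIH", "HIH"

# Snort alert_fast line layout (assumed here; the page only shows the rule syntax), e.g.
# 12/01-10:00:00.000001  [**] [1:1000001:1] HIH [**] [Priority: 1] {TCP} 203.0.113.7:51234 -> 10.37.23.59:22
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\].*?\{TCP\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

FlowKey = Tuple[str, int, str, int]    # (src ip, src port, dst ip, dst port)
Decision = Tuple[FlowKey, str, bool]   # (flow, target, migrate_with_tcp_repair)


@dataclass
class FlowState:
    ids_mark: int = 0                  # first bit: Snort verdict, 0 normal / 1 abnormal
    cnn_mark: Optional[int] = None     # second bit: 1D-CNN verdict, None until consulted
    target: str = REAL_SYSTEM          # host the connection currently lives on

    @property
    def mark(self) -> str:
        return str(self.ids_mark) + ("" if self.cnn_mark is None else str(self.cnn_mark))


def parse_alert(line: str) -> Optional[Tuple[FlowKey, str]]:
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"])), m["msg"].strip()


class DecisionEngine:
    def __init__(self) -> None:
        self.flows: Dict[FlowKey, FlowState] = {}

    def on_snort_alert(self, line: str) -> Optional[Decision]:
        parsed = parse_alert(line)
        if parsed is None:
            return None
        key, msg = parsed
        known = key in self.flows            # connection already placed on some host
        st = self.flows.setdefault(key, FlowState())
        if msg == REAL_SYSTEM:               # open port, normal cleartext payload
            st.ids_mark, st.target = 0, REAL_SYSTEM
            return key, REAL_SYSTEM, False
        if msg == CNN:                       # open port, normal but encrypted: defer to the 1D-CNN
            st.ids_mark = 0
            return key, CNN, False
        if msg == LIH:                       # Snort itself flags the payload
            st.ids_mark, st.target = 1, LIH
            return key, LIH, False
        if msg == HIH:                       # preset alarm: escalate to the HIH
            st.ids_mark = 1
            migrate = known and st.target != HIH   # modes 2 and 4: move a live connection
            st.target = HIH
            return key, HIH, migrate
        return None                          # unknown action: leave the flow alone

    def on_cnn_verdict(self, key: FlowKey, malicious: bool) -> Decision:
        st = self.flows.setdefault(key, FlowState())
        first_verdict = st.cnn_mark is None
        st.cnn_mark = int(malicious)
        if not malicious:                    # "00": forward to the real system
            st.target = REAL_SYSTEM
            return key, REAL_SYSTEM, False
        if first_verdict:                    # "01": divert to the LIH for the requested port
            st.target = LIH
            return key, LIH, False
        migrate = st.target != HIH           # an accepted flow turns malicious later: mode 2
        st.target = HIH
        return key, HIH, migrate


# Constructed alert lines, not captured Snort output.
SAMPLE_ALERTS: List[str] = [
    "12/01-10:00:00.000001  [**] [1:1000001:1] 1D_CNN [**] [Priority: 2] {TCP} 203.0.113.7:51234 -> 10.37.23.59:443",
    "12/01-10:00:04.000002  [**] [1:1000002:1] HIH [**] [Priority: 1] {TCP} 203.0.113.7:51234 -> 10.37.23.59:443",
]

if __name__ == "__main__":
    engine = DecisionEngine()
    for line in SAMPLE_ALERTS:
        decision = engine.on_snort_alert(line)
        print(decision)
        if decision and decision[1] == CNN:
            print(engine.on_cnn_verdict(decision[0], malicious=True))   # stand-in for the model
```

`migrate=True` is the signal to start the TCP_REPAIR proxy; every other decision is satisfied by a Flow-Mod that steers the flow to the named host.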
[0063] As a preferred option, as shown in Figure 5, the area above the gray line represents the TCP three-way handshake and the area below it the data exchange after the connection is established. Using Linux's TCP_REPAIR mode, connection hot migration can be performed at any stage of a TCP connection, and because it works at the level of Linux's underlying network stack, the time and throughput lost during the switch are greatly reduced.
[0064] As shown in Figure 6, the specific steps for switching a connection to a high-interaction honeypot with the TCP_REPAIR redirection engine proxy are as follows:
[0065] S1: An attacker attempts to establish a full TCP connection with the real system via the TCP three-way handshake. Since the attacker has not yet launched the actual attack, the Ryu controller first uses OpenFlow 1.5 to install flow rules matching the relevant TCP fields on the switch, intercepting the three-way handshake packets between the attacker and the real system, and records the TCP negotiation parameters. The Ryu controller then issues flow tables to the switch, which forwards the connection packets to the real system. During the three-way handshake, all TCP packets are sent to the Snort intrusion detection system for inspection, and Snort sends alarm messages (msg) to the Ryu controller for decision-making. This step filters out a large amount of scanning traffic.
[0066] S2: After receiving the PSH packet, the Ryu controller first extracts the key fields from the packet, including but not limited to the sequence number, acknowledgment number and identification number, and saves the connection information.
[0067] S3: When the Ryu controller receives an alarm message (msg) from the Snort intrusion detection system indicating HIH, or encrypted traffic is marked 1 by the 1D-CNN deep learning-based malicious traffic detection module, the Ryu controller initiates a TCP connection switch. The Ryu controller sends a Flow-Mod to the switch, temporarily taking over the attacker's connection to the real system; the attacker's packets are delivered to the Ryu controller via Packet-In so that the real system cannot respond and no further data leaks. A socket is then created through the TCP_REPAIR proxy, and a new regular socket is created to connect to the high-interaction honeypot. When the Ryu controller sends a "200 OK" confirmation that the system is normal, the parameters negotiated in the three-way handshake with the real system and stored in the Ryu controller are encapsulated, on the TCP_REPAIR socket, into an ACK packet carrying the latest acknowledged sequence number and sent to the new regular socket, establishing a connection between the two sockets. When the Ryu controller receives the "200 OK" from the TCP_REPAIR proxy and confirms that it is ready, it passes the attacker's and real system's packets that it temporarily took over to the TCP_REPAIR proxy via Packet-Out. The algorithm is as follows:
[0068] Data: migration data (saved connection parameters)
[0069] Result: success or failure
[0070] 1. Dynamic migration method:
[0071] 2. if the socket is not in repair mode then
[0072] 3.     switch the socket to TCP_REPAIR mode;
[0073] 4. end if
[0074] 5. configure port reuse;
[0075] 6. send an ACK packet (content: negotiation data of the active TCP connection), with the latest confirmed sequence number as its sequence number, to the socket being migrated;
[0076] 7. back up and restore the active TCP data;
[0077] 8. end
[0078] Finally, a Flow-Mod message is sent to the switch replacing the real system's MAC and IP addresses with those of the TCP_REPAIR proxy fronting the high-interaction honeypot, so that subsequent traffic is redirected directly to the TCP_REPAIR proxy. Subsequent packets of this connection are then delivered to the high-interaction honeypot through the proxy, completing the connection transfer.
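The socket-level part of steps S1 to S3 and of the migration algorithm above, as an added Python illustration rather than code from the patent: it shows the order in which Linux's TCP_REPAIR socket options must be applied to recreate the attacker's established connection on the proxy without a new handshake, then bridges that socket to the high-interaction honeypot. The Ryu controller, Snort and the OpenFlow messages are outside it; the SavedConnection field set, the split into a plan and an applier, and the sample values are assumptions. Applying the plan needs CAP_NET_ADMIN, the real system's address bound locally (or IP_FREEBIND/IP_TRANSPARENT) and a kernel with TCP_REPAIR (Linux 3.5 or later).

```python
"""Recreating an established TCP connection on the proxy with Linux TCP_REPAIR (added illustration)."""
import selectors
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Values from <linux/tcp.h>; the Python socket module does not export them.
TCP_REPAIR, TCP_REPAIR_QUEUE, TCP_QUEUE_SEQ, TCP_REPAIR_OPTIONS = 19, 20, 21, 22
TCP_REPAIR_OFF, TCP_REPAIR_ON = 0, 1
TCP_NO_QUEUE, TCP_RECV_QUEUE, TCP_SEND_QUEUE = 0, 1, 2
TCPOPT_MAXSEG, TCPOPT_WINDOW, TCPOPT_SACK_PERM = 2, 3, 4

Step = Tuple[str, object]   # ("setsockopt", (optname, value)) | ("bind", addr) | ("connect", addr)


def next_seq(seq: int, payload_len: int) -> int:
    """Sequence arithmetic is modulo 2^32; use this when deriving the next seq from the last segment."""
    return (seq + payload_len) & 0xFFFFFFFF


@dataclass(frozen=True)
class SavedConnection:
    """What the controller recorded from the handshake and the last PSH segment (assumed field set)."""
    attacker: Tuple[str, int]      # remote peer; the repaired socket will appear connected to it
    real_system: Tuple[str, int]   # identity the proxy impersonates (bind address)
    snd_nxt: int                   # next seq the real system would send: seq + len of its last segment
    rcv_nxt: int                   # next seq expected from the attacker: the ACK value we must advertise
    mss: int
    snd_wscale: int
    rcv_wscale: int
    sack_permitted: bool


def pack_repair_options(c: SavedConnection) -> bytes:
    """Array of struct tcp_repair_opt {u32 opt_code; u32 opt_val;} for TCP_REPAIR_OPTIONS."""
    opts = [(TCPOPT_MAXSEG, c.mss), (TCPOPT_WINDOW, c.snd_wscale | (c.rcv_wscale << 16))]
    if c.sack_permitted:
        opts.append((TCPOPT_SACK_PERM, 0))
    return b"".join(struct.pack("=II", code, val) for code, val in opts)


def unpack_repair_options(blob: bytes) -> List[Tuple[int, int]]:
    return [struct.unpack_from("=II", blob, off) for off in range(0, len(blob), 8)]


def build_plan(c: SavedConnection) -> List[Step]:
    """Ordered socket operations; the order is what the kernel enforces, not a style choice."""
    return [
        ("setsockopt", (TCP_REPAIR, TCP_REPAIR_ON)),           # needs CAP_NET_ADMIN
        ("setsockopt", (TCP_REPAIR_QUEUE, TCP_SEND_QUEUE)),    # queue seqs are settable only while CLOSED
        ("setsockopt", (TCP_QUEUE_SEQ, c.snd_nxt)),
        ("setsockopt", (TCP_REPAIR_QUEUE, TCP_RECV_QUEUE)),
        ("setsockopt", (TCP_QUEUE_SEQ, c.rcv_nxt)),
        ("setsockopt", (TCP_REPAIR_QUEUE, TCP_NO_QUEUE)),
        ("bind", c.real_system),                               # port reuse is set in apply_plan
        ("connect", c.attacker),                               # repair mode: no SYN, state jumps to ESTABLISHED
        ("setsockopt", (TCP_REPAIR_OPTIONS, pack_repair_options(c))),  # only once ESTABLISHED, nothing sent
        ("setsockopt", (TCP_REPAIR, TCP_REPAIR_OFF)),          # kernel emits an ACK (window probe) carrying rcv_nxt
    ]


def apply_plan(plan: List[Step]) -> socket.socket:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        for kind, arg in plan:
            if kind == "setsockopt":
                opt, val = arg
                if isinstance(val, int):
                    val = struct.pack("=I", val)     # sequence numbers exceed a signed C int
                sock.setsockopt(socket.IPPROTO_TCP, opt, val)
            elif kind == "bind":
                sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)   # the page's "port reuse"
                sock.bind(arg)
            elif kind == "connect":
                sock.connect(arg)
    except OSError:
        sock.close()
        raise
    return sock


def relay(a: socket.socket, b: socket.socket, bufsize: int = 65536) -> None:
    """Bridge the repaired attacker-facing socket with the HIH socket until either side closes."""
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ, b)
    sel.register(b, selectors.EVENT_READ, a)
    while True:
        for key, _ in sel.select():
            data = key.fileobj.recv(bufsize)
            if not data:
                return
            key.data.sendall(data)


if __name__ == "__main__":
    conn = SavedConnection(("203.0.113.7", 51234), ("10.37.23.59", 22),   # constructed values
                           snd_nxt=0x1A2B3C4D, rcv_nxt=0xFFFFFFF0, mss=1460,
                           snd_wscale=7, rcv_wscale=7, sack_permitted=True)
    for step in build_plan(conn):
        print(step)
    try:
        attacker_side = apply_plan(build_plan(conn))
        hih_side = socket.create_connection(("10.37.23.60", 22))   # HIH address: an assumption
        relay(attacker_side, hih_side)
    except OSError as exc:
        print(f"plan not applied: {exc} (TCP_REPAIR needs CAP_NET_ADMIN and the bound address)")
```

Leaving repair mode is what produces the ACK the algorithm's step 6 describes; the packets the controller buffered via Packet-In are then handed to the proxy host via Packet-Out and processed by the repaired socket as ordinary in-window segments.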
Claims
1. A dynamic security defense method based on hot migration and deep learning, characterized in that it specifically includes the following steps: Step 1: When traffic enters the system, the intrusion detection system in the switch performs a preliminary traffic assessment. If the intrusion detection system detects that the traffic is normal and encrypted, proceed to Step 2. Step 2: Use a deep learning-based malicious traffic detection module to check whether the traffic is malicious. If it is normal traffic, send it to a normal host. If it is malicious traffic, proceed to Step 3. Step 3: The SDN controller issues flow tables to forward traffic to the low-interaction honeypot created by the honeypot management system. When the attack depth reaches the critical point, the honeypot management system activates replicas of the normal host, taken from periodic snapshots, as high-interaction honeypots, and at the same time overwrites sensitive data with random padding. It then uses the TCP_REPAIR proxy redirection engine to switch the connection to the high-interaction honeypot. The specific steps for switching the connection to a high-interaction honeypot using the TCP_REPAIR redirection engine in step three are as follows: S1: An attacker attempts to establish a full TCP connection with the real system via the TCP three-way handshake. The SDN controller first installs flow rules matching the relevant TCP fields on the switch via OpenFlow 1.5 to intercept the three-way handshake packets between the attacker and the real system, and records the TCP negotiation parameters. The SDN controller then issues flow tables to the switch, which sends the connection packets to the real system. During the three-way handshake, all TCP packets are sent to the intrusion detection system for detection, and the intrusion detection system sends alarm information to the SDN controller.
S2: After receiving the PSH packet, the SDN controller extracts the key fields from the packet and saves the connection information; S3: When the SDN controller receives an alarm from the intrusion detection system, or when encrypted traffic is marked 1 by the deep learning-based malicious traffic detection module, the SDN controller initiates a TCP connection switch. The SDN controller sends a Flow-Mod to the switch, temporarily taking over the attacker's connection to the real system. It then creates a socket through the TCP_REPAIR proxy and creates a new regular socket to connect to the high-interaction honeypot. When the SDN controller sends a "200 OK" confirmation that the system is normal, it encapsulates, on the TCP_REPAIR socket, the parameters of the three-way handshake negotiated with the real system and stored in the SDN controller into an ACK packet carrying the latest acknowledged sequence number, and sends it to the new regular socket, establishing a connection between the two sockets. When the SDN controller receives the "200 OK" from the TCP_REPAIR proxy, it passes the attacker's and real system's temporarily taken-over packets to the TCP_REPAIR proxy via Packet-Out and sends a Flow-Mod to the switch replacing the real system's MAC and IP addresses with those of the TCP_REPAIR proxy fronting the high-interaction honeypot, causing subsequent traffic to be redirected directly to the TCP_REPAIR proxy. Subsequent packets of this connection are then submitted to the high-interaction honeypot through the proxy, completing the connection transfer.
2. The dynamic security defense method based on hot migration and deep learning according to claim 1, characterized in that the malicious traffic detection module in step two specifically includes: generating labeled and unlabeled data by processing the original dataset, with a portion of the unlabeled data used for testing and a portion used for training; after optimization using mini-batch gradient descent, feeding the final processed data and the originally reserved unlabeled data into a one-dimensional convolutional neural network model for training; and inputting new traffic into the trained model to output prediction results.
3. The dynamic security defense method based on hot migration and deep learning according to claim 2, characterized in that in step one the traffic reaches the intrusion detection system, which detects the port and payload of the traffic. If the port is an open port of the system and the payload is normal, the traffic is marked 0. If the traffic is encrypted, it proceeds to step two and is input into the deep learning-based malicious traffic detection module for testing again. If the deep learning-based malicious traffic detection module finds the traffic normal, it is marked 0; the traffic is then marked 00, which determines that it is normal traffic. The traffic is forwarded directly to the normal host by the switch through the flow table issued by the SDN controller, and the payload of the subsequent traffic is normal. If a subsequent payload is detected as abnormal by the intrusion detection system or the deep learning-based malicious traffic detection module, the TCP_REPAIR proxy is started to forward the traffic directly to the high-interaction honeypot of the corresponding service.
4. The dynamic security defense method based on hot migration and deep learning according to claim 3, characterized in that in step one the traffic arrives at the intrusion detection system, which detects the port and payload of the traffic. If the port is an open port of the system and the payload is normal, the traffic is marked 0. It is then input into the deep learning-based malicious traffic detection module for testing again. If the deep learning-based malicious traffic detection module finds the traffic abnormal, it is marked 1; the traffic is then marked 01 and forwarded to the low-interaction honeypot corresponding to the port. If the payload of the attack process is identified by the intrusion detection system's preset alarm list as needing to be forwarded to a high-interaction honeypot, the TCP_REPAIR proxy is started to transfer the traffic originally connected to the low-interaction honeypot to the high-interaction honeypot.
5. The dynamic security defense method based on hot migration and deep learning according to claim 4, characterized in that the intrusion detection system is able to trigger preset alarm information based on traffic information, triggering preset alarms according to the port and IP network segment of the accessed server.
6. A dynamic security defense system based on hot migration and deep learning, implementing the dynamic security defense method based on hot migration and deep learning as described in claim 5, characterized in that it includes a custom software-defined networking (SDN) module, which includes a forwarding decision engine and a redirection forwarding engine TCP_REPAIR proxy; the forwarding decision engine includes an intrusion detection system and a deep learning-based malicious traffic detection module; and the honeypot system includes high-interaction honeypots and low-interaction honeypots.