408 results about "Honeypot" patented technology

The present invention discloses a vulnerability simulation overload honeypot method which comprises a host computer, a port scanning deception simulating module, a vulnerability scanning deception simulating module, a vulnerability scanning deception simulating module, a vulnerability attach deception simulating module, a data auditing module and a vulnerability utilizing module. When the attach sequence arrives at the simulated honeypot, a simulated honeypot system is used for processing according to the situation. When an attacker executes vulnerability scanning to the virtual host computer, the simulated honeypot responds and processes according to the vulnerability configuration information. Afterwards, these vulnerabilities are used for further attacking. Hereon, the simulated honeypot system transmits the vulnerability attack data flow to a vulnerability honeypot system. The vulnerability utilization attach of the attacker is processed and responded by a vulnerability attack simulating module. Finally, when the attacker successfully obtains the control power through the vulnerability attack, the attack data hereon is transmitted to a physical honeypot module. All attack processes and related data are recorded by a data auditing module for analyzing comprehensively. The method reduces the number of hardware devices in the honeynet and reduces the cost.

The invention discloses a method for detecting and finding an online water army, which comprises the following steps: firstly, building honeypot accounts; uniformly planning all honeypot accounts by an account management module; determining the posting and attention paying strategy of the honeypot accounts; detecting the account of a robot from collected accounts; describing an account characteristic vector by an account characteristic module, wherein the vector comprises multiple dimensions; detecting the online water army for the collected accounts by the account detection module according to the degree for the account characteristic vector conforming to a robot account characteristic; and finding more robot accounts and water armies by the detected robot accounts. According to the method, more robot accounts or water army accounts can be found from a social network to determine the distribution of the water army group.

The invention provides a network attack information processing method. The network attack information processing method comprises the following steps: acquiring attack traffic for attacking a target system; in response to the acquired attack traffic, triggering a port multiplexing process to monitor the attack traffic forwarded by the target port; triggering an attack information classification model, and identifying the category of the attack traffic; triggering a port forwarding process based on an identification result of the attack information classification model, and forwarding the attack traffic. The invention further provides a network attack information processing device, electronic equipment and a storage medium. According to the invention, the attack traffic can be forwarded tothe corresponding honeypot systems of different types, the network attack information processing efficiency of the honeypot systems is improved, the number of deployed servers is reduced, the cost ofa user is saved, and the large-scale deployment of the honeypot systems is realized.

The invention provides an implementation method and device of an application-type honeypot. The implementation method comprises the following steps: obtaining application service to be simulated and the attribute information and the application environment of the application service to be simulated, and deploying the same application service and application environment into the honeypot; setting the corresponding attributes of the honeypot, for example, a login account of the application service of the honeypot is set to be the same with the application service to be simulated, and the known controllable security holes of at least one application service is opened; according to a user flag, carrying out decryption processing on all pieces of business data in the application service, applying a confounding algorithm to carry out deformation processing on all pieces of business data, and then, importing the business data into the application service of the honeypot; and importing newly-added business data into the application service of the honeypot in fixed time or real time. The invention also provides corresponding equipment. The application-type honeypot can be combined with the real business data of the user to confuse an attacker to a maximum degree, and the attacker is enabled to think that the honeypot is the real application service data of the user.

The invention relates to the technical field of network security, discloses an SDN-based virtual honeynet dynamic deployment method, and solves the technical problems of difficulty in dynamic construction and active induction, inflexibility in configuration and maintenance, poor expandability and low decoy degree of a honeynet in the prior art. The method comprises the steps of A, scanning a honeynet to obtain a network entity, performing clustering analysis according to attributes of the network entity to obtain a clustering result set, and setting a shadow honeypot candidate set according tothe clustering result set; b, performing intrusion detection on the access traffic, and redirecting suspicious traffic according to a matching rule; and C, performing rewards and punishment operations on behaviors of deployed honeypots based on environmental feedback, updating the behavior probability of a set of deployed honeypots, obtaining the current honeynet deployment quality through calculation of the honeynet global threat degree, and then selecting the honeypots from the shadow honeypot candidate set according to the quality scores for dynamic deployment. In addition, the invention also discloses an SDN-based dynamic deployment system for the virtual honeynet, and the system is suitable for dynamic deployment of the virtual honeynet.

The invention is a method and system for detecting attackers that are interested in attacking an organization's infrastructure during the reconnaissance phase of an Advanced Persistent Threat (APT). APTs are very sophisticated attacks and incorporate advanced methods for evading current security mechanisms. Therefore, the present invention uses an innovative social network honeypot.

Techniques for preventing ransomware from encrypting files on a target machine are disclosed. In some embodiments, a system/process/computer program product for preventing ransomware from encrypting files on a target machine includes monitoring file system activities on a computing device; detecting an unauthorized activity associated with a honeypot file or honeypot folder; and performing an action based on a policy in response to the unauthorized activity associated with the honeypot file or honeypot folder.

The invention provides a novel honeypot networking method and a honeypot system, and belongs to the technical field of network security. The invention provides a honeypot networking method, and the method comprises the following steps: listing idle services of a real business host, listing attacker common services, selecting some idle services from the idle services of the real business host according to the attacker common services, deploying the idle services as trapping nodes, deploying one trapping node for each selected idle service, and deploying one trapping node for each selected trapping node; binding the trapping node with the honeypot; when an attacker accesses an idle service, introducing attacker access flow into the honeypot, enabling the honeypot system to analyze the attacker access flow, automatically downloading a countering program and countering the attacker. According to the method, the trapping nodes are deployed on the idle service of the real service host, so that a large number of special servers or special virtual machines created on the idle servers are saved for deploying the trapping nodes, the capture efficiency is high, and the idle service is utilized.

The invention discloses a method for forwarding attack traffic to a honeypot. A gateway agent mode is adopted; a gateway and a flow forwarding module are simply deployed; request access to a sensitiveport on a real service server is forwarded to a gateway; the gateway carries out flow forwarding module rule configuration, forwards the request of the attacker to the honeypot, the honeypot carriesout attack evidence obtaining and replies the access request of the attacker, forwarding of the data packet is easily achieved through the gateway, and the situation that the whole communication quality is affected by instability generated in the agent disguising process is prevented. Intrusion detection is carried out, deployment is easy and convenient, operability is high, network safety and enterprise service safety and stability are maintained, and convenience is provided for disguise agency deployment of small and medium-sized enterprises.

The invention relates to an attack data acquisition method and device of a honeypot system. The method comprises the steps that real industrial control equipment, virtual industrial control equipmentand an upper computer in the honeypot system are operated; wherein the upper computer is used for sending a control instruction to the real industrial control equipment and the virtual industrial control equipment and reading state data; and the flow monitoring device monitors the communication flow information of the honeypot system, and analyzes and records attack behavior data in the communication flow information. By adopting the method, the simulation degree of the honeypot system can be improved, and an cracking of an attacker is prevented.

A computer network security system is provided. The system offers a last line of defense against malicious software through a novel software adapted to detect and deploy defensive action against the presence of malicious activity in a shared file environment. The novel software allows the administrator to create random honeypot files of known parameters that can be stored in vulnerable folders in a user-friendly manner. The novel software constantly monitors those files. If the novel software detects any unwanted action on the monitored honeypot files, through detection of a change in the known parameters, the present invention deploys defensive actions to protect the server including establishing fire walls and cessation of file sharing. Once defensive actions have been taken, the software reports all active sessions and open files as of the time of detection.

A system and method for mitigating a distributed denial-of-service (DDoS) attack in a networked computing system. At least one DDoS honeypot in operative communication with a central controller in the networked computing system is configured to receive a data packet from a network, determine a source address of the data packet, and send the source address to the central controller. The central controller is configured to initiate a mitigation action based on the source address and one or more mitigation rules, wherein a determination of whether the received data packet is part of the DDoS attack is based on one or more detection rules.

The invention discloses an Internet of Things honeynet system based on SOAP service simulation, and belongs to the technical field of Internet of Things security. The objective of the invention is tomonitor and collect the security state of the Internet of Things, capture the malicious request of a hacker for the Internet of Things, and collect malicious samples. According to the method, a middle-high interaction honeypot is designed according to a router SOAP service vulnerability CVE-2017-17215;; in order to prevent the situation that a hacker performs injecting service details which are not completed by the simulation serviceand the simulation service honeypot cannot respond and cannot capture subsequent malicious codes and samples, the function of supplementing the simulation servicehoneypot with the honeypot for providing the real SOAP service is realized by using equipment firmware with vulnerabilities; in order to capture more types of SOAP attacks, the SOAP port exposed mostin 2018 is analyzed, and a corresponding multi-port honeypot is manufactured. The honeypots are deployed to a plurality of nodes, a control center is designed at the same time to distribute commands and transmit files, and Docker technology packaging is assisted to achieve rapid deployment. Hackers cannot control the Internet of Things equipment through SOAP service vulnerabilities, so that the security of the Internet of Things is improved.

The invention discloses an attack perception method, device and equipment based on honeypot induction and a medium. The method comprises the following steps: filtering a captured data package to obtain a first target data package, and outputting the first target data package to a user mode process; determining a target communication induction strategy corresponding to the first target data packetin a user mode process, and communicating with a source Internet protocol address corresponding to the first target data packet based on the target communication induction strategy to capture at leastone second target data packet sent by the source Internet protocol address; and determining the first target data packet and/or the second target data packet corresponding to the first target data packet as a to-be-analyzed data packet, analyzing the to-be-analyzed data packet based on a preset analysis rule set, and analyzing an attack behavior according to an analysis result. The system has thedual advantages of an intrusion detection system and a honeypot system, attack information can be captured more comprehensively, and the safety of the network is protected.

The invention discloses a system and method for detecting Ethereum digital currency stealing attacks. The method comprises the steps: deploying an Ethereum honeypot, inducing a network attacker to quickly find a honeypot host, transmitting a detection request, and capturing a malicious request from the attacker; storing the malicious request from the attacker in a database; and analyzing the attack data, associating the malicious request, detecting an attack behavior, identifying an attack method used by an attacker, tracking the attacker, and generating a detection result. According to the method, the malicious request sent by the attacker is attracted and captured, and the attack technique used by the attacker is further recognized, and weak points of an existing system are effectively found, so that the Ethereum system is better protected.

Techniques for using honeypots to lure attackers and gather data about attackers and attack patterns on Infrastructure-as-a-Service (IaaS) instances. The gathered data may then be analyzed and used to proactively prevent such attacks.

The invention discloses a honeypot bait distribution method and device, a storage medium and electronic equipment, and belongs to the field of network security. The method comprises the following steps: acquiring attack behavior data of a network attack source for executing an attack event; generating an attack path of the attack event according to the attack behavior data, wherein the attack path comprises a plurality of key nodes attacked by the network attack source; and distributing honeypot bait on the key node of the attack path. Through the method and the device, the technical problem that a honeypot in the related technology cannot defend attacks in a targeted manner is solved, and the defense efficiency of a honeypot network is improved.

A virtual honeypot is configured within a security appliance by configuring one or more network addresses associated with the virtual honeypot. The security appliance receives network traffic destined for the virtual honeypot sent to the one or more network addresses associated with the virtual honeypot, and forwards the traffic to a remote honeypot such that the remote honeypot appears to be connected to a network local to the security appliance.

The invention discloses an attack defense method, device and equipment, a storage medium and a system. The method comprises the following steps: receiving access requests of attackers forwarded by a plurality of probe nodes; collecting attack behavior information according to each access request; according to the attack behavior information, extracting attack behavior characteristics for defendingagainst attacks. According to the invention, the monitoring in a larger range can be realized based on a small amount of high-interaction honeypot, the cost is effectively reduced, the deployment andimplementation are simple, the occupied resources are less, and the problems that a small amount of honeypot nodes are difficult to play a honeypot role and the protection range is not comprehensiveenough in the prior art are solved.

The invention belongs to the technical field of network security, and discloses an industrial control honeypot interaction system based on time sequence prediction. According to the invention, prediction is carried out by using the prediction data, so that the data security is improved. Most industrial control data is periodic and has a certain rule, prediction data is used for prediction, real data is prevented from being input again, and the real-time performance of honeypot interaction is guaranteed. The real equipment state change condition in the industrial control scene is predicted fora long time by using the time sequence prediction method, deep simulation of the industrial control equipment is completed by combining the honeypot technology, instant response information conformingto the industrial control scene is made to an attacker, the fraudulence of honeypots is improved. Attack information can be collected while attackers are lured to attack for multiple times, portraying of the attackers is facilitated, passivity is changed into initiative, and the safety of the industrial control network is better maintained.

The invention belongs to the technical field of network security, and particularly relates to a network protection method and system based on false topology generation and a system architecture, and the method comprises the steps: constructing different false network topologies for different real host nodes in a network according to network related information, wherein the network related information at least comprises honeypot information, the number of subnets and real host node information; adjusting the response message delay and link bandwidth of the destination host node according to the position of the destination host node in the false network topology; and identifying the malicious traffic source host by combining the related data packet transmitted to the honeypot and utilizing the SDN controller to carry out flow rule traffic statistics on the SDN switch, and isolating the identified host. In order to solve the problem that real network configuration is easy to obtain by network investigation in the existing static network, the invention uses the idea of mimicry defense to cheat internal attackers by constructing a false network topology so as to protect a benign host in the network and improve the stability and reliability of network operation.

The invention belongs to the field of network security, discloses a method for expanding attack traffic traction capability in a honeypot scene, and solves the problems of limited traction traffic, relatively large traction control granularity and poor compatibility caused by adopting a routing protocol or gateway control in an attack traffic traction scheme in the prior art. The technical schemeis summarized as follows: a message modification module captures and modifies attack traffic by using iptables+ipset on a service server application layer, releases connection resources with normal services, modifies a request destination port and a response source port to redirect the attack traffic to a message forwarding module, controls traction and forwarding of a message in a fine-grained manner, attack traffic traction is directly carried out on an attacked service server, and the compatibility is high; and the message forwarding module monitors the attack traffic on the application layer of the service server, and encapsulates and forwards the attack traffic to the agent after establishing agent connection with the attack traffic, and the agent forwards the traffic to the real honeypot server and directly carries out attack traffic traction on the attacked service server.