Honeypot safety state determination method, electronic equipment and computer readable storage medium

A technique for determining the security status of a honeypot, applied in the field of network security. It addresses the lack of accuracy in existing methods of judging the security status of honeypots, improving the reliability and accuracy of the judgment and avoiding inaccurate results.

Active Publication Date: 2022-05-13
山东云天安全技术有限公司

AI Technical Summary

Problems solved by technology

[0005] The embodiments of the present invention provide a method for determining the security state of a honeypot, an electronic device, and a computer-readable storage medium, aiming to solve the technical problem that, in the related art, the way of judging the security state of a honeypot lacks accuracy.


Examples


Embodiment 1

[0028] Figure 1 shows a flow chart of a method for determining a honeypot security state according to an embodiment of the present invention.

[0029] As shown in Figure 1, the method for determining the security state of a honeypot according to an embodiment of the present invention includes:

[0030] Step 102: in response to the honeypot actively sending an initial signal to the outside, determine whether the connection protocol to which the initial signal belongs is the TCP protocol. If the initial signal is the first SYN message of the three-way handshake that precedes establishment of the TCP connection, it is determined that the connection protocol to which the initial signal belongs is the TCP protocol, and the method proceeds to step 104. If the connection protocol to which the initial signal belongs is a non-TCP protocol, the method proceeds to step 106.

[0031] Step 104, based on the detection method corresponding to the TCP protocol, determine whether the honeypot is...

Embodiment 2

[0042] For the TCP protocol, determining whether the honeypot is in a compromised state based on the detection method corresponding to the TCP protocol includes: if a long-connection heartbeat packet corresponding to the TCP protocol is detected, and/or if the connection duration of the persistent connection corresponding to the TCP protocol is greater than the specified duration threshold, it is determined that the honeypot is in a compromised state.

[0043] When the honeypot establishes a long-lived connection with an external object through the TCP protocol, the honeypot and the external object send heartbeat packets to indicate that the long-lived connection persists. Therefore, once a long-connection heartbeat packet is detected, it means that the honeypot and the external object have established a long-lived connection that is used for communication, and there is a risk of data leakage to the external object, so it can be determined that the honeypo...

Embodiment 3

[0045] If it is detected that the honeypot communicates over an abnormal port outside the local open-port whitelist, it is determined that the honeypot is in a compromised state.

[0046] Specifically, for any type of non-TCP protocol, a whitelist of open ports can be set locally, and the ports in the whitelist are treated as legal communication ports. If the honeypot, when communicating through a non-TCP protocol, uses an abnormal port that is not in the port whitelist, this communication behavior is not safe and legal. Therefore, the honeypot's active sending of packets is a risky behavior, and it can be determined that the honeypot is under attack.
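The decision flow of Embodiments 1 to 3, as an added Python sketch that is not part of the patent text. The packet record format, the 300-second threshold, the whitelist contents, and the keep-alive heuristic used to recognise a heartbeat packet are all assumptions, since the page gives no concrete values or packet-level definition.

```python
from dataclasses import dataclass

DURATION_THRESHOLD_S = 300.0  # assumed value; the page only says "specified threshold"
PORT_WHITELIST = {53, 123}    # assumed contents of the local open-port whitelist

@dataclass
class Pkt:
    ts: float          # seconds since capture start
    proto: str         # "tcp", "udp", ...
    port: int          # port the honeypot used for this communication
    flags: str = ""    # TCP flags: "S", "A", "PA", "FA"
    seq: int = 0
    length: int = 0    # payload bytes

def has_heartbeat(pkts):
    """Assumed heuristic for a TCP keep-alive probe: a bare ACK carrying 0 or 1
    bytes whose sequence number is one below the sender's next expected one."""
    next_seq = None
    for p in pkts:
        if p.flags == "S":
            next_seq = p.seq + 1          # the SYN consumes one sequence number
        elif next_seq is not None:
            if p.flags == "A" and p.length <= 1 and p.seq == next_seq - 1:
                return True
            next_seq = max(next_seq, p.seq + p.length)
    return False

def is_compromised(pkts):
    """pkts: packets the honeypot itself sent on one outbound flow, in time order."""
    first = pkts[0]
    if first.proto == "tcp" and first.flags == "S":   # initial signal is the first SYN
        duration = pkts[-1].ts - first.ts
        return has_heartbeat(pkts) or duration > DURATION_THRESHOLD_S
    return first.port not in PORT_WHITELIST           # non-TCP: port whitelist check

# Constructed sample flows (not captured traffic).
SHORT_FETCH = [Pkt(0.0, "tcp", 443, "S", 1000), Pkt(0.1, "tcp", 443, "A", 1001),
               Pkt(0.2, "tcp", 443, "PA", 1001, 20), Pkt(2.0, "tcp", 443, "FA", 1021)]
KEPT_ALIVE = SHORT_FETCH[:3] + [Pkt(60.2, "tcp", 443, "A", 1020)]
LONG_LIVED = SHORT_FETCH[:3] + [Pkt(600.0, "tcp", 443, "PA", 1021, 5)]
DNS_QUERY = [Pkt(0.0, "udp", 53, length=40)]
ODD_UDP = [Pkt(0.0, "udp", 4444, length=40)]

if __name__ == "__main__":
    for name in ("SHORT_FETCH", "KEPT_ALIVE", "LONG_LIVED", "DNS_QUERY", "ODD_UDP"):
        print(name, is_compromised(globals()[name]))
```

A short outbound TCP exchange and a whitelisted UDP query are not flagged, which is the case the single-rule approach ("any active action means compromise") gets wrong.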


Abstract

The invention provides a honeypot security state determination method, electronic equipment and a computer-readable storage medium. The method comprises: in response to a honeypot actively sending an initial signal outwards, judging whether the connection protocol to which the initial signal belongs is the TCP protocol; if the initial signal is the first SYN message of the three-way handshake that precedes TCP connection establishment, determining that the connection protocol to which the initial signal belongs is the TCP protocol, and determining whether the honeypot is in an attacked state based on a detection mode corresponding to the TCP protocol; otherwise, determining that the connection protocol to which the initial signal belongs is a non-TCP protocol, and determining that the honeypot is in an attacked state if the honeypot meets a specified attacked condition. With this technical scheme, the security state of the honeypot can be determined accurately and effectively according to the connection protocol in use, the inaccurate judgments caused by relying on a single judgment mode are avoided, and the reliability and accuracy of judging the honeypot's security state are effectively improved.

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to a method for determining a honeypot security state, electronic equipment and a computer-readable storage medium.

Background technique

[0002] At present, in the field of network security, honeypots are often set up to protect the security of actual systems. Specifically, a honeypot can be a host, network service, or information used as a bait to induce an attacker to attack it, so as to capture and analyze the attack behavior, and use this as a basis to enhance the security protection capability of the actual system. In related technologies, this process often regards the honeypot as a completely passive response device. Once the honeypot takes an active action, it is determined that the honeypot has been compromised and subsequent security protection measures are triggered.

[0003] However, the honeypot itself may also have some necessary interactions with the outsid...


Application Information

IPC(8): H04L9/40, H04L69/163
CPC: H04L63/1491, H04L69/163
Inventor 李峰孙晓鹏王绍密和希文时伟强赵田雨林晔陈英涛
Owner 山东云天安全技术有限公司