CN110505195A - Virtual host deployment method and system - Google Patents


Info

Publication number
CN110505195A
Authority
CN
China
Prior art keywords
host
network
physical host
virtual
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910561171.4A
Other languages
Chinese (zh)
Inventor
田毅
陶晓龙
郭海鸿
郭军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Wanwei Information Technology Co Ltd
Original Assignee
China Telecom Wanwei Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Wanwei Information Technology Co Ltd
Priority to CN201910561171.4A
Publication of CN110505195A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application provides a virtual host deployment method and system for deploying disguised hosts while making reasonable use of the hardware resources of physical hosts. The virtual host deployment method provided by the application includes: a deployment system receives a monitoring request sent by a UE; the deployment system monitors whether an idle target physical host exists in a physical host network composed of a plurality of physical hosts; if so, the deployment system deploys a plurality of virtual hosts on the target physical host through virtualization technology, the virtual hosts being used to bear network attacks and collect behavior records of the network attacks, and also to upload the behavior records to a server, which stores the behavior records and analyzes the attack behavior of the network attacks on the basis of them; the deployment system determines the target gateway device corresponding to the target physical host, the target gateway device managing data transmission between the local area network where the target physical host is located and an external network; and the deployment system sends indication information to the target gateway device, the indication information instructing the target gateway device not to process received data packets whose address points to the local area network where the target physical host is located, and further instructing the target gateway device to apply network restriction processing to the aggressive data packets of a springboard attack when the target physical host initiates one.

Description

Virtual host deployment method and system
Technical Field
The present application relates to the field of computer network security, and in particular, to a method and a system for deploying a virtual host.
Background
The importance of information security is self-evident: with the rapid development of computer technology and the use of networks as a transmission medium, the scale and speed of information transmission in the internet industry keep increasing, while network attacks such as information theft and ransomware threaten the healthy development of the industry.
Enterprises typically build their network security defense from operating-system hardening, application security, anti-virus, firewalls, intrusion detection, network monitoring, information auditing, communication encryption, disaster recovery and security scanning, in order to block, filter or analyze network attacks.
In practice, when a new attack technique appears, the existing defenses may still be breached. Enterprises therefore also deploy disguised hosts (honeypots) to attract network attacks: the attacks can be analyzed while the threat to real systems is greatly reduced, and the defense mechanisms can then be updated and strengthened according to the analysis results, improving the defensive effect.
Deploying disguised hosts, however, means investing a large amount of hardware resources, so how to reduce the hardware cost of deploying them in a reasonable way still needs to be optimized.
Disclosure of Invention
The application provides a virtual host deployment method and system, which are used for deploying a disguised host by reasonably utilizing hardware resources of a physical host.
In a first aspect, the present application provides a method for deploying a virtual host, the method including:
a deployment system receives a monitoring request sent by User Equipment (UE);
the deployment system monitors whether an idle target physical host exists in a physical host network formed by a plurality of physical hosts;
if so, the deployment system deploys a plurality of virtual hosts on the target physical host through a virtualization technology; the virtual hosts are used to bear network attacks and collect behavior records of the network attacks, and also to upload the behavior records to a server, which stores the behavior records and analyzes the attack behavior of the network attacks based on them;
the deployment system determines target gateway equipment corresponding to a target physical host, wherein the target gateway equipment is used for managing data transmission between a local area network where the target physical host is located and an external network;
the deployment system sends indication information to the target gateway device, the indication information instructing the target gateway device to perform network restriction processing on the aggressive data packets of a springboard attack when a virtual host initiates one; a springboard (pivot) attack is an attack launched with the target physical host as a relay under the influence of attack traffic from the external network.
With reference to the first aspect of the present application, in a first possible implementation manner of the first aspect of the present application, the deploying, by the deployment system, a plurality of virtual hosts on the target physical host through a virtualization technology includes:
the deployment system determines a target network segment where a target physical host is located;
the deployment system deploys on the target physical host, through a virtualization technology, a virtual network that lures network attacks by means of disguise processing; the virtual network consists of a plurality of virtual hosts, and the disguise processing includes starting services of the same type as those in the target network segment, configuring host attributes identical to those of the other physical hosts in the target network segment, or configuring at least one preset vulnerability.
With reference to the first aspect of the present application, in a second possible implementation manner of the first aspect of the present application, the deploying, by the deployment system, a plurality of virtual hosts on the target physical host through a virtualization technology includes:
the deployment system acquires a host service identifier of a target physical host, wherein the host service identifier is used for identifying host service pre-configured by the target physical host;
the deployment system determines the configuration identifier of the virtual host according to the host service identifier and a virtual host list, wherein the virtual host list records the correspondence between different host service identifiers and different configuration identifiers of the virtual host;
the deployment system acquires the configuration file of the virtual host corresponding to the configuration identifier from a database, wherein the database is used for storing the configuration files of different virtual hosts;
and the deployment system deploys a plurality of virtual hosts on the target physical host through the configuration file and the virtualization technology.
With reference to the first aspect of the present application, in a third possible implementation manner of the first aspect of the present application, the monitoring, by the deployment system, whether there is an idle target physical host in a physical host network formed by a plurality of physical hosts includes:
the deployment system monitors whether the occupancy rate of the storage resources of the physical host is lower than a preset idle utilization rate or not in the physical host network; or,
the deployment system monitors whether a physical host is in a dormant state all the time in a preset monitoring period in a physical host network; or,
the deployment system monitors whether a physical host has an idle identifier in a physical host network;
if so, the deployment system determines that the target physical host exists.
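The three idle criteria above, as an added Python example of the idle-state judgment (this is not code from the patent; the telemetry fields, the thresholds and the sample host network are constructed assumptions):

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class HostSample:
    """One telemetry sample for a physical host (constructed schema, an assumption)."""
    storage_used_pct: float  # occupancy rate of storage resources, 0..100
    dormant: bool            # no service activity observed during this sample interval


@dataclass
class PhysicalHost:
    """Entry in the physical host network's host list."""
    host_id: str             # host identity (ID) from the host list
    ip: str
    idle_flag: bool = False  # explicit idle identifier set by an operator
    samples: List[HostSample] = field(default_factory=list)


IDLE_STORAGE_PCT = 20.0      # preset idle utilisation rate (assumption)
MONITOR_PERIOD = 3           # samples that make up one preset monitoring period (assumption)


def is_idle(host: PhysicalHost) -> bool:
    """Apply the three alternative idle criteria.

    The host is a candidate target physical host if any one holds:
      1. it carries an explicit idle identifier;
      2. its latest storage occupancy is below the preset idle utilisation rate;
      3. it was dormant in every sample of the last full monitoring period.
    A host with no telemetry is never treated as idle: missing data is not
    evidence that the host is unused.
    """
    if host.idle_flag:
        return True
    if not host.samples:
        return False
    if host.samples[-1].storage_used_pct < IDLE_STORAGE_PCT:
        return True
    window = host.samples[-MONITOR_PERIOD:]
    return len(window) == MONITOR_PERIOD and all(s.dormant for s in window)


def select_targets(hosts: List[PhysicalHost]) -> List[str]:
    """Return the host_ids of idle hosts, in host-list order."""
    return [h.host_id for h in hosts if is_idle(h)]


# Constructed sample host network; addresses and figures are made up.
SAMPLE_HOSTS = [
    PhysicalHost("h1", "10.0.1.11", samples=[HostSample(65, False), HostSample(70, False), HostSample(68, False)]),
    PhysicalHost("h2", "10.0.1.12", samples=[HostSample(12, False), HostSample(11, False), HostSample(10, False)]),
    PhysicalHost("h3", "10.0.1.13", samples=[HostSample(55, True), HostSample(55, True), HostSample(55, True)]),
    PhysicalHost("h4", "10.0.1.14", samples=[HostSample(55, True), HostSample(55, False), HostSample(55, True)]),
    PhysicalHost("h5", "10.0.1.15", idle_flag=True),
    PhysicalHost("h6", "10.0.1.16"),  # no telemetry yet
]

if __name__ == "__main__":
    print(select_targets(SAMPLE_HOSTS))
```

Storage occupancy alone is a weak signal (a lightly stored host can still be CPU- or network-bound), so in practice the policy should also look at CPU and network activity and confirm that the host is not a standby member of a production cluster before it is repurposed as a honeypot platform.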
With reference to the first aspect of the present application, in a fourth possible implementation manner of the first aspect of the present application, before the deploying system monitors whether there is an idle target physical host in a physical host network formed by a plurality of physical hosts, the method further includes:
the deployment system monitors whether a new service is online in the service system or not compared with the last monitoring period;
if so, the deployment system locates the physical host network corresponding to the new service.
With reference to the first aspect of the present application, in a fifth possible implementation manner of the first aspect of the present application, the method further includes:
the deployment system receives feedback information sent by the server, wherein the feedback information is used for indicating that the server completes analysis of attack behaviors of the network attack and is also used for indicating vulnerabilities aimed at by the network attack;
the deployment system closes the vulnerability on the target physical host through the virtualization technology and redeploys a plurality of new virtual hosts.
With reference to the first aspect of the present application, in a sixth possible implementation manner of the first aspect of the present application, the method further includes:
the deployment system receives feedback information sent by the server, wherein the feedback information is used for indicating that the virtual host does not upload behavior records to the server within preset time;
the deployment system reclaims a plurality of virtual hosts on the target physical host.
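One way to implement the profile selection of the second implementation (host service identifier to configuration identifier to configuration file), the disguise attributes of the first implementation, and the two feedback reactions of the fifth and sixth implementations, as a single added Python example. This is not the patent's code; the identifiers, profile contents, the in-memory stand-in for the configuration database and the silence timeout are assumptions:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Virtual host list: host service identifier -> configuration identifier (assumed values).
VIRTUAL_HOST_LIST: Dict[str, str] = {
    "svc-web": "cfg-web-honeypot",
    "svc-db": "cfg-db-honeypot",
    "svc-mail": "cfg-mail-honeypot",
}

# Stand-in for the configuration database: configuration identifier -> profile.
# A profile carries the disguise attributes: services of the segment's type, host
# attributes copied from neighbours, and preset vulnerabilities (all assumed).
CONFIG_DB: Dict[str, dict] = {
    "cfg-web-honeypot": {"services": ["http", "https"], "banner": "nginx/1.14.0",
                         "vulns": ["weak-admin-password", "path-traversal"]},
    "cfg-db-honeypot": {"services": ["mysql"], "banner": "5.7.26",
                        "vulns": ["anonymous-login"]},
    "cfg-mail-honeypot": {"services": ["smtp", "imap"], "banner": "Postfix",
                          "vulns": ["open-relay"]},
}

RECORD_TIMEOUT = 7 * 24 * 3600  # preset silence window before reclaim, seconds (assumption)


@dataclass
class VirtualHost:
    name: str
    ip: str
    profile: dict


@dataclass
class Deployment:
    target_host_id: str
    host_service_id: str
    config_id: str
    subnet: str
    vhosts: List[VirtualHost]
    closed_vulns: Set[str]                # vulnerabilities the server reported as exploited
    deployed_at: int                      # epoch seconds
    last_record_at: Optional[int] = None  # time of the last behaviour record upload


def select_config(host_service_id: str) -> str:
    """Map the target host's service identifier to a configuration identifier."""
    try:
        return VIRTUAL_HOST_LIST[host_service_id]
    except KeyError:
        raise ValueError(f"no virtual host profile for service {host_service_id!r}") from None


def deploy(target_host_id: str, host_service_id: str, count: int, subnet: str,
           now: int, closed_vulns: Set[str] = frozenset()) -> Deployment:
    """Deploy `count` virtual hosts from the profile matched to the target host's
    service, omitting every vulnerability already reported as exploited."""
    config_id = select_config(host_service_id)
    profile = dict(CONFIG_DB[config_id])
    profile["vulns"] = [v for v in profile["vulns"] if v not in closed_vulns]
    vhosts = [VirtualHost(f"{target_host_id}-vh{i}", f"{subnet}.{200 + i}", dict(profile))
              for i in range(count)]
    return Deployment(target_host_id, host_service_id, config_id, subnet, vhosts,
                      set(closed_vulns), now)


def on_server_feedback(dep: Deployment, feedback: dict, now: int) -> Optional[Deployment]:
    """React to the two feedback kinds: redeploy without the exploited vulnerability,
    or reclaim (return None) when the honeypot has been silent for too long."""
    if feedback["kind"] == "analysis_done":
        closed = dep.closed_vulns | {feedback["vulnerability"]}
        return deploy(dep.target_host_id, dep.host_service_id, len(dep.vhosts),
                      dep.subnet, now, closed)
    if feedback["kind"] == "no_records":
        last = dep.last_record_at if dep.last_record_at is not None else dep.deployed_at
        return None if now - last > RECORD_TIMEOUT else dep
    raise ValueError(f"unknown feedback kind {feedback['kind']!r}")
```

Two points a practitioner would check here: removing every exploited vulnerability on redeploy steadily strips the lures that made the honeypot attractive, so the operator may prefer to keep the vulnerability and patch only the real hosts; and a honeypot that uploads no records for the whole window may simply be unreachable (a routing or gateway rule problem) rather than unattacked, so reachability should be verified before the physical host is reclaimed.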
With reference to the first aspect of the present application, in a seventh possible implementation manner of the first aspect of the present application, the network restriction processing includes limiting the number of network connections corresponding to the target physical host to be less than or equal to a preset number, where the network connections are connections established between the target physical host and devices other than a local area network where the target physical host is located.
With reference to the first aspect of the present application, in an eighth possible implementation manner of the first aspect of the present application, the network restriction processing includes discarding processing or modifying processing, where the discarding processing discards an aggressive packet and the modifying processing alters the aggressive packet so that it no longer constitutes a hazard.
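The gateway's restriction processing of the seventh and eighth implementations, as an added Python example of the policy logic (not the patent's code): a per-host cap on new outbound connections, plus drop or modify handling for packets classified as aggressive. The packet fields, the classifier, the cap and the sinkhole address are assumptions; on a real gateway this logic lives in the firewall ruleset (for instance an iptables connlimit match for the cap and a DNAT to a sinkhole for the modify case), with inbound traffic to the honeypot left unrestricted so the lure still works.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    """Minimal packet view as seen by the gateway (constructed, an assumption)."""
    src: str
    dst: str
    dport: int
    proto: str            # "tcp" or "udp"
    syn: bool = False     # TCP connection attempt
    payload: bytes = b""


HONEYPOT_LAN_PREFIX = "10.0.1."   # LAN where the target physical host is located (assumed)
MAX_EXTERNAL_CONNS = 2            # preset number of outbound connections per honeypot host
SINKHOLE = "10.0.1.254"           # where modified packets are redirected (assumed address)

# Crude springboard classifier (assumption): lateral-movement ports and payload markers.
AGGRESSIVE_PORTS = {22, 445, 3389}
AGGRESSIVE_MARKERS = (b"\x90" * 8, b"/bin/sh", b"powershell -enc")


def is_aggressive(p: Packet) -> bool:
    return p.dport in AGGRESSIVE_PORTS or any(m in p.payload for m in AGGRESSIVE_MARKERS)


class GatewayPolicy:
    """Network restriction processing for traffic leaving the honeypot LAN."""

    def __init__(self, mode: str = "drop"):
        if mode not in ("drop", "modify"):
            raise ValueError("mode must be 'drop' or 'modify'")
        self.mode = mode
        self.conns: Dict[str, Set[Tuple[str, int, str]]] = {}  # src -> external endpoints
        self.log: List[str] = []

    def handle(self, p: Packet) -> Optional[Packet]:
        """Return the packet to forward, or None when it is discarded."""
        if not p.src.startswith(HONEYPOT_LAN_PREFIX):
            return p  # not from the honeypot LAN: this policy does not apply
        if is_aggressive(p):
            self.log.append(f"aggressive {p.src}->{p.dst}:{p.dport}")
            if self.mode == "drop":
                return None
            # Modify: redirect to the sinkhole so the packet cannot reach its target.
            return Packet(p.src, SINKHOLE, p.dport, p.proto, p.syn, p.payload)
        if p.proto == "tcp" and p.syn:
            active = self.conns.setdefault(p.src, set())
            key = (p.dst, p.dport, p.proto)
            if key not in active and len(active) >= MAX_EXTERNAL_CONNS:
                self.log.append(f"conn-cap {p.src}->{p.dst}:{p.dport}")
                return None
            active.add(key)
        return p


def run_sample(mode: str = "drop") -> Tuple[GatewayPolicy, List[Optional[Packet]]]:
    """Push a constructed packet sequence through the policy and return the outcome."""
    gw = GatewayPolicy(mode)
    packets = [
        Packet("10.0.1.201", "198.51.100.5", 80, "tcp", syn=True),    # 1st outbound conn: allowed
        Packet("10.0.1.201", "198.51.100.6", 443, "tcp", syn=True),   # 2nd: allowed
        Packet("10.0.1.201", "198.51.100.7", 8080, "tcp", syn=True),  # 3rd: over the cap
        Packet("10.0.1.201", "198.51.100.6", 443, "tcp", payload=b"GET / HTTP/1.1"),  # existing conn
        Packet("10.0.1.201", "203.0.113.9", 445, "tcp", syn=True),    # SMB lateral move: aggressive
        Packet("10.0.1.202", "203.0.113.10", 9999, "tcp", payload=b"\x90" * 16 + b"/bin/sh"),  # shellcode
        Packet("192.168.5.3", "198.51.100.5", 80, "tcp", syn=True),   # not honeypot LAN: untouched
    ]
    return gw, [gw.handle(p) for p in packets]


if __name__ == "__main__":
    gw, out = run_sample("drop")
    print([o is not None for o in out], gw.log)
```

The connection cap is what actually contains an unknown attack: the signature-based classifier only catches what it has been told about, while the cap bounds how much pivoting any compromised virtual host can do regardless of technique.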
In a second aspect, the present application provides a deployment system of a virtual host, the system including:
a receiving unit, configured to receive a monitoring request sent by a UE;
the monitoring unit is used for monitoring whether an idle target physical host exists in a physical host network formed by a plurality of physical hosts, and if the idle target physical host exists, the deployment unit is triggered;
the deployment unit is used for deploying a plurality of virtual hosts on a target physical host through a virtualization technology, the virtual hosts are used for bearing network attacks and collecting behavior records of the network attacks, the virtual hosts are also used for uploading the behavior records to a server, and the server is used for storing the behavior records and analyzing attack behaviors of the network attacks based on the behavior records;
the system comprises a determining unit, a judging unit and a judging unit, wherein the determining unit is used for determining target gateway equipment corresponding to a target physical host, and the target gateway equipment is used for managing data transmission between a local area network where the target physical host is located and an external network;
and the sending unit is used for sending indication information to the target gateway equipment, wherein the indication information is used for indicating the target gateway equipment to perform network limitation processing on an aggressive data packet corresponding to the springboard attack when the virtual host launches the springboard attack, and the springboard attack comprises an attack behavior launched by the target physical host as a transfer station under the action of attack flow of an external network.
With reference to the second aspect of the present application, in a first possible implementation manner of the second aspect of the present application, the deployment unit is specifically configured to:
determining a target network segment where a target physical host is located;
deploying on the target physical host, through a virtualization technology, a virtual network that lures network attacks by means of disguise processing; the virtual network consists of a plurality of virtual hosts, and the disguise processing includes starting services of the same type as those in the target network segment, configuring host attributes identical to those of the other physical hosts in the target network segment, or configuring at least one preset vulnerability.
With reference to the second aspect of the present application, in a first possible implementation manner of the second aspect of the present application, the deployment unit is specifically configured to:
acquiring a host service identifier of a target physical host, wherein the host service identifier is used for identifying host service pre-configured by the target physical host;
determining the configuration identifier of the virtual host according to the host service identifier and a virtual host list, wherein the virtual host list records the correspondence between different host service identifiers and different configuration identifiers of the virtual host;
acquiring a configuration file of the virtual host corresponding to the configuration identifier from a database, wherein the database is used for storing the configuration files of different virtual hosts;
through configuration files and virtualization technologies, a plurality of virtual hosts are deployed on a target physical host.
With reference to the second aspect of the present application, in a second possible implementation manner of the second aspect of the present application, the monitoring unit is specifically configured to:
monitoring whether the occupancy rate of the storage resources of the physical host is lower than a preset idle utilization rate or not in the physical host network; or,
monitoring whether a physical host is in a dormant state all the time in a preset monitoring period in a physical host network; or,
monitoring whether a physical host has an idle mark in a physical host network;
if yes, determining that the target physical host exists.
With reference to the second aspect of the present application, in a third possible implementation manner of the second aspect of the present application, the monitoring unit is further configured to:
monitoring whether a new service is online in a service system or not compared with the last monitoring period;
and if so, positioning the physical host network corresponding to the new service.
With reference to the second aspect of the present application, in a fourth possible implementation manner of the second aspect of the present application, the receiving unit is further configured to:
receiving feedback information sent by a server, wherein the feedback information is used for indicating that the server completes analysis of attack behaviors of the network attack and is also used for indicating vulnerabilities aimed at by the network attack;
a deployment unit further to:
close the vulnerability on the target physical host through the virtualization technology and redeploy a plurality of new virtual hosts.
With reference to the second aspect of the present application, in a fifth possible implementation manner of the second aspect of the present application, the receiving unit is further configured to:
receiving feedback information sent by a server, wherein the feedback information is used for indicating that the virtual host does not upload behavior records to the server within preset time;
a deployment unit further to:
a plurality of virtual hosts are reclaimed on a target physical host.
With reference to the second aspect of the present application, in a seventh possible implementation manner of the second aspect of the present application, the network restriction processing includes limiting the number of network connections corresponding to the target physical host to be less than or equal to a preset number, where the network connections are connections established between the target physical host and devices outside a local area network where the target physical host is located.
With reference to the second aspect of the present application, in an eighth possible implementation manner of the second aspect of the present application, the network restriction processing includes discarding processing or modifying processing, where the discarding processing discards an aggressive packet and the modifying processing alters the aggressive packet so that it no longer constitutes a hazard.
In a third aspect, the present application provides a server comprising a processor which, when executing a computer program stored in a memory, implements any of the steps of the virtual host deployment method of the first aspect described above.
In a fourth aspect, the present application provides a readable storage medium having stored thereon a computer program which, when executed by a processor, implements any of the steps of the virtual host deployment method of the first aspect described above.
According to the technical scheme, the method has the following advantages:
When an enterprise builds its network security defense, the virtual host deployment system monitors the idle state of the physical hosts and, on an idle target physical host, simulates a plurality of (virtual) hosts through virtualization technology. The simulated hosts run in an isolated environment that the enterprise can easily control, so network attacks can be lured in and analyzed without the attacker noticing.
With this arrangement, a plurality of hosts can be simulated from the limited hardware resources of one physical host to attract network attacks, and idle physical hosts can be found among the enterprise's physical hosts and their hardware put to use. The enterprise's fixed and limited physical host resources, and the hardware resources of the target physical host, are thus used reasonably, and disguised hosts are deployed with high resource utilization to capture network attacks.
The virtual host deployment system also instructs the target gateway device, through the indication information, to perform network restriction processing on the aggressive data packets of any springboard attack launched from a virtual host. The aggressive packets of a network attack are thus confined to the virtual hosts on the target physical host: the attack is captured locally by the virtual host, while it is prevented from infecting or attacking the external target gateway device or other physical hosts, which improves the safety of deploying disguised hosts in practice.
In particular, if the target gateway device were infected or attacked, the normal operation of the enterprise's other physical hosts could be affected; the network isolation between the disguised host (target physical host) and the target gateway device therefore greatly improves the security of deploying disguised hosts in practice.
Drawings
FIG. 1 illustrates a schematic view of a scenario of the present application;
FIG. 2 is a flow chart illustrating a deployment method of a virtual host according to the present application;
FIG. 3 shows another schematic view of the present application;
FIG. 4 is a flow chart illustrating the deployment of a virtual host on a target physical host according to the present application;
FIG. 5 illustrates another flow diagram of the present application for deploying a virtual host on a target physical host;
FIG. 6 is a flow chart illustrating the monitoring of idle target physical hosts according to the present application;
FIG. 7 is a schematic structural diagram of a deployment system of a virtual host according to the present application;
fig. 8 shows another structural diagram of the deployment system of the virtual host according to the present application.
Detailed Description
The application provides a virtual host deployment method and system, which are used for deploying a disguised host by reasonably utilizing hardware resources of a physical host.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first," "second," and the like in the description and in the claims of the present application and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Moreover, the terms "comprises," "comprising," and any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or modules is not necessarily limited to those steps or modules explicitly listed, but may include other steps or modules not expressly listed or inherent to such process, method, article, or apparatus. The naming or numbering of the steps appearing in the present application does not mean that the steps in the method flow have to be executed in the chronological/logical order indicated by the naming or numbering, and the named or numbered process steps may be executed in a modified order depending on the technical purpose to be achieved, as long as the same or similar technical effects are achieved.
The division of the modules presented in this application is a logical division, and in practical applications, there may be another division, for example, multiple modules may be combined or integrated into another system, or some features may be omitted, or not executed, and in addition, the shown or discussed coupling or direct coupling or communication connection between each other may be through some interfaces, and the indirect coupling or communication connection between the modules may be in an electrical or other similar form, which is not limited in this application. The modules or sub-modules described as separate components may or may not be physically separated, may or may not be physical modules, or may be distributed in a plurality of circuit modules, and some or all of the modules may be selected according to actual needs to achieve the purpose of the present disclosure.
First, before introducing the present application, a physical host, a virtual host, a gateway device, a UE, and a deployment system related to the present application will be introduced.
A physical host is a physical device with hardware resources, for example a physical server, that has data processing and communication capability; the enterprise platform contains a number of them.
A virtual host is a non-physical host obtained by building a virtual environment on the hardware resources of a physical host through virtualization technology and simulating a physical host in that environment. Because a virtual host exists as an application program and occupies only part of the physical host's hardware resources, a plurality of virtual hosts can be deployed on one physical host, each assigned a different Internet Protocol (IP) address. The virtual environment and the virtual machines can be created with platform tools such as VMware, VirtualBox or Virtual PC.
A gateway device manages data transmission and provides data conversion services between different networks, i.e. communication between physical hosts in different networks passes through the gateway device.
The UE may specifically be a terminal device such as a smart phone, a notebook computer, a desktop computer, a computer all-in-one machine, and a Personal Digital Assistant (PDA), which can access the deployment system and initiate a monitoring request to the deployment system.
The deployment system can be an independent physical host, or can be composed of a plurality of physical hosts in the enterprise platform that carry the deployment system's application programs; it can further be divided into a server side and a user side, deployed on the enterprise side and the user side respectively.
Referring to fig. 1, which shows a schematic view of a scenario provided by the present application: the deployment system deploys a plurality of virtual hosts on an idle target physical host using the virtual host deployment method provided here, in order to lure and analyze network attacks. Disguised hosts are deployed with high resource utilization within the enterprise's fixed and limited physical host resources, and the isolation between the disguised host (target physical host) and the target gateway device greatly improves the security of deploying disguised hosts in practice.
Next, based on the description of the above scenario, a detailed description of the deployment method of the virtual host provided in the present application is started.
Referring to fig. 2, which shows a flowchart of the virtual host deployment method according to the present application, the method may include the following steps:
step S201, a deployment system receives a monitoring request sent by UE;
The deployment system executes the deployment tasks of the virtual hosts; staff on the UE side can access the deployment system through the UE and initiate a monitoring request.
Step S202, the deployment system monitors whether an idle target physical host exists in a physical host network formed by a plurality of physical hosts, and if so, proceeds to step S203;
After receiving the monitoring request initiated by the UE, the deployment system monitors for idle physical hosts in a preset physical host network.
The physical host network may be preset with a corresponding host list. The host list records a host identity (ID) for each physical host added to the network; the identity consists of information that can locate the physical host, such as a host number, host address, network address or IP address. The deployment system locates each physical host in the network according to the host list and monitors its idle state.
The deployment system is preconfigured with an idle-state judgment strategy for physical hosts, and judges whether the current physical host is idle according to that strategy.
Step S203, the deployment system deploys a plurality of virtual hosts on the target physical host through a virtualization technology;
the virtual host is used for bearing network attacks and collecting behavior records of the network attacks, the virtual host is also used for uploading the behavior records to the server, and the server is used for storing the behavior records and analyzing attack behaviors of the network attacks based on the behavior records.
After monitoring the idle physical host, the deployment system can determine the target physical host and deploy the virtual host on the target physical host.
By deploying a plurality of virtual hosts on the target physical host, a physical host other than the target physical host, or a device such as the UE, can recognize a plurality of (disguised) physical hosts from the target physical host. Because the virtual host runs in a virtual environment realized on the basis of programs, it is convenient for quick deployment, flexible control and safe isolation, so the device can be specially used for attracting and bearing network attacks from the outside at lower cost. Because the virtual host does not provide actual service, the behavior record of the network attack that the virtual host can capture is of higher accuracy. The virtual host can also be configured with a corresponding uploading program that collects the behavior record of the network attack and uploads it to the server, and the server performs corresponding storage and analysis to determine the behavior characteristics and the source of the network attack.
Step S204, the deployment system determines a target gateway device corresponding to the target physical host;
the target gateway device is used for managing data transmission between the local area network where the target physical host is located and an external network, and the target gateway device is the only connection point between the virtual host and the external network.
On the other hand, the deployment system also needs to perform corresponding configuration on the target gateway device corresponding to the target physical host, and therefore, the deployment system also needs to determine the target gateway device of the local area network where the target physical host is located.
For example, the target physical host and the target gateway device are in the same network segment, and the deployment system can locate the target gateway device by locating the gateway address (IP address) of the network segment where the target physical host is located.
Step S205, the deployment system sends indication information to the target gateway device.
The indication information is used for indicating the target gateway device to perform network limitation processing on an aggressive data packet corresponding to a springboard attack when the virtual host initiates the springboard attack, wherein the springboard attack comprises an attack behavior initiated with the target physical host as a transfer station under the action of attack traffic from an external network.
After determining the target gateway device corresponding to the target physical host, the deployment system can complete the relevant configuration of the target gateway device by sending the indication information.
It can be understood that among the attack modes of network attacks there is a springboard attack mode: the springboard attack breaks through a certain node in the target system, controls the node, and uses the node as a springboard to implement the network attack on the target system from inside the target system.
Therefore, in combination with another scenario diagram shown in fig. 3 of the present application, take the scenario in which a virtual host initiates a springboard attack: when the virtual host bears a network attack and, as the springboard in the springboard attack, sends out an aggressive data packet, the target gateway device performs network restriction processing on the aggressive data packet to prevent it from flowing out to the external network and to restrict its threat. For network traffic that needs to enter the local area network where the target gateway device is located, the target gateway device treats it normally and admits it to the local area network without additionally applying the network restriction processing, so that the virtual host can still attract and bear network attacks from the external network.
When it is monitored that the virtual host is subjected to a network attack in the form of a springboard attack, the data packet sent by the virtual host can be identified as an offensive data packet through the server's analysis of the springboard attack and the warning sent by the server.
It can be seen from the above that, when an enterprise constructs its network security defense, the deployment system of the virtual host monitors the idle state of the physical hosts and, on an idle target physical host, simulates a plurality of physical (virtual) hosts by using a virtualization technology. The simulated hosts operate in an isolated environment, so that they are not only convenient for the enterprise to control but are also unknown to a network hacker, and the network attack can be induced and analyzed.
Under this arrangement, a plurality of hosts can be simulated on the hardware resources of one physical host, even though that host has limited hardware resources, to attract network attacks, and idle physical hosts can be found among the plurality of physical hosts and their hardware resources utilized. Thus, within the fixed and limited physical host resources of an enterprise under current conditions, the physical host resources and the hardware resources of the target physical host are reasonably utilized, and the disguised host can be deployed with a high resource utilization rate to catch network attacks.
Moreover, the deployment system of the virtual host also instructs, through the indication information, the target gateway device to perform network limitation processing on the offensive data packet corresponding to the springboard attack initiated by the virtual host. The offensive data packet of the network attack can thus be effectively isolated on the virtual host in the target physical host: the network attack is captured locally by the virtual host, while at the same time it is prevented from infecting or attacking the external target gateway device or other physical hosts, which improves the security of deploying the disguised host in actual application.
Especially, if the target gateway device is infected or attacked, the normal operation of other physical hosts in the enterprise may be affected, so that the physical isolation between the disguised host (target physical host) and the target gateway device obviously greatly improves the security of deploying the disguised host in practical application.
Continuing with fig. 4, fig. 4 is a schematic flow chart illustrating the deployment of the virtual host on the target physical host according to the present application, and in particular, the deployment of the virtual host on the target physical host according to the present application can be implemented by the following steps:
step S401, the deployment system determines a target network segment where a target physical host is located;
in some embodiments, the virtual hosts may be deployed specifically according to characteristics of a network segment on which the virtual hosts are located.
Therefore, in the process of deploying the virtual host, a target network segment where a target physical host bearing the virtual host is located is determined first.
Step S402, the deployment system deploys, on the target physical host through a virtualization technology, a virtual network that induces network attacks through disguise processing.
The virtual network is composed of a plurality of virtual hosts, and the disguise processing comprises starting a service of the same service type as the target network segment, configuring host attributes that are the same as those of the other physical hosts in the target network segment except the target physical host, or configuring at least one preset vulnerability (bug).
When a plurality of virtual hosts are deployed, the deployment system can also construct a virtual network by the virtual hosts, so that the virtual hosts can be disguised as an important local host network of an enterprise to attract network attacks from an external network.
Meanwhile, the same/different disguises can be performed for each virtual host through the disguise processing, so that the disguise effect and the attraction effect of the virtual hosts are improved.
In another embodiment, referring to fig. 5, fig. 5 shows another schematic flow chart of the present application for deploying a virtual host on a target physical host, and in particular, the present application for deploying a virtual host on a target physical host can be further implemented by the following steps:
step S501, a deployment system acquires a host service identifier of a target physical host;
the host service identifier is used for identifying a host service pre-configured by the target physical host.
In the present application, each physical host may be preconfigured with a corresponding host service identifier to identify the host service provided by each physical host.
When the virtual host is deployed on the target physical host, the virtual host configured correspondingly can be deployed by specifically combining the host service provided by the target physical host, and for this reason, the deployment system needs to acquire the service identifier of the target physical host first.
For example, the physical hosts may provide services such as database servers, application servers, Web servers, proxy servers, location servers, Graphics Processing Unit (GPU) servers, and the like.
Step S502, the deployment system determines the configuration identifier of the virtual host according to the host service identifier and the virtual host list;
the virtual host list comprises corresponding relations between different host service identifiers and different configuration identifiers of the virtual machine.
In addition to pre-configuring the host service identifier for the physical host, the corresponding relationship between different host service identifiers and different configuration identifiers of the virtual machine can be pre-configured, so that the configuration identifier of the corresponding virtual machine can be searched according to the host service identifier of the current target physical host, and the configuration file identified by the configuration identifier can be acquired.
Step S503, the deployment system acquires the configuration file of the virtual host corresponding to the configuration identifier from the database;
the database is used for storing configuration files of different virtual hosts.
Different configuration files required by different virtual hosts can be stored in the database in advance, and after the deployment system obtains the configuration identifier of the virtual host corresponding to the current target physical host, it can extract the corresponding configuration file of the virtual host from the database according to that identifier.
Step S504, the deployment system deploys a plurality of virtual hosts on the target physical host through the configuration file and the virtualization technology.
After the configuration files of the virtual hosts are obtained, the deployment system can deploy a plurality of virtual hosts on the hardware resources of the target physical host through the virtualization technology, and attract network attacks from the external network through the disguised hosts.
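The following Python is an added illustration (not code from the patent) that joins the configuration lookup of fig. 5 (host service identifier to configuration identifier to configuration file, steps S501 to S503) with the disguise processing of fig. 4 (steps S401 to S402): each virtual host spec takes an unused address in the target network segment, the service type of the segment, host attributes copied from the other physical hosts in the segment, and one preset vulnerability from the configuration file. The identifiers, the store layout, the attribute fields and the sample hosts are assumptions.

```python
"""Planning the disguised virtual network for a target physical host.

Added example, not the patent's code. It combines the configuration lookup of
fig. 5 (S501-S503) with the disguise processing of fig. 4 (S401-S402). The
identifiers, the store layout, the attribute fields and the sample hosts are
assumptions; the vulnerability values are placeholders, not real defects.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class HostInfo:
    ip: str
    service_id: str      # host service identifier pre-configured on the physical host
    os_banner: str       # host attribute that the disguise processing copies


# Virtual host list (S502): host service identifier -> configuration identifier. Constructed.
VHOST_LIST: Dict[str, str] = {"web": "cfg-web-01", "db": "cfg-db-01"}

# Database of configuration files keyed by configuration identifier (S503). Constructed.
CONFIG_DB: Dict[str, Dict] = {
    "cfg-web-01": {"service": "http", "port": 80, "preset_vulnerability": "PLACEHOLDER-WEB-VULN"},
    "cfg-db-01": {"service": "mysql", "port": 3306, "preset_vulnerability": "PLACEHOLDER-DB-VULN"},
}


def lookup_config(target: HostInfo) -> Tuple[str, Dict]:
    """S501-S503: resolve the target's host service identifier to its configuration file."""
    cfg_id = VHOST_LIST.get(target.service_id)
    if cfg_id is None:
        raise KeyError(f"no configuration identifier for host service {target.service_id!r}")
    return cfg_id, CONFIG_DB[cfg_id]


def plan_virtual_network(
    segment: str,
    target: HostInfo,
    others: Sequence[HostInfo],
    count: int,
    reserved: Sequence[str] = (),
) -> List[Dict]:
    """S401-S402 / S504: build `count` virtual host specs for the target network segment.

    `others` are the other physical hosts in the segment (their attributes are copied);
    `reserved` lists addresses that must stay free, such as the gateway address.
    """
    net = ipaddress.ip_network(segment)
    if ipaddress.ip_address(target.ip) not in net:
        raise ValueError(f"target {target.ip} is not in segment {segment}")
    cfg_id, cfg = lookup_config(target)
    used = {target.ip, *reserved} | {h.ip for h in others}
    free = [str(ip) for ip in net.hosts() if str(ip) not in used]
    if len(free) < count:
        raise ValueError("not enough unused addresses in the target network segment")
    specs = []
    for i in range(count):
        mimic = others[i % len(others)] if others else target   # neighbour whose attributes are copied
        specs.append({
            "vhost": f"vh-{i + 1:02d}",
            "address": free[i],                    # unused address inside the same segment
            "config_id": cfg_id,
            "service": cfg["service"],             # same service type as the target segment
            "port": cfg["port"],
            "os_banner": mimic.os_banner,          # same host attribute as the other physical hosts
            "preset_vulnerability": cfg["preset_vulnerability"],
        })
    return specs


# Constructed sample segment: the target is PH-02; two other web hosts and the gateway share it.
TARGET = HostInfo("10.0.1.12", "web", "Ubuntu 18.04 / nginx")
OTHERS = [
    HostInfo("10.0.1.11", "web", "Ubuntu 18.04 / nginx"),
    HostInfo("10.0.1.13", "web", "CentOS 7 / httpd"),
]
GATEWAY = "10.0.1.1"

if __name__ == "__main__":
    for spec in plan_virtual_network("10.0.1.0/24", TARGET, OTHERS, 3, reserved=[GATEWAY]):
        print(spec)
```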
In another embodiment, referring to fig. 6, fig. 6 is a schematic flow chart illustrating the idle target physical host monitoring method, specifically, the idle target physical host monitoring method can be implemented by the following steps:
step S601, a deployment system monitors whether the occupancy rate of the storage resources of a physical host in a physical host network is lower than a preset idle utilization rate, if so, step S605 is triggered, and if not, step S602 is triggered;
It can be understood that when the occupancy rate of the storage resources of the target physical host is too low, its hardware resources are obviously being wasted; therefore, the host can be used for deploying virtual hosts to induce network attacks so as to reasonably utilize the hardware resources of the target physical host.
Step S602, the deployment system monitors whether there is a physical host in a sleep state in a preset monitoring period in the physical host network, if yes, step S605 is triggered, and if no, step S603 is triggered;
it can be understood that when the target physical host sleeps for a long time and does not actually work, the hardware resources are obviously wasted, and therefore, the method can be used for deploying the virtual host to attract network attacks, so as to reasonably utilize the hardware resources of the target physical host.
Step S603, the deployment system monitors whether there is a physical host with an idle identifier in the physical host network, if yes, step S605 is triggered, and if no, step S604 is triggered;
Alternatively, an idle identifier can be introduced into the idle state mechanism, so that under special conditions, such as a physical host that has been manually taken out of service or whose data has been cleared, the idle identifier can be added to the physical host manually or by automatic detection, and the system can determine from the identifier that the physical host is an idle target physical host.
Step S604, the deployment system determines that no target physical host exists;
When triggered from any of steps S601 to S603, if the deployment system determines that no target physical host currently exists, the subsequent deployment of virtual hosts is not triggered.
In step S605, the deployment system determines that the target physical host exists.
When triggered from any of steps S601 to S603, the deployment system determines that a target physical host currently exists, can locate the target physical host, and can then trigger the deployment of the virtual hosts.
In the present application, any one or any combination of steps S601 to S603 may be selected to monitor the idle target physical host.
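As an added illustration of the monitoring flow of fig. 6 (not code from the patent), the following Python models the three idle checks as a policy that walks the host list and returns the first idle target physical host together with the step that identified it, with any one or any combination of S601 to S603 selectable; the host record fields, the thresholds and the sample host list are assumptions.

```python
"""Idle target physical host monitoring modelled on steps S601 to S605.

Added example, not the patent's own code. The host record fields, thresholds and
sample host list are assumptions; the three checks follow the description:
S601 storage occupancy below the preset idle utilization rate, S602 dormant for the
whole monitoring period, S603 an idle identifier present on the host.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence, Tuple


@dataclass
class PhysicalHost:
    host_number: str                  # host ID fields taken from the host list
    ip_address: str
    storage_occupancy: float          # share of storage resources in use, 0.0 .. 1.0
    dormant_samples: List[bool] = field(default_factory=list)  # one sample per poll, True = dormant
    idle_flag: bool = False           # idle identifier set manually or by automatic detection


@dataclass
class IdlePolicy:
    idle_utilization: float = 0.05    # preset idle utilization rate for S601 (assumed value)
    period_samples: int = 6           # polls that make up one monitoring period for S602 (assumed)


def check_storage(host: PhysicalHost, policy: IdlePolicy) -> bool:
    """S601: storage occupancy lower than the preset idle utilization rate."""
    return host.storage_occupancy < policy.idle_utilization


def check_dormant(host: PhysicalHost, policy: IdlePolicy) -> bool:
    """S602: dormant in every sample of the last full monitoring period."""
    samples = host.dormant_samples[-policy.period_samples:]
    return len(samples) == policy.period_samples and all(samples)


def check_idle_flag(host: PhysicalHost, policy: IdlePolicy) -> bool:
    """S603: the host carries an idle identifier."""
    return host.idle_flag


CHECKS: Sequence[Tuple[str, Callable[[PhysicalHost, IdlePolicy], bool]]] = (
    ("S601", check_storage),
    ("S602", check_dormant),
    ("S603", check_idle_flag),
)


def find_target_host(
    host_list: Sequence[PhysicalHost],
    policy: IdlePolicy,
    steps: Sequence[str] = ("S601", "S602", "S603"),
) -> Optional[Tuple[PhysicalHost, str]]:
    """Walk the host list in order and apply the selected checks to each host.

    The checks are tried in the order S601, S602, S603 as in fig. 6; any one or any
    combination can be selected through `steps`. Returns (host, triggering step) for
    the first idle host found (S605), or None when no target physical host exists (S604).
    """
    enabled = [(name, fn) for name, fn in CHECKS if name in steps]
    for host in host_list:
        for name, fn in enabled:
            if fn(host, policy):
                return host, name
    return None


# Constructed sample host list: PH-01 is busy, PH-02 is dormant for the whole period,
# PH-03 was flagged idle by an operator but was active in one poll.
HOST_LIST = [
    PhysicalHost("PH-01", "10.0.1.11", 0.72, [False] * 6),
    PhysicalHost("PH-02", "10.0.1.12", 0.40, [True] * 6),
    PhysicalHost("PH-03", "10.0.1.13", 0.55, [True, False, True, True, True, True], idle_flag=True),
]


if __name__ == "__main__":
    result = find_target_host(HOST_LIST, IdlePolicy())
    if result is None:
        print("S604: no idle target physical host")
    else:
        host, step = result
        print(f"S605: target physical host {host.host_number} ({host.ip_address}) found by {step}")
```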
In another embodiment, the monitoring of the idle target physical host may also be related to online of a new service, and the deployment system may be docked with a service system of an enterprise and perform monitoring, specifically:
the deployment system monitors whether a new service is online in the service system or not compared with the last monitoring period;
if so, the deployment system locates the physical host network corresponding to the new service; this physical host network is the physical host network formed by the plurality of physical hosts and is used for bearing the new service.
In another embodiment, after receiving the behavior record of the network attack reported by the virtual host, the server may analyze the network attack, for example its behavior characteristics and attack source. After completing the analysis, the server may further send feedback information to the deployment system to indicate that it has completed the analysis of the attack behavior of the network attack and to indicate the vulnerability of the virtual host targeted by the network attack, so that the deployment system avoids that vulnerability on the target physical host through a virtualization technology and redeploys a plurality of new virtual hosts, so as to continuously attract and capture new network attacks.
In another embodiment, if the server does not receive the behavior record of the network attack reported by the virtual host, the server may also send feedback information to the deployment system to indicate that the virtual host does not upload the behavior record of the network attack to the server within the preset time.
In yet another embodiment, the network restriction processing includes limiting the number of network connections corresponding to the target physical host to less than a preset number, where the network connections are connections established between the target physical host and devices outside the local area network where the target physical host is located; through this limitation of the network connections, network attacks such as typical DoS attacks and DDoS attacks initiated when the virtual host is used as a springboard in a springboard attack are avoided.
In yet another embodiment, the network restriction process includes a drop process for dropping the offending packets or a modification process for rendering the offending packets non-detrimental.
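The following Python is an added model (not the patent's code) of the network restriction processing the target gateway device applies under the indication information of step S205 and the two embodiments above: traffic entering the local area network is forwarded normally, while packets leaving the LAN from the target physical host are capped at a preset number of connections and, once the server's warning has flagged a flow as offensive, are dropped or modified. The packet record layout, the preset limit and the modification rule (the payload is emptied) are assumptions.

```python
"""Model of the target gateway device's network restriction processing (S205, fig. 3).

Added example, not the patent's code. The packet record layout, the preset connection
limit and the way an offensive packet is "modified" (its payload is emptied) are
assumptions. Traffic entering the local area network is forwarded normally so that the
virtual hosts keep attracting attacks; only traffic leaving the LAN from the target
physical host (the springboard) is restricted.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Flow = Tuple[str, int]  # (destination address, destination port)


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class GatewayPolicy:
    lan: ipaddress.IPv4Network
    target_host: str                         # target physical host bearing the virtual hosts
    max_connections: int                     # preset number of outbound connections (assumed)
    mode: str = "drop"                       # "drop" or "modify" for offensive packets
    offensive_flows: Set[Flow] = field(default_factory=set)  # flows named in the server's warning
    connections: Set[Flow] = field(default_factory=set)      # outbound connections seen so far

    def flag_offensive(self, dst: str, dport: int) -> None:
        """Record a flow identified as offensive by the server's springboard analysis and warning."""
        self.offensive_flows.add((dst, dport))


def make_policy(lan: str, target_host: str, max_connections: int, mode: str = "drop") -> GatewayPolicy:
    return GatewayPolicy(ipaddress.ip_network(lan), target_host, max_connections, mode)


def is_springboard_egress(policy: GatewayPolicy, pkt: Packet) -> bool:
    """True for packets sent by the target physical host to a device outside the LAN."""
    return pkt.src == policy.target_host and ipaddress.ip_address(pkt.dst) not in policy.lan


def process(policy: GatewayPolicy, pkt: Packet) -> Tuple[str, Optional[Packet]]:
    """Return the verdict ("forward", "drop" or "modify") and the packet to emit, if any."""
    if not is_springboard_egress(policy, pkt):
        return "forward", pkt                     # inbound or LAN-internal: no restriction
    flow = (pkt.dst, pkt.dport)
    if flow in policy.offensive_flows:
        if policy.mode == "modify":
            # modification process: keep the packet but strip its payload (assumed rule)
            return "modify", Packet(pkt.src, pkt.dst, pkt.dport, b"")
        return "drop", None                       # drop process
    if flow not in policy.connections:
        if len(policy.connections) >= policy.max_connections:
            return "drop", None                   # connection cap: blocks DoS/DDoS-style fan-out
        policy.connections.add(flow)
    return "forward", pkt


def run(policy: GatewayPolicy, packets: List[Packet]) -> List[str]:
    """Apply the policy to a packet sequence and return the verdicts in order."""
    return [process(policy, p)[0] for p in packets]


# Constructed sample traffic: an attacker reaches the decoy, which then fans out to four
# external targets; the cap of two outbound connections stops the third and fourth.
SAMPLE = [
    Packet("203.0.113.5", "10.0.1.12", 22),
    Packet("10.0.1.12", "198.51.100.1", 80),
    Packet("10.0.1.12", "198.51.100.2", 80),
    Packet("10.0.1.12", "198.51.100.3", 80),
    Packet("10.0.1.12", "198.51.100.4", 80),
]

if __name__ == "__main__":
    print(run(make_policy("10.0.1.0/24", "10.0.1.12", max_connections=2), SAMPLE))
```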
The above is an introduction of the deployment method of the virtual host of the present application, and the following begins to introduce the deployment system of the virtual host of the present application.
Referring to fig. 7, fig. 7 is a schematic structural diagram illustrating a deployment system of a virtual host according to the present application, specifically, the deployment system of the virtual host may include the following structure:
a receiving unit 701, configured to receive a monitoring request sent by a UE;
a monitoring unit 702, configured to monitor whether an idle target physical host exists in a physical host network formed by multiple physical hosts, and if so, trigger the deployment unit 703;
a deployment unit 703, configured to deploy a plurality of virtual hosts on a target physical host through a virtualization technique;
the virtual host is used for bearing network attacks and collecting behavior records of the network attacks, the virtual host is also used for uploading the behavior records to the server, and the server is used for storing the behavior records and analyzing attack behaviors of the network attacks based on the behavior records.
A determining unit 704, configured to determine a target gateway device corresponding to a target physical host;
the target gateway device is used for managing data transmission between the local area network where the target physical host is located and an external network.
A sending unit 705, configured to send the indication information to the target gateway device.
The indication information is used for indicating that the target gateway device performs network restriction processing on an aggressive data packet corresponding to the springboard attack when the virtual host initiates the springboard attack, wherein the springboard attack comprises an attack behavior initiated by the target physical host as a transfer station under the action of attack traffic of an external network.
In an embodiment, the deployment unit 703 is specifically configured to:
determining a target network segment where a target physical host is located;
through the virtualization technology, a virtual network which induces network attacks through disguise processing is deployed on a target physical host.
The virtual network is composed of a plurality of virtual hosts, and the disguising processing comprises starting a service with the same service type as the target network segment, configuring host attributes the same as other physical hosts except the target physical host in the target network segment or configuring at least one preset bug.
In another embodiment, the deployment unit 703 is specifically configured to:
acquiring a host service identifier of a target physical host;
the host service identifier is used for identifying a host service pre-configured by the target physical host.
Determining a configuration identifier of the virtual host according to the host service identifier and the virtual host list;
the virtual host list comprises corresponding relations between different host service identifiers and different configuration identifiers of the virtual machine.
Acquiring a configuration file of the virtual host corresponding to the configuration identifier from a database;
the database is used for storing configuration files of different virtual hosts.
Through configuration files and virtualization technologies, a plurality of virtual hosts are deployed on a target physical host.
In an embodiment, the monitoring unit 702 is specifically configured to:
monitoring whether the occupancy rate of the storage resources of the physical host is lower than a preset idle utilization rate or not in the physical host network; or,
monitoring whether a physical host is in a dormant state all the time in a preset monitoring period in a physical host network; or,
monitoring whether a physical host has an idle mark in a physical host network;
if yes, determining that the target physical host exists.
In a further embodiment, the monitoring unit 702 is further configured to:
monitoring whether a new service is online in a service system or not compared with the last monitoring period;
and if so, positioning the physical host network corresponding to the new service.
In another embodiment, the receiving unit 701 is further configured to:
receiving feedback information sent by a server;
the feedback information is used for indicating that the server completes analysis of the attack behavior of the network attack, and the feedback information is also used for indicating the vulnerability targeted by the network attack.
A deployment unit 703, further configured to:
through a virtualization technology, avoiding the vulnerability on the target physical host and redeploying a plurality of new virtual hosts.
In another embodiment, the receiving unit 701 is further configured to:
receiving feedback information sent by a server;
the feedback information is used for indicating that the virtual host does not upload the behavior record to the server within the preset time.
A deployment unit 703, further configured to:
a plurality of virtual hosts are reclaimed on a target physical host.
In yet another embodiment, the network restriction processing includes restricting the number of network connections corresponding to the target physical host to be less than a preset number, where the network connections are connections established between the target physical host and devices outside the local area network where the target physical host is located.
In yet another embodiment, the network restriction process includes a drop process for dropping the offending packets or a modification process for rendering the offending packets non-detrimental.
Referring to fig. 8, fig. 8 shows another schematic structural diagram of the deployment system of the virtual host provided in the present application, specifically, the deployment system of the virtual host provided in the present application includes a processor 801, and when the processor 801 is used to execute a computer program stored in a memory 802, each step of the deployment method of the virtual host in any embodiment corresponding to fig. 1 to fig. 6 is implemented; alternatively, the processor 801 is configured to implement the functions of the units in the corresponding embodiment of fig. 7 when executing the computer program stored in the memory 802.
Illustratively, a computer program may be partitioned into one or more modules/units, which are stored in the memory 802 and executed by the processor 801 to accomplish the present application. One or more modules/units may be a series of computer program instruction segments capable of performing certain functions, the instruction segments being used to describe the execution of a computer program in a computer device.
The deployment system of the virtual host can include, but is not limited to, a processor 801, a memory 802. Those skilled in the art will appreciate that the illustration is merely an example of a computer apparatus and is not meant to be a limitation of the deployment system of the virtual host, and may include more or less components than those shown, or some components may be combined, or different components, for example, the deployment system of the virtual host may further include an input/output device, a network access device, a bus, etc., and the processor 801, the memory 802, the input/output device, the network access device, etc., are connected via the bus.
The Processor 801 may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic, discrete hardware components, etc. The general purpose processor may be a microprocessor or the processor may be any conventional processor or the like, the processor being the control center of the computer device and the various interfaces and lines connecting the various parts of the overall computer device.
The memory 802 may be used to store computer programs and/or modules, and the processor 801 may implement various functions of the computer device by running or executing the computer programs and/or modules stored in the memory 802 and invoking data stored in the memory 802. The memory 802 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, video data, etc.) created according to the use of the cellular phone, etc. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a flash memory Card (FlashCard), at least one magnetic disk storage device, a flash memory device, or other volatile solid state storage device.
The present application further provides a readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the deployment method of a virtual host according to any embodiment corresponding to fig. 1 to 6 is implemented.
It will be appreciated that the integrated unit, if implemented as a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the above-described deployment system of the virtual host and the specific working process of the unit thereof may refer to the description of the deployment method of the virtual host in the embodiments corresponding to fig. 1 to fig. 6, and details are not described herein again.
In summary, when an enterprise constructs its network security defense, the deployment system of the virtual host monitors the idle state of the physical hosts and, on an idle target physical host, simulates a plurality of physical (virtual) hosts by using a virtualization technology. The simulated hosts operate in an isolated environment, so that they not only facilitate the management and control of the enterprise but are also unknown to a network hacker, and the network attack can be induced and analyzed.
Under this arrangement, a plurality of hosts can be simulated on the hardware resources of one physical host, even though that host has limited hardware resources, to attract network attacks, and idle physical hosts can be found among the plurality of physical hosts and their hardware resources utilized. Thus, within the fixed and limited physical host resources of an enterprise under current conditions, the physical host resources and the hardware resources of the target physical host are reasonably utilized, and the disguised host can be deployed with a high resource utilization rate to catch network attacks.
Moreover, the deployment system of the virtual host also instructs, through the indication information, the target gateway device to perform network limitation processing on the offensive data packet corresponding to the springboard attack initiated by the virtual host. The offensive data packet of the network attack can thus be effectively isolated on the virtual host in the target physical host: the network attack is captured locally by the virtual host, while at the same time it is prevented from infecting or attacking the external target gateway device or other physical hosts, which improves the security of deploying the disguised host in actual application.
Especially, if the target gateway device is infected or attacked, the normal operation of other physical hosts in the enterprise may be affected, so that the physical isolation between the disguised host (target physical host) and the target gateway device obviously greatly improves the security of deploying the disguised host in practical application.
In the embodiments provided in the present application, it should be understood that the disclosed deployment system of virtual hosts and its units may be implemented in other ways. The apparatus embodiments described above are merely illustrative: the division into units is only one logical division, and other divisions are possible in practice; for example, several units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate parts may or may not be physically separate, and parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist alone physically, or two or more units may be integrated into one unit. The integrated unit may be realized in the form of hardware or in the form of a software functional unit.
The above embodiments are only used to illustrate the technical solutions of the present application and not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features equivalently replaced, and that such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (10)

1. A method for deploying a virtual host, the method comprising:
a deployment system receives a monitoring request sent by user equipment (UE);
the deployment system monitors whether an idle target physical host exists in a physical host network formed by a plurality of physical hosts;
if the idle target physical host exists, the deployment system deploys a plurality of virtual hosts on the target physical host through a virtualization technology, wherein the virtual hosts are used for bearing network attacks and collecting behavior records of the network attacks, the virtual hosts are also used for uploading the behavior records to a server, and the server is used for storing the behavior records and analyzing the attack behavior of the network attacks based on the behavior records;
the deployment system determines a target gateway device corresponding to the target physical host, wherein the target gateway device is used for managing data transmission between the local area network where the target physical host is located and an external network;
the deployment system sends indication information to the target gateway device, wherein the indication information is used for instructing the target gateway device to carry out network restriction processing on an offensive data packet corresponding to a springboard attack when the virtual host launches the springboard attack, and the springboard attack comprises an attack behavior launched, under the action of attack traffic from the external network, with the target physical host as a transfer station (a pivot).
2. The method of claim 1, wherein the deployment system deploying a plurality of virtual hosts on the target physical host through a virtualization technology comprises:
the deployment system determines a target network segment where the target physical host is located;
the deployment system deploys, on the target physical host through the virtualization technology, a virtual network that induces the network attack through disguise processing, wherein the virtual network is composed of a plurality of virtual hosts, and the disguise processing comprises starting a service of the same service type as the target network segment, configuring host attributes identical to those of the other physical hosts in the target network segment, or configuring at least one preset vulnerability.
3. The method of claim 1, wherein the deployment system deploying a plurality of virtual hosts on the target physical host through a virtualization technology comprises:
the deployment system acquires a host service identifier of the target physical host, wherein the host service identifier identifies a host service configured in advance on the target physical host;
the deployment system determines a configuration identifier of the virtual host according to the host service identifier and a virtual host list, wherein the virtual host list comprises the correspondence between different host service identifiers and different configuration identifiers of virtual hosts;
the deployment system acquires the configuration file of the virtual host corresponding to the configuration identifier from a database, wherein the database is used for storing the configuration files of different virtual hosts;
the deployment system deploys a plurality of the virtual hosts on the target physical host through the configuration file and the virtualization technology.
4. The method of claim 1, wherein the deployment system monitoring whether an idle target physical host exists in a physical host network formed by a plurality of physical hosts comprises:
the deployment system monitors whether the storage resource occupancy of a physical host in the physical host network is lower than a preset idle utilization rate; or
the deployment system monitors whether a physical host in the physical host network remains in a dormant state throughout a preset monitoring period; or
the deployment system monitors whether a physical host in the physical host network carries an idle identifier;
if so, the deployment system determines that the target physical host exists.
5. The method of claim 1, wherein before the deployment system monitors whether an idle target physical host exists in the physical host network formed by a plurality of physical hosts, the method further comprises:
the deployment system monitors whether a new service has come online in the service system compared with the previous monitoring period;
if so, the deployment system locates the physical host network corresponding to the new service.
6. The method of claim 1, further comprising:
the deployment system receives feedback information sent by the server, wherein the feedback information indicates that the server has completed the analysis of the attack behavior of the network attack and also indicates the vulnerability targeted by the network attack;
the deployment system eliminates the vulnerability on the target physical host through the virtualization technology and redeploys a plurality of new virtual hosts.
7. The method of claim 1, further comprising:
the deployment system receives feedback information sent by the server, wherein the feedback information indicates that the virtual host has not uploaded the behavior record to the server within a preset time;
the deployment system reclaims the plurality of virtual hosts on the target physical host.
8. The method of claim 1, wherein the network restriction processing comprises restricting the number of network connections corresponding to the target physical host to fewer than a preset number, where the network connections are connections established between the target physical host and devices outside the local area network where the target physical host is located.
9. The method of claim 1, wherein the network restriction processing comprises discard processing or modification processing, wherein the discard processing is used to discard the offensive data packet and the modification processing is used to render the offensive data packet harmless.
10. A deployment system for a virtual host, the system comprising:
a receiving unit, configured to receive a monitoring request sent by user equipment (UE);
a monitoring unit, configured to monitor whether an idle target physical host exists in a physical host network formed by a plurality of physical hosts and, if the idle target physical host exists, to trigger the deployment unit;
the deployment unit, configured to deploy a plurality of virtual hosts on the target physical host through a virtualization technology, wherein the virtual hosts are used for bearing network attacks and collecting behavior records of the network attacks, the virtual hosts are also used for uploading the behavior records to a server, and the server is used for storing the behavior records and analyzing the attack behavior of the network attacks based on the behavior records;
a determining unit, configured to determine a target gateway device corresponding to the target physical host, wherein the target gateway device is configured to manage data transmission between the local area network where the target physical host is located and an external network;
a sending unit, configured to send indication information to the target gateway device, wherein the indication information is used for instructing the target gateway device to perform network restriction processing on an offensive data packet corresponding to a springboard attack when the virtual host launches the springboard attack, and the springboard attack comprises an attack behavior launched, under the action of attack traffic from the external network, with the target physical host as a transfer station (a pivot).
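The following Python is an added illustration, not code from the patent or its applicant. It models the workflow the description above and claims 1, 3, 4 and 6 to 9 lay out: pick an idle physical host, choose a decoy profile from the host service identifier, prepare the restriction the gateway must apply to pivot traffic, and react to server feedback. Everything concrete in it is assumed: host names, addresses, thresholds, the profile table, the vulnerability labels, and the rendering of the "indication information" as iptables rules (the claims fix no format for it).

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Restriction(Enum):
    CONNLIMIT = "connlimit"  # claim 8: cap connections leaving the LAN
    DROP = "drop"            # claim 9: discard the offensive packet
    MODIFY = "modify"        # claim 9: neutralise it (here: DNAT to a sinkhole)


@dataclass
class PhysicalHost:
    name: str
    ip: str
    service_id: str          # host service identifier (claim 3)
    gateway: str             # target gateway device of the host's LAN (claim 1)
    storage_usage: float     # fraction of storage resources in use
    dormant_periods: int     # consecutive monitoring periods spent dormant
    idle_flag: bool = False  # explicit idle identifier on the host


IDLE_STORAGE_RATIO = 0.10  # assumed "preset idle utilisation rate"
DORMANT_PERIODS = 3        # assumed "preset monitoring period", in periods

# Claim 3: service identifier -> configuration identifier -> configuration file.
# Profiles and "preset vulnerability" labels are constructed; none is a real CVE.
VIRTUAL_HOST_LIST = {"web": "decoy-web", "db": "decoy-db"}
CONFIG_DB = {
    "decoy-web": {"count": 3, "services": ["http/80", "ssh/22"],
                  "vulns": ["weak-ssh-password", "outdated-http-server"]},
    "decoy-db": {"count": 2, "services": ["mysql/3306", "ssh/22"],
                 "vulns": ["default-db-credentials"]},
}


def is_idle(host: PhysicalHost) -> bool:
    """Claim 4: any ONE of the three tests makes the host a deployment target."""
    return (host.storage_usage < IDLE_STORAGE_RATIO
            or host.dormant_periods >= DORMANT_PERIODS
            or host.idle_flag)


def select_config(host: PhysicalHost) -> dict | None:
    """Claim 3: look the host's service id up in the virtual host list."""
    config_id = VIRTUAL_HOST_LIST.get(host.service_id)
    return CONFIG_DB.get(config_id) if config_id else None


def gateway_rules(host: PhysicalHost, restriction: Restriction,
                  max_conns: int = 5, sink: str = "192.0.2.254") -> list[str]:
    """Claims 1, 8, 9: the 'indication information', rendered as iptables rules
    (an assumption). Only connections the decoy itself initiates (ctstate NEW,
    source = decoy) are restricted; replies to inbound attacks are ESTABLISHED."""
    src = f"-s {host.ip}"
    if restriction is Restriction.CONNLIMIT:
        return [f"iptables -A FORWARD {src} -p tcp --syn -m connlimit "
                f"--connlimit-above {max_conns} --connlimit-mask 32 -j DROP"]
    if restriction is Restriction.DROP:
        return [f"iptables -A FORWARD {src} -m conntrack --ctstate NEW -j DROP"]
    # MODIFY: the pivot attempt is rewritten to land on a sinkhole, not a victim.
    return [f"iptables -t nat -A PREROUTING {src} -m conntrack --ctstate NEW "
            f"-j DNAT --to-destination {sink}"]


@dataclass
class Deployment:
    host: PhysicalHost
    config: dict
    rules: list[str]
    active: bool = True


def deploy(inventory: list[PhysicalHost],
           restriction: Restriction = Restriction.CONNLIMIT) -> list[Deployment]:
    """Claim 1: pick idle hosts, choose a decoy profile, prepare the gateway rules.
    Apply the rules BEFORE the decoys go live, or the first pivot is unconstrained."""
    out = []
    for host in inventory:
        if not is_idle(host):
            continue
        config = select_config(host)
        if config is None:  # no decoy profile for this service: skip, don't improvise
            continue
        out.append(Deployment(host, config, gateway_rules(host, restriction)))
    return out


def handle_feedback(dep: Deployment, feedback: dict) -> str:
    """Claims 6 and 7: react to feedback from the analysis server."""
    if feedback.get("status") == "no_record":  # decoy stopped reporting: reclaim it
        dep.active = False
        return "reclaimed"
    if feedback.get("status") == "analysed":   # exploited vulnerability: rotate it out
        vuln = feedback["vulnerability"]
        dep.config = {**dep.config, "vulns": [v for v in dep.config["vulns"] if v != vuln]}
        return "redeployed"
    return "ignored"


# Constructed sample inventory; names, addresses and utilisation figures are made up.
INVENTORY = [
    PhysicalHost("web-07", "10.0.1.7", "web", "gw-1", 0.05, 0),
    PhysicalHost("db-02", "10.0.1.12", "db", "gw-1", 0.70, 4),
    PhysicalHost("app-03", "10.0.1.33", "app", "gw-1", 0.02, 0),  # idle, no profile
    PhysicalHost("web-01", "10.0.1.1", "web", "gw-1", 0.80, 0),   # busy
]
```

Calling `deploy(INVENTORY, Restriction.DROP)` yields deployments for web-07 and db-02 only: app-03 is idle but has no decoy profile, and web-01 fails all three idleness tests. The one design point worth taking from the claims is in `gateway_rules`: the restriction is keyed on connections the decoy originates, not on its address as a whole. A rule that simply dropped every packet with the decoy as source would also drop the decoy's replies to the attacker, and the honeypot would stop capturing anything.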

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910561171.4A CN110505195A (en) 2019-06-26 2019-06-26 Method and system for deploying a virtual host

Publications (1)

Publication Number Publication Date
CN110505195A (en) 2019-11-26

Family

ID=68585715

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113094510A (en) * 2021-04-01 2021-07-09 广州巨时信息科技股份有限公司 Intelligent processing method and device for network security data mapping

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101567887A (en) * 2008-12-25 2009-10-28 中国人民解放军总参谋部第五十四研究所 Vulnerability simulation overload honeypot method
CN101593134A (en) * 2009-06-29 2009-12-02 北京航空航天大学 Virtual machine CPU resource allocation method and device
CN102232282A (en) * 2010-10-29 2011-11-02 华为技术有限公司 Method and apparatus for realizing load balance of resources in a data center
CN102307133A (en) * 2011-03-25 2012-01-04 国云科技股份有限公司 Method for scheduling virtual machines on a public cloud platform
CN103561004A (en) * 2013-10-22 2014-02-05 西安交通大学 Cooperative active defense system based on honeynets
CN104935580A (en) * 2015-05-11 2015-09-23 国家电网公司 Information security control method and system based on a cloud platform
CN105553948A (en) * 2015-12-08 2016-05-04 国云科技股份有限公司 Virtual-machine-based elastic anti-attack method
CN107168774A (en) * 2017-06-14 2017-09-15 北京云联万维技术有限公司 Virtual machine migration method and system based on local storage
US9935851B2 (en) * 2015-06-05 2018-04-03 Cisco Technology, Inc. Technologies for determining sensor placement and topology
CN109617878A (en) * 2018-12-13 2019-04-12 烽台科技(北京)有限公司 Honeynet construction method and system, and computer-readable storage medium
CN109768993A (en) * 2019-03-05 2019-05-17 中国人民解放军32082部队 High-coverage intranet honeypot system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
刘烃 et al., "Research on integrated security threats and defenses of cyber-physical systems", 自动化学报 (Acta Automatica Sinica) *
董国锋, "Implementation and analysis of a collaboration-based virtual honeynet", China Master's Theses Full-text Database, Information Science and Technology *

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191126