CN113535632A - Honeypot system, attack information capturing method, and storage medium - Google Patents
Honeypot system, attack information capturing method, and storage medium
- Publication number
- CN113535632A (application CN202110812479.9A)
- Authority
- CN
- China
- Prior art keywords
- peripheral
- protocol
- honeypot
- processor
- core
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F15/00—Digital computers in general; Data processing equipment in general
- G06F15/16—Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
- G06F15/177—Initialisation or configuration control
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F15/00—Digital computers in general; Data processing equipment in general
- G06F15/76—Architectures of general purpose stored program computers
- G06F15/78—Architectures of general purpose stored program computers comprising a single central processing unit
- G06F15/7807—System on chip, i.e. computer system on a single chip; System in package, i.e. computer system on one or more chips in a single package
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/4401—Bootstrapping
- G06F9/4405—Initialisation of multiprocessor systems
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/4401—Bootstrapping
- G06F9/4411—Configuring for operating with peripheral devices; Loading of device drivers
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/50—Allocation of resources, e.g. of the central processing unit [CPU]
- G06F9/5005—Allocation of resources, e.g. of the central processing unit [CPU] to service a request
- G06F9/5027—Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals
- G06F9/505—Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals considering the load
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Microelectronics & Electronic Packaging (AREA)
- Computer And Data Communications (AREA)
Abstract
The disclosure provides a honeypot system, an attack information capturing method and a computer-readable storage medium, and relates to the technical field of information security. The honeypot system includes: a system-on-chip (SoC) integrating a plurality of processors, wherein different processors adopt different processor architectures; a plurality of peripheral IP cores, wherein different peripheral IP cores adopt different protocols; IO modules corresponding one-to-one to the peripheral IP cores; and a memory for storing executable instructions of the processors. The processors, the peripheral IP cores and the IO modules can form various subsystems for capturing attack information under different processor architectures. The honeypot system disclosed by the invention supports the capture of attack information under different protocols, breaks through the limitation of related-art honeypot systems that support only a single protocol, widens the application range, and is particularly suited to the industrial Internet, which involves a variety of industrial control protocols.
Description
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to a honeypot system, an attack information capturing method, and a computer-readable storage medium.
Background
Honeypot technology is an active defense technology against network attacks: a device (namely, a honeypot system) is deployed as bait, an attacker is induced to attack the honeypot system, the resulting attack information is captured and analyzed, and the corresponding active defense is implemented.
In the related art, most honeypot systems only support a single protocol, and attack information cannot be captured in scenes beyond the protocol, so that the application range of the honeypot systems is greatly limited.
Disclosure of Invention
The present disclosure provides a honeypot system, an attack information capturing method, and a computer-readable storage medium, thereby solving, at least to some extent, a problem that the honeypot system supports only a single protocol.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to a first aspect of the present disclosure, there is provided a honeypot system comprising: a system on chip (SoC) integrated with a plurality of processors; a plurality of peripheral IP cores embedded in the SoC, wherein at least two peripheral IP cores adopt different protocols; the IO modules correspond to the peripheral IP cores one by one; a memory for storing executable instructions of the processor; the processors, the peripheral IP cores and the IO modules can form various subsystems and are used for capturing attack information under different protocols.
Optionally, the processor architectures adopted by at least two of the plurality of processors are different.
Optionally, the processor architecture adopted by the processor includes any of the following: x86 architecture, ARM architecture, MIPS architecture, C51 architecture.
Optionally, the protocol adopted by the peripheral IP core includes any of the following: TCP/IP protocol, BACnet protocol, Modbus protocol, MQTT protocol, AMQP protocol, CoAP protocol, WiFi protocol, Bluetooth protocol, Zigbee protocol, NFC protocol, GPS protocol, LORA protocol, 2G wireless communication protocol, 3G wireless communication protocol, 4G wireless communication protocol and 5G wireless communication protocol.
According to a second aspect of the present disclosure, there is provided an attack information capturing method applied to the honeypot system according to the first aspect, the method including: configuring at least one processor, at least one peripheral IP core and at least one IO module of the honeypot system according to honeypot configuration information to form a subsystem corresponding to the honeypot configuration information; and capturing attack information under a protocol adopted by the peripheral IP core by utilizing the subsystem.
Optionally, the honeypot system includes a first processor, a first peripheral IP core, and a first IO module, where the first peripheral IP core corresponds to the first IO module; before configuring at least one processor, at least one peripheral IP core, and at least one IO module of the honeypot system according to honeypot configuration information, the method further includes: when the honeypot system is started, loading a bootstrap program by using the first processor so as to configure the first peripheral IP core and the first IO module to be in a working state; registering to a main control device through the first peripheral IP core and the first IO module; and after the main control equipment is registered, initializing other processors except the first processor, other peripheral IP cores except the first peripheral IP core and other IO modules except the first IO module.
Optionally, after the registration with the master control device is completed, the method further includes: and receiving the honeypot configuration information sent by the main control equipment.
Optionally, when capturing attack information, the method further includes: and sending the workload information to the main control equipment, so that the main control equipment updates the honeypot configuration information according to the workload information.
Optionally, after capturing the attack information, the method further includes: and when the attack information is successfully matched with the preset rule, sending the attack information to the main control equipment.
According to a third aspect of the present disclosure, a computer-readable storage medium is provided, on which a computer program is stored, which, when executed by a processor, implements the attack information capture method of the second aspect described above and possible implementations thereof.
The technical scheme of the disclosure has the following beneficial effects:
The honeypot system integrates different IP cores in an SoC. On the one hand, it can support the capture of attack information under different protocols, breaks through the limitation of related-art honeypot systems that support only a single protocol, widens the application range, is particularly beneficial for industrial internets involving various industrial control protocols, has good clipping characteristics, and can be flexibly adjusted according to the target scene. On the other hand, the scheme is functionally equivalent to deploying a plurality of physical honeypot machines, and compared with that arrangement, integrating a plurality of IP cores in the SoC saves the total PCB area and occupied space of the equipment, and reduces the power consumption and the dimensionality difficulty.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is apparent that the drawings in the following description are only some embodiments of the present disclosure, and that other drawings can be obtained from those drawings without inventive effort for a person skilled in the art.
FIG. 1 shows a schematic block diagram of a honeypot system in the present exemplary embodiment;
FIG. 2 shows a schematic diagram of a system architecture in the present exemplary embodiment;
fig. 3 shows a flowchart of an attack information capturing method in the present exemplary embodiment;
FIG. 4 illustrates a flow diagram of system initialization in the exemplary embodiment;
fig. 5 shows a schematic flowchart of an attack information capturing method in the present exemplary embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and the like. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the steps. For example, some steps may be decomposed, and some steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
With the increasing demand of the industrial internet for information security, the honeypot technology is applied to the industrial internet more and more. However, compared to the traditional internet, the industrial internet involves more kinds of industrial control protocols, and in a large industrial control system, communication protocols of the traditional internet and a plurality of industrial control protocols may be involved, and the current honeypot system cannot completely cover the protocols, so that attack information cannot be sufficiently captured.
In view of the above, exemplary embodiments of the present disclosure provide a honeypot system. Referring to fig. 1, the honeypot system 100 can include: a SoC (System-on-Chip) 110 on which a plurality of processors (111, 112, 113) are integrated; a plurality of peripheral IP cores (Intellectual Property cores) (121, 122, 123) embedded in the SoC 110; a plurality of IO (Input/Output) modules (131, 132, 133); a memory 140.
It should be understood that the number of components in fig. 1 is merely exemplary, and any number of processors, peripheral IP cores, IO modules, etc. may be provided as desired. In addition, the honeypot system 100 can also include other components not shown in FIG. 1, such as a display module, a sensor module, and the like.
The SoC 110 may be an SoC chip designed in a Hardware Description Language (HDL), including but not limited to VHDL (VHSIC Hardware Description Language), Verilog HDL, and the like. The SoC 110 may be implemented, for example, as an EPLD (Erasable Programmable Logic Device), a CPLD (Complex Programmable Logic Device), an FPGA (Field Programmable Gate Array), or a hybrid CPU-FPGA device.
In one embodiment, the SoC110 may adopt a hybrid CPU-FPGA architecture, and the plurality of processors (111, 112, 113) may include a CPU built in the FPGA, and may also include an MCU (Microcontroller Unit) formed based on an IP core (Intellectual Property core).
In one embodiment, the processor architectures employed by at least two of the plurality of processors (111, 112, 113) are different, i.e., the processors in the honeypot system 100 do not all use the same architecture, and may use any of the following: the x86 architecture, the ARM (Advanced RISC Machine) architecture, the MIPS (Microprocessor without Interlocked Pipeline Stages) architecture, the C51 architecture (a 51-series single-chip microcontroller architecture), and the like. Illustratively, the processor 111 may be the CPU built into an SoC 110 of hybrid CPU-FPGA architecture and use the x86 architecture; the processor 112 may use the ARM architecture; and the processor 113 may use the C51 architecture.
The plurality of peripheral IP cores (121, 122, 123) are peripheral modules based on IP cores, and may be soft cores implementing various functions, where at least two of the peripheral IP cores use different protocols, that is, the peripheral IP cores in the honeypot system 100 do not all use the same protocol, and may use any of the following: the TCP/IP protocol (Transmission Control Protocol/Internet Protocol), the BACnet protocol (Building Automation and Control Networks), the Modbus protocol (a serial communication protocol published by Modicon), the MQTT protocol (Message Queuing Telemetry Transport), the AMQP protocol (Advanced Message Queuing Protocol), the CoAP protocol (Constrained Application Protocol), the WiFi protocol, the Bluetooth protocol, the Zigbee protocol, the NFC protocol (Near Field Communication), the GPS protocol (Global Positioning System), the LoRa protocol (Long Range radio), the 2G/3G/4G/5G wireless communication protocols, and the like. Illustratively, the peripheral IP core 121 may employ the TCP/IP protocol; the peripheral IP core 122 may employ the Modbus protocol; and the peripheral IP core 123 may employ a 2G/3G/4G/5G wireless communication protocol.
Different processors (111, 112, 113) and different peripheral IP cores (121, 122, 123) in the SoC110 may be connected by an internal Bus, which may be an AHB (Advanced High Performance Bus) or the like.
The IO modules (131, 132, 133) may be peripheral circuit modules corresponding to the peripheral IP cores (121, 122, 123), for example analog and radio-frequency circuits, so as to implement the corresponding functions. Illustratively, the IO module 131 may be an Ethernet PHY (physical layer) circuit module; the IO module 132 may be an RS422 or RS485 (both serial data interface standards) driver, a CAN bus (Controller Area Network bus) driver, or another peripheral driving circuit module; and the IO module 133 may be an LTE (Long Term Evolution) peripheral driver circuit.
The memory 140 is used to store executable instructions of the processors, and may for example hold a honeypot program. In one embodiment, the memory 140 may include a non-volatile memory 141 and a volatile memory 142. The non-volatile memory 141 may be a PROM (Programmable Read-Only Memory), an EPROM (Erasable PROM), an EEPROM (Electrically Erasable PROM), NOR flash, NAND flash, or the like; the volatile memory 142 may be DDR (Double Data Rate) memory, DDR2 (second-generation DDR), DDR3 (third-generation DDR), or the like. Generally, the honeypot program is stored in the non-volatile memory 141, loaded into the volatile memory 142 at runtime, and its instructions are read from the volatile memory 142 and executed by a processor.
In the honeypot system 100, one processor, one peripheral IP core, and one IO module may form a system capable of exchanging data with the outside and processing that data, which is referred to as a subsystem of the honeypot system 100 in this exemplary embodiment. It should be noted that a subsystem usually needs a certain amount of storage space for the program it runs and related data, so the subsystem may also include a memory. In general, the memory 140 is shared by the subsystems rather than a separate memory being provided for each, and thus the memory is omitted here when explaining the composition of the subsystems. A subsystem can run the honeypot program and act as a relatively independent honeypot device for capturing attack information. The exemplary embodiment may form a plurality of subsystems by combining the plurality of processors (111, 112, 113), the plurality of peripheral IP cores (121, 122, 123), and the plurality of IO modules (131, 132, 133) in different ways, and each subsystem may capture attack information under the protocol adopted by the peripheral IP core in that subsystem. That is, the honeypot system 100 can capture attack information under different protocols.
Three subsystems are illustrated below:
(1) The SoC 110 adopts a hybrid CPU-FPGA architecture; the processor 111 is the CPU built into the SoC 110 and adopts the x86 architecture; the peripheral IP core 121 is an Ethernet IP core and adopts the TCP/IP protocol; the IO module 131 is an Ethernet PHY circuit module; and the processor 111, the peripheral IP core 121, and the IO module 131 form subsystem 1. Subsystem 1 can exchange data with the outside based on the TCP/IP protocol, and attack information can be captured under the TCP/IP protocol by running a honeypot program on subsystem 1, so that honeypot technology is applied in a traditional Internet scene.
(2) The processor 112 adopts a C51 architecture, the peripheral IP core 122 adopts a Modbus protocol, the IO module 132 is an RS422 peripheral driver circuit module, and the processor 112, the peripheral IP core 122, and the IO module 132 form a subsystem 2. The subsystem 2 can carry out data interaction with the outside based on a Modbus protocol, attack information can be captured under the Modbus protocol by running a honeypot program on the subsystem 2, and application of honeypot technology in industrial internet scenes is achieved.
(3) The processor 113 adopts an ARM architecture, the peripheral IP core 123 adopts a 4G communication protocol, the IO module 133 is an LTE peripheral driving circuit module, and the processor 113, the peripheral IP core 123, and the IO module 133 form a subsystem 3. The subsystem 3 can perform data interaction with the outside based on a 4G wireless communication protocol, and attack information can be captured under the 4G wireless communication protocol by running a honeypot program on the subsystem 3, so that the application of honeypot technology in mobile communication scenes such as telephones, short messages and the like is realized.
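The following is an added example, not code from the patent: a model of the honeypot SoC that forms subsystems from honeypot configuration information as in step S310 and checks that the requested architecture and protocol match the hardware and that no processor, IP core or IO module is claimed twice. The class names, the component names (`processor111`, `core121`, `io131`, ...) and the layout of the configuration records are assumptions; the three subsystems built at the end follow examples (1) to (3) above.

```python
# Added example (not the patent's own code): a model of the honeypot SoC of
# fig. 1 that forms subsystems from honeypot configuration information.  The
# class names, the config record layout and the component names are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Processor:
    name: str
    arch: str            # processor architecture, e.g. "x86", "ARM", "C51"


@dataclass(frozen=True)
class PeripheralIPCore:
    name: str
    protocol: str        # protocol the soft core speaks, e.g. "TCP/IP", "Modbus", "4G"
    io_module: str       # name of the one IO module paired with this core


@dataclass(frozen=True)
class IOModule:
    name: str
    kind: str            # peripheral circuit, e.g. "Ethernet PHY", "RS422", "LTE"


@dataclass
class Subsystem:
    processor: Processor
    ip_core: PeripheralIPCore
    io_module: IOModule

    @property
    def protocol(self) -> str:
        return self.ip_core.protocol


class HoneypotSoC:
    """Processors, peripheral IP cores and IO modules integrated on one SoC."""

    def __init__(self, processors, ip_cores, io_modules):
        self.processors = {p.name: p for p in processors}
        self.ip_cores = {c.name: c for c in ip_cores}
        self.io_modules = {m.name: m for m in io_modules}
        self.subsystems = {}
        self._assigned = set()   # components already bound to a subsystem

    def configure(self, config):
        """Step S310: each config entry names a processor and a peripheral IP core
        (optionally the architecture and protocol it expects); the IO module follows
        from the core's one-to-one pairing.  Conflicting entries are rejected."""
        for entry in config:
            proc = self.processors[entry["processor"]]
            core = self.ip_cores[entry["ip_core"]]
            io = self.io_modules[core.io_module]
            if entry.get("arch", proc.arch) != proc.arch:
                raise ValueError(f"{proc.name} is {proc.arch}, config wants {entry['arch']}")
            if entry.get("protocol", core.protocol) != core.protocol:
                raise ValueError(f"{core.name} speaks {core.protocol}, config wants {entry['protocol']}")
            for component in (proc.name, core.name, io.name):
                if component in self._assigned:
                    raise ValueError(f"{component} already belongs to another subsystem")
            self.subsystems[entry["id"]] = Subsystem(proc, core, io)
            self._assigned.update((proc.name, core.name, io.name))
        return self.subsystems

    def protocols_covered(self):
        """Protocols under which attack information can currently be captured."""
        return sorted({s.protocol for s in self.subsystems.values()})


def build_fig1_system() -> HoneypotSoC:
    """Components of the three subsystems described in (1)-(3) above (constructed names)."""
    return HoneypotSoC(
        processors=[Processor("processor111", "x86"),
                    Processor("processor112", "C51"),
                    Processor("processor113", "ARM")],
        ip_cores=[PeripheralIPCore("core121", "TCP/IP", "io131"),
                  PeripheralIPCore("core122", "Modbus", "io132"),
                  PeripheralIPCore("core123", "4G", "io133")],
        io_modules=[IOModule("io131", "Ethernet PHY"),
                    IOModule("io132", "RS422"),
                    IOModule("io133", "LTE")],
    )


# Constructed honeypot configuration information for the three subsystems.
FIG1_CONFIG = [
    {"id": "subsystem1", "processor": "processor111", "ip_core": "core121", "arch": "x86", "protocol": "TCP/IP"},
    {"id": "subsystem2", "processor": "processor112", "ip_core": "core122", "arch": "C51", "protocol": "Modbus"},
    {"id": "subsystem3", "processor": "processor113", "ip_core": "core123", "arch": "ARM", "protocol": "4G"},
]


def configure_fig1() -> HoneypotSoC:
    soc = build_fig1_system()
    soc.configure(FIG1_CONFIG)
    return soc


if __name__ == "__main__":
    soc = configure_fig1()
    for sid, sub in soc.subsystems.items():
        print(sid, sub.processor.arch, sub.protocol, sub.io_module.kind)
    print("protocols covered:", soc.protocols_covered())
```

The validation in `configure` is the part worth keeping in a real honeypot program: configuration information arrives from outside the SoC (from the master device or from memory), so a record that names the wrong architecture for a processor or binds one IP core into two subsystems should be rejected before anything is put into the working state.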
As can be seen from the above, the honeypot system of the present exemplary embodiment integrates different IP cores by means of an SoC. On the one hand, it can support the capture of attack information under different protocols, breaks through the limitation of related-art honeypot systems that support only a single protocol, widens the application range, is particularly beneficial for industrial internets involving various industrial control protocols, has good clipping characteristics, and can be flexibly adjusted according to the target scene. On the other hand, the scheme is functionally equivalent to deploying a plurality of physical honeypot machines, and compared with that arrangement, integrating a plurality of IP cores in the SoC saves the total PCB (Printed Circuit Board) area and occupied space of the equipment, and reduces the power consumption and the dimensionality difficulty.
Exemplary embodiments of the present disclosure also provide an attack information capturing method. Fig. 2 shows a system architecture of an environment in which the method operates, and may include the honeypot system 100 and the master device 200. The main control device 200 may be a server or a PC (Personal Computer) for controlling the honeypot system 100. The honeypot system 100 and the master control device 200 can be connected through a wired or wireless link for data interaction, for example, the two can be connected based on ethernet and TCP/IP protocol.
The attack information capturing method in the present exemplary embodiment can be applied to the honeypot system 100 described above. Fig. 3 shows an exemplary flow of the attack information capturing method, which may include the following steps S310 and S320:
step S310, configuring at least one processor, at least one peripheral IP core and at least one IO module of the honeypot system according to the honeypot configuration information to form a subsystem corresponding to the honeypot configuration information.
The honeypot configuration information is information for configuring the architecture and protocol of the honeypot system, and may be configured in the honeypot program. Generally, according to the architecture and protocol required by the honeypot configuration information, the corresponding processor, peripheral IP core, and IO module are put into the working state, thereby forming a specific subsystem.
In one embodiment, the honeypot system can include a first processor, a first peripheral IP core, and a first IO module. The first processor may be a main processor on the SoC, such as a processor responsible for running an operating system. The first peripheral IP core corresponds to the first IO module, for example, the first peripheral IP core may be an ethernet IP core, and the first IO module may be a PHY circuit module of an ethernet. Before configuring at least one processor, at least one peripheral IP core, and at least one IO module of the honeypot system according to the honeypot configuration information, as shown in fig. 4, the following steps S410 to S430 may be performed:
step S410, when the honeypot system is started, a first processor is used for loading a bootstrap program so as to configure a first peripheral IP core and a first IO module to be in a working state;
step S420, registering to the main control equipment through the first peripheral IP core and the first IO module;
step S430, after the registration to the main control device is completed, initializing other processors except the first processor, other peripheral IP cores except the first peripheral IP core, and other IO modules except the first IO module.
The starting of the honeypot system refers to powering on and starting up the system, and the boot program may be an initialization program after starting up, and includes configuring the first peripheral IP core and the first IO module to a working state. The first peripheral IP core and the first IO module are IP cores and IO modules related to the Ethernet, and after the first processor finishes loading the bootstrap program, the honeypot system can be connected with the outside through the Ethernet and further registered with the main control equipment.
From the above, the first processor, the first peripheral IP core and the first IO module may form a minimal subsystem for running the honeypot system, comprising the basic processing unit and the communication unit. Of course, the present disclosure does not limit what the first processor, the first peripheral IP core, and the first IO module are: for example, the boot program may be loaded by the processor with the lowest power consumption, so the first processor may be a 51-series 8-bit single-chip microcontroller; the honeypot system and the main control device may also be connected over an RS422 port using the Modbus protocol, in which case the first peripheral IP core may be an IP core using the Modbus protocol and the first IO module an RS422 peripheral driver circuit module.
The registration is mainly an authentication process: for example, the honeypot system establishes a connection, such as a persistent (long-lived) connection, with the master control device and then sends authentication information and the like to it, and once the master control device has verified that information, the subsequent honeypot deployment can proceed; of course, the honeypot system can also authenticate the master control device, that is, the two sides perform mutual authentication. The registration may also include information synchronization, for example the honeypot system sends system information, current state information, and the like to the master device, so that the master device can make the corresponding control decisions.
After the registration is completed, the honeypot system further initializes other processors, other peripheral IP cores, and other IO modules. It should be understood that the honeypot system can initialize only the required processors, peripheral IP cores, IO modules.
In one embodiment, honeypot configuration information may be deployed by a master device, for example, relevant feature data including system architecture, implementation tasks, task timing, whether to upload workload information, and the like may be edited on the master device by a worker to form honeypot configuration information. After the honeypot system is registered with the main control device, the honeypot system can receive honeypot configuration information sent by the main control device, namely, after the honeypot system is started each time, the main control device sends the honeypot configuration information to the honeypot system so as to configure the system.
In one embodiment, the honeypot configuration information can be deployed directly on the honeypot system: for example, one or more sets of preset honeypot configuration information can be stored in the memory of the honeypot system, and after completing initialization the honeypot system reads the honeypot configuration information from the memory to configure the system.
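As an added example (not code from the patent), the startup sequence S410 to S430 and the configuration hand-over of the two embodiments above, simulated with both sides' messages: the honeypot boots only its first subsystem, registers with the master device, and only then initializes the remaining components and applies either the configuration the master sends or the preset one in memory. The text says only that "authentication information" is exchanged and that the sides may authenticate each other; the HMAC-SHA256 challenge-response used here for that mutual authentication, the message layout, the shared key and the component names are all assumptions.

```python
# Added example (not the patent's own code): a simulation of startup steps
# S410-S430 and the configuration hand-over, with both sides' messages.  The
# HMAC challenge-response used for mutual authentication, the message layout
# and the shared key are assumptions; the text only says that "authentication
# information" is exchanged and that the two sides may authenticate each other.
import hashlib
import hmac
import json
import os

SHARED_KEY = b"constructed-demo-key"   # constructed; provision per device in practice


def _tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the message parts (assumed authentication scheme)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class MasterDevice:
    """Server/PC controlling the honeypot; deploys honeypot configuration information."""

    def __init__(self, key: bytes, honeypot_config):
        self.key = key
        self.honeypot_config = honeypot_config   # None when the config lives on the honeypot
        self.registered = {}                     # device id -> synchronised system info
        self._nonces = {}

    def challenge(self, device_id: str) -> bytes:
        nonce = os.urandom(16)
        self._nonces[device_id] = nonce
        return nonce

    def register(self, device_id: str, system_info: dict, tag: bytes):
        """Check the honeypot's proof, answer with the master's own proof and the config."""
        nonce = self._nonces.pop(device_id, None)
        if nonce is None:
            return None
        info = json.dumps(system_info, sort_keys=True).encode()
        expected = _tag(self.key, b"honeypot", device_id.encode(), nonce, info)
        if not hmac.compare_digest(expected, tag):
            return None                          # authentication failed: no deployment
        self.registered[device_id] = system_info
        return {"master_tag": _tag(self.key, b"master", device_id.encode(), nonce),
                "config": self.honeypot_config}


class HoneypotSystem:
    """Honeypot SoC: minimal subsystem first, register, then bring up the rest."""

    def __init__(self, device_id, key, components, first_subsystem, stored_config=None):
        self.device_id = device_id
        self.key = key
        self.components = set(components)            # every processor, IP core, IO module
        self.first_subsystem = set(first_subsystem)  # first processor, IP core, IO module
        self.stored_config = stored_config           # preset config kept in memory
        self.working = set()
        self.config = None
        self.state = "off"

    def boot(self):
        """S410: the first processor loads the bootstrap program, which puts only
        the first peripheral IP core and first IO module into the working state."""
        self.working = set(self.first_subsystem)
        self.state = "booted"

    def register(self, master: MasterDevice) -> bool:
        """S420: register via the first IP core/IO module with mutual authentication."""
        assert self.state == "booted"
        nonce = master.challenge(self.device_id)
        system_info = {"components": sorted(self.components), "working": sorted(self.working)}
        info = json.dumps(system_info, sort_keys=True).encode()
        tag = _tag(self.key, b"honeypot", self.device_id.encode(), nonce, info)
        reply = master.register(self.device_id, system_info, tag)
        if reply is None:
            return False
        expected = _tag(self.key, b"master", self.device_id.encode(), nonce)
        if not hmac.compare_digest(expected, reply["master_tag"]):
            return False                            # the master could not prove itself
        self.config = reply["config"]
        self.state = "registered"
        return True

    def initialize_others(self):
        """S430: initialise the remaining processors, IP cores and IO modules."""
        assert self.state == "registered"
        self.working = set(self.components)
        self.state = "initialized"

    def apply_config(self):
        """Use the configuration received from the master, else the preset one in memory."""
        assert self.state == "initialized"
        if self.config is None:
            self.config = self.stored_config
        self.state = "configured"
        return self.config


def startup(honeypot: HoneypotSystem, master: MasterDevice) -> str:
    """Run S410-S430 and the configuration step; returns the honeypot's final state."""
    honeypot.boot()
    if not honeypot.register(master):
        return honeypot.state                       # stays "booted": nothing else is initialised
    honeypot.initialize_others()
    honeypot.apply_config()
    return honeypot.state
```

The ordering is the security-relevant part: a failed registration leaves the honeypot in the `booted` state with only the first subsystem powered, so an unauthenticated party cannot cause the remaining processors and IO modules to be brought up or a configuration to be applied.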
In one embodiment, multiple processors with different processor architectures may be configured into one heterogeneous subsystem; for example, a 51-series microcontroller and an STM32 (an ARM-based embedded microcontroller) are configured into one subsystem, which then contains both a C51 architecture and an ARM architecture, increasing the diversity and flexibility of the subsystem.
Step S320, capturing attack information under the protocol adopted by the peripheral IP core by using the subsystem.
After the relevant processor, peripheral IP core and IO module have been configured to form a subsystem, the subsystem can execute the relevant instructions of the honeypot program and capture attack information under the protocol adopted by the configured peripheral IP core. For example, in the honeypot system 100 of fig. 1, the processor 111, the peripheral IP core 121 and the IO module 131 are configured to form subsystem 1, which captures attack information under the TCP/IP protocol; the processor 112, the peripheral IP core 122 and the IO module 132 are configured to form subsystem 2, which captures attack information under the Modbus protocol; and the processor 113, the peripheral IP core 123 and the IO module 133 are configured to form subsystem 3, which captures attack information under a 4G wireless communication protocol.
With the method shown in fig. 3, the processors, peripheral IP cores and IO modules of the honeypot system can be configured according to actual requirements to form the corresponding subsystem and capture attack information under a target protocol; a plurality of processors, peripheral IP cores and IO modules can also be configured so that attack information is captured under a plurality of protocols at the same time.
In one embodiment, the attack information capturing method may further include the steps of:
while attack information is being captured, sending workload information to the master control device, so that the master control device updates the honeypot configuration information according to the workload information.
Workload information describes the load on each component of the honeypot system, including processor utilization, memory utilization, IO module utilization, total power consumption and the like. The master control device can adjust the configuration of the honeypot system according to the workload information and thereby update the honeypot configuration information. For example, when the workload is high, some of the processors, peripheral IP cores and IO modules that are in the working state may be taken out of service, or lower-power processors, peripheral IP cores and IO modules may be used instead; when the workload is low, some processors, peripheral IP cores and IO modules that are not in the working state may be brought into the working state, or higher-power ones may be used. The honeypot system then adjusts the configuration of each processor, peripheral IP core and IO module according to the updated honeypot configuration information, which changes the architecture of the subsystem. In this way the system architecture can be adjusted dynamically while attack information is being captured, which further improves the flexibility of the honeypot system.
For example, the honeypot system may include cores of different performance, such as the STM32 Cortex-M3, M4, M7 and M33 cores, listed here in the order of increasing performance and power consumption given by this embodiment. When the workload of the honeypot system changes significantly, the master control device may change the core to be used and issue the resulting honeypot configuration information, and the honeypot system switches cores accordingly; for example, when the workload increases, the subsystem is switched from the M7 core to the M4 core.
In one embodiment, the attack information capturing method may further include the following step:
after attack information has been captured, sending the attack information to the master control device when it successfully matches a preset rule.
A preset rule is a judgment rule determined from the characteristics of each type of attack information, and may be, for example, a regular expression. When the attack information successfully matches a preset rule, it is taken to represent an actual attack or penetration behaviour, and the data is sent to the master control device for storage, where it can subsequently be analysed to determine a corresponding active defence strategy. Moreover, because the honeypot system captures attack information under different protocols, correlation analysis can be performed across that attack information to obtain deeper analysis results.
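The preset-rule matching and the cross-protocol correlation described above, as an added example that is not part of the patent: the Capture fields, the four rules, the protocol scoping of rules and the sample captures are all constructed for illustration, and a real deployment would derive its rules from the characteristics of the attack types it expects.

```python
"""Preset-rule matching and cross-protocol correlation over captured attack
information. Added example, not code from the patent: the Capture layout, the
rule set and the sample captures are constructed for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Capture:
    subsystem: str          # the configured subsystem that captured it (assumed field)
    protocol: str           # protocol adopted by that subsystem's peripheral IP core
    source: str             # attacker identifier: IP address or phone number (assumed field)
    payload: str            # captured data rendered as text (hex for Modbus frames)
    matched: list = field(default_factory=list)   # names of preset rules that matched


# Preset rules as (name, protocol, compiled regex). A rule is only applied to
# captures from its protocol; these patterns are constructed for the example.
PRESET_RULES = [
    ("ssh-bruteforce", "TCP/IP",
     re.compile(r"Failed password for (?:invalid user )?\S+ from \S+")),
    ("http-path-traversal", "TCP/IP",
     re.compile(r"GET \S*(?:\.\./){2,}")),
    # Modbus/TCP frame in hex: txid(2) proto=0000(2) length(2) unit(1) function(1);
    # flag the write functions 05/06/0F/10, which change PLC state.
    ("modbus-write", "Modbus",
     re.compile(r"^[0-9a-f]{4}0000[0-9a-f]{4}[0-9a-f]{2}(?:05|06|0f|10)", re.I)),
    ("sms-binary-url", "4G",
     re.compile(r"https?://\S+\.(?:bin|sh|elf)\b", re.I)),
]


def match_rules(cap, rules=PRESET_RULES):
    """Names of the preset rules the capture matches, honouring protocol scope."""
    return [name for name, proto, rx in rules
            if proto == cap.protocol and rx.search(cap.payload)]


def select_for_master(captures, rules=PRESET_RULES):
    """Keep only captures that match at least one preset rule (these are the
    ones forwarded to the master control device) and record the rule names."""
    selected = []
    for cap in captures:
        hits = match_rules(cap, rules)
        if hits:
            cap.matched = hits
            selected.append(cap)
    return selected


def correlate_by_source(captures):
    """Map each source seen under more than one protocol to the sorted list of
    protocols it touched: the cross-protocol correlation the text describes."""
    protocols = defaultdict(set)
    for cap in captures:
        protocols[cap.source].add(cap.protocol)
    return {src: sorted(ps) for src, ps in protocols.items() if len(ps) > 1}


# Constructed sample captures from the three subsystems of fig. 1.
SAMPLE_CAPTURES = [
    Capture("subsystem1", "TCP/IP", "203.0.113.7",
            "Failed password for root from 203.0.113.7 port 51234 ssh2"),
    Capture("subsystem1", "TCP/IP", "203.0.113.7", "GET /../../../etc/passwd HTTP/1.1"),
    Capture("subsystem1", "TCP/IP", "198.51.100.2", "GET /index.html HTTP/1.1"),
    Capture("subsystem2", "Modbus", "203.0.113.7", "00010000000601050001ff00"),   # write single coil
    Capture("subsystem2", "Modbus", "192.0.2.5", "000100000006010300000001"),     # read holding regs
    Capture("subsystem3", "4G", "+15550001",
            "SMS: firmware update available at http://203.0.113.9/fw.bin"),
]

if __name__ == "__main__":
    forwarded = select_for_master(SAMPLE_CAPTURES)
    for cap in forwarded:
        print(cap.subsystem, cap.protocol, cap.source, cap.matched)
    print(correlate_by_source(forwarded))
```

Scoping each rule to a protocol matters: the Modbus frame pattern would otherwise be tried against SSH log lines and the URL pattern against Modbus hex, which wastes processor time on a constrained core and invites false matches. Only captures that match are forwarded, which is the filtering step the text describes, and the correlation then runs over the forwarded set on the master control device rather than on the honeypot.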
Fig. 5 shows a schematic flow of an attack information capturing method, including:
step S510, the honeypot system is powered on and started; the first processor loads a bootstrap program, and the first peripheral IP core and the first IO module are started;
step S520, the honeypot system exchanges data with the master control device through the first peripheral IP core and the first IO module, for example by registering with the master control device;
step S530, receiving the honeypot configuration information sent by the master control device and loading it;
step S540, determining whether the architecture needs to be adjusted; if yes, performing step S550, and if no, performing step S560;
step S550, receiving the updated honeypot configuration information sent by the master control device, and continuing with step S560;
step S560, configuring the processor, the peripheral IP core and the IO module according to the honeypot configuration information to form a subsystem with a specific architecture;
step S570, running the honeypot program on the subsystem and capturing attack information under the relevant protocol;
step S580, sending the attack information and the workload information to the master control device, where the attack information is used to analyse the attack behaviour pattern of the attacker and the workload information is used to update the honeypot configuration information.
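The configuration and workload-driven reconfiguration of steps S530 to S580, together with the workload-based core switching described earlier, as an added example that is not part of the patent: the inventory, the layout of the honeypot configuration information, the power figures, the load thresholds and the rule that only same-architecture processors are swapped are all assumptions.

```python
"""Forming subsystems from honeypot configuration information and updating that
configuration from workload information (steps S530 to S580 of fig. 5). Added
example, not code from the patent: the inventory, the configuration layout,
the power figures and the load thresholds are all assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Processor:
    pid: str
    arch: str       # processor architecture, e.g. "ARM" or "C51"
    core: str       # core name, e.g. "Cortex-M7"
    power_mw: int   # assumed relative power budget, used to rank cores


@dataclass(frozen=True)
class PeripheralIPCore:
    cid: str
    protocol: str   # protocol the IP core implements


@dataclass(frozen=True)
class IOModule:
    mid: str
    ip_core: str    # the one peripheral IP core this module serves


# Constructed inventory loosely following fig. 1 (processors 111-113, IP cores
# 121-123, IO modules 131-133); the cores and power figures are assumed.
PROCESSORS = {p.pid: p for p in [
    Processor("P111", "ARM", "Cortex-M7", 300),
    Processor("P112", "ARM", "Cortex-M4", 120),
    Processor("P113", "C51", "8051", 30),
]}
IP_CORES = {c.cid: c for c in [
    PeripheralIPCore("C121", "TCP/IP"),
    PeripheralIPCore("C122", "Modbus"),
    PeripheralIPCore("C123", "4G"),
]}
IO_MODULES = {m.mid: m for m in [
    IOModule("M131", "C121"), IOModule("M132", "C122"), IOModule("M133", "C123"),
]}

# Honeypot configuration information as it might arrive from the master control
# device: one entry per subsystem (assumed layout).
HONEYPOT_CONFIG = [
    {"processor": "P111", "ip_core": "C121", "io_module": "M131"},
    {"processor": "P113", "ip_core": "C122", "io_module": "M132"},
]


def validate_inventory(ip_cores, io_modules):
    """Check the claim-1 constraints: IO modules correspond one-to-one to
    peripheral IP cores, and at least two IP cores use different protocols."""
    served = sorted(m.ip_core for m in io_modules.values())
    if served != sorted(ip_cores):
        raise ValueError("IO modules and peripheral IP cores are not one-to-one")
    if len({c.protocol for c in ip_cores.values()}) < 2:
        raise ValueError("need at least two peripheral IP cores with different protocols")
    return True


def form_subsystems(config):
    """Step S560: bind each entry's processor, IP core and IO module into a
    subsystem, rejecting an IO module that does not serve the named IP core."""
    subsystems, used = [], set()
    for entry in config:
        proc = PROCESSORS[entry["processor"]]
        core = IP_CORES[entry["ip_core"]]
        mod = IO_MODULES[entry["io_module"]]
        if mod.ip_core != core.cid:
            raise ValueError(f"{mod.mid} serves {mod.ip_core}, not {core.cid}")
        if proc.pid in used:
            raise ValueError(f"{proc.pid} already assigned to another subsystem")
        used.add(proc.pid)
        subsystems.append({"processor": proc.pid, "core": proc.core,
                           "protocol": core.protocol})
    return subsystems


def update_config_for_workload(config, workload, high=0.8, low=0.3):
    """Master-side counterpart of step S580: on high load move each subsystem to
    the lowest-power free processor of the same architecture, on low load to
    the highest-power one; in between the configuration is left alone."""
    util = workload["processor_utilization"]
    if low <= util <= high:
        return list(config)
    held = {e["processor"] for e in config}
    updated, taken = [], set()
    for entry in config:
        cur = PROCESSORS[entry["processor"]]
        candidates = [p for p in PROCESSORS.values()
                      if p.arch == cur.arch and p.pid not in taken
                      and (p.pid == cur.pid or p.pid not in held)]
        choose = min if util > high else max
        pick = choose(candidates, key=lambda p: p.power_mw)
        taken.add(pick.pid)
        updated.append({**entry, "processor": pick.pid})
    return updated


def architecture_changed(old, new):
    """Step S540: does the updated configuration require re-forming subsystems?"""
    return [e["processor"] for e in old] != [e["processor"] for e in new]


if __name__ == "__main__":
    validate_inventory(IP_CORES, IO_MODULES)
    print(form_subsystems(HONEYPOT_CONFIG))
    busy = update_config_for_workload(HONEYPOT_CONFIG, {"processor_utilization": 0.92})
    print(architecture_changed(HONEYPOT_CONFIG, busy), form_subsystems(busy))
```

With the constructed inventory, a high-load report moves subsystem 1 from the Cortex-M7 to the Cortex-M4 (the switch the description uses as its example) while the C51 subsystem stays put because no other C51 processor is free; a low-load report leaves the configuration unchanged, so step S540 takes the "no" branch. The one-to-one check in `validate_inventory` and the IP-core/IO-module binding check in `form_subsystems` are the two places where a malformed configuration from the master control device should be rejected before any honeypot program runs on it.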
Exemplary embodiments of the present disclosure also provide a computer-readable storage medium, which may be implemented in the form of a program product including program code that, when the program product is run on an electronic device, causes the electronic device to perform the steps according to the various exemplary embodiments of the present disclosure described in the "exemplary method" section above. In one embodiment, the program product may be embodied as a portable compact disc read-only memory (CD-ROM) including program code, and may be run on an electronic device such as a personal computer. However, the program product of the present disclosure is not limited thereto; in this document, a readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
As will be appreciated by one skilled in the art, aspects of the present disclosure may be embodied as a system, method or program product. Accordingly, various aspects of the present disclosure may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module" or "system." Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is to be limited only by the following claims.
Claims (10)
1. A honeypot system, comprising:
a system on chip (SoC) integrated with a plurality of processors;
a plurality of peripheral intellectual property (IP) cores embedded in the SoC, wherein at least two of the peripheral IP cores adopt different protocols;
input/output (IO) modules in one-to-one correspondence with the peripheral IP cores; and
a memory for storing executable instructions of the processors;
wherein the processors, the peripheral IP cores and the IO modules can form various subsystems for capturing attack information under different protocols.
2. The honeypot system of claim 1 in which at least two of the plurality of processors employ different processor architectures.
3. The honeypot system of claim 2 wherein the processor architecture employed by the processor comprises any of: x86 architecture, ARM architecture, MIPS architecture, C51 architecture.
4. The honeypot system of claim 1 wherein the protocol employed by the peripheral IP core includes any of: TCP/IP protocol, BACnet protocol, Modbus protocol, MQTT protocol, AMQP protocol, CoAP protocol, WiFi protocol, Bluetooth protocol, Zigbee protocol, NFC protocol, GPS protocol, LoRa protocol, 2G wireless communication protocol, 3G wireless communication protocol, 4G wireless communication protocol and 5G wireless communication protocol.
5. An attack information capturing method applied to the honeypot system according to any one of claims 1 to 4, the method comprising:
configuring at least one processor, at least one peripheral IP core and at least one IO module of the honeypot system according to honeypot configuration information to form a subsystem corresponding to the honeypot configuration information;
and capturing attack information under a protocol adopted by the peripheral IP core by utilizing the subsystem.
6. The method of claim 5, wherein the honeypot system comprises a first processor, a first peripheral IP core, a first IO module, the first peripheral IP core corresponding to the first IO module; before configuring at least one processor, at least one peripheral IP core, and at least one IO module of the honeypot system according to honeypot configuration information, the method further includes:
when the honeypot system is started, loading a bootstrap program with the first processor so as to configure the first peripheral IP core and the first IO module into the working state;
registering with a master control device through the first peripheral IP core and the first IO module; and
after registration with the master control device is completed, initializing the processors other than the first processor, the peripheral IP cores other than the first peripheral IP core and the IO modules other than the first IO module.
7. The method of claim 6, wherein after registration with the master control device is completed, the method further comprises:
receiving the honeypot configuration information sent by the master control device.
8. The method of claim 6, wherein while capturing attack information, the method further comprises:
sending workload information to the master control device, so that the master control device updates the honeypot configuration information according to the workload information.
9. The method of claim 6, wherein after capturing attack information, the method further comprises:
when the attack information successfully matches a preset rule, sending the attack information to the master control device.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method of any one of claims 5 to 9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110812479.9A CN113535632A (en) | 2021-07-19 | 2021-07-19 | Honeypot system, attack information capturing method, and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113535632A true CN113535632A (en) | 2021-10-22 |
Family
ID=78128633
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110812479.9A Pending CN113535632A (en) | 2021-07-19 | 2021-07-19 | Honeypot system, attack information capturing method, and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113535632A (en) |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1910571A (en) * | 2003-07-25 | 2007-02-07 | 国际商业机器公司 | A single chip protocol converter |
US20200280568A1 (en) * | 2017-09-18 | 2020-09-03 | Cyber Sepio Systems Ltd | Improved system, method, and computer program product for securing a computer system from threats introduced by malicious transparent network devices |
CN110875904A (en) * | 2018-08-31 | 2020-03-10 | 阿里巴巴集团控股有限公司 | Method for realizing attack processing, honeypot deployment method, honeypot deployment medium and honeypot deployment device |
CN113132293A (en) * | 2019-12-30 | 2021-07-16 | 中国移动通信集团湖南有限公司 | Attack detection method and device and public honeypot system |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117040963A (en) * | 2023-10-09 | 2023-11-10 | 成都亿佰特电子科技有限公司 | Method and system for quick communication of distributed IO master and slave |
CN117040963B (en) * | 2023-10-09 | 2023-12-26 | 成都亿佰特电子科技有限公司 | Method and system for quick communication of distributed IO master and slave |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||