
CN-122001597-A - Honeypot system, flow processing method, flow processing device, storage medium, and program product

Abstract

Embodiments of the application provide a honeypot system, a traffic processing method, a device, a storage medium, and a program product. In these embodiments, the IP address and a port of a service node that already provides a normal application service in a VPC network are used to provide a target service that simulates an attacked object, so no honeypot node needs to be deployed separately in each VPC network; that is, no honeypot node needs to be allocated an independent IP address and port, and the consumption of network resources such as IP addresses and ports by a honeypot system spanning VPC networks is therefore reduced. The target service that decoys the attacker and the application service are arranged on the same service node rather than on a dedicated service node, which also reduces the computing resources consumed by the honeypot service. Furthermore, attack traffic is led to the honeypot service system through the client-side capability and the traffic forwarding capability of the host security service, which breaks through the isolation of the VPC network and realizes honeypot traffic diversion across VPC networks.

Inventors

  • LIN LONG

Assignees

  • 阿里云计算有限公司

Dates

Publication Date
2026-05-08
Application Date
2024-11-01

Claims (13)

  1. A honeypot system, comprising a plurality of virtual private networks, at least one service node being deployed in each virtual private network, a target port being opened on the service node to provide a target service that simulates an attacked object, the target service being different from the application service provided by the service node; the honeypot system further comprises a host security service node and a honeypot service system, the network in which the host security service node and the honeypot service system are located being different from the plurality of virtual private networks; a host security agent component on the service node is configured to monitor the target port and, when an access request is detected on the target port, forward the access request to the host security service node; the host security service node is configured to forward the access request to the honeypot service system; and the honeypot service system is configured to process the access request.
  2. The system of claim 1, wherein the honeypot service system comprises a honeypot node and a honeypot management and control node, the honeypot node exposing a port to the host security service node; the host security service node is configured to forward the access request to the port of the honeypot node; and, in processing the access request, the honeypot node is configured to send the access request to the honeypot management and control node when the access request carries an attack risk, and the honeypot management and control node is configured to determine risk information associated with the access request and output the risk information.
  3. The system of claim 1 or 2, wherein the host security service node and the honeypot service system are in the same intranet, and the internet protocol address of the host security service node is exposed externally.
  4. A traffic processing method, applicable to a host security agent component deployed on a service node in a virtual private network, wherein a target port is opened on the service node, the target port provides a target service to simulate an attacked object, and the target service is different from the application service provided by the service node, the method comprising: monitoring the target port; and, when an access request is detected on the target port, forwarding the access request to a host security service node so that the host security service node forwards the access request to a honeypot service system for processing; wherein the host security service node and the honeypot service system are located in a network different from the virtual private network.
  5. The method of claim 4, wherein forwarding the access request to the host security service node comprises: carrying an identification of the host security agent component in the access request; and forwarding the access request carrying the identification of the host security agent component to the host security service node, so that the host security service node forwards the access request carrying the identification to the honeypot service system for processing.
  6. A traffic processing method, applicable to a host security service node, the method comprising: receiving an access request forwarded by a host security agent component, wherein the host security agent component is deployed on a service node in a virtual private network and monitors access requests on a target port of the service node, the target port provides a target service to simulate an attacked object, and the target service is different from the application service provided by the service node; and forwarding the access request to a honeypot service system for processing, wherein the network in which the host security service node and the honeypot service system are located is different from the virtual private network.
  7. A traffic processing method, applicable to a honeypot node, the method comprising: receiving an access request sent by a host security service node, wherein the access request was sent to the host security service node by a host security agent component on a service node in a virtual private network, the host security agent component monitors access requests on a target port of the service node, the target port provides a target service to simulate an attacked object, and the target service is different from the application service provided by the service node; and, when the access request carries an attack risk, sending the access request to a honeypot management and control node so that the honeypot management and control node determines and outputs risk information associated with the access request; wherein the network in which the honeypot node, the honeypot management and control node and the host security service node are located is different from the virtual private network.
  8. The method of claim 7, further comprising one of the following: determining that the received access request carries an attack risk; or, if the source internet protocol address of the access request is not in a permitted list, determining that the access request carries an attack risk; or, detecting the risk of the access request according to pre-collected clue data, wherein the clue data comprises attribute information of requests determined to carry an attack risk, and if the attribute information of the access request matches the attribute information of a request carrying an attack risk, determining that the access request carries an attack risk.
  9. A traffic processing method, applicable to a honeypot management and control node, the method comprising: receiving an access request sent by a honeypot node, wherein the access request was sent to a host security service node by a host security agent component on a service node in a virtual private network and forwarded by the host security service node to the honeypot node, the host security agent component monitors access requests on a target port of the service node, the target port provides a target service to simulate an attacked object, and the target service is different from the application service provided by the service node; and determining risk information of the access request and outputting the risk information, wherein the network in which the honeypot node, the honeypot management and control node and the host security service node are located is different from the virtual private network.
  10. The method of claim 9, wherein the access request carries an identification of the host security agent component, and determining the risk information of the access request comprises: acquiring, from the host security service node, attribute information of the service node attacked by the access request according to the identification of the host security agent component; and determining the risk information according to the access request and the attribute information of the attacked service node.
  11. An electronic device, comprising a memory and a processor, wherein the memory is configured to store a computer program, and the processor is coupled to the memory and configured to execute the computer program to perform the steps of the method of any one of claims 4 to 10.
  12. A computer-readable storage medium storing computer instructions that, when executed by one or more processors, cause the one or more processors to perform the steps of the method of any one of claims 4 to 10.
  13. A computer program product comprising a computer program which, when executed by one or more processors, causes the one or more processors to perform the steps of the method of any one of claims 4 to 10.
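The forwarding chain of claims 4 to 10 and the risk rules of claim 8, modelled as an added Python example (not code from the patent or from the assignee); the agent id, permitted list, clue data and node registry are constructed sample values:

```python
"""Constructed model of the cross-VPC honeypot path in claims 4 to 10.
Agent tags and forwards (claims 4, 5), host security service node relays
(claim 6), honeypot node applies claim 8 rules (claim 7), management and
control node resolves attacked node attributes by agent id (claims 9, 10)."""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    src_ip: str
    dst_port: int
    payload: str
    agent_id: str = ""  # filled in by the agent (claim 5)


# Constructed sample data, not from the patent.
PERMITTED_SOURCES = {"10.1.0.5"}            # permitted list (claim 8)
CLUE_DATA = [{"payload": "GET /.env"}]      # attributes of known risky requests (claim 8)
NODE_REGISTRY = {                           # held by the host security service node (claim 10)
    "agent-vpc1-node7": {"vpc": "vpc-1", "ip": "10.1.0.20", "app": "web"},
}


def agent_forward(req, agent_id):
    """Host security agent: carry the agent id and forward (claims 4 and 5)."""
    req.agent_id = agent_id
    return host_security_forward(req)


def host_security_forward(req):
    """Host security service node: relay across the VPC boundary (claim 6)."""
    return honeypot_node_handle(req)


def is_risky(req):
    """Claim 8 rules: source not permitted, or attributes match clue data."""
    if req.src_ip not in PERMITTED_SOURCES:
        return True
    return any(all(getattr(req, k) == v for k, v in clue.items()) for clue in CLUE_DATA)


def honeypot_node_handle(req):
    """Honeypot node: escalate only risky requests (claim 7); None otherwise."""
    return management_node_assess(req) if is_risky(req) else None


def management_node_assess(req):
    """Management and control node: risk info = request + attacked node attributes (claim 10)."""
    node = NODE_REGISTRY.get(req.agent_id, {})
    return {"src_ip": req.src_ip, "port": req.dst_port, "attacked_node": node}
```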

Description

Honeypot system, flow processing method, flow processing device, storage medium, and program product

Technical Field

The present application relates to the field of cloud security technologies, and in particular to a honeypot system, a traffic processing method, a device, a storage medium, and a program product.

Background

A honeypot is an attack decoy system: it simulates one or more vulnerable hosts and services to offer an attacker an easily attacked target, disguised as a user's application, so that the attacker mistakes it for the target object to be attacked. Honeypots are widely used in the security field as a common information collection system. The deployment cost of honeypots is high: not only are hosts required to run the honeypot services, but a large number of Internet Protocol (IP) addresses and common ports must be occupied to masquerade as real online hosts. In a cloud computing environment, a private network can be created through a virtual private cloud (VPC) network, so that isolation and control of resources are achieved. Because of that isolation, deploying a honeypot system across VPC networks consumes a significant amount of resources.

Disclosure of Invention

Aspects of the present application provide a honeypot system, a traffic processing method, an apparatus, a storage medium, and a program product to reduce the resource consumption of a honeypot system across VPC networks.

In a first aspect, an embodiment of the present application provides a honeypot system, including a plurality of virtual private networks, each virtual private network being deployed with at least one service node, the service node having a target port opened to provide a target service that simulates an attacked object, the target service being different from the application service provided by the service node. The honeypot system further includes a host security service node and a honeypot service system, the network in which the host security service node and the honeypot service system are located being different from the plurality of virtual private networks. A host security agent component on the service node monitors the target port and, when an access request is detected on the target port, forwards the access request to the host security service node; the host security service node forwards the access request to the honeypot service system; and the honeypot service system processes the access request.

In a second aspect, an embodiment of the present application further provides a traffic processing method, applicable to a host security agent component deployed on a service node in a virtual private network, where a target port is opened on the service node, the target port provides a target service to simulate an attacked object, and the target service is different from the application service provided by the service node. The method includes: monitoring the target port; and, when an access request is detected on the target port, forwarding the access request to a host security service node so that the host security service node forwards the access request to a honeypot service system for processing, wherein the host security service node and the honeypot service system are located in a network different from the virtual private network.

In a third aspect, an embodiment of the present application further provides a traffic processing method, applicable to a host security service node. The method includes: receiving an access request forwarded by a host security agent component, wherein the host security agent component is deployed on a service node in a virtual private network and monitors access requests on a target port of the service node, the target port provides a target service to simulate an attacked object, and the target service is different from the application service provided by the service node; and forwarding the access request to a honeypot service system for processing, wherein the network in which the host security service node and the honeypot service system are located is different from the virtual private network.

In a fourth aspect, an embodiment of the present application further provides a traffic processing method, applicable to a honeypot node. The method includes: receiving an access request sent by a host security service node, wherein the access request was sent by a host security agent component on a service node in a virtual private network, the host security agent component monitors access requests on a target port of the service node, the target port provides a target service to simulate an attacked object, and providing application service by the t