
CN-122027363-A - Honey array driven network security situation awareness method and system

CN122027363A

Abstract

The invention provides a honey array driven network security situation awareness method and system, and relates to the technical field of network security management. The method comprises: receiving threat event reports from the honey array trapping nodes; extracting the attacker's behavior path, session content and triggering characteristics; carrying out a first attack path correction according to the topological position of the nodes and the attack flow direction; and, when several honey array trapping nodes capture events from the same attack source at the same time, calculating the propagation delay and path deviation of the attack chain in the network through time synchronization and event matching among the honey array trapping nodes, adjusting the attack situation in real time, and correcting the projection error of the attack propagation path onto the network topology. By introducing a honey array driving mechanism, the sensing system makes the distributed trapping nodes work cooperatively, calculates the propagation delay and path deviation of the attack chain by time synchronization and event matching, and greatly improves the spatial precision of threat positioning.

Inventors

  • Qiu Rixuan
  • Xi Ning
  • Zhang Yuanyu
  • Zhao Shuangrui
  • Cao Na
  • Li Luming
  • Jing Sitong
  • Peng Qiuying
  • Xu Bo
  • Shen Yulong
  • Fan Ruixiang
  • Zhang Zhiwei

Assignees

  • 国网江西省电力有限公司信息通信分公司 (State Grid Jiangxi Electric Power Co., Ltd., Information and Communication Branch)
  • 西安电子科技大学 (Xidian University)

Dates

Publication Date
2026-05-12
Application Date
2026-04-13

Claims (10)

  1. A honey array driven network security situation awareness method, characterized by comprising the following steps: deploying honey array trapping nodes in a target network and binding positioning reference information, acquiring attack interaction data based on the honey array trapping nodes, and carrying out structuring processing to obtain threat event data; extracting an attacker behavior path from the threat event data, and carrying out preliminary correction on the attacker behavior path based on the positioning reference information to obtain a preliminarily corrected attack path; if a plurality of honey array trapping nodes capture events from the same attack source, carrying out time synchronization and event matching between the honey array trapping nodes, calculating the propagation delay and path deviation of the attack chain, obtaining a high-confidence attack chain based on multi-node cross verification, and carrying out projection error correction on the preliminarily corrected attack path based on the path deviation and the high-confidence attack chain to obtain a corrected attack path, otherwise taking the preliminarily corrected attack path as the corrected attack path; calculating the position error and coverage correction of the threat in the global network topology based on the corrected attack path and the propagation delay, and determining the key node set and potential diffusion direction of the attack; fusing the threat situation parameters with a security data source to construct a network security situation map; and providing a threat visualization view and a basis for defense decisions based on the network security situation map.
  2. The method of claim 1, wherein deploying the honey array trapping nodes in the target network and binding positioning reference information, acquiring attack interaction data based on the honey array trapping nodes and carrying out structuring processing to obtain threat event data comprises: the positioning reference information comprises a network topology position, an IP/port portrait and a system fingerprint; the attack interaction data comprises original data packets and tracing information, wherein the original data packets comprise TCP/IP handshakes, application layer protocol interactions and payload contents, and the tracing information comprises the attack source IP and port, an interaction behavior sequence and a tool fingerprint; the threat event data comprises an original data packet abstract, an attacker behavior sequence, trigger characteristics and node positioning information; and the steps of deploying honey array trapping nodes in the target network, binding positioning reference information to each honey array trapping node, capturing attack interaction data at the honey array trapping nodes, carrying out protocol analysis on the original data packets, converting the interaction behavior into event sequences marked with key operations, and carrying out tracing association based on an IP reputation library, autonomous system number information and time window clustering to obtain the threat event data.
  3. The method of claim 1, wherein carrying out preliminary correction on the attacker behavior path based on the positioning reference information comprises performing a topology consistency check on the attacker behavior path, detecting abnormal jumps across network segments and conflicts with logical region constraints, and correcting the path node sequence according to the detection results.
  4. The method of claim 1, wherein obtaining the preliminarily corrected attack path further comprises inferring the attack propagation direction and identifying the initial intrusion point based on the preliminarily corrected attack path and a traffic direction marker, performing a comprehensive threat assessment based on vulnerability severity, behavior harmfulness and node sensitivity in combination with the number of nodes and the topology distribution involved in the preliminarily corrected attack path, and outputting a threat intensity score and a propagation range grade.
  5. The method of claim 1, wherein carrying out time synchronization and event matching between the honey array trapping nodes and calculating the propagation delay and path deviation of the attack chain comprises: unifying the local timestamps of all honey array trapping nodes to a global time reference based on a time synchronization protocol; generating a unique attack source identifier based on a composite characteristic; extracting the behavior sequence fragments of that attack source identifier at all honey array trapping nodes, splicing them into the attack chain according to the global time sequence, and marking the logical connection relation; and comparing the actually observed node access sequence of the attack chain with the expected path based on network logical connectivity, and calculating the path deviation.
  6. The method of claim 1, wherein obtaining a high-confidence attack chain based on multi-node cross verification comprises verifying the logical consistency of behavior and the consistency of tool fingerprints of the same attack source at different nodes, eliminating low-confidence events that show logical contradictions or tool fingerprint conflicts, and obtaining the high-confidence attack chain.
  7. The method of claim 1, wherein carrying out projection error correction on the preliminarily corrected attack path based on the path deviation and the high-confidence attack chain comprises: judging that a projection error exists when the path deviation exceeds a preset threshold value; remapping the node topological positions and connection relations in the preliminarily corrected attack path according to the node access sequence and interaction content in the high-confidence attack chain; performing a consistency check between the remapped attack path and the positioning reference information; and outputting the corrected attack path together with its spatial precision rating.
  8. The method of claim 1, wherein calculating the position error and coverage correction of the threat in the global network topology based on the corrected attack path and the propagation delay and determining the key node set and potential diffusion direction of the attack further comprises calculating threat parameters based on the key node set and outputting threat situation parameters including a propagation speed, an attack angle and an attack coverage radius, specifically: comparing the actual physical position of each node in the corrected attack path with its expected position in the topological graph and calculating the position error; adjusting the logical area affected by the threat according to the position error and the topological connectivity, and obtaining the coverage correction amount and the key node set of the attack; predicting the potential diffusion direction based on the network adjacency relations of the key node set and the behavior pattern in the high-confidence attack chain; calculating the attack angle based on the relative topological positions of the key node set, taking the initially invaded honey array trapping node as the origin, and calculating the attack coverage radius based on the topological hop count or physical distance of the node in the key node set farthest from the origin; and fusing the position error, the coverage correction, the key node set, the potential diffusion direction and the threat parameters, and outputting the threat situation parameters.
  9. The method of claim 1, wherein fusing the threat situation parameters with a security data source to construct a network security situation map comprises: subjecting the threat situation parameters and the security data source to standardized conversion and feature alignment to generate a standardized security event set; taking the assets, attack actions and threats in the standardized security event set as nodes, and the connection relations between assets, the mapping relations between threats and attacks, and the interaction relations between attacks and assets as edges, to construct and dynamically update the network security situation map; wherein the security data source comprises an intrusion detection system, a traffic analysis system and a vulnerability scanning tool.
  10. A honey array driven network security situation awareness system, characterized by comprising: a data acquisition module for deploying honey array trapping nodes in the target network and binding positioning reference information, acquiring attack interaction data based on the honey array trapping nodes and carrying out structuring processing to obtain threat event data; a preliminary correction module for extracting an attacker behavior path from the threat event data and carrying out preliminary correction on it based on the positioning reference information to obtain a preliminarily corrected attack path; a secondary correction module for carrying out time synchronization and event matching between the honey array trapping nodes if a plurality of honey array trapping nodes capture events from the same attack source, calculating the propagation delay and path deviation of the attack chain, obtaining a high-confidence attack chain based on multi-node cross verification, and carrying out projection error correction on the preliminarily corrected attack path based on the path deviation and the high-confidence attack chain to obtain a corrected attack path; a parameter output module for calculating the position error and coverage correction of the threat in the global network topology based on the corrected attack path and the propagation delay, and determining the key node set and potential diffusion direction of the attack; and a map generation module for fusing the threat situation parameters with the security data source to construct a network security situation map, and providing a threat visualization view and a basis for defense decisions based on the network security situation map.
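The following Python example is added here to make the core of claims 5 to 8 concrete; it is illustrative code written for this page, not the patent's implementation. It unifies node-local timestamps to a global reference using per-node clock offsets, splices one attack source's events across cooperating honeypot nodes into an attack chain, drops events whose tool fingerprint conflicts with the rest of the chain (claim 6), computes the propagation delay between successive node visits, measures the path deviation of the observed node sequence against the logical topology and flags a projection error when it exceeds a preset threshold (claim 7), and derives the attack coverage radius as the hop count from the initial intrusion node to the farthest node reached (claim 8). The topology, node names, clock offsets, fingerprint labels and events are all constructed sample data.

```python
"""Added example: multi-node event matching and path deviation for a
honey array (cooperating honeypot nodes). Not the patent's code; all
topology, offsets and events below are constructed sample data."""
from collections import Counter, deque
from dataclasses import dataclass

# Constructed decoy-network topology as an adjacency list (hypothetical names).
TOPOLOGY = {
    "dmz-web": ["app-1"],
    "app-1": ["dmz-web", "db-1", "app-2"],
    "app-2": ["app-1", "db-1"],
    "db-1": ["app-1", "app-2"],
}
# Offset of each node's local clock from the global reference, in seconds,
# as a time-synchronization protocol would report it (constructed values).
CLOCK_OFFSET = {"dmz-web": 0.0, "app-1": -1.5, "app-2": 0.8, "db-1": 2.0}
# A path deviation above this preset threshold is treated as a projection error.
PROJECTION_THRESHOLD = 0


@dataclass
class Event:
    node: str        # honey array trapping node that captured the interaction
    local_ts: float  # timestamp from the node's own clock
    src_ip: str      # attack source IP
    tool_fp: str     # tool fingerprint (constructed label)
    action: str      # key operation extracted from the interaction


def to_global(ev: Event) -> float:
    """Map a node-local timestamp onto the global time reference."""
    return ev.local_ts - CLOCK_OFFSET[ev.node]


def cross_validate(events):
    """Keep events whose tool fingerprint matches the majority fingerprint of
    this source; conflicting events are low-confidence and dropped."""
    if not events:
        return []
    majority_fp, _ = Counter(e.tool_fp for e in events).most_common(1)[0]
    return [e for e in events if e.tool_fp == majority_fp]


def splice_chain(events, src_ip):
    """High-confidence chain of one source across all nodes, in global time."""
    same_source = [e for e in events if e.src_ip == src_ip]
    return sorted(cross_validate(same_source), key=to_global)


def node_sequence(chain):
    """Observed node access sequence (consecutive repeats collapsed)."""
    seq = []
    for e in chain:
        if not seq or seq[-1] != e.node:
            seq.append(e.node)
    return seq


def hop_count(topology, start, goal):
    """Shortest hop count between two nodes by BFS; None if unreachable."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == goal:
            return dist
        for nxt in topology[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def propagation_delays(chain):
    """Global-time delay between successive distinct node visits."""
    visits = []
    for e in chain:
        if not visits or visits[-1].node != e.node:
            visits.append(e)
    return [(a.node, b.node, round(to_global(b) - to_global(a), 3))
            for a, b in zip(visits, visits[1:])]


def path_deviation(topology, seq):
    """Logical hops that no node observed (hops - 1 per consecutive visit);
    an unreachable pair costs the size of the topology."""
    dev = 0
    for a, b in zip(seq, seq[1:]):
        h = hop_count(topology, a, b)
        dev += (h - 1) if h is not None else len(topology)
    return dev


def coverage_radius(topology, seq):
    """Hop count from the initial intrusion node to the farthest node reached."""
    if not seq:
        return 0
    return max(hop_count(topology, seq[0], n) or 0 for n in seq)


def analyze(events, src_ip, topology=TOPOLOGY):
    """Run the full chain analysis for one attack source."""
    chain = splice_chain(events, src_ip)
    seq = node_sequence(chain)
    dev = path_deviation(topology, seq)
    return {"sequence": seq, "delays": propagation_delays(chain),
            "deviation": dev, "projection_error": dev > PROJECTION_THRESHOLD,
            "coverage_radius": coverage_radius(topology, seq)}


# Constructed threat events: one source crosses three nodes; the app-1 event
# carries a conflicting fingerprint and is dropped, leaving a gap in the path.
EVENTS = [
    Event("dmz-web", 100.0, "203.0.113.7", "fp-A", "ssh-bruteforce"),
    Event("app-1", 103.5, "203.0.113.7", "fp-B", "lateral-smb"),
    Event("db-1", 112.0, "203.0.113.7", "fp-A", "sql-dump"),
    Event("app-2", 118.8, "203.0.113.7", "fp-A", "scan"),
    Event("dmz-web", 150.0, "198.51.100.9", "fp-C", "http-probe"),
]

if __name__ == "__main__":
    print(analyze(EVENTS, "203.0.113.7"))
```

For the constructed events the retained chain is dmz-web, db-1, app-2 with delays of 10 s and 8 s in global time; because the dmz-web to db-1 step skips app-1 in the logical topology, the path deviation is 1, which exceeds the preset threshold and marks the path for projection error correction, and the coverage radius from the initial node is 2 hops. The deviation measure and the majority-fingerprint rule are one simple reading of the claims, not the patent's own definitions.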

Description

Honey array driven network security situation awareness method and system

Technical Field

The invention relates to the technical field of network security management, in particular to a honey array driven network security situation awareness method and system.

Background

A honey array (honeymesh) is a decoy network system formed by a plurality of distributed honeypot and honeynet nodes cooperating according to a certain topological structure. It can not only trap an attacker at a single point, but also form a three-dimensional defense pattern through cooperation among the nodes. With the spread of the Internet and the Internet of Things, network attacks have evolved from traditional single-point destruction into chained, multi-stage and cross-domain attacks, and threat forms show hidden, automated and intelligent trends. Network security situation awareness collects, fuses and analyzes multi-source network security data to form a global picture of the current security state and to forecast potential threat trends. However, in the threat situation calculation step, most existing technologies stop at statistical analysis based on the number of events or their threat level; key situation indicators such as the propagation speed, intrusion direction and coverage range of an attack cannot be quantified. This defect directly affects the subsequent generation of automated response strategies, because those strategies need accurate spatial and temporal positioning information; the reliability and timeliness of the situation map are insufficient, and it cannot reliably support real-time defense decisions. It is therefore desirable to provide a solution to the above-mentioned problems.

Disclosure of Invention

The invention aims to provide a honey array driven network security situation awareness method and system, which solve the problems of inaccurate security situation awareness and the lack of a basis for automated decision-making that arise in the prior art because the dynamic propagation characteristics of attacks cannot be quantified.

In a first aspect, the invention provides a honey array driven network security situation awareness method, which includes: deploying honey array trapping nodes in a target network and binding positioning reference information, acquiring attack interaction data based on the honey array trapping nodes, and carrying out structuring processing to obtain threat event data; extracting an attacker behavior path from the threat event data, and carrying out preliminary correction on the attacker behavior path based on the positioning reference information to obtain a preliminarily corrected attack path; if a plurality of honey array trapping nodes capture events from the same attack source, carrying out time synchronization and event matching between the honey array trapping nodes, calculating the propagation delay and path deviation of the attack chain, obtaining a high-confidence attack chain based on multi-node cross verification, and carrying out projection error correction on the preliminarily corrected attack path based on the path deviation and the high-confidence attack chain to obtain a corrected attack path, otherwise taking the preliminarily corrected attack path as the corrected attack path; calculating the position error and coverage correction of the threat in the global network topology based on the corrected attack path and the propagation delay, and determining the key node set and potential diffusion direction of the attack; fusing the threat situation parameters with a security data source to construct a network security situation map; and providing a threat visualization view and a basis for defense decisions based on the network security situation map.

According to the honey array driven network security situation awareness method provided by the invention, the sensing system makes the distributed trapping nodes work cooperatively by introducing a honey array driving mechanism, calculates the propagation delay and path deviation of the attack chain by time synchronization and event matching, and greatly improves the spatial precision of threat positioning.

Optionally, deploying honey array trapping nodes in the target network and binding positioning reference information, and acquiring attack interaction data based on the honey array trapping nodes and carrying out structuring processing, comprises the following: the positioning reference information comprises a network topology position, an IP/port portrait and a system fingerprint; the attack interaction data comprises original data packets and tracing information, wherein the original data packets comprise TCP/IP handshakes, application layer protocol interactions and payload contents, and the tracing information comprises the attack source IP and port, an interaction b