
Implementation Of Application Layer Honeypots Based On Sandbox Technology

Posted on: 2019-10-21 | Degree: Master | Type: Thesis
Country: China | Candidate: Q Guo
GTID: 2382330590475170 | Subject: Computer technology
Abstract/Summary:
Electricity is a traditional industry whose core is power production. How to protect the core production and management systems is an important issue for a power company. The traditional protection for the power management system is to use an isolation device (GAP) to isolate the core production system (the power application). This is a safety measure based on equipment that is within a physically controllable range. But with the development of new business and technology, traditional isolation schemes can no longer protect the power system. In this paper, honeypot software is implemented to protect the electrical information acquisition system (an electric power business application system) and to identify, monitor and analyze network attacks from the acquisition terminal side. The implementation covers three aspects.

(1) We use sandbox technology to implement application layer honeypot software. The software has the characteristics of a honeypot: it captures attacks from the network and records and analyzes network access, database access and operating system access, which provides the conditions for analyzing unknown network attack behavior. With sandbox technology, a virtual running environment can be established through API hooking and similar means, making it possible to run the real power business application directly on the honeypot software. This method solves many problems of traditional honeypot software, such as the need to re-create the functions of the simulated object, the inability to run the power application, and the inability to execute real power service requests.

(2) This paper extends the scope of the virtual operating environment built by sandbox technology through an SQL proxy. The sandbox thus takes over not only operating system access and network access but also the more important data access of the power application, establishing comprehensive application layer protection.

(3) By implementing analysis and monitoring of the 1376.1 protocol (the terminal call protocol of the electrical information acquisition system), the software can analyze a specific power application such as the electrical information acquisition system, which improves the depth of the analysis and meets the needs of specific protection.

Through the realization of the above functions, a honeypot system that can monitor, analyze and protect the power business application system is finally realized, and the network security of the power business application system is guaranteed.
Keywords/Search Tags: sandbox, power application, honeypot, implementation