
Research On Honeypot Host Technology Based On Protocol Stack Fingerprint Features

Posted on: 2020-09-24
Degree: Master
Type: Thesis
Country: China
Candidate: T P Ren
GTID: 2428330575968796
Subject: Software engineering
Abstract/Summary:
The development of the Internet has promoted the progress of society. However, some criminals use the Internet to pursue personal gain by dishonest means, seriously infringing on the security of other people's property and information, and network security protection technology has emerged in response to this need. Operating system type identification is one of the most important network security protection technologies, because determining the target's operating system type is the first step taken both by intruding attackers and by network security personnel performing system evaluation. In addition, traditional passive network protection technologies such as network firewalls are no longer sufficient, and a proactive network protection technology is needed; among these, honeypot technology stands out. Honeypots can collect information from attackers and work with firewalls and other technologies to prevent attacks efficiently. The most important aspect of honeypot research is hiding and protecting the honeypot's identity.

Firstly, because existing operating system type identification techniques cannot be concealed and cannot identify unknown operating system types, this paper proposes an operating system identification technique based on passive monitoring that can identify unknown types. The technique builds on passive operating system recognition using the TCP/IP protocol stack and introduces a recognition model based on a feature-related C4.5 algorithm. The experimental results confirm that, compared with unknown operating system recognition methods based on SVM and the C4.5 algorithm, the technique based on the feature-related C4.5 algorithm achieves higher recognition accuracy and efficiency.

Secondly, because certain defects in the Honeyd honeypot can expose its identity, this paper proposes an improvement to Honeyd's network protocol stack counterfeiting mechanism. Research and analysis show that Honeyd has two major defects: (1) timeout retransmission during the TCP three-way handshake is not supported; (2) the transport layer protocol type is not evaluated during IP fragment reassembly. This paper partially modifies Honeyd so that it supports timeout retransmission in the TCP three-way handshake, and adds a decision module for the transport layer protocol type when Honeyd performs IP fragment reassembly. The validity and accuracy of the proposed method are verified by experiments.
Keywords/Search Tags: TCP/IP protocol stack, feature-related C4.5 algorithm, operating system type identification, honeypot