
Design And Implementation Of Deception And Defense System Based On Honeypot

Posted on: 2021-07-07
Degree: Master
Type: Thesis
Country: China
Candidate: H L Kang
GTID: 2518306308476844
Subject: Computer technology
Abstract/Summary:
Information security has developed into the thriving field it is today. Traditional security detection schemes are still based on passive defense techniques that detect static signatures. Most security managers are more concerned about attacks from outside the network and ignore the issue of intranet security construction. In fact, with the emergence of APT attacks, a new attack method that is highly purposeful and well prepared, attackers can use social engineering methods such as phishing or watering hole attacks to obtain intranet users' login credentials, and then carry out lateral penetration of the intranet to obtain more valuable internal sensitive information. Therefore, simply deploying either an external or an internal security detection solution can hardly provide security coverage of the entire network.

After reviewing a large body of literature, this thesis summarizes the mainstream deception defense technologies, studies the basic principles of different honeypot technologies, and compares the advantages and disadvantages of open source honeypot projects at home and abroad. It then designs and implements a deception and defense system that has both external network threat awareness and internal network attack detection capability. The specific work and innovations of this thesis are as follows:

1. This thesis designs and implements a honeynet agent, based on traffic forwarding technology, that can be deployed lightly and flexibly. The system does not need to deploy a real honeypot service on each network segment. The honeynet agent can achieve the same deception effect as the real honeypot service, which effectively improves the detection coverage of the system.

2. This thesis designs and implements a variety of new honeypots with different interaction types, solving the problem that the fingerprint information of open source honeypots is obvious and easily identified by attackers. According to the different attack characteristics of the DMZ area and the intranet area, a more targeted deployment scheme is proposed.

(1) For the DMZ area, which has obvious scanning characteristics and weak security, this thesis designs and implements a deceptive environment consisting of the Cowrie honeypot, the WordPress fishing honeypot, the Shadow honeypot and the Mysql_fake attack counter honeypot. The deceptive environment construction mechanism can effectively detect and record scanning and attack behaviors from the external network, and provides real-time perception of external network threats through Kibana.

(2) For the intranet area, where the attacker is highly hidden and has obvious attack characteristics, this thesis designs and implements a high-interaction honeypot environment based on Docker containers and containing known vulnerabilities, including the WebLogic honeypot, ThinkPHP honeypot, Struts2 honeypot, etc., combined with deception techniques such as breadcrumbs and database bait. The system can effectively detect attack behavior hidden in the internal network and trigger the honeynet management system alarm in time.

3. This thesis designs and implements a system behavior capture mechanism based on Sysdig Falco. The system can effectively perform bash command auditing and file auditing of the Docker high-interaction honeypot container system. System behavior capture based on Sysdig Falco and traffic monitoring based on Packetbeat together form a more complete threat data capture architecture.
Keywords/Search Tags: deception technique, honeypot technology, scan perception, attack detection, traffic forwarding