Design And Implementation Of Honeynet Active Defense System Based On Reinforcement Learning

Posted on: 2022-06-17
Degree: Master
Type: Thesis
Country: China
Candidate: X Su
GTID: 2518306341954229
Subject: Computer technology

Abstract/Summary:
With the rapid development of the Internet, the problem of network security has become increasingly serious. Traditional security defense mechanisms such as firewalls and intrusion detection systems have difficulty dealing with new network threats that are highly concealed, persistent and intelligent. Active defense technologies such as honeypots and honeynets are playing an increasingly important role. However, existing honeypot and honeynet protection systems mainly adopt static deployment, which makes it difficult for them to respond dynamically as attack methods change and easy for experienced attackers to identify and bypass them. With the development of artificial intelligence, reinforcement learning, game theory, case-based reasoning and other related technologies have shown good performance in intelligent decision-making, dynamic interaction, anti-recognition and so on. Therefore, the combination of artificial intelligence technology and honeynet technology has become a research hotspot in the field of active deception defense. This paper focuses on honeynet active defense technology based on reinforcement learning.

(1) To give different attacks a classified response, this paper proposes an attack connection classification mechanism based on credibility reasoning. Attack connections are divided into two types: automatic attacks and man-made attacks. First, an inference knowledge base for the different conclusions is established according to the characteristics of attack connections, and then the credibility and trust growth of each piece of knowledge in the knowledge base are evaluated. In view of the advantages of credibility-based uncertainty reasoning in processing fuzzy information, this paper calculates the overall joint credibility of the different conclusions through the uncertainty algorithm of combined evidence, based on the established reasoning knowledge base. Finally, the attack connection classification result is obtained by comparing the credibility values.

(2) This paper designs and proposes an adaptive honeypot model based on the Q-learning algorithm. First, the process by which the adaptive honeypot responds to an attack is modeled as a Markov decision process. The attacker's command set and the set of response actions taken by the honeypot are mapped to the state space and action space of the honeypot model respectively, and a reward function is designed to maximize the collection of automatic attack commands. On this basis, the adaptive honeypot can learn by interacting with the attacker and generate the best interaction strategy, making the attacker expose more valuable attack data.

(3) This paper designs a honeynet architecture based on phased response and implements a honeynet active defense system based on reinforcement learning. The system consists of a static request response module, an attack connection classification module, an attack behavior capture module and a log management module. Finally, the honeynet active defense system is tested to prove the availability and stability of the system.

The results show that the system can respond to network attacks in stages, simulate the current network environment, control the attacker's traffic, monitor and record the attacker's scanning, probing and attacking of the honeynet, and display the honeynet log effectively. Compared with the traditional interactive honeypot, the adaptive honeypot can capture more attack commands and has good adaptability. Compared with other honeypots that use reinforcement learning, the MDP modeling method proposed in this paper converges faster in the learning process and gives the response behaviors a clearer priority during training, which proves the correctness and effectiveness of the proposed modeling method.
Keywords/Search Tags: Honeypot, Honeynet, Reinforcement Learning, Credibility Reasoning, Active Defense