
Research And Implementation Of Intranet Threat Capture System Based On Honeypot

Posted on: 2022-04-08 | Degree: Master | Type: Thesis
Country: China | Candidate: W J Mao
GTID: 2518306557978529 | Subject: Computer technology
Abstract/Summary:
With the rapid development of the digital world and the increasing number of malicious attacks, honeypot technology is an effective solution. It can imitate a series of vulnerable software services, attracting attackers to use them as attack targets and thereby protecting the real server. However, honeypot technology also has certain limitations. As a software service, a honeypot will inevitably contain vulnerabilities. If an attacker discovers and exploits them, they are likely to pose a threat to the enterprise's intranet and cause serious incidents. Moreover, springboard attacks have become a common method for attackers, so how to trace the source and recover losses after an attack is also a topic worthy of study. To address the security problems of the honeypot itself in real deployment environments, this thesis starts from traffic analysis and draws on virtualization technology to strengthen the security of the honeypot. To address the current difficulty of tracing attackers, a preference-based attack pattern extraction algorithm is proposed. The algorithm analyzes the attack data generated by the honeypot, calculates the degree of similarity between attackers, and is compared and analyzed for accuracy. Specifically, the research content and innovations of this thesis cover the following points:

(1) A honeypot anti-infiltration algorithm based on Server Name Indication (SNI) is proposed. When the attacker uses HTTPS to encrypt the transmitted data, SNI data takes the place that DNS data originally held in the traffic analysis, and the attacker's encrypted communication is blocked in a targeted manner to disrupt the attack process and so protect the honeypot. Experiments demonstrate the effectiveness of the algorithm.

(2) A preference-based attack pattern extraction algorithm is proposed. The attacker's most frequent attack items are taken to characterize that attacker's behavior. When facing attackers with different attack preferences but overlapping attack items, it reflects the difference between attackers better than the bitwise OR method, avoiding the excessively high similarity values that the bitwise OR method produces in this scenario. Experiments demonstrate the effectiveness of the algorithm and its advantages over the bitwise OR method.

(3) A honeypot-based intranet threat capture system is implemented. Based on an analysis of system requirements for the corporate intranet environment, a honeypot-based intranet threat capture system was designed. The system organizes different honeypots and hardens the honeypot system itself by incorporating the SNI anti-infiltration system. The data collected by the different honeypots is aggregated on a central server for display, and the preference-based attack pattern extraction algorithm is used for traceability analysis. Combining the system with Docker not only improves the security of the honeynet system but also facilitates deployment and maintenance. Experimental results show that the system is able to collect and capture common threats and has good performance and security.
Keywords/Search Tags:Honeypot, SNI, Attack Source Tracing, Docker, Honeynet