honeypot and intranet security from 0 to 1 (2)

Posted by millikan at 2020-02-25

The planned contents are divided into the following parts:
1. Honeypot and intranet security topics
2. Honeypot technology popularization and development overview (2016) - this article
3. Common intranet attack types and detection ideas
4. Multiple open-source honeypot data samples and application analysis
5. Attack sequences, attack patterns and attacker tags
6. The proposed attack pattern matching algorithm
7. Demo system design
8. Some technical points in the implementation of the demo
9. Testing process in the laboratory environment
10. Summary of my thesis (with a list of references)

I have also been reflecting recently on a learning method I used to use, commonly known as "learn for 5 minutes, take notes for half an hour". Then I forgot what I learned and didn't want to review the notes, because I didn't follow up with practice. This method actually discourages people's enthusiasm for learning. For example, I wanted to spend 5 minutes reading an English story every day, but it took half an hour each time to look up the new words; I held on for two days and gave up as soon as I got busy. In fact, if the purpose of reading English stories is to cultivate an interest in reading, it is better not to look up new words, but to understand the general idea of the story and keep the interest alive. The meaning of many words is slowly understood with the help of context.

If you are just interested in honeypots right now, just take 5 minutes to read this. You can ignore the reference materials for the time being; when you really need to go deeper later, you can remember that this article is here for reference.

This article is a bit like an overview, and I'm a little embarrassed to post it. In the next article I will write about the types of intranet attacks, which relate to actual operations. As for update frequency, I will try to keep to one article a week, not more.

In a dissertation, "the current situation at home and abroad" is an essential part. On the basis of understanding the state of research, we can broaden our vision and at the same time adjust our research direction. Combining the dozens of articles I searched for and read at the time, this article can be regarded as a brief introduction to the development of honeypot technology. Later it gives some reference articles on honeypot technology, for the convenience of friends who want to learn about it, and finally it lists the references I cited in this part. College students who want to study this topic can go further by searching for the related papers.

A honeypot is usually defined as a kind of security resource. It does not need to provide a practical application; its value lies in inducing and recording attack behaviour, so as to understand the attacker's intrusion methods and means and to delay the attack process. Then, from the captured attack behaviour data, the attack methods and tools used by the attacker are analysed, so that the defense policy can be adjusted accordingly and the protection capability of the system enhanced [8].

Honeypots usually have the functions of data capture, data analysis and data control [34]. Data capture mainly collects host data or network data: on the host, the attacker's TCP connections, executed commands and various log information can be captured; network data includes protection-system logs, network traffic data and so on. But the value of a honeypot usually only shows after the captured data has been analysed, which mainly includes analysis of network protocol types, of attack behaviour and of attack packet contents [35]. Data control mainly refers to restricting the honeypot's outbound data transmission and network access, so that when the honeypot system is compromised by the attacker it cannot cause further harm; data control is mainly there to ensure the safety of the honeypot itself [36].

Based on the literature, this thesis classifies honeypots from the perspectives of interaction degree and specific implementation [37, 8]. They can also be classified from other perspectives; here are two simple examples.

Classification by degree of interaction

The interaction degree of a honeypot usually depends on how faithfully it simulates the corresponding service. (1) Low-interaction honeypots usually provide only a small amount of interaction. The honeypot listens for connections and records data packets on specific ports, which can be used to detect port scanning and brute-force cracking [38]. A low-interaction honeypot has a simple structure and is easy to install and deploy; because of the low degree of simulation and limited functionality, it collects limited information but carries low risk [39]. (2) High-interaction honeypots are usually built on a real application environment and can provide real services. A high-interaction honeypot can be used to obtain a large amount of information and capture a wide variety of attacker operations, so it has the ability to discover new attack methods and new ways of exploiting vulnerabilities [40]. Because a high-interaction honeypot gives the attacker a relatively real application environment, it carries high risk, so attention is usually paid to its data control function [41].
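To make the three honeypot functions described above (data capture, data analysis, data control) and the low-interaction case concrete, here is an added example that is not part of the original post and not code from Kippo, Dionaea or any other project named here. It is a minimal low-interaction TCP decoy: it listens on a few assumed decoy ports, records each connection attempt together with the first bytes the client sends (capture), closes the socket without answering and never connects outward (the simplest data control), and runs two detectors over the records (analysis): one source touching several decoy ports within a time window is reported as a port scan, and one source hammering the same port is reported as brute force. The ports, thresholds and the `SAMPLE_EVENTS` list are constructed for illustration; `detect()` runs offline on them, and `serve()` is what you would run on a real decoy host.

```python
"""Minimal low-interaction TCP honeypot with port-scan and brute-force detection.

Added example, not code from the original post or from any honeypot project it
names. Decoy ports, thresholds and SAMPLE_EVENTS are constructed for illustration.
"""
import selectors
import socket
import time
from collections import defaultdict
from dataclasses import dataclass

LISTEN_PORTS = (2222, 2323, 8080)  # assumed decoy ports; no real service lives here
WINDOW = 60.0      # seconds of history a detector looks back over
SCAN_PORTS = 3     # distinct decoy ports hit by one source within WINDOW -> port scan
BRUTE_HITS = 5     # repeated hits on one port by one source within WINDOW -> brute force


@dataclass
class Event:
    """One captured connection attempt (the honeypot's data-capture record)."""
    ts: float           # unix timestamp
    src: str            # source IP address
    port: int           # decoy port that was hit
    first_bytes: bytes  # up to 64 bytes the client sent before the socket was closed


def detect(events, window=WINDOW, scan_ports=SCAN_PORTS, brute_hits=BRUTE_HITS):
    """Data analysis: derive (kind, src, detail) alerts from captured events.

    A port scan is reported once per source; brute force once per source and port.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        scan_reported, brute_reported = False, set()
        for i, ev in enumerate(evs):
            # events from this source inside the sliding window that ends at ev
            recent = [e for e in evs[: i + 1] if ev.ts - e.ts <= window]
            ports = {e.port for e in recent}
            if not scan_reported and len(ports) >= scan_ports:
                alerts.append(("port_scan", src, sorted(ports)))
                scan_reported = True
            hits = sum(1 for e in recent if e.port == ev.port)
            if ev.port not in brute_reported and hits >= brute_hits:
                alerts.append(("brute_force", src, ev.port))
                brute_reported.add(ev.port)
    return alerts


def serve(ports=LISTEN_PORTS, log_path="honeypot_events.log", read_timeout=2.0):
    """Data capture: accept on the decoy ports, record each hit, close the socket.

    Nothing is sent back and no outbound connection is ever opened, which is the
    simplest form of data control for a low-interaction decoy.
    """
    sel = selectors.DefaultSelector()
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("0.0.0.0", port))
        s.listen(16)
        s.setblocking(False)
        sel.register(s, selectors.EVENT_READ, data=port)

    events, reported = [], set()
    with open(log_path, "a") as log:
        while True:
            for key, _ in sel.select():
                conn, (src, _) = key.fileobj.accept()
                conn.settimeout(read_timeout)
                try:
                    head = conn.recv(64)   # banner-sized prefix only
                except OSError:            # includes the read timeout
                    head = b""
                finally:
                    conn.close()
                ev = Event(time.time(), src, key.data, head)
                events.append(ev)
                log.write(f"{ev.ts:.3f}\t{ev.src}\t{ev.port}\t{ev.first_bytes!r}\n")
                log.flush()
                for alert in detect(events[-500:]):   # bounded history
                    tag = (alert[0], alert[1], str(alert[2]))
                    if tag not in reported:
                        reported.add(tag)
                        print("ALERT", *alert)


# Constructed sample: one scanner, one password guesser, one harmless client.
SAMPLE_EVENTS = [
    Event(1000.0, "10.0.0.5", 2222, b""),
    Event(1001.0, "10.0.0.5", 2323, b""),
    Event(1002.0, "10.0.0.5", 8080, b""),                   # three ports in 2 s
    *[Event(1100.0 + i, "10.0.0.9", 2222, b"SSH-2.0-x\r\n") for i in range(5)],
    Event(1200.0, "10.0.0.7", 8080, b"GET / HTTP/1.0\r\n"),  # single hit, no alert
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))  # offline demo; call serve() to listen for real
```

The detector deliberately keys on behaviour a decoy can observe without emulating any protocol, which is exactly the trade-off of the low-interaction class: cheap and safe, but it will not tell you what the attacker would have done after logging in.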

Classification by specific implementation

Honeypots can be divided into physical and virtual honeypots according to how they are implemented. (1) A physical honeypot usually refers to a real physical computer with a corresponding operating system and network environment; it can provide partly or completely real application services, and usually costs more. (2) A virtual honeypot is usually simulated with virtual machine technology and costs less than a physical honeypot. However, because of the characteristics of the virtual machine itself, a virtual honeypot is easy for an experienced attacker to identify [42]. Docker-based honeypots have also become popular in the last two years.

Throughout its development, the Internet has been under the threat of various network security problems [2]. As technology has developed, attack techniques and protective measures have been in a constant contest. However, because attack and defense work from different angles, the defending side is often in a passive position: the attacker only needs to find one breakthrough point to succeed, while the defender must consider the overall situation and also have fast detection and emergency response mechanisms to keep the information system as secure as possible. Honeypot technology is a more active protection technology intended to change this passive situation [3]. A honeypot is a kind of security resource; it does not need to provide a practical application, and its value lies in inducing and recording attack behaviour, so as to understand the attacker's intrusion methods and means and delay the attack process. More and more security practitioners at home and abroad have begun to pay attention to honeypots, a new network security technology.


Honeypot technology was first proposed in 1989. During its development, driven by the Honeynet Project and other open-source technology teams, honeypot software tools addressing different types of network security problems emerged. Honeypot technology has also developed from the honeypot to the honeynet, the distributed honeynet and the honeyfarm, and is constantly being applied to malicious sample capture, intrusion detection, attack technique analysis, network forensics, botnet investigation and other security areas.

The Honeynet Project is a well-known organization for researching and promoting honeypot technology; it is an open-source technology research organization made up of many volunteers at home and abroad. Around 2000, the Honeynet Project team mainly carried out theoretical verification and tests of model honeypot systems. Based on the research and test results, the theory of the first-generation honeynet was put forward and its feasibility and effectiveness were verified. From 2002 to 2004 the team mainly studied the theory and technology of data control, data capture and data analysis, then released the second-generation honeynet model framework, focusing on how to simplify honeynet deployment. Since 2005 the convenience, data capture and data analysis of the honeynet have become the team's research focus, and the third-generation honeynet framework was also released in this period [6].

At present, honeypot researchers have developed honeypots of many types and functions. Worth mentioning is the Modern Honey Network (MHN) project, which greatly simplifies honeypot deployment and allows researchers to quickly deploy a honeypot system to capture attack data. In recent years the MHN open-source project community has been active and constantly updated, and it has good application prospects [7]. MHN supports a variety of open-source honeypot software and the open-source communication protocol hpfeeds [7].
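Since hpfeeds is the channel through which MHN sensors ship their captures to the broker, here is an added example (not code from the hpfeeds or MHN projects) that shows the three messages of that exchange in both directions: the broker's INFO greeting carrying a nonce, the sensor's AUTH reply, and a PUBLISH of one captured event. The wire format is my reading of the public hpfeeds v1 reference client (a 5-byte header of big-endian total length plus opcode, 1-byte length-prefixed strings, and SHA-1 of nonce plus secret as the credential); treat those details as an assumption to check against the implementation you actually deploy. The sensor identifier, secret, channel name, nonce length and event payload are constructed for illustration.

```python
"""hpfeeds v1 framing: INFO / AUTH / PUBLISH between an MHN sensor and its broker.

Added example, not code from the hpfeeds or MHN projects. Wire format is my reading
of the reference client and is an assumption to verify; all identifiers, the secret,
the channel name and the payload are constructed.
"""
import hashlib
import hmac
import os
import struct

OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = 0, 1, 2, 3, 4
MAX_FRAME = 1 << 20  # assumed sanity limit so a bogus length cannot make us buffer forever


def strpack8(s: bytes) -> bytes:
    """String with a 1-byte length prefix."""
    if len(s) > 255:
        raise ValueError("string too long for 1-byte length prefix")
    return struct.pack("!B", len(s)) + s


def strunpack8(buf: bytes):
    """Inverse of strpack8: return (string, remainder)."""
    n = buf[0]
    if len(buf) < 1 + n:
        raise ValueError("truncated string")
    return buf[1:1 + n], buf[1 + n:]


def frame(op: int, payload: bytes) -> bytes:
    """Header = 4-byte total length (header included) + 1-byte opcode."""
    return struct.pack("!iB", 5 + len(payload), op) + payload


def unframe(buf: bytes):
    """Parse one frame from a receive buffer: (op, payload, rest), or None if incomplete."""
    if len(buf) < 5:
        return None
    total, op = struct.unpack("!iB", buf[:5])
    if total < 5 or total > MAX_FRAME:
        raise ValueError(f"bad frame length {total}")
    if len(buf) < total:
        return None
    return op, buf[5:total], buf[total:]


# broker -> sensor
def msg_info(broker_name: bytes, nonce: bytes) -> bytes:
    return frame(OP_INFO, strpack8(broker_name) + nonce)


# sensor -> broker
def msg_auth(nonce: bytes, ident: bytes, secret: bytes) -> bytes:
    return frame(OP_AUTH, strpack8(ident) + hashlib.sha1(nonce + secret).digest())


def msg_publish(ident: bytes, channel: bytes, data: bytes) -> bytes:
    return frame(OP_PUBLISH, strpack8(ident) + strpack8(channel) + data)


# broker-side handling
def check_auth(payload: bytes, nonce: bytes, credentials: dict):
    """Return the ident if the AUTH digest matches the stored secret, else None."""
    ident, digest = strunpack8(payload)
    secret = credentials.get(ident)
    if secret is None:
        return None
    expected = hashlib.sha1(nonce + secret).digest()
    return ident if hmac.compare_digest(expected, digest) else None


def parse_publish(payload: bytes):
    ident, rest = strunpack8(payload)
    channel, data = strunpack8(rest)
    return ident, channel, data


def demo_exchange(secret_used: bytes = b"constructed-secret"):
    """Run the three-message exchange in memory and report what the broker saw."""
    credentials = {b"sensor-01": b"constructed-secret"}  # broker's credential store
    nonce = os.urandom(4)                                  # 4-byte nonce assumed
    # 1. broker greets with its name and a fresh nonce
    op, payload, _ = unframe(msg_info(b"hpfeeds-broker", nonce))
    _name, got_nonce = strunpack8(payload)
    # 2. sensor answers AUTH and immediately PUBLISHes; both may land in one TCP read
    wire = msg_auth(got_nonce, b"sensor-01", secret_used)
    wire += msg_publish(b"sensor-01", b"kippo.sessions", b'{"src":"10.0.0.9","port":2222}')
    op, payload, rest = unframe(wire)
    ident = check_auth(payload, nonce, credentials) if op == OP_AUTH else None
    if ident is None:
        return {"authenticated": False}  # a real broker sends OP_ERROR and drops the link
    op, payload, rest = unframe(rest)
    pub_ident, channel, data = parse_publish(payload)
    return {"authenticated": True, "ident": ident, "channel": channel, "data": data,
            "publisher_matches": pub_ident == ident, "leftover": rest}


if __name__ == "__main__":
    print(demo_exchange())
```

Two points a deployer cares about are visible in the code: the broker compares digests in constant time and keys the credential on the ident carried in AUTH, and `unframe` bounds the announced length before buffering, because every sensor that can reach the broker port can send it a header.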


Judging by domestic open academic papers, technical communities and other literature, domestic researchers' research and application of honeypot technology in recent years has not been extensive enough [8]. Since 2006, honeypot technology has been used to detect worms [9, 10]. Since 2008 it has been applied to port detection [11], intrusion detection [12] and attack warning [13]. Since then, some researchers have applied honeypot technology to building secure campus networks [14] and enterprise networks [6]; in addition to wired networks there are also applications of wireless honeypot technology [15]. However, there are few documents about applying honeypot technology to intranet security, and the only one found gives a general honeypot architecture: by deploying high-interaction honeypots in the intranet, it tries to capture unknown attacks, find unknown system vulnerabilities, and understand the attacker's attack methods and tools [16].

In applying honeypot technology to network security threats, the research results of Peking University's "Hunting Goddess" (Artemis) research team stand out [17]. In 2004 the Peking University Institute of Computing established the Hunting Goddess Honeynet Project team, and in 2005 the team, as the only one from mainland China, successfully joined the Honeynet Project, the world-famous honeynet research organization. The Hunting Goddess team has studied honeynet technology and network attack detection for many years. At first, honeypots were used to collect attack characteristics and build an attack knowledge base and a vulnerability knowledge base; then honeypot technology was used to capture and learn real Internet attack and defense knowledge, and the results were applied to botnet monitoring and tracking; later, an active network security protection technology was built on the honeypot framework architecture. Among them, Zhuge Jianwei, one of the main researchers, has continued the research and practical application of honeypot technology since moving to the security team of Tsinghua University [18], for example deploying the Kippo honeypot at CNCERT for SSH-related attack detection and data analysis.

To sum up, the state of honeypot research and application at home and abroad shows that honeypot technology is used more and more widely by researchers, but up to now there is still little research applying honeypot technology to internal network security, and the existing honeypot schemes are often complex in structure and deployment, with a high technical threshold, which makes them difficult to promote and use more widely. Therefore, this thesis attempts to study and design a honeypot scheme that is simple and convenient to deploy, and to apply honeypot technology to solving the security problems of the internal network.

I have re-searched the articles I read and some new popular-science articles on honeypots. The links are listed below (I put the easy-to-read articles first), for the convenience of friends who want to learn about honeypot technology:

Popular-science articles on honeypot technology

Actual deployment of the Kippo honeypot at CERNET (September 2011)

Introduction to the Dionaea low-interaction honeypot (September 23, 2011, PDF)

Deployment practice of the Dionaea low-interaction honeypot (September 23, 2011, PDF)

The past and present of the Hunting Goddess (Artemis) honeynet (2011.11.28)

From honeypot data to SSH honeypot typical attack analysis (June 1, 2017)

Hands-on deployment

Details of the Dionaea low-interaction honeypot deployment (September 25, 2013)

Dionaea honeypot guide (2015.1.13)

Kippo honeypot guide (2015.1.12)

Honeypot network (May 7, 2015)

Deploying a Raspberry Pi honeypot node based on the MHN open-source project (November 9, 2015)


There are many excellent articles on FreeBuf (search for "honeypot")

The Honeynet Project

MHN (Modern Honey Network) project

Security companies and products

Several companies I have been following that develop honeypot products are all led by expert teams, and their products can be used for reference.

Jinhang Technology: Magic Cloud

Changting Technology: Listening

Most of these documents are papers; they can usually be searched for and accessed free of charge through a campus network library system or some third-party paper library.

Series of articles, to be continued

Reprinted from: sosly Rookie Notes

You are also welcome to follow the WeChat official account: sosly (Rookie Notes).