A network active defense technology based on multi-layers deception in the distributed deception space is proposed to meet the needs of network countermeasure and network security. This technology simulates usual network service programs and forges vulnerabilities to lure the intruder. With operation control at kernel level, file system mirror and information deception, it creates the deceiving operating environment on the platform of Windows and Linux. Thus the process of intrusion is fully deceived, monitored and controlled. This technology breaks the limitation of a single layer deception used by other general honeypots, and obviously promotes the level of deception, interaction and ensures security.