CN107579973B - Network space detection method and device and computing equipment - Google Patents

Publication number
CN107579973B
Authority
CN
China
Legal status
Active
Application number
CN201710780893.XA
Inventor
康凯
Current Assignee
Beijing Knownsec Information Technology Co Ltd
Original Assignee
Beijing Knownsec Information Technology Co Ltd

Abstract

The invention discloses a network space detection method, a device and a computing device, wherein the computing device is in communication connection with a plurality of target hosts, and each target host has a corresponding target parameter, and the method comprises the following steps: acquiring target parameters of each target host to be detected; performing randomized sequencing on the obtained target parameters to generate corresponding target detection sequences; according to the sequence of each target parameter in the target detection sequence, sequentially sending a detection data packet to a target host corresponding to the target parameter so that the target host can feed back the detection data packet; receiving feedback data packets corresponding to the sent detection data packets; analyzing each feedback data packet to acquire corresponding feedback information and an associated feedback state; and if the feedback state indicates that the feedback data packet is a normal data packet, extracting target host information from the feedback information, and storing the target host information and the corresponding target parameters in a correlation manner.

Description

Network space detection method and device and computing equipment
Technical Field
The present invention relates to the field of computer networks, and in particular, to a network space detection method, device, and computing device.
Background
With the continuous development of internet technology, more and more people begin to access the internet through various terminal devices to obtain required information and enjoy life convenience brought by internet services. In order to make better use of the internet, it is necessary to probe the network space of the internet to ascertain the terminal devices present therein.
When existing network space detection methods probe a batch of target IP addresses or target ports, they mostly step through the targets by incrementing a counter, so the targets are probed according to a fixed rule, such as increasing order, and the probing is highly regular. Some network nodes in the network space are equipped with anti-scanning systems, generally intrusion detection devices, which can sense network space detection behavior and cut off the connection with the detection source once it is identified. In particular, when the detection behavior is regular, it triggers the detection rules of the intrusion detection equipment more easily, so the detection behavior is sensed and the detection success rate is reduced. Therefore, a new cyberspace detection scheme is required to improve the above process.
Disclosure of Invention
To this end, the present invention provides a technical solution for cyber-spatial detection in an attempt to solve or at least alleviate the above existing problems.
According to an aspect of the present invention, there is provided a cyber-space detecting method, adapted to be executed in a computing device, the computing device being communicatively connected to a plurality of target hosts, each target host having corresponding target parameters, the method comprising the steps of: acquiring target parameters of each target host to be detected; performing randomized sequencing on the obtained target parameters to generate corresponding target detection sequences; according to the sequence of each target parameter in the target detection sequence, sequentially sending a detection data packet to a target host corresponding to the target parameter so that the target host can feed back the detection data packet; receiving feedback data packets corresponding to the sent detection data packets; analyzing each feedback data packet to acquire corresponding feedback information and an associated feedback state; and if the feedback state indicates that the feedback data packet is a normal data packet, extracting target host information from the feedback information, and storing the target host information and the corresponding target parameters in a correlation manner.
Optionally, in the network space probing method according to the present invention, the target parameter is a target IP address and/or a target port.
Optionally, in the network space probing method according to the present invention, the step of performing randomized ordering on the obtained target parameters to generate a corresponding target probing sequence includes: acquiring the total number of target parameters as a first number; generating a first number of random numbers within a preset first value interval, and sequentially distributing the random numbers to each target parameter; and sorting the random numbers in ascending order (from small to large), and ordering the target parameters corresponding to the random numbers according to the sorting result to generate a corresponding target detection sequence.
Optionally, in the network space probing method according to the present invention, the step of performing randomized ordering on the obtained target parameters to generate a corresponding target probing sequence includes: for each target host, associating one or more target ports to be detected of the target host with a target IP address thereof to generate target parameter pairs with the same number as the target ports to be detected; acquiring the total number of the target parameter pairs as a second number; generating a second number of random numbers within a preset second numerical interval, and sequentially distributing the random numbers to each target parameter pair; and sorting the random numbers in ascending order (from small to large), and ordering the target parameter pairs corresponding to the random numbers according to the sorting result to generate a corresponding target detection sequence.
Optionally, in the network space probing method according to the present invention, the step of performing randomized ordering on the obtained target parameters to generate a corresponding target probing sequence includes: acquiring the total number of the target parameters as a third number; generating, in order from small to large, a third number of random numbers within a preset third numerical value interval, and randomly distributing the random numbers to each target parameter; and sorting the random numbers in ascending order (from small to large), and ordering the target parameters corresponding to the random numbers according to the sorting result to generate a corresponding target detection sequence.
Optionally, in the network space probing method according to the present invention, the probing packet is an abnormal packet.
Optionally, in the cyberspace detecting method according to the present invention, the target host information includes a system, version, protocol and/or time stamp of the target host.
Optionally, in the network space detecting method according to the present invention, further comprising: and if the feedback state indicates that the feedback data packet is an abnormal data packet, sending the detection data packet corresponding to the feedback state again after a preset time interval.
According to yet another aspect of the present invention, there is provided a cyber-space detecting apparatus adapted to reside in a computing device communicatively coupled to a plurality of target hosts, each target host having corresponding target parameters, the apparatus comprising an obtaining module, a randomizing module, a transmitting module, a receiving module, a parsing module, and a storing module. The acquisition module is suitable for acquiring target parameters of each target host to be detected; the randomization module is suitable for performing randomization sequencing on the acquired target parameters to generate corresponding target detection sequences; the sending module is suitable for sending detection data packets to a target host corresponding to the target parameters in sequence according to the sequence of the target parameters in the target detection sequence so that the target host can feed back the detection data packets; the receiving module is suitable for receiving the feedback data packets corresponding to the sent detection data packets; the analysis module is suitable for analyzing each feedback data packet to acquire corresponding feedback information and an associated feedback state; and the storage module is suitable for extracting the target host information from the feedback information and storing the target host information and the corresponding target parameters in a correlation manner when the feedback state indicates that the feedback data packet is a normal data packet.
According to yet another aspect of the present invention, there is provided a computing device comprising a cyber-space detecting apparatus according to the present invention.
According to yet another aspect of the invention, there is provided a computing device comprising one or more processors, memory, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions for performing the cyberspace detection method according to the invention.
According to yet another aspect of the present invention, there is also provided a computer readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by a computing device, cause the computing device to perform a cyber-space detecting method according to the present invention.
According to the technical scheme of the network space detection, target parameters of target hosts to be detected are randomized and sequenced to generate corresponding target detection sequences, detection data packets are sequentially sent to the target hosts corresponding to the target parameters according to the sequence of the target parameters, so that the target hosts can feed back the detection data packets, each received feedback data packet is analyzed to obtain corresponding feedback information and an associated feedback state, and if the feedback state indicates that the feedback data packet is a normal data packet, target host information is extracted from the feedback information and is stored in association with the target parameters corresponding to the feedback information. In the above scheme, when performing randomized ordering on each target parameter, considering that a target host may have multiple target ports to be detected, for each target host, associating one or more target ports to be detected of the target host with a target IP address thereof to generate target parameter pairs with the same number as the target ports to be detected, then obtaining the total number of the target parameter pairs, generating a total number of random numbers and sequentially allocating the random numbers to each target parameter pair, ordering the random numbers in the order from small to large, and ordering the target parameter pairs corresponding to the random numbers according to the ordering result to generate corresponding target detection sequences. Based on the method, the detection data packets with the number consistent with that of the target ports to be detected are sent to the target host with the target ports to be detected, the sending sequence of the detection data packets is random, the detection integrity is guaranteed, the possibility that the detection behavior is sensed is reduced, and the detection success rate is improved.
Drawings
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings, which are indicative of various ways in which the principles disclosed herein may be practiced, and all aspects and equivalents thereof are intended to be within the scope of the claimed subject matter. The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description read in conjunction with the accompanying drawings. Throughout this disclosure, like reference numerals generally refer to like parts or elements.
FIG. 1 shows a schematic diagram of a network system 100 according to one embodiment of the invention;
FIG. 2 illustrates a block diagram of a computing device 200, according to an embodiment of the invention;
FIG. 3 illustrates a flow diagram of a script execution method 300 according to one embodiment of the invention; and
FIG. 4 is a diagram illustrating a script execution apparatus 400 according to one embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Fig. 1 shows a schematic diagram of a network system 100 according to an embodiment of the invention. It should be noted that the network system 100 in fig. 1 is only exemplary, in a specific practical situation, there may be different numbers of computing devices and target hosts in the network system 100, and the number of target hosts is usually very large, and the invention does not limit the number of computing devices and target hosts included in the network system 100. As shown in fig. 1, network system 100 includes computing device 200, target host 500, target host 600, and target host 700. Where computing device 200 is communicatively coupled to target hosts 500, 600, and 700, respectively. Specifically, the computing device 200 first obtains target parameters of the target hosts 500, 600, and 700 to be detected, performs randomized ordering on the obtained target parameters to generate corresponding target detection sequences, and sequentially sends detection packets to the target hosts corresponding to the target parameters according to the order of the target parameters in the target detection sequences, so that the target hosts feed back the detection packets. When receiving the corresponding detection data packets, the target hosts 500, 600, and 700 feed back the detection data packets, and respectively send corresponding feedback data packets to the computing device 200, and after receiving the feedback data packets corresponding to the sent detection data packets, the computing device 200 performs analysis processing on the feedback data packets to obtain corresponding feedback information and associated feedback states, and if the feedback states indicate that the feedback data packets are normal data packets, extracts target host information from the feedback information, and stores the target host information and corresponding target parameters in an associated manner.
FIG. 2 is a block diagram of a computing device 200, according to one embodiment of the invention. In a basic configuration 202, computing device 200 typically includes system memory 206 and one or more processors 204. A memory bus 208 may be used for communication between the processor 204 and the system memory 206.
Depending on the desired configuration, the processor 204 may be any type of processor, including but not limited to: a microprocessor (μP), a microcontroller (μC), a Digital Signal Processor (DSP), or any combination thereof. The processor 204 may include one or more levels of cache, such as a level one cache 210 and a level two cache 212, a processor core 214, and registers 216. Example processor cores 214 may include Arithmetic Logic Units (ALUs), Floating Point Units (FPUs), digital signal processing cores (DSP cores), or any combination thereof. The example memory controller 218 may be used with the processor 204, or in some implementations the memory controller 218 may be an internal part of the processor 204.
Depending on the desired configuration, system memory 206 may be any type of memory, including but not limited to: volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof. System memory 206 may include an operating system 220, one or more programs 222, and program data 224. In some implementations, the program 222 can be arranged to execute instructions on the operating system with the program data 224 by the one or more processors 204.
Computing device 200 may also include an interface bus 240 that facilitates communication from various interface devices (e.g., output devices 242, peripheral interfaces 244, and communication devices 246) to the basic configuration 202 via the bus/interface controller 230. The example output device 242 includes a graphics processing unit 248 and an audio processing unit 250. They may be configured to facilitate communication with various external devices, such as a display or speakers, via one or more A/V ports 252. Example peripheral interfaces 244 can include a serial interface controller 254 and a parallel interface controller 256, which can be configured to facilitate communications with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device) or other peripherals (e.g., printer, scanner, etc.) via one or more I/O ports 258. An example communication device 246 may include a network controller 260, which may be arranged to facilitate communications with one or more other computing devices 262 over a network communication link via one or more communication ports 264.
A network communication link may be one example of a communication medium. Communication media may typically be embodied by computer readable instructions, data structures, program modules, and may include any information delivery media, such as carrier waves or other transport mechanisms, in a modulated data signal. A "modulated data signal" may be a signal that has one or more of its data set or its changes made in such a manner as to encode information in the signal. By way of non-limiting example, communication media may include wired media such as a wired network or private-wired network, and various wireless media such as acoustic, Radio Frequency (RF), microwave, Infrared (IR), or other wireless media. The term computer readable media as used herein may include both storage media and communication media.
Computing device 200 may be implemented as a server, such as a file server, a database server, an application server, a WEB server, etc., or as part of a small-form factor portable (or mobile) electronic device, such as a cellular telephone, a Personal Digital Assistant (PDA), a personal media player device, a wireless WEB-browsing device, a personal headset device, an application-specific device, or a hybrid device that include any of the above functions. Computing device 200 may also be implemented as a personal computer including both desktop and notebook computer configurations. In some embodiments, the computing device 200 is configured to perform a cyber-spatial detection method 300 in accordance with the present invention. The program 222 includes a cyberspace detecting apparatus 400 according to the present invention.
Fig. 3 shows a flow diagram of a cyber-space detecting method 300 according to one embodiment of the invention. The cyber-space detecting method 300 is suitable for execution in a computing device, such as the computing device 200 shown in FIG. 2. As shown in fig. 3, the method 300 begins at step S310. In step S310, a target parameter of each target host to be detected is obtained, where the target parameter is a target IP address and/or a target port. According to an embodiment of the present invention, there are 10 target hosts to be detected in total, marked as A1, A2, A3, …, A9 and A10 respectively, the target parameters are target IP addresses, the target IP addresses of the target hosts A1 to A10 are B1, B2, B3, …, B9 and B10 in sequence, and the target port to be detected of each target host is C1. Table 1 shows an example of association between a target host and a target parameter according to an embodiment of the present invention, which is specifically as follows:

| Target host | Target IP address | Target port |
| --- | --- | --- |
| A1 | B1 | C1 |
| A2 | B2 | C1 |
| A3 | B3 | C1 |
| … | … | … |
| A9 | B9 | C1 |
| A10 | B10 | C1 |

TABLE 1
Subsequently, step S320 is performed to perform randomized ordering on the acquired target parameters to generate a corresponding target detection sequence. According to one embodiment of the present invention, the target detection sequence may be generated from the target parameters in the following manner. Firstly, the total number of target parameters is obtained as a first number, a first number of random numbers within a preset first value interval are generated and sequentially distributed to the target parameters, the random numbers are sorted from small to large, and the target parameters corresponding to the random numbers are ordered according to the sorting result to generate the corresponding target detection sequence. In this embodiment, the target parameter is a target IP address, and the first value interval is preset to [1,100], which represents a value range of not less than 1 and not more than 100. The total number of the target IP addresses is acquired as the first number, the first number is 10, then 10 random numbers which are not less than 1 and not more than 100 are generated, the random numbers are respectively 56, 23, 17, 90, 25, 6, 78, 11, 63 and 39, and the random numbers are sequentially distributed to the target IP addresses B1 to B10. Table 2 shows an example of a correspondence relationship between a target IP address and a random number according to an embodiment of the present invention, which is specifically as follows:

| Target IP address | Random number |
| --- | --- |
| B1 | 56 |
| B2 | 23 |
| B3 | 17 |
| … | … |
| B9 | 63 |
| B10 | 39 |

TABLE 2
Then, the random numbers are sorted from small to large, the sorted random numbers are 6, 11, 17, 23, 25, 39, 56, 63, 78 and 90 in sequence, and the target IP addresses corresponding to the random numbers are sorted according to the sorting result to generate corresponding target detection sequences, wherein the target IP addresses in the target detection sequences are B6, B8, B3, B2, B5, B10, B1, B9, B7 and B4 in sequence. Table 3 shows an example of an object detection sequence according to an embodiment of the present invention, as follows:

| Order | Target IP address |
| --- | --- |
| 1 | B6 |
| 2 | B8 |
| 3 | B3 |
| … | … |
| 9 | B7 |
| 10 | B4 |

TABLE 3
Considering that one target host may have a plurality of target ports to be detected, when performing randomized sequencing on target parameters corresponding to each target host, each target port to be detected corresponding to the same target IP address also needs to participate in the sequencing, thereby generating a target detection sequence. According to another embodiment of the present invention, there are 10 target hosts to be detected in total, marked as A1, A2, A3, …, A9 and A10 respectively, the target parameters are target IP addresses, the target IP addresses of the target hosts A1 to A10 are B1, B2, B3, …, B9 and B10 in sequence, the target ports to be detected of the target host A1 are C1, C2, and C3, the target ports to be detected of the target host A2 are C1 and C3, and the target ports to be detected of the target hosts A3 to A10 are all C1. Table 4 shows an example of association between a target host and a target parameter according to another embodiment of the present invention, which is specifically as follows:
TABLE 4
In the case that the number of target ports to be probed on a target host may be more than one, the target probing sequence may be generated in the following manner. Firstly, for each target host, one or more target ports to be detected of the target host are associated with its target IP address to generate target parameter pairs with the same number as the target ports to be detected; then the total number of the target parameter pairs is acquired as a second number, a second number of random numbers within a preset second value interval are generated and sequentially allocated to the target parameter pairs; finally the random numbers are sorted from small to large, and the target parameter pairs corresponding to the random numbers are ordered according to the sorting result to generate the corresponding target detection sequence. In this embodiment, the second value interval is preset to [1,200], which represents a value range of not less than 1 and not more than 200. Firstly, one or more target ports to be detected of the target hosts A1 to A10 are associated with the target IP addresses of the target hosts to generate target parameter pairs with the same number as the target ports to be detected. For example, the target host A1 has 3 target ports to be probed, which are C1, C2, and C3, respectively; associating the target ports C1, C2, and C3 with the target IP address B1 gives 3 target parameter pairs (B1, C1), (B1, C2), and (B1, C3). The target parameter pairs of the target hosts A2 to A10 are obtained in the same way, and Table 5 shows an example of association between the target hosts and the target parameter pairs according to another embodiment of the present invention, which is specifically as follows:
TABLE 5
Then, the total number of the target parameter pairs is obtained as the second number, and the obtained second number is 13, then 13 random numbers not less than 1 and not more than 200, respectively 135, 46, 34, 2, 98, 177, 15, 72, 85, 61, 191, 144 and 29, are generated, and the 13 random numbers are sequentially allocated to each target parameter pair. Table 6 shows an example of correspondence between the target parameter pair and the random number according to another embodiment of the present invention, which is specifically as follows:
TABLE 6
Next, the random numbers are sorted from small to large, the sorted random numbers are sequentially 2, 15, 29, 34, 46, 61, 72, 85, 98, 135, 144, 177 and 191, and the target parameter pairs corresponding to the random numbers are ordered according to the sorting result to generate the corresponding target detection sequence, wherein the target parameter pairs in the target detection sequence are sequentially (B2, C1), (B4, C1), (B10, C1), (B1, C3), (B1, C2), (B7, C1), (B5, C1), (B6, C1), (B2, C3), (B1, C1), (B9, C1), (B3, C1) and (B8, C1). Table 7 shows an example of a target detection sequence according to yet another embodiment of the present invention, as follows:

| Order | Target parameter pair |
| --- | --- |
| 1 | (B2,C1) |
| 2 | (B4,C1) |
| 3 | (B10,C1) |
| … | … |
| 12 | (B3,C1) |
| 13 | (B8,C1) |

TABLE 7
In addition, when performing the randomized ordering on each target parameter, according to another embodiment of the present invention, the total number of the target parameters may be obtained as a third number, a third number of random numbers within a preset third value interval are generated in order from small to large and randomly allocated to each target parameter, then the random numbers are sorted from small to large, and the target parameters corresponding to the random numbers are ordered according to the sorting result to generate a corresponding target probing sequence. In this embodiment, the association between the target host and the target parameter is the example shown in Table 1, and the third value interval is preset to [1,100], which represents a value range of not less than 1 and not more than 100. The total number of the target IP addresses is obtained as the third number, the third number is 10, 10 random numbers not less than 1 and not more than 100, namely 3, 15, 26, 37, 42, 51, 69, 77, 86 and 98, are generated in order from small to large and are randomly allocated to the target IP addresses B1 to B10, so that the random numbers corresponding to the target IP addresses B1 to B10 are 37, 77, 98, 3, 15, 69, 42, 26, 86 and 51. Table 8 shows an example of a correspondence relationship between a target IP address and a random number according to an embodiment of the present invention, which is specifically as follows:

| Target IP address | Random number |
| --- | --- |
| B1 | 37 |
| B2 | 77 |
| B3 | 98 |
| … | … |
| B9 | 86 |
| B10 | 51 |

TABLE 8
Next, the random numbers are sorted from small to large, the sorted random numbers are 3, 15, 26, 37, 42, 51, 69, 77, 86 and 98 in order, and the target IP addresses corresponding to the random numbers are ordered according to the sorting result to generate the corresponding target probing sequence, in which the target IP addresses are B4, B5, B8, B1, B7, B10, B6, B2, B9 and B3 in order. Table 9 shows an example of a target detection sequence according to yet another embodiment of the present invention, as follows:

| Order | Target IP address |
| --- | --- |
| 1 | B4 |
| 2 | B5 |
| 3 | B8 |
| … | … |
| 9 | B9 |
| 10 | B3 |

TABLE 9
In addition, when the target parameter is the target port, when performing randomized ordering on each target port to generate the corresponding target probing sequence, the above-described manner of performing randomized ordering on each target IP address to generate the corresponding target probing sequence may be adopted for processing, and details are not described here again. The present invention is not limited to the above specific algorithms for generating the target probing sequence by randomized sequence, which are easily conceivable by those skilled in the art and are within the scope of the present invention, and therefore, they are not described herein again.
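Added example (not part of the patent): a defender-side illustration in Python of why scan detection should not depend on probe order. It reproduces the Table 2 to Table 3 ordering and runs two detection rules over constructed flow records; the addresses, thresholds and function names are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address

# Constructed sample data: B1..B10 mapped to documentation addresses (RFC 5737).
TARGETS = {f"B{i}": f"192.0.2.{i}" for i in range(1, 11)}
# Random numbers from the page's Table 2, assigned to B1..B10 in order.
TABLE2_KEYS = [56, 23, 17, 90, 25, 6, 78, 11, 63, 39]


def probe_order(names, keys):
    """Step S320 as described: order targets by their random number, ascending."""
    return [name for _, name in sorted(zip(keys, names), key=lambda p: p[0])]


def to_events(order, src="198.51.100.7", port=80, start=0.0, gap=0.5):
    """Build constructed flow records (ts, src, dst, dport), one per probe."""
    return [(start + i * gap, src, TARGETS[n], port) for i, n in enumerate(order)]


def sequential_sweep_alerts(events, min_run=5):
    """Order-dependent rule: alert when a source walks min_run addresses in +1 steps."""
    last, run, alerts = {}, {}, set()
    for _, src, dst, _ in events:
        cur = int(ip_address(dst))
        run[src] = run.get(src, 0) + 1 if last.get(src) == cur - 1 else 1
        last[src] = cur
        if run[src] >= min_run:
            alerts.add(src)
    return alerts


def fanout_alerts(events, window=30.0, max_dsts=8):
    """Order-independent rule: alert when one source touches more than max_dsts
    distinct (dst, port) pairs inside a sliding window of `window` seconds."""
    recent, alerts = defaultdict(deque), set()
    for ts, src, dst, dport in sorted(events):
        q = recent[src]
        q.append((ts, dst, dport))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop records that fell out of the window
        if len({(d, p) for _, d, p in q}) > max_dsts:
            alerts.add(src)
    return alerts


def compare():
    """Run both rules over an incrementing sweep and the page's randomized order."""
    names = list(TARGETS)
    sequential = to_events(names)
    randomized = to_events(probe_order(names, TABLE2_KEYS))
    return {
        "sequential": (sequential_sweep_alerts(sequential), fanout_alerts(sequential)),
        "randomized": (sequential_sweep_alerts(randomized), fanout_alerts(randomized)),
    }


if __name__ == "__main__":
    for label, (sweep, fanout) in compare().items():
        print(f"{label:10s} sweep-rule={sorted(sweep)} fanout-rule={sorted(fanout)}")
```

The sweep rule fires only on the incrementing order, while the fan-out rule fires on both, because it counts distinct destinations per source rather than the sequence in which they were contacted.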
After the corresponding target probing sequence is generated, step S330 is performed, and probe packets are sequentially sent to the target host corresponding to the target parameters according to the order of the target parameters in the target probing sequence, so that the target host feeds back the probe packets. According to an embodiment of the present invention, the probe packet is an abnormal packet, the target parameter is a target IP address, and an example of the target probe sequence refers to Table 3. According to the order of each target IP address in the target detection sequence as shown in Table 3, the abnormal data packets Q1, Q2, Q3, Q4, Q5, Q6, Q7, Q8, Q9, and Q10 are sequentially sent to the target hosts corresponding to the target IP addresses B6, B8, B3, B2, B5, B10, B1, B9, B7, and B4, that is, the abnormal data packets Q1 to Q10 are sequentially sent to the target hosts A6, A8, A3, A2, A5, A10, A1, A9, A7, and A4, so that each target host feeds back the abnormal data packets. Table 10 shows an example of a correspondence relationship between the target host and the probe packet according to an embodiment of the present invention, which is specifically as follows:
| Target host | Probe packet (abnormal data packet) |
|---|---|
| A6 | Q1 |
| A8 | Q2 |
| A3 | Q3 |
| … | … |
| A7 | Q9 |
| A4 | Q10 |
Table 10
An abnormal data packet is a data packet that does not conform to the RFC (Request for Comments) specifications; an artificially defined abnormal data packet can be formed by deliberately setting packet header values that violate the RFC standard. For the four types of data packets, i.e., IP, UDP, TCP and ICMP data packets, the corresponding abnormal data packet can be formed by giving header fields abnormal characteristics, for example by setting the version number of the IP data packet header, the length of the IP data packet header, the IP address, the packet length of the UDP data packet, the checksum of the TCP data packet header, the port number of the ICMP data packet, and the TCP flag combination value of the ICMP data packet to abnormal values. The invention is not limited to a particular method for generating the abnormal data packet; such methods are easily conceivable for those skilled in the art and are within the protection scope of the present invention, and will not be described herein. After receiving a probe packet sent by the computing device 200, each target host generates a corresponding feedback packet in response to the probe packet and sends the feedback packet to the computing device 200. The feedback data packet comprises feedback information and an associated feedback state, and the feedback state indicates whether the feedback data packet is a normal data packet or an abnormal data packet. The probe packets Q1-Q10 correspond to the feedback packets R1, R2, R3, R4, R5, R6, R7, R8, R9, and R10, respectively. Table 11 shows an example of a correspondence relationship between the target host and the probe packet and the feedback packet according to an embodiment of the present invention, which is specifically as follows:
| Target host | Probe packet (abnormal data packet) | Feedback data packet |
|---|---|---|
| A6 | Q1 | R1 |
| A8 | Q2 | R2 |
| A3 | Q3 | R3 |
| … | … | … |
| A7 | Q9 | R9 |
| A4 | Q10 | R10 |
Table 11
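On the receiving side, the header abnormalities listed above (IP version, IP header length, checksums, TCP flag combinations) can be checked per packet. The following is an added example, not code from the patent: it narrows the check to IPv4 and TCP, and the function names, finding labels and sample packets are constructed for illustration.

```python
import struct

SRC = bytes([192, 0, 2, 10])     # constructed documentation addresses
DST = bytes([198, 51, 100, 7])

def checksum16(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(version=4, ihl=5, tcp_flags=0x02, total_len=None,
                 ip_sum_ok=True, tcp_sum_ok=True) -> bytes:
    """Construct an IPv4+TCP header pair (no payload) as input for the checker."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 1024, 0, 0)
    if tcp_sum_ok:
        pseudo = SRC + DST + struct.pack("!BBH", 0, 6, len(tcp))
        tcp = tcp[:16] + struct.pack("!H", checksum16(pseudo + tcp)) + tcp[18:]
    if total_len is None:
        total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl, 0, total_len,
                     0x1234, 0, 64, 6, 0, SRC, DST)
    if ip_sum_ok:
        ip = ip[:10] + struct.pack("!H", checksum16(ip)) + ip[12:]
    return ip + tcp

def header_anomalies(packet: bytes) -> list:
    """Return labels for IPv4/TCP header fields that a conforming stack would not send.

    Assumes `packet` is exactly one IP datagram (no link-layer header or padding).
    """
    if len(packet) < 20:
        return ["truncated"]
    findings = []
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        findings.append("ip.version")
    hdr_len = ihl * 4
    if ihl < 5 or hdr_len > len(packet):
        findings.append("ip.header_length")
        hdr_len = 20                       # fall back so the later checks still run
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        findings.append("ip.total_length")
    if checksum16(packet[:hdr_len]) != 0:  # a valid header sums to zero
        findings.append("ip.checksum")
    if packet[9] == 6 and len(packet) >= hdr_len + 20:
        segment = packet[hdr_len:]
        flags = segment[13] & 0x3F
        # no flags at all, SYN together with FIN, or SYN together with RST
        if flags == 0 or (flags & 0x03) == 0x03 or (flags & 0x06) == 0x06:
            findings.append("tcp.flags")
        pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
        if checksum16(pseudo + segment) != 0:
            findings.append("tcp.checksum")
    return findings

if __name__ == "__main__":
    for label, pkt in [("well-formed", build_packet()),
                       ("version 6 in IPv4 frame", build_packet(version=6)),
                       ("SYN+FIN", build_packet(tcp_flags=0x03))]:
        print(label, header_anomalies(pkt))
```

A sensor that logs these labels per source gives an order-independent signal: the findings depend on the packet contents, not on which host is probed first.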
In step S340, the computing device 200 receives the feedback data packet corresponding to each transmitted probe data packet. According to one embodiment of the invention, the computing device 200 receives feedback data packets R1-R10. Then, step S350 is executed to parse each feedback data packet to obtain the corresponding feedback information and associated feedback state. According to an embodiment of the present invention, the feedback data packets R1 to R10 are respectively parsed to obtain the corresponding feedback information and associated feedback states; the feedback information included in the feedback data packets R1 to R10 is T1, T2, T3, T4, T5, T6, T7, T8, T9, and T10 in sequence, and the associated feedback states are 1, 1, 1, 1, 1, 1, 1, 1, 1, and 0 in sequence. A feedback state of 1 indicates that the associated feedback data packet is a normal data packet, and a feedback state of 0 indicates that it is an abnormal data packet. Table 12 shows an example of a corresponding relationship between a feedback data packet and feedback information and a feedback state according to an embodiment of the present invention, which is specifically shown as follows:
| Feedback data packet | Feedback information | Feedback state |
|---|---|---|
| R1 | T1 | 1 |
| R2 | T2 | 1 |
| R3 | T3 | 1 |
| … | … | … |
| R9 | T9 | 1 |
| R10 | T10 | 0 |
Table 12
After the received feedback data packets are parsed, step S360 is executed: if the feedback state indicates that the feedback data packet is a normal data packet, the target host information is extracted from the feedback information and stored in association with the corresponding target parameter. According to one embodiment of the invention, the target host information includes a system, version, protocol, and/or timestamp of the target host. In this embodiment, as can be seen from the feedback states, the feedback packets R1 to R9 are normal packets and the feedback packet R10 is an abnormal packet, so the corresponding target host information is extracted from the feedback information T1 to T9; the obtained target host information is V1, V2, V3, V4, V5, V6, V7, V8 and V9 in sequence, and the target host information V1 to V9 is stored in association with the corresponding target IP addresses B6, B8, B3, B2, B5, B10, B1, B9 and B7. Table 13 shows an example of a storage relationship between the target parameter and the target host information according to an embodiment of the present invention, which is specifically as follows:
Table 13
In order to facilitate the viewing of the target host information, the order of the storage relationship between the target parameters and the target host information may be adjusted according to the order of the target parameters before the randomized ordering. Table 14 shows an example of a storage relationship between the target parameter and the target host information after sequential adjustment, where an example before sequential adjustment is shown in table 13, and table 14 is specifically shown as follows:
| Target parameter (target IP address) | Target host information |
|---|---|
| B1 | V7 |
| B2 | V4 |
| B3 | V3 |
| B5 | V5 |
| B6 | V1 |
| B7 | V9 |
| B8 | V2 |
| B9 | V8 |
| B10 | V6 |
Table 14
Further, if the feedback state indicates that the feedback data packet is an abnormal data packet, the probe packet corresponding to that feedback state is sent again after a preset time interval. In this embodiment, the time interval is preset to 10 minutes, and since the feedback packet R10 is an abnormal packet, the computing device 200 will send the probe packet Q10 to the target host A4 again after 10 minutes.
Fig. 4 shows a schematic diagram of a cyberspace detecting apparatus 400 according to an embodiment of the present invention. As shown in fig. 4, the network space detecting device 400 includes an obtaining module 410, a randomizing module 420, a transmitting module 430, a receiving module 440, a parsing module 450, and a storing module 460.
The obtaining module 410 is adapted to obtain target parameters of each target host to be detected. The target parameter is a target IP address or a target port. The details of the obtaining module 410 performing the above operations can be seen in step S310 of the method 300, which is not described herein.
The randomizing module 420 is connected to the acquiring module 410 and is adapted to perform randomized ordering on the acquired target parameters to generate a corresponding target probing sequence. The randomization module 420 is further adapted to obtain the total number of target parameters as a first number; generating a first number of random numbers in a preset first numerical interval, and sequentially distributing the random numbers to each target parameter; and sequencing the random numbers in a descending order, and sequencing the target parameters corresponding to the random numbers according to the sequencing result to generate a corresponding target detection sequence. The randomization module 420 is further adapted to associate, for each target host, one or more target ports to be probed by the target host with its target IP address to generate the same number of target parameter pairs as the number of target ports to be probed; acquiring the total number of the target parameter pairs as a second number; generating a second number of random numbers in a preset second numerical interval, and sequentially distributing the random numbers to each target parameter pair; and sequencing the random numbers in a descending order, and sequencing the target parameter pairs corresponding to the random numbers according to the sequencing result to generate corresponding target detection sequences. The randomization module 420 is further adapted to obtain the total number of target parameters as a third number; sequentially generating a third number of random numbers in a preset third numerical value interval from small to large, and randomly distributing the random numbers to each target parameter; and sequencing the random numbers in a descending order, and sequencing the target parameters corresponding to the random numbers according to the sequencing result to generate a corresponding target detection sequence.
For details of the randomizing module 420 performing the above operations, reference may be made to step S320 in the method 300, which is not described herein again.
The sending module 430 is connected to the randomizing module 420, and is adapted to send the probe packet to the target host corresponding to each target parameter in the target probe sequence in sequence, so that the target host feeds back the probe packet. The sending module 430 is further adapted to send the detection data packet corresponding to the feedback status again after a preset time interval when the feedback status indicates that the feedback data packet is an abnormal data packet. Wherein, the detection data packet is an abnormal data packet. For details of the sending module 430 to perform the above operations, reference may be made to step S330 in the method 300, which is not described herein again.
The receiving module 440 is connected to the sending module 430 and is adapted to receive a feedback data packet corresponding to each sent probe data packet. For details of the receiving module 440 performing the above operations, reference may be made to step S340 in the method 300, which is not described herein again.
The parsing module 450 is connected to the receiving module 440 and is adapted to parse each feedback data packet to obtain corresponding feedback information and associated feedback status. The details of the parsing module 450 performing the above operations can be seen in step S350 of the method 300, which is not described herein.
The storage module 460 is respectively connected to the randomizing module 420 and the parsing module 450, and is adapted to extract the target host information from the feedback information and store the target host information and the corresponding target parameter in association when the feedback status indicates that the feedback data packet is a normal data packet. Wherein the target host information includes a system, version, protocol, and/or timestamp of the target host. For details of the operation performed by the storage module 460, reference may be made to step S360 in the method 300, which is not described herein.
When existing network space detection methods probe batches of target IP addresses or target ports, most of them step through the targets with an accumulating counter, so the targets are probed according to a fixed rule such as increasing order. This strong regularity easily triggers the detection rules of intrusion detection equipment and reduces the detection success rate. According to the technical scheme of the network space detection of the embodiment of the invention, the target parameters of the target hosts to be detected are randomized and sequenced to generate corresponding target detection sequences, the detection data packets are sequentially sent to the target hosts corresponding to the target parameters according to the sequence of the target parameters, and if the feedback state indicates that the feedback data packet is a normal data packet, the target host information is extracted from the feedback information and stored in association with the corresponding target parameters. In the above scheme, when performing randomized ordering on the target parameters, it is taken into account that a target host may have multiple target ports to be detected: for each target host, one or more target ports to be detected of the target host are associated with its target IP address to generate the same number of target parameter pairs as target ports to be detected; the total number of the target parameter pairs is then obtained, that total number of random numbers is generated and sequentially allocated to the target parameter pairs, the random numbers are ordered from small to large, and the target parameter pairs corresponding to the random numbers are ordered according to the ordering result to generate the corresponding target detection sequence. On this basis, a target host with target ports to be detected is sent a number of detection data packets equal to its number of target ports to be detected, and the sending order of the detection data packets is random, so that the detection integrity is guaranteed, the possibility that the detection behavior is sensed is reduced, and the detection success rate is improved.
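The paragraph above argues that randomized ordering avoids detection rules keyed to regular, increasing target order. The following added example (not from the patent) compares such an order-dependent heuristic with an order-independent fan-out count on the page's own Table 9 sequence. The addresses standing in for B1 to B10, the source addresses, the window and the threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed data: B1..B10 mapped onto documentation addresses, with the random
# numbers implied by the page's sorted example (3 -> B4, 15 -> B5, ... 98 -> B3).
TARGETS = {f"B{i}": ipaddress.ip_address(f"192.0.2.{i}") for i in range(1, 11)}
PAGE_KEYS = {"B4": 3, "B5": 15, "B8": 26, "B1": 37, "B7": 42,
             "B10": 51, "B6": 69, "B2": 77, "B9": 86, "B3": 98}
SCANNER, CLIENT = "203.0.113.5", "198.51.100.20"   # constructed sources

def probe_order(keys):
    """Order targets by their assigned random number, smallest first."""
    return [name for name, _ in sorted(keys.items(), key=lambda kv: kv[1])]

def flows_for(order, src=SCANNER, port=80, start=0.0, gap=1.0):
    """Constructed flow records (ts, src, dst, dport), one probe per target."""
    return [(start + i * gap, src, TARGETS[n], port) for i, n in enumerate(order)]

def benign_flows():
    """Constructed background traffic: one client talking to two servers."""
    return [(i * 0.5, CLIENT, TARGETS["B1" if i % 2 else "B2"], 443)
            for i in range(20)]

def longest_sequential_run(flows, src):
    """Order-dependent heuristic: longest streak where dst == previous dst + 1."""
    best = run = 0
    prev = None
    for _, s, dst, _ in sorted(flows, key=lambda f: f[0]):
        if s != src:
            continue
        run = run + 1 if prev is not None and int(dst) == int(prev) + 1 else 1
        best = max(best, run)
        prev = dst
    return best

def fanout_alerts(flows, window=60.0, threshold=8):
    """Order-independent heuristic: distinct (dst, dport) per source in a window.

    Returns {src: (timestamp of first alert, distinct targets at that time)}.
    """
    recent = defaultdict(deque)
    alerted = {}
    for ts, src, dst, dport in sorted(flows, key=lambda f: f[0]):
        q = recent[src]
        q.append((ts, (dst, dport)))
        while q and q[0][0] < ts - window:     # drop records older than the window
            q.popleft()
        distinct = len({target for _, target in q})
        if distinct >= threshold and src not in alerted:
            alerted[src] = (ts, distinct)
    return alerted

if __name__ == "__main__":
    sequential = flows_for([f"B{i}" for i in range(1, 11)])
    randomized = flows_for(probe_order(PAGE_KEYS))
    print("run, sequential:", longest_sequential_run(sequential, SCANNER))
    print("run, randomized:", longest_sequential_run(randomized, SCANNER))
    print("fan-out alerts :", fanout_alerts(randomized + benign_flows()))
```

The sequential-run rule drops from 10 to 2 on the randomized order, while the fan-out count flags the same source at the eighth probe in either order and leaves the two-server client alone.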
A7. The method of any of A1-6, the target host information comprising a system, version, protocol, and/or timestamp of the target host.
A8. The method of any one of A1-7, further comprising:
and if the feedback state indicates that the feedback data packet is an abnormal data packet, sending the detection data packet corresponding to the feedback state again after a preset time interval.
B10. The apparatus of B9, wherein the target parameter is a target IP address or a target port.
B11. The apparatus of B9 or 10, the randomization module further adapted to:
acquiring the total number of target parameters as a first number;
generating a first number of random numbers in a preset first numerical interval, and sequentially distributing the random numbers to each target parameter;
and sequencing the random numbers in a descending order, and sequencing the target parameters corresponding to the random numbers according to the sequencing result to generate a corresponding target detection sequence.
B12. The apparatus of B10, the randomization module further adapted to:
for each target host, associating one or more target ports to be detected of the target host with a target IP address thereof to generate target parameter pairs with the same number as the target ports to be detected;
acquiring the total number of the target parameter pairs as a second number;
generating a second number of random numbers in a preset second numerical interval, and sequentially distributing the random numbers to each target parameter pair;
and sequencing the random numbers in a descending order, and sequencing the target parameter pairs corresponding to the random numbers according to the sequencing result to generate corresponding target detection sequences.
B13. The apparatus of B9 or 10, the randomization module further adapted to:
acquiring the total number of the target parameters as a third number;
sequentially generating a third number of random numbers in a preset third numerical value interval from small to large, and randomly distributing the random numbers to each target parameter;
and sequencing the random numbers in a descending order, and sequencing the target parameters corresponding to the random numbers according to the sequencing result to generate a corresponding target detection sequence.
B14. The apparatus of any of B9-13, wherein the probe packet is an abnormal data packet.
B15. The apparatus of any of B9-14, the target host information comprising a system, version, protocol, and/or timestamp of the target host.
B16. The apparatus of any one of B9-15, the sending module further adapted to:
and when the feedback state indicates that the feedback data packet is an abnormal data packet, sending the detection data packet corresponding to the feedback state again after a preset time interval.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules or units or groups of devices in the examples disclosed herein may be arranged in a device as described in this embodiment, or alternatively may be located in one or more devices different from the devices in this example. The modules in the foregoing examples may be combined into one module or may be further divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. Modules or units or groups in embodiments may be combined into one module or unit or group and may furthermore be divided into sub-modules or sub-units or sub-groups. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Furthermore, some of the described embodiments are described herein as a method or combination of method elements that can be performed by a processor of a computer system or by other means of performing the described functions. A processor having the necessary instructions for carrying out the method or method elements thus forms a means for carrying out the method or method elements. Further, the elements of the apparatus embodiments described herein are examples of the following apparatus: the apparatus is used to implement the functions performed by the elements for the purpose of carrying out the invention.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as floppy diskettes, CD-ROMs, hard drives, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to perform the cyber-space detecting method of the present invention according to instructions in the program code stored in the memory.
By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer-readable media includes both computer storage media and communication media. Computer storage media store information such as computer readable instructions, data structures, program modules or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of computer readable media.
As used herein, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object, merely indicate that different instances of like objects are being referred to, and are not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention has been disclosed in an illustrative rather than a restrictive sense, and the scope of the present invention is defined by the appended claims.

Claims (19)

1. A cyber-space detection method, adapted to be executed in a computing device communicatively coupled to a plurality of target hosts, each target host having corresponding target parameters, the method comprising:
acquiring target parameters of each target host to be detected;
performing randomized sequencing on the obtained target parameters to generate corresponding target detection sequences;
according to the sequence of each target parameter in the target detection sequence, sequentially sending a detection data packet to a target host corresponding to the target parameter so that the target host can feed back the detection data packet;
receiving feedback data packets corresponding to the sent detection data packets;
analyzing each feedback data packet to acquire corresponding feedback information and an associated feedback state;
and if the feedback state indicates that the feedback data packet is a normal data packet, extracting target host information from the feedback information, and storing the target host information and the corresponding target parameters in an associated manner.
2. The method of claim 1, wherein the target parameter is a target IP address and/or a target port.
3. The method according to claim 1 or 2, wherein the step of performing a randomized ordering on the acquired target parameters to generate a corresponding target probing sequence comprises:
acquiring the total number of target parameters as a first number;
generating a first number of random numbers in a preset first numerical interval, and sequentially distributing the random numbers to each target parameter;
and sequencing the random numbers in a descending order, and sequencing the target parameters corresponding to the random numbers according to the sequencing result to generate a corresponding target detection sequence.
4. The method according to claim 2, wherein the step of performing a randomized ordering on the acquired target parameters to generate a corresponding target probing sequence comprises:
for each target host, associating one or more target ports to be detected of the target host with a target IP address thereof to generate target parameter pairs with the same number as the target ports to be detected;
acquiring the total number of the target parameter pairs as a second number;
generating a second number of random numbers in a preset second numerical interval, and sequentially distributing the random numbers to each target parameter pair;
and sequencing the random numbers in a descending order, and sequencing the target parameter pairs corresponding to the random numbers according to the sequencing result to generate corresponding target detection sequences.
5. The method according to claim 1 or 2, wherein the step of performing a randomized ordering on the acquired target parameters to generate a corresponding target probing sequence comprises:
acquiring the total number of the target parameters as a third number;
sequentially generating a third number of random numbers in a preset third numerical value interval from small to large, and randomly distributing the random numbers to each target parameter;
and sequencing the random numbers in a descending order, and sequencing the target parameters corresponding to the random numbers according to the sequencing result to generate a corresponding target detection sequence.
6. A method as claimed in claim 1 or 2, wherein the probe packet is an abnormal data packet.
7. The method of claim 1 or 2, the target host information comprising a system, version, protocol and/or timestamp of the target host.
8. The method of claim 1 or 2, further comprising:
and if the feedback state indicates that the feedback data packet is an abnormal data packet, sending the detection data packet corresponding to the feedback state again after a preset time interval.
9. A cyber-space detecting apparatus adapted to reside in a computing device communicatively coupled to a plurality of target hosts, each target host having corresponding target parameters, the apparatus comprising:
the acquisition module is suitable for acquiring target parameters of each target host to be detected;
the randomization module is suitable for performing randomization sequencing on the acquired target parameters to generate corresponding target detection sequences;
the sending module is suitable for sending detection data packets to a target host corresponding to the target parameters in sequence according to the sequence of the target parameters in the target detection sequence so that the target host can feed back the detection data packets;
the receiving module is suitable for receiving the feedback data packets corresponding to the sent detection data packets;
the analysis module is suitable for analyzing each feedback data packet to acquire corresponding feedback information and an associated feedback state;
and the storage module is suitable for extracting the target host information from the feedback information and storing the target host information and the corresponding target parameters in a correlation manner when the feedback state indicates that the feedback data packet is a normal data packet.
10. The apparatus of claim 9, wherein the target parameter is a target IP address or a target port.
11. The apparatus of claim 9 or 10, the randomization module further adapted to:
acquiring the total number of target parameters as a first number;
generating a first number of random numbers in a preset first numerical interval, and sequentially distributing the random numbers to each target parameter;
and sequencing the random numbers in a descending order, and sequencing the target parameters corresponding to the random numbers according to the sequencing result to generate a corresponding target detection sequence.
12. The apparatus of claim 10, the randomization module further adapted to:
for each target host, associating one or more target ports to be detected of the target host with a target IP address thereof to generate target parameter pairs with the same number as the target ports to be detected;
acquiring the total number of the target parameter pairs as a second number;
generating a second number of random numbers in a preset second numerical interval, and sequentially distributing the random numbers to each target parameter pair;
and sequencing the random numbers in a descending order, and sequencing the target parameter pairs corresponding to the random numbers according to the sequencing result to generate corresponding target detection sequences.
13. The apparatus of claim 9 or 10, the randomization module further adapted to:
acquiring the total number of the target parameters as a third number;
sequentially generating a third number of random numbers in a preset third numerical value interval from small to large, and randomly distributing the random numbers to each target parameter;
and sequencing the random numbers in a descending order, and sequencing the target parameters corresponding to the random numbers according to the sequencing result to generate a corresponding target detection sequence.
14. The apparatus of claim 9 or 10, wherein the probe packet is an abnormal data packet.
15. The apparatus of claim 9 or 10, the target host information comprising a system, version, protocol, and/or timestamp of the target host.
16. The apparatus of claim 9 or 10, the sending module further adapted to:
and when the feedback state indicates that the feedback data packet is an abnormal data packet, sending the detection data packet corresponding to the feedback state again after a preset time interval.
17. A computing device comprising the cyberspace detecting apparatus of any of claims 9-16.
18. A computing device, comprising:
one or more processors;
a memory; and
one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs comprising instructions for performing any of the methods of claims 1-8.
19. A computer readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by a computing device, cause the computing device to perform any of the methods of claims 1-8.
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710780893.XA | 2017-09-01 | 2017-09-01 | Network space detection method and device and computing equipment |

Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN107579973A | 2018-01-12 |
| CN107579973B | 2019-12-31 |

Family

ID=61030719

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710780893.XA Active CN107579973B (en) 2017-09-01 2017-09-01 Network space detection method and device and computing equipment

Country Status (1)

Country Link
CN (1) CN107579973B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109840403B (en) * 2019-01-14 2020-12-22 腾讯科技(深圳)有限公司 Application login method and device, computer readable storage medium and computer equipment
CN110380925B (en) * 2019-06-28 2021-02-02 中国科学院信息工程研究所 Port selection method and system in network equipment detection
CN114024877B (en) * 2021-10-29 2023-02-17 恒安嘉新(北京)科技股份公司 Host survival detection method and device, computer equipment and storage medium
CN114025014B (en) * 2021-10-29 2024-01-30 北京恒安嘉新安全技术有限公司 Asset detection method and device, electronic equipment and storage medium
CN114697389A (en) * 2022-03-16 2022-07-01 奇安信科技集团股份有限公司 Data transmission method and device and scanning engine
CN115314425B (en) * 2022-07-12 2024-02-23 清华大学 Network scanning device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101114965A (en) * 2007-08-21 2008-01-30 当代天启技术(北京)有限公司 Method and system for binding wireless terminal equipment and gateway in LAN
CN101459585A (en) * 2007-12-14 2009-06-17 中国科学院声学研究所 P2P stream media data request method
CN103281336A (en) * 2013-06-19 2013-09-04 上海众恒信息产业股份有限公司 Network intrusion detection method
CN104158748A (en) * 2014-07-21 2014-11-19 南京邮电大学 Topology detection method based on cloud computing network
CN105046525A (en) * 2015-06-30 2015-11-11 腾讯科技(北京)有限公司 Advertisement delivery system, device and method

Also Published As

Publication number Publication date
CN107579973A (en) 2018-01-12

Similar Documents

Publication Publication Date Title
CN107579973B (en) Network space detection method and device and computing equipment
US9258289B2 (en) Authentication of IP source addresses
WO2015051720A1 (en) Method and device for detecting suspicious dns, and method and system for processing suspicious dns
CN106470214B (en) Attack detection method and device
CN110830445B (en) Method and device for identifying abnormal access object
CN111083157B (en) Method and device for processing message filtering rules
US9942252B1 (en) Graph-based techniques for detecting coordinated network attacks
CN103475746B (en) A kind of terminal service method and device
CN107622197B (en) Equipment identification method and device, and weight calculation method and device for equipment identification
CN104579970B (en) A kind of strategy matching device of IPv6 messages
CN109299619B (en) Data query method, computing device and system
KR102476126B1 (en) Network traffic preparation system for high-speed analysis
CN111641619B (en) Method and device for constructing hacker portrait based on big data and computer equipment
CN106533947B (en) Message processing method and device
US10630588B2 (en) System and method for range matching
US8365045B2 (en) Flow based data packet processing
CN110581835B (en) Vulnerability detection method and device and terminal equipment
CN107577550B (en) Method and device for determining whether response of access request is abnormal
TWI242713B (en) Method and apparatus for updating security records in a cache
CN111447233A (en) Message filtering method and device based on VXLAN
CN106713242A (en) Data request processing method and device
CN110876072B (en) Batch registered user identification method, storage medium, electronic device and system
CN106682508A (en) Method and device for searching and killing viruses
CN103532852B (en) A kind of routing scheduling method, device and the network equipment
CN110784553B (en) Message encapsulation method, device and domain name resolution system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 311501, Unit 1, Building 5, Courtyard 1, Futong East Street, Chaoyang District, Beijing 100102

Applicant after: Beijing Zhichuangyu Information Technology Co., Ltd.

Address before: 100097 Jinwei Building 803, 55 Lanindichang South Road, Haidian District, Beijing

Applicant before: Beijing Knows Chuangyu Information Technology Co.,Ltd.

GR01 Patent grant