CN107733581B - Rapid internet asset feature detection method and device based on whole network environment - Google Patents

Publication number: CN107733581B
Authority: CN (China)
Legal status: Active
Application number: CN201710944839.4A
Other languages: Chinese (zh)
Other versions: CN107733581A (en)
Inventors: 史光庭, 范渊, 莫金友
Current assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original assignee: Hangzhou Dbappsecurity Technology Co Ltd


Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L1/1607 Details of the supervisory signal
    • H04L1/1671 Details of the supervisory signal the supervisory signal being transmitted together with control information
    • H04L43/0829 Packet loss
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields

Abstract

An embodiment of the invention provides a rapid internet asset feature detection method and device based on a whole network environment, belonging to the field of network security. A sequence number value is generated according to a target IP and a target port number, a TCP message is generated based on the sequence number value, and the TCP message is then sent to the target port for scanning and detection, thereby effectively improving the sending efficiency.

Description

Rapid internet asset feature detection method and device based on whole network environment
Technical Field
The invention relates to the field of network security, in particular to a method and a device for rapidly detecting internet asset characteristics based on a whole network environment.
Background
In an internet environment where information globalization is developing at high speed, individuals can rapidly deploy websites, and enterprises can rapidly deploy various servers in the network, such as web servers and DNS servers. Meanwhile, hackers in the network (who illegally collect and steal relatively valuable data) attack these servers and steal enterprise data and sensitive information, which creates network security risk. With the rapid development of big data, a hacker can more easily attack different servers by using big-data attack methods.
In enterprise network security, network asset statistics is the basis of information security: information security can be further planned and security equipment deployed only if the user's network assets are known. In general, a user performs manual asset statistics on an intranet, and uses a scanner to perform asset statistics on servers, PCs (personal computers) and ports. Conventional network scanning typically uses SYN packets; SYN (synchronize) is the handshake signal used when TCP/IP establishes a connection. When a normal TCP (Transmission Control Protocol) network connection is established between a client and a server, the client first sends a SYN message, the server indicates that the message was received with a SYN + ACK response, and finally the client responds with an ACK message. In this way a reliable TCP connection is established between the client and the server, and data can be transferred between them. However, the prior art has the technical problem that rapid whole-network scanning and asset detection cannot be achieved.
Disclosure of Invention
The invention provides a rapid internet asset feature detection method and device based on a whole network environment, and aims to solve the technical problems.
The invention provides a rapid internet asset feature detection method based on a whole network environment, which comprises the following steps: generating a sequence number value according to the target IP and the target port number; generating a TCP message based on the sequence number value; sending the TCP message to a target port corresponding to the target port number; acquiring a response message returned, based on the TCP message, by a target server corresponding to the target port; acquiring a return IP address and a return port number carried by the response message; judging whether the target IP corresponding to the sequence number value matches the return IP address and whether the target port number corresponding to the sequence number value matches the return port number; if yes, acquiring response data carried by the response message; and identifying the service type corresponding to the response data.
Preferably, the generating a sequence number value according to the target IP and the target port number includes: the sequence number value satisfies SEQ = target IP + target port, where SEQ (sequence number) denotes the sequence number value.
Preferably, the acquiring the return IP address and the return port number carried by the response message includes: acquiring the acknowledgement value corresponding to the acknowledgement character (ACK) carried by the response message; and performing a reverse operation on the acknowledgement value to obtain the return IP address and the return port number corresponding to the acknowledgement value.
Preferably, the identifying the service type corresponding to the response data includes: acquiring the characteristic characters carried by the response data; and searching for the service type corresponding to the characteristic characters.
Preferably, the identifying the service type corresponding to the response data further includes: storing the response data locally.
The invention provides a rapid internet asset feature detection device based on a whole network environment, which comprises: a first data acquisition unit, configured to generate a sequence number value according to the target IP and the target port number; a message generating unit, configured to generate a TCP message based on the sequence number value; a message sending unit, configured to send the TCP message to a target port corresponding to the target port number; a message obtaining unit, configured to obtain a response message returned, based on the TCP message, by a target server corresponding to the target port; a second data obtaining unit, configured to obtain a return IP address and a return port number carried by the response message; a data processing unit, configured to judge whether the target IP corresponding to the sequence number value matches the return IP address and whether the target port number corresponding to the sequence number value matches the return port number; an execution unit, configured to acquire the response data carried by the response message if the judgment is positive; and an identification unit, configured to identify the service type corresponding to the response data.
Preferably, the first data obtaining unit is specifically configured such that the sequence number value satisfies SEQ = target IP + target port, where SEQ (sequence number) denotes the sequence number value.
Preferably, the second data obtaining unit is specifically configured to: acquire the acknowledgement value corresponding to the acknowledgement character (ACK) carried by the response message; and perform a reverse operation on the acknowledgement value to obtain the return IP address and the return port number corresponding to the acknowledgement value.
Preferably, the identification unit is specifically configured to: acquire the characteristic characters carried by the response data; and search for the service type corresponding to the characteristic characters.
Preferably, the device further comprises, after the identification unit: a storage unit, configured to store the response data locally.
The invention provides a rapid internet asset feature detection method and device based on a whole network environment. A sequence number value is generated according to the target IP and the target port number, a TCP message is generated based on the sequence number value, and the message is then sent to the target port for scanning and detection, which effectively improves the transmission efficiency. The response message returned, based on the TCP message, by the target server corresponding to the target port is acquired and analyzed to determine whether the target IP corresponding to the sequence number value matches the return IP address and whether the target port number corresponding to the sequence number value matches the return port number. When they match, the service type corresponding to the response data is identified, so that the user can quickly identify internet assets and is effectively helped to carry out security risk assessment in the whole network environment.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a block diagram of an electronic device according to an embodiment of the present invention;
Fig. 2 is a flowchart of a fast internet asset feature detection method based on a full-network environment according to a first embodiment of the present invention;
Fig. 3 is a schematic diagram of TCP message transmission in the fast internet asset feature detection method based on the full-network environment shown in Fig. 2;
Fig. 4 is a schematic diagram of a response message returned by a target server in the fast internet asset feature detection method based on the full-network environment shown in Fig. 2;
Fig. 5 is a schematic diagram illustrating service type identification in the fast internet asset feature detection method based on the full-network environment shown in Fig. 2;
Fig. 6 is a flowchart of a fast internet asset feature detection method based on a full-network environment according to a second embodiment of the present invention;
Fig. 7 is a functional block diagram of a fast internet asset feature detection device based on a full-network environment according to a third embodiment of the present invention;
Fig. 8 is a functional block diagram of a fast internet asset feature detection device based on a full-network environment according to a fourth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention. The described embodiments are some, but not all, embodiments of the present invention. Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a block diagram of an electronic device according to an embodiment of the present invention. The electronic device 300 comprises a fast internet asset feature detection device based on a full network environment, a memory 302, a storage controller 303, a processor 304 and a peripheral interface 305.
The memory 302, memory controller 303, processor 304 and peripheral interface 305 are electrically connected to each other, directly or indirectly, to enable data transfer or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The fast internet asset feature detection device based on the whole network environment comprises at least one software functional module which can be stored in the memory 302 in the form of software or firmware (firmware) or solidified in an Operating System (OS) of the electronic device 300. The processor 304 is configured to execute executable modules stored in the memory 302, such as software functional modules or computer programs included in the fast internet asset feature detection apparatus based on the network-wide environment.
The memory 302 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The memory 302 is used for storing a program, and the processor 304 executes the program after receiving an execution instruction, and the method executed by the server 100 defined by the flow process disclosed in any of the foregoing embodiments of the present invention may be applied to the processor 304, or implemented by the processor 304.
The processor 304 may be an integrated circuit chip having signal processing capabilities. The processor 304 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. It may implement or perform the various methods, steps and logic blocks disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The peripheral interface 305 couples various input/output devices to the processor 304 as well as to the memory 302. In some embodiments, the peripheral interface 305, the processor 304, and the memory controller 303 may be implemented in a single chip. In other examples, they may be implemented separately from the individual chips.
Referring to fig. 2, a flowchart of a fast internet asset feature detection method based on a full-network environment according to a first embodiment of the present invention is shown. The specific process shown in fig. 2 will be described in detail below.
Step S101, generating a sequence number value according to the target IP and the target port number.
In one embodiment, in a whole-network environment, a target IP and a target port number are constructed locally, and a sequence number value is generated from them. Specifically, the sequence number value satisfies SEQ = target IP + target port, where SEQ (sequence number) denotes the sequence number value, target IP denotes the address of the target IP, and target port denotes the port number of the target port. For example, for a target IP of 1.1.1.1 and a target port number of 1, the SEQ value is (1.1.1.1 + 1) = 123456. As another example, for a target IP of 253.253.253.253 and a target port number of 65533, the SEQ value is (253.253.253.253 + 65533) = 56789. That is, the target port is added to the target IP according to a preset rule to form a single numerical value.
The sequence number value refers to the numerical value of the sequence number field in TCP (Transmission Control Protocol).
Step S102, generating a TCP message based on the sequence number value.
The TCP message is a message that includes the sequence number value and is based on the Transmission Control Protocol.
In one embodiment, the sequence number value is inserted into the TCP header to generate the TCP message.
Step S103, the TCP message is sent to a target port corresponding to the target port number.
In this embodiment, preferably, the TCP packet is sent to the destination port corresponding to the destination port number in a concurrent manner, as shown in fig. 3.
In this embodiment, to improve the transmission efficiency, the sender does not wait separately for each return packet; instead, a separate port is preferably opened to wait continuously for the target server to report back.
In this embodiment, after step S103, the method preferably further includes continuously waiting for the target server to return data.
Step S104, acquiring a response message returned, based on the TCP message, by the target server corresponding to the target port.
The TCP packet is used as a detection packet for detecting the target IP port, as shown in fig. 4.
Step S105, obtaining the return IP address and the return port number carried by the response message.
Wherein, the return IP address refers to the IP address carried by the response message. The return port number refers to a port number carried by the response message.
As one implementation, the acknowledgement value corresponding to the acknowledgement character carried by the response message is obtained, and a reverse operation is performed on the acknowledgement value to obtain the return IP address and the return port number corresponding to it.
Here, the acknowledgement character refers to the ACK (acknowledgement) carried by the response message. A reverse operation is performed on the ACK to obtain the return IP address and the return port number corresponding to the ACK.
Step S106, judging whether the target IP corresponding to the sequence number value matches the return IP address and whether the target port number corresponding to the sequence number value matches the return port number.
In this embodiment, for example, the IP address carried by the response message is 10.0.0.1 and the port is 80. Subtracting 1 from the ACK value gives the SEQ value, that is, SEQ value = ACK value - 1, and a reverse algorithm restores the target IP and target port number corresponding to the ACK value. The target IP is then compared with the return IP address carried by the response message, and the target port number with the return port number carried by the response message, to judge whether each pair is the same.
Step S107, if yes, acquiring the response data carried by the response message.
In this embodiment, if they are the same, that is, the target server has correctly responded to the TCP message, it can be determined that the target port is open, and the response data carried by the response message is acquired.
If they are not the same, that is, the message is not the target server's response to the TCP message, the data is discarded.
Step S108, identifying the service type corresponding to the response data.
The service type may be an HTTP service, an FTP service, a telnet service, and/or an SMTP service. This is not specifically limited here.
As one implementation, the characteristic characters carried by the response data are acquired, and the service type corresponding to the characteristic characters is searched for. As shown in Fig. 5, different servers return different service types.
The characteristic character refers to a character string carried in the response data. For example, for an HTTP service, the returned response data carries the string "HTTP/1.1 200 forkded". As another example, an FTP service carries in its return packet the string "data": "220- -Welcome to Pure-FTPd [privsep]". This is not specifically limited here.
Searching for the service type corresponding to the characteristic character means, for example, that if the header in the response data carries "HTTP/1.1 200", the service opened on the target IP and target port number is determined to be an HTTP service.
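Steps S101 and S105 to S108 can be sketched as follows; this is an added example, not code from the patent. The patent leaves the "preset rule" unspecified, and a 32-bit sequence number cannot losslessly hold an IPv4 address plus a 16-bit port, so the sketch assumes a keyed HMAC truncated to 32 bits and performs the check by recomputing the value from the return IP and port rather than by inverting the ACK. The key, the signature table, the response record layout and the sample responses are all constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import re
import struct

# Constructed per-run secret (assumption: the patent defines no key).
SCAN_KEY = b"constructed-demo-key"
MASK32 = 0xFFFFFFFF

# Constructed signature table for the service types the text names.
SIGNATURES = [
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3}")),
    ("ftp", re.compile(rb"^220[ -].*FTP", re.I)),
    ("smtp", re.compile(rb"^220[ -].*SMTP", re.I)),
    ("telnet", re.compile(rb"^\xff[\xfb-\xfe]")),  # IAC WILL/WONT/DO/DONT
]


def seq_for_target(ip, port, key=SCAN_KEY):
    """S101: derive a 32-bit sequence number from (target IP, target port)."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % (port,))
    packed = ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    digest = hmac.new(key, packed, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def response_matches(return_ip, return_port, ack, key=SCAN_KEY):
    """S105-S106: SEQ = ACK - 1 (mod 2**32) must equal the value that
    would have been sent to the return IP and return port."""
    seq = (ack - 1) & MASK32  # handles ACK == 0 after wraparound
    expected = seq_for_target(return_ip, return_port, key)
    return hmac.compare_digest(struct.pack("!I", seq),
                               struct.pack("!I", expected))


def identify_service(data):
    """S108: map characteristic characters in the response data to a type."""
    for name, pattern in SIGNATURES:
        if pattern.search(data):
            return name
    return "unknown"


def triage(responses, key=SCAN_KEY):
    """S107: keep only responses that pass the S106 check, then classify."""
    assets = []
    for resp in responses:
        if not response_matches(resp["ip"], resp["port"], resp["ack"], key):
            continue  # not an answer to one of our messages: discard
        assets.append((resp["ip"], resp["port"],
                       identify_service(resp["data"])))
    return assets


def sample_responses():
    """Constructed responses on documentation addresses (RFC 5737)."""
    def ack_for(ip, port):
        return (seq_for_target(ip, port) + 1) & MASK32

    return [
        {"ip": "192.0.2.10", "port": 80, "ack": ack_for("192.0.2.10", 80),
         "data": b"HTTP/1.1 200 OK\r\nServer: demo\r\n\r\n"},
        {"ip": "198.51.100.7", "port": 21, "ack": ack_for("198.51.100.7", 21),
         "data": b"220- -Welcome to Pure-FTPd [privsep]\r\n"},
        # Stray packet: ACK is off by one, so it fails the S106 check.
        {"ip": "203.0.113.5", "port": 25,
         "ack": (ack_for("203.0.113.5", 25) + 1) & MASK32,
         "data": b"220 mail.example ESMTP\r\n"},
    ]


if __name__ == "__main__":
    for asset in triage(sample_responses()):
        print(asset)
```

Because the receiver keeps no per-target state, the keyed value is what keeps unrelated or spoofed packets out of the asset inventory.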
Referring to fig. 6, a flowchart of a fast internet asset feature detection method based on a full-network environment according to a second embodiment of the present invention is shown. The specific flow shown in fig. 6 will be described in detail below.
Step S201, generating a sequence number value according to the target IP and the target port number.
Step S202, generating a TCP message based on the sequence number value.
Step S203, sending the TCP message to a target port corresponding to the target port number.
Step S204, obtaining a response message returned, based on the TCP message, by the target server corresponding to the target port.
Step S205, obtaining the return IP address and the return port number carried by the response message.
Step S206, determining whether the target IP corresponding to the sequence number value matches the return IP address and whether the target port number corresponding to the sequence number value matches the return port number.
Step S207, if yes, acquiring the response data carried by the response message.
Step S208, identifying the service type corresponding to the response data.
For the detailed implementation of steps S201 to S208, please refer to the corresponding steps in the first embodiment, which are not described herein again.
Step S209, storing the response data locally.
In this embodiment, the response data carried by response messages that satisfy the check in step S206, and whose service type has been identified, is stored locally.
Fig. 7 is a functional module diagram of a fast internet asset feature detection device based on a full-network environment according to a third embodiment of the present invention. The fast internet asset characteristic detecting apparatus 400 includes: a first data acquisition unit 410, a message generation unit 420, a message sending unit 430, a message acquisition unit 440, a second data acquisition unit 450, a data processing unit 460, an execution unit 470 and an identification unit 480.
A first data obtaining unit 410, configured to generate a sequence number value according to the destination IP and the destination port number.
The first data obtaining unit 410 is specifically configured such that the sequence number value satisfies SEQ = target IP + target port, where SEQ (sequence number) denotes the sequence number value.
A message generating unit 420, configured to generate a TCP message based on the sequence number value.
A message sending unit 430, configured to send the TCP message to a destination port corresponding to the destination port number.
A message obtaining unit 440, configured to obtain a response message returned by the target server corresponding to the target port based on the TCP message.
The second data obtaining unit 450 is configured to obtain a return IP address and a return port number that are carried in the response packet.
The second data obtaining unit 450 is specifically configured to: acquiring a confirmation value corresponding to a confirmation character carried by the response message; and performing reverse operation on the confirmation value to obtain a return IP address and a return port number corresponding to the confirmation value.
A data processing unit 460, configured to determine whether the target IP corresponding to the sequence number value matches the return IP address and whether the target port number corresponding to the sequence number value matches the return port number.
An execution unit 470, configured to, if so, acquire the response data carried by the response message.
The identifying unit 480 is configured to identify a service type corresponding to the response data.
Please refer to fig. 8, which is a functional module diagram of a fast internet asset feature detection apparatus based on a full-network environment according to a fourth embodiment of the present invention. The fast internet asset characteristic detecting apparatus 500 includes: a first data acquisition unit 510, a message generation unit 520, a message sending unit 530, a message acquisition unit 540, a second data acquisition unit 550, a data processing unit 560, an execution unit 570, an identification unit 580, and a storage unit 590.
A first data obtaining unit 510, configured to generate a sequence number value according to the destination IP and the destination port number.
The first data obtaining unit 510 is specifically configured such that the sequence number value satisfies SEQ = target IP + target port, where SEQ (sequence number) denotes the sequence number value.
A message generating unit 520, configured to generate a TCP message based on the sequence number value.
A message sending unit 530, configured to send the TCP message to a destination port corresponding to the destination port number.
A message obtaining unit 540, configured to obtain a response message returned by the target server corresponding to the target port based on the TCP message.
A second data obtaining unit 550, configured to obtain a return IP address and a return port number that are carried in the response packet.
The second data obtaining unit 550 is specifically configured to: acquiring a confirmation value corresponding to a confirmation character carried by the response message; and performing reverse operation on the confirmation value to obtain a return IP address and a return port number corresponding to the confirmation value.
The data processing unit 560 is configured to determine whether the target IP corresponding to the sequence number value matches the return IP address and whether the target port number corresponding to the sequence number value matches the return port number.
An execution unit 570, configured to, if so, obtain the response data carried by the response message.
The identifying unit 580 is configured to identify a service type corresponding to the response data.
The storage unit 590 is configured to store the response data locally.
In summary, the present invention provides a method and a device for rapidly detecting internet asset features based on a whole network environment. A sequence number value is generated according to the target IP and the target port number, a TCP message is generated based on the sequence number value, and the message is then sent to the target port for scanning and detection, which effectively improves the transmission efficiency. The response message returned, based on the TCP message, by the target server corresponding to the target port is acquired and analyzed to determine whether the target IP corresponding to the sequence number value matches the return IP address and whether the target port number corresponding to the sequence number value matches the return port number. When they match, the service type corresponding to the response data is identified, so that the user can quickly identify internet assets and is effectively helped to carry out security risk assessment in the whole network environment.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes. It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.

Claims (10)

1. A rapid Internet asset feature detection method based on a whole network environment is characterized by comprising the following steps:
generating a sequence number value according to the target IP and the target port number;
generating a TCP message based on the sequence number value;
sending the TCP message to a target port corresponding to the target port number;
acquiring a response message returned by a target server corresponding to the target port based on the TCP message;
acquiring a return IP address and a return port number carried by the response message;
judging whether the target IP corresponding to the sequence number value is matched with the return IP address and whether the target port number corresponding to the sequence number value is matched with the return port number;
if yes, acquiring response data carried by the response message;
and identifying the service type corresponding to the response data, wherein the service type is http service, ftp service, telnet service and/or SMTP service.
2. The method of claim 1, wherein generating a sequence number value according to the target IP and the target port number comprises:
the sequence number value satisfies: SEQ = target IP + target port, wherein SEQ represents the sequence number value.
3. The method according to claim 1, wherein said obtaining the return IP address and the return port number carried in the response packet comprises:
acquiring a confirmation value corresponding to a confirmation character carried by the response message;
and performing reverse operation on the confirmation value to obtain a return IP address and a return port number corresponding to the confirmation value.
4. The method of claim 1, wherein the identifying the service type corresponding to the response data comprises:
acquiring characteristic characters carried by the response data;
and searching the service type corresponding to the characteristic character.
5. The method of claim 1, wherein the identifying the service type corresponding to the response data further comprises:
and storing the response data to the local.
6. A quick internet asset characteristic detection device based on the whole network environment is characterized by comprising:
the first data acquisition unit is used for generating a sequence number value according to the target IP and the target port number;
a message generating unit, configured to generate a TCP message based on the sequence number value;
a message sending unit, configured to send the TCP message to a target port corresponding to the target port number;
a message obtaining unit, configured to obtain a response message returned by a target server corresponding to the target port based on the TCP message;
a second data obtaining unit, configured to obtain a return IP address and a return port number that are carried in the response packet;
the data processing unit is used for judging whether the target IP corresponding to the sequence number value is matched with the return IP address and whether the target port number corresponding to the sequence number value is matched with the return port number;
the execution unit is used for acquiring the response data carried by the response message if the judgment result is yes;
and the identification unit is used for identifying the service type corresponding to the response data, and the service type is http service, ftp service, telnet service and/or SMTP service.
7. The apparatus according to claim 6, wherein the first data obtaining unit is specifically configured to:
the sequence number value satisfies: SEQ = target IP + target port, wherein SEQ represents the sequence number value.
8. The apparatus of claim 6, wherein the second data obtaining unit is specifically configured to:
acquiring a confirmation value corresponding to a confirmation character carried by the response message;
and performing reverse operation on the confirmation value to obtain a return IP address and a return port number corresponding to the confirmation value.
9. The apparatus according to claim 6, wherein the identification unit is specifically configured to:
acquiring characteristic characters carried by the response data;
and searching the service type corresponding to the characteristic character.
10. The apparatus of claim 6, further comprising, after the identification unit:
and the storage unit is used for storing the response data to the local.
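
The matching and identification steps recited in the summary and in claims 1 to 4, as an added Python example that is not code from the patent. It assumes the probe is a SYN (so a genuine reply acknowledges SEQ + 1), that the "confirmation value" is the TCP acknowledgement number, and that the sum wraps at 32 bits; because different IP and port pairs can share one sum, the check recomputes SEQ from the reply's own address and port rather than splitting the value apart. The function names, banner signatures and sample replies are constructed for illustration.

```python
import ipaddress

MASK32 = 0xFFFFFFFF  # the TCP sequence and acknowledgement fields are 32 bits wide

def probe_seq(target_ip, target_port):
    """Claim 2: SEQ = target IP + target port, reduced to 32 bits (assumed wrap)."""
    return (int(ipaddress.IPv4Address(target_ip)) + target_port) & MASK32

def reply_matches(return_ip, return_port, ack):
    """Claims 1 and 3: does the acknowledgement value map back to this endpoint?"""
    # Assumption: the probe is a SYN, so a genuine reply acknowledges SEQ + 1.
    return (ack - 1) & MASK32 == probe_seq(return_ip, return_port)

def identify_service(data):
    """Claim 4: look up the service type from characteristic leading bytes."""
    # The signatures are constructed for this example; the patent lists none.
    if data.startswith(b"HTTP/"):
        return "http"
    if data[:1] == b"\xff":              # telnet option negotiation starts with IAC
        return "telnet"
    if data.startswith(b"220"):          # FTP and SMTP both greet with reply code 220
        banner = data.upper()
        if b"SMTP" in banner:
            return "smtp"
        if b"FTP" in banner:
            return "ftp"
    return "unknown"

def classify(return_ip, return_port, ack, data):
    """Return the service type, or None when the reply is not tied to a probe."""
    if not reply_matches(return_ip, return_port, ack):
        return None
    return identify_service(data)

def _reply(ip, port, data):
    # Build a constructed reply whose acknowledgement value is SEQ + 1.
    return (ip, port, (probe_seq(ip, port) + 1) & MASK32, data)

# Constructed replies on documentation addresses (RFC 5737); the last is a stray.
REPLIES = [
    _reply("192.0.2.10", 80, b"HTTP/1.1 200 OK\r\nServer: example\r\n\r\n"),
    _reply("192.0.2.11", 21, b"220 FTP server ready\r\n"),
    _reply("192.0.2.12", 25, b"220 mail.example.test ESMTP\r\n"),
    _reply("192.0.2.13", 23, b"\xff\xfd\x18\xff\xfd\x20"),
    ("198.51.100.7", 80, 0x12345678, b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for reply in REPLIES:
        print(reply[0], reply[1], classify(*reply))
```
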
CN201710944839.4A 2017-10-11 2017-10-11 Rapid internet asset feature detection method and device based on whole network environment Active CN107733581B (en)


Publications (2)

Publication Number Publication Date
CN107733581A CN107733581A (en) 2018-02-23
CN107733581B true CN107733581B (en) 2020-12-25

Family

ID=61210319


Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109118118A (en) * 2018-09-06 2019-01-01 平安科技(深圳)有限公司 Methods of risk assessment, storage medium and the server of business event
CN111385260B (en) * 2018-12-28 2022-01-25 广州市百果园信息技术有限公司 Port detection method, system, server and storage medium
CN110677414A (en) * 2019-09-27 2020-01-10 北京知道创宇信息技术股份有限公司 Network detection method and device, electronic equipment and computer readable storage medium
CN111726337A (en) * 2020-05-14 2020-09-29 北京邮电大学 Equipment asset detection method and device
CN113872953B (en) * 2021-09-18 2024-03-26 杭州迪普信息技术有限公司 Access message processing method and device
CN114513329A (en) * 2021-12-31 2022-05-17 徐工汉云技术股份有限公司 Industrial Internet information security assessment method and device
CN114584477B (en) * 2022-02-10 2023-06-27 烽台科技(北京)有限公司 Industrial control asset detection method, device, terminal and storage medium
CN117499267B (en) * 2023-12-29 2024-03-26 深圳万物安全科技有限公司 Asset mapping method and device for network equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100934138B1 (en) * 2002-05-06 2009-12-29 퀄컴 인코포레이티드 System and method for registering IP address of wireless communication device
CN203492034U (en) * 2013-05-13 2014-03-19 北京百度网讯科技有限公司 Data center server and asset management system, and server management device
CN105373899A (en) * 2015-12-03 2016-03-02 广州云新信息技术有限公司 Server asset management method and apparatus
CN106230800A (en) * 2016-07-25 2016-12-14 恒安嘉新(北京)科技有限公司 A kind of to assets active probe with the method for leak early warning
CN106888106A (en) * 2015-12-16 2017-06-23 国家电网公司 The extensive detecting system of IT assets in intelligent grid
CN106888194A (en) * 2015-12-16 2017-06-23 国家电网公司 Intelligent grid IT assets security monitoring systems based on distributed scheduling


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Intelligent inventory-taking improves asset management efficiency; 屠萍, 祝海云; 《通信企业管理》; 20160810; full text *

Also Published As

Publication number Publication date
CN107733581A (en) 2018-02-23


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310000 No. 188 Lianhui Street, Xixing Street, Binjiang District, Hangzhou City, Zhejiang Province

Applicant after: Hangzhou Anheng Information Technology Co.,Ltd.

Address before: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310051 and 15 layer

Applicant before: DBAPPSECURITY Co.,Ltd.

GR01 Patent grant