CN112165486B - Network address set splitting method and device - Google Patents

Network address set splitting method and device

Info

Publication number: CN112165486B
Application number: CN202011031150.0A
Authority: CN (China)
Prior art keywords: network, address, data element, addresses, network segment
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN112165486A
Inventor: 杨圣华
Assignee (current and original): Hangzhou DPTech Technologies Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2101/00 Indexing scheme associated with group H04L61/00
    • H04L 2101/60 Types of network addresses
    • H04L 2101/604 Address structures or formats
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The specification provides a network address set splitting method and device. The method comprises the following steps: for a network address set to be vulnerability scanned, a preset number N is allocated, meaning that the network address set is split into M address groups, where the first M-1 address groups each comprise N network addresses and the Mth address group comprises no more than N network addresses. N is determined from the upper performance limit of a single vulnerability scanning device, that is, N cannot be greater than the maximum number of network addresses that a single vulnerability scanning device can handle while maintaining normal scanning efficiency. By splitting the network address set for parallel scanning, the number of network addresses carried by each vulnerability scanning device is kept within the range in which the device maintains normal scanning efficiency.

Description

Network address set splitting method and device
Technical Field
The present disclosure relates to the field of computer application technologies, and in particular, to a method and apparatus for splitting a network address set.
Background
Network vulnerability scanning refers to security scanning by a vulnerability scanning device for each network address involved in a network environment to discover security vulnerabilities that may exist in the network environment.
However, in practice the performance of a vulnerability scanning device is limited; if the number of network addresses involved in the network environment is too large, the device comes under great processing pressure and the efficiency of network vulnerability scanning drops.
Disclosure of Invention
In order to solve the problem that the vulnerability scanning device in the related art is difficult to scan a network address set with a large number of addresses, the specification provides a network address set splitting method and device.
According to a first aspect of embodiments of the present specification, there is provided a network address set splitting method, the method comprising:
acquiring a network address set to be vulnerability scanned; the number of network addresses corresponding to the network address set is larger than a preset number N, and N is not larger than a conventional scanning number, wherein the conventional scanning number is determined based on the performance of the vulnerability scanning device;
consolidating the network address set into a data element set; each data element comprises a start address and an end address representing a network segment comprising at least one consecutive network address; the network segments represented by different data elements are neither adjacent to nor overlapping with each other;
determining M address groups based on the set of data elements; wherein the first M-1 address groups each contain N network addresses, and the Mth address group contains no more than N network addresses.
According to a second aspect of embodiments of the present specification, there is provided a network address set splitting apparatus, comprising:
a network address set acquisition unit, configured to acquire a network address set to be subjected to vulnerability scanning; the number of network addresses corresponding to the network address set is larger than a preset number N, and N is not larger than a conventional scanning number, wherein the conventional scanning number is determined based on the performance of the vulnerability scanning device;
a network address set arrangement unit, configured to arrange the network address set into a data element set; each data element comprises a start address and an end address for representing a network segment comprising at least one consecutive network address; the network segments represented by different data elements are not connected and are not overlapped with each other;
an address group determining unit configured to determine M address groups based on the set of data elements; wherein the first M-1 address groups contain N network addresses, and the Mth address group contains no more than N network addresses.
According to a third aspect of embodiments of the present specification, there is provided a computer device, characterized in that the computer device comprises:
one or more processors;
a memory for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the network address set splitting method as described in the first aspect of the embodiments of the present specification.
In one or more embodiments of the present disclosure, the technical idea of splitting a network address set to perform parallel scanning is adopted, so that the number of network addresses carried by each vulnerability scanning device is kept within the range in which the device maintains normal scanning efficiency. Specifically, for the network address set to be vulnerability scanned, a preset number N is allocated, meaning that the network address set is split into M address groups, where the first M-1 address groups each contain N network addresses and the Mth address group contains no more than N network addresses. N is determined from the upper performance limit of a single vulnerability scanning device, that is, N cannot be greater than the maximum number of network addresses that a single vulnerability scanning device can handle while maintaining normal scanning efficiency.
The technical scheme provided by the embodiment of the specification can comprise the following beneficial effects: by parallel scanning, the network address scanned by a single vulnerability scanning device is reduced, the processing pressure of the vulnerability scanning device is reduced, and the efficiency of network vulnerability scanning is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the specification and together with the description, serve to explain the principles of the specification.
FIG. 1 is a flow chart of a method illustrated in the present specification according to an exemplary embodiment.
Fig. 2 is a flowchart diagram of a method according to another exemplary embodiment of the present description.
Fig. 3 is a block diagram of an apparatus according to an exemplary embodiment of the present description.
Fig. 4 is a hardware configuration diagram of a computer device in which the file processing apparatus according to the embodiment of the present invention is located.
Detailed Description
Currently, network vulnerability scanning systems including multiple detection engines are typically employed for network vulnerability scanning. Each detection engine can be regarded as a vulnerability scanning device, and different detection engines are responsible for scanning network vulnerabilities from different application directions.
However, if the network environment involves an excessive number of network addresses, on the one hand, because the performance of the single detection engine is limited, a relatively large performance pressure is caused to the single detection engine, and the scanning efficiency of the single detection engine is reduced; on the other hand, some detection engines may not be suitable for scanning a large number of network addresses, and when some detection engines scan a large number of network addresses, a large number of resources of the vulnerability scanning system are occupied, so that normal operation of other detection engines is affected, and the scanning efficiency of the whole vulnerability scanning system is also reduced.
In addition, in practical application, one vulnerability scanning device may be used to scan network vulnerabilities from multiple application directions. In this case, a single vulnerability scanning device may still suffer from reduced scanning efficiency in situations where it is difficult to scan a large number of network addresses with limited performance.
In order to solve the above technical problems, in one or more embodiments of the present disclosure the technical idea of splitting a network address set to perform parallel scanning is adopted, so that the number of network addresses carried by each vulnerability scanning device is kept within the range in which the device maintains normal scanning efficiency. Specifically, for the network address set to be vulnerability scanned, a preset number N is allocated, meaning that the network address set is split into M address groups, where the first M-1 address groups each contain N network addresses and the Mth address group contains no more than N network addresses. N is determined from the upper performance limit of a single vulnerability scanning device, that is, N cannot be greater than the maximum number of network addresses (referred to herein as the conventional scanning number) that a single vulnerability scanning device can handle while maintaining normal scanning efficiency.
In addition, in one or more embodiments of the present description, to promote the efficiency of splitting a set of network addresses, the set of network addresses is consolidated into a set of data elements. Wherein each data element comprises a start address and an end address for representing a network segment comprising at least one consecutive network address; the segments represented by the different data elements do not join and do not overlap each other. Thus, when address group splitting is performed based on the data element set, M address groups can be determined with fewer splitting times, and the determined M address groups do not include duplicate network addresses.
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present description as detailed in the accompanying claims.
The terminology used in the description presented herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this specification to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present description. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
Next, embodiments of the present specification will be described in detail.
As shown in fig. 1, fig. 1 is a flow chart of a network address set splitting method according to an exemplary embodiment of the present disclosure, including the following steps:
in step 102, a set of network addresses to be vulnerability scanned is obtained.
Generally, the number of network addresses in the network address set is relatively large, at least greater than the preset number N. And N is no greater than a conventional number of scans determined based on the performance of the vulnerability scanning device.
In some embodiments, the particular form of the set of network addresses may be at least one network segment, each network segment containing at least one consecutive network address. It should be noted that, for a single discrete network address, it may also be considered as a network segment, where the start address and the end address of the network segment are both the discrete network address itself. Wherein different network segments may contain duplicate network addresses; the end address of one network segment may be the same as the start address of another network segment.
The set of network addresses is consolidated into a set of data elements at step 104.
Generally, the network addresses in the network address set are in dotted-decimal format, while in some embodiments the data format of each data element in the data element set is an integer type, so a format conversion is required in step 104. For example, converting the dotted-decimal network address 192.168.0.1 yields 3232235521 in integer format.
In addition, there are various ways to consolidate the network address set into the data element set in step 104, but the result must satisfy the following: each data element comprises a start address and an end address representing a network segment comprising at least one consecutive network address, and the segments represented by different data elements are neither adjacent to nor overlapping with each other.
In other words, consolidating the network address set into the data element set amounts to performing operations such as deduplicating network addresses and merging consecutive network addresses into one network segment.
In the resulting set of data elements, the data elements may be arranged in a certain order. Further, each data element in the set of data elements may be ordered prior to determining M address groups based on the set of data elements; in the ordered set of data elements, the end address of the previous data element is less than the start address of the next data element.
At step 106, M address groups are determined based on the set of data elements.
In step 106, there are several ways to determine the M address groups from the data element set. For example, the following implementation one may be adopted:
iteratively performing the following steps until the data element set is empty: creating an address group for the current iteration and completing the target flow;
the target flow comprises the following steps:
setting the target number to N, and taking the first data element out of the data element set;
if the number of addresses corresponding to the fetched data element equals the target number, adding the network segment represented by the data element to the address group;
if the number of addresses corresponding to the data element is greater than the target number, adding the first target-number network addresses of the segment represented by the data element to the address group, updating the data element based on the remaining network addresses of that segment, and putting the updated data element back into the data element set;
if the number of addresses corresponding to the data element is smaller than the target number, adding the network segment represented by the data element to the address group, resetting the target number to the difference between the target number and that address count, and continuing to take the next data element out of the data element set until the number of addresses in the address group reaches N.
As another example, the following implementation two is also possible:
iteratively performing the following steps until the data element set is empty: creating an address group for the current iteration and completing the target flow;
the target flow comprises the following steps:
taking the first data element out of the data element set, and adding the network segment represented by the data element to the address group;
when the number of network addresses in the address group is greater than N, determining the number o of network addresses in the address group, taking the last o-M network addresses out of the address group, treating them as a data element again, and adding that data element to the very front of the data element set (so that it is the data element taken out next);
when the number of network addresses in the address group is smaller than N, continuing to take the next data element out of the data element set.
Other implementations, by analogy with the two described above, will be readily apparent to those skilled in the art and are not described in detail here.
After obtaining the M address groups, the network vulnerability scanning may be performed in a parallel execution manner based on the M address groups.
By the method shown in fig. 1, the technical idea of splitting the network address set to perform parallel scanning is adopted, so that the number of network addresses carried by each vulnerability scanning device is kept within the range in which the device maintains normal scanning efficiency. Specifically, for the network address set to be vulnerability scanned, a preset number N is allocated, meaning that the network address set is split into M address groups, where the first M-1 address groups each contain N network addresses and the Mth address group contains no more than N network addresses. N is determined from the upper performance limit of a single vulnerability scanning device, that is, N cannot be greater than the maximum number of network addresses (referred to herein as the conventional scanning number) that a single vulnerability scanning device can handle while maintaining normal scanning efficiency.
In addition, in one or more embodiments of the present description, to promote the efficiency of splitting a set of network addresses, the set of network addresses is consolidated into a set of data elements. Wherein each data element comprises a start address and an end address for representing a network segment comprising at least one consecutive network address; the segments represented by the different data elements do not join and do not overlap each other. Thus, when address group splitting is performed based on the data element set, M address groups can be determined with fewer splitting times, and the determined M address groups do not include duplicate network addresses.
Further, in some embodiments, the set of network addresses may be a set of a series of network addresses entered by the user. Typically, the user inputs the network address in the form of input strings, each containing at least one network address in a dot decimal format, but the specific form of the string input by the user at a time may be varied.
Sometimes the string entered by the user contains a single dotted-decimal network address, such as 192.168.1.1. Sometimes it contains a range of dotted-decimal network addresses, such as 192.168.1.1-192.168.1.9. Sometimes it is a string with a mask, for example 192.168.2.1/24, in which case the start and end addresses of the network segment must be calculated from the mask. In practice the form of the string may be more complex still, which is not described in detail here.
For the above situation, when the network address set is consolidated into the data element set, the following is done for each string in the string set: if the string contains a dotted-decimal network segment, that segment is converted into an integer-format network segment; if the string does not directly contain a dotted-decimal network segment, one is calculated from the string and then converted into an integer-format network segment. The data element set is then obtained from all resulting integer-format network segments.
For example, the set of network addresses entered by the user is:
192.168.0.1-192.168.0.25;192.168.0.10-192.168.0.25;192.168.0.50;192.168.1.1;192.168.2.1/24;1.1.1.1;1001::0001;1111:2222:3333:4444:5555:6666:7777:8888;
after consolidation, the following data element set is obtained:
IPRange{low=16843009,high=16843009},
IPRange{low=3232235521,high=3232235570},IPRange{low=3232235777,high=3232235777},IPRange{low=3232236032,high=3232236287},
IPRange{low=21272840229417188794089443460814733313,high=21272840229417188794089443460814733313},
IPRange{low=22685837286468424649968941046919825544,high=22685837286468424649968941046919825544},
where each IPRange is a data element, low is the start address and high is the end address. The dotted-decimal network addresses represented by this data element set are shown below; for convenience, the splitting in the following example is described in terms of dotted-decimal network addresses.
1.1.1.1-1.1.1.1;192.168.0.1-192.168.0.50;192.168.1.1-192.168.1.1;192.168.2.0-192.168.2.255;1001:0:0:0:0:0:0:1-1001:0:0:0:0:0:0:1;
1111:2222:3333:4444:5555:6666:7777:8888-1111:2222:3333:4444:5555:6666:7777:8888;
Continuing the above example, according to the flowchart shown in fig. 2, in a specific embodiment of the present invention the splitting proceeds as follows:
set the target number N=20, and take the first data element out of the data element set,
1.1.1.1-1.1.1.1; the number of network addresses in this data element is smaller than the target number 20, so the data element is added to the address group; since that number is not equal to the target number, the target number is reset to 19.
At this time, the obtained address group is: 1.1.1.1-1.1.1.1.
The data element set is then judged not to be empty, so the next data element, 192.168.0.1-192.168.0.50, is taken out of it. Its number of addresses is larger than the target number 19, so the first 19 network addresses of the data element are added to the address group, the data element is redefined from the remaining addresses and put back, and an end mark is appended after the address group; the end mark can be a comma.
At this time, the obtained address group is: 1.1.1.1-1.1.1.1;192.168.0.1-192.168.0.19,.
Splitting of the data element set continues in this way until it is finished, giving the following address group set:
1.1.1.1-1.1.1.1;192.168.0.1-192.168.0.19,192.168.0.20-192.168.0.39,
192.168.0.40-192.168.0.50;192.168.1.1-192.168.1.1;192.168.2.0-192.168.2.7,
192.168.2.8-192.168.2.27,192.168.2.28-192.168.2.47,
192.168.2.48-192.168.2.67,192.168.2.68-192.168.2.87,
192.168.2.88-192.168.2.107,192.168.2.108-192.168.2.127,
192.168.2.128-192.168.2.147,192.168.2.148-192.168.2.167,
192.168.2.168-192.168.2.187,192.168.2.188-192.168.2.207,
192.168.2.208-192.168.2.227,192.168.2.228-192.168.2.247,
192.168.2.248-192.168.2.255;1001:0:0:0:0:0:0:1-1001:0:0:0:0:0:0:1;
1111:2222:3333:4444:5555:6666:7777:8888-1111:2222:3333:4444:5555:6666:7777:8888;
where the commas separate the address groups: the segments between two consecutive commas form one address group.
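The consolidation of user input into IPRange data elements (steps 102 and 104) and implementation one of step 106, as an added example written for this page rather than code from the patent. The sample input is constructed and adapted from the patent's example (the second range widened to 192.168.0.50 so that the consolidated result equals the data element set printed above); the `version` field on each range is an assumption added so that IPv4 and IPv6 integers, which overlap at the low end, never merge with each other.

```python
import ipaddress
from typing import Iterable, List, NamedTuple


class IPRange(NamedTuple):
    """One data element: a run of consecutive addresses as integers, like the patent's
    IPRange{low, high}. `version` is an assumption added here so ::1 and 0.0.0.1 stay apart."""
    version: int
    low: int
    high: int

    def count(self) -> int:
        return self.high - self.low + 1


# Constructed sample input, adapted from the patent's example (second range widened to .50 so
# the consolidated result equals the data element set printed on the page).
SAMPLE_INPUT = ("192.168.0.1-192.168.0.25;192.168.0.10-192.168.0.50;192.168.0.50;192.168.1.1;"
                "192.168.2.1/24;1.1.1.1;1001::0001;1111:2222:3333:4444:5555:6666:7777:8888")


def parse_entry(entry: str) -> IPRange:
    """Turn one user string (single address, 'a-b' range or 'a/prefix') into an integer segment."""
    entry = entry.strip()
    if "/" in entry:
        # Masked string: start/end come from the mask (network .. broadcast), as the patent does
        # for 192.168.2.1/24 -> 192.168.2.0-192.168.2.255; strict=False tolerates set host bits.
        net = ipaddress.ip_network(entry, strict=False)
        return IPRange(net.version, int(net.network_address), int(net.broadcast_address))
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError(f"malformed range: {entry!r}")
        return IPRange(lo.version, int(lo), int(hi))
    addr = ipaddress.ip_address(entry)  # a discrete address is a segment with start == end
    return IPRange(addr.version, int(addr), int(addr))


def consolidate(ranges: Iterable[IPRange]) -> List[IPRange]:
    """Deduplicate and merge overlapping or directly adjacent segments of the same version;
    the result is sorted so each element's end address is below the next element's start."""
    merged: List[IPRange] = []
    for r in sorted(ranges):
        last = merged[-1] if merged else None
        if last and last.version == r.version and r.low <= last.high + 1:
            merged[-1] = IPRange(last.version, last.low, max(last.high, r.high))
        else:
            merged.append(r)
    return merged


def parse_address_set(text: str) -> List[IPRange]:
    """User input (';'-separated strings) -> consolidated data element set."""
    return consolidate(parse_entry(e) for e in text.split(";") if e.strip())


def split_into_groups(elements: List[IPRange], n: int) -> List[List[IPRange]]:
    """Implementation one of step 106: the first M-1 groups hold exactly n addresses, the last
    at most n. An element larger than the remaining target is cut and its tail put back first."""
    if n < 1:
        raise ValueError("N must be positive")
    pending = list(elements)           # front of the list is 'the first data element'
    groups: List[List[IPRange]] = []
    while pending:
        group: List[IPRange] = []
        target = n
        while pending and target > 0:
            el = pending.pop(0)
            if el.count() <= target:   # equal or smaller: take the whole segment
                group.append(el)
                target -= el.count()
            else:                      # larger: take the first `target` addresses, return the rest
                group.append(IPRange(el.version, el.low, el.low + target - 1))
                pending.insert(0, IPRange(el.version, el.low + target, el.high))
                target = 0
        groups.append(group)
    return groups


def group_size(group: List[IPRange]) -> int:
    return sum(r.count() for r in group)


def verify_split(elements: List[IPRange], groups: List[List[IPRange]], n: int) -> bool:
    """Sanity check before dispatching groups to scanners: sizes obey the N rule and the groups
    cover the consolidated set exactly (nothing dropped, nothing scanned twice)."""
    sizes = [group_size(g) for g in groups]
    if not groups or any(s != n for s in sizes[:-1]) or not 1 <= sizes[-1] <= n:
        return False
    return consolidate(r for g in groups for r in g) == list(elements)


def render(group: List[IPRange]) -> str:
    """'start-end;start-end' in dotted/colon notation, the form of the patent's worked example."""
    def fmt(v: int, x: int) -> str:
        return str(ipaddress.IPv4Address(x) if v == 4 else ipaddress.IPv6Address(x))
    return ";".join(f"{fmt(r.version, r.low)}-{fmt(r.version, r.high)}" for r in group)
```

With N=20 the sample input yields the 16 address groups listed above, the last holding 10 addresses.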
As shown in fig. 3, fig. 3 is a block diagram of an apparatus according to an exemplary embodiment of the present description, the apparatus comprising:
a network address set obtaining unit 310, configured to obtain a network address set to be subjected to vulnerability scanning; the number of network addresses corresponding to the network address set is larger than a preset number N, and N is not larger than a conventional scanning number, wherein the conventional scanning number is determined based on the performance of the vulnerability scanning device;
a network address set sorting unit 320, configured to sort the network address set into a data element set; each data element comprises a start address and an end address for representing a network segment comprising at least one consecutive network address; the network segments represented by different data elements are not connected and are not overlapped with each other;
an address group determining unit 330 for determining M address groups based on the set of data elements; wherein the first M-1 address groups contain N network addresses, and the Mth address group contains no more than N network addresses.
Accordingly, as shown in fig. 4, the present disclosure also provides a computer device including one or more processors; a memory for storing processor-executable instructions; wherein the processor is configured to:
acquiring a network address set to be loophole scanned; the number of network addresses corresponding to the network address set is larger than a preset number N, and N is not larger than a conventional scanning number, wherein the conventional scanning number is determined based on the performance of the vulnerability scanning device;
sorting the network address set into a data element set; each data element comprises a start address and an end address for representing a network segment comprising at least one consecutive network address; the network segments represented by different data elements are not connected and are not overlapped with each other;
determining M address groups based on the set of data elements; wherein the first M-1 address groups contain N network addresses, and the Mth address group contains no more than N network addresses.
The implementation process of the functions and roles of each module in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be described herein again.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The apparatus embodiments described above are merely illustrative, wherein the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purposes of the present description. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Other embodiments of the present description will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It is to be understood that the present description is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.
The foregoing description of the preferred embodiments is provided for the purpose of illustration only, and is not intended to limit the scope of the disclosure, since any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the disclosure are intended to be included within the scope of the disclosure.

Claims (8)

1. A method for splitting a set of network addresses, the method comprising:
acquiring a network address set to be vulnerability-scanned, input by a user; the number of network addresses in the network address set is larger than a preset number N, and N is not larger than a conventional scanning number, wherein the conventional scanning number is determined based on the performance of the vulnerability scanning device; the network address set comprises at least one network segment, each network segment containing at least one consecutive network address; different network segments contain duplicate network addresses;
sorting the network address set into a data element set; each data element comprises a start address and an end address for representing a network segment comprising at least one consecutive network address; the network segments represented by different data elements are not connected and are not overlapped with each other;
iteratively performing the following steps until the set of data elements is empty: creating an address group corresponding to the iteration and completing a target flow;
the target flow comprises the following steps:
setting the target number as N, and taking out a first data element from the data element set;
if the number of addresses corresponding to the fetched data element is equal to the target number, adding the network segment represented by the data element to the address group;
if the number of addresses corresponding to the data element is greater than the target number, adding the first target-number network addresses of the network segment represented by the data element to the address group, updating the data element based on the remaining network addresses of that network segment, and putting the updated data element back into the data element set;
if the number of addresses corresponding to the data element is smaller than the target number, adding the network segment represented by the data element to the address group, resetting the target number to the difference between the target number and that number of addresses, and continuing to take out the next data element from the data element set until the number of addresses in the address group reaches N; wherein the first M-1 address groups contain N network addresses, and the Mth address group contains no more than N network addresses.
2. The method of claim 1, wherein acquiring the network address set to be vulnerability-scanned, input by the user, specifically comprises:
acquiring a character string set input by the user; each character string contains at least one network address in dotted-decimal format;
and arranging the network address set into a data element set specifically comprises:
for each character string in the character string set, if the character string comprises a dotted-decimal format network segment, converting the dotted-decimal format network segment into an integer format network segment;
obtaining a set of data elements based on each obtained integer format network segment.
3. The method according to claim 2, wherein the method further comprises:
for each character string in the character string set, if the character string does not contain a dotted-decimal format network segment, calculating a dotted-decimal format network segment based on the character string, and converting the dotted-decimal format network segment into an integer format network segment.
4. The method of claim 1, wherein prior to determining M address groups based on the set of data elements, the method further comprises:
ordering the data elements in the data element set; in the ordered set of data elements, the end address of the previous data element is less than the start address of the next data element.
5. The method according to claim 1, wherein the method further comprises:
scanning for network vulnerabilities in parallel based on the M address groups.
6. A network address set splitting apparatus, the apparatus comprising:
a network address set acquisition unit, configured to acquire a network address set to be vulnerability-scanned, input by a user; the number of network addresses in the network address set is larger than a preset number N, and N is not larger than a conventional scanning number, wherein the conventional scanning number is determined based on the performance of the vulnerability scanning device; the network address set comprises at least one network segment, each network segment containing at least one consecutive network address; different network segments contain duplicate network addresses;
a network address set arrangement unit, configured to arrange the network address set into a data element set; each data element comprises a start address and an end address for representing a network segment comprising at least one consecutive network address; the network segments represented by different data elements are not connected and are not overlapped with each other;
an address group determining unit, configured to iteratively execute the following steps until the data element set is empty: creating an address group corresponding to the iteration and completing a target flow; the target flow comprises the following steps: setting the target number to N, and taking out a first data element from the data element set; if the number of addresses corresponding to the fetched data element is equal to the target number, adding the network segment represented by the data element to the address group; if the number of addresses corresponding to the data element is greater than the target number, adding the first target-number network addresses of the network segment represented by the data element to the address group, updating the data element based on the remaining network addresses of that network segment, and putting the updated data element back into the data element set; if the number of addresses corresponding to the data element is smaller than the target number, adding the network segment represented by the data element to the address group, resetting the target number to the difference between the target number and that number of addresses, and continuing to take out the next data element from the data element set until the number of addresses in the address group reaches N; wherein the first M-1 address groups contain N network addresses, and the Mth address group contains no more than N network addresses.
7. The apparatus according to claim 6, wherein the network address set acquisition unit is specifically configured to:
acquire a character string set input by the user; each character string contains at least one network address in dotted-decimal format;
and the network address set arrangement unit specifically comprises:
a data type conversion unit, configured to convert, for each character string in the character string set, the dotted-decimal format network segment into an integer format network segment if the character string comprises a dotted-decimal format network segment;
a data element set acquisition unit, configured to obtain a data element set based on each obtained integer format network segment.
8. A computer device, the computer device comprising:
one or more processors;
a memory for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the network address set splitting method of any of claims 1 to 5.
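The splitting procedure of claims 1 to 5 carried through end to end, as an added example and not the patent's own code: user strings are converted to integer segments with Python's standard ipaddress module, overlapping or adjacent segments are merged into the ordered data element set, and the target flow then cuts that set into groups of exactly N addresses with only the last group allowed to be short. The hyphenated "start-end" range syntax is this example's assumption; the claims do not fix the input syntax beyond dotted-decimal.

```python
import ipaddress
from collections import deque
from typing import List, Tuple

Segment = Tuple[int, int]  # (start, end) as integers, both inclusive

def parse_entry(text: str) -> Segment:
    """One user string -> integer segment: a host ('10.0.0.2'), a CIDR block
    ('10.0.0.0/30') or an 'a-b' range (the range syntax is this example's assumption)."""
    text = text.strip()
    if "-" in text:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError(f"descending range: {text}")
        return lo, hi
    net = ipaddress.IPv4Network(text, strict=False)   # a bare host becomes a /32
    return int(net.network_address), int(net.broadcast_address)

def to_data_elements(entries: List[str]) -> List[Segment]:
    """Sort by start address and merge overlapping or touching segments, giving
    the claim's data element set: disjoint, non-adjacent and ordered."""
    merged: List[Segment] = []
    for start, end in sorted(parse_entry(e) for e in entries):
        if merged and start <= merged[-1][1] + 1:      # overlap or adjacency
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def split_into_groups(elements: List[Segment], n: int) -> List[List[Segment]]:
    """The claim's target flow: fill each group to exactly n addresses from the
    head of the set; an element larger than the remaining target is cut and its
    tail put back at the head. Only the last group may hold fewer than n."""
    pending = deque(elements)
    groups: List[List[Segment]] = []
    while pending:
        group, target = [], n
        while pending and target > 0:
            start, end = pending.popleft()
            count = end - start + 1
            if count <= target:                      # equal or smaller: take whole
                group.append((start, end))
                target -= count
            else:                                    # larger: take 'target', return rest
                group.append((start, start + target - 1))
                pending.appendleft((start + target, end))
                target = 0
        groups.append(group)
    return groups
```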
Application CN202011031150.0A, priority date 2020-09-27, filing date 2020-09-27: Network address set splitting method and device, status Active, granted as CN112165486B (en)

Publications (2)

Publication Number Publication Date
CN112165486A (en) 2021-01-01
CN112165486B (en) 2023-04-25
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant