CN113949568B - Middleware identification method, device, computing equipment and storage medium - Google Patents


Info

Publication number
CN113949568B
Authority
CN
China
Prior art keywords
middleware
version
network
determining
target
Legal status
Active
Application number
CN202111209038.6A
Other languages
Chinese (zh)
Other versions
CN113949568A (en)
Inventor
田国新
孙晋超
Current Assignee
Antiy Technology Group Co Ltd
Original Assignee
Antiy Technology Group Co Ltd

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00  Arrangements for software engineering
    • G06F 8/70  Software maintenance or management
    • G06F 8/71  Version control; Configuration management


Abstract

The invention provides a middleware identification method, a middleware identification device, a computing device and a storage medium. The method comprises the following steps: acquiring a rule knowledge base, where the rule knowledge base comprises characteristic information together with the corresponding middleware name and middleware version; when network traffic exchanged by the current network device is detected, performing feature recognition on the network traffic using the rule knowledge base; and when the network traffic is identified as containing a target feature that is the same as characteristic information in the rule knowledge base, determining the corresponding middleware name and middleware version from the target feature. With this scheme, middleware running on the network device can be identified without the identification being blocked by the security protection equipment.

Description

Middleware identification method, device, computing equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a middleware identification method, a middleware identification device, computing equipment and a storage medium.
Background
Middleware is standalone software that standardizes the application interfaces provided by different operating systems, unifies protocols, and hides the details of specific operations. By running such middleware on a network device, the middleware provides functions such as communication support, application support and public services.
Middleware installed on network devices is generally open source, and open-source middleware contains vulnerabilities that are repaired through iterations of the middleware's own version. However, in the local area network environment of a network device, middleware version updates may lag behind, and an attacker may attack the network device by exploiting middleware that still carries a vulnerability, which poses a great risk to the security of the network device. It is therefore necessary to identify the name and version of the middleware installed on the network device, so that the user can be prompted to update the middleware version in time.
At present, middleware is identified by comprehensively scanning the network device, but this requires the network device to have authorized the scan; otherwise the scanning process is blocked by the security protection equipment in the network device. A middleware identification method that is not blocked by the security protection equipment therefore needs to be provided.
Disclosure of Invention
Based on the problem that the middleware is blocked by the safety protection equipment in the prior art, the embodiment of the invention provides a middleware identification method, a device, a computing device and a storage medium, which can identify the middleware running on the network equipment without being blocked by the safety protection equipment.
In a first aspect, an embodiment of the present invention provides a middleware identification method, including:
acquiring a rule knowledge base; the rule knowledge base comprises characteristic information, and a corresponding middleware name and a middleware version;
when the network traffic interacted by the current network equipment is detected, carrying out feature recognition on the network traffic by utilizing the rule knowledge base;
and when the network traffic is identified to have the same target characteristics as the characteristic information in the rule knowledge base, determining the corresponding middleware name and middleware version according to the target characteristics.
Preferably, the obtaining a rule knowledge base includes:
determining at least one middleware to be identified;
determining at least one version of each middleware;
for each version of each middleware, determining the characteristic information that appears in the network traffic when the network device exchanges network traffic using that version of the middleware;
and generating a rule knowledge base according to the characteristic information corresponding to each version of each middleware.
Preferably, the determining of the characteristic information that appears in the network traffic when the network device exchanges network traffic using that version of the middleware includes:
installing that version of the middleware in a virtual machine;
using a third-party tool to perform network interaction with the middleware, and capturing the exchanged network traffic;
and determining, from the captured network traffic, the characteristic information that characterizes that version of the middleware.
Preferably, after installing the version of the middleware in the virtual machine, the method further comprises:
and acquiring Logo files and/or URL information of the middleware of the version, and determining the Logo files and/or URL information as characteristic information of the middleware of the version.
Preferably, the installing of that version of the middleware is performed in virtual machines running several types of operating system.
Preferably, a plurality of target features is identified;
the determining the corresponding middleware name and middleware version according to the target feature comprises the following steps:
determining the middleware name and the middleware version corresponding to each target feature according to the rule knowledge base;
classifying a plurality of target features according to different middleware versions;
calculating the total matching score of the target features included under each category by using the matching score preset for the feature information;
and determining the middleware names and the middleware versions corresponding to the target features based on the total matching scores corresponding to each category.
Preferably, before determining the corresponding middleware name and middleware version according to the target feature, the method further comprises: determining the target network device corresponding to the target feature; the target network device is the current network device or the peer network device that exchanges traffic with the current network device;
after determining the corresponding middleware name and middleware version according to the target feature, the method further comprises the following steps: and determining the determined middleware name and middleware version as the installed middleware in the target network equipment.
In a second aspect, an embodiment of the present invention further provides a middleware identification device, including:
the acquisition unit is used for acquiring the rule knowledge base; the rule knowledge base comprises characteristic information, and a corresponding middleware name and a middleware version;
the feature recognition unit is used for carrying out feature recognition on the network traffic by utilizing the rule knowledge base when the network traffic interacted with by the current network equipment is detected;
and the result determining unit is used for determining the corresponding middleware name and the middleware version according to the target characteristics when the target characteristics which are the same as the characteristic information in the rule knowledge base are identified in the network traffic.
In a third aspect, an embodiment of the present invention further provides a computing device, including a memory and a processor, where the memory stores a computer program, and the processor implements a method according to any embodiment of the present specification when executing the computer program.
In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform a method according to any of the embodiments of the present specification.
The embodiment of the invention provides a middleware identification method, a device, a computing device and a storage medium. A traffic detection device in the network device can detect the network traffic exchanged by the network device in order to detect its source port information, destination port information and the like. Therefore, when the traffic detection device detects network traffic exchanged by the network device, that traffic can be recognized using the acquired rule knowledge base, and the middleware name and middleware version installed in the network device can be identified from the network traffic. The method and device can thus identify the name and version of the middleware installed in the network device, and because the identification is performed on the basis of detecting network traffic, it is not blocked by the security protection equipment.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a middleware identification method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a rule knowledge base acquisition method according to an embodiment of the present invention;
FIG. 3 is a hardware architecture diagram of a computing device according to one embodiment of the present invention;
fig. 4 is a block diagram of a middleware identification device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments, and all other embodiments obtained by those skilled in the art without making any inventive effort based on the embodiments of the present invention are within the scope of protection of the present invention.
In the related art, the middleware installed on a network device is identified by comprehensively scanning the network device. If the network device has not authorized a full scan, the scan is blocked by the security protection equipment installed in the network device, and the owner of the network device will not normally authorize a full scan. Under normal conditions, however, the traffic detection device in the network device already detects the network traffic exchanged by the network device in order to detect its source port information, destination port information and the like. Since the network device usually exchanges network traffic by means of middleware, characteristic information of the middleware may be present in that traffic, so the detected network traffic can be used to determine which middleware the network device uses, and the middleware can be identified on the basis of the detected network traffic.
Specific implementations of the above concepts are described below.
Referring to fig. 1, an embodiment of the present invention provides a middleware identification method, which includes:
Step 100: obtaining a rule knowledge base; the rule knowledge base comprises characteristic information, and a corresponding middleware name and a middleware version.
Step 102: when the network traffic exchanged by the current network device is detected, performing feature recognition on the network traffic by using the rule knowledge base.
Step 104: when the network traffic is identified to have the same target characteristics as the characteristic information in the rule knowledge base, determining the corresponding middleware name and middleware version according to the target characteristics.
In the embodiment of the invention, the traffic detection device in the network device can detect the network traffic exchanged by the network device in order to detect its source port information, destination port information and the like. Therefore, when the traffic detection device detects network traffic exchanged by the network device, that traffic can be recognized using the acquired rule knowledge base, and the middleware name and middleware version installed in the network device can be identified from the network traffic. The method and device can thus identify the name and version of the middleware installed in the network device, and because the identification is performed on the basis of detecting network traffic, it is not blocked by the security protection equipment.
The manner in which the individual steps shown in fig. 1 are performed is described below.
First, for step 100, a rule knowledge base is obtained; the rule knowledge base comprises characteristic information, and a corresponding middleware name and a middleware version.
In order to identify middleware by using network traffic, a rule knowledge base for identification needs to be constructed in advance, and in one embodiment of the present invention, please refer to fig. 2, the rule knowledge base may be obtained at least in the following manner:
step 200, determining at least one middleware to be identified.
Various middleware, such as Hadoop, Linux virtual servers, static website servers, dynamic application servers and so on, is typically installed on network devices. In order to be able to identify the middleware installed on a network device, the middleware to be identified must first be determined.
At step 202, at least one version of each middleware is determined.
Since different middleware may perform version iteration periodically or aperiodically, in order to be able to identify the middleware version, it is necessary to determine each version that each middleware has.
For example, middleware A may have version A1, version A2, and so on; middleware B may have version B1, version B2, and so on. Each middleware thus has at least one version.
Step 204, for each version of each middleware, determining characteristic information in network traffic when the network device interacts with the network traffic based on the middleware of the version.
In the embodiment of the invention, since the middleware is identified from network traffic, the characteristic information that appears in the network traffic when the network device exchanges traffic using that version of the middleware is needed. Specifically, it can be determined as follows:
S1: installing that version of the middleware in a virtual machine;
S2: using a third-party tool to perform network interaction with the middleware, and capturing the exchanged network traffic;
S3: determining, from the captured network traffic, the characteristic information that characterizes that version of the middleware.
In one embodiment of the present invention, in step S1, that version of the middleware may be installed in virtual machines running several types of operating system, such as different versions of Windows (Windows XP, for example) and Linux. Installing the same version of the middleware in a virtual machine of each operating system type and determining the characteristic information separately makes it possible to distinguish the characteristic information of the same middleware version under different operating systems. When the characteristic information is later used to identify middleware, the operating system type of the network device can be used to select the relevant characteristic information, which improves the accuracy of middleware identification.
Middleware generally either uses a network protocol specific to itself, or uses a common network protocol but adds its own keyword feature at a specific position in that protocol. Therefore, when determining the characteristic information that characterizes that version of the middleware in S3, the network traffic produced by interaction with the middleware can be analyzed to determine whether it uses a protocol specific to the middleware, or whether a keyword feature has been added at a specific position of a common protocol, and the characteristic information of that version of the middleware is determined from the analysis result.
For example, parsing the network traffic obtained from interaction with middleware based on the MinIO open-source storage service yields the following network protocol content:
Response Headers:
Connection: close
Content-Length: 637
Content-Type: application/json
Date: Fri, 17 Sep 2021 06:48:26 GMT
Server: MinIO Console
Set-Cookie: token=ACXCWkf00KuIB/6JuPBs0X+LELf(qntA/2rr5ZUcBojih2oZLpnKFvi8qsPhQYOuwkQgsTax7HTUzDq0G3uaWcm6VXLw/RYMK3EoXatxBFehsVPhfsEc
From the parsed protocol content, at least the following characteristic information of the middleware can be determined: the keyword feature at the Server position is MinIO Console.
Continuing the example, parsing the network traffic obtained from interaction with middleware based on the PVE virtualization platform yields the following network protocol content:
Response Headers:
Connection: Keep-Alive
Content-Length: 17305
Content-Type: image/png
Date: Wed, 29 Sep 2021 01:48:31 GMT
Last-Modified: Thu, 16 May 2019 14:44:49 GMT
Server: pve-api-daemon/3.0
From the parsed protocol content, at least the following characteristic information of the middleware can be determined: the keyword feature at the Server position is pve-api-daemon/3.0, with a version number of 3.0.
It should be noted that, for the same middleware, different versions of middleware may have the same feature information, and in order to be able to identify the version of the middleware, when determining the feature information, the version number may be determined as the feature information.
Further, for usability, middleware is often deployed together with its own Web service, and uses Logo files, URLs and the like in that Web service that are characteristic of the middleware. Therefore, in one embodiment of the present invention, after step S1 the method may further include: acquiring the Logo files and/or URL information of that version of the middleware, and determining the Logo files and/or URL information as characteristic information of that version of the middleware.
Keyword features extracted from the network protocol, logo files in Web services and URL information are used as feature information of the middleware, so that the content of the feature information is enriched, and the identification accuracy is improved when the feature information is used for identifying the middleware in the follow-up process.
In step S2, the third party tool may be a browser, a client, or the like. For example, a browser is used in a virtual machine to log in to a Web interface of the middleware and operate on the Web interface to interact network traffic with a Web server.
In one embodiment of the present invention, after determining the corresponding feature information for a certain version of middleware, in order to ensure the accuracy that the feature information is used to characterize the version of middleware, the determined feature information may be further verified.
Specifically, the verification process may include: generating a corresponding identification statement for the feature information determined for the middleware of the version; performing network interaction with the middleware of the version by using a third party tool, performing feature recognition on the interacted network traffic by using the recognition statement, and if the middleware of the version is recognized, verifying the feature information obtained for the middleware of the version; if the middleware of the version is not identified, the verification is not passed, and further extraction of the feature information is required.
Step 206: generating a rule knowledge base according to the characteristic information corresponding to each version of each middleware.
After obtaining the feature information of each version of each middleware, in order to use the feature information to perform middleware identification, a rule knowledge base that can be issued to the flow detection device may be generated using the feature information.
In one embodiment of the invention, the rule knowledge base may be a snort rule knowledge base. Corresponding identification rules are generated aiming at the middleware names, the middleware version information and the feature information of the corresponding middleware and are stored in the snort rule knowledge base, so that the flow detection equipment can directly conduct feature identification on network flow according to each identification rule in the snort rule knowledge base, and the identification speed of the middleware is improved.
For example, the recognition rules in the snort rule knowledge base may be: when the content of the Server field is pve-api-daemon/3.0 identified in the network protocol obtained by analyzing the network traffic, the network traffic is preliminarily determined to be based on pve-api-daemon middleware with the version number of 3.0 for realizing interaction.
Further, the snort rule knowledge base may also include the corresponding operating system type.
When the rule knowledge base is generated, Logo files and URLs can be stored in it in the form of characteristic values (for example, a hash of the Logo file), so that during feature recognition the Logo files and URLs observed in the traffic can be compared with those stored in the rule knowledge base by computing the same characteristic value, which reduces the probability of misidentification.
In one embodiment of the invention, when the middleware is determined to have a new version, the feature information of the new version of the middleware is determined according to step 100 for the new version of the middleware, and the generated rule knowledge base is updated, so that timeliness of the feature information in the rule knowledge base is ensured, and further, accuracy of the middleware identification result is ensured.
And then, for step 102, when the network traffic interacted with by the current network equipment is detected, the rule knowledge base is utilized to perform feature recognition on the network traffic.
The rule knowledge base is distributed to the traffic detection device in each network device, and when the traffic detection device detects network traffic exchanged by the current network device, it performs feature recognition on that traffic using the rule knowledge base in addition to its original detection.
When the feature recognition is carried out, the network traffic can be analyzed, and the network traffic can be recognized one by one according to recognition rules included in a rule knowledge base.
In one embodiment of the invention, before the feature recognition is performed, the operation system types of the current network equipment and the destination network equipment interacting with the current network equipment can be determined, and then the feature recognition is performed by utilizing the recognition rules corresponding to the operation system types in the rule knowledge base, so that all the recognition rules included in the rule knowledge base are not required to be recognized, and the recognition time is greatly saved.
Finally, for step 104, when it is identified that the network traffic has the same target feature as the feature information in the rule knowledge base, determining a corresponding middleware name and middleware version according to the target feature.
Continuing with the above description, assume that the following target features are identified: the content of the identified Server field in the network protocol parsed from the network traffic is pve-api-daemon/3.0. Then the middleware name for the target feature may be determined to be pve-api-daemon with middleware version 3.0.
In one embodiment of the invention, when a network traffic is identified as having the same target feature as feature information in the rule knowledge base, the corresponding middleware name and middleware version are determined by using the target feature. It is also possible to set an identification period, for example, 1 day, and determine the corresponding middleware name and middleware version by using the target features obtained in the identification period.
In one embodiment of the present invention, if a plurality of target features is identified, the middleware names and middleware versions that correspond to those target features in the rule knowledge base are determined as the middleware names and versions installed in the network device. In order to improve the accuracy of the recognition result, the corresponding middleware name and middleware version may also be determined as follows:
P1: determining the middleware name and middleware version corresponding to each target feature according to the rule knowledge base.
P2: classifying the plurality of target features according to the different middleware versions.
P3: calculating the total matching score of the target features included in each category, using the matching score preset for each piece of characteristic information.
P4: determining the middleware names and middleware versions corresponding to the target features based on the total matching score of each category.
For example, suppose the identified target features are characteristic information A11, A12, A13, B11, B12 and C11, and that in the rule knowledge base A11, A12 and A13 correspond to middleware A with version A1, B11 and B12 correspond to middleware B with version B1, and C11 corresponds to middleware C with version C1. The target features can then be divided into three categories. Taking the first category, middleware A with version A1, as an example: the matching scores of A11, A12 and A13 are X1, X2 and X3 respectively, and adding the three gives a total matching score of X1 + X2 + X3. When the total matching score is not smaller than a set score threshold, it is determined that middleware A with version A1 is installed in the network device; if the total matching score is smaller than the set score threshold, it is determined that middleware A with version A1 is not installed in the network device.
By calculating the total matching score of the target features included under each category and utilizing the total matching score to comprehensively determine whether the middleware of the version is installed, the identification accuracy can be improved.
It should be noted that, the matching score set for the feature information may be set according to an empirical value, for example, the matching score corresponding to the feature information determined from the network protocol is higher than the matching score using the Logo file/URL.
In one embodiment of the present invention, the network traffic exchanged by the current network device is generated not only by the current network device but also by the peer network device it communicates with. Therefore, in order to identify which network device the middleware is installed on, before step P4 the method may further include: determining the target network device corresponding to the target feature, where the target network device is the current network device or the peer network device that exchanges traffic with the current network device; and after step P4 the method may further include: determining the identified middleware name and middleware version as middleware installed in that target network device.
Continuing with the above example, if the feature information a11, the feature information a12, and the feature information a13 are all corresponding to the current network device, it may be determined that the middleware a of the version A1 is installed on the current network device.
Therefore, the embodiment of the invention not only can identify the middleware installed in the current network equipment, but also can identify the middleware installed on the opposite-end network equipment interacted with the current network equipment, thereby expanding the identification range of the middleware, ensuring that a user can determine the risk level of the opposite-end network equipment according to the identification result, further carrying out information protection of different measures and further improving the information security.
Further, after the middleware name and the middleware version of the middleware installed in the network device are identified, whether the middleware version is the latest version of the middleware can be determined based on the identification result, and if not, the user is prompted to prompt the user to update the version of the middleware in time. Therefore, the middleware names and middleware versions of the installed middleware in the network equipment are identified, so that the weak points which can be utilized and are easy to expose in the network equipment can be identified.
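The scoring, classification and device-attribution procedure described above, as an added example that is not part of the patent's own disclosure: the rule knowledge base, the matching scores and threshold, the captured exchanges, the addresses and the latest-version table below are all constructed for illustration. Attributing a feature seen in a response to the responding device and a URL seen in a request to the device the request was sent to is one possible way to realise the "target network device" determination, not the patent's stated method.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One piece of feature information in the (hypothetical) rule knowledge base."""
    rule_id: str
    middleware: str
    version: str
    position: str   # protocol position the keyword is read from
    pattern: str    # regular expression applied at that position
    score: int      # preset matching score (empirical)


# Constructed rule knowledge base. Protocol keyword features carry a higher
# matching score than Logo/URL features, as the description recommends.
RULES = [
    Rule("A11", "MiddlewareA", "A1", "server",       r"^MiddlewareA/1\.0\b", 5),
    Rule("A12", "MiddlewareA", "A1", "x_powered_by", r"^MiddlewareA-Core 1\.0$", 3),
    Rule("A13", "MiddlewareA", "A1", "url",          r"^/mwa/console/", 1),
    Rule("B11", "MiddlewareB", "B1", "server",       r"^MiddlewareB 2\.", 5),
    Rule("B12", "MiddlewareB", "B1", "logo_hash",    r"^0123456789abcdef0123456789abcdef$", 1),
    Rule("C11", "MiddlewareC", "C1", "url",          r"^/mwc/admin", 1),
]
SCORE_THRESHOLD = 6

# Constructed exchanges as a traffic detection device on 10.0.0.9 (the current
# network device) would see them. Each dict is one request or response, reduced
# to the protocol positions the rules look at; the logo hash is a constructed value.
OBSERVATIONS = [
    {"direction": "response", "src": "10.0.0.5", "dst": "10.0.0.9",
     "server": "MiddlewareA/1.0 (Unix)", "x_powered_by": "MiddlewareA-Core 1.0"},
    {"direction": "request", "src": "10.0.0.9", "dst": "10.0.0.5",
     "url": "/mwa/console/login"},
    {"direction": "request", "src": "10.0.0.7", "dst": "10.0.0.9",
     "url": "/mwc/admin"},
    {"direction": "response", "src": "10.0.0.9", "dst": "10.0.0.7",
     "server": "MiddlewareB 2.3", "logo_hash": "0123456789abcdef0123456789abcdef"},
]

# Constructed table of the newest known version of each middleware.
LATEST_VERSIONS = {"MiddlewareA": "A2", "MiddlewareB": "B1", "MiddlewareC": "C1"}


def match_features(observations, rules=RULES):
    """Find target features in the traffic and attribute each to a target network
    device: a feature in a response belongs to the responder (src), a URL in a
    request belongs to the server the request was sent to (dst)."""
    hits = []
    for obs in observations:
        target = obs["src"] if obs["direction"] == "response" else obs["dst"]
        for rule in rules:
            value = obs.get(rule.position)
            if value is not None and re.search(rule.pattern, value):
                hits.append((rule, target))
    return hits


def identify(observations, rules=RULES, threshold=SCORE_THRESHOLD):
    """Classify the target features by (device, middleware, version), add up the
    matching scores of each class, and accept a version only when its total is
    not smaller than the threshold. Returns {(device, name, version): (total, installed)}."""
    totals = defaultdict(int)
    for rule, target in match_features(observations, rules):
        totals[(target, rule.middleware, rule.version)] += rule.score
    return {key: (total, total >= threshold) for key, total in totals.items()}


def outdated(results, latest=LATEST_VERSIONS):
    """Installed versions that are not the latest known version, to be prompted for update."""
    return sorted((dev, mw, ver, latest[mw])
                  for (dev, mw, ver), (_, installed) in results.items()
                  if installed and mw in latest and latest[mw] != ver)


if __name__ == "__main__":
    results = identify(OBSERVATIONS)
    for (dev, mw, ver), (total, installed) in sorted(results.items()):
        print(f"{dev}: {mw} {ver} total={total} installed={installed}")
    for dev, mw, ver, newest in outdated(results):
        print(f"update prompt: {dev} runs {mw} {ver}, latest is {newest}")
```

With these inputs middleware A of version A1 is attributed to the opposite-end device 10.0.0.5 with a total of 9, middleware B of version B1 to the current device with a total of exactly 6 (accepted, since the comparison is "not smaller than"), and middleware C is not reported because its single URL feature scores 1. A total that reaches the threshold is still an inference from traffic: Server headers and similar version strings are configurable on most middleware and can be removed or altered by an administrator, so a version that is "not the latest" deserves confirmation on the host before it is treated as a weak point.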
As shown in fig. 3 and fig. 4, an embodiment of the invention provides a middleware identification device. The device embodiment may be implemented in software, in hardware, or in a combination of hardware and software. Fig. 3 shows the hardware architecture of the computing device on which the middleware identification device is located; besides the processor, memory, network interface and nonvolatile memory shown in fig. 3, the computing device may in general include other hardware, such as a forwarding chip responsible for processing packets. Taking a software implementation as an example, as shown in fig. 4, the device in the logical sense is formed by the CPU of the computing device reading the corresponding computer program from nonvolatile memory into memory. The middleware identification device provided in this embodiment includes:
an obtaining unit 401, configured to obtain a rule knowledge base, the rule knowledge base comprising feature information and the corresponding middleware name and middleware version;
a feature recognition unit 402, configured to perform feature recognition on network traffic using the rule knowledge base when network traffic exchanged by the current network device is detected;
and a result determining unit 403, configured to determine, when the network traffic is identified as having a target feature identical to feature information in the rule knowledge base, the corresponding middleware name and middleware version according to the target feature.
In one embodiment of the present invention, the obtaining unit 401 is specifically configured to: determine at least one middleware to be identified; determine at least one version of each middleware; for each version of each middleware, determine the feature information that a network device exhibits in network traffic when it exchanges traffic by means of that version of the middleware; and generate the rule knowledge base from the feature information corresponding to each version of each middleware.
In one embodiment of the present invention, when determining the feature information that a network device exhibits in network traffic based on the middleware of a version, the obtaining unit 401 is specifically configured to: install that version of the middleware in a virtual machine; perform network interaction with the middleware using a third-party tool and capture the resulting network traffic; and determine, from the captured network traffic, the feature information that characterizes that version of the middleware.
In one embodiment of the present invention, the obtaining unit 401 is further configured to obtain the Logo file and/or URL information of that version of the middleware and determine the Logo file and/or URL information as feature information of that version.
In one embodiment of the invention, the installation of that version of the middleware is performed in virtual machines running several types of operating systems.
In one embodiment of the invention, a plurality of target features is identified;
and the result determining unit 403 is specifically configured to: determine the middleware name and middleware version corresponding to each target feature according to the rule knowledge base; classify the plurality of target features according to middleware version; calculate the total matching score of the target features in each class using the matching scores preset for the feature information; and determine the middleware name and middleware version corresponding to the target features based on the total matching score of each class.
In one embodiment of the present invention, the result determining unit 403 is further configured to determine the target network device corresponding to the target feature, the target network device being the current network device or an opposite-end network device that interacts with the current network device, and to determine the identified middleware name and middleware version as middleware installed in the target network device.
It should be understood that the structure illustrated in the embodiments of the present invention does not constitute a specific limitation on a middleware recognition device. In other embodiments of the invention, a middleware recognition device may include more or fewer components than those shown, or combine certain components, or split certain components, or a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
The information exchange and execution process between the modules of the device are based on the same conception as the method embodiment of the invention; for specific details, reference may be made to the description of the method embodiment, which is not repeated here.
The embodiment of the invention also provides a computing device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the middleware identification method in any embodiment of the invention when executing the computer program.
Embodiments of the present invention also provide a computer readable storage medium having a computer program stored thereon which, when executed by a processor, causes the processor to perform the middleware identification method of any embodiment of the invention.
Specifically, a system or apparatus may be provided with a storage medium on which program code implementing the functions of any of the above embodiments is stored, and a computer (or CPU or MPU) of the system or apparatus may be caused to read out and execute the program code stored in the storage medium.
In this case, the program code itself read from the storage medium may realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code form part of the present invention.
Examples of the storage medium for providing the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer by a communication network.
Further, it should be apparent that the functions of any of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform part or all of the actual operations based on the instructions of the program code.
Further, it is understood that the program code read out from the storage medium may be written into a memory provided in an expansion board inserted into a computer, or into a memory provided in an expansion module connected to the computer, and a CPU or the like mounted on the expansion board or expansion module may then be caused to perform part or all of the actual operations based on the instructions of the program code, thereby realizing the functions of any of the above embodiments.
The embodiments of the invention have at least the following beneficial effects:
1. In one embodiment of the present invention, a traffic detection device in the network device already inspects the network traffic exchanged by the network device in order to detect its source port information, destination port information and the like; feature recognition using the obtained rule knowledge base can therefore be performed on the network traffic as soon as the traffic detection device detects it, so as to identify the middleware name and middleware version installed in the network device from the traffic. The method thus identifies the name and version of the middleware installed in the network device, and because the identification is performed on traffic that is already being detected, it is passive and does not require the security network device to block that traffic.
2. In one embodiment of the invention, the corresponding feature information is determined separately for each version of the middleware, so that when feature recognition is performed with the rule knowledge base generated from that feature information, not only the middleware installed in the network device but also its version can be accurately identified.
3. In one embodiment of the invention, the middleware of each version is installed separately in a virtual machine of each type of operating system to determine the feature information, so feature information of the same version of middleware under different operating systems can be distinguished; when the feature information is used to identify middleware, the operating system type of the network device can also be used in the identification, which improves the accuracy of middleware identification.
4. In one embodiment of the invention, keyword features extracted from the network protocol, together with the Logo files and URL information of the Web service, are used as feature information of the middleware, which enriches the feature information and improves the identification accuracy when the feature information is later used to identify the middleware.
5. In one embodiment of the invention, when the rule knowledge base is generated, Logo files and URLs can be stored in the rule knowledge base as computed feature values rather than as the raw file or string, so that when a Logo file or URL is encountered during feature recognition, whether it matches the stored Logo file or URL is determined by computing and comparing the feature value, which reduces the probability of misidentification.
6. In one embodiment of the invention, when it is determined that a middleware has a new version, feature information is determined for the new version and the generated rule knowledge base is updated, which keeps the feature information in the rule knowledge base current and thereby maintains the accuracy of the middleware identification result.
7. In one embodiment of the invention, before feature recognition is performed, the operating system types of the current network device and of the opposite-end network device interacting with it can be determined, and feature recognition is then performed using only the identification rules in the rule knowledge base that correspond to those operating system types, so not every rule in the rule knowledge base has to be evaluated and identification time is greatly reduced.
8. In one embodiment of the invention, when a plurality of target features is identified, the target features can be classified according to middleware version, and identification accuracy is improved by calculating the total matching score of the target features in each class and using that total to decide whether the middleware of that version is installed.
9. In one embodiment of the invention, because the network traffic is generated by the network interaction between the current network device and the opposite-end network device, determining the target network device corresponding to the target feature and then determining the middleware installed on that target network device identifies both the middleware installed on the current network device and the middleware installed on the opposite-end network device it interacts with. This expands the identification range of the middleware, and a user can determine the risk level of the opposite-end network device from the identification result and apply protective measures accordingly, further improving information security.
10. In one embodiment of the invention, after the middleware name and middleware version of the middleware installed in a network device are identified, it can be determined from the identification result whether the identified version is the latest version of that middleware, and if not, the user is prompted to update the middleware in time. Identifying the middleware names and versions installed in network devices therefore makes it possible to identify exploitable, easily exposed weak points in those devices.
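Effects 3, 4 and 5 above, together with the identification-statement generation and verification step that claim 1 recites for building the rule knowledge base, as an added example that is not part of the patent's own disclosure: the captured HTTP responses, the Logo bytes, the middleware name DemoMW, its version and the two operating-system types are all constructed. Keyword features are taken from the Server and X-Powered-By header positions, the Logo file is stored as a SHA-256 feature value rather than as the file itself, each feature becomes an anchored regular expression as its identification statement, and an entry is verified by running its statements over a second capture from the same virtual machine. The choice of SHA-256 as the feature value and of an anchored regex as the statement form are this example's assumptions.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed captures of a Web interface response from the same hypothetical
# middleware version installed in two virtual machines of different OS types.
LINUX_CAPTURE = (b"HTTP/1.1 200 OK\r\n"
                 b"Server: DemoMW/3.2.1 (Unix)\r\n"
                 b"X-Powered-By: DemoMW-Core 3.2\r\n"
                 b"Content-Type: text/html\r\n\r\n"
                 b"<html><img src='/demomw/logo.png'></html>")
WINDOWS_CAPTURE = LINUX_CAPTURE.replace(b"(Unix)", b"(Win64)")
LOGO = b"\x89PNG\r\n\x1a\nconstructed-logo-bytes"   # constructed, not a real PNG


@dataclass
class KnowledgeBaseEntry:
    middleware: str
    version: str
    os_type: str
    statements: list   # (protocol position, anchored regex) pairs


def parse_http_response(raw):
    """Split a captured HTTP response into status line, header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def extract_features(raw_response, logo_bytes=None):
    """Feature information from captured traffic: keyword features at fixed
    protocol positions (Server / X-Powered-By headers) and the Logo file as a
    SHA-256 feature value instead of the raw file."""
    _, headers, _ = parse_http_response(raw_response)
    features = [("header:" + h, headers[h]) for h in ("server", "x-powered-by") if h in headers]
    if logo_bytes is not None:
        features.append(("logo:sha256", hashlib.sha256(logo_bytes).hexdigest()))
    return features


def to_statements(features):
    """One identification statement per feature: an anchored regex with the
    keyword escaped, so '.' in a version number matches only a literal dot."""
    return [(pos, "^" + re.escape(val) + "$") for pos, val in features]


def verify(entry, raw_response, logo_bytes=None):
    """Re-interact with the middleware and run the statements over the new
    capture; verification passes only if every statement matches."""
    observed = dict(extract_features(raw_response, logo_bytes))
    return all(pos in observed and re.match(pat, observed[pos]) is not None
               for pos, pat in entry.statements)


def build_entry(middleware, version, os_type, capture, logo_bytes):
    return KnowledgeBaseEntry(middleware, version, os_type,
                              to_statements(extract_features(capture, logo_bytes)))


def build_knowledge_base():
    """One entry per (middleware, version, OS type), keyed the way the
    OS-specific rule selection of effect 7 needs it."""
    kb = {}
    for os_type, capture in (("linux", LINUX_CAPTURE), ("windows", WINDOWS_CAPTURE)):
        entry = build_entry("DemoMW", "3.2.1", os_type, capture, LOGO)
        # Verification against a fresh interaction with the same VM; an entry
        # that fails here would be sent back for further feature extraction.
        if verify(entry, capture, LOGO):
            kb[(entry.middleware, entry.version, entry.os_type)] = entry
    return kb


if __name__ == "__main__":
    kb = build_knowledge_base()
    for key, entry in kb.items():
        print(key, entry.statements)
    linux = kb[("DemoMW", "3.2.1", "linux")]
    print("linux entry on windows traffic:", verify(linux, WINDOWS_CAPTURE, LOGO))
```

The Linux entry fails verification against the Windows capture because the Server header differs in its platform suffix, which is exactly why the description keeps one set of feature information per operating-system type. Escaping the keyword before building the statement matters in practice: an unescaped "3.2.1" would also match "3x2y1", and an unanchored statement would match any header that merely contains the keyword.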
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of additional identical elements in a process, method, article or apparatus that comprises the element.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, and the foregoing program may be stored in a computer readable storage medium, where the program, when executed, performs steps including the above method embodiments; and the aforementioned storage medium includes: various media in which program code may be stored, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A middleware identification method for identifying the middleware names and middleware versions installed on network devices in a local area network, comprising:
acquiring a rule knowledge base, the rule knowledge base comprising feature information and the corresponding middleware name and middleware version, the feature information including keyword features extracted from specific positions of common network protocols used by the middleware, and Logo files and/or URL information that represent the middleware's own features in a Web service;
When the network traffic interacted by the current network equipment is detected, carrying out feature recognition on the network traffic by utilizing the rule knowledge base;
when the network traffic is identified to have the same target characteristics as the characteristic information in the rule knowledge base, determining a corresponding middleware name and a middleware version according to the target characteristics;
the obtaining the rule knowledge base includes: determining at least one middleware to be identified; determining at least one version of each middleware; for each version of each middleware, determining characteristic information of network equipment in the network traffic when the network equipment interacts with the network traffic based on the middleware of the version; generating a rule knowledge base according to the characteristic information corresponding to each version of each middleware;
wherein determining the feature information of the network device in the network traffic when the network device interacts network traffic based on the middleware of the version comprises: installing the version of the middleware in a virtual machine; performing network interaction with the middleware using a third-party tool and capturing the interacted network traffic; determining, from the captured network traffic, feature information characterizing the version of the middleware; generating a corresponding identification statement for the feature information determined for the version of the middleware; performing network interaction with the version of the middleware again using the third-party tool and performing feature recognition on the interacted network traffic using the identification statement, wherein if the version of the middleware is recognized, the feature information obtained for the version of the middleware passes verification, and if the version of the middleware is not recognized, the verification fails and feature information needs to be further extracted; and wherein the third-party tool is a browser, the browser is used to log in to the Web interface of the middleware, and operations on the Web interface exchange network traffic with the Web server.
2. The method of claim 1, wherein installing the version of the middleware is performed in virtual machines of several types of operating systems.
3. The method of claim 1, wherein the identified target feature is a plurality;
the determining the corresponding middleware name and middleware version according to the target feature comprises the following steps:
determining the middleware name and the middleware version corresponding to each target feature according to the rule knowledge base;
classifying a plurality of target features according to different middleware versions;
calculating the total matching score of the target features included under each category by using the matching score preset for the feature information;
and determining the middleware names and the middleware versions corresponding to the target features based on the total matching scores corresponding to each category.
4. A method according to any one of claims 1 to 3, wherein,
before determining the corresponding middleware name and middleware version according to the target feature, the method further comprises the following steps: determining target network equipment corresponding to the target characteristics; the target network device is current network device or opposite end network device interacted with the current network device;
After determining the corresponding middleware name and middleware version according to the target feature, the method further comprises the following steps: and determining the determined middleware name and middleware version as the installed middleware in the target network equipment.
5. A middleware identification device, for identifying a middleware name and a middleware version installed on a network device in a local area network, comprising:
the acquisition unit is used for acquiring the rule knowledge base; the rule knowledge base comprises characteristic information, and a corresponding middleware name and a middleware version; the characteristic information includes: keyword features extracted from specific positions of common network protocols used by middleware, logo files and/or URL information for representing self features in Web services;
the feature recognition unit is used for carrying out feature recognition on the network traffic by utilizing the rule knowledge base when the network traffic interacted with by the current network equipment is detected;
a result determining unit, configured to determine, when it is identified that the network traffic has the same target feature as feature information in the rule knowledge base, a corresponding middleware name and middleware version according to the target feature;
the acquisition unit specifically includes: determining at least one middleware to be identified; determining at least one version of each middleware; for each version of each middleware, determining characteristic information of network equipment in the network traffic when the network equipment interacts with the network traffic based on the middleware of the version; generating a rule knowledge base according to the characteristic information corresponding to each version of each middleware;
wherein, when determining the feature information of the network device in the network traffic when the network device interacts network traffic based on the middleware of the version, the acquisition unit is specifically configured to: install the version of the middleware in a virtual machine; perform network interaction with the middleware using a third-party tool and capture the interacted network traffic; determine, from the captured network traffic, feature information characterizing the version of the middleware; generate a corresponding identification statement for the feature information determined for the version of the middleware; perform network interaction with the version of the middleware again using the third-party tool and perform feature recognition on the interacted network traffic using the identification statement, wherein if the version of the middleware is recognized, the feature information obtained for the version of the middleware passes verification, and if the version of the middleware is not recognized, the verification fails and feature information needs to be further extracted; and wherein the third-party tool is a browser, the browser is used to log in to the Web interface of the middleware, and operations on the Web interface exchange network traffic with the Web server.
6. The apparatus of claim 5, wherein installing the version of the middleware is performed in virtual machines of several types of operating systems.
7. The apparatus of claim 5, wherein the identified target feature is a plurality;
the result determining unit specifically includes: determining the middleware name and the middleware version corresponding to each target feature according to the rule knowledge base; classifying a plurality of target features according to different middleware versions; calculating the total matching score of the target features included under each category by using the matching score preset for the feature information; and determining the middleware names and the middleware versions corresponding to the target features based on the total matching scores corresponding to each category.
8. The apparatus according to any one of claims 5-7, wherein the result determining unit is further configured to determine a target network device corresponding to the target feature; the target network device is current network device or opposite end network device interacted with the current network device; and determining the determined middleware name and middleware version as the installed middleware in the target network equipment.
9. A computing device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the method of any of claims 1-4 when the computer program is executed.
10. A computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any of claims 1-4.
CN202111209038.6A 2021-10-18 2021-10-18 Middleware identification method, device, computing equipment and storage medium Active CN113949568B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111209038.6A CN113949568B (en) 2021-10-18 2021-10-18 Middleware identification method, device, computing equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111209038.6A CN113949568B (en) 2021-10-18 2021-10-18 Middleware identification method, device, computing equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113949568A CN113949568A (en) 2022-01-18
CN113949568B true CN113949568B (en) 2023-11-10

Family

ID=79330962

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111209038.6A Active CN113949568B (en) 2021-10-18 2021-10-18 Middleware identification method, device, computing equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113949568B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102045363A (en) * 2010-12-31 2011-05-04 成都市华为赛门铁克科技有限公司 Establishment, identification control method and device for network flow characteristic identification rule
CN109327461A (en) * 2018-11-12 2019-02-12 广东省信息安全测评中心 Distributed asset identification and change cognitive method and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10216553B2 (en) * 2011-06-30 2019-02-26 International Business Machines Corporation Message oriented middleware with integrated rules engine
CN102752204A (en) * 2012-07-03 2012-10-24 中兴通讯股份有限公司 Service platform and service realization method of ubiquitous network


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
《一种企业移动信息服务平台中间件的研究设计》 (Research and Design of Middleware for an Enterprise Mobile Information Service Platform); Zhang Jing; 《信息科技》 (Information Technology), Issue 03, 2014; full text *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant