CN114500346A - Network space mapping method and device - Google Patents


Info

Publication number: CN114500346A
Authority: CN (China)
Prior art keywords: port, protocol, information, product, asset information
Legal status: Granted (active)
Application number: CN202210362926.XA
Other languages: Chinese (zh)
Other versions: CN114500346B (en)
Inventors: 史振宇, 赵武
Current assignee: Beijing Huashunxinan Technology Co ltd
Original assignee: Beijing Huashunxinan Technology Co ltd
Priority date: 2022-04-08
Filing date: 2022-04-08
Publication date: 2022-05-13

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers
    • H04L43/06 Generation of reports
    • H04L43/065 Generation of reports related to network devices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network space mapping method and device. The method comprises the following steps: performing stateless port scanning on the network space to obtain port information for each port, and performing protocol identification based on the port information of each port to obtain asset information of the product. Compared with a traditional single-technology approach, the method offers higher efficiency, higher accuracy and more complete data.

Description

Network space mapping method and device
Technical Field
The embodiments of the invention relate to the technical field of network assets, and in particular to a network space mapping method and device.
Background
Currently, network space scanning relies on a single tool, such as the following:
1. ZMap is a piece of scanning software that produces good results and is also very fast; it can scan the entire Internet within an hour.
2. Masscan is an Internet-scale, high-performance port scanning tool that uses SYN packet probing and is claimed to be able to scan every IP on the whole Internet within 5 minutes.
3. Nmap is a security scanner that discovers hosts and services on a computer network, thereby creating a "map" of the network. To achieve this, Nmap sends specific packets to the target host and then analyzes the responses.
ZMap can only scan one port at a time, and as a rule of thumb ZMap scanning is still slow even when multiple jobs run simultaneously. Nmap is slow when the number of targets is large, and its protocol identification is inaccurate, time-consuming and unstable, so it is not preferable for whole-network mapping. Masscan gives less accurate results when scanning a large port range at a high rate.
These tools identify few UDP services and do so poorly. They are not user-friendly: the user cannot directly search, count or query results, cannot query history, and so on. Traditionally, the data is released in the form of a single piece of software, and obtaining the data carries a certain cost.
Disclosure of Invention
The embodiment of the invention provides a network space mapping method and device, which can improve the efficiency, accuracy and safety of network asset acquisition.
In a first aspect, an embodiment of the present invention provides a network space mapping method, including:
carrying out stateless port scanning on a network space to obtain port information of each port;
and carrying out protocol identification according to the port information of each port to obtain the asset information of the product.
Optionally, the performing protocol identification according to port information of each port to obtain asset information of the product includes:
determining the legality of the parameters according to the IP, the port type and the protocol type of the port in the port information to obtain all protocols of the port corresponding to the port information;
and sequentially identifying according to the weight of each protocol, and returning the successfully identified protocol to the asset information of the product.
Optionally, the sequentially identifying according to the weight of each protocol, and returning the successfully identified protocol to the asset information of the product includes:
if the banner is not empty, performing traversal protocol identification and returning the successfully identified protocol to the asset information of the product;
and performing a specified-protocol retry mechanism and returning the successfully identified protocol to the asset information of the product; if the banner is not empty, performing traversal protocol judgment again and returning the successfully identified protocol to the asset information of the product; and marking any protocol that is still unrecognized as unidentified.
Optionally, the method further comprises:
using a crawler on the successfully identified protocol to capture the home page and extract key information into the asset information of the product.
Optionally, the method further comprises:
carrying out data validity analysis, IP geographical position information association and information extraction on the obtained asset information of the product;
setting product types and storing the asset information of the products into a database;
and a foreground interactive interface for displaying the asset information of the product stored in the database.
In a second aspect, the present invention provides a cyberspace mapping apparatus, comprising:
the scanning unit is used for carrying out stateless port scanning on the network space to obtain port information of each port;
and the processing unit is used for carrying out protocol identification according to the port information of each port to obtain the asset information of the product.
Optionally, the processing unit is specifically configured to:
determining the legality of the parameters according to the IP, the port type and the protocol type of the port in the port information to obtain all protocols of the port corresponding to the port information;
and sequentially identifying according to the weight of each protocol, and returning the successfully identified protocol to the asset information of the product.
Optionally, the processing unit is specifically configured to:
if the banner is not empty, performing traversal protocol identification and returning the successfully identified protocol to the asset information of the product;
and performing a specified-protocol retry mechanism and returning the successfully identified protocol to the asset information of the product; if the banner is not empty, performing traversal protocol judgment again and returning the successfully identified protocol to the asset information of the product; and marking any protocol that is still unrecognized as unidentified.
Optionally, the processing unit is further configured to:
using a crawler on the successfully identified protocol to capture the home page and extract key information into the asset information of the product.
Optionally, the processing unit is further configured to:
carrying out data validity analysis, IP geographical position information association and information extraction on the obtained asset information of the product;
setting product types and storing the asset information of the products into a database;
and a foreground interactive interface for displaying the asset information of the product stored in the database.
In a third aspect, an embodiment of the present invention further provides a computing device, including:
a memory for storing program instructions;
and the processor is used for calling the program instructions stored in the memory and executing the network space mapping method according to the obtained program.
In a fourth aspect, the embodiments of the present invention also provide a computer-readable non-volatile storage medium that includes computer-readable instructions which, when read and executed by a computer, cause the computer to execute the network space mapping method.
In the embodiment of the invention, stateless port scanning is carried out on the network space to obtain the port information of each port, and protocol identification is carried out according to the port information of each port to obtain the asset information of the product. Compared with the traditional single technology, the method has the advantages of higher efficiency, higher accuracy and more complete data.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic diagram of a system architecture according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a network space mapping method according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a network space mapping apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 illustrates an exemplary system architecture, which may be a server 100, including a processor 110, a communication interface 120, and a memory 130, to which embodiments of the present invention are applicable.
The communication interface 120 is used for communicating with a terminal device, and transceiving information transmitted by the terminal device to implement communication.
The processor 110 is a control center of the server 100, connects various parts of the entire server 100 using various interfaces and routes, performs various functions of the server 100 and processes data by operating or executing software programs and/or modules stored in the memory 130 and calling data stored in the memory 130. Alternatively, processor 110 may include one or more processing units.
The memory 130 may be used to store software programs and modules, and the processor 110 executes various functional applications and data processing by operating the software programs and modules stored in the memory 130. The memory 130 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to a business process, and the like. Further, the memory 130 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.
It should be noted that the structure shown in fig. 1 is only an example, and the embodiment of the present invention does not limit this.
Fig. 2 schematically illustrates a process of network space mapping provided by an embodiment of the present invention, which may be performed by a network space mapping apparatus.
As shown in fig. 2, the process specifically includes:
step 201, performing stateless port scanning on the network space to obtain port information of each port.
In the embodiment of the invention, a stateless port scanning technique is used that combines the advantages of ZMap, Masscan and Nmap, and UDP scanning is improved (the content of the original UDP probes is improved and additional UDP packets are added). Finally, the scanner is packaged as a component so that it is more flexible to use and the set of scanned ports can be extended at any time. At minimum it returns IP / type (tcp, udp) / port.
Step 202, according to the port information of each port, performing protocol identification to obtain asset information of the product.
Specifically, the validity of the parameters is first checked against the IP, the port type and the protocol type in the port information, and all protocols corresponding to that port are obtained. The protocols are then tried sequentially in order of their weight, and the successfully identified protocol is returned to the asset information of the product.
When returning the successfully identified protocol to the asset information of the product: if the banner is not empty, traversal protocol identification is performed and the successfully identified protocol is returned; then a specified-protocol retry mechanism is performed and the successfully identified protocol is returned; if the banner is now not empty, traversal protocol judgment is performed again and the successfully identified protocol is returned; and any protocol that is still unrecognized is marked as unidentified.
In practical application, protocol identification is extensible: protocols, ports, weights and the like are mapped in detail, and the content obtained is analyzed and converted in depth. The speed and quality of protocol identification are greatly improved. The step returns IP / type (tcp, udp) / port / protocol / banner, etc. The specific steps are as follows:
a) Receive an IP, port and port type.
b) Check the validity of the parameters.
c) Select all protocols corresponding to the port.
d) Identify sequentially in order of protocol weight, and return directly if identification succeeds.
e) If the banner is not empty, perform traversal protocol identification (judge the protocol from the banner's features), and return if successful.
f) Perform the specified-protocol retry mechanism (common protocols are retried for recognition, and random packets are retried), and return if successful. Random packet sending: some random packets elicit responses that can be used for judgment.
g) If the banner is not empty, perform traversal protocol judgment again, and return if successful.
h) If nothing is recognized, mark the protocol as unidentified.
i) Return.
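The following is an added example, not the patent's own code, that implements steps a) to i) above as an offline pipeline: the protocol table, weights, banner features, retry list and the in-memory responder that stands in for the network are all constructed for illustration.

```python
"""Protocol identification in the order of steps a)-i): validate the record,
try port-specific protocols by weight, judge by banner features, retry with
common-protocol and generic probes, then mark anything left as unidentified.
Added example; all tables and hosts below are constructed, not the patent's."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class PortInfo:
    """One record as step 201 returns it: at least IP / type (tcp, udp) / port."""
    ip: str
    kind: str
    port: int

@dataclass
class Protocol:
    """Extensible protocol entry: expected ports, ordering weight, probe, banner feature."""
    name: str
    ports: set
    weight: int
    probe: bytes        # payload to send; b"" means connect and just read
    feature: str        # regex a matching banner must satisfy

# Constructed protocol table (hypothetical ports/weights, not the patent's).
PROTOCOLS: List[Protocol] = [
    Protocol("http",  {80, 8080, 8000}, 100, b"GET / HTTP/1.0\r\n\r\n", r"^HTTP/1\.[01] \d{3}"),
    Protocol("ssh",   {22},             100, b"",                       r"^SSH-2\.0-"),
    Protocol("redis", {6379},            90, b"PING\r\n",               r"^(\+PONG|-ERR)"),
    Protocol("smtp",  {25, 587},         80, b"",                       r"^220 .*E?SMTP"),
    Protocol("ftp",   {21},              80, b"",                       r"^220 .*FTP"),
]
BY_NAME: Dict[str, Protocol] = {p.name: p for p in PROTOCOLS}
# Step f): common protocols retried on any port, plus one generic payload
# standing in for the "random packet" retry.
RETRY_PROTOCOLS = ["http", "ssh"]
GENERIC_PROBE = b"\r\n"

IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

def params_valid(info: PortInfo) -> bool:
    """Step b): reject malformed records before any probe is attempted."""
    m = IPV4.match(info.ip)
    if not m or any(int(o) > 255 for o in m.groups()):
        return False
    return info.kind in ("tcp", "udp") and 0 < info.port < 65536

def candidates(port: int) -> List[Protocol]:
    """Steps c)/d): protocols registered for the port, highest weight first."""
    return sorted((p for p in PROTOCOLS if port in p.ports), key=lambda p: -p.weight)

def matches(p: Protocol, banner: bytes) -> bool:
    return bool(re.search(p.feature, banner.decode("latin-1", "replace")))

def banner_traversal(banner: bytes) -> Optional[str]:
    """Steps e)/g): judge the protocol from banner features across every protocol."""
    for p in sorted(PROTOCOLS, key=lambda p: -p.weight):
        if matches(p, banner):
            return p.name
    return None

Prober = Callable[[PortInfo, bytes], bytes]   # (record, payload) -> banner bytes

def identify(info: PortInfo, probe: Prober) -> dict:
    """Steps a)-i): returns IP / type / port / protocol / banner."""
    result = {"ip": info.ip, "type": info.kind, "port": info.port,
              "protocol": "unidentified", "banner": b""}
    if not params_valid(info):                       # b)
        result["protocol"] = "invalid"
        return result
    for p in candidates(info.port):                  # c), d)
        banner = probe(info, p.probe)
        result["banner"] = banner or result["banner"]
        if banner and matches(p, banner):
            result["protocol"] = p.name
            return result
    if result["banner"]:                             # e)
        name = banner_traversal(result["banner"])
        if name:
            result["protocol"] = name
            return result
    payloads = [BY_NAME[n].probe for n in RETRY_PROTOCOLS] + [GENERIC_PROBE]
    for name, payload in zip(RETRY_PROTOCOLS + ["generic"], payloads):   # f)
        banner = probe(info, payload)
        if not banner:
            continue
        result["banner"] = banner
        if name in BY_NAME and matches(BY_NAME[name], banner):
            result["protocol"] = name
            return result
    if result["banner"]:                             # g)
        name = banner_traversal(result["banner"]) or result["protocol"]
        result["protocol"] = name
    return result                                    # h), i): "unidentified" if nothing matched

def constructed_responder(info: PortInfo, payload: bytes) -> bytes:
    """Constructed stand-in for the network (nothing is sent); each entry mimics
    how a real service would answer the given probe."""
    key = (info.ip, info.port)
    if key == ("192.0.2.10", 22):
        return b"SSH-2.0-OpenSSH_8.9\r\n"                      # server speaks first
    if key == ("192.0.2.10", 8443):                            # web server on an unlisted port
        return b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n" if payload.startswith(b"GET") else b""
    if key == ("192.0.2.20", 80):                              # mail server answering on port 80
        return b"220 mail.example.net ESMTP Postfix\r\n"
    if key == ("192.0.2.40", 7000):                            # Redis-like service on an unlisted port
        return b"-ERR unknown command\r\n" if payload.strip() else b""
    return b""                                                 # silent host

if __name__ == "__main__":
    for rec in [PortInfo("192.0.2.10", "tcp", 22), PortInfo("192.0.2.10", "tcp", 8443),
                PortInfo("192.0.2.20", "tcp", 80), PortInfo("192.0.2.40", "tcp", 7000),
                PortInfo("192.0.2.30", "tcp", 9999), PortInfo("256.0.0.1", "tcp", 80)]:
        print(identify(rec, constructed_responder))
```

The four constructed hosts exercise the four exits of the pipeline: a port-table hit at d), a banner-feature hit at e), a retry hit at f), and a second traversal hit at g).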
In addition, a crawler can be applied to the successfully identified protocol to capture the home page and extract key information into the asset information of the product.
That is, a crawler is added: the home page is captured and analyzed, key information (such as domain, host, cert, title, DOM tree, etc.) is extracted, and if a host appears in the body, the newly found host is in turn issued to the crawler. It returns body/header/icon, etc.
Further, data validity analysis, IP geographical location association and information extraction can be performed on the obtained asset information of the product; product types are set and the asset information of the products is stored in a database; and a foreground interactive interface displays the asset information of the product stored in the database.
That is, data aggregation is added: data validity analysis, IP geographical location association, information extraction, and so on. Product identification is added: product rules classify the asset, for example as a Huacheng router, a Hewlett-Packard printer, etc. (a fingerprint rule is simply a query statement that can be used to identify a certain type of device or software). A database for storing the extracted data is added. Foreground operation pages (for interacting with the user: retrieval, submitting data, etc.) are added.
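The crawler extraction and the fingerprint-rule product classification described in the two passages above, as an added example that is not the patent's code. The raw HTTP response, the product names and the rules are constructed, and the rule syntax (field="value" substring, field=="value" exact, &&, ||, parentheses) is an assumed one chosen for illustration.

```python
"""Home-page extraction (title, server header, newly found hosts) and
fingerprint-rule evaluation for product identification. Added example; the
response bytes, rules and rule syntax below are constructed assumptions."""
import re
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

class _PageInfo(HTMLParser):
    """Collects the <title> text and every host referenced by href/src."""
    def __init__(self) -> None:
        super().__init__()
        self.title, self._in_title, self.hosts = "", False, set()
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        for name, value in attrs:
            host = urlparse(value).hostname if name in ("href", "src") and value else None
            if host:                       # relative links yield no hostname
                self.hosts.add(host)
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()

def extract(raw: bytes, own_host: str) -> dict:
    """Split a raw HTTP response into header/body, pull the title and Server
    header, and list hosts seen in the body that the crawler has not visited."""
    head, _, body = raw.partition(b"\r\n\r\n")
    header = head.decode("latin-1", "replace")
    text = body.decode("utf-8", "replace")
    parser = _PageInfo()
    parser.feed(text)
    server = ""
    for line in header.split("\r\n")[1:]:          # skip the status line
        if line.lower().startswith("server:"):
            server = line.split(":", 1)[1].strip()
    return {"host": own_host, "header": header, "server": server, "title": parser.title,
            "body": text, "new_hosts": sorted(h for h in parser.hosts if h != own_host)}

TOKEN = re.compile(r'\(|\)|&&|\|\||\w+\s*==?\s*"[^"]*"')
TERM = re.compile(r'(\w+)\s*(==|=)\s*"([^"]*)"')

def rule_matches(rule: str, asset: dict) -> bool:
    """Evaluate a fingerprint rule (a small query statement) against an asset.
    Assumed syntax: field="value" is a case-insensitive substring test,
    field=="value" is exact; && binds tighter than ||; parentheses group."""
    tokens = TOKEN.findall(rule)
    pos = 0

    def term() -> bool:
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            val = expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parenthesis in rule: " + rule)
            pos += 1
            return val
        field, op, want = TERM.fullmatch(tok).groups()
        have = str(asset.get(field, ""))
        return have == want if op == "==" else want.lower() in have.lower()

    def conj() -> bool:
        nonlocal pos
        val = term()
        while pos < len(tokens) and tokens[pos] == "&&":
            pos += 1
            val = term() and val          # always evaluate so the token stream advances
        return val

    def expr() -> bool:
        nonlocal pos
        val = conj()
        while pos < len(tokens) and tokens[pos] == "||":
            pos += 1
            val = conj() or val
        return val

    result = expr()
    if pos != len(tokens):
        raise ValueError("malformed rule: " + rule)
    return result

# Constructed product rules (hypothetical; the page names only the product kinds).
FINGERPRINTS = [
    ("Hewlett-Packard printer", 'title="LaserJet" || header="Server: HP HTTP Server"'),
    ("Huacheng router",         'title="Huacheng" && (body="router" || body="Wi-Fi")'),
    ("nginx web server",        'header="nginx"'),
]

def classify(asset: dict) -> List[str]:
    """Product identification: every fingerprint rule the asset satisfies."""
    return [name for name, rule in FINGERPRINTS if rule_matches(rule, asset)]

# Constructed response from a hypothetical host 192.0.2.50.
SAMPLE = (b"HTTP/1.1 200 OK\r\nServer: HP HTTP Server\r\nContent-Type: text/html\r\n\r\n"
          b"<html><head><title>HP LaserJet M404 - Status</title></head>"
          b'<body><a href="http://support.example.com/help">Help</a>'
          b'<img src="/img/logo.png"></body></html>')

if __name__ == "__main__":
    asset = extract(SAMPLE, "192.0.2.50")
    print(asset["title"], asset["server"], asset["new_hosts"], classify(asset))
```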
The embodiment of the invention adds data association, extraction, storage, pages and the like, so that a user can directly query and analyze real-time scan data, historical data and so on, making use more convenient and friendly.
The above embodiment shows that stateless port scanning is performed on a network space to obtain port information of each port, and protocol identification is performed according to the port information of each port to obtain asset information of a product. Compared with the traditional single technology, the method has the advantages of higher efficiency, higher accuracy and more complete data.
Based on the same technical concept, fig. 3 exemplarily shows a structure of a cyber-space mapping apparatus provided by an embodiment of the present invention, and the apparatus can perform a cyber-space mapping procedure.
As shown in fig. 3, the apparatus may include:
a scanning unit 301, configured to perform stateless port scanning on a network space to obtain port information of each port;
the processing unit 302 is configured to perform protocol identification according to the port information of each port, so as to obtain asset information of the product.
Optionally, the processing unit 302 is specifically configured to:
determining the legality of the parameters according to the IP, the port type and the protocol type of the port in the port information to obtain all protocols of the port corresponding to the port information;
and sequentially identifying according to the weight of each protocol, and returning the successfully identified protocol to the asset information of the product.
Optionally, the processing unit 302 is specifically configured to:
if the banner is not empty, performing traversal protocol identification and returning the successfully identified protocol to the asset information of the product;
and performing a specified-protocol retry mechanism and returning the successfully identified protocol to the asset information of the product; if the banner is not empty, performing traversal protocol judgment again and returning the successfully identified protocol to the asset information of the product; and marking any protocol that is still unrecognized as unidentified.
Optionally, the processing unit 302 is further configured to:
using a crawler on the successfully identified protocol to capture the home page and extract key information into the asset information of the product.
Optionally, the processing unit 302 is further configured to:
carrying out data validity analysis, IP geographical position information association and information extraction on the obtained asset information of the product;
setting product types and storing the asset information of the products into a database;
and a foreground interactive interface for displaying the asset information of the product stored in the database.
Based on the same technical concept, an embodiment of the present invention further provides a computing device, including:
a memory for storing program instructions;
and the processor is used for calling the program instructions stored in the memory and executing the network space mapping method according to the obtained program.
Based on the same technical concept, embodiments of the present invention further provide a computer-readable non-volatile storage medium that includes computer-readable instructions which, when read and executed by a computer, cause the computer to execute the network space mapping method.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. A network space mapping method, comprising:
carrying out stateless port scanning on a network space to obtain port information of each port;
and carrying out protocol identification according to the port information of each port to obtain the asset information of the product.
2. The method of claim 1, wherein the performing protocol identification according to the port information of each port to obtain asset information of the product comprises:
determining the legality of the parameters according to the IP, the port type and the protocol type of the port in the port information to obtain all protocols of the port corresponding to the port information;
and sequentially identifying according to the weight of each protocol, and returning the successfully identified protocol to the asset information of the product.
3. The method of claim 1, wherein the sequentially identifying according to the weight of each protocol, and returning the successfully identified protocol to the asset information of the product comprises:
if the banner is not empty, performing traversal protocol identification and returning the successfully identified protocol to the asset information of the product;
and performing a specified-protocol retry mechanism and returning the successfully identified protocol to the asset information of the product; if the banner is not empty, performing traversal protocol judgment again and returning the successfully identified protocol to the asset information of the product; and marking any protocol that is still unrecognized as unidentified.
4. The method of claim 1, wherein the method further comprises:
using a crawler on the successfully identified protocol to capture the home page and extract key information into the asset information of the product.
5. The method of any of claims 1 to 4, further comprising:
carrying out data validity analysis, IP geographical position information association and information extraction on the obtained asset information of the product;
setting product types and storing the asset information of the products into a database;
and a foreground interactive interface for displaying the asset information of the product stored in the database.
6. A cyberspace mapping apparatus, comprising:
the scanning unit is used for carrying out stateless port scanning on the network space to obtain port information of each port;
and the processing unit is used for identifying the protocol according to the port information of each port to obtain the asset information of the product.
7. The apparatus as claimed in claim 6, wherein said processing unit is specifically configured to:
determining the legality of the parameters according to the IP, the port type and the protocol type of the port in the port information to obtain all protocols of the port corresponding to the port information;
and sequentially identifying according to the weight of each protocol, and returning the successfully identified protocol to the asset information of the product.
8. The apparatus as claimed in claim 6, wherein said processing unit is specifically configured to:
if the banner is not empty, performing traversal protocol identification and returning the successfully identified protocol to the asset information of the product;
and performing a specified-protocol retry mechanism and returning the successfully identified protocol to the asset information of the product; if the banner is not empty, performing traversal protocol judgment again and returning the successfully identified protocol to the asset information of the product; and marking any protocol that is still unrecognized as unidentified.
9. A computing device, comprising:
a memory for storing program instructions;
a processor for calling program instructions stored in said memory to execute the method of any one of claims 1 to 5 in accordance with the obtained program.
10. A computer-readable non-transitory storage medium including computer-readable instructions which, when read and executed by a computer, cause the computer to perform the method of any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210362926.XA CN114500346B (en) 2022-04-08 2022-04-08 Network space mapping method and device


Publications (2)

Publication Number Publication Date
CN114500346A true CN114500346A (en) 2022-05-13
CN114500346B CN114500346B (en) 2022-08-02

Family

ID=81488559

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210362926.XA Active CN114500346B (en) 2022-04-08 2022-04-08 Network space mapping method and device

Country Status (1)

Country Link
CN (1) CN114500346B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115208963A (en) * 2022-07-02 2022-10-18 北京华顺信安科技有限公司 Multi-dimensional IP asset calibration method
CN116846690A (en) * 2023-09-01 2023-10-03 湘潭大学 IPv6 network space mapping method based on industry classification and probability model

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050071485A1 (en) * 2003-09-26 2005-03-31 Arun Ramagopal System and method for identifying a network resource
CN109347892A (en) * 2018-08-03 2019-02-15 北京奇安信科技有限公司 A kind of Internet Industry assets scanning processing method and device
CN109660401A (en) * 2018-12-20 2019-04-19 中国电子科技集团公司第三十研究所 A kind of distributed network assets detection method


Also Published As

Publication number Publication date
CN114500346B (en) 2022-08-02


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant