CN115296928A - Port scanning method and device, computer equipment and readable storage medium - Google Patents


Info

Publication number
CN115296928A
Authority
CN
China
Prior art keywords
scanning
port
risk level
scanned
asset
Prior art date
Legal status
Granted
Application number
CN202211186792.7A
Other languages
Chinese (zh)
Other versions
CN115296928B (en
Inventor
熊方成城
李季
赵远杰
胡维
梁露露
陈幼雷
韩冰
李可
Current Assignee
Beijing Yuanbao Technology Co ltd
Original Assignee
Beijing Yuanbao Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Yuanbao Technology Co ltd
Priority to CN202211186792.7A
Publication of CN115296928A
Application granted
Publication of CN115296928B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Embodiments of the invention provide a port scanning method, a port scanning device, computer equipment and a readable storage medium in the field of Internet technology. The method comprises: dividing the ports of each asset to be scanned into a plurality of scanning tasks according to a plurality of theoretical risk level output values, where the theoretical risk level output value corresponding to an earlier scanning task is larger than that corresponding to a later scanning task; storing the plurality of scanning tasks of each asset to be scanned in a plurality of queues respectively; and, for the current queue, when the scanning task of the current asset to be scanned in the current queue is completed and the risk level of the scanning result is smaller than a preset risk level threshold, triggering execution of the scanning task of the current asset in the next queue while executing the scanning task of the next asset in the current queue. With this scheme more exposed attack surface information can be found in a shorter time, and information about open critical ports is less likely to be missed.

Description

Port scanning method and device, computer equipment and readable storage medium
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a port scanning method and apparatus, a computer device, and a readable storage medium.
Background
An open port is the interface between a network asset and the Internet. To establish the port exposure of an asset and guard against attacks, full-port scanning is required in asset security evaluation. At present full-port scanning follows no particular method and simply traverses port numbers 1 to 65535 in sequence. Because such a scan sends a large number of packets to the target device (asset), it may disturb the operation of the target or trigger the target's firewall policy so that the remainder of the scan cannot be completed; and since sequential scanning does not discover as many open ports as possible early in the scan, information about critical open ports may be missed.
Disclosure of Invention
In view of this, embodiments of the present invention provide a port scanning method to solve the technical problem in the prior art that as many open ports as possible cannot be found within a limited time. The method comprises the following steps:
dividing ports of each asset to be scanned into a plurality of scanning tasks according to a plurality of theoretical risk level output values, wherein each scanning task comprises a port which meets the requirement of scanning of the theoretical risk level output value corresponding to the scanning task, and the theoretical risk level output value corresponding to the scanning task in the prior order is greater than the theoretical risk level output value corresponding to the scanning task in the next order;
respectively storing a plurality of scanning tasks of each asset to be scanned into a plurality of queues;
and for the current queue, when the scanning task of the current asset to be scanned in the current queue is completed, and the risk level of the scanning result is smaller than a preset risk level threshold, triggering to execute the scanning task of the current asset to be scanned in the next queue, and executing the scanning task of the next asset to be scanned in the current queue.
Embodiments of the invention also provide a port scanning device, to solve the prior-art problem that as many open ports as possible cannot be found within a limited time. The device comprises:
a task dividing module for dividing the ports of each asset to be scanned into a plurality of scanning tasks according to a plurality of theoretical risk level output values, where each scanning task comprises the ports that must be scanned to meet the theoretical risk level output value corresponding to that task;
a queue processing module for storing the plurality of scanning tasks of each asset to be scanned in a plurality of queues respectively;
and a scanning module which, for each queue, when the scanning task of the current asset to be scanned in that queue is completed and the risk level of the scanning result is smaller than a preset risk level threshold, triggers execution of the scanning task of the current asset in the next queue and executes the scanning task of the next asset in that queue.
The embodiment of the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor implements the above arbitrary port scanning method when executing the computer program, so as to solve the technical problem in the prior art that an open port cannot be found as much as possible within a limited time.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program for executing any of the above port scanning methods is stored, so as to solve a technical problem in the prior art that an open port cannot be found as much as possible within a limited time.
Compared with the prior art, at least one technical scheme adopted by the embodiments of this specification achieves at least the following beneficial effects. The ports of each asset to be scanned are divided into a plurality of scanning tasks according to a plurality of theoretical risk level output values, an earlier scanning task having a larger theoretical risk level output value than a later one; the scanning tasks of each asset are stored in a plurality of queues, and the scanning tasks in each queue are then executed. When the scanning task of the current asset in a queue is completed and the risk level of the scanning result is less than the preset risk level threshold, the scanning task of the current asset in the next queue is triggered while the scanning task of the next asset in the current queue is executed.
Consequently, for the scanning tasks of one asset, each task reaches its corresponding theoretical risk level output value on completion, and since the earlier tasks carry the larger output values, the scanning of ports with higher theoretical risk level is concentrated in the early stage of the scan, so that more exposed attack surface information is found in a shorter time. At the same time, because the next queue's task for the current asset and the current queue's task for the next asset proceed together, the scanning tasks of multiple assets are executed in parallel. This helps to find as much of the assets' exposed attack surface as possible before the scan is limited by a firewall or by the time limit (that is, without greatly affecting the target service). Whether a single asset or multiple assets are scanned, the port scanning method can therefore discover as much of the exposed attack surface as possible without greatly affecting the target service, which helps to avoid missing information about open critical ports.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a port scanning method according to an embodiment of the present invention;
Fig. 2 is a flowchart of an implementation of the port scanning method according to an embodiment of the present invention;
Fig. 3 is a timing diagram illustrating the execution of scanning tasks by different queues according to an embodiment of the present invention;
Fig. 4 is a block diagram of a computer device according to an embodiment of the present invention;
Fig. 5 is a block diagram of a port scanning apparatus according to an embodiment of the present invention.
Detailed Description
The embodiments of the present application will be described in detail below with reference to the accompanying drawings.
The following description of the embodiments of the present application is provided by way of specific examples, and other advantages and effects of the present application will be readily apparent to those skilled in the art from the disclosure herein. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. The present application is capable of other and different embodiments and its several details are capable of modifications and/or changes in various respects, all without departing from the spirit of the present application. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
In an embodiment of the present invention, a port scanning method is provided, as shown in fig. 1, the method includes:
step S101: dividing each port of the assets to be scanned into a plurality of scanning tasks according to a plurality of theoretical risk level output values, wherein each scanning task comprises a port which is a port required to be scanned and meets the theoretical risk level output value corresponding to the scanning task, and the theoretical risk level output value corresponding to the scanning task which is in the front in sequence is larger than the theoretical risk level output value corresponding to the scanning task which is in the back in sequence;
step S102: respectively storing a plurality of scanning tasks of each asset to be scanned into a plurality of queues;
step S103: and for the current queue, when the scanning task of the current asset to be scanned in the current queue is completed, and the risk level of the scanning result is smaller than a preset risk level threshold, triggering to execute the scanning task of the current asset to be scanned in the next queue, and executing the scanning task of the next asset to be scanned in the current queue.
As can be seen from the process shown in fig. 1, in this embodiment the ports of each asset to be scanned are divided into a plurality of scanning tasks according to a plurality of theoretical risk level output values, an earlier scanning task having a larger theoretical risk level output value than a later one; the scanning tasks of each asset are then stored in a plurality of queues, and the scanning tasks in each queue are executed. For each queue, when the scanning task of the current asset in that queue is completed and the risk level of the scanning result is less than the preset risk level threshold, the scanning task of the current asset in the next queue is triggered and the scanning task of the next asset in the current queue is executed. Consequently, for the scanning tasks of one asset, each task reaches its corresponding theoretical risk level output value on completion, and since the earlier tasks carry the larger output values, the scanning of ports with higher theoretical risk level is concentrated in the early stage of the scan, so that more exposed attack surface information is found in a shorter time. At the same time, because the next queue's task for the current asset and the current queue's task for the next asset proceed together, the scanning tasks of multiple assets are executed in parallel, which helps to find as much of the assets' exposed attack surface as possible before the scan is limited by a firewall or by the time limit (that is, without greatly affecting the target service).
In specific implementation, the scanning task can be quantified as follows. In the port scanning process the risk level of the scanned asset must meet the requirement within as short a scanning time as possible. Consider the time consumed to output a given percentage of the asset's risk level. Since this time is positively correlated with the number of scanned ports, it can be evaluated through the number of scanned ports, and the "given-percentage output problem" is defined as the number of ports that have been scanned by the time the given percentage of the risk level is output. It then suffices to determine the minimum number of scanned ports at which that percentage of the risk level output is reached.
In order that the ports of the assets to be scanned can be divided into different scanning tasks according to the theoretical risk level output values, this embodiment proposes dividing the ports of each asset into a plurality of scanning tasks according to a plurality of theoretical risk level output values as follows: the open port risk level is determined according to the probability distribution of the service corresponding to the port when it is open and the quantized value of the service attack surface information;
and the minimum set of ports that must be scanned to reach each theoretical risk level output value is determined according to the port open probability and the open port risk level of the ports, that minimum set forming one scanning task.
In specific implementation, in determining the minimum set of ports to be scanned to reach each theoretical risk level output value, consider an arbitrary moment in the full-port scan at which the number of scanned ports, the elapsed time, the set of open ports found so far and the set of ports not yet scanned are given. The risk level of the asset's discovered attack surface can then be expressed as:
[formula image not reproduced in the extracted text]
where the weights are the open port risk levels.
The given-percentage risk level output problem can then be expressed as:
[formula image not reproduced in the extracted text]
that is, for a given port scan order, the least number of ports that must be scanned so that the discovered asset risk level exceeds the given percentage of the sum of all port risk levels. Here the port open probability enters as a weight. The smaller the number of ports required to output the given percentage of the risk level, the more efficient the scanning method.
Therefore, in order to refine the scanning task so that effective port information is still output when the scan is cut off by a firewall or by the time limit, the ports are divided into scanning tasks and the scanning tasks are stored in the respective queues; this queue design realises optimized scanning flow control.
For example, taking the given-percentage preset risk level output problem as reference, the ports of an asset to be scanned are divided into a plurality of scanning tasks, each scanning task is stored in one queue, and the queues together form a queue set:
[formula image not reproduced in the extracted text]
where the i-th queue stores the i-th scanning task, and the i-th scanning task should satisfy: on completion of the i-th scanning task, the theoretical risk level output of its port scan accounts for the task's given percentage of all the remaining theoretical risk level. Therefore the port set included in the i-th scanning task should be the minimum set satisfying:
[formula image not reproduced in the extracted text]
where the terms are, respectively, the set of ports not yet scanned, the set of ports contained in the i-th scanning task, the theoretical risk level output value corresponding to the i-th scanning task (that is, the theoretical risk level that should be covered on completion of the i-th scanning task), and the open port risk level.
In particular, the port open probability is the probability that a particular port is open, each port being treated as independent of the others. Because services listen on default ports and there are clear regularities in how likely different services are to be exposed to the Internet, the value of the port open probability can be estimated from port-open frequency statistics.
In specific implementation, the open port risk level is determined from the probability distribution of the service corresponding to the port and the quantized value of the service attack surface information, for example:
[formula image not reproduced in the extracted text]
where the service attack surface quantization value is determined by the implied value of the service, the vulnerabilities it contains and the difficulty of exploiting the service, and the open port risk level is the expectation of the service attack surface quantization value, taken as a random variable, over the probability distribution of the service.
In specific implementation, since services listen on default ports and there are clear regularities in how likely different services are to be exposed to the Internet, the probability distribution of the service corresponding to a port can be estimated from service detection statistics.
In specific implementation, the service attack surface quantization value can be assigned by service class, for example database-type services, remote-connection-type services, HTTP-type services and so on, different classes of service having different implied value. The quantization value can therefore be determined from network security knowledge such as the implied value of the service, the vulnerabilities it contains and the difficulty of exploiting it. Specifically, statistics on the implied value, contained vulnerabilities and exploitation difficulty of different classes of service can be gathered, a correspondence between the attack surface quantization value and these factors deduced from the statistics, and the quantization value of a service then read off from that correspondence in practical application.
During specific implementation, in the process of dividing the port of each asset to be scanned into a plurality of scanning tasks, the ports may be sequentially divided into port sets included in the plurality of scanning tasks according to the port order, so that the order of the scanning tasks is consistent with the port order, that is, the scanning task including the port ranked before is ranked also before, and the scanning task including the port ranked after is ranked also after.
In specific implementation, the theoretical risk level output value corresponding to the scanning task may be a ratio of a risk level output when the scanning task is finished to risk levels of all ports of the same asset to be scanned, and in order to find attack surfaces exposed by the asset in a short time as much as possible before being limited by a firewall or before reaching time (i.e., without causing a large influence on a target service), the theoretical risk level output value corresponding to a scanning task in the front order is set to be greater than the theoretical risk level output value corresponding to a scanning task in the back order.
In specific implementation, in order to further discover as much of the assets' exposed attack surface as possible before the scan is limited by a firewall or by the time limit (that is, without greatly affecting the target service), this embodiment sets a designated queue in addition to the plurality of queues. While the scanning tasks in the queues are executed, when the scanning task of the current asset to be scanned in the current queue is completed and the risk level of the scanning result is greater than the preset risk level threshold, the unscanned scanning tasks of the current asset are moved to the designated queue, which is a queue outside the plurality of queues; the scanning tasks of that asset in the designated queue then continue to be executed until the firewall is triggered or the time limit is reached.
For example, the queue set is:
[formula image not reproduced in the extracted text]
where the scanning task in the first queue covers the first theoretical risk level output value (in %), the second queue covers the second value (in %) of the remaining theoretical risk level, the third queue covers the third value (in %) of the remaining theoretical risk level, and so on. In particular, the designated queue stores the scanning tasks of all assets whose risk level exceeds the preset risk level threshold after completion of any of the other queues.
In particular, queues may be set for the ports of an asset to be scanned as follows, for example:
[formula image not reproduced in the extracted text]
where the scanning task for the asset in the first queue comprises about 100 ports and covers 90% of the theoretical risk level;
the scanning task for the asset in the second queue comprises about 1000 ports and covers 8% of the theoretical risk level;
the scanning task for the asset in the third queue comprises about 5000 ports and covers 1.6% of the theoretical risk level;
and the designated queue contains all ports of the asset that have not entered any other queue; until the firewall is triggered or the time limit is reached, the designated queue performs the full scan of the remaining ports.
In specific implementation, in order to further improve scanning efficiency, in this embodiment the scanning tasks in different queues are executed in parallel by different scanning devices: the scanning tasks in each queue are executed by one scanning device, so there are as many scanning devices as queues and the scanning tasks of different queues run in parallel.
In specific implementation, the port scanning method suits the multi-asset, single-scan scenario under least knowledge: knowing only the IP addresses of the target assets, it can discover as much of the assets' exposed attack surface as possible before the scan is limited by a firewall or by the time limit (that is, without greatly affecting the target service).
In specific implementation, the process of implementing the port scanning method is described in detail below, taking the scanning of multiple assets with 4 queues as an example, the ports of each asset being divided into 3 scanning tasks (the fourth queue being the designated queue). As shown in fig. 2, the process is as follows:
1. Input the asset IP addresses and scan, in the first queue, the port set included in the scanning task of asset 1, storing the scanning result in the database; as shown in fig. 3, at this point only the first queue is executing a scanning task (for asset 1) and no other queue is scanning.
2. Judge whether the risk level of the scanning result exceeds the preset risk level threshold. If yes, move the unscanned scanning tasks of asset 1 to the designated queue, execute step 6, and start scanning, in the first queue, the port set included in the scanning task of asset 2; if not, execute the next step and start scanning, in the first queue, the port set included in the scanning task of asset 2.
3. Scan, in the second queue, the port set included in the scanning task of asset 1 and store the scanning result in the database; as shown in fig. 3, at this point the first queue is executing the scanning task of asset 2 while the second queue executes the scanning task of asset 1.
4. Judge whether the risk level of the scanning result exceeds the preset risk level threshold. If yes, move the unscanned scanning tasks of asset 1 to the designated queue, execute step 6, and start scanning, in the second queue, the port set included in the scanning task of asset 2; if not, execute the next step and start scanning, in the second queue, the port set included in the scanning task of asset 2.
5. Scan, in the third queue, the port set included in the scanning task of asset 1 and store the scanning result in the database; as shown in fig. 3, at this point the first queue is executing the scanning task of asset 3, the second queue the scanning task of asset 2, and the third queue the scanning task of asset 1.
6. In the designated queue, scan the unscanned port sets of each asset moved there and store the scanning results in the database.
7. The full port scan is complete.
In the above flow, with reference to fig. 2 and fig. 3, if the sequential asset scanning mode of the prior art is adopted, the number of assets whose scanning tasks are all completed within the time of one full port scan is equal to the number of devices executing tasks, whereas the asset scanning mode of the optimized port scanning method completes a large number of queued scanning tasks in the same time, that is, it covers 90% of the theoretical risk level of these tasks. If the scan is interrupted because a target firewall policy is triggered or the time limit is reached when any queue's scanning task finishes, the scanning result database of this port scanning method is more likely to hold more open-port information than sequential scanning would.
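To make the queue hand-off of steps 1 to 7 concrete, the following is an added example written for this page (it is not code from the patent or its applicant) that simulates the multi-queue schedule in Python and compares it with a sequential full scan under a cut-off. Everything the patent leaves open is an assumption here: each scanning task takes one time step and each queue is served by its own device, the "risk level of the scanning result" is the sum of the risk levels of the ports found open in that task, the designated queue runs on a fourth device as soon as tasks are moved into it, the firewall trigger or time limit is modelled as a budget of time steps, and the assets, port groups, open ports and threshold are constructed sample data.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanTask:
    asset: str
    index: int     # position in the asset's task sequence; 0 has the highest theoretical risk level
    ports: tuple   # ports probed by this task


# Constructed sample data (not from the patent): 4 assets, 3 scanning tasks each,
# tasks already ordered by descending theoretical risk level output value.
ASSETS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
TASK_PORTS = [(445, 3389, 22), (80, 443, 21), (8080, 8443, 1433)]
# Constructed ground truth: open ports per asset with an open-port risk level.
OPEN_PORTS = {
    "10.0.0.1": {22: 0.4, 80: 0.2},
    "10.0.0.2": {445: 0.9, 3389: 0.8, 80: 0.2},   # first task alone exceeds the threshold
    "10.0.0.3": {443: 0.3},
    "10.0.0.4": {},
}
RISK_THRESHOLD = 1.0   # preset risk level threshold (assumed value)


def probe(task):
    """Stand-in for the real port probe: {port: risk level} for the open ports of the task."""
    found = OPEN_PORTS[task.asset]
    return {p: found[p] for p in task.ports if p in found}


def run_pipeline(assets=ASSETS, task_ports=TASK_PORTS, threshold=RISK_THRESHOLD, time_limit=None):
    """Queues 0..n-1 hold task i of every asset in asset order; queue n is the designated queue.
    Each step, every queue whose head task has been triggered runs it (one device per queue).
    Returns (schedule, results): schedule = [(step, queue, asset, task index)],
    results = {asset: {open port: risk level}}."""
    n = len(task_ports)
    queues = [deque(ScanTask(a, i, task_ports[i]) for a in assets) for i in range(n)]
    designated = deque()
    ready = {(a, 0) for a in assets}          # the first task of every asset may start at once
    schedule, results, step = [], {}, 0
    while (any(queues) or designated) and (time_limit is None or step < time_limit):
        ran = []
        if designated:                        # designated queue: its tasks are always ready
            ran.append((n, designated.popleft()))
        for i, q in enumerate(queues):
            if q and (q[0].asset, q[0].index) in ready:
                ran.append((i, q.popleft()))
        if not ran:                           # nothing triggered: state can no longer change
            break
        for queue_no, task in ran:            # evaluate results only after all heads were picked
            found = probe(task)
            results.setdefault(task.asset, {}).update(found)
            schedule.append((step, queue_no, task.asset, task.index))
            if queue_no == n:
                continue
            if sum(found.values()) > threshold:
                # threshold exceeded: move this asset's unscanned tasks to the designated queue
                for q in queues[task.index + 1:]:
                    for t in [t for t in q if t.asset == task.asset]:
                        q.remove(t)
                        designated.append(t)
            elif task.index + 1 < n:
                ready.add((task.asset, task.index + 1))   # trigger the next queue for this asset
        step += 1
    return schedule, results


def run_sequential(assets=ASSETS, task_ports=TASK_PORTS, time_limit=None):
    """Prior-art baseline (assumed): one device scans every port of asset 1, then asset 2, ..."""
    results, step = {}, 0
    for a in assets:
        for i, ports in enumerate(task_ports):
            if time_limit is not None and step >= time_limit:
                return results
            results.setdefault(a, {}).update(probe(ScanTask(a, i, ports)))
            step += 1
    return results


def open_ports_found(results):
    return sum(len(v) for v in results.values())


if __name__ == "__main__":
    schedule, results = run_pipeline()
    for entry in schedule:
        print("step %d queue %d asset %s task %d" % entry)
    for budget in (2, 4):
        print("budget", budget, "pipeline:", open_ports_found(run_pipeline(time_limit=budget)[1]),
              "sequential:", open_ports_found(run_sequential(time_limit=budget)))
```

In the sample, asset 10.0.0.2 exceeds the threshold on its first task, so its second and third tasks are removed from the second and third queues and drained by the designated queue while the first queue moves on to asset 10.0.0.3; with a budget of two steps the pipeline has found four open ports against two for the sequential baseline.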
In this embodiment, a computer device is provided, as shown in fig. 4, and includes a memory 401, a processor 402, and a computer program stored in the memory and executable on the processor, and the processor executes the computer program to implement any of the above-mentioned port scanning methods.
In particular, the computer device may be a computer terminal, a server or a similar computing device.
In the present embodiment, there is provided a computer-readable storage medium storing a computer program for executing any of the above-described port scanning methods.
In particular, computer-readable storage media, including volatile and non-volatile, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer-readable storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, a computer-readable storage medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
Based on the same inventive concept, the embodiment of the present invention further provides a port scanning apparatus, as described in the following embodiments. Because the principle of the port scanning apparatus for solving the problem is similar to the port scanning method, the implementation of the port scanning apparatus can refer to the implementation of the port scanning method, and the repeated parts are not described again. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 5 is a block diagram of a port scanning device according to an embodiment of the present invention, and as shown in fig. 5, the device includes:
a task dividing module 501, configured to divide a port of each asset to be scanned into a plurality of scanning tasks according to a plurality of theoretical risk level output values, where a port included in each scanning task is a port that needs to be scanned to meet a theoretical risk level output value corresponding to the scanning task;
a queue processing module 502, configured to store a plurality of scanning tasks of each asset to be scanned into a plurality of queues respectively;
the scanning module 503 is configured to, for each queue, when the scanning task of the current asset to be scanned in that queue is completed and the risk level of the scanning result is smaller than the preset risk level threshold, trigger execution of the scanning task of the current asset to be scanned in the next queue and execute the scanning task of the next asset to be scanned in this queue.
In one embodiment, the task partitioning module includes:
the risk level determining unit is used for determining the risk level of an open port according to the probability distribution of the service corresponding to the port when open and the service attack surface information quantization value;
and the task dividing unit is used for determining, according to the port opening probability of the ports and the open-port risk level, the minimum set of ports that need to be scanned to reach each theoretical risk level output value, and dividing that minimum set of ports into one scanning task.
In one embodiment, the task partitioning unit determines the minimum set of ports that must be scanned to reach each theoretical risk level output value by a formula (given in the original only as an image, not reproduced here) whose terms are: the set of ports not yet scanned; the set of ports contained in a given scanning task; the theoretical risk level output value corresponding to that scanning task; the open-port risk level; and the port opening probability.
In one embodiment, the risk level of an open port is determined according to the probability distribution of the service corresponding to the port and the quantized value of the service attack surface information, where the quantized value of the service attack surface information is determined according to the implied value of the service, the vulnerabilities it contains and the difficulty of exploiting it.
In one embodiment, the open-port risk level is determined from the probability distribution of the service corresponding to the port and the quantized value of the service attack surface information by a formula (given in the original only as an image, not reproduced here) whose terms are: the open-port risk level; the probability distribution of the service corresponding to the open port; the quantized value of the service attack surface information; and the expectation, under that probability distribution, of the quantized value treated as a random variable.
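The two formulas of the task dividing unit and the risk level determining unit (the minimum port set per theoretical risk level output value, and the open-port risk level as an expectation of the attack surface value under the service distribution) survive on this page only as images. The following added example, written for this page and not taken from the patent, implements one reading of them in Python. The service distributions, attack surface values and open probabilities are constructed sample data; treating each theoretical risk level output value as a per-task target (rather than a cumulative one) and the greedy selection of ports by descending expected risk are assumptions, the latter being exact for the minimum-cardinality set because the k largest values always have the largest sum for that k.

```python
# Constructed sample data (not from the patent); all probabilities and values are assumed.
SERVICE_DIST = {   # P(service | port is open)
    22:   {"ssh": 0.97, "other": 0.03},
    80:   {"http": 0.90, "proxy": 0.10},
    443:  {"https": 0.95, "other": 0.05},
    445:  {"smb": 1.00},
    1433: {"mssql": 0.90, "other": 0.10},
    3389: {"rdp": 0.98, "other": 0.02},
    8080: {"http": 0.70, "proxy": 0.25, "other": 0.05},
}
# Service attack-surface quantized value, folding implied value, known vulnerabilities
# and exploitation difficulty into one number in [0, 1] (assumed scale).
ATTACK_SURFACE = {"smb": 0.9, "rdp": 0.8, "mssql": 0.7, "proxy": 0.6,
                  "http": 0.5, "ssh": 0.4, "https": 0.3, "other": 0.2}
# Prior probability that each port is open on the asset class being scanned (assumed).
OPEN_PROB = {22: 0.6, 80: 0.7, 443: 0.6, 445: 0.3, 1433: 0.1, 3389: 0.25, 8080: 0.2}


def open_port_risk(port):
    """Open-port risk level: expectation of the attack-surface value under the
    port's service distribution, i.e. sum over services of P(s | port) * A(s)."""
    return sum(prob * ATTACK_SURFACE[service] for service, prob in SERVICE_DIST[port].items())


def expected_risk(port):
    """What scanning this port is expected to contribute: open probability times open-port risk level."""
    return OPEN_PROB[port] * open_port_risk(port)


def task_risk(ports):
    """Summed expected risk of a scanning task, compared against its theoretical risk level output value."""
    return sum(expected_risk(p) for p in ports)


def divide_into_tasks(ports, targets):
    """Split `ports` into len(targets) scanning tasks. Task i is the smallest set of
    still-unscanned ports whose summed expected risk reaches targets[i]; targets must
    be in descending order so that earlier tasks carry the higher theoretical risk.
    Taking ports in descending expected risk gives the minimum-cardinality set."""
    if list(targets) != sorted(targets, reverse=True):
        raise ValueError("theoretical risk level output values must be descending")
    unscanned = sorted(ports, key=expected_risk, reverse=True)
    tasks = []
    for target in targets:
        chosen, reached = [], 0.0
        while reached < target and unscanned:
            p = unscanned.pop(0)
            chosen.append(p)
            reached += expected_risk(p)
        tasks.append(chosen)
    if unscanned:                 # ports left after the last target are still scanned, at the end
        tasks[-1].extend(unscanned)
    return tasks


if __name__ == "__main__":
    for t in divide_into_tasks(list(SERVICE_DIST), [0.6, 0.3, 0.2]):
        print(t, round(task_risk(t), 3))
```

With the sample values, port 80 carries the largest expected risk (a likely-open web port) even though SMB on 445 has the highest open-port risk level, because the open probability weights the two differently; this is the point of combining the two quantities before forming the minimum sets.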
In one embodiment, the apparatus further comprises:
the task processing module is used for, when the scanning task of the current asset to be scanned in the current queue is completed and the risk level of the scanning result is greater than the preset risk level threshold, moving the unscanned scanning tasks of the current asset to be scanned into a designated queue, where the designated queue is a queue other than the plurality of queues;
and the scanning module is further used for executing the scanning tasks of the current asset to be scanned in the designated queue while the firewall has not been triggered and the time limit has not been reached.
In one embodiment, the scanning module is further configured to execute the scanning tasks in different queues in parallel by different scanning devices.
The embodiment of the invention achieves the following technical effects. The ports of each asset to be scanned are divided into a plurality of scanning tasks according to a plurality of theoretical risk level output values, the scanning tasks of each asset are stored in a plurality of queues respectively, and the scanning tasks in each queue are then executed; when the scanning task of the current asset in a queue is completed and the risk level of the scanning result is less than the preset risk level threshold, the scanning task of the current asset in the next queue is triggered and the scanning task of the next asset in this queue is executed. Thus, for the plurality of scanning tasks of one asset, the corresponding theoretical risk level output value is reached when each scanning task completes, and since the output value corresponding to an earlier task is larger, the port scanning tasks with a higher theoretical risk level are concentrated in the early scanning stage, so that more attack surface information is found in a shorter early time. At the same time, because completing the current asset's task in the current queue with a risk level below the threshold both triggers the next queue for that asset and starts the next asset in the current queue, the scanning tasks of a plurality of assets are executed in parallel, which helps to discover as many of the attack surfaces exposed by the assets as possible before a firewall limits the scan or the time limit is reached (that is, without greatly affecting the target service). Therefore, whether a single asset or multiple assets are scanned, the port scanning method can discover as many exposed attack surfaces as possible without greatly affecting the target service, and so helps to avoid missing critical open-port information.
It will be apparent to those skilled in the art that the modules or steps of the embodiments of the invention described above may be implemented by a general purpose computing device, they may be centralized in a single computing device or distributed across a network of multiple computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that it may be stored in a memory device and executed by a computing device, and in some cases, the steps shown or described may be executed out of order, or separately as individual integrated circuit modules, or multiple modules or steps may be implemented as a single integrated circuit module. Thus, embodiments of the invention are not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes may be made to the embodiment of the present invention by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method for port scanning, comprising:
dividing the ports of each asset to be scanned into a plurality of scanning tasks according to a plurality of theoretical risk level output values, wherein the ports included in each scanning task are the ports that need to be scanned to meet the theoretical risk level output value corresponding to that scanning task, and the theoretical risk level output value corresponding to a scanning task earlier in the sequence is larger than the theoretical risk level output value corresponding to a scanning task later in the sequence;
respectively storing a plurality of scanning tasks of each asset to be scanned into a plurality of queues;
and for the current queue, when the scanning task of the current asset to be scanned in the current queue is completed, and the risk level of the scanning result is smaller than a preset risk level threshold, triggering to execute the scanning task of the current asset to be scanned in the next queue, and executing the scanning task of the next asset to be scanned in the current queue.
2. The port scanning method of claim 1, wherein dividing the port of each asset to be scanned into a plurality of scanning tasks according to a plurality of theoretical risk level output values comprises:
determining the risk level of an open port according to the probability distribution of the service corresponding to the port when open and the service attack surface information quantization value;
and determining a minimum set of ports required to be scanned to reach the output value of each theoretical risk level according to the port opening probability of the ports and the risk level of the opening ports, and dividing the minimum set of the ports into a scanning task.
3. The port scanning method of claim 2, wherein the minimum set of ports to be scanned to reach each theoretical risk level output value is determined by a formula (given in the original only as an image, not reproduced here) whose terms are: the set of ports not yet scanned; the set of ports contained in a given scanning task; the theoretical risk level output value corresponding to that scanning task; the open-port risk level; and the port opening probability.
4. The port scanning method as claimed in claim 2, wherein the risk level of the open port is determined according to the probability distribution of the service corresponding to the port and the quantized value of the service attack surface information, wherein the quantized value of the service attack surface information is determined according to the implied value of the service, the vulnerabilities it contains and the difficulty of exploiting it.
5. The port scanning method of claim 2, wherein the open-port risk level is determined from the probability distribution of the service corresponding to the port and the quantized value of the service attack surface information by a formula (given in the original only as an image, not reproduced here) whose terms are: the open-port risk level; the probability distribution of the service corresponding to the open port; the quantized value of the service attack surface information; and the expectation, under that probability distribution, of the quantized value treated as a random variable.
6. The port scanning method of any of claims 1 to 5, further comprising:
when the scanning task of the current asset to be scanned in the current queue is completed and the risk level of the scanning result is greater than the preset risk level threshold, moving the unscanned scanning tasks of the current asset to be scanned into a designated queue, wherein the designated queue is a queue other than the plurality of queues;
and executing the scanning tasks of the current asset to be scanned in the designated queue while the firewall has not been triggered and the time limit has not been reached.
7. The port scanning method of any of claims 1 to 5, further comprising:
the scanning tasks in different queues are executed in parallel by different scanning devices.
8. A port scanning device, comprising:
the task dividing module is used for dividing the port of each asset to be scanned into a plurality of scanning tasks according to a plurality of theoretical risk level output values, wherein the port included in each scanning task is a port required to be scanned and meeting the theoretical risk level output value corresponding to the scanning task;
the queue processing module is used for respectively storing a plurality of scanning tasks of each asset to be scanned into a plurality of queues;
and the scanning module is used for, for each queue, when the scanning task of the current asset to be scanned in that queue is completed and the risk level of the scanning result is smaller than the preset risk level threshold, triggering execution of the scanning task of the current asset to be scanned in the next queue and executing the scanning task of the next asset to be scanned in this queue.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the port scanning method of any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program for executing the port scanning method of any one of claims 1 to 7.
CN202211186792.7A 2022-09-28 2022-09-28 Port scanning method and device, computer equipment and readable storage medium Active CN115296928B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211186792.7A CN115296928B (en) 2022-09-28 2022-09-28 Port scanning method and device, computer equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211186792.7A CN115296928B (en) 2022-09-28 2022-09-28 Port scanning method and device, computer equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN115296928A true CN115296928A (en) 2022-11-04
CN115296928B CN115296928B (en) 2023-02-03

Family

ID=83834868

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211186792.7A Active CN115296928B (en) 2022-09-28 2022-09-28 Port scanning method and device, computer equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN115296928B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111580946A (en) * 2020-04-28 2020-08-25 北京达佳互联信息技术有限公司 Port scanning method, device, equipment and storage medium
CN111898898A (en) * 2020-07-25 2020-11-06 江苏锐创软件技术有限公司 Risk equipment positioning monitoring method, device and system and storage medium
US20210185073A1 (en) * 2019-12-13 2021-06-17 Disney Enterprises, Inc. Techniques for analyzing network vulnerabilities
CN113037765A (en) * 2021-03-23 2021-06-25 寇英翰 Port scanning device
CN114050940A (en) * 2022-01-10 2022-02-15 北京华云安信息技术有限公司 Asset vulnerability detection method and device and electronic equipment

Also Published As

Publication number Publication date
CN115296928B (en) 2023-02-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant