CN115296928A - Port scanning method and device, computer equipment and readable storage medium - Google Patents
- Publication number: CN115296928A (application CN202211186792.7A)
- Authority
- CN
- China
- Prior art keywords
- scanning
- port
- risk level
- scanned
- asset
- Prior art date
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The embodiment of the invention provides a port scanning method, a port scanning device, computer equipment and a readable storage medium, relating to the technical field of the Internet. The method comprises the following steps: dividing the ports of each asset to be scanned into a plurality of scanning tasks according to a plurality of theoretical risk level output values, wherein the theoretical risk level output value corresponding to an earlier scanning task is larger than that corresponding to a later scanning task; storing the plurality of scanning tasks of each asset to be scanned into a plurality of queues respectively; and, for the current queue, when the scanning task of the current asset to be scanned in the current queue is completed and the risk level of the scanning result is smaller than a preset risk level threshold, triggering execution of the scanning task of the current asset in the next queue and executing the scanning task of the next asset to be scanned in the current queue. With this scheme, more exposed attack surface information can be found in a shorter time, and missing critical open port information is avoided.
Description
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a port scanning method and apparatus, a computer device, and a readable storage medium.
Background
An open port is an interface between a network asset and the Internet, and in order to clarify the port exposure situation and prevent attacks, a full port scan is required in asset security evaluation. Currently there is no specific method for full port scanning; it basically traverses port numbers 1 to 65535 in sequence. Because such a scan needs to send a large number of packets to the target device (asset), it may affect the operation of the target device or trigger the target device's firewall policy, so that the subsequent scan cannot be completed; and because this scanning method cannot discover as many open ports as possible early in the scan, critical open port information may be missed.
Disclosure of Invention
In view of this, embodiments of the present invention provide a port scanning method to solve the technical problem in the prior art that as many open ports as possible cannot be found within a limited time. The method comprises the following steps:
dividing the ports of each asset to be scanned into a plurality of scanning tasks according to a plurality of theoretical risk level output values, wherein each scanning task comprises the ports that need to be scanned to meet the theoretical risk level output value corresponding to that scanning task, and the theoretical risk level output value corresponding to an earlier scanning task is greater than the theoretical risk level output value corresponding to a later scanning task;
respectively storing a plurality of scanning tasks of each asset to be scanned into a plurality of queues;
and, for the current queue, when the scanning task of the current asset to be scanned in the current queue is completed and the risk level of the scanning result is smaller than a preset risk level threshold, triggering execution of the scanning task of the current asset in the next queue and executing the scanning task of the next asset to be scanned in the current queue.
The embodiment of the invention also provides a port scanning device, which is used to solve the technical problem in the prior art that as many open ports as possible cannot be found within a limited time. The device comprises:
a task dividing module, used for dividing the ports of each asset to be scanned into a plurality of scanning tasks according to a plurality of theoretical risk level output values, wherein the ports included in each scanning task are the ports that need to be scanned to meet the theoretical risk level output value corresponding to that scanning task;
the queue processing module is used for respectively storing a plurality of scanning tasks of each asset to be scanned into a plurality of queues;
and a scanning module, used for, for each queue, when the scanning task of the current asset to be scanned in the queue is completed and the risk level of the scanning result is smaller than a preset risk level threshold, triggering execution of the scanning task of the current asset in the next queue and executing the scanning task of the next asset to be scanned in the queue.
The embodiment of the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor; the processor implements any of the above port scanning methods when executing the computer program, so as to solve the technical problem in the prior art that as many open ports as possible cannot be found within a limited time.
An embodiment of the present invention further provides a computer-readable storage medium storing a computer program for executing any of the above port scanning methods, so as to solve the technical problem in the prior art that as many open ports as possible cannot be found within a limited time.
Compared with the prior art, the beneficial effects that can be achieved by at least one technical scheme adopted in the embodiments of the specification include at least the following. The ports of each asset to be scanned are divided into a plurality of scanning tasks according to a plurality of theoretical risk level output values, with the theoretical risk level output value of an earlier scanning task greater than that of a later one; the scanning tasks of each asset are then stored in a plurality of queues respectively; and finally the scanning tasks in each queue are executed, such that when the scanning task of the current asset in a queue is completed and the risk level of the scanning result is less than the preset risk level threshold, the scanning task of that asset in the next queue is triggered and the scanning task of the next asset in the current queue is executed. Consequently, for the scanning tasks of the same asset, each task reaches its corresponding theoretical risk level output value when it finishes, and since the earlier tasks carry the larger values, the scanning of ports with higher theoretical risk level is concentrated in the early scanning stage, so more exposed attack surface information can be found in a shorter early period. At the same time, because completing the current asset's task in the current queue (with a result below the threshold) both triggers that asset's task in the next queue and starts the next asset's task in the current queue, the scanning tasks of a plurality of assets are executed in parallel. This favours discovering as many of the attack surfaces exposed by the assets as possible before the scan is limited by a firewall or by the arrival time limit (that is, without greatly affecting the target service). Therefore, whether a single asset or multiple assets are scanned, the port scanning method can discover as many exposed attack surfaces as possible without greatly affecting the target service, which helps avoid missing critical open port information.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a port scanning method according to an embodiment of the present invention;
fig. 2 is a flowchart for implementing the port scanning method according to an embodiment of the present invention;
FIG. 3 is a timing diagram illustrating the execution of scan tasks by different queues according to an embodiment of the present invention;
FIG. 4 is a block diagram of a computer device according to an embodiment of the present invention;
fig. 5 is a block diagram of a port scanning apparatus according to an embodiment of the present invention.
Detailed Description
The embodiments of the present application will be described in detail below with reference to the accompanying drawings.
The following description of the embodiments of the present application is provided by way of specific examples, and other advantages and effects of the present application will be readily apparent to those skilled in the art from the disclosure herein. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. The present application is capable of other and different embodiments and its several details are capable of modifications and/or changes in various respects, all without departing from the spirit of the present application. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
In an embodiment of the present invention, a port scanning method is provided, as shown in fig. 1, the method includes:
step S101: dividing each port of the assets to be scanned into a plurality of scanning tasks according to a plurality of theoretical risk level output values, wherein each scanning task comprises a port which is a port required to be scanned and meets the theoretical risk level output value corresponding to the scanning task, and the theoretical risk level output value corresponding to the scanning task which is in the front in sequence is larger than the theoretical risk level output value corresponding to the scanning task which is in the back in sequence;
step S102: respectively storing a plurality of scanning tasks of each asset to be scanned into a plurality of queues;
step S103: and for the current queue, when the scanning task of the current asset to be scanned in the current queue is completed, and the risk level of the scanning result is smaller than a preset risk level threshold, triggering to execute the scanning task of the current asset to be scanned in the next queue, and executing the scanning task of the next asset to be scanned in the current queue.
As can be seen from the process shown in fig. 1, in the embodiment of the present invention the ports of each asset to be scanned are divided into a plurality of scanning tasks according to a plurality of theoretical risk level output values, with the value corresponding to an earlier scanning task greater than that of a later one; the scanning tasks of each asset are then stored in a plurality of queues respectively; and finally the scanning tasks in each queue are executed, such that, for each queue, when the scanning task of the current asset in the queue is completed and the risk level of the scanning result is less than the preset risk level threshold, the scanning task of that asset in the next queue is triggered and the scanning task of the next asset in the queue is executed. Hence, for the scanning tasks of the same asset, each task reaches its corresponding theoretical risk level output value when it finishes, and since the earlier tasks carry the larger values, the scanning of ports with higher theoretical risk level is concentrated in the early scanning stage, so more exposed attack surface information is discovered in a shorter time. At the same time, because completing the current asset's task in the current queue (with a result below the threshold) both triggers that asset's task in the next queue and starts the next asset's task in the current queue, the scanning tasks of a plurality of assets are executed in parallel, which favours discovering as many of the attack surfaces exposed by the assets as possible before the scan is limited by a firewall or by the arrival time limit (that is, without greatly affecting the target service).
In particular embodiments, the task described above can be quantified. In the port scanning process, subject to the scanned asset risk level meeting the requirement, the scanning time should be as short as possible. Let the time consumed to output (%) of the asset risk level be . Since this time is positively correlated with the number of scanned ports , it can be evaluated by the number of scanned ports, and the output problem is defined as follows: the number of ports scanned when (%) of the risk level has been output is , so it suffices to determine the minimum value of the number of ports scanned to output (%) of the risk level. In order to divide the ports of the assets to be scanned into different scanning tasks according to the theoretical risk level output values, this embodiment proposes dividing the ports of each asset to be scanned into a plurality of scanning tasks according to a plurality of theoretical risk level output values in the following manner: for example, the open port risk level is determined according to the probability distribution of the service corresponding to the open port and the quantized value of the service attack surface information;
and determining a minimum set of ports required to be scanned to reach the output value of each theoretical risk level according to the port opening probability and the port opening risk level of the ports, and dividing the minimum set of the ports into a scanning task.
In a specific implementation, in the process of determining the minimum set of ports to be scanned to reach each theoretical risk level output value, consider a moment during the full port scan at which the number of scanned ports is , the elapsed time is , the set of discovered open ports is and the set of unscanned ports is . The attack surface risk level of the asset discovered so far can be expressed as:
where is the open port risk level.
That is, for a given port scanning order, is the minimum number of ports that need to be scanned for the discovered asset risk level to exceed (%) of the sum of all port risk levels, where is the port open probability. The smaller , the fewer ports are required to output (%) of the risk level, which means the scanning method is more efficient.
Therefore, in order to refine the scanning task so that effective port information has already been output when the scan is limited by a firewall or by the arrival time limit, the ports are divided into scanning tasks, and the scanning tasks are then stored in separate queues, forming a queue design that realises optimised scanning flow control.
For example, taking the (%) preset risk level output problem as the reference, the ports of a certain asset to be scanned need to be divided into a plurality of scanning tasks, each scanning task is stored in one queue, and a plurality of queues are thereby formed, i.e. the designed queue set:
where the -th queue stores the -th scanning task, and the -th scanning task should satisfy: when the -th scanning task is finished, the theoretical risk level output by its port scan accounts for (%) of all the remaining theoretical risk level. Therefore, the port set included in the -th scanning task should be the minimum set satisfying the following condition:
where is the set of ports not yet scanned, is the set of ports contained in the -th scanning task, is the theoretical risk level output value corresponding to the -th scanning task, i.e. the fraction of the theoretical risk level that should be covered once the -th scanning task is completed, and is the open port risk level.
In particular, the port open probability is the probability that a particular port is open, each port being independent of the others. Because services listen on default ports and there are clear regularities in how likely different services are to be exposed to the Internet, the value of the port open probability can be estimated from port-open frequency statistics.
In a specific implementation, the open port risk level is determined according to the probability distribution of the service corresponding to the port and the quantized value of the service attack surface information, for example:
where the quantized value of the service attack surface information is determined according to the value implied by the service, the vulnerabilities it contains and the difficulty of exploiting the service, and is the expectation of the random variable under the probability distribution .
In a specific implementation, since services listen on default ports and there are clear regularities in how likely different services are to be exposed to the Internet, the probability distribution of the service corresponding to an open port can be estimated from service detection statistics.
In a specific implementation, the quantized value of the service attack surface information can be classified, for example into database-type services, remote-connection-type services, HTTP-type services and so on; different types of services carry different implied value. Therefore, the quantized value of the service attack surface information can be determined from network security knowledge such as the service's implied value, the vulnerabilities it contains and the difficulty of exploiting it. Specifically, data such as implied value, contained vulnerabilities and exploitation difficulty can be collected for the different types of services, the correspondence between the quantized attack surface value and these factors can be derived from the statistics, and in practical application the quantized value is then determined according to that correspondence.
During specific implementation, in the process of dividing the port of each asset to be scanned into a plurality of scanning tasks, the ports may be sequentially divided into port sets included in the plurality of scanning tasks according to the port order, so that the order of the scanning tasks is consistent with the port order, that is, the scanning task including the port ranked before is ranked also before, and the scanning task including the port ranked after is ranked also after.
In specific implementation, the theoretical risk level output value corresponding to the scanning task may be a ratio of a risk level output when the scanning task is finished to risk levels of all ports of the same asset to be scanned, and in order to find attack surfaces exposed by the asset in a short time as much as possible before being limited by a firewall or before reaching time (i.e., without causing a large influence on a target service), the theoretical risk level output value corresponding to a scanning task in the front order is set to be greater than the theoretical risk level output value corresponding to a scanning task in the back order.
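The task division described above, as an added example that is not the patent's own code: each port's expected risk is its open probability times the expected attack-surface value of the service behind it, ports are ranked by that risk, and task k is cut off as soon as it covers the required fraction of the risk still unscanned; whatever is left is the remainder for the designated queue. The service quantisation values, open probabilities and service distributions below are constructed sample inputs, and the greedy highest-risk-first selection is the assumed way of obtaining the minimum set.

```python
"""Added example, not the patent's own code: divide one asset's ports into
scanning tasks where task k covers a given fraction of the *remaining*
theoretical risk, using the risk model described in the text
(risk of a port = open probability x expected attack-surface value of the
service behind it). All port data below is constructed sample input."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed attack-surface quantisation values per service type (the patent
# derives these from implied value, known vulnerabilities and exploitation
# difficulty; the numbers here are assumptions, not measured data).
SERVICE_Q: Dict[str, float] = {
    "http": 3.0, "ftp": 4.0, "ssh": 6.0, "mysql": 8.0, "rdp": 9.0, "unknown": 1.0,
}


@dataclass
class PortInfo:
    port: int
    open_prob: float                 # probability the port is open (from frequency stats)
    service_dist: Dict[str, float]   # probability distribution of the service behind it


def open_port_risk(info: PortInfo) -> float:
    """Open-port risk level: expectation of the service quantised value under
    the port's service distribution."""
    return sum(p * SERVICE_Q.get(s, SERVICE_Q["unknown"])
               for s, p in info.service_dist.items())


def port_risk(info: PortInfo) -> float:
    """Expected risk contribution of a port before it has been scanned."""
    return info.open_prob * open_port_risk(info)


def partition_ports(ports: List[PortInfo],
                    fractions: List[float]) -> Tuple[List[List[int]], List[int]]:
    """Greedy partition: rank ports by expected risk (highest first) and close
    task k as soon as it covers fractions[k] of the risk still unscanned.
    Taking the highest-risk ports first gives the minimum-cardinality set for
    each threshold. Returns (tasks, leftover ports for the designated queue)."""
    ranked = sorted(ports, key=port_risk, reverse=True)
    remaining = sum(port_risk(p) for p in ranked)
    tasks: List[List[int]] = []
    idx = 0
    for frac in fractions:
        target = frac * remaining
        covered = 0.0
        task: List[int] = []
        while idx < len(ranked) and covered < target - 1e-12:
            task.append(ranked[idx].port)
            covered += port_risk(ranked[idx])
            idx += 1
        tasks.append(task)
        remaining -= covered
    leftover = [p.port for p in ranked[idx:]]
    return tasks, leftover


def coverage_fraction(task_ports: List[int], ports: List[PortInfo]) -> float:
    """Share of the asset's total theoretical risk covered by a set of ports."""
    by_port = {p.port: port_risk(p) for p in ports}
    total = sum(by_port.values())
    return sum(by_port[n] for n in task_ports) / total


# Constructed sample asset: nine ports with assumed open probabilities and
# service distributions.
SAMPLE_PORTS = [
    PortInfo(22, 0.5, {"ssh": 1.0}),
    PortInfo(80, 0.8, {"http": 1.0}),
    PortInfo(443, 0.7, {"http": 1.0}),
    PortInfo(3306, 0.2, {"mysql": 1.0}),
    PortInfo(3389, 0.1, {"rdp": 1.0}),
    PortInfo(8080, 0.3, {"http": 0.8, "unknown": 0.2}),
    PortInfo(21, 0.1, {"ftp": 1.0}),
    PortInfo(12345, 0.02, {"unknown": 1.0}),
    PortInfo(50000, 0.01, {"unknown": 1.0}),
]

if __name__ == "__main__":
    tasks, rest = partition_ports(SAMPLE_PORTS, [0.6, 0.5])
    for k, t in enumerate(tasks, 1):
        print(f"task {k}: {t}  covers {coverage_fraction(t, SAMPLE_PORTS):.1%} of total risk")
    print("designated queue:", rest)
```

With the fractions 0.6 and 0.5, the first task takes ports 22, 80 and 443 (about two thirds of the asset's total risk with three ports), the second takes 3306 and 3389, and the four low-risk ports are left for the designated queue; on a real asset the fractions would be the 90% / 8% / 1.6% style values discussed below and the port table would come from the frequency and service detection statistics the text mentions.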
In a specific implementation, in order to further discover as many of the attack surfaces exposed by the assets as possible before the scan is limited by a firewall or by the arrival time limit (that is, without greatly affecting the target service), this embodiment sets a designated queue outside the regular queues. While the scanning tasks in the regular queues are being executed, when the scanning task of the current asset in the current queue is completed and the risk level of the scanning result is greater than the preset risk level threshold, the unscanned scanning tasks of that asset are moved to the designated queue; the scanning tasks of that asset in the designated queue then continue to be executed for as long as the firewall has not been triggered and the time limit has not been reached.
For example, the queue set is:
where indicates that the scanning task in the first queue will cover (%) of the theoretical risk level output value, indicates that the second queue will cover (%) of the remaining theoretical risk level, indicates that the third queue will cover (%) of the remaining theoretical risk level, and so on. In particular, the designated queue is used to store the scanning tasks of all assets whose risk level exceeds the preset risk level threshold after the completion of a task in any of the other queues.
In particular, a queue may be set for a port of an asset to be scanned, e.g.,
where the scanning task for the asset in the first queue comprises about 100 ports and covers 90% of the theoretical risk level; the scanning task for the asset in the second queue comprises about 1000 ports and covers 8% of the theoretical risk level; the scanning task for the asset in the third queue comprises about 5000 ports and covers 1.6% of the theoretical risk level; and the designated queue contains all ports of the asset that have not entered any of the queues, so that, for as long as the firewall has not been triggered and the time limit has not been reached, the designated queue performs the full scan task for the remaining ports.
In a specific implementation, in order to further improve scanning efficiency, in this embodiment the scanning tasks in different queues are executed in parallel by different scanning devices: the scanning tasks in each queue are executed by one scanning device, so there are as many scanning devices as queues, and the scanning tasks of different queues run in parallel.
In a specific implementation, the port scanning method is suited to a multi-asset, single-scan scenario under least knowledge: knowing only the IP address of the target asset, it can discover as many of the asset's exposed attack surfaces as possible before the scan is limited by a firewall or by the arrival time limit (that is, without greatly affecting the target service).
In a specific implementation, the process of the port scanning method is described in detail below, taking the scanning of multiple assets with 4 queues as an example, where the ports of each asset are divided into 3 scanning tasks, as shown in fig. 2. The process is as follows:
1. Output the asset IP addresses and, in the first queue, scan the port set included in the scanning task of asset 1, storing the scanning result in the database; as shown in fig. 3, at this time only the first queue is executing a scanning task (for asset 1) and no other queue is scanning;
2. Judge whether the risk level of the scanning result exceeds the preset risk level threshold. If yes, move the unscanned scanning tasks of asset 1 to the designated queue and execute step 6, and start scanning, in the first queue, the port set included in the scanning task of asset 2; if not, execute the next operation and likewise start scanning, in the first queue, the port set included in the scanning task of asset 2;
3. In the second queue, scan the port set included in the scanning task of asset 1 and store the scanning result in the database; as shown in fig. 3, at this time the first queue is executing the scanning task for asset 2 while the second queue executes the scanning task for asset 1;
4. Judge whether the risk level of the scanning result exceeds the preset risk level threshold. If yes, move the unscanned scanning tasks of asset 1 to the designated queue and execute step 6, and start scanning, in the second queue, the port set included in the scanning task of asset 2; if not, execute the next operation and likewise start scanning, in the second queue, the port set included in the scanning task of asset 2;
5. In the third queue, scan the port set included in the scanning task of asset 1 and store the scanning result in the database; as shown in fig. 3, at this time the first queue is executing the scanning task for asset 3, the second queue is executing the scanning task for asset 2, and the third queue executes the scanning task for asset 1;
6. In the designated queue, scan the unscanned port sets of each asset and store the scanning results in the database;
7. The full port scan is complete.
In the above flow, with reference to fig. 2 and fig. 3, if the sequential asset scanning mode of the prior art is adopted, within the time of one full port scan only the scanning tasks of 4 assets (equal to the number of devices executing tasks) are completed, whereas in the same time the optimised port scanning method completes the queued scanning tasks of a large number of assets, i.e. covers 90% of the theoretical risk level of these assets. If a scanning task is interrupted because the target's firewall policy is triggered or the time limit is reached when the scanning task of any queue finishes, the scanning result database of this port scanning method is more likely to hold more open port information than a sequential scan.
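The queue flow of steps 1 to 7 and the timing argument above, as an added example that is not the patent's own code: a discrete-time simulation in which each queue is served by its own scanning device, an asset advances to the next queue only when its task finishes with a result risk below the threshold, an asset over the threshold has its remaining ports moved to the designated queue, and after the last regular queue the leftover ports also go to the designated queue. No packets are sent; the task durations (scaled like roughly 100 / 1000 / 5000 ports plus the rest), the observed risk levels and the threshold are constructed inputs.

```python
"""Added example, not the patent's own code: discrete-time simulation of the
queue scheduling described in the text. One device per queue; an asset moves
from queue k to k+1 only if its task in queue k ends with a risk level below
the threshold, otherwise (or after the last regular queue) the rest of its
ports go to the designated queue. Durations and risk levels are constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class Asset:
    name: str
    durations: List[int]   # ticks for the tasks in queues 1..n, plus the leftover ports
    risks: List[float]     # risk level observed when each queued task finishes (constructed)


def simulate(assets: List[Asset], threshold: float,
             max_ticks: int = 1000) -> List[Tuple[int, str, str]]:
    """Run the scheduler; return (tick, queue label, asset) completion events."""
    n_q = len(assets[0].risks)                     # number of regular queues
    queues: List[Deque[Tuple[Asset, int]]] = [deque() for _ in range(n_q)]
    designated: Deque[Tuple[Asset, int]] = deque()
    for a in assets:
        queues[0].append((a, 0))                   # every asset starts in queue 1
    # one device per queue; index n_q is the designated queue's device
    active: List[Optional[list]] = [None] * (n_q + 1)
    events: List[Tuple[int, str, str]] = []

    for tick in range(1, max_ticks + 1):
        for q in range(n_q + 1):
            src = designated if q == n_q else queues[q]
            if active[q] is None and src:
                asset, k = src.popleft()
                # the designated device scans everything the asset has left
                dur = sum(asset.durations[k:]) if q == n_q else asset.durations[k]
                active[q] = [asset, k, dur]
            if active[q] is None:
                continue
            active[q][2] -= 1
            if active[q][2] > 0:
                continue
            asset, k, _ = active[q]
            active[q] = None
            events.append((tick, "Qd" if q == n_q else f"Q{q + 1}", asset.name))
            if q == n_q:
                continue                           # designated queue: asset fully scanned
            if asset.risks[k] >= threshold or k + 1 == n_q:
                # over the threshold (or last regular queue done): rest goes to the designated queue
                designated.append((asset, k + 1))
            else:
                queues[k + 1].append((asset, k + 1))   # trigger this asset's next-queue task
        if all(a is None for a in active) and not any(queues) and not designated:
            break
    return events


def first_task_completion(events: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Tick at which each asset finished its queue-1 task (its highest-risk ports)."""
    return {a: t for t, q, a in events if q == "Q1"}


# Constructed workload: 4 assets with identical task sizes; asset A2 trips the
# threshold after its first task and is diverted to the designated queue.
SAMPLE_ASSETS = [
    Asset("A1", [1, 3, 6, 20], [0.3, 0.2, 0.1]),
    Asset("A2", [1, 3, 6, 20], [0.9, 0.1, 0.1]),
    Asset("A3", [1, 3, 6, 20], [0.3, 0.3, 0.3]),
    Asset("A4", [1, 3, 6, 20], [0.2, 0.2, 0.2]),
]

if __name__ == "__main__":
    for ev in simulate(SAMPLE_ASSETS, threshold=0.8):
        print(ev)
```

In this constructed run every asset's queue-1 task (the 90%-coverage ports) is finished by tick 4, A2 skips the regular queues and is handed to the designated queue at tick 2, and the whole workload ends at tick 90; a sequential full scan of the same four assets (30 ticks each on one device) would not touch A4's high-risk ports before tick 91, which is the point the fig. 3 comparison makes about an interruption by a firewall or time limit.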
In this embodiment, a computer device is provided, as shown in fig. 4, and includes a memory 401, a processor 402, and a computer program stored in the memory and executable on the processor, and the processor executes the computer program to implement any of the above-mentioned port scanning methods.
In particular, the computer device may be a computer terminal, a server or a similar computing device.
In the present embodiment, there is provided a computer-readable storage medium storing a computer program for executing any of the above-described port scanning methods.
In particular, computer-readable storage media, including persistent and non-persistent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer-readable storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, a computer-readable storage medium does not include transitory computer-readable media such as modulated data signals and carrier waves.
Based on the same inventive concept, the embodiment of the present invention further provides a port scanning apparatus, as described in the following embodiments. Because the principle of the port scanning apparatus for solving the problem is similar to the port scanning method, the implementation of the port scanning apparatus can refer to the implementation of the port scanning method, and the repeated parts are not described again. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 5 is a block diagram of a port scanning device according to an embodiment of the present invention. As shown in Fig. 5, the device includes:
a task dividing module 501, configured to divide the ports of each asset to be scanned into a plurality of scanning tasks according to a plurality of theoretical risk level output values, where the ports included in each scanning task are the ports that need to be scanned to meet the theoretical risk level output value corresponding to that scanning task;
a queue processing module 502, configured to store the plurality of scanning tasks of each asset to be scanned into a plurality of queues respectively;
a scanning module 503, configured to, for each queue, when the scanning task of the current asset to be scanned in the queue is completed and the risk level of the scanning result is smaller than a preset risk level threshold, trigger execution of the scanning task of the current asset to be scanned in the next queue and execute the scanning task of the next asset to be scanned in the queue.
In one embodiment, the task partitioning module includes:
a risk level determining unit, configured to determine the risk level of an open port according to the probability distribution of the service corresponding to the open port and the quantized value of the service attack surface information;
and a task dividing unit, configured to determine, according to the port opening probability of the ports and the risk level of the open ports, the minimum set of ports that needs to be scanned to reach each theoretical risk level output value, and to divide that minimum set of ports into one scanning task.
In one embodiment, the task partitioning unit determines the minimum set of scanned ports required to reach each theoretical risk level output value by the following formula:
wherein the quantities in the formula are: the set of ports that have not been scanned; the set of ports contained in each scanning task; the theoretical risk level output value corresponding to each scanning task; the risk level of an open port; and the port opening probability.
In one embodiment, the risk level of the open port is determined according to the probability distribution of the service corresponding to the port and the quantized value of the service attack surface information, wherein the quantized value of the service attack surface information is determined according to the value implied by the service, the vulnerabilities it contains, and the difficulty of exploiting the service.
In one embodiment, the open port risk level is determined, according to the probability distribution of the service corresponding to the port and the quantized value of the service attack surface information, by the following formula:
wherein the quantities in the formula are: the risk level of the open port; the probability distribution of the service corresponding to the open port; the quantized value of the service attack surface information; and the expectation, taken with respect to that probability distribution, of the corresponding random variable.
In one embodiment, the apparatus further comprises:
a task processing module, configured to, when the scanning task of the current asset to be scanned in the current queue is completed and the risk level of the scanning result is greater than the preset risk level threshold, move the scanning tasks of the current asset to be scanned that have not yet been scanned into a designated queue, wherein the designated queue is a queue other than the plurality of queues;
and the scanning module is further configured to execute the scanning tasks of the current asset to be scanned in the designated queue before a firewall is triggered or a time limit is reached.
In one embodiment, the scanning module is further configured to execute the scanning tasks in different queues in parallel by different scanning devices.
The embodiment of the invention achieves the following technical effects. The ports of each asset to be scanned are divided into a plurality of scanning tasks according to a plurality of theoretical risk level output values, the plurality of scanning tasks of each asset to be scanned are stored into a plurality of queues respectively, and finally the scanning tasks in each queue are executed, wherein, when the scanning task of the current asset to be scanned in a queue is completed and the risk level of the scanning result is less than the preset risk level threshold, execution of the scanning task of the current asset to be scanned in the next queue is triggered and the scanning task of the next asset to be scanned in the queue is executed. Thus, for the plurality of scanning tasks of the same asset to be scanned, the corresponding theoretical risk level output value is reached after each scanning task is completed, the theoretical risk level output value corresponding to a scanning task earlier in the sequence is larger, the port scanning tasks with a higher theoretical risk level are concentrated in one scanning stage, and more attack surface information can be found in a shorter, earlier period of time. Meanwhile, because execution of the scanning task of the current asset to be scanned in the next queue is triggered while the scanning task of the next asset to be scanned in the current queue is executed, the scanning tasks of a plurality of assets to be scanned run in parallel, which helps to discover as many of the attack surfaces exposed by the assets as possible before being limited by a firewall or before the time limit is reached (that is, without greatly affecting the target service). Therefore, whether a single asset or multiple assets are scanned, the
port scanning method can discover as many of the attack surfaces exposed by the assets as possible without greatly affecting the target service, which helps to avoid missing critical port opening information.
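The following Python, added here as an illustration and not the patent's own code, simulates the task division and multi-queue scheduling described above. The expectation-based risk formula, the greedy minimum-set selection, the scan stub (which sends no traffic) and all sample figures are assumptions, and execution of the designated queue under a firewall or time limit is not modelled.

```python
"""Simulation of the risk-driven, multi-queue scan scheduler described above
(added illustration, not the patent's code; formulas and figures are assumed)."""
from collections import deque
# Constructed sample data: open probability per port and the distribution of
# services that may be listening on it (not from the patent).
PORT_OPEN_PROB = {22: 0.8, 80: 0.9, 443: 0.85, 3389: 0.25, 8080: 0.5, 5900: 0.2}
PORT_SERVICE_DIST = {22: {"ssh": 1.0}, 80: {"http": 0.9, "proxy": 0.1},
                     443: {"https": 1.0}, 3389: {"rdp": 1.0},
                     8080: {"http": 0.7, "proxy": 0.3}, 5900: {"vnc": 1.0}}
# Constructed quantized attack surface value per service (value to an attacker,
# known vulnerabilities and exploitation difficulty folded into one number).
SERVICE_ATTACK_SURFACE = {"ssh": 3.0, "http": 4.0, "proxy": 6.0,
                          "https": 3.5, "rdp": 8.0, "vnc": 7.0}
# Constructed ground truth, used only by the scan stub below.
SAMPLE_ASSETS = {"A": [22, 80, 443, 3389, 8080, 5900], "B": [22, 80, 443]}
ACTUALLY_OPEN = {"A": {80, 443, 3389}, "B": {22, 443}}

def open_port_risk(port):
    """Open-port risk level: expectation of the service attack surface value
    under the port's service distribution (assumed reading of the text)."""
    return sum(p * SERVICE_ATTACK_SURFACE[s] for s, p in PORT_SERVICE_DIST[port].items())

def divide_into_tasks(ports, outputs):
    """One task per theoretical risk level output value (decreasing order): the
    smallest set of still unassigned ports whose summed expected risk (open
    probability x open-port risk) reaches the value.  Greedy choice is assumed."""
    remaining = sorted(ports, key=lambda p: PORT_OPEN_PROB[p] * open_port_risk(p), reverse=True)
    tasks = []
    for target in outputs:
        task, total = [], 0.0
        while remaining and total < target:
            port = remaining.pop(0)
            task.append(port)
            total += PORT_OPEN_PROB[port] * open_port_risk(port)
        tasks.append(task)
    tasks[-1].extend(remaining)           # anything left over joins the last task
    return tasks

def simulated_scan(asset, ports):
    """Scan stub: sends no packets; returns the risk observed on the task's
    ports that are open in the constructed ground truth."""
    return sum(open_port_risk(p) for p in ports if p in ACTUALLY_OPEN[asset])

def schedule(assets, outputs, threshold, scan):
    """Queue i holds task i of every asset.  Each round, every queue's scanner
    runs its head task once that asset's previous stage is done; a result above
    the threshold moves the asset's unscanned tasks to the designated queue."""
    tasks = {a: divide_into_tasks(p, outputs) for a, p in assets.items()}
    queues = [deque(assets) for _ in outputs]
    done, diverted, log, progress = set(), {}, [], True
    while progress:
        progress = False
        for i, q in enumerate(queues):
            if not q or (i > 0 and q[0] not in diverted and (q[0], i - 1) not in done):
                continue                  # empty, or waiting on the previous stage
            asset = q.popleft()
            progress = True
            if asset in diverted:
                continue                  # already moved to the designated queue
            risk = scan(asset, tasks[asset][i])
            log.append((i, asset, risk))
            done.add((asset, i))
            if risk > threshold:
                diverted[asset] = tasks[asset][i + 1:]
    return log, diverted
```

With the constructed figures, asset A exceeds the threshold in its first task, so its remaining tasks leave the regular queues while asset B continues through all three stages.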
It will be apparent to those skilled in the art that the modules or steps of the embodiments of the invention described above may be implemented by a general purpose computing device; they may be centralized on a single computing device or distributed across a network of multiple computing devices; alternatively, they may be implemented as program code executable by a computing device, so that it may be stored in a memory device and executed by a computing device; in some cases the steps shown or described may be executed in an order different from that described; and they may be fabricated separately as individual integrated circuit modules, or multiple modules or steps may be implemented as a single integrated circuit module. Thus, embodiments of the invention are not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes may be made to the embodiment of the present invention by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A method for port scanning, comprising:
dividing the ports of each asset to be scanned into a plurality of scanning tasks according to a plurality of theoretical risk level output values, wherein the ports included in each scanning task are the ports that need to be scanned to meet the theoretical risk level output value corresponding to that scanning task, and the theoretical risk level output value corresponding to a scanning task earlier in the sequence is larger than the theoretical risk level output value corresponding to a scanning task later in the sequence;
respectively storing the plurality of scanning tasks of each asset to be scanned into a plurality of queues;
and for the current queue, when the scanning task of the current asset to be scanned in the current queue is completed and the risk level of the scanning result is smaller than a preset risk level threshold, triggering execution of the scanning task of the current asset to be scanned in the next queue, and executing the scanning task of the next asset to be scanned in the current queue.
2. The port scanning method of claim 1, wherein dividing the ports of each asset to be scanned into a plurality of scanning tasks according to a plurality of theoretical risk level output values comprises:
determining the risk level of an open port according to the probability distribution of the service corresponding to the open port and the quantized value of the service attack surface information;
and determining, according to the port opening probability of the ports and the risk level of the open ports, the minimum set of ports that needs to be scanned to reach each theoretical risk level output value, and dividing that minimum set of ports into one scanning task.
3. The port scanning method of claim 2, wherein determining the minimum set of ports to scan to achieve each theoretical risk level output value is accomplished by the following equation:
wherein the quantities in the formula are: the set of ports that have not been scanned; the set of ports contained in each scanning task; the theoretical risk level output value corresponding to each scanning task; the open port risk level; and the port opening probability.
4. The port scanning method of claim 2, wherein the risk level of the open port is determined according to the probability distribution of the service corresponding to the port and the quantized value of the service attack surface information, wherein the quantized value of the service attack surface information is determined according to the value implied by the service, the vulnerabilities it contains, and the difficulty of exploiting the service.
5. The port scanning method of claim 2, wherein the open port risk level is determined, according to the probability distribution of the service corresponding to the port and the quantized value of the service attack surface information, by the following formula:
wherein the quantities in the formula are: the risk level of the open port; the probability distribution of the service corresponding to the open port; the quantized value of the service attack surface information; and the expectation, taken with respect to that probability distribution, of the corresponding random variable.
6. The port scanning method of any of claims 1 to 5, further comprising:
when the scanning task of the current asset to be scanned in the current queue is completed and the risk level of the scanning result is greater than the preset risk level threshold, moving the scanning tasks of the current asset to be scanned that have not yet been scanned into a designated queue, wherein the designated queue is a queue other than the plurality of queues;
and executing the scanning tasks of the current asset to be scanned in the designated queue before a firewall is triggered or a time limit is reached.
7. The port scanning method of any of claims 1 to 5, further comprising:
the scanning tasks in different queues are executed in parallel by different scanning devices.
8. A port scanning device, comprising:
a task dividing module, configured to divide the ports of each asset to be scanned into a plurality of scanning tasks according to a plurality of theoretical risk level output values, wherein the ports included in each scanning task are the ports that need to be scanned to meet the theoretical risk level output value corresponding to that scanning task;
a queue processing module, configured to respectively store the plurality of scanning tasks of each asset to be scanned into a plurality of queues;
and a scanning module, configured to, for each queue, when the scanning task of the current asset to be scanned in the queue is completed and the risk level of the scanning result is smaller than a preset risk level threshold, trigger execution of the scanning task of the current asset to be scanned in the next queue and execute the scanning task of the next asset to be scanned in the queue.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the port scanning method of any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program for executing the port scanning method of any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211186792.7A CN115296928B (en) | 2022-09-28 | 2022-09-28 | Port scanning method and device, computer equipment and readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115296928A true CN115296928A (en) | 2022-11-04 |
CN115296928B CN115296928B (en) | 2023-02-03 |
Family
ID=83834868
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211186792.7A Active CN115296928B (en) | 2022-09-28 | 2022-09-28 | Port scanning method and device, computer equipment and readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115296928B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111580946A (en) * | 2020-04-28 | 2020-08-25 | 北京达佳互联信息技术有限公司 | Port scanning method, device, equipment and storage medium |
CN111898898A (en) * | 2020-07-25 | 2020-11-06 | 江苏锐创软件技术有限公司 | Risk equipment positioning monitoring method, device and system and storage medium |
US20210185073A1 (en) * | 2019-12-13 | 2021-06-17 | Disney Enterprises, Inc. | Techniques for analyzing network vulnerabilities |
CN113037765A (en) * | 2021-03-23 | 2021-06-25 | 寇英翰 | Port scanning device |
CN114050940A (en) * | 2022-01-10 | 2022-02-15 | 北京华云安信息技术有限公司 | Asset vulnerability detection method and device and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||