CN115297007A - Construction method and system of network space asset information map for cooperative network - Google Patents

Construction method and system of network space asset information map for cooperative network Download PDF

Info

Publication number
CN115297007A
Authority
CN
China
Prior art keywords
topology
network
equipment
constructing
physical
Prior art date
Legal status
Withdrawn
Application number
CN202210925760.8A
Other languages
Chinese (zh)
Inventor
张兆心
黄俊凯
张智超
雷栋梁
赵东
姚雨辰
叶锋
Current Assignee
Shandong Tianhe Cyberspace Security Technology Research Institute Co ltd
Original Assignee
Shandong Tianhe Cyberspace Security Technology Research Institute Co ltd
Priority date
Filing date
Publication date
Application filed by Shandong Tianhe Cyberspace Security Technology Research Institute Co ltd
Priority to CN202210925760.8A
Publication of CN115297007A
Legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/12 Discovery or management of network topologies
    • H04L41/02 Standardisation; Integration
    • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H04L41/22 Arrangements for maintenance, administration or management of data switching networks comprising specially adapted graphical user interfaces [GUI]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Human Computer Interaction (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a system for constructing a cyberspace asset information map for a cooperative network. It addresses the one-sided and incomplete picture of an intranet's actual operating environment that existing intranet mapping schemes produce. The method comprises: step 1, constructing the physical topology of the intranet based on SNMP (Simple Network Management Protocol), including acquiring data for and constructing a network-layer topology and a link-layer topology; step 2, generating a virtual asset topology in the software-service dimension on top of the physical hardware topology; step 3, constructing a dynamic communication behavior topology on the framework of the physical topology and the virtual asset topology; and step 4, performing real-time analysis and rendering of the topology data to build a visual cyberspace asset information map as a Web service. The method and system give operation and maintenance personnel a comprehensive picture of the current operating state of the network.

Description

Construction method and system of network space asset information map for cooperative network
Technical Field
The invention relates to the technical field of intranet asset mapping, in particular to a method and a system for constructing a cyberspace asset information map for a cooperative network.
Background
Intranet asset mapping is the process of surveying the network devices (routers, switches, access switches and terminals) within a local area network. Its purpose is to obtain and describe the topology of the devices in the network, their device types, and so on. With a map of the intranet, a network administrator can quickly locate faulty equipment, discover anomalous equipment and see how network resources are being used.
In intranet asset mapping, physical topology measurement of the network layer and data link layer is very mature: routing tables, SNMP, LLDP and STP can be used to quickly determine device types and topology structure. Such mapping is, however, limited to the physical topology layer. It measures only the connection relationships between devices; it cannot describe the software services actually running in the intranet or its communication traffic; it lacks knowledge of the intranet's actual running state and communication behavior at the logical layer; it does not treat the software services running on devices as intranet software assets; and it does not treat communication behavior as a further layer of dynamic communication behavior topology carried on the physical topology. The result is a one-sided view in the mapping and management of intranet assets.
Disclosure of Invention
Aiming at the problem that existing intranet measurement schemes give an incomplete picture of the intranet's actual operating environment, the invention provides a method for constructing a cyberspace asset information map for a cooperative network, which maps and manages the cooperative network by combining the physical topology of the intranet with real-time information on the software services and communication behavior running on it.
Another object of the present invention is to provide a system for constructing a cyberspace asset information map of a cooperative network. The system comprises: a network-layer topology data acquisition module, a link-layer topology data acquisition module, a physical topology view construction module, a network device port scanning module, a terminal device port scanning module, a local packet capture program distribution module, a communication behavior log receiving module, a communication behavior log preprocessing module, a communication behavior topology data processing module, a database module, a periodic task scheduling module, a Web service module and a remote login module, and is used to construct the cyberspace asset information map for the cooperative network.
Accordingly, the technical scheme of the invention is a method for constructing a cyberspace asset information map of a cooperative network. The cyberspace asset information map is a topological measurement result for the cooperative network; it comprises physical resources and non-physical resources, the non-physical resources being the software assets and real-time communication behavior data built on top of the physical resources. The method comprises the following steps:
step 1, building the physical topology of the intranet based on the SNMP protocol, including collecting data for and building a network-layer topology and a link-layer topology;
step 2, performing software service identification on each device node on the framework of the physical hardware topology to generate a virtual asset topology in the software-service dimension;
step 3, monitoring the communication behavior of key network devices in the intranet on the basis of the physical topology and the virtual asset topology, and constructing the dynamic communication behavior topology of the whole network;
and step 4, performing real-time data analysis and view rendering of the topology data of the physical topology, the virtual asset topology and the dynamic communication behavior topology to build a visual cyberspace asset information map Web service.
Preferably, the cyberspace asset information map comprises the following three parts:
(1) A physical topology formed by the actual connection relationships of devices at the network layer and link layer;
(2) A virtual asset topology consisting of the software services running on the network devices and terminal devices of the physical topology and their relationships to those devices;
(3) A dynamic communication behavior topology, based on the physical topology and virtual asset topology, that records the details of internal and external communication behavior.
Preferably, constructing the physical topology of the intranet in step 1 comprises the following specific steps:
step 1.1, collecting data for and constructing the network-layer topology: exchanging SNMP messages with the devices corresponding to an input seed IP address list, requesting their routing information, and constructing the network-layer topology with a breadth-first search, the network-layer topology comprising network segment nodes, layer-3 network device nodes, the inclusion relationships between network segments and devices, the routing relationships between devices, and the detailed information of the network segments and devices;
step 1.2, collecting data for and constructing the link-layer topology: performing batch ICMP scans of each network segment discovered by the network-layer topology, adding every active IP node to a graph database and establishing its inclusion relationship with its network segment node, constructing the data-link-layer topology from LLDP data, and computing the topological connection relationships between the terminals in the active IP list and the switches from the switches' port forwarding tables;
step 1.3, computing a logical view and a physical view of the topology from the network-layer and data-link-layer topology data, where the logical topology view contains only the layer-3 routing nodes, the network segment nodes and their relationships, and the physical view is the physical topology of the actual network layer and data link layer without the network segment nodes.
Preferably, step 2 comprises the following steps:
step 2.1, obtaining the list of currently active terminals in the network from the network-layer and data-link-layer topology data;
step 2.2, performing batch port scans of the active terminals in each network segment to obtain the list of exposed software service ports of each terminal;
step 2.3, deduplicating, cleaning, filtering and formatting the acquired software service data;
step 2.4, constructing, from the obtained list of active terminals and their exposed software service ports, a virtual asset topology view built on the physical topology, each software service in the scan results being connected as a virtual asset node to the terminal node of the scanned terminal in the physical topology;
and step 2.5, periodically performing incremental maintenance updates of the virtual asset topology, periodically reconstructing the physical topology, and rescanning the terminals.
Preferably, the data source for constructing the virtual asset topology (step 2) is the software services running on the actual network that the physical topology represents, and the construction method is to record the connection relationship between each hardware device and its software services in graph form.
Preferably, step 3 is performed in the following order:
step 3.1, initializing the list of devices for which cooperative network authority is held;
step 3.2, configuring the authentication information of the corresponding gateway devices and switches through the Web service, and deploying and activating a local packet capture program on each of those devices through the remote login module;
step 3.3, capturing the IP protocol packets of the device with the local packet capture program, converting the packet information into communication behavior logs after deduplication, cleaning, filtering and formatting, and uploading the communication behavior logs to the database module for storage and incremental maintenance;
and step 3.4, constructing the dynamic communication behavior topology on the basis of the physical topology and the virtual asset topology from the communication behavior log data.
Preferably, step 4 is performed in the following order:
step 4.1, rendering, from the network-layer and link-layer graph data in the database module, a physical topology view whose nodes are the routers, switches and terminal devices and whose edges are the actual interface connection relationships;
step 4.2, rendering, from the terminal port identification graph data in the database module, a virtual asset topology view on top of the physical topology;
and step 4.3, rendering a dynamic communication behavior topology view from the dynamic communication behavior graph data in the database module.
Preferably, the dynamic communication behavior topology construction in step 3 has the following specific characteristics:
(1) The data sources are the physical topology, the virtual asset topology, and the real-time communication data of the gateway and switch devices. Specifically, the device nodes of the source IP and destination IP of each real-time communication record are located in the physical topology, the virtual asset nodes owned by those device nodes are looked up in the virtual asset topology, and a virtual asset node is matched against the communication protocol;
(2) The device corresponding to the source IP and the device corresponding to the destination IP are connected by a directed edge whose relation is the communication protocol; at the same time, communication behavior edges are constructed between the matched virtual asset node and the source-IP device and destination-IP device;
(3) A piece of dynamic communication behavior topology data is thus constructed on top of the physical topology and virtual asset topology. The topology is dynamic in two respects:
(3.1) the dynamic flow from the source-IP device to the destination-IP device is depicted by an animated visualization in the Web front end;
and (3.2) each communication behavior relationship from source-IP device to destination-IP device is given an expiration time, expired relationships are deleted automatically, and the dynamic communication behavior topology view is updated by periodically acquiring fresh communication behavior data and refreshing the relationships.
Preferably, a system for constructing a cyberspace asset information map of a cooperative network is used to implement the above method. It mainly comprises: a physical topology construction subsystem, a software service topology construction subsystem, a dynamic communication behavior topology construction subsystem and the system function modules.
Preferably, the physical topology construction subsystem comprises a network-layer topology data acquisition module, a link-layer topology data acquisition module and a physical topology view construction module; the software service topology construction subsystem comprises a network device port scanning module and a terminal device port scanning module; the dynamic communication behavior topology construction subsystem comprises a local packet capture program distribution module, a communication behavior log receiving module, a communication behavior log preprocessing module and a communication behavior topology data processing module; and the system function modules comprise a database module, a periodic task scheduling module, a Web service module, a remote login module and a system configuration module.
The advantages of the invention are as follows. First, it provides a more comprehensive mapping scheme for the cooperative network: in addition to the physical topology view, it supplies a virtual asset topology based on the software services of the devices and a dynamic communication behavior topology covering internal and external communication. Second, it provides richer real-time intranet information: because the physical topology, virtual asset topology and dynamic communication behavior topology are acquired and constructed in parallel, an intranet anomaly can be analysed with all three dimensions of information together, without separately tracing historical log data, which helps with tracing, localization and assessment of the affected scope after a network security event. Finally, the integrated visualization of the three topologies gives operation and maintenance managers a clear and intuitive view.
The method thus solves, to a certain extent, the problem that existing intranet mapping schemes give an incomplete picture of the intranet's actual operating environment.
Drawings
FIG. 1 is a system architecture diagram of a method and system for constructing a cyberspace asset information map for a collaborative network according to the present invention;
FIG. 2 is an algorithm diagram of a method and system for constructing a cyber-space asset information map of a cooperative network according to the present invention.
Detailed Description
The present invention will be further described with reference to the following examples.
Figs. 1-2 illustrate an embodiment of a method and system for constructing a cyberspace asset information map for a cooperative network according to the present invention. The cyberspace asset information map is defined as a topological measurement result for the cooperative network comprising physical resources and the non-physical resources, namely software assets and real-time communication behavior data, built on top of them. The cyberspace asset information map comprises the following three parts:
(1) The physical topology, formed by the actual connection relationships and the network segment relationships of the devices at the network layer and link layer;
(2) A virtual asset topology, consisting of the software services running on the network devices and terminal devices of the physical topology and their relationships to those devices;
(3) A dynamic communication behavior topology, based on the physical topology and virtual asset topology, that records the details of internal and external communication behavior.
The method for constructing a cyberspace asset information map for a cooperative network mainly comprises the following steps:
Step 1, building the physical topology of the intranet based on the SNMP protocol, including acquiring data for and building a network-layer topology and a link-layer topology.
Further, constructing the physical topology of the intranet in step 1 comprises the following specific steps:
Step 1.1, collecting data for and constructing the network-layer topology. SNMP messages are exchanged with the devices corresponding to the input seed IP address list, requesting the following information: routing information comprising the route type (direct or indirect), the route destination address, the subnet mask of the destination, the local interface index of the route, and the next-hop address of the route. The network-layer topology is then built by breadth-first search. Specifically, a queue Q1 whose elements are IP addresses is created with the input seed IP addresses as its initial contents, together with an initially empty deduplication set S1. While Q1 is not empty, an element is dequeued; if it is not in S1, one round of SNMP message exchange is performed with that IP address and the result is processed as follows: in the graph database Neo4j, an indirect-route relationship is created between the queried device and the destination of each indirect route, and a direct-connection relationship between the queried device and each route's next-hop address; the next-hop and destination addresses obtained from the routing table are appended to Q1; and the queried IP address is added to S1. The loop continues until the queue is empty, at which point the network-layer topology of the network reachable from the probe node has been built in the graph database.
Step 1.2, collecting data for and constructing the link-layer topology. First, a network segment node is created for each network segment discovered by the network-layer topology and connected to its network-layer device. Second, a batch ICMP scan traverses each segment; a terminal node is created for each active, reachable IP address and connected to the segment node. At the same time, SNMP messages are exchanged with the terminal nodes to obtain basic device information, ARP information, LLDP information, the interface table, the port forwarding table, STP information and port traffic information, which are stored in a non-relational database, and the link-layer topology is built from the LLDP protocol data. Finally, the topological connection relationships between the terminals in the active IP list and the switches are computed from the switches' port forwarding tables. The above topology data is stored in the Neo4j database of the database module.
Step 1.3, computing a logical view and a physical view of the topology from the network-layer and data-link-layer topology data. The logical topology view contains only the layer-3 routing nodes, the network segment nodes and their relationships; the physical view is the physical topology of the actual network layer and data link layer without the network segment nodes.
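The two discovery passes of step 1, as an added example that is not code from the patent: the queue Q1 / set S1 breadth-first walk of step 1.1 is run over constructed routing tables that stand in for SNMP ipRouteTable replies, and the terminal-to-switch placement of step 1.2 is computed from constructed dot1dTpFdbTable forwarding tables. All table contents, the relation names (CONTAINS, INDIRECT_ROUTE, NEXT_HOP) and the single-MAC-per-port placement rule are this example's assumptions.

```python
"""Added example of the step 1 discovery, not code from the patent:
a breadth-first walk over routing tables standing in for the SNMP
ipRouteTable replies of step 1.1, and terminal placement from switch
forwarding tables (dot1dTpFdbTable) as in step 1.2.  Every table below
is constructed sample data; relation names are this example's choice."""
from collections import deque
from ipaddress import ip_network

# Constructed routing tables keyed by router IP.  Entries are
# (destination, mask, ipRouteType, next hop); ipRouteType 3 = direct,
# 4 = indirect, as an SNMP agent reports them.
ROUTING_TABLES = {
    "10.0.0.1": [("10.0.0.0", "255.255.255.0", 3, "0.0.0.0"),
                 ("10.0.1.0", "255.255.255.0", 3, "0.0.0.0"),
                 ("10.0.2.0", "255.255.255.0", 4, "10.0.1.2")],
    "10.0.1.2": [("10.0.1.0", "255.255.255.0", 3, "0.0.0.0"),
                 ("10.0.2.0", "255.255.255.0", 3, "0.0.0.0"),
                 ("10.0.0.0", "255.255.255.0", 4, "10.0.0.1")],
}

# Constructed dot1dTpFdbTable per switch: MAC -> bridge port that learned it.
FDB_TABLES = {
    "sw1": {"aa:aa:aa:00:00:01": 1, "aa:aa:aa:00:00:02": 2,
            "aa:aa:aa:00:00:03": 24, "aa:aa:aa:00:00:04": 24},
    "sw2": {"aa:aa:aa:00:00:03": 1, "aa:aa:aa:00:00:04": 2,
            "aa:aa:aa:00:00:01": 24, "aa:aa:aa:00:00:02": 24},
}


def snmp_get_routes(ip):
    """Stand-in for the SNMP route walk; None means the address did not answer."""
    return ROUTING_TABLES.get(ip)


def build_network_layer(seed_ips):
    """Queue Q1 / set S1 breadth-first search of step 1.1.

    Returns (segments, devices, edges); edges are (src, relation, dst)
    triples ready to be merged into a graph database.  Only next hops are
    enqueued, because those are the addresses that can be queried over SNMP."""
    queue, seen = deque(seed_ips), set()
    segments, devices, edges = set(), set(), set()
    while queue:
        ip = queue.popleft()
        if ip in seen:
            continue
        seen.add(ip)
        routes = snmp_get_routes(ip)
        if routes is None:          # no SNMP answer: not a layer-3 device
            continue
        devices.add(ip)
        for dest, mask, rtype, nexthop in routes:
            seg = str(ip_network(f"{dest}/{mask}"))
            segments.add(seg)
            if rtype == 3:          # direct route: device has an interface in seg
                edges.add((seg, "CONTAINS", ip))
            else:                   # indirect route: seg reached via next hop
                edges.add((ip, "INDIRECT_ROUTE", seg))
                edges.add((ip, "NEXT_HOP", nexthop))
                queue.append(nexthop)
    return segments, devices, edges


def place_terminals(fdb_tables, active_macs):
    """Step 1.2 terminal-to-switch placement from forwarding tables.

    A terminal hangs off the switch port that learned its MAC and no other
    active MAC; a port that has learned several active MACs is treated as an
    uplink towards another switch and yields no terminal edge."""
    placement = {}
    for switch, fdb in fdb_tables.items():
        by_port = {}
        for mac, port in fdb.items():
            if mac in active_macs:
                by_port.setdefault(port, []).append(mac)
        for port, macs in by_port.items():
            if len(macs) == 1:
                placement[macs[0]] = (switch, port)
    return placement


if __name__ == "__main__":
    segs, devs, edges = build_network_layer(["10.0.0.1"])
    print(sorted(segs), sorted(devs))
    for edge in sorted(edges):
        print(*edge)
    print(place_terminals(FDB_TABLES, {m for t in FDB_TABLES.values() for m in t}))
```

The walk deliberately enqueues next hops rather than destination prefixes: a prefix such as 10.0.2.0 is a segment node, not something an SNMP agent answers on, so enqueueing it only costs a timed-out probe. The single-MAC-per-port rule is the usual first approximation; a port behind a hub, an unmanaged switch or a virtualization host will carry several MACs and is left unplaced rather than guessed.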
Step 2, performing software service identification on each device node on the framework of the physical hardware topology to generate a virtual asset topology in the software-service dimension.
Step 2.1, traversing all device nodes in the physical topology data of the network layer and data link layer, verifying that each device node is alive, and generating a list of currently active devices in the network.
Step 2.2, performing batch port scans of the active devices in each network segment, verifying whether a device offers a service of a given protocol by constructing a packet and attempting to establish a connection with the device. The protocols comprise the following common ports: 21 (ftp), 22 (ssh), 23 (telnet), 80 (http), 102 (Siemens S7 over ISO-TSAP), 443 (https), 445 (smb), 554 (rtsp), 1433 (mssql), 3306 (mysql), 6379 (redis), 8443 (https, alternate port), 2181 (zookeeper), 5900 to 5903 (vnc), 1080 (socks5), 3389 (rdp), etc. The result is the list of exposed software service ports of each device.
Step 2.3, deduplicating, cleaning, filtering and formatting the acquired software service list. The port scan results are collected in parallel and first deduplicated; then, according to the cleaning and filtering rules configured by the user, results that fail a rule are screened out by matching on formatted fields (verification, filtering and cleaning with user-defined rules are supported); finally the results are converted into formatted output for the graph database.
Step 2.4, constructing a virtual asset topology view on top of the physical topology. Each software service in the scan results is connected as a virtual asset node to the terminal node of the scanned terminal in the physical topology. Specifically, the virtual asset topology view is constructed from the acquired list of active devices and their exposed software service ports: the device nodes of the physical topology are traversed, each software service discovered on a device becomes a virtual asset node connected to that terminal node, and the virtual asset node carries the following fields: software service name, port number, payload (port connection status, message information, etc.), active time and update time. The nodes are stored in the Neo4j database of the database module.
Step 2.5, periodically performing incremental maintenance updates of the virtual asset topology. The physical topology is reconstructed periodically, and when the device node list has changed, the virtual assets of the latest device node list are rescanned. In addition, the device nodes of the virtual asset topology are rescanned periodically, virtual assets that have disappeared are deleted from the graph database Neo4j, and the deletions are recorded as logs in the non-relational database.
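Steps 2.2 to 2.4 end to end, as an added example that is not the patent's code: a TCP connect scan (the "try to establish a connection" check of step 2.2) run against a listener the script itself starts on 127.0.0.1, followed by the deduplication, user-rule filtering and formatting of step 2.3 into virtual asset node records carrying the fields named in step 2.4. The port-to-service table is the one from step 2.2; the rule format (callables over the node dict), the node field names and the banner-reading detail are assumptions of this example.

```python
"""Added example of step 2 (port scan -> virtual asset nodes), not code from
the patent.  The scan is a plain TCP connect scan run only against a
listener this script starts on 127.0.0.1; the rule format for step 2.3
(callables over the node dict) and the node field names are assumptions."""
import socket
import threading
import time

# Port-to-service table taken from step 2.2 of the description.
SERVICE_BY_PORT = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http",
                   102: "siemens-s7", 443: "https", 445: "smb", 554: "rtsp",
                   1433: "mssql", 3306: "mysql", 6379: "redis",
                   8443: "https-alt", 2181: "zookeeper", 5900: "vnc",
                   5901: "vnc", 5902: "vnc", 5903: "vnc", 1080: "socks5",
                   3389: "rdp"}


def connect_scan(host, ports, timeout=0.5):
    """Return {port: banner} for ports that accept a TCP connection.
    Refused, filtered and timed-out ports are simply absent."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                try:
                    banner = s.recv(64)      # whatever the service says first
                except OSError:
                    banner = b""
                results[port] = banner
        except OSError:
            continue
    return results


def to_asset_nodes(terminal_ip, scans, deny_rules=(), now=None):
    """Step 2.3/2.4: merge the results of parallel scanners, dedup by port,
    drop nodes matched by a user deny rule, and emit one virtual asset node
    (dict) per exposed port with the fields named in step 2.4."""
    now = now if now is not None else int(time.time())
    merged = {}
    for scan in scans:                       # dedup across scanner workers
        for port, banner in scan.items():
            merged.setdefault(port, banner)
    nodes = []
    for port in sorted(merged):
        node = {"terminal": terminal_ip,
                "service": SERVICE_BY_PORT.get(port, f"tcp/{port}"),
                "port": port,
                "payload": merged[port].decode("latin-1", "replace").strip(),
                "active_time": now, "update_time": now}
        if any(rule(node) for rule in deny_rules):
            continue
        nodes.append(node)
    return nodes


def start_banner_listener(banner=b"SSH-2.0-constructed\r\n"):
    """Constructed target: ephemeral-port listener that greets with a banner."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port():
    """Pick a port that is closed right now: bind, read it back, release."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one open and one closed local port; return (nodes, open_port)."""
    srv, open_port = start_banner_listener()
    try:
        scan = connect_scan("127.0.0.1", [open_port, closed_port()])
        nodes = to_asset_nodes("10.0.1.10", [scan],
                               deny_rules=[lambda n: n["service"] == "telnet"])
        return nodes, open_port
    finally:
        srv.close()


if __name__ == "__main__":
    for node in demo()[0]:
        print(node)
```

A full connect to every port is the noisiest scan there is and will show up in the target's own logs and on any host-based detection; on a cooperative network that is acceptable and even desirable (the scan is authorized), but the scheduler of step 2.5 should rate-limit it, and the deny rules are the place to keep the scanner away from fragile ports such as 102 on PLCs that do not tolerate unexpected connections.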
Step 3, monitoring the communication behavior of key network devices in the intranet on the basis of the physical topology and virtual asset topology, and constructing the dynamic communication behavior topology.
The data source for constructing the virtual asset topology is the physical topology and the software services running on the actual network it represents; the construction method is to record the connection relationships between hardware devices and software services in graph form.
The dynamic communication behavior topology construction has the following specific characteristics:
(1) The data sources are the physical topology, the virtual asset topology, and the real-time communication data of the gateway and switch devices. Specifically, the device nodes of the source IP and destination IP of each real-time communication record are located in the physical topology, the virtual asset nodes owned by those device nodes are looked up in the virtual asset topology, and a virtual asset node is matched against the communication protocol;
(2) Nodes are connected as follows: the device corresponding to the destination IP and the device corresponding to the source IP are joined by a directed edge whose relation is the communication protocol; at the same time, communication behavior edges are created between the virtual asset node and the devices corresponding to the source IP and destination IP;
(3) A piece of dynamic communication behavior topology data is thus constructed on the physical topology and virtual asset topology. The topology is dynamic in two respects:
(3.1) the dynamic flow from the source-IP device to the destination-IP device is depicted by an animated visualization in the Web front end;
(3.2) each communication behavior relationship from source-IP device to destination-IP device is given an expiration time and expired relationships are deleted automatically; the relationships are refreshed by periodically acquiring new communication behavior data, so that the dynamic communication behavior topology view is updated dynamically.
Step 3.1, initializing the list of devices for which cooperative network authority is held: the IP addresses of the gateway devices and the switch list of the current topology are obtained through the network-layer and link-layer topology data acquisition modules, by querying the graph database for the device types described in the SNMP messages.
Step 3.2, configuring the authentication information of the corresponding gateway devices and switches through the Web service, and deploying and activating a local packet capture program on each device through the remote login module. Specifically, under the conditions of a cooperative network, the authentication information of the gateway devices and switches is configured in the Web service; the remote login module, which is based on the telnet protocol, logs in to the gateways and switches remotely; the packet capture program is delivered to each device through a remote file transfer protocol such as FTP or SFTP (the SSH File Transfer Protocol); and the fingerprint IDs of the gateway devices and switches for which cooperative network authority is held are stored in the non-relational database of the database module. Note that telnet and FTP carry the configured credentials and the delivered program in cleartext on the management path; of the channels named here only SFTP protects them, which matters because the device list is exactly the set of gateways and switches that carry the whole intranet's traffic.
Step 3.3, capturing the IP protocol packets of the device with the local packet capture program, and uploading the communication behavior logs derived from the packet information, after deduplication, cleaning, filtering and formatting, to the database module for storage and incremental maintenance. The local packet capture program deployed on a gateway or switch captures the IP packets passing through the local network interface and extracts communication behavior metadata comprising the protocol name, destination IP, source IP and timestamp. According to the cleaning and filtering rules configured by the user, metadata that fail a rule are screened out by matching on formatted fields (verification, filtering and cleaning with user-defined rules are supported); the metadata are then converted into formatted communication behavior logs for the database and, after deduplication, uploaded in batches to the non-relational database of the database module for storage and incremental maintenance.
Step 3.4, constructing the dynamic communication behavior topology on the physical topology and virtual asset topology from the communication behavior log data. The view processing module periodically fetches the communication behavior metadata of the gateways and switches from the database module and classifies each communication as external or internal according to its destination IP. The device nodes are located in the physical topology by source IP and destination IP, and the virtual asset topology is searched for a virtual asset node owned by the destination device that matches the communication protocol. If a match exists, dynamic communication behavior topology data is constructed on the physical topology and virtual asset topology, connecting the source-IP device, the destination-IP device and the virtual asset node corresponding to the communication protocol. If no match exists, only the source-IP device and destination-IP device are connected, the record is stored in the database module, and a notice is sent to the operation and maintenance personnel through the Web service.
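Steps 3.3 and 3.4 together with the expiry rule of characteristic (3.2), as an added example that is not the patent's code: constructed capture records of the kind a local packet capture program would emit are reduced to one communication behavior log per (source, destination, protocol), each log is classified as internal or external by destination IP, matched against a constructed slice of the virtual asset topology, and turned into directed edges carrying an expiry that a pruning pass later enforces. The intranet range, the sample devices and assets, the port-to-protocol mapping and the choice to raise a notice only for unmatched internal destinations (the text does not say whether external flows, which by construction have no intranet asset, should alert) are assumptions of this example.

```python
"""Added example of steps 3.3-3.4, not code from the patent: constructed
capture records (what a local packet-capture program on a gateway would
extract) are reduced to communication behavior logs, matched against
virtual asset nodes, split into internal/external, and kept as directed
edges with an expiry.  The intranet range, the sample topology and the
decision to alert only on unmatched internal destinations are assumptions."""
from ipaddress import ip_address, ip_network

INTRANET = [ip_network("10.0.0.0/8")]          # constructed: internal ranges

# Constructed slice of the physical topology (IP -> device node) and of the
# virtual asset topology ((terminal IP, service, port) per exposed service).
DEVICES = {"10.0.1.10": "pc-10", "10.0.1.20": "srv-20", "10.0.0.1": "gw-1"}
VIRTUAL_ASSETS = {("10.0.1.20", "ssh", 22), ("10.0.1.20", "http", 80)}
PROTO_BY_PORT = {22: "ssh", 80: "http", 443: "https", 3389: "rdp"}

# Constructed capture records as the packet-capture program would emit them.
CAPTURE = [
    {"src": "10.0.1.10", "dst": "10.0.1.20", "dport": 22, "ts": 1000},
    {"src": "10.0.1.10", "dst": "10.0.1.20", "dport": 22, "ts": 1001},    # same flow
    {"src": "10.0.1.10", "dst": "10.0.1.20", "dport": 3389, "ts": 1002},  # no rdp asset
    {"src": "10.0.1.10", "dst": "203.0.113.7", "dport": 443, "ts": 1005}, # leaves intranet
]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTRANET)


def to_behavior_logs(records, deny_rules=()):
    """Step 3.3: dedup to one log per (src, dst, protocol) keeping the latest
    timestamp, after dropping records matched by a user deny rule."""
    latest = {}
    for r in records:
        if any(rule(r) for rule in deny_rules):
            continue
        proto = PROTO_BY_PORT.get(r["dport"], f"tcp/{r['dport']}")
        key = (r["src"], r["dst"], proto)
        latest[key] = max(latest.get(key, 0), r["ts"])
    return [{"src": s, "dst": d, "protocol": p, "ts": t}
            for (s, d, p), t in sorted(latest.items())]


def build_behavior_topology(logs, ttl):
    """Step 3.4: directed device->device edges labelled with protocol and
    scope; a matching virtual asset adds device->asset edges, a missing one
    on an internal destination raises a notice.  Each edge gets an expiry."""
    edges, notices = [], []
    for log in logs:
        src = DEVICES.get(log["src"], log["src"])
        dst = DEVICES.get(log["dst"], log["dst"])
        scope = "internal" if is_internal(log["dst"]) else "external"
        expires = log["ts"] + ttl
        edges.append((src, dst, log["protocol"], scope, expires))
        asset = next((a for a in VIRTUAL_ASSETS
                      if a[0] == log["dst"] and a[1] == log["protocol"]), None)
        if asset is not None:
            asset_node = f"{asset[1]}:{asset[2]}@{dst}"
            edges.append((src, asset_node, log["protocol"], scope, expires))
            edges.append((asset_node, dst, "HOSTED_ON", scope, expires))
        elif scope == "internal":
            notices.append(f"{src} -> {dst} over {log['protocol']}: "
                           "no matching virtual asset")
    return edges, notices


def prune_expired(edges, now):
    """Characteristic (3.2): drop relationships whose expiry has passed."""
    return [e for e in edges if e[4] > now]


if __name__ == "__main__":
    logs = to_behavior_logs(CAPTURE)
    edges, notices = build_behavior_topology(logs, ttl=300)
    for e in prune_expired(edges, now=1010):
        print(*e)
    print(notices)
```

The "no matching virtual asset" notice is where this map earns its keep for incident response: a flow to an internal port that the last scan did not see means either a service that appeared since the scan or traffic to something that is not a service at all, and both deserve a look. The expiry keeps the view honest in the other direction, so that a connection seen once does not stay drawn on the map forever.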
Step 4, carrying out real-time data analysis and view rendering on the topology data of the physical topology, the virtual asset topology and the dynamic communication behavior topology to construct a visual network space asset information map Web service.
Step 4.1, based on the graph data of the network layer and the link layer in the database module, rendering a physical topology view which takes the router, the switch and the terminal equipment as nodes and takes the actual interface connection relationship as an edge;
step 4.2, based on the graph data identified by the equipment port in the database module, rendering a virtual asset topological view on the basis of physical topology;
step 4.3, rendering a topology view of the dynamic communication behaviors based on the graph data of the dynamic communication behaviors in the database module.
Further, the method of constructing the visual network space asset information map Web service in step 4 specifically comprises the following steps:
Step 4.1, based on the graph data of the network layer and the link layer in the database module, rendering a physical topology view whose nodes are the routers, switches and terminal devices and whose edges are the actual interface connection relationships. Specifically, a physical topology is constructed from the network layer and link layer graph data, with routers, switches and terminal devices as nodes and actual interface connection relationships as edges; the node data comprises the device type, interface table, ARP table, routing table, port forwarding table and update time. In addition, on the basis of the physical topology, a hybrid topology containing network segment nodes is constructed, comprising edges for the direct and indirect routing relationships between network segment nodes and router nodes, and edges for the subnet affiliation relationships between network segment nodes and the terminals and switches.
Step 4.2, rendering a virtual asset topology view on the basis of the physical topology from the graph data identified by device ports in the database module. Specifically, a virtual asset topology is constructed from the graph data of device port identification: on the basis of the physical topology, each software service identified on a device port is created as a virtual asset node, and edges between device nodes and their virtual asset nodes are constructed; the node data comprises the virtual asset type, port number, payload and update time. A virtual asset topology based on the physical topology is thereby generated.
Step 4.3, rendering a topology view of the dynamic communication behaviors from the graph data of the dynamic communication behaviors in the database module. Specifically, a dynamic communication behavior topology is constructed from the dynamic communication behavior graph data. The destination IP and source IP in the communication behavior metadata are matched with device nodes of the physical topology, and directed edges whose relation is the communication protocol are constructed between the device nodes; at the same time, the communication protocol in the communication behavior metadata is matched with the virtual asset nodes of the virtual asset topology, and edges of the communication behavior relation are constructed between the virtual asset node and the device corresponding to the source IP and the device corresponding to the destination IP, the edge data comprising the communication protocol, port number, payload and update time. A dynamic communication behavior topology is thereby generated on the basis of the physical topology and the virtual asset topology.
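The graph construction of steps 3.4, 4.2 and 4.3 together (virtual asset nodes hung off device nodes, then communication edges anchored by source and destination IP, with the match/no-match branch and the expiry rule from claim 8), as an added example that is not the patent's own code. The physical topology, port-scan results, log entries and intranet range are constructed sample data; the edge kinds `hosts`, `comm` and `uses`, the `ext:` pseudo-node for external peers, the TTL-based expiry and the notification list are assumptions about how the described behaviour could be realised.

```python
"""Virtual asset topology on a physical topology, then a dynamic communication-behaviour
topology built from preprocessed logs (steps 3.4, 4.2, 4.3 and the expiry of claim 8).

Added example, not the patent's own code. All input data is constructed; the edge
kinds, the external pseudo-node and the expiry/notification handling are assumptions.
"""
import ipaddress

# Constructed physical topology (output of step 1): device -> type and addresses.
PHYSICAL_NODES = {
    "gw1":    {"type": "router",   "ips": {"10.0.1.1", "10.0.2.1", "203.0.113.10"}},
    "sw1":    {"type": "switch",   "ips": {"10.0.1.2"}},
    "host-a": {"type": "terminal", "ips": {"10.0.1.20"}},
    "srv-b":  {"type": "terminal", "ips": {"10.0.2.5"}},
}
INTRANET = [ipaddress.ip_network("10.0.0.0/8")]   # assumed intranet address space

# Constructed port-scan results (step 2.2 output): device -> exposed services.
SCAN_RESULTS = {
    "srv-b": [{"port": 443, "protocol": "HTTPS", "payload": "nginx"},
              {"port": 22,  "protocol": "SSH",   "payload": "OpenSSH"}],
    "gw1":   [{"port": 161, "protocol": "SNMP",  "payload": ""}],
}

class AssetGraph:
    def __init__(self, physical):
        self.nodes = dict(physical)                      # device and virtual asset nodes
        self.ip_index = {ip: dev for dev, a in physical.items() for ip in a["ips"]}
        self.edges = []                                  # (src, dst, kind, attrs)
        self.notifications = []                          # messages for operations staff

    # ---- virtual asset topology (step 4.2) ----
    def add_virtual_assets(self, scan_results, now):
        """Each identified service becomes a virtual asset node hanging off its device."""
        for dev, services in scan_results.items():
            if dev not in self.nodes:
                continue                                 # result for a device not in the topology
            for svc in services:
                vid = f"{dev}:{svc['protocol']}:{svc['port']}"
                self.nodes[vid] = {"type": "virtual_asset", "owner": dev,
                                   "protocol": svc["protocol"], "port": svc["port"],
                                   "payload": svc["payload"], "updated": now}
                self.edges.append((dev, vid, "hosts", {"updated": now}))

    def _asset_for(self, dev, protocol):
        """Virtual asset node of dev that matches the communication protocol, if any."""
        for vid, attrs in self.nodes.items():
            if attrs.get("owner") == dev and attrs.get("protocol") == protocol:
                return vid
        return None

    # ---- dynamic communication-behaviour topology (steps 3.4 / 4.3) ----
    def add_communication(self, log, ttl):
        """Insert one log entry; returns 'internal'/'external', or None if the source is unknown."""
        src = self.ip_index.get(log["src_ip"])
        dst = self.ip_index.get(log["dst_ip"])
        dst_addr = ipaddress.ip_address(log["dst_ip"])
        scope = "internal" if any(dst_addr in net for net in INTRANET) else "external"
        if src is None:
            return None                                  # nothing in the physical topology to anchor on
        attrs = {"protocol": log["protocol"], "port": log["dst_port"],
                 "scope": scope, "expires": log["timestamp"] + ttl}
        # an external peer has no device node, so it is represented by its address
        dst_node = dst if dst is not None else f"ext:{log['dst_ip']}"
        self.edges.append((src, dst_node, "comm", attrs))
        if dst is not None:
            asset = self._asset_for(dst, log["protocol"])
            if asset is not None:
                self.edges.append((src, asset, "uses", dict(attrs)))
            else:                                        # no matching service: devices only, and notify
                self.notifications.append(
                    f"{log['src_ip']} -> {log['dst_ip']} {log['protocol']}: no matching virtual asset")
        return scope

    def expire(self, now):
        """Drop communication edges whose expiry time has passed; returns how many were removed."""
        before = len(self.edges)
        self.edges = [e for e in self.edges
                      if e[2] not in ("comm", "uses") or e[3]["expires"] > now]
        return before - len(self.edges)

    def comm_edges(self):
        return [e for e in self.edges if e[2] in ("comm", "uses")]

def build_demo():
    """Constructed walk-through: one matched flow, one unmatched internal flow, one external flow."""
    g = AssetGraph(PHYSICAL_NODES)
    g.add_virtual_assets(SCAN_RESULTS, now=1690000000)
    logs = [
        {"protocol": "HTTPS", "src_ip": "10.0.1.20", "dst_ip": "10.0.2.5",     "dst_port": 443,  "timestamp": 1690000000},
        {"protocol": "RDP",   "src_ip": "10.0.1.20", "dst_ip": "10.0.2.5",     "dst_port": 3389, "timestamp": 1690000001},
        {"protocol": "HTTPS", "src_ip": "10.0.1.20", "dst_ip": "198.51.100.7", "dst_port": 443,  "timestamp": 1690000002},
    ]
    scopes = [g.add_communication(log, ttl=300) for log in logs]
    return g, scopes

if __name__ == "__main__":
    g, scopes = build_demo()
    print(scopes, len(g.comm_edges()), g.notifications)
    print("expired:", g.expire(now=1690000400))
```

The second constructed flow (RDP to a device whose scan found no RDP service) is the case the text singles out: the device-to-device edge is still recorded, but a notification is raised because the observed protocol has no corresponding virtual asset, which is exactly the kind of discrepancy between the scanned inventory and live traffic an operator wants to see.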
As shown in fig. 2, the present invention provides a system for constructing a cyberspace asset information map of a cooperative network, which mainly comprises the following parts: a physical topology construction subsystem, a software service topology construction subsystem, a dynamic communication behavior topology construction subsystem and system function related modules. The physical topology construction subsystem comprises a network layer topology data acquisition module, a link layer topology data acquisition module and a physical topology view construction module; the software service topology construction subsystem comprises a network device port scanning module and a terminal device port scanning module; the dynamic communication behavior topology construction subsystem comprises a local packet capturing program publishing module, a communication behavior log receiving module, a communication behavior log preprocessing module and a communication behavior topology data processing module; the system function related modules comprise a database module, a periodic task scheduling module, a Web service module, a remote login module and a system configuration module.
The simplified working flow of the system is as follows. First, the mapping task parameters are read from the configuration file, and a small number of intranet IP addresses, generally the IPs of known gateway devices or core switches, are taken as the initial detection targets. Topology detection and construction are then carried out for the network layer and the link layer respectively: the network layer topology data acquisition module and the link layer topology data acquisition module obtain the topology connection information of the network layer and the link layer based on the SNMP protocol and the LLDP protocol and store it in the graph database of the database module in real time; all segments reachable from the detection points are obtained from the routing relationships of the devices; all active interface nodes and device connection relationships of the intranet are obtained through the link layer construction algorithm; and finally the physical topology is constructed by the physical topology construction module. Next, a software service topology and a dynamic communication behavior topology are constructed respectively from the result of the physical topology: the software service topology is detected and constructed through the network device port scanning module and the terminal device port scanning module, and the dynamic communication behavior topology information is obtained by monitoring the data of the packet capturing programs deployed locally on the gateway devices and switch devices, stored in the database in real time, and used to construct the dynamic communication behavior topology.
Finally, the graph data of the database module is processed by the view processing module and the Web service module, rendered into a physical topology view, a virtual asset topology view and a dynamic communication behavior topology view, and displayed at the front end of the Web service.
The network layer topology data acquisition module is used for acquiring topology data aiming at network layer equipment (a router and a three-layer switch) and acquiring basic information and routing relation of the three-layer network equipment;
the link layer topology data acquisition module is used for acquiring topology data aiming at data link layer equipment (switches and terminals) and acquiring basic information and connection relation of the link layer equipment;
the physical topology construction module is used for receiving the topology connection relation data of the network layer and link layer topology data acquisition module, constructing physical topology in real time and storing the physical topology in a graph database;
the network equipment port scanning module and the terminal equipment port scanning module are used for receiving equipment node information of the physical topology building module, scanning common ports of the network equipment and the terminal equipment and collecting software services exposed to the outside by the intranet equipment;
the local packet capturing program management module is used for managing local packet capturing programs of the cooperative equipment with the authority, and comprises monitoring, activating, issuing and updating of the local packet capturing programs;
the communication behavior log receiving module is used for receiving data of the physical topology building module and communication behavior data captured by a local packet capturing program of the cooperative equipment with authority in real time at a high speed in parallel;
the communication behavior log preprocessing module is used for generating a communication behavior log after filtering, cleaning, duplicate removal and formatting communication behavior data received in real time and storing the communication behavior log into a database;
the communication behavior topology data processing module is used for generating a dynamic communication behavior topology, extracting and analyzing the entity and the relation of the preprocessed communication behavior log in real time, and constructing the dynamic communication behavior topology on the basis of the physical topology;
the database module comprises a graph database and a non-relational database and is used for storing the data collected by the data acquisition modules: the graph database stores the topology data, and the non-relational database stores the other necessary data;
The periodic task scheduling module is used for periodically scheduling the topology detection and construction tasks to meet the real-time requirements of a topology view and intranet data;
the Web service module is used for providing a visual page, and generating a physical topology view, a logic topology view, a virtual asset topology view, a dynamic communication topology view and a mixed view through real-time calculation processing;
the remote login module is used for providing a login interface service for all devices in the network, so that operation and maintenance personnel can conveniently carry out operation and maintenance work on the basis of the visual information provided by the system;
the system configuration module is used for configuring the system parameters of each sub-module.
The above description is only an exemplary embodiment of the present invention and does not limit its scope; replacement by equivalent components, or equivalent changes and modifications made within the protection scope of the present invention, shall be covered by the claims of the present invention.

Claims (10)

1. A construction method of a cyberspace asset information map for a cooperative network, characterized in that the cyberspace asset information map is a topological measurement result in the cooperative network, the cyberspace asset information map comprises physical resources and non-entity resources, the non-entity resources being software assets and real-time communication behavior data constructed on the physical resources, and the method comprises the following steps:
step 1, constructing an intranet physical topology based on an SNMP protocol, wherein the intranet physical topology comprises a network layer topology and a link layer topology which are collected and constructed;
step 2, performing software service identification on each equipment node on the framework of the physical hardware topology to generate a virtual asset topology in software service dimension;
step 3, monitoring the communication behavior of key network equipment in the intranet on the basis of the architectures of the physical topology and the virtual asset topology, and constructing a dynamic communication behavior topology;
step 4, carrying out real-time data analysis and view rendering on the topology data of the physical topology, the virtual asset topology and the dynamic communication behavior topology to construct a visual network space asset information map Web service.
2. The method for constructing the cyberspace asset information map for the cooperative network according to claim 1, wherein the cyberspace asset information map comprises the following three parts:
(1) A physical topology formed by actual connection relations of devices of a network layer and a link layer;
(2) A virtual asset topology consisting of software service relationships running on network devices and terminal devices in a physical topology;
(3) A dynamic communication behavior topology based on physical topology and virtual asset topology that contains details of the communication behavior inside and outside.
3. The method for constructing the cyberspace asset information map for the cooperative network according to claim 1, wherein the method for constructing the physical topology of the intranet in the step 1 includes:
step 1.1, collecting the data for constructing the network layer topology and constructing it: taking a small number of intranet three-layer device IPs and SNMP community strings as input, carrying out SNMP message interaction with the target devices in turn through a breadth-first search algorithm, requesting detailed device information and routing information, and constructing the network layer topology, so as to form a physical topology map comprising network segment nodes, three-layer network device nodes, the inclusion relationships between network segments and devices, the routing relationships between devices, and the detailed information of the network segments and devices;
step 1.2, collecting data for constructing link layer topology, carrying out batch ICMP scanning on network segments found by each network layer topology, adding all active IP nodes into a graph database, and establishing an inclusion relationship with network segment nodes; constructing a data link layer topology through an LLDP protocol, and calculating the topological connection relation between a terminal node and a switch node in an active IP list through a port forwarding table, an STP table and the switch connection relation of a switch;
step 1.3, calculating a logical view and a physical view of the topology based on the topology data of the network layer and the data link layer, wherein the logical topology view contains only the nodes and relations of the three-layer routers and network segments, and the physical view is the physical topology of the actual network layer and data link layer, excluding network segment nodes.
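The breadth-first network-layer walk of step 1.1 and the two views of step 1.3, together with the hybrid topology of step 4.1 (segment nodes with direct and indirect routing edges), as an added example that is not the patent's own code. A real collector would read each router's interface and route tables over SNMP; here `snmp_fetch` answers from a constructed in-memory device table so the walk runs offline, and the community string, device names, addresses and the `contains` / `routes_via` edge kinds are all constructed assumptions.

```python
"""Breadth-first network-layer topology discovery over simulated SNMP data (steps 1.1, 1.3).

Added example, not the patent's own code. snmp_fetch stands in for SNMP GET/walk
against a constructed device table; every next hop found in a route table becomes
the next probe target, as the breadth-first search in the claim describes.
"""
from collections import deque

COMMUNITY = "public"   # constructed read-only community string; a real site uses its own

# Constructed device table standing in for SNMP replies. A next hop of "0.0.0.0"
# marks a directly connected segment, mirroring ipRouteNextHop semantics.
SIMULATED_DEVICES = [
    {"name": "core-r1", "ips": ["10.0.0.1", "10.0.1.1"], "routes": [
        ("10.0.0.0/24", "0.0.0.0"), ("10.0.1.0/24", "0.0.0.0"),
        ("10.0.2.0/24", "10.0.1.2")]},                           # reachable via edge-r2
    {"name": "edge-r2", "ips": ["10.0.1.2", "10.0.2.1"], "routes": [
        ("10.0.1.0/24", "0.0.0.0"), ("10.0.2.0/24", "0.0.0.0"),
        ("0.0.0.0/0", "10.0.1.1")]},                              # default route back to core
]

def snmp_fetch(ip, community):
    """Stand-in for an SNMP query: the device owning ip, or None when nothing answers."""
    if community != COMMUNITY:
        return None
    return next((d for d in SIMULATED_DEVICES if ip in d["ips"]), None)

class L3Topology:
    def __init__(self):
        self.routers = {}       # name -> {"ips": [...], "routes": [...]}
        self.segments = set()   # CIDR strings (network segment nodes)
        self.edges = set()      # (router, segment, "contains" | "routes_via")
        self.adjacency = set()  # (router, next-hop router), derived from next hops

    def discover(self, seed_ips, community):
        """BFS from the seed IPs; each next hop seen in a route table is probed in turn."""
        queue, probed, ip_owner, hops = deque(seed_ips), set(), {}, []
        while queue:
            ip = queue.popleft()
            if ip in probed:
                continue
            probed.add(ip)
            dev = snmp_fetch(ip, community)
            if dev is None or dev["name"] in self.routers:
                continue                     # no answer, or already reached via another interface
            name = dev["name"]
            self.routers[name] = {"ips": dev["ips"], "routes": dev["routes"]}
            ip_owner.update({a: name for a in dev["ips"]})
            for net, nexthop in dev["routes"]:
                if net != "0.0.0.0/0":       # the default route carries no segment node
                    self.segments.add(net)
                    kind = "contains" if nexthop == "0.0.0.0" else "routes_via"
                    self.edges.add((name, net, kind))
                if nexthop != "0.0.0.0":
                    hops.append((name, nexthop))
                    queue.append(nexthop)
        # next-hop IPs become router-to-router adjacency once their owner is known
        self.adjacency = {(src, ip_owner[h]) for src, h in hops if h in ip_owner}
        return self

    def logical_view(self):
        """Step 1.3 logical topology: three-layer routers, segments and their routing relations."""
        return {"nodes": sorted(self.routers) + sorted(self.segments),
                "edges": sorted(self.edges)}

    def physical_view(self):
        """Physical view without segment nodes. Only the layer-3 devices this walk found appear;
        switches and terminals would be added from the LLDP data of step 1.2."""
        return {"nodes": sorted(self.routers), "edges": sorted(self.adjacency)}

    def sweep_targets(self):
        """Segments handed to the step 1.2 ICMP sweep to enumerate active hosts."""
        return sorted(self.segments)

if __name__ == "__main__":
    topo = L3Topology().discover(["10.0.0.1"], COMMUNITY)
    print(topo.logical_view())
    print(topo.physical_view())
```

Starting from the single seed 10.0.0.1 the walk reaches both constructed routers, records three segments with five routing edges (four direct, one indirect) and derives the two-way adjacency between the routers; with a wrong community string nothing answers and the topology stays empty, which is the failure mode a collector should surface rather than mistake for an empty network.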
4. The method for constructing the cyberspace asset information map for the cooperative network according to claim 1, wherein the step 2 comprises the steps of:
step 2.1, acquiring a list of real-time network equipment and terminal equipment in the network based on topology data of a network layer and a data link layer;
step 2.2, carrying out batch port scanning on the active equipment nodes in each network segment, and acquiring the port number and protocol information of the exposed software service port of each equipment;
step 2.3, carrying out duplicate removal, cleaning, filtering and formatting on the acquired software service data;
step 2.4, for the list of software service ports exposed by the real-time active devices in the network, constructing a virtual asset topology view on the physical topology, connecting each software service in the detection result, as a virtual asset node, to the device node on the physical topology corresponding to the detected device;
step 2.5, periodically carrying out incremental maintenance and updating of the virtual asset topology, periodically reconstructing the physical topology view, and rescanning the current network devices and terminal devices of the intranet.
5. The method for constructing the cyberspace asset information map for the cooperative network according to claim 1, wherein the construction data source of the virtual asset topology in the step 2 is from a physical topology and a software service running on an actual network corresponding to the physical topology, and the construction method is to establish a connection relationship between a hardware device and the software service in a graph form.
6. The method for constructing the cyberspace asset information map for the cooperative network according to claim 5, wherein the step 3 is performed in the following order:
step 3.1, initializing a device list with a cooperative network authority according to the configuration information;
step 3.2, configuring authentication information of corresponding gateway equipment and a corresponding switch through Web service, and deploying and activating a local packet capturing program of the corresponding equipment through a remote login module;
step 3.3, capturing the IP protocol messages of the devices through the local packet capturing program, deduplicating, cleaning, filtering and formatting the mass message information, converting it into a communication behavior log, and uploading the log to the database module for storage and incremental maintenance;
step 3.4, constructing a dynamic communication behavior topology on the basis of the physical topology and the virtual asset topology from the communication behavior log data.
7. The method for constructing the cyberspace asset information map for the cooperative network according to claim 1, wherein the step 4 is performed in the following order of steps:
step 4.1, based on the graph data of the network layer and the link layer in the database module, rendering a physical topological view which comprises the router, the switch and the terminal equipment as nodes and the actual interface connection relationship as edges;
step 4.2, based on the graph data identified by the device software service in the database module, rendering a virtual asset topology view on the basis of physical topology;
step 4.3, rendering a topology view of the dynamic communication behaviors based on the graph data of the dynamic communication behaviors in the database module.
8. The method for constructing the cyberspace asset information map for the cooperative network according to claim 1, wherein the dynamic communication behavior topology construction in the step 3 has the following specific characteristics:
(1) The data source is the physical topology and the virtual asset topology together with the real-time communication data of the gateway and switch devices; specifically, the device nodes of the source IP and destination IP of the real-time communication data are located in the physical topology, the virtual asset nodes owned by the device nodes are searched in the virtual asset topology, and the virtual asset node is matched with the communication protocol;
(2) The device corresponding to the destination IP and the device corresponding to the source IP are connected by a directed edge whose relation is the communication protocol, and at the same time edges of the communication behavior relation are constructed between the virtual asset node and the device corresponding to the source IP and the device corresponding to the destination IP;
(3) A piece of dynamic communication behavior topological data is constructed on the basis of a physical topology and a virtual asset topology, and the dynamics of the topology comprises two aspects:
(3.1) the real-time dynamic flow relationship from the source IP device to the destination IP device is displayed through visual animation at the Web front end;
(3.2) an expiration time is set for the communication behavior relationship from the source IP device to the destination IP device, expired communication behavior relationships are deleted automatically, and the dynamic communication behavior topology view is updated dynamically by periodically acquiring communication behavior data and refreshing the communication behavior relationships.
9. A system for constructing a network space asset information map of a cooperative network, which is used for implementing the method for constructing the network space asset information map of the cooperative network as claimed in any one of claims 1 to 8, and mainly comprises the following components: the system comprises a physical topology construction subsystem, a software service topology construction subsystem, a dynamic communication behavior topology construction subsystem and a system function related module.
10. A system for constructing a cyberspace asset information map of a cooperative network according to claim 9, the physical topology construction subsystem comprising a network layer topology data acquisition module, a link layer topology data acquisition module and a physical topology view construction module; the software service topology construction subsystem comprises a network equipment port scanning module and a terminal equipment port scanning module; the dynamic communication behavior topology construction subsystem comprises a local packet capturing program issuing module, a communication behavior log receiving module, a communication behavior log preprocessing module and a communication behavior topology data processing module; the system function related module comprises a database module, a periodic task scheduling module, a Web service module, a remote login module and a system configuration module.
CN202210925760.8A 2022-08-03 2022-08-03 Construction method and system of network space asset information map for cooperative network Withdrawn CN115297007A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210925760.8A CN115297007A (en) 2022-08-03 2022-08-03 Construction method and system of network space asset information map for cooperative network


Publications (1)

Publication Number Publication Date
CN115297007A true CN115297007A (en) 2022-11-04

Family

ID=83826563

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210925760.8A Withdrawn CN115297007A (en) 2022-08-03 2022-08-03 Construction method and system of network space asset information map for cooperative network

Country Status (1)

Country Link
CN (1) CN115297007A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116821155A (en) * 2023-06-27 2023-09-29 上海螣龙科技有限公司 Network asset data storage and query method, device and storage medium
CN116647443A (en) * 2023-06-28 2023-08-25 广东昆仑信息科技有限公司 Method and system for rapidly positioning network fault equipment in steel plant
CN116822804A (en) * 2023-08-29 2023-09-29 合肥天帷信息安全技术有限公司 Digital asset management analysis method, device and medium
CN116822804B (en) * 2023-08-29 2024-04-26 合肥天帷信息安全技术有限公司 Digital asset management analysis method, device and medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication
Application publication date: 20221104