CN105429996B - A method for intelligently discovering and locating address translation (NAT) devices


Publication number: CN105429996B
Authority: CN (China)
Prior art keywords: nat device, information, equipment, program, suspicious
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Application number: CN201510940543.6A
Other languages: Chinese (zh)
Other versions: CN105429996A (en)
Inventors: 杨玲, 傅如毅, 蒋行杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Zhejiang Yuanwang Information Co Ltd
Original Assignee: Zhejiang Yuanwang Information Co Ltd
Application filed by: Zhejiang Yuanwang Information Co Ltd
Priority to: CN201510940543.6A
Publications: CN105429996A (application), CN105429996B (granted)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/52 Network services specially adapted for the location of the user terminal

Abstract

The invention discloses a method for intelligently discovering and locating address translation devices. The method is based on a monitoring hardware device attached in bypass mode to the core switch of the managed network. Three programs are embedded in the monitoring hardware device: a core monitoring program, a data analysis program and a device scanning program. The core monitoring program mirrors, in real time, all communication packets passing through the core switch to a local server. The data analysis program unpacks the packets mirrored to the local server, collects their feature information and identifies the IP addresses of suspicious NAT devices. The device scanning program autonomously scans each suspicious NAT device and obtains its information directly. The method discovers NAT devices autonomously and, through feature modeling analysis and a similarity weighting algorithm, makes the network boundary efficiently controllable and manageable, improves network stability and strengthens information security in dedicated network environments.

Description

A method for intelligently discovering and locating address translation devices
[Technical field]
The present invention relates to the technical field of boundary management and control for dedicated networks, and in particular to a method for intelligently discovering and locating address translation devices.
[Background]
As network applications develop and technology advances, network security threats such as unauthorized access, malicious attacks and virus propagation are becoming increasingly severe. In dedicated network environments of ever greater scale and ever more complex structure, many users, for convenience of device access or to evade supervision, privately connect terminal computers to the managed network through an address translation device (NAT device) and access intranet resources without authorization. Current network monitoring and management methods cannot discover such access behaviour promptly and effectively, let alone locate and control the connected terminal devices. This violation changes the topology of the whole network and leaves the network incompletely supervised, so that changes in the network boundary structure cannot be tracked in time. Intranet resources and information are exposed to great security risk, which easily leads to adverse consequences.
To improve network security, strengthen information security in dedicated network environments, prevent the private construction of a network within the network through NAT devices and the access of unauthorized devices, strengthen administrators' ability to control and manage the dedicated network boundary, and automatically identify and locate NAT devices, it is necessary to propose a method for intelligently discovering and locating address translation devices.
[Summary of the invention]
The object of the invention is to overcome the above deficiencies of the prior art by providing a method for intelligently discovering and locating address translation devices, aimed at solving the technical problems in the prior art that NAT devices are used to privately build a network within the network, that unauthorized devices gain access, and that the controllability and manageability of the dedicated network boundary are poor.
To achieve this object, the invention proposes a method for intelligently discovering and locating address translation devices, based on a monitoring hardware device attached in bypass mode to the core switch of the managed network. A core monitoring program, a data analysis program and a device scanning program are embedded in the monitoring hardware device. The core monitoring program mirrors, in real time, all communication packets passing through the core switch to a local server. The data analysis program unpacks the packets mirrored to the local server, collects their feature information, performs modeling and feature difference analysis on the collected data feature information using an existing NAT device feature analysis model, and identifies the IP addresses of suspicious NAT devices. The device scanning program autonomously scans each suspicious NAT device and obtains its information directly. The specific steps are as follows:
A) Mirror network packets: the monitoring hardware device attached in bypass mode to the core switch starts the core monitoring program, which mirrors a copy of all communication packets passing through the core switch to the local server;
B) Parse the communication packets: the data analysis program in the monitoring hardware device unpacks and analyzes the packets mirrored to the local server and collects their feature information, which includes the request source IP address, source port, destination port and communication protocol type;
C) Analyze the feature information: using the existing NAT device feature analysis model, the data analysis program performs modeling and feature difference analysis on the collected communication data, including its protocol information, IP addresses, port numbers and content feature information, and identifies the IP addresses of suspicious NAT devices;
D) Scan the device: once the IP address of a suspicious NAT device has been identified and locked, the device scanning program in the monitoring hardware device actively scans the suspicious NAT device at that IP address and directly obtains its relevant information;
E) Confirm the device: the feature information obtained by the device scanning program is checked again and the device type is confirmed; if the device is confirmed to be a NAT device, go to step F); if it is confirmed not to be a NAT device, return to step C);
F) Recheck: the currently identified NAT device is compared with historical data; if the feature information of the NAT device occurs repeatedly, its similarity weight is incremented; if the feature information does not appear in the historical data, its similarity weight is decremented;
G) Accurately identify the NAT device: assigning and calculating the similarity weight of the NAT device improves the accuracy of NAT device discovery.
Preferably, the communication protocol type in step B) includes the transport protocol and the application-layer protocol.
Preferably, the feature difference analysis in step C) includes application protocol difference analysis, operating system difference analysis and application feature difference analysis.
Preferably, the relevant information of the suspicious NAT device in step D) includes the system information, hardware information and manufacturer information of the suspicious NAT device.
Preferably, the information of the suspicious NAT device in step E) includes device system information, hardware information and manufacturer information.
Preferably, the device confirmation in step E) matches the current NAT device information against the relevant information about the device obtained before confirmation.
Preferably, the matched items include operating system type, port and protocol type feature information.
Beneficial effects of the invention: compared with the prior art, the method for intelligently discovering and locating address translation devices provided by the invention has the following advantages. 1. Automatic NAT device discovery: traditional network device management relies largely on manually registering assets, which is passive and cannot supervise dynamically, whereas this method analyzes content such as packet feature information within the managed network and automatically discovers and locates NAT devices, achieving dynamic supervision of the network boundary. 2. Device feature modeling analysis: using network packet analysis and feature modeling analysis, the feature content of communication data translated by NAT devices undergoes comprehensive big data analysis so that NAT devices are discovered promptly. 3. Similarity weighting algorithm: by superimposing features and comparing and calculating against historical data, a similarity value is assigned to each NAT device, which improves the accuracy of discovery so that NAT devices can be removed accurately and early. The method makes the dedicated network boundary efficiently controllable and manageable and strengthens information security in dedicated network environments.
The features and advantages of the invention are described in detail through an embodiment with reference to the accompanying drawing.
[Description of the drawings]
Fig. 1 is a flow diagram of the method for intelligently discovering and locating address translation devices according to the invention.
[Specific embodiment]
To make the objects, technical solutions and advantages of the invention clearer, the invention is further elaborated below with reference to the drawing and an embodiment. It should be understood, however, that the specific embodiment described here only serves to explain the invention and is not intended to limit its scope. In addition, descriptions of well-known structures and techniques are omitted below to avoid unnecessarily obscuring the concepts of the invention.
Referring to Fig. 1, an embodiment of the invention provides a method for intelligently discovering and locating address translation devices, based on a monitoring hardware device attached in bypass mode to the core switch of the managed network. A core monitoring program, a data analysis program and a device scanning program are embedded in the monitoring hardware device. The core monitoring program mirrors, in real time, all communication packets passing through the core switch to a local server. The data analysis program unpacks the packets mirrored to the local server, collects their feature information, performs modeling and feature difference analysis on the collected data feature information using an existing NAT device feature analysis model, and identifies the IP addresses of suspicious NAT devices. The device scanning program autonomously scans each suspicious NAT device and obtains its information directly.
The core monitoring program provides dynamic supervision of the managed network boundary. It improves on the current situation, in which traditional network device management relies largely on manually registering assets and is passive and incapable of dynamic supervision, and so improves the timeliness of network supervision and the stability of the dedicated network. The data analysis program parses all the data; after screening and checking it item by item, it identifies the IP addresses of suspicious NAT devices. The device scanning program autonomously scans the device at each suspicious IP address, and matching then determines whether the device is a NAT device. The core monitoring program, data analysis program and device scanning program work together to monitor, analyze and locate automatically, which makes the dedicated network boundary efficiently controllable and manageable and strengthens information security in dedicated network environments.
The specific steps are as follows:
A) Mirror network packets: the monitoring hardware device attached in bypass mode to the core switch starts the core monitoring program, which mirrors a copy of all communication packets passing through the core switch to the local server.
B) Parse the communication packets: the data analysis program in the monitoring hardware device unpacks and analyzes the packets mirrored to the local server and collects their feature information, which includes the request source IP address, source port, destination port and communication protocol type.
Here, the communication protocol type includes the transport protocol and the application-layer protocol.
C) Analyze the feature information: using the existing NAT device feature analysis model, the data analysis program performs modeling and feature difference analysis on the collected communication data, including its protocol information, IP addresses, port numbers and content feature information, and identifies the IP addresses of suspicious NAT devices.
Here, feature difference analysis includes application protocol difference analysis, operating system difference analysis and application feature difference analysis. Based on the differing application protocol results, operating system results and feature results, comprehensive big data analysis is then performed to determine the system, protocol and application feature information of a specific IP address.
Using network packet analysis and feature modeling analysis, the feature information of communication data translated by NAT devices undergoes comprehensive big data analysis, and NAT devices are discovered promptly according to the difference judgment results. This improves the timeliness of NAT device discovery, prevents important data in the dedicated network from leaking and improves the network's security protection.
D) Scan the device: once the IP address of a suspicious NAT device has been identified and locked, the device scanning program in the monitoring hardware device actively scans the suspicious NAT device at that IP address and directly obtains its relevant information.
Here, the relevant information of the suspicious NAT device includes its system information, hardware information and manufacturer information.
E) Confirm the device: the feature information obtained by the device scanning program is checked again and the device type is confirmed; if the device is confirmed to be a NAT device, go to step F); if it is confirmed not to be a NAT device, return to step C).
Here, the information of the suspicious NAT device includes device system information, hardware information and manufacturer information.
Further, device confirmation matches the current NAT device information against the relevant information about the device obtained before confirmation; the matched items include operating system type, port and protocol type feature information.
F) Recheck: the currently identified NAT device is compared with historical data; if the feature information of the NAT device occurs repeatedly, its similarity weight is incremented; if the feature information does not appear in the historical data, its similarity weight is decremented.
G) Accurately identify the NAT device: assigning and calculating the similarity weight of the NAT device improves the accuracy of NAT device discovery.
Through the similarity weighting algorithm, feature information is superimposed and historical data is compared and calculated for each NAT device, so that a similarity value is assigned to it. The higher the similarity weight, the more suspicious the NAT device. Once the NAT device connects to the managed network again, it can be identified from its previous similarity weight and removed promptly, which improves the accuracy of NAT device discovery and prevents both missed devices and mistaken removals.
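Steps B), C), F) and G) above, as an added Python example that is not part of the patent. The patent does not publish its feature analysis model, so the rule used here (a source IP showing two or more operating system families is suspicious), the weight step, the starting weight and the rejection threshold are assumptions; the flow records and the confirmed scan results are constructed sample data standing in for steps A), D) and E).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Step B feature record for one mirrored packet (field names are assumed)."""
    src_ip: str
    src_port: int
    dst_port: int
    transport: str   # transport protocol, e.g. "tcp"
    app_proto: str   # application-layer protocol, e.g. "http"
    os_hint: str     # OS family inferred from packet content (assumed input)
    app_hint: str    # application feature, e.g. client software family


def difference_profile(flows):
    """Step C: per source IP, collect the distinct OS, application and protocol features."""
    profile = defaultdict(lambda: {"os": set(), "app": set(), "proto": set()})
    for f in flows:
        entry = profile[f.src_ip]
        entry["os"].add(f.os_hint)
        entry["app"].add(f.app_hint)
        entry["proto"].add((f.transport, f.app_proto))
    return profile


def suspicious_ips(flows, min_os=2):
    """Assumed rule: several OS families behind one source IP suggest address translation."""
    profile = difference_profile(flows)
    return sorted(ip for ip, e in profile.items() if len(e["os"]) >= min_os)


class SimilarityHistory:
    """Steps F and G: similarity weight per device signature, kept across rounds."""

    def __init__(self, step=1, initial=0):
        self.step = step          # assumed increment / decrement size
        self.initial = initial    # assumed starting weight for an unseen device
        self.weights = {}

    def check(self, signature):
        """Increment the weight if the signature is in the history, else decrement it."""
        if signature in self.weights:
            self.weights[signature] += self.step
        else:
            self.weights[signature] = self.initial - self.step
        return self.weights[signature]


def run_round(flows, confirmed, history, reject_at=1):
    """One monitoring round. `confirmed` maps IP -> (system, hardware, vendor) for
    devices that steps D and E confirmed as NAT; the others go back to step C."""
    verdicts = {}
    for ip in suspicious_ips(flows):
        signature = confirmed.get(ip)
        if signature is None:
            continue
        weight = history.check(signature)
        verdicts[ip] = (weight, weight >= reject_at)  # assumed rejection threshold
    return verdicts


# Constructed sample data (RFC 1918 addresses, not taken from the patent).
FLOWS = [
    Flow("10.0.5.23", 50112, 80, "tcp", "http", "windows", "browser"),
    Flow("10.0.5.23", 50113, 443, "tcp", "tls", "android", "mobile-app"),
    Flow("10.0.5.23", 50114, 53, "udp", "dns", "linux", "resolver"),
    Flow("10.0.5.40", 49200, 80, "tcp", "http", "windows", "browser"),
    Flow("10.0.5.40", 49201, 443, "tcp", "tls", "windows", "browser"),
]
CONFIRMED = {"10.0.5.23": ("embedded-linux", "soho-router", "ExampleVendor")}

if __name__ == "__main__":
    history = SimilarityHistory()
    for round_no in range(1, 4):
        print(round_no, run_round(FLOWS, CONFIRMED, history))
```

With these assumed parameters a device first seen in the history starts below zero and only crosses the rejection threshold after it has reappeared in later rounds, which is the behaviour steps F) and G) describe.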
Attaching the hardware monitoring device proposed by the invention in bypass mode to the core switch of the managed network is enough to discover and identify NAT devices conveniently, efficiently and automatically, with high identification accuracy. This solves the prior-art problems of networks being privately built within the network through NAT devices, unauthorized device access, and poor controllability and manageability of the dedicated network boundary, and improves the security of the managed network.
The above is merely a preferred embodiment of the invention and is not intended to limit the invention; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (7)

1. A method for intelligently discovering and locating address translation devices, based on a monitoring hardware device attached in bypass mode to the core switch of a managed network, the monitoring hardware device having embedded in it a core monitoring program, a data analysis program and a device scanning program, wherein the core monitoring program mirrors, in real time, all communication packets passing through the core switch to a local server; the data analysis program unpacks the packets mirrored to the local server, collects their feature information, performs modeling and feature difference analysis on the collected data feature information using an existing NAT device feature analysis model, and identifies the IP addresses of suspicious NAT devices; and the device scanning program autonomously scans the suspicious NAT devices and directly obtains their information, characterized in that the specific steps are as follows:
A) Mirror network packets: the monitoring hardware device attached in bypass mode to the core switch starts the core monitoring program, which mirrors a copy of all communication packets passing through the core switch to the local server;
B) Parse the communication packets: the data analysis program in the monitoring hardware device unpacks and analyzes the packets mirrored to the local server and collects their feature information, which includes the request source IP address, source port, destination port and communication protocol type;
C) Analyze the feature information: using the existing NAT device feature analysis model, the data analysis program performs modeling and feature difference analysis on the collected communication data, including its protocol information, IP addresses, port numbers and content feature information, and identifies the IP addresses of suspicious NAT devices;
D) Scan the device: once the IP address of a suspicious NAT device has been identified and locked, the device scanning program in the monitoring hardware device actively scans the suspicious NAT device at that IP address and directly obtains its relevant information;
E) Confirm the device: the feature information obtained by the device scanning program is checked again and the device type is confirmed; if the device is confirmed to be a NAT device, go to step F); if it is confirmed not to be a NAT device, return to step C);
F) Recheck: the currently identified NAT device is compared with historical data; if the feature information of the NAT device occurs repeatedly, its similarity weight is incremented; if the feature information does not appear in the historical data, its similarity weight is decremented;
G) Accurately identify the NAT device: assigning and calculating the similarity weight of the NAT device improves the accuracy of NAT device discovery.
2. The method for intelligently discovering and locating address translation devices according to claim 1, characterized in that the communication protocol type in step B) includes the transport protocol and the application-layer protocol.
3. The method for intelligently discovering and locating address translation devices according to claim 1, characterized in that the feature difference analysis in step C) includes application protocol difference analysis, operating system difference analysis and application feature difference analysis.
4. The method for intelligently discovering and locating address translation devices according to claim 1, characterized in that the relevant information of the suspicious NAT device in step D) includes the system information, hardware information and manufacturer information of the suspicious NAT device.
5. The method for intelligently discovering and locating address translation devices according to claim 1, characterized in that the feature information obtained by the device scanning program in step E) includes device system information, hardware information and manufacturer information.
6. The method for intelligently discovering and locating address translation devices according to claim 1, characterized in that the device confirmation in step E) matches the current NAT device information against the relevant information about the device obtained before confirmation.
7. The method for intelligently discovering and locating address translation devices according to claim 6, characterized in that the matched items include operating system type, port and protocol type feature information.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510940543.6A CN105429996B (en) 2015-12-15 2015-12-15 A method of intelligence discovery and positioning address conversion equipment

Publications (2)

Publication Number Publication Date
CN105429996A CN105429996A (en) 2016-03-23
CN105429996B true CN105429996B (en) 2019-05-31

Family

ID=55507937

Country Status (1)

Country Link
CN (1) CN105429996B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant