CN108011893A - An asset management system based on network asset information collection - Google Patents


Info

Publication number: CN108011893A
Authority: CN (China)
Prior art keywords: fingerprint, host, information, data, scanning
Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Application number: CN201711432433.4A
Other languages: Chinese (zh)
Inventors: 邹洪, 沈伍强, 吴勤勤, 温柏坚, 刘晔, 魏理豪, 余志文, 周安, 陈敏, 胡海生, 曾纪钧, 梁哲恒, 刘超颖, 陈志华, 张润妹
Current assignee: Information Center of Guangdong Power Grid Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Information Center of Guangdong Power Grid Co Ltd
Application filed by Information Center of Guangdong Power Grid Co Ltd
Priority to CN201711432433.4A
Publication of CN108011893A


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                • H04L 63/1433 Vulnerability analysis
        • H04L 67/00 Network arrangements or protocols for supporting network services or applications
            • H04L 67/01 Protocols
                • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
        • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
            • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
                • H04L 69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING
        • G06F 11/00 Error detection; Error correction; Monitoring
            • G06F 11/30 Monitoring
                • G06F 11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
                    • G06F 11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
                • G06F 11/3051 Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs
        • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
        • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F 2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
                • G06F 2221/033 Test or assess software
                • G06F 2221/034 Test or assess a computer or a system

Abstract

The invention discloses an asset management system based on network asset information collection. It includes a network asset information collection system comprising: a basic information collection module, configured to discover networked hosts and fingerprint the host operating system in order to detect the operating system type of a remote target host; an application component fingerprint collection module, configured to discover fingerprint information of one or more applications or components, including the version, service port and protocol interaction characteristics of a web application or component; and a vulnerability sensing module, configured to perceive and analyse the vulnerability of network hosts and application systems in order to find weak points in operating systems, services and application components. The asset management system of the invention can accurately and reliably discover, and promptly repair, the security vulnerabilities of an information system.

Description

An asset management system based on network asset information collection
Technical field
The present invention relates to network information security, and in particular to an asset management system based on network asset information collection.
Background art
With the rapid development of the Internet, security vulnerabilities in network assets and information systems have become a major hidden danger to information security. Security vulnerabilities are a class of problems an information system produces at each stage of its life cycle (design, implementation, operation and maintenance, and so on), and they affect the security (confidentiality, integrity, availability) of the system. Because of software defects, misconfiguration of applications and IT equipment, routine errors and other causes, new vulnerabilities appear every day. At present, vulnerability scanning systems are commonly used to scan periodically, or security inspections are carried out periodically, in order to find security vulnerabilities and then repair and harden the system. This approach has the following shortcomings:
it relies on manual operation and lacks automated, standardised tools;
there is a lag between the discovery of a vulnerability and its handling;
the information about the information assets is not fully mastered, making it difficult to find and repair vulnerabilities promptly and accurately.
Therefore, how to build a network asset management system that collects network asset information more promptly, effectively, reliably and accurately, so that security vulnerabilities can be found and repaired in time, is an urgent problem in the prior art.
Summary of the invention
The main object of the present invention is to provide, in view of the deficiencies of the prior art, an asset management system based on network asset information collection.
To achieve the above object, the present invention adopts the following technical scheme:
An asset management system based on network asset information collection, including a network asset information collection system, wherein the network asset information collection system includes:
a basic information collection module, configured to discover networked hosts and fingerprint the host operating system in order to detect the operating system type of a remote target host;
an application component fingerprint collection module, configured to discover fingerprint information of one or more applications or components, including the version, service port and protocol interaction characteristics of a web application or component;
a vulnerability sensing module, configured to perceive and analyse the vulnerability of network hosts and application systems in order to find weak points in operating systems, services and application components.
Further:
The basic information collection module sends a series of TCP and UDP packets to the target host, receives the reply packets, examines each data item in the reply packets and compares them with a fingerprint database; by analysing the comparison it detects the operating system type of the remote target host.
The basic information collection module includes:
a host detection submodule, configured to convert the target area into an IP range according to a set strategy by querying an IP address database, to set up multiple scanning processes and/or threads, and to probe the corresponding ports of the target machines; a port that returns a legal response of the kind expected by the scan is judged open, a host with even one open port is judged alive, and the IP, open ports and protocol information of live hosts are stored in a live-host database; preferably, the set strategy includes the scanning target area, the scanning protocols, the port range, the scanning techniques used and the evasion techniques;
a topology discovery submodule, configured to send specific probe packets to discover each node in the network and the interconnection relationships between them; preferably, the nodes include routers and hosts;
a system fingerprint information collection submodule, configured to use a database of fingerprints established for different operating systems and different protocol stacks to examine the TCP and UDP reply packets of the target host and identify system and protocol fingerprint information;
a service fingerprint information collection submodule, configured to select the corresponding probe fingerprint from a service fingerprint database, send it to the corresponding port, and match the fingerprint in the returned packet to judge whether the corresponding component is present.
The system fingerprint information collection submodule identifies different operating systems and devices using TCP/IP protocol stack fingerprints; preferably, the system fingerprint information collection submodule is configured to perform system identification in the following way:
analyse the characteristics of various systems, establish the fingerprint characteristics of known systems, and store these fingerprint characteristics in a system fingerprint database as the sample database for fingerprint comparison;
initialise a system probe task, select the target host to be probed, and then start the system probe task; the task selects one open port and one closed port, sends pre-set TCP/UDP/ICMP packets to them, examines the returned packets and generates a system fingerprint from the returned packets; preferably, the target host is selected from the live hosts;
compare the fingerprint generated by the probe with the system fingerprint database and search for the matching system;
preferably, if the system cannot be matched exactly, the possible system is determined in a probabilistic manner.
The application component fingerprint collection module collects fingerprint information by performing one or more of: web service identification, server-side script identification, web development framework identification, web application identification, front-end library identification and third-party component identification.
The web development framework is identified using a component service detection technique; the language technology used by the back end of a website is detected using an application component page detection technique and a component service detection technique; web applications are detected using a service component page detection technique, preferably by capturing one or several pages of the website and matching their fingerprints against the fingerprint database to determine the corresponding web application; and the web space is detected using a page detection technique, which preferably identifies it through the CLASSID in the page.
The vulnerability sensing module performs one or more of system vulnerability scanning, database vulnerability scanning and web application vulnerability scanning; preferably, the vulnerability sensing module automatically matches the scanned vulnerabilities against a vulnerability database established in the back end, and automatically confirms the CVE number of each vulnerability and whether an exploitation method exists.
Vulnerability scanning is based on port scanning technology: after the port scan, the open ports of the target host and the network services on those ports are known, and this information is matched against a vulnerability database provided in advance, checking whether a vulnerability satisfying the matching condition exists by simulating the attack methods used against the system; preferably, an aggressive security vulnerability scan is performed on the target host system, preferably by testing for weak passwords; if the simulated attack succeeds, the target host system has a security vulnerability.
Using a rule-based matching technique, a network system vulnerability database is formed and corresponding matching rules are formed on that basis; the scanning program carries out the vulnerability scanning work automatically, and if a rule condition is matched a vulnerability is considered to exist; after detection is complete, the result is returned to the client; preferably, if no rule is matched, the network connection of the system is prohibited; preferably, the vulnerability data is separated from the scanning code so that the scanning engine can be updated.
The network asset information collection system further includes one or more of the following modules:
a task management module, configured to receive task instructions, schedule multiple collection modules to complete the corresponding tasks according to a strategy, dynamically monitor the running state information of each collection module in real time, and perform load balancing and task allocation in real time so that each collection module works reasonably;
a data filtering module, configured to match the raw data against the collection strategy and filter out redundant data;
a data transmission module, configured to send the collected data over a hidden subnet to a management subsystem connected to the network asset information collection system.
The asset management system further includes one or more of the following subsystems:
a management subsystem, configured to provide data display, query analysis and operation management functions, and to provide data operators with a human-computer interaction interface for the corresponding business operations;
a vulnerability mining subsystem, configured to provide vulnerability mining tools, build a general operating environment for vulnerability mining, and perform vulnerability mining on target operating systems and target application software;
a vulnerability exploitation verification subsystem, configured to provide a verification environment for building vulnerabilities and exploitation methods, verify exploitation samples, and assess the effect of the exploitation;
a security tool subsystem, configured to provide security tools, including tools for carrying out penetration attacks against target operating systems and target applications and for maintaining long-term control.
Beneficial effects of the present invention:
The present invention provides an asset management system based on network asset information collection. Through its network asset information collection system it can promptly and reliably detect and discover the live hosts in a particular network area, collect information about their operating systems and application components, and in particular collect targeted vulnerability information, providing data support and exploitable resources for subsequent penetration attacks/tests. The network asset information collection system of the invention can accurately and reliably discover the security vulnerabilities of complex information systems, which gives the asset management system a favourable condition and a good guarantee for repairing the security vulnerabilities of information systems in time.
Brief description of the drawings
Fig. 1 is a structural diagram of the asset management system based on network asset information collection according to an embodiment of the present invention;
Fig. 2 is an architecture diagram of the vulnerability scanning system based on a network system vulnerability database in a preferred embodiment of the present invention.
Detailed description of the embodiments
Embodiments of the present invention are described in detail below. It is emphasised that the following description is merely exemplary and is not intended to limit the scope of the invention or its application.
Referring to Fig. 1, in one embodiment an asset management system based on network asset information collection includes a network asset information collection system, which includes: a basic information collection module, configured to discover networked hosts and fingerprint the host operating system in order to detect the operating system type of a remote target host; an application component fingerprint collection module, configured to discover fingerprint information of one or more applications or components, including the version, service port and protocol interaction characteristics of a web application or component; and a vulnerability sensing module, configured to perceive and analyse the vulnerability of network hosts and application systems in order to find weak points in operating systems, services and application components.
In some embodiments, the network asset information collection system uses network basic information collection (including host discovery, port scanning, operating system detection, application detection and an IP address database) together with vulnerability sensing techniques to discover the live hosts in a particular network area, collect their operating system type and version and their application component type and version, and collect targeted vulnerability information according to the system type and application components.
In some embodiments, the network asset information collection system can use techniques such as IP address location, host detection and port scanning, operating system and application type detection, network application scanning, vulnerability scanning, advanced evasion techniques (AET) and firewall/IDS evasion to collect network asset information.
In an exemplary embodiment, the network asset information collection system includes a basic information collection module, an application component fingerprint collection module and a vulnerability sensing module.
(1) Basic information collection module
This module is configured to discover networked hosts and fingerprint the host operating system. It sends a series of TCP and UDP packets to the target host, receives the reply packets, examines each data item in the reply packets and compares them with a fingerprint database; by analysing the comparison it can finally detect the operating system type of the remote target host.
In a preferred embodiment, the basic information collection module specifically includes:
Host detection submodule: according to the strategy set by the user, which includes the scanning target area, the scanning protocols, the port range, the scanning techniques used and the evasion techniques, the host detection module converts the target area into an IP range by querying the IP address database, creates multiple scanning processes (threads) according to the scan settings, and probes the corresponding ports of the target machines. A port that returns a legal response of the kind expected by the scan is judged open; a host with even one open port is judged alive, and the IP, open ports and protocol information of the live host are stored in the live-host database.
Topology discovery submodule: a network topology is a representation of the interconnection relationships between the interconnected entities in a network. The topology is usually modelled as a graph in which devices (routers, hosts and so on) are represented by nodes and connection relationships (physical or logical) are represented by edges. Topology discovery sends specific probe packets to discover each node in the network and the interconnection relationships between them.
System fingerprint information collection submodule: using a database of fingerprints established for different operating systems and different protocol stacks, it examines the TCP and UDP reply packets of the target host and identifies system and protocol fingerprint information.
The system preferably identifies different operating systems and devices using TCP/IP protocol stack fingerprints. The RFC specifications leave some details of TCP/IP implementation unmandated, so different TCP/IP implementations may handle them in their own specific ways. The system judges the operating system type mainly from the differences in these details. In a preferred embodiment, the specific implementation is as follows:
First, analyse the characteristics of various systems, establish the fingerprint characteristics of known systems, and store these fingerprint characteristics in the system fingerprint database as the sample database for fingerprint comparison;
initialise a system probe task and select the target host to be probed (preferably selected from the live hosts, to avoid ineffective probing), then start the system probe task; the task selects one open port and one closed port, sends pre-set TCP/UDP/ICMP packets to them, and generates a system fingerprint from the returned packets;
compare the fingerprint generated by the probe with the system fingerprint database and search for the matching system;
if no match is found, the possible systems are listed in probabilistic form.
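The comparison step above, as an added example that is not part of the patent: a probe-derived fingerprint is scored against a sample fingerprint database, an exact match is reported as such, and otherwise the candidates are ranked in probabilistic form. The attribute names (ttl, window, df, options, rst_to_closed), the weights and every database entry are constructed assumptions, not the patent's own schema or data.

```python
from typing import Dict, List, Optional, Tuple

# A fingerprint maps attribute names to the values observed in the replies to
# the pre-set probes (one sent to an open port, one to a closed port).
Fingerprint = Dict[str, object]

# Constructed sample "system fingerprint store" of known stacks. Attribute
# names are assumptions modelled on classic stack-fingerprinting attributes:
#   ttl            initial IP TTL of the SYN/ACK returned by the open port
#   window         TCP window advertised in that SYN/ACK
#   df             whether its Don't-Fragment bit is set
#   options        order of the TCP options it carries
#   rst_to_closed  whether the closed port answered with a RST at all
FINGERPRINT_DB: Dict[str, Fingerprint] = {
    "sample-os-A": {"ttl": 64, "window": 29200, "df": True,
                    "options": "MSS,SACK,TS,NOP,WS", "rst_to_closed": True},
    "sample-os-B": {"ttl": 128, "window": 8192, "df": True,
                    "options": "MSS,NOP,WS,NOP,NOP,SACK", "rst_to_closed": True},
    "sample-os-C": {"ttl": 255, "window": 4128, "df": False,
                    "options": "MSS", "rst_to_closed": False},
}

# Attribute weights (assumed): option order and window size discriminate
# stacks more strongly than TTL, which is also perturbed by the hop count.
WEIGHTS = {"options": 3.0, "window": 2.0, "df": 1.0, "rst_to_closed": 1.0, "ttl": 1.0}


def normalize_ttl(ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value (64, 128
    or 255) so a reply that crossed a few hops still matches its stack's
    initial TTL."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial
    return ttl


def score(probe: Fingerprint, known: Fingerprint) -> float:
    """Weighted fraction (0.0 to 1.0) of the attributes present in the probe
    result on which it agrees with a known fingerprint. Attributes the probe
    could not observe (e.g. no closed port answered) stay out of the
    denominator."""
    total = 0.0
    agreed = 0.0
    for attr, weight in WEIGHTS.items():
        if attr not in probe or attr not in known:
            continue
        total += weight
        observed = normalize_ttl(probe[attr]) if attr == "ttl" else probe[attr]
        if observed == known[attr]:
            agreed += weight
    return agreed / total if total else 0.0


def rank_candidates(probe: Fingerprint,
                    db: Dict[str, Fingerprint] = FINGERPRINT_DB) -> List[Tuple[str, float]]:
    """All known systems ordered by score, best first: the 'possible systems in
    probabilistic form' the description falls back to without an exact match."""
    ranked = [(name, score(probe, fp)) for name, fp in db.items()]
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


def match_fingerprint(probe: Fingerprint,
                      db: Dict[str, Fingerprint] = FINGERPRINT_DB,
                      min_score: float = 0.5) -> Tuple[Optional[str], float, bool]:
    """Return (system, confidence, exact). 'exact' is True only when every
    observed attribute agrees with one database entry; otherwise the best
    candidate is reported with its score, or (None, score, False) when even
    the best candidate falls below min_score."""
    ranked = rank_candidates(probe, db)
    if not ranked:
        return None, 0.0, False
    best_name, best_score = ranked[0]
    if best_score >= 1.0:
        return best_name, 1.0, True
    if best_score < min_score:
        return None, best_score, False
    return best_name, best_score, False


if __name__ == "__main__":
    # Constructed probe result: an "A"-like stack observed three hops away.
    probe = {"ttl": 61, "window": 29200, "df": True,
             "options": "MSS,SACK,TS,NOP,WS", "rst_to_closed": True}
    print(match_fingerprint(probe))
    print(rank_candidates(probe))
```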
Service fingerprint information collection submodule: the corresponding probe fingerprint is selected from the service fingerprint database and sent to the corresponding port, and fingerprint matching on the returned packet judges whether the corresponding component is present.
(2) Application component fingerprint collection module
This module is configured to discover fingerprint information such as the version, service port and protocol interaction characteristics of web applications or components.
This module can support identification based on web services, server-side scripts, web development frameworks, web applications, front-end libraries, third-party components and so on.
A web development framework is a service program: the server provides a service externally through some port and handles the requests sent by clients, for example the Tomcat container in Java, or the IIS or PWS framework for ASP. This module can identify web development frameworks using a component service detection technique; for example, it can detect a Tomcat framework by sending the fingerprint "URI/status".
This module can use an application component page detection technique and a service component detection technique to detect which language the back end of a website uses; the specific method judges from fingerprints such as the meta information, script tags, header information, session, error pages and some of the page content of the web pages.
This module can detect web applications using a service component page detection technique: by capturing one or several pages of the website and matching their fingerprints against the fingerprint database, the corresponding web application can be determined.
A page detection technique can also be used to detect the web space, for example by identifying the CLASSID in the page.
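The page-fingerprint matching the module describes (headers, session cookie, meta information, script tags and CLASSID values of a captured page, matched against a fingerprint database), as an added example that is not the patent's code: the fingerprint rules, the component names and the captured response are all constructed placeholders, and the rule format is an assumption of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed fingerprint database. Each rule says where to look ("header",
# "cookie" or "body"), the pattern to match, and which component and kind a
# match identifies; a capture group, when present, yields the version.
# All component names are placeholders, not real products.
WEB_FINGERPRINTS: List[Dict[str, Optional[str]]] = [
    {"component": "sample-servlet-container", "kind": "web framework",
     "where": "header", "name": "server", "pattern": r"SampleServlet/([\d.]+)"},
    {"component": "sample-lang", "kind": "server-side language",
     "where": "header", "name": "x-powered-by", "pattern": r"SampleLang/([\d.]+)"},
    {"component": "sample-lang", "kind": "server-side language",
     "where": "cookie", "name": None, "pattern": r"^SAMPLESESSID="},
    {"component": "sample-cms", "kind": "web application",
     "where": "body", "name": None,
     "pattern": r'<meta\s+name="generator"\s+content="SampleCMS ([\d.]+)"'},
    {"component": "sample-ui-lib", "kind": "front-end library",
     "where": "body", "name": None, "pattern": r"/samplelib-([\d.]+)\.min\.js"},
    {"component": "sample-activex", "kind": "page component (CLASSID)",
     "where": "body", "name": None,
     "pattern": r'classid="clsid:([0-9A-Fa-f-]{36})"'},
]

# Constructed captured page (one HTTP/1.1 response) to run the rules over.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: SampleServlet/9.0.1\r\n"
    b"X-Powered-By: SampleLang/2.3\r\n"
    b"Set-Cookie: SAMPLESESSID=abc123; Path=/; HttpOnly\r\n"
    b"Set-Cookie: theme=light\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><head>\n"
    b'<meta name="generator" content="SampleCMS 4.2.0">\n'
    b'<script src="/static/samplelib-1.8.3.min.js"></script>\n'
    b"</head><body>\n"
    b'<object classid="clsid:12345678-1234-1234-1234-123456789ABC"></object>\n'
    b"</body></html>\n"
)


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, List[str]], str]:
    """Split a raw HTTP/1.x response into (status code, headers, body).
    Header names are lower-cased; repeated headers (Set-Cookie) keep every
    value so each cookie can be matched separately."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body.decode("utf-8", errors="replace")


def fingerprint_response(raw: bytes,
                         rules: List[Dict[str, Optional[str]]] = WEB_FINGERPRINTS
                         ) -> List[Dict[str, Optional[str]]]:
    """Match one captured page against the fingerprint database and return
    the identified components, one entry per (component, kind). When several
    rules identify the same component, the first version found is kept."""
    _status, headers, body = parse_http_response(raw)
    found: Dict[Tuple[str, str], Optional[str]] = {}
    for rule in rules:
        if rule["where"] == "header":
            candidates = headers.get(rule["name"] or "", [])
        elif rule["where"] == "cookie":
            candidates = headers.get("set-cookie", [])
        else:
            candidates = [body]
        for text in candidates:
            m = re.search(rule["pattern"] or "", text)
            if m:
                key = (rule["component"], rule["kind"])
                version = m.group(1) if m.groups() else None
                if found.get(key) is None:  # do not overwrite a known version
                    found[key] = version
                break
    return [{"component": c, "kind": k, "version": v}
            for (c, k), v in found.items()]


if __name__ == "__main__":
    for entry in fingerprint_response(SAMPLE_RESPONSE):
        print(entry)
```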
(3) Vulnerability sensing module
This module is configured to perceive and analyse the vulnerability of network hosts and application systems and to discover weak points in operating systems, services and application components. It integrates several tools, such as system vulnerability scanning, database vulnerability scanning and web application vulnerability scanning, can automatically match vulnerabilities against a vulnerability database established in the back end, and automatically confirms the CVE number of each vulnerability and whether an exploitation method exists.
In a preferred embodiment, the vulnerability scanning architecture based on a network system vulnerability database is as shown in Fig. 2.
Vulnerability scanning technology is built on the basis of port scanning technology. From the analysis of attacks and of the collected vulnerabilities, most are aimed at some network service, that is, at some specific port. Therefore, in a preferred embodiment, the vulnerability scanning technology used scans with the same approach as port scanning technology. The vulnerability scanning technology preferably checks whether the target host has a vulnerability by the following method: after the port scan, the open ports of the target host and the network services on those ports are known, and this information is matched against the vulnerability database provided by the network vulnerability scanning system. By simulating the attack methods used against the system, it checks whether a vulnerability satisfying the matching condition exists. Preferably, an aggressive security vulnerability scan is performed on the target host system, such as testing for weak passwords. If the simulated attack succeeds, the target host system has a security vulnerability.
The system uses a rule-based matching technique: from security experts' analysis of network system security vulnerabilities and hacker attack cases, and from system administrators' practical experience in configuring network system security, a standard network system vulnerability database is formed; corresponding matching rules are formed on that basis, and the scanning program carries out the vulnerability scanning work on its own initiative. Preferably, if no rule is matched, the network connection of the system is prohibited.
In a preferred embodiment, the system vulnerability database provided by the vulnerability scanning system is matched, and if the condition is met a vulnerability is considered to exist. After the server's detection is complete, the result is returned to the client and an intuitive report is generated. The rule matching database on the server side can be a collection of many shared routines that store various scanning attack methods. The vulnerability data is separated from the scanning code, enabling users to update the scanning engine themselves.
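The rule-based matching stage described in the three paragraphs above, as an added example that is not the patent's code: the collected service inventory is run against a vulnerability rule set kept as data separate from the matching code, each hit records the vulnerability identifier and whether an exploitation method is known, and a per-host summary is produced for the report. The rule format, the inventory records, the product names and the "CVE-0000-..." identifiers are constructed placeholders, not real CVE numbers or products.

```python
import json
from typing import Dict, List, Tuple

# Constructed vulnerability rule set, held as JSON data rather than in the
# scanning code so that it can be updated on its own. Every product name and
# identifier is a placeholder; the "CVE-0000-..." ids are NOT real CVE numbers.
VULN_RULES_JSON = """
[
  {"id": "CVE-0000-00001", "product": "sample-httpd", "min_version": "2.4.0",
   "max_version": "2.4.50", "severity": "high", "exploit_known": true},
  {"id": "CVE-0000-00002", "product": "sample-db", "min_version": "5.7.0",
   "max_version": "5.7.33", "severity": "medium", "exploit_known": false},
  {"id": "CVE-0000-00003", "product": "sample-ssh", "min_version": "8.0",
   "max_version": "8.4", "severity": "low", "exploit_known": false}
]
"""

# Constructed output of the collection stage: one record per open port with
# the service/component fingerprint found on it (RFC 1918 sample addresses).
INVENTORY: List[Dict] = [
    {"host": "10.0.0.5", "port": 80, "product": "sample-httpd", "version": "2.4.49"},
    {"host": "10.0.0.5", "port": 3306, "product": "sample-db", "version": "5.7.40"},
    {"host": "10.0.0.9", "port": 8080, "product": "sample-httpd", "version": "2.4.51"},
    {"host": "10.0.0.9", "port": 22, "product": "sample-ssh", "version": "8.4p1"},
    {"host": "10.0.0.12", "port": 443, "product": "unknown-tls", "version": ""},
]


def parse_version(text: str, width: int = 4) -> Tuple[int, ...]:
    """'2.4.49' -> (2, 4, 49, 0); '8.4p1' -> (8, 4, 0, 0). Each dotted
    component contributes its leading digits, and the tuple is padded with
    zeros to a fixed width so versions compare component by component."""
    parts: List[int] = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts[:width] + [0] * (width - len(parts)))


def load_rules(rules_json: str) -> List[Dict]:
    """Load the rule set from its data representation."""
    return json.loads(rules_json)


def rule_matches(record: Dict, rule: Dict) -> bool:
    """A rule fires when the product name matches and the observed version
    lies inside the rule's inclusive [min_version, max_version] range.
    Records without a version never match (no silent false positives)."""
    if record["product"] != rule["product"] or not record["version"]:
        return False
    observed = parse_version(record["version"])
    return parse_version(rule["min_version"]) <= observed <= parse_version(rule["max_version"])


def match_inventory(inventory: List[Dict], rules: List[Dict]) -> List[Dict]:
    """Run every rule over every inventory record; each hit records the
    vulnerability id and whether an exploitation method is known."""
    findings: List[Dict] = []
    for record in inventory:
        for rule in rules:
            if rule_matches(record, rule):
                findings.append({
                    "host": record["host"], "port": record["port"],
                    "product": record["product"], "version": record["version"],
                    "cve": rule["id"], "severity": rule["severity"],
                    "exploit_known": rule["exploit_known"],
                })
    return findings


def summarize(findings: List[Dict]) -> Dict[str, Dict[str, int]]:
    """Per-host counts for the report returned to the client after detection."""
    report: Dict[str, Dict[str, int]] = {}
    for f in findings:
        entry = report.setdefault(f["host"], {"vulnerabilities": 0, "with_exploit": 0})
        entry["vulnerabilities"] += 1
        if f["exploit_known"]:
            entry["with_exploit"] += 1
    return report


if __name__ == "__main__":
    hits = match_inventory(INVENTORY, load_rules(VULN_RULES_JSON))
    for hit in hits:
        print(hit)
    print(summarize(hits))
```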
In a more preferred embodiment, the network asset information collection system can also include a task management module.
(4) Task management module
The task management module is configured to receive task instructions and schedule multiple collection modules to complete the corresponding tasks according to a strategy. It needs to dynamically monitor the running state information of each collection module in real time and perform load balancing and allocation of tasks in real time, so that each collection module works reasonably.
In a more preferred embodiment, the network asset information collection system can also include a data filtering module.
(5) Data filtering module
The data filtering module is configured to match the raw data according to the collection strategy and filter out redundant data.
In a more preferred embodiment, the network asset information collection system can also include a data transmission module.
(6) Data transmission module
The data transmission module is configured to send the collected data to the management subsystem over a hidden subnet.
The asset management system of the present invention uses the network asset information collection system of the above embodiment. The network asset information collection system can detect and discover the live hosts in a particular network area, collect information about their operating systems and application components, and collect targeted vulnerability information, providing data support and exploitable resources for subsequent penetration attacks/tests. The asset management system of the present invention can therefore collect network asset information more promptly, effectively, reliably and accurately, and so better discover and promptly repair the security vulnerabilities of information systems.
In a preferred embodiment, the asset management system can also include one or more of the following subsystems:
a management subsystem, configured to provide data display, query analysis and operation management functions, and to provide data operators with a human-computer interaction interface for the corresponding business operations;
a vulnerability mining subsystem, configured to provide vulnerability mining tools, build a general operating environment for vulnerability mining, and perform vulnerability mining on target operating systems and target application software;
a vulnerability exploitation verification subsystem, configured to provide a verification environment for building vulnerabilities and exploitation methods, verify exploitation samples, and assess the effect of the exploitation;
a security tool subsystem, configured to provide security tools, including tools for carrying out penetration attacks against target operating systems and target applications and for maintaining long-term control.
Preferably but not necessarily, as shown in Fig. 1, the asset management system based on network asset information collection of the present invention includes a network asset information collection system and a management subsystem. Specifically, the management subsystem can display the data of the results produced by the information collection subsystem, the vulnerability mining subsystem, the vulnerability exploitation verification subsystem and the security tools, can perform operation management of the above systems, and at the same time provides a query analysis work system. This work system includes a task processing environment with a rule management mode and a series of interactive analysis tools, through which analysts can complete various data analysis tasks. In addition, the system has a personal operation desktop (workbench) and an information aggregation display interface for users with different rights. Finally, the system performs configuration management of the data area, analysis and report display of the various kinds of data, and provides data operators with a human-computer interaction interface for the corresponding business operations.
Preferably but not necessarily, the asset management system based on network asset information collection of the present invention can further include a vulnerability mining subsystem. Based on typical vulnerability mining technical means, the vulnerability mining subsystem integrates existing vulnerability mining tools and custom-developed ones, builds a general operating environment for vulnerability mining, performs vulnerability mining on target operating systems and target application software, and develops exploitation samples for newly discovered vulnerabilities.
Preferably but not necessarily, the asset management system based on network asset information collection of the present invention can further include a vulnerability exploitation verification subsystem. It can build a verification environment for vulnerabilities and exploitation methods, verify exploitation samples, and assess the effect of the exploitation.
Preferably but not necessarily, the asset management system based on network asset information collection of the present invention can further include a security tool subsystem. It can custom-develop security tools to carry out penetration attacks against target operating systems and target applications and to maintain long-term control.
The above is a further description of the present invention in combination with specific/preferred embodiments, and it cannot be concluded that the specific implementation of the present invention is limited to these descriptions. For those of ordinary skill in the technical field of the present invention, several substitutions or modifications may be made to the described embodiments without departing from the inventive concept, and all such substitutions or modifications should be considered within the scope of protection of the present invention.

Claims (10)

1. An asset management system based on network asset information gathering, including a network asset information gathering system, characterized in that the network asset information gathering system includes:
a basic information collection module, configured to discover network hosts and perform fingerprint recognition of the host operating system in order to detect the operating system type of a remote target host;
an application component fingerprint collection module, configured to discover one or more items of application program or component fingerprint information, including the version of a web application or component, its service port and its protocol interaction characteristics;
a vulnerability perception module, configured to perceive and analyze the vulnerability of network hosts and application systems in order to find weak points in operating systems, services and application components.
2. The asset management system of claim 1, characterized in that the basic information collection module sends a series of TCP and UDP packets to the target host, receives the reply packets, detects each data item in the reply packets and compares them with a fingerprint database, detecting the operating system type of the remote target host through this comparison and analysis.
3. The asset management system of claim 1 or 2, characterized in that the basic information collection module includes:
a host detection submodule, configured to convert a target area into IP ranges according to a set strategy, query the IP address database, set multiple scanning processes and/or threads according to the scan, and probe the corresponding ports of the target machines; when a port receives a response packet that meets the rules, the port is judged to be open, and as soon as a host has one open port the host is judged to be alive, and the IP, open ports and protocol information of the live host are stored in the live host database; preferably, the set strategy includes the target area to scan, the scanning protocol, the port range, the scanning technique used and the evasion technique;
a topology discovery submodule, configured to send specific probe packets to discover each node in the network and the interconnection relationships between them; preferably, the nodes include routers and hosts;
a system fingerprint information collection submodule, configured to use a fingerprint database built for different operating systems and different protocol stacks to probe the TCP and UDP reply packets of the target host and identify system and protocol fingerprint information;
a service fingerprint information collection submodule, configured to select the corresponding probe fingerprint from the service fingerprint base, send it to the corresponding port, and match the fingerprint in the returned packet to judge whether the corresponding component is present.
4. The asset management system of claim 3, characterized in that the system fingerprint information collection submodule uses TCP/IP protocol stack fingerprints to identify different operating systems and devices; preferably, the system fingerprint information collection submodule is configured to perform system identification in the following way:
analyzing the characteristics of various systems, establishing the fingerprint characteristics of known systems, and storing these fingerprint characteristics in a system fingerprint database as the sample base for fingerprint comparison;
initializing a system probe task, selecting the target host to probe, and then starting the system probe task; the task selects one open port and one closed port, sends pre-set TCP/UDP/ICMP packets to them, detects the returned packets and generates a system fingerprint from the returned packets; preferably, the target host is selected from the live host database;
comparing the fingerprint generated by probing with the system fingerprint database and searching for a matching system;
preferably, if the system cannot be matched exactly, the possible system is determined in a probabilistic manner.
5. The asset management system of any one of claims 1 to 4, characterized in that the application component fingerprint collection module collects fingerprint information by performing one or more of web service, server-side language, web development framework, web application, front-end library and third-party component recognition, wherein web development frameworks are identified using component service detection techniques, wherein the language used by the web site back end is detected by application component page detection techniques and component service detection techniques, wherein web applications are detected by component page detection techniques, preferably by capturing one or several pages of the web site and matching them against the fingerprints in the fingerprint base to identify the corresponding web application, and wherein web front-end libraries are detected using page detection techniques, the page detection techniques preferably including identification by the CLASSID of the page.
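Claims 3 to 5 describe two matching steps: a system fingerprint generated from probe replies is compared with a system fingerprint base (falling back to a probabilistic match when no exact match exists), and a captured page is compared with a component fingerprint base. The following is an added example written for this page, not code from the patent or its applicant. It works entirely on constructed data: the fingerprint bases, the feature set (TTL, window size, DF flag, TCP option order, RST/ICMP behaviour on closed ports), the parsed probe replies and the HTTP response are all assumptions made for illustration, and no packets are sent.

```python
"""Fingerprint matching over constructed data (added example; not the patent's
code). The system fingerprint base, feature weights, component regexes and
sample inputs are all assumptions made for illustration."""
import re

# Constructed system fingerprint base: features of the replies a known system
# gives to a SYN on an open port, a SYN on a closed port and a UDP datagram on
# a closed port (the probe set named in claim 4).
SYSTEM_FINGERPRINTS = {
    "os-A": {"ttl": 64,  "win": 65535, "df": True,  "opts": "MSS,SACK,TS,NOP,WS",
             "rst_on_closed": True,  "icmp_unreach": True},
    "os-B": {"ttl": 128, "win": 8192,  "df": True,  "opts": "MSS,NOP,WS,NOP,NOP,SACK",
             "rst_on_closed": True,  "icmp_unreach": True},
    "os-C": {"ttl": 255, "win": 4128,  "df": False, "opts": "MSS",
             "rst_on_closed": False, "icmp_unreach": False},
}
# Assumed weight of each feature for the probabilistic fallback.
FEATURE_WEIGHTS = {"ttl": 2, "win": 2, "df": 1, "opts": 3,
                   "rst_on_closed": 1, "icmp_unreach": 1}


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the initial TTL the sender most likely used,
    so that the hop count does not perturb the fingerprint."""
    for base in (64, 128, 255):
        if observed_ttl <= base:
            return base
    return observed_ttl


def fingerprint_from_replies(replies):
    """Build a system fingerprint from already-parsed probe replies.
    `replies` has the keys open_tcp, closed_tcp, closed_udp (constructed format)."""
    synack = replies["open_tcp"]
    return {
        "ttl": initial_ttl(synack["ttl"]),
        "win": synack["win"],
        "df": synack["df"],
        "opts": synack["opts"],
        "rst_on_closed": replies["closed_tcp"].get("rst", False),
        "icmp_unreach": replies["closed_udp"].get("icmp_unreach", False),
    }


def match_system(fp, base=SYSTEM_FINGERPRINTS, weights=FEATURE_WEIGHTS):
    """Return (system, confidence, exact). Agreement on every feature gives an
    exact match with confidence 1.0; otherwise the best candidate is chosen by
    the share of weighted features that agree (the probabilistic fallback)."""
    total = sum(weights.values())
    ranked = sorted(
        ((sum(w for f, w in weights.items() if fp.get(f) == ref.get(f)) / total, name)
         for name, ref in base.items()),
        reverse=True)
    confidence, name = ranked[0]
    return name, round(confidence, 3), confidence == 1.0


# Constructed component fingerprint base for claim 5: a regex applied either
# to the response headers or to the body of a captured page.
COMPONENT_FINGERPRINTS = [
    {"component": "server-X", "where": "headers",
     "pattern": r"^Server: server-X/(?P<version>[\d.]+)"},
    {"component": "framework-Y", "where": "headers",
     "pattern": r"^X-Powered-By: framework-Y/(?P<version>[\d.]+)"},
    {"component": "cms-Z", "where": "body",
     "pattern": r'<meta name="generator" content="cms-Z (?P<version>[\d.]+)"'},
    {"component": "control-W", "where": "body",       # CLASSID-based page identification
     "pattern": r'classid="(?P<classid>clsid:[0-9A-Fa-f-]+)"'},
]


def match_components(headers, body, base=COMPONENT_FINGERPRINTS):
    """Match a captured page against the component fingerprint base and return
    {component: captured fields} for every entry whose pattern matches."""
    found = {}
    for entry in base:
        text = headers if entry["where"] == "headers" else body
        m = re.search(entry["pattern"], text, re.MULTILINE | re.IGNORECASE)
        if m:
            found[entry["component"]] = m.groupdict()
    return found


# Constructed sample inputs.
SAMPLE_REPLIES = {
    "open_tcp":   {"ttl": 57, "win": 65535, "df": True, "opts": "MSS,SACK,TS"},
    "closed_tcp": {"rst": True},
    "closed_udp": {"icmp_unreach": True},
}
SAMPLE_HEADERS = ("HTTP/1.1 200 OK\r\nServer: server-X/2.4\r\n"
                  "X-Powered-By: framework-Y/7.1\r\nContent-Type: text/html\r\n")
SAMPLE_BODY = ('<html><head><meta name="generator" content="cms-Z 5.2"></head>'
               '<body><object classid="clsid:00000000-0000-0000-0000-000000000000">'
               '</object></body></html>')

if __name__ == "__main__":
    print(match_system(fingerprint_from_replies(SAMPLE_REPLIES)))
    print(match_components(SAMPLE_HEADERS, SAMPLE_BODY))
```

With the sample replies the option string differs from every entry, so no exact match exists and `match_system` falls back to the weighted score, reporting os-A at 0.7. Normalizing the TTL before matching is what keeps a host several hops away from being mis-scored; the confidence threshold at which a non-exact match should still be written into the asset inventory is a policy decision the example leaves to the caller.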
6. The asset management system of any one of claims 1 to 5, characterized in that the vulnerability perception module performs one or more of system vulnerability scanning, database vulnerability scanning and web application vulnerability scanning; preferably, the vulnerability perception module automatically matches the scanned vulnerabilities against a vulnerability database built in the back end, and automatically confirms the CVE number of each vulnerability and whether an exploitation method exists.
7. The asset management system of claim 6, characterized in that vulnerability scanning is based on port scanning technology: after port scanning, the ports opened by the target host and the network services on those ports are learned, and this information is matched against a vulnerability database provided in advance, wherein the attack methods against the system are simulated to check whether a vulnerability meeting the matching conditions exists; preferably, an aggressive security scan is carried out on the target host system, preferably by testing weak passwords, and if the simulated attack succeeds the target host system is shown to have a security vulnerability.
8. The asset management system of claim 6 or 7, characterized in that rule-based matching technology is used to form a network system vulnerability database, on the basis of which the corresponding matching rules are formed, and the scanning system carries out the vulnerability scanning work automatically; if the conditions of a rule are matched, a vulnerability is considered to exist, and the result is returned to the client after detection is complete; preferably, if no rule is matched, the network connection of the system is prohibited; preferably, the vulnerability data are separated from the scanning code so that the scanning engine can be updated.
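Claims 6 to 8 describe rule-based matching of the discovered services against a vulnerability database that is kept in data, separate from the scanning engine, so that the rule set can be updated on its own, with each finding carrying the CVE number and whether an exploitation method is known. The following is an added example written for this page, not code from the patent or its applicant. The rule file format, the CVE-style identifiers, the product names and the discovered services are all constructed placeholders; they do not refer to any real vulnerability.

```python
"""Rule-based vulnerability matching over constructed data (added example; not
the patent's code). RULES_JSON stands in for a rules file; every identifier,
product and version in it is a placeholder."""
import json

# Constructed rule set. Each rule names a product, an inclusive version range,
# an optional port, whether an exploitation method is known, and a severity.
RULES_JSON = """[
  {"id": "CVE-0000-00001", "product": "server-X",    "min_version": "2.0", "max_version": "2.4",
   "port": null, "exploit_available": true,  "severity": "high"},
  {"id": "CVE-0000-00002", "product": "framework-Y", "min_version": "7.0", "max_version": "7.1",
   "port": null, "exploit_available": false, "severity": "medium"},
  {"id": "CVE-0000-00003", "product": "db-Q",        "min_version": "1.0", "max_version": "1.9",
   "port": 5432, "exploit_available": true,  "severity": "critical"}
]"""


def parse_version(text):
    """Turn a dotted version string into a tuple that compares numerically,
    so that 1.10 sorts after 1.9. Raises ValueError on a non-numeric part."""
    return tuple(int(part) for part in text.split("."))


def load_rules(text=RULES_JSON):
    """Parse the rule set and pre-compute the version bounds of every rule."""
    rules = json.loads(text)
    for rule in rules:
        rule["min"] = parse_version(rule["min_version"])
        rule["max"] = parse_version(rule["max_version"])
    return rules


def rule_matches(rule, service):
    """A rule matches when product, optional port and version range all agree.
    A banner whose version cannot be parsed is never matched: do not guess."""
    if rule["product"] != service["product"]:
        return False
    if rule["port"] is not None and rule["port"] != service["port"]:
        return False
    try:
        version = parse_version(service["version"])
    except ValueError:
        return False
    return rule["min"] <= version <= rule["max"]


def match_services(services, rules):
    """Return one finding per (service, rule) pair whose conditions are
    satisfied, carrying the CVE id and whether an exploitation method is known."""
    findings = []
    for service in services:
        for rule in rules:
            if rule_matches(rule, service):
                findings.append({
                    "host": service["host"], "port": service["port"],
                    "product": service["product"], "version": service["version"],
                    "cve": rule["id"], "severity": rule["severity"],
                    "exploit_available": rule["exploit_available"],
                })
    return findings


# Constructed services, in the shape the service fingerprint submodule would report.
SAMPLE_SERVICES = [
    {"host": "192.0.2.10", "port": 80,   "product": "server-X",    "version": "2.4"},
    {"host": "192.0.2.10", "port": 8080, "product": "framework-Y", "version": "7.2"},
    {"host": "192.0.2.11", "port": 5432, "product": "db-Q",        "version": "1.5"},
    {"host": "192.0.2.12", "port": 5433, "product": "db-Q",        "version": "1.5"},
    {"host": "192.0.2.13", "port": 80,   "product": "server-X",    "version": "unknown"},
]

if __name__ == "__main__":
    for finding in match_services(SAMPLE_SERVICES, load_rules()):
        print(finding)
```

Only two of the five constructed services produce findings: framework-Y 7.2 lies above the rule's range, db-Q on port 5433 fails the port condition, and the service whose version could not be parsed is deliberately skipped rather than guessed. Comparing versions as integer tuples rather than strings is the check that matters most in practice, since string comparison would place 1.10 below 1.9 and silently drop matches.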
9. The asset management system of any one of claims 1 to 8, characterized in that the network asset information gathering system further includes one or more of the following modules:
a task management module, configured to receive task instructions, schedule multiple collection modules according to a strategy to complete the corresponding tasks, dynamically monitor the running state information of each collection module in real time, and carry out load balancing and task allocation in real time to ensure that each collection module can work reasonably;
a data filtering module, configured to match the raw data against the acquisition strategy and filter out redundant data;
a data transmission module, configured to send the gathered data through a hidden subnet to the management subsystem connected to the network asset information gathering system.
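The host detection submodule of claim 3 converts a target area into IP ranges under a set strategy, and the task management and data filtering modules of claim 9 balance collection tasks across collectors and drop raw records that fall outside the acquisition strategy or duplicate one another. The following is an added example written for this page, not code from the patent or its applicant; the strategy format, the least-loaded scheduling policy, the collector records and the raw records are assumptions made for illustration, using documentation address ranges only.

```python
"""Target expansion, collector scheduling and result filtering (added example;
not the patent's code). The strategy format and all sample inputs are
constructed for illustration."""
import ipaddress
from collections import defaultdict

# Constructed acquisition strategy (the "set strategy" of claim 3).
STRATEGY = {
    "targets": ["192.0.2.0/30", "192.0.2.10-192.0.2.12", "198.51.100.7"],
    "ports": [22, 80, 443],
    "protocols": ["tcp"],
}


def expand_targets(targets):
    """Convert a target area given as CIDR blocks, dashed ranges and single
    addresses into a sorted, de-duplicated list of host addresses."""
    hosts = set()
    for item in targets:
        if "/" in item:
            hosts.update(ipaddress.ip_network(item, strict=False).hosts())
        elif "-" in item:
            start, end = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            hosts.update(ipaddress.ip_address(n) for n in range(int(start), int(end) + 1))
        else:
            hosts.add(ipaddress.ip_address(item))
    return sorted(hosts)


def dispatch(tasks, collectors):
    """Assign each task to the collector with the least current load and return
    (assignment, final loads). Tasks carry an estimated cost (default 1);
    collectors report their current load, as the monitor would observe it."""
    load = {c["name"]: c["load"] for c in collectors}
    assignment = defaultdict(list)
    for task in tasks:
        target = min(load, key=load.get)
        assignment[target].append(task["id"])
        load[target] += task.get("cost", 1)
    return dict(assignment), load


def filter_records(records, strategy=STRATEGY):
    """Keep only records the strategy asked for and drop repeats of the same
    (ip, port, protocol), preserving first-seen order."""
    allowed = set(expand_targets(strategy["targets"]))
    ports, protocols = set(strategy["ports"]), set(strategy["protocols"])
    seen, kept = set(), []
    for rec in records:
        key = (rec["ip"], rec["port"], rec["proto"])
        if (ipaddress.ip_address(rec["ip"]) not in allowed
                or rec["port"] not in ports or rec["proto"] not in protocols
                or key in seen):
            continue
        seen.add(key)
        kept.append(rec)
    return kept


# Constructed inputs.
SAMPLE_TASKS = [{"id": "t1", "cost": 3}, {"id": "t2", "cost": 1},
                {"id": "t3", "cost": 1}, {"id": "t4", "cost": 2}]
SAMPLE_COLLECTORS = [{"name": "c1", "load": 0}, {"name": "c2", "load": 2}]
SAMPLE_RECORDS = [
    {"ip": "192.0.2.1",   "port": 22,  "proto": "tcp"},
    {"ip": "192.0.2.1",   "port": 22,  "proto": "tcp"},   # redundant repeat
    {"ip": "192.0.2.11",  "port": 443, "proto": "tcp"},
    {"ip": "192.0.2.11",  "port": 53,  "proto": "udp"},   # protocol not in strategy
    {"ip": "203.0.113.5", "port": 80,  "proto": "tcp"},   # outside the target area
]

if __name__ == "__main__":
    print([str(h) for h in expand_targets(STRATEGY["targets"])])
    print(dispatch(SAMPLE_TASKS, SAMPLE_COLLECTORS))
    print(filter_records(SAMPLE_RECORDS))
```

Filtering against the expanded target list, rather than only against the port list, is what stops a collector that strayed outside its assigned area from polluting the inventory; the same check also makes a mis-typed strategy visible early, because an empty result for a populated range is easy to notice.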
10. The asset management system of any one of claims 1 to 8, characterized in that it further includes one or more of the following subsystems:
a management subsystem, configured to provide data display, query analysis and operation management functions, and to provide data operators with a human-computer interaction interface for carrying out the corresponding business operations;
a vulnerability mining subsystem, configured to provide vulnerability mining tools, build a general operating environment for vulnerability mining, and perform vulnerability mining on target operating systems and target application software;
a vulnerability exploitation verification subsystem, configured to provide a verification environment for constructing vulnerabilities and exploitation methods, verify exploitation samples, and evaluate the effect of exploitation;
a security tool subsystem, configured to provide security tools, including tools for carrying out penetration attacks on target operating systems and target applications and for maintaining long-term control.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711432433.4A CN108011893A (en) 2017-12-26 2017-12-26 A kind of asset management system based on networked asset information gathering

Publications (1)

Publication Number Publication Date
CN108011893A true CN108011893A (en) 2018-05-08

Family

ID=62061536

Country Status (1)

Country Link
CN (1) CN108011893A (en)

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102402723A (en) * 2011-11-03 2012-04-04 北京谷安天下科技有限公司 Method and system for detecting security of information assets
CN102750602A (en) * 2012-04-20 2012-10-24 广东电网公司信息中心 Cloud platform isomerism integration resource management system
CN103685250A (en) * 2013-12-04 2014-03-26 蓝盾信息安全技术股份有限公司 Virtual machine security policy migration system and method based on SDN
CN104243496A (en) * 2014-10-11 2014-12-24 北京邮电大学 Software defined network cross-domain security agent method and software defined network cross-domain security agent system
CN104363236A (en) * 2014-11-21 2015-02-18 西安邮电大学 Automatic vulnerability validation method
CN105635112A (en) * 2015-12-18 2016-06-01 国家电网公司 Information system security performance assessment method
US20160197943A1 (en) * 2014-06-24 2016-07-07 Leviathan, Inc. System and Method for Profiling System Attacker
CN105871882A (en) * 2016-05-10 2016-08-17 国家电网公司 Network-security-risk analysis method based on network node vulnerability and attack information
CN106230800A (en) * 2016-07-25 2016-12-14 恒安嘉新(北京)科技有限公司 A kind of to assets active probe with the method for leak early warning
WO2017059279A1 (en) * 2015-09-11 2017-04-06 Beyondtrust Software, Inc. Systems and methods for detecting vulnerabilities and privileged access using cluster outliers
CN106888194A (en) * 2015-12-16 2017-06-23 国家电网公司 Intelligent grid IT assets security monitoring systems based on distributed scheduling
CN108183895A (en) * 2017-12-26 2018-06-19 广东电网有限责任公司信息中心 A kind of networked asset information acquisition system
WO2019018829A1 (en) * 2017-07-20 2019-01-24 Fractal Industries, Inc. Advanced cybersecurity threat mitigation using behavioral and deep analytics

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180508