CN108418727A - A method and system for detecting network devices - Google Patents

Publication number
CN108418727A
Authority
CN
China
Legal status
Granted
Application number
CN201810077929.2A
Other languages
Chinese (zh)
Other versions
CN108418727B (en)
Inventor
朱红松
刘松
李志�
于楠
孙利民
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS
Priority to CN201810077929.2A
Publication of CN108418727A
Application granted
Publication of CN108418727B
Status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/50 Testing arrangements

Abstract

The present invention provides a method and system for detecting network devices. The method includes: obtaining the order in which ports are probed during network device detection from the order of the nodes in a decision tree of network ports; and probing the network device on each port in that order until the network device is identified. From the root node to each child node, the decision tree of network ports corresponds to the ports ordered from highest to lowest utilization for network device detection. With the method provided by the invention, the given network ports are prioritized during network device detection, so that at each device update an Internet-connected device does not have to be probed on all ports; it only needs to be probed in the port order given by the decision tree, and device information can be updated faster and with fewer resources.

Description

A method and system for detecting network devices
Technical field
The present invention relates to the field of communication technology, and more particularly to a method and system for detecting network devices.
Background
With the spread of network devices, more and more terminal devices are connected to networks to provide services. In an Internet of Things system, for example, smartphones, computers and all kinds of IoT devices are connected to cyberspace. While these devices bring convenience, they also bring corresponding security risks. To better understand the distribution of assets in cyberspace and the associated threat and risk situation, fast detection and identification of cyberspace devices has become a necessary means.
Because addresses in cyberspace are dynamic, the information about each network device has to be updated regularly. The update method in general use today is to probe again every port in the given port set of the device.
In the prior art, every port has to be probed each time device information is updated, and most network terminal devices support connections and transfers on several different types of port at the same time. Because every device is probed on all ports at each update, the consumption of resources and bandwidth is very large.
Summary of the invention
To solve the prior-art problem that every device is probed on all ports when network devices are updated, which consumes a very large amount of resources and bandwidth, a method and system for detecting network devices are provided.
According to one aspect of the present invention, a method for detecting network devices is provided, including:
S1: according to the order of the nodes in the decision tree of network ports, obtain the order in which ports are probed when detecting a network device;
S2: probe the network device on each port in turn, following that port probing order, until the network device is identified;
wherein, from the root node to each child node, the decision tree of network ports corresponds to the ports ordered from highest to lowest utilization for network device detection.
Before step S1, the method further includes:
building the decision tree of network ports from historical data on the identification of multiple network devices at each port of the given port set.
Building the decision tree of network ports specifically includes:
receiving the port banner of each port of the network device and identifying the port banner of each port to obtain the identification result of each port; building the port identification state vector of the network device from the identification results of the ports; and building the decision tree selection model of network ports from the port identification state vectors obtained by port identification of multiple different network devices. The identification result is one of recognizable, unrecognizable and unknown. A recognizable identification result means that one or more of the following were recognized: device type, device brand, device model, device firmware version number, and the version number of the service open on the device port.
Identifying the port banner of each port to obtain the identification result of each port specifically includes:
probing multiple given ports of the network device and obtaining the port banner of each port; and classifying the port banners to obtain the identification results of the port probing of the network device.
Building the port identification state vector of the network device specifically includes:
determining the identification result of the device from the identification results of the ports; and forming the port identification state vector from the identification results of the ports and the identification result of the device, where each column of the port identification state vector represents the identification result of one port.
Recognizable means: when the port banner obtained from the network device at any one port is recognizable, the device identification state is determined to be recognizable. Unrecognizable means: when no recognizable port banner can be obtained from the network device at any port, the device identification state is determined to be unrecognizable. Unknown means: when none of the ports in the port set is open on the network device, the device identification state is determined to be unknown.
Building the decision tree classification model of network ports from the port identification state vectors obtained by port identification of multiple different network devices specifically includes:
performing port identification on multiple different network devices, obtaining the port identification state vectors of the network devices, and building the identification state matrix; computing the information gain of each port from the port identification state vectors and choosing the port with the largest information gain as the root node of the decision tree; and, for the ports other than the root node, recomputing the information gain of each remaining port and choosing the one with the largest information gain as a child node, until the termination condition of decision tree generation is met, which yields the final decision tree for port selection.
The termination condition of decision tree generation is: construction of the decision tree stops when the nodes of the decision tree built so far can identify all network devices, or when the information gain is below a preset threshold.
Classifying the port banners specifically includes: classifying the port banners using device fingerprints; or, by means of machine learning, classifying the port banners using a trained classifier.
According to another aspect of the present invention, a system for detecting network devices is provided, including:
a port order selection module, used to obtain, according to the order of the nodes in the decision tree of network ports, the order in which ports are probed when detecting a network device;
a device identification module, used to probe the network device on each port in turn, following that port probing order, until the network device is identified;
wherein, from the root node to each child node, the decision tree of network ports corresponds to the ports ordered from highest to lowest utilization for network device detection.
With the method provided by the invention, the given network ports are prioritized during network device detection, so that at each device update an Internet-connected device does not have to be probed on all ports; it only needs to be probed in the port order given by the decision tree, and device information can be updated faster and with fewer resources.
Description of the drawings
Fig. 1 is a flow chart of a method for detecting network devices provided by one embodiment of the present invention;
Fig. 2 is a flow chart of the decision tree construction method in a method for detecting network devices provided by another embodiment of the present invention;
Fig. 3 is a flow chart of decision tree construction in a method for detecting network devices provided by another embodiment of the present invention;
Fig. 4 is a structure diagram of a system for detecting network devices provided by a further embodiment of the present invention.
Detailed description
Specific implementations of the present invention are described in further detail below with reference to the drawings and embodiments. The following embodiments illustrate the present invention and do not limit its scope.
With reference to Fig. 1, which is a flow chart of a method for detecting network devices provided by one embodiment of the present invention, the method includes:
S1: according to the order of the nodes in the decision tree of network ports, obtain the order in which ports are probed when detecting a network device. From the root node to each child node, the decision tree of network ports corresponds to the ports ordered from highest to lowest utilization for network device detection.
Specifically, a decision tree of network ports is built in advance, and when a network device needs to be detected, the port probing order is obtained from the order of the nodes of that decision tree; from the root node to each child node, the decision tree corresponds to the network ports ordered from highest to lowest utilization. That is, the root node of the decision tree corresponds to the port with the highest utilization in the whole port set, and the order of the child nodes gives the remaining ports from highest to lowest utilization. For example, in the decision tree of a set of ports, the network port of the root node is port 80, commonly opened by the HTTP protocol, and the child nodes correspond, in order, to port 21, commonly opened by the FTP protocol, and port 23, commonly opened by the Telnet protocol; when a network device is detected, the ports are then used in the order 80, 21, 23.
Here, port utilization is defined as follows: in a network environment, the port that can probe the most network devices and identify the most network devices is the port with the highest utilization; alternatively, when a port attribute has better classification ability with respect to the final identification state of network devices, that is, when its information gain is largest, that port is the port with the highest utilization.
S2: probe the network device on each port in turn, following that port probing order, until the network device is identified.
Specifically, during network detection the network device is probed through the ports one after another in the port probing order determined in S1, until the network device is identified. For example, when a network device is detected, it is first probed through port 80; if device information is obtained successfully, probing of this device can stop. If no information identifying the device is obtained, the device is then probed through port 21; on success probing stops, and on failure probing continues through the next port in the order, until the probing host has successfully obtained the information of the network device.
With this method, the given network ports are prioritized during network device detection, so that at each device update an Internet-connected device does not have to be probed on all ports; it only needs to be probed in the port order given by the decision tree, and device information can be updated faster and with fewer resources.
On the basis of the above embodiment, the method further includes, before step S1:
building the decision tree of network ports from historical data on the identification of multiple network devices at each port of the given port set.
Building the decision tree of network ports specifically includes:
receiving the port banner of each port of the network device and identifying the port banner of each port to obtain the identification result of each port; building the port identification state vector of the network device from the identification results of the ports; and building the decision tree selection model of network ports from the port identification state vectors obtained by port identification of multiple different network devices.
The identification result is one of recognizable, unrecognizable and unknown. A recognizable identification result means that one or more of the following were recognized: device type, device brand, device model, device firmware version number, and the version number of the service open on the device port.
Recognizable means: when the port banner obtained from the network device at any one port is recognizable, the device identification state is determined to be recognizable.
Unrecognizable means: when no recognizable port banner can be obtained from the network device at any port, the device identification state is determined to be unrecognizable.
Unknown means: when none of the ports in the port set is open on the network device, the device identification state is determined to be unknown.
Specifically, multiple ports of the devices in cyberspace are scanned and the banner information of each port is obtained. The port set is built from multiple ports and includes at least port 80, commonly opened by the HTTP protocol; port 21, commonly opened by the FTP protocol; port 23, commonly opened by the Telnet protocol; port 22, commonly opened by the SSH protocol; port 554, commonly opened by the RTSP protocol; port 3702, commonly opened by the ONVIF protocol; and port 8080, commonly used for proxy services.
Methods for acquiring banners from network devices include, but are not limited to, the scanning and probing tools Masscan, Zmap, Nmap and Zgrab. After a port scan of a device, the device's port banner at each port is obtained. For example, the first device is scanned at the given ports 80, 21, 22, 23 and 554, which yields the first device's port banner at each port; since the port set contains 5 ports, 5 port banners are obtained in total.
After the identification result of the network device at each port has been obtained, the device's identification state in cyberspace can be determined from those results, and the port identification state vector is then built.
For example, for the first device, a port banner carrying information about the first device is obtained at port 80, the port banners obtained at ports 21, 22 and 23 cannot be recognized, and at port 554 the port is not open and no port banner is obtained. From the identification result states of its ports a 1*6 vector is obtained, for example [T, F, F, T, N, T]; each of the first 5 columns of this vector represents the identification state of one port, and the last column represents the identification state of the first device in cyberspace.
The identification results of the probing tools include, but are not limited to, device attributes such as: device type, device brand, device manufacturer, device model, device firmware number and the version number of the service open on the port. If any one of the attributes type, brand, model or firmware version number can be recognized, the identification state of this port is marked recognizable; if the identification result contains none of these attributes, the identification state of this port is marked unrecognizable; if no port banner was collected from the device, the identification state of this port is marked unknown.
From the identification results of a device at each port: if the identification state of any one port in the port set is recognizable, the identification state of the device is recognizable; if no port of the device is in the recognizable state and at least one port is in the unrecognizable state, the identification state of the device is unrecognizable; if all port states of the device are unknown, the device is unknown.
After port identification has been carried out on multiple different devices, the port identification vectors and device identification vectors of multiple devices in cyberspace are available. The port that contributes most to device identification is selected as the root node of the decision tree and the tree is split on it; the computation is then iterated in the child nodes, selecting among the ports of the port set other than the root port to build child nodes. This process is repeated until a complete decision tree classification model is formed. The order of the decision tree's nodes is the optimized probing order for network device ports.
With this method, a decision tree for port selection is constructed by decision optimization. When device information in the network is updated, the ports of the given port set do not all have to be probed; probing only in the port order of the decision tree updates device information faster and with fewer resources.
On the basis of the above embodiments, identifying the port banner of each port to obtain the identification result of each port specifically includes:
probing multiple given ports of the network device and obtaining the port banner of each port; and classifying the port banners to obtain the identification results of the port probing of the network device.
Specifically, a device identification tool is used to identify the banner of each port, giving the device's identification result at each port. The identification results of the ports are classified into three identification states: recognizable, unrecognizable and unknown. Likewise, the identification state of the device in cyberspace can be determined from the identification states of the ports, and it is also one of the three identification states recognizable, unrecognizable and unknown.
For example, during port identification of the first device, if the port banner information of port 80 contains the device firmware information of the first device and the port banner information of the other ports cannot be recognized, the identification result of the first device is determined to be recognizable. The port banner information obtained from the second device at ports 80 and 21 cannot be recognized, and no port banner information is collected at ports 22, 23 and 554, so the identification state of the second device is unrecognizable. No port banner information is collected from the third device at any port, so the identification state of the third device is unknown.
With this method, the identification information of each device in cyberspace at each port is classified, which gives the device's port openness information and port identification result information in cyberspace.
On the basis of the above embodiments, building the port identification state vector of the network device specifically includes:
determining the identification result of the device from the identification results of the ports;
forming the port identification state vector from the identification results of the ports and the identification result of the device, where each column of the port identification state vector represents the identification result of one port.
Specifically, from the identification results of a device at each port: if the identification state of any one port in the port set is recognizable, the identification state of the device is recognizable; if no port of the device is in the recognizable state and at least one port is in the unrecognizable state, the identification state of the device is unrecognizable; if all port states of the device are unknown, the device is unknown.
For example, during port identification of the first device, if the port banner information of port 80 contains the device firmware information of the first device and the port banner information of the other ports cannot be recognized, the identification result of the first device is determined to be recognizable. The port banner information obtained from the second device at ports 80 and 21 cannot be recognized, and no port banner information is collected at ports 22, 23 and 554, so the identification state of the second device is unrecognizable. No port banner information is collected from the third device at any port, so the identification state of the third device is unknown.
After the port identification information of a device has been obtained, the device identification state vector is built from the device's identification result at each port and its identification result in cyberspace. For example, in a cyberspace whose device port set is 80, 21, 22, 23, 554, identifying the first device produces a 1*6 vector [T, F, F, T, N, T]. The first five columns of this vector represent the identification states of the ports in the port set 80, 21, 22, 23, 554, and the last column represents the identification state of the device. In the vector, T is the recognizable state, F is the unrecognizable state and N is the unknown state.
With this method, the identification state of a device in cyberspace is expressed as a vector, which provides the basis for building the decision tree.
On the basis of the above embodiments, building the decision tree classification model of network ports from the port identification state vectors obtained by port identification of multiple different network devices specifically includes:
performing port identification on multiple different network devices, obtaining the port identification state vectors of the network devices, and building the identification state matrix; computing the information gain of each port from the port identification state vectors and choosing the port with the largest information gain as the root node of the decision tree; and, for the ports other than the root node, recomputing the information gain of each remaining port and choosing the one with the largest information gain as a child node, until the termination condition of decision tree generation is met, which yields the final decision tree for port selection.
The termination condition of decision tree generation is: construction of the decision tree stops when the nodes of the decision tree built so far can identify all network devices, or when the information gain is below a preset threshold.
Specifically, after multiple devices have been identified, the port identification state vector of each device is available and the identification state matrix can be built. When the device port set is 80, 21, 22, 23, 554 and M devices have been identified, an M*6 identification state matrix can be built.
For feature selection, if a port attribute has better classification ability with respect to the final identification state of the network device, that feature is selected first for classification. In this embodiment the feature with the largest information gain is used for classification. The information gain formula is g(D, A) = H(D) - H(D | A), where A is the port state attribute, D is the device's final state attribute, H(D) is the information entropy of the device's final identification state, and H(D | A) is the empirical conditional entropy of the final identification state given port A.
Starting from the root node, the information gain of every candidate port is computed for the node, the port with the largest information gain is selected as the node's feature, and child nodes are created for the different values of that feature. The same method is then called recursively on the child nodes to build the decision tree, until no port feature is left to select, at which point decision tree generation ends.
With this method, network devices are scanned and probed after decision optimization, which reduces both the number of port probes and the number of device ports probed, so that device information can be updated with fewer resources and at a faster speed.
Specifically, when no port feature remains to be selected, the nodes of the decision tree built so far can identify all devices, so construction of the decision tree can stop; the ports given by the existing decision tree are sufficient to update the information of all devices. Alternatively, once most devices can be identified through the port order given by the decision tree and only the few remaining devices need special ports, the information gain of further ports becomes very small; so when the computed information gain of the remaining ports is below the preset threshold, construction of the decision tree can also stop.
On the basis of the above embodiments, classifying the port banners specifically includes: classifying the port banners using device fingerprints; or, by means of machine learning, classifying the port banners using a trained classifier.
Specifically, the methods that can be used to classify port banners include, but are not limited to, device fingerprint identification and machine learning identification: the port banners are classified by device fingerprint to obtain the identification state of each port, or a trained classifier is used to classify the received port banner information.
In another embodiment of the present invention, the decision tree construction process is described in detail, taking as an example the identification result states obtained for the device port set {80, 21, 22, 23, 554}. The implementation process is shown in Fig. 2 and Fig. 3.
From the identification result states of its ports, each device yields a 1*6 vector, for example [T, F, F, T, N, T]. The first 5 columns of this vector represent the identification states of the ports in the set {80, 21, 22, 23, 554}, and the last column represents the identification state of the device. T is the recognizable state, F is the unrecognizable state and N is the unknown state. In this embodiment there are 8 devices in total, so an 8*6 identification state matrix can be formed.
For feature selection, if a port attribute has better classification ability with respect to the final identification state of the device, that feature is selected first for classification. Here the feature with the largest information gain is used for classification. The information gain formula is g(D, A) = H(D) - H(D | A), where A is the port state attribute, D is the device's final state attribute, H(D) is the information entropy of the device's final identification state, and H(D | A) is the empirical conditional entropy of the final identification state given port A.
Starting from the root node, the information gain of every candidate port is computed for the node, the port with the largest information gain is selected as the node's feature, and child nodes are created for the different values of that feature. The same method is then called recursively on the child nodes to build the decision tree, until no port feature is left to select, at which point decision tree generation ends. The sequence of ports in the generated decision tree then gives a device port probing order. In this example the port probing order is 80, 21.
With this method, a decision tree for device port probing is built. When devices are updated, the decision tree reduces both the number of port probes and the number of device ports probed, so that device information can be updated with fewer resources and at a faster speed.
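An added worked example, not code from the patent: the Python code below builds the identification state matrix from per-port results, computes g(D, A) = H(D) - H(D | A), derives a port probing order with both termination conditions, and counts how many probes that order would have needed on the same historical data. The 8-device matrix is constructed sample data, and carrying only the devices not yet recognized into the next node is an assumption about how the tree is flattened into a probing sequence.

```python
import math
from collections import Counter

PORTS = [80, 21, 22, 23, 554]

# Constructed per-port results for 8 devices (sample data, not from the patent).
# T = recognizable, F = unrecognizable, N = unknown (no banner collected).
PORT_RESULTS = [
    ["T", "F", "F", "F", "N"],
    ["T", "N", "N", "N", "N"],
    ["T", "F", "N", "T", "N"],
    ["T", "N", "F", "N", "N"],
    ["F", "T", "N", "N", "N"],
    ["N", "T", "F", "N", "N"],
    ["F", "N", "F", "N", "N"],
    ["N", "N", "N", "N", "N"],
]


def device_state(port_states):
    """Device rule from the description: any T -> T; else any F -> F; else N."""
    if "T" in port_states:
        return "T"
    return "F" if "F" in port_states else "N"


# 8 x 6 identification state matrix: five port columns plus the device state.
STATE_MATRIX = [row + [device_state(row)] for row in PORT_RESULTS]


def entropy(labels):
    """Information entropy H of a list of state labels, in bits."""
    total = len(labels)
    return -sum(c / total * math.log2(c / total) for c in Counter(labels).values())


def info_gain(rows, col):
    """g(D, A) = H(D) - H(D | A), with A = column `col` and D = last column."""
    h_d = entropy([r[-1] for r in rows])
    h_d_given_a = 0.0
    for value in set(r[col] for r in rows):
        subset = [r[-1] for r in rows if r[col] == value]
        h_d_given_a += len(subset) / len(rows) * entropy(subset)
    return h_d - h_d_given_a


def probe_order(rows, ports=PORTS, min_gain=0.01):
    """Pick the max-gain port, then repeat on the devices it did not identify."""
    order, remaining_cols = [], list(range(len(ports)))
    # Stop when no port is left or no still-unidentified device is identifiable.
    while remaining_cols and any(r[-1] == "T" for r in rows):
        best = max(remaining_cols, key=lambda c: info_gain(rows, c))
        if info_gain(rows, best) < min_gain:  # preset-threshold termination
            break
        order.append(ports[best])
        remaining_cols.remove(best)
        # Assumption: probing stops once a device is identified, so only
        # devices not recognizable at this port go on to the next node.
        rows = [r for r in rows if r[best] != "T"]
    return order


def probes_needed(row, order, ports=PORTS):
    """Replay step S2 on one historical row: probes sent before probing stops."""
    for count, port in enumerate(order, start=1):
        if row[ports.index(port)] == "T":
            return count
    return len(order)


ORDER = probe_order(STATE_MATRIX)
TOTAL_PROBES = sum(probes_needed(r, ORDER) for r in STATE_MATRIX)

if __name__ == "__main__":
    print("probe order:", ORDER)
    print("probes:", TOTAL_PROBES, "vs full sweep:", len(PORTS) * len(STATE_MATRIX))
```

On this constructed matrix the ordered probing needs 12 probes where a full sweep of the five ports needs 40; the two devices that no port can identify still cost two probes each.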
Referring to Fig. 4, Fig. 4 is a structural diagram of a system for detecting network devices provided by a further embodiment of the present invention. The system includes a port order selection module 41 and a device identification module 42.
The port order selection module 41 is used to obtain, from the order of the nodes of the network port decision tree, the probing order of the ports when detecting a network device.
From the root node to each child node, the decision tree of the network ports corresponds to the ports in descending order of utilization rate when detecting network devices.
Specifically, a decision tree of the network ports is built in advance. When network device detection is required, the probing order of the ports is obtained from the node order of this decision tree, where the decision tree of the network ports, from the root node to each child node, corresponds to the network ports in descending order of utilization rate. That is, the root node of the decision tree corresponds to the port with the highest utilization rate in the whole port set, and the ordering of the child nodes represents the remaining ports in descending order of utilization rate. For example, in one port decision tree the root node corresponds to port 80, commonly opened by the HTTP protocol, and the child nodes correspond, in order, to port 21, commonly opened by the FTP protocol, and port 23, commonly opened by the Telnet protocol. When network device detection is carried out, the ports are then used in the order 80, 21, 23.
The device identification module 42 is used to probe the network device port by port according to the probing order, until the network device is detected and identified.
Specifically, when network detection is carried out, the network device is probed through the ports one after another in the probing order determined by S1, until the network device is detected and identified. For example, when a network device is probed, it is first probed on port 80. If device information is obtained successfully, probing of this device can stop. If no information about the device is detected, the device is next probed on port 21; if that succeeds, probing stops, and if it fails, probing continues on the next port in the order, until the probing host successfully obtains the information of the network device.
With this system, the given network ports are ranked by priority for network detection, so that each time device information is updated, an Internet-connected device does not need to be probed on all ports. It only needs to be probed in the port order given by the decision tree, so device information can be updated at higher speed and with fewer resources.
On the basis of the above embodiments, the system further includes a decision tree building module, used to build the decision tree of the network ports from the historical data of each port being identified, for multiple network devices across all given ports.
Specifically, multiple ports of the devices in cyberspace are scanned and the banner information of each port is obtained. The ports form a port set that includes at least port 80, commonly opened by the HTTP protocol; port 21, commonly opened by the FTP protocol; port 23, commonly opened by the Telnet protocol; port 22, commonly opened by the SSH protocol; port 554, commonly opened by the RTSP protocol; port 3702, commonly opened by the ONVIF protocol; and port 8080, commonly used for proxy services.
Methods for obtaining banners from network devices include, but are not limited to, using the scanning and probing tools Masscan, Zmap, Nmap and Zgrab. After a port scan of a device, the port banner of the device at each port is obtained. For example, a first device is scanned on the given ports 80, 21, 22, 23 and 554, which yields the port banner of the first device at each port. Since the port set contains 5 ports, 5 port banners are obtained in total.
After the identification result of the device at each port has been obtained, the identification state of the device in cyberspace can be judged from those results, and the port identification state vector is then built.
The identification results of the probing tools include, but are not limited to, device attributes such as device type, device brand, device manufacturer, device model, device firmware number, and the version number of the service open on the port. If any one of the type, brand, model, or firmware version number attributes can be identified, the identification state of the port is marked recognizable. If the identification result contains none of these attributes, the identification state of the port is marked unrecognizable. If no port banner was collected from the device, the identification state of the port is marked unknown.
The device state follows from the identification results at its ports. If the identification state of any one port in the port set is recognizable, the identification state of the device is recognizable. If no port of the device is in the recognizable state and at least one port is in the unrecognizable state, the identification state of the device is unrecognizable. If the state of every port of the device is unknown, the device is unknown.
After port identification has been carried out on multiple different devices, the port identification vectors and device identification vectors of multiple devices in cyberspace are available. The port that contributes most to device identification is selected as the root node of the decision tree and the tree is split on it. The calculation is then iterated in the child nodes, selecting among the ports of the port set other than the root node port to build child nodes, and this process is repeated until a complete decision tree classification model is formed. The order of the nodes of the decision tree is the optimized probing order of network device ports.
With this system, a decision tree for port selection is constructed by decision optimization. When device information in the network is updated, it is not necessary to probe every port in the given port set. Probing only in the port order of the decision tree updates device information at higher speed and with fewer resources.
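The following is an added example, not code from the patent: it applies the port-to-device state rules and the information gain formula g(D, A) = H(D) - H(D | A) described above to an 8×6 identification state matrix and derives a probing order. The device data is constructed for illustration, all function names are hypothetical, and reading "the order of the ports that generate the decision tree" as level order of first selection is an assumption.

```python
import math
from collections import Counter, deque

PORTS = [80, 21, 22, 23, 554]

# Constructed per-port states for 8 hypothetical devices (not the patent's data).
# T = recognizable, F = unrecognizable, N = unknown (no banner collected).
PORT_STATES = [
    ["T", "N", "N", "N", "N"],
    ["T", "F", "N", "N", "N"],
    ["T", "N", "F", "N", "N"],
    ["T", "T", "N", "N", "N"],
    ["F", "T", "N", "N", "N"],
    ["N", "T", "N", "N", "N"],
    ["F", "F", "N", "N", "N"],
    ["N", "N", "N", "N", "N"],
]

def device_state(port_states):
    """Device-level state: any T -> T; else any F -> F; else N."""
    if "T" in port_states:
        return "T"
    return "F" if "F" in port_states else "N"

# 8x6 identification state matrix: five port columns plus the device column.
MATRIX = [ps + [device_state(ps)] for ps in PORT_STATES]

def entropy(labels):
    """Shannon entropy H of a list of state labels, in bits."""
    n = len(labels)
    return sum(-c / n * math.log2(c / n) for c in Counter(labels).values())

def info_gain(rows, col):
    """g(D, A) = H(D) - H(D | A) for the port in column `col`."""
    cond = 0.0
    for value in {r[col] for r in rows}:
        subset = [r[-1] for r in rows if r[col] == value]
        cond += len(subset) / len(rows) * entropy(subset)
    return entropy([r[-1] for r in rows]) - cond

def probe_order(rows, ports=PORTS, min_gain=1e-9):
    """Grow the tree level by level; return ports in first-selected order."""
    order = []
    queue = deque([(rows, list(range(len(ports))))])
    while queue:
        subset, cols = queue.popleft()
        if not cols or len({r[-1] for r in subset}) == 1:
            continue  # leaf: no port left, or all devices share one state
        best = max(cols, key=lambda c: info_gain(subset, c))
        if info_gain(subset, best) < min_gain:
            continue  # gain below threshold: stop splitting this node
        if ports[best] not in order:
            order.append(ports[best])
        rest = [c for c in cols if c != best]
        for value in sorted({r[best] for r in subset}):
            queue.append(([r for r in subset if r[best] == value], rest))
    return order

if __name__ == "__main__":
    for col, port in enumerate(PORTS):
        print(port, round(info_gain(MATRIX, col), 4))
    print("probe order:", probe_order(MATRIX))
```

Ports that never discriminate between device states in the historical data (23 and 554 in this constructed matrix) have zero gain and drop out of the probing order entirely.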
Finally, the methods of the present application are only preferred embodiments and are not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A method for detecting a network device, characterized by comprising:
S1, obtaining the probing order of the ports for detecting a network device according to the order of the nodes of a decision tree of network ports;
S2, probing the network device port by port according to the probing order of the ports, until the network device is detected and identified;
wherein, from the root node to each child node, the decision tree of the network ports corresponds to the ports in descending order of utilization rate when detecting network devices.
2. The method according to claim 1, characterized in that, before step S1, the method further comprises:
building the decision tree of the network ports from the historical data of each port being identified, for multiple network devices across all given ports.
3. The method according to claim 2, characterized in that building the decision tree of the network ports specifically comprises:
receiving the port banner of the network device at each port, and identifying the port banner of each port to obtain the identification result of each port;
building the port identification state vector of the network device according to the identification result of each port;
building the decision tree selection model of the network ports according to the port identification state vectors obtained by carrying out port identification on multiple different network devices;
wherein the identification result is one of recognizable, unrecognizable and unknown;
wherein recognizable in the identification result means that one or more of the following are identified: device type, device brand, device model, device firmware version number, and the version number of the service open on the device port.
4. The method according to claim 3, characterized in that identifying the port banner of each port to obtain the identification result of each port specifically comprises:
probing multiple given ports of the network device to obtain the port banner of each port respectively;
identifying and classifying the port banners to obtain the identification results of the port probing of the network device.
5. The method according to claim 4, characterized in that building the port identification state vector of the network device specifically comprises:
judging the identification result of the device according to the identification result of each port;
forming the port identification state vector from the identification results of the ports and the identification result of the device, wherein each column of the port identification state vector represents the identification result of one port.
6. The method according to claim 3, characterized in that recognizable in the identification result specifically means: when the port banner obtained from the network device at any one port is recognizable, the device identification state is judged to be recognizable;
unrecognizable in the identification result specifically means: when no recognizable port banner can be obtained from the network device at any of the ports, the device identification state is judged to be unrecognizable;
unknown in the identification result specifically means: when none of the ports in the port set is open on the network device, the device identification state is judged to be unknown.
7. The method according to claim 3, characterized in that building the decision tree classification model of the network ports according to the port identification state vectors obtained by carrying out port identification on multiple different network devices specifically comprises:
carrying out port identification on multiple different network devices to obtain the port identification state vectors of the multiple network devices, and building an identification state matrix;
calculating the information gain of each port according to the port identification state vectors, and choosing the port with the largest information gain as the root node of the decision tree;
for the ports other than the root node, recalculating the information gain of each remaining port and selecting the port with the largest information gain as a child node, until the termination condition of decision tree generation is met, to obtain the final decision tree for port selection.
8. The method according to claim 7, characterized in that the termination condition of decision tree generation is specifically: when the nodes of the built decision tree can identify all network devices, or when the information gain is less than a preset threshold, decision tree building stops.
9. The method according to claim 4, characterized in that identifying and classifying the port banners specifically comprises: classifying the port banners using device fingerprints; or classifying the port banners using a trained classifier, by way of machine learning.
10. A system for detecting a network device, characterized by comprising:
a port order selection module, used to obtain the probing order of the ports for detecting a network device according to the order of the nodes of a decision tree of network ports;
a device identification module, used to probe the network device port by port according to the probing order of the ports, until the network device is detected and identified;
wherein, from the root node to each child node, the decision tree of the network ports corresponds to the ports in descending order of utilization rate when detecting network devices.
CN201810077929.2A 2018-01-26 2018-01-26 Method and system for detecting network equipment Active CN108418727B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810077929.2A CN108418727B (en) 2018-01-26 2018-01-26 Method and system for detecting network equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810077929.2A CN108418727B (en) 2018-01-26 2018-01-26 Method and system for detecting network equipment

Publications (2)

Publication Number Publication Date
CN108418727A (en) 2018-08-17
CN108418727B CN108418727B (en) 2020-04-24

Family

ID=63126246

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810077929.2A Active CN108418727B (en) 2018-01-26 2018-01-26 Method and system for detecting network equipment

Country Status (1)

Country Link
CN (1) CN108418727B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1571389A (en) * 2003-04-29 2005-01-26 微软公司 Method and apparatus for discovering network devices
CN101714926A (en) * 2009-11-02 2010-05-26 福建星网锐捷网络有限公司 Method, device and system for managing network equipment
US20150304167A1 (en) * 2014-04-22 2015-10-22 International Business Machines Corporation Accelerating device, connection and service discovery
CN106998299A (en) * 2016-01-22 2017-08-01 华为技术有限公司 The recognition methods of the network equipment, apparatus and system in data center network

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110380925A (en) * 2019-06-28 2019-10-25 中国科学院信息工程研究所 A kind of network equipment detection middle port selection method and system
CN110380925B (en) * 2019-06-28 2021-02-02 中国科学院信息工程研究所 Port selection method and system in network equipment detection
CN112016635A (en) * 2020-10-16 2020-12-01 腾讯科技(深圳)有限公司 Device type identification method and device, computer device and storage medium
CN112016635B (en) * 2020-10-16 2021-02-19 腾讯科技(深圳)有限公司 Device type identification method and device, computer device and storage medium
WO2022078191A1 (en) * 2020-10-16 2022-04-21 腾讯科技(深圳)有限公司 Method and apparatus for identifying device type, computer device, and storage medium
CN112769635A (en) * 2020-12-10 2021-05-07 青岛海洋科学与技术国家实验室发展中心 Service identification method and device for multi-granularity feature analysis
CN113037705A (en) * 2020-12-30 2021-06-25 智网安云(武汉)信息技术有限公司 Network terminal port scanning method and network terminal port scanning system
CN113037705B (en) * 2020-12-30 2022-07-15 智网安云(武汉)信息技术有限公司 Network terminal port scanning method and network terminal port scanning system
CN115442259A (en) * 2022-08-30 2022-12-06 奇安信网神信息技术(北京)股份有限公司 System identification method and device

Also Published As

Publication number Publication date
CN108418727B (en) 2020-04-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant