CN108900351B - Intranet equipment type identification method and device - Google Patents

Publication number: CN108900351B
Authority: CN (China)
Legal status: Active
Application number: CN201810772584.2A
Other languages: Chinese (zh)
Other versions: CN108900351A (en
Inventors: 朱红松, 杨月, 文辉, 石志强, 孙利民
Current Assignee: Institute of Information Engineering of CAS
Original Assignee: Institute of Information Engineering of CAS

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/12 Discovery or management of network topologies
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/54 Presence management, e.g. monitoring or registration for receipt of user log-on information, or the connection status of the users
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/618 Details of network addresses
    • H04L2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Abstract

The embodiment of the invention provides an intranet device type identification method and device. The method comprises: for all surviving devices in the intranet environment, parsing the monitored specific protocol packets to obtain the MAC addresses of all active devices and a device connection relation graph, where the device connection relation graph is the network connection relation graph of the target surviving devices, and the target surviving devices comprise either all active devices and some inactive devices, or all active devices and all inactive devices; sending active probe packets to the inactive devices to obtain the MAC addresses of all inactive devices; and obtaining the device types of all surviving devices in the intranet environment from the device connection relation graph, the MAC addresses of all active devices and the MAC addresses of all inactive devices. Because the method and device identify intranet device types by combining active and passive techniques, they effectively reduce how often probe packets are sent and reduce interference with the target network.

Description

Intranet equipment type identification method and device
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to an intranet equipment type identification method and device.
Background
Network device type identification is the technique of determining the type of a target device from its network characteristics. Network devices generally means all physical devices connected to a computer network; communication between these devices takes place over the computer network. According to the role they play and the functions they provide in a computer network, network devices can be classified as printers, network cameras, office PCs, routers, and so on. In recent years, with the rapid development of computer networks, network architecture has gradually shifted from the traditional mode of direct connection to the public network to a Network Address Translation (NAT) mode, and large numbers of devices of mixed quality have moved into intranet environments. Intranet resources are more sensitive and intranet security defenses are weaker, so rapid detection and identification of the devices in an intranet has become a necessary means of understanding how intranet assets are distributed and what threats and risks they face.
Existing device identification techniques need to send a large number of probe packets to multiple ports of every network device that may be alive in the network, and then infer the device type from the port probe responses using string matching or machine learning.
Because so many probe packets must be sent, existing device identification methods usually consume large amounts of hardware resources and bandwidth. Heavy probing may also degrade the quality of intranet links and make intranet services unstable.
Disclosure of Invention
To remedy these technical defects, the embodiments of the present invention provide a method and a device for identifying intranet device types.
In a first aspect, an embodiment of the present invention provides a method for identifying intranet device types, including:
for all surviving devices in the intranet environment, parsing the monitored specific protocol packets to obtain the MAC addresses of all active devices and a device connection relation graph; the device connection relation graph is the network connection relation graph of the target surviving devices, where the target surviving devices comprise either all active devices and some inactive devices, or all active devices and all inactive devices;
sending active probe packets to the inactive devices to obtain the MAC addresses of all inactive devices;
and obtaining the device types of all surviving devices in the intranet environment from the device connection relation graph, the MAC addresses of all active devices and the MAC addresses of all inactive devices.
In a second aspect, an embodiment of the present invention provides an apparatus for identifying intranet device types, including:
a passive monitoring module, used to parse the monitored specific protocol packets for all surviving devices in the intranet environment to obtain the MAC addresses of all active devices and a device connection relation graph; the device connection relation graph is the network connection relation graph of the target surviving devices, where the target surviving devices comprise either all active devices and some inactive devices, or all active devices and all inactive devices;
an active probing module, used to send active probe packets to the inactive devices to obtain the MAC addresses of all inactive devices;
and an identification module, used to obtain the device types of all surviving devices in the intranet environment from the device connection relation graph, the MAC addresses of all active devices and the MAC addresses of all inactive devices.
In a third aspect, an embodiment of the present invention provides an intranet device type identification device, including a memory and a processor that communicate with each other over a bus; the memory stores program instructions executable by the processor, and the processor calls the program instructions to execute the intranet device type identification method according to the first aspect.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the intranet device type identification method according to the first aspect.
The method and device for identifying intranet device types provided by the embodiments of the present invention take full account of the network characteristics of a local area network, combine active and passive techniques, and use lightweight local area network protocols for device identification. Device types can be identified by sending only a small number of packets into the intranet, which effectively reduces how often probe packets are sent to the target network over the whole detection process and effectively reduces interference with the target network.
Drawings
FIG. 1 is a block diagram of an intranet apparatus according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a method for identifying the type of an intranet device according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating an embodiment of obtaining a device type from an MDNS packet;
FIG. 4 is a diagram illustrating another device type acquisition based on MDNS packets in accordance with an embodiment of the present invention;
FIG. 5 is a diagram illustrating another device type obtained from an SSDP packet according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a method for identifying types of intranet devices according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an intranet device type identification apparatus according to an embodiment of the present invention;
FIG. 8 is a schematic entity structure diagram of an intranet device type identification device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
In order to solve the problems in the prior art that when network equipment is identified, a large number of detection packets need to be sent to a large number of ports, which may cause network congestion and unstable service, embodiments of the present invention provide a lightweight and low-disturbance network equipment identification method.
FIG. 1 is a composition diagram of the intranet devices according to an embodiment of the present invention. As shown in FIG. 1, it includes:
S1, the subnet range;
S2, surviving devices;
S3, active devices;
S1-S3, inactive devices that may be alive;
S2-S3, surviving inactive devices.
As shown in FIG. 1, the entire network range is first defined as the set S1. S1 includes all devices within the network range, both surviving and non-surviving, and all surviving devices within the network form the range shown as S2. A surviving device is defined in contrast to a non-surviving device, that is, a device that is down and cannot respond to any request. The operations in the embodiments of the present invention apply to surviving devices, that is, to the S2 part of FIG. 1.
Surviving devices fall into two broad categories: active devices and inactive devices.
As shown in FIG. 1, all active devices in the intranet are in the range shown as S3. Active devices are the surviving devices that are operating: they send protocol packets at some frequency, and those packets can be captured by a host connected to the intranet.
Since S2 represents the surviving devices, S3 represents the active devices, and the surviving devices consist of active and inactive devices, S2-S3 in FIG. 1 represents the surviving inactive devices and S1-S3 represents the inactive devices that may be alive.
FIG. 2 is a schematic flowchart of a method for identifying intranet device types according to an embodiment of the present invention. As shown in FIG. 2, it includes:
step 21, for all surviving devices in the intranet environment, parsing the monitored specific protocol packets to obtain the MAC addresses of all active devices and a device connection relation graph; the device connection relation graph is the network connection relation graph of the target surviving devices, where the target surviving devices comprise either all active devices and some inactive devices, or all active devices and all inactive devices;
step 22, sending active probe packets to the inactive devices to obtain the MAC addresses of all inactive devices;
and step 23, obtaining the device types of all surviving devices in the intranet environment from the device connection relation graph, the MAC addresses of all active devices and the MAC addresses of all inactive devices.
First, a host connected to the intranet passively listens for specific protocol packets from all surviving devices in the intranet environment. The embodiment of the present invention takes full account of how protocol usage differs between intranet and public network environments: besides the communication protocols that run on the public network, an intranet usually also uses a number of intranet-specific protocols, such as the broadcast or multicast protocols Address Resolution Protocol (ARP), Simple Service Discovery Protocol (SSDP) and Multicast DNS (MDNS). These intranet-specific protocols carry a good deal of information that can be used for device identification, such as the MAC address information in ARP packets, the device description information in SSDP, the device information implied by MDNS domain name strings, and the connection information of intranet devices. The specific protocol packets in the embodiment of the present invention are multicast or broadcast packets of these intranet-specific protocols.
Passively listening for specific protocol packets means listening for the protocol packets sent by active devices, that is, the range represented by S3 in FIG. 1. By parsing the content of the specific protocol packets, the MAC address information of the active devices can be obtained and a device connection relation graph can be established. The device connection relation graph is the network connection relation graph of the target surviving devices, where the target surviving devices comprise either all active devices and some inactive devices, or all active devices and all inactive devices.
Because passive listening can obtain only the MAC addresses of active devices and not those of inactive devices, active probing must be initiated toward the inactive devices. Since all operations in the embodiments of the present invention are restricted to surviving devices, an inactive device in the embodiments of the present invention means a device that is alive but inactive, that is, the range represented by S2-S3 in FIG. 1. References to all inactive devices in the following embodiments have the same meaning.
Although the MAC address information of the active intranet devices, the device connection relation graph and the precise device types of some active devices have been obtained by this point, these cover only the active devices, that is, S3 in FIG. 1. The intranet still contains many devices whose state cannot be determined: they generate no multicast or broadcast traffic, so it is not known whether they are alive. These are the S1-S3 part of FIG. 1. For such devices, the embodiment of the present invention first uses ARP active probing to determine which devices in the intranet are alive but not active, that is, the S2-S3 part of FIG. 1, and then performs SSDP active probing on the S2-S3 part. Although SSDP is a multicast protocol, it also supports unicast communication; by sending unicast SSDP Search All packets to the devices in S2-S3, the precise device type of some of those devices can be obtained from the responses.
The host connected to the intranet sends active probe packets to the inactive devices. An active probe packet is also a multicast or broadcast packet of an intranet-specific protocol, such as an ARP active probe packet or an SSDP active probe packet. The inactive device sends a response packet to the active probe packet, and parsing the content of the response packet yields the MAC address information of the inactive device.
The MAC address, that is, the media access control address, also called the physical address or hardware address, identifies the location of a network device. In the OSI model, the third layer (network layer) handles IP addresses and the second layer (data link layer) handles MAC addresses. A host therefore has a MAC address, and each network location has its own IP address.
The MAC address is determined by the network card and is fixed. Figuratively, the MAC address is like the number on an identity card: globally unique.
Once the MAC address information of the active and inactive devices has been obtained, the device types of all surviving devices in the intranet environment can be obtained by combining it with the device connection relation graph. Specifically, the MAC address of an active device gives its approximate device type, which is then refined using the device connection relation graph. MAC addresses are allocated by a single fixed organization worldwide, and a vendor that has not been authorized has no right to produce network cards. Each network card has a fixed card number, which any legitimate manufacturer marks directly on the card, generally as a group of 12 hexadecimal digits. The first 6 digits identify the manufacturer of the network card. Vendor information can therefore be obtained from a device's MAC address, and each vendor usually produces a particular kind of device, for example Haocongwei produces video monitoring equipment and TP-Link produces routing equipment, so an approximate device type can be inferred from the vendor information. At the same time, the type of an unknown device can be inferred indirectly from the connection relationships that have been obtained: for example, a device connected to a printer is usually a host, and a video monitoring device does not form a connection with a printer. Device connection information allows the device type to be inferred more accurately, so that all surviving devices in the intranet and their model information are finally detected.
The method for identifying intranet device types provided by the embodiment of the present invention takes full account of the network characteristics of a local area network and uses lightweight local area network protocols for device identification, which effectively reduces system overhead. For active devices, device attributes are identified by passively listening for multicast or broadcast packets. For inactive devices, active probing is used, and device attributes are identified from the response packets of the inactive devices and the connection relationships between devices. By combining active and passive techniques, device types can be identified by sending only a small number of packets into the intranet, which effectively reduces how often probe packets are sent to the target network over the whole detection process and effectively reduces interference with the target network.
On the basis of the above embodiment, parsing the monitored specific protocol packets to obtain the MAC addresses of all active devices and the device connection relation graph specifically includes:
monitoring and parsing multicast packets in the intranet environment, and obtaining the device types of some active devices from the parsing result;
monitoring and parsing broadcast packets in the intranet environment, obtaining the MAC address information of all active devices from the parsing result, and establishing the device connection relation graph.
First, for active devices, the multicast packets in the intranet environment are monitored and parsed; specifically, the multicast packets are MDNS packets and/or SSDP packets. The device types of some active devices can be obtained directly from the parsed content. MDNS packets and SSDP packets are each taken as an example below.
MDNS, the multicast DNS protocol, mainly lets hosts in a local area network discover and communicate with each other without a conventional DNS server; in a small network with no conventional DNS server, MDNS can provide DNS-like programming interfaces, packet formats and operational semantics. MDNS packets are divided into Request packets and Response packets: a Request packet is a domain name resolution initiated by the requester, and a Response packet is the response sent by the device that owns the domain name. Both kinds of packet are sent by multicast within the local area network. The domain name information is a text string that contains many features usable for device identification, and by building a fingerprint library of characteristic strings for each device type, the specific type of some of the devices in the intranet can be identified.
FIG. 3 is a schematic diagram of obtaining a device type from an MDNS packet according to an embodiment of the present invention. As shown in FIG. 3, the parsed content shows that the MAC address of a certain device is 10.10.12.85 and that the corresponding device type is a MacBook office device.
FIG. 4 is a schematic diagram of obtaining another device type from an MDNS packet according to an embodiment of the present invention. As shown in FIG. 4, the MAC address of the device is 10.10.12.209, and the corresponding device type is a printer device.
SSDP is one of the core protocols of UPnP (Universal Plug and Play) technology and provides a mechanism for discovering devices in a local network. Its packets are divided into a Search type and a Notify type, both sent by multicast. A Search packet provides service discovery, that is, discovering a specific type of device or service among the members of the group; a Notify packet provides service notification, that is, notifying the members of the group of the devices or services provided locally. By passively listening for SSDP packets, the devices and services present in the intranet can be identified.
FIG. 5 is a schematic diagram of obtaining a device type from an SSDP packet according to an embodiment of the present invention. As shown in FIG. 5, the Server field information shows that the device with MAC address 10.10.12.210 is a printer device.
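The MDNS fingerprint-library lookup and the SSDP Server-field lookup described above, as an added example that is not part of the patent: it decodes names from an mDNS message (including compression pointers) and header fields from an SSDP message, then matches them against a fingerprint list. The fingerprint patterns, type labels and sample packets are constructed assumptions.

```python
import re
import struct

# Constructed fingerprint library (an assumption for this example): each regex
# is matched against lower-cased mDNS names or SSDP header values.
FINGERPRINTS = [
    (re.compile(r"_ipp\._tcp|_printer\._tcp|_pdl-datastream\._tcp|printer"), "printer"),
    (re.compile(r"macbook"), "office PC"),
    (re.compile(r"_rtsp\._tcp|ipcam|camera"), "network camera"),
    (re.compile(r"internetgatewaydevice|router"), "router"),
]

def classify(text):
    """Return the first device type whose fingerprint matches, else None."""
    lowered = text.lower()
    for pattern, device_type in FINGERPRINTS:
        if pattern.search(lowered):
            return device_type
    return None

def read_name(msg, offset, hops=0):
    """Decode a DNS name, following compression pointers; return (name, next_offset)."""
    if hops > 16:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # pointer to a name elsewhere in the message
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            suffix, _ = read_name(msg, target, hops + 1)
            return ".".join(labels + ([suffix] if suffix else [])), offset + 2
        if offset + 1 + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset + 1:offset + 1 + length].decode("utf-8", "replace"))
        offset += 1 + length

def mdns_names(msg):
    """Collect owner names plus PTR and SRV target names from one mDNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    qdcount, ancount, nscount, arcount = struct.unpack_from("!4H", msg, 4)
    names, offset = [], 12
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        names.append(name)
        offset += 4  # QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        name, offset = read_name(msg, offset)
        if offset + 10 > len(msg):
            raise ValueError("truncated record")
        rtype, _rclass, _ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        if offset + rdlength > len(msg):
            raise ValueError("truncated rdata")
        names.append(name)
        if rtype == 12:  # PTR: rdata is a name
            names.append(read_name(msg, offset)[0])
        elif rtype == 33 and rdlength > 6:  # SRV: target name follows 6 bytes
            names.append(read_name(msg, offset + 6)[0])
        offset += rdlength
    return names

def type_from_mdns(msg):
    """Device type implied by any name in the message, else None."""
    return next((t for t in map(classify, mdns_names(msg)) if t), None)

def type_from_ssdp(datagram):
    """Classify an SSDP Notify or search response from its header fields."""
    headers = {}
    for line in datagram.decode("utf-8", "replace").split("\r\n")[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().upper()] = value.strip()
    fields = (headers.get(k, "") for k in ("SERVER", "NT", "ST", "USN"))
    return next((t for t in map(classify, fields) if t), None)

# Constructed sample packets (not captured traffic).
MDNS_PRINTER = (struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0)
                + b"\x04_ipp\x04_tcp\x05local\x00"
                + struct.pack("!HHIH", 12, 1, 120, 17)
                + b"\x0eOffice Printer\xc0\x0c")
MDNS_MACBOOK = (struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0)
                + b"\x0eAlices-MacBook\x05local\x00"
                + struct.pack("!HHIH", 1, 0x8001, 120, 4) + bytes([10, 0, 0, 85]))
SSDP_PRINTER = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
                b"SERVER: Linux/3.10 UPnP/1.0 ExamplePrinter/1.2\r\n"
                b"USN: uuid:00000000-0000-0000-0000-000000000009::upnp:rootdevice\r\n\r\n")

if __name__ == "__main__":
    print(type_from_mdns(MDNS_PRINTER), type_from_mdns(MDNS_MACBOOK),
          type_from_ssdp(SSDP_PRINTER))
```

A message that matches no fingerprint returns `None`, which corresponds to the devices whose type the page then infers from the MAC address and the connection graph.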
Next, the broadcast packets in the intranet environment are monitored and parsed. Specifically, the broadcast packets may be ARP packets; the MAC address information of the active devices is obtained from the parsed content, and a device connection relation graph is established. The device connection relation graph is the network connection relation graph of the target surviving devices, which comprise either all active devices and some inactive devices, or all active devices and all inactive devices. The device connection relation graph is built at the same time as the MAC address information of the active devices is obtained from the monitored and parsed broadcast packets. The process of obtaining MAC addresses and establishing the device connection relation graph is described below using ARP broadcast packets as an example.
ARP is a TCP/IP protocol that obtains a physical address (MAC address) from an IP address. ARP communicates by broadcast request and unicast response: when a device in the intranet wants to communicate with another device in the intranet and knows only the other party's IP address but not its MAC address, it must query the MAC address corresponding to that IP by ARP broadcast. The broadcast additionally informs the other hosts in the network of the requester's own MAC address, and at this point the connection relationship between this device and other devices can be obtained. After the device that owns the IP address receives the request, it can reply with the MAC address to the requesting host by unicast. Through this mechanism, this step yields the MAC address information of the active intranet devices and the connection relation graph of the intranet devices.
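The ARP step described above, as an added example that is not part of the patent: it parses overheard Ethernet/ARP frames into an IP-to-MAC table and an undirected connection graph, and lists the addresses that appear only as ARP targets, which are the ones whose MAC address passive listening did not supply. All frames, addresses and function names are constructed assumptions, and VLAN-tagged frames are not handled.

```python
import socket
import struct
from collections import defaultdict

ARP_REQUEST = 1

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack_from("!H", frame, 12)[0] != 0x0806:  # EtherType ARP (untagged)
        return None
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack_from("!6s4s6s4s", frame, 22)
    return oper, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def build_inventory(frames):
    """Fold overheard frames into (ip -> mac table, undirected connection graph)."""
    macs, graph = {}, defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        oper, sender_mac, sender_ip, target_ip = parsed
        if sender_ip == "0.0.0.0":  # address probe: the sender has no IP yet
            continue
        macs[sender_ip] = sender_mac
        # A request for another host's address shows the sender wants to talk to it.
        if oper == ARP_REQUEST and target_ip != sender_ip:  # skip gratuitous ARP
            graph[sender_ip].add(target_ip)
            graph[target_ip].add(sender_ip)
    return macs, {ip: sorted(peers) for ip, peers in graph.items()}

def unresolved(macs, graph):
    """IPs seen only as ARP targets: in the graph, but with no MAC learned passively."""
    return sorted(ip for ip in graph if ip not in macs)

def arp_frame(oper, sender_mac, sender_ip, target_ip):
    """Build a constructed broadcast Ethernet/ARP frame for the sample data below."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    header = b"\xff" * 6 + sha + struct.pack("!H", 0x0806)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return (header + body + sha + socket.inet_aton(sender_ip)
            + b"\x00" * 6 + socket.inet_aton(target_ip))

# Constructed sample capture (not real traffic).
SAMPLE_FRAMES = [
    arp_frame(1, "02:00:00:00:00:05", "10.0.0.5", "10.0.0.9"),
    arp_frame(1, "02:00:00:00:00:07", "10.0.0.7", "10.0.0.5"),
    arp_frame(1, "02:00:00:00:00:07", "10.0.0.7", "10.0.0.7"),  # gratuitous ARP
    arp_frame(1, "02:00:00:00:00:0b", "0.0.0.0", "10.0.0.11"),  # address probe
    b"\xff" * 12 + b"\x08\x00" + b"\x00" * 28,  # IPv4 frame, not ARP
    b"\xff" * 20,  # truncated frame
]

if __name__ == "__main__":
    macs, graph = build_inventory(SAMPLE_FRAMES)
    print(macs, graph, unresolved(macs, graph))
```

In the sample, 10.0.0.9 appears in the graph without a MAC address, matching the page's statement that the graph can contain some inactive devices.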
Once the MAC address information of the active devices has been obtained, the approximate range of each active device's type can largely be determined; combining this with the device types of some active devices and the device connection relation graph then yields the device types of all active devices.
The method for identifying intranet device types provided by the embodiment of the present invention obtains the precise device types of some active devices by monitoring and parsing multicast packets in the intranet environment, obtains the MAC address information of the active devices and the device connection relation graph by monitoring and parsing broadcast packets in the intranet, and infers the device types of all active devices from the precise device types of some active devices together with the MAC address information and the device connection relation graph. Identifying devices by MAC address overcomes the problem that traditional identification methods rely entirely on software information and may therefore make errors: because the MAC address is a hardware attribute of the device and generally cannot be modified, it describes the device's attributes more accurately. Using the behavioral characteristics of device connections as a vector for intranet device identification fully exploits knowledge of the behavioral differences between device types and the service correlations between them, so the type of an unknown device can be determined more effectively.
On the basis of the foregoing embodiment, sending active probe packets to the inactive devices to obtain the MAC addresses of all inactive devices specifically includes:
sending an ARP active probe packet to the inactive devices, and obtaining the first response packet information of the inactive devices;
and obtaining the MAC addresses of all inactive devices from the first response packet information.
More specifically, after sending the ARP active probe packet to the inactive devices and obtaining the first response packet information, the method further includes:
sending an SSDP active probe packet to the inactive devices, and obtaining the second response packet information of the inactive devices;
and obtaining the device types of some inactive devices from the second response packet information.
The packets of an inactive device cannot be passively monitored directly in the intranet, so probing of the inactive devices must be actively initiated. An ARP active probe packet is first sent to all inactive devices; after receiving the active probe packet, an inactive device must respond, and this response is the first response packet. The first response packet information is obtained, and the content of the first response packet is parsed to obtain the MAC addresses of all inactive devices.
Then an SSDP active probe packet is sent to the inactive devices, the second response packet sent by each inactive device is obtained, and the content of the second response packet is parsed to obtain the precise device type of some of the inactive devices.
On the basis of the above embodiment, obtaining the device types of all surviving devices in the intranet environment from the device connection relation graph, the MAC addresses of all active devices and the MAC addresses of all inactive devices specifically includes:
obtaining the first type ranges of all active devices from the MAC addresses of all active devices; inferring the device types of the remaining active devices from the first type ranges, the device types of some active devices and the device connection relation graph;
obtaining the second type ranges of all inactive devices from the MAC addresses of all inactive devices; inferring the device types of the remaining inactive devices from the second type ranges, the device types of some inactive devices and the device connection relation graph.
The previous steps have yielded the MAC addresses of the active and inactive devices, the exact device types of some active devices and some inactive devices, and the connection information among the live intranet devices. MAC addresses are assigned by a single, globally unique authority, and vendors without certification and authorization are not entitled to produce network cards. Each network card has a fixed card number, which any legitimate manufacturer marks directly on the card; it is generally a group of 12 hexadecimal digits, of which the first 6 digits identify the manufacturer of the network card. The vendor of a device can therefore be obtained from its MAC address, and each vendor typically produces devices of certain types, which gives a first type range for the remaining active devices and a second type range for the remaining inactive devices. Here, the remaining active devices are all active devices other than those whose exact device type has already been determined; likewise, the remaining inactive devices are all inactive devices other than those whose exact device type has already been determined.
For example, Hikvision produces video surveillance equipment and TP-Link produces routing equipment, so a rough device type can be inferred from the vendor information. In addition, the type of an unknown device can be inferred indirectly from the exact device types already obtained for some devices and from the connection relationships between devices: a device connected to a printer is generally a host, whereas video surveillance equipment does not form a connection with a printer. The connection information thus allows the device type to be inferred more accurately, and finally all live devices in the intranet and their model information are detected.
In summary, the method for identifying the type of the intranet device in the embodiment of the present invention is specifically as follows:
1. for active devices, multicast packets such as MDNS and SSDP in the intranet environment are monitored and parsed to obtain the exact device type of some of the active devices;
2. for active devices, ARP broadcast packets in the intranet environment are monitored and parsed to obtain the MAC addresses of the active devices and to build the device connection graph;
3. for inactive devices, an ARP active probe packet is sent to them, their first response packet information is obtained, and the MAC addresses of all inactive devices are obtained from the first response packet information;
4. for inactive devices, an SSDP active probe packet is sent to them, their second response packet information is obtained, and the exact device type of some of the inactive devices is obtained from the second response packet information;
5. the device types of the remaining active devices are obtained from the MAC addresses of the active devices, the exact device types of some active devices, and the device connection graph; the device types of the remaining inactive devices are obtained from the MAC addresses of the inactive devices, the exact device types of some inactive devices, and the device connection graph; together these give the device types of all live devices in the intranet environment.
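The inference in steps 1 to 5 can be sketched as follows. This is an added example, not code from the patent: it parses already captured ARP bodies and SSDP messages, builds the connection graph, and narrows each unidentified device using a MAC-prefix table and the printer/host rule stated above. The prefix table, the URN-to-type mapping, all function names and the sample packets are constructed assumptions.

```python
import socket
import struct
from collections import defaultdict

ALL_TYPES = {"host", "printer", "router", "camera"}
# Constructed table: first 6 hex digits of the MAC -> types that vendor is assumed to make.
# The prefixes are locally administered placeholders, not real vendor assignments.
OUI_TYPES = {"02aa01": {"camera"}, "02aa02": {"router"}, "02aa03": {"host", "printer"}}
# Assumed mapping from UPnP device-type URNs in SSDP ST/NT headers to coarse types.
SSDP_TYPES = {"InternetGatewayDevice": "router", "Printer": "printer"}
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def parse_arp(payload):
    """Return (sender_mac, sender_ip, target_ip) for an IPv4/Ethernet ARP body, else None."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return None  # truncated capture
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack_from(ARP_FMT, payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        return None
    return sha.hex(), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)


def parse_ssdp(text):
    """Return the coarse type named by an ST or NT device URN, else None."""
    for line in text.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().upper() in ("ST", "NT"):
            parts = value.strip().split(":")  # urn:<domain>:device:<deviceType>:<version>
            if len(parts) == 5 and parts[0] == "urn" and parts[2] == "device":
                return SSDP_TYPES.get(parts[3])
    return None


def build_inventory(arp_payloads, ssdp_messages):
    """Collect the IP->MAC map, the connection graph and the exactly typed devices."""
    ip_to_mac, seen = {}, []
    for payload in arp_payloads:
        parsed = parse_arp(payload)
        if parsed:
            mac, sender_ip, target_ip = parsed
            if sender_ip != "0.0.0.0":  # address-probe frames carry no usable sender IP
                ip_to_mac[sender_ip] = mac
            seen.append((mac, target_ip))
    graph = defaultdict(set)
    for mac, target_ip in seen:  # resolve edges only after every sender is known
        peer = ip_to_mac.get(target_ip)
        if peer and peer != mac:
            graph[mac].add(peer)
            graph[peer].add(mac)
    exact = {}
    for src_ip, text in ssdp_messages:
        kind = parse_ssdp(text)
        if kind and src_ip in ip_to_mac:
            exact[ip_to_mac[src_ip]] = kind
    return ip_to_mac, graph, exact


def infer_types(macs, graph, exact):
    """Map each MAC to its sorted candidate types; an empty list means conflicting evidence."""
    result = {}
    for mac in macs:
        if mac in exact:
            result[mac] = [exact[mac]]
            continue
        candidates = set(OUI_TYPES.get(mac[:6], ALL_TYPES))
        neighbour_types = {exact[n] for n in graph.get(mac, ()) if n in exact}
        if "printer" in neighbour_types:  # rule from the text: printer peers are hosts, not cameras
            candidates.discard("camera")
            if "host" in candidates:
                candidates = {"host"}
        result[mac] = sorted(candidates)
    return result


def identify(arp_payloads, ssdp_messages):
    ip_to_mac, graph, exact = build_inventory(arp_payloads, ssdp_messages)
    return infer_types(sorted(set(ip_to_mac.values())), graph, exact)


def make_arp(oper, sha, spa, tpa, tha="000000000000"):
    """Build a constructed ARP body for the sample data below."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, bytes.fromhex(sha),
                       socket.inet_aton(spa), bytes.fromhex(tha), socket.inet_aton(tpa))


# Constructed sample capture (documentation address range 192.0.2.0/24).
SAMPLE_ARP = [
    make_arp(1, "02aa03000002", "192.0.2.20", "192.0.2.10"),  # unknown device asks for the printer
    make_arp(2, "02aa03000001", "192.0.2.10", "192.0.2.20", "02aa03000002"),
    make_arp(1, "02aa01000001", "192.0.2.30", "192.0.2.1"),   # unknown device asks for the router
    make_arp(2, "02aa02000001", "192.0.2.1", "192.0.2.30", "02aa01000001"),
    make_arp(2, "02aa09000001", "192.0.2.40", "192.0.2.99"),  # first response packet to an ARP probe
    b"\x00\x01\x08\x00",                                      # truncated frame, ignored
]
SAMPLE_SSDP = [
    ("192.0.2.10", "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                   "NT: urn:schemas-upnp-org:device:Printer:1\r\nNTS: ssdp:alive\r\n\r\n"),
    ("192.0.2.1", "HTTP/1.1 200 OK\r\n"
                  "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"),
]

if __name__ == "__main__":
    for mac, types in identify(SAMPLE_ARP, SAMPLE_SSDP).items():
        print(mac, types)
```

A device whose prefix is unknown and which has no identified neighbours keeps the full candidate set, and an empty list marks a device whose MAC prefix and connections disagree, which is worth a manual check.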
The intranet device type identification method provided by this embodiment takes full account of the network characteristics of a local area network and uses lightweight LAN protocols for device identification, which effectively reduces system overhead. For active devices, device attributes are identified by passively monitoring multicast or broadcast packets. For inactive devices, active probing is used, and device attributes are identified from the response packets of the inactive devices and the connection relationships between devices. Because active and passive techniques work together, device types can be identified by sending only a small number of packets into the intranet, which reduces how often probe packets are sent to the target network over the whole detection process and effectively reduces interference with the target network.
The flow of the solution of the embodiment of the present invention will be described in more detail below with reference to the accompanying drawings.
Fig. 6 is a schematic diagram of an intranet device type identification method according to an embodiment of the present invention. As shown in Fig. 6, the method includes:
601, performing device identification on the selected target network;
602, for active devices, passively monitoring specific protocol packets in the intranet environment, where the specific protocol packets include MDNS and SSDP multicast packets and ARP broadcast packets;
603, for inactive devices, initiating ARP active probing;
604, for inactive devices, initiating SSDP active probing;
605, obtaining the exact type of some of the active devices from the MDNS and SSDP passive monitoring in step 602, and obtaining the MAC addresses of the active devices from the ARP passive monitoring in step 602;
606, obtaining the device connection graph from the ARP passive monitoring in step 602;
607, obtaining the MAC addresses of the inactive devices from the ARP active probing in step 603, and obtaining the exact device type of some of the inactive devices from the SSDP active probing in step 604;
608, obtaining the device types of the remaining active devices from the MAC addresses of the active devices, the exact device types of some active devices, and the device connection relationships;
609, obtaining the device types of the remaining inactive devices from the MAC addresses of the inactive devices, the exact device types of some inactive devices, and the device connection relationships;
610, combining the results of steps 608 and 609 to obtain the device types of all live devices.
Fig. 7 is a schematic structural diagram of an intranet device type identification apparatus according to an embodiment of the present invention. As shown in Fig. 7, it includes a passive monitoring module 71, an active probing module 72 and an identification module 73. The passive monitoring module 71 is configured to parse, for all live devices in the intranet environment, the monitored specific protocol packets to obtain the MAC addresses of all active devices and a device connection graph; the device connection graph is a network connection graph of the target live devices, where the target live devices comprise all active devices and some inactive devices, or all active devices and all inactive devices. The active probing module 72 is configured to send an active probe packet to the inactive devices to obtain the MAC addresses of all inactive devices. The identification module 73 is configured to obtain the device types of all live devices in the intranet environment from the device connection graph, the MAC addresses of all active devices, and the MAC addresses of all inactive devices.
The passive monitoring module 71 passively monitors specific protocol packets, that is, it listens for protocol packets sent by active devices. By parsing the content of these packets, the passive monitoring module 71 can acquire the MAC addresses of the active devices and build the device connection graph. The device connection graph is a network connection graph of the target live devices, where the target live devices comprise all active devices and some inactive devices, or all active devices and all inactive devices.
Since passive monitoring can only obtain the MAC addresses of active devices and not those of inactive devices, active probing has to be initiated toward the inactive devices. The active probing module 72 sends an active probe packet, such as an ARP active probe packet, to an inactive device; the inactive device answers with a response packet, and the active probing module 72 parses the content of the response packet to obtain the MAC address of the inactive device.
After the MAC addresses of the active and inactive devices have been obtained, the identification module 73 can obtain the device types of all live devices in the intranet environment by combining them with the device connection graph. Specifically, the identification module 73 can derive the approximate device type of an active device from its MAC address and then determine the device type further using the device connection graph. MAC addresses are assigned by a single, globally unique authority, and vendors without certification and authorization are not entitled to produce network cards. Each network card has a fixed card number, which any legitimate manufacturer marks directly on the card; it is generally a group of 12 hexadecimal digits, of which the first 6 digits identify the manufacturer of the network card. The vendor of a device can therefore be obtained from its MAC address, and each vendor typically produces devices of certain types; for example, Hikvision produces video surveillance equipment and TP-Link produces routing equipment, so a rough device type can be inferred from the vendor information. In addition, the type of an unknown device can be inferred indirectly from the connection relationships obtained between devices: a device connected to a printer is generally a host, whereas video surveillance equipment does not form a connection with a printer. The connection information thus allows the device type to be inferred more accurately, and finally all live devices in the intranet and their model information are detected.
The apparatus provided in the embodiment of the present invention is used for executing the above method embodiments, and for detailed descriptions and specific processes, reference is made to the above method embodiments, which are not described herein again.
The intranet device type identification apparatus provided by this embodiment takes full account of the network characteristics of a local area network and uses lightweight LAN protocols for device identification, which effectively reduces system overhead. For active devices, device attributes are identified by passively monitoring multicast or broadcast packets. For inactive devices, active probing is used, and device attributes are identified from the response packets of the inactive devices and the connection relationships between devices. Because active and passive techniques work together, device types can be identified by sending only a small number of packets into the intranet, which reduces how often probe packets are sent to the target network over the whole detection process and effectively reduces interference with the target network.
Fig. 8 illustrates the physical structure of an intranet device type identification device. As shown in Fig. 8, the electronic device may include a processor 81, a communications interface 82, a memory 83 and a bus 84, where the processor 81, the communications interface 82 and the memory 83 communicate with one another through the bus 84. The bus 84 may be used for information transfer between the intranet device type identification device and the live intranet devices. The processor 81 may call logic instructions in the memory 83 to perform the following method: for all live devices in the intranet environment, parsing the monitored specific protocol packets to obtain the MAC addresses of all active devices and a device connection graph, where the device connection graph is a network connection graph of the target live devices and the target live devices comprise all active devices and some inactive devices, or all active devices and all inactive devices; sending an active probe packet to the inactive devices to acquire the MAC addresses of all inactive devices; and acquiring the device types of all live devices in the intranet environment from the device connection graph, the MAC addresses of all active devices, and the MAC addresses of all inactive devices.
In addition, when the logic instructions in the memory 83 are implemented as software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied as a software product that is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
An embodiment of the present invention provides a non-transitory computer-readable storage medium that stores computer instructions, and the computer instructions cause a computer to execute the intranet device type identification method provided in the foregoing embodiment, the method including: for all live devices in the intranet environment, parsing the monitored specific protocol packets to obtain the MAC addresses of all active devices and a device connection graph, where the device connection graph is a network connection graph of the target live devices and the target live devices comprise all active devices and some inactive devices, or all active devices and all inactive devices; sending an active probe packet to the inactive devices to acquire the MAC addresses of all inactive devices; and acquiring the device types of all live devices in the intranet environment from the device connection graph, the MAC addresses of all active devices, and the MAC addresses of all inactive devices.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. Various modifications and additions may be made to the described embodiments by those skilled in the art without departing from the spirit of the invention or exceeding the scope as defined in the appended claims.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (9)

1. An intranet equipment type identification method is characterized by comprising the following steps:
analyzing according to the monitored specific protocol packet based on all the survival equipment in the intranet environment to obtain Mac addresses of all the active equipment and an equipment connection relation graph; the device connection relation graph is a network connection relation graph of a target survival device, wherein the target survival device comprises all active devices and part of inactive devices or all active devices and all inactive devices;
sending an active probing packet to the inactive devices to acquire Mac addresses of all the inactive devices;
acquiring the device types of all the survival devices in the intranet environment according to the device connection relation diagram, the Mac addresses of all the active devices and the Mac addresses of all the inactive devices;
analyzing according to the monitored specific protocol packet to obtain Mac addresses of all active devices and a device connection relation graph, wherein the method specifically comprises the following steps:
monitoring and analyzing the multicast data packet in the intranet environment, and acquiring the equipment type of partial active equipment according to the analysis result;
monitoring and analyzing the broadcast data packet in the intranet environment, acquiring Mac address information of all active devices according to an analysis result, and establishing a device connection relation graph.
2. The method of claim 1, wherein the multicast data packet is an MDNS data packet and/or an SSDP data packet.
3. The method of claim 1, wherein the broadcast packet is an ARP packet.
4. The method of claim 1, wherein sending an active probing packet to the inactive devices to obtain Mac addresses of all inactive devices specifically comprises:
an ARP active detection packet is sent to the inactive equipment, and first response packet information of the inactive equipment is obtained;
and obtaining Mac addresses of all the inactive devices according to the first response packet information.
5. The method of claim 4, wherein after said sending an ARP active probing packet to said inactive device, obtaining said first response packet information, said method further comprises:
sending an SSDP active detection packet to the inactive equipment, and acquiring second response packet information of the inactive equipment;
and obtaining the device type of the partial inactive device according to the second response packet information.
6. The method according to claim 5, wherein the obtaining device types of all surviving devices in the intranet environment according to the device connection relationship diagram, the Mac addresses of all active devices, and the Mac addresses of all inactive devices specifically includes:
obtaining first type ranges of all active devices according to the Mac addresses of all the active devices; inferring the device types of the residual active devices according to the first type range, the device types of the partial active devices and the device connection relation diagram;
obtaining second type ranges of all the inactive devices according to the Mac addresses of all the inactive devices; inferring device types of remaining inactive devices from the second type range, device types of the partially inactive devices, and the device connectivity map.
7. An intranet equipment type recognition device, comprising:
the passive monitoring module is used for analyzing all the survival equipment in the intranet environment according to the monitored specific protocol packet to obtain Mac addresses of all the active equipment and an equipment connection relation graph; the device connection relation graph is a network connection relation graph of a target survival device, wherein the target survival device comprises all active devices and part of inactive devices or all active devices and all inactive devices;
the active detection module is used for sending an active detection packet to the inactive equipment so as to acquire Mac addresses of all the inactive equipment;
the identification module is used for acquiring the device types of all the survival devices in the intranet environment according to the device connection relation diagram, the Mac addresses of all the active devices and the Mac addresses of all the inactive devices;
analyzing according to the monitored specific protocol packet to obtain Mac addresses of all active devices and a device connection relation graph, wherein the method specifically comprises the following steps:
monitoring and analyzing the multicast data packet in the intranet environment, and acquiring the equipment type of partial active equipment according to the analysis result;
monitoring and analyzing the broadcast data packet in the intranet environment, acquiring Mac address information of all active devices according to an analysis result, and establishing a device connection relation graph.
8. The type identification equipment of the intranet equipment is characterized by comprising a memory and a processor, wherein the processor and the memory are communicated with each other through a bus; the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of any of claims 1 to 6.
9. A non-transitory computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the intranet device type identification method according to any one of claims 1 to 6.
CN201810772584.2A 2018-07-13 2018-07-13 Intranet equipment type identification method and device Active CN108900351B (en)


Publications (2)

Publication Number Publication Date
CN108900351A CN108900351A (en) 2018-11-27
CN108900351B true CN108900351B (en) 2020-11-27




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant