CN109104395A - The method and apparatus of internet assets scanning discovery and service identification - Google Patents
Publication number: CN109104395A (application CN201710475038.8A)
Authority: CN (China)
Legal status: Granted
Classification: H04L63/1433 (H04L63/00 network architectures or protocols for network security; H04L63/14 detecting or protecting against malicious traffic; vulnerability analysis)
Abstract
This application provides a method and apparatus for internet asset scanning discovery and service identification. The method is executed by a computer that is connected to the internet and provided with a scanning pool, and comprises: determining an idle node on the internet; sending a disguised scan packet to the internet asset corresponding to an IP address in the scanning pool, and caching locally the IP address and port of that internet asset; then sending a session confirmation packet to the idle node; receiving, asynchronously, the feedback packet returned by the idle node; determining from the local cache which internet asset the feedback packet corresponds to, and judging from the identity recognition number in the feedback packet whether the port of the internet asset is open; and, if the port of the internet asset is open, identifying the service provided by the internet asset according to a preset port-to-service feature correspondence library. By these means the application can substantially improve the efficiency of internet asset scanning.
Description
Technical field
This application relates to the technical field of computer networks, and in particular to a method and apparatus for internet asset scanning discovery and service identification.
Background art
With the development of internet technology, more and more services are deployed on the internet. As internet assets grow, the security risks faced by enterprises grow with them, and strengthening the risk management of internet assets becomes a major challenge for security administrators: the assets an enterprise exposes on the internet are often the primary target of attackers.
Network asset scanning and service identification is a technique for detecting hidden security dangers in local and remote computer systems. It sends probe packets to local or remote hosts, obtains the hosts' responses and analyses the packets the hosts return, thereby learning which host ports are open and what services the hosts provide. This helps to find weaknesses and vulnerabilities of the hosts, improve network security and guard against attacks.
Existing network asset scanning and service identification is mainly performed with open-source tools and includes ICMP (Internet Control Message Protocol) liveness detection, port liveness detection, open-port service detection and so on. Its purpose is to discover the specific assets exposed on the internet and the services those assets expose, so that they can be hardened or blocked in time and the security of assets and services can be ensured. However, existing tools cannot improve efficiency and accuracy at the same time and do not achieve efficient, precise scanning; moreover, the open-source scanning tools themselves may contain security vulnerabilities, and the user experience is poor.
Summary of the invention
The application provides a method and apparatus for internet asset scanning discovery and service identification, to solve the problem that the prior art cannot scan for and discover internet assets efficiently and accurately.
In the method for internet asset scanning discovery and service identification disclosed in the application, the executing subject is a computer connected to the internet. The computer is provided with a scanning pool in which the IP addresses, an IP address range or multiple IP address ranges of the assets to be scanned are preset. The method comprises: determining the IP address of an idle node on the internet; sending a disguised scan packet to the internet asset corresponding to an IP address in the scanning pool, and caching locally the IP address and port of that internet asset, where the source address of the scan packet is the IP address of the idle node; then sending a session confirmation packet to the idle node; receiving asynchronously the feedback packet returned by the idle node, where the scan packet, the session confirmation packet and the feedback packet all carry the port of the internet asset and an identity recognition number; determining from the local cache which internet asset the feedback packet corresponds to, and judging from the identity recognition number carried in the feedback packet whether the corresponding port of the internet asset is open; and, if the corresponding port of the internet asset is open, identifying the service provided by the internet asset according to a preset port-to-service feature correspondence library.
Preferably, the method further comprises: repeating the above asset scanning and service identification steps until the scanning and service identification of the internet assets corresponding to all IP addresses in the scanning pool has been completed.
Preferably, sending the disguised scan packet to the internet asset corresponding to an IP address in the scanning pool specifically comprises: sending disguised scan packets to multiple internet assets concurrently; and/or identifying the service provided by the internet asset according to the preset port-to-service feature correspondence library specifically comprises: saving the IP addresses of the above internet assets and their open ports in a local buffer, and identifying the services provided by the internet assets concurrently.
Preferably, before sending disguised scan packets to multiple internet assets concurrently, the method further comprises: discretely partitioning the IP address ranges in the scanning pool, so that the assets of the same IP address range are not scanned at the same time.
Preferably, the method further comprises: controlling the sending rate of scan packets according to how feedback packets are being received.
Preferably, before identifying the service provided by the internet asset according to the preset port-to-service feature correspondence library, the method further comprises: establishing a port blacklist to exclude internet asset ports that need not be identified.
Preferably, after identifying the service provided by the internet asset according to the port-to-service feature correspondence library, the method further comprises: for a service that cannot be identified from the port-to-service feature correspondence, performing fuzzy identification of the service signature information returned by the internet asset on the basis of a preset basic service feature library; and having a probe group schedule the corresponding probe according to the content of the fuzzy identification to identify the service precisely, where a probe comprises initiating a command directed at the service, capturing the command's echo and matching the echoed message against a regular expression.
Preferably, the method further comprises: automatically updating the preset port-to-service feature correspondence library according to the service-to-interface correspondence precisely identified by the probe group.
The apparatus for internet asset scanning discovery and service identification disclosed in the application comprises: a scanning pool, in which the IP addresses, an IP address range or multiple IP address ranges of the assets to be scanned are preset; an idle node determining module, for determining the IP address of an idle node on the internet; a first scanning initiation module, for sending a disguised scan packet to the internet asset corresponding to an IP address in the scanning pool and caching locally the IP address and port of that internet asset, where the source address of the scan packet is the IP address of the idle node; a second scanning initiation module, for sending a session confirmation packet to the idle node after the first scanning initiation module has sent the scan packet to the internet asset; a feedback packet receiving module, for receiving asynchronously the feedback packet returned by the idle node, where the scan packet, the session confirmation packet and the feedback packet all carry the port of the internet asset and an identity recognition number; a port status judgment module, for determining from the local cache which internet asset the feedback packet corresponds to and judging from the identity recognition number carried in the feedback packet whether the corresponding port of the internet asset is open; and a first service identification module, for identifying, when the corresponding port of the internet asset is open, the service provided by the internet asset according to a preset port-to-service feature correspondence library.
Preferably, the apparatus further comprises a loop control module, for repeatedly scheduling the first scanning initiation module, the second scanning initiation module, the feedback packet receiving module, the port status judgment module and the first service identification module to scan and identify the internet assets corresponding to the IP addresses in the scanning pool, until the scanning and service identification of the internet assets corresponding to all IP addresses in the scanning pool has been completed.
Preferably, the first scanning initiation module sends the disguised scan packets as follows: sending disguised scan packets to multiple internet assets concurrently; and/or the first service identification module identifies the services provided by the internet assets as follows: saving the IP addresses of the above internet assets and their open ports in a local buffer, and identifying the services provided by the internet assets concurrently.
Preferably, the scanning pool is further used to discretely partition the IP address ranges it contains before the first scanning initiation module sends disguised scan packets to multiple internet assets concurrently, so that the assets of the same IP address range are not scanned at the same time; and/or the loop control module is further used to control the sending rate of scan packets according to how feedback packets are being received.
Preferably, the apparatus further comprises: a blacklist establishing module, for establishing a port blacklist to exclude internet asset ports that need not be identified; and a second service identification module, for performing fuzzy identification of the service signature information returned by the internet asset on the basis of a preset basic service feature library, and for having the probe group schedule the corresponding probe according to the content of the fuzzy identification to identify the service precisely, where a probe comprises initiating a command directed at the service, capturing the command's echo and matching the echoed message against a regular expression.
Preferably, the apparatus further comprises a feature library update module, for automatically updating the preset port-to-service feature correspondence library according to the service-to-interface correspondence precisely identified by the probe group.
Compared with the prior art, the application has the following advantages:
By disguising the scan packets as coming from an idle node, the preferred embodiment of the application sends scan packets to the internet assets to be scanned in a stateless, connectionless form. This occupies no TCP/IP protocol stack resources, requires no connection-request (SYN), response (ACK) or connection-close (FIN) state to be kept, and avoids the network overhead caused by the background traffic of other applications, so the efficiency of internet asset scanning can be greatly improved. By caching the IP addresses and port information of the internet assets, and by storing the necessary information in the scan packets themselves, asynchronous scanning and identification of the services the assets provide are supported (after a feedback packet has been received asynchronously, the corresponding internet asset can be identified from the necessary information stored in the packet), so that verification accuracy is ensured on the basis of high scanning and identification efficiency.
Brief description of the drawings
The drawings are only for the purpose of illustrating preferred embodiments and are not to be considered a limitation of the application. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 is a flow chart of a first embodiment of the method for internet asset scanning discovery and service identification of the application;
Fig. 2 is a flow chart of a second embodiment of the method for internet asset scanning discovery and service identification of the application;
Fig. 3 is a structural schematic diagram of an embodiment of the apparatus for internet asset scanning discovery and service identification of the application.
Specific embodiment
To make the above objects, features and advantages of the application clearer, the application is described in further detail below with reference to the drawings and specific embodiments.
In the description of the application, it is to be understood that the terms "first" and "second" are used for descriptive purposes only and are not to be interpreted as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Thus a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. "Plurality" means two or more, unless specifically defined otherwise. The terms "include", "comprise" and similar terms are to be understood as open-ended, i.e. "including/comprising but not limited to". The term "based on" means "based at least in part on". The term "embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one other embodiment". Relevant definitions of other terms are given in the description below.
Referring to Fig. 1, which shows the flow of a first embodiment of the method for internet asset scanning discovery and service identification of the application, the executing subject is a computer connected to the internet. The computer is provided with a scanning pool in which the IP addresses, an IP address range or multiple IP address ranges of the assets to be scanned are preset. This preferred method embodiment comprises the following steps:
S103: determining the IP address of an idle node on the internet.
S105: sending a disguised scan packet to the internet asset corresponding to an IP address in the scanning pool, and caching locally the IP address and port of that internet asset.
The source address of the scan packet is the IP address of the idle node.
S107: sending a session confirmation packet to the idle node.
S109: receiving asynchronously the feedback packet returned by the idle node.
The scan packet, the session confirmation packet and the feedback packet all carry the port of the internet asset and an identity recognition number.
S111: determining from the local cache which internet asset the feedback packet corresponds to.
S113: judging from the identity recognition number carried in the feedback packet whether the corresponding port of the internet asset is open; if so, going to step S115; if not, ending the process.
S115: identifying the service provided by the internet asset according to a preset port-to-service feature correspondence library.
Referring to Fig. 2, which shows the flow of a second embodiment of the method for internet asset scanning discovery and service identification of the application, the executing subject is a computer connected to the internet, and this method embodiment comprises:
S101: writing the IP addresses, IP address range or multiple IP address ranges of the assets to be scanned into the scanning pool.
S103: determining the IP address of an idle node on the internet.
S105: sending a disguised scan packet to the internet asset corresponding to an IP address in the scanning pool, and caching locally the IP address and port of that internet asset.
Here the source address of the scan packet is the IP address of the idle node, and the scan packet carries the port of the internet asset and an identity recognition number.
In a specific implementation, to further increase scanning efficiency, disguised scan packets can be sent to multiple internet assets concurrently. For example, a single thread can monitor resource utilisation such as the CPU of the scanning computer and dynamically control the number of concurrent scanning threads according to that utilisation, keeping the scanning machine at its peak utilisation.
S107: then sending a session confirmation packet to the idle node.
The session confirmation packet carries the port of the internet asset and an identity recognition number. Note that step S107 must be performed after step S105.
S109: receiving asynchronously the feedback packet returned by the idle node.
The feedback packet carries the port of the internet asset and an identity recognition number.
S111: determining from the local cache which internet asset the feedback packet corresponds to.
S113: judging from the identity recognition number carried in the feedback packet whether the corresponding port of the internet asset is open; if so, going to step S115; otherwise, going to step S117.
S115: identifying the service provided by the internet asset according to a preset port-to-service feature correspondence library.
In a specific implementation, the port-to-service feature correspondence library can be preset, for example: port 21 for the File Transfer Protocol (FTP) service, port 22 for the Secure Shell (SSH) service, port 25 for the Simple Mail Transfer Protocol (SMTP) service, port 23 for the remote terminal protocol (Telnet) service, port 110 for the Post Office Protocol Version 3 (POP3) service, and so on.
In a specific implementation, to further increase service identification efficiency, the IP addresses of the above internet assets and their open ports can be saved in a local buffer, and the services provided by the internet assets identified concurrently. For example, the number of concurrent service identification threads can be controlled dynamically according to resource utilisation such as the CPU of the computer, to improve the computer's utilisation.
S117: judging whether all IP addresses and their ports in the scanning pool have been scanned; if so, ending the process; otherwise, going to step S105 to perform a new round of scanning and service identification for further IP addresses and ports.
Here, to prevent continuous scanning from triggering the defence systems of the internet assets themselves, in the case of an IP address range or multiple IP address ranges a step S104 can be included before the disguised scan packets are sent concurrently to multiple internet assets (i.e. before step S105): discretely partitioning the IP address ranges in the scanning pool, so that the assets of the same IP address range are not scanned at the same time.
In addition, the sending rate of scan packets can be controlled according to how feedback packets are being received, which makes it possible to control network traffic while maintaining scanning efficiency and identification accuracy.
The principle by which this method embodiment judges whether the corresponding port of an internet asset is open is as follows. Every IP packet on the internet carries an identification number (IPID), and an ordinary operating system simply increments this identifier, so by analysing the most recent IPID one can work out how many packets an internet node has sent in the meantime. This is illustrated below.
Assume that internet node Z is idle, i.e. it is not communicating with any other node. A session confirmation packet (SYN/ACK) is sent to node Z. Since node Z never sent a connection request packet (SYN) to the executing subject of this embodiment (call it node T), on receiving the SYN/ACK packet node Z returns a reset packet (RST) to node T; the IPID in this RST packet is assumed to be 31311.
When node T produces a SYN packet disguised with the IP address of node Z and sends it to a port (say port 21) of the real host A to be scanned, host Z does not know that someone has sent a packet in its name, and its IPID is not affected. Node T then sends another SYN/ACK packet to node Z, and node Z returns another RST packet; from the IPID in this RST packet the open state of port 21 of host A can be determined, as follows:
When port 21 of host A is open, host A receives node T's SYN packet and, because port 21 is open, replies with a SYN/ACK packet. Because the source IP of the SYN packet was the IP address of node Z, host A sends this SYN/ACK packet to node Z. When node Z receives it, it has never sent a connection request (i.e. a SYN) to port 21 of host A, so it sends a RST packet to host A, and the communication between host A and node Z ends. When node Z actively sends this RST packet, its IPID is automatically incremented by one (the IPID in this RST packet is 31312). Therefore, when node T later sends a SYN/ACK packet to node Z, the IPID in the RST packet returned by node Z becomes 31313.
When port 21 of host A is closed or filtered, host A receives node T's SYN packet and, because the port is closed or filtered, replies with a RST packet, and this RST packet is sent to node Z. Since node Z never sent a SYN packet, it simply discards the RST packet it receives. Z sends no packet of its own during this, so when node T later sends a SYN/ACK packet to node Z, the IPID in the RST packet returned by node Z becomes 31312.
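The walk-through above as an in-process simulation, added here and not part of the patent: three Python objects play T, Z and A and no packet leaves the process. The IPID start value 31311, port 21 and the baseline SYN/ACK probe follow the description; the token that T places in its own probes so that Z's asynchronous RST can be matched to a cache entry, the addresses, and the "busy Z" case are assumptions. The busy case makes explicit what the text leaves implicit: once the idle node sends anything of its own, the IPID difference says nothing about A's port, which is why the idle-node choice in S103 matters and why hosts with per-destination or randomised IPIDs defeat the technique.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str        # "SYN", "SYN/ACK" or "RST"
    ipid: int = 0
    token: int = 0    # T's own source port, echoed back in Z's RST (assumed correlation key)


class IdleNode:
    """Node Z: never initiates connections; answers an unsolicited SYN/ACK with a RST.
    Its IPID is one global counter that grows by one per packet sent, the behaviour
    the description assumes for an 'ordinary operating system'."""

    def __init__(self, ip, ipid):
        self.ip, self.ipid = ip, ipid

    def send(self, dst, flags, token=0):
        self.ipid += 1
        return Packet(self.ip, dst, 0, flags, self.ipid, token)

    def receive(self, pkt):
        if pkt.flags == "SYN/ACK":          # no SYN was ever sent for this: reset the sender
            return self.send(pkt.src, "RST", pkt.token)
        return None                         # a stray RST is discarded, nothing is sent


class Asset:
    """Host A: replies SYN/ACK on an open port and RST on a closed or filtered one,
    exactly as the description states (a really filtered port usually stays silent)."""

    def __init__(self, ip, open_ports):
        self.ip, self.open_ports = ip, set(open_ports)

    def receive(self, pkt):
        if pkt.flags != "SYN":
            return None
        reply = "SYN/ACK" if pkt.dport in self.open_ports else "RST"
        return Packet(self.ip, pkt.src, 0, reply)   # addressed to the spoofed source, i.e. Z


def classify(ipid_before, ipid_after):
    """Delta between the IPIDs of Z's two RSTs to T: 2 means A made Z send a packet
    (open), 1 means Z sent nothing in between (closed or filtered); anything else
    means Z was not idle, so the probe tells us nothing about A."""
    return {1: "closed", 2: "open"}.get(ipid_after - ipid_before, "indeterminate")


def idle_scan(scanner_ip, z, a, ports, noise=0):
    """Run S105..S113 against asset `a` through idle node `z` for each port.
    `noise` is the number of packets Z sends on its own between the two probes,
    i.e. background traffic that violates the idle assumption."""
    cache = {}                 # token -> (asset ip, port): the local cache of S105
    results = {}
    for token, port in enumerate(ports, start=40000):
        cache[token] = (a.ip, port)
        # baseline SYN/ACK probe, as in the description: learn Z's current IPID
        before = z.receive(Packet(scanner_ip, z.ip, 0, "SYN/ACK", token=token)).ipid
        # S105: SYN to A disguised with Z's address; A's reply goes to Z, never to T
        z.receive(a.receive(Packet(z.ip, a.ip, port, "SYN")))
        for _ in range(noise):
            z.send("203.0.113.9", "SYN/ACK")            # constructed background traffic
        # S107/S109: session confirmation to Z; the RST comes back carrying our token
        rst = z.receive(Packet(scanner_ip, z.ip, 0, "SYN/ACK", token=token))
        asset_ip, asset_port = cache.pop(rst.token)      # S111: correlate via the cache
        results[(asset_ip, asset_port)] = (classify(before, rst.ipid), before, rst.ipid)
    return results


def demo():
    """Scenario of the description: Z's first RST carries IPID 31311, port 21 of A is open."""
    z = IdleNode("192.0.2.10", 31310)                    # constructed documentation addresses
    a = Asset("198.51.100.5", open_ports={21})
    quiet = idle_scan("192.0.2.1", z, a, [21, 23])
    noisy = idle_scan("192.0.2.1", IdleNode("192.0.2.11", 100), a, [21], noise=3)
    return quiet, noisy


if __name__ == "__main__":
    for label, res in zip(("idle Z", "busy Z"), demo()):
        for (ip, port), (state, first, last) in res.items():
            print(f"{label}: {ip}:{port} {state} (IPID {first} -> {last})")
```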
In another method embodiment, to further increase service identification efficiency, there is no need to waste system resources on scanning and identifying certain known ports that are of no interest, such as the ports of driver-class devices (including cameras and printers) and network ports such as 80 and 443. For this purpose, a step S114 can be included before step S115: establishing a port blacklist to exclude internet asset ports that need not be scanned or identified.
In yet another method embodiment, services that cannot be identified from the port-to-service feature correspondence can be identified further by establishing a basic service feature library and probe groups. Specifically, after step S115 the method may comprise:
S116-1: for a service that cannot be identified from the port-to-service feature correspondence, performing fuzzy identification of the service signature information returned by the internet asset on the basis of a preset basic service feature library.
S116-2: having the probe group schedule the corresponding probe according to the content of the fuzzy identification to identify the service precisely; a probe comprises initiating a command directed at the service, capturing the command's echo and matching the echoed message against a regular expression.
A probe is a set of detection actions, and a probe group is a set of probes; for a specific fuzzy identification result, a specified class of probes can be scheduled to initiate commands, capture the detailed echo and match the specified information against regular expressions. The echo of each probe has its own unique identifier, and the probe group can listen asynchronously: while probing services concurrently, for each returned result the probe group schedules the corresponding probe to carry out the next processing step, until the precise identification required by a preset strategy is satisfied.
S116-3: automatically updating the preset port-to-service feature correspondence library according to the service-to-interface correspondence precisely identified by the probe group.
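Steps S114 through S116-3 as one pipeline, added here as an illustration and not code from the patent: the five port-to-service pairs and the blacklisted ports 80 and 443 come from the description; the basic feature library, the probes' commands and regular expressions, the FakeAsset stand-in and its banners are constructed assumptions.

```python
import re

# Preset port-to-service feature correspondence library (S115); pairs from the description
PORT_SERVICE_LIBRARY = {21: "ftp", 22: "ssh", 25: "smtp", 23: "telnet", 110: "pop3"}

# Port blacklist (S114): ports excluded from scanning and identification
PORT_BLACKLIST = {80, 443}

# Basic service feature library (S116-1), constructed: banner keyword -> service family
BASIC_FEATURE_LIBRARY = {"ssh-": "ssh", "ftp": "ftp", "esmtp": "smtp", "+ok": "pop3", "mysql": "mysql"}

# Probe group (S116-2), constructed: per family, the command to initiate and the
# regular expression applied to its echo; the named group is the precise product
PROBE_GROUP = {
    "ssh": (b"", re.compile(r"^SSH-2\.0-(?P<product>\S+)", re.M)),
    "ftp": (b"SYST\r\n", re.compile(r"^215 (?P<product>\S+)", re.M)),
    "smtp": (b"EHLO probe.example\r\n", re.compile(r"^250-(?P<product>\S+)", re.M)),
}


class FakeAsset:
    """Stand-in for the asset's network side: exchange(port, command) returns the echo a
    real service would send. All responses are constructed sample data."""

    def __init__(self, responses):
        self.responses = responses

    def exchange(self, port, command):
        return self.responses.get(port, {}).get(command, b"")


def fuzzy_identify(banner):
    """S116-1: map service signature text to a family via the basic feature library."""
    text = banner.decode("latin-1").lower()
    for keyword, family in BASIC_FEATURE_LIBRARY.items():
        if keyword in text:
            return family
    return None


def probe_identify(asset, port, family):
    """S116-2: schedule the family's probe, capture its echo and regex-match it."""
    if family not in PROBE_GROUP:
        return None
    command, pattern = PROBE_GROUP[family]
    match = pattern.search(asset.exchange(port, command).decode("latin-1"))
    return match.group("product") if match else None


def identify_service(asset, port, library):
    """Whole pipeline for one open port; `library` is extended in place by S116-3."""
    if port in PORT_BLACKLIST:
        return {"method": "blacklist", "service": None, "product": None}
    if port in library:
        return {"method": "library", "service": library[port], "product": None}
    family = fuzzy_identify(asset.exchange(port, b""))
    if family is None:
        return {"method": "unknown", "service": None, "product": None}
    product = probe_identify(asset, port, family)
    if product is None:
        return {"method": "fuzzy", "service": family, "product": None}
    library[port] = family          # S116-3: a precise result updates the library
    return {"method": "probe", "service": family, "product": product}


def demo():
    """Constructed asset running services on non-standard ports plus one blacklisted port."""
    asset = FakeAsset({
        2222: {b"": b"SSH-2.0-OpenSSH_8.9\r\n"},
        2121: {b"": b"220 FTP service ready\r\n", b"SYST\r\n": b"215 UNIX Type: L8\r\n"},
        3306: {b"": b"\x4a\x00\x00\x00\x0a8.0.33-mysql\x00"},
    })
    library = dict(PORT_SERVICE_LIBRARY)
    ports = (22, 443, 2222, 2121, 3306, 2222)   # 2222 twice: the second pass hits the updated library
    results = [(p, identify_service(asset, p, library)) for p in ports]
    return results, library


if __name__ == "__main__":
    results, library = demo()
    for port, verdict in results:
        print(port, verdict)
    print("library now:", library)
```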
In addition, after scanning has finished, the scan information can be passed to a specified application programming interface (API) to be received and saved, or pushed directly to a cache server for data analysis and recording; at the same time, port liveness can be scanned and identified periodically for use in service discovery.
For the sake of simplicity, the method embodiments described above are all presented as a series of action combinations. Those skilled in the art should be aware, however, that the application is not limited by the described order of actions, because according to the application certain steps may be performed in another order or simultaneously. Secondly, those skilled in the art should also know that the method embodiments described above are preferred embodiments, and the actions and modules involved are not necessarily required by the application.
Also disclosed herein is a storage medium on which a program for executing the above method is recorded. The storage medium includes any mechanism configured to store or transmit information in a form readable by a machine (a computer, for example). For example, storage media include read-only memory (ROM), random-access memory (RAM), magnetic disk storage media, optical storage media, flash storage media, and electrical, optical, acoustic or other forms of propagated signals (e.g. carrier waves, infrared signals, digital signals, etc.).
Referring to Fig. 3, which shows the structural block diagram of an embodiment of the apparatus for internet asset scanning discovery and service identification of the application, the apparatus comprises:
A scanning pool 20, in which the IP addresses, an IP address range or multiple IP address ranges of the assets to be scanned are preset.
An idle node determining module 21, for determining the IP address of an idle node on the internet.
A first scanning initiation module 22, for sending a disguised scan packet (such as a SYN in the TCP protocol) to the internet asset corresponding to an IP address in the scanning pool, and caching locally the IP address and port of that internet asset; the source address of the scan packet is the IP address of the idle node.
In a specific implementation, to further increase scanning efficiency, the first scanning initiation module 22 can send disguised scan packets to multiple internet assets concurrently.
A second scanning initiation module 23, for sending a session confirmation packet (such as a SYN/ACK in the TCP protocol) to the idle node after the first scanning initiation module 22 has sent the scan packet to the internet asset.
A feedback packet receiving module 24, for receiving asynchronously the feedback packet (such as an ACK in the TCP protocol) returned by the idle node; the scan packet, the session confirmation packet and the feedback packet all carry the port of the internet asset and an identity recognition number.
A port status judgment module 25, for determining from the local cache which internet asset the feedback packet corresponds to, and judging from the identity recognition number carried in the feedback packet whether the corresponding port of the internet asset is open.
A first service identification module 26, for identifying, when the corresponding port of the internet asset is open, the service provided by the internet asset according to a preset port-to-service feature correspondence library.
In a specific implementation, to further increase service identification efficiency, the IP addresses of the above internet assets and their open ports can be saved in a local buffer, and the services provided by the internet assets identified concurrently.
A loop control module 27, for repeatedly scheduling the functional modules above (the first scanning initiation module 22, the second scanning initiation module 23, the feedback packet receiving module 24, the port status judgment module 25 and the first service identification module 26) to scan and identify the internet assets corresponding to the IP addresses in the scanning pool 20, until the scanning and service identification of the internet assets corresponding to all IP addresses in the scanning pool has been completed.
Here, to prevent continuous scanning from triggering the defence systems of the internet assets themselves, in the case of an IP address range or multiple IP address ranges the scanning pool 20 is also used to discretely partition the IP address ranges it contains, so that the assets of the same IP address range are not scanned at the same time. The loop control module 27 is also used to control the sending rate of scan packets according to how feedback packets are being received, which makes it possible to control network traffic while ensuring scanning efficiency and identification accuracy.
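What the two other parties in the exchange would record, as an added defensive example that is not part of the patent: constructed host-level logs for the idle node Z and the asset A (documentation addresses, one line per packet) are run through two small detectors. The asset only ever sees the idle node's address as the scan source, so it is correlation with the idle node's own log that exposes the scanner T.

```python
import re
from collections import defaultdict

# Constructed records: "<time> <src>:<sport> > <dst>:<dport> <flags>", S=SYN, SA=SYN/ACK,
# R=RST, A=ACK. T = 192.0.2.1 (scanner), Z = 192.0.2.10 (idle node), A = 198.51.100.5.
# Z's log: T's session confirmations every round, A's replies for ports 21 (open),
# 23 (closed) and 25 (open). Z itself never sends a SYN.
Z_LOG = """\
12:00:00 192.0.2.1:40000 > 192.0.2.10:80 SA
12:00:00 192.0.2.10:80 > 192.0.2.1:40000 R
12:00:00 198.51.100.5:21 > 192.0.2.10:40001 SA
12:00:00 192.0.2.10:40001 > 198.51.100.5:21 R
12:00:01 192.0.2.1:40000 > 192.0.2.10:80 SA
12:00:01 192.0.2.10:80 > 192.0.2.1:40000 R
12:00:01 198.51.100.5:23 > 192.0.2.10:40002 R
12:00:01 192.0.2.1:40000 > 192.0.2.10:80 SA
12:00:01 192.0.2.10:80 > 192.0.2.1:40000 R
12:00:02 198.51.100.5:25 > 192.0.2.10:40003 SA
12:00:02 192.0.2.10:40003 > 198.51.100.5:25 R
12:00:02 192.0.2.1:40000 > 192.0.2.10:80 SA
12:00:02 192.0.2.10:80 > 192.0.2.1:40000 R
"""

# A's log: the disguised SYNs arrive from Z's address; a legitimate client from
# 203.0.113.7 completes its handshake with a final ACK.
A_LOG = """\
12:00:00 192.0.2.10:40001 > 198.51.100.5:21 S
12:00:00 198.51.100.5:21 > 192.0.2.10:40001 SA
12:00:00 192.0.2.10:40001 > 198.51.100.5:21 R
12:00:01 192.0.2.10:40002 > 198.51.100.5:23 S
12:00:01 198.51.100.5:23 > 192.0.2.10:40002 R
12:00:02 192.0.2.10:40003 > 198.51.100.5:25 S
12:00:02 198.51.100.5:25 > 192.0.2.10:40003 SA
12:00:02 192.0.2.10:40003 > 198.51.100.5:25 R
12:00:05 203.0.113.7:51000 > 198.51.100.5:22 S
12:00:05 198.51.100.5:22 > 203.0.113.7:51000 SA
12:00:05 203.0.113.7:51000 > 198.51.100.5:22 A
"""

LINE = re.compile(r"^(\S+) (\S+):(\d+) > (\S+):(\d+) (\w+)$")


def parse(log):
    """Yield (src, sport, dst, dport, flags) for every well-formed record."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            _, src, sport, dst, dport, flags = m.groups()
            yield src, int(sport), dst, int(dport), flags


def unsolicited_synacks(log, my_ip):
    """Idle-node view: SYN/ACKs for which this host never sent the matching SYN.
    Here they come from T (session confirmations) and from A for every open port.
    Returns {source ip: count}."""
    sent_syn = set()
    hits = defaultdict(int)
    for src, sport, dst, dport, flags in parse(log):
        if src == my_ip and flags == "S":
            sent_syn.add((dst, dport, sport))
        elif dst == my_ip and flags == "SA" and (src, sport, dport) not in sent_syn:
            hits[src] += 1
    return dict(hits)


def half_open_scanners(log, my_ip, min_ports=2):
    """Asset view: sources that SYN several ports and never complete the handshake.
    On A this implicates Z's address, since the scan packets carried Z as source."""
    syn_ports = defaultdict(set)
    completed = set()
    for src, sport, dst, dport, flags in parse(log):
        if dst == my_ip and flags == "S":
            syn_ports[src].add(dport)
        elif dst == my_ip and flags == "A":
            completed.add((src, dport))
    flagged = {}
    for src, ports in syn_ports.items():
        incomplete = sorted(p for p in ports if (src, p) not in completed)
        if len(incomplete) >= min_ports:
            flagged[src] = incomplete
    return flagged


if __name__ == "__main__":
    print("Z sees unsolicited SYN/ACK from:", unsolicited_synacks(Z_LOG, "192.0.2.10"))
    print("A sees half-open scans from:", half_open_scanners(A_LOG, "198.51.100.5"))
```

The asset's detector names only the idle node, which is the blame-shifting the description relies on; the scanner's address appears solely in the idle node's count of unsolicited SYN/ACKs.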
In another device embodiment, to further increase service recognition efficiency, a blacklist establishing module may also be included, for establishing a port blacklist that excludes internet resource ports that do not need scanning and identification.
In yet another device embodiment, a second service identification module is additionally provided for further identifying services that cannot be identified according to the port and service feature contrast relationship library: it performs fuzzy identification, based on a preset basic service feature library, on the service signature information fed back by the internet asset, and schedules the corresponding probe in a probe group according to the content of the fuzzy identification to identify the service precisely; the probe includes initiating a connection command for the service, capturing the command echo, and regular-expression matching of the echo message.
Furthermore, a feature database update module may also be included, for automatically updating the preset port and service feature contrast relationship library according to the correspondence between the services precisely identified by the probe group and their interfaces.
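The two-stage service identification described above (port library lookup first, then fuzzy matching of the signature with a probe and a regular expression on the echo, with a confirmed hit written back into the library), as an added example that is not the patent's own code: the libraries, the probe group, `fake_prober` and the function names are constructed assumptions.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed (hypothetical) data in the shape the text describes.
# Port and service feature contrast relationship library: port -> service.
PORT_SERVICE_LIBRARY: Dict[int, str] = {22: "ssh", 80: "http"}
# Basic service feature library for fuzzy identification: (substring, service).
BASIC_FEATURE_LIBRARY: List[Tuple[str, str]] = [
    ("ssh-", "ssh"), ("http/", "http"), ("+pong", "redis"), ("-err", "redis"),
]
# Probe group: service -> (connection command to send, regex on the echo).
PROBE_GROUP: Dict[str, Tuple[bytes, str]] = {
    "ssh": (b"", r"^SSH-2\.0-"),
    "http": (b"HEAD / HTTP/1.0\r\n\r\n", r"^HTTP/1\.[01] \d{3}"),
    "redis": (b"PING\r\n", r"^\+PONG\r\n"),
}
# A prober takes (port, command) and returns the captured echo text.
Prober = Callable[[int, bytes], str]


def fuzzy_identify(signature: str) -> Optional[str]:
    """Fuzzy identification: first basic feature found in the signature."""
    text = signature.lower()
    for needle, service in BASIC_FEATURE_LIBRARY:
        if needle in text:
            return service
    return None


def precise_identify(candidate: str, port: int, prober: Prober) -> bool:
    """Precise identification: send the candidate's probe, regex-match the echo."""
    command, pattern = PROBE_GROUP[candidate]
    return re.match(pattern, prober(port, command)) is not None


def identify_service(port: int, signature: str, prober: Prober,
                     library: Dict[int, str]) -> Optional[str]:
    """First identification by the port library; second by fuzzy match plus probe.
    A precise hit on a port the library does not know is written back into it."""
    service = library.get(port)
    if service is not None:
        return service
    candidate = fuzzy_identify(signature)
    if candidate is None or not precise_identify(candidate, port, prober):
        return None  # fuzzy guess not confirmed: report unknown, library untouched
    library[port] = candidate  # feature database update
    return candidate


def fake_prober(port: int, command: bytes) -> str:
    """Constructed stand-in for the network: canned echoes keyed by port."""
    canned = {
        6379: "+PONG\r\n",
        8080: "HTTP/1.1 200 OK\r\nServer: x\r\n",
        2222: "SSH-2.0-OpenSSH_8.9\r\n",
    }
    return canned.get(port, "")


if __name__ == "__main__":
    lib = dict(PORT_SERVICE_LIBRARY)
    print(identify_service(80, "", fake_prober, lib))  # http (port library)
    print(identify_service(6379, "-ERR unknown command", fake_prober, lib))  # redis
    print(identify_service(7000, "+PONG", fake_prober, lib))  # None (probe fails)
    print(lib)  # 6379 added, 7000 not
```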
It should be noted that the above device embodiments are preferred embodiments, and the units and modules involved are not necessarily essential to the application.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts between the embodiments may be referred to each other. Since the device embodiments of the application are basically similar to the method embodiments, they are described relatively simply, and the relevant parts can be found in the description of the method embodiments. The device and apparatus embodiments described above are only schematic; the modules described as separate parts may or may not be physically separate, and may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The method and device of internet asset scanning discovery and service identification provided by the application have been described in detail above. Specific examples have been used herein to illustrate the principle and implementation of the application, and the explanation of the above embodiments is only intended to help understand the method of the application and its core idea. At the same time, for those skilled in the art, there will be changes in the specific implementation and application scope according to the idea of the application. In conclusion, the content of this specification should not be construed as a limitation of the application.
Claims (14)
1. A method of internet asset scanning discovery and service identification, characterized in that the executing subject of the method is a computer connected to the internet, the computer being provided with a scanning pool in which the IP addresses, IP address sections or multiple IP address sections of the assets to be scanned are preset, the method comprising:
determining the IP address of an idle node in the internet;
sending a disguised scan data packet to the internet asset corresponding to an IP address in the scanning pool, and locally caching the IP address and port of the internet asset, the source address of the scan data packet being the IP address of the idle node;
then sending a session confirmation data packet to the idle node;
receiving, in an asynchronous manner, the feedback data packet returned by the idle node, the scan data packet, the session confirmation data packet and the feedback data packet each including the port and the identity recognition number of the internet asset;
determining, according to the local cache, the internet asset corresponding to the feedback data packet, and judging, according to the identity recognition number included in the feedback data packet, whether the corresponding port of the internet asset is in the open state;
if the corresponding port of the internet asset is in the open state, identifying the service provided by the internet asset according to a preset port and service feature contrast relationship library.
2. The method according to claim 1, characterized in that it further comprises:
repeating the above resource scanning and service identification steps until the scanning and service identification of the internet resources corresponding to all IP addresses in the scanning pool are completed.
3. The method according to claim 1 or 2, characterized in that
sending the disguised scan data packet to the internet asset corresponding to an IP address in the scanning pool specifically comprises: sending the disguised scan data packets to multiple internet assets concurrently;
and/or
identifying the service provided by the internet asset according to the preset port and service feature contrast relationship library specifically comprises: saving the IP address of the above internet asset and its ports in the open state in a local buffer, and identifying the services provided by the internet assets concurrently.
4. The method according to claim 3, characterized in that, before the disguised scan data packets are sent concurrently to multiple internet assets, the method further comprises:
discretely dividing the IP address sections in the scanning pool so that resources of the same IP address section are not scanned at the same time.
5. The method according to claim 2, characterized in that it further comprises: controlling the transmission rate of the scan data packets according to the reception condition of the feedback data packets.
6. The method according to claim 1, characterized in that, before identifying the service provided by the internet asset according to the preset port and service feature contrast relationship library, the method further comprises:
establishing a port blacklist to exclude internet resource ports that do not need identification.
7. The method according to claim 1 or 6, characterized in that, after identifying the service provided by the internet asset according to the port and service feature contrast relationship library, the method further comprises:
for a service that cannot be identified according to the port and service feature contrast relationship library, performing fuzzy identification, based on a preset basic service feature library, on the service signature information fed back by the internet asset;
scheduling the corresponding probe in a probe group according to the content of the fuzzy identification to identify the service precisely, the probe including initiating a connection command for the service, capturing the command echo, and regular-expression matching of the echo message.
8. The method according to claim 7, characterized in that it further comprises:
automatically updating the preset port and service feature contrast relationship library according to the correspondence between the services precisely identified by the probe group and their interfaces.
9. A device for internet asset scanning discovery and service identification, characterized in that it comprises:
a scanning pool, in which the IP addresses, IP address sections or multiple IP address sections of the assets to be scanned are preset;
an idle node determining module, for determining the IP address of an idle node in the internet;
a first scanning initiation module, for sending a disguised scan data packet to the internet asset corresponding to an IP address in the scanning pool and locally caching the IP address and port of the internet asset, the source address of the scan data packet being the IP address of the idle node;
a second scanning initiation module, for sending a session confirmation data packet to the idle node after the first scanning initiation module has sent the scan data packet to the internet asset;
a feedback packet receiving module, for receiving, in an asynchronous manner, the feedback data packet returned by the idle node, the scan data packet, the session confirmation data packet and the feedback data packet each including the port and the identity recognition number of the internet asset;
a port status judgment module, for determining, according to the local cache, the internet asset corresponding to the feedback data packet, and judging, according to the identity recognition number included in the feedback data packet, whether the corresponding port of the internet asset is in the open state;
a first service identification module, for identifying, when the corresponding port of the internet asset is in the open state, the service provided by the internet asset according to a preset port and service feature contrast relationship library.
10. The device according to claim 9, characterized in that the device further comprises:
a loop control module, for repeatedly scheduling the above first scanning initiation module, second scanning initiation module, feedback packet receiving module, port status judgment module and first service identification module to scan and identify the internet resources corresponding to the IP addresses in the scanning pool, until the scanning and service identification of the internet resources corresponding to all IP addresses in the scanning pool are completed.
11. The device according to claim 10, characterized in that
the first scanning initiation module sends the disguised scan data packets as follows: sending the disguised scan data packets to multiple internet assets concurrently;
and/or
the first service identification module identifies the services provided by the internet assets as follows: saving the IP address of the above internet asset and its ports in the open state in a local buffer, and identifying the services provided by the internet assets concurrently.
12. The device according to claim 11, characterized in that
the scanning pool is also used to discretely divide the IP address sections in the scanning pool, before the first scanning initiation module sends the disguised scan data packets concurrently to multiple internet assets, so that resources of the same IP address section are not scanned at the same time;
and/or
the loop control module is also used to control the transmission rate of the scan data packets according to the reception condition of the feedback data packets.
13. The device according to claim 9, characterized in that the device further comprises:
a blacklist establishing module, for establishing a port blacklist that excludes internet resource ports that do not need identification;
a second service identification module, for performing fuzzy identification, based on a preset basic service feature library, on the service signature information fed back by the internet asset, and scheduling the corresponding probe in a probe group according to the content of the fuzzy identification to identify the service precisely; the probe includes initiating a connection command for the service, capturing the command echo, and regular-expression matching of the echo message.
14. The device according to claim 13, characterized in that the device further comprises:
a feature database update module, for automatically updating the preset port and service feature contrast relationship library according to the correspondence between the services precisely identified by the probe group and their interfaces.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710475038.8A CN109104395B (en) | 2017-06-21 | 2017-06-21 | Method and device for scanning, discovering and identifying service of Internet assets |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109104395A true CN109104395A (en) | 2018-12-28 |
CN109104395B CN109104395B (en) | 2022-08-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||