CN110535727B - Asset identification method and device - Google Patents

Publication number: CN110535727B
Authority: CN (China)
Prior art keywords: asset, identified, assets, address, data
Legal status: Active
Application number: CN201910822194.6A
Other languages: Chinese (zh)
Other versions: CN110535727A (en
Inventor: 曹文辉, 范渊
Current Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Application filed by: Hangzhou Dbappsecurity Technology Co Ltd
Priority to: CN201910822194.6A
Publication of CN110535727A
Application granted
Publication of CN110535727B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/903 Querying
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/06 Generation of reports
    • H04L43/065 Generation of reports related to network devices

Abstract

The invention provides an asset identification method and device, relating to the technical field of network security. The method comprises: acquiring asset data of an asset to be identified, wherein the asset data comprises an access IP address, an access port parameter, a service IP address, a service port parameter, and a protocol used by the asset to be identified; determining whether a database contains the asset data; and, if the database does not contain the asset data and a first preset IP address range contains the access IP address of the asset to be identified, determining that the asset to be identified is an internal asset, wherein the internal asset is an asset corresponding to the first preset IP address range. This solves the technical problem that existing asset identification methods identify unknown assets with low efficiency.

Description

Asset identification method and device
Technical Field
The invention relates to the technical field of network security, in particular to an asset identification method and device.
Background
With the rapid development of internet technology, the business of enterprises, public institutions and schools has been informatized at high speed, supporting platforms and management systems have grown more complex, and correspondingly more assets such as servers, storage devices, network devices and security devices are needed. As these assets accumulate in number and variety, they greatly increase the management difficulty and management cost for enterprises, public institutions and schools, and over time a large number of ownerless assets and zombie assets appear. Because these assets go unmanaged for long periods, they carry many known vulnerabilities and configuration violations. More seriously, they are hard to bring into the scope of administrators' routine maintenance, so they pose a major hidden risk to the security of enterprises, public institutions and schools and become a weak point in enterprise information security.
Therefore, how to quickly and efficiently identify internal assets, thereby reducing the information security risk is an urgent problem to be solved.
No effective solution has been proposed to the above problems.
Disclosure of Invention
In view of this, the present invention provides an asset identification method and device to alleviate the technical problem of low identification efficiency of the existing asset identification method for unknown assets.
In a first aspect, an embodiment of the present invention provides an asset identification method and apparatus, including: acquiring asset data of an asset to be identified, wherein the asset data comprises: an access IP address, an access port parameter, a service IP address, a service port parameter, and a protocol used by the asset to be identified; judging whether a database contains the asset data; if the asset data is not contained in the database and a first preset IP address range contains the access IP address of the asset to be identified, the asset to be identified is an internal asset, wherein the internal asset is the asset corresponding to the first preset IP address range.
Further, the method further comprises: if the asset data is not contained in the database and the first preset IP address range does not contain the access IP address of the asset to be identified, acquiring the access IP addresses of a plurality of target assets, wherein the target assets are the assets that access the asset to be identified; and if the access IP addresses of the target assets fall within a preset number of second preset IP address ranges, determining that the asset to be identified is the internal asset.
Further, acquiring asset data of the asset to be identified comprises: acquiring a traffic packet of the asset to be identified; parsing the traffic packet to obtain attribute data of the asset to be identified, and determining the attribute data as the asset data, wherein the attribute data comprises: an access-end IP address, a server-end port number and a protocol used by the asset to be identified; or acquiring scan data obtained by a port scanning device scanning on the basis of preset parameters, and determining the preset parameters and the scan data as the asset data, wherein the preset parameters comprise: the access IP address of the asset to be identified and the access port parameter of the asset to be identified, and the scan data comprises: a service IP address and a service port parameter.
Further, parsing the traffic packet to obtain attribute data of the asset to be identified comprises: acquiring target bytes of the traffic packet, wherein the target bytes are a preset number of bytes at the beginning of the traffic packet; and parsing the target bytes to obtain the attribute data of the asset to be identified.
Further, before determining whether the asset data is contained in the database, the method further comprises: if the assets to be identified are network assets, acquiring host address information stored in a domain name server; determining whether the domain name information of the network asset is correct based on the mapping relation between the host address information and the domain name information of the network asset; and if the domain name information of the network assets is incorrect, discarding the asset data of the network assets.
Further, the method further comprises: acquiring scanning data scanned by port scanning equipment based on preset parameters, wherein the preset parameters comprise: the access IP address of the asset to be identified and the access port parameter of the asset to be identified, the scanning data comprises: service IP address, service port parameters; and determining the assets corresponding to the scanning data as the internal assets.
In a second aspect, an embodiment of the present invention provides an asset identification apparatus, including: the device comprises an acquisition unit, a judgment unit and a determination unit, wherein the acquisition unit is used for acquiring asset data of assets to be identified, and the asset data comprises: an access IP address, an access port parameter, a service IP address, a service port parameter, and a protocol used by the asset to be identified; the judging unit is used for judging whether the database contains the asset data; the determining unit is configured to determine that the asset to be identified is an internal asset if the database does not contain the asset data and a first preset IP address range contains an access IP address of the asset to be identified, where the internal asset is an asset corresponding to the first preset IP address range.
Further, the determining unit is further configured to: if the asset data is not contained in the database and the first preset IP address range does not contain the access IP address of the asset to be identified, acquire the access IP addresses of a plurality of target assets, wherein the target assets are the assets that access the asset to be identified; and if the access IP addresses of the target assets fall within a preset number of second preset IP address ranges, determine that the asset to be identified is the internal asset.
Further, the acquisition unit is further configured to: acquire a traffic packet of the asset to be identified; parse the traffic packet to obtain attribute data of the asset to be identified, and determine the attribute data as the asset data, wherein the attribute data comprises: an access-end IP address, a server-end port number and a protocol used by the asset to be identified; or acquire scan data obtained by a port scanning device scanning on the basis of preset parameters, and determine the preset parameters and the scan data as the asset data, wherein the preset parameters comprise: the access IP address of the asset to be identified and the access port parameter of the asset to be identified, and the scan data comprises: a service IP address and a service port parameter.
Further, the acquisition unit is further configured to: acquire target bytes of the traffic packet, wherein the target bytes are a preset number of bytes at the beginning of the traffic packet; and parse the target bytes to obtain the attribute data of the asset to be identified.
In the embodiment of the invention, firstly, asset data of assets to be identified is obtained; then, judging whether the database contains the asset data; and finally, if the database does not contain the asset data and the first preset IP address range contains the access IP address of the asset to be identified, the asset to be identified is an internal asset.
According to the asset identification method and device, the asset data of the assets to be identified are obtained, whether the asset data are contained in the database is judged, if the asset data are not contained in the database, the assets to be identified are unknown assets, and if the access IP address of the unknown assets is contained in the first preset IP address range, the unknown assets are internal assets, so that the purpose of identifying the unknown assets is achieved, the technical problem that the identification efficiency of the existing asset identification method for the unknown assets is low is solved, and the technical effect of improving the identification efficiency of the unknown assets is achieved.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a flow chart of a method for asset identification provided by an embodiment of the present invention;
FIG. 2 is a flow chart of another asset identification method provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of an asset identification device provided by an embodiment of the invention;
FIG. 4 is a schematic diagram of a server according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Embodiment one:
In accordance with an embodiment of the present invention, an embodiment of an asset identification method is provided. Note that the steps illustrated in the flowchart may be performed in a computer system, for example as a set of computer-executable instructions, and that although a logical order is shown in the flowchart, in some cases the steps illustrated or described may be performed in a different order.
FIG. 1 is a flow chart of a method of asset identification according to an embodiment of the present invention, as shown in FIG. 1, the method comprising the steps of:
Step S102: acquiring asset data of an asset to be identified, wherein the asset data comprises: an access IP address, an access port parameter, a service IP address, a service port parameter, and a protocol used by the asset to be identified;
Step S104: determining whether the database contains the asset data;
Step S106: if the asset data is not contained in the database and a first preset IP address range contains the access IP address of the asset to be identified, the asset to be identified is an internal asset, wherein the internal asset is an asset corresponding to the first preset IP address range.
According to the asset identification method and device, the asset data of the assets to be identified are obtained, whether the asset data are contained in the database is judged, if the asset data are not contained in the database, the assets to be identified are unknown assets, and if the access IP address of the unknown assets is contained in the first preset IP address range, the unknown assets are internal assets, so that the purpose of identifying the unknown assets is achieved, the technical problem that the identification efficiency of the existing asset identification method for the unknown assets is low is solved, and the technical effect of improving the identification efficiency of the unknown assets is achieved.
It should be noted that, when the database does not contain the asset data of the asset to be identified, the asset to be identified may be determined as an unknown asset.
Because the IP addresses belonging to one enterprise, public institution or school are typically distributed in concentrated IP segments, the first preset IP address range can correspond to one enterprise, public institution or school. When the access IP address of the unknown asset is within the first preset IP address range, the asset to be identified can be determined to be an internal asset of that enterprise, public institution or school.
In the embodiment of the present invention, as shown in fig. 2, the method further includes the following steps:
Step S108: if the asset data is not contained in the database and the first preset IP address range does not contain the access IP address of the asset to be identified, acquiring the access IP addresses of a plurality of target assets, wherein the target assets are the assets that access the asset to be identified;
Step S110: if the access IP addresses of the target assets fall within a preset number of second preset IP address ranges, the asset to be identified is the internal asset.
In the embodiment of the present invention, if it is determined that the database does not contain the asset data and the first preset IP address range does not contain the access IP address of the asset to be identified, the access IP addresses of a plurality of target assets that access the asset to be identified need to be obtained.
When the access IP addresses of the target assets fall within a preset number of second preset IP address ranges, the asset to be identified is determined to be an internal asset.
It should be noted that the preset number of second preset IP address ranges is a preset number of different B-segment IP address ranges or a preset number of different C-segment IP address ranges. The preset number may be set by the user according to the actual situation and is not specifically limited in this embodiment of the application.
Because the IP addresses belonging to one enterprise, public institution or school are typically distributed in concentrated IP segments, the second preset IP address range can correspond to one enterprise, public institution or school. When an unknown asset (that is, an asset to be identified whose asset data is not contained in the database) is accessed multiple times by IP addresses corresponding to the same enterprise, public institution or school, the unknown asset can be determined to be an internal asset of that enterprise, public institution or school.
The method counts the target assets with a counting algorithm and decides from that count whether the asset to be identified is an internal asset. This addresses the prior-art problems that all internal IP or asset addresses must be sorted out in advance before internal assets can be identified by port scanning or manual inventory, that isolated ("island") assets are easily missed, and that manual inventory consumes a large amount of labor.
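Steps S102 to S110 as a small classifier, added here as an illustration and not taken from the patent. The class and field names, the sample CIDR blocks, the reading of a B segment as a /16 and a C segment as a /24, and the rule that accessors must fall in at least `preset_number` distinct second ranges are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetData:
    """The five asset-data fields named in step S102."""
    access_ip: str
    access_port: int
    service_ip: str
    service_port: int
    protocol: str


class AssetClassifier:
    """Hypothetical classifier for steps S104 to S110 (not the patent's code)."""

    def __init__(self, known_assets, first_range, second_ranges, preset_number):
        self.known_assets = set(known_assets)  # stands in for the database
        self.first_range = [ipaddress.ip_network(c) for c in first_range]
        self.second_ranges = [ipaddress.ip_network(c) for c in second_ranges]
        self.preset_number = preset_number

    def ranges_hit(self, accessor_ips):
        """Return the second preset ranges that contain at least one accessor."""
        hit = set()
        for raw in accessor_ips:
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                continue  # skip malformed address fields instead of failing
            hit.update(net for net in self.second_ranges if addr in net)
        return hit

    def classify(self, asset, accessor_ips=()):
        # S104: asset data already in the database means a known asset.
        if asset in self.known_assets:
            return "known"
        # S106: unknown asset whose access IP lies in the first preset range.
        addr = ipaddress.ip_address(asset.access_ip)
        if any(addr in net for net in self.first_range):
            return "internal"
        # S108/S110: look at who accesses the asset and count the distinct
        # second preset ranges (assumed /16 or /24 blocks) they come from.
        if len(self.ranges_hit(accessor_ips)) >= self.preset_number:
            return "internal"
        return "undetermined"  # the page does not name this outcome


# Constructed sample data (private and documentation address blocks).
KNOWN = AssetData("10.20.1.5", 443, "10.20.1.5", 443, "https")
ISLAND = AssetData("203.0.113.10", 8443, "203.0.113.10", 8443, "https")
CLASSIFIER = AssetClassifier(
    known_assets=[KNOWN],
    first_range=["10.20.0.0/16"],
    second_ranges=["10.20.0.0/16", "10.21.0.0/16", "172.16.5.0/24"],
    preset_number=2,
)

if __name__ == "__main__":
    print(CLASSIFIER.classify(ISLAND, ["10.20.3.4", "10.21.7.7"]))
```

Accessor addresses are only as trustworthy as their source: take them from completed sessions rather than single unanswered packets, since a forged source address inside a second range would otherwise count toward the threshold.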
In this embodiment of the present invention, step S102 further includes the following steps:
Step S11: acquiring the traffic packet of the asset to be identified;
Step S12: parsing the traffic packet to obtain attribute data of the asset to be identified, and determining the attribute data as the asset data, where the attribute data includes: an access-end IP address, a service-end port number and a protocol used by the asset to be identified.
In the embodiment of the invention, in order to acquire the asset data of the asset to be identified, the traffic packets of the device to be identified are first directed to a preset port.
Then, the traffic packets of the device to be identified are acquired from the preset port.
Finally, the traffic packets are parsed to obtain attribute data such as the access-end IP address, the service-end port number and the protocol used by the asset to be identified, and the attribute data is determined as the asset data of the asset to be identified.
It should be noted that, in order to reduce the load on the server, valid traffic packets may first be filtered by the protocol used by the asset to be identified, and only the valid traffic packets are then parsed, which achieves the technical effect of reducing the load on the server.
In addition, in order to reduce the parsing load on the server and increase the parsing speed, only the header of a valid traffic packet (that is, a preset number of bytes at the beginning of the traffic packet) may be obtained. Because the attribute data of the asset to be identified can be obtained by parsing the packet header alone, obtaining and parsing only the header of each valid traffic packet effectively reduces the parsing load on the server and increases the parsing speed.
Finally, the specific value of the preset number of bytes at the beginning of the traffic packet is not limited in the embodiment of the present invention and may be set by the user according to the actual situation.
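Header-only parsing as described above, as an added example that is not part of the patent: it reads at most `SNAP_LEN` leading bytes of an Ethernet/IPv4 frame, filters by protocol, and returns the attribute fields of step S12. `SNAP_LEN`, the function names, the SYN-only rule for deciding which side is the access end, and the constructed sample frames are assumptions.

```python
import socket
import struct

SNAP_LEN = 64  # assumed value; the page leaves the preset byte count to the user


def build_frame(src, dst, sport, dport, flags=0x02, proto=6,
                ip_options=b"", payload=b""):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    ihl_words = 5 + len(ip_options) // 4
    total_len = ihl_words * 4 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len, 0, 0,
                     64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + ip_options + tcp + payload


def parse_head(frame, snap_len=SNAP_LEN):
    """Parse only the first snap_len bytes; return attribute data or None."""
    head = frame[:snap_len]
    if len(head) < 14:
        return None
    ethertype = struct.unpack_from("!H", head, 12)[0]
    off = 14
    if ethertype == 0x8100:  # one 802.1Q VLAN tag
        if len(head) < 18:
            return None
        ethertype = struct.unpack_from("!H", head, 16)[0]
        off = 18
    if ethertype != 0x0800 or len(head) < off + 20:
        return None  # not IPv4, or the IPv4 header is cut off
    if head[off] >> 4 != 4:
        return None
    ihl = (head[off] & 0x0F) * 4
    if ihl < 20:
        return None
    if struct.unpack_from("!H", head, off + 6)[0] & 0x1FFF:
        return None  # later fragment: carries no transport header
    if head[off + 9] != 6:
        return None  # protocol filter: only TCP is treated as valid traffic here
    l4 = off + ihl
    if len(head) < l4 + 14:
        return None  # IP options pushed the TCP flags past the captured bytes
    _sport, dport = struct.unpack_from("!HH", head, l4)
    # Only a SYN without ACK shows direction: its sender is the access end.
    if head[l4 + 13] & 0x12 != 0x02:
        return None
    return {
        "access_ip": socket.inet_ntoa(head[off + 12:off + 16]),
        "service_ip": socket.inet_ntoa(head[off + 16:off + 20]),
        "service_port": dport,
        "protocol": "tcp",
    }


if __name__ == "__main__":
    syn = build_frame("10.20.3.4", "203.0.113.10", 51000, 8443, payload=b"x" * 500)
    print(parse_head(syn))
```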
In this embodiment of the present invention, before step S104, the method further includes the following steps:
Step S21: if the asset to be identified is a network asset, obtaining host address information stored in a domain name server;
Step S22: determining whether the domain name information of the network asset is correct domain name information based on the mapping relation between the host address information and the domain name information of the network asset;
Step S23: if the domain name information of the network asset is incorrect, discarding the asset data of the network asset.
In the embodiment of the present invention, in order to reduce the load on the server, the correctness of the domain name information of the network asset may be checked first. The asset data of a network asset whose domain name information is incorrect is discarded, and step S104 is not performed on it, which reduces the load on the server.
Specifically, after the asset data of the network asset is obtained, the host address information stored in the domain name server is obtained, and whether the domain name information of the network asset is correct is determined according to the mapping relation between the host address information and the domain name information of the network asset. If the domain name information of the network asset is incorrect, the asset data of the network asset is discarded.
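Steps S21 to S23 as an added example (not the patent's code): observed domain/IP pairs are kept only when the domain's host-address records contain the service IP. The zone data, domain names, function names and the reading of "host address information" as A records reached through CNAMEs are assumptions; a deployment would read these records from the organization's own domain name server.

```python
def normalize(name):
    """Lower-case and strip the trailing root dot so names compare equal."""
    return name.strip().rstrip(".").lower()


def host_addresses(name, records, max_hops=8):
    """Return the A-record addresses for name, following CNAMEs with a hop limit."""
    name = normalize(name)
    seen = set()
    while name not in seen and len(seen) < max_hops:
        seen.add(name)
        rrset = records.get(name)
        if rrset is None:
            return set()  # name not present in the zone data
        if "CNAME" in rrset:
            name = normalize(rrset["CNAME"])
            continue
        return set(rrset.get("A", ()))
    return set()  # CNAME loop or chain longer than max_hops


def validate_assets(observations, records):
    """Split observations into (kept, discarded) by the S22 mapping check."""
    kept, discarded = [], []
    for obs in observations:
        ok = obs["service_ip"] in host_addresses(obs["domain"], records)
        (kept if ok else discarded).append(obs)
    return kept, discarded


# Constructed zone data and observations (documentation address blocks).
CONSTRUCTED_RECORDS = {
    "portal.example.edu": {"CNAME": "lb.example.edu."},
    "lb.example.edu": {"A": ["203.0.113.10", "203.0.113.11"]},
    "loop-a.example.edu": {"CNAME": "loop-b.example.edu"},
    "loop-b.example.edu": {"CNAME": "loop-a.example.edu"},
}
CONSTRUCTED_OBSERVATIONS = [
    {"domain": "Portal.Example.EDU.", "service_ip": "203.0.113.10"},  # correct
    {"domain": "portal.example.edu", "service_ip": "198.51.100.7"},   # wrong IP
    {"domain": "ghost.example.edu", "service_ip": "203.0.113.10"},    # no record
    {"domain": "loop-a.example.edu", "service_ip": "203.0.113.10"},   # CNAME loop
]

if __name__ == "__main__":
    kept, discarded = validate_assets(CONSTRUCTED_OBSERVATIONS, CONSTRUCTED_RECORDS)
    print(len(kept), "kept;", len(discarded), "discarded before step S104")
```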
In an embodiment of the present invention, the method further comprises:
Step S112: acquiring scan data obtained by the port scanning device scanning on the basis of preset parameters, where the preset parameters include: the access IP address of the asset to be identified and the access port parameter of the asset to be identified, and the scan data includes: a service IP address and a service port parameter;
Step S114: determining the asset corresponding to the scan data as the internal asset.
In the embodiment of the present invention, the preset parameters are added to the port scanning device so that it scans the asset corresponding to the preset parameters (i.e., the asset to be identified), thereby obtaining the service IP address and/or the service port parameter of the asset to be identified, and the asset corresponding to the scan data is determined as the internal asset.
It should be noted that the preset parameter may be the access IP address or access port parameter of a single asset to be identified, or may be an access IP address range or multiple access port parameters (i.e., the access IP addresses or port range parameters of multiple assets to be identified).
Embodiment two:
The invention also provides an asset identification device for executing the asset identification method provided by the embodiment of the invention. The asset identification device provided by the embodiment of the invention is described in detail below.
As shown in fig. 3, the asset identification device described above includes: an acquisition unit 10, a judgment unit 20 and a determination unit 30.
The acquiring unit 10 is configured to acquire asset data of an asset to be identified, where the asset data includes: an access IP address, an access port parameter, a service IP address, a service port parameter, and a protocol used by the asset to be identified;
the judging unit 20 is configured to judge whether the asset data is contained in the database;
the determining unit 30 is configured to determine that the asset to be identified is an internal asset if the database does not include the asset data and a first preset IP address range includes an access IP address of the asset to be identified, where the internal asset is an asset corresponding to the first preset IP address range.
According to the asset identification method and device, the asset data of the assets to be identified are obtained, whether the asset data are contained in the database is judged, if the asset data are not contained in the database, the assets to be identified are unknown assets, and if the access IP address of the unknown assets is contained in the first preset IP address range, the unknown assets are internal assets, so that the purpose of identifying the unknown assets is achieved, the technical problem that the identification efficiency of the existing asset identification method for the unknown assets is low is solved, and the technical effect of improving the identification efficiency of the unknown assets is achieved.
Preferably, the determining unit is further configured to: if the asset data is not contained in the database and the first preset IP address range does not contain the access IP address of the asset to be identified, acquire the access IP addresses of a plurality of target assets, wherein the target assets are the assets that access the asset to be identified; and if the access IP addresses of the target assets fall within a preset number of second preset IP address ranges, determine that the asset to be identified is the internal asset.
Preferably, the acquisition unit is further configured to: acquire a traffic packet of the asset to be identified; parse the traffic packet to obtain attribute data of the asset to be identified, and determine the attribute data as the asset data, wherein the attribute data comprises: the IP address of the access end, the IP address of the service end, the port number of the service end and the protocol used by the asset to be identified.
Preferably, the acquisition unit is further configured to: acquire target bytes of the traffic packet, wherein the target bytes are a preset number of bytes at the beginning of the traffic packet; and parse the target bytes to obtain the attribute data of the asset to be identified.
Preferably, the apparatus further comprises: the verification unit is used for acquiring host address information stored in the domain name server if the assets to be identified are network assets; determining whether the domain name information of the network asset is correct based on the mapping relation between the host address information and the domain name information of the network asset; and if the domain name information of the network assets is incorrect, discarding the asset data of the network assets.
Preferably, the apparatus further comprises: a scanning unit, configured to acquire scanning data scanned by a port scanning device based on preset parameters, where the preset parameters include: the access IP address of the asset to be identified and the access port parameter of the asset to be identified, the scanning data comprises: service IP address, service port parameters; and determining the assets corresponding to the scanning data as the internal assets.
Referring to fig. 4, an embodiment of the present invention further provides a server 100, including: the device comprises a processor 50, a memory 51, a bus 52 and a communication interface 53, wherein the processor 50, the communication interface 53 and the memory 51 are connected through the bus 52; the processor 50 is arranged to execute executable modules, such as computer programs, stored in the memory 51.
The Memory 51 may include a high-speed Random Access Memory (RAM) and may also include a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. The communication connection between the network element of the system and at least one other network element is realized through at least one communication interface 53 (which may be wired or wireless), and the internet, a wide area network, a local network, a metropolitan area network, and the like can be used.
The bus 52 may be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 4, but that does not indicate only one bus or one type of bus.
The memory 51 is used for storing a program, and the processor 50 executes the program after receiving an execution instruction. The method performed by the apparatus, as defined by the flows disclosed in any of the foregoing embodiments of the present invention, may be applied to the processor 50 or implemented by the processor 50.
The processor 50 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor 50 or by instructions in the form of software. The processor 50 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM or registers. The storage medium is located in the memory 51, and the processor 50 reads the information in the memory 51 and completes the steps of the method in combination with its hardware.
In addition, in the description of the embodiments of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the division into units is only a logical division, and other divisions are possible in an actual implementation; likewise, a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be electrical, mechanical or of another form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist alone physically, or two or more units may be integrated into one unit.
Finally, it should be noted that the above embodiments are only specific embodiments of the present invention, used to illustrate its technical solutions and not to limit them, and the protection scope of the present invention is not limited thereto. Although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art may, within the technical scope of the present disclosure, still modify the technical solutions described in the foregoing embodiments, readily conceive of changes to them, or make equivalent substitutions for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention and should be construed as falling within its protection scope. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (8)

1. An asset identification method, comprising:
acquiring asset data of an asset to be identified, wherein the asset data comprises: an access IP address, an access port parameter, a service IP address, a service port parameter, and a protocol used by the asset to be identified;
judging whether a database contains the asset data;
if the asset data is not contained in the database and a first preset IP address range contains the access IP address of the asset to be identified, determining that the asset to be identified is an internal asset, wherein the internal asset is an asset corresponding to the first preset IP address range;
wherein the method further comprises:
if the asset data is not contained in the database and the first preset IP address range does not contain the access IP address of the asset to be identified, acquiring the access IP addresses of a plurality of target assets, wherein the target assets are assets that access the asset to be identified;
and if a preset number of the access IP addresses of the target assets fall within a second preset IP address range, determining that the asset to be identified is an internal asset.
2. The method of claim 1, wherein obtaining asset data for an asset to be identified comprises:
acquiring a traffic message of the asset to be identified;
analyzing the traffic message to obtain attribute data of the asset to be identified, and determining the attribute data as the asset data, wherein the attribute data comprises: an access-end IP address, a service-end port number and a protocol used by the asset to be identified.
3. The method according to claim 2, wherein analyzing the traffic message to obtain attribute data of the asset to be identified comprises:
acquiring target bytes of the traffic message, wherein the target bytes are the first preset number of bytes of the traffic message;
and analyzing the target bytes to obtain the attribute data of the asset to be identified.
4. The method of claim 1, wherein prior to determining whether the asset data is contained in the database, the method further comprises:
if the asset to be identified is a network asset, acquiring host address information stored in a domain name server;
determining whether the domain name information of the network asset is correct based on the mapping relation between the host address information and the domain name information of the network asset;
and if the domain name information of the network asset is incorrect, discarding the asset data of the network asset.
5. The method of claim 1, further comprising:
acquiring scan data obtained by a port scanning device based on preset parameters, wherein the preset parameters comprise: the access IP address of the asset to be identified and the access port parameter of the asset to be identified, and the scan data comprises: a service IP address and a service port parameter;
and determining the assets corresponding to the scan data as internal assets.
6. An asset identification device, characterized in that the device comprises: an acquisition unit, a judging unit and a determining unit, wherein,
the acquisition unit is used for acquiring asset data of an asset to be identified, wherein the asset data comprises: an access IP address, an access port parameter, a service IP address, a service port parameter, and a protocol used by the asset to be identified;
the judging unit is used for judging whether the database contains the asset data;
the determining unit is configured to determine that the asset to be identified is an internal asset if the asset data is not included in the database and a first preset IP address range includes an access IP address of the asset to be identified, where the internal asset is an asset corresponding to the first preset IP address range;
wherein the determining unit is further configured to:
if the asset data is not contained in the database and the first preset IP address range does not contain the access IP address of the asset to be identified, acquire the access IP addresses of a plurality of target assets, wherein the target assets are assets that access the asset to be identified;
and if a preset number of the access IP addresses of the target assets fall within a second preset IP address range, determine that the asset to be identified is an internal asset.
7. The device of claim 6, wherein the acquisition unit is further configured to:
acquire a traffic message of the asset to be identified;
analyze the traffic message to obtain attribute data of the asset to be identified, and determine the attribute data as the asset data, wherein the attribute data comprises: an access-end IP address, a service-end port number and a protocol used by the asset to be identified.
8. The device of claim 7, wherein the acquisition unit is further configured to:
acquire target bytes of the traffic message, wherein the target bytes are the first preset number of bytes of the traffic message;
and analyze the target bytes to obtain the attribute data of the asset to be identified.
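
The decision flow of claim 1, sketched in Python as an added example that is not part of the patent or the applicant's implementation. The names `AssetData`, `in_ranges` and `classify`, the result labels "known" and "undetermined", the reading of "a preset number" as "at least that many distinct accessor addresses", and all sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AssetData:
    """The five fields claim 1 lists as asset data (hashable for set lookup)."""
    access_ip: str
    access_port: int
    service_ip: str
    service_port: int
    protocol: str

def in_ranges(ip, ranges):
    """True if ip lies in any CIDR block in ranges; IPv4 and IPv6 never cross-match."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return any(addr in ipaddress.ip_network(cidr) for cidr in ranges)

def classify(asset, database, first_ranges, second_ranges, accessor_ips, preset_number):
    # Step 1: judge whether the database already contains the asset data.
    # The claim only covers the "not contained" branch; "known" is an assumed label.
    if asset in database:
        return "known"
    # Step 2: access IP inside the first preset IP address range -> internal asset.
    if in_ranges(asset.access_ip, first_ranges):
        return "internal"
    # Step 3: otherwise look at the assets that access this one (target assets).
    # Assumption: count distinct accessor IPs inside the second preset range and
    # require at least preset_number of them.
    hits = {ip for ip in accessor_ips if in_ranges(ip, second_ranges)}
    if len(hits) >= preset_number:
        return "internal"
    # The claim does not name this outcome; "undetermined" is an assumed label.
    return "undetermined"

# Constructed sample data (private and documentation address space only).
DATABASE = {AssetData("10.0.0.5", 51000, "10.0.1.10", 443, "tcp")}
FIRST_RANGES = ["10.0.0.0/8"]
SECOND_RANGES = ["172.16.0.0/12"]
NEW_IN_RANGE = AssetData("10.0.0.9", 51001, "10.0.1.11", 22, "tcp")
NEW_OUTSIDE = AssetData("198.51.100.7", 40000, "203.0.113.20", 8080, "tcp")
ACCESSORS = ["172.16.1.1", "172.16.1.2", "172.16.1.1", "192.0.2.9"]

if __name__ == "__main__":
    for a in (*DATABASE, NEW_IN_RANGE, NEW_OUTSIDE):
        print(a.service_ip, classify(a, DATABASE, FIRST_RANGES, SECOND_RANGES, ACCESSORS, 2))
```
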
CN201910822194.6A 2019-09-02 2019-09-02 Asset identification method and device Active CN110535727B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910822194.6A CN110535727B (en) 2019-09-02 2019-09-02 Asset identification method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910822194.6A CN110535727B (en) 2019-09-02 2019-09-02 Asset identification method and device

Publications (2)

Publication Number Publication Date
CN110535727A CN110535727A (en) 2019-12-03
CN110535727B true CN110535727B (en) 2021-06-18

Family

ID=68666073

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910822194.6A Active CN110535727B (en) 2019-09-02 2019-09-02 Asset identification method and device

Country Status (1)

Country Link
CN (1) CN110535727B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111030887B (en) * 2019-12-19 2021-11-05 杭州安恒信息技术股份有限公司 Web server discovery method and device and electronic equipment
CN110891071A (en) * 2019-12-25 2020-03-17 杭州安恒信息技术股份有限公司 Network traffic information acquisition method, device and related equipment
CN111399893A (en) * 2020-03-20 2020-07-10 深信服科技股份有限公司 Service information updating method, device, equipment and computer readable storage medium
CN112039853B (en) * 2020-08-11 2022-09-30 深信服科技股份有限公司 Asset identification method and device for local area network, equipment and readable storage medium
CN112732724A (en) * 2021-01-21 2021-04-30 杭州迪普科技股份有限公司 Asset information management method and device
CN113158001A (en) * 2021-03-25 2021-07-23 深圳市联软科技股份有限公司 Method and system for judging attribution and correlation of network space IP assets
CN113949627A (en) * 2021-08-24 2022-01-18 中国人寿保险股份有限公司上海数据中心 Equipment network point attribution identification method and system
CN114500261B (en) * 2022-01-24 2024-01-02 深信服科技股份有限公司 Network asset identification method and device, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102035793A (en) * 2009-09-28 2011-04-27 成都市华为赛门铁克科技有限公司 Botnet detecting method, device and network security protective equipment
CN102684897A (en) * 2011-03-14 2012-09-19 上海宝信软件股份有限公司 Method for discovering transmission control protocol/Internet protocol (TCP/IP) network private access equipment
CN103905261A (en) * 2012-12-26 2014-07-02 中国电信股份有限公司 Protocol characteristic library online updating method and system
CN109327461A (en) * 2018-11-12 2019-02-12 广东省信息安全测评中心 Distributed asset identification and change cognitive method and system
CN109995582A (en) * 2019-03-13 2019-07-09 北京国舜科技股份有限公司 Asset equipment management system and method based on real-time status
CN110113345A (en) * 2019-05-13 2019-08-09 四川长虹电器股份有限公司 A method of the assets based on Internet of Things flow are found automatically

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101820073B1 (en) * 2011-06-08 2018-01-18 마벨 월드 트레이드 리미티드 Method and apparatus for dynamically adjusting a configurable parameter of a discovery protocol during discovery of devices in a wireless network
CN102724068B (en) * 2012-04-05 2014-12-31 杭州安恒信息技术有限公司 Method for identifying audit log asset in internet protocol version 6 (IPv6) mixed network

Also Published As

Publication number Publication date
CN110535727A (en) 2019-12-03

Similar Documents

Publication Publication Date Title
CN110535727B (en) Asset identification method and device
CN110708315A (en) Asset vulnerability identification method, device and system
CN109347827B (en) Method, device, equipment and storage medium for predicting network attack behavior
CN110134653B (en) Method and system for assisting database auditing by using logs
CN108923972B (en) Weight-reducing flow prompting method, device, server and storage medium
CN113242236B (en) Method for constructing network entity threat map
CN112087462A (en) Vulnerability detection method and device of industrial control system
CN109413017B (en) Method and system for managing heterogeneous firewall
CN109688094B (en) Suspicious IP configuration method, device, equipment and storage medium based on network security
CN110866259A (en) Method and system for calculating potential safety hazard score based on multi-dimensional data
CN112069425A (en) Log management method and device, electronic equipment and readable storage medium
CN114826946B (en) Unauthorized access interface detection method, device, equipment and storage medium
CN111193727A (en) Operation monitoring system and operation monitoring method
CN111526109B (en) Method and device for automatically detecting running state of web threat recognition defense system
CN113535823B (en) Abnormal access behavior detection method and device and electronic equipment
CN111404937A (en) Method and device for detecting server vulnerability
CN111277569B (en) Network message decoding method and device and electronic equipment
CN110971575B (en) Malicious request identification method and device, electronic equipment and computer storage medium
CN110866831A (en) Asset activity level determination method and device and server
KR102051580B1 (en) Integrated clinical trial apparatus based on cdisc
CN111353138A (en) Abnormal user identification method and device, electronic equipment and storage medium
CN112738175B (en) Request processing method and related equipment
CN114172980A (en) Method, system, device, equipment and medium for identifying type of operating system
CN113452533B (en) Charging self-inspection and self-healing method and device, computer equipment and storage medium
CN110300193B (en) Method and device for acquiring entity domain name

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant