CN110943884B - Data processing method and device - Google Patents

Info

Publication number
CN110943884B
Authority
CN
China
Prior art keywords
address
tested
port
network
equipment
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911158965.2A
Other languages
Chinese (zh)
Other versions
CN110943884A (en
Inventor
张强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
WeBank Co Ltd
Original Assignee
WeBank Co Ltd
Application filed by WeBank Co Ltd
Priority to CN201911158965.2A
Publication of CN110943884A
Application granted
Publication of CN110943884B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L43/12 Network monitoring probes
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L45/741 Routing in networks with a plurality of addressing schemes, e.g. with both IPv4 and IPv6
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/618 Details of network addresses
    • H04L2101/659 Internet protocol version 6 [IPv6] addresses
    • H04L2101/668 Internet protocol [IP] address subnets

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Cardiology (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention relates to the technical field of financial technology (Fintech) and discloses a data processing method and device. The method comprises: obtaining an IP address of a network device to be tested; sending a first request message to the network device to be tested according to its IP address; receiving a first response message from the network device to be tested; and determining the type of the network device to be tested according to the first response message. If the type cannot be determined according to the first response message, a detection path is constructed at least according to the IP address and a set network protocol, detection is performed on the detection path, and the type of the network device to be tested is determined according to the detection result. The type of the network device is thus determined by static detection combined with dynamic detection, and because the dynamic detection combines the IP address with the set network protocol, the judgment information is richer and the type of the network device to which each IP address belongs can be judged accurately.

Description

Data processing method and device
Technical Field
The invention relates to the technical field of financial technology (Fintech), and in particular to a data processing method and device.
Background
With the development of computer technology, more and more technologies are being applied in the financial field, and the traditional financial industry is gradually shifting toward financial technology (Fintech). Because of the security and real-time requirements of the financial industry, financial technology also places higher demands on these technologies. With the development of network technology, equipment assets in the Fintech field have also become network assets; by managing the network assets of each client, the operating condition of the client's assets can be known in time, and the accuracy and richness of the client portrait are improved.
At present, to determine the type of the network device to which an Internet Protocol (IP) address belongs, it is common practice to send a TCP request or an HTTP request to that network device and, after receiving its response message, to determine the device type by comparing the returned host flag bit carried in the response message against known fingerprint data. However, this approach relies on known fingerprint data, that is, the fingerprint data of network devices that have already been tagged, and therefore cannot determine the type of a network device that has not been tagged. It also determines the type solely from the host flag bit returned by the network device, so the judgment information is limited, only a limited set of network devices can be judged, and the judgment accuracy is low.
In summary, a data processing method is needed to solve the technical problem in the prior art that the type of the network device to which each IP address belongs cannot be accurately determined because the determination relies on known fingerprint data.
Disclosure of Invention
The embodiment of the invention provides a data processing method and a data processing device, which are used to solve the technical problem in the prior art that the type of the network device to which each IP address belongs cannot be accurately determined because the determination relies on known fingerprint data.
In a first aspect, an embodiment of the present invention provides a data processing method, including:
acquiring an Internet Protocol (IP) address of a network device to be tested; sending a first request message to the network device to be tested according to its IP address; receiving a first response message from the network device to be tested; and determining the type of the network device to be tested according to the first response message. If the type of the network device to be tested cannot be determined according to the first response message, a detection path is constructed at least according to the IP address and a set network protocol, detection is performed on the detection path, and the type of the network device to be tested is determined according to the detection result.
In the embodiment of the invention, the first response message of the network device to be tested is first used for static detection of the device type; when the first response message is insufficient to determine the type, the network device to be tested is dynamically detected based on the IP address and the set network protocol, and its type is determined according to the result of the dynamic detection. The embodiment thus determines the type of the network device by static detection combined with dynamic detection, and because the dynamic detection combines the IP address with the set network protocol, the judgment information is richer.
In one possible implementation, the first response message includes the peak online period of the IP address within a set period, the number of online days of the IP address within the set period, and each open port of the network device to be tested. In a specific implementation, determining the type of the network device to be tested according to the first response message includes: determining a probability value of the IP address under an online time period index according to the degree of matching between the peak online period of the IP address and a set online time period; determining a probability value of the IP address under an online days index according to the correspondence between the online days of the IP address and set online days; and determining a probability value of the IP address under a port index according to the correspondence between each open port of the network device to be tested and a first set port. The set online time period, the set online days and the first set port are obtained from statistics on the usage patterns of PC devices. Further, the probability that the IP address belongs to a PC device is obtained from the weight of the online time period index, the weight of the online days index, the weight of the port index, and the probability values of the IP address under those three indexes; if that probability is greater than a preset probability, the network device to be tested is determined to be a PC device.
In the above implementation, setting a classification rule for PC devices provides an explicit classification standard for network devices; compared with the prior-art classification based on known fingerprint data, PC devices can be identified among the network devices more clearly, with a unified standard and high accuracy. In addition, the implementation derives the characteristics of PC devices under the online time period index, the online days index and the port index by analysing the usage patterns of PC devices, and judges whether the network device to be tested is a PC device from its characteristics under all three indexes, which improves the accuracy of the judgment.
In a possible implementation, the first response message includes each open port of the network device to be tested and each middleware service running on it. In a specific implementation, determining the type of the network device to be tested according to the first response message includes: if one or more of the middleware services running on the network device to be tested match a set middleware service and, for each middleware service that matches a set middleware service, the ports on which that middleware service runs on the network device to be tested include a port matching the second set port corresponding to the set middleware service, determining that the network device to be tested is an IDC device. The set middleware services are obtained from statistics on the middleware services running on Internet data center (IDC) devices, and the second set ports are obtained from statistics on the ports used on IDC devices.
In the above implementation, setting a classification rule for IDC devices provides an explicit classification standard for network devices; compared with the prior-art classification based on known fingerprint data, IDC devices can be identified among the network devices more clearly, with a unified standard and high accuracy. In addition, the implementation derives the middleware services and ports commonly used by IDC devices by analysing the usage patterns of IDC devices, and judges whether the network device to be tested is an IDC device from its middleware services and ports together, so IDC devices are judged with higher accuracy.
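The two static rules described above (the weighted PC probability and the IDC middleware/port match) can be sketched as follows; this is an added example, not code from the patent. The weighted sum, the way each index probability is computed, the order of the two checks, and every period, port, weight, threshold and name in it are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Every value below is an assumption for illustration; the patent publishes no
# concrete periods, day ranges, ports, weights or thresholds.
SET_ONLINE_HOURS = set(range(9, 23))      # "set online time period" (hours 9..22)
SET_ONLINE_DAYS = (5, 25)                 # "set online days" in a 30-day window
FIRST_SET_PORTS = {135, 139, 445, 3389}   # "first set port": typical of PC devices
WEIGHTS = {"period": 0.4, "days": 0.2, "port": 0.4}
PRESET_PROBABILITY = 0.6
# "set middleware service" -> its "second set port(s)"
SET_MIDDLEWARE = {"nginx": {80, 443}, "mysql": {3306}, "redis": {6379}}


@dataclass
class FirstResponse:
    """Fields the static rules read from the first response message."""
    peak_hours: set = field(default_factory=set)   # hours (0-23) of peak activity
    online_days: int = 0                           # days online in the set period
    open_ports: set = field(default_factory=set)
    middleware: dict = field(default_factory=dict)  # service name -> ports it runs on


def pc_probability(r):
    """Weighted combination of the three index probabilities (assumed weighted sum)."""
    # Online time period index: share of the peak hours inside the set period.
    p_period = len(r.peak_hours & SET_ONLINE_HOURS) / len(r.peak_hours) if r.peak_hours else 0.0
    # Online days index: 1 if the day count falls in the set range, else 0.
    low, high = SET_ONLINE_DAYS
    p_days = 1.0 if low <= r.online_days <= high else 0.0
    # Port index: share of the open ports that are PC-typical ports.
    p_port = len(r.open_ports & FIRST_SET_PORTS) / len(r.open_ports) if r.open_ports else 0.0
    return (WEIGHTS["period"] * p_period
            + WEIGHTS["days"] * p_days
            + WEIGHTS["port"] * p_port)


def is_idc(r):
    """At least one set middleware service is present, and each one present
    runs on a port matching its second set port."""
    matched = {name: ports for name, ports in r.middleware.items() if name in SET_MIDDLEWARE}
    if not matched:
        return False
    return all(ports & SET_MIDDLEWARE[name] for name, ports in matched.items())


def classify_static(r):
    """Return "PC", "IDC", or None when static detection is inconclusive
    and dynamic detection has to take over."""
    if pc_probability(r) > PRESET_PROBABILITY:
        return "PC"
    if is_idc(r):
        return "IDC"
    return None


# Constructed first-response samples.
SAMPLE_PC = FirstResponse({19, 20, 21, 22}, 20, {135, 445, 5357}, {})
SAMPLE_SERVER = FirstResponse(set(range(24)), 30, {22, 80, 3306},
                              {"nginx": {80}, "mysql": {3306}})
SAMPLE_UNKNOWN = FirstResponse({2, 3}, 30, {8080}, {"nginx": {8080}})
```

`SAMPLE_UNKNOWN` runs a known middleware service on a port outside its set ports, so neither rule fires and the device falls through to dynamic detection.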
In a possible implementation, the first response message further includes the network protocols supported by the network device to be tested. In a specific implementation, constructing a detection path at least according to the IP address and the set network protocol, performing detection on the detection path, and determining the type of the network device to be tested according to the detection result includes: for each open port of the network device to be tested, constructing a detection path corresponding to the port from the IP address, a network protocol supported by the network device to be tested, and the port; sending a second request message to the detection path corresponding to the port; and, if a second response message is received, determining that a World Wide Web (web) service is open on the port. If a web service is open on one or more ports of the network device to be tested, the network device to be tested is determined to be an IDC device.
In the above implementation, since an IDC device generally provides web services to other network devices, checking whether each open port of the network device to be tested provides a web service makes it possible to determine accurately whether the device is an IDC device. Judging the type from middleware services and ports can be completed using only the data in the first response message and is therefore fast, whereas judging the type from web services requires sending a second request message to each port and is comparatively slower. The middleware-service-and-port check can therefore be performed first and the web service check afterwards, so that whether the network device to be tested is an IDC device is judged accurately while judgment efficiency is improved.
In one possible implementation, constructing a detection path at least according to the IP address and the set network protocol, performing detection on the detection path, and determining the type of the network device to be tested according to the detection result includes: for the fingerprint rule corresponding to each IOT type in an IOT type library, determining the detection path corresponding to that IOT type according to the network protocol and the page identifier to be detected in the fingerprint rule, together with the IP address; sending a third request message to the detection path corresponding to the IOT type and receiving a third response message; and, if the third response message satisfies the detection result in the fingerprint rule corresponding to the IOT type, determining that the network device to be tested is an IOT device.
In the above implementation, an IOT type library containing fingerprint rules for multiple IOT types is provided, so the scheme allows multiple manufacturers to customise the fingerprint rule for each IOT type; by constructing the corresponding detection path from each IOT type's fingerprint rule, whether the device to be tested belongs to that IOT type can be determined accurately from the degree of matching between the actual detection result and the detection result in the fingerprint rule.
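An added sketch of the fingerprint-rule step described above, not code from the patent: each rule supplies a protocol, a page identifier and an expected detection result, the detection path is built from the rule plus the IP address, and the third response is checked against the rule. The rule schema, the device names, the `fetch` callback and the canned responses are all hypothetical, and the addresses come from documentation ranges.

```python
import re
from ipaddress import ip_address

# Constructed IOT type library; types, pages and patterns are hypothetical.
IOT_TYPE_LIBRARY = [
    {"iot_type": "example-camera", "protocol": "http", "port": 80,
     "page": "/login.html", "expect_status": 200,
     "expect_body": r"<title>\s*ExampleCam Web Client"},
    {"iot_type": "example-router", "protocol": "https", "port": 443,
     "page": "cgi-bin/status", "expect_status": 401,
     "expect_header": ("www-authenticate", r'realm="ExampleRouter"')},
]
DEFAULT_PORTS = {"http": 80, "https": 443}


def build_detection_path(rule, ip):
    """Combine the rule's protocol and page identifier with the IP address."""
    addr = ip_address(ip)                      # ValueError on malformed input
    host = f"[{addr}]" if addr.version == 6 else str(addr)  # IPv6 needs brackets
    port = "" if rule["port"] == DEFAULT_PORTS.get(rule["protocol"]) else f":{rule['port']}"
    page = "/" + rule["page"].lstrip("/")
    return f"{rule['protocol']}://{host}{port}{page}"


def response_matches(rule, status, headers, body):
    """True when the response satisfies the rule's expected detection result."""
    if status != rule["expect_status"]:
        return False
    if "expect_body" in rule and not re.search(rule["expect_body"], body, re.I):
        return False
    if "expect_header" in rule:
        name, pattern = rule["expect_header"]
        lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        if not re.search(pattern, lowered.get(name, "")):
            return False
    return True


def identify_iot(ip, fetch):
    """Try every rule in the library; fetch(url) returns (status, headers, body)
    or None when no response arrives. Returns the matched IOT type or None."""
    for rule in IOT_TYPE_LIBRARY:
        result = fetch(build_detection_path(rule, ip))   # third request / third response
        if result is not None and response_matches(rule, *result):
            return rule["iot_type"]
    return None


# Constructed responses keyed by detection path, so the example runs offline.
CONSTRUCTED_RESPONSES = {
    "http://192.0.2.10/login.html":
        (200, {"Server": "demo"}, "<html><title>ExampleCam Web Client</title></html>"),
    "https://[2001:db8::5]/cgi-bin/status":
        (401, {"WWW-Authenticate": 'Basic realm="ExampleRouter"'}, ""),
    "http://192.0.2.20/login.html":
        (200, {"Server": "demo"}, "<html><title>Welcome</title></html>"),
}
```

In a deployment `fetch` would be an HTTP client call with a short timeout; passing `CONSTRUCTED_RESPONSES.get` exercises the matching logic without any network traffic.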
In one possible implementation, before the first request message is sent to the network device to be tested according to its IP address, the IP address is further determined to be legal and to be in a surviving state.
In the above implementation, a request message sent to a network device with an illegal or inactive IP address yields no usable response message. By performing validity identification and liveness identification on the IP address of the network device to be tested before classifying the device, detection of illegal or inactive IP addresses is avoided, which avoids useless operations and improves classification efficiency.
In a second aspect, an embodiment of the present invention provides a data processing apparatus, including:
an acquisition module, configured to acquire the Internet Protocol (IP) address of the network device to be tested;
a transceiver module, configured to send a first request message to the network device to be tested according to its IP address and to receive a first response message from the network device to be tested;
a determining module, configured to determine the type of the network device to be tested according to the first response message; and
a detection module, configured to, if the type of the network device to be tested cannot be determined according to the first response message, construct a detection path at least according to the IP address and a set network protocol, perform detection on the detection path, and determine the type of the network device to be tested according to the detection result.
In one possible implementation, the first response message includes the peak online period of the IP address within a set period, the number of online days of the IP address within the set period, and each open port of the network device to be tested. In a specific implementation, the determining module is specifically configured to: determine a probability value of the IP address under an online time period index according to the degree of matching between the peak online period of the IP address and a set online time period; determine a probability value of the IP address under an online days index according to the correspondence between the online days of the IP address and set online days; and determine a probability value of the IP address under a port index according to the correspondence between each open port of the network device to be tested and a first set port. The set online time period, the set online days and the first set port are obtained from statistics on the usage patterns of PC devices. Further, the probability that the IP address belongs to a PC device is obtained from the weight of the online time period index, the weight of the online days index, the weight of the port index, and the probability values of the IP address under those three indexes; if that probability is greater than a preset probability, the network device to be tested is determined to be a PC device.
In a possible implementation, the first response message includes each open port of the network device to be tested and each middleware service running on it. In a specific implementation, the determining module is specifically configured to: if one or more of the middleware services running on the network device to be tested match a set middleware service and, for each middleware service that matches a set middleware service, the ports on which that middleware service runs on the network device to be tested include a port matching the second set port corresponding to the set middleware service, determine that the network device to be tested is an IDC device. The set middleware services are obtained from statistics on the middleware services running on Internet data center (IDC) devices, and the second set ports are obtained from statistics on the ports used on IDC devices.
In a possible implementation, the first response message further includes the network protocols supported by the network device to be tested. In a specific implementation, the detection module is specifically configured to: for each open port of the network device to be tested, construct a detection path corresponding to the port from the IP address, a network protocol supported by the network device to be tested, and the port; send a second request message to the detection path corresponding to the port; and, if a second response message is received, determine that a World Wide Web (web) service is open on the port. If a web service is open on one or more ports of the network device to be tested, the network device to be tested is determined to be an IDC device.
In one possible implementation, the detection module is specifically configured to: for the fingerprint rule corresponding to each IOT type in an IOT type library, determine the detection path corresponding to that IOT type according to the network protocol and the page identifier to be detected in the fingerprint rule, together with the IP address; send a third request message to the detection path corresponding to the IOT type and receive a third response message; and, if the third response message satisfies the detection result in the fingerprint rule corresponding to the IOT type, determine that the network device to be tested is an IOT device.
In one possible implementation, before the transceiver module sends the first request message to the IP address, the determining module further determines that the IP address is legal and that the IP address is in a surviving state.
In a third aspect, an embodiment of the present invention provides a computing device, including at least one processor and at least one memory, where the memory stores a computer program, and when the program is executed by the processor, causes the processor to perform the data processing method according to any of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer readable storage medium storing a computer program executable by a computing device, which when run on the computing device, causes the computing device to perform the data processing method according to any of the first aspects described above.
These and other aspects of the invention will be more readily apparent from the following description of the embodiments.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it will be apparent that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of one possible system architecture to which embodiments of the present invention may be applied;
FIG. 2 is a flow chart corresponding to a data processing method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a hardware architecture of a data processing system according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an interaction flow of a data processing method according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a data processing apparatus according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a computing device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail below with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
FIG. 1 is a schematic diagram of a suitable system architecture according to an embodiment of the present invention, as shown in FIG. 1, where the system architecture includes a data processing system 100 and at least one client, such as a client 111, a client 112, and a client 113; the data processing system 100 may be connected to each client, for example, by a wired connection, or may be connected by a wireless connection, which is not limited in particular.
In the embodiment of the present invention, the client may refer to a service system, such as a network credit service system, a security service system, a deposit service system, a card selling service system, etc., and each client may send an IP address to be categorized to the data processing system 100, so that the data processing system 100 determines a type of a network device to which each IP address belongs. Accordingly, the data processing system 100 may construct an asset management library based on the type of the network device to which each IP address belongs, so that each client may query, or may return the type of the network device to which each IP address belongs to each client, so that each client performs each service, which is not limited in particular.
Based on the system architecture illustrated in fig. 1, fig. 2 is a flow chart corresponding to a data processing method according to an embodiment of the present invention, where the method is applicable to a data processing system 100, and the method includes:
Step 201, obtaining an IP address of a network device to be tested.
In the embodiment of the present invention, the data processing system 100 may obtain the IP address of the network device to be tested in various manners, for example, the IP address of each network device to be tested may be sent to the data processing system 100 by each client, or the data processing system 100 may obtain the IP address of each network device to be tested from each client through a file transfer protocol negotiated in advance, or an optical signal carrying the IP address of each network device to be tested may be sent to the data processing system 100 through an optical splitter pre-deployed in the optical network system, or an electrical signal carrying the IP address of each network device to be tested may be sent to the data processing system 100 through a splitter pre-deployed in the circuit network system, or an electrical signal carrying the IP address of each network device to be tested may be sent to the data processing system 100 through a bypass flow replication function of each network device to be tested, and so on, which is not limited specifically.
The IP address of the network device to be tested may be any one or more of an IPv4 address, an IPv6 address, and an IPv9 address.
In one example, if a client constructs a PCAP packet according to an IP protocol of a network device to be tested, and sends the PCAP packet to the data processing system 100, after the data processing system 100 receives the PCAP packet, the IP protocol in the PCAP packet may be further parsed, and then an IP address is extracted from a packet header of the IP protocol.
Step 202, a first request message is sent to the network device to be tested according to the IP address of the network device to be tested, and a first response message of the network device to be tested is received.
In the embodiment of the present invention, after obtaining the IP addresses of each network device to be tested, the data processing system 100 may detect each IP address to obtain the type of the network device to be tested corresponding to each IP address, however, since some invalid IP addresses, such as illegal IP addresses or inactivated IP addresses, may exist in each IP address, even if a request message is sent to the network devices with these IP addresses, a response message or an incorrect response message cannot be obtained for the invalid IP addresses, so that the data processing system 100 cannot analyze and obtain the type of the network device to be tested corresponding to these IP addresses, and therefore, if all IP addresses are detected, more useless operations are performed, resulting in lower efficiency of data processing.
In order to solve the above problem, in one possible implementation manner, after obtaining the IP addresses of the network devices to be tested, the data processing system 100 may perform validity identification on each IP address first, determine whether each IP address belongs to a valid IP address or an invalid IP address, and after the validity identification of each IP address is completed, reject the invalid IP address in each IP address from each IP address to obtain a valid IP address set; and then carrying out activity identification on each IP address in the legal IP address set to determine whether each IP address belongs to a surviving IP address or an inactivated IP address, and removing the inactivated IP address in the legal IP address set from the legal IP address set after the activity identification of each IP address is finished to obtain the legal and surviving IP address set.
In specific implementation, the validity of the IP address may be identified in the following manner: for any IP address, determining the matching degree of the IP address and each set illegal IP field, if one or more set illegal IP fields exist so that the matching degree of the IP address and the one or more set illegal IP fields is greater than or equal to the set matching degree, determining the IP address as an illegal IP address, and if the matching degree of the IP address and any set illegal IP field is smaller than the set matching degree, determining the IP address as a legal IP address. The setting of the illegal IP field may be performed empirically by those skilled in the art, for example, as known from the specification of the illegal IP address field in the RFC1918 official document, the intranet private IP field (since the intranet private IP address contains 10.64.0.0 to 10.64.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.00 to 192.168.255.255, the intranet private IP field may be 100.64, 172.16, or 192.168), the loopback IP field (such as 127.0.0.1, 169.254, etc.), and the reserved IP field all belong to the illegal IP field, and thus, the intranet private IP field, the loopback IP field, and the reserved IP field may be set as the setting illegal IP field.
Accordingly, activity identification of an IP address may be performed as follows: for any legal IP address, a request data packet may be constructed based on the TCP Connect protocol or the SYN protocol and sent to the network device to be tested corresponding to the IP address, after which a response data packet from the network device to be tested is awaited; if the network device to be tested successfully returns a SYN response data packet or an ACK response data packet, the IP address is determined to be a surviving IP address, and if the network device to be tested does not successfully return a SYN response data packet or an ACK response data packet, the IP address is determined to be an inactivated IP address.
It should be noted that the foregoing is only an example of an execution flow and does not limit the execution order of validity identification and activity identification; that is, the data processing system may first perform validity identification on each IP address, remove the illegal IP addresses, and then perform activity identification on the legal IP addresses, or it may first perform activity identification on each IP address, remove the inactivated IP addresses, and then perform validity identification on the surviving IP addresses, which is not particularly limited.
In this implementation, performing validity identification and activity identification on the IP addresses of the network devices to be tested before classifying them avoids probing illegal or inactivated IP addresses, thereby avoiding useless operations and improving classification efficiency.
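The two filtering stages described above, as an added Python example that is not part of the patent text: it shows that either stage order yields the same legal and surviving set, while running validity identification first sends fewer liveness probes. The illegal ranges, the candidate list and the `is_alive` callable are constructed assumptions; a real liveness check would be supplied by the caller.

```python
import ipaddress

# Assumed configuration of the "set illegal IP fields" (constructed for this example).
ILLEGAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private ranges
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local
    "0.0.0.0/8", "240.0.0.0/4",                        # reserved
)]


def is_legal(ip_text):
    """True when ip_text parses as an address outside every set illegal range."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False  # malformed input is treated as illegal
    return not any(addr in net for net in ILLEGAL_NETWORKS)


def filter_targets(ips, is_alive, validity_first=True):
    """Return (legal_and_surviving_ips, liveness_probes_sent).

    is_alive is a caller-supplied callable (hypothetical here) that performs
    the activity identification for one address and returns True or False.
    """
    probes = 0

    def probe(ip):
        nonlocal probes
        probes += 1
        return is_alive(ip)

    stages = [is_legal, probe] if validity_first else [probe, is_legal]
    # De-duplicate while keeping the submitted order.
    remaining = list(dict.fromkeys(ip.strip() for ip in ips))
    for stage in stages:
        remaining = [ip for ip in remaining if stage(ip)]
    return remaining, probes


# Constructed sample input: candidate addresses and the hosts that would answer.
CANDIDATES = ["203.0.113.10", "192.168.1.5", "127.0.0.1", "198.51.100.7",
              "169.254.3.3", "not-an-ip", "203.0.113.10"]
ALIVE = {"203.0.113.10", "192.168.1.5", "127.0.0.1"}


def constructed_is_alive(ip):
    """Stand-in for the liveness probe, answering from the constructed ALIVE set."""
    return ip in ALIVE


if __name__ == "__main__":
    for first in (True, False):
        kept, sent = filter_targets(CANDIDATES, constructed_is_alive, first)
        print("validity first" if first else "liveness first", kept, "probes:", sent)
```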
Further, for any IP address in the set of legal and surviving IP addresses, the data processing system 100 may send, according to the IP address, a first request message to the network device to be tested corresponding to the IP address, where the first request message may be used to obtain any one or more of open ports and historical internet access activity information of the network device to be tested, open ports and running middleware services, open ports and supported network protocols. Taking the first request message as an example for obtaining the above information, after the network device to be tested receives the first request message, a first response message may be constructed according to each port opened in the network device to be tested and the Banner information of each port, and then the first response message is sent to the data processing system 100, where the type of the first response message may be a TCP data type, nmap data type or masscan data type; accordingly, after the data processing system 100 obtains the first response message sent by each network device to be tested, the first response message may be parsed to obtain each port opened in each network device to be tested and the Banner information of each port, and the network protocol supported by each port and the operating system version of the network device to be tested are identified from the Banner information of the port.
Step 203, determining the type of the network device to be tested according to the first response message.
Step 204, if the type of the network device to be tested cannot be determined according to the first response message, constructing a detection path at least according to the IP address and the set network protocol.
Step 205, probing the detection path, and determining the type of the network device to be tested according to the probing result.
In one possible implementation, the data processing system 100 may classify each network device as a personal computer (Personal Computer, PC) device, an internet data center (Internet Data Center, IDC) device, or an internet of things (Internet of Things, IOT) device, and set corresponding classification rules for the PC device, the IDC device, and the IOT device, respectively. The implementation process for determining whether any network device to be tested is a PC device, an IDC device, or an IOT device is described below.
PC device
The PC device refers to a general user device, and the general user device may access the internet through an Asymmetric Digital Subscriber Line (ADSL) dial-up or through other broadband modes.
In the embodiment of the present invention, if the first response message includes all ports opened by the network device to be tested and its historical internet access activity information, the data processing system 100 may determine whether the network device to be tested belongs to the PC device based on the first response message; the historical internet access activity information may comprise the internet surfing peak period and the number of online days of the IP address within the set time period.
In a specific implementation, the data processing system 100 may calculate the matching degree between the internet surfing peak period of the IP address of the network device to be tested and the set internet surfing period, and determine from it the probability value of the IP address under the internet surfing period index; calculate the correspondence between the number of online days of the IP address and the set number of online days, and determine from it the probability value of the IP address under the online days index; and calculate the correspondence between each port opened by the network device to be tested and the first set port, and determine from it the probability value of the IP address under the port index. The set internet surfing period, the set number of online days and the first set port are obtained from statistics on the usage rule of PC devices. Further, the data processing system 100 may obtain the probability that the IP address belongs to the PC device according to the weight of the internet surfing period index, the weight of the online days index, the weight of the port index, and the probability values of the IP address under the three indexes, and determine that the network device to be tested belongs to the PC device if the probability that the IP address belongs to the PC device is greater than the preset probability.
For example, by counting the daily internet surfing periods of the IP addresses of a plurality of known PC devices, the internet surfing peak period of PC devices is found to be generally concentrated in 6:00 a.m. to 12:00 a.m., so the set internet surfing period can be 6:00-24:00. In a specific implementation, when the internet surfing peak period of the IP address of the network device to be tested falls within 6:00-24:00, the network device to be tested is likely to be a PC device, so its probability value under the internet surfing peak period index is set to R1; when the internet surfing peak period of the IP address does not fall within 6:00-24:00, the network device to be tested is unlikely to be a PC device, and its probability value under the internet surfing peak period index is 1-R1; wherein R1 > 1-R1.
Accordingly, in the common domestic dial-up networking mode, the IP address allocated to a PC device by the operator is usually not fixed, that is, the IP address of a PC device changes often, so the number of online days of a PC device's IP address is usually small. The set number of online days can therefore be set to short-term online, and the number of days corresponding to short term can be determined according to the numbers of online days of the IP addresses of known PC devices, for example their average value or their median, which is not limited. In a specific implementation, when the IP address of the network device to be tested is short-term online, the network device to be tested is likely to be a PC device, so its probability value under the online days index is set to R2; when the IP address is long-term online, the network device to be tested is unlikely to be a PC device, and its probability value under the online days index is set to 1-R2; wherein R2 > 1-R2.
Further, by counting the ports opened by a plurality of known PC devices, the ports opened by PC devices are found to be typically port 135 and/or port 445, and thus the first set port may be port 135 and/or port 445. In a specific implementation, when the ports opened by the network device to be tested include port 135 and/or port 445, the network device to be tested is likely to be a PC device, so its probability value under the port index is set to R3; when the ports opened by the network device to be tested include neither port 135 nor port 445, the network device to be tested is unlikely to be a PC device, and its probability value under the port index is 1-R3; wherein R3 > 1-R3.
Thus, after determining the probability values of the network device to be tested under the internet surfing peak period index, the online days index and the port index, the data processing system can compute a weighted average of the three probability values according to the weight of the internet surfing peak period index, the weight of the online days index and the weight of the port index, so as to obtain the probability that the network device to be tested belongs to the PC device. For example, when the first set ports are port 135 and port 445, if analysis of the first response message finds that the internet surfing peak period of the network device to be tested is concentrated in 8:00-21:00, that it is long-term online, and that its open ports include port 135 but not port 445, the probability α that the network device to be tested belongs to the PC device may be:
α=w1*R1+w2*(1-R2)+w3*(1-R3)
Wherein w1 is the weight of the internet surfing peak period index, w2 is the weight of the online days index, and w3 is the weight of the port index.
When the probability alpha of the network equipment to be tested belonging to the PC equipment is determined, if the probability alpha of the network equipment to be tested belonging to the PC equipment is larger than or equal to the preset probability, the network equipment to be tested can be determined to belong to the PC equipment, and if the probability alpha of the network equipment to be tested belonging to the PC equipment is smaller than the preset probability, the network equipment to be tested can be determined not to belong to the PC equipment. The preset probability may be set by those skilled in the art according to experience, for example, may be set to 0.5 or may be set to 0.8, and is not particularly limited.
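The weighted score above, carried through in code as an added example that is not part of the patent text. The values of R1, R2, R3, the weights, the seven-day short-term limit and the sample devices are constructed assumptions; the comparison uses "greater than or equal to", as in the preceding paragraph.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PcRule:
    # All numeric values are constructed for illustration; the text leaves them open.
    r1: float = 0.8            # probability value when the peak period matches
    r2: float = 0.7            # probability value when the address is short-term online
    r3: float = 0.9            # probability value when the port index matches
    w1: float = 0.3            # weight of the peak period index
    w2: float = 0.3            # weight of the online days index
    w3: float = 0.4            # weight of the port index
    set_period: tuple = (6, 24)                  # set internet surfing period, hours
    short_term_days: int = 7                     # assumed limit for "short-term online"
    set_ports: frozenset = frozenset({135, 445})  # first set ports
    require_all_ports: bool = True               # "135 and 445" versus "135 or 445"
    preset_probability: float = 0.5


def pc_probability(rule, peak, online_days, open_ports):
    """alpha = w1*p_period + w2*p_days + w3*p_ports, each p being R or 1-R."""
    if any(not 0.5 < r <= 1 for r in (rule.r1, rule.r2, rule.r3)):
        raise ValueError("each R must satisfy R > 1 - R")
    if abs(rule.w1 + rule.w2 + rule.w3 - 1.0) > 1e-9:
        raise ValueError("weights are assumed to sum to 1")

    start, end = peak
    low, high = rule.set_period
    p_period = rule.r1 if low <= start and end <= high else 1 - rule.r1

    p_days = rule.r2 if online_days <= rule.short_term_days else 1 - rule.r2

    ports = set(open_ports)
    if rule.require_all_ports:
        matched = rule.set_ports <= ports        # every set port must be open
    else:
        matched = bool(rule.set_ports & ports)   # any set port is enough
    p_ports = rule.r3 if matched else 1 - rule.r3

    return rule.w1 * p_period + rule.w2 * p_days + rule.w3 * p_ports


def is_pc_device(rule, peak, online_days, open_ports):
    """Apply the preset probability to the weighted score."""
    return pc_probability(rule, peak, online_days, open_ports) >= rule.preset_probability


if __name__ == "__main__":
    rule = PcRule()
    # The case from the text: peak 8:00-21:00, long-term online, port 135 but not 445.
    print(pc_probability(rule, (8, 21), 30, {135, 3389}))
    # A constructed short-term address with both set ports open.
    print(pc_probability(rule, (19, 23), 2, {135, 445, 5357}))
```

With the constructed values, the case from the text scores w1*R1 + w2*(1-R2) + w3*(1-R3) = 0.37 and falls below a preset probability of 0.5.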
In the embodiment of the invention, setting the classification rule of the PC device provides a clear classification standard for each network device; compared with the prior art, which classifies based on known fingerprint data, this approach can classify the PC devices among the network devices more clearly, with a uniform standard and high accuracy. This implementation also obtains the index characteristics of PC devices under the internet surfing period index, the online days index and the port index by analyzing the usage rule of PC devices, and can comprehensively judge whether the network device to be tested belongs to the PC device based on those three indexes, thereby improving the accuracy of judging PC devices.
IDC device
IDC devices refer to network devices within a professional server hosting area provided by an internet service provider, including websites for renting, network devices for storing data or resources, etc. provided by an internet service provider for an enterprise, organization or individual.
In the embodiment of the invention, by analyzing the usage rule of the known IDC device, the IDC device is found to have two parallel characteristics, the first parallel characteristic is that each port opened by the IDC device and the middleware service running in the Banner protocol of each port usually have an association relation, and the second parallel characteristic is that the IDC device usually provides stable internet service to the outside, so that whether the network device to be tested belongs to the IDC device can be determined based on the two parallel characteristics.
For ease of description, the first parallel feature will be referred to as a port protocol feature, the second parallel feature will be referred to as a web service feature, and the implementation of determining whether a network device under test belongs to an IDC device based on the port protocol feature or the web service feature, respectively, will be described below.
Port protocol features
By counting the middleware services running in a plurality of known IDC devices, the middleware services running in IDC devices are found to generally comprise the mysql middleware service, the redis middleware service, the mongodb middleware service, the apache middleware service, and so on, so the set middleware service can be any one or more of the mysql, redis, mongodb and apache middleware services. Accordingly, each middleware service may also correspond to distinctive port features, e.g., the mysql middleware service typically corresponds to port 3306 and the redis middleware service typically corresponds to port 8888. By analyzing the ports on which each set middleware service runs in a plurality of known IDC devices, the ports of IDC devices associated with the running set middleware services are found to typically include, but not be limited to, port 22, port 80, port 1433, port 1723, port 3306, port 3389, port 8080, port 8888 and port 9000, and thus the second set port may be set to any one or more of port 22, port 80, port 1433, port 1723, port 3306, port 3389, port 8080, port 8888 and port 9000.
Based on this, by counting the respective middleware services operated by the plurality of known IDC devices and the ports corresponding to each middleware service, the respective set middleware services corresponding to the IDC devices and the second set ports corresponding to each set middleware service may be set, and each set middleware service may correspond to one second set port, or may also correspond to a plurality of second set ports, which is not limited specifically.
In a specific implementation, if the first response message includes each port opened by the network device to be tested and the Banner protocol of each port, the data processing system 100 may parse the middleware service corresponding to each port from the Banner protocol of that port, and then determine whether one or more of the middleware services running on the network device to be tested match a set middleware service. If none matches, whether the network device to be tested belongs to the IDC device cannot be determined from the first response message. If there is a match, then for any matching middleware service it is determined whether the port corresponding to that middleware service in the network device to be tested matches the second set port corresponding to the set middleware service; if so, it may be determined that the network device to be tested belongs to the IDC device, and if not, whether the network device to be tested belongs to the IDC device cannot be determined from the first response message.
In the embodiment of the invention, by setting the classification rule of the IDC equipment, an explicit IDC equipment classification standard is provided for each network equipment, and compared with the prior art for classifying based on known fingerprint data, the IDC equipment in each network equipment can be more clearly and definitely classified by the mode, and the standard is uniform and the accuracy is high; and the middleware service commonly used by the IDC equipment and each port corresponding to each middleware service commonly used by the IDC equipment are obtained by analyzing the use rule of the IDC equipment, so that whether the network equipment to be tested belongs to the IDC equipment or not can be comprehensively judged based on the characteristics (namely, port protocol characteristics) of the network equipment to be tested under the middleware service and the ports, and the accuracy of the IDC equipment is high.
Web service features
In a specific implementation, if the first response message includes each port opened by the network device to be tested and the supported network protocol, then for any port opened by the network device to be tested, the data processing system 100 may construct a probe path corresponding to the port from the IP address of the network device to be tested, the supported network protocol and the port, and may send a second request message to the probe path corresponding to the port; if a second response message is received, it may be determined that the port provides a World Wide Web (Web) service, and if no second response message is received, it may be determined that the port does not provide a Web service. Thus, after the detection of each port opened by the network device to be tested is completed, the number of ports providing a web service can be counted, and if the number is an integer greater than 0, the network device to be tested can be determined to belong to the IDC device.
In one example, the data processing system 100 may invoke a plurality of processes to detect each port opened by the network device to be tested in parallel, or may detect each port opened by the network device to be tested by using only one process, and once detecting that a certain port is opened with a web service, may determine that the network device to be tested belongs to an IDC device, so that detection on a port which is not detected yet is not needed, a useless detection process is avoided, and performance loss of the system is reduced.
For example, if the IP address of the network device to be tested is 168.231.23.12, the open ports are ports 25, 9999 and 43579, and the supported network protocol is the hypertext transfer protocol (HyperText Transfer Protocol, http) or the hypertext transfer protocol over secure socket layer (HyperText Transfer Protocol over Secure Socket Layer, https), the data processing system 100 may construct the URL detection paths corresponding to the three ports from the IP address of the network device to be tested, the supported network protocol and the open ports as follows:
http(s)://168.231.23.12:25
http(s)://168.231.23.12:9999
http(s)://168.231.23.12:43579
In this way, the data processing system 100 may send a probe request to each URL detection path and wait for its probe response. If the URL detection paths http(s)://168.231.23.12:25 and http(s)://168.231.23.12:43579 receive no probe response, while the URL detection path http(s)://168.231.23.12:9999 receives a probe response with status code 200, port 9999 provides a web service, so it may be determined that the network device to be tested belongs to the IDC device.
In the embodiment of the invention, because the IDC equipment can provide web services for other network equipment, whether the network equipment to be tested belongs to the IDC equipment can be accurately judged by detecting whether each port opened by the network equipment to be tested provides web services.
It should be noted that, when determining whether the network device to be tested belongs to the IDC device, the data processing system 100 may rely on the port protocol feature alone, on the web service feature alone, or on both together, and the order of analysis based on the port protocol feature and the web service feature is not limited. For example, the data processing system 100 may first determine whether the network device to be tested belongs to the IDC device based on the port protocol feature and, if that cannot be determined, then determine it based on the web service feature; or the data processing system 100 may first determine whether the network device to be tested belongs to the IDC device based on the web service feature and, if that cannot be determined, then determine it based on the port protocol feature.
In one example, if each port opened by the network device to be tested, each running middleware service and the supported network protocol are obtained through analysis according to the first response message, the data processing system 100 may determine whether there is a matching between the middleware service running by the network device to be tested and the second set middleware service, if there is a matching between one or more middleware services in the middleware service running by the network device to be tested and the second set middleware service, determine, for any matching middleware service and second set middleware service, whether the port running by the middleware service in the network device to be tested is matched with the port corresponding to the second set middleware service, and if so, determine that the network device to be tested belongs to IDC device; if the network equipment is not matched, or if the middleware service is not matched with the second set middleware service in the middleware service operated by the network equipment to be tested, the detection addresses corresponding to the ports are obtained based on the IP address of the network equipment to be tested, the supported network protocols and the open ports, then detection requests are sent to the detection addresses, if the detection response sent by at least one port is received, the network equipment to be tested is determined to belong to the IDC equipment, and if the detection response is not sent by all ports, the network equipment to be tested is determined not to belong to the IDC equipment.
In the above example, since the mode of judging the type by using the middleware service and the port can be completed based on the data in the first response message, it can rapidly judge the type of the network device, and the mode of judging the type by using the web service needs to send the second request message to each port, and the judging speed is relatively slower than that of the middleware service and the port, so by setting the mode of judging the type by using the middleware service and the port first and then using the web service, it can accurately judge whether the network device to be tested belongs to the IDC device while improving the judging efficiency.
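The two-stage IDC decision described above, as an added Python example that is not part of the patent text: the port protocol feature is checked first from the parsed first response, and the per-port probe paths are tried only when it is inconclusive, stopping at the first response. The `fetch` callable, the apache port mapping and the sample responses are constructed assumptions; the mysql and redis ports and the 168.231.23.12 case are those given in the text.

```python
# Set middleware services and their second set ports. mysql -> 3306 and
# redis -> 8888 are the pairs given in the text; the apache entry is assumed.
SET_MIDDLEWARE_PORTS = {
    "mysql": {3306},
    "redis": {8888},
    "apache": {80, 8080},
}


def port_protocol_match(services_by_port):
    """Return (port, service) for the first set middleware service that runs
    on one of its second set ports, or None when nothing matches."""
    for port, service in services_by_port.items():
        if port in SET_MIDDLEWARE_PORTS.get(service, ()):
            return port, service
    return None


def build_probe_paths(ip, protocols, ports):
    """One probe path per port and supported protocol, e.g. http://ip:port."""
    return [f"{proto}://{ip}:{port}" for port in ports for proto in protocols]


def classify_idc(ip, services_by_port, protocols, fetch):
    """services_by_port maps each open port to the middleware service parsed
    from its banner (None when unrecognised). fetch(url) is a caller-supplied
    callable (hypothetical here) returning a status code, or None when no
    second response message arrives."""
    hit = port_protocol_match(services_by_port)
    if hit is not None:
        return {"is_idc": True, "basis": "port protocol feature",
                "evidence": hit, "probed": []}

    probed = []
    for url in build_probe_paths(ip, protocols, sorted(services_by_port)):
        probed.append(url)
        status = fetch(url)
        if status is not None:
            # A response means the port provides a web service: stop probing.
            return {"is_idc": True, "basis": "web service feature",
                    "evidence": (url, status), "probed": probed}
    return {"is_idc": False, "basis": "no feature matched",
            "evidence": None, "probed": probed}


# Constructed responses: only port 9999 of the example address answers.
CONSTRUCTED_RESPONSES = {"http://168.231.23.12:9999": 200}


def constructed_fetch(url):
    """Stand-in for sending the second request message."""
    return CONSTRUCTED_RESPONSES.get(url)


if __name__ == "__main__":
    print(classify_idc("168.231.23.12", {25: None, 9999: None, 43579: None},
                       ["http", "https"], constructed_fetch))
    # Constructed device running mysql on its set port: no probe is needed.
    print(classify_idc("203.0.113.20", {22: "ssh", 3306: "mysql"},
                       ["http"], constructed_fetch))
```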
IOT device
The IOT device is an internet of things device, and may include various sensing devices and intelligent network devices that access the internet, and may also include network devices that connect to and serve different architectures, such as routers, firewalls, and egress gateway devices.
In the embodiment of the invention, the classification rule of the IOT device is implemented based on the IOT type library, fingerprint rules corresponding to a plurality of IOT types can be set in the IOT type library, and the fingerprint rule corresponding to each IOT type supports customization of a corresponding device manufacturer or can be obtained by aggregation based on corresponding device information, without limitation. The fingerprint rule corresponding to each IOT type may include a set network protocol supported by the IOT type network device and a page identifier to be probed, and may further include any one or more of a manufacturer identifier, a set port service, and an operating system version.
In one example, the set network protocol corresponding to the IOT type may be the http network protocol, the message queuing telemetry transport (Message Queuing Telemetry Transport, MQTT) network protocol, the representational state transfer (Representational State Transfer, REST) network protocol, the Extensible Messaging and Presence Protocol (XMPP), the Advanced Message Queue Protocol (AMQP), and the like.
In a specific implementation, when determining whether the network device to be detected belongs to an IOT device, the data processing system 100 may determine, for a fingerprint rule corresponding to any IOT type in the IOT type library, a detection path corresponding to the IOT type according to a network protocol, a page identifier to be detected, and an IP address in the fingerprint rule corresponding to the IOT type; in this way, after a third request message is sent to the probe path corresponding to the IOT type, waiting for a third response message sent by the probe path corresponding to the IOT type, and after the third response message is received, determining whether the third response message meets the detection result in the fingerprint rule corresponding to the IOT type, if yes, determining that the network device to be detected belongs to the IOT device, and if not, determining that the network device to be detected does not belong to the IOT device.
For example, table 1 is a schematic representation of fingerprint rules corresponding to a certain IOT type in the IOT type library.
Table 1: schematic of fingerprint rules corresponding to IOT types
As shown in table 1, the fingerprint rule corresponding to the IOT type includes the network protocol supported by the IOT type network device, the page identifier to be detected, the detection result and the meaning of each field in the detection result; the network protocol supported by the network equipment and the page identifier to be detected are used for constructing a detection path, and the detection result is set for comparing the detection result after the detection of the detection path, so that whether the network equipment to be detected belongs to the IOT equipment is determined.
For example, for the IOT type identified as Hikvision CCTV in the IOT type library, when the IP address of the network device to be tested is 168.231.23.12, a URL detection path http://168.231.23.12/index.asp may be constructed from the IP address 168.231.23.12, the network protocol http, and the page identifier to be detected /index.asp, and a third request message may be sent to the URL detection path. If no third response message is received, the request has failed, so the status code retcode is not 200, the detection result does not satisfy the set detection result of the IOT type, and the network device to be tested does not belong to the IOT device. If the third response message is received, the request has succeeded and the status code retcode is 200, so it can be determined whether the header of the third response message contains the Hikvision-Webs field, and whether the header of the third response message is connected to the WIFI network. If the header does not contain the Hikvision-Webs field and is not connected to the WIFI network, the detection result does not satisfy the set detection result of the IOT type, and the network device to be tested does not belong to the IOT device. If the header contains the Hikvision-Webs field or is connected to the WIFI network, it can be determined whether port 80 is among the ports opened by the network device to be tested contained in the third response message; if port 80 is not among them, the detection result does not satisfy the set detection result of the IOT type and the network device to be tested does not belong to the IOT device, and if port 80 is among them, the detection result satisfies the set detection result of the IOT type and the network device to be tested belongs to the IOT device.
In the embodiment of the invention, 200 sustainable fingerprint rules can be stored in the IOT type library, and the real-time updating of the fingerprint rules can be supported, for example, the fingerprint rules can be added, deleted and checked in real time; accordingly, when determining whether the network device to be tested belongs to the IOT device, the data processing system 100 may match the network device to be tested with the fingerprint rules in the IOT type library according to any order, once the corresponding IOT type is matched, it may determine that the network device to be tested belongs to the IOT device, and may not match the network device to be tested with the remaining fingerprint rules any more, and if all the fingerprint rules are matched, no fingerprint rule matching with the network device to be tested is found, it may determine that the network device to be tested does not belong to the IOT device.
In the embodiment of the invention, the IOT type library containing the fingerprint rules corresponding to various IOT types is arranged, so that the scheme can support various manufacturers to customize the fingerprint rules corresponding to each IOT type, and the detection path corresponding to each IOT type is constructed by using the fingerprint rules corresponding to each IOT type, so that whether the equipment to be detected belongs to each IOT type can be accurately determined according to the matching degree of the detection result and the detection result in the fingerprint rules.
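The fingerprint-rule matching described above, as an added Python example that is not part of the patent text: each rule yields a probe path, the response is compared with the rule's set detection result, and matching stops at the first rule that fits. The rule field names, the `fetch` callable, the "ExampleCam" rule and the sample responses are constructed assumptions; only the status code, header field and port checks of the Hikvision-Webs example are modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FingerprintRule:
    iot_type: str        # name of the IOT type
    protocol: str        # set network protocol
    page: str            # page identifier to be probed
    header_token: str    # field expected in the response header
    required_port: int   # port expected among the device's open ports


# Constructed IOT type library. The second rule follows the example in the
# text; the first rule is hypothetical.
IOT_TYPE_LIBRARY = [
    FingerprintRule("ExampleCam (constructed)", "http", "/login.html",
                    "ExampleCam-Httpd", 8080),
    FingerprintRule("Hikvision CCTV", "http", "/index.asp",
                    "Hikvision-Webs", 80),
]


def probe_path(rule, ip):
    """Build the probe path from protocol, IP address and page identifier."""
    return f"{rule.protocol}://{ip}{rule.page}"


def rule_matches(rule, response, open_ports):
    """Compare one probe response with the rule's set detection result.

    response is None when no third response message arrived, otherwise a
    (retcode, headers) pair with headers as a dict.
    """
    if response is None:
        return False
    retcode, headers = response
    if retcode != 200:
        return False
    token = rule.header_token.lower()
    if not any(token in str(value).lower() for value in headers.values()):
        return False
    return rule.required_port in open_ports


def classify_iot(ip, open_ports, fetch, library=IOT_TYPE_LIBRARY):
    """Try each rule in turn and stop at the first match.

    Returns (iot_type or None, list of probe paths actually requested).
    fetch(url) is a caller-supplied callable (hypothetical here).
    """
    probed = []
    for rule in library:
        url = probe_path(rule, ip)
        probed.append(url)
        if rule_matches(rule, fetch(url), open_ports):
            return rule.iot_type, probed
    return None, probed


# Constructed responses for the example address used in the text.
CONSTRUCTED_RESPONSES = {
    "http://168.231.23.12/index.asp": (200, {"Server": "Hikvision-Webs"}),
    "http://203.0.113.30/index.asp": (200, {"Server": "nginx"}),
}


def constructed_fetch(url):
    """Stand-in for sending the third request message."""
    return CONSTRUCTED_RESPONSES.get(url)


if __name__ == "__main__":
    print(classify_iot("168.231.23.12", {80, 554}, constructed_fetch))
    print(classify_iot("168.231.23.12", {554}, constructed_fetch))
    print(classify_iot("203.0.113.30", {80}, constructed_fetch))
```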
It should be noted that, the classification manner of the network device to be tested may be implemented according to any combination sequence of the PC device, the IDC device, and the IOT device, and the sequence may be determined by the data processing system 100 randomly, so that the classification sequence of the network device to be tested is not fixed each time, or may be preset by a person skilled in the art, so that the data processing system 100 classifies the network device to be tested according to the same classification sequence each time, which is not particularly limited.
In the embodiment of the invention, a first response message of the network equipment to be detected is firstly used for carrying out static detection on the type of the network equipment to be detected, and when the first response message is insufficient for judging the type of the network equipment to be detected, the network equipment to be detected is dynamically detected based on the IP address and the set network protocol, and the type of the network equipment to be detected is determined according to the detection result of the dynamic detection; therefore, the embodiment of the invention actually determines the type of the network equipment based on the static detection and the dynamic detection, and the dynamic detection fuses the IP address and the set network protocol, so that the judgment information is more abundant.
In the following, a possible architecture of a data processing system is described from a hardware perspective. Fig. 3 is a schematic diagram of an architecture of a data processing system according to an embodiment of the present invention. As shown in fig. 3, a data preprocessing unit 101, a task scheduling unit 102, a data scanning unit 103, a processing unit 104, and a database unit 105 that are sequentially connected may be disposed in the data processing system 100. The database unit 105 is disposed at the bottommost end of the data processing system 100, the data preprocessing unit 101 is disposed at the topmost end of the data processing system 100, and the task scheduling unit 102, the data scanning unit 103 and the processing unit 104 are disposed at the middle end of the data processing system 100. The data preprocessing unit 101 may be connected with at least one client.
As shown in fig. 3, the data processing system 100 may further be provided with an alarm unit 106, where the alarm unit 106 may be connected to the data scanning unit 103 and the processing unit 104, respectively, for example, by a wired manner, or may also be connected by a wireless manner, which is not limited.
Based on the data processing system illustrated in fig. 3, fig. 4 is an overall flowchart of a data processing method according to an embodiment of the present invention. An embodiment of the present invention will be described in detail with reference to fig. 4.
The data processing method in the embodiment of the present invention relates to each unit in the client and the data processing system, such as a data preprocessing unit 101, a task scheduling unit 102, a data scanning unit 103, a processing unit 104, a database unit 105, and an alarm unit 106.
The method comprises the following steps:
In step 401, the client sends the IP address of the network device to be tested to the data preprocessing unit 101.
In step 402, the data preprocessing unit 101 determines whether the IP address of the network device to be tested is legal and alive, if the IP address is not legal or alive, step 403 is executed, and if the IP address is legal and alive, step 404 is executed.
In one example, if the data preprocessing unit 101 receives a plurality of IP addresses, it may perform validity authentication and liveness authentication on each IP address, select the legal and surviving IP addresses from among them according to the authentication results, and perform step 404.
In step 403, the data preprocessing unit 101 generates a response message according to the illegal or non-surviving IP address, and sends the response message to the client.
In step 404, the data preprocessing unit 101 sends the IP address (i.e. the legal and surviving IP address) of the network device under test to the task scheduling unit 102.
In step 405, the task scheduling unit 102 creates a task according to the IP address of the network device to be tested.
In an example, a plurality of task scheduling nodes may be disposed in the task scheduling unit 102, and after the task scheduling unit 102 receives the IP address of the network device to be tested, the task scheduling unit 102 may select a task scheduling node that is idle to process the IP address according to resource usage conditions of the plurality of task scheduling nodes. Accordingly, if there are a plurality of IP addresses and a plurality of idle task scheduling nodes, the task scheduling unit 102 may distribute the plurality of IP addresses to the plurality of idle task scheduling nodes, and the number of IP addresses distributed by each idle task scheduling node may be the same or different, which is not limited.
In a specific implementation, after each task scheduling node receives the IP address, a task corresponding to the IP address may be generated according to a task scheduling rule, which may be set by a person skilled in the art according to experience, or may also be set according to a service system to which the client belongs, and the specific implementation is not limited.
In one example, the task scheduling rule may be used to define a manner in which the data scanning unit 103 obtains the first response message, for example, the task scheduling rule may be set to time information of scanning the IP address by the data scanning unit 103, such as setting to scan the IP address at a fixed time of day, or scan the IP address at a fixed time of week, and the like, which is not limited in particular.
In step 406, the task scheduling unit 102 determines whether the scheduling condition of the task corresponding to the IP address is satisfied, if not, step 406 is executed, and if satisfied, step 407 is executed.
In step 407, the task scheduling unit 102 sends the task corresponding to the IP address to the data scanning unit 103.
In an example, a plurality of data scanning nodes may be disposed in the data scanning unit 103, and after receiving a task corresponding to the IP address sent by the task scheduling unit 102, the data scanning unit 103 may select an idle data scanning node to process the task according to the resource usage of the plurality of data scanning nodes. Accordingly, if there are a plurality of tasks corresponding to IP addresses and a plurality of idle data scanning nodes, the data scanning unit 103 may distribute the tasks to the plurality of idle data scanning nodes, and the number of tasks distributed to each idle data scanning node may be the same or different, which is not limited.
In step 408, after determining that the scheduling rule of the task corresponding to the IP address is satisfied, the data scanning unit 103 sends a first request message to the network device to be tested according to the IP address of the network device to be tested, and receives a first response message of the network device to be tested.
For example, if the scheduling rule of the task corresponding to the IP address is that data scanning is performed at 10:00 each day from November 13 to November 20 to obtain that day's internet surfing activity information for the network device to be tested to which the IP address belongs, then on each day from November 13 to November 20 the data scanning unit 103 may send a first request message to the network device to be tested according to its IP address and receive a first response message of the network device to be tested, where the first response message includes the internet surfing activity information of the network device to be tested for that day, such as that day's internet surfing period.
It should be noted that the foregoing is merely an exemplary simple description, and does not limit the solution, and in a specific implementation, the first response message may further include other information, such as each port opened by the network device to be tested, banner information of each port, supported network protocols, and so on.
In step 409, the data scanning unit 103 sends a first response message of the network device under test to the processing unit 104.
In step 410, the processing unit 104 determines the type of the network device to be tested according to the first response message, if the type of the network device to be tested cannot be determined, a detection path is constructed according to the IP address of the network device to be tested and the set network protocol, and determines the type of the network device to be tested according to the detection result.
In a specific implementation, after receiving the internet surfing activity information of the IP address of the network device to be tested for each day from November 13 to November 20 sent by the data scanning unit 103, the processing unit 104 may count the number of days on which the IP address was online, and may determine an internet surfing peak period from the internet surfing period of each of the 8 days, for example, a period in which the device is online every day, or a period in which it is online on 6 of the 8 days, and so on.
Here, the process of determining the type of the network device to be tested by the processing unit 104 may refer to steps 203 to 205, which will not be described again.
In step 411, the processing unit 104 generates a response message according to the type of the network device to be tested, and sends the response message to the client.
In step 412, the processing unit 104 sends the relevant information of the network device to be tested to the database unit 105, where the relevant information of the network device to be tested includes the IP address, the type, the open ports of the network device to be tested, the Banner information of each port, the supported network protocol, the running middleware service, the active information of surfing the internet, the version of the operating system, and so on.
In step 413, the database unit 105 stores the relevant information of the network device under test in the network asset management database.
In the embodiment of the present invention, the database unit 105 may use the network asset management database to store relevant information of each network device, such as an IP address, a type of the network device, each port opened, a Banner information of each port, a supported network protocol, a running middleware service, internet surfing active information, a version of an operating system, and the like.
Thus, after the data processing system receives the IP address of the network equipment to be tested, it can first determine the matching degree between that IP address and the IP address of each network equipment in the network asset management database. If a network equipment whose matching degree is larger than the set matching degree exists in the network asset management database, the type of that network equipment can be taken as the type of the network equipment to be tested and sent directly to the client. Network equipment to be tested of a known type then does not need to be detected again, which avoids useless data processing and improves data processing efficiency.
In one example, the database unit 105 may also be connected to a client, so that if the client wants to view the probing results of each network device under test in real time, the database unit 105 may be instructed to display the type and/or other information of each network device under test to the user on the client side in real time.
In step 414, the alarm unit 106 monitors the data scanning unit 103 and the processing unit 104 in real time.
In step 415, the alarm unit 106 raises an alarm when it detects that the data scanning unit 103 and/or the processing unit 104 is faulty.
In the embodiment of the present invention, at any time during the execution of steps 401 to 413, the alarm unit 106 may monitor the operation states of the data scanning unit 103 and the processing unit 104. If it determines that a data scanning node in the data scanning unit 103 and/or a detection node in the processing unit 104 has failed (for example, the heartbeat is zero), alarm information may be generated and sent to the operation and maintenance personnel through DingTalk, WeChat, e-mail or SMS, so that the operation and maintenance personnel can maintain the availability of the data scanning unit 103 and the processing unit 104 in time and ensure the normal operation of the data processing system.
The above step numbers are only an example of the execution flow, and do not limit the execution sequence of each step.
In the above embodiment of the present invention, an IP address of a network device to be tested is obtained, a first request message is sent to the network device to be tested according to the IP address of the network device to be tested, a first response message of the network device to be tested is received, and a type of the network device to be tested is determined according to the first response message; correspondingly, if the type of the network equipment to be detected cannot be determined according to the first response message, a detection path is constructed at least according to the IP address and the set network protocol, detection is executed on the detection path, and the type of the network equipment to be detected is determined according to a detection result. In the embodiment of the invention, a first response message of the network equipment to be detected is firstly used for carrying out static detection on the type of the network equipment to be detected, and when the first response message is insufficient for judging the type of the network equipment to be detected, the network equipment to be detected is dynamically detected based on the IP address and the set network protocol, and the type of the network equipment to be detected is determined according to the detection result of the dynamic detection; therefore, the embodiment of the invention actually determines the type of the network equipment based on the static detection and the dynamic detection, and the dynamic detection fuses the IP address and the set network protocol, so that the judgment information is more abundant, and compared with the mode of carrying out the static detection only based on the returned host mark bit in the prior art, the type of the network equipment to which each IP address belongs can be accurately judged, and the judgment effect is better.
For the above method flow, the embodiment of the present invention further provides a data processing apparatus, where the specific content of the apparatus may be implemented by referring to the above method.
Fig. 5 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present invention, including:
an obtaining module 501, configured to obtain an IP address of a network device to be tested;
a transceiver module 502, configured to send a first request message to the network device to be tested according to the IP address of the network device to be tested, and receive a first response message of the network device to be tested;
a determining module 503, configured to determine a type of the network device to be tested according to the first response message;
and a detection module 504, configured to, if the type of the network device to be detected cannot be determined according to the first response message, construct a detection path at least according to the IP address and the set network protocol, perform detection on the detection path, and determine the type of the network device to be detected according to a detection result.
Optionally, the first response message includes the internet surfing peak period and the internet surfing online days of the IP address within a set period, and each port opened by the network device to be tested;
the determining module 503 is specifically configured to:
Determining a probability value of the IP address under an online time period index according to the matching degree between the online peak time period of the IP address and the set online time period, determining a probability value of the IP address under an online days index according to the corresponding relation between the online days of the IP address and the set online days, and determining a probability value of the IP address under a port index according to the corresponding relation between each port opened by the network equipment to be tested and a first set port; the set online time period, the set online days and the first set port are obtained based on statistics of the usage rule of the PC equipment;
Obtaining the probability that the IP address belongs to PC equipment according to the weight of the online time period index, the weight of the online days index, the weight of the port index, the probability value of the IP address under the online time period index, the probability value of the IP address under the online days index and the probability value of the IP address under the port index;
and if the probability that the IP address belongs to the PC equipment is larger than the preset probability, determining that the network equipment to be tested belongs to the PC equipment.
Optionally, the first response message includes each port opened by the network device to be tested and each running middleware service;
the determining module 503 is specifically configured to:
If one or more of the middleware services running on the network equipment to be tested match the set middleware services, and, for a middleware service matching any set middleware service, the ports on which that middleware service runs in the network equipment to be tested include a port matching the second set port corresponding to the set middleware service, determining that the network equipment to be tested belongs to IDC equipment; the set middleware service is obtained based on statistics of the middleware services running in Internet data center (IDC) equipment, and the second set port is obtained based on statistics of the ports running in the IDC equipment.
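The static checks of the determining module 503 (the weighted PC probability and the IDC middleware/port match) can be sketched as follows. This is an added example, not code from the patent: the weights, preset probability, set hours, set ports, middleware table and the three per-index scoring formulas are assumptions, since the text names these quantities without giving values; the peak period is derived with the "online on 6 of the 8 days" rule from the earlier example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed reference values. The text says these come from statistics of
# PC and IDC usage but gives no numbers, so every value here is an assumption.
PC_SET_HOURS: Set[int] = set(range(9, 18))      # "set online time period"
PC_SET_ONLINE_DAYS = 6                          # "set online days" in the window
PC_FIRST_SET_PORTS = {135, 139, 445, 3389}      # "first set port"
WEIGHTS = {"period": 0.3, "days": 0.3, "port": 0.4}   # index weights, sum to 1
PC_PRESET_PROBABILITY = 0.6                     # "preset probability"
IDC_SET_MIDDLEWARE: Dict[str, Set[int]] = {     # set middleware -> second set ports
    "nginx": {80, 443}, "mysql": {3306}, "redis": {6379},
}


@dataclass
class FirstResponse:
    """Fields of the first response message used by static detection."""
    daily_hours: List[Set[int]]                 # hours (0-23) seen online, one set per day
    open_ports: Set[int] = field(default_factory=set)
    middleware: Dict[str, int] = field(default_factory=dict)  # service -> listening port


def summarize_activity(daily_hours: List[Set[int]], min_days: int = 6) -> Tuple[Set[int], int]:
    """Return (peak hours, online days); a peak hour is online on >= min_days days."""
    online_days = sum(1 for hours in daily_hours if hours)
    peak = {h for h in range(24) if sum(h in day for day in daily_hours) >= min_days}
    return peak, online_days


def pc_probability(resp: FirstResponse) -> float:
    """Weighted sum of the three index probabilities (scoring formulas are assumed)."""
    peak, online_days = summarize_activity(resp.daily_hours)
    window = len(resp.daily_hours)
    # Period index: share of the peak hours that fall inside the set period.
    p_period = len(peak & PC_SET_HOURS) / len(peak) if peak else 0.0
    # Days index: 1.0 at the set number of days, falling off linearly.
    p_days = max(0.0, 1 - abs(online_days - PC_SET_ONLINE_DAYS) / window) if window else 0.0
    # Port index: share of the open ports that are in the first set ports.
    p_port = (len(resp.open_ports & PC_FIRST_SET_PORTS) / len(resp.open_ports)
              if resp.open_ports else 0.0)
    return (WEIGHTS["period"] * p_period + WEIGHTS["days"] * p_days
            + WEIGHTS["port"] * p_port)


def is_idc(resp: FirstResponse) -> bool:
    """True if a running service is a set middleware AND listens on its set port."""
    for service, port in resp.middleware.items():
        set_ports = IDC_SET_MIDDLEWARE.get(service.lower())
        if set_ports is not None and port in set_ports:
            return True
    return False


def classify_static(resp: FirstResponse) -> Optional[str]:
    """Return "PC", "IDC", or None when dynamic detection is still needed."""
    if pc_probability(resp) > PC_PRESET_PROBABILITY:
        return "PC"
    if is_idc(resp):
        return "IDC"
    return None


# Constructed sample messages covering the three outcomes.
OFFICE_PC = FirstResponse([{9, 10, 11, 14, 15, 16}] * 6 + [set(), set()],
                          open_ports={135, 445, 5357})
DB_SERVER = FirstResponse([set(range(24))] * 8, open_ports={22, 80, 3306},
                          middleware={"nginx": 80, "MySQL": 3306})
UNKNOWN = FirstResponse([{1, 2}] * 8, open_ports={8081},
                        middleware={"lighttpd": 8081})

if __name__ == "__main__":
    for name, msg in [("office-pc", OFFICE_PC), ("db-server", DB_SERVER), ("unknown", UNKNOWN)]:
        print(name, round(pc_probability(msg), 4), classify_static(msg))
```

A set middleware service found on a port outside its second set ports does not count as an IDC match, which is why the port check is part of the rule rather than the service name alone.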
Optionally, the first response message further includes a network protocol supported by the network device to be tested;
the detection module 504 is specifically configured to:
for any port opened by the network equipment to be tested, constructing a detection path corresponding to the port according to the IP address, a network protocol supported by the network equipment to be tested, and the port, sending a second request message to the detection path corresponding to the port, and, if a second response message is received, determining that a World Wide Web (web) service is open on the port;
and if the web service is open on one or more of the ports of the network equipment to be tested, determining that the network equipment to be tested belongs to IDC equipment.
Optionally, the detection module 504 is specifically configured to:
Aiming at a fingerprint rule corresponding to any IOT type in an IOT type library, determining a detection path corresponding to the IOT type according to a network protocol, a page identifier to be detected and the IP address in the fingerprint rule corresponding to the IOT type; and sending a third request message to a detection path corresponding to the IOT type, receiving a third response message, and determining that the network equipment to be detected belongs to the IOT equipment if the third response message meets the detection result in the fingerprint rule corresponding to the IOT type.
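The dynamic checks of the detection module 504 (per-port web probing and IOT fingerprint-rule matching) can be sketched as follows. This is an added example, not code from the patent: the rule fields, the ExampleCam and ExampleHub fingerprints, the canned responses and the injected fetch function are constructed, and trying the IOT rules before the generic web check is one ordering among those the text allows.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Sequence, Tuple

Response = Tuple[int, str]                     # (status code, body)
Fetch = Callable[[str], Optional[Response]]    # returns None when nothing answers


@dataclass(frozen=True)
class FingerprintRule:
    iot_type: str                    # label reported on a match
    protocol: str                    # network protocol named in the rule
    page: str                        # page identifier to request
    expect_status: int               # assumed part of the expected detection result
    expect_markers: Tuple[str, ...]  # assumed: strings the body must contain


def host_part(ip: str) -> str:
    """Validate the address (ValueError if illegal) and format it for a URL."""
    addr = ipaddress.ip_address(ip)
    return f"[{addr}]" if addr.version == 6 else str(addr)


def port_path(ip: str, protocol: str, port: int) -> str:
    """Detection path for one open port: protocol + IP address + port."""
    return f"{protocol}://{host_part(ip)}:{port}/"


def rule_path(ip: str, rule: FingerprintRule) -> str:
    """Detection path for one IOT type: protocol + IP address + page identifier."""
    return f"{rule.protocol}://{host_part(ip)}{rule.page}"


def matching_degree(resp: Response, rule: FingerprintRule) -> float:
    """Share of the rule's expected markers found in the response (0.0 to 1.0)."""
    status, body = resp
    if status != rule.expect_status:
        return 0.0
    if not rule.expect_markers:
        return 1.0
    return sum(m in body for m in rule.expect_markers) / len(rule.expect_markers)


def match_iot(ip: str, rules: Sequence[FingerprintRule], fetch: Fetch,
              min_degree: float = 1.0) -> Optional[str]:
    """Send the third request for each rule; return the first IOT type that matches."""
    for rule in rules:
        resp = fetch(rule_path(ip, rule))
        if resp is not None and matching_degree(resp, rule) >= min_degree:
            return rule.iot_type
    return None


def has_web_service(ip: str, open_ports: Iterable[int],
                    protocols: Sequence[str], fetch: Fetch) -> bool:
    """Send the second request to each port path; any response means a web service."""
    return any(fetch(port_path(ip, proto, port)) is not None
               for port in sorted(open_ports) for proto in protocols)


def dynamic_detect(ip: str, open_ports: Iterable[int], protocols: Sequence[str],
                   rules: Sequence[FingerprintRule], fetch: Fetch) -> Optional[str]:
    # IOT rules first: an embedded device's admin page would also answer the
    # generic web check, which would otherwise label it IDC.
    iot_type = match_iot(ip, rules, fetch)
    if iot_type is not None:
        return f"IOT:{iot_type}"
    return "IDC" if has_web_service(ip, open_ports, protocols, fetch) else None


# Constructed IOT type library and canned responses (hypothetical vendors,
# documentation-range addresses); fake_fetch stands in for the network.
RULES = (
    FingerprintRule("ExampleCam camera", "http", "/login.html", 200, ("ExampleCam", "video")),
    FingerprintRule("ExampleHub gateway", "http", "/status.cgi", 200, ("ExampleHub",)),
)
CANNED: Dict[str, Response] = {
    "http://192.0.2.10/login.html": (200, "<title>ExampleCam</title><div id='video'></div>"),
    "http://192.0.2.10:80/": (200, "ok"),
    "http://192.0.2.30:8080/": (200, "<h1>It works</h1>"),
    "http://192.0.2.40/login.html": (200, "<title>ExampleCam</title>"),  # partial match
}


def fake_fetch(url: str) -> Optional[Response]:
    return CANNED.get(url)


if __name__ == "__main__":
    for ip, ports in [("192.0.2.10", {80}), ("192.0.2.30", {22, 8080}), ("192.0.2.40", set())]:
        print(ip, dynamic_detect(ip, ports, ["http"], RULES, fake_fetch))
```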
Optionally, before the transceiver module 502 sends the first request message to the IP address, the determining module 503 is further configured to:
and determining that the IP address is legal and determining that the IP address is in a survival state.
From the above, it can be seen that: in the above embodiment of the present invention, an IP address of a network device to be tested is obtained, a first request message is sent to the network device to be tested according to the IP address of the network device to be tested, a first response message of the network device to be tested is received, and a type of the network device to be tested is determined according to the first response message; correspondingly, if the type of the network equipment to be detected cannot be determined according to the first response message, a detection path is constructed at least according to the IP address and the set network protocol, detection is executed on the detection path, and the type of the network equipment to be detected is determined according to a detection result. In the embodiment of the invention, a first response message of the network equipment to be detected is firstly used for carrying out static detection on the type of the network equipment to be detected, and when the first response message is insufficient for judging the type of the network equipment to be detected, the network equipment to be detected is dynamically detected based on the IP address and the set network protocol, and the type of the network equipment to be detected is determined according to the detection result of the dynamic detection; therefore, the embodiment of the invention actually determines the type of the network equipment based on the static detection and the dynamic detection, and the dynamic detection fuses the IP address and the set network protocol, so that the judgment information is more abundant, and compared with the mode of carrying out the static detection only based on the returned host mark bit in the prior art, the type of the network equipment to which each IP address belongs can be accurately judged, and the judgment effect is better.
Based on the same inventive concept, an embodiment of the present invention further provides a computing device, as shown in fig. 6, including at least one processor 601 and a memory 602 connected to the at least one processor, where in the embodiment of the present invention, a specific connection medium between the processor 601 and the memory 602 is not limited, and in fig. 6, the processor 601 and the memory 602 are connected by a bus, for example. The buses may be divided into address buses, data buses, control buses, etc.
In the embodiment of the present invention, the memory 602 stores instructions executable by the at least one processor 601, and the at least one processor 601 may perform the steps included in the aforementioned data processing method by executing the instructions stored in the memory 602.
The processor 601 is the control center of the computing device. It may use various interfaces and lines to connect the various portions of the computing device, and it effects data processing by running or executing the instructions stored in the memory 602 and invoking the data stored in the memory 602. Optionally, the processor 601 may include one or more processing units, and the processor 601 may integrate an application processor and a modem processor, wherein the application processor primarily processes an operating system, a user interface, an application program, and the like, and the modem processor primarily processes issuing instructions. It will be appreciated that the modem processor described above may not be integrated into the processor 601. In some embodiments, the processor 601 and the memory 602 may be implemented on the same chip, and in other embodiments they may be implemented separately on separate chips.
The processor 601 may be a general purpose processor such as a central processing unit (CPU), a digital signal processor, an application-specific integrated circuit (ASIC), a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or a combination thereof, that may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the invention. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of a method disclosed in connection with the data processing embodiments may be embodied directly in hardware processor execution or in a combination of hardware and software modules in a processor.
The memory 602 is a non-volatile computer readable storage medium that can be used to store non-volatile software programs, non-volatile computer executable programs, and modules. The memory 602 may include at least one type of storage medium, which may include, for example, flash memory, hard disk, multimedia card, card memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, magnetic disk, optical disk, and the like. The memory 602 may be, but is not limited to, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 602 in embodiments of the present invention may also be circuitry or any other device capable of performing storage functions for storing program instructions and/or data.
Based on the same inventive concept, embodiments of the present invention also provide a computer-readable storage medium storing a computer program executable by a computing device, which when run on the computing device, causes the computing device to perform a data processing method as described in any of fig. 2.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, or as a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (10)

1. A method of data processing, the method comprising:
Acquiring an Internet Protocol (IP) address of a network device to be tested;
Sending a first request message to the network equipment to be tested according to the IP address of the network equipment to be tested, and receiving a first response message of the network equipment to be tested;
If the first response message comprises the surfing peak period and the surfing online days of the IP address in a set period, and all ports opened by the network equipment to be tested: determining a probability value of the IP address under an online time period index according to the matching degree between the online peak time period of the IP address and the set online time period, determining a probability value of the IP address under an online days index according to the corresponding relation between the online days of the IP address and the set online days, and determining a probability value of the IP address under a port index according to the corresponding relation between each port opened by the network equipment to be tested and a first set port; the set online time period, the set online days and the first set port are obtained based on statistics of the usage rule of the PC equipment;
Obtaining the probability that the IP address belongs to PC equipment according to the weight of the online time period index, the weight of the online days index, the weight of the port index, the probability value of the IP address under the online time period index, the probability value of the IP address under the online days index and the probability value of the IP address under the port index;
if the probability that the IP address belongs to the PC equipment is larger than the preset probability, determining that the network equipment to be tested belongs to the PC equipment; or
If the first response message comprises all ports opened by the network equipment to be tested and all running middleware services: if one or more of the middleware services running on the network equipment to be tested match the set middleware services, and, for a middleware service matching any set middleware service, the ports on which that middleware service runs in the network equipment to be tested include a port matching the second set port corresponding to the set middleware service, determining that the network equipment to be tested belongs to IDC equipment; the set middleware service is obtained based on statistics of the middleware services running in Internet data center (IDC) equipment, and the second set port is obtained based on statistics of the ports running in the IDC equipment;
If the type of the network equipment to be detected cannot be determined according to the first response message, constructing a detection path at least according to the IP address and a set network protocol;
and detecting the detection path, and determining the type of the network equipment to be detected according to a detection result.
2. The method of claim 1, wherein the first response message further comprises a network protocol supported by the network device under test;
the construction of the detection path at least according to the IP address and the set network protocol, the detection of the detection path, and the determination of the type of the network equipment to be detected according to the detection result, includes:
for any port opened by the network equipment to be tested, constructing a detection path corresponding to the port according to the IP address, a network protocol supported by the network equipment to be tested, and the port, sending a second request message to the detection path corresponding to the port, and, if a second response message is received, determining that a World Wide Web (web) service is open on the port;
and if the web service is open on one or more of the ports of the network equipment to be tested, determining that the network equipment to be tested belongs to IDC equipment.
3. The method according to claim 1, wherein constructing a probe path according to at least the IP address and a set network protocol, performing probing on the probe path, and determining the type of the network device under test according to a probing result includes:
for the fingerprint rule corresponding to any IoT type in an IoT type library, determining the detection path corresponding to that IoT type from the network protocol and the identifier of the page to be probed in that fingerprint rule, together with the IP address; sending a third request message to the detection path corresponding to the IoT type and receiving a third response message; and, if the third response message satisfies the detection result in the fingerprint rule corresponding to the IoT type, determining that the network device under test belongs to IoT devices.
4. The method according to claim 1, wherein, before sending the first request message to the network device under test according to the IP address of the network device under test, the method further comprises:
determining that the IP address is valid and that the IP address is alive.
5. A data processing apparatus, the apparatus comprising:
an acquisition module, configured to acquire an Internet Protocol (IP) address of a network device under test;
a receiving and transmitting module, configured to send a first request message to the network device under test according to the IP address of the network device under test and to receive a first response message from the network device under test;
a determining module, configured to: if the first response message comprises the peak online time period of the IP address, the number of online days of the IP address, and each port opened by the network device under test within a set time period: determine a probability value of the IP address under an online time period index according to the degree of match between the peak online time period of the IP address and a set online time period, determine a probability value of the IP address under an online days index according to the correspondence between the number of online days of the IP address and a set number of online days, and determine a probability value of the IP address under a port index according to the correspondence between the ports opened by the network device under test and a first set port; wherein the set online time period, the set number of online days and the first set port are obtained from statistics on the usage patterns of PC devices; obtain the probability that the IP address belongs to a PC device according to the weight of the online time period index, the weight of the online days index, the weight of the port index, the probability value of the IP address under the online time period index, the probability value of the IP address under the online days index and the probability value of the IP address under the port index; and, if the probability that the IP address belongs to a PC device is greater than a preset probability, determine that the network device under test belongs to PC devices; or
if the first response message comprises the ports opened by the network device under test and the middleware services running on it: if one or more of the middleware services running on the network device under test match the set middleware services, and, for any middleware service that matches a set middleware service, the port on which that middleware service runs on the network device under test matches the second set port corresponding to that set middleware service, determine that the network device under test belongs to IDC devices; wherein the set middleware services are obtained from statistics on the middleware services running on Internet data center (IDC) devices, and the second set port is obtained from statistics on the ports in use on IDC devices;
and a detection module, configured to, if the type of the network device under test cannot be determined from the first response message, construct a detection path at least according to the IP address and a set network protocol, probe the detection path, and determine the type of the network device under test according to the probing result.
6. The apparatus of claim 5, wherein the first response message further comprises a network protocol supported by the network device under test;
the detection module is specifically configured to:
for any port opened by the network device under test, construct the detection path corresponding to the port from the IP address, a network protocol supported by the network device under test, and the port; send a second request message to the detection path corresponding to the port; and, if a second response message is received, determine that a World Wide Web (web) service is open on the port;
and if a web service is open on one or more of the ports of the network device under test, determine that the network device under test belongs to IDC devices.
7. The apparatus of claim 6, wherein the detection module is specifically configured to:
for the fingerprint rule corresponding to any IoT type in an IoT type library, determine the detection path corresponding to that IoT type from the network protocol and the identifier of the page to be probed in that fingerprint rule, together with the IP address; send a third request message to the detection path corresponding to the IoT type and receive a third response message; and, if the third response message satisfies the detection result in the fingerprint rule corresponding to the IoT type, determine that the network device under test belongs to IoT devices.
8. The apparatus of claim 6, wherein the determining module is further configured to, before the receiving and transmitting module sends the first request message to the IP address:
determine that the IP address is valid and that the IP address is alive.
9. A computing device comprising at least one processor and at least one memory, wherein the memory stores a computer program that, when executed by the processor, causes the processor to perform the method of any of claims 1-4.
10. A computer readable storage medium, characterized in that it stores a computer program executable by a computing device, which when run on the computing device, causes the computing device to perform the method of any of claims 1-4.
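The decision flow of claims 1 to 3 (mirrored by the modules of claims 5 to 7), sketched in Python as an added example that is not part of the patent text. All reference values, the way each index is scored, the fingerprint rule fields, the order of the two fallback probes and the injected `fetch` callable are assumptions made for illustration.

```python
# Added illustration of the claimed decision flow. Every reference value below is a
# constructed assumption; the claims only say such values come from usage statistics.
PC_HOURS = set(range(9, 23))        # "set online time period", as hours of the day
PC_MAX_DAYS = 25                    # "set online days" within the observation window
PC_PORTS = {135, 139, 445, 3389}    # "first set port"
WEIGHTS = {"hours": 0.4, "days": 0.3, "ports": 0.3}
PC_THRESHOLD = 0.6                  # "preset probability"
IDC_MIDDLEWARE = {"mysql": {3306}, "redis": {6379}, "nginx": {80, 443}}  # -> "second set port"
IOT_RULES = [{"type": "ip-camera", "protocol": "http", "page": "/login.html",
              "status": 200, "keyword": "ExampleCam"}]  # hypothetical fingerprint rule
PC_FIELDS = {"peak_hours", "online_days", "open_ports"}


def pc_probability(resp):
    """Weighted sum of the probability values under the three indices."""
    hours = resp["peak_hours"]
    p_hours = len(hours & PC_HOURS) / len(hours) if hours else 0.0
    p_days = 1.0 if resp["online_days"] <= PC_MAX_DAYS else 0.0
    p_ports = len(resp["open_ports"] & PC_PORTS) / len(PC_PORTS)
    return (WEIGHTS["hours"] * p_hours + WEIGHTS["days"] * p_days
            + WEIGHTS["ports"] * p_ports)


def is_idc(resp):
    """True if a running service is a set middleware service on its set port."""
    return any(port in IDC_MIDDLEWARE.get(name, ())
               for name, port in resp["middleware"].items())


def classify(ip, resp, fetch):
    """fetch(url) returns (status, body) or None; it is injected so this runs offline."""
    if PC_FIELDS.issubset(resp) and pc_probability(resp) > PC_THRESHOLD:
        return "PC"
    if "middleware" in resp and is_idc(resp):
        return "IDC"
    # First response was inconclusive: fall back to probing detection paths.
    # Assumption: fingerprint rules run before the generic web check, because the
    # claims do not fix an order and device admin pages are web services too.
    for rule in IOT_RULES:
        hit = fetch(f"{rule['protocol']}://{ip}{rule['page']}")
        if hit and hit[0] == rule["status"] and rule["keyword"] in hit[1]:
            return "IOT"
    for proto in resp.get("protocols", ()):
        for port in sorted(resp.get("open_ports", ())):
            if fetch(f"{proto}://{ip}:{port}/") is not None:
                return "IDC"  # a web service answered on this port
    return "UNKNOWN"
```

For asset inventory, the "UNKNOWN" result is the useful one to review: it marks hosts whose first response matched no statistics and whose detection paths returned nothing.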
CN201911158965.2A 2019-11-22 2019-11-22 Data processing method and device Active CN110943884B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911158965.2A CN110943884B (en) 2019-11-22 2019-11-22 Data processing method and device

Publications (2)

Publication Number Publication Date
CN110943884A CN110943884A (en) 2020-03-31
CN110943884B true CN110943884B (en) 2024-05-17

Family

ID=69907906

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911158965.2A Active CN110943884B (en) 2019-11-22 2019-11-22 Data processing method and device

Country Status (1)

Country Link
CN (1) CN110943884B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112118149B (en) * 2020-08-14 2022-04-12 深圳市科陆电子科技股份有限公司 Device testing method, electronic device, and storage medium
CN112087532B (en) * 2020-08-28 2023-04-07 中国移动通信集团黑龙江有限公司 Information acquisition method, device, equipment and storage medium
CN112016635B (en) * 2020-10-16 2021-02-19 腾讯科技(深圳)有限公司 Device type identification method and device, computer device and storage medium
CN114244755B (en) * 2021-12-15 2023-11-14 北京恒安嘉新安全技术有限公司 Asset detection method, device, equipment and storage medium
CN114513399A (en) * 2021-12-31 2022-05-17 锐捷网络股份有限公司 Device identification method and device, computer-readable storage medium and electronic device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5917808A (en) * 1997-01-17 1999-06-29 Fluke Corporation Method of identifying device types on a local area network using passive monitoring
CN103795709A (en) * 2013-12-27 2014-05-14 北京天融信软件有限公司 Network security detection method and system
CN106487879A (en) * 2016-09-20 2017-03-08 北京知道未来信息技术有限公司 A kind of network equipment recognition methods based on device-fingerprint storehouse and device
CN106789934A (en) * 2016-11-29 2017-05-31 北京神州绿盟信息安全科技股份有限公司 A kind of network equipment recognition methods and system
CN107995192A (en) * 2017-12-01 2018-05-04 贵州电网有限责任公司 A kind of inline detection of network boundary violation is with blocking system
CN110213212A (en) * 2018-05-24 2019-09-06 腾讯科技(深圳)有限公司 A kind of classification method and device of equipment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7974217B2 (en) * 2004-07-19 2011-07-05 Samsung Electronics Co., Ltd. Method and apparatus for identifying network device corresponding to internet protocol address, and method and apparatus for allocating internet protocol address
US11140180B2 (en) * 2018-03-23 2021-10-05 International Business Machines Corporation Guard system for automatic network flow controls for internet of things (IoT) devices

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
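A novel physical topology discovery algorithm for multi-area, multi-subnet Ethernet; Xia Xiaozhong; Xiao Zongshui; Qiu Yihong; Fang Changjiang; Computer Engineering; 20070420 (No. 08); full text *
Real-time network topology discovery for network situational awareness; He Yingjie; Wang Huiqiang; Zhou Renjie; Computer Engineering; 20091220 (No. 24); full text *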

Also Published As

Publication number Publication date
CN110943884A (en) 2020-03-31

Similar Documents

Publication Publication Date Title
CN110943884B (en) Data processing method and device
US11750482B2 (en) Automatic health check and performance monitoring for applications and protocols using deep packet inspection in a datacenter
US10452843B2 (en) Self-adaptive application programming interface level security monitoring
US20200287794A1 (en) Intelligent autoscale of services
US8863266B1 (en) Dynamic throttling systems and services
US7461369B2 (en) Java application response time analyzer
US7792948B2 (en) Method and system for collecting, aggregating and viewing performance data on a site-wide basis
CN107135188B (en) Method, device and system for realizing services of financial information exchange (FIX) protocol
CN111131320B (en) Asset identification method, device, system and medium
US8631124B2 (en) Network analysis system and method utilizing collected metadata
US20050108384A1 (en) Analysis of message sequences
EP3796167A1 (en) Router management by an event stream processing cluster manager
CN109167812B (en) Method for evaluating service quality and determining adjustment strategy, server and storage medium
US8661456B2 (en) Extendable event processing through services
US7171464B1 (en) Method of tracing data traffic on a network
CN112165445B (en) Method, device, storage medium and computer equipment for detecting network attack
US20160380867A1 (en) Method and System for Detecting and Identifying Assets on a Computer Network
US20160119380A1 (en) System and method for real time detection and prevention of segregation of duties violations in business-critical applications
CN108596738A (en) A kind of user behavior detection method and device
CN113810381A (en) Crawler detection method, web application cloud firewall, device and storage medium
US7254638B2 (en) Method and apparatus for identifying slow links and for providing application-based responses to slow links in a distributed computer network
CN109446807A (en) The method, apparatus and electronic equipment of malicious robot are intercepted for identification
CN111314326A (en) Method, device, equipment and medium for confirming HTTP vulnerability scanning host
US9178771B2 (en) Determining the type of a network tier
CN113542044A (en) Network quality monitoring method and device and computing equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant