CN111131339A - NAT equipment identification method and system based on IP identification number - Google Patents

NAT equipment identification method and system based on IP identification number

Publication number
CN111131339A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010250849.XA
Other languages
Chinese (zh)
Inventor
鞠禹
梁庆东
牛航天
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Cloudsecurity Technology Co ltd
Original Assignee
Shenzhen Cloudsecurity Technology Co ltd
Application filed by Shenzhen Cloudsecurity Technology Co ltd
Priority to CN202010250849.XA
Publication of CN111131339A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00 Packet switching elements
    • H04L49/20 Support for services
    • H04L49/208 Port mirroring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Abstract

The embodiment of the invention discloses a NAT equipment identification method and system based on an IP identification number, wherein the method comprises the following steps: collecting all network traffic accessed in a network; extracting network connection information from the network traffic, wherein the network connection information comprises a source IP and the identification number in the IP packet header; acquiring the maximum identification number in the network and the time corresponding to the maximum identification number; when the identification number of a target IP is detected to be smaller than the maximum identification number, calculating the difference between the identification number of the target IP and the maximum identification number, and calculating the time difference between the time corresponding to the identification number of the target IP and the time corresponding to the maximum identification number; and when the identification number difference is larger than a preset identification number threshold and the time difference is smaller than a time threshold, judging that the device accessing from the current IP is NAT equipment. The embodiment of the invention can improve the identification accuracy of NAT equipment, and has the advantages of little stored state, a simple calculation method, a short identification period and high identification efficiency.

Description

NAT equipment identification method and system based on IP identification number
Technical Field
The invention relates to the technical field of network security, in particular to a method and a system for identifying NAT equipment based on an IP identification number.
Background
In the field of network security of the internet of things, a user needs to have clear visibility of network boundaries in a network. Especially in a video private network, cameras are installed outdoors, where a NAT device can easily be connected in series with them. After such a modification, the camera accesses the video private network through the NAT and continues normal service, so managers cannot detect the abnormality of the camera. However, unauthorized persons can connect other devices to the network through the NAT, which threatens network security. It is therefore significant to be able to find NAT network boundaries in the network in time. Since the multiple network devices attached behind a NAT device share the same IP, the existence of the NAT device cannot be detected by common active detection techniques.
In the field of network security, administrators need to automatically and accurately identify unauthorized, privately installed NAT devices among a large number of network devices. Because the original device can carry on normal business operation through the NAT device, the NAT device goes unmonitored. Meanwhile, other unauthorized devices can be connected to the network through the NAT device. Such devices pose a potential risk to network security.
The prior art therefore still needs further development.
Disclosure of Invention
In view of the above technical problems, embodiments of the present invention provide an IP identification number-based NAT device identification method and system, which can solve the technical problem in the prior art that unauthorized NAT devices cannot be automatically and accurately identified in the field of internet of things.
A first aspect of an embodiment of the present invention provides a method for identifying NAT devices based on an IP identification number, including:
collecting all network flows accessed in a network;
extracting network connection information in network flow, wherein the network connection information comprises a source IP and an identification number in an IP packet header;
acquiring the maximum identification number in the network and the time corresponding to the maximum identification number;
when the identification number of a target IP is detected to be smaller than the maximum identification number, calculating the identification number difference value between the identification number of the target IP and the maximum identification number, and calculating the time difference between the time corresponding to the identification number of the target IP and the time corresponding to the maximum identification number;
and when the difference value of the identification numbers is larger than a preset identification number threshold value and the time difference is smaller than a time threshold value, judging that the current IP access equipment is NAT equipment.
Optionally, the collecting all network traffic accessed in the network includes:
and acquiring all network traffic accessed in the network in a network traffic mirroring mode.
Optionally, the extracting network connection information in the network traffic includes:
analyzing a TCP/IP data packet header in the network flow, and extracting network connection information according to the TCP/IP data packet header.
Optionally, the acquiring a maximum identification number in the network and a time corresponding to the maximum identification number includes:
acquiring a maximum identification number pre-stored in a network, and judging whether the current identification number is larger than the maximum identification number;
and if the current identification number is larger than the maximum identification number, taking the current identification number as the maximum identification number, and recording the replaced maximum identification number and the corresponding time.
Optionally, before collecting all network traffic accessed in the network, the method further includes:
and setting a threshold value of the identification number and a time threshold value in advance.
A second aspect of the embodiments of the present invention provides an IP identification number-based NAT device identification system, where the system includes: a memory, a processor and a computer program stored on the memory and executable on the processor, the computer program when executed by the processor implementing the steps of:
collecting all network flows accessed in a network;
extracting network connection information in network flow, wherein the network connection information comprises a source IP and an identification number in an IP packet header;
acquiring the maximum identification number in the network and the time corresponding to the maximum identification number;
when the identification number of a target IP is detected to be smaller than the maximum identification number, calculating the identification number difference value between the identification number of the target IP and the maximum identification number, and calculating the time difference between the time corresponding to the identification number of the target IP and the time corresponding to the maximum identification number;
and when the difference value of the identification numbers is larger than a preset identification number threshold value and the time difference is smaller than a time threshold value, judging that the current IP access equipment is NAT equipment.
Optionally, the computer program when executed by the processor further implements the steps of:
and acquiring all network traffic accessed in the network in a network traffic mirroring mode.
Optionally, the computer program when executed by the processor further implements the steps of:
analyzing a TCP/IP data packet header in the network flow, and extracting network connection information according to the TCP/IP data packet header.
Optionally, if the first invoked web interface is still requesting other web interfaces, the computer program when executed by the processor further implements the following steps:
acquiring a maximum identification number pre-stored in a network, and judging whether the current identification number is larger than the maximum identification number;
and if the current identification number is larger than the maximum identification number, taking the current identification number as the maximum identification number, and recording the replaced maximum identification number and the corresponding time.
A third aspect of embodiments of the present invention provides a non-transitory computer-readable storage medium, where the non-transitory computer-readable storage medium stores computer-executable instructions, and when the computer-executable instructions are executed by one or more processors, the computer-executable instructions may cause the one or more processors to perform the above-mentioned NAT device identification method based on an IP identification number.
In the technical scheme provided by the embodiment of the invention, all network flows accessed in a network are collected; extracting network connection information in network flow, wherein the network connection information comprises a source IP and an identification number in an IP packet header; acquiring the maximum identification number in the network and the time corresponding to the maximum identification number; when the identification number of a target IP is detected to be smaller than the maximum identification number, calculating the identification number difference value between the identification number of the target IP and the maximum identification number, and calculating the time difference between the time corresponding to the identification number of the target IP and the time corresponding to the maximum identification number; and when the difference value of the identification numbers is larger than a preset identification number threshold value and the time difference is smaller than a time threshold value, judging that the current IP access equipment is NAT equipment. Compared with the prior art, the embodiment of the invention can improve the identification accuracy of the NAT equipment, and has the advantages of less storage state, simple calculation method, short identification period and high identification efficiency.
Drawings
Fig. 1 is a schematic flowchart of an embodiment of a NAT device identification method based on an IP identification number according to the present invention;
Fig. 2 is a schematic hardware structure diagram of another embodiment of a NAT device identification system based on an IP identification number in the embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the prior art, NAT equipment is identified mainly by two methods. One way is to actively scan all possible IP addresses in the network, send a specific probe packet to each IP address, and determine from the returned information whether the address is a NAT device. For example, an HTTP request is sent and, if there is a response, the determination is made from the manufacturer and model information of the NAT device that the HTTP response may contain.
Another way is to parse all packets in the network. If a packet is an HTTP message, the User-Agent information in its header is recorded. If the User-Agent information seen for the same IP conflicts in a specific way, for example an Android browser and a desktop browser, the IP is likely a NAT. These methods have a long identification period, consume considerable computing resources, and produce unreliable results with low accuracy. The invention provides a NAT equipment identification method based on the IP identification number, which approaches the discovery and identification of NAT devices from IP-layer network data by examining the network structure and the internal principle of NAT technology. It relies on the characteristic that, when a plurality of network devices access the network through a NAT device, the identifiers maintained by those devices increase independently; it maintains only two state variables for each IP and, through simple calculation, can identify that a plurality of devices are accessing the network through the same NAT.
The following detailed description of embodiments of the invention refers to the accompanying drawings.
Referring to Fig. 1, Fig. 1 is a flowchart illustrating an embodiment of a NAT device identification method based on an IP identification number according to the present invention. As shown in Fig. 1, the method includes:
step S100, collecting all network flows accessed in a network;
step S200, extracting network connection information in network flow, wherein the network connection information comprises a source IP and an identification number in an IP packet header;
step S300, acquiring the maximum identification number in the network and the time corresponding to the maximum identification number;
step S400, when the identification number of a target IP is detected to be smaller than the maximum identification number, calculating the identification number difference value between the identification number of the target IP and the maximum identification number, and calculating the time difference between the time corresponding to the identification number of the target IP and the time corresponding to the maximum identification number;
and step S500, when the difference value of the identification numbers is larger than a preset identification number threshold value and the time difference is smaller than a time threshold value, judging that the current IP access equipment is NAT equipment.
Specifically, each network device that accesses the network through a NAT has its own private IP address and connects to other devices using that address. When an IP packet passes through the NAT device, the NAT device performs translation on it, uniformly replacing the private IP address with the external IP address of the NAT device and performing port translation at the same time.
However, one important piece of IP header information remains unchanged: the identification number (identifier) of the IP header. This is an integer maintained by each network device itself. Each network device fills in this number for every outgoing IP packet and keeps it monotonically increasing. Since each network device maintains the number independently, the values of this field in IP packets sent by different network devices differ, usually by a large gap.
If a device does not access the network through a NAT, the identifiers in the IP packets it sends will increase monotonically. If several network devices access the network through a NAT, the IP header identifiers in packets whose source IP is the NAT's IP address will show a jumping or overlapping pattern.
One approach is to record the identifiers in the network packets sent by each source IP, sort them, and check whether they increase continuously or are interrupted, thereby judging whether the source IP is a NAT device. This approach requires storing the identifiers of many network packets for each IP and sorting them to see whether the numbers are consecutive. Once out-of-order and fragmented IP packets in the network are taken into account, the method is extremely complex to implement and consumes a large amount of storage and computing resources.
The specific implementation principle of the present method is as follows. For each IP, the system records the maximum identifier in the network packets sent so far from that IP and the time at which this maximum identifier occurred. When a new IP packet arrives, its identifier is extracted and compared with the current maximum identifier recorded in the system for that IP. If the new identifier is larger than the current record, the current maximum identifier and its time are updated. If the new identifier is smaller than the recorded identifier, the difference is larger than a configured threshold, and the difference between the time of the new identifier and the time of the recorded maximum identifier is smaller than a configured threshold, the IP can be judged to be a NAT device.
In practical application, setting the thresholds reasonably can greatly improve the accuracy of NAT device identification; the method needs only two stored states and is simple to compute.
Further, collecting all network traffic accessed in the network includes:
and acquiring all network traffic accessed in the network in a network traffic mirroring mode.
Specifically, using network traffic mirroring, the network traffic collection device collects all traffic in the network, ensuring that traffic passing through the NAT device is collected. Network traffic mirroring is also called port mirroring: the port mirroring function forwards the data traffic of one or more source ports on a switch or router to a designated port in order to monitor the network. The designated port is called the "mirror port" or "destination port", and network traffic can be monitored and analyzed through it without seriously affecting the normal throughput of the source ports. Using the mirroring function within an enterprise allows internal network data to be monitored and managed well, and faults to be located quickly when the network fails.
Further, extracting network connection information in the network traffic includes:
analyzing a TCP/IP data packet header in the network flow, and extracting network connection information according to the TCP/IP data packet header.
Specifically, network connection information is extracted by parsing a TCP/IP data packet header of the network traffic, and the network connection information includes, but is not limited to, a source IP and an identification number identifier in the IP packet header.
Further, acquiring the maximum identification number in the network and the time corresponding to the maximum identification number includes:
acquiring a maximum identification number pre-stored in a network, and judging whether the current identification number is larger than the maximum identification number;
and if the current identification number is larger than the maximum identification number, taking the current identification number as the maximum identification number, and recording the replaced maximum identification number and the corresponding time.
In specific implementation, for each IP, the system maintains the following state: the largest identifier seen so far and the time corresponding to it. After a new IP and identifier are extracted, if the new identifier is larger than the existing record for that IP, the new identifier and its corresponding time are used to update the state of that IP.
Further, before collecting all network traffic accessed in the network, the method further includes:
and setting a threshold value of the identification number and a time threshold value in advance.
In specific implementation, the identification number threshold and the time threshold are set in advance. For example, the identification number threshold may be set to 5000 and the time threshold to 30 seconds. When the new identifier of an IP is smaller than the recorded identifier, the difference between the two identifiers is calculated, together with the difference between their corresponding times. If the identifier difference is larger than the identification number threshold and the time difference is smaller than the time threshold, the IP can be judged to be a NAT device.
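The per-IP rule described above, written out as an added example (it is not code from the patent or its applicant): it parses the source IP and Identification field from raw IPv4 headers and keeps only the two state variables per IP. The class and function names and the sample packets are constructed for illustration; the thresholds are the example values 5000 and 30 seconds from the text.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ID_THRESHOLD = 5000     # identification number threshold (example value from the text)
TIME_THRESHOLD = 30.0   # time threshold in seconds (example value from the text)


def build_ipv4_header(src, dst, ident):
    """Build a minimal 20-byte IPv4 header (constructed input, checksum left at 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, ident, 0, 64, 6, 0,
        IPv4Address(src).packed, IPv4Address(dst).packed,
    )


def parse_ipv4_header(packet):
    """Return (source IP, Identification) from a raw IPv4 packet, or None if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    header_len = (packet[0] & 0x0F) * 4
    if header_len < 20 or len(packet) < header_len:
        return None
    ident = struct.unpack_from("!H", packet, 4)[0]   # bytes 4-5: Identification
    src = str(IPv4Address(packet[12:16]))            # bytes 12-15: source address
    return src, ident


@dataclass
class IpState:
    max_ident: int    # largest identifier seen so far for this source IP
    max_time: float   # time at which that identifier was seen


class NatDetector:
    """Hypothetical helper: the two-state-variable check applied per source IP."""

    def __init__(self, id_threshold=ID_THRESHOLD, time_threshold=TIME_THRESHOLD):
        self.id_threshold = id_threshold
        self.time_threshold = time_threshold
        self.state = {}       # source IP -> IpState
        self.flagged = set()  # source IPs judged to be NAT devices

    def observe(self, timestamp, packet):
        """Process one mirrored packet; return True if it triggers the NAT judgment."""
        parsed = parse_ipv4_header(packet)
        if parsed is None:
            return False
        src, ident = parsed
        current = self.state.get(src)
        if current is None or ident > current.max_ident:
            # New maximum: record the identifier and the time it occurred.
            self.state[src] = IpState(ident, timestamp)
            return False
        id_diff = current.max_ident - ident
        time_diff = abs(timestamp - current.max_time)
        if id_diff > self.id_threshold and time_diff < self.time_threshold:
            self.flagged.add(src)
            return True
        return False


# Constructed trace: (capture time in seconds, source IP, Identification value).
SAMPLE_TRACE = [
    # One directly attached host: increasing counter, one slightly reordered packet.
    (0.0, "10.0.0.5", 1000), (0.1, "10.0.0.5", 1001), (0.2, "10.0.0.5", 1003),
    (0.3, "10.0.0.5", 1002), (0.4, "10.0.0.5", 1004),
    # Two hosts behind one translated address, each with its own counter.
    (0.0, "10.0.0.9", 40000), (0.5, "10.0.0.9", 12000),
    (0.6, "10.0.0.9", 40001), (0.9, "10.0.0.9", 12001),
    # Large backward step, but outside the time window.
    (0.0, "10.0.0.7", 50000), (120.0, "10.0.0.7", 100),
]


def run_trace(trace):
    """Feed a trace through a fresh detector and return the flagged source IPs."""
    detector = NatDetector()
    for timestamp, src, ident in trace:
        detector.observe(timestamp, build_ipv4_header(src, "10.0.1.1", ident))
    return sorted(detector.flagged)


if __name__ == "__main__":
    print(run_trace(SAMPLE_TRACE))
```

The Identification field is 16 bits wide, so a single host whose counter wraps from near 65535 to a small value inside the time window meets the same condition; the rule as described does not distinguish that case.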
The NAT device identification method based on the IP identification number in the embodiment of the present invention has been described above; the NAT device identification system based on the IP identification number in the embodiment of the present invention is described below. Referring to Fig. 2, Fig. 2 is a schematic hardware structure diagram of another embodiment of a NAT device identification system based on the IP identification number in the embodiment of the present invention. As shown in Fig. 2, the system 10 includes: a memory 102, a processor 101 and a computer program stored on the memory and executable on the processor, the computer program when executed by the processor 101 implementing the steps of:
collecting all network flows accessed in a network;
extracting network connection information in network flow, wherein the network connection information comprises a source IP and an identification number in an IP packet header;
acquiring the maximum identification number in the network and the time corresponding to the maximum identification number;
when the identification number of a target IP is detected to be smaller than the maximum identification number, calculating the identification number difference value between the identification number of the target IP and the maximum identification number, and calculating the time difference between the time corresponding to the identification number of the target IP and the time corresponding to the maximum identification number;
and when the difference value of the identification numbers is larger than a preset identification number threshold value and the time difference is smaller than a time threshold value, judging that the current IP access equipment is NAT equipment.
The specific implementation steps are the same as those of the method embodiments, and are not described herein again.
Optionally, the computer program when executed by the processor 101 further implements the steps of:
and acquiring all network traffic accessed in the network in a network traffic mirroring mode.
The specific implementation steps are the same as those of the method embodiments, and are not described herein again.
Optionally, the computer program when executed by the processor 101 further implements the steps of:
analyzing a TCP/IP data packet header in the network flow, and extracting network connection information according to the TCP/IP data packet header.
The specific implementation steps are the same as those of the method embodiments, and are not described herein again.
Optionally, the computer program when executed by the processor 101 further implements the steps of:
acquiring a maximum identification number pre-stored in a network, and judging whether the current identification number is larger than the maximum identification number;
and if the current identification number is larger than the maximum identification number, taking the current identification number as the maximum identification number, and recording the replaced maximum identification number and the corresponding time.
The specific implementation steps are the same as those of the method embodiments, and are not described herein again.
Optionally, the computer program when executed by the processor 101 further implements the steps of:
and setting a threshold value of the identification number and a time threshold value in advance.
The specific implementation steps are the same as those of the method embodiments, and are not described herein again.
Embodiments of the present invention provide a non-transitory computer-readable storage medium storing computer-executable instructions for execution by one or more processors, for example, to perform method steps S100-S500 of fig. 1 described above.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A NAT equipment identification method based on IP identification number is characterized by comprising the following steps:
collecting all network flows accessed in a network;
extracting network connection information in network flow, wherein the network connection information comprises a source IP and an identification number in an IP packet header;
acquiring the maximum identification number in the network and the time corresponding to the maximum identification number;
when the identification number of a target IP is detected to be smaller than the maximum identification number, calculating the identification number difference value between the identification number of the target IP and the maximum identification number, and calculating the time difference between the time corresponding to the identification number of the target IP and the time corresponding to the maximum identification number;
and when the difference value of the identification numbers is larger than a preset identification number threshold value and the time difference is smaller than a time threshold value, judging that the current IP access equipment is NAT equipment.
2. The method for identifying the NAT device based on the IP identification number according to claim 1, wherein said collecting all network traffic accessed in the network comprises:
and acquiring all network traffic accessed in the network in a network traffic mirroring mode.
3. The method of claim 2, wherein the extracting network connection information in the network traffic comprises:
analyzing a TCP/IP data packet header in the network flow, and extracting network connection information according to the TCP/IP data packet header.
4. The method according to claim 3, wherein the obtaining the maximum identification number in the network and the time corresponding to the maximum identification number includes:
acquiring a maximum identification number pre-stored in a network, and judging whether the current identification number is larger than the maximum identification number;
and if the current identification number is larger than the maximum identification number, taking the current identification number as the maximum identification number, and recording the replaced maximum identification number and the corresponding time.
5. The method for identifying NAT equipment based on IP identification number according to claim 4, wherein before collecting all network traffic accessed in network, further comprising:
and setting a threshold value of the identification number and a time threshold value in advance.
6. An IP identification number-based NAT device identification system, the system comprising: a memory, a processor and a computer program stored on the memory and executable on the processor, the computer program when executed by the processor implementing the steps of:
collecting all network flows accessed in a network;
extracting network connection information in network flow, wherein the network connection information comprises a source IP and an identification number in an IP packet header;
acquiring the maximum identification number in the network and the time corresponding to the maximum identification number;
when the identification number of a target IP is detected to be smaller than the maximum identification number, calculating the identification number difference value between the identification number of the target IP and the maximum identification number, and calculating the time difference between the time corresponding to the identification number of the target IP and the time corresponding to the maximum identification number;
and when the difference value of the identification numbers is larger than a preset identification number threshold value and the time difference is smaller than a time threshold value, judging that the current IP access equipment is NAT equipment.
7. The IP identification number based NAT device identification system of claim 6, wherein the computer program when executed by the processor further performs the steps of:
acquiring all network traffic accessed in the network by means of network traffic mirroring.
8. The IP identification number based NAT device identification system of claim 7, wherein the computer program when executed by the processor further performs the steps of:
analyzing the TCP/IP data packet header in the network traffic, and extracting the network connection information according to the TCP/IP data packet header.
9. The IP identification number based NAT device identification system of claim 8, wherein the computer program when executed by the processor further performs the steps of:
acquiring a maximum identification number pre-stored in a network, and judging whether the current identification number is larger than the maximum identification number;
and if the current identification number is larger than the maximum identification number, taking the current identification number as the maximum identification number, and recording the replaced maximum identification number and the corresponding time.
10. A non-transitory computer-readable storage medium storing computer-executable instructions that, when executed by one or more processors, cause the one or more processors to perform the IP identification number based NAT device identification method of any one of claims 1-5.
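The detection steps of claims 4 to 6, as an added Python example that is not code from the patent. It assumes the maximum identification number is tracked per source IP and uses illustrative thresholds (1000 and 2 seconds); `NatDetector`, `parse_ipv4`, `make_header` and the sample observations are constructed for illustration.

```python
import struct

def make_header(src, ident):
    """Build a minimal 20-byte IPv4 header (constructed sample data, checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, 0x4000, 64, 6, 0,
                       bytes(map(int, src.split("."))), bytes([192, 0, 2, 1]))

def parse_ipv4(header):
    """Return (source IP, Identification) from a raw IPv4 header, or None."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return None
    ident = struct.unpack_from("!H", header, 4)[0]
    return ".".join(str(b) for b in header[12:16]), ident

class NatDetector:
    # Threshold defaults are assumed values; claim 5 only says they are preset.
    def __init__(self, id_threshold=1000, time_threshold=2.0):
        self.id_threshold = id_threshold
        self.time_threshold = time_threshold      # seconds
        self.max_seen = {}        # source IP -> (maximum Identification, its time)
        self.nat_sources = set()

    def observe(self, ts, header):
        """Feed one mirrored packet; return True if its source is judged NAT."""
        parsed = parse_ipv4(header)
        if parsed is None:
            return False
        src, ident = parsed
        best = self.max_seen.get(src)
        if best is None or ident > best[0]:
            self.max_seen[src] = (ident, ts)      # new maximum and its time
            return False
        id_diff = best[0] - ident
        time_diff = abs(ts - best[1])
        if id_diff > self.id_threshold and time_diff < self.time_threshold:
            self.nat_sources.add(src)
            return True
        return False

SAMPLE = [  # constructed (time, source IP, Identification) observations
    (0.00, "10.0.0.5", 100), (0.05, "10.0.0.5", 101), (0.10, "10.0.0.5", 102),
    (0.00, "10.0.0.9", 40000), (0.02, "10.0.0.9", 120), (0.04, "10.0.0.9", 40001),
    (0.00, "10.0.0.7", 65535), (0.01, "10.0.0.7", 3),   # 16-bit counter wrap
]

def run_sample():
    det = NatDetector()
    for ts, src, ident in SAMPLE:
        det.observe(ts, make_header(src, ident))
    return det.nat_sources
```

The third sample source shows that a single host whose 16-bit Identification counter wraps from 65535 to a small value meets the same two conditions, which the steps of claim 6 do not distinguish from NAT.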

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010250849.XA CN111131339A (en) 2020-04-01 2020-04-01 NAT equipment identification method and system based on IP identification number

Publications (1)

Publication Number Publication Date
CN111131339A (en) 2020-05-08

Family

ID=70493932

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010250849.XA Pending CN111131339A (en) 2020-04-01 2020-04-01 NAT equipment identification method and system based on IP identification number

Country Status (1)

Country Link
CN (1) CN111131339A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1866951A (en) * 2005-05-20 2006-11-22 华为技术有限公司 Method and system for detecting shared access host machine in network
CN101502052A (en) * 2006-05-09 2009-08-05 思科技术公司 NAT and proxy device detection

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112995358A (en) * 2021-04-21 2021-06-18 中国人民解放军国防科技大学 Large-scale network address translation traffic identification method and device and computer equipment
CN112995358B (en) * 2021-04-21 2021-07-23 中国人民解放军国防科技大学 Large-scale network address translation traffic identification method and device and computer equipment
CN114884918A (en) * 2022-05-20 2022-08-09 深圳铸泰科技有限公司 NAT equipment identification method and system based on IP identification number
CN115514732A (en) * 2022-09-02 2022-12-23 上海量讯物联技术有限公司 TCP connection number-based source NAT IP allocation method and device

Similar Documents

Publication Publication Date Title
US11716344B2 (en) Elastic asset-based licensing model for use in a vulnerability management system
Perdisci et al. Iotfinder: Efficient large-scale identification of iot devices via passive dns traffic analysis
CN110865867B (en) Method, device and system for discovering application topological relation
US10440049B2 (en) Network traffic analysis for malware detection and performance reporting
JP7425832B2 (en) Pattern matching based detection in IoT security
CN111131339A (en) NAT equipment identification method and system based on IP identification number
KR102580898B1 (en) System and method for selectively collecting computer forensics data using DNS messages
US20060198313A1 (en) Method and device for detecting and blocking unauthorized access
US20200120122A1 (en) Multi-dimensional periodicity detection of iot device behavior
CN104601570A (en) Network security monitoring method based on bypass monitoring and software packet capturing technology
US9246774B2 (en) Sample based determination of network policy violations
CN114006723B (en) Network security prediction method, device and system based on threat information
CN109361574B (en) JavaScript script-based NAT detection method, system, medium and equipment
CN111654477A (en) Information topology method and device of industrial control network based on FINS protocol and computer equipment
EP3854033B1 (en) Packet capture via packet tagging
US20210367829A1 (en) Iot application learning
US20230318923A1 (en) Proactive inspection technique for improved classification
JP6325993B2 (en) Service monitoring apparatus and service monitoring method
JP2014063349A (en) Malware detection device and method
Mugitama et al. An evidence-based technical process for openflow-based SDN forensics
CN116235172A (en) Prioritizing assets using security metrics
KR100850629B1 (en) A network interface card for filtering transmitted data packet in a network and a method for filtering
CN113722142B (en) Method and device for analyzing reasons of insufficient memory, electronic equipment and storage medium
KR102156600B1 (en) System and method for creating association between packets collected in network and processes in endpoint computing device
CN116962255B (en) Detection method, system, equipment and readable medium for finding PCDN user

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200508