CN111343167A - Information processing method based on network and electronic equipment - Google Patents


Info

Publication number: CN111343167A
Authority: CN (China)
Prior art keywords: information, network, data, operating system, mirror image
Legal status: Granted
Application number: CN202010102379.2A
Other languages: Chinese (zh)
Other versions: CN111343167B (en)
Inventors: 郭立春, 肖国颖
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202010102379.2A; publication of CN111343167A; application granted; publication of CN111343167B
Legal status: Active

Classifications

    • H04L63/0236 (H04L63/00 Network architectures or protocols for network security > H04L63/02 separating internal from external traffic, e.g. firewalls > H04L63/0227 Filtering policies): Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0263 (H04L63/00 > H04L63/02 > H04L63/0227 Filtering policies): Rule management
    • H04L63/1408 (H04L63/00 > H04L63/14 detecting or protecting against malicious traffic): by monitoring network traffic
    • H04L67/025 (H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/02 Protocols based on web technology, e.g. HTTP): for remote control or remote monitoring of applications
    • H04L67/1095 (H04L67/00 > H04L67/01 Protocols > H04L67/10 Protocols in which an application is distributed across nodes in the network): Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Abstract

The application discloses a network-based information processing method and an electronic device. The method comprises the following steps: sending a request command to a first network device, so that the first network device, in response to the request command, generates mirror traffic from the data stream flowing through it and sends the mirror traffic out; receiving the mirror traffic and acquiring, based on it, the data characteristics corresponding to a target device in the network; determining the operating system of the target device based on the data characteristics; and inputting the operating system and the data characteristics into a preset behavior model, so that the asset information of the corresponding target device is determined by the preset behavior model. The information processing method does not actively scan or probe the whole network, and can accurately obtain the asset information of the target devices in the network from the mirror traffic alone.

Description

Information processing method based on network and electronic equipment
Technical Field
The present disclosure relates to the field of network information and network security, and in particular, to a network-based information processing method and an electronic device.
Background
With the advance of informatization, the security of internet information systems receives ever more attention. Under an increasingly severe information security situation, it is important to have an accurate picture of the assets, the basic state of the applications and the security posture within a particular network (a network under one's own administration). At present, however, asset information is acquired by active probing (for example, by actively probing asset ports): a specific probe packet must be sent to the target asset, and the asset is identified by analysing the response it returns. Because of complex network environments, the protection of network security policies and other restrictions, the probe packets frequently fail to get through, so that the assets in the network cannot be identified.
Disclosure of Invention
An object of the embodiments of the present application is to provide a network-based information processing method and an electronic device. The information processing method can obtain the asset information of the devices in a network without scanning and probing the entire network, and so avoids the active scanning and probing being blocked by the devices or being treated as an intrusion into the network.
To solve this technical problem, the embodiments of the application adopt the following technical scheme. A network-based information processing method includes:
sending a request command to a first network device, so that the first network device, in response to the request command, generates mirror traffic from the data stream flowing through it and sends the mirror traffic out;
receiving the mirror traffic, and acquiring the data characteristics corresponding to a target device in the network based on the mirror traffic;
determining the operating system of the target device based on the data characteristics;
and inputting the operating system and the data characteristics into a preset behavior model, so that the asset information of the corresponding target device is determined by the preset behavior model.
Optionally, the data characteristics include one or more of: service information, resource update information, and first relationship information representing the relationship between traffic and time.
Optionally, receiving the mirror traffic and acquiring the data characteristics corresponding to the target device in the network based on the mirror traffic includes:
acquiring the address information and the communication protocol information corresponding to the target device based on the mirror traffic;
and comparing the address information and the communication protocol information with a preset rule base, and acquiring the service information corresponding to the target device from the comparison result.
Optionally, the data characteristics further include program installation mode information, and determining the operating system of the target device based on the data characteristics includes:
determining the operating system of the target device based at least on the program installation mode information and the resource update information.
Optionally, inputting the operating system and the data characteristics into the preset behavior model to determine the asset information of the corresponding target device based on the preset behavior model includes:
inputting the operating system, the first relationship information and the service information of the target device into the preset behavior model, so that, on the basis of the determined operating system, the preset behavior model determines the asset information of the target device from the derivation relationship it specifies between the data characteristics and the output conclusion.
Optionally, the target device includes a terminal device and a server device;
and the service information includes file transfer service information, DNS resolution service, WEB access service and instant messaging service.
Optionally, the method further comprises:
performing a preprocessing operation on the received mirror traffic, wherein
the preprocessing operation includes the following steps:
converting the data format of the mirror traffic so that the data in the mirror traffic conform to a preset format standard;
acquiring service domain name information from the address information corresponding to the target device, and supplementing the mirror traffic with the service domain name information;
and filtering extra data out of the mirror traffic.
Optionally, the method further comprises:
when the data characteristics corresponding to the target device change and the degree of change exceeds a preset change range, updating the preset behavior model based on the changed data characteristics.
An embodiment of the present application further provides an electronic device, including:
a request module configured to send a request command to a first network device, so that the first network device, in response to the request command, generates mirror traffic from the data stream flowing through it and sends the mirror traffic out;
an acquisition module configured to receive the mirror traffic and acquire the data characteristics corresponding to a target device in the network based on the mirror traffic;
and a processing module configured to determine the operating system of the target device based on the data characteristics, and to input the operating system and the data characteristics into a preset behavior model so that the asset information of the corresponding target device is determined by the preset behavior model.
Optionally, the data characteristics include one or more of: service information, resource update information, and first relationship information representing the relationship between traffic and time.
Optionally, the acquisition module is further configured to:
acquire the address information and the communication protocol information corresponding to the target device based on the mirror traffic;
and compare the address information and the communication protocol information with a preset rule base, and acquire the service information corresponding to the target device from the comparison result.
Optionally, the data characteristics further include program installation mode information, and the processing module is further configured to determine the operating system of the target device based at least on the program installation mode information and the resource update information.
The beneficial effects of the embodiments of the application are as follows. The information processing method does not actively scan and probe the whole network; instead it passively receives the mirror traffic and obtains the asset information of the target devices in the network from it. This avoids the active scanning and probing being blocked or being treated as an intrusion into the network, while still accurately obtaining the asset information of the target devices, such as the identity of a target device, the Web applications on it and other details about it.
Drawings
Fig. 1 is a flowchart of a network-based information processing method according to an embodiment of the present application;
Fig. 2 is a flowchart of one embodiment of step S2 of Fig. 1 according to an embodiment of the present application;
Fig. 3 is a flowchart of an embodiment of a network-based information processing method according to the present application;
Fig. 4 is a timing diagram illustrating the operating system discovery process in an information processing method according to an embodiment of the present application;
Fig. 5 is a connection structure diagram of an electronic device according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Various aspects and features of the present application are described herein with reference to the drawings.
It will be understood that various modifications may be made to the embodiments of the present application. Accordingly, the foregoing description should not be construed as limiting, but merely as exemplifications of embodiments. Those skilled in the art will envision other modifications within the scope and spirit of the application.
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the application and, together with a general description of the application given above and the detailed description of the embodiments given below, serve to explain the principles of the application.
These and other characteristics of the present application will become apparent from the following description of preferred forms of embodiment, given as non-limiting examples, with reference to the attached drawings.
It should also be understood that, although the present application has been described with reference to some specific examples, a person of skill in the art shall certainly be able to achieve many other equivalent forms of application, having the characteristics as set forth in the claims and hence all coming within the field of protection defined thereby.
The above and other aspects, features and advantages of the present application will become more apparent in view of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present application are described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely exemplary of the application, which can be embodied in various forms. Well-known and/or repeated functions and constructions are not described in detail, to avoid obscuring the application with unnecessary detail. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present application in virtually any appropriately detailed structure.
The specification may use the phrases "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the application.
Fig. 1 is a flowchart of a network-based information processing method according to an embodiment of the present application. The method may be applied to a network under the operator's own administration, such as a client network, an internal network or a local area network, to acquire information about the assets in that network (such as devices, or the applications on the devices). As shown in Fig. 1, in combination with Figs. 4 and 5, the method includes the following steps:
S1, sending a request command to a first network device, so that the first network device, in response to the request command, generates mirror traffic from the data stream flowing through it and sends the mirror traffic out.
The first network device is a backbone device of the network: every data stream exchanged between the network and the external internet flows through it. In this embodiment, for example, the first network device is the main switch of the network; the switch connects the network to the external internet through a firewall, and a target device (asset) in the network communicates with the external internet through the first network device. A corresponding electronic device may be deployed in the network; for example, the electronic device includes a console and a host, connects to the first network device through the host, and sends the request command to the first network device to ask it for mirror traffic. The mirror traffic is the result of mirroring the data stream of the first network device, so its content is identical to that of the data stream flowing through the first network device. After receiving the request command, the first network device generates the mirror traffic from the data stream flowing through it and sends the mirror traffic to the electronic device.
S2, receiving the mirror traffic, and acquiring the data characteristics corresponding to a target device in the network based on the mirror traffic, where the data characteristics include one or more of: service information, resource update information, and first relationship information representing the relationship between traffic and time.
Specifically, after the mirror traffic sent by the first network device is received, it can be analysed. Since the mirror traffic contains the target data generated by multiple target devices in the network during their data interactions, the data characteristics of each target device, such as its service information, its resource update information and the first relationship information representing the relationship between traffic and time, can be derived from that target data. Once the mirror traffic has been analysed, the data characteristics corresponding to each target device are obtained and then labelled, so that when they are needed they can be retrieved by their labels.
S3, determining the operating system of the target device based on the data characteristics.
The target device may be a server, a terminal device (such as a PC), another network device, and the like. Its operating system may be Windows, Linux or another operating system, and in this embodiment the operating system must be determined before the asset information of the target device is determined. Since the data characteristics describe all of the communication behaviour of the target device, the operating system can be determined from at least some of them. For example, the information describing how the target device installs programs (program installation mode information), the resource update information describing how the operating system updates its resources, and the patch update information describing how the operating system is patched are all data characteristics of the target device. From these data characteristics, the operating system of the target device, such as Windows or Linux, can be determined.
S4, inputting the operating system and the data characteristics into a preset behavior model, so that the asset information of the corresponding target device is determined by the preset behavior model.
The preset behavior model represents the rules of behaviour of the operating system when it communicates in the network; it specifies a derivation relationship between the data characteristics of the target device and an output conclusion. The model can be constructed in advance and updated during use according to changes in the data characteristics, so that it matches the current state of the network. The asset information includes the identity of the target device and details about it, such as the Web applications on the target device, and it lets the user keep track of the assets in the network. In this implementation, the operating system and the data characteristics of the target device are input into the preset behavior model, which computes the asset information of the target device. For example, under a Windows operating system, the target device can be determined to be a terminal device from the service information in the data characteristics and the first relationship information representing the relationship between traffic and time, and the Web applications on that terminal device are then determined.
The information processing method does not actively scan and probe the whole network; instead it passively receives the mirror traffic and obtains the asset information of the devices in the network from it. This avoids the active scanning and probing being blocked by the devices or being treated as an intrusion into the network, while still accurately obtaining the asset information of the target devices, such as the identity of a target device, the Web applications on it and other details about it.
In an embodiment of the present application, receiving the mirror traffic and acquiring the data characteristics corresponding to the target device in the network based on the mirror traffic, as shown in Fig. 2, includes the following steps:
S21, acquiring the address information and the communication protocol information corresponding to the target device based on the mirror traffic.
The target device has corresponding address information in the network, for example an IP address, by which it can be located in the network. The communication protocol information corresponding to the target device covers multiple protocols, such as TCP/IP, NetBEUI and IPX/SPX, and the target device exchanges data over these protocols when it communicates.
S22, comparing the address information and the communication protocol information with a preset rule base, and acquiring the service information corresponding to the target device from the comparison result.
The preset rule base may be derivation information for deriving the service information from the address information and the communication protocol information, including the association between the address information, the communication protocol information and the service information. Once the address information and the communication protocol information are known, the service information corresponding to the target device is obtained from the result of comparing them with the preset rule base. For example, from the IP address of the target device and the communication protocol used during an interaction, service information of the target device can be obtained, such as WEB service, mail service, remote login service (ssh, telnet, rdp, smb, winrm, snmp, etc.), file transfer service (ftp), instant messaging service, DNS service, VPN service, clock service, system upgrade/update service, backup service, exception feedback service, repository update service and so on. The service information so determined serves as an important input parameter of the preset behavior model and helps ensure that the model's calculation is accurate.
In an embodiment of the application, the data characteristics further include program installation mode information, and determining the operating system of the target device based on the data characteristics includes the following step: determining the operating system of the target device based at least on the program installation mode information and the resource update information.
Specifically, referring to Fig. 4, the program installation mode information is information about how programs are installed on the target device, for example that software is installed from an installation package supplied by the user, and the source of that installation package. The resource update information is information generated when the target device updates its resources, such as how the operating system is patched and how resources are downloaded. In this embodiment, the operating system of the target device is determined based at least on the program installation mode information and the resource update information. For example, if the program installation package is obtained from the program producer's server (with the corresponding acquisition information) and patches are likewise actively obtained by the user from a third party other than the operating system (with the corresponding patch acquisition information), the operating system of the target device can be determined from this information to be Windows; if the program installation package is obtained from the operating system's own community (with the corresponding community information) and the operating system is patched from that community (with the corresponding community patch acquisition information), the operating system can be taken to be Linux.
In an embodiment of the application, inputting the operating system and the data characteristics into the preset behavior model to determine the asset information of the corresponding target device based on the preset behavior model includes:
inputting the operating system, the first relationship information and the service information of the target device into the preset behavior model, so that, on the basis of the determined operating system, the preset behavior model determines the asset information of the target device from the derivation relationship it specifies between the data characteristics and the output conclusion.
Specifically, in this embodiment the operating system of the target device may be determined in advance, and on the basis of the determined operating system the asset information of the target device is determined by the preset behavior model from the first relationship information and the service information input into it. A derivation relationship between the data characteristics and the output conclusion is set in the preset behavior model; it includes the derivation relationship between the first relationship information and the service information on one side and the output conclusion on the other, and the derivation relationships between the other data characteristics and the output conclusion. The service information includes: WEB services, mail services, remote login services (ssh, telnet, rdp, smb, winrm, wmi, snmp, etc.), file transfer services (ftp), instant messaging services, DNS services, VPN services, clock services, system upgrade/update services, backup services, exception feedback services, repository update services and so on. The first relationship information represents the relationship between traffic and time, for example the relationship between the traffic of the target device and the different periods of a day: for instance, the first target device has large uplink traffic, small downlink traffic, large uplink traffic in the daytime and small uplink traffic at night, while the second target device has large upstream traffic, large output traffic and little difference between its daytime and night-time traffic.
In this embodiment, the asset information of the corresponding target device is determined from the derivation relationship between the data characteristics and the output conclusion in the preset behavior model. As above, the data characteristics include, for example, the first relationship information and the service information. For the first target device, once its operating system has been determined, if its uplink traffic is small, its downlink traffic large, its uplink traffic large in the daytime and small at night, and it has a file transfer service, a DNS resolution service, a WEB access service, an instant messaging service and the like, the preset behavior model determines the first target device to be a terminal device (a PC). For the second target device, once its operating system has been determined, if its uplink traffic is small, its output traffic large, and it provides a remote login service, an external WEB service, an FTP service or a mail service and the like, the preset behavior model determines the second target device to be a server device. The determination may of course also use other data characteristics of the target device; for example, the target device is judged by whether social information appears in its data characteristics, and if so it is regarded as a terminal device, after which the corresponding asset information is determined.
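The pipeline of steps S2 to S4 as described above (rule-base lookup for service information, operating system inference from installation and update sources, and the behavior model's terminal-versus-server rules), as an added Python example that is not part of the patent or of any Topsec product. The port-to-service table, the update-source domain names, the daytime window and the sample flow records are assumptions constructed for this example, and the behavior-model rules are a simplified reading of the two cases in the text.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarised connection taken from the mirror traffic (constructed)."""
    host: str        # asset inside the monitored network
    initiated: bool  # True if the asset opened the connection (client role)
    proto: str       # "tcp" or "udp"
    port: int        # server-side port of the connection
    hour: int        # local hour (0-23) at which the flow was seen
    up_bytes: int    # bytes sent by the asset (uplink)
    down_bytes: int  # bytes received by the asset (downlink)
    peer: str = ""   # peer domain name after DNS enrichment, if known

# Preset rule base (S22), assumed: (protocol, server port) -> service label.
RULE_BASE = {
    ("tcp", 80): "web", ("tcp", 443): "web",
    ("tcp", 25): "mail", ("tcp", 993): "mail",
    ("tcp", 22): "remote-login", ("tcp", 23): "remote-login",
    ("tcp", 3389): "remote-login", ("tcp", 445): "remote-login",
    ("tcp", 5985): "remote-login", ("udp", 161): "remote-login",
    ("tcp", 21): "ftp", ("udp", 53): "dns", ("tcp", 5222): "im",
}

# Resource-update sources (assumed placeholder names): where patches and
# installation packages are fetched from, mapped to the OS this implies.
UPDATE_SOURCES = {
    "patch.vendor.example": "Windows",     # producer / third-party patch server
    "mirror.community.example": "Linux",   # distribution community repository
}

DAY_HOURS = range(8, 20)   # assumed daytime window for the traffic/time feature
SERVER_SERVICES = {"remote-login", "web", "ftp", "mail"}   # provided by servers
TERMINAL_SERVICES = {"ftp", "dns", "web", "im"}            # used by terminals


def extract_features(flows):
    """S2/S21/S22: per-host data features derived from the mirror traffic."""
    feats = defaultdict(lambda: {
        "up": 0, "down": 0, "up_day": 0, "up_night": 0,
        "used": set(), "hosted": set(), "update_sources": set(),
    })
    for fl in flows:
        f = feats[fl.host]
        f["up"] += fl.up_bytes
        f["down"] += fl.down_bytes
        if fl.hour in DAY_HOURS:
            f["up_day"] += fl.up_bytes
        else:
            f["up_night"] += fl.up_bytes
        service = RULE_BASE.get((fl.proto, fl.port))   # protocol/port -> service
        if service:
            (f["used"] if fl.initiated else f["hosted"]).add(service)
        if fl.peer in UPDATE_SOURCES:
            f["update_sources"].add(fl.peer)
    return dict(feats)


def infer_os(f):
    """S3: operating system from program-installation / resource-update sources."""
    guesses = {UPDATE_SOURCES[src] for src in f["update_sources"]}
    return guesses.pop() if len(guesses) == 1 else "unknown"


def classify(f, os_name):
    """S4: preset behavior model, a simplified reading of the text's two cases."""
    if os_name == "unknown":
        return "unknown"        # the model is applied only once the OS is fixed
    if f["hosted"] & SERVER_SERVICES:
        return "server"         # provides remote login / web / ftp / mail
    if "im" in f["used"]:
        return "terminal"       # social / instant-messaging traffic
    if (f["down"] > f["up"] and f["up_day"] > f["up_night"]
            and f["used"] & TERMINAL_SERVICES):
        return "terminal"
    return "unknown"


def asset_inventory(flows):
    """Whole pipeline: mirror traffic -> {host: asset information}."""
    inventory = {}
    for host, f in extract_features(flows).items():
        os_name = infer_os(f)
        inventory[host] = {
            "os": os_name,
            "type": classify(f, os_name),
            "hosted": sorted(f["hosted"]),
            "used": sorted(f["used"]),
        }
    return inventory


# Constructed sample of mirror traffic: one workstation and one server.
SAMPLE_FLOWS = [
    Flow("10.0.0.21", True, "udp", 53, 9, 200, 400),
    Flow("10.0.0.21", True, "tcp", 443, 10, 5_000, 90_000),
    Flow("10.0.0.21", True, "tcp", 5222, 11, 3_000, 3_000),
    Flow("10.0.0.21", True, "tcp", 443, 22, 500, 8_000, "patch.vendor.example"),
    Flow("10.0.0.5", False, "tcp", 22, 3, 40_000, 2_000),
    Flow("10.0.0.5", False, "tcp", 80, 14, 300_000, 20_000),
    Flow("10.0.0.5", True, "tcp", 443, 2, 1_000, 60_000, "mirror.community.example"),
]
```

Calling `asset_inventory(SAMPLE_FLOWS)` labels 10.0.0.21 as a Windows terminal and 10.0.0.5 as a Linux server without a single probe packet being sent.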
In one embodiment of the present application, the target device includes a terminal device and a server device; the service information comprises file transfer service information, a DNS resolution service, a WEB access service and an instant messaging service.
In one embodiment of the present application, the method further comprises performing a preprocessing operation on the received mirror traffic, where, as shown in fig. 3, the preprocessing operation includes:
S5, converting the data format of the mirror traffic so that the data in the mirror traffic conforms to a preset format standard;
S6, obtaining service domain name information through the address information corresponding to the target device, and supplementing the service domain name information into the mirror traffic;
and S7, filtering out extra data from the mirror traffic.
Specifically, after the mirror traffic is received, it needs to be formatted and sorted: the data format of the mirror traffic is standardized so that it meets the preset format standard, which makes further processing of the mirror traffic convenient and ensures the accuracy of the data processing. In addition, the mirror traffic may contain incomplete data, which affects the determination of the data characteristics; in that case part of the specific content may be supplemented from the data already present in the mirror traffic, for example by looking up the corresponding service domain name information by associating the IP address corresponding to the target device with a DNS library and supplementing that service domain name information into the mirror traffic, so that the mirror traffic is completed and the data characteristics corresponding to the target device can be determined accurately. In addition, the preprocessing operation in this embodiment may also perform noise reduction on the mirror traffic and filter out extra data, for example some interfering data or data that does not contribute to the determination process, so as to avoid misjudgement caused by the extra data.
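As an added example of steps S5 to S7 (not code from the patent or its applicant), the block below runs constructed mirror-traffic records through the three preprocessing stages: normalizing records that two collectors emitted with different field names, units and timestamp encodings; supplementing the service domain name from a DNS library keyed by destination IP; and filtering noise that says nothing about a target device (broadcast, multicast and empty flows). The record schema, the DNS_LIBRARY contents, the sample records and the noise criteria are all assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed DNS library: destination IP -> service domain name.  Stands in for
# the DNS records the collector keeps; the names are placeholders.
DNS_LIBRARY = {
    "10.0.0.5": "intranet.example.internal",
    "10.0.0.9": "mail.example.internal",
}

# Constructed mirror-traffic records as two different collectors might emit
# them: differing key names, ISO vs. epoch timestamps, bytes vs. kilobytes.
RAW_RECORDS = [
    {"src": "10.0.1.20", "dst": "10.0.0.5", "proto": "tcp", "dport": 443,
     "ts": "2020-02-19T09:15:00Z", "bytes": 1520},
    {"srcip": "10.0.1.20", "dstip": "10.0.0.9", "protocol": 6, "dstport": "25",
     "time": 1582103760, "kbytes": 4},
    {"src": "10.0.1.20", "dst": "255.255.255.255", "proto": "udp", "dport": 67,
     "ts": "2020-02-19T09:16:00Z", "bytes": 300},            # broadcast: noise
    {"src": "10.0.1.21", "dst": "224.0.0.251", "proto": "udp", "dport": 5353,
     "ts": "2020-02-19T09:16:05Z", "bytes": 120},            # multicast: noise
    {"src": "10.0.1.22", "dst": "10.0.0.5", "proto": "tcp", "dport": 443,
     "ts": "2020-02-19T09:17:00Z", "bytes": 0},              # empty flow: noise
]

PROTO_NUMBERS = {6: "tcp", 17: "udp"}
BROADCAST = ipaddress.ip_address("255.255.255.255")


def normalize(raw: dict) -> dict:
    """S5: map heterogeneous field names and encodings onto one preset schema."""
    src = raw.get("src") or raw["srcip"]
    dst = raw.get("dst") or raw["dstip"]
    proto = raw.get("proto") if "proto" in raw else raw["protocol"]
    if isinstance(proto, int):
        proto = PROTO_NUMBERS.get(proto, str(proto))
    port = int(raw["dport"] if "dport" in raw else raw["dstport"])
    ts = raw["ts"] if "ts" in raw else raw["time"]
    if isinstance(ts, str):
        # ISO 8601 with a trailing Z -> epoch seconds (UTC)
        ts = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    nbytes = raw["bytes"] if "bytes" in raw else raw["kbytes"] * 1024
    return {"src": src, "dst": dst, "proto": proto.lower(), "dport": port,
            "ts": ts, "bytes": nbytes, "dst_domain": None}


def enrich(rec: dict, dns_library: dict) -> dict:
    """S6: fill in the service domain name by associating the IP with the DNS library."""
    rec["dst_domain"] = dns_library.get(rec["dst"])
    return rec


def is_noise(rec: dict) -> bool:
    """S7: records that contribute nothing to determining a target device."""
    dst = ipaddress.ip_address(rec["dst"])
    return rec["bytes"] == 0 or dst.is_multicast or dst == BROADCAST


def preprocess(raw_records, dns_library=DNS_LIBRARY):
    """Run S5 -> S6 -> S7 and return the cleaned, enriched records."""
    cleaned = []
    for raw in raw_records:
        rec = enrich(normalize(raw), dns_library)
        if not is_noise(rec):
            cleaned.append(rec)
    return cleaned


if __name__ == "__main__":
    for rec in preprocess(RAW_RECORDS):
        print(rec)
```

Normalizing before enriching matters: the DNS lookup and the noise filter both key on the canonical `dst` field, so a record still carrying `dstip` would silently miss both.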
In one embodiment of the present application, the method further comprises: and under the condition that the data characteristics corresponding to the target equipment are changed and the change degree exceeds a preset change range, updating the preset behavior model based on the changed data characteristics.
Specifically, in the use process of the network, the data traffic flowing through the first network device may change (for example, the data traffic changes along with the change of the service of the network), so that the obtained mirror traffic may change, and the data characteristics may also change.
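The following is an added example (not the patent's own code) of the update rule just described: the model keeps a baseline feature vector per device, measures how far the current data characteristics have moved from it, and replaces the baseline only when that change exceeds the preset range. The feature vector (uplink share, daytime share, service set), the combined change measure and the PRESET_CHANGE_RANGE value are assumptions chosen for the illustration.

```python
# Assumed preset change range: a device whose features move further than this
# from the model's baseline (0 = identical, 1 = entirely different) triggers an update.
PRESET_CHANGE_RANGE = 0.5


def feature_vector(up, down, up_day, up_night, services):
    """Reduce raw counters to the features the model compares."""
    total = up + down
    day_total = up_day + up_night
    return {
        "uplink_share": up / total if total else 0.0,
        "day_share": up_day / day_total if day_total else 0.0,
        "services": frozenset(services),
    }


def change_degree(baseline: dict, current: dict) -> float:
    """Largest per-feature change: absolute delta for the numeric shares,
    Jaccard distance for the service set."""
    numeric = max(abs(baseline["uplink_share"] - current["uplink_share"]),
                  abs(baseline["day_share"] - current["day_share"]))
    union = baseline["services"] | current["services"]
    inter = baseline["services"] & current["services"]
    jaccard = 1.0 - len(inter) / len(union) if union else 0.0
    return max(numeric, jaccard)


class BehaviorModel:
    """Per-device baselines that are updated only on significant change."""

    def __init__(self):
        self.baselines = {}   # device id -> feature vector
        self.updates = 0      # number of baselines replaced because of drift

    def observe(self, device: str, current: dict,
                preset_range: float = PRESET_CHANGE_RANGE):
        """Return (change_degree, updated).  The first observation seeds the baseline."""
        base = self.baselines.get(device)
        if base is None:
            self.baselines[device] = current
            return 0.0, True
        degree = change_degree(base, current)
        if degree > preset_range:
            self.baselines[device] = current
            self.updates += 1
            return degree, True
        return degree, False


# Constructed observation sequence for one device: a stable PC-like profile,
# a minor fluctuation, then a profile that looks like a server.
OBSERVATIONS = [
    feature_vector(700, 6000, 600, 100, {"dns", "web-access", "im"}),
    feature_vector(800, 6000, 650, 150, {"dns", "web-access", "im", "ftp"}),
    feature_vector(7000, 1500, 3600, 3400, {"ssh", "web-serve"}),
]


def run_sequence(model: BehaviorModel, device: str, observations):
    """Feed observations in order and collect (degree, updated) per step."""
    return [model.observe(device, fv) for fv in observations]


if __name__ == "__main__":
    m = BehaviorModel()
    for degree, updated in run_sequence(m, "10.0.1.20", OBSERVATIONS):
        print(f"change={degree:.2f} updated={updated}")
```

Keeping the "minor fluctuation" below the preset range is what stops the model from chasing every daily variation; only the third observation, where both the traffic profile and the service set change, replaces the baseline.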
An embodiment of the present application further provides an electronic device, where the electronic device may be applied in a network, as shown in fig. 6, and with reference to fig. 4 and 5, the electronic device includes:
the request module is configured to send a request command to a first network device, so that the first network device generates corresponding mirror traffic based on data flows flowing through the first network device and sends out the mirror traffic in response to the request command.
The first network device is a backbone device of the network through which the data streams formed by all data interaction between the network and the external internet flow. For example, in this embodiment the first network device is the main switch of the network; the switch is connected to the external internet through a firewall, so that the network is connected to the external internet, and a target device (asset) in the network may interact with the external internet through the first network device. In this embodiment, the request module of the electronic device is connected to the first network device and sends a request command to it, requesting the first network device to obtain mirror traffic. The mirror traffic is the traffic obtained by mirroring the data flow of the first network device; its content is the same as that of the data flow flowing through the first network device. After receiving the request command, the first network device generates the corresponding mirror traffic based on the data flow flowing through it and sends the mirror traffic to the electronic device.
An obtaining module configured to receive the mirror traffic and obtain data characteristics corresponding to a target device in the network based on the mirror traffic, where the data characteristics include one or more of: service information, resource update information, and first relationship information representing the relationship between traffic and time.
Specifically, after receiving the mirror traffic sent by the first network device, the obtaining module can perform data analysis on it. The mirror traffic includes the target data generated during the data interaction of a plurality of target devices in the network, so the obtaining module can obtain, based on the target data, the data characteristics corresponding to each target device, such as the service information of the device, the resource update information and the first relationship information representing the relationship between traffic and time. Having analysed the mirror traffic, the obtaining module can thus obtain the data characteristics corresponding to the target devices and perform operations such as labeling on them, so that the data characteristics can be retrieved according to the label information when they are used.
A processing module configured to determine an operating system of the target device based on the data characteristics; and inputting the operating system and the data characteristics into a preset behavior model so as to determine the asset information of the corresponding target equipment based on the preset behavior model.
The target device may be a server, a terminal device (such as a PC) or another network device. The operating system of the target device may be a Windows operating system, a Linux operating system, or the like; in this embodiment, the processing module needs to determine the operating system before determining the asset information of the target device. Since the data characteristics are capable of characterizing all communication behaviour of the target device, the processing module may determine the operating system from at least some of them. For example, information representing the manner in which programs are installed on the target device (program installation mode information), resource update information representing the resource update process of the operating system, and patch update information representing the patching operations of the operating system are all data characteristics of the target device. From such data characteristics, the processing module can determine the operating system of the target device, for example a Windows operating system or a Linux operating system.
The preset behavior model represents a behavior rule of the operating system for communication in the network, a derivation relation between the data characteristics of the target device and an output conclusion is specified in the preset behavior model, and the preset behavior model can be preset and constructed and is updated according to the change of the data characteristics in the using process so as to be suitable for the current network state. The asset information comprises identity information of the target device and detailed information about the target device, such as Web application in the target device, and the user can know about the assets in the network in time through the asset information. In this implementation, the processing module inputs the operating system and the data characteristics of the target device into the preset behavior model, and calculates the asset information of the target device through the preset behavior model, for example, in the Windows operating system, the target device can be determined to be the terminal device through the service information in the data characteristics and the first relationship information representing the relationship between the flow and the time, and then the Web application in the terminal device is determined.
The electronic device does not need to actively scan and probe the whole network; instead, it passively receives the mirror traffic and obtains the asset information of the devices in the network from it. This avoids the device being blocked, or being treated as an intrusion into the network, as can happen during active scanning and probing, while still accurately obtaining the asset information of the target device in the network, such as the identity information of the target device, the Web applications in the target device and other detailed information about it.
In an embodiment of the present application, the obtaining module is further configured to:
acquiring address information and communication protocol information corresponding to the target equipment based on the mirror image flow;
and comparing the address information and the communication protocol information with a preset rule base, and acquiring service information corresponding to the target equipment according to a comparison result.
Specifically, the target device has corresponding address information in the network, for example an IP address, by which the target device can be located in the network. In addition, the communication protocol information corresponding to the target device covers multiple protocols, such as the TCP/IP protocol, the NetBEUI protocol and the IPX/SPX protocol, on the basis of which the target device exchanges data when communicating.
The preset rule base may be derivation information for deriving the service information from the address information and the communication protocol information; it includes the association between the address information and the communication protocol information on the one hand and the service information on the other. Once the address information and the communication protocol information have been determined, the obtaining module compares them with the preset rule base and obtains the service information corresponding to the target device from the comparison result. For example, from the IP address of the target device and the communication protocol used during the interaction, service information of the target device can be obtained, such as WEB service, mail service, remote login service (ssh, telnet, rdp, smb, winrm, wmi, snmp, etc.), file transfer service (ftp), instant messaging service, DNS service, VPN service, clock service, system upgrade and update service, backup service, exception feedback service, repository update service, etc. The determined service information can serve as an important input parameter of the preset behavior model, ensuring that the preset behavior model calculates accurately.
In an embodiment of the application, the data characteristics further include program installation mode information, and the processing module is further configured to: determine an operating system of the target device based at least on the program installation mode information and the resource update information.
Specifically, referring to fig. 4, the program installation mode information is information related to the process of installing a program on the target device, for example whether the target device installs software from an installation package supplied by the user, and the source information of that installation package. The resource update information may be information generated by the target device while updating device resources, such as the patching manner of the operating system and the manner in which resources are downloaded. In this embodiment, the processing module determines the operating system of the target device based on at least the program installation mode information and the resource update information. For example, if the program installation package is obtained from a server of the program's producer (with the corresponding obtaining information) and patching also takes the form of the user actively obtaining patches from a third party different from the operating system (with the corresponding patch obtaining information), the processing module can determine from this information that the operating system of the target device is a Windows operating system; if the program installation package is obtained from the community of the operating system (with the associated community information) and from a server established by the vendor of the operating system, and the operating system is patched through its community (with the associated community patch obtaining information), the processing module may regard the operating system as a Linux operating system on the basis of that information.
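The block below is an added example covering both the rule-base comparison described above (address plus protocol information compared against a preset rule base to yield service information) and the operating-system determination from program installation and resource update sources in this passage. It is not the patent's or the applicant's code. The RULE_BASE entries, the FLOWS and SOFTWARE_OBS samples, and the source categories ("program_producer", "third_party", "os_vendor", "os_community") are all assumptions; a real rule base would be larger and port-based identification is only a first approximation that the behavior model refines.

```python
from collections import defaultdict

# Constructed preset rule base: (protocol, port, role) -> service information.
# "role" says which side of the flow the target device is on: the device that
# OFFERS the service (server) or the device that USES it (client).
RULE_BASE = {
    ("tcp", 22, "server"): "remote login (ssh)",
    ("tcp", 23, "server"): "remote login (telnet)",
    ("tcp", 3389, "server"): "remote login (rdp)",
    ("tcp", 445, "server"): "remote login (smb)",
    ("tcp", 5985, "server"): "remote login (winrm)",
    ("udp", 161, "server"): "snmp",
    ("tcp", 80, "server"): "web service",
    ("tcp", 443, "server"): "web service",
    ("tcp", 25, "server"): "mail service",
    ("tcp", 21, "server"): "file transfer service (ftp)",
    ("udp", 53, "server"): "dns service",
    ("tcp", 80, "client"): "web access",
    ("tcp", 443, "client"): "web access",
    ("udp", 53, "client"): "dns resolution",
    ("tcp", 21, "client"): "file transfer (ftp client)",
    ("tcp", 5222, "client"): "instant messaging (xmpp)",
}

# Constructed flow summaries from preprocessed mirror traffic:
# (initiating IP, responding IP, protocol, destination port).
FLOWS = [
    ("10.0.1.20", "10.0.0.5", "tcp", 443),
    ("10.0.1.20", "10.0.0.2", "udp", 53),
    ("10.0.1.20", "10.0.0.9", "tcp", 5222),
    ("10.0.1.20", "10.0.0.5", "tcp", 21),
    ("203.0.113.7", "10.0.0.5", "tcp", 443),
    ("10.0.1.20", "10.0.0.5", "tcp", 22),
    ("10.0.1.30", "10.0.0.5", "tcp", 25),
]


def services_by_address(flows, rule_base=RULE_BASE):
    """Compare each flow with the rule base from both endpoints' points of view
    and collect the resulting service information per IP address."""
    result = defaultdict(set)
    for src, dst, proto, port in flows:
        offered = rule_base.get((proto, port, "server"))
        used = rule_base.get((proto, port, "client"))
        if offered:
            result[dst].add(offered)
        if used:
            result[src].add(used)
    return dict(result)


# Constructed software-acquisition observations per device: (kind, source) with
# kind in {"install", "patch"} and source in {"program_producer", "third_party",
# "os_vendor", "os_community"}.
SOFTWARE_OBS = {
    "10.0.1.20": [("install", "program_producer"), ("install", "program_producer"),
                  ("patch", "third_party")],
    "10.0.0.5": [("install", "os_community"), ("install", "os_vendor"),
                 ("patch", "os_community")],
}

WINDOWS_SOURCES = {"program_producer", "third_party"}
LINUX_SOURCES = {"os_vendor", "os_community"}


def infer_os(observations) -> str:
    """Windows: installers come from each program's producer and patches from a
    third party other than the OS.  Linux: packages and patches come from the OS
    vendor's server or the OS community.  The majority of hints decides."""
    windows = sum(1 for _, source in observations if source in WINDOWS_SOURCES)
    linux = sum(1 for _, source in observations if source in LINUX_SOURCES)
    if windows > linux:
        return "Windows"
    if linux > windows:
        return "Linux"
    return "unknown"


if __name__ == "__main__":
    for ip, services in sorted(services_by_address(FLOWS).items()):
        print(ip, infer_os(SOFTWARE_OBS.get(ip, [])), sorted(services))
```

Recording the role alongside the port is what lets one rule base serve both the "offers" and "uses" sides of the later behavior model; a host that appears only as a client on port 443 is evidence of a terminal, not of a web server.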
In one embodiment of the present application, the processing module is further configured to:
inputting the operating system, the first relationship information and the service information of the target device into the preset behavior model, so that the preset behavior model determines the corresponding asset information of the target device based on the derivation relationship between the data features and the output conclusion in the preset behavior model on the basis of the determined operating system.
Specifically, in this embodiment, the processing module may determine the operating system of the target device in advance and then, on the basis of the determined operating system, determine the asset information of the target device by the preset behavior model from the first relationship information and the service information input into it. Further, a derivation relationship between data characteristics and an output conclusion is set in the preset behavior model; it includes the derivation relationship between the first relationship information and the service information on the one hand and the output conclusion on the other, as well as derivation relationships between other data characteristics and the output conclusion. The service information includes: WEB services, mail services, remote login services (ssh, telnet, rdp, smb, winrm, wmi, snmp, etc.), file transfer services (ftp), instant messaging services, DNS services, VPN services, clock services, system upgrade and update services, backup services, exception feedback services, repository update services, etc. The first relationship information represents a relationship between traffic and time, for example the relationship between the traffic corresponding to the target device and different time periods within a day: for instance, the first target device has large uplink traffic, small downlink traffic, large uplink traffic in the daytime and small uplink traffic at night, while the second target device has large uplink traffic, large output traffic and little difference between daytime and night-time traffic.
In this embodiment, the processing module determines the asset information of the corresponding target device from the derivation relationship between data characteristics and an output conclusion in the preset behavior model. As set out above, the data characteristics include, for example, the first relationship information and the service information. Taking the first target device: once its operating system has been determined, if its uplink traffic is small, its downlink traffic large, its uplink traffic large in the daytime and small at night, and it uses a file transfer service, a DNS resolution service, a WEB access service, an instant messaging service and the like, the processing module can judge through the preset behavior model that the first target device is a terminal device (PC device). Taking the second target device: once its operating system has been determined, if its uplink traffic is small, its output traffic large, and it provides a remote login service, an external WEB service, an FTP service or a mail service and the like, the processing module can judge through the preset behavior model that the second target device is a server device. Of course, the judgement may also be made from other data characteristics corresponding to the target device; for example, the target device may be judged on whether social information is present in its data characteristics and, if so, regarded as a terminal device, after which the corresponding asset information is determined.
In one embodiment of the present application, the target device includes a terminal device and a server device;
the service information comprises file transfer service information, a DNS resolution service, a WEB access service and an instant messaging service.
In one embodiment of the present application, the electronic device further comprises a preprocessing module configured to:
perform a preprocessing operation on the received mirror traffic, wherein
the preprocessing operation comprises the following steps:
converting the data format of the mirror traffic so that the data in the mirror traffic conforms to a preset format standard;
acquiring service domain name information through the address information corresponding to the target device, and supplementing the service domain name information into the mirror traffic;
and filtering out extra data from the mirror traffic.
Specifically, after the mirror traffic is received, the preprocessing module needs to format and sort it: it standardizes the data format of the mirror traffic so that the mirror traffic meets the preset format standard, which makes further processing convenient and ensures the accuracy of the data processing. In addition, the mirror traffic may contain incomplete data, which affects the determination of the data characteristics; in that case the preprocessing module may supplement part of the specific content from the data already present in the mirror traffic, for example by looking up the corresponding service domain name information by associating the IP address corresponding to the target device with a DNS library and supplementing that service domain name information into the mirror traffic, so that the mirror traffic is completed and the data characteristics corresponding to the target device can later be determined accurately. In addition, the preprocessing operation performed by the preprocessing module in this embodiment may also perform noise reduction on the mirror traffic and filter out extra data, for example some interfering data or data that does not contribute to the determination process, so as to avoid misjudgement caused by the extra data.
In one embodiment of the present application, the electronic device further includes an update module configured to:
and under the condition that the data characteristics corresponding to the target equipment are changed and the change degree exceeds a preset change range, updating the preset behavior model based on the changed data characteristics.
Specifically, in the use process of the network, the data traffic flowing through the first network device may change (for example, the data traffic changes along with the change of the service of the network), so that the obtained mirror traffic may change, and the data characteristics may also change.
The above embodiments are only exemplary embodiments of the present application, and are not intended to limit the present application, and the protection scope of the present application is defined by the claims. Various modifications and equivalents may be made by those skilled in the art within the spirit and scope of the present application and such modifications and equivalents should also be considered to be within the scope of the present application.

Claims (10)

1. A network-based information processing method, comprising:
sending a request command to a first network device, so that the first network device responds to the request command, generates corresponding mirror image traffic based on data flow flowing through the first network device, and sends the mirror image traffic;
receiving the mirror image flow, and acquiring data characteristics corresponding to target equipment in a network based on the mirror image flow;
determining an operating system of the target device based on the data characteristics;
and inputting the operating system and the data characteristics into a preset behavior model so as to determine the asset information of the corresponding target equipment based on the preset behavior model.
2. The method of claim 1, wherein the data characteristics comprise one or more of: service information, resource update information, and first relationship information representing the relationship between traffic and time.
3. The method according to claim 2, wherein the receiving the mirror traffic and obtaining the data characteristics corresponding to the target device in the network based on the mirror traffic comprises:
acquiring address information and communication protocol information corresponding to the target equipment based on the mirror image flow;
and comparing the address information and the communication protocol information with a preset rule base, and acquiring service information corresponding to the target equipment according to a comparison result.
4. The method of claim 2, wherein the data feature further comprises program installation information, and wherein determining the operating system of the target device based on the data feature comprises:
determining an operating system of the target device based at least on the program installation mode information and the resource update information.
5. The method of claim 2, wherein the inputting the operating system and the data characteristics into a predetermined behavior model to determine asset information of the corresponding target device based on the predetermined behavior model comprises:
inputting the operating system, the first relationship information and the service information of the target device into the preset behavior model, so that the preset behavior model determines the corresponding asset information of the target device based on the derivation relationship between the data features and the output conclusion in the preset behavior model on the basis of the determined operating system.
6. The method according to any one of claims 1 to 5, wherein the target device comprises a terminal device and a server device;
the service information comprises file transfer service information, a DNS resolution service, a WEB access service and an instant messaging service.
7. The method of claim 2, further comprising:
performing a preprocessing operation on the received mirror traffic, wherein,
the preprocessing operation comprises the following steps:
converting the data format of the mirror image flow to enable the data in the mirror image flow to accord with a preset format standard;
acquiring service domain name information through address information corresponding to the target device, and supplementing the service domain name information into the mirror image flow;
and filtering out extra data in the mirror flow.
8. The method of claim 1, further comprising:
and under the condition that the data characteristics corresponding to the target equipment are changed and the change degree exceeds a preset change range, updating the preset behavior model based on the changed data characteristics.
9. An electronic device, comprising:
the request module is configured to send a request command to a first network device, so that the first network device responds to the request command, generates corresponding mirror image traffic based on data flow flowing through the first network device, and sends out the mirror image traffic;
the acquisition module is configured to receive the mirror image flow and acquire data characteristics corresponding to target equipment in a network based on the mirror image flow;
a processing module configured to determine an operating system of the target device based on the data characteristics; and inputting the operating system and the data characteristics into a preset behavior model so as to determine the asset information of the corresponding target equipment based on the preset behavior model.
10. The electronic device of claim 9, wherein the data characteristics comprise one or more of: service information, resource update information, and first relationship information representing the relationship between traffic and time.
CN202010102379.2A 2020-02-19 2020-02-19 Information processing method based on network and electronic equipment Active CN111343167B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010102379.2A CN111343167B (en) 2020-02-19 2020-02-19 Information processing method based on network and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010102379.2A CN111343167B (en) 2020-02-19 2020-02-19 Information processing method based on network and electronic equipment

Publications (2)

Publication Number Publication Date
CN111343167A true CN111343167A (en) 2020-06-26
CN111343167B CN111343167B (en) 2022-08-12

Family

ID=71181707

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010102379.2A Active CN111343167B (en) 2020-02-19 2020-02-19 Information processing method based on network and electronic equipment

Country Status (1)

Country Link
CN (1) CN111343167B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050027806A1 (en) * 2003-07-28 2005-02-03 Schunemann Alan J. Network asset tracker for identifying users of networked computers
CN102947801A (en) * 2010-05-20 2013-02-27 埃森哲环球服务有限公司 Malicious attack detection and analysis
US20170048312A1 (en) * 2015-08-12 2017-02-16 Brocade Communications Systems, Inc. Sdn-based mirroring of traffic flows for in-band network analytics
US20190190851A1 (en) * 2017-12-14 2019-06-20 Industrial Technology Research Institute Method and device for monitoring traffic in a network
CN109995582A (en) * 2019-03-13 2019-07-09 北京国舜科技股份有限公司 Asset equipment management system and method based on real-time status
CN110113345A (en) * 2019-05-13 2019-08-09 四川长虹电器股份有限公司 A method of the assets based on Internet of Things flow are found automatically
CN110311931A (en) * 2019-08-02 2019-10-08 杭州安恒信息技术股份有限公司 Assets automatic discovering method and device
CN110661669A (en) * 2019-10-11 2020-01-07 云南电网有限责任公司德宏供电局 Network topology automatic discovery method of network equipment based on ICMP, TCP and UDP protocols

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114866286A (en) * 2022-04-07 2022-08-05 水利部信息中心 Method for combing shadow assets based on network flow
CN114866286B (en) * 2022-04-07 2023-10-27 水利部信息中心 Method for carding shadow asset based on network flow

Also Published As

Publication number Publication date
CN111343167B (en) 2022-08-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant