CN111654486A - Server equipment judgment and identification method - Google Patents

Server equipment judgment and identification method

Info

Publication number
CN111654486A
Authority
CN
China
Prior art keywords
server
flow
address
network
equipment
Prior art date
Legal status
Pending
Application number
CN202010456642.8A
Other languages
Chinese (zh)
Inventor
蔡伟彬
黄跃珍
郭晓冬
高才
唐锡南
Current Assignee
Nanjing Clearcloud Software Technology Co ltd
Original Assignee
Nanjing Clearcloud Software Technology Co ltd
Priority date
2020-05-26
Filing date
2020-05-26
Publication date
2020-09-11

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L49/00 Packet switching elements
    • H04L49/20 Support for services
    • H04L49/208 Port mirroring
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/163 In-band adaptation of TCP data exchange; In-band control procedures

Abstract

The invention relates to a method for judging and identifying server equipment. Server and user network traffic is received through a bypass mirror port of a switch, the TCP traffic is separated out, and key features are extracted from it for behaviour judgment. From these features the behaviour pattern of every IP in the whole network is judged in four respects: IP address classification, open service ports, traffic direction and the number of successfully established communications. Aggregating and filtering on these four behaviour patterns decides whether an IP is a server IP. Because the judgment uses the real daily traffic of the whole network, servers are identified accurately, which improves the present situation in full-traffic network analysis where server IPs are hard to judge and identify reliably. Compared with manual configuration of server addresses, automatic identification by a program is more intelligent and more accurate, and network security is supervised.

Description

Server equipment judgment and identification method
Technical Field
The invention relates to the technical field of network equipment safety management, in particular to a server equipment judgment and identification method.
Background
A server is a high-performance computer; as a node of the network it is also called the soul of the network, storing and processing 80% of the data and information on the network. The term server also refers to computer software that manages resources and provides services to users, and such servers are generally classified into file servers, database servers and application servers. Compared with an ordinary PC, a server has higher requirements on stability, security, performance and the like, so its hardware, such as the CPU, chipset, memory, disk system and network, differs from that of an ordinary computer, and it is superior in processor quality and data performance. People generally cannot easily see a real server, because servers are usually placed in a protected machine room to which unauthorised persons have no access. The data of the websites browsed every day resides on servers, and servers play a vital role in the field of computer networks.
At present, server identification mainly relies on manual registration, so servers built privately in the network without authorisation, and servers that have been reinstalled or assigned new network addresses, cannot be discovered. This lowers network security and leaves potential safety hazards.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a server equipment judgment and identification method whose identification does not depend on manual registration, which avoids the problem that a server built privately in the network, or one whose system has been reinstalled or which has been assigned a new network address, is hard to discover, and which identifies rapidly and with high accuracy.
The abbreviations used in the following are explained as follows: TCP (Transmission Control Protocol message), dip (destination address), dport (destination port), inbyte (traffic actually sent by the source address), outbyte (traffic actually sent by the destination address) and flow (number of successful communications).
In order to achieve the purpose, the invention adopts the following technical scheme.
A server equipment judgment and identification method specifically comprises the following steps:
step S1: acquire the current network traffic data through a switch mirror port and separate out the TCP traffic information, which serves as the basic data for analysing the characteristic behaviour pattern of each IP in the network;
step S2: from the TCP traffic obtained in step S1, derive the behaviour pattern of each IP, which specifically comprises its IP address classification, open service ports, traffic direction and number of successfully established communications;
step S3: filter on the four behaviour patterns of step S2: first extract the intranet IPs that have successfully established communication anywhere in the whole network; then, on that basis, identify open service ports and use the TCP traffic information to identify and retain the IP pairs in which communication with a server port succeeded; finally, judge the traffic direction of each remaining IP, retaining only those where other IPs access the server port of the IP under examination;
step S4: analyse and compare the traffic characteristic data of the IPs and ports retained by the filtering: check whether, within the same period, the candidate server IP established successful communications more often than a terminal IP does, and whether the traffic output by the candidate server IP in that period exceeds the traffic flowing into it from terminals; if either condition is met, the equipment at that IP is judged to be server equipment, and finally the IP address and equipment type of the server equipment are separated out of the data records to obtain the server equipment's IP address and equipment type.
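The four steps above, worked through as an added Python example (this is not code from the patent or its applicant). The flow records are constructed sample data in the patent's field set (dip, dport, inbyte, outbyte, flow, plus the source IP and a three-way-handshake flag); the intranet ranges, the port-to-service table and the baseline used for the "more successful communications than a terminal" comparison are assumptions, because the patent leaves them open.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: private ranges stand in for the deployment's intranet segments, which the patent leaves open.
INTRANET = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Assumption: a small well-known-port table for the service classes the patent names.
SERVER_PORTS = {
    80: "web", 443: "web", 8080: "web",
    3306: "database", 5432: "database", 1433: "database",
    53: "dns",
    25: "mail", 143: "mail", 993: "mail",
}

# Constructed TCP flow records, one per (source IP, destination IP, destination port), in the patent's
# field set: inbyte = bytes the source actually sent, outbyte = bytes the destination actually sent,
# handshake = three-way handshake completed, flow = number of successfully established communications.
FLOWS = [
    # several terminals reach 10.0.0.5:443 and receive far more than they send: a web server
    {"sip": "10.0.1.10", "dip": "10.0.0.5", "dport": 443, "inbyte": 1200, "outbyte": 48000, "handshake": True, "flow": 12},
    {"sip": "10.0.1.11", "dip": "10.0.0.5", "dport": 443, "inbyte": 900, "outbyte": 35000, "handshake": True, "flow": 8},
    {"sip": "10.0.1.12", "dip": "10.0.0.5", "dport": 443, "inbyte": 1500, "outbyte": 52000, "handshake": True, "flow": 15},
    # a terminal browsing a public site: the destination is outside the intranet, so it is never a candidate
    {"sip": "10.0.1.10", "dip": "203.0.113.7", "dport": 443, "inbyte": 3000, "outbyte": 90000, "handshake": True, "flow": 20},
    # an unregistered host answering on 3306 to two peers: the case manual registration misses
    {"sip": "10.0.1.20", "dip": "10.0.2.9", "dport": 3306, "inbyte": 400, "outbyte": 20000, "handshake": True, "flow": 5},
    {"sip": "10.0.1.21", "dip": "10.0.2.9", "dport": 3306, "inbyte": 300, "outbyte": 18000, "handshake": True, "flow": 4},
    # a workstation contacted once on port 80 by a single peer that uploads to it: no server-like behaviour
    {"sip": "10.0.1.41", "dip": "10.0.1.40", "dport": 80, "inbyte": 5000, "outbyte": 200, "handshake": True, "flow": 1},
    # a probe that never completed the handshake: not a successful communication
    {"sip": "10.0.1.30", "dip": "10.0.3.3", "dport": 80, "inbyte": 60, "outbyte": 0, "handshake": False, "flow": 0},
]


def is_intranet(ip):
    """IP address classification (S2/S3): is the address inside one of the intranet segments?"""
    addr = ip_address(ip)
    return any(addr in net for net in INTRANET)


def aggregate_candidates(flows):
    """S3: keep completed, intranet-destined flows on server ports and aggregate them per
    (dip, dport), which makes the direction 'other IPs -> dip:dport' explicit."""
    agg = {}
    for f in flows:
        if not f["handshake"] or f["flow"] == 0:
            continue                      # no successfully established communication
        if not is_intranet(f["dip"]):
            continue                      # only intranet IPs are examined
        if f["dport"] not in SERVER_PORTS:
            continue                      # port open service check
        c = agg.setdefault((f["dip"], f["dport"]), {"peers": {}, "inbyte": 0, "outbyte": 0})
        c["peers"][f["sip"]] = c["peers"].get(f["sip"], 0) + f["flow"]
        c["inbyte"] += f["inbyte"]
        c["outbyte"] += f["outbyte"]
    return agg


def is_server_behaviour(c):
    """S4: either condition suffices. Assumption: the terminal baseline for the connection-count
    condition is the single busiest peer, i.e. the candidate serves more connections than any one
    terminal directs at it."""
    total_flows = sum(c["peers"].values())
    busiest_terminal = max(c["peers"].values())
    more_connections = total_flows > busiest_terminal
    more_output = c["outbyte"] > c["inbyte"]   # server sends more than terminals send to it
    return more_connections or more_output


def identify_servers(flows):
    """Return {server IP: sorted [(port, service class), ...]} for the IPs judged to be servers."""
    result = defaultdict(list)
    for (dip, dport), c in aggregate_candidates(flows).items():
        if is_server_behaviour(c):
            result[dip].append((dport, SERVER_PORTS[dport]))
    return {ip: sorted(ports) for ip, ports in result.items()}


if __name__ == "__main__":
    for ip, services in identify_servers(FLOWS).items():
        print(ip, services)
```

On the constructed records the 10.0.0.5 web server and the unregistered 10.0.2.9 database host are reported; the public destination, the incomplete probe and the single-peer workstation are all rejected at the step the patent's filtering would reject them.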
As a further improvement of the present invention, in step S1 a bypass detection acquisition mode is adopted to obtain the network traffic from the switch mirror port.
This ensures that the data is real and real-time and that comprehensive, detailed traffic information is obtained without affecting the performance of the backbone network.
As a further improvement of the present invention, the TCP traffic information in step S1 includes the destination address (dip), the destination port (dport), the traffic actually sent by the source address (inbyte), the traffic actually sent by the destination address (outbyte), the direction of the traffic, whether the three-way handshake was successfully established, and the number of successful communications (flow).
As a further improvement of the present invention, the filtering in step S3 includes classifying the IP addresses, that is, extracting the IP addresses used in the intranet; the open services referred to by open server ports include web services, database services, DNS services, mail services and the like.
As a further improvement of the present invention, in step S3 the traffic direction is judged from a triplet extracted from the TCP protocol, consisting of the source IP, the destination IP and the destination port.
As a further improvement of the invention, the IP address information extracted for the intranet consists of the intranet segment and the IP addresses of the associated public network segment.
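How these fields can be derived from mirrored packets, as an added example (this is not the patent's implementation): connections are tracked from the SYN so that the initiating side is known, the three-way handshake is recognised from the SYN, SYN-ACK, ACK sequence, payload bytes are attributed to inbyte or outbyte by side, and connections are then aggregated per (source IP, destination IP, destination port) into records carrying the direction, the handshake result and the successful communication count. The packet list is constructed sample data; the tuple layout and the flag strings are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed sample packets (not a real capture): (src, sport, dst, dport, tcp_flags, payload_len).
# Assumption: flags are spelled S, SA, A, PA, RA as in common packet-dissector output.
PACKETS = [
    # connection 1: client 10.0.1.10 completes a handshake with 10.0.0.5:443 and exchanges data
    ("10.0.1.10", 50000, "10.0.0.5", 443, "S", 0),
    ("10.0.0.5", 443, "10.0.1.10", 50000, "SA", 0),
    ("10.0.1.10", 50000, "10.0.0.5", 443, "A", 0),
    ("10.0.1.10", 50000, "10.0.0.5", 443, "PA", 300),
    ("10.0.0.5", 443, "10.0.1.10", 50000, "PA", 4000),
    # connection 2: a second connection from the same client to the same service
    ("10.0.1.10", 50001, "10.0.0.5", 443, "S", 0),
    ("10.0.0.5", 443, "10.0.1.10", 50001, "SA", 0),
    ("10.0.1.10", 50001, "10.0.0.5", 443, "A", 0),
    ("10.0.1.10", 50001, "10.0.0.5", 443, "PA", 200),
    ("10.0.0.5", 443, "10.0.1.10", 50001, "PA", 2500),
    # connection 3: SYN to a closed port answered with RST: no successful communication
    ("10.0.1.30", 40000, "10.0.3.3", 80, "S", 0),
    ("10.0.3.3", 80, "10.0.1.30", 40000, "RA", 0),
    # a stray mid-stream segment whose SYN was never mirrored: direction unknown, so it is ignored
    ("10.0.9.9", 1234, "10.0.8.8", 22, "PA", 100),
]


@dataclass
class Conn:
    """One TCP connection, created at the SYN so the initiator (source) side is known."""
    sip: str
    sport: int
    dip: str
    dport: int
    state: str = "SYN"      # SYN -> SYNACK -> ESTABLISHED
    inbyte: int = 0         # payload bytes sent by the initiator (source address)
    outbyte: int = 0        # payload bytes sent by the destination address


def track_connections(packets):
    """Follow every connection from its SYN; a bare ACK from the initiator after the SYN-ACK
    marks the three-way handshake as complete (piggybacked data on that ACK is not modelled)."""
    conns = {}
    for src, sport, dst, dport, flags, length in packets:
        if flags == "S":
            conns[(src, sport, dst, dport)] = Conn(src, sport, dst, dport)
            continue
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in conns:
            c, from_initiator = conns[fwd], True
        elif rev in conns:
            c, from_initiator = conns[rev], False
        else:
            continue                      # no SYN seen: cannot tell which side is the server
        if flags == "SA" and not from_initiator and c.state == "SYN":
            c.state = "SYNACK"
        elif flags == "A" and from_initiator and c.state == "SYNACK":
            c.state = "ESTABLISHED"
        if from_initiator:
            c.inbyte += length
        else:
            c.outbyte += length
    return list(conns.values())


def build_flow_records(packets):
    """Aggregate connections into the patent's flow records keyed by the (sip, dip, dport) triplet."""
    records = {}
    for c in track_connections(packets):
        r = records.setdefault((c.sip, c.dip, c.dport), {
            "sip": c.sip, "dip": c.dip, "dport": c.dport,
            "direction": f"{c.sip} -> {c.dip}:{c.dport}",
            "handshake": False, "flow": 0, "inbyte": 0, "outbyte": 0,
        })
        if c.state == "ESTABLISHED":
            r["handshake"] = True         # at least one three-way handshake succeeded
            r["flow"] += 1                # number of successful communications
        r["inbyte"] += c.inbyte
        r["outbyte"] += c.outbyte
    return list(records.values())


if __name__ == "__main__":
    for rec in build_flow_records(PACKETS):
        print(rec)
```

Keying connections on the SYN is what makes the direction field trustworthy: a segment seen without its SYN cannot be attributed to a client or server side, so it is dropped rather than guessed, and the reset probe ends with handshake false and a flow count of zero, which is exactly the record the later filtering discards.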
Owing to the application of the above technical scheme, the invention has the following beneficial effects. Because the bypass detection acquisition mode is used to obtain network traffic from the switch mirror port, comprehensive and detailed traffic information is acquired without affecting the performance of the backbone network, while the reality and real-time nature of the data are guaranteed. Compared with existing manual judgment, the server equipment judgment and identification method based on bypass full network traffic decides whether an IP is a server equipment IP by comprehensively analysing it against the judgment conditions, combining IP address classification, open service ports, traffic direction and the number of successfully established communications. This improves the present situation in which servers in the whole network are hard to identify accurately, allows efficient and rapid identification, is more intelligent and more accurate than manual registration identification, and achieves a supervisory effect on network security.
Detailed Description
The present invention will be described in further detail with reference to specific examples.
A server equipment judgment and identification method specifically comprises the following steps:
step S1: acquire the current network traffic data through a switch mirror port and separate out the TCP traffic information, which serves as the basic data for analysing the characteristic behaviour pattern of each IP in the network;
step S2: from the TCP traffic obtained in step S1, derive the behaviour pattern of each IP, which specifically comprises its IP address classification, open service ports, traffic direction and number of successfully established communications;
step S3: filter on the four behaviour patterns of step S2: first extract the intranet IPs that have successfully established communication anywhere in the whole network; then, on that basis, identify open service ports and use the TCP traffic information to identify and retain the IP pairs in which communication with a server port succeeded; finally, judge the traffic direction of each remaining IP, retaining only those where other IPs access the server port of the IP under examination;
step S4: analyse and compare the traffic characteristic data of the IPs and ports retained by the filtering: check whether, within the same period, the candidate server IP established successful communications more often than a terminal IP does, and whether the traffic output by the candidate server IP in that period exceeds the traffic flowing into it from terminals; if either condition is met, the equipment at that IP is judged to be server equipment, and finally the IP address and equipment type of the server equipment are separated out of the data records to obtain the server equipment's IP address and equipment type.
In step S1, the bypass detection acquisition mode is used to obtain the network traffic from the switch mirror port, so that the performance of the backbone network is not affected, the data is real and real-time, and comprehensive, detailed traffic information is obtained. The TCP traffic information in step S1 includes the destination address (dip), the destination port (dport), the traffic actually sent by the source address (inbyte), the traffic actually sent by the destination address (outbyte), the direction of the traffic, whether the three-way handshake was successfully established, and the number of successful communications (flow). The filtering in step S3 includes classifying the IP addresses, that is, extracting the IP addresses used in the intranet; the open services referred to by open server ports include web services, database services, DNS services, mail services and the like. In step S3, the traffic direction is judged from a triplet extracted from the TCP protocol, consisting of the source IP, the destination IP and the destination port. The IP address information extracted for the intranet consists of the intranet segment and the IP addresses of the associated public network segment.
The identification method of the invention combines IP address classification, open service ports, traffic direction and number of successful communications in a comprehensive analysis to judge whether a piece of equipment is a server, and uses the real daily traffic of the whole network to judge servers accurately. This improves the present situation in full-traffic network analysis where server IPs are hard to judge and identify accurately; compared with manual configuration of server addresses, automatic identification by a program is more intelligent and more accurate, and plays a role in monitoring network security. When the open port is a common web service port such as 80 or 443, the IP is retained and filtered further. In addition, the traffic characteristics specific to a server are that the number of source IP addresses that successfully establish communication with it is larger than for an ordinary terminal, and that the traffic it outputs is larger than the traffic generated by an ordinary terminal's communication.
The above is only a specific application example of the present invention, and the protection scope of the present invention is not limited in any way. All the technical solutions formed by equivalent transformation or equivalent replacement fall within the protection scope of the present invention.

Claims (6)

1. A server equipment judgment and identification method, characterized by comprising the following steps:
step S1: acquire the current network traffic data through a switch mirror port and separate out the TCP traffic information, which serves as the basic data for analysing the characteristic behaviour pattern of each IP in the network;
step S2: from the TCP traffic obtained in step S1, derive the behaviour pattern of each IP, which specifically comprises its IP address classification, open service ports, traffic direction and number of successfully established communications;
step S3: filter on the four behaviour patterns of step S2: first extract the intranet IPs that have successfully established communication anywhere in the whole network; then, on that basis, identify open service ports and use the TCP traffic information to identify and retain the IP pairs in which communication with a server port succeeded; finally, judge the traffic direction of each remaining IP, retaining only those where other IPs access the server port of the IP under examination;
step S4: analyse and compare the traffic characteristic data of the IPs and ports retained by the filtering: check whether, within the same period, the candidate server IP established successful communications more often than a terminal IP does, and whether the traffic output by the candidate server IP in that period exceeds the traffic flowing into it from terminals; if either condition is met, the equipment at that IP is judged to be server equipment, and finally the IP address and equipment type of the server equipment are separated out of the data records to obtain the server equipment's IP address and equipment type.
2. The server equipment judgment and identification method according to claim 1, characterized in that: in step S1, the bypass detection acquisition mode is used to obtain the network traffic from the switch mirror port.
3. The server equipment judgment and identification method according to claim 1, characterized in that: the TCP traffic information in step S1 includes the destination address (dip), the destination port (dport), the traffic actually sent by the source address (inbyte), the traffic actually sent by the destination address (outbyte), the direction of the traffic, whether the three-way handshake was successfully established, and the number of successful communications (flow).
4. The server equipment judgment and identification method according to claim 1, characterized in that: the filtering in step S3 includes classifying the IP addresses, that is, extracting the IP addresses used in the intranet; the open services referred to by open server ports include web services, database services, DNS services, mail services and the like.
5. The server equipment judgment and identification method according to claim 1, characterized in that: in step S3, the traffic direction is judged from a triplet extracted from the TCP protocol, consisting of the source IP, the destination IP and the destination port.
6. The server equipment judgment and identification method according to claim 1, characterized in that: the IP address information extracted for the intranet consists of the intranet segment and the IP addresses of the associated public network segment.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010456642.8A CN111654486A (en) 2020-05-26 2020-05-26 Server equipment judgment and identification method

Publications (1)

Publication Number Publication Date
CN111654486A true CN111654486A (en) 2020-09-11

Family

ID=72342931

Country Status (1)

Country Link
CN (1) CN111654486A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080304423A1 (en) * 2007-06-06 2008-12-11 Mike Chuang Network traffic monitoring in a server network environment
US8102783B1 (en) * 2009-02-04 2012-01-24 Juniper Networks, Inc. Dynamic monitoring of network traffic
CN106357620A (en) * 2016-08-27 2017-01-25 浙江远望信息股份有限公司 Method of intelligent recognition of servers
CN109587179A (en) * 2019-01-28 2019-04-05 南京云利来软件科技有限公司 A kind of SSH agreement behavior pattern recognition and alarm method based on bypass network full flow

Non-Patent Citations (1)

Title
杨敬民等编著: "《无线网络技术原理、实验与网络设计》", 31 December 2018, 厦门大学出版社 *

Cited By (4)

Publication number Priority date Publication date Assignee Title
CN112636980A (en) * 2020-12-25 2021-04-09 平安科技(深圳)有限公司 Resource quantity determination method and device, electronic equipment and related products
CN112636980B (en) * 2020-12-25 2022-06-28 平安科技(深圳)有限公司 Resource quantity determining method and device, electronic equipment and related products
CN113239968A (en) * 2021-04-15 2021-08-10 国家计算机网络与信息安全管理中心 Method, device, computer storage medium and terminal for realizing server classification
CN115174521A (en) * 2022-06-09 2022-10-11 浙江远望信息股份有限公司 NAT subnet discovery method based on domain name resolution protocol analysis

Similar Documents

Publication Publication Date Title
CN111935170B (en) Network abnormal flow detection method, device and equipment
CN111654486A (en) Server equipment judgment and identification method
US10547674B2 (en) Methods and systems for network flow analysis
CN110120948B (en) Illegal external connection monitoring method based on wireless and wired data stream similarity analysis
US20060212942A1 (en) Semantically-aware network intrusion signature generator
CN101924757A (en) Method and system for reviewing Botnet
CN106789242B (en) Intelligent identification application analysis method based on mobile phone client software dynamic feature library
CN111683097A (en) Cloud network flow monitoring system based on two-stage architecture
CN111885106A (en) Internet of things safety management and control method and system based on terminal equipment characteristic information
CN110958231A (en) Industrial control safety event monitoring platform and method based on Internet
CN114598499B (en) Network risk behavior analysis method combined with business application
CN110677327A (en) Chip-based real-time detection method for RTP flow fault
CN104021348A (en) Real-time detection method and system of dormant P2P (Peer to Peer) programs
CN106357620A (en) Method of intelligent recognition of servers
CN109474529B (en) Method for feeding back terminal network associated data
CN111224891B (en) Flow application identification system and method based on dynamic learning triples
CN109922083A (en) A kind of network protocol flow control system
CN112822683B (en) Method for detecting illegal external connection by using mobile network
CN111614611B (en) Network security auditing method and device for power grid embedded terminal
CN113807373B (en) Traffic identification method and device, equipment and storage medium
CN110620682B (en) Resource information acquisition method and device, storage medium and terminal
CN101478406A (en) Method for real-time monitoring network operation behavior of remote user
CN113037551A (en) Quick identification and positioning method for sensitive-related services based on traffic slice
CN107592214B (en) Method for identifying login user name of internet application system
KR100501210B1 (en) Intrusion detection system and method based on kernel module in security gateway system for high-speed intrusion detection on network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200911