CN112003758A - Method for identifying object characteristics in network space mapping process - Google Patents
- Publication number: CN112003758A
- Application number: CN201910598426.4A
- Authority
- CN
- China
- Prior art keywords
- port
- scanning
- network segment
- protocol
- data packet
- Legal status: Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/18—Protocol analysers
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
Abstract
The invention provides a method for identifying object characteristics in a network space mapping process, which comprises the following steps: firstly, scanning an IP global network segment to obtain an open port of the IP network segment; secondly, analyzing the open port of the IP network segment obtained by scanning, and predefining a communication protocol of the open port; thirdly, sending a specific data packet to the open port according to a predefined communication protocol of the open port; and fourthly, judging the characteristic information of the specific port server according to the feedback condition of the port. The method of the invention reduces the overall time and system resource consumption in the network space mapping process.
Description
Technical Field
The invention belongs to the field of network space mapping, and particularly relates to a method for identifying object features in a network space mapping process.
Background
Network space mapping is a form of network asset management, and all port information, corresponding software and hardware information of an IP network segment are obtained by scanning all or a specific IP network segment, so that a basic basis is provided for a mapper to obtain the general appearance characteristics of the IP network segment.
In the process of network space mapping, after an open port of an IP network segment is obtained by scanning, software and hardware information corresponding to the port needs to be acquired, which requires that a communication protocol used by a network port is known first.
CN102546625A discloses a protocol identification method of semi-supervised clustering integration, which comprises collecting data packets in a network; analyzing the received network data, extracting each field of the data packet, and counting; matching the feature codes of the network data obtained after analyzing the network data with the feature codes preset in a database, and if the matching is successful, indicating that the data packet is a corresponding protocol; clustering analysis is carried out on data which cannot be successfully matched, a plurality of base clustering devices are used for clustering data packets, the result is fed back, and the prior label value is modified; and performing semi-supervised statistical learning on the result of clustering the network data packet and the known protocols to train a discriminant learner. The invention improves the protocol recognition rate.
CN107404492A discloses a method for identifying equipment in a communication network, relating to the field of network communication, which comprises S1: equipment connected to a port of a switch periodically sends a protocol message to the other ports of the switch that are in the Link up state, the protocol message containing a specific target MAC address and a private Ethernet type; S2: a port in the Link up state receives the protocol message and forwards it to the CPU of the switch; S3: the CPU analyzes the protocol message and judges whether the protocol content in the message data conforms to the identification characteristics of authenticated equipment, the protocol content comprising the message format, the protocol type and the MAC address of the equipment that sent the message; if so, the sending port is set to the Forwarding state and the equipment connected to it is identified as authenticated equipment; if not, the sending port is set to the Block state. That invention judges whether equipment is authenticated by sending a specific protocol message.
Both of the above inventions determine a certain state of a device by detecting data packets, but neither provides a method for recognizing the features of software and hardware objects in a network in a network space mapping environment.
Disclosure of Invention
The invention provides a method for identifying object characteristics in a network space mapping process, which comprises the following steps: firstly, scanning an IP global network segment to obtain an open port of the IP network segment; secondly, analyzing the open port of the IP network segment obtained by scanning, and predefining a communication protocol of the open port; thirdly, sending a specific data packet to the open port according to a predefined communication protocol of the open port; and fourthly, judging the characteristic information of the specific port server according to the feedback condition of the port.
The IP global network segment is scanned in a high-concurrency scanning mode; alternatively, the concurrent scanning of the IP global network segment is based on a distributed architecture, in which a scanning task is decomposed and distributed to suitable processing resources, so that distributed scanning is realized across a plurality of nodes of the IP global network segment; distributed scanning is performed concurrently with distributed processing and distributed data storage.
The feedback condition of the port is either no feedback or feedback. In the case of no feedback, a further specific data packet is sent and the feedback condition of the port is detected again; in the case of feedback, the composition of the returned data packet is analyzed and the characteristic information of the server is acquired.
The open port of the IP network segment obtained by scanning is compared with a port-protocol predefined database, and one or more communication protocols are predefined for that open port.
Each port in the port-protocol predefined database has a plurality of corresponding protocols, and these protocols have different priorities.
After a data packet is sent, a countdown timer is started; if no data packet has been fed back when the countdown ends, the next specific data packet is sent according to the protocol priority sequence.
The invention has the beneficial effects that:
1) By sending different data packets and receiving the responses, the object characteristics in the network can be accurately identified.
2) By comparison with local data, protocols with different priorities are preset for the objects in the network and tried in sequence, which avoids sending protocol probes at random and saves the time needed to determine communication protocols during network space mapping.
3) By sending the data packets one after another in turn, the communication protocols of all ports can be accurately determined while time is saved.
The invention not only completes the confirmation of the port communication protocol but also saves considerable time.
Drawings
FIG. 1 is a flow chart of the method of the present invention;
FIG. 2 is a schematic diagram of a data packet transmitted according to the present invention;
FIG. 3 is a diagram of a received packet according to the present invention.
Detailed Description
FIG. 1 is a flow chart of the method of the present invention. The object feature of the present invention mainly refers to the protocol supported by a port. For example, a remote server opens a port such as 11300, and in some cases it is necessary to know which service that port corresponds to, which protocol it uses, and what the characteristic information of that specific service is. Once this information is obtained, the party concerned can take corresponding measures in a given situation.
To solve this problem, the characteristic information of the server is acquired through the scheme of the invention. For example, suppose we want to extract the server feature information for the ClamAV protocol corresponding to port 3310. From the protocol's public documentation we know that we need to send the packet nVERSION\n, and the server will return its version information, for example ClamAV 0.97.5\n, so we obtain the server version information. The aim is to obtain the feature information of every server for all the services contained in assets around the world.
If a data packet is sent to the IP port whose feature information we want to obtain and the remote server does not feed back a data packet, this means that the port opened by the remote server is not running the service we want, in which case we can directly close the network connection and do no further processing. However, this way of working is not always effective: when trying to send a packet, feedback may sometimes be obtained and sometimes not, which brings about problems of low efficiency, incomplete data, and heavy consumption of system resources.
The invention is mainly suited to network space mapping and can also be applied in other settings. Referring to FIG. 1, the process of the present invention mainly comprises the following four steps: firstly, scanning an IP global network segment to obtain an open port of the IP network segment; secondly, analyzing the open port of the IP network segment obtained by scanning, and predefining a communication protocol of the open port; thirdly, sending a specific data packet to the open port according to a predefined communication protocol of the open port; and fourthly, judging the characteristic information of the specific port server according to the feedback condition of the port.
In the first step, because the number of IP global network segments is very large, they can be scanned in a highly concurrent manner. Concurrent scanning based on a distributed architecture can also be adopted: in the distributed architecture, a scanning task is decomposed and distributed to suitable processing resources, so that distributed scanning is realized across a plurality of nodes of the IP global network segment; distributed scanning is performed concurrently with distributed processing and distributed data storage. High concurrency and the distributed architecture effectively reduce the time consumed by scanning, and the high-concurrency mode allows the network space mapping results to be updated in rotation and in sequence when the system needs periodic scanning, which improves the update speed and gives users better real-time performance; highly concurrent network processing requests are handled independently, with the concurrency level limited only by the configuration of the server, such as its CPU, memory and the like.
In the second step, after the open port of the IP network segment has been determined, the protocol corresponding to a specific port cannot be stated with certainty, but from a big-data perspective some protocols correspond to some ports with higher probability. On this basis, a port-protocol predefined database is established locally, the open port obtained by scanning is compared with this database, and one or more communication protocols are predefined for the open port. Thus the local computer no longer sends test packets blindly but decides which packet to send based on existing big-data results. This reduces the number of test packets that receive no feedback; although the time saved for a single port is limited, the saving is large over an entire IP network segment.
In the third step, the order in which the packets are sent has already been determined, so in this step the packets are sent according to the predefined protocol types. For example, the protocol most likely to correspond to port 11300 is the beanstalk protocol, so the packet shown in FIG. 2 is sent first.
For the data packet of FIG. 2, port 11300 may give no feedback at all, in which case it is most likely that port 11300 does not support the beanstalk protocol, although packet loss may also have occurred. Under the condition of no feedback, the data packet of the next priority is sent according to the protocol priority sequence, until a feedback packet is detected. After a packet is sent, the timer starts counting down. If no feedback is received within the predetermined time, the next-priority packet is sent and the timer restarts. If all the data packets have been sent and no feedback has been received, the data packets can be sent again. After several complete rounds of packets, it may be decided to stop sending packets to that port.
The third step sends the data packet; in the fourth step, if a data packet is fed back, it has to be analyzed. For example, a packet such as that of FIG. 2 is sent to port 11300, and a packet such as that of FIG. 3 is returned from port 11300. In FIG. 2 and FIG. 3, the boxed part is the actual data carried by the packet. This means that the corresponding protocol is the beanstalk protocol. If no data packet is fed back, it is determined that the protocol corresponding to port 11300 is not the beanstalk protocol.
By the method, the invention can determine the protocol types corresponding to the active ports one by one. Under the condition of an IP full network segment, the method can effectively reduce the time for determining the protocol type corresponding to the active port and improve the working efficiency of the system.
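Steps two to four of the method (the port-protocol database with priorities, one probe per priority, the countdown timer, and the fall-through to the next priority when nothing comes back, as described in the Disclosure and in the Detailed Description above) as an added Python example; this is not the patent's own code. Apart from the ClamAV nVERSION\n request and "ClamAV <version>\n" reply taken from the description, the table contents, the beanstalk probe and check, and the local stand-in server are this example's assumptions.

```python
import socket
import threading

# Constructed stand-in for the patent's "port-protocol predefined database":
# per port, candidate protocols in priority order, each with the probe to send
# and a check that the reply carries that protocol's banner. The beanstalk
# probe/check is an assumption; the ClamAV nVERSION\n request and its
# "ClamAV <version>\n" reply are the ones the description gives.
PORT_PROTOCOL_DB = {
    11300: [("beanstalk", b"stats\r\n", lambda r: r.startswith(b"OK ")),
            ("clamav", b"nVERSION\n", lambda r: r.startswith(b"ClamAV "))],
}

def probe_once(host, port, probe, timeout):
    """Send one probe and wait for feedback. Returns the reply bytes, or None
    when the countdown expires (or the connection fails) with no data back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(probe)
            reply = s.recv(4096)  # the countdown: blocks at most `timeout`
    except OSError:  # timed out, refused or reset: all count as no feedback
        return None
    return reply or None  # a bare EOF carries no feature information either

def identify(host, port, candidates, timeout=0.5, rounds=2):
    """Steps three and four: send the candidates' probes in priority order,
    moving on when the countdown ends without feedback, and re-run the whole
    sequence up to `rounds` times. Returns (protocol, banner), with protocol
    'unknown' when feedback arrives that matches no candidate."""
    for _ in range(rounds):
        for name, probe, matches in candidates:
            reply = probe_once(host, port, probe, timeout)
            if reply is None:
                continue  # no feedback: fall through to the next priority
            return (name if matches(reply) else "unknown", reply)
    return (None, None)  # every round silent: stop sending to this port

def start_fake_server(replies):
    """Constructed local stand-in for a remote service: it answers only the
    probes listed in `replies` and stays silent on anything else (the
    'no feedback' case). Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                data = conn.recv(1024)
                if data in replies:
                    conn.sendall(replies[data])
                else:
                    conn.recv(1024)  # hold the line silently until the prober gives up

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Port 11300's first-priority (beanstalk) probe gets no feedback from a
    service that only speaks ClamAV, so the second-priority probe is sent and
    its reply identifies the service."""
    port = start_fake_server({b"nVERSION\n": b"ClamAV 0.97.5\n"})
    return identify("127.0.0.1", port, PORT_PROTOCOL_DB[11300])

if __name__ == "__main__":
    print(demo())  # ('clamav', b'ClamAV 0.97.5\n')
```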
The foregoing is a more detailed description of the present invention in connection with specific preferred embodiments and is not intended to limit the practice of the invention to these embodiments. For those skilled in the art to which the invention pertains, several simple deductions or substitutions can be made without departing from the spirit of the invention, and all shall be considered as belonging to the protection scope of the invention.
Claims (7)
1. A method for identifying object features in a network space mapping process comprises the following steps:
firstly, scanning an IP global network segment to obtain an open port of the IP network segment;
secondly, analyzing the open port of the IP network segment obtained by scanning, and predefining a communication protocol of the open port;
thirdly, sending a data packet corresponding to a specific protocol to the open port according to a predefined communication protocol of the open port;
and fourthly, judging the characteristic information of the specific port server according to the feedback condition of the port.
2. The method of claim 1, wherein:
the IP global network segment is scanned by adopting a high-concurrency scanning mode.
3. The method of claim 1, wherein:
the concurrent scanning of the IP global network segment is based on a distributed architecture, and in the distributed architecture, after a scanning task is decomposed, the scanning task is distributed to a proper processing resource, so that distributed scanning is realized for a plurality of nodes of the IP global network segment; distributed scanning is performed concurrently with distributed processing, and distributed data storage.
4. The method of claim 1, wherein:
the feedback condition of the port comprises no feedback and feedback; under the condition of no feedback, continuously sending a specific data packet, and detecting the feedback condition of the port; and under the condition of feedback, analyzing the composition of the data packet and acquiring the characteristic information of the server.
5. The method of claim 1, wherein:
a port-protocol predefined database is established locally, the IP network segment open port obtained by scanning is compared with the port-protocol predefined database, and one or more communication protocols are predefined for the IP network segment open port.
6. The method of claim 5, wherein:
each port in the port-protocol predefined database has a plurality of corresponding protocols, the corresponding protocols having different priorities.
7. The method of claim 6, wherein:
after sending the data packet, a countdown timer is started; and if no data packet has been fed back when the countdown is over, the next specific data packet is sent according to the protocol priority sequence.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN2019104440713 | 2019-05-27 | |
CN201910444071 | 2019-05-27 | |
Publications (1)
Publication Number | Publication Date
---|---
CN112003758A (en) | 2020-11-27
Family
ID=73461642
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910598426.4A Pending CN112003758A (en) | 2019-05-27 | 2019-07-04 | Method for identifying object characteristics in network space mapping process |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112003758A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106973071A (en) * | 2017-05-24 | 2017-07-21 | 北京匡恩网络科技有限责任公司 | A kind of vulnerability scanning method and apparatus |
CN107395573A (en) * | 2017-06-30 | 2017-11-24 | 北京航空航天大学 | The detection method and device of a kind of industrial control system |
CN109586947A (en) * | 2018-10-11 | 2019-04-05 | 上海交通大学 | Distributed apparatus information acquisition system and method |
Legal Events
Date | Code | Title | Description
---|---|---|---
 | PB01 | Publication |
 | SE01 | Entry into force of request for substantive examination |