CN112003758A - Method for identifying object characteristics in network space mapping process - Google Patents


Info

Publication number: CN112003758A
Application number: CN201910598426.4A
Authority: CN (China)
Prior art keywords: port, scanning, network segment, protocol, data packet
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Inventors: 赵武, 龙专
Current assignee: Beijing Baimaohui Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Beijing Baimaohui Technology Co ltd
Priority date: 2019-05-27 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2019-07-04
Publication date: 2020-11-27

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/18 Protocol analysers
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers

Abstract

The invention provides a method for identifying object characteristics during network space mapping. It has four steps: first, scan the whole IP address space (the IP global network segment) to find the open ports of each IP network segment; second, analyse each open port found by the scan and predefine the communication protocol(s) it is most likely to speak; third, send a probe packet specific to the predefined protocol to the open port; fourth, determine the feature information of the server behind that port from whether and how the port responds. The method reduces the overall time and system resources consumed by network space mapping.

Description

Method for identifying object characteristics in network space mapping process
Technical Field
The invention belongs to the field of network space mapping and in particular relates to a method for identifying object features during the mapping process.
Background
Network space mapping is a form of network asset management: all or part of an IP address space is scanned to obtain every port of each IP network segment together with the corresponding software and hardware information, which gives the mapper a basic picture of the segment's overall characteristics.
During mapping, once the open ports of an IP network segment have been found by scanning, the software and hardware information behind each port has to be acquired, and that in turn requires first knowing which communication protocol the port speaks.
CN102546625A discloses a protocol identification method based on semi-supervised clustering ensembles: packets are collected from the network; the received data is parsed, each field of the packet is extracted and counted; the feature codes obtained from the parsed data are matched against feature codes preset in a database, and a successful match identifies the packet's protocol; data that cannot be matched is cluster-analysed with several base clusterers, the results are fed back and the prior label values are revised; and semi-supervised statistical learning over the clustered packets and the known protocols trains a discriminative learner. That invention improves the protocol recognition rate.
CN107404492A discloses a method for identifying equipment in a communication network. S1: a device attached to a switch port periodically sends a protocol message to the switch's other ports that are in the Link-up state; the message carries a specific destination MAC address and a private Ethernet type. S2: a port in the Link-up state receives the message and passes it to the switch CPU. S3: the CPU parses the message and checks whether its protocol content (message format, protocol type and the sending device's MAC address) matches the identification features of authenticated equipment; if so, the sending port is set to the Forwarding state and the attached device is treated as authenticated, otherwise the sending port is set to the Block state. That invention decides whether a device is authenticated by having it send a specific protocol message.
Both of these inventions determine some state of a device by inspecting packets, but neither provides a method for recognising the features of software and hardware objects in a network space mapping setting.
Disclosure of Invention
The invention provides a method for identifying object characteristics during network space mapping, comprising: first, scanning the IP global network segment to obtain the open ports of each IP network segment; second, analysing the open ports found by the scan and predefining a communication protocol for each; third, sending a specific probe packet to the open port according to its predefined communication protocol; and fourth, determining the feature information of the server behind the port from the port's feedback condition.
The IP global network segment is scanned in a high-concurrency mode. Alternatively, the concurrent scan is built on a distributed architecture: the scanning task is decomposed and the pieces are assigned to suitable processing resources, so that the many nodes of the IP global network segment are scanned in a distributed way, with distributed scanning, distributed processing and distributed data storage proceeding concurrently.
A port's feedback condition is either no feedback or feedback. With no feedback, the next specific probe packet is sent and the port's feedback is checked again; with feedback, the composition of the returned packet is analysed to obtain the server's feature information.
The open ports found by the scan are looked up in a port-protocol predefined database, and one or more communication protocols are predefined for each open port.
Each port in the port-protocol predefined database has several corresponding protocols, and these protocols carry different priorities.
After a probe packet is sent, a countdown timer is started; if the countdown ends without any packet being fed back, the next specific probe packet is sent in protocol priority order.
The invention has the following beneficial effects:
1) By sending different probe packets and examining the replies, the object characteristics in the network can be identified accurately.
2) Protocols with different priorities are preset for the objects in the network from local data and are tried in that order, so probes are no longer sent at random and the time needed to determine communication protocols during network space mapping is reduced.
3) By sending the probe packets one after another in turn, the communication protocol of every port can be determined accurately while still saving time.
The invention therefore not only confirms the port's communication protocol but also saves considerable time.
Drawings
FIG. 1 is a flow chart of the method of the present invention;
FIG. 2 is a schematic diagram of a data packet transmitted according to the present invention;
FIG. 3 is a schematic diagram of a packet received according to the present invention.
Detailed Description
FIG. 1 is a flow chart of the method. An object feature here mainly means the protocol supported by a port. For example, a remote server may have a port such as 11300 open, and in some cases one needs to know which service that port corresponds to, which protocol it speaks, and what the feature information of that specific service is. With this information, the operator can take appropriate measures in the situation at hand.
To solve this problem, the server's feature information is acquired by the scheme of the invention. For example, to extract the server feature information for the ClamAV protocol on port 3310, the protocol's public documentation says that sending the packet nVERSION\n makes the server return its version information, for example ClamAV 0.97.5\n, from which the server version is obtained. The goal is to obtain such feature information for every server of every service among the assets worldwide.
If a probe packet is sent to the IP port whose feature information is wanted and the remote server returns nothing, the port is not running the service being looked for; in that case the connection can simply be closed and no further processing is done. This approach is not reliable on its own, though: a given probe sometimes gets feedback and sometimes does not, which leads to low efficiency, incomplete data and high consumption of system resources.
The invention is intended mainly for network space mapping but can also be used elsewhere. Referring to FIG. 1, the process has four main steps: first, scanning the IP global network segment to obtain the open ports of each IP network segment; second, analysing the open ports found by the scan and predefining a communication protocol for each; third, sending a specific probe packet to the open port according to its predefined communication protocol; and fourth, determining the feature information of the server behind the port from the port's feedback condition.
In the first step, because the IP global network segment is very large, it is scanned in a highly concurrent manner. Concurrent scanning on a distributed architecture can also be used: the scanning task is decomposed and the pieces are assigned to suitable processing resources, so that the many nodes of the IP global network segment are scanned in a distributed way, with distributed scanning, distributed processing and distributed data storage running concurrently. High concurrency and the distributed architecture cut the time the scan takes; when the system has to rescan periodically, the high-concurrency mode lets mapping results be refreshed in turn, which speeds up updates and gives users more timely data. Each highly concurrent network request is handled independently, so the concurrency level is bounded only by the server's configuration, such as its CPU and memory.
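As an added illustration of this first step (example code written for this page, not part of the patent or of the applicant's scanner): the target space is decomposed into per-node work units, each unit is scanned with a capped number of concurrent TCP connect probes, and the per-node results are merged. The patent does not specify the scanner, the decomposition rule or the probe type, so the contiguous chunking, the connect-based probe, the semaphore cap and the constructed localhost targets in demo() are all assumptions.

```python
import asyncio
import socket
from itertools import product


def decompose(hosts, ports, nodes):
    """Task decomposition: split the (host, port) target space into `nodes`
    contiguous work units of near-equal size, one per scanning node."""
    targets = list(product(hosts, ports))
    size, rem = divmod(len(targets), nodes)
    units, start = [], 0
    for i in range(nodes):
        end = start + size + (1 if i < rem else 0)
        units.append(targets[start:end])
        start = end
    return units


async def connect_probe(host, port, timeout, sem):
    """One TCP connect probe. The semaphore caps connections in flight, which
    is the knob bounded by the scanning node's CPU, memory and descriptors."""
    async with sem:
        try:
            _, writer = await asyncio.wait_for(
                asyncio.open_connection(host, port), timeout)
        except (OSError, asyncio.TimeoutError):
            return None                     # refused, unreachable or filtered
        writer.close()
        try:
            await writer.wait_closed()
        except OSError:
            pass
        return (host, port)


async def scan_unit(unit, max_inflight=256, timeout=0.5):
    """Scan one work unit with up to max_inflight concurrent probes."""
    sem = asyncio.Semaphore(max_inflight)
    hits = await asyncio.gather(*(connect_probe(h, p, timeout, sem) for h, p in unit))
    return [hit for hit in hits if hit]


def scan(hosts, ports, nodes=2, **kw):
    """Run every node's unit concurrently (all in one process here; a real
    deployment ships each unit to its own node) and merge the open ports."""
    async def run_all():
        units = decompose(hosts, ports, nodes)
        per_node = await asyncio.gather(*(scan_unit(u, **kw) for u in units))
        return sorted(set().union(*per_node))
    return asyncio.run(run_all())


def demo():
    """Constructed targets on 127.0.0.1: two listening sockets (open ports) and
    one port that was bound and released just before the scan (closed)."""
    def listener():
        s = socket.socket()
        s.bind(("127.0.0.1", 0))
        s.listen(8)
        return s
    open_socks = [listener(), listener()]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    ports = [s.getsockname()[1] for s in open_socks] + [closed_port]
    try:
        found = scan(["127.0.0.1"], ports, nodes=2, max_inflight=64, timeout=0.5)
    finally:
        for s in open_socks:
            s.close()
    return sorted(ports[:2]), [p for _, p in found]


if __name__ == "__main__":
    print(demo())
```

Running demo() scans all three constructed ports and only the two listeners come back. In a real deployment each unit from decompose() would be handed to a separate node and max_inflight tuned to that node's CPU, memory and file-descriptor limits, which is the bound the paragraph refers to; a connect probe also leaves a full handshake in the target's logs, so a SYN-only scanner is the usual choice at global scale.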
In the second step, once the open ports of an IP network segment are known, the protocol of a given port cannot be stated with certainty, but from a big-data perspective some protocols are much more likely on some ports than others. On that basis a port-protocol predefined database is built locally, the open ports found by the scan are looked up in it, and one or more communication protocols are predefined for each open port. The local scanner then no longer sends test packets blindly but chooses which packet to send from existing big-data results. This reduces the number of test packets that get no feedback; the saving for a single port is small, but across an entire IP network segment it is large.
In the third step, the order in which packets are sent has already been fixed, so packets are sent according to the predefined protocol order. For example, the most probable protocol on port 11300 is beanstalk, so the packet of FIG. 2 is sent first.
Port 11300 may give no feedback to the packet of FIG. 2, in which case it most likely does not support the beanstalk protocol, although the packet may also simply have been lost. With no feedback, the packet of the next protocol in priority order is sent, and so on until a feedback packet is detected. After each packet is sent, a timer starts counting down; if no feedback arrives within the predetermined time, the next-priority packet is sent and the timer restarts. If every packet has been sent and none received feedback, the whole sequence can be sent again, and after several complete rounds the scanner can decide to stop sending to that port.
The third step sends the packets; in the fourth step any packet fed back is analysed. For example, the packet of FIG. 2 is sent to port 11300 and the packet of FIG. 3 comes back from port 11300; in FIGS. 2 and 3 the boxed part is the specific payload of the packet. This means the corresponding protocol is beanstalk. If no packet is fed back, the protocol on port 11300 is judged not to be beanstalk.
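The second through fourth steps, together with the ClamAV exchange described earlier, as an added example for this page (not the patent's code): a constructed port-protocol priority table, a probe loop that starts a countdown after each packet and falls through to the next protocol when it expires, and constructed services on 127.0.0.1 that answer like clamd and beanstalkd. The probe bytes, the regular expressions, the protocol order for 11300, the timeout and round counts, and the FakeService stand-ins are assumptions; the beanstalk probe is the stats command from the public beanstalkd protocol, since the page shows FIG. 2 but not its bytes.

```python
import re
import socket
import threading

# Constructed port-protocol priority table (assumption: the patent describes
# such a database but does not publish it). Probes are tried in list order,
# highest priority first; group 1 of the pattern is the feature information.
CLAMAV = ("clamav", b"nVERSION\n", re.compile(rb"^(ClamAV [0-9.]+)"))
BEANSTALK = ("beanstalk", b"stats\r\n",
             re.compile(rb"^OK \d+\r\n[\s\S]*?version: ([^\r\n]+)"))
PROTOCOL_TABLE = {3310: [CLAMAV], 11300: [BEANSTALK, CLAMAV]}


def send_and_wait(host, port, probe, timeout):
    """Step 3: send one probe and start the countdown. Returns the feedback
    bytes, or None when the countdown expires or the peer closes silently."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(probe)
            return s.recv(4096) or None
    except OSError:                 # connect failure or countdown expired
        return None


def probe_port(host, port, protocols, timeout=0.3, rounds=2):
    """Steps 3 and 4: walk the protocol list by priority, move on whenever the
    countdown ends with no feedback, analyse feedback against the protocol's
    expected format, and stop after `rounds` passes (a lost packet is retried)."""
    for _ in range(rounds):
        for name, probe, pattern in protocols:
            reply = send_and_wait(host, port, probe, timeout)
            if reply is None:
                continue                        # no feedback: next priority
            m = pattern.search(reply)
            if m:                               # feedback matches: identified
                return {"protocol": name, "feature": m.group(1).decode()}
            # feedback in a foreign format: not this protocol, keep walking
    return None


class FakeService(threading.Thread):
    """Constructed stand-in for a remote server on 127.0.0.1 (ephemeral port).
    handler(probe) returns reply bytes, or None to hold the connection open
    without answering, which exercises the 'no feedback' branch."""

    def __init__(self, handler):
        super().__init__(daemon=True)
        self.handler = handler
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]
        self.start()

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._serve, args=(conn,), daemon=True).start()

    def _serve(self, conn):
        with conn:
            conn.settimeout(5)
            try:
                reply = self.handler(conn.recv(4096))
                if reply is None:
                    conn.recv(1)                # silent until the client gives up
                else:
                    conn.sendall(reply)
            except OSError:
                pass


def clamd_like(probe):
    """clamd answers the newline-framed VERSION command with its version string."""
    return b"ClamAV 0.97.5\n" if probe == b"nVERSION\n" else None


def beanstalkd_like(probe):
    """beanstalkd answers 'stats' with 'OK <bytes>' followed by a YAML body."""
    if probe != b"stats\r\n":
        return None
    body = b"---\nversion: 1.10\ncurrent-jobs-ready: 0\n"
    return b"OK %d\r\n%s\r\n" % (len(body), body)


def demo():
    """Four cases: clamd on its usual port, beanstalkd on 11300's table, clamd
    reached on the 11300 table only after the beanstalk probe times out, and
    a port that never answers (given up after `rounds` full passes)."""
    clam, bean = FakeService(clamd_like), FakeService(beanstalkd_like)
    silent = FakeService(lambda probe: None)
    return (
        probe_port("127.0.0.1", clam.port, PROTOCOL_TABLE[3310]),
        probe_port("127.0.0.1", bean.port, PROTOCOL_TABLE[11300]),
        probe_port("127.0.0.1", clam.port, PROTOCOL_TABLE[11300]),
        probe_port("127.0.0.1", silent.port, PROTOCOL_TABLE[11300]),
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third case is the one the patent's priority ordering is about: the beanstalk probe is sent first because it is the most probable protocol for 11300, the countdown expires, and the clamd probe that follows gets the feedback. Two caveats a practitioner will want to add before scanning anything real: a service that answers every probe with the same banner will match whichever pattern is loosest, so patterns should be anchored to the protocol's actual framing as here, and a probe that is not a valid command for the real service can land in that service's error logs.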
In this way the invention determines the protocol type of each active port in turn. Across an entire IP network segment it substantially reduces the time needed to determine the protocol types of active ports and improves the working efficiency of the system.
The foregoing is a more detailed description of the invention with reference to specific preferred embodiments and is not intended to limit its practice to those embodiments. Those skilled in the art can make simple deductions or substitutions without departing from the spirit of the invention, and all of these fall within its scope of protection.

Claims (7)

1. A method for identifying object features in a network space mapping process comprises the following steps:
firstly, scanning an IP global network segment to obtain an open port of the IP network segment;
secondly, analyzing the open port of the IP network segment obtained by scanning, and predefining a communication protocol of the open port;
thirdly, sending a data packet corresponding to a specific protocol to the open port according to a predefined communication protocol of the open port;
and fourthly, judging the characteristic information of the specific port server according to the feedback condition of the port.
2. The method of claim 1, wherein:
the IP global network segment is scanned in a high-concurrency scanning mode.
3. The method of claim 1, wherein:
the concurrent scanning of the IP global network segment is based on a distributed architecture, in which the scanning task is decomposed and the pieces are assigned to suitable processing resources, so that the many nodes of the IP global network segment are scanned in a distributed way, with distributed scanning, distributed processing and distributed data storage proceeding concurrently.
4. The method of claim 1, wherein:
the feedback condition of the port is either no feedback or feedback; with no feedback, the next specific data packet is sent and the port's feedback condition is checked again; with feedback, the composition of the returned data packet is analysed to obtain the feature information of the server.
5. The method of claim 1, wherein:
a port-protocol predefined database is established locally, the IP network segment open ports obtained by scanning are looked up in the port-protocol predefined database, and one or more communication protocols are predefined for each IP network segment open port.
6. The method of claim 5, wherein:
each port in the port-protocol predefined database has a plurality of corresponding protocols, the corresponding protocols having different priorities.
7. The method of claim 6, wherein:
after the data packet is sent, a countdown timer is started; and if the countdown ends without any data packet being fed back, the next specific data packet is sent in protocol priority order.
Applications Claiming Priority (2)

Application Number | Priority Date
CN2019104440713 | 2019-05-27
CN201910444071 | 2019-05-27

Publications (1)

Publication Number | Publication Date
CN112003758A (en) | 2020-11-27

Family

ID=73461642

Family Applications (1)

Application Number | Status | Publication | Priority Date | Filing Date | Title
CN201910598426.4A | Pending | CN112003758A (en) | 2019-05-27 | 2019-07-04 | Method for identifying object characteristics in network space mapping process

Country Status (1)

Country | Link
CN | CN112003758A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN106973071A (en) * | 2017-05-24 | 2017-07-21 | 北京匡恩网络科技有限责任公司 | A kind of vulnerability scanning method and apparatus
CN107395573A (en) * | 2017-06-30 | 2017-11-24 | 北京航空航天大学 | The detection method and device of a kind of industrial control system
CN109586947A (en) * | 2018-10-11 | 2019-04-05 | 上海交通大学 | Distributed apparatus information acquisition system and method



Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination