CN112398782A - Network asset identification method, device, medium and equipment - Google Patents

Info

Publication number: CN112398782A
Application number: CN201910755099.9A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 邱成鹏
Current assignee: Beijing Gridsum Technology Co Ltd
Original assignee: Beijing Gridsum Technology Co Ltd
Prior art keywords: host, network, surviving, address, local area

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The application provides a method, a device, a medium and equipment for identifying network assets. The network asset identification method comprises the following steps: acquiring an IP address list of a target local area network; determining a host which survives in the target local area network according to the IP address in the IP address list; performing full port scanning on the surviving host to determine surviving ports on the surviving host; acquiring parameter information of the alive host and acquiring parameter information of a corresponding alive port on the alive host; and adding the parameter information of the surviving host and the parameter information of the surviving port on the surviving host into a first network asset list corresponding to the target local area network. Through the first network asset list corresponding to the target local area network, the network operation and maintenance personnel can conveniently manage the network assets in the target local area network.

Description

Network asset identification method, device, medium and equipment
Technical Field
The present application relates to the field of network information security, and in particular, to a method, an apparatus, a medium, and a device for identifying a network asset.
Background
With the rapid development of internet technology, the types of network devices, such as PCs, servers, routers, mobile phones, tablet computers, printers, etc., which are accessed in a local area network within a company/enterprise, are increasing, and these network devices together constitute the company/enterprise intranet. Not only do these network devices have mutual access to each other, but many of these network devices also have access to the internet to establish connections with external networks. Typically, corporate/enterprise intranets restrict external access by establishing certain rules, such as firewalls.
With the development of company/enterprise business, service platforms and/or management systems multiply, personnel mobility increases, the network devices connected to the company/enterprise intranet become more and more complex, the network devices used and managed by different departments and/or personnel differ, and their access rights differ, so that multiple local area networks of different levels may exist within the company/enterprise intranet. All these factors make it difficult to manage the network device assets of a company/enterprise, and as time goes on a large number of non-master (ownerless) network assets accumulate inside the company/enterprise: assets that nobody uses or manages, that were never registered, or whose registered information no longer matches the actual situation.
Due to the long-term lack of special management of these non-master network assets, the non-master network assets accessing the external network can easily become the exposed surface of the company/enterprise internal network (exposed surface, which refers to the collection of resources that can access the internal network from the external network), and the intruder can easily access the company/enterprise internal network by bypassing the firewall and so on through these exposed surfaces, so that the risk of the company/enterprise network suffering network attack is increased, and the network security of the company/enterprise is greatly reduced. Therefore, how to quickly identify the network assets in the company/enterprise intranet so as to facilitate effective management is of great significance to company/enterprise network security.
Disclosure of Invention
In order to solve the above problems, the present application provides a method, an apparatus, a medium, a device, and a computer product for identifying a network asset.
A first aspect of an embodiment of the present application provides a method for identifying a network asset, where the method includes:
acquiring an IP address list of a target local area network;
determining a host which survives in the target local area network according to the IP address in the IP address list;
performing full port scanning on the surviving host to determine surviving ports on the surviving host;
acquiring parameter information of the alive host and acquiring parameter information of a corresponding alive port on the alive host;
and adding the parameter information of the surviving host and the parameter information of the surviving port on the surviving host into a first network asset list corresponding to the target local area network.
A second aspect of the embodiments of the present application provides an apparatus for identifying a network asset, where the apparatus includes:
the first acquisition module is used for acquiring an IP address list of a target local area network;
the first determining module is used for determining the surviving host in the target local area network according to the IP address in the IP address list;
the first scanning module is used for carrying out full-port scanning on the surviving host computer and determining the surviving ports on the surviving host computer;
a first obtaining module, configured to obtain parameter information of the surviving host, and obtain parameter information of a corresponding surviving port on the surviving host;
and the first adding module is used for adding the parameter information of the alive host and the parameter information of the alive port on the alive host into a first network asset list corresponding to the target local area network.
A third aspect of embodiments of the present application provides a computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements the steps in the method according to the first aspect of the present application.
A fourth aspect of the embodiments of the present application provides a processor, configured to execute a program, where the program executes to perform the steps in the method according to the first aspect of the present application.
A fifth aspect of embodiments of the present application provides an apparatus, including at least one processor, and at least one memory and a bus connected to the processor; the processor and the memory complete mutual communication through a bus; the processor is adapted to invoke program instructions in the memory to perform the steps of the method according to the first aspect of the application.
A sixth aspect of embodiments of the present application provides a computer program product adapted to, when executed on a data processing apparatus, perform a procedure for initializing:
acquiring an IP address list of a target local area network;
determining a host which survives in the target local area network according to the IP address in the IP address list;
performing full port scanning on the surviving host to determine surviving ports on the surviving host;
acquiring parameter information of the alive host and acquiring parameter information of a corresponding alive port on the alive host;
and adding the parameter information of the surviving host and the parameter information of the surviving port on the surviving host into a first network asset list corresponding to the target local area network.
By adopting the network asset identification method provided by the embodiments of the application, after the target local area network needing network asset identification is selected, IP scanning is carried out on the target local area network to obtain the IP addresses used by all network assets (network devices or hosts) in it, and the IP addresses obtained by scanning form an IP address list. According to the IP addresses in the IP address list, IP detection is performed to determine the surviving hosts in the target LAN; a full port scan is then performed on the detected surviving hosts to determine the surviving ports on them; the parameter information of the surviving hosts and of the corresponding surviving ports is acquired and added to a first network asset list corresponding to the target local area network. Through this first network asset list, network operation and maintenance (management) personnel can conveniently manage the network assets in the target local area network.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows.
Drawings
FIG. 1 is a schematic diagram of an implementation environment shown in accordance with an exemplary embodiment;
FIG. 2 is a flow diagram illustrating a method for network asset identification in accordance with an exemplary embodiment;
FIG. 3 is a detailed flowchart illustrating step S203 of a network asset identification method according to an exemplary embodiment;
FIG. 4 is a flow diagram illustrating another method of network asset identification according to an exemplary embodiment;
FIG. 5 is a flow chart illustrating yet another network asset identification method in accordance with an exemplary embodiment;
FIG. 6 is a detailed flowchart illustrating a step S510 of yet another network asset identification method according to an example embodiment;
FIG. 7 is a schematic diagram illustrating a network asset identification device, according to an example embodiment;
FIG. 8 is a schematic diagram illustrating an apparatus according to an example embodiment.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description.
FIG. 1 is a schematic diagram illustrating one implementation environment in accordance with an example embodiment. Fig. 1 shows the networking of a company (Company1) with a total of 3 departments: administrative, financial and business. The local area network (intranet) of the whole company is connected to the Internet (extranet) through router 100. Inside the intranet, networking is done through a layer-4 switch 101, to which router 100, proxy server 102 and Web server 103 are each connected; proxy server 102 proxies the extranet access of all network assets (devices or hosts) in the company, and Web server 103 lets company personnel access the company's internal website, its ERP (Enterprise Resource Planning) system and other collaborative software systems within the company/enterprise.
Meanwhile, the layer-4 switch 101 is connected downstream to three layer-2 switches used respectively for networking the three departments: layer-2 switch 104 networks the administrative department and forms its local area network 107; layer-2 switch 105 networks the financial department and forms its local area network 108; layer-2 switch 106 networks the business department and forms its local area network 109. In the following embodiments only the local area network 107 of the administrative department is taken as an example for detailed description; from this example a person skilled in the art can, without creative work, readily apply the technology with the local area network 108 of the financial department or the local area network 109 of the business department as the target local area network, or even with the whole intranet as the target local area network. The network configuration of the other departments is therefore not described again, and only the specific deployment of the local area network 107 of the administrative department is described below.
As shown in fig. 1, the specific configuration of each host is shown in Table 1; the local area network 107 formed by the administrative department is used as the target local area network for network asset identification, with computer 114 as the local host. It should be noted that there may be other network devices (hosts or assets) in the target LAN, such as printers and copiers, which are not specifically shown.
It should be noted that the technical solution disclosed in the present application is not limited to the above-mentioned exemplary implementation environment, but may also be applied to other target local area networks, for example, local area networks composed of branch companies under group type companies, or various target local area networks composed of home environments, etc., which are not exhaustive.
FIG. 2 is a flow chart illustrating a method of network asset identification according to an exemplary embodiment. Referring to fig. 2, the method includes the steps of:
s200, an IP address list of the target local area network is obtained.
It should be noted that in some exemplary embodiments, depending on the "target LAN", different means or manners may be adopted to acquire all IP addresses in the target LAN and form the corresponding IP address list.
In an exemplary embodiment, the "target local area network" is networked with a (wireless) router. During networking, the (wireless) router automatically assigns IP addresses to all devices connected to it (i.e. in the local area network) and scans and records them in real time. It is therefore only necessary to log in to the (wireless) router of the network and use its "terminal management" or "device management" function to obtain the IP addresses and/or MAC addresses of all online terminals (devices) in the target local area network together with some more detailed information; for specifics, refer to the related prior art, which is not described here again. The local area network networked with a (wireless) router is most commonly a home network, but a person skilled in the art can directly and unambiguously see that in other environments networked with a (wireless) router, all IP addresses of the corresponding local area network can likewise be obtained by the above method and formed into an IP address list; it is not limited to the home environment.
In the environment illustrated in fig. 1, all IP addresses of the entire intranet of the company are obtained by logging in the router 100 at the local host (computer 114), for example, so as to form an IP address list of the intranet of the company.
In another exemplary embodiment, the "target LAN" is networked directly with a switch. Log in to the management interface of the networked switch via telnet and type the command "dis arp" to view the IP addresses and/or MAC addresses of all hosts connected to the switch, together with the switch interface each host is connected to; for specifics, refer to the related prior art, which is not described here again. The local area network networked with a switch is mainly an office network in a company/enterprise, but a person skilled in the art can directly and unambiguously see that in other environments networked directly with a switch, all IP addresses of the corresponding local area network can be obtained by the above method and formed into an IP address list; it is not limited to the office network of a company/enterprise.
In the environment illustrated in fig. 1, for example, the local host (computer 114) acquires all IP addresses of the entire company intranet by logging in to the layer-4 switch 101 and forms an IP address list of the company intranet; or the local host (computer 114) acquires all IP addresses of the local area network 107 of the administrative department by logging in to the layer-2 switch 104 and forms an IP address list of that local area network. Because of firewall and permission configuration, obtaining the IP address list of another department's local area network usually requires logging in to the corresponding switch from a device in that local area network; for example, the IP address list of the financial department's local area network 108 is obtained by logging in to the layer-2 switch 105 from a device in the local area network 108. It is not excluded that the IP address list of LAN 108 may be obtained by logging in to the layer-2 switch 105 from a device on a network external to LAN 108; this is not described further here.
In another exemplary embodiment, a Windows system is deployed on a host in the target LAN, and a ping scan of the network segment can be performed from the cmd command line of the Windows system. More specifically, the following command is entered and executed in the cmd command line window: "for /L %i IN (1,1,254) DO ping -w 1 -n 1 192.168.0.%i"; after it completes, the following command is entered in the same window: "arp -a", which lists all IP addresses and/or MAC addresses learned in the local area network, and these IP addresses are then used to generate the IP address list. It should be noted that, because the commonly used local area network takes the class C private address 192.168.x.x (address range 192.168.0.0 to 192.168.255.255), the ping scan in the above example proceeds sequentially from the IP address "192.168.0.0", but this is not a limitation of the present application; the initial IP address of the ping scan can be chosen flexibly when the method is applied to different local area networks, for example a special local area network composed of class A or class B IP addresses. Of course, the host names of all hosts in the target local area network can also be obtained in advance with the "net view" command; after the host names are obtained, they are traversed to return the corresponding IP addresses. Compared with the ping scan described above, this approach has the advantage that IPv4 or IPv6 addresses can be returned accurately, and the command "nbtstat -a <computer name or IP>" can then be used to obtain the MAC addresses of all hosts. When the target local area network is configured in a more complicated way and uses IPv6 addresses, this approach is preferably used to obtain all IP addresses of the target local area network and form the IP address list.
With the environment illustrated in FIG. 1, for example with a Windows system deployed on the local host (computer 114), the following command may be entered and executed in the cmd command line window: "for /L %i IN (1,1,254) DO ping -w 1 -n 1 192.168.0.%i"; after it completes, the command "arp -a" is entered in the same window and returns the results shown in Table 1.
TABLE 1 IP address/MAC address of target LAN

Host name   IP address     MAC address
Host 110    192.168.0.10   000c-2975-ee58
Host 111    192.168.0.15   F092-1c66-0bb0
Host 112    192.168.0.20   1475-9013-3599
Host 113    192.168.0.25   (no MAC address returned)
Host 114    192.168.0.30   8cdc-d421-43e3

The hosts in Table 1 are the computers shown in fig. 1, and the host names correspond one to one with the reference numbers in the figure, that is, host 110 corresponds to computer 110 … …, and host 114 corresponds to computer 114. An IP address list for the target LAN 107 may be generated from all the IP addresses in Table 1. Removing the MAC address column from Table 1 gives the IP address list of the target LAN 107, shown in Table 2.

Table 2 IP address list of target LAN

Host name   IP address
Host 110    192.168.0.10
Host 111    192.168.0.15
Host 112    192.168.0.20
Host 113    192.168.0.25
Host 114    192.168.0.30

The network configuration of host 114 can also be obtained by entering the command "ipconfig /all" at the command line, which returns the detailed IP configuration information of host 114.
In other exemplary embodiments, third-party network scanning software such as Nmap or Advanced IP Scanner may also be used. Because the functions and usage of the various third-party network scanning tools differ, refer directly to the related prior art or the tool's documentation, which is not described here again.
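Steps S200 and S201 on the data of Tables 1 and 2, as an added example that is not the patent's code: the `arp -a` text, the host-name map and the local host's own address are constructed to mirror Table 1, and a host with no learned MAC address is pre-judged as not alive, exactly as host 113 is treated in the description.

```python
"""Added example, not the patent's code: build the IP address list of the
target LAN (step S200) from constructed Windows `arp -a` output and pre-judge
host liveness from the presence of a MAC address (step S201)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: what `arp -a` prints on the local host (computer 114) after the
# ping sweep. Host 113 (192.168.0.25) never answered, so it has no entry.
ARP_A_OUTPUT = """
Interface: 192.168.0.30 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           f0-92-1c-66-aa-01     dynamic
  192.168.0.10          00-0c-29-75-ee-58     dynamic
  192.168.0.15          f0-92-1c-66-0b-b0     dynamic
  192.168.0.20          14-75-90-13-35-99     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Host names collected beforehand (e.g. with `net view`), as in Table 1.
HOST_NAMES = {
    "192.168.0.10": "Host 110",
    "192.168.0.15": "Host 111",
    "192.168.0.20": "Host 112",
    "192.168.0.25": "Host 113",
    "192.168.0.30": "Host 114",
}
LOCAL_IP, LOCAL_MAC = "192.168.0.30", "8cdc-d421-43e3"  # from `ipconfig /all`

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"      # IPv4 address
    r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+"   # MAC in Windows xx-xx-xx-xx-xx-xx form
    r"(dynamic|static)",
    re.IGNORECASE,
)


@dataclass
class HostRecord:
    name: str
    ip: str
    mac: Optional[str]  # None when no MAC was learned (Table 1, host 113)

    @property
    def alive(self) -> bool:
        # S201 pre-judgement: a learned MAC address means the host answered.
        return self.mac is not None


def to_table_mac(mac: str) -> str:
    """Normalise 'f0-92-1c-66-0b-b0' to the 'f092-1c66-0bb0' form used in Table 1."""
    digits = mac.replace("-", "").replace(":", "").lower()
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_arp_cache(text: str) -> Dict[str, str]:
    """Return {ip: mac} for dynamic entries; static broadcast/multicast rows are not hosts."""
    cache: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(3).lower() == "dynamic":
            cache[m.group(1)] = to_table_mac(m.group(2))
    return cache


def build_table1(arp_text: str, names: Dict[str, str]) -> List[HostRecord]:
    """Table 1: name / IP / MAC for every named host, sorted by IP."""
    cache = parse_arp_cache(arp_text)
    cache[LOCAL_IP] = LOCAL_MAC  # the ARP cache never lists the local host itself
    ordered = sorted(names, key=lambda ip: tuple(int(o) for o in ip.split(".")))
    return [HostRecord(names[ip], ip, cache.get(ip)) for ip in ordered]


def ip_address_list(records: List[HostRecord]) -> List[str]:
    """Table 2: Table 1 with the MAC column removed."""
    return [r.ip for r in records]


def alive_hosts(records: List[HostRecord]) -> List[str]:
    """Hosts judged alive from Table 1 alone; the rest still need ICMP/ARP probing."""
    return [r.ip for r in records if r.alive]
```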
S201, according to the IP address in the IP address list, determining the host which survives in the target local area network.
"Survival" is a term describing the address state of a target host. After the IP address list is obtained, IP detection is performed on the IP addresses in the list to judge whether the host corresponding to each IP address is alive (started and on-line). As described above, when scanning a target LAN some methods obtain not only the IP address but also the MAC address of the corresponding host, which can be used to judge whether that host is alive. In the environment illustrated in fig. 1, see Table 1: host 113 returned no MAC address, so host 113 can be preliminarily considered not alive. However, some methods of obtaining the IP address list of the target LAN cannot directly determine whether the corresponding host is alive. When liveness cannot be determined from the method used to acquire the IP address list, the alive hosts in the target LAN can be determined by the following methods.
In an exemplary embodiment, whether the target host is alive or not may be detected by sending an ICMP ECHO REQUEST datagram to the target host at the local host, and if the local host receives an ICMP ECHO Reply datagram returned by the target host, it may be confirmed that the target host is alive.
In the environment illustrated in fig. 1, for example, host 114 generates an ICMP ECHO REQUEST datagram for each IP address in the IP address list (all IP addresses in Table 2) as the destination IP address and sends it to the host with that IP address; when an ICMP ECHO Reply datagram is returned by the corresponding host, that host can be determined to be alive. No ICMP ECHO Reply datagram is ever received from host 113, so host 113 is preliminarily assumed to be in the non-surviving state.
However, probing with ICMP ECHO datagrams has two disadvantages. First, this host probing technique is only applicable to UNIX hosts in the target network; a WINDOWS machine will not generate an ICMP ECHO REPLY datagram for an ICMP ECHO REQUEST addressed to the broadcast address or the network address. Second, it requires that the target host allow itself to be probed, i.e. that the target host does not filter or block ICMP datagrams with a firewall or similar means. Therefore this method is not described further here; for details, refer to the prior art.
Therefore, in another exemplary embodiment, the MAC address of the host corresponding to the destination IP address is requested by generating an ARP REQUEST datagram containing the destination IP address at the local host. The MAC address and IP address are initialized: the local host MAC address is taken as the source address and the physical broadcast address as the destination address of the physical frame; the destination (target) MAC address of the ARP frame is set to 0; the hardware type is set to 0x0001, converting the 16-bit value from host byte order to network byte order; the protocol type is set to 0x0800; the local IP address is taken as the source IP address, converting the 32-bit host IP address from host byte order to network byte order; the local host IP address is ANDed with the subnet mask to obtain the gateway IP address, and a _PACKET structure is initialized. Finally the ARP REQUEST datagram of the _PACKET structure is sent, i.e. broadcast to all hosts on the network, and the ARP REPLY datagrams are received. The received ARP REPLY datagram is parsed to obtain the MAC address of the host corresponding to the destination IP address; if no ARP REPLY datagram is received, the host corresponding to the destination IP address is in the non-surviving state.
Taking the environment illustrated in fig. 1 as an example, host 114 generates an ARP REQUEST datagram for each IP address in the IP address list (all IP addresses in Table 2) as the destination IP address (see above for the details), broadcasts each ARP REQUEST datagram to the other hosts in the local area network 107, and receives the corresponding ARP REPLY datagrams. No ARP REPLY datagram is received from host 113 and its MAC address is therefore not obtained; the result returned is as shown in Table 1, and host 113 can be determined to be in the non-surviving state.
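The ARP REQUEST construction and ARP REPLY parsing just described, as an added example that is not the patent's code: the field values (hardware type 0x0001, protocol type 0x0800, zeroed target MAC, broadcast destination, network byte order) follow the description; the MAC addresses, the reply frame and the `liveness_from_replies` helper are constructed for illustration and nothing is sent on a real interface.

```python
"""Added example, not the patent's code: the ARP REQUEST datagram described
above, built field by field with struct, plus the parser that recovers a MAC
address from an ARP REPLY. All frames here are constructed bytes; nothing is
put on the wire."""
import struct
from ipaddress import IPv4Address
from typing import Dict, Iterable, List, Optional

ETH_P_ARP = 0x0806           # EtherType of ARP
HW_TYPE_ETHERNET = 0x0001    # hardware type, as in the description
PROTO_TYPE_IPV4 = 0x0800     # protocol type, as in the description
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6  # physical broadcast address
ZERO_MAC = b"\x00" * 6       # "destination address of the ARP frame set to 0"
ARP_FMT = "!HHBBH6s4s6s4s"   # '!' = network byte order (the htons/htonl step)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_request(local_mac: str, local_ip: str, target_ip: str) -> bytes:
    """Ethernet header + 28-byte ARP packet (the "_PACKET" of the description)."""
    eth = struct.pack("!6s6sH", BROADCAST_MAC, mac_bytes(local_mac), ETH_P_ARP)
    arp = struct.pack(
        ARP_FMT,
        HW_TYPE_ETHERNET, PROTO_TYPE_IPV4, 6, 4, ARP_REQUEST,
        mac_bytes(local_mac), IPv4Address(local_ip).packed,   # sender = local host
        ZERO_MAC, IPv4Address(target_ip).packed,              # target MAC unknown
    )
    return eth + arp


def parse_arp_reply(frame: bytes, expected_ip: str) -> Optional[str]:
    """Sender MAC if `frame` is a well-formed ARP REPLY from `expected_ip`, else None."""
    if len(frame) < 14 + struct.calcsize(ARP_FMT):
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hw, proto, hlen, plen, op, smac, sip, _tmac, _tip = struct.unpack(ARP_FMT, frame[14:42])
    if (hw, proto, hlen, plen, op) != (HW_TYPE_ETHERNET, PROTO_TYPE_IPV4, 6, 4, ARP_REPLY):
        return None
    if str(IPv4Address(sip)) != expected_ip:
        return None  # a reply to some other probe; not this host's answer
    return mac_str(smac)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Constructed reply standing in for what a surviving host puts on the wire."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, HW_TYPE_ETHERNET, PROTO_TYPE_IPV4, 6, 4, ARP_REPLY,
                      mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), IPv4Address(target_ip).packed)
    return eth + arp


def liveness_from_replies(local_mac: str, local_ip: str, targets: Iterable[str],
                          captured: List[bytes]) -> Dict[str, Optional[str]]:
    """Step S201 with ARP: one request per listed IP; an IP with no matching reply
    among the captured frames is reported as non-surviving (MAC None), as host 113 is."""
    result: Dict[str, Optional[str]] = {}
    for ip in targets:
        _request = build_arp_request(local_mac, local_ip, ip)  # would be broadcast here
        result[ip] = None
        for frame in captured:
            mac = parse_arp_reply(frame, ip)
            if mac:
                result[ip] = mac
                break
    return result
```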
S202, carrying out full port scanning on the alive host, and determining the alive ports on the alive host.
After determining the surviving hosts in the target lan, the surviving ports on each surviving host, that is, the ports configured on each host in the open state, need to be determined again.
When performing a full port scan on each surviving host, in an exemplary embodiment only a TCP scan may be performed; in another exemplary embodiment only a UDP scan may be performed; in yet another embodiment both a TCP scan and a UDP scan may be performed.
For the TCP scan of each surviving host, specifically: a SYN message is sent to each of the ports numbered 1 to 65535; if an ACK message is returned from the port, the port is alive (which also confirms that the host is alive) and the alive port number is recorded; if no ACK message is received, the port is in the non-surviving state. This step is repeated until all port numbers have been traversed.
For the UDP scan of each surviving host, specifically: a UDP REQUEST message is sent to each of the ports numbered 1 to 65535; if a UDP RESPONSE message is returned from the port, the port is alive and the port number is recorded; if no UDP RESPONSE message is received, the port is in the non-surviving state. This step is repeated until all port numbers have been traversed.
TABLE 3 TCP/UDP scan results

Host name   IP address     Surviving ports
Host 110    192.168.0.10   21/25/53/80
Host 111    192.168.0.15   25/80
Host 112    192.168.0.20   22/21/23/80
Host 114    192.168.0.30   25/53/69/80/162

In the environment illustrated in fig. 1, host 113 is known to be in the non-surviving state, so the full port scan is performed on host 110, host 111, host 112 and the local host 114. Both TCP and UDP scans were performed; the final scan results are shown in Table 3.
S203, obtaining the parameter information of the alive host and obtaining the parameter information of the corresponding alive port on the alive host.
After the surviving hosts and surviving ports on the surviving hosts in the target lan are known, the parameter information of the surviving hosts and the parameter information of the corresponding surviving ports on the surviving hosts can be obtained by the following method. Fig. 3 is a flowchart illustrating a step S203 of a network asset identification method according to an example embodiment. Referring to fig. 3, step S203 specifically includes the following steps:
s300, generating a corresponding scanning task for each alive port on each alive host.
With the environment illustrated in fig. 1, see table 3, it is clear that a total of 15 scan jobs need to be generated.
S301, caching the scanning task into a scanning task pool.
With the environment illustrated in fig. 1, the above-mentioned 15 scan tasks are cached in the scan task pool.
S302, starting a scanning task in the scanning task pool, and sending a multi-protocol detection message to a corresponding alive port on a corresponding alive host corresponding to the scanning task, wherein the multi-protocol detection message is used for operating system fingerprint identification and application component fingerprint identification;
and acquiring the parameter information of the surviving host corresponding to the scanning task and the parameter information of the corresponding port on the surviving host corresponding to the scanning task according to the identification results of the operating system fingerprint identification and the application component fingerprint identification.
In the environment illustrated in fig. 1, the 15 scanning tasks may be held in a task queue, and each scanning task is then allocated to a thread for execution, either single-thread serial execution or multi-thread parallel execution. The present application imposes no specific limitation on which is used, but from the viewpoint of working efficiency and time saved, multi-thread parallel execution is preferred, that is, several scanning tasks are executed in parallel until all scanning tasks have been executed. The multi-protocol detection message sent to the alive port of the alive host of each scanning task may be an FTP message, a TELNET message, an SMTP message, an SSH message, a MySQL message and/or a redis message, among others not exhaustively listed, so as to perform operating system fingerprint identification and application component fingerprint identification.
Operating system (OS) identification is important information that needs to be collected for intrusion or security detection, and is the basis for analysing vulnerabilities and other potential security hazards: the security status of a remote host can only be evaluated further once its operating system type and version are known. The operating system fingerprinting here is TCP/IP protocol stack fingerprinting (the application component fingerprinting, by contrast, relies on the replies the individual services return to the protocol probes listed above). Because the TCP/IP protocol stack is only described in RFC documents and has no single reference implementation, each vendor interprets the RFCs slightly differently when writing the stack for its own operating system, so the stacks of different operating systems differ in detail. The TCP/IP protocol stack can therefore serve as a 'fingerprint': the operating system type is judged by recognising the small differences between the stacks of different operating systems, for example in the initial TTL, the default window size, the ordering of TCP options and the response to unusual flag combinations. For the details of TCP/IP stack fingerprinting, refer to the related art; they are not described here.
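The following is a worked example added here for steps S300 to S302 (scan task generation, task pool, multi-protocol probing and application component fingerprinting); it is not the patent's own code. The replies are constructed in-line so that the example runs offline: in a live scan `probe()` would send the FTP/TELNET/SMTP/SSH/MySQL/redis probe to the port and read the answer. The parsers follow the real wire formats (SSH identification string per RFC 4253, FTP/SMTP 220 greeting, MySQL initial handshake packet, redis RESP reply to PING, telnet IAC option negotiation); the extra ports 3306 and 6379 added to the table 3 hosts, the product list and the helper names are assumptions. The TCP/IP stack side of operating system fingerprinting needs raw packet access and is not shown.

```python
"""Scan task pool and application component fingerprinting (steps S300-S302).

Worked example added to the text; not the patent's code. Probe replies are
constructed, not captured.
"""
import re
from concurrent.futures import ThreadPoolExecutor

# Surviving hosts/ports of table 3, plus 3306 and 6379 assumed here so the
# MySQL and redis probes have something to talk to.
SURVIVING = {
    "192.168.0.10": [21, 25, 53, 80, 3306, 6379],
    "192.168.0.15": [25, 80],
    "192.168.0.20": [22, 21, 23, 80],
    "192.168.0.30": [25, 53, 69, 80, 162, 6379],
}

# Constructed replies standing in for live responses, one per (host, port).
WIRE = {
    ("192.168.0.20", 22): b"SSH-2.0-OpenSSH_7.4\r\n",
    ("192.168.0.20", 21): b"220 (vsFTPd 3.0.3)\r\n",
    ("192.168.0.20", 23): b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x27",  # IAC DO <option> ...
    ("192.168.0.15", 25): b"220 mail.example.test ESMTP Postfix\r\n",
    # MySQL handshake v10: length(3, LE) seq(1) proto(1)=10 version\0 thread_id(4)
    ("192.168.0.10", 3306): bytes([16, 0, 0, 0, 0x0A]) + b"5.7.33-log\x00" + b"\x01\x00\x00\x00",
    ("192.168.0.10", 6379): b"-NOAUTH Authentication required.\r\n",
    ("192.168.0.30", 6379): b"+PONG\r\n",
}

# Assumed product list; a real fingerprint database is far longer.
KNOWN_PRODUCTS = re.compile(r"(vsFTPd|ProFTPD|Pure-FTPd|FileZilla|Postfix|Exim|Sendmail)\s*v?([\d.]+)?")


def probe(host, port):
    """Stand-in for the network round trip; returns the constructed reply."""
    return WIRE.get((host, port), b"")


def fingerprint(port, data):
    """Map one reply to {'service', 'product', 'version', 'note'}; None if unrecognised."""
    if not data:
        return None
    if data.startswith(b"SSH-"):  # RFC 4253: SSH-protoversion-softwareversion
        parts = data.split(b"\r\n", 1)[0].decode("ascii", "replace").split("-", 2)
        proto, software = (parts[1], parts[2]) if len(parts) == 3 else ("", "")
        product, _, version = software.partition("_")
        return {"service": "ssh", "product": product, "version": version, "note": f"SSH protocol {proto}"}
    if data[0] == 0xFF:  # telnet IAC: the server is negotiating options
        return {"service": "telnet", "product": "", "version": "", "note": "IAC negotiation"}
    if data.startswith(b"220"):  # FTP and SMTP both greet with a 220 line
        text = data.decode("ascii", "replace").strip()
        service = "smtp" if "SMTP" in text.upper() or port == 25 else "ftp"
        m = KNOWN_PRODUCTS.search(text)
        return {"service": service, "product": m.group(1) if m else "",
                "version": (m.group(2) or "") if m else "", "note": text}
    if data[:1] in (b"+", b"-") and data.endswith(b"\r\n"):  # redis RESP simple string / error
        text = data[1:-2].decode("ascii", "replace")
        auth = "authentication required" if text.startswith("NOAUTH") else "no authentication"
        return {"service": "redis", "product": "redis", "version": "", "note": auth}
    if len(data) >= 6 and data[4] == 0x0A:  # MySQL initial handshake, protocol version 10
        length = int.from_bytes(data[:3], "little")
        if length + 4 == len(data):
            end = data.index(b"\x00", 5)
            return {"service": "mysql", "product": "MySQL",
                    "version": data[5:end].decode("ascii", "replace"), "note": "handshake v10"}
    return None


def generate_tasks(surviving):
    """Step S300: one scan task per surviving port on each surviving host."""
    return [(host, port) for host, ports in surviving.items() for port in ports]


def run_task_pool(tasks, workers=8):
    """Steps S301/S302: queue the tasks and run them on a thread pool."""
    def one(task):
        host, port = task
        return host, port, fingerprint(port, probe(host, port))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(one, tasks))


def asset_list(results):
    """Fold task results into the first network asset list: host -> {port: fingerprint}."""
    out = {}
    for host, port, fp in results:
        out.setdefault(host, {})[port] = fp
    return out


if __name__ == "__main__":
    for host, ports in asset_list(run_task_pool(generate_tasks(SURVIVING))).items():
        for port, fp in sorted(ports.items()):
            print(host, port, fp)
```

The redis reply already carries a security fact: "+PONG" to an unauthenticated PING means the instance accepts commands without a password, which is the kind of condition the vulnerability identification step later in the text looks for.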
In the environment illustrated in fig. 1, the results of TCP/IP stack fingerprinting are shown in table 4.
TABLE 4 TCP/IP protocol stack fingerprint identification results
[Table 4 is reproduced only as an image in the original. It records, per surviving host and surviving port, the fingerprinting result, e.g. the service and service protocol version of port 22 on host 112.]
Table 4 may serve as a first network asset information list for local area network 107.
It should be noted that table 4 shows only, by way of example, the service and service protocol version of port 22 on host 112. Because the services and protocol versions differ from port to port, and the protocol versions vary widely, the service protocol versions of the ports on the other hosts are not listed in detail.
S205, add the parameter information of the alive host and the parameter information of the alive port on the alive host to the first network asset list corresponding to the target lan.
After this detection, the parameter information of each alive host in the target local area network (for example local area network 107 in the example of fig. 1) and of the ports alive on it has been obtained and is added to the first network asset list corresponding to the target local area network, forming that list so that network operation and maintenance (management) personnel can manage the target local area network and asset management personnel can manage its network assets.
In summary, with the network asset identification method provided by the embodiments of the application: after the target local area network requiring network asset identification is selected, IP scanning is performed on it to obtain the IP addresses used by all network assets (network devices or hosts) in it, and these form an IP address list; IP detection is performed on the addresses in the list to determine the surviving hosts in the target local area network; a full port scan is performed on each surviving host to determine its surviving ports; the parameter information of each surviving host and of its surviving ports is then obtained and added to the first network asset list corresponding to the target local area network. Through this first network asset list, network operation and maintenance (management) personnel can conveniently manage the network assets in the target local area network.
FIG. 4 is a flow chart illustrating another method of network asset identification according to an example embodiment. Referring to fig. 4, the method includes the steps of:
s400, an IP address list of the target local area network is obtained.
S401, according to the IP address in the IP address list, the surviving host in the target local area network is determined.
S402, carrying out full port scanning on the alive host, and determining the alive ports on the alive host.
S403, obtaining the parameter information of the alive host and obtaining the parameter information of the corresponding alive port on the alive host,
s404, adding the parameter information of the alive host and the parameter information of the alive port on the alive host to a first network asset list corresponding to the target local area network.
The above steps S400-S404 have been described in detail in the above embodiments, and are not described herein again.
S405, monitoring and mirroring all IP datagrams in the data flow of the target local area network.
In the environment illustrated in fig. 1, when the target LAN is the entire internal company network, the data traffic of the whole network can be mirrored from a mirror port of the router 100 or of the layer-4 switch 101 (the port here is a physical port on the switch; elsewhere in this application, unless stated otherwise, a port means a transport-layer port, not a physical port on a device), and all mirrored traffic is forwarded to the local host 114 for analysis. When the target LAN is the local area network 107 of the administration department, the IP datagrams can be extracted from the traffic of local area network 107 mirrored at the mirror port (again a physical port) of the layer-2 switch 104.
Of course, it is not excluded that the mirror copy may be made by an optical splitter, an iptables TEE module, or other traffic copy related software tool (e.g., tcpcopy, gor tool).
S406, the IP datagram obtained by mirroring is analyzed, and a source IP address and a source port number, a destination IP address and a destination port number in the IP datagram are obtained.
S407, determining an access object according to the source IP address and the source port number.
S408, determining an accessed object according to the destination IP address and the destination port number.
S409, determining the access relation of the host in the first network asset list according to the access object and the accessed object.
Analyzing the IP datagram obtained by mirroring, obtaining a source IP address and a source port number, and a corresponding destination IP address and a corresponding destination port number in each IP datagram, and determining an access object initiating access according to the source IP address and the source port number, wherein the access object is a host initiating access, and may come from the local area network 107 or an external network outside the local area network 107; the accessed access object can be determined according to the destination IP address and the destination port number, and the accessed object is the accessed host, and may also be in the local area network 107 or an external network outside the local area network 107.
In the environment illustrated in fig. 1, with local area network 107 as the target local area network and table 3 at hand, the IP datagrams mirrored at the layer-2 switch 104 are decoded, the source IP address and source port number and the destination IP address and destination port number are compared with table 3, and when this four-tuple (source IP address, source port number, destination IP address, destination port number) can be matched against table 3, the mutual access relationship between the surviving hosts is determined. For example, if a datagram resolves to source IP address 192.168.0.10, source port 80, destination IP address 192.168.0.15 and destination port 80, it can be determined that host 110 accessed host 111. Note that in real traffic the initiating side normally uses an ephemeral source port rather than a listed surviving port, and the mirror also carries the server's reply datagrams, in which source and destination are swapped; the side whose port appears in table 3 as a surviving port is the accessed object, so matching on the destination port and folding replies back into the same relationship avoids recording each access twice, in opposite directions.
Meanwhile, according to the time obtained by mirroring each IP data packet, the time of mutual access between the surviving hosts can be determined. For example, if the mirror time of the IP datagram of the host 110 accessing the host 111 is 08:00 am on 8/5 th 2019, it may be determined that the time of the host 110 accessing the host 111 is 08:00 am on 8/5 th 2019.
When the source IP address and the source port number in the above four-tuple information are not found from table 3, it indicates that an external access object initiates access to the host in the lan 107, and which host in the lan 107 is accessed (or attacked) can be determined according to the destination IP address and the destination port number therein. For example, after a certain IP datagram is resolved, the source IP address is 192.168.0.50, the source port number is 80, the destination IP address is 192.168.0.20, and the destination port number is 80, it can be determined that the host 112 is accessed (or attacked) from the outside.
Correspondingly, when the destination IP address and destination port number of the four-tuple cannot be found in table 3, an internal device of local area network 107 is accessing the external network, and the host in local area network 107 that initiated the access can be determined from the source IP address and source port number. For example, if a datagram resolves to source IP address 192.168.0.10, source port 80, destination IP address 192.168.0.60 and destination port 80, it can be determined that host 110 accessed the network external to local area network 107.
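The following is a worked example added here for steps S406 to S409 (decoding the mirrored datagrams into four-tuples and deriving the access relationships against table 3); it is not the patent's own code. The datagrams and their mirror timestamps are constructed in-line rather than taken from a mirror port, the IPv4 builder exists only to produce them, and the relation kinds (internal, inbound, outbound, transit) and helper names are assumptions. It also applies the caveat above: the side whose port is a recorded surviving port is taken as the accessed object, so a reply datagram is folded back onto the access it answers.

```python
"""Mirrored IP datagram -> four-tuple -> access relation (steps S406-S409).

Worked example added to the text; not the patent's code. Packets are
constructed here, not captured.
"""
import ipaddress
import struct

# Table 3: surviving hosts and their surviving (listening) ports.
ASSETS = {
    "192.168.0.10": ("Host 110", {21, 25, 53, 80}),
    "192.168.0.15": ("Host 111", {25, 80}),
    "192.168.0.20": ("Host 112", {22, 21, 23, 80}),
    "192.168.0.30": ("Host 114", {25, 53, 69, 80, 162}),
}
TCP, UDP = 6, 17


def _checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (0 when a header verifies)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, sport, dport, payload=b""):
    """Constructed IPv4 datagram with a minimal TCP (SYN) or UDP header."""
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + l4


def parse_ipv4(pkt):
    """Step S406: return (proto, src_ip, src_port, dst_ip, dst_port), or None if not usable."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                      # not IPv4 (IPv6, truncated frame)
    ihl = (pkt[0] & 0x0F) * 4
    if _checksum(pkt[:ihl]) != 0:
        return None                      # corrupt header: do not trust its addresses
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    if proto not in (TCP, UDP) or len(pkt) < ihl + 4:
        return None                      # no transport ports to extract
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return proto, src, sport, dst, dport


def _name(ip):
    return ASSETS[ip][0] if ip in ASSETS else f"external {ip}"


def access_relation(ts, tup):
    """Steps S407-S409: access object, accessed object and the kind of relation.

    The side whose port is a recorded surviving port is the accessed object;
    a server reply (listed port on the source side only) is swapped so that
    it maps onto the same relation as the request it answers.
    """
    proto, src, sport, dst, dport = tup
    src_listed = src in ASSETS and sport in ASSETS[src][1]
    dst_listed = dst in ASSETS and dport in ASSETS[dst][1]
    if src_listed and not dst_listed:
        src, sport, dst, dport = dst, dport, src, sport
    if src in ASSETS and dst in ASSETS:
        kind = "internal"
    elif dst in ASSETS:
        kind = "inbound"     # external object accessing (or attacking) a listed host
    elif src in ASSETS:
        kind = "outbound"    # listed host accessing the external network
    else:
        kind = "transit"     # neither end is an asset of this LAN
    return {"time": ts, "kind": kind, "access_object": _name(src),
            "accessed_object": _name(dst), "port": dport, "proto": proto}


# Constructed mirror feed: (mirror timestamp, datagram bytes).
MIRROR = [
    ("2019-08-05 08:00:00", build_ipv4("192.168.0.10", "192.168.0.15", TCP, 51514, 80)),
    ("2019-08-05 08:00:00", build_ipv4("192.168.0.15", "192.168.0.10", TCP, 80, 51514)),  # reply
    ("2019-08-05 08:01:10", build_ipv4("192.168.0.50", "192.168.0.20", TCP, 40211, 80)),
    ("2019-08-05 08:02:30", build_ipv4("192.168.0.10", "192.168.0.60", UDP, 43000, 53)),
    ("2019-08-05 08:03:00", b"\x60" + b"\x00" * 39),   # IPv6 datagram: skipped
]


def relations(feed):
    """Run the feed through the parser; a reply collapses onto its request."""
    out = []
    for ts, pkt in feed:
        tup = parse_ipv4(pkt)
        if tup is None:
            continue
        rel = access_relation(ts, tup)
        if rel not in out:
            out.append(rel)
    return out


if __name__ == "__main__":
    for r in relations(MIRROR):
        print(r)
```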
FIG. 5 is a flow chart illustrating a method of network asset identification according to an exemplary embodiment. Referring to fig. 5, the method includes the steps of:
s500, an IP address list of the target local area network is obtained.
S501, determining the surviving host in the target local area network according to the IP address in the IP address list.
S502, carrying out full port scanning on the alive host, and determining the alive ports on the alive host.
S503, obtaining the parameter information of the alive host and the parameter information of the corresponding alive port on the alive host,
s504, adding the parameter information of the alive host and the parameter information of the alive port on the alive host to a first network asset list corresponding to the target local area network.
And S505, monitoring and mirroring all IP datagrams in the data flow of the target local area network.
S506, analysing the IP datagrams obtained by mirroring, and obtaining the source IP address and source port number and the destination IP address and destination port number of each IP datagram.
S507, determining an access object according to the source IP address and the source port number.
S508, according to the destination IP address and the destination port number, an accessed object is determined.
S509, determining the access relation of the host in the first network asset list according to the access object and the accessed object.
The above steps S500 to S509 have been described in detail in the above embodiments, and are not described again here.
In some exemplary embodiments, step S510 may be performed to perform security management on the hosts in the first network asset list according to the access relationship of the hosts in the first network asset list.
Specifically, in some embodiments, whether the host in the first network asset list performs the illegal external connection operation is determined according to the destination IP address in the IP datagram sent by the host in the first network asset list and the access authority of the corresponding host.
The judgment can be made in the following manner. Fig. 6 is a flowchart illustrating a step S510 of yet another network asset identification method according to an example embodiment. Referring to fig. 6, step S510 specifically includes the following steps:
s600, determining the host initiating the access according to the source IP address of the IP datagram obtained by mirroring.
The source IP address of the datagram is looked up in table 3; when it is found there, the corresponding host is the one initiating the access. In the environment illustrated in fig. 1, for example, if the source IP address of a first IP datagram resolves to 192.168.0.10, host 110 initiated the access, and if the source IP address of a second IP datagram resolves to 192.168.0.15, host 111 initiated the access.
S601, judging whether the destination IP address of the IP datagram obtained by mirroring is the external network IP address of the target local area network.
The destination IP address (and destination port number) of the datagram is looked up in table 3; when the destination IP address is not found there, the datagram is addressed to the external network. In the environment illustrated in fig. 1, for example, if the destination IP address of the first IP datagram resolves to 192.168.0.80 and that of the second to 192.168.0.90, neither of which is in table 3, it can be determined that both host 110 and host 111 accessed the extranet. A practitioner would sharpen this check by also testing the destination against the LAN's own address prefixes, since an internal host that happened to be down during the scan is likewise absent from table 3 without being external.
S602, judging whether the host sending the IP datagram has the authority to access the external network of the target local area network.
In the environment illustrated in FIG. 1, for example, host 110 has access to an extranet, and for example, host 111 does not have access to an extranet.
S603, if the destination IP address is an external network IP address and the host sending the IP datagram has the authority of accessing the external network, the external network is allowed to be accessed.
In the environment illustrated in FIG. 1, for example, where the host 110 has access to an extranet, the proxy server 102 allows the host 110 to access the extranet.
S604, if the destination IP address is an external network IP address and the host sending the IP datagram does not have the authority of accessing the external network, corresponding measures are taken.
In the environment illustrated in fig. 1, for example, the host 111 does not have the right to access the extranet, and corresponding measures are taken, such as: proxy server 102 denies the access request of host 111.
More specifically, in some embodiments, step S605 is performed,
performing vulnerability identification on ports that survive on the hosts in the first network asset list to identify vulnerable ports.
For example, an SSH port whose password can be cracked (an exposed or weak password) is a vulnerable port, and a redis instance on its default port 6379 that allows login without a password is a vulnerable port. Since the port numbers range from 1 to 65535, the vulnerable ports cannot be enumerated here; for the details refer to the related art.
In some exemplary embodiments, step S511 may be performed.
And S511, performing life cycle management on the host in the first network asset list according to the first network asset list and the access relation of the host in the first network asset list.
When a preset time threshold has been reached and no IP datagram from a certain host in the first network asset list has been obtained by mirroring, that host is determined not to be surviving.
For example, if, after all IP datagrams mirrored within one day have been analysed, none of them has the source IP address 192.168.0.20, it can be determined that host 112 is no longer surviving; the host can then be probed again to distinguish whether it has failed or has been removed from the network.
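The following is a worked example added here for the security management of step S510 (steps S600 to S604, the illegal external connection check) and the life cycle management of step S511; it is not the patent's own code. It works on the four-tuples already extracted from mirrored datagrams, so no packet parsing is repeated. The records, the mirror timestamps, the LAN prefix used as the extranet boundary, the access permissions (host 110 may reach the extranet, host 111 may not, as in the text) and the helper names are constructed assumptions.

```python
"""Illegal external connection check (S600-S604) and life-cycle check (S511)
over four-tuples from mirrored datagrams.

Worked example added to the text; not the patent's code. Records and policy
are constructed.
"""
import ipaddress
from datetime import datetime, timedelta

# First network asset list (table 3): surviving hosts by IP address.
ASSETS = {
    "192.168.0.10": "Host 110",
    "192.168.0.15": "Host 111",
    "192.168.0.20": "Host 112",
    "192.168.0.30": "Host 114",
}

# Assumption: the target LAN's own prefix. A destination outside it is an
# extranet address. The text's rule ("not found in table 3") is looser and
# would also treat unscanned hosts inside the LAN as external.
LAN = ipaddress.ip_network("192.168.0.0/24")

# Assumption (step S602): only host 110 holds the right to access the extranet.
EXTRANET_ALLOWED = {"192.168.0.10"}

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed mirror records: (time, src_ip, src_port, dst_ip, dst_port).
RECORDS = [
    ("2019-08-05 08:00:00", "192.168.0.10", 51514, "192.168.0.15", 80),
    ("2019-08-05 08:10:00", "192.168.0.10", 51520, "203.0.113.80", 443),
    ("2019-08-05 08:12:00", "192.168.0.15", 41000, "203.0.113.90", 443),
    ("2019-08-05 09:00:00", "192.168.0.30", 53000, "192.168.0.10", 53),
    ("2019-08-05 09:30:00", "192.168.0.15", 41001, "203.0.113.91", 22),
]


def is_extranet(ip):
    """Step S601: is the destination outside the target LAN?"""
    return ipaddress.ip_address(ip) not in LAN


def illegal_external_connections(records, allowed=EXTRANET_ALLOWED):
    """Steps S600-S604: listed hosts that reached the extranet without the right to."""
    violations = []
    for ts, src, sport, dst, dport in records:
        if src not in ASSETS or not is_extranet(dst):
            continue                  # not a listed host, or an internal destination
        if src in allowed:
            continue                  # S603: permitted, the proxy lets it through
        violations.append({"time": ts, "host": ASSETS[src], "ip": src,
                           "destination": f"{dst}:{dport}"})   # S604: act on it
    return violations


def silent_hosts(records, now, threshold=timedelta(days=1)):
    """Step S511: listed hosts with no datagram as source within `threshold` before `now`."""
    now_t = datetime.strptime(now, TIME_FMT)
    last_seen = {}
    for ts, src, *_ in records:
        t = datetime.strptime(ts, TIME_FMT)
        if src in ASSETS and (src not in last_seen or t > last_seen[src]):
            last_seen[src] = t
    return sorted(name for ip, name in ASSETS.items()
                  if ip not in last_seen or now_t - last_seen[ip] > threshold)


if __name__ == "__main__":
    for v in illegal_external_connections(RECORDS):
        print("illegal external connection:", v)
    print("not surviving:", silent_hosts(RECORDS, "2019-08-06 08:00:00"))
```

A host reported by `silent_hosts` has only gone quiet on the mirror; as the text says, it should be probed again before its asset record is retired, because a host that is up but idle (or whose traffic no longer crosses the mirrored port) looks identical to one that has been removed.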
In other exemplary embodiments, step S510 and step S511 are both performed, and steps S510 and S511 are more specifically described above and will not be described herein again.
In some exemplary embodiments, the method comprises the steps of:
s512, adding the actual IP address of the alive host to the first network asset information table.
The actual IP addresses corresponding to the respective hosts are added to table 4 to form table 5.
Table 5 first network asset information table
[Table 5 is reproduced only as an image in the original: table 4 extended with the actual IP address of each host.]
And S513, acquiring a second network asset information table pre-counted for the target local area network.
For example, table 6.
Table 6 second network asset information table
[Table 6 is reproduced only as an image in the original: the pre-recorded asset register with the host parameter information and the allocated IP address of each registered host.]
Within a company or enterprise, large numbers of unowned network assets accumulate: assets that are not used, managed or registered, or whose registration information does not match the actual situation.
S514, comparing the host parameter information and the corresponding allocated IP address in the second network asset information table with the host parameter information and the corresponding actual IP address in the first network asset information table, to generate the list of unowned network assets in the target local area network.
By comparison it can be seen that host 112 is not registered in the second network asset information table. A list of unowned network assets for local area network 107 can then be generated, see table 7.
TABLE 7 Unowned network asset list
[Table 7 is reproduced only as an image in the original: the unowned network asset list of local area network 107, containing host 112.]
This example shows no unowned asset whose registration information is inconsistent with the actual situation, but those skilled in the art will readily see that, by comparing the first and second network asset lists, such assets can be matched just as easily, which makes it convenient for network operation and maintenance (management) personnel to manage the target LAN.
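The following is a worked example added here for steps S512 to S514 (reconciling the discovered first network asset information table with the pre-recorded second table to produce the unowned asset list); it is not the patent's own code. Tables 5 and 6 are images in the original, so the rows below are constructed; the columns (host name, IP address, operating system, services, owner), the use of the host name as the join key and the helper names are assumptions. Beyond the text's example it also reports registered hosts whose allocated IP address or recorded OS no longer matches reality, and registered hosts that were not found at all.

```python
"""Reconciling the discovered asset table (table 5) with the register
(table 6) into the unowned asset list (table 7), steps S512-S514.

Worked example added to the text; not the patent's code. Both tables are
constructed.
"""

# Table 5 (constructed): what the scan actually found, with actual IP addresses.
DISCOVERED = [
    {"host": "Host 110", "ip": "192.168.0.10", "os": "Linux 3.x", "services": "ftp,smtp,dns,http"},
    {"host": "Host 111", "ip": "192.168.0.15", "os": "Windows Server 2012", "services": "smtp,http"},
    {"host": "Host 112", "ip": "192.168.0.20", "os": "Linux 4.x", "services": "ssh,ftp,telnet,http"},
    {"host": "Host 114", "ip": "192.168.0.30", "os": "Linux 4.x", "services": "smtp,dns,tftp,http,snmp"},
]

# Table 6 (constructed): what the register says was allocated.
REGISTERED = [
    {"host": "Host 110", "ip": "192.168.0.10", "os": "Linux 3.x", "owner": "ops"},
    {"host": "Host 111", "ip": "192.168.0.16", "os": "Windows Server 2012", "owner": "admin"},
    {"host": "Host 113", "ip": "192.168.0.25", "os": "Linux 4.x", "owner": "admin"},
    {"host": "Host 114", "ip": "192.168.0.30", "os": "Linux 4.x", "owner": "ops"},
]


def reconcile(discovered, registered, fields=("ip", "os")):
    """Step S514: compare the two tables host by host.

    Returns (unowned, mismatched, missing): found but not registered;
    registered but a compared field differs from reality; registered but not
    found (a life-cycle candidate rather than an unowned asset).
    """
    reg = {r["host"]: r for r in registered}
    seen = set()
    unowned, mismatched = [], []
    for d in discovered:
        r = reg.get(d["host"])
        if r is None:
            unowned.append(dict(d, reason="not registered"))
            continue
        seen.add(d["host"])
        diffs = {f: (r.get(f), d.get(f)) for f in fields if r.get(f) != d.get(f)}
        if diffs:
            mismatched.append(dict(d, owner=r.get("owner"), diffs=diffs))
    missing = [r for h, r in reg.items() if h not in seen]
    return unowned, mismatched, missing


def unowned_asset_list(discovered, registered):
    """Table 7 in the sense of the text: unregistered assets and assets whose
    registration does not match the actual situation, sorted by IP address."""
    unowned, mismatched, _ = reconcile(discovered, registered)
    rows = unowned + [dict(m, reason="registration does not match reality") for m in mismatched]
    return sorted(rows, key=lambda r: tuple(int(o) for o in r["ip"].split(".")))


if __name__ == "__main__":
    for row in unowned_asset_list(DISCOVERED, REGISTERED):
        print(row["host"], row["ip"], row["reason"], row.get("diffs", ""))
    print("registered but not found:", [r["host"] for r in reconcile(DISCOVERED, REGISTERED)[2]])
```

Joining on the host name assumes that the name the scan derives (for example from DNS or a service banner) agrees with the register; where it does not, a hardware identifier such as the MAC address seen on the LAN is the more robust key.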
FIG. 7 is a schematic diagram illustrating a network asset identification device, according to an example embodiment. Referring to fig. 7, the apparatus includes:
a first obtaining module 700, configured to obtain an IP address list of a target local area network;
a first determining module 701, configured to determine a host alive in a target local area network according to an IP address in an IP address list;
a first scanning module 702, configured to perform full port scanning on the surviving host to determine surviving ports on the surviving host;
a first obtaining module 703, configured to obtain parameter information of the alive host, and obtain parameter information of a corresponding alive port on the alive host;
a first adding module 704, configured to add the parameter information of the surviving host and the parameter information of the surviving port on the surviving host to a first network asset list corresponding to the target local area network.
Optionally, the apparatus further comprises:
the first monitoring module is used for monitoring and mirroring all IP datagrams in the data flow of the target local area network;
the first analysis module is used for analysing the IP datagram obtained by mirroring, and acquiring a source IP address and a source port number, a destination IP address and a destination port number in the IP datagram;
a second determining module, configured to determine an access object according to the source IP address and the source port number;
a third determining module, configured to determine an accessed object according to the destination IP address and the destination port number;
and the fourth determining module is used for determining the access relation of the host in the first network asset list according to the access object and the accessed object.
Optionally, the apparatus further comprises:
the first management module is used for carrying out safety management on the host in the first network asset list according to the access relation of the host in the first network asset list;
and/or,
and the second management module is used for carrying out life cycle management on the host computers in the first network asset list according to the first network asset list and the access relation of the host computers in the first network asset list.
Optionally, the first management module includes:
the first judging unit is used for judging whether the host in the first network asset list executes the illegal external connection operation according to the destination IP address in the IP datagram sent by the host in the first network asset list and the access authority of the corresponding host;
and/or,
and the first identification unit is used for performing vulnerability identification on the ports which survive on the host computers in the first network asset list so as to identify the vulnerable ports.
Optionally, the second management module includes:
and the first determining unit is used for determining that the host does not survive if the IP datagram of the host in the first network asset list cannot be obtained through mirroring when a preset time threshold is reached.
Optionally, the first scanning module comprises:
the TCP scanning unit is used for carrying out TCP full-port scanning on the surviving host; and/or,
and the UDP scanning unit is used for carrying out UDP full-port scanning on the alive host.
Optionally, the first obtaining module includes:
a generating unit, configured to generate a corresponding scanning task for each alive port on each alive host;
the cache unit is used for caching the scanning task into a scanning task pool;
a starting unit, configured to start a scan task in the scan task pool, and send a multi-protocol detection packet to a corresponding alive port on a corresponding alive host corresponding to the scan task, where the multi-protocol detection packet is used for operating system fingerprint identification and application component fingerprint identification;
and acquiring the parameter information of the surviving host corresponding to the scanning task and the parameter information of the corresponding port on the surviving host corresponding to the scanning task according to the identification results of the operating system fingerprint identification and the application component fingerprint identification.
Optionally, the apparatus further comprises:
a second adding module, configured to add an actual IP address of the surviving host to the first network asset information table;
the second acquisition module is used for acquiring a second network asset information table which is pre-counted aiming at the target local area network;
and the first generation module is used for comparing the host parameter information and the corresponding allocated IP address in the second network asset information table with the host parameter information and the corresponding actual IP address in the first network asset information table to generate the unowned network asset list in the target local area network.
In an exemplary embodiment, the network asset identification apparatus comprises a processor and a memory. The first obtaining module, the first determining module, the first scanning module, the first acquiring module, the first adding module, the first monitoring module, the first analysis module, the second determining module, the third determining module, the fourth determining module, the first management module, the second management module, the second adding module, the second acquiring module and the first generation module, together with the TCP scanning unit and the UDP scanning unit of the first scanning module, the generating unit, cache unit and starting unit of the first acquiring module, the first judging unit and first identification unit of the first management module, and the first determining unit of the second management module, are all stored in the memory as program modules/units, and the processor executes these program units stored in the memory to realise the corresponding functions.
The processor includes one or more cores, and a core calls the corresponding program unit from the memory. By adjusting the core parameters, the host network assets surviving in the target local area network are identified, the parameter information of each host and of the ports surviving on it is obtained, and this parameter information is added to the first network asset list, through which network operation and maintenance (management) personnel can conveniently manage the network assets in the target local area network.
An embodiment of the present invention provides a storage medium having a program stored thereon, which when executed by a processor implements the network asset identification method.
The embodiment of the invention provides a processor, which is used for running a program, wherein the network asset identification method is executed when the program runs.
An apparatus according to an embodiment of the present invention is shown in fig. 8, a schematic diagram of an apparatus according to an exemplary embodiment. The apparatus 80 includes at least one processor 801, at least one memory 802 connected to the processor 801, and a bus 803; the processor 801 and the memory 802 communicate with each other through the bus 803, and the processor 801 is configured to invoke program instructions in the memory 802 to perform the network asset identification method described above. The apparatus may be a server, a PC, a tablet, a mobile phone, etc.
The present application further provides a computer program product adapted to perform a program for initializing the following method steps when executed on a data processing device:
acquiring an IP address list of a target local area network;
determining a host which survives in the target local area network according to the IP address in the IP address list;
performing full port scanning on the surviving host to determine surviving ports on the surviving host;
acquiring parameter information of the alive host and acquiring parameter information of a corresponding alive port on the alive host;
and adding the parameter information of the surviving host and the parameter information of the surviving port on the surviving host into a first network asset list corresponding to the target local area network.
Optionally, the program, when executed on a data processing device, is further adapted to perform a procedure for initializing the following method steps:
monitoring and mirroring all IP datagrams in the data traffic of the target local area network;
analyzing the IP datagram obtained by mirroring, and acquiring a source IP address and a source port number, and a destination IP address and a destination port number in the IP datagram;
determining an access object according to the source IP address and the source port number;
determining an accessed object according to the destination IP address and the destination port number;
and determining the access relation of the host in the first network asset list according to the access object and the accessed object.
Optionally, the program, when executed on a data processing device, is further adapted to perform a procedure for initializing the following method steps:
according to the access relation of the host computers in the first network asset list, carrying out safety management on the host computers in the first network asset list;
and/or,
and performing life cycle management on the host in the first network asset list according to the first network asset list and the access relation of the host in the first network asset list.
Optionally, when executed on a data processing device, the method is adapted to execute a program for initializing the step of performing security management on the host in the first network asset list according to the access relationship of the host in the first network asset list, and specifically includes:
judging whether the host in the first network asset list executes the illegal external connection operation according to a destination IP address in an IP datagram sent by the host in the first network asset list and the access authority of the corresponding host;
and/or,
performing vulnerability identification on ports that survive on the hosts in the first network asset list to identify vulnerable ports.
Optionally, when executed on a data processing device, the method is adapted to execute a program initialized with the step of performing lifecycle management on hosts in the first network asset list according to the first network asset list and access relationships of hosts in the first network asset list, and specifically includes:
and when the preset time threshold is reached and the IP datagram of a certain host in the network asset list is not obtained through mirroring, determining that the host does not survive.
Optionally, when executed on a data processing device, the program is adapted to perform a procedure in which the step of performing a full port scan on the surviving host is initialized, and specifically includes:
performing TCP full port scanning on the surviving host; and/or,
and performing UDP full-port scanning on the alive host.
Optionally, when executed on a data processing device, the program is adapted to execute a program initialized with the step of obtaining parameter information of the surviving host and obtaining parameter information of a corresponding surviving port on the surviving host, and specifically includes:
generating a corresponding scanning task for each alive port on each alive host;
caching the scanning task into a scanning task pool;
starting a scanning task in the scanning task pool, and sending a multi-protocol detection message to a corresponding alive port on a corresponding alive host corresponding to the scanning task, wherein the multi-protocol detection message is used for operating system fingerprint identification and application component fingerprint identification;
and acquiring the parameter information of the surviving host corresponding to the scanning task and the parameter information of the corresponding port on the surviving host corresponding to the scanning task according to the identification results of the operating system fingerprint identification and the application component fingerprint identification.
Optionally, when run on a data processing device, the program is further adapted to execute the following method steps:
adding the actual IP address of the surviving host to the first network asset information table;
acquiring a second network asset information table pre-counted aiming at the target local area network;
comparing the host parameter information and the corresponding allocated IP address in the second network asset information table with the host parameter information and the corresponding actual IP address in the first network asset information table to generate an ownerless network asset list for the target local area network.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, referring to FIG. 8, the device includes one or more processors (CPUs) 801, a memory 802, and a bus 803. The device may also include input/output interfaces, network interfaces, and the like.
The memory 802 may include volatile memory in a computer readable medium, such as Random Access Memory (RAM), and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM); the memory 802 includes at least one memory chip. Memory 802 is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (11)

1. A method for identifying a network asset, the method comprising:
acquiring an IP address list of a target local area network;
determining a host which survives in the target local area network according to the IP address in the IP address list;
performing full port scanning on the surviving host to determine surviving ports on the surviving host;
acquiring parameter information of the alive host and acquiring parameter information of a corresponding alive port on the alive host;
and adding the parameter information of the surviving host and the parameter information of the surviving port on the surviving host into a first network asset list corresponding to the target local area network.
2. The method of claim 1, further comprising:
monitoring and mirroring all IP datagrams in the data traffic of the target local area network;
analyzing the IP datagram obtained by mirroring, and acquiring a source IP address and a source port number, and a destination IP address and a destination port number in the IP datagram;
determining an access object according to the source IP address and the source port number;
determining an accessed object according to the destination IP address and the destination port number;
and determining the access relation of the host in the first network asset list according to the access object and the accessed object.
3. The method of claim 2, further comprising:
performing security management on the hosts in the first network asset list according to the access relation of the hosts in the first network asset list;
and/or,
and performing life cycle management on the host in the first network asset list according to the first network asset list and the access relation of the host in the first network asset list.
4. The method according to claim 3, wherein the step of performing security management on the hosts in the first network asset list according to the access relationship of the hosts in the first network asset list comprises:
judging whether a host in the first network asset list executes an illegal external connection operation according to the destination IP address in an IP datagram sent by the host in the first network asset list and the access authority of the corresponding host;
and/or,
performing vulnerability identification on ports that survive on the hosts in the first network asset list to identify vulnerable ports.
5. The method of claim 3, wherein the step of performing lifecycle management on the hosts in the first network asset list according to the first network asset list and the access relationships of the hosts in the first network asset list comprises:
when a preset time threshold is reached and no IP datagram of a certain host in the first network asset list has been obtained through mirroring, determining that the host no longer survives.
6. The method of claim 1, wherein the step of performing a full port scan of the surviving hosts comprises:
performing TCP full port scanning on the surviving host; and/or,
and performing UDP full-port scanning on the alive host.
7. The method of claim 1, wherein the step of obtaining the parameter information of the surviving host and obtaining the parameter information of the corresponding surviving port on the surviving host comprises:
generating a corresponding scanning task for each alive port on each alive host;
caching the scanning task into a scanning task pool;
starting a scanning task in the scanning task pool, and sending a multi-protocol detection message to a corresponding alive port on a corresponding alive host corresponding to the scanning task, wherein the multi-protocol detection message is used for operating system fingerprint identification and application component fingerprint identification;
and acquiring the parameter information of the surviving host corresponding to the scanning task and the parameter information of the corresponding port on the surviving host corresponding to the scanning task according to the identification results of the operating system fingerprint identification and the application component fingerprint identification.
8. The method of claim 1, further comprising:
adding the actual IP address of the surviving host to the first network asset information table;
acquiring a second network asset information table pre-counted aiming at the target local area network;
comparing the host parameter information and the corresponding allocated IP address in the second network asset information table with the host parameter information and the corresponding actual IP address in the first network asset information table to generate an ownerless network asset list for the target local area network.
9. An apparatus for identifying a network asset, the apparatus comprising:
the first acquisition module is used for acquiring an IP address list of a target local area network;
the first determining module is used for determining the surviving host in the target local area network according to the IP address in the IP address list;
the first scanning module is used for carrying out full-port scanning on the surviving host computer and determining the surviving ports on the surviving host computer;
a first obtaining module, configured to obtain parameter information of the surviving host, and obtain parameter information of a corresponding surviving port on the surviving host;
and the first adding module is used for adding the parameter information of the alive host and the parameter information of the alive port on the alive host into a first network asset list corresponding to the target local area network.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 8.
11. An apparatus comprising at least one processor, at least one memory, and a bus connected to the processor; the processor and the memory communicate with each other through the bus; wherein the processor is configured to call program instructions in the memory to perform the steps of the method of any of claims 1 to 8.
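The access-relation, security-management, lifecycle and inventory-reconciliation steps of claims 2 to 8 (and the matching description above), as an added Python example that is not part of the patent; the LAN range, hosts, inventory entries, access authorities and mirrored datagrams are constructed sample data.

```python
"""Added example (not the patent's own code): reconciles a discovered asset
table with a pre-counted inventory, derives access relations from mirrored
IP datagrams, flags illegal external connections and expires silent hosts.
Every host, address, port and timestamp below is constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")  # constructed target local area network


@dataclass
class Asset:
    ip: str                         # actual IP address observed by discovery
    params: str                     # host parameter info, e.g. OS fingerprint
    external_allowed: bool = False  # the host's "access authority"
    alive: bool = True


# First network asset table: what discovery actually found (constructed).
discovered = {
    "10.0.0.10": Asset("10.0.0.10", "Linux 5.x", external_allowed=True),
    "10.0.0.20": Asset("10.0.0.20", "Windows 10"),
    "10.0.0.30": Asset("10.0.0.30", "Linux 5.x"),
}
# Second table, pre-counted for the LAN: (host params, allocated IP) pairs.
registered = {("Linux 5.x", "10.0.0.10"), ("Windows 10", "10.0.0.20")}

# Mirrored IP datagrams as (timestamp, src_ip, src_port, dst_ip, dst_port).
datagrams = [
    (100.0, "10.0.0.10", 51000, "198.51.100.1", 53),   # permitted external
    (101.0, "10.0.0.20", 51001, "10.0.0.10", 22),      # internal access
    (102.0, "10.0.0.20", 51002, "203.0.113.5", 443),   # external, not permitted
    (103.0, "10.0.0.10", 51003, "10.0.0.20", 445),     # internal access
]


def access_relations(grams):
    """Map each access object (src ip, port) to the accessed (dst ip, port)."""
    rel = defaultdict(set)
    for _ts, sip, sport, dip, dport in grams:
        rel[(sip, sport)].add((dip, dport))
    return dict(rel)


def illegal_external_connections(grams, assets):
    """Hosts in the asset table that reach outside the LAN without authority."""
    hits = []
    for _ts, sip, _sport, dip, _dport in grams:
        asset = assets.get(sip)
        if asset and ip_address(dip) not in LAN and not asset.external_allowed:
            hits.append((sip, dip))
    return hits


def expire_silent_hosts(assets, grams, now, threshold):
    """Mark hosts whose datagrams were not mirrored within the threshold."""
    last_seen = {}
    for ts, sip, _sp, dip, _dp in grams:
        for ip in (sip, dip):
            last_seen[ip] = max(ts, last_seen.get(ip, ts))
    expired = []
    for ip, asset in assets.items():
        if ip not in last_seen or now - last_seen[ip] > threshold:
            asset.alive = False
            expired.append(ip)
    return sorted(expired)


def ownerless_assets(assets, inventory):
    """Discovered hosts whose (params, actual IP) pair is absent from inventory."""
    return sorted(ip for ip, a in assets.items() if (a.params, a.ip) not in inventory)


if __name__ == "__main__":
    print(access_relations(datagrams))
    print(illegal_external_connections(datagrams, discovered))
    print(expire_silent_hosts(discovered, datagrams, now=500.0, threshold=600.0))
    print(ownerless_assets(discovered, registered))
```

Matching on the (parameters, IP) pair rather than on IP alone is what lets the reconciliation catch a host that reuses an allocated address but does not match the registered fingerprint.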
CN201910755099.9A 2019-08-15 2019-08-15 Network asset identification method, device, medium and equipment Pending CN112398782A (en)

Publications (1)

Publication Number Publication Date
CN112398782A true CN112398782A (en) 2021-02-23


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210223