CN112637019B - Network monitoring method - Google Patents


Info

Publication number
CN112637019B
Authority
CN
China
Prior art keywords
monitoring
information
identification information
result
scanning
Legal status
Active
Application number
CN202011614526.0A
Other languages
Chinese (zh)
Other versions
CN112637019A (en)
Inventor
李瀛
符春辉
樊志甲
叶建伟
黄�俊
贠珊
Current Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Events
Application filed by Nsfocus Technologies Inc, Nsfocus Technologies Group Co Ltd
Priority to CN202011614526.0A
Publication of CN112637019A
Application granted
Publication of CN112637019B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis

Abstract

The invention discloses a network monitoring method, a network monitoring apparatus, network monitoring equipment and a network monitoring medium, which are used to solve the problem that, in the prior art, network space assets are not monitored accurately enough. In the embodiment of the invention, target asset identification information is monitored in network traffic; once state information such as whether the corresponding network space asset is online or alive has been obtained, that network space asset is actively scanned and the monitoring result corresponding to the target asset identification information is determined. Compared with the prior approach, in which network space assets are monitored according to active-scanning time information set by a user, this improves the timeliness and accuracy of monitoring network space assets, improves monitoring efficiency, and reduces wasted network resources.

Description

Network monitoring method
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a network monitoring method, apparatus, device, and medium.
Background
The internet permeates every walk of life in today's society, influences every part of people's lives, and has become a technology from which daily life is increasingly inseparable. With the rapid development of the internet, network security has become an increasingly prominent concern. In the field of network security, monitoring the network space assets (assets for short) of interest, and sensing and controlling the risk state of network space assets such as protected assets, are the goals of many security measures.
Taking protected assets as an example, protected assets are currently usually monitored by active scanning, through which the sensing and control of their risk state is realized. However, the existing active scanning method usually relies on the user to set the time information of the active scan: for example, a user may issue an active scanning task by setting time information such as the start time and duration of the active scan through a user interface (UI) or a Representational State Transfer (REST) interface. Whether the task is issued through the UI or the REST interface, the time information of the active scan has to be set by the user. In the network security field, taking the vulnerability state as one kind of risk state, the vulnerability state of a protected asset is affected by many factors, and the rule and period by which it changes are unknown. Relying on the user to set the time information of the active scan therefore may not monitor the protected asset accurately: if the time set by the user happens to fall in a period when the protected asset is offline or not alive, the active scan at that time wastes resources and is redundant; and if the protected asset is currently online or alive but the user does not issue an active scanning task for it for a long time, its vulnerability state may not be learned in time.
Therefore, the existing method for monitoring the cyberspace assets by relying on the time information of the active scanning set by the user cannot accurately monitor the cyberspace assets.
Disclosure of Invention
The invention provides a network monitoring method, a network monitoring device, network monitoring equipment and a network monitoring medium, which are used for solving the problem that in the prior art, the monitoring of network space assets is not accurate enough.
In a first aspect, an embodiment of the present invention provides a network monitoring method, where the method includes:
according to each asset identification information and monitoring information carried in the received first monitoring instruction, passive monitoring is carried out, and whether any asset identification information exists in network flow is judged;
if yes, determining monitored target asset identification information, actively scanning according to the target asset identification information and the monitoring information, and determining a monitoring result corresponding to the target asset identification information based on a scanning result of the active scanning.
Further, after the active scanning is performed and before the monitoring result corresponding to the target asset identification information is determined based on the scanning result of the active scanning, the method further includes:
determining a monitoring result of the passive monitoring for the target asset identification information, judging, for each first information in that monitoring result, whether the first information matches second information corresponding to the first information in the scanning result of the active scanning, and determining, according to the matching result and based on the scanning result of the active scanning, the monitoring result corresponding to the target asset identification information.
Further, the determining, according to the matching result and based on the scanning result of the active scanning, the monitoring result corresponding to the target asset identification information includes:
and if the first information is matched with second information corresponding to the first information in the scanning result of the active scanning, determining a monitoring result corresponding to the target asset identification information according to the scanning result of the active scanning.
Further, the determining, according to the matching result and based on the scanning result of the active scanning, the monitoring result corresponding to the target asset identification information includes:
if the first information is not matched with second information corresponding to the first information in the scanning result of the active scanning, updating the second information corresponding to the first information in the scanning result of the active scanning into the first information, and determining a monitoring result corresponding to the target asset identification information according to the updated scanning result; or, alternatively,
and if the first information is not matched with second information corresponding to the first information in the scanning result of the active scanning, deleting the second information corresponding to the first information in the scanning result of the active scanning, and determining a monitoring result corresponding to the target asset identification information according to the scanning result after deleting the second information.
Further, if the first monitoring instruction carries an active scanning condition, before performing active scanning according to the target asset identification information and the monitoring information, the method further includes:
judging whether the current network traffic meets the active scanning condition, and if so, carrying out the subsequent steps.
Further, the judging whether the current network traffic meets the active scanning condition includes:
judging whether a set first packet exists in the current network traffic; or, alternatively,
judging whether the current network traffic state is a set state that allows the active scanning to be performed.
Further, if the monitoring information carried in the first monitoring instruction includes stereoscopic fingerprint portrait monitoring, after determining the monitoring result corresponding to the target asset identification information, the method further includes:
determining a stereoscopic fingerprint portrait of the target asset identification information according to the currently determined fingerprint feature monitoring result corresponding to the target asset identification information and a set number of fingerprint feature monitoring results, within a set time period, corresponding to the target asset identification information.
Further, if the monitoring information carried in the first monitoring instruction includes vulnerability repair state monitoring, after determining the monitoring result corresponding to the target asset identification information, the method further includes:
determining the vulnerability repair state of the target asset identification information according to the currently determined vulnerability monitoring result corresponding to the target asset identification information and a set number of vulnerability monitoring results corresponding to the target asset identification information.
Further, the method further comprises:
receiving a second monitoring instruction, wherein monitoring information carried in the second monitoring instruction comprises a version vulnerability identification;
determining, based on active scanning, a version vulnerability recognition identifier corresponding to the version vulnerability identification;
passively monitoring, according to the asset identification information and the version vulnerability identification carried in the second monitoring instruction, whether any asset identification information and version vulnerability recognition identifier exist in the network traffic, and if so, determining the monitored target asset identification information and the target version vulnerability identification corresponding to the monitored target version vulnerability recognition identifier, and outputting the target version vulnerability identification.
Further, the monitoring information includes at least one of a monitoring duration, a monitoring period, and time information of outputting a monitoring result each time.
In a second aspect, an embodiment of the present invention provides a network monitoring apparatus, where the apparatus includes:
the monitoring module is used for carrying out passive monitoring according to each asset identification information and monitoring information carried in the received first monitoring instruction and judging whether any asset identification information exists in network flow;
and the determining module is used for determining the monitored target asset identification information if any asset identification information exists in the network flow, performing active scanning according to the target asset identification information and the monitoring information, and determining a monitoring result corresponding to the target asset identification information based on the scanning result of the active scanning.
Further, the determining module is further configured to determine, after the active scanning is performed and before the monitoring result corresponding to the target asset identification information is determined based on the scanning result of the active scanning, a monitoring result for passive monitoring of the target asset identification information, determine, for each first information in the monitoring result, whether a second information corresponding to the first information in the scanning result of the active scanning matches the first information, and determine, according to the matching result and based on the scanning result of the active scanning, the monitoring result corresponding to the target asset identification information.
Further, the determining module is specifically configured to determine, according to the scanning result of the active scanning, a monitoring result corresponding to the target asset identification information if the first information matches with second information corresponding to the first information in the scanning result of the active scanning.
Further, the determining module is specifically configured to update second information corresponding to the first information in the scanning result of the active scanning to the first information if the first information is not matched with second information corresponding to the first information in the scanning result of the active scanning, and determine a monitoring result corresponding to the target asset identification information according to the updated scanning result; or, alternatively,
and if the first information is not matched with second information corresponding to the first information in the scanning result of the active scanning, deleting the second information corresponding to the first information in the scanning result of the active scanning, and determining a monitoring result corresponding to the target asset identification information according to the scanning result after deleting the second information.
Further, the determining module is specifically configured to, if the first monitoring instruction carries an active scanning condition, determine whether the current network traffic meets the active scanning condition before performing active scanning according to the target asset identification information and the monitoring information, and if so, perform subsequent steps.
Further, the determining module is specifically configured to determine whether a set first packet exists in the current network traffic; or, alternatively,
to determine whether the current network traffic state is a set state that allows the active scanning to be performed.
Further, the determining module is specifically configured to, if the monitoring information carried in the first monitoring instruction includes a monitored stereoscopic fingerprint portrait, determine the stereoscopic fingerprint portrait of the target asset identification information according to the currently determined monitoring result of the fingerprint feature corresponding to the target asset identification information and the set number of monitoring results of the fingerprint feature within the set time period corresponding to the target asset identification information.
Further, the determining module is specifically configured to, if the monitoring information carried in the first monitoring instruction includes a monitoring vulnerability repair state, determine, after determining the monitoring result corresponding to the target asset identification information, the vulnerability repair state of the target asset identification information according to the currently determined vulnerability monitoring result corresponding to the target asset identification information and the set number of vulnerability monitoring results corresponding to the target asset identification information.
Further, the monitoring module is further configured to receive a second monitoring instruction, where monitoring information carried in the second monitoring instruction includes a version vulnerability identification;
the determining module is further configured to determine, based on active scanning, a version vulnerability recognition identifier corresponding to the version vulnerability identification;
and the monitoring module is further configured to passively monitor, according to the asset identification information and the version vulnerability identification carried in the second monitoring instruction, whether any asset identification information and version vulnerability recognition identifier exist in the network traffic, and if so, to determine the monitored target asset identification information and the target version vulnerability identification corresponding to the monitored target version vulnerability recognition identifier, and to output the target version vulnerability identification.
In a third aspect, an embodiment of the present invention provides an electronic device, where the electronic device includes at least a processor and a memory, and the processor is configured to implement the steps of the network monitoring method as described in any one of the above when executing a computer program stored in the memory.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, which stores a computer program, and when the computer program is executed by a processor, the computer program implements the steps of any one of the network monitoring methods described above.
Because the embodiment of the invention monitors target asset identification information in network traffic and, once state information such as whether the corresponding network space asset is online or alive has been obtained, actively scans that network space asset and determines the monitoring result corresponding to the target asset identification information, it improves, compared with the prior approach of monitoring network space assets according to active-scanning time information set by a user, the timeliness and accuracy of monitoring network space assets, while also improving monitoring efficiency and reducing wasted network resources.
Drawings
Fig. 1 is a schematic diagram of a first network monitoring process according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a second network monitoring process according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a third network monitoring process according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a fourth network monitoring process according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a fifth network monitoring process according to an embodiment of the present invention;
fig. 6 is a schematic diagram of a sixth network monitoring process according to an embodiment of the present invention;
fig. 7 is a schematic diagram of a seventh network monitoring process according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of a network monitoring device according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application will be described in further detail with reference to the accompanying drawings, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to accurately monitor the network space assets, the embodiment of the invention provides a network monitoring method, a network monitoring device, network monitoring equipment and a network monitoring medium.
Example 1:
fig. 1 is a schematic diagram of a first network monitoring process provided in an embodiment of the present invention, where the process includes the following steps:
S101: carrying out passive monitoring according to each asset identification information and monitoring information carried in the received first monitoring instruction, and judging whether any asset identification information exists in the network traffic.
The network monitoring method provided by the embodiment of the invention is applied to an electronic device; the electronic device may be a device such as a PC (personal computer) or a mobile terminal, or it may be a server or the like.
In a possible implementation manner, in order to accurately monitor the cyberspace asset, the electronic device may perform passive monitoring according to each asset identification information and monitoring information carried in the received first monitoring instruction. Each asset identification information and the monitoring information carried in the first monitoring instruction can be flexibly set according to requirements: the asset identification information may be an IP address, a MAC address, a port number, a network space asset name and the like, and the monitoring information may include real-time monitoring of principle-based vulnerabilities, real-time monitoring of vulnerabilities arising from asset state changes, stereoscopic fingerprint portrait monitoring of protected assets, and the like.
In a possible implementation manner, whether any asset identification information in each asset identification information carried in the first monitoring instruction exists in the network traffic may be determined through passive monitoring.
S102: if yes, determining monitored target asset identification information, actively scanning according to the target asset identification information and the monitoring information, and determining a monitoring result corresponding to the target asset identification information based on a scanning result of the active scanning.
In the embodiment of the invention, if passive monitoring finds that any asset identification information among those carried in the first monitoring instruction exists in the network traffic, the monitored target asset identification information can be determined, and the network space asset corresponding to that target asset identification information can be considered currently online or alive. Illustratively, suppose the asset identification information carried in the first monitoring instruction is 192.168.1.1, 192.168.1.2, 192.168.1.3, …, 192.168.1.100; if the asset identification information 192.168.1.1 is observed in the network traffic, it may be determined that the monitored target asset identification information is 192.168.1.1, and the network space asset corresponding to it may be considered currently online.
In order to improve the accuracy of monitoring network space assets, target asset identification information can be monitored in network traffic, and after state information such as whether the corresponding network space asset is online or alive has been obtained, active scanning is carried out according to the monitored target asset identification information and the monitoring information carried in the first monitoring instruction. Specifically, the target asset identification information may be actively scanned using existing techniques, which are not described again here. After the active scanning is performed, a monitoring result corresponding to the target asset identification information can be determined based on the scanning result of the active scanning, so that the user can learn the risk state of the cyberspace asset from the monitoring result.
Because the embodiment of the invention monitors target asset identification information in network traffic and, once state information such as whether the corresponding network space asset is online or alive has been obtained, actively scans that network space asset and determines the monitoring result corresponding to the target asset identification information, it improves, compared with the prior approach of monitoring network space assets according to active-scanning time information set by a user, the timeliness and accuracy of monitoring network space assets, while also improving monitoring efficiency and reducing wasted network resources.
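As an added illustration of steps S101 and S102 together with the active-scanning condition from the disclosure (a set packet present in current traffic, or a traffic state that permits scanning), the following Python is example code written for this page, not code from the patent or from the assignee. The flow records, the `MonitoringInstruction` field names, the packet tags, the traffic-state names and the `fake_active_scan` stand-in are all constructed assumptions; the point it shows is that the scan is triggered by an identifier actually observed in traffic rather than by a user-set schedule.

```python
"""Added example (not from the patent): passive monitoring that triggers an
active scan only for assets actually seen in traffic, gated by the optional
active-scanning condition. All traffic records and scan results are
constructed sample data."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed flow records, as a passive sensor might summarise them.
SAMPLE_TRAFFIC = [
    {"src_ip": "192.168.1.1", "src_mac": "00:11:22:33:44:01", "dst_port": 443, "tag": "TLS_CLIENT_HELLO"},
    {"src_ip": "10.0.0.9",    "src_mac": "00:11:22:33:44:99", "dst_port": 22,  "tag": "SSH_BANNER"},
    {"src_ip": "192.168.1.3", "src_mac": "00:11:22:33:44:03", "dst_port": 80,  "tag": "HTTP_GET"},
]


@dataclass
class MonitoringInstruction:
    """First monitoring instruction (field names are assumptions): the asset
    identifiers to watch for, the monitoring information, and an optional
    active-scanning condition."""
    asset_ids: Set[str]                        # IP, MAC, port number or asset name
    monitoring_info: List[str]
    required_packet_tag: Optional[str] = None  # the "set first packet" condition
    allowed_states: Set[str] = field(default_factory=lambda: {"idle", "normal"})


def passive_monitor(instruction, traffic):
    """S101: return, in order of first appearance, the identifiers from the
    instruction that appear in the traffic."""
    seen = []
    for rec in traffic:
        for candidate in (rec["src_ip"], rec["src_mac"], str(rec["dst_port"])):
            if candidate in instruction.asset_ids and candidate not in seen:
                seen.append(candidate)
    return seen


def scan_condition_met(instruction, traffic, traffic_state):
    """Active-scanning condition: with no condition set, scanning is allowed;
    otherwise either the set packet must be present in current traffic or the
    traffic state must be one that permits scanning."""
    if instruction.required_packet_tag is None:
        return True
    has_packet = any(r["tag"] == instruction.required_packet_tag for r in traffic)
    return has_packet or traffic_state in instruction.allowed_states


def fake_active_scan(asset_id, monitoring_info):
    """Stand-in for the active scanner: returns a constructed result only."""
    return {"asset": asset_id, "open_ports": [443], "checks": list(monitoring_info)}


def monitor(instruction, traffic, traffic_state="busy", scanner=fake_active_scan):
    """S101 + S102: scan only the assets observed in traffic, and only when the
    scanning condition holds. Returns {asset_id: monitoring_result}."""
    targets = passive_monitor(instruction, traffic)
    if not targets or not scan_condition_met(instruction, traffic, traffic_state):
        return {}
    return {t: scanner(t, instruction.monitoring_info) for t in targets}


if __name__ == "__main__":
    instr = MonitoringInstruction(
        asset_ids={"192.168.1.1", "192.168.1.2", "192.168.1.3"},
        monitoring_info=["principle_vulnerability"])
    # Only 192.168.1.1 and 192.168.1.3 were seen, so only they are scanned.
    print(monitor(instr, SAMPLE_TRAFFIC))
```

Swapping `fake_active_scan` for a real scanner keeps the gating logic unchanged; the asset list in the instruction can be long, but scans are issued only for the subset that passive monitoring proves to be online.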
Example 2:
in order to accurately determine the monitoring result corresponding to the target asset identification information, on the basis of the foregoing embodiment, in an embodiment of the present invention, after the performing active scanning, before determining the monitoring result corresponding to the target asset identification information based on a scanning result of the active scanning, the method further includes:
determining a monitoring result of the passive monitoring for the target asset identification information, judging, for each first information in that monitoring result, whether the first information matches second information corresponding to the first information in the scanning result of the active scanning, and determining, according to the matching result and based on the scanning result of the active scanning, the monitoring result corresponding to the target asset identification information.
In general, network noise and similar factors may interfere with the scanning result of the active scanning. Although the monitoring result of passive monitoring contains less information than the scanning result of active scanning, its information is more accurate, so the scanning result of the active scanning may be corrected based on the monitoring result of the passive monitoring. In the embodiment of the present invention, in order to accurately determine the monitoring result corresponding to the target asset identification information, after the active scanning is performed and before that monitoring result is determined based on the scanning result of the active scanning, it may be determined, for each first information in the monitoring result of the passive monitoring, whether the first information matches the second information corresponding to it in the scanning result of the active scanning, and the monitoring result corresponding to the target asset identification information may then be determined more accurately according to the matching result.
Example 3:
in order to accurately determine a monitoring result corresponding to target asset identification information according to a matching result, on the basis of the foregoing embodiments, in an embodiment of the present invention, the determining, according to the matching result and based on a scanning result of active scanning, the monitoring result corresponding to the target asset identification information includes:
and if the first information is matched with second information corresponding to the first information in the scanning result of the active scanning, determining a monitoring result corresponding to the target asset identification information according to the scanning result of the active scanning.
In a possible implementation manner, when the monitoring result corresponding to the target asset identification information is determined according to the matching result, for each first information in the monitoring result of the passive monitoring, if the first information is matched with the second information corresponding to the first information in the scanning result of the active scanning, the scanning result of the active scanning may be considered to be relatively accurate, and the scanning result of the active scanning may be determined as the monitoring result corresponding to the target asset identification information.
Example 4:
in order to accurately determine a monitoring result corresponding to target asset identification information according to a matching result, on the basis of the foregoing embodiments, in an embodiment of the present invention, the determining, according to the matching result and based on a scanning result of active scanning, the monitoring result corresponding to the target asset identification information includes:
if the first information is not matched with second information corresponding to the first information in the scanning result of the active scanning, updating the second information corresponding to the first information in the scanning result of the active scanning into the first information, and determining a monitoring result corresponding to the target asset identification information according to the updated scanning result; or, alternatively,
and if the first information is not matched with second information corresponding to the first information in the scanning result of the active scanning, deleting the second information corresponding to the first information in the scanning result of the active scanning, and determining a monitoring result corresponding to the target asset identification information according to the scanning result after deleting the second information.
For each first information in the passively monitored monitoring result, if the first information is not matched with the second information corresponding to the first information in the scanning result of the active scanning, it may be considered that the second information corresponding to the first information in the scanning result of the active scanning is inaccurate.
In a possible implementation manner, for each first information in the monitoring results of passive monitoring, if the first information does not match with second information corresponding to the first information in the scanning results of active scanning, in order to accurately determine the monitoring result corresponding to the target asset identification information, the second information corresponding to the first information in the scanning results of active scanning may also be deleted, and the scanning result after deleting the second information is determined as the monitoring result corresponding to the target asset identification information.
For convenience of understanding, the network monitoring process provided by the embodiment of the present invention is described below by using a specific embodiment, and fig. 2 is a schematic diagram of a second network monitoring process provided by the embodiment of the present invention, as shown in fig. 2, the process includes the following steps:
S201: perform passive monitoring according to each asset identification information and the monitoring information carried in the received first monitoring instruction, and judge whether any of the asset identification information exists in the network traffic.
S202: if so, determine the monitored target asset identification information, and perform active scanning according to the target asset identification information and the monitoring information.
S203: determine the monitoring result of the passive monitoring for the target asset identification information; for each piece of first information in that monitoring result, judge whether it matches the second information corresponding to it in the scanning result of the active scanning; if so, perform S204; if not, perform S205.
S204: determine the monitoring result corresponding to the target asset identification information according to the scanning result of the active scanning.
S205: update the second information corresponding to the first information in the scanning result of the active scanning to the first information, and determine the monitoring result corresponding to the target asset identification information according to the updated scanning result; or, alternatively,
delete the second information corresponding to the first information from the scanning result of the active scanning, and determine the monitoring result corresponding to the target asset identification information according to the scanning result with the second information deleted.
In general, the monitoring result of the passive monitoring contains less information than the scanning result of the active scanning, but the information it does contain is more accurate. This is why the scanning result of the active scanning is corrected by the monitoring result of the passive monitoring rather than the other way round.
Example 5:
In order to accurately determine the monitoring result corresponding to the target asset identification information, on the basis of the foregoing embodiments, in an embodiment of the present invention, if the first monitoring instruction carries an active scanning condition, then before performing active scanning according to the target asset identification information and the monitoring information, the method further includes:
judging whether the current network traffic satisfies the active scanning condition, and if so, performing the subsequent steps.
In the embodiment of the present invention, in order to determine the monitoring result corresponding to the target asset identification information more accurately, the first monitoring instruction may carry an active scanning condition. In that case, before performing active scanning according to the target asset identification information and the monitoring information in the first monitoring instruction, it is judged whether the current network traffic satisfies the active scanning condition carried in the first monitoring instruction. If it does, a relatively accurate scanning result can be expected from actively scanning the current network, and the active scanning is performed according to the target asset identification information and the monitoring information in the first monitoring instruction.
It can be understood that if the current network traffic does not satisfy the active scanning condition carried in the first monitoring instruction, a scanning result obtained by actively scanning the current network cannot be expected to be accurate, and the active scanning may be deferred.
For convenience of understanding, the network monitoring process provided by the embodiment of the present invention is described below by using a specific embodiment, and fig. 3 is a schematic diagram of a third network monitoring process provided by the embodiment of the present invention, as shown in fig. 3, the process includes the following steps:
S301: perform passive monitoring according to each asset identification information and the monitoring information carried in the received first monitoring instruction, judge whether any of the asset identification information carried in the first monitoring instruction exists in the network traffic, and if so, perform S302.
Here the first monitoring instruction carries the active scanning condition.
S302: judge whether the current network traffic satisfies the active scanning condition carried in the first monitoring instruction, and if so, perform S303.
S303: determine the monitored target asset identification information, perform active scanning according to the target asset identification information and the monitoring information carried in the first monitoring instruction, and determine the monitoring result corresponding to the target asset identification information based on the scanning result of the active scanning.
Example 6:
in order to accurately determine whether the current network traffic meets the active scanning condition, on the basis of the foregoing embodiments, in an embodiment of the present invention, the determining whether the current network traffic meets the active scanning condition includes:
judging whether a set first message exists in the current network traffic; or, alternatively,
judging whether the state of the current network traffic is a set state in which active scanning is allowed to be executed.
Specifically, the active scanning condition can be set flexibly according to requirements. In a possible implementation manner, a user may set different active scanning conditions according to the different measures in place for protecting the cyberspace assets. Whether the current network traffic satisfies the preset active scanning condition may be determined by judging whether a set first message exists in the current network traffic; for example, the condition may be considered satisfied when the set first message exists in the current network traffic, or, conversely, when the set first message does not exist in the current network traffic. The first message may also be set flexibly according to requirements; for example, for each asset identification information carried in the first monitoring instruction, the set first message may be a message that matches that asset identification information, so that an asset is actively scanned only while it is actually seen communicating.
In a possible implementation manner, whether the current network traffic satisfies the preset active scanning condition may also be determined by judging whether the state of the current network traffic is a set state in which active scanning is allowed. This state may be set flexibly according to requirements; for example, the set state may be that the current network traffic is idle, or that it is busy.
The embodiment of the invention can thus set different active scanning conditions according to the network state, the cyberspace asset protection measures and so on, and start active scanning only when the current network traffic is judged to satisfy the active scanning condition.
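The following is an added example, not part of the patent text, showing an active scanning condition gate in the two forms described in Example 6: presence (or absence) of a set first message in the observed traffic, or a set traffic state (idle or busy). The packet record layout, the idle/busy bit-rate threshold, the condition format and the sample observation window are assumptions made for this illustration.

```python
# Added example (not part of the patent): an active scanning condition gate in
# the two forms described in Example 6. Packet records, the busy/idle threshold
# and the condition format are assumptions made for this illustration.
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    """One observed traffic record (fields assumed for the example)."""
    ts: float          # seconds since the start of the observation window
    src: str
    dst: str
    nbytes: int
    payload: str = ""  # e.g. an application banner, used for message matching


@dataclass(frozen=True)
class ScanCondition:
    """Active scanning condition carried in the first monitoring instruction.

    kind="message_present": scan only if a packet carrying `message` is seen
    kind="message_absent" : scan only if no packet carrying `message` is seen
    kind="state"          : scan only if the traffic state equals `state`
                            ("idle" or "busy"), judged against `busy_bps`
    """
    kind: str
    message: Optional[str] = None
    state: Optional[str] = None
    busy_bps: float = 1_000_000.0  # assumed threshold: >= 1 Mbit/s is "busy"


def message_present(packets: Iterable[Packet], message: str) -> bool:
    """True if any packet carries the set message in its payload or endpoints.

    In the text's example the message is an asset identifier, so an IP address
    matching either endpoint counts as the message being present.
    """
    return any(message in p.payload or message in (p.src, p.dst) for p in packets)


def traffic_state(packets: List[Packet], busy_bps: float) -> str:
    """Classify the observation window as 'idle' or 'busy' by average bit rate."""
    if len(packets) < 2:
        return "idle"
    span = max(p.ts for p in packets) - min(p.ts for p in packets)
    total_bits = 8 * sum(p.nbytes for p in packets)
    rate = total_bits / span if span > 0 else float("inf")  # burst in one instant
    return "busy" if rate >= busy_bps else "idle"


def condition_satisfied(packets: List[Packet], cond: ScanCondition) -> bool:
    """S302: decide whether active scanning may start under `cond`."""
    if cond.kind in ("message_present", "message_absent"):
        if not cond.message:
            raise ValueError("message conditions need a non-empty message")
        seen = message_present(packets, cond.message)
        return seen if cond.kind == "message_present" else not seen
    if cond.kind == "state":
        if cond.state not in ("idle", "busy"):
            raise ValueError(f"unknown traffic state {cond.state!r}")
        return traffic_state(packets, cond.busy_bps) == cond.state
    raise ValueError(f"unknown active scanning condition kind {cond.kind!r}")


# Constructed observation window (not captured traffic): 1,600 bytes over 10 s.
SAMPLE_WINDOW = [
    Packet(0.0, "10.0.0.5", "10.0.0.20", 400, "SSH-2.0-OpenSSH_7.4"),
    Packet(2.5, "10.0.0.7", "10.0.0.20", 300, "GET / HTTP/1.1"),
    Packet(5.0, "10.0.0.5", "10.0.0.21", 500),
    Packet(10.0, "10.0.0.9", "10.0.0.20", 400),
]

if __name__ == "__main__":
    asset_seen = ScanCondition("message_present", message="10.0.0.20")
    network_idle = ScanCondition("state", state="idle")
    print("scan 10.0.0.20 because it is talking:", condition_satisfied(SAMPLE_WINDOW, asset_seen))
    print("scan because the network is idle:", condition_satisfied(SAMPLE_WINDOW, network_idle))
```

The message form is the safer default when the asset list may contain hosts that are switched off: it prevents the active scanning unit from probing addresses nothing has been heard from. The state form protects the network instead; an empty or single-packet window is deliberately classified as idle rather than raising, since the threshold is about load, not evidence of activity.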
Example 7:
In order to determine the fingerprint stereoscopic portrait of the target asset identification information, on the basis of the foregoing embodiments, in an embodiment of the present invention, if the monitoring information carried in the first monitoring instruction includes monitoring of the fingerprint stereoscopic portrait, then after determining the monitoring result corresponding to the target asset identification information, the method further includes:
determining the fingerprint stereoscopic portrait of the target asset identification information according to the currently determined fingerprint feature monitoring result corresponding to the target asset identification information and a set number of fingerprint feature monitoring results corresponding to the target asset identification information within a set time period.
If the monitoring information carried in the first monitoring instruction includes monitoring of the fingerprint stereoscopic portrait, the fingerprint feature monitoring results corresponding to the target asset identification information in different monitoring periods are determined, and the fingerprint stereoscopic portrait of the target asset identification information is determined according to the fingerprint feature monitoring result of each monitoring period. In a possible implementation manner, the first monitoring instruction may carry monitoring time information such as the duration of each monitoring, the monitoring period and the time at which monitoring results are output, and the fingerprint feature monitoring result corresponding to the target asset identification information in each monitoring period is determined according to this monitoring time information. Alternatively, each monitoring period corresponds to its own first monitoring instruction, and the fingerprint feature monitoring result of each monitoring period is determined according to that instruction.
For example, for each monitoring period, passive monitoring is performed according to each asset identification information and the monitoring information carried in the received first monitoring instruction, and it is judged whether any of the asset identification information carried in the first monitoring instruction exists in the network traffic. If so, the monitored target asset identification information is determined, active scanning is performed according to the target asset identification information and the monitoring information, and the fingerprint feature monitoring result corresponding to the target asset identification information in that monitoring period is determined based on the scanning result of the active scanning.
In a possible implementation manner, after the active scanning is performed and before the fingerprint feature monitoring result corresponding to the target asset identification information in the monitoring period is determined based on the scanning result of the active scanning, the monitoring result of the passive monitoring for the target asset identification information is determined. For each piece of first information in that monitoring result, it is judged whether it matches the second information corresponding to it in the scanning result of the active scanning. If it matches, the fingerprint feature monitoring result corresponding to the target asset identification information in the monitoring period is determined according to the scanning result of the active scanning. If it does not match, the second information corresponding to the first information in the scanning result of the active scanning is updated to the first information and the fingerprint feature monitoring result corresponding to the target asset identification information in the monitoring period is determined according to the updated scanning result; or, alternatively, the second information corresponding to the first information is deleted from the scanning result of the active scanning and the fingerprint feature monitoring result corresponding to the target asset identification information in the monitoring period is determined according to the scanning result with the second information deleted.
In a possible implementation manner, the set time period and the set number of monitoring periods may be set flexibly according to requirements, which is not specifically limited in the embodiment of the present invention. In general, each monitoring period corresponds to one fingerprint feature monitoring result, so the number of fingerprint feature monitoring results equals the number of monitoring periods. The fingerprint stereoscopic portrait of the target asset identification information is determined from the fingerprint feature monitoring results determined in each monitoring period, namely the fingerprint feature monitoring result determined in the current monitoring period together with the fingerprint feature monitoring results determined in a set number of other monitoring periods within the set time period. How the fingerprint stereoscopic portrait itself is derived from those per-period results may follow existing techniques and is not described here again.
Example 8:
In order to monitor the vulnerability repair state, on the basis of the foregoing embodiments, in an embodiment of the present invention, if the monitoring information carried in the first monitoring instruction includes monitoring of the vulnerability repair state, then after determining the monitoring result corresponding to the target asset identification information, the method further includes:
determining the vulnerability repair state of the target asset identification information according to the currently determined vulnerability monitoring result corresponding to the target asset identification information and a set number of vulnerability monitoring results corresponding to the target asset identification information.
If the monitoring information carried in the first monitoring instruction includes monitoring of the vulnerability repair state, the vulnerability monitoring results corresponding to the target asset identification information in different monitoring periods need to be determined, and the vulnerability repair state of the target asset identification information is determined according to the vulnerability monitoring result of each monitoring period. In a possible implementation manner, the first monitoring instruction may carry monitoring time information such as the duration of each monitoring, the monitoring period and the time at which monitoring results are output, and the vulnerability monitoring result corresponding to the target asset identification information in each monitoring period is determined according to this monitoring time information. Alternatively, each monitoring period corresponds to its own first monitoring instruction, and the vulnerability monitoring result of each monitoring period is determined according to that instruction.
The process of determining the vulnerability monitoring result corresponding to the target asset identification information in each monitoring period according to the first monitoring instruction is the same as in the foregoing embodiments. For example, for each monitoring period, passive monitoring is performed according to each asset identification information and the monitoring information carried in the received first monitoring instruction, it is judged whether any of the asset identification information carried in the first monitoring instruction exists in the network traffic, and if so, the monitored target asset identification information is determined and active scanning is performed according to the target asset identification information and the monitoring information.
In a possible implementation manner, after the active scanning is performed, the monitoring result of the passive monitoring for the target asset identification information is determined, and for each piece of first information in that monitoring result it is judged whether it matches the second information corresponding to it in the scanning result of the active scanning. If it matches, the vulnerability monitoring result corresponding to the target asset identification information in the monitoring period is determined according to the scanning result of the active scanning. If it does not match, the second information corresponding to the first information in the scanning result of the active scanning is updated to the first information and the vulnerability monitoring result corresponding to the target asset identification information in the monitoring period is determined according to the updated scanning result; or, alternatively, the second information corresponding to the first information is deleted from the scanning result of the active scanning and the vulnerability monitoring result corresponding to the target asset identification information in the monitoring period is determined according to the scanning result with the second information deleted.
In a possible implementation manner, the number of monitoring periods may be preset and may be set flexibly according to requirements, which is not specifically limited in the embodiment of the present invention. The vulnerability repair state of the target asset identification information is determined from the vulnerability monitoring results determined in each monitoring period, namely the vulnerability monitoring result determined in the current monitoring period together with the vulnerability monitoring results determined in a set number of other monitoring periods corresponding to the target asset identification information.
For example, taking two monitoring periods: in the first monitoring period the monitoring result of the passive monitoring shows principle vulnerability A and the scanning result of the active scanning also shows principle vulnerability A, so the monitoring result of the first monitoring period is taken to be that principle vulnerability A exists. If in the second monitoring period the monitoring result of the passive monitoring shows no principle vulnerability A and the scanning result of the active scanning also shows no principle vulnerability A, the monitoring result of the second monitoring period is taken to be that principle vulnerability A no longer exists, and vulnerability A is considered repaired. If instead in the second monitoring period the monitoring result of the passive monitoring shows principle vulnerability A while the scanning result of the active scanning shows no principle vulnerability A, the monitoring result of the second monitoring period is corrected to show principle vulnerability A, and vulnerability A is considered not repaired.
The embodiment of the invention can thus correct the scanning result of the active scanning with the monitoring result of the passive monitoring, thereby improving the accuracy with which the vulnerability repair state is detected.
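The following is an added example, not part of the patent text, that serves both Example 4 (the S203 to S205 reconciliation of the passive monitoring result with the active scanning result, in both the update and the delete variant) and Example 8 (judging the vulnerability repair state across monitoring periods, reproducing the two-period case for vulnerability A above). Monitoring results are modelled as flat dictionaries from field name to value, a vulnerability finding is the field "vuln:<id>" carrying True or False, and the field names, the update/delete mode switch and the window size are assumptions of this example.

```python
# Added example (not part of the patent): the S203-S205 reconciliation of the
# passive monitoring result with the active scanning result, followed by the
# repair-state judgement of Example 8 across monitoring periods. Results are
# modelled as flat dicts (field name -> value); a vulnerability finding is the
# field "vuln:<id>" -> True/False. Field names, the update/delete mode switch
# and the window size are assumptions of this example.
from typing import Any, Dict, List, Optional, Tuple

Result = Dict[str, Any]


def reconcile(passive: Result, active: Result, mode: str = "update") -> Result:
    """Correct an active scanning result with a passive monitoring result.

    For every first-information field reported by passive monitoring:
      * equal to the active scan's second information -> keep it (S204)
      * different, or absent from the active scan     -> S205: in mode "update"
        overwrite it with the passive value; in mode "delete" drop the field.
    Fields passive monitoring did not report stay as the active scan found
    them, so the merged result keeps the breadth of the active scan and the
    accuracy of passive monitoring.
    """
    if mode not in ("update", "delete"):
        raise ValueError(f"unknown mode {mode!r}")
    merged = dict(active)
    for key, first in passive.items():
        if key in active and active[key] == first:
            continue
        if mode == "update":
            merged[key] = first
        else:
            merged.pop(key, None)
    return merged


def vulnerability_state(result: Result, vuln_id: str) -> Optional[bool]:
    """True = present, False = absent, None = this result says nothing about it."""
    return result.get(f"vuln:{vuln_id}")


def repair_state(period_results: List[Result], vuln_id: str, window: int = 1) -> str:
    """Example 8: judge repair from the current period plus `window` earlier ones.

    Returns "repaired", "not_repaired", "never_seen" or "unknown". "unknown" is
    returned when the current result carries no finding for the vulnerability,
    which is exactly what a mismatch produces in "delete" mode: a missing
    field must not be read as "absent".
    """
    if not period_results:
        raise ValueError("no monitoring periods")
    recent = period_results[-(window + 1):]
    current, earlier = recent[-1], recent[:-1]
    now = vulnerability_state(current, vuln_id)
    if now is None:
        return "unknown"
    if now:
        return "not_repaired"
    if any(vulnerability_state(r, vuln_id) for r in earlier):
        return "repaired"
    return "never_seen"


def track_repair(periods: List[Tuple[Result, Result]], vuln_id: str,
                 mode: str = "update") -> str:
    """Reconcile every (passive, active) period pair, oldest first, then judge."""
    merged = [reconcile(passive, active, mode) for passive, active in periods]
    return repair_state(merged, vuln_id, window=len(merged) - 1)


if __name__ == "__main__":
    # Constructed data reproducing the text's two-period example for vulnerability A.
    first_period = ({"vuln:A": True}, {"vuln:A": True})
    repaired = [first_period, ({"vuln:A": False}, {"vuln:A": False})]
    still_open = [first_period, ({"vuln:A": True}, {"vuln:A": False})]
    print(track_repair(repaired, "A"))              # repaired
    print(track_repair(still_open, "A"))            # not_repaired
    print(track_repair(still_open, "A", "delete"))  # unknown
```

The third call is the caveat worth noting when choosing between the two S205 variants: the delete variant never asserts a value the monitoring cannot confirm, but anything consuming the merged result must then treat a missing field as unknown rather than as "vulnerability absent", otherwise a vulnerability that passive monitoring still sees would be reported as repaired.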
Example 9:
In order to monitor version vulnerabilities quickly and accurately, on the basis of the foregoing embodiments, in an embodiment of the present invention, the method further includes:
receiving a second monitoring instruction, where the monitoring information carried in the second monitoring instruction includes a version vulnerability identifier;
determining, based on active scanning, a version vulnerability recognition identifier corresponding to the version vulnerability identifier;
and passively monitoring, according to the asset identification information carried in the second monitoring instruction and the version vulnerability recognition identifier, whether any of the asset identification information and any version vulnerability recognition identifier exist in the network traffic, and if so, determining the monitored target asset identification information and the target version vulnerability identifier corresponding to the monitored target version vulnerability recognition identifier, and outputting them.
In the embodiment of the present invention, if a second monitoring instruction is received whose monitoring information carries, in addition to the asset identification information, a version vulnerability identifier, the version vulnerability corresponding to that version vulnerability identifier needs to be monitored.
In the prior art, version vulnerabilities are usually monitored by active scanning; however, active scanning takes longer than passive monitoring. In order to improve monitoring efficiency and ensure that the version vulnerability is monitored in a timely manner, in the embodiment of the invention the version vulnerability is monitored by passive monitoring. Specifically, so that passive monitoring can recognise the version vulnerability, a version vulnerability recognition identifier corresponding to the version vulnerability identifier carried in the second monitoring instruction is first determined based on the vulnerability library of the active scanning or the like. Then, according to the asset identification information carried in the second monitoring instruction and the version vulnerability recognition identifier, passive monitoring judges whether any of that asset identification information and any version vulnerability recognition identifier exist in the network traffic. If so, the monitored target asset identification information is determined, the target version vulnerability identifier corresponding to the monitored target version vulnerability recognition identifier is determined, and both are output so that the user learns the monitoring result.
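The following is an added example, not part of the patent text, of the Example 9 flow: a version vulnerability identifier from the second monitoring instruction is resolved through a vulnerability library into a recognition identifier (product name plus affected version range) that passive monitoring can match against service banners seen in traffic. The vulnerability library, the VULN-000x identifiers, the Product/version banner format and the flow records are all constructed for this illustration and stand in for the real vulnerability library of an active scanning unit.

```python
# Added example (not part of the patent): the Example 9 flow. A version
# vulnerability identifier is resolved through a vulnerability library into a
# recognition identifier that passive monitoring can match against banners.
# The library, the VULN-000x identifiers, the banner format and the flow
# records are all constructed.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class RecognitionIdentifier:
    """What the passive monitor matches: product and inclusive version range."""
    vuln_id: str
    product: str
    min_version: Version
    max_version: Version


# Constructed vulnerability library, as an active scanning unit might hold it.
VULN_LIBRARY: Dict[str, dict] = {
    "VULN-0001": {"product": "ExampleHTTPd", "affected": ("2.4.0", "2.4.9")},
    "VULN-0002": {"product": "ExampleSSH", "affected": ("7.0", "7.4")},
}

# Banner fragment of the form Product/1.2.3 (format assumed for the example).
BANNER_RE = re.compile(r"(?P<product>[A-Za-z][A-Za-z0-9_-]*)/(?P<version>\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """Numeric tuple so that 2.4.10 sorts after 2.4.9 (a string compare would not)."""
    return tuple(int(part) for part in text.split("."))


def recognition_identifier(vuln_id: str,
                           library: Dict[str, dict] = VULN_LIBRARY) -> RecognitionIdentifier:
    """S604/S605: derive the recognition identifier for one vulnerability identifier."""
    entry = library[vuln_id]
    low, high = entry["affected"]
    return RecognitionIdentifier(vuln_id, entry["product"],
                                 parse_version(low), parse_version(high))


def banner_matches(banner: str, rid: RecognitionIdentifier) -> bool:
    """True if the banner advertises rid.product at a version inside the range."""
    for m in BANNER_RE.finditer(banner):
        if m.group("product") == rid.product:
            version = parse_version(m.group("version"))
            if rid.min_version <= version <= rid.max_version:
                return True
    return False


def passive_monitor(flows: List[Tuple[str, str]], asset_ids: List[str],
                    rids: List[RecognitionIdentifier]) -> List[Tuple[str, str]]:
    """S607: flows are (asset identifier, observed banner) pairs.

    Returns (target asset identification, target version vulnerability
    identifier) for every flow whose asset is monitored and whose banner matches.
    """
    monitored = set(asset_ids)
    hits = []
    for asset, banner in flows:
        if asset not in monitored:
            continue
        for rid in rids:
            if banner_matches(banner, rid):
                hits.append((asset, rid.vuln_id))
    return hits


# Constructed traffic observations (not real captures).
SAMPLE_FLOWS = [
    ("10.0.0.20", "Server: ExampleHTTPd/2.4.3"),
    ("10.0.0.20", "SSH-2.0-ExampleSSH/7.9"),        # outside the affected range
    ("10.0.0.21", "Server: ExampleHTTPd/2.4.3"),    # asset not in the instruction
    ("10.0.0.22", "SSH-2.0-ExampleSSH/7.2"),
]


def run_demo() -> List[Tuple[str, str]]:
    rids = [recognition_identifier(v) for v in ("VULN-0001", "VULN-0002")]
    return passive_monitor(SAMPLE_FLOWS, ["10.0.0.20", "10.0.0.22"], rids)


if __name__ == "__main__":
    for asset, vuln in run_demo():
        print(f"{asset} exposes {vuln}")
```

Two details matter in practice: versions are compared as integer tuples, because a string comparison would place 2.4.10 before 2.4.9 and miss affected hosts, and a banner match is only evidence of a version vulnerability, not of exploitability; the principle-scan reconciliation of the earlier examples is what confirms it.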
Example 10:
In order to monitor flexibly, on the basis of the foregoing embodiments, in an embodiment of the present invention, the monitoring information includes at least one of a monitoring duration, a monitoring period, and the time at which the monitoring result is output.
In a possible implementation manner, the monitoring information carried in the first monitoring instruction and in the second monitoring instruction may each include at least one of the following monitoring time information: the duration of each monitoring, the monitoring period, and the time at which monitoring results are output. The electronic device determines, according to this monitoring time information, the monitoring result corresponding to the target asset identification information in each monitoring period, and outputs the corresponding monitoring result at the set output time, so that the cyberspace assets are monitored continuously and the user experience is improved. The process of determining the monitoring result corresponding to the target asset identification information in each monitoring period is the same as in the foregoing embodiments and is not described here again.
For convenience of understanding, a network monitoring process provided in the embodiment of the present invention is described below with a specific embodiment, fig. 4 is a schematic diagram of a fourth network monitoring process provided in the embodiment of the present invention, and as shown in fig. 4, a master control unit (Tier1-MNT), at least one management scheduling unit (Tier2-MNT), at least one active scanning unit, and at least one passive monitoring unit may be disposed in an electronic device.
The master control unit receives the monitoring instruction issued by the user and sends it to at least one management scheduling unit, or sends it directly to the active scanning unit and the passive monitoring unit; the user can also view the monitoring result corresponding to the target asset identification information through the master control unit. In addition, the master control unit may serve as the interface for data exchange between the electronic device and third-party platforms such as a web application firewall (WAF), an intrusion detection system (IDS), a security operations center (SOC), an advanced persistent threat (APT) detection platform and other third-party management platforms; this data exchange may be implemented through an application programming interface (API).
At least one working group can be set in an isolation Area formed by each subnet or Virtual Local Area Network (VLAN), and a management scheduling unit is set in each working group. If the management scheduling unit receives the monitoring instruction sent by the main control unit, the management scheduling unit can send the monitoring instruction to the active scanning unit and the passive monitoring unit which are located in the same working group with the management scheduling unit, meanwhile, the management scheduling unit can also receive the monitoring result corresponding to the target asset identification information determined by the active scanning unit and the passive monitoring unit, and send the monitoring result corresponding to the target asset identification information to the main control unit, and a user can check the monitoring result corresponding to the target asset identification information through the main control unit.
The active scanning unit and the passive monitoring unit monitor the cyberspace assets; they can perform host vulnerability scanning, web application vulnerability scanning, asset fingerprint feature identification and the like. At least one active scanning unit may be provided in a workgroup, and it monitors every cyberspace asset in the workgroup where it is located. In general, at least one passive monitoring unit is provided in each domain of each workgroup, and it monitors every cyberspace asset in the domain where it is located.
In a possible implementation manner, the active scanning unit and the passive monitoring unit may be located in the same unit or in different units; likewise, the active scanning unit and the management scheduling unit may be located in the same unit or in different units, as required. For example, in a centralized management and control mode the active scanning unit and the management scheduling unit are placed in different units, that is, deployed separately; in a flat management and control mode they are placed in the same unit, that is, deployed together.
A network monitoring process provided by the embodiment of the present invention is described below with a specific embodiment, and fig. 5 is a schematic diagram of a fifth network monitoring process provided by the embodiment of the present invention, as shown in fig. 5, the process includes the following steps:
S501: the master control unit receives a first monitoring instruction sent by the user and sends the first monitoring instruction to the management scheduling unit.
S502: the management scheduling unit sends the first monitoring instruction to the passive monitoring unit. The passive monitoring unit performs passive monitoring according to each asset identification information and the monitoring information carried in the received first monitoring instruction, judges whether any of the asset identification information carried in the first monitoring instruction exists in the network traffic, and if so, determines the monitored target asset identification information and sends it to the management scheduling unit.
S503: the management scheduling unit sends the target asset identification information and the monitoring information in the first monitoring instruction to the active scanning unit. The active scanning unit performs active scanning according to the target asset identification information and the monitoring information carried in the first monitoring instruction, determines the monitoring result corresponding to the target asset identification information based on the scanning result of the active scanning, and sends that monitoring result to the management scheduling unit.
S504: the management scheduling unit sends the monitoring result corresponding to the target asset identification information to the master control unit, so that the user can obtain the monitoring result corresponding to the target asset identification information through the master control unit.
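The following is an added example, not part of the patent text, of the S501 to S504 exchange with several workgroups. The master control unit fans the first monitoring instruction out to the management scheduling unit of every workgroup; each scheduler keeps only the asset identifiers inside its workgroup's subnet, asks its passive monitoring units which of those are actually seen in traffic, sends exactly those to its active scanning unit and returns the results upward. The message shapes, the subnets and domains, the traffic samples and the inventory table standing in for a real active scanner are assumptions of this example.

```python
# Added example (not part of the patent): the S501-S504 exchange of Fig. 5 with
# several workgroups keyed by subnet (the text's subnet/VLAN isolation areas).
# Message shapes, subnets, traffic samples and the inventory standing in for a
# real scanner are assumptions of this example.
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List

Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class FirstMonitoringInstruction:
    asset_ids: List[str]                 # IP addresses in this example
    monitoring_info: Dict[str, object]   # e.g. {"fingerprint": True}


class PassiveMonitoringUnit:
    """Watches one domain of a workgroup (S502)."""

    def __init__(self, domain: Network, traffic: List[str]):
        self.domain = domain
        self.seen = set(traffic)   # constructed: endpoints observed in traffic

    def monitor(self, instr: FirstMonitoringInstruction) -> List[str]:
        return [a for a in instr.asset_ids
                if ipaddress.ip_address(a) in self.domain and a in self.seen]


class ActiveScanningUnit:
    """Scans only the targets the passive units confirmed (S503)."""

    def __init__(self, scanner: Callable[[str, Dict[str, object]], dict]):
        self.scanner = scanner

    def scan(self, targets: List[str], info: Dict[str, object]) -> Dict[str, dict]:
        return {t: self.scanner(t, info) for t in targets}


class ManagementSchedulingUnit:
    """One per workgroup; routes between master, passive and active units."""

    def __init__(self, workgroup: Network, passive_units: List[PassiveMonitoringUnit],
                 active_unit: ActiveScanningUnit):
        self.workgroup = workgroup
        self.passive_units = passive_units
        self.active_unit = active_unit

    def handle(self, instr: FirstMonitoringInstruction) -> Dict[str, dict]:
        in_scope = [a for a in instr.asset_ids if ipaddress.ip_address(a) in self.workgroup]
        if not in_scope:
            return {}
        scoped = FirstMonitoringInstruction(in_scope, instr.monitoring_info)
        # Union over all domains; an asset seen by any passive unit is a target.
        targets = sorted({t for pu in self.passive_units for t in pu.monitor(scoped)})
        return self.active_unit.scan(targets, instr.monitoring_info)


class MasterControlUnit:
    """Receives the user's instruction (S501) and collects results (S504)."""

    def __init__(self, schedulers: List[ManagementSchedulingUnit]):
        self.schedulers = schedulers

    def submit(self, instr: FirstMonitoringInstruction) -> Dict[str, dict]:
        results: Dict[str, dict] = {}
        for scheduler in self.schedulers:
            results.update(scheduler.handle(instr))
        return results


# Constructed inventory standing in for what a real active scan would find.
INVENTORY = {"10.0.0.20": [22, 80], "10.0.0.130": [443], "10.0.1.7": [22]}


def inventory_scanner(target: str, info: Dict[str, object]) -> dict:
    return {"open_ports": INVENTORY.get(target, []), "info": dict(info)}


def run_demo() -> Dict[str, dict]:
    wg_a = ManagementSchedulingUnit(
        Network("10.0.0.0/24"),
        [PassiveMonitoringUnit(Network("10.0.0.0/25"), ["10.0.0.20", "10.0.0.5"]),
         PassiveMonitoringUnit(Network("10.0.0.128/25"), ["10.0.0.130"])],
        ActiveScanningUnit(inventory_scanner))
    wg_b = ManagementSchedulingUnit(
        Network("10.0.1.0/24"),
        [PassiveMonitoringUnit(Network("10.0.1.0/24"), ["10.0.1.7"])],
        ActiveScanningUnit(inventory_scanner))
    master = MasterControlUnit([wg_a, wg_b])
    instr = FirstMonitoringInstruction(
        ["10.0.0.20", "10.0.0.130", "10.0.0.99", "10.0.1.7", "10.0.2.1"],
        {"fingerprint": True})
    return master.submit(instr)


if __name__ == "__main__":
    for asset, result in run_demo().items():
        print(asset, result["open_ports"])
```

In the demo, 10.0.0.99 is in scope for the first workgroup but never appears in its traffic, so it is not scanned, and 10.0.2.1 belongs to no workgroup, so no scheduler accepts it; both are dropped silently rather than probed, which is the point of letting passive monitoring decide what the active scanner touches.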
For ease of understanding, the network monitoring process provided by the embodiment of the present invention is described below with a specific embodiment. Fig. 6 is a schematic diagram of a sixth network monitoring process provided in the embodiment of the present invention; as shown in Fig. 6, the process includes the following steps:
S601: the main control unit receives a second monitoring instruction sent by a user, wherein the second monitoring instruction carries asset identification information and monitoring information, and the monitoring information includes a version vulnerability identification, a monitoring duration and a monitoring result output time.
S602: the main control unit sends the second monitoring instruction to the management scheduling unit.
S603: the management scheduling unit judges whether the active scanning unit and the management scheduling unit are arranged in the same unit; if so, proceed to S604; if not, proceed to S605.
S604: the management scheduling unit sends the version vulnerability identification to the active scanning unit located in the same unit as the management scheduling unit; the active scanning unit determines the version vulnerability identification identifier corresponding to the version vulnerability identification, based on the vulnerability library used for active scanning among other sources, and the process proceeds to S606.
S605: the management scheduling unit sends the version vulnerability identification to the active scanning unit located in the same working group as the management scheduling unit; the active scanning unit determines the version vulnerability identification identifier corresponding to the version vulnerability identification, based on the vulnerability library used for active scanning among other sources, and the process proceeds to S606.
S606: the management scheduling unit sends the asset identification information, the version vulnerability identification identifier, the monitoring duration and the monitoring result output time to the passive monitoring unit in the same working group as the management scheduling unit.
S607: the passive monitoring unit continuously determines whether any of the asset identification information together with the version vulnerability identification identifier is present in the network traffic, while S608 is performed in parallel. If such asset identification information and version vulnerability identification identifier are present in the network traffic, proceed to S609.
S608: the passive monitoring unit determines whether the monitoring duration has elapsed and the monitoring result output time has been reached; if so, proceed to S610.
S609: the passive monitoring unit determines the monitored target asset identification information and the monitored target version vulnerability identification identifier, and sends both to the management scheduling unit.
S610: the management scheduling unit determines the target version vulnerability identification corresponding to the target version vulnerability identification identifier according to the correspondence between the version vulnerability identification and the version vulnerability identification identifier, and sends a monitoring result containing the target asset identification information and the target version vulnerability identification to the main control unit.
S611: the main control unit receives and outputs the monitoring results sent by each management scheduling unit.
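The Fig. 6 flow above, as an added Python example that is not part of the patent text: the user supplies a version vulnerability identification, a stand-in for the active scanning unit resolves it to traffic-observable identification identifiers via a constructed vulnerability library (S604/S605), the passive monitoring unit watches constructed traffic records for instructed assets carrying one of those identifiers within the monitoring duration (S607–S609), and the management scheduling unit maps hits back to the vulnerability identification once the result output time has been reached (S608/S610). The vulnerability identifiers, product strings, addresses and traffic records are all constructed placeholders; the function and class names are this example's own, not the patent's.

```python
"""Added example (not from the patent): the Fig. 6 flow in Python."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed stand-in for the active scanning unit's vulnerability library (S604/S605):
# version vulnerability identification -> identification identifiers observable in traffic.
# All identifiers and product strings are placeholders, not real advisories or products.
VULN_LIBRARY: Dict[str, Set[str]] = {
    "VULN-EXAMPLE-1": {"ExampleHTTPd/2.1", "ExampleHTTPd/2.2"},
    "VULN-EXAMPLE-2": {"ExampleSSH-7.0"},
}


@dataclass(frozen=True)
class SecondMonitoringInstruction:
    asset_ids: frozenset          # asset identification information (IP addresses here)
    vuln_ids: frozenset           # version vulnerability identifications from the user
    monitoring_duration: int      # seconds of traffic to watch after the start (S608)
    result_output_time: int       # timestamp at which results may be output (S608)


def resolve_identifiers(vuln_ids: Iterable[str]) -> Dict[str, str]:
    """Active scanning unit (S604/S605): identification identifier -> vulnerability id.
    Unknown vulnerability identifications simply contribute nothing."""
    mapping: Dict[str, str] = {}
    for vid in vuln_ids:
        for identifier in VULN_LIBRARY.get(vid, ()):
            mapping[identifier] = vid
    return mapping


# Constructed traffic records in timestamp order: (timestamp, sending asset, payload text).
TRAFFIC: List[Tuple[int, str, str]] = [
    (100, "10.0.0.20", "Server: ExampleHTTPd/2.1"),
    (101, "10.0.0.21", "Server: ExampleHTTPd/3.0"),      # version not in the library
    (102, "10.0.0.22", "SSH-2.0-ExampleSSH-7.0"),
    (200, "10.0.0.20", "Server: ExampleHTTPd/2.1"),      # outside the monitoring duration
]


def passive_monitor(instr, identifiers, traffic, start_ts) -> Set[Tuple[str, str]]:
    """Passive monitoring unit (S607/S609): (asset, identification identifier) pairs for
    instructed assets whose traffic carries a known identifier within the duration.
    Traffic records are assumed to be in timestamp order."""
    deadline = start_ts + instr.monitoring_duration
    hits: Set[Tuple[str, str]] = set()
    for ts, asset, payload in traffic:
        if ts > deadline:                       # S608: monitoring duration reached
            break
        if asset not in instr.asset_ids:
            continue
        for identifier in identifiers:
            if identifier in payload:
                hits.add((asset, identifier))
    return hits


def run_second_instruction(instr, traffic, start_ts, now_ts):
    """Management scheduling unit: S604/S605 -> S606 -> S607-S609 -> S610.
    Returns None while the result output time has not been reached."""
    id_to_vuln = resolve_identifiers(instr.vuln_ids)
    hits = passive_monitor(instr, id_to_vuln, traffic, start_ts)
    if now_ts < instr.result_output_time:       # S608: not yet time to output
        return None
    # S610: map each monitored identifier back to the vulnerability identification.
    return sorted({(asset, id_to_vuln[identifier]) for asset, identifier in hits})


if __name__ == "__main__":
    instr = SecondMonitoringInstruction(
        asset_ids=frozenset({"10.0.0.20", "10.0.0.21", "10.0.0.22", "10.0.0.23"}),
        vuln_ids=frozenset({"VULN-EXAMPLE-1", "VULN-EXAMPLE-2"}),
        monitoring_duration=50, result_output_time=150)
    print(run_second_instruction(instr, TRAFFIC, start_ts=100, now_ts=160))
```

The passive unit never sees the vulnerability identification itself, only the identifiers the library maps it to, which is why S610 has to translate hits back before they reach the main control unit; asset 10.0.0.21 is instructed but carries a version outside the library, so it never produces a hit.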
For ease of understanding, the network monitoring process provided in the embodiment of the present invention is further described below with a specific embodiment. Fig. 7 is a schematic diagram of a seventh network monitoring process provided in the embodiment of the present invention; as shown in Fig. 7, the process includes the following steps:
S701: the main control unit receives a first monitoring instruction sent by a user and sends it to the management scheduling unit. The monitoring information carried in the first monitoring instruction includes principle vulnerability identification information.
S702: the management scheduling unit sends the first monitoring instruction to the passive monitoring unit. The passive monitoring unit performs passive monitoring according to each asset identification information and the monitoring information carried in the received first monitoring instruction, and judges whether any of the asset identification information carried in the first monitoring instruction is present in the network traffic; if so, proceed to S703.
S703: the passive monitoring unit determines the monitored target asset identification information and sends it to the management scheduling unit. In addition, the passive monitoring unit may also send the passively monitored monitoring result for the target asset identification information to the management scheduling unit.
S704: the management scheduling unit sends the target asset identification information and the monitoring information to the active scanning unit.
S705: the active scanning unit performs active scanning according to the target asset identification information and the monitoring information carried in the first monitoring instruction, and sends the scanning result of the active scanning to the management scheduling unit.
S706: the management scheduling unit determines the monitoring result of the passive monitoring for the target asset identification information and, for each first information in that monitoring result, judges whether the first information matches the second information corresponding to it in the scanning result of the active scanning; if so, proceed to S707; if not, proceed to S708.
The monitoring result of the passive monitoring and the scanning result of the active scanning may each include, for the network space asset, an access range, a network protocol, an online event, an offline event, timestamp information of the corresponding event, and the like.
S707: the management scheduling unit determines the monitoring result corresponding to the target asset identification information according to the scanning result of the active scanning, and proceeds to S709.
S708: the management scheduling unit either updates the second information corresponding to the first information in the scanning result of the active scanning to the first information and determines the monitoring result corresponding to the target asset identification information according to the updated scanning result, or deletes the second information corresponding to the first information from the scanning result of the active scanning and determines the monitoring result corresponding to the target asset identification information according to the scanning result with the second information deleted.
S709: the management scheduling unit sends the monitoring result corresponding to the target asset identification information to the main control unit, so that the user can obtain that monitoring result through the main control unit.
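The Fig. 5 and Fig. 7 flows above, as an added Python example that is not part of the patent text: passive detection of the instructed assets in constructed traffic records (S702/S703), an optional gate implementing the active scanning condition (a set first packet present in the current traffic, or a traffic state that permits scanning), a stand-in for the active scanning unit that returns constructed scan fields rather than probing anything, and the S706–S708 reconciliation in which each first information of the passive result is compared with the corresponding second information of the scan result and, on mismatch, either overwrites it or deletes it. Addresses, timestamps, field names and the `monitor`, `reconcile` and `scan_condition_met` helpers are this example's own assumptions; an asset that never appears in traffic is never scanned, which is the efficiency point the page makes.

```python
"""Added example (not from the patent): passive detection, scan-condition gate,
simulated active scan and first/second information reconciliation."""
from typing import Dict, Optional

# Constructed traffic records as a passive monitoring unit might decode them from mirrored traffic.
TRAFFIC = [
    {"ts": 1000, "src": "10.0.0.5",  "dst": "10.0.0.20", "proto": "TCP", "dport": 443},
    {"ts": 1001, "src": "10.0.0.20", "dst": "10.0.0.5",  "proto": "TCP", "dport": 51532},
    {"ts": 1002, "src": "10.0.0.7",  "dst": "10.0.0.30", "proto": "UDP", "dport": 53},
    {"ts": 1003, "src": "10.0.0.30", "dst": "10.0.0.7",  "proto": "UDP", "dport": 40001},
]


def passive_monitor(asset_ids, traffic) -> Dict[str, dict]:
    """S702/S703: passive result ("first information") per instructed asset seen in traffic.
    Fields follow the page's list: network protocol, online event, event timestamp."""
    result: Dict[str, dict] = {}
    for rec in traffic:
        for asset in (rec["src"], rec["dst"]):
            if asset not in asset_ids:
                continue
            entry = result.setdefault(asset, {"online": True, "protocols": set(), "last_seen": rec["ts"]})
            entry["protocols"].add(rec["proto"])
            entry["last_seen"] = max(entry["last_seen"], rec["ts"])
    # Freeze the protocol sets so passive and scan fields compare by value.
    return {a: {**e, "protocols": frozenset(e["protocols"])} for a, e in result.items()}


def scan_condition_met(traffic, trigger: Optional[dict] = None,
                       allowed_states: Optional[set] = None, state: str = "normal") -> bool:
    """Active scanning condition: a set first packet (all fields of `trigger` match) is present
    in the current traffic, or the current traffic state is one that permits active scanning."""
    if trigger is not None and any(all(rec.get(k) == v for k, v in trigger.items()) for rec in traffic):
        return True
    return allowed_states is not None and state in allowed_states


def simulated_active_scan(asset_id: str) -> dict:
    """Stand-in for the active scanning unit: constructed scan fields ("second information")."""
    table = {
        "10.0.0.20": {"online": True, "protocols": frozenset({"TCP"}), "last_seen": 1001, "os": "example-os"},
        "10.0.0.30": {"online": False, "protocols": frozenset(), "last_seen": 900},  # stale scan view
    }
    return dict(table.get(asset_id, {"online": False}))


def reconcile(passive: dict, scan: dict, on_mismatch: str = "update") -> dict:
    """S706-S708: compare each first information with its corresponding second information."""
    if on_mismatch not in ("update", "delete"):
        raise ValueError("on_mismatch must be 'update' or 'delete'")
    merged = dict(scan)
    for key, first in passive.items():
        if key not in merged:          # No corresponding second information: the page does not
            continue                   # specify this case, so the scan result is left unchanged.
        if merged[key] == first:
            continue                   # S707: matched, the scan value stands
        if on_mismatch == "update":
            merged[key] = first        # S708, option 1: overwrite with the passive value
        else:
            del merged[key]            # S708, option 2: drop the conflicting field
    return merged


def monitor(asset_ids, traffic, on_mismatch: str = "update", condition: Optional[dict] = None) -> Dict[str, dict]:
    """Full flow: passive detection -> optional scan-condition gate -> active scan -> reconciliation."""
    passive = passive_monitor(asset_ids, traffic)
    results: Dict[str, dict] = {}
    for asset, first_info in passive.items():
        if condition is not None and not scan_condition_met(traffic, **condition):
            continue                   # condition not met: no active scan for this asset
        results[asset] = reconcile(first_info, simulated_active_scan(asset), on_mismatch)
    return results


if __name__ == "__main__":
    print(monitor({"10.0.0.20", "10.0.0.30", "10.0.0.99"}, TRAFFIC))
```

With the `update` policy, the stale scan view of 10.0.0.30 (offline, last seen at 900) is corrected by the fresher passive observation; with `delete`, every conflicting field is dropped and only fields both sources agree on survive. Which policy is right depends on whether the passive sensor or the scanner is the more trusted source for a given field, which the page leaves to the deployment.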
Example 11:
On the basis of the foregoing embodiments, an embodiment of the present invention provides a network monitoring device. Fig. 8 is a schematic structural diagram of the network monitoring device provided in the embodiment of the present invention; as shown in Fig. 8, the network monitoring device includes:
a monitoring module 81, configured to perform passive monitoring according to each asset identification information and the monitoring information carried in the received first monitoring instruction, and to judge whether any of the asset identification information is present in the network traffic;
a determining module 82, configured to, if any of the asset identification information is present in the network traffic, determine the monitored target asset identification information, perform active scanning according to the target asset identification information and the monitoring information, and determine, based on the scanning result of the active scanning, the monitoring result corresponding to the target asset identification information.
In a possible implementation manner, the determining module 82 is further configured to determine, after performing active scanning and before determining a monitoring result corresponding to the target asset identification information based on a scanning result of the active scanning, a monitoring result for passive monitoring of the target asset identification information, determine, for each first information in the monitoring result, whether a second information corresponding to the first information in the scanning result of the active scanning matches the first information, and determine, according to a matching result and based on the scanning result of the active scanning, the monitoring result corresponding to the target asset identification information.
In a possible implementation manner, the determining module 82 is specifically configured to determine, according to a scanning result of the active scanning, a monitoring result corresponding to the target asset identification information if the first information matches with second information corresponding to the first information in the scanning result of the active scanning.
In a possible implementation manner, the determining module 82 is specifically configured to, if the first information does not match the second information corresponding to the first information in the scanning result of the active scanning, update that second information to the first information and determine the monitoring result corresponding to the target asset identification information according to the updated scanning result; or, alternatively,
if the first information does not match the second information corresponding to the first information in the scanning result of the active scanning, delete that second information from the scanning result of the active scanning and determine the monitoring result corresponding to the target asset identification information according to the scanning result with the second information deleted.
In a possible implementation manner, the determining module 82 is specifically configured to, if the first monitoring instruction carries an active scanning condition, judge whether the current network traffic meets the active scanning condition before performing active scanning according to the target asset identification information and the monitoring information, and to perform the subsequent steps only if it does.
In a possible implementation manner, the determining module 82 is specifically configured to judge whether a set first packet is present in the current network traffic; or, alternatively,
to judge whether the current network traffic state is a set state that allows active scanning to be executed.
In a possible implementation manner, the determining module 82 is specifically configured to, if the monitoring information carried in the first monitoring instruction includes monitoring of a stereoscopic fingerprint image, determine, after the monitoring result corresponding to the target asset identification information has been determined, the stereoscopic fingerprint image of the target asset identification information according to the currently determined monitoring result of the fingerprint features corresponding to the target asset identification information and the set number of monitoring results of the fingerprint features corresponding to the target asset identification information within the set time period.
In a possible implementation manner, the determining module 82 is specifically configured to, if the monitoring information carried in the first monitoring instruction includes monitoring of a vulnerability repair state, determine, after the monitoring result corresponding to the target asset identification information has been determined, the vulnerability repair state of the target asset identification information according to the currently determined vulnerability monitoring result corresponding to the target asset identification information and the set number of previous vulnerability monitoring results corresponding to the target asset identification information.
In a possible implementation manner, the monitoring module 81 is further configured to receive a second monitoring instruction, where monitoring information carried in the second monitoring instruction includes a version vulnerability identifier;
the determining module 82 is further configured to determine, based on the active scanning, a version vulnerability identification identifier corresponding to the version vulnerability identification;
the monitoring module 81 is further configured to passively monitor, according to the asset identification information and the version vulnerability identification carried in the second monitoring instruction, whether any of the asset identification information together with the version vulnerability identification identifier is present in the network traffic, and if so, to determine and output the monitored target asset identification information and the target version vulnerability identification corresponding to the monitored target version vulnerability identification identifier.
Because the embodiment of the invention monitors the network traffic for the target asset identification information, actively scans the network space asset corresponding to that identification information only after its online or alive state information has been obtained, and then determines the corresponding monitoring result, the timeliness and accuracy of monitoring network space assets are improved compared with the existing approach of monitoring by active scanning at times set by the user; at the same time, monitoring efficiency is improved and wasted network resources are reduced.
Example 12:
On the basis of the foregoing embodiments, an embodiment of the present invention further provides an electronic device. Fig. 9 is a schematic structural diagram of the electronic device provided in the embodiment of the present invention; as shown in Fig. 9, the electronic device includes a processor 91, a communication interface 92, a memory 93 and a communication bus 94, wherein the processor 91, the communication interface 92 and the memory 93 communicate with each other through the communication bus 94;
the memory 93 has stored therein a computer program which, when executed by the processor 91, causes the processor 91 to perform the steps of:
performing passive monitoring according to each asset identification information and the monitoring information carried in the received first monitoring instruction, and judging whether any of the asset identification information is present in the network traffic;
if so, determining the monitored target asset identification information, performing active scanning according to the target asset identification information and the monitoring information, and determining the monitoring result corresponding to the target asset identification information based on the scanning result of the active scanning.
In a possible implementation manner, the processor 91 is further configured to, after performing the active scanning and before determining the monitoring result corresponding to the target asset identification information based on the scanning result of the active scanning, determine the monitoring result of the passive monitoring for the target asset identification information, judge, for each first information in that monitoring result, whether the second information corresponding to the first information in the scanning result of the active scanning matches the first information, and perform, according to the matching result, the subsequent step of determining the monitoring result corresponding to the target asset identification information based on the scanning result of the active scanning.
In a possible implementation manner, the processor 91 is specifically configured to determine, according to a scanning result of the active scanning, a monitoring result corresponding to the target asset identification information if the first information matches with second information corresponding to the first information in the scanning result of the active scanning.
In a possible implementation manner, the processor 91 is specifically configured to, if the first information does not match the second information corresponding to the first information in the scanning result of the active scanning, update that second information to the first information and determine the monitoring result corresponding to the target asset identification information according to the updated scanning result; or, alternatively,
if the first information does not match the second information corresponding to the first information in the scanning result of the active scanning, delete that second information from the scanning result of the active scanning and determine the monitoring result corresponding to the target asset identification information according to the scanning result with the second information deleted.
In a possible implementation manner, the processor 91 is further configured to, if the first monitoring instruction carries an active scanning condition, determine whether the current network traffic meets the active scanning condition before performing active scanning according to the target asset identification information and the monitoring information, and if so, perform subsequent steps.
In a possible implementation manner, the processor 91 is specifically configured to judge whether a set first packet is present in the current network traffic; or, alternatively,
to judge whether the current network traffic state is a set state that allows active scanning to be executed.
In a possible implementation manner, the processor 91 is further configured to, if the monitoring information carried in the first monitoring instruction includes monitoring of a stereoscopic fingerprint image, determine, after the monitoring result corresponding to the target asset identification information has been determined, the stereoscopic fingerprint image of the target asset identification information according to the currently determined monitoring result of the fingerprint features corresponding to the target asset identification information and the set number of monitoring results of the fingerprint features corresponding to the target asset identification information within the set time period.
In a possible implementation manner, the processor 91 is further configured to, if the monitoring information carried in the first monitoring instruction includes monitoring of a vulnerability repair state, determine, after the monitoring result corresponding to the target asset identification information has been determined, the vulnerability repair state of the target asset identification information according to the currently determined vulnerability monitoring result corresponding to the target asset identification information and the set number of previous vulnerability monitoring results corresponding to the target asset identification information.
In a possible implementation manner, the processor 91 is further configured to receive a second monitoring instruction, where monitoring information carried in the second monitoring instruction includes a version vulnerability identification;
determine, based on active scanning, the version vulnerability identification identifier corresponding to the version vulnerability identification;
and passively monitor, according to the asset identification information and the version vulnerability identification carried in the second monitoring instruction, whether any of the asset identification information together with the version vulnerability identification identifier is present in the network traffic, and if so, determine and output the monitored target asset identification information and the target version vulnerability identification corresponding to the monitored target version vulnerability identification identifier.
In a possible implementation manner, the monitoring information includes at least one of the duration of each monitoring, a monitoring period, and time information for outputting the monitoring result.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface 92 is used for communication between the above-described electronic apparatus and other apparatuses.
The memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk memory. Alternatively, the memory may be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit, a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like.
Because the embodiment of the invention monitors the network traffic for the target asset identification information, actively scans the network space asset corresponding to that identification information only after its online or alive state information has been obtained, and then determines the corresponding monitoring result, the timeliness and accuracy of monitoring network space assets are improved compared with the existing approach of monitoring by active scanning at times set by the user; at the same time, monitoring efficiency is improved and wasted network resources are reduced.
Example 13:
On the basis of the foregoing embodiments, an embodiment of the present invention provides a computer-readable storage medium in which a computer program executable by an electronic device is stored; when the program is run on the electronic device, the electronic device is caused to execute the following steps:
performing passive monitoring according to each asset identification information and the monitoring information carried in the received first monitoring instruction, and judging whether any of the asset identification information is present in the network traffic;
if so, determining the monitored target asset identification information, performing active scanning according to the target asset identification information and the monitoring information, and determining the monitoring result corresponding to the target asset identification information based on the scanning result of the active scanning.
In a possible implementation manner, after performing the active scanning and before determining, based on the scanning result of the active scanning, the monitoring result corresponding to the target asset identification information, the method further includes:
determining the monitoring result of the passive monitoring for the target asset identification information, judging, for each first information in that monitoring result, whether the first information matches the second information corresponding to it in the scanning result of the active scanning, and performing, according to the matching result, the subsequent step of determining the monitoring result corresponding to the target asset identification information based on the scanning result of the active scanning.
In a possible implementation manner, the determining, according to the matching result and based on the scanning result of the active scanning, the monitoring result corresponding to the target asset identification information includes:
if the first information matches the second information corresponding to the first information in the scanning result of the active scanning, determining the monitoring result corresponding to the target asset identification information according to the scanning result of the active scanning.
In a possible implementation manner, the determining, according to the matching result and based on the scanning result of the active scanning, the monitoring result corresponding to the target asset identification information includes:
if the first information does not match the second information corresponding to the first information in the scanning result of the active scanning, updating that second information to the first information, and determining the monitoring result corresponding to the target asset identification information according to the updated scanning result; or, alternatively,
if the first information does not match the second information corresponding to the first information in the scanning result of the active scanning, deleting that second information from the scanning result of the active scanning, and determining the monitoring result corresponding to the target asset identification information according to the scanning result with the second information deleted.
In a possible implementation manner, if the first monitoring instruction carries an active scanning condition, before performing active scanning according to the target asset identification information and the monitoring information, the method further includes:
judging whether the current network traffic meets the active scanning condition, and if so, performing the subsequent steps.
Further, the judging whether the current network traffic meets the active scanning condition includes:
judging whether a set first packet is present in the current network traffic; or, alternatively,
judging whether the current network traffic state is a set state that allows active scanning to be executed.
In a possible implementation manner, if the monitoring information carried in the first monitoring instruction includes monitoring of a stereoscopic fingerprint image, after determining the monitoring result corresponding to the target asset identification information, the method further includes:
determining the stereoscopic fingerprint image of the target asset identification information according to the currently determined monitoring result of the fingerprint features corresponding to the target asset identification information and the set number of monitoring results of the fingerprint features corresponding to the target asset identification information within the set time period.
In a possible implementation manner, if the monitoring information carried in the first monitoring instruction includes monitoring of a vulnerability repair state, after determining the monitoring result corresponding to the target asset identification information, the method further includes:
determining the vulnerability repair state of the target asset identification information according to the currently determined vulnerability monitoring result corresponding to the target asset identification information and the set number of previous vulnerability monitoring results corresponding to the target asset identification information.
In one possible embodiment, the method further comprises:
receiving a second monitoring instruction, wherein monitoring information carried in the second monitoring instruction comprises a version vulnerability identification;
determining, based on active scanning, the version vulnerability identification identifier corresponding to the version vulnerability identification;
and passively monitoring, according to the asset identification information and the version vulnerability identification carried in the second monitoring instruction, whether any of the asset identification information together with the version vulnerability identification identifier is present in the network traffic, and if so, determining and outputting the monitored target asset identification information and the target version vulnerability identification corresponding to the monitored target version vulnerability identification identifier.
In a possible implementation manner, the monitoring information includes at least one of a monitoring duration, a monitoring period, and time information of outputting a monitoring result.
The computer readable storage medium may be any available medium or data storage device that can be accessed by a processor in an electronic device, including but not limited to magnetic memory such as floppy disks, hard disks, magnetic tape, magneto-optical disks (MOs), etc., optical memory such as CDs, DVDs, BDs, HVDs, etc., and semiconductor memory such as ROMs, EPROMs, EEPROMs, non-volatile memory (NAND FLASH), Solid State Disks (SSDs), etc.
Because the embodiment of the invention monitors the network traffic for the target asset identification information, actively scans the network space asset corresponding to that identification information only after its online or alive state information has been obtained, and then determines the corresponding monitoring result, the timeliness and accuracy of monitoring network space assets are improved compared with the existing approach of monitoring by active scanning at times set by the user; at the same time, monitoring efficiency is improved and wasted network resources are reduced.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (8)

1. A method for network monitoring, the method comprising:
performing passive monitoring according to each piece of asset identification information and the monitoring information carried in a received first monitoring instruction, and judging whether any of the asset identification information exists in network traffic;
if so, determining the monitored target asset identification information, performing active scanning according to the target asset identification information and the monitoring information, and determining a monitoring result corresponding to the target asset identification information based on a scanning result of the active scanning;
wherein, after the active scanning is performed and before the monitoring result corresponding to the target asset identification information is determined based on the scanning result of the active scanning, the method further comprises:
determining a monitoring result of the passive monitoring for the target asset identification information, and, for each piece of first information in that monitoring result, judging whether the first information matches the second information corresponding to the first information in the scanning result of the active scanning, and determining the monitoring result corresponding to the target asset identification information according to the matching result and based on the scanning result of the active scanning;
wherein determining the monitoring result corresponding to the target asset identification information according to the matching result and based on the scanning result of the active scanning comprises:
if the first information does not match the second information corresponding to the first information in the scanning result of the active scanning, updating that second information in the scanning result of the active scanning to the first information, and determining the monitoring result corresponding to the target asset identification information according to the updated scanning result; or, alternatively,
if the first information does not match the second information corresponding to the first information in the scanning result of the active scanning, deleting that second information from the scanning result of the active scanning, and determining the monitoring result corresponding to the target asset identification information according to the scanning result after the second information is deleted.
2. The method of claim 1, wherein determining the monitoring result corresponding to the target asset identification information based on the scanning result of the active scanning according to the matching result comprises:
if the first information matches the second information corresponding to the first information in the scanning result of the active scanning, determining the monitoring result corresponding to the target asset identification information according to the scanning result of the active scanning.
3. The method according to claim 1, wherein if the first monitoring instruction carries an active scanning condition, before performing active scanning according to the target asset identification information and the monitoring information, the method further comprises:
judging whether the current network traffic satisfies the active scanning condition, and if so, performing the subsequent steps.
4. The method of claim 3, wherein judging whether the current network traffic satisfies the active scanning condition comprises:
judging whether a set first message exists in the current network traffic; or, alternatively,
judging whether the current network traffic state is a set state in which execution of the active scanning is allowed.
5. The method according to claim 1, wherein, if the monitoring information carried in the first monitoring instruction includes monitoring of a fingerprint stereoscopic portrait, after determining the monitoring result corresponding to the target asset identification information, the method further comprises:
determining a fingerprint stereoscopic portrait of the target asset identification information according to the currently determined fingerprint characteristic monitoring result corresponding to the target asset identification information and a set number of fingerprint characteristic monitoring results corresponding to the target asset identification information within a set time period.
6. The method according to claim 1, wherein, if the monitoring information carried in the first monitoring instruction includes monitoring of a vulnerability repair state, after determining the monitoring result corresponding to the target asset identification information, the method further comprises:
determining the vulnerability repair state of the target asset identification information according to the currently determined vulnerability monitoring result corresponding to the target asset identification information and a set number of vulnerability monitoring results corresponding to the target asset identification information.
7. The method of claim 1, further comprising:
receiving a second monitoring instruction, wherein the monitoring information carried in the second monitoring instruction comprises a version vulnerability identification;
determining, based on active scanning, a version vulnerability identification mark corresponding to the version vulnerability identification;
passively monitoring, according to the asset identification information and the version vulnerability identification carried in the second monitoring instruction, whether any of the asset identification information and the version vulnerability identification exist in network traffic, and if so, determining the monitored target asset identification information and the target version vulnerability identification corresponding to the monitored target version vulnerability identification mark, and outputting the target version vulnerability identification.
8. The method according to any one of claims 1 to 7, wherein the monitoring information includes at least one of a time length of each monitoring, a monitoring period, and time information of outputting a monitoring result.
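The passive-trigger, active-scan and merge procedure of claims 1 to 4, as an added example that is not part of the patent or of any Nsfocus product. The watched asset identifiers, the traffic observations and the active-scan table are all constructed here; the active scan is a look-up stand-in, not a real probe, and the `on_mismatch` switch selects between the "update" and "delete" branches of claim 1.

```python
# Constructed asset identification information from a hypothetical first monitoring instruction.
WATCHED_ASSETS = {"10.0.0.5", "10.0.0.9"}

# Constructed passive observations: (asset id, attribute, value seen in traffic).
TRAFFIC = [
    ("10.0.0.5", "http_server", "nginx/1.18"),
    ("10.0.0.5", "os", "Linux"),
    ("192.168.1.7", "http_server", "Apache/2.4"),  # not a watched asset, ignored
]

# Constructed stand-in for active scan output ("second information" per asset).
ACTIVE_SCAN = {"10.0.0.5": {"http_server": "nginx/1.16", "os": "Linux", "ssh": "OpenSSH_8.2"}}


def passive_monitor(traffic, watched):
    """Collect 'first information' for every watched asset that appears in traffic."""
    seen = {}
    for asset, attr, value in traffic:
        if asset in watched:
            seen.setdefault(asset, {})[attr] = value
    return seen


def scan_allowed(traffic_state):
    """Claim 4: active scanning is only run when the traffic state is one that permits it."""
    return traffic_state in {"idle", "normal"}


def active_scan(asset):
    """Hypothetical active scan; returns a copy of the constructed table entry."""
    return dict(ACTIVE_SCAN.get(asset, {}))


def merge(passive, scan, on_mismatch="update"):
    """Claim 1: compare each piece of first information with its second information."""
    result = dict(scan)
    for attr, first in passive.items():
        if result.get(attr) == first:
            continue  # matched: the active scan result stands (claim 2)
        if on_mismatch == "update":
            result[attr] = first  # replace second information with what traffic showed
        else:
            result.pop(attr, None)  # delete the conflicting second information
    return result


def monitor(traffic, watched, traffic_state="normal", on_mismatch="update"):
    """Passive detection triggers the scan; mismatches are resolved per on_mismatch."""
    results = {}
    for asset, passive in passive_monitor(traffic, watched).items():
        if not scan_allowed(traffic_state):
            continue  # claim 3: condition not met, skip the active scanning steps
        results[asset] = merge(passive, active_scan(asset), on_mismatch)
    return results
```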

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011614526.0A CN112637019B (en) 2020-12-30 2020-12-30 Network monitoring method

Publications (2)

Publication Number Publication Date
CN112637019A CN112637019A (en) 2021-04-09
CN112637019B true CN112637019B (en) 2022-04-19

Family

ID=75286959

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011614526.0A Active CN112637019B (en) 2020-12-30 2020-12-30 Network monitoring method

Country Status (1)

Country Link
CN (1) CN112637019B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104205773A (en) * 2012-04-11 2014-12-10 迈克菲股份有限公司 System asset repository management
CN107181642A (en) * 2017-05-26 2017-09-19 北京立思辰新技术有限公司 Test the method and apparatus of leak
CN108989299A (en) * 2018-07-03 2018-12-11 杭州安恒信息技术股份有限公司 A kind of monitoring method and system of internet of things equipment loophole
CN109768880A (en) * 2018-12-17 2019-05-17 国网重庆市电力公司 A kind of network topology distant place visualizing monitor method towards electric power monitoring system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11005876B2 (en) * 2017-05-11 2021-05-11 Tenable, Inc. Elastic asset-based licensing model for use in a vulnerability management system
CN110532770A (en) * 2019-09-04 2019-12-03 北京启明星辰信息安全技术有限公司 A kind of fusion actively with passively vulnerability scanning method

Also Published As

Publication number Publication date
CN112637019A (en) 2021-04-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant