Disclosure of Invention
In view of the above technical problems, the present invention provides an asset management method, system and computer readable medium based on event triggering.
In a first aspect of the embodiments of the present invention, an asset management method based on event triggering is provided, where the method includes:
monitoring a trigger event on a network device;
monitoring, on the basis of the trigger event, whether a corresponding response event occurs;
and performing asset device discovery on the basis of the trigger event and the response event, so as to obtain asset information of the asset device.
Optionally, the trigger event includes:
a session creation event, a user login event, an ARP table generation event, an interface UP event, an AP user access event, a MAC forwarding table generation event, an sFlow flow event, and a NetFlow flow event.
Optionally, the method further comprises:
and setting up an event collection analyzer that processes the trigger events and the response events, the event collection analyzer being configured to determine whether a trigger event and a response event correspond to one another.
Optionally, the method further comprises:
and performing active detection on an asset device that has already accessed the network, determining, according to whether a preset suspicious event has occurred on the asset device, whether its device fingerprint needs to be collected again, and comparing the re-collected device fingerprint with the original device fingerprint.
Optionally, performing active detection on an asset device that has already accessed the network comprises:
as long as no up or down event occurs on the switch port to which the asset device is connected, leaving the device fingerprint as it is; and when a down/up event notification for the corresponding switch interface is received, re-collecting the device fingerprint of the asset device and comparing it with the original device fingerprint.
In a second aspect of an embodiment of the present invention, an asset management system based on event triggering includes:
a monitoring module, configured to monitor a trigger event on a network device;
a judging module, configured to monitor, on the basis of the trigger event, whether a corresponding response event occurs;
and a discovery module, configured to perform asset device discovery on the basis of the trigger event and the response event, so as to obtain asset information of the asset device.
Optionally, the trigger event includes:
a session creation event, a user login event, an ARP table generation event, an interface UP event, an AP user access event, a MAC forwarding table generation event, an sFlow flow event, and a NetFlow flow event.
Optionally, the asset management system further comprises:
an analysis module, configured to set up an event collection analyzer that processes the trigger events and the response events, the event collection analyzer being configured to determine whether a trigger event and a response event correspond to one another.
Optionally, the asset management system further comprises:
a counterfeit judgment module, configured to perform active detection on an asset device that has already accessed the network, to determine, according to whether a preset suspicious event has occurred on the asset device, whether its device fingerprint needs to be collected again, and to compare the re-collected device fingerprint with the original device fingerprint.
In a third aspect of the embodiments of the present invention, a computer-readable medium is provided on which a computer program is stored; when executed by a processor, the program implements the asset management method based on event triggering described above.
In the technical solution provided by the invention, the information of a newly connected asset is obtained by collecting trigger events and response events and analysing the correlation between them, which achieves asset discovery. No probing frequency needs to be set and asset devices need not be managed from network traffic; the method is little affected by firewalls and places low demands on the performance of the discovery device, since asset device management is accomplished from the operational data the network devices already produce.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, fig. 1 is a flowchart illustrating an embodiment of an asset management method based on event triggering according to the present invention. The asset management method based on event triggering comprises the following steps:
Step S100: monitoring a trigger event on the device.
In this embodiment there are many possible trigger events; in short, a device that accesses the network will necessarily trigger some event on the network device it connects to. For example, when a computer is connected to a switch by cable, an interface UP event or a MAC forwarding table generation event is generated; once the computer sends traffic, it will also request an address. If the computer requests an IP address via DHCP, a DHCP address request event is generated.
When a user accesses the Internet through a network firewall, a login request event is generated, and the user login may produce a user online event. The user's traffic creates a session on the firewall, which produces a session creation event. A user computer logging into a domain may produce a user login request event on the domain controller. If a computer connects to the network through a wireless AP, a user access request event occurs on the AC (access controller).
All of the above events can be obtained by monitoring, and each is one half of a one-to-one request/response pair in the operation of the device. From them the active state of a device, and therefore its existence, can be determined, which is the basis on which asset management of the device is carried out.
Step S200: monitoring, on the basis of the trigger event, whether a corresponding response event occurs.
A device accessing the network will necessarily trigger some event on the network device it connects to, and each such trigger is answered by a response event on the same or another network device. For example, if a computer is connected to a switch by cable, an interface UP event is generated on the switch; once the computer sends traffic, a MAC forwarding table generation event follows. If the computer requests an IP address via DHCP, the DHCP server generates a DHCP address assignment event.
When a user accesses the Internet through a network firewall, the firewall may redirect the user to a web login portal, and the login may produce a user online event. The user's traffic produces a session creation event on the firewall. A user computer logging into a domain may produce a user login event on the domain controller. If a computer connects to the network through a wireless AP, a Wi-Fi login event occurs on the AC.
The trigger events described in the present invention include: a session creation event, a user login event, an ARP table generation event, an interface UP event, an AP user access event, a MAC forwarding table generation event, an sFlow flow event, and a NetFlow flow event. It should be understood that the trigger events are not limited to those listed.
Step S300: performing asset device discovery on the basis of the trigger event and the response event, so as to obtain asset information of the asset device.
Based on the information obtained in the preceding steps, the information of newly connected assets is obtained by collecting these events. Analysing the correlation between the events yields proof of liveness for assets, both newly connected and already connected, which achieves asset discovery. That is, no probing frequency needs to be set and asset devices need not be managed from network traffic. Compared with the prior art, the method provided by the invention is less affected by firewalls and places low demands on the performance of the discovery device; asset device management is accomplished from the operational data of the network devices themselves.
In actual use, an event collection analyzer may further be set up to process the trigger events and response events; the event collection analyzer is configured to determine whether a trigger event and a response event correspond to one another.
For example:
Configure the switch to send interface UP events, MAC forwarding table generation events and ARP table generation events to the event collection analyzer via SNMP trap, and configure sFlow to sample port traffic to the event collection analyzer.
Configure the DHCP server to send DHCP IP assignment events to the event collection analyzer via syslog.
Configure the firewall to send session creation events, user login events and ARP table generation events to the event collection analyzer via SNMP trap.
If a device requests an IP address via DHCP, a MAC forwarding table generation event is generated on the switch, from which the correspondence between the MAC address and the switch interface is obtained. After receiving the device's DHCP request, the DHCP server assigns an IP address and generates a DHCP IP assignment event, from which the correspondence between the IP address and the MAC address is obtained.
If a device does not request an IP address via DHCP but uses a static IP, there is no DHCP IP assignment event; in that case the IP address used by the device can be obtained by analysing the flow events from the switch's sFlow sampling. In addition, if the device communicates across subnets, its traffic must be forwarded by a gateway device, which generates an ARP table generation event on the gateway; the device's traffic generates a session creation event on the firewall; and if the user logs in, a user login event is generated as well.
From these events the event collection analyzer learns the device's IP address, MAC address and switch access port, and determines whether the asset is new or already known from the MAC address of the connecting or connected device, the MAC address being treated as the device's unique identifier. Because a host can forge its MAC address, this identity is only as strong as the device fingerprint comparison that is applied to already-connected assets below.
From the sFlow samples and the forwarded events, the event collection analyzer can likewise obtain the device's IP address, MAC address and switch access port and, where available, the user of the device, and so carry out asset discovery.
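The following is an added example of the correlation the event collection analyzer performs on the events listed above; it is not code from the patent. The event dictionaries, their field names and the sample event stream are this example's own construction, standing in for decoded SNMP traps, syslog lines and sFlow samples. It shows the two attribution paths described above: the DHCP path (MAC table entry, then DHCP assignment) and the static-IP path (MAC table entry, then sFlow sample and gateway ARP entry), and it leaves firewall events whose IP cannot be tied to a known MAC unattributed rather than guessing.

```python
"""Event collection analyzer: correlate switch, DHCP, gateway and firewall
events into asset records keyed by MAC address.

Added example, not the patent's code. Event field names are assumed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Asset:
    mac: str
    ip: Optional[str] = None
    switch: Optional[str] = None
    port: Optional[str] = None
    user: Optional[str] = None
    evidence: list = field(default_factory=list)   # event types seen for this asset


class EventAnalyzer:
    """A bare interface UP trap is only a trigger: it names a switch port but no
    device. The MAC forwarding-table entry for that port is the response that
    binds a device to the port; a DHCP assignment (or, for static addressing,
    an sFlow sample or a gateway ARP entry) then binds an IP to the MAC."""

    def __init__(self):
        self.assets: dict[str, Asset] = {}
        self.pending_ports: set[tuple[str, str]] = set()   # UP seen, no MAC learned yet

    def handle(self, ev: dict) -> Optional[str]:
        """Process one event; return 'new', 'existing', or None if the event
        cannot yet be attributed to any asset."""
        kind = ev["type"]
        if kind == "if_up":
            self.pending_ports.add((ev["switch"], ev["port"]))
            return None
        if kind == "mac_table":
            mac = ev["mac"].lower()
            status = self._touch(mac, kind)
            a = self.assets[mac]
            a.switch, a.port = ev["switch"], ev["port"]
            self.pending_ports.discard((ev["switch"], ev["port"]))
            return status
        if kind in ("dhcp_assign", "sflow", "arp"):
            mac = ev["mac"].lower()
            status = self._touch(mac, kind)
            a = self.assets[mac]
            a.ip = ev["ip"]
            if kind == "sflow":               # sFlow also tells us the ingress port
                a.switch = a.switch or ev["switch"]
                a.port = a.port or ev["port"]
            return status
        if kind in ("session", "user_login"):
            # Firewall events carry only an IP; resolve it via an IP already bound to a MAC.
            a = self._by_ip(ev["ip"])
            if a is None:
                return None
            a.evidence.append(kind)
            if kind == "user_login":
                a.user = ev["user"]
            return "existing"
        raise ValueError(f"unknown event type {kind}")

    def _touch(self, mac: str, kind: str) -> str:
        new = mac not in self.assets
        if new:
            self.assets[mac] = Asset(mac=mac)
        self.assets[mac].evidence.append(kind)
        return "new" if new else "existing"

    def _by_ip(self, ip: str) -> Optional[Asset]:
        return next((a for a in self.assets.values() if a.ip == ip), None)


# Constructed event stream, in the order the collector might receive it.
SAMPLE_EVENTS = [
    {"type": "if_up", "switch": "sw1", "port": "Gi1/0/12"},
    {"type": "mac_table", "switch": "sw1", "port": "Gi1/0/12", "mac": "AA:BB:CC:00:00:01"},
    {"type": "dhcp_assign", "mac": "aa:bb:cc:00:00:01", "ip": "10.0.1.20"},
    {"type": "session", "ip": "10.0.1.20", "dst": "203.0.113.5"},
    {"type": "user_login", "ip": "10.0.1.20", "user": "alice"},
    # second host uses a static IP: no DHCP event, IP learned from sFlow and gateway ARP
    {"type": "mac_table", "switch": "sw1", "port": "Gi1/0/13", "mac": "aa:bb:cc:00:00:02"},
    {"type": "sflow", "switch": "sw1", "port": "Gi1/0/13", "mac": "aa:bb:cc:00:00:02", "ip": "10.0.1.77"},
    {"type": "arp", "device": "gw1", "mac": "aa:bb:cc:00:00:02", "ip": "10.0.1.77"},
    # session from an IP no known asset holds: stays unattributed
    {"type": "session", "ip": "10.0.1.99", "dst": "203.0.113.5"},
]


def run_sample() -> tuple:
    """Feed the constructed stream through the analyzer; return (analyzer, per-event results)."""
    az = EventAnalyzer()
    results = [az.handle(e) for e in SAMPLE_EVENTS]
    return az, results


if __name__ == "__main__":
    analyzer, outcomes = run_sample()
    for asset in analyzer.assets.values():
        print(asset)
```

The unattributed session from 10.0.1.99 is the case the patent hands to the supplementary active discovery or traffic diversion functions: an event-only analyzer should report it as unresolved rather than create an asset with no MAC.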
Furthermore, the system can be combined with partial active discovery or traffic diversion functions to handle specially those cases whose asset information cannot be derived from events.
For example, active detection is performed on an asset device that has already accessed the network: whether its device fingerprint needs to be re-collected is decided according to whether a preset suspicious event has occurred on the asset device, and the re-collected fingerprint is compared with the original device fingerprint.
Specifically, as long as no up or down event occurs on the switch port to which the asset device is connected, the fingerprint is left as it is; when a down/up event notification for the corresponding switch interface is received, the device fingerprint of the asset device is re-collected and compared with the original device fingerprint.
In one embodiment, for an asset that has already accessed the network, the active detection function built into the event collection analyzer performs asset identification on the device (obtaining its device fingerprint). Once identification is complete, as long as the switch port to which the device is connected has not had an up/down event, it can be assumed that the device cannot have been replaced by a counterfeit. Only when the event collection analyzer receives a down/up event notification for the corresponding switch interface is the asset identification module invoked again to re-identify the device (re-collecting its fingerprint), and the new fingerprint is compared with the original fingerprint to judge whether the device is counterfeit. This check fires only on a link-state change of the monitored port, so the port's down/up notifications must reliably reach the event collection analyzer for the assumption to hold.
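The following is an added example of the re-identification rule just described, not the patent's code. It keeps a baseline fingerprint per switch port, ignores traps for ports with no known asset, does nothing on a bare down event, and re-fingerprints only when the port comes back up. The device fingerprint is modelled as a dictionary of probe results returned by a caller-supplied prober function; in a deployment that would be the analyzer's built-in asset identification routine, and the probe table used here is constructed for the example.

```python
"""Re-fingerprint a connected asset only when its switch port goes down and up.

Added example, not the patent's code. The fingerprint format and the probe
results are assumptions of this example."""
from typing import Callable, Optional

Fingerprint = dict   # e.g. {"ttl": 64, "open_ports": (22,), "os": "linux"}


def _diff(old: Fingerprint, new: Fingerprint) -> dict:
    """Keys whose probe result differs between baseline and re-collected fingerprint."""
    return {k: (old.get(k), new.get(k)) for k in set(old) | set(new) if old.get(k) != new.get(k)}


class CounterfeitJudge:
    def __init__(self, prober: Callable[[str], Fingerprint]):
        self.prober = prober
        self.registry: dict[tuple[str, str], dict] = {}   # (switch, port) -> baseline record
        self.alerts: list[str] = []

    def admit(self, switch: str, port: str, mac: str, ip: str) -> None:
        """Asset identified on first access: record the baseline fingerprint."""
        self.registry[(switch, port)] = {"mac": mac, "ip": ip, "fp": self.prober(ip)}

    def on_port_event(self, switch: str, port: str, state: str) -> Optional[str]:
        """Handle a down/up notification for one port. Only a port that comes
        back 'up' triggers re-identification; a port with no known asset is
        ignored. Returns 'unchanged', 'counterfeit', or None (no action)."""
        rec = self.registry.get((switch, port))
        if rec is None or state != "up":
            return None
        current = self.prober(rec["ip"])          # re-collect the device fingerprint
        changed = _diff(rec["fp"], current)
        if not changed:
            return "unchanged"
        self.alerts.append(f"{switch}/{port} mac={rec['mac']} fingerprint changed: {changed}")
        return "counterfeit"


def run_scenario() -> list:
    """Constructed scenario: two admitted hosts, then a device swap on one port."""
    # What the prober "sees" at each IP; constructed for this example.
    table = {
        "10.0.1.20": {"ttl": 128, "open_ports": (135, 445, 3389), "os": "windows"},
        "10.0.1.77": {"ttl": 64, "open_ports": (22,), "os": "linux"},
    }
    judge = CounterfeitJudge(lambda ip: dict(table[ip]))
    judge.admit("sw1", "Gi1/0/12", "aa:bb:cc:00:00:01", "10.0.1.20")
    judge.admit("sw1", "Gi1/0/13", "aa:bb:cc:00:00:02", "10.0.1.77")
    out = [
        judge.on_port_event("sw1", "Gi1/0/13", "down"),   # down alone: wait for the up
        judge.on_port_event("sw1", "Gi1/0/13", "up"),     # same box came back: unchanged
        judge.on_port_event("sw1", "Gi1/0/20", "up"),     # no asset known on this port
    ]
    # The Windows host is unplugged and a Linux box spoofing its MAC and IP is plugged in.
    table["10.0.1.20"] = {"ttl": 64, "open_ports": (22,), "os": "linux"}
    out.append(judge.on_port_event("sw1", "Gi1/0/12", "down"))
    out.append(judge.on_port_event("sw1", "Gi1/0/12", "up"))   # re-fingerprint: counterfeit
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Keying the registry by switch port rather than by MAC is what makes the swap detectable: the impostor reuses the MAC and IP, so only the port identity and the fingerprint taken at that port can expose it.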
The invention also provides an asset management system based on event triggering, which comprises:
a monitoring module 10, configured to monitor a trigger event on a device; the trigger event comprises:
a session creation event, a user login event, an ARP table generation event, an interface UP event, an AP user access event, a MAC forwarding table generation event, an sFlow flow event, and a NetFlow flow event, but is not limited to these events;
a judging module 20, configured to monitor, on the basis of the trigger event, whether a corresponding response event occurs;
and a discovery module 30, configured to perform asset device discovery on the basis of the trigger event and the response event, so as to obtain asset information of the asset device.
The trigger events handled by these modules, the response events that answer them, and the liveness analysis that yields asset discovery are as described above for steps S100 to S300.
The system further comprises an analysis module, configured to set up an event collection analyzer that processes the trigger events and the response events, the event collection analyzer being configured to determine whether a trigger event and a response event correspond to one another.
The asset management system based on event triggering further comprises:
a counterfeit judgment module, configured to perform active detection on an asset device that has already accessed the network, to determine, according to whether a preset suspicious event has occurred on the asset device, whether its device fingerprint needs to be collected again, and to compare the re-collected device fingerprint with the original device fingerprint.
As long as no up or down event occurs on the switch port to which the asset device is connected, the device fingerprint is left as it is; when a down/up event notification for the corresponding switch interface is received, the device fingerprint of the asset device is re-collected and compared with the original device fingerprint.
The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs. The units in the system of the embodiment of the invention can be merged, divided and deleted according to actual needs. In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a storage medium. Based on such understanding, the technical solution of the present invention essentially or partially contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a terminal, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.