CN113746849A - Method, device, equipment and storage medium for identifying equipment in network - Google Patents


Info

Publication number: CN113746849A
Application number: CN202111043651.5A
Authority: CN (China)
Prior art keywords: equipment, network, protocol, component information, traffic data
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 徐猛, 张朝旭
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Events: application filed by Sangfor Technologies Co Ltd; priority to CN202111043651.5A; publication of CN113746849A.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L 69/18 Multiprotocol handlers, e.g. single devices capable of handling multiple protocols
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 49/00 Packet switching elements > H04L 49/20 Support for services > H04L 49/208 Port mirroring
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Abstract

The application discloses a method and a device for identifying devices in a network, an electronic device and a computer-readable storage medium. The method comprises the following steps: acquiring network traffic data of different protocols from the same terminal device in a network; determining, based on the protocol feature quantities included in each piece of network traffic data, the device component information corresponding to that network traffic data; and combining the determined device component information into a device component information combination, and determining the device identification result of the terminal device based on the device component information combination. By extracting and analyzing the feature quantities of multiple protocols in the terminal device's network traffic data, the application obtains several pieces of device component information about the terminal device from different angles and identifies the device information from their combination, which improves the accuracy of device identification. Moreover, because the application performs device identification through traffic monitoring, it removes the restrictions on usage conditions, is more convenient to apply, and can effectively help maintain network security.

Description

Method, device, equipment and storage medium for identifying equipment in network
Technical Field
The present application relates to the field of network communication technologies, and in particular, to a method and an apparatus for identifying devices in a network, an electronic device, and a computer-readable storage medium.
Background
With the development of science and technology and the improvement of network speed, the network devices used by users are becoming more intelligent and more varied. All kinds of smartphones and IoT (Internet of Things) devices are developing rapidly.
The development of the industry also carries some risks. Many different kinds of intricate network devices may be deployed in an enterprise's internal network, and the network administrator may not be fully aware of all of them. Once a dangerous device is mixed in and used for an attack, huge losses result. It is therefore important and essential to discover the devices in a network and present specific device information for management by a network administrator.
In the prior art, device discovery generally accesses a specific port of the target device actively: for example, port 161 of the target device is accessed using the SNMP protocol, and if the target device responds, its device type is identified from the SNMP response. However, this active access behavior is similar to active scanning: it requires constantly sending packets to probe which ports the target device has open, which from the terminal device's point of view looks somewhat like an attack. Also, this approach requires that the scanning device and the scanned device be reachable (able to communicate) on the network, which may not be acceptable to the users of some devices in practice.
In view of the above, it is an important need for those skilled in the art to provide a solution to the above technical problems.
Disclosure of Invention
The application aims to provide a method and a device for identifying equipment in a network, electronic equipment and a computer readable storage medium, wherein the method and the device are convenient to apply and high in identification accuracy.
In order to solve the above technical problem, in one aspect, the present application discloses a method for identifying a device in a network, which is applied to a network security device, and the method includes:
acquiring network flow data of different protocols from the same terminal equipment in the network;
determining device component information corresponding to each of the network traffic data based on protocol feature quantities included in each of the network traffic data;
and combining the determined device component information into a device component information combination, and determining the device identification result of the terminal device based on the device component information combination.
Optionally, the acquiring network traffic data of different protocols from the same terminal device in the network includes:
acquiring network traffic data of different protocols from the same terminal device by receiving the mirrored traffic data sent by the core switch.
Optionally, the determining, based on a protocol feature included in each of the network traffic data, device component information corresponding to each of the network traffic data includes:
for any network traffic data:
identifying a network protocol adopted by the network traffic data as a target network protocol;
extracting protocol characteristic quantities corresponding to the target network protocol from the network traffic data;
based on the protocol characteristic quantity, searching corresponding equipment component information in a protocol fingerprint library of the target network protocol; and the protocol fingerprint libraries store the information of the equipment components respectively corresponding to different values of the corresponding types of protocol characteristic quantities.
Optionally, the determining a device identification result of the terminal device based on the device component information combination includes:
matching and searching in a multi-protocol feature fingerprint library based on the equipment component information combination; the multi-protocol characteristic fingerprint library stores equipment information respectively corresponding to different equipment component information combinations;
and taking the matched and searched equipment information as an equipment identification result of the terminal equipment.
Optionally, after the determining the device identification result of the terminal device based on the device component information combination, the method further includes:
and reporting the equipment identification result and the protocol characteristic quantity which is not successfully identified to a cloud end so that the cloud end can check and integrate the data reported by the plurality of network security equipment.
Optionally, after the cloud checks and integrates the data reported by the multiple network security devices, the method further includes:
and after the checking and integrating result passes the verification, receiving the updating data issued by the cloud so as to update each protocol fingerprint library and the multi-protocol feature fingerprint library.
Optionally, the category of the network protocol in which the protocol fingerprint library is established includes any combination of the following:
the ARP protocol, the DHCP protocol, the TCP protocol, the HTTP protocol, the NetBIOS protocol, and the CAPWAP protocol.
In another aspect, the present application further discloses an apparatus for identifying devices in a network, which is applied to a network security device, and includes:
the acquisition module is used for acquiring network traffic data of different protocols from the same terminal equipment in the network;
the searching module is used for determining equipment component information corresponding to each network flow data based on protocol characteristic quantity contained in each network flow data;
and the identification module is used for combining the determined device component information into a device component information combination and determining the device identification result of the terminal device based on the device component information combination.
Optionally, when the obtaining module obtains network traffic data of different protocols from the same terminal device in the network, the obtaining module is specifically configured to:
acquiring network traffic data of different protocols from the same terminal device by receiving the mirrored traffic data sent by the core switch.
Optionally, the searching module specifically includes:
the protocol identification unit is used for identifying a network protocol adopted by any network flow data as a target network protocol;
a feature extraction unit, configured to extract a protocol feature quantity corresponding to the target network protocol from the network traffic data;
the characteristic searching unit is used for searching corresponding equipment component information in a protocol fingerprint database of the target network protocol based on the protocol characteristic quantity; and the protocol fingerprint libraries store the information of the equipment components respectively corresponding to different values of the corresponding types of protocol characteristic quantities.
Optionally, the identification module is specifically configured to:
matching and searching in a multi-protocol feature fingerprint library based on the equipment component information combination; the multi-protocol characteristic fingerprint library stores equipment information respectively corresponding to different equipment component information combinations;
and taking the matched and searched equipment information as an equipment identification result of the terminal equipment.
Optionally, the apparatus further includes:
and the reporting module is used for reporting the equipment identification result and the protocol characteristic quantity which is not successfully identified to a cloud after the identification module determines the equipment identification result of the terminal equipment based on the equipment component information combination, so that the cloud can check and integrate the data reported by the plurality of network security equipment.
Optionally, the apparatus further includes:
and the updating module is used for receiving the updating data transmitted by the cloud end so as to update each protocol fingerprint library and the multi-protocol feature fingerprint library after the data reported by the plurality of network security devices are collated and integrated by the cloud end and the collation and integration result passes the verification.
Optionally, the category of the network protocol in which the protocol fingerprint library is established includes any combination of the following:
the ARP protocol, the DHCP protocol, the TCP protocol, the HTTP protocol, the NetBIOS protocol, and the CAPWAP protocol.
In another aspect, the present application also discloses an electronic device, including:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the device identification method in any one of the networks as described above.
In yet another aspect, the present application also discloses a computer readable storage medium having a computer program stored therein, which when executed by a processor is used to implement the steps of the device identification method in any one of the networks as described above.
The method, apparatus, electronic device and computer-readable storage medium for identifying devices in a network provided by the application have the following advantages: by extracting and analyzing the feature quantities of multiple protocols in the terminal device's network traffic data, several pieces of device component information about the source device can be acquired, so that the device information of the terminal device can be accurately identified from the combination of that device component information. Identifying devices by traffic monitoring not only reduces the restrictions on usage conditions but also greatly improves the accuracy of device identification, and can effectively help maintain network security.
Drawings
In order to more clearly illustrate the technical solutions in the prior art and the embodiments of the present application, the drawings that are needed to be used in the description of the prior art and the embodiments of the present application will be briefly described below. Of course, the following description of the drawings related to the embodiments of the present application is only a part of the embodiments of the present application, and it will be obvious to those skilled in the art that other drawings can be obtained from the provided drawings without any creative effort, and the obtained other drawings also belong to the protection scope of the present application.
Fig. 1 is an application scenario diagram of a device identification method in a network according to an embodiment of the present application;
fig. 2 is a flowchart of a method for identifying devices in a network according to an embodiment of the present disclosure;
fig. 3 is a schematic diagram of a device identification method in a network according to an embodiment of the present disclosure;
fig. 4 is a schematic diagram illustrating reporting of a device identification result disclosed in an embodiment of the present application;
fig. 5 is a block diagram illustrating a structure of a device identification apparatus in a network according to an embodiment of the present disclosure;
fig. 6 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
The core of the application is to provide a method and a device for identifying equipment in a network, electronic equipment and a computer readable storage medium, wherein the method and the device are convenient to apply and high in identification accuracy.
In order to more clearly and completely describe the technical solutions in the embodiments of the present application, the technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
When device discovery is performed in the industry, a specific port of the target device is generally accessed actively: for example, port 161 of the target device is accessed using the Simple Network Management Protocol (SNMP), and if the target device responds, its device type is identified from the SNMP response. However, this active access behavior is similar to active scanning: it requires constantly sending packets to probe which ports the target device has open, which from the terminal device's point of view looks somewhat like an attack. Also, this approach requires that the scanning device and the scanned device be reachable (able to communicate) on the network, which may not be acceptable to the users of some devices in practice. In view of this, the present application provides a device identification scheme in a network that can effectively solve the above problem.
Referring to fig. 1, an embodiment of the present application discloses an application scenario diagram of a device identification method in a network.
As shown in fig. 1, an AC (wireless Access Controller) device hangs off a core switch. Meanwhile, within the network environment a wired network and a wireless network may be provided by a router and AP (Access Point) devices respectively, and terminal devices such as PCs (Personal Computers), servers, mobile phones and notebook computers may be connected to them. The device identification method provided by the present application can be applied to the access controller in fig. 1. Of course, other kinds of network security devices attached to a core switch may also be used.
Referring to fig. 2, an embodiment of the present application discloses a method for identifying devices in a network, which is applied to a network security device and mainly includes:
S101: acquiring network traffic data of different protocols from the same terminal device in the network.
S102: determining, based on the protocol feature quantity included in each piece of network traffic data, the device component information corresponding to that network traffic data.
S103: combining the determined device component information into a device component information combination, and determining the device identification result of the terminal device based on the device component information combination.
Specifically, the method for identifying a device in a network provided in the embodiment of the present application specifically uses a manner of performing traffic monitoring for a terminal device, so that network traffic data from the terminal device needs to be acquired first. In this case, the terminal device may be referred to as a source device of the network traffic data.
When the network traffic data is acquired, in order to ensure that network traffic data from the same terminal device is gathered together, the traffic in the network can be classified by IP address, so that the network traffic data from the same terminal device is sorted out. Of course, if network data from the same terminal is identified by IP address, it should be ensured as far as possible that this is not a NAT (Network Address Translation) scenario, since behind NAT one address carries the traffic of several devices.
It should be noted that there are many network protocols that can carry network traffic data, and each network protocol has its own corresponding protocol feature quantities. Specifically, for a given network protocol, certain kinds of information extracted from network traffic data using that protocol must be true and reliable; these information items are the protocol feature quantities of that protocol. In contrast, the same information items may not be true in network traffic data using other protocols, where they may have been processed by some masquerading or transformation means.
Taking the ARP protocol (Address Resolution Protocol) as an example, the protocol feature quantity corresponding to the ARP protocol is the MAC address (Media Access Control address), and the device component information that the MAC address reflects as a protocol feature quantity is the vendor of the network card. Therefore, the corresponding network card vendor information can be determined from the MAC address extracted from network traffic data using the ARP protocol.
It is easy to understand that a fully functional terminal device includes various components, which may be hardware components or software components of the device, and each component may in turn carry more than one piece of information. Accordingly, device component information can take many forms.
Generally, the protocol characteristic quantity of a certain network protocol can only reflect part or even a certain piece of equipment component information, and the equipment information of the corresponding equipment is difficult to be accurately determined only by limited equipment component information, so that the method further combines a plurality of pieces of equipment component information for identifying the equipment information of the terminal equipment so as to improve the identification accuracy.
Specifically, the application establishes in advance correspondences between a large number of different device component information combinations and device information. Therefore, the specific device information of the source device of the network traffic data can be determined from the obtained device component information combination. For example, the device information of the corresponding device may be identified from a device component information combination composed of network card vendor information, CPU model information, memory model information, OS version information, disk count and capacity information, and the like. Those skilled in the art will readily appreciate that the device information may include the device's type (cell phone, computer, router, ...), model (P40, iPhone 11, ...), operating system (EMUI 10.1, iOS 15), vendor, and so on.
It is easy to understand that the identified device information can be displayed in further detail, so as to facilitate a network administrator to comb network assets, evaluate whether each terminal device in the network has a security risk, and further take protective measures as soon as possible to reduce loss.
Therefore, the method for identifying the equipment in the network can acquire a plurality of pieces of equipment component information related to the source equipment by extracting and analyzing the characteristic quantity of various protocols of the network flow data of the terminal equipment, thereby combining the information combination of the equipment components to accurately identify the equipment information of the terminal equipment. The method and the device for identifying the equipment in the flow monitoring mode not only reduce the limitation of use conditions, but also greatly improve the accuracy rate of equipment identification, and can effectively help to maintain network safety.
As a specific embodiment, the method for identifying a device in a network according to the embodiment of the present application, based on the above contents, acquires network traffic data of different protocols from the same terminal device in the network, including:
acquiring network traffic data of different protocols from the same terminal device by receiving the mirrored traffic data sent by the core switch.
Specifically, after a terminal device in the network sends network traffic data to a core switch (through a switch and an AP device), the core switch may copy (or called as mirroring) the data, and then send the generated mirrored traffic data to the network security device, so that the network security device identifies device information of the terminal device (i.e., a source device of the network traffic data) based on analysis of the mirrored traffic data.
As a specific embodiment, the method for identifying a device in a network according to the embodiment of the present application, based on the above contents, determines device component information corresponding to each network traffic data based on a protocol feature included in each network traffic data, including:
for any network traffic data:
identifying the network protocol adopted by the network traffic data as the target network protocol;
extracting the protocol feature quantity corresponding to the target network protocol from the network traffic data;
searching, based on the protocol feature quantity, for the corresponding device component information in the protocol fingerprint library of the target network protocol, where each protocol fingerprint library stores the device component information corresponding to the different values of its kind of protocol feature quantity.
Specifically, in order to determine the device component information according to the protocol characteristic quantity, for each network protocol, the corresponding relationship between different values of the protocol characteristic quantity and the device component information is stored in a pre-established protocol fingerprint database. That is, in the present embodiment, protocol fingerprint libraries are respectively established for multiple network protocols, so that multiple pieces of device component information are combined with each other to accurately identify a terminal device in a network.
It should be noted that the same network traffic data may correspond to multiple network protocols. For example, a piece of network traffic data identified as HTTP will normally also be identified as TCP at the same time. To avoid missed detections, once a piece of network traffic data is identified as corresponding to n network protocols, protocol feature quantity analysis must be performed on it for each of the n network protocols.
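The per-protocol stage described above (grouping mirrored traffic by source IP, identifying every protocol a record belongs to, extracting its feature quantity and looking it up in that protocol's fingerprint library) as an added Python example; this is not code from the patent or from Sangfor. The page names only the ARP/MAC case, so the feature quantities assumed here for DHCP (option 55 parameter request list), TCP (initial TTL and window of a SYN) and HTTP (a User-Agent token) are my assumptions, and every library entry, record and field name is constructed.

```python
"""Per-protocol feature extraction and fingerprint-library lookup.

Added example, not code from the patent or from Sangfor. The traffic
records, the fingerprint-library contents and every field name are
constructed for illustration.
"""
from collections import defaultdict

# Constructed protocol fingerprint libraries: one per protocol, mapping a
# protocol feature value to a (component name, component value) pair.
PROTOCOL_FINGERPRINTS = {
    "arp": {   # MAC OUI (first three octets) -> NIC vendor
        "00:1a:2b": ("nic_vendor", "VendorA"),
        "3c:4d:5e": ("nic_vendor", "VendorB"),
    },
    "dhcp": {  # DHCP option 55 parameter request list -> OS family
        "1,3,6,15,119,252": ("os_family", "OS-X"),
        "1,15,3,6,44,46,47,31,33,121,249,43": ("os_family", "OS-Z"),
    },
    "tcp": {   # initial TTL / TCP window of a SYN -> OS family
        "64/65535": ("os_family", "OS-X"),
        "128/64240": ("os_family", "OS-Z"),
    },
    "http": {  # User-Agent token -> device model
        "ModelP40": ("device_model", "P40"),
    },
}


def identify_protocols(record):
    """Every protocol a record must be analysed under.

    A record carrying HTTP is also a TCP record, so it is analysed under
    both (the n-protocol case described in the text)."""
    protocols = [record["proto"]]
    if record["proto"] == "http":
        protocols.append("tcp")
    return protocols


def extract_feature(protocol, record):
    """Pull the protocol feature quantity for `protocol` out of a record."""
    if protocol == "arp":
        return record["src_mac"][:8].lower()
    if protocol == "dhcp":
        return record["param_request_list"]
    if protocol == "tcp":
        # a real sensor rounds the observed TTL up to its initial value first
        return f"{record['ttl']}/{record['window']}"
    if protocol == "http":
        return record["user_agent_token"]
    return None


def analyse_traffic(records, nat_ips=frozenset()):
    """Group records by source IP, look each feature up in its protocol
    library and return ({ip: component info}, {protocol: unknown features}).

    Addresses in `nat_ips` are skipped: behind NAT one address mixes the
    traffic of many devices, which the text warns against."""
    by_ip = defaultdict(list)
    for record in records:
        if record["src_ip"] not in nat_ips:
            by_ip[record["src_ip"]].append(record)

    components, unknown = {}, defaultdict(set)
    for ip, recs in by_ip.items():
        found = {}
        for record in recs:
            for protocol in identify_protocols(record):
                feature = extract_feature(protocol, record)
                if feature is None:
                    continue
                hit = PROTOCOL_FINGERPRINTS.get(protocol, {}).get(feature)
                if hit is None:
                    unknown[protocol].add(feature)   # reported to the cloud later
                else:
                    found.setdefault(hit[0], hit[1])  # first reliable value wins
        components[ip] = found
    return components, {p: sorted(v) for p, v in unknown.items()}


# Constructed mirrored-traffic records as a sensor might see them.
SAMPLE_RECORDS = [
    {"src_ip": "10.0.0.5", "proto": "arp", "src_mac": "00:1A:2B:AA:BB:CC"},
    {"src_ip": "10.0.0.5", "proto": "dhcp", "param_request_list": "1,3,6,15,119,252"},
    {"src_ip": "10.0.0.5", "proto": "http", "user_agent_token": "ModelP40",
     "ttl": 64, "window": 65535},
    {"src_ip": "10.0.0.7", "proto": "arp", "src_mac": "3c:4d:5e:11:22:33"},
    {"src_ip": "10.0.0.7", "proto": "tcp", "ttl": 128, "window": 64240},
    {"src_ip": "10.0.0.7", "proto": "http", "user_agent_token": "Unlisted/1.0",
     "ttl": 128, "window": 64240},
    {"src_ip": "192.168.1.1", "proto": "arp", "src_mac": "00:1a:2b:99:99:99"},  # NAT gateway
]

if __name__ == "__main__":
    comps, unknown = analyse_traffic(SAMPLE_RECORDS, nat_ips={"192.168.1.1"})
    for ip, info in comps.items():
        print(ip, info)
    print("unknown features:", unknown)
```

The HTTP record from 10.0.0.7 yields nothing from the HTTP library, but its TCP layer still contributes an OS family, which is exactly why the text insists on analysing a record under all n protocols it matches; the unmatched User-Agent token is collected separately so it can be reported upstream.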
As a specific embodiment, in the method for identifying a device in a network according to the embodiment of the present application, on the basis of the above contents, determining the device identification result of the terminal device based on the device component information combination includes:
matching and searching in a multi-protocol feature fingerprint library based on the equipment component information combination; the multi-protocol characteristic fingerprint library stores equipment information respectively corresponding to different equipment component information combinations;
and taking the matched and searched equipment information as an equipment identification result of the terminal equipment.
Specifically, in order to determine the device information according to the device component information combination, the corresponding relationship between various different device component information combinations and the device information is specifically stored in a pre-established multi-protocol feature fingerprint library. Therefore, the device information of the source device of the network traffic data can be acquired by matching and searching in the multi-protocol feature fingerprint library according to the acquired device component information combination.
As a specific embodiment, in the method for identifying a device in a network provided in the embodiment of the present application, on the basis of the foregoing content, the types of network protocols in which the protocol fingerprint library is established include any combination of the following:
an ARP protocol (Address Resolution Protocol), a DHCP protocol (Dynamic Host Configuration Protocol), a TCP protocol (Transmission Control Protocol), an HTTP protocol (Hypertext Transfer Protocol), a NetBIOS protocol (Network Basic Input Output System), and a CAPWAP protocol (Control And Provisioning of Wireless Access Points).
It is easy to understand that the more kinds of the protocol fingerprint database are, the more helpful is to improve the identification accuracy. Referring to fig. 3, in the schematic diagram of the device identification method shown in fig. 3, a corresponding protocol fingerprint database is set for each protocol.
As a specific embodiment, the method for identifying a device in a network according to the embodiment of the present application, after determining a device identification result of a terminal device based on a device component information combination, further includes:
and reporting the device identification result and the protocol feature quantities that were not successfully identified to the cloud, so that the cloud can collate and integrate the data reported by the multiple network security devices.
Referring to fig. 4, fig. 4 is a schematic diagram illustrating reporting of a device identification result disclosed in the embodiment of the present application.
Specifically, the cloud is configured to receive and process the data reported by the multiple network security devices. Based on the successfully identified and unsuccessfully identified data reported by each network security device, the cloud can perform statistical analysis, comparison and verification, fill gaps and omissions, make modifications and corrections, and generate new and more accurate data where necessary.
As a specific embodiment, the method for identifying devices in a network provided in the embodiment of the present application, based on the above contents, further includes, after the cloud performs collation and integration on data reported by multiple network security devices:
and after the checking and integrating result passes the verification, receiving the updating data issued by the cloud so as to update each protocol fingerprint database and the multi-protocol feature fingerprint database.
Specifically, the operation and maintenance personnel of the cloud system can review or manually modify the cloud data. The approved data is issued to each network security device, and the protocol fingerprint libraries and the multi-protocol feature fingerprint library of each network security device are updated. By repeating and continuing this iterative update, the identification capability of the network security devices is kept at the leading edge and the ability to identify new devices is maintained. Therefore, the mechanism for updating the fingerprint libraries through cloud linkage can adapt well to the trend of rapid change in current network technology.
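The multi-protocol matching step and the report/update loop described above, as an added Python example that is not code from the patent or from Sangfor. The library entries, component names, device descriptions, report fields, sensor id and the cloud-issued update are all constructed; the input is the per-source component information that the per-protocol lookup stage would produce. It generalizes the page's lookup slightly by preferring the most specific library entry when several combinations fit, and it refuses an update whose collated result has not passed verification.

```python
"""Multi-protocol fingerprint matching plus the cloud report/update loop.

Added example, not code from the patent or from Sangfor. Library entries,
component names, device descriptions and the report layout are constructed.
"""
import json

# Constructed multi-protocol feature fingerprint library: each entry pairs a
# device component information combination with the device information it
# identifies. More specific combinations carry more keys.
MULTI_PROTOCOL_FINGERPRINTS = [
    ({"nic_vendor": "VendorA", "os_family": "OS-X", "device_model": "P40"},
     {"type": "phone", "vendor": "VendorA", "model": "P40", "os": "OS-X"}),
    ({"nic_vendor": "VendorA", "os_family": "OS-X"},
     {"type": "phone", "vendor": "VendorA", "os": "OS-X"}),
    ({"nic_vendor": "VendorB", "os_family": "OS-Z"},
     {"type": "computer", "vendor": "VendorB", "os": "OS-Z"}),
]


def match_device(components, library):
    """Device information of the most specific library entry whose
    combination is fully contained in `components`, or None."""
    best_combo, best_info = None, None
    for combo, info in library:
        if all(components.get(k) == v for k, v in combo.items()):
            if best_combo is None or len(combo) > len(best_combo):
                best_combo, best_info = combo, info
    return best_info


def identify_all(per_ip_components, library):
    """Split sources into identified ones and ones no combination matched."""
    identified, unresolved = {}, {}
    for ip, comps in per_ip_components.items():
        info = match_device(comps, library)
        if info is None:
            unresolved[ip] = comps
        else:
            identified[ip] = info
    return identified, unresolved


def build_report(sensor_id, identified, unresolved, unknown_features):
    """Serialise what one network security device sends to the cloud:
    results, combinations with no match, and feature values that no
    protocol library knew (constructed layout)."""
    return json.dumps({
        "sensor": sensor_id,
        "identified": identified,
        "unresolved_combinations": unresolved,
        "unknown_features": unknown_features,
    }, sort_keys=True)


def apply_update(library, update_entries, verified):
    """Merge cloud-issued entries into the library only after the collated
    result has passed verification; an existing combination is replaced."""
    if not verified:
        raise ValueError("refusing to apply an unverified fingerprint update")
    new_combos = [u[0] for u in update_entries]
    kept = [entry for entry in library if entry[0] not in new_combos]
    return kept + list(update_entries)


# Constructed per-source component information, as the per-protocol lookup
# stage would produce it, plus the feature values it could not resolve.
SAMPLE_COMPONENTS = {
    "10.0.0.5": {"nic_vendor": "VendorA", "os_family": "OS-X", "device_model": "P40"},
    "10.0.0.7": {"nic_vendor": "VendorB", "os_family": "OS-Z"},
    "10.0.0.9": {"nic_vendor": "VendorC", "os_family": "OS-X"},
}
SAMPLE_UNKNOWN_FEATURES = {"http": ["Unlisted/1.0"]}

# Constructed update as the cloud would issue it after collating reports.
CLOUD_UPDATE = [
    ({"nic_vendor": "VendorC", "os_family": "OS-X"},
     {"type": "router", "vendor": "VendorC", "os": "OS-X"}),
]


def run_cycle():
    """One identify -> report -> update -> re-identify cycle on the samples."""
    identified, unresolved = identify_all(SAMPLE_COMPONENTS, MULTI_PROTOCOL_FINGERPRINTS)
    report = build_report("sensor-01", identified, unresolved, SAMPLE_UNKNOWN_FEATURES)
    library = apply_update(MULTI_PROTOCOL_FINGERPRINTS, CLOUD_UPDATE, verified=True)
    after, still_unresolved = identify_all(SAMPLE_COMPONENTS, library)
    return identified, unresolved, report, after, still_unresolved


if __name__ == "__main__":
    before, _, report, after, _ = run_cycle()
    print("before update:", json.dumps(before, indent=2))
    print("report:", report)
    print("after update:", json.dumps(after, indent=2))
```

Before the update, 10.0.0.9 has component information but no matching combination, so it goes into the report as unresolved; after the cloud issues a verified entry for that combination, the same input is identified without any change to the sensor-side logic, which is the point of keeping the libraries data-driven.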
Referring to fig. 5, an embodiment of the present application discloses an apparatus for identifying a device in a network, which is applied to a network security device, and mainly includes:
an obtaining module 201, configured to obtain network traffic data of different protocols from the same terminal device in a network;
the searching module 202 is configured to determine, based on the protocol feature quantity included in each network traffic data, device component information corresponding to each network traffic data;
and an identification module 203, configured to combine the determined device component information into a device component information combination and to determine the device identification result of the terminal device based on that combination.
It can be seen that the device identification apparatus in the network disclosed in the embodiment of the present application extracts and analyzes a plurality of protocol feature quantities from the network traffic data of the terminal device, obtains a plurality of pieces of device component information about the source device, and thereby accurately identifies the device information of the terminal device from the combination of that device component information. Identifying devices in this traffic-monitoring manner not only relaxes the conditions of use but also greatly improves the accuracy of device identification, and can effectively help maintain network security.
For the specific content of the device identification apparatus in the network, reference may be made to the foregoing detailed description of the device identification method in the network, and details thereof are not repeated here.
As a specific embodiment, on the basis of the foregoing content, the device identification apparatus in a network disclosed in the embodiment of the present application specifically includes:
a protocol identification unit, configured to identify the network protocol adopted by any network traffic data as a target network protocol;
a feature extraction unit, configured to extract the protocol feature quantity corresponding to the target network protocol from the network traffic data;
a feature search unit, configured to search, based on the protocol feature quantity, for the corresponding device component information in the protocol fingerprint library of the target network protocol; each protocol fingerprint library stores the device component information corresponding to each different value of its kind of protocol feature quantity.
As a specific embodiment, on the basis of the foregoing, the device identification apparatus in a network disclosed in the embodiment of the present application, when the obtaining module 201 obtains network traffic data from the same terminal device in the network, is specifically configured to:
acquiring the network traffic data from the same terminal device by receiving the mirrored traffic data sent by the core switch.
As a specific embodiment, in the device identification apparatus in the network disclosed in the embodiment of the present application, on the basis of the foregoing content, the identification module 203 is specifically configured to:
matching and searching in a multi-protocol feature fingerprint library based on the device component information combination, the multi-protocol feature fingerprint library storing the device information corresponding to each different device component information combination;
and taking the device information found by the match as the device identification result of the terminal device.
As a specific embodiment, the device identification apparatus in a network disclosed in the embodiment of the present application further includes, on the basis of the foregoing content:
a reporting module, configured to report the device identification result and the protocol feature quantities that were not successfully identified to the cloud after the identification module has determined the device identification result of the terminal device based on the device component information combination, so that the cloud can collate and integrate the data reported by the plurality of network security devices.
As a specific embodiment, the device identification apparatus in a network disclosed in the embodiment of the present application further includes, on the basis of the foregoing content:
an updating module, configured to receive the update data issued by the cloud so as to update each protocol fingerprint library and the multi-protocol feature fingerprint library, after the cloud has collated and integrated the data reported by the plurality of network security devices and the collation and integration result has passed verification.
As a specific embodiment, in the device identification apparatus in a network disclosed in the embodiment of the present application, based on the above contents, the types of network protocols for which protocol fingerprint libraries are established include any combination of the following:
arp protocol, dhcp protocol, tcp protocol, http protocol, netbios protocol, capwap protocol.
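The two-stage lookup performed by modules 201 to 203, together with the reporting and updating modules (the same flow that claims 1 to 8 recite), as an added Python illustration that is not the patent's or the applicant's code. The fingerprint values, the feature encodings, the traffic records and the shape of the cloud update data ({"protocol": {proto: {feature: component}}, "multi": {combination: device}}) are all assumptions, and the largest-contained-combination fallback in identify goes beyond what the text states.

```python
from collections import defaultdict
# Stage 1 libraries, one per protocol: protocol feature quantity -> device component info.
# All fingerprint values below are constructed placeholders, not real vendor fingerprints.
PROTOCOL_FINGERPRINTS = {
    "dhcp": {"opt55=1,3,6,15,119,252": "os:ios"},                      # option 55 list
    "tcp":  {"ttl=64;win=65535;opts=mss,sack,ts,ws": "stack:darwin"},  # SYN fingerprint
    "http": {"ua=CPU iPhone OS": "ua:iphone"},                         # User-Agent part
    "arp":  {"oui=00:1c:b3": "nic:apple"},                             # sender MAC OUI
}

# Stage 2 library: sorted combination of component info -> device information.
MULTI_PROTOCOL_FINGERPRINTS = {
    ("nic:apple", "os:ios", "stack:darwin", "ua:iphone"): "Apple iPhone",
    ("nic:apple", "os:ios", "stack:darwin"): "Apple iOS device",
}

def lookup_components(records):
    """Search module 202: map each (protocol, feature) to component info, keeping unknowns."""
    components, unrecognized = set(), []
    for proto, feature in records:
        info = PROTOCOL_FINGERPRINTS.get(proto, {}).get(feature)
        if info is None:
            unrecognized.append((proto, feature))   # reported to the cloud later
        else:
            components.add(info)
    return components, unrecognized

def identify(components):
    """Identification module 203: exact match first, else (assumed) the largest library
    combination contained in the observed set; None when nothing matches."""
    key = tuple(sorted(components))
    if key in MULTI_PROTOCOL_FINGERPRINTS:
        return MULTI_PROTOCOL_FINGERPRINTS[key]
    best = max((k for k in MULTI_PROTOCOL_FINGERPRINTS if set(k) <= components),
               key=len, default=None)
    return MULTI_PROTOCOL_FINGERPRINTS[best] if best else None

def process_mirror_traffic(packets):
    """Module 201 + reporting module: group mirrored traffic per terminal, build cloud report."""
    per_terminal = defaultdict(list)
    for src, proto, feature in packets:
        per_terminal[src].append((proto, feature))
    report = {}
    for src, records in per_terminal.items():
        components, unrecognized = lookup_components(records)
        report[src] = {"device": identify(components),
                       "components": sorted(components), "unrecognized": unrecognized}
    return report

def apply_cloud_update(update):
    """Updating module: merge verified cloud data into both libraries (update shape assumed)."""
    for proto, entries in update.get("protocol", {}).items():
        PROTOCOL_FINGERPRINTS.setdefault(proto, {}).update(entries)
    for combo, device in update.get("multi", {}).items():
        MULTI_PROTOCOL_FINGERPRINTS[tuple(sorted(combo))] = device

# Constructed sample of mirrored traffic: (source IP, protocol, extracted feature quantity).
SAMPLE_PACKETS = [
    ("10.0.0.7", "arp", "oui=00:1c:b3"),
    ("10.0.0.7", "dhcp", "opt55=1,3,6,15,119,252"),
    ("10.0.0.7", "tcp", "ttl=64;win=65535;opts=mss,sack,ts,ws"),
    ("10.0.0.7", "http", "ua=CPU iPhone OS"),
    ("10.0.0.9", "arp", "oui=00:1c:b3"),                          # known NIC vendor ...
    ("10.0.0.9", "dhcp", "opt55=1,3,6,15,31,33,43,44,46,47"),     # ... but unknown OS
    ("10.0.0.9", "tcp", "ttl=128;win=64240;opts=mss,nop,ws,sack"),
]
```

The second terminal is only identified after the cloud issues entries for its unrecognized DHCP and TCP feature quantities plus a new combination, which is the linkage the updating module provides.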
Referring to fig. 6, an embodiment of the present application discloses an electronic device, including:
a memory 301 for storing a computer program;
a processor 302 for executing a computer program to implement the steps of the device identification method in a network as any of the above.
Further, an embodiment of the present application also discloses a computer-readable storage medium in which a computer program is stored, the computer program, when executed by a processor, implementing the steps of any of the above device identification methods in a network.
For details of the electronic device and the computer-readable storage medium, reference may be made to the foregoing detailed description of the device identification method in the network, and details thereof are not repeated here.
The embodiments are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same and similar parts among the embodiments can be referred to each other. For the apparatus disclosed in the embodiment, the description is relatively simple because the apparatus corresponds to the method disclosed in the embodiment, and the relevant parts can be found in the description of the method.
It is further noted that, throughout this document, relational terms such as "first" and "second" are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Furthermore, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The technical solutions provided by the present application are described in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, without departing from the principle of the present application, several improvements and modifications can be made to the present application, and these improvements and modifications also fall into the protection scope of the present application.

Claims (10)

1. A device identification method in a network, applied to a network security device, the method comprising the following steps:
acquiring network traffic data of different protocols from the same terminal device in the network;
determining device component information corresponding to each of the network traffic data based on protocol feature quantities included in each of the network traffic data;
and combining the determined device component information into a device component information combination, and determining the device identification result of the terminal device based on the device component information combination.
2. The device identification method according to claim 1, wherein the acquiring network traffic data of different protocols from the same terminal device in the network comprises:
acquiring the network traffic data of different protocols from the same terminal device by receiving the mirrored traffic data sent by the core switch.
3. The method according to claim 1, wherein the determining device component information corresponding to each piece of network traffic data based on a protocol feature quantity included in each piece of network traffic data includes:
for any network traffic data:
identifying the network protocol adopted by the network traffic data as a target network protocol;
extracting the protocol feature quantity corresponding to the target network protocol from the network traffic data;
and searching, based on the protocol feature quantity, for the corresponding device component information in the protocol fingerprint library of the target network protocol; each protocol fingerprint library stores the device component information corresponding to each different value of its kind of protocol feature quantity.
4. The device identification method according to claim 3, wherein the determining of the device identification result of the terminal device based on the device component information combination comprises:
matching and searching in a multi-protocol feature fingerprint library based on the device component information combination, the multi-protocol feature fingerprint library storing the device information corresponding to each different device component information combination;
and taking the device information found by the match as the device identification result of the terminal device.
5. The device identification method according to claim 4, further comprising, after said determining a device identification result of the terminal device based on the device component information combination:
and reporting the device identification result and the protocol feature quantities that were not successfully identified to a cloud, so that the cloud can collate and integrate the data reported by the plurality of network security devices.
6. The device identification method according to claim 5, wherein after the cloud checks and integrates the data reported by the plurality of network security devices, the method further comprises:
and after the checking and integrating result passes the verification, receiving the updating data issued by the cloud so as to update each protocol fingerprint library and the multi-protocol feature fingerprint library.
7. The device identification method according to any one of claims 1 to 6, wherein the types of network protocols for which protocol fingerprint libraries are established comprise any combination of the following:
arp protocol, dhcp protocol, tcp protocol, http protocol, netbios protocol, capwap protocol.
8. An apparatus for identifying devices in a network, applied to a network security device, comprising:
an acquisition module, configured to acquire network traffic data of different protocols from the same terminal device in the network;
a search module, configured to determine device component information corresponding to each of the network traffic data based on protocol feature quantities included in each of the network traffic data;
and an identification module, configured to combine the determined device component information into a device component information combination and to determine the device identification result of the terminal device based on the device component information combination.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to carry out the steps of the device identification method according to any of claims 1 to 7.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, is adapted to carry out the steps of the device identification method according to any one of claims 1 to 7.
CN202111043651.5A 2021-09-07 2021-09-07 Method, device, equipment and storage medium for identifying equipment in network Pending CN113746849A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111043651.5A CN113746849A (en) 2021-09-07 2021-09-07 Method, device, equipment and storage medium for identifying equipment in network

Publications (1)

Publication Number Publication Date
CN113746849A (en) 2021-12-03

Family

ID=78736505

Country Status (1)

Country Link
CN (1) CN113746849A (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106487879A (en) * 2016-09-20 2017-03-08 北京知道未来信息技术有限公司 Network device identification method and apparatus based on a device fingerprint library
CN107995226A (en) * 2017-12-27 2018-05-04 山东华软金盾软件股份有限公司 Device fingerprint identification method based on passive traffic
CN110401662A (en) * 2019-07-29 2019-11-01 华能阜新风力发电有限责任公司 Industrial control device fingerprint identification method and storage medium
EP3799383A1 (en) * 2019-09-30 2021-03-31 AO Kaspersky Lab System and method for using inventory rules to identify devices of a computer network
CN111447153A (en) * 2020-04-03 2020-07-24 北京天地和兴科技有限公司 Industrial device fingerprint identification method
CN112714045A (en) * 2020-12-31 2021-04-27 浙江远望信息股份有限公司 Rapid protocol identification method based on device fingerprint and port

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114338436A (en) * 2021-12-28 2022-04-12 深信服科技股份有限公司 Network traffic file identification method and device, electronic equipment and medium
CN116708253A (en) * 2023-08-07 2023-09-05 烽台科技(北京)有限公司 Equipment identification method, device, equipment and medium
CN116708253B (en) * 2023-08-07 2023-10-13 烽台科技(北京)有限公司 Equipment identification method, device, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination