Disclosure of Invention
The present application mainly aims to provide a method, an apparatus, a device and a readable storage medium for detecting a cross-network boundary device, and aims to solve the technical problem of high cost of the existing method for detecting the cross-network boundary device.
In order to achieve the above object, the present application provides a method for detecting a cross-network boundary device, where the method for detecting a cross-network boundary device includes the steps of:
sending a detection packet to a detected device in a preset network;
obtaining a return result fed back by the detected device in response to the detection packet;
and if the return result meets the preset cross-network boundary equipment determining condition, determining that the detected equipment is cross-network boundary equipment.
Optionally, the sending a probe packet to a device to be probed in a preset network includes:
acquiring an Internet Protocol (IP) section and/or an asset library of a preset network;
scanning the IPs in the IP section and/or the asset library one by one;
and sending a detection packet to each IP.
Optionally, the detection packet is a port detection packet, and if the return result meets the preset cross-network boundary device determining condition, determining that the detected device is a cross-network boundary device includes:
if a port response packet corresponding to the port detection packet is received, determining that a single port or a combined port corresponding to the port response packet is in an externally open state, and determining that the detected device is a cross-network boundary device.
Optionally, the detection packet is a content detection packet, and if the return result meets the preset cross-network boundary device determining condition, determining that the detected device is a cross-network boundary device includes:
and if the return result contains the target content, determining that the detected equipment is cross-network boundary equipment.
Optionally, the target content comprises at least one of: title keywords, content keywords, general keywords, and secure socket protocol SSL hint information.
Optionally, before sending the probe packet to the device to be detected in the preset network, the method includes:
acquiring cross-network boundary equipment characteristics of preset cross-network boundary equipment;
and constructing a detection packet based on the cross-network boundary equipment characteristics.
Optionally, after acquiring the cross-network boundary device characteristics of the preset cross-network boundary device, the method further includes:
and determining a preset cross-network boundary equipment determining condition based on the cross-network boundary equipment characteristics.
In addition, in order to achieve the above object, the present application further provides a device for detecting an inter-network boundary device, where the device for detecting an inter-network boundary device includes:
a sending module, configured to send a detection packet to a detected device in a preset network;
an obtaining module, configured to obtain a return result fed back by the detected device for the detection packet;
and the determining module is used for determining the detected equipment as cross-network boundary equipment if the return result meets the preset cross-network boundary equipment determining condition.
Optionally, the sending module is further configured to:
acquiring an Internet Protocol (IP) segment and/or an asset library of a preset network;
scanning the IPs in the IP section and/or the asset library one by one;
and sending a detection packet to each IP.
Optionally, the probe packet is a port probe packet, and the determining module is further configured to:
if a port response packet corresponding to the port detection packet is received, determining that a single port or a combined port corresponding to the port response packet is in an externally open state, and determining that the detected device is a cross-network boundary device.
Optionally, the detection packet is a content detection packet, and the determining module is further configured to:
and if the return result contains the target content, determining that the detected equipment is cross-network boundary equipment.
Optionally, the target content comprises at least one of: title keywords, content keywords, general keywords, and secure socket protocol SSL hint information.
Optionally, the inter-network boundary device detecting apparatus further includes:
the acquisition module is used for acquiring cross-network boundary equipment characteristics of preset cross-network boundary equipment;
and the construction module is used for constructing the detection packet based on the cross-network boundary equipment characteristics.
Optionally, the inter-network boundary device detecting apparatus further includes:
and the generating module is used for determining a preset cross-network boundary equipment determining condition based on the cross-network boundary equipment characteristics.
In addition, to achieve the above object, the present application further provides a cross-network boundary device detection device, which includes a memory, a processor, and a cross-network boundary device detection program stored in the memory and executable on the processor, and when executed by the processor, the cross-network boundary device detection program implements the steps of the cross-network boundary device detection method described above.
In addition, to achieve the above object, the present application also provides a computer readable storage medium, which stores thereon a cross-network boundary device detection program, and when the cross-network boundary device detection program is executed by a processor, the cross-network boundary device detection program implements the steps of the cross-network boundary device detection method as described above.
Compared with the prior art, in which the cost is high because cross-network boundary devices are determined by traffic analysis, the method and apparatus of the present application send a detection packet to the detected device in the preset network, obtain the return result fed back by the detected device in response to the detection packet, and determine that the detected device is a cross-network boundary device if the return result meets the preset cross-network boundary device determining condition. Through the automatic detection of cross-network boundary devices, boundary links that were constructed illegally or not registered as required can be found, the illegal construction of boundaries is effectively deterred, and compliance in boundary construction is promoted. Because the return result corresponding to the detection packet is analyzed, detection is performed remotely and cross-network boundary devices are found without traffic analysis, so that high-performance acquisition and analysis equipment does not need to be deployed in large quantities, and the cost is reduced.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
Referring to fig. 1, fig. 1 is a schematic flowchart of a first embodiment of a cross-network boundary device detection method according to the present application.
The embodiments of the present application provide an embodiment of a cross-network boundary device detection method. It should be noted that although a logical order is shown in the flowchart, in some cases the steps shown or described may be performed in an order different from that given here. The cross-network boundary device detection method can be applied to a terminal or a personal computer. For convenience of description, the subject that performs the steps of the cross-network boundary device detection method is omitted below. The cross-network boundary device detection method comprises the following steps:
Step S10, sending a detection packet to the detected device in the preset network.
In this embodiment, the preset network is a private network, such as a local area network, including internal networks of various enterprises and public institutions, and is a network restricted from performing data exchange with the internet; the detection packet is a data packet for detecting the cross-network boundary device, and the detection packet is transmitted by transmitting a request to the detected device.
The process of sending the detection packet to the detected device in the preset network is implemented based on IP (Internet Protocol); specifically, sending the detection packet to the detected device in the preset network includes:
step a, obtaining an Internet Protocol (IP) section and/or an asset library of a preset network.
In this embodiment, the IP is used for end-to-end data exchange between hosts. An IP address is composed of four groups, A, B, C and D, each with a value ranging from 0 to 255; for example, for the IP 192.168.255.255, groups A, B, C and D are 192, 168, 255 and 255, respectively. An IP segment consists of multiple IPs, e.g. 192.168.0.0 to 192.168.255.255.
The asset library records the device asset information in the preset network; the device asset information comprises a device number, a device name, a device user number, an IP (Internet Protocol) address and the like.
Step b, scanning the IPs in the IP segment and/or the asset library one by one.
In this embodiment, in the detection process, generally, all devices in the preset network need to be detected, that is, the devices in the preset network are traversed, and the traversed devices are detected as detected devices. One device corresponds to one IP, and the process of traversing the devices in the preset network can be realized by scanning all IPs one by one.
Step c, sending a detection packet to each IP.
In this embodiment, the detection packets are of various types; specifically, the detection packets include port detection packets and content detection packets. The determination of a cross-network boundary device through a port detection packet is based on whether a port or port combination of the cross-network boundary device is open; the determination of a cross-network boundary device through a content detection packet is based on the content of the return result.
It should be noted that, when a detection packet is sent to each IP, it is not yet known whether the detected device corresponding to that IP is a cross-network boundary device, and this can be determined either by a port detection packet or by a content detection packet. Therefore, when sending a detection packet to each IP, both a port detection packet and a content detection packet may need to be sent to determine whether the detected device is a cross-network boundary device: either the port detection packet is sent to the detected device first and the content detection packet second, or the content detection packet is sent first and the port detection packet second.
In the process of sending the port detection packet and the content detection packet to the detected device, after one detection packet has been sent and its return result received, it may be determined whether the other detection packet still needs to be sent; that is, once the detected device has been determined to be a cross-network boundary device through the earlier detection packet, the later detection packet is not sent. For example, when a policy of sending the port detection packet first and the content detection packet second is used, the port detection packet is sent to the detected device and its return result received; if that return result already shows the detected device to be a cross-network boundary device, the content detection packet is not sent to the detected device. If the detected device cannot be determined to be a cross-network boundary device from that return result, the content detection packet is then sent to the detected device, and whether the detected device is a cross-network boundary device is determined through the corresponding return result.
Step S20, obtaining a return result fed back by the detected device in response to the detection packet.
In this embodiment, the return result of the detected device after receiving the detection packet is obtained; for the same detection packet, the return results fed back by different detected devices may differ. It can be understood that different detected devices are detected through the port detection packet and/or the content detection packet, and the return result obtained through the port detection packet differs from the return result obtained through the content detection packet.
Step S30, if the return result meets the preset cross-network boundary device determining condition, determining that the detected device is a cross-network boundary device.
In this embodiment, the returned result is used to determine whether the detected device is a cross-network boundary device, and when the returned result meets a preset cross-network boundary device determination condition, the detected device is determined to be a cross-network boundary device; and when the returned result does not meet the preset cross-network boundary equipment determining condition, determining that the detected equipment is non-cross-network boundary equipment.
Specifically, for the case where the return result is a port response packet and the detection packet is a port detection packet, if the return result meets the preset cross-network boundary device determining condition, determining that the detected device is a cross-network boundary device includes:
Step d, if a port response packet corresponding to the port detection packet is received, determining that the single port or combined port corresponding to the port response packet is in an externally open state, and determining that the detected device is a cross-network boundary device.
In this embodiment, a single port or a combined port of the detected device is probed by the port detection packet, and whether the single port or combined port is in an externally open state is determined from the port response packet corresponding to the port detection packet. If the single port or combined port is in the externally open state, the detected device is determined to be a cross-network boundary device; if it is not in the externally open state, the detected device is determined to be a non-cross-network boundary device.
It should be noted that the basis for this determination is that a cross-network boundary device may open a single port or a combined port that non-cross-network boundary devices do not open; that is, whether the detected device is a cross-network boundary device is determined by whether a port response packet can be received for the single port or combined port associated with the cross-network boundary device. For example, if it is known that a certain brand of cross-network boundary device opens port 1234, a TCP (Transmission Control Protocol) SYN packet is sent to port 1234 at the IP of device A; if an ACK packet, which is the port response packet, is received, device A has port 1234 open, that is, device A is a cross-network boundary device. For another example, if it is known that a certain brand of cross-network boundary device opens ports 1234, 2234 and 8080 simultaneously, TCP SYN packets are sent to ports 1234, 2234 and 8080 at the IP of device A; if the port response packets (ACK packets) are received, device A has ports 1234, 2234 and 8080 open, that is, device A is a cross-network boundary device.
For the case where the return result contains the target content and the detection packet is a content detection packet, if the return result meets the preset cross-network boundary device determining condition, determining that the detected device is a cross-network boundary device includes:
Step f, if the return result contains the target content, determining that the detected device is a cross-network boundary device.
Wherein the target content comprises at least one of: title keywords, content keywords, general keywords, and secure socket protocol SSL hint information.
In this embodiment, the different kinds of target content are determined at different positions in the return result: the title keyword is determined from the title in HTTP (Hypertext Transfer Protocol) or HTTPS (Hypertext Transfer Protocol over Secure Socket Layer); the content keywords and the general keywords are determined from the title and the page content in HTTP or HTTPS; the SSL (Secure Sockets Layer) hint information is determined from the SSL response information in HTTPS.
It should be noted that the keywords may be in either language, that is, the title keywords, content keywords and general keywords include both Chinese and English title keywords, content keywords and general keywords.
It can be understood that the target content is a basis for determining whether the detected device is a cross-network boundary device, and when the return result includes at least one of a title keyword, a content keyword, a general keyword and SSL hint information, the detected device may be determined to be a cross-network boundary device.
The title keywords include title-related information such as a company name (or abbreviation, in Chinese or English), a device name (or abbreviation, in Chinese or English) and a product name (or abbreviation, in Chinese or English). It should be noted that a cross-network boundary device can be determined from the title-related information; for example, if the cross-network boundary device is manufactured and sold by "XX company", the detected device is determined to be a cross-network boundary device when "XX company" appears in the title. For example, if the title is "XX company official website", the company name "XX company" is present in the title; likewise, if the title is "XX device details", the product name "XX device" is present in the title.
The content keywords comprise content keyword features of the XX brand cross-network boundary device, that is, words or terms that can be determined to describe XX brand cross-network boundary devices, such as introductory content about XX brand cross-network boundary devices in the page content, which can be understood to explicitly identify the corresponding devices. For example, if the introductory content is "the only network device for XX by the company", and the company's only network device is the cross-network boundary device, then the content keywords "only" and "network device" can be used to determine that the detected device is a cross-network boundary device.
The general keywords include general keyword features that indicate the device itself is a cross-network boundary device, such as "data exchange" and "network isolation", which describe the functions of the device; that is, when the return result includes "data exchange" or "network isolation", the detected device can be determined to be a cross-network boundary device.
The SSL hint information includes product-specific information such as a company name (or abbreviation, in Chinese or English) and a product name (or abbreviation, in Chinese or English); it differs from the title keyword in that the SSL hint information is content in the SSL response, whereas the title keyword is content in the title.
Further, before sending the detection packet to the detected device in the preset network, the method includes:
Step d, acquiring cross-network boundary device characteristics of preset cross-network boundary devices;
Step e, constructing a detection packet based on the cross-network boundary device characteristics.
In this embodiment, before detecting cross-network boundary devices, the characteristics of cross-network boundary devices need to be determined, so that whether the detected device is a cross-network boundary device can be decided according to those characteristics. Specifically, the characteristics of the mainstream domestic and foreign cross-network boundary devices, which are the basis of detection, are collected, and a characteristic library is established to store them so that they are readily available during detection.
It can be understood that, when detecting a cross-network boundary device, the cross-network boundary device characteristics are known; that is, the detection process consists of finding, in the preset network, detected devices that exhibit those characteristics. The cross-network boundary device characteristics therefore include the single port or combined port of the cross-network boundary device, as well as its title keywords, content keywords, general keywords and secure socket protocol SSL hint information.
It should be noted that, when acquiring the cross-network boundary device characteristics, which devices are cross-network boundary devices may be determined from past experience and the characteristics of those devices acquired; cross-network boundary devices may also be identified through various other channels, for example by searching with a search engine, or by acquiring their characteristics from related patent documents and academic papers, so as to collect as many cross-network boundary device characteristics as possible and thereby improve the accuracy of detection.
After the cross-network boundary device characteristics have been collected, the detection packets are constructed: the port detection packet is constructed from the port-related cross-network boundary device characteristics, and the content detection packet is constructed from the content-related cross-network boundary device characteristics.
After acquiring the cross-network boundary device characteristics of the preset cross-network boundary device, the method further includes:
Step f, determining a preset cross-network boundary device determining condition based on the cross-network boundary device characteristics.
In this embodiment, before a cross-network boundary device is determined from the return result, the preset cross-network boundary device determining condition is derived from the cross-network boundary device characteristics. It should be noted that the preset cross-network boundary device determining condition is either that the return result is a port response packet, or that the target content is present in the return result.
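The following is an added reference implementation of the detection flow described in steps a to f and S10 to S30 above; it is not the patent's own code. It puts the feature library (step d), the ports the port detection packet covers (step e), the two determining conditions (steps d and f), the IP-segment and asset-library traversal (steps a to c) and the port-first policy with early stop into runnable form. The two transports are injected as callables, and the ones defined here answer from a constructed table instead of sending anything, so the whole block runs offline; every brand name, port number, keyword and IP address in it is a constructed placeholder that echoes the text's own examples.

```python
# Added example (not the patent's code). Every brand, port, keyword and IP here is a constructed placeholder.
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

@dataclass(frozen=True)
class BoundaryDeviceFeature:
    """Feature-library entry (step d). port_combos holds frozensets; a 1-element set is a single port."""
    name: str
    port_combos: tuple
    title_keywords: tuple = ()
    content_keywords: tuple = ()
    general_keywords: tuple = ()
    ssl_hints: tuple = ()

@dataclass
class ReturnResult:
    """Return result fed back by a detected device (step S20): answered ports, HTTP(S) title/page, SSL info."""
    open_ports: frozenset = frozenset()
    title: str = ""
    body: str = ""
    ssl_info: str = ""

# Constructed feature library echoing the examples in the text; not a real product.
FEATURE_LIBRARY = (BoundaryDeviceFeature(
    name="XX brand boundary device (constructed)",
    port_combos=(frozenset({1234}), frozenset({1234, 2234, 8080})),
    title_keywords=("XX company", "XX device"), content_keywords=("only network device",),
    general_keywords=("data exchange", "network isolation"), ssl_hints=("XX company",)),)

def probe_ports(library=FEATURE_LIBRARY) -> frozenset:
    """Step e: the port detection packet covers every port named in the feature library."""
    return frozenset(p for f in library for combo in f.port_combos for p in combo)

def enumerate_targets(ip_segment: str, asset_library: Iterable[dict]) -> List[str]:
    """Steps a and b: hosts of the IP segment plus IPs recorded in the asset library, de-duplicated."""
    candidates = [str(h) for h in ipaddress.ip_network(ip_segment, strict=False).hosts()]
    candidates += [a["ip"] for a in asset_library if "ip" in a]
    seen = set()
    return [ip for ip in candidates if not (ip in seen or seen.add(ip))]

def port_condition(result: ReturnResult, feature: BoundaryDeviceFeature) -> Optional[str]:
    """Step d: a single port or combined port of the feature is externally open (most specific combo first)."""
    for combo in sorted(feature.port_combos, key=len, reverse=True):
        if combo <= result.open_ports:
            return "port(s) %s externally open" % sorted(combo)
    return None

def content_condition(result: ReturnResult, feature: BoundaryDeviceFeature) -> Optional[str]:
    """Step f: each keyword type is searched where the text locates it (title; title and page; SSL info)."""
    title, body, ssl = (s.lower() for s in (result.title, result.body, result.ssl_info))
    checks = (("title keyword", feature.title_keywords, (title,)),
              ("content keyword", feature.content_keywords, (title, body)),
              ("general keyword", feature.general_keywords, (title, body)),
              ("SSL hint", feature.ssl_hints, (ssl,)))
    for label, keywords, haystacks in checks:
        for kw in keywords:
            if any(kw.lower() in h for h in haystacks):
                return "%s %r" % (label, kw)
    return None

def first_match(result, library, condition):
    """(feature name, evidence) of the first feature whose determining condition the result meets, else None."""
    for feature in library:
        evidence = condition(result, feature)
        if evidence:
            return feature.name, evidence
    return None

def detect(ip: str, send_port_probe: Callable, send_content_probe: Callable, library=FEATURE_LIBRARY) -> dict:
    """Steps S10-S30 with the port-first policy: the content detection packet is sent only when the
    port detection packet could not decide. The two transports are injected, so this runs offline."""
    verdict = {"ip": ip, "boundary_device": False, "matched": None, "evidence": None, "probes_sent": ["port"]}
    match = first_match(send_port_probe(ip, probe_ports(library)), library, port_condition)
    if match is None:
        verdict["probes_sent"].append("content")
        match = first_match(send_content_probe(ip), library, content_condition)
    if match is not None:
        verdict.update(boundary_device=True, matched=match[0], evidence=match[1])
    return verdict

def scan(ip_segment, asset_library, send_port_probe, send_content_probe, library=FEATURE_LIBRARY):
    """Step c over every target IP; one verdict per IP."""
    return [detect(ip, send_port_probe, send_content_probe, library)
            for ip in enumerate_targets(ip_segment, asset_library)]

# Constructed stand-in for the preset network: what each IP would feed back. Nothing goes on the wire.
SIMULATED_NETWORK = {
    "192.168.10.1": ReturnResult(open_ports=frozenset({22, 1234})),                       # single port open
    "192.168.10.2": ReturnResult(open_ports=frozenset({443}), title="Intranet portal", body="HR notices"),
    "192.168.10.3": ReturnResult(open_ports=frozenset({443}), title="XX device details"), # title keyword
    "192.168.10.4": ReturnResult(open_ports=frozenset({8443}), body="Unidirectional data exchange appliance"),
    "10.0.0.7": ReturnResult(open_ports=frozenset({1234, 2234, 8080})),  # asset-library entry, combined port
}

def simulated_port_probe(ip: str, ports: frozenset) -> ReturnResult:
    """Stands in for the port detection packet: only the probed ports can answer; silent IPs answer nothing."""
    return ReturnResult(open_ports=SIMULATED_NETWORK.get(ip, ReturnResult()).open_ports & ports)

def simulated_content_probe(ip: str) -> ReturnResult:
    """Stands in for the content detection packet; silent IPs return an empty result."""
    return SIMULATED_NETWORK.get(ip, ReturnResult())
```

Calling `scan("192.168.10.0/29", [{"ip": "10.0.0.7"}], simulated_port_probe, simulated_content_probe)` traverses the six hosts of the segment plus the asset-library entry and returns one verdict per IP, recording which detection packets were sent: a host whose port detection packet already decides gets no content detection packet, while an ordinary host receives both and is reported as a non-cross-network boundary device. Replacing the two simulated transports with real ones is the only change needed to run the same logic against a preset network, and the feature library stays the single place where new port or keyword characteristics are added.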
In addition, the present application further provides a cross-network boundary device detecting apparatus, as shown in fig. 2, the cross-network boundary device detecting apparatus includes:
a sending module 10, configured to send a probe packet to a device to be detected in a preset network;
an obtaining module 20, configured to obtain a return result fed back by the detected device for the detection packet;
a determining module 30, configured to determine that the detected device is a cross-network boundary device if the returned result meets a preset cross-network boundary device determining condition.
Optionally, the sending module 10 is further configured to:
acquiring an Internet Protocol (IP) segment and/or an asset library of a preset network;
scanning the IPs in the IP section and/or the asset library one by one;
and sending a detection packet to each IP.
Optionally, the probe packet is a port probe packet, and the determining module 30 is further configured to:
if a port response packet corresponding to the port detection packet is received, determining that a single port or a combined port corresponding to the port response packet is in an externally open state, and determining that the detected device is a cross-network boundary device.
Optionally, the probe packet is a content probe packet, and the determining module 30 is further configured to:
and if the return result contains the target content, determining that the detected equipment is cross-network boundary equipment.
Optionally, the target content comprises at least one of: title keywords, content keywords, general keywords, and secure socket protocol SSL hints.
Optionally, the inter-network boundary device detecting apparatus further includes:
the acquisition module is used for acquiring the cross-network boundary equipment characteristics of the preset cross-network boundary equipment;
and the construction module is used for constructing the detection packet based on the cross-network boundary equipment characteristics.
Optionally, the inter-network boundary device detecting apparatus further includes:
and the generating module is used for determining a preset cross-network boundary device determining condition based on the cross-network boundary device characteristics.
The specific implementation of the cross-network boundary device detection apparatus in the present application is substantially the same as that of each embodiment of the cross-network boundary device detection method described above, and is not described herein again.
In addition, the present application also provides a cross-network boundary device detection device. Referring to fig. 3, fig. 3 is a schematic structural diagram of the hardware operating environment of the cross-network boundary device detection device according to an embodiment of the present application.
As shown in fig. 3, the cross-network boundary device detection device may include: a processor 1001 (e.g. a CPU), a memory 1005, a user interface 1003, a network interface 1004 and a communication bus 1002, where the communication bus 1002 is used to enable communication among these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and may optionally also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g. a Wi-Fi interface). The memory 1005 may be a high-speed RAM or a non-volatile memory (e.g. a magnetic disk). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Optionally, the cross-network boundary device detection device may further include an RF (Radio Frequency) circuit, a sensor, an audio circuit, a Wi-Fi module, and the like.
Those skilled in the art will appreciate that the configuration of the cross-network boundary device detection device shown in fig. 3 does not constitute a limitation of the cross-network boundary device detection device, which may include more or fewer components than those shown, may combine some components, or may arrange the components differently.
As shown in fig. 3, the memory 1005, which is a kind of computer storage medium, may contain an operating system, a network communication module, a user interface module and a cross-network boundary device detection program. The operating system is a program for managing and controlling the hardware and software resources of the cross-network boundary device detection device, and supports the operation of the cross-network boundary device detection program and other software or programs.
In the cross-network boundary device detection device shown in fig. 3, the user interface 1003 is mainly used for connecting to a terminal and performing data communication with the terminal, for example receiving user signaling data sent by the terminal; the network interface 1004 is mainly used for connecting to a background server and performing data communication with the background server; and the processor 1001 may be configured to invoke the cross-network boundary device detection program stored in the memory 1005 and perform the steps of the cross-network boundary device detection method described above.
The specific implementation of the cross-network boundary device detection device in the present application is substantially the same as each of the embodiments of the cross-network boundary device detection method described above, and is not described herein again.
In addition, an embodiment of the present application further provides a computer-readable storage medium, where a cross-network boundary device detection program is stored on the computer-readable storage medium, and when being executed by a processor, the cross-network boundary device detection program implements the steps of the cross-network boundary device detection method described above.
The specific implementation of the computer-readable storage medium of the present application is substantially the same as the embodiments of the foregoing cross-network boundary device detection method, and is not described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of another like element in a process, method, article or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present application are merely for description, and do not represent the advantages and disadvantages of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, a device, or a network device) to execute the method according to the embodiments of the present application.
The above description is only a preferred embodiment of the present application, and not intended to limit the scope of the present application, and all the equivalent structures or equivalent processes that can be directly or indirectly applied to other related technical fields by using the contents of the specification and the drawings of the present application are also included in the scope of the present application.