CN114257664B - Network equipment fingerprint extraction method, device, server and storage medium - Google Patents


Info

Publication number
CN114257664B
Authority
CN
China
Prior art keywords
network
data
network device
message
protocol
Prior art date
Legal status
Active
Application number
CN202111515320.7A
Other languages
Chinese (zh)
Other versions
CN114257664A (en)
Inventor
徐一
张绍浪
徐鹏
Current Assignee
Beijing Yilinbo Information Technology Co ltd
Original Assignee
Beijing Yilinbo Information Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Yilinbo Information Technology Co ltd
Priority to CN202111515320.7A
Publication of CN114257664A
Application granted
Publication of CN114257664B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Molecular Biology (AREA)
  • Data Mining & Analysis (AREA)
  • Computational Linguistics (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Evolutionary Computation (AREA)
  • Biophysics (AREA)
  • Biomedical Technology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of networks and provides a network equipment fingerprint extraction method, a device, a server and a storage medium. They are applied to a server that is communicatively connected to a first network device, where a second network device is also located in the network of the first network device. The method comprises the following steps: monitoring a network message sent by the first network device to the second network device; if the network message is an encrypted message, acquiring protocol interaction data from the network message; and inputting the protocol interaction data into a convolutional neural network for feature extraction to obtain the interaction features of the interaction between the first network device and the second network device, and taking the interaction features as the fingerprint information of the first network device. According to the invention, the interaction features between the network equipment and other equipment are identified and used as the fingerprint information of the network equipment, so that the type of the network equipment can be identified more accurately from the fingerprint information.

Description

Network equipment fingerprint extraction method, device, server and storage medium
Technical Field
The present invention relates to the field of network technologies, and in particular, to a method, an apparatus, a server, and a storage medium for extracting fingerprints of network devices.
Background
The network equipment detection not only provides a system cognition basis for network security monitoring and threat situation awareness, but also has more application in the aspects of improving the efficiency of an intrusion detection system, security threat analysis and the like. According to the mastered network equipment conditions, irrelevant rules can be removed for an intrusion detection system, a matching rule base is reduced, detection efficiency is improved, alarm information can be filtered, alarm analysis pressure of network security management personnel is reduced, and more efforts are put on processing effective attacks. Therefore, how to accurately identify the type of network device is an important ring in network intrusion detection and network security threat analysis.
Disclosure of Invention
The invention provides a network device fingerprint extraction method, a device, a server and a storage medium, which can use interaction characteristics as fingerprint information of network devices by identifying the interaction characteristics of the network devices and other devices so as to more accurately identify the types of the network devices according to the fingerprint information.
In order to achieve the above purpose, the technical scheme adopted by the invention is as follows:
In a first aspect, the present invention provides a method for extracting a fingerprint of a network device, applied to a server, where the server is communicatively connected to a first network device and a second network device is further located in the network where the first network device is located. The method includes: monitoring a network message sent by the first network device to the second network device; if the network message is an encrypted message, acquiring protocol interaction data from the network message; and inputting the protocol interaction data into a convolutional neural network for feature extraction to obtain interaction features of the interaction of the first network device and the second network device, and taking the interaction features as fingerprint information of the first network device.
In a second aspect, the present invention provides a network device fingerprint extraction apparatus, applied to a server, where the server is communicatively connected to a first network device and a second network device is further located in the network where the first network device is located. The apparatus includes: a monitoring module for monitoring the network message sent by the first network device to the second network device; an acquisition module for acquiring protocol interaction data from the network message if the network message is an encrypted message; and a feature extraction module for inputting the protocol interaction data into a convolutional neural network for feature extraction, obtaining interaction features of the interaction of the first network device and the second network device, and taking the interaction features as fingerprint information of the first network device.
In a third aspect, the present invention provides a server, including a memory and a controller, where the controller implements a network device fingerprint extraction method as described above when executing the computer program.
In a fourth aspect, the present invention provides a computer readable storage medium having stored thereon a computer program which when executed by a controller implements a network device fingerprint extraction method as described above.
Compared with the prior art, the method and the device have the advantages that the network message sent to the second network device by the first network device is monitored; when the network message is an encrypted message, protocol interaction data are acquired from the network message; and inputting the protocol interaction data into a convolutional neural network to perform feature extraction to obtain interaction features of interaction of the first network device and the second network device, and taking the interaction features as fingerprint information of the first network device, so that fingerprint information capable of accurately reflecting the interaction features of the first network device can be obtained, and the type of the first network device can be accurately identified according to the fingerprint information.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is an exemplary diagram of an application scenario provided in an embodiment of the present invention.
Fig. 2 is a block diagram of a server according to an embodiment of the present invention.
Fig. 3 is a flowchart illustrating a method for extracting a fingerprint of a network device according to an embodiment of the present invention.
Fig. 4 is a flowchart illustrating another method for extracting a fingerprint of a network device according to an embodiment of the present invention.
Fig. 5 is a flowchart illustrating another method for extracting a fingerprint of a network device according to an embodiment of the present invention.
Fig. 6 is a flowchart illustrating another method for extracting a fingerprint of a network device according to an embodiment of the present invention.
Fig. 7 is a block schematic diagram of a network device fingerprint extraction apparatus according to an embodiment of the present invention.
Reference numerals: 10 - server; 11 - controller; 12 - memory; 13 - bus; 20 - first network device; 30 - second network device; 100 - network device fingerprint extraction apparatus; 110 - monitoring module; 120 - acquisition module; 130 - feature extraction module; 140 - determination module.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. The components of the embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
In the description of the present invention, it should be noted that, if the terms "upper", "lower", "inner", "outer" and the like indicate an orientation or positional relationship, this is based on the orientation or positional relationship shown in the drawings, or the orientation or positional relationship in which the inventive product is conventionally placed in use; it is merely for convenience of describing the present invention and simplifying the description, and does not indicate or imply that the apparatus or element referred to must have a specific orientation or be configured and operated in a specific orientation, and thus it should not be construed as limiting the present invention.
Furthermore, the terms "first," "second," and the like, if any, are used merely for distinguishing between descriptions and not for indicating or implying a relative importance.
It should be noted that the features of the embodiments of the present invention may be combined with each other without conflict.
Referring to fig. 1, fig. 1 is an exemplary diagram of an application scenario provided by the embodiment of the present invention, in fig. 1, a first network device 20 and a second network device 30 are connected in a communication manner, a server 10 and the first network device 20 and the second network device 30 are both located in the same network, the server 10 may collect network traffic interacted between the first network device 20 and the second network device 30, and as a specific implementation manner, the server 10 may operate a software packet capturing tool to capture a data packet transmitted between the first network device 20 and the second network device 30. It should be noted that the first network device 20 and the second network device 30 may each be plural.
The server 10 may be a stand-alone physical computer device, or a virtual machine capable of implementing the same function as the physical computer device, and the server 10 may be one device, or a server cluster composed of a plurality of devices.
The first network device 20 and the second network device 30 may be devices responsible for data forwarding or network interconnection, such as switches, routers, gateways, and bridges, or may be devices providing data management services, such as file servers and database servers.
Based on the application scenario of fig. 1, in the prior art the data packets transmitted between the first network device 20 and the second network device 30 are generally analyzed to obtain the device types of the first network device 20 and the second network device 30; then, on the basis of the device types, information such as the network topology and known vulnerabilities is synthesized, the possible high-risk attack paths are evaluated with respect to attack techniques, and key defense and response measures are adopted according to the evaluation result, so that the defense becomes more targeted.
Currently, in order to protect communication data, more and more network communication will use encrypted communication, and in the prior art, it is difficult to effectively analyze the captured encrypted data packet so as to accurately identify the device type.
In view of this, the embodiments of the present invention provide a method, an apparatus, a server and a storage medium for extracting a fingerprint of a network device, which can obtain accurate fingerprint information of the device by analyzing an encrypted message, so as to accurately identify a device type according to the fingerprint information, and the detailed description will be given below.
Referring to fig. 2, fig. 2 is a block diagram of a server according to an embodiment of the invention, where the server 10 includes a controller 11, a memory 12, a bus 13 and a communication interface 14, and the controller 11, the memory 12 and the communication interface 14 are connected through the bus 13.
The memory 12 is used for storing a program, for example, the network device fingerprint extraction device 100 according to the embodiment of the present invention, where the network device fingerprint extraction device 100 includes at least one software function module that may be stored in the memory 12 in the form of software or firmware (firmware), and the controller 11 executes the program after receiving the execution instruction to implement the network device fingerprint extraction method disclosed in the embodiment of the present invention.
The memory 12 may include a high-speed random access memory (Random Access Memory, RAM) and may also include a non-volatile memory (NVM).
The controller 11 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the controller 11 or by instructions in the form of software. The controller 11 may be a general-purpose processor, including a central processing unit (CPU), a microcontroller unit (MCU), a complex programmable logic device (CPLD), a field programmable gate array (FPGA), an embedded ARM processor, and the like.
The server 10 communicates with the first network device 20 and the second network device 30 via the communication interface 14.
On the basis of fig. 1 and fig. 2, an embodiment of the present invention provides a network device fingerprint extraction method, which is applied to a server 10 in fig. 1 and fig. 2, please refer to fig. 3, fig. 3 is a flowchart illustrating a network device fingerprint extraction method provided in the embodiment of the present invention, the method includes the following steps:
step S110, monitor the network message that the first network device sends to the second network device.
In this embodiment, the second network device may be one or more devices that are in the same network as the first network device and have communication interaction with it, and the first network device may send network messages to a plurality of second network devices; that is, the network messages are messages sent by the first network device. As a specific implementation manner, the server 10 may use a software packet capturing tool to monitor the network messages sent by the first network device, where the software packet capturing tool includes, but is not limited to, Wireshark, Sniffer, HttpWatch, IPTool and so on.
Step S120, if the network message is an encrypted message, the protocol interaction data is obtained from the network message.
In this embodiment, the network message sent by the first network device may be encrypted or unencrypted. If it is encrypted, the content of the network message cannot be obtained and analyzed, but the fields related to the protocol in the network message, that is, the protocol interaction data, can still be obtained. The protocol interaction data characterizes the way the data connection is set up before the first network device transmits data to the second network device. For example, if the network message uses the Transport Layer Security (TLS) protocol, the network message may be a message sent by the first network device during the TLS handshake stage, and the protocol interaction data consists of the fields of the TLS ClientHello, TLS ServerHello and part of the Certificate message in the network messages sent during the handshake stage. If the network message is not encrypted, its content may be obtained and analyzed directly to identify the type of the first network device.
And step S130, inputting the protocol interaction data into a convolutional neural network for feature extraction to obtain interaction features of the interaction of the first network device and the second network device, and taking the interaction features as fingerprint information of the first network device.
In this embodiment, the difference in protocol interaction data means that the data services provided by the first network devices are also different, that is, the types of the first network devices are also different, and the types of the first network devices may be file servers, database servers, routers, switches, and the like. The fingerprint information of the first network device is used to characterize the type of the first network device.
In this embodiment, in order to extract the interaction feature from the protocol interaction data so that the fingerprint information of the first network device is more accurate, feature extraction is performed with a convolutional neural network to obtain the interaction feature. A convolutional neural network (CNN) is a type of feedforward neural network that includes convolution computation and has a deep structure, and is one of the representative algorithms of deep learning. It is understood that the convolutional neural network used in this step has been trained in advance on a large amount of sample data; the sample data may be protocol interaction data obtained from historical network messages sent by the first network device, or protocol interaction data obtained from historical network messages sent by a second network device or by a network device in another network.
According to the method provided by the embodiment, the interaction characteristics of the first network device and the second network device are identified, and the interaction characteristics are used as the fingerprint information of the first network device, so that the type of the first network device can be identified more accurately according to the fingerprint information.
On the basis of fig. 3, the embodiment of the present invention further provides a specific implementation manner of determining that a network packet is an encrypted packet, please refer to fig. 4, fig. 4 is a flowchart illustrating another method for extracting a fingerprint of a network device according to the embodiment of the present invention, and step S110 includes the following steps:
Sub-step S100: extract the protocol type field of the network message.
In this embodiment, the network message generally includes a protocol type field that characterizes the protocol used to transmit the network message. Different protocols may give the protocol type field different names, but there is always one field indicating the protocol in use, where the protocol includes, but is not limited to, TCP, UDP, Remote Procedure Call (RPC), Secure Shell (SSH) and the like.
Sub-step S101: if the protocol represented by the protocol type field is a preset encryption protocol, determine that the network message is an encrypted message.
In this embodiment, the preset encryption protocol may be specified in advance as needed, and may be, but is not limited to, Kerberos, Secure Shell (SSH), Secure Electronic Transaction (SET), TLS, Secure Sockets Layer (SSL) and the like.
According to the method provided by the embodiment, whether the network message is the encrypted message is judged through the protocol type field, so that the encrypted message can be accurately and efficiently determined.
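The following is an added example, not code from the patent or its assignee, showing how sub-steps S100 and S101 can be realised on a captured payload: the protocol type is read from the first bytes of the payload (a TLS/SSL record header or an SSH banner) and compared against the page's preset list of encryption protocols. The TLS record layout, the SSH banner and the well-known port numbers are standard values; the port table is only a fallback for packets that carry no payload, and every sample message below is constructed for this example, not captured traffic.

```python
"""Added example: decide whether a monitored message is an encrypted message
by its protocol type field (sub-steps S100/S101 of the page).  The sample
payloads are constructed, not real captures."""
import struct

# Preset encryption protocols named on the page (sub-step S101).
PRESET_ENCRYPTION_PROTOCOLS = {"TLS", "SSL", "SSH", "Kerberos", "SET"}

# Fallback for packets without payload to inspect (e.g. a bare TCP SYN):
# well-known destination port -> protocol.  Assumption of this example.
PORT_PROTOCOLS = {22: "SSH", 88: "Kerberos", 443: "TLS", 853: "TLS",
                  993: "TLS", 80: "HTTP"}


def protocol_type(dst_port: int, payload: bytes) -> str:
    """Sub-step S100: extract the protocol type field from the message.

    Payload inspection is tried first, so that TLS on a non-standard port is
    still recognised and plaintext on port 443 is not mistaken for TLS.
    """
    if len(payload) >= 5:
        content_type, major, minor, _length = struct.unpack("!BBBH", payload[:5])
        # TLS/SSL record header: content type 20..23, protocol version 3.x
        if 20 <= content_type <= 23 and major == 3 and minor <= 4:
            return "SSL" if minor == 0 else "TLS"      # 3.0 is SSLv3
    if payload.startswith(b"SSH-"):                    # SSH identification string
        return "SSH"
    if payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
        return "HTTP"
    if not payload:
        return PORT_PROTOCOLS.get(dst_port, "UNKNOWN")
    return "UNKNOWN"


def is_encrypted_message(dst_port: int, payload: bytes) -> bool:
    """Sub-step S101: encrypted iff the protocol is one of the preset ones."""
    return protocol_type(dst_port, payload) in PRESET_ENCRYPTION_PROTOCOLS


# Constructed sample messages.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for port, payload in [(443, TLS_CLIENT_HELLO), (8443, TLS_CLIENT_HELLO),
                          (22, SSH_BANNER), (80, HTTP_REQUEST), (443, HTTP_REQUEST)]:
        print(port, protocol_type(port, payload), is_encrypted_message(port, payload))
```

Reading the record header rather than trusting the port matters for the defender's accuracy: an unencrypted HTTP request sent to port 443 is reported as not encrypted, so its content can still be analysed directly, as the page describes for unencrypted messages.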
On the basis of fig. 3, the embodiment of the present invention further provides a specific implementation manner of acquiring protocol interaction data from a network packet, please refer to fig. 5, fig. 5 is a flowchart illustrating another network device fingerprint extraction method provided by the embodiment of the present invention, and step S120 includes the following sub-steps:
Sub-step S1201: extract a preset number of bytes from each network message as the handshake data of that network message, where the preset number of bytes includes the handshake message type field of the network message and the handshake data related to that handshake message type field.
In this embodiment, since the data actually interacted between the first network device and the second network device is encrypted, the embodiment of the invention avoids the data actually interacted between the first network device and the second network device, and obtains the interaction of handshake messages performed before the data interaction between the first network device and the second network device, and simultaneously, in order to make the protocol interaction data more accurately reflect the interaction characteristics of the interaction between the first network device and the second network device, a plurality of network messages sent by the first network device can be monitored, for each network message, the handshake data of the network messages are extracted, and finally, the handshake data of all network messages are combined, thereby obtaining the protocol interaction data which more accurately reflects the interaction characteristics of the interaction between the first network device and the second network device.
In this embodiment, in order that the extracted protocol interaction data fully embodies the interaction characteristics while not including excessive invalid data that would reduce the accuracy of the resulting fingerprint information, a preset number of bytes of the network message is extracted as the handshake data of the network message; as a specific implementation manner, the preset number may be set to 1800. For example, for TLS the handshake message type field is the Handshake Protocol type, whose values include Client Hello, Server Hello, Certificate, Server Key Exchange and so on. When the handshake message type field is Client Hello, Server Hello or Server Key Exchange, the first 1800 bytes of the network message contain the complete handshake message; when the handshake message type field is Certificate, only the first part of the certificate content is taken. The inventors found through extensive analysis and experiment that the first 1800 bytes meet the requirement.
Sub-step S1202 combines the handshake data of all network messages to obtain protocol interaction data.
In this embodiment, there are multiple network messages, each network message may extract corresponding handshake data, and finally, the handshake data of all the network messages are combined to obtain protocol interaction data.
As a specific embodiment, for the $i$-th network packet the handshake data may be expressed as:
$\mathrm{RawBytes}(i) = (b_1, b_2, \ldots, b_j, \ldots, b_{1800}),\quad b_j \in [0, 255]$, where $\mathrm{RawBytes}(i)$ represents the handshake data of the $i$-th network packet and $b_j$ represents the $j$-th byte of the $i$-th network packet; since $b_j$ is one byte, that is, eight binary digits each equal to 0 or 1, its decimal value lies in $[0, 255]$.
According to the method provided by the embodiment, the bytes of the preset numbers in front of the network messages are combined to obtain the protocol interaction data, so that the protocol interaction data accurately reflecting the interaction characteristics can be obtained, the data volume of the protocol interaction data is not excessively expanded, and the balance between accuracy and processing efficiency is achieved.
In this embodiment, in order to more conveniently use a convolutional neural network to perform feature extraction, as a specific implementation manner, protocol interaction data may be represented in a data matrix form, and the embodiment of the present invention further provides a specific implementation manner for obtaining the protocol interaction data, where specific steps are as follows:
firstly, splicing handshake data of all network messages to obtain spliced data.
In this embodiment, as a specific implementation manner, handshake data of all network packets may be spliced according to the sequence of the listening time of all network packets, for example, the handshake data of the network packets according to the sequence of the listening time is: p1, p2 and p3, the spliced data obtained after splicing are: p1p2p3. Of course, the splicing can be performed according to other sequences according to actual needs, so as to obtain splicing data, for example, splicing is performed according to the sequence of the time stamps recorded in the network message.
And secondly, recombining the spliced data according to a preset sequence to obtain combined data of the spliced data.
In this embodiment, as a specific implementation manner, the spliced data may be recombined according to an inverted sequence to obtain combined data of the spliced data, for example, the spliced data is: abcdefgh, its corresponding combined data is: hgfedcba. Of course, the combination data can also be obtained by recombining the spliced data according to other preset sequences according to actual needs, for example, firstly segmenting the spliced data, and then combining each segment according to the preset sequences.
And generating a data matrix according to the spliced data and the combined data, wherein the spliced data and the combined data are respectively positioned on different rows of the data matrix.
In this embodiment, the spliced data is used as one row of the data matrix and the combined data as the other row, so as to generate the data matrix. For example, if the spliced data is abcdefgh and its corresponding combined data is hgfedcba, the data matrix is:
$\begin{pmatrix} a & b & c & d & e & f & g & h \\ h & g & f & e & d & c & b & a \end{pmatrix}$
In this embodiment, as a specific implementation manner, there may be multiple network messages, in which case the number of columns of the data matrix equals the number of network messages, and each column of the data matrix holds the spliced data and the combined data corresponding to one network message. For example, if there are 3 network messages whose handshake data are a1a2a3a4, b1b2b3b4 and c1c2c3c4 respectively, the spliced data is a1a2a3a4b1b2b3b4c1c2c3c4, the corresponding combined data (the spliced data in inverted byte order) is c4c3c2c1b4b3b2b1a4a3a2a1, and the data matrix is:
$\begin{pmatrix} a_1a_2a_3a_4 & b_1b_2b_3b_4 & c_1c_2c_3c_4 \\ c_4c_3c_2c_1 & b_4b_3b_2b_1 & a_4a_3a_2a_1 \end{pmatrix}$
in this embodiment, the number of network messages may be preset according to the requirements of the actual application scenario, for example, the number of network messages is set to 10, and the first 10 messages that begin to be sent by the first network device to begin to normally provide services to the outside may be monitored as network messages. As a specific implementation manner, the number of network messages, the number of columns of the data matrix and the number of convolution kernels of the convolution neural network are the same.
And finally, taking the data matrix as protocol interaction data.
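The procedure just described, from the protocol type check through to the 2 x N data matrix, as an added example in Python that is not part of the patent: the TLS record layout, the 4-byte handshake window, the monitoring timestamps and the sample records are assumptions made for the example.

```python
"""Build the 2 x N data matrix of protocol interaction data from monitored
handshake messages. Added example; not code from the patent or its assignee.
The TLS record layout, the byte counts and the timestamps are assumptions."""
from dataclasses import dataclass

HANDSHAKE_CONTENT_TYPE = 0x16  # TLS record content type for handshake records
RECORD_HEADER_LEN = 5          # content type (1) + version (2) + length (2)
HANDSHAKE_BYTES = 4            # assumed "preset number of bytes": type field + 3-byte length


@dataclass
class Monitored:
    listen_time: float  # when the server observed the message
    record: bytes       # raw record sent by the first network device


def tls_record(hs_type: int, body: bytes) -> bytes:
    """Constructed TLS 1.2-style handshake record, used only to build sample input."""
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_CONTENT_TYPE, 0x03, 0x03]) + len(handshake).to_bytes(2, "big") + handshake


def is_encrypted_message(record: bytes) -> bool:
    """Protocol type check: the record's content type must be the preset encryption protocol."""
    return len(record) > RECORD_HEADER_LEN and record[0] == HANDSHAKE_CONTENT_TYPE


def handshake_data(record: bytes) -> bytes:
    """The preset bytes starting at the handshake message type field, zero-padded
    so that every column of the matrix has the same width."""
    window = record[RECORD_HEADER_LEN:RECORD_HEADER_LEN + HANDSHAKE_BYTES]
    return window.ljust(HANDSHAKE_BYTES, b"\x00")


def protocol_interaction_data(messages: list[Monitored]) -> list[list[bytes]]:
    """Splice in monitoring order, invert, and lay both out as the rows of a 2 x N matrix."""
    ordered = sorted(messages, key=lambda m: m.listen_time)
    chunks = [handshake_data(m.record) for m in ordered if is_encrypted_message(m.record)]
    spliced = b"".join(chunks)   # row 1: p1p2p3...
    combined = spliced[::-1]     # row 2: the spliced data in inverted order
    n, k = len(chunks), HANDSHAKE_BYTES
    return [[spliced[i * k:(i + 1) * k] for i in range(n)],
            [combined[i * k:(i + 1) * k] for i in range(n)]]


# Constructed capture: three handshake records seen out of order plus one
# application-data record (content type 0x17) that is not an encrypted-protocol message.
SAMPLE = [
    Monitored(2.0, tls_record(0x0B, b"\x00\x00\x00")),            # Certificate
    Monitored(1.0, tls_record(0x01, b"\x03\x03" + bytes(4))),     # ClientHello
    Monitored(2.5, bytes([0x17, 0x03, 0x03, 0x00, 0x01, 0x00])),  # application data, skipped
    Monitored(3.0, tls_record(0x10, b"\x00\x00")),                # ClientKeyExchange
]

if __name__ == "__main__":
    for row in protocol_interaction_data(SAMPLE):
        print([col.hex() for col in row])
```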
In this embodiment, in order to identify the type of the network device from the extracted fingerprint, the embodiment of the present invention further provides, on the basis of fig. 3, a specific implementation for identifying the network device type. Referring to fig. 6, fig. 6 is a flowchart of another network device fingerprint extraction method provided in the embodiment of the present invention; the method further includes the following steps:
step S140, determining a target asset fingerprint matching the fingerprint information of the first network device from the plurality of asset fingerprints.
In this embodiment, the server 10 stores a plurality of asset fingerprints in advance, each asset fingerprint characterizing one asset type. An asset fingerprint can be represented by a matrix, and the fingerprint information is also represented by a matrix. For example, if the number of network messages is 10, the data matrix has 2 rows and 10 columns, and the number of convolution kernels is 10, then the convolutional neural network outputs a matrix of 2 rows and 10 columns; this output matrix is the interaction feature, namely the fingerprint information of the first network device.
In this embodiment, if both the asset fingerprint and the fingerprint information of the first network device are represented as matrices, whether the asset fingerprint matches the fingerprint information may be determined by judging whether the two matrices are similar. Ways of judging whether matrices are similar include, but are not limited to: judging whether the eigenvalues are equal; judging whether the determinants are equal; judging whether the traces are equal; and judging whether the ranks are equal.
Step S150, taking the asset type characterized by the target asset fingerprint as the asset type of the first network device.
According to the method provided by this embodiment, the type of the first network device can be rapidly identified from its fingerprint information, and the types of all network devices in the preset network can be identified in the same way, so that risk assessment of the network assets in the preset network can be carried out according to device type, vulnerability information and the like, and timely, targeted defense can be performed.
In order to perform the above embodiments and the corresponding steps of each possible implementation, an implementation of the network device fingerprint extraction apparatus 100 is given below. Referring to fig. 7, fig. 7 is a block diagram of a network device fingerprint extraction apparatus 100 according to an embodiment of the invention. It should be noted that the basic principle and technical effects of the network device fingerprint extraction apparatus 100 provided in this embodiment are the same as those of the above embodiments; for brevity, matters not mentioned in this embodiment may be found in the description above.
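The matrix-similarity check of step S140, as an added example in Python that is not the patent's code: it applies two of the criteria the text lists (equal trace and equal rank), computes the rank exactly over rationals so rounding cannot flip the result, and the asset fingerprint table and the 2 x 4 shape are constructed stand-ins for the CNN output.

```python
"""Match a fingerprint matrix against pre-stored asset fingerprints using the
trace and rank criteria. Added example, not code from the patent; the asset
table is constructed, and combining trace with rank is an assumed choice."""
from fractions import Fraction


def trace(m):
    """Sum of the main diagonal; for a non-square matrix it runs to min(rows, cols)."""
    return sum(m[i][i] for i in range(min(len(m), len(m[0]))))


def rank(m):
    """Rank by Gauss-Jordan elimination over exact rationals."""
    a = [[Fraction(x) for x in row] for row in m]
    rows, cols = len(a), len(a[0])
    r = 0  # number of pivot rows found so far
    for c in range(cols):
        pivot = next((i for i in range(r, rows) if a[i][c] != 0), None)
        if pivot is None:
            continue
        a[r], a[pivot] = a[pivot], a[r]
        for i in range(rows):
            if i != r and a[i][c] != 0:
                f = a[i][c] / a[r][c]
                a[i] = [x - f * y for x, y in zip(a[i], a[r])]
        r += 1
        if r == rows:
            break
    return r


def matrices_similar(a, b):
    """Similarity test: same shape, equal trace and equal rank."""
    same_shape = len(a) == len(b) and all(len(x) == len(y) for x, y in zip(a, b))
    return same_shape and trace(a) == trace(b) and rank(a) == rank(b)


def identify_asset(fingerprint, asset_fingerprints):
    """Return the asset type whose stored fingerprint matches, or None if none does."""
    for asset_type, stored in asset_fingerprints.items():
        if matrices_similar(fingerprint, stored):
            return asset_type
    return None


# Constructed asset fingerprint table: 2 x 4 matrices standing in for CNN outputs.
ASSET_FINGERPRINTS = {
    "router": [[3, 1, 0, 2], [0, 2, 1, 1]],  # trace 5, rank 2
    "camera": [[1, 1, 1, 1], [2, 2, 2, 2]],  # trace 3, rank 1
}

if __name__ == "__main__":
    print(identify_asset([[2, 0, 0, 0], [0, 3, 0, 0]], ASSET_FINGERPRINTS))  # router
```

Equal trace and rank is a coarse criterion that many unrelated matrices share, so a deployment would normally add a distance threshold on the full matrix before accepting a match.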
The network device fingerprint extraction apparatus 100 includes a monitoring module 110, an acquisition module 120, a feature extraction module 130, and a determination module 140.
The monitoring module 110 is configured to monitor a network message sent by the first network device to the second network device.
The acquisition module 120 is configured to acquire the protocol interaction data from the network message if the network message is an encrypted message.
As one specific embodiment, the acquisition module 120 is further configured to: extract the protocol type field of the network message; and if the protocol represented by the protocol type field is a preset encryption protocol, judge that the network message is an encrypted message.
The feature extraction module 130 is configured to input the protocol interaction data into the convolutional neural network to perform feature extraction, obtain interaction features of the interaction between the first network device and the second network device, and use the interaction features as fingerprint information of the first network device.
As one specific embodiment, the feature extraction module 130 is specifically configured to: extracting a preset number of bytes in the network message as handshake data of each network message, wherein the preset number of bytes comprises a handshake message type field in the network message and handshake data related to the handshake message type field; and combining the handshake data of all the network messages to obtain protocol interaction data.
As a specific embodiment, the feature extraction module 130 is specifically configured to, when configured to combine handshake data of all network packets to obtain protocol interaction data: splicing the handshake data of all the network messages to obtain spliced data; recombining the spliced data according to a preset sequence to obtain combined data of the spliced data; generating a data matrix according to the spliced data and the combined data, wherein the spliced data and the combined data are respectively positioned on different rows of the data matrix; and taking the data matrix as protocol interaction data.
In a specific embodiment, there are a plurality of network messages in the feature extraction module 130; the number of columns of the data matrix is the same as the number of network messages, and each column of the data matrix corresponds to the spliced data and the combined data of one network message.
In a specific embodiment, in the feature extraction module 130, the number of network packets, the number of columns of the data matrix, and the number of convolution kernels of the convolutional neural network are the same.
The determination module 140 is configured to: determine a target asset fingerprint matching the fingerprint information of the first network device from the plurality of asset fingerprints; and take the asset type characterized by the target asset fingerprint as the asset type of the first network device, where the plurality of asset fingerprints are stored in advance in the server and each asset fingerprint characterizes one asset type.
The present invention provides a computer readable storage medium having stored thereon a computer program which when executed by a controller implements a network device fingerprint extraction method as described above.
In summary, the embodiments of the present invention provide a method, an apparatus, a server, and a storage medium for extracting a fingerprint of a network device. The method is applied to the server, the server is communicatively connected to a first network device, and a second network device is further located in the network where the network device is located. The method includes: monitoring a network message sent by the first network device to the second network device; if the network message is an encrypted message, acquiring protocol interaction data from the network message; and inputting the protocol interaction data into a convolutional neural network for feature extraction to obtain interaction features of the interaction between the first network device and the second network device, and taking the interaction features as fingerprint information of the first network device. Compared with the prior art, the method and apparatus identify the interaction features of the first network device and the second network device and use those interaction features as the fingerprint information of the first network device, so that the first network device can be identified more accurately from the fingerprint information.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the scope of the present invention should be included in the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (9)

1. A network device fingerprint extraction method, applied to a server, where the server is communicatively connected to a first network device, and a second network device is further present in a network where the network device is located, the method comprising:
monitoring network messages sent by the first network device to the second network device, wherein the number of the network messages is multiple;
if the network message is an encrypted message, acquiring protocol interaction data from the network message;
inputting the protocol interaction data into a convolutional neural network for feature extraction to obtain interaction features of the interaction of the first network device and the second network device, and taking the interaction features as fingerprint information of the first network device;
wherein the step of acquiring protocol interaction data from the network message comprises:
extracting a preset number of bytes in each network message as handshake data of each network message, wherein the preset number of bytes comprises a handshake message type field in the network message and handshake data related to the handshake message type field;
and combining the handshake data of all the network messages to obtain the protocol interaction data.
2. The network device fingerprint extraction method of claim 1, wherein the step of combining handshake data of all the network messages to obtain the protocol interaction data comprises:
splicing the handshake data of all the network messages to obtain spliced data;
recombining the spliced data according to a preset sequence to obtain combined data of the spliced data;
generating a data matrix according to the spliced data and the combined data, wherein the spliced data and the combined data are respectively positioned on different rows of the data matrix;
and taking the data matrix as the protocol interaction data.
3. The network device fingerprint extraction method of claim 2, wherein the number of network messages is plural, the number of columns of the data matrix is the same as the number of network messages, and each column of the data matrix corresponds to the spliced data and the combined data of each network message.
4. The network device fingerprint extraction method of claim 3, wherein the number of network messages, the number of columns of the data matrix, and the number of convolution kernels of the convolution neural network are the same.
5. The network device fingerprint extraction method of claim 1, wherein the server pre-stores a plurality of asset fingerprints, each of the asset fingerprints characterizing an asset type, the method further comprising:
determining a target asset fingerprint from the plurality of asset fingerprints that matches fingerprint information of the first network device;
and taking the asset type characterized by the target asset fingerprint as the asset type of the first network device.
6. The network device fingerprint extraction method of claim 1, wherein if the network message is an encrypted message, the step of acquiring protocol interaction data from the network message comprises:
extracting a protocol type field of the network message;
and if the protocol represented by the protocol type field is a preset encryption protocol, judging that the network message is an encrypted message.
7. A network device fingerprint extraction apparatus, applied to a server, where the server is communicatively connected to a first network device, and a second network device is further located in a network where the network device is located, the apparatus comprising:
a monitoring module, configured to monitor the network message sent by the first network device to the second network device;
an acquisition module, configured to acquire protocol interaction data from the network message if the network message is an encrypted message;
a feature extraction module, configured to input the protocol interaction data into a convolutional neural network for feature extraction to obtain interaction features of the interaction of the first network device and the second network device, and to take the interaction features as fingerprint information of the first network device;
wherein the acquisition module is specifically configured to: extract a preset number of bytes in each network message as handshake data of each network message, wherein the preset number of bytes comprises a handshake message type field in the network message and handshake data related to the handshake message type field; and combine the handshake data of all the network messages to obtain the protocol interaction data.
8. A server comprising a memory and a controller, wherein the memory stores a computer program, the controller implementing the network device fingerprint extraction method according to any one of claims 1-6 when executing the computer program.
9. A computer readable storage medium having stored thereon a computer program, which when executed by a controller implements the network device fingerprint extraction method according to any of claims 1-6.
CN202111515320.7A 2021-12-13 2021-12-13 Network equipment fingerprint extraction method, device, server and storage medium Active CN114257664B (en)

Publications (2)

Publication Number Publication Date
CN114257664A CN114257664A (en) 2022-03-29
CN114257664B true CN114257664B (en) 2024-06-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant