CN114338602A - Network equipment identification method and device and computer readable storage medium - Google Patents


Publication number: CN114338602A
Authority: CN (China)
Prior art keywords: key character, information, similarity, target network, network equipment
Legal status: Pending
Application number: CN202111480134.4A
Other languages: Chinese (zh)
Inventor: 贺斌
Current Assignee: Shenzhen Lianzhou International Technology Co Ltd
Original Assignee: Shenzhen Lianzhou International Technology Co Ltd
Application filed by: Shenzhen Lianzhou International Technology Co Ltd

Abstract

The invention discloses a network equipment identification method and device and a computer readable storage medium. Wherein, the method comprises the following steps: performing feature processing on a domain name resolution (DNS) request initiated by target network equipment to obtain key character information of the target network equipment; performing fingerprinting processing on the key character information to generate fingerprint information, wherein the fingerprint information comprises a mapping relation between a current MAC address of the target network equipment and each key character in the key character information; determining similarity between the fingerprint information and historical fingerprint information; determining a device type of the target network device based on the similarity. The invention solves the technical problem that the type of the network equipment client cannot be accurately identified through fingerprint information in the related technology.

Description

Network equipment identification method and device and computer readable storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a network device identification method and apparatus, and a computer-readable storage medium.
Background
MAC addresses are unique and reliable identifiers of devices on a network. They are usually set at the factory and cannot be changed by conventional means, and are therefore also used for tracking users. With privacy concerns in mind, some systems generate MAC addresses randomly. This, however, presents significant challenges for network management and for some functions commonly used by users, such as parental control, QoS services, and smart home linkage.
Some solutions to these drawbacks exist at present, for example actively sending probe packets and using the feedback packets as a data set. However, the fingerprint information in such a solution refers to information such as the operating system of a device; that is, only information such as the operating system of the device can be identified, and different clients cannot be accurately distinguished, so clients of the same model cannot be told apart.
In view of the above-mentioned problem that network management is difficult due to low reliability of the identification method of the network device used in the related art, no effective solution is proposed at present.
Disclosure of Invention
The embodiment of the invention provides an identification method and device of network equipment and a computer readable storage medium, which at least solve the technical problem that the type of the network equipment cannot be accurately identified by fingerprint information for a network equipment client in the related technology.
According to an aspect of the embodiments of the present invention, there is provided a method for identifying a network device, including: performing feature processing on a domain name resolution (DNS) request initiated by target network equipment to obtain key character information of the target network equipment; performing fingerprinting processing on the key character information to generate fingerprint information, wherein the fingerprint information contains a mapping relation between a current MAC address of the target network equipment and each key character in the key character information; determining similarity between the fingerprint information and historical fingerprint information; determining a device type of the target network device based on the similarity.
Optionally, performing feature processing on a domain name resolution DNS request initiated by a target network device to obtain key character information of the target network device, includes: after detecting the network access information of the target network equipment, acquiring the DNS request initiated by the target network equipment; extracting key characters of the DNS request to obtain domain name information in the DNS request; and performing feature processing on the key characters corresponding to the domain name information to obtain the key character information.
Optionally, performing feature processing on a key character corresponding to the domain name information to obtain the key character information, where the feature processing includes: cleaning the key characters to obtain cleaned key characters; and encrypting the cleaned key character to obtain the key character information.
Optionally, fingerprinting the key character information to generate fingerprint information, including: acquiring the current MAC address of the target network equipment; acquiring an evaluation factor of each key character corresponding to the key character information, and generating a key value pair of each key character based on the evaluation factor of each key character; and generating the key-value pair of the current MAC address and each key character to obtain the fingerprint information.
Optionally, obtaining an evaluation factor of each key character corresponding to the key character information includes: acquiring the sum of the occurrence times of all key characters corresponding to all access network devices in a historical time period, and the access times of all the access network devices; acquiring the number of times each key character occurs in the access of the target network device, and the number of those accesses in which each key character occurs; determining a first sub-evaluation factor based on the number of times each key character occurs in the access of the target network device and the sum of the occurrence times of all key characters; determining a second sub-evaluation factor based on the access times of all the access network devices and the number of those accesses in which each key character occurs; determining the product of the first sub-evaluation factor and the second sub-evaluation factor as the evaluation factor of each key character.
Optionally, determining a similarity between the fingerprint information and historical fingerprint information includes: obtaining an evaluation factor of each key character in the fingerprint information; obtaining an evaluation factor of each historical key character in the historical fingerprint information; determining the similarity based on the evaluation factor of each keyword character and the evaluation factor of each historical keyword character.
Optionally, determining the similarity based on the evaluation factor of each keyword character and the evaluation factor of each historical keyword character includes: determining a first similarity value by a first formula, wherein the first formula is:
Figure BDA0003394633250000021
A represents the first similarity value, $wt_{ij}$ represents the evaluation factor of the i-th key character in the access information of the j-th network device, and j and i are positive integers; determining a second similarity value by a second formula, wherein the second formula is:
Figure BDA0003394633250000022
B represents the second similarity value, $wt_{ik}$ represents the evaluation factor of the i-th key character in the access information of the k-th network device, and k is a positive integer; determining a third similarity value by a third formula, wherein the third formula is:
Figure BDA0003394633250000023
C represents the third similarity value; determining the similarity based on a ratio between the third similarity value and a product of the first similarity value and the second similarity value.
Optionally, determining the device type of the target network device based on the similarity includes: determining that the target network device and the network device corresponding to the MAC address in the historical fingerprint information are the same network device under the condition that the similarity is greater than a similarity threshold value; and under the condition that the similarity is not greater than a similarity threshold value, determining the target network equipment as new access network equipment.
Optionally, the method for identifying a network device further includes: when the target network device and the network device corresponding to the MAC address in the historical fingerprint information are determined to be the same network device, updating a fingerprint library and the total times of occurrence of each key character in the fingerprint library, and updating each key character in the target network device and the times of occurrence of each key character; when the target network device is determined to be a new access network device, the fingerprint database and the total times of occurrence of each key character in the fingerprint database are updated, and the fingerprint information is added to the fingerprint database.
According to another aspect of the embodiments of the present invention, there is provided an apparatus for identifying a network device, including: a feature processing unit, configured to perform feature processing on a domain name resolution (DNS) request initiated by a target network device to obtain key character information of the target network device; a fingerprinting processing unit, configured to perform fingerprinting processing on the key character information to generate fingerprint information, where the fingerprint information includes a mapping relationship between a current MAC address of the target network device and each key character in the key character information; a first determining unit, configured to determine a similarity between the fingerprint information and historical fingerprint information; a second determining unit, configured to determine a device type of the target network device based on the similarity.
Optionally, the feature processing unit includes: the acquisition module is used for acquiring the DNS request initiated by the target network equipment after the network access information of the target network equipment is detected; the key character extraction module is used for extracting key characters of the DNS request to obtain domain name information in the DNS request; and the characteristic processing module is used for carrying out characteristic processing on the key characters corresponding to the domain name information to obtain the key character information.
Optionally, the feature processing module includes: the cleaning processing submodule is used for cleaning the key characters to obtain cleaned key characters; and the encryption processing sub-module is used for encrypting the cleaned key characters to obtain the key character information.
Optionally, the fingerprinting processing unit includes: the first acquisition module is used for acquiring the current MAC address of the target network equipment; the second obtaining module is used for obtaining the evaluation factor of each key character corresponding to the key character information and generating the key value pair of each key character based on the evaluation factor of each key character; and the generating module is used for generating the key value pair of the current MAC address and each key character so as to obtain the fingerprint information.
Optionally, the second obtaining module includes: a first obtaining sub-module, configured to obtain the sum of the occurrence times of all key characters corresponding to all access network devices in a historical time period, and the access times of all the access network devices; a second obtaining sub-module, configured to obtain the number of times each key character occurs in the access of the target network device, and the number of those accesses in which each key character occurs; a first determining sub-module, configured to determine a first sub-evaluation factor based on the number of times each key character occurs in the access of the target network device and the sum of the occurrence times of all key characters; a second determining sub-module, configured to determine a second sub-evaluation factor based on the access times of all the access network devices and the number of those accesses in which each key character occurs; a third determining sub-module, configured to determine the product of the first sub-evaluation factor and the second sub-evaluation factor as the evaluation factor of each key character.
Optionally, the first determining unit includes: a third obtaining module, configured to obtain an evaluation factor of each key character in the fingerprint information; the fourth acquisition module is used for acquiring the evaluation factor of each historical key character in the historical fingerprint information; a first determining module for determining the similarity based on the evaluation factor of each keyword character and the evaluation factor of each historical keyword character.
Optionally, the first determining module includes: a fourth determining submodule, configured to determine a first similarity value according to a first formula, where the first formula is:
Figure BDA0003394633250000041
A represents the first similarity value, $wt_{ij}$ represents the evaluation factor of the i-th key character in the access information of the j-th network device, and j and i are positive integers; a fifth determining submodule, configured to determine a second similarity value according to a second formula, where the second formula is:
Figure BDA0003394633250000042
B represents the second similarity value, $wt_{ik}$ represents the evaluation factor of the i-th key character in the access information of the k-th network device, and k is a positive integer; a sixth determining submodule, configured to determine a third similarity value according to a third formula, where the third formula is:
Figure BDA0003394633250000043
C represents the third similarity value; a seventh determining submodule for determining the similarity based on a ratio between the third similarity value and a product of the first similarity value and the second similarity value.
Optionally, the second determining unit includes: the second determining module is used for determining that the target network device and the network device corresponding to the MAC address in the historical fingerprint information are the same network device under the condition that the similarity is greater than a similarity threshold value; a third determining module, configured to determine that the target network device is a new access network device when the similarity is not greater than a similarity threshold.
Optionally, the network device identification apparatus further includes: a first updating module, configured to update a fingerprint library and a total number of occurrences of each keyword in the fingerprint library when it is determined that the target network device and a network device corresponding to the MAC address in the historical fingerprint information are the same network device, and update each keyword in the target network device and the number of occurrences of each keyword; and the second updating module is used for updating the fingerprint database and the total times of occurrence of each key character in the fingerprint database when the target network device is determined to be a new access network device, and adding the fingerprint information to the fingerprint database.
According to another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium, which includes a stored computer program, wherein when the computer program is executed by a processor, the computer-readable storage medium is controlled by a device to execute any one of the above methods for identifying a network device.
According to another aspect of the embodiments of the present invention, there is also provided a processor, configured to execute a computer program, where the computer program executes to perform the method for identifying a network device according to any one of the above descriptions.
In the embodiment of the invention, the domain name resolution DNS request initiated by the target network equipment is subjected to characteristic processing to obtain key character information of the target network equipment; performing fingerprinting processing on the key character information to generate fingerprint information, wherein the fingerprint information comprises a mapping relation between a current MAC address of the target network equipment and each key character in the key character information; determining similarity between the fingerprint information and historical fingerprint information; determining a device type of the target network device based on the similarity. By the network equipment identification method provided by the embodiment of the invention, the purpose of forming fingerprint information by using the key character information of the target network equipment and comparing the fingerprint information with the historical fingerprint information to determine the equipment type of the target network equipment based on the similarity is achieved, so that the technical effect of improving the accuracy of identifying the network equipment is realized, and the technical problem that the type of the network equipment cannot be accurately identified by the fingerprint information for the network equipment client in the related technology is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
fig. 1 is a flowchart of an identification method of a network device according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of receiver operating characteristic (ROC) curves as the similarity threshold for judging the same client is varied, according to an embodiment of the present invention;
FIG. 3 is a flow chart of a preferred network device identification method according to an embodiment of the present invention;
fig. 4 is a schematic diagram of an identification apparatus of a network device according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For convenience of description, some nouns or terms appearing in the embodiments of the present invention are explained below.
Domain name resolution (DNS): pointing a domain name to the IP address of the website's hosting space, so that people can conveniently access the website through the registered domain name.
Example 1
In accordance with an embodiment of the present invention, there is provided a method embodiment of an identification method for a network device, it should be noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system such as a set of computer executable instructions, and that while a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than here.
Fig. 1 is a flowchart of an identification method of a network device according to an embodiment of the present invention, as shown in fig. 1, the method includes the following steps:
Step S102, performing feature processing on the domain name resolution (DNS) request initiated by the target network device to obtain key character information of the target network device.
Optionally, in the above step, key characters are extracted from the domain name in the DNS request, for example by splitting the domain name at characters such as ':' and '/'.
Step S104, performing fingerprint processing on the key character information to generate fingerprint information, wherein the fingerprint information contains the mapping relation between the current MAC address of the target network device and each key character in the key character information.
Optionally, in the above step, the fingerprint information is obtained by performing fingerprinting processing on the previously acquired key character information, where it needs to be explained that the fingerprint information includes a mapping relationship between a MAC address of the target network device when the DNS request is currently initiated and each key character in the previously extracted key character information. The MAC address is a unique network identifier of each network device, and may also be referred to as a network card address, and is written inside hardware when produced by a network device manufacturer.
Step S106, determining the similarity between the fingerprint information and the historical fingerprint information.
Optionally, in the above step, the similarity between the fingerprint information and the historical fingerprint information is calculated by using an evaluation factor.
Step S108, the device type of the target network device is determined based on the similarity.
As can be seen from the above, in the embodiment of the present invention, first, a domain name resolution DNS request initiated by a target network device may be subjected to feature processing to obtain key character information of the target network device; then, fingerprint processing can be carried out on the key character information to generate fingerprint information, wherein the fingerprint information comprises a mapping relation between the current MAC address of the target network equipment and each key character in the key character information; similarity between the fingerprint information and the historical fingerprint information may then be determined; finally, the device type of the target network device may be determined based on the similarity. By the network equipment identification method provided by the embodiment of the invention, the purpose of forming fingerprint information by using the key character information of the target network equipment and comparing the fingerprint information with the historical fingerprint information to determine the equipment type of the target network equipment based on the similarity is achieved, so that the technical effect of improving the accuracy of identifying the network equipment is realized, and the technical problem that the type of the network equipment cannot be accurately identified by the fingerprint information for the network equipment client in the related technology is solved.
As an optional embodiment, performing feature processing on a domain name resolution DNS request initiated by a target network device to obtain key character information of the target network device includes: after detecting the network access information of the target network equipment, acquiring a DNS request initiated by the target network equipment; extracting key characters of the DNS request to obtain domain name information in the DNS request; and performing feature processing on the key characters corresponding to the domain name information to obtain key character information.
In the above optional embodiment, the target network device first issues a domain name resolution request (i.e., network access information) and, after looking up its local HOST file, sends the request to a local domain name server. At this point, the method provided in this embodiment collects the DNS request and performs key character extraction to obtain the domain name information in the DNS request, and finally performs feature processing on the key characters corresponding to the domain name information to obtain the key character information.
As an optional embodiment, performing feature processing on a keyword corresponding to domain name information to obtain keyword information includes: cleaning the key characters to obtain cleaned key characters; and encrypting the cleaned key character to obtain key character information.
In the above alternative embodiment, the key characters are first cleaned, for example by removing single characters and special characters such as Arabic numerals and special mathematical characters, which helps to obtain better key character information.
In some security scenarios, in order to protect user privacy, the cleaned key characters need to be encrypted; common methods include hashing the key characters, MD5 processing, and the like.
As an alternative embodiment, performing fingerprinting on the key character information to generate fingerprint information includes: acquiring a current MAC address of target network equipment; acquiring an evaluation factor of each key character corresponding to the key character information, and generating a key value pair of each key character based on the evaluation factor of each key character; and generating a key-value pair of the current MAC address and each key character to obtain fingerprint information.
In the above optional embodiment, in order to acquire the fingerprint information, a MAC-fingerprint key-value pair is first acquired. Here the fingerprint is a series of keyword-wt key-value pairs, where MAC is the current MAC address of the access client, keyword is each key character from the above step, and wt is the evaluation factor of that key character.
As an alternative embodiment, obtaining the evaluation factor of each key character corresponding to the key character information includes: acquiring the sum of the occurrence times of all key characters corresponding to all access network devices in a historical time period, and the access times of all the access network devices; acquiring the number of times each key character occurs in the access of the target network device, and the number of those accesses in which each key character occurs; determining a first sub-evaluation factor based on the number of times each key character occurs in the access of the target network device and the sum of the occurrence times of all key characters; determining a second sub-evaluation factor based on the access times of all the access network devices and the number of those accesses in which each key character occurs; determining the product of the first sub-evaluation factor and the second sub-evaluation factor as the evaluation factor of each key character.
In the above alternative embodiment, the fingerprint information is obtained by using the evaluation factor of the keyword, and the following describes in detail the calculation procedure of the evaluation factor of the keyword.
1) Define the first sub-evaluation factor:
Figure BDA0003394633250000081
where $n_i$ is the number of times key character $i$ occurs among all the key characters of the device's current access, and the denominator is the sum of the numbers of occurrences of all key characters of all access devices in the history.
2) Define the second sub-evaluation factor:
Figure BDA0003394633250000082
where $D$ is the number of accesses of all network devices in the historical time period, and $D_i$ is the number of those $D$ records in which key character $i$ occurs.
3) Define $wt_i = tf_i \cdot idf_i$, where $wt_i$ is the evaluation factor.
As an alternative embodiment, determining similarity between the fingerprint information and the historical fingerprint information includes: obtaining an evaluation factor of each key character in the fingerprint information; obtaining an evaluation factor of each historical key character in the historical fingerprint information; similarity is determined based on the evaluation factor for each keyword character and the evaluation factor for each historical keyword character.
In the above optional embodiment, the evaluation factor of each key character in the fingerprint information and in the historical fingerprint information is obtained, and the similarity is determined based on these evaluation factors. That is, the wireless fingerprint information is compared for similarity with the fingerprints in the historical fingerprint database; if the similarity is greater than a set threshold, the two are judged to be the same client; otherwise, the device is added as a new client.
As an alternative embodiment, determining the similarity based on the evaluation factor of each keyword and the evaluation factor of each historical keyword comprises: determining a first similarity value by a first formula, wherein the first formula is:
Figure BDA0003394633250000091
A represents the first similarity value, $wt_{ij}$ represents the evaluation factor of the i-th key character in the access information of the j-th network device, and j and i are positive integers; determining a second similarity value by a second formula, wherein the second formula is:
Figure BDA0003394633250000092
B represents the second similarity value, $wt_{ik}$ represents the evaluation factor of the i-th key character in the access information of the k-th network device, and k is a positive integer; determining a third similarity value by a third formula, wherein the third formula is:
Figure BDA0003394633250000093
C represents the third similarity value; the similarity is determined based on a ratio between the third similarity value and a product of the first similarity value and the second similarity value.
In the above alternative embodiment, the evaluation factor of each key character in the fingerprint information and the historical fingerprint information is previously obtained, and the similarity is determined based on the evaluation factor. The following describes the steps of the method for obtaining similarity.
1) Define:
Figure BDA0003394633250000094
Where $wt_{ij}$ is the evaluation factor of the i-th keyword in the access information of the j-th device.
2) Similarly, define:
Figure BDA0003394633250000095
Where $wt_{ik}$ is the evaluation factor of the i-th keyword in the access information of the k-th device.
3) Define:
Figure BDA0003394633250000096
4) The similarity between the fingerprint information of the j-th access information and the fingerprint information of the k-th access information is defined as C/(A × B).
5) The threshold is selected by collecting a large amount of data through experiments and using this scheme to analyze the confusion matrices under different thresholds. Fig. 2 is a schematic diagram of the receiver operating characteristic (ROC) curve as the similarity threshold for judging the same client changes, according to the embodiment of the invention. As shown in Fig. 2, under the method provided by the embodiment of the invention, the accuracy represented by the solid line becomes higher and higher, and in an actual production test a suitable threshold can be selected according to actual needs.
As an alternative embodiment, determining the device type of the target network device based on the similarity includes: under the condition that the similarity is greater than the similarity threshold value, determining that the target network equipment and the network equipment corresponding to the MAC address in the historical fingerprint information are the same network equipment; and under the condition that the similarity is not greater than the similarity threshold value, determining the target network equipment as new access network equipment.
In the above optional embodiment, when the similarity is greater than the preset similarity threshold, it is determined that the target network device and the network device corresponding to the historical fingerprint information are the same network device; and when the similarity is not greater than the similarity threshold value, determining that the target network equipment is newly accessed network equipment.
As an optional embodiment, the method for identifying a network device further includes: when the target network equipment and the network equipment corresponding to the MAC address in the historical fingerprint information are determined to be the same network equipment, updating the fingerprint database and the total times of occurrence of each key character in the fingerprint database, and updating each key character in the target network equipment and the times of occurrence of each key character; when the target network device is determined to be a new access network device, the fingerprint database and the total times of occurrence of each key character in the fingerprint database are updated, and meanwhile, the fingerprint information is added to the fingerprint database.
Fig. 3 is a flowchart of a preferred network device identification method according to an embodiment of the present invention, and as shown in fig. 3, a DNS request within a certain time period after a device is accessed is first collected, then feature processing, keyword extraction, cleaning, fuzzification processing, and wireless fingerprint information construction are sequentially performed, then similarity comparison is performed, a client is determined, and finally fingerprint database information is updated.
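The evaluation-factor, similarity, threshold and library-update steps described above, put together as an added Python example (not code from the patent). The formula images are not reproduced on this page, so the smoothed idf form, the cosine reading of A, B and C, the truncated SHA-256 standing in for the encryption step, the 0.5 threshold, and every name, MAC address and domain below are assumptions or constructed sample data.

```python
import hashlib
import math
from collections import Counter


def extract_keywords(dns_names):
    """Clean queried names and replace each with an opaque token.

    Assumptions: one cleaned query name is one key character, and a truncated
    SHA-256 stands in for the encryption step mentioned in the text.
    """
    counts = Counter()
    for name in dns_names:
        cleaned = name.strip().rstrip(".").lower()
        if cleaned:
            counts[hashlib.sha256(cleaned.encode()).hexdigest()[:16]] += 1
    return counts


class FingerprintLibrary:
    def __init__(self, threshold=0.5):   # constructed value; tune it from ROC data
        self.threshold = threshold
        self.records = []                # one entry per known device: mac + keyword counts
        self.accesses = 0                # D: accesses by all devices so far
        self.total_occurrences = 0       # occurrences of all keywords of all devices
        self.doc_freq = Counter()        # D_i: accesses in which keyword i occurred

    def weights(self, counts):
        """Evaluation factor wt_i = tf_i * idf_i for every keyword in counts."""
        out = {}
        for kw, n_i in counts.items():
            tf = n_i / max(self.total_occurrences, 1)
            # Assumed smoothed idf, so a keyword never seen before (D_i = 0) is defined.
            idf = math.log((1 + self.accesses) / (1 + self.doc_freq[kw]))
            out[kw] = tf * idf
        return out

    @staticmethod
    def similarity(wt_j, wt_k):
        """C / (A * B), with A, B, C read as the terms of cosine similarity (assumed)."""
        a = math.sqrt(sum(v * v for v in wt_j.values()))
        b = math.sqrt(sum(v * v for v in wt_k.values()))
        c = sum(v * wt_k.get(kw, 0.0) for kw, v in wt_j.items())
        return c / (a * b) if a and b else 0.0

    def identify(self, mac, dns_names):
        """Return (verdict, device_id, best_score) and update the library."""
        counts = extract_keywords(dns_names)
        best_id, best_score = None, 0.0
        if self.records:
            wt_new = self.weights(counts)
            for dev_id, rec in enumerate(self.records):
                score = self.similarity(wt_new, self.weights(rec["counts"]))
                if score > best_score:
                    best_id, best_score = dev_id, score
        same = best_id is not None and best_score > self.threshold
        if same:
            rec = self.records[best_id]
            rec["counts"].update(counts)  # add this access's keyword counts
            rec["mac"] = mac              # assumption: keep the most recent MAC
        else:
            self.records.append({"mac": mac, "counts": Counter(counts)})
            best_id = len(self.records) - 1
        # Library-wide totals are updated in both branches.
        self.accesses += 1
        self.total_occurrences += sum(counts.values())
        self.doc_freq.update(counts.keys())
        return ("same" if same else "new"), best_id, best_score


def demo():
    """Constructed sample: a camera rejoins the network with a different MAC."""
    lib = FingerprintLibrary()
    camera = ["time.example.net", "api.cam-vendor.example",
              "fw.cam-vendor.example", "API.cam-vendor.example."]
    laptop = ["time.example.net", "mail.example.org", "cdn.video.example"]
    results = [
        lib.identify("aa:aa:aa:aa:aa:01", camera),
        lib.identify("bb:bb:bb:bb:bb:02", laptop),
        lib.identify("02:11:22:33:44:55", camera + ["ocsp.example.com"]),
    ]
    return lib, results


if __name__ == "__main__":
    for verdict, dev_id, score in demo()[1]:
        print(verdict, dev_id, round(score, 4))
```

Under the assumed idf, a domain seen in every recorded access gets weight 0, so with a small library the score rests entirely on the domains that distinguish one device from another.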
Therefore, with the embodiment provided by the invention, whether a client has accessed the network before can be effectively identified during client access, with clients matched one to one. When the MAC address of the client changes, the client can still be effectively identified under this scheme. The scheme relies on the client's DNS messages within a period of time after access, so a change in the DNS messages affects the accuracy of client identification, which also means that whether patent infringement exists is easily judged. The access terminal does not need to actively initiate interaction with the access device; the scheme is purely passive, so network performance and client experience are not affected.
Example 2
According to another aspect of the embodiment of the present invention, there is also provided an apparatus for identifying a network device, and fig. 4 is a schematic diagram of the apparatus for identifying a network device according to the embodiment of the present invention, as shown in fig. 4, including: a feature processing unit 41, a fingerprinting processing unit 43, a first determining unit 45 and a second determining unit 47. The following describes the identification device of the network device.
A feature processing unit 41, configured to perform feature processing on a domain name resolution DNS request initiated by a target network device to obtain key character information of the target network device;
a fingerprinting processing unit 43, configured to perform fingerprinting processing on the key character information to generate fingerprint information, where the fingerprint information includes a mapping relationship between a current MAC address of the target network device and each key character in the key character information;
a first determining unit 45 for determining a similarity between the fingerprint information and the history fingerprint information;
a second determining unit 47, configured to determine the device type of the target network device based on the similarity.
It should be noted here that the feature processing unit 41, the fingerprinting processing unit 43, the first determining unit 45, and the second determining unit 47 correspond to steps S102 to S108 in embodiment 1, and the modules are the same as the corresponding steps in the implementation example and application scenario, but are not limited to the disclosure in embodiment 1. It should be noted that the modules described above as part of an apparatus may be implemented in a computer system such as a set of computer-executable instructions.
As can be seen from the above, in the embodiment of the present invention, first, the feature processing unit 41 may perform feature processing on the domain name resolution DNS request initiated by the target network device, so as to obtain key character information of the target network device; then, the fingerprinting processing unit 43 may perform fingerprinting processing on the key character information to generate fingerprint information, where the fingerprint information includes a mapping relationship between a current MAC address of the target network device and each key character in the key character information; the similarity between the fingerprint information and the historical fingerprint information may then be determined by means of the first determination unit 45; finally, the device type of the target network device can be determined by means of the second determination unit 47 on the basis of the similarity. By the network equipment identification device provided by the embodiment of the invention, the purpose of forming fingerprint information by using the key character information of the target network equipment and comparing the fingerprint information with the historical fingerprint information to determine the equipment type of the target network equipment based on the similarity is achieved, so that the technical effect of improving the accuracy of identifying the network equipment is realized, and the technical problem that the type of the network equipment cannot be accurately identified by the fingerprint information for the network equipment client in the related technology is solved.
Optionally, the feature processing unit includes: the acquisition module is used for acquiring a DNS request initiated by target network equipment after detecting the network access information of the target network equipment; the key character extraction module is used for extracting key characters of the DNS request to obtain domain name information in the DNS request; and the characteristic processing module is used for carrying out characteristic processing on the key characters corresponding to the domain name information to obtain key character information.
Optionally, the feature processing module includes: the cleaning processing submodule is used for cleaning the key characters to obtain the cleaned key characters; and the encryption processing sub-module is used for encrypting the cleaned key characters to obtain key character information.
Optionally, the fingerprinting processing unit includes: the first acquisition module is used for acquiring the current MAC address of the target network equipment; the second acquisition module is used for acquiring the evaluation factor of each key character corresponding to the key character information and generating the key value pair of each key character based on the evaluation factor of each key character; and the generating module is used for generating the key value pair of the current MAC address and each key character so as to obtain the fingerprint information.
Optionally, the second obtaining module includes: the first obtaining submodule is used for obtaining the sum of the times of occurrence of all key characters corresponding to all access network equipment in a historical time period and the access times of all the access network equipment; the second obtaining submodule is used for obtaining the occurrence frequency of each key character in the access of the target network equipment and the occurrence frequency of each key character in the access frequency; the first determining submodule is used for determining a first sub-evaluation factor based on the sum of the occurrence frequency of each key character in the access of the target network equipment and the occurrence frequency of all key characters; the second determination submodule is used for determining a second sub-evaluation factor based on the access times of all the access network devices and the occurrence times of each key character in the access times; and the third determining submodule is used for determining the product of the first sub-evaluation factor and the second sub-evaluation factor as the evaluation factor of each key character.
Optionally, the first determining unit includes: the third acquisition module is used for acquiring the evaluation factor of each key character in the fingerprint information; the fourth acquisition module is used for acquiring the evaluation factor of each historical key character in the historical fingerprint information; and the first determining module is used for determining the similarity based on the evaluation factor of each key character and the evaluation factor of each historical key character.
Optionally, the first determining module includes: a fourth determining submodule, configured to determine the first similarity value through a first formula, where the first formula is:
Figure BDA0003394633250000121
A represents the first similarity value, $wt_{ij}$ represents the evaluation factor of the i-th key character in the access information of the j-th network device, and j and i are positive integers; a fifth determining submodule, configured to determine a second similarity value according to a second formula, where the second formula is:
Figure BDA0003394633250000122
B represents the second similarity value, $wt_{ik}$ represents the evaluation factor of the i-th key character in the access information of the k-th network device, and k is a positive integer; a sixth determining submodule, configured to determine a third similarity value according to a third formula, where the third formula is:
Figure BDA0003394633250000123
C represents the third similarity value; a seventh determining submodule for determining the similarity based on a ratio between the third similarity value and a product of the first similarity value and the second similarity value.
Optionally, the second determining unit includes: the second determining module is used for determining that the target network device and the network device corresponding to the MAC address in the historical fingerprint information are the same network device under the condition that the similarity is greater than the similarity threshold value; and the third determining module is used for determining the target network equipment as the new access network equipment under the condition that the similarity is not greater than the similarity threshold value.
Optionally, the network device identification apparatus further includes: the first updating module is used for updating the fingerprint database and the total times of occurrence of each key character in the fingerprint database when the target network equipment and the network equipment corresponding to the MAC address in the historical fingerprint information are determined to be the same network equipment, and updating each key character in the target network equipment and the times of occurrence of each key character; and the second updating module is used for updating the fingerprint database and the total times of occurrence of each key character in the fingerprint database when the target network equipment is determined to be newly accessed network equipment, and adding the fingerprint information to the fingerprint database.
Example 3
According to another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium including a stored computer program, wherein when the computer program is executed by a processor, the apparatus where the computer-readable storage medium is located is controlled to execute the network device identification method of any one of the above.
Example 4
According to another aspect of the embodiments of the present invention, there is also provided a processor, configured to execute a computer program, where the computer program executes to perform the method for identifying a network device in any one of the above.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (11)

1. A method for identifying a network device, comprising:
performing feature processing on a domain name resolution (DNS) request initiated by target network equipment to obtain key character information of the target network equipment;
performing fingerprinting processing on the key character information to generate fingerprint information, wherein the fingerprint information contains a mapping relation between a current MAC address of the target network equipment and each key character in the key character information;
determining similarity between the fingerprint information and historical fingerprint information;
determining a device type of the target network device based on the similarity.
2. The method of claim 1, wherein performing feature processing on a domain name resolution (DNS) request initiated by a target network device to obtain keyword information of the target network device comprises:
after detecting the network access information of the target network equipment, acquiring the DNS request initiated by the target network equipment;
extracting key characters of the DNS request to obtain domain name information in the DNS request;
and performing feature processing on the key characters corresponding to the domain name information to obtain the key character information.
3. The method of claim 1, wherein fingerprinting the key character information to generate fingerprint information comprises:
acquiring the current MAC address of the target network equipment;
acquiring an evaluation factor of each key character corresponding to the key character information, and generating a key value pair of each key character based on the evaluation factor of each key character;
and generating the key-value pair of the current MAC address and each key character to obtain the fingerprint information.
4. The method according to claim 3, wherein obtaining the evaluation factor of each keyword corresponding to the keyword information comprises:
acquiring the sum of the occurrence times of all key characters corresponding to all access network devices in a historical time period and the access times of all the access network devices;
acquiring the occurrence frequency of each key character in the target network equipment in the access and the occurrence frequency of each key character in the access frequency;
determining a first sub-evaluation factor based on the sum of the occurrence times of each key character in the access of the target network equipment and the occurrence times of all key characters;
determining a second sub-evaluation factor based on the access times of all the access network devices and the occurrence times of each key character in the access times;
determining a product of the first sub-evaluation factor and the second sub-evaluation factor as an evaluation factor of each of the key characters.
5. The method of claim 4, wherein determining a similarity between the fingerprint information and historical fingerprint information comprises:
obtaining an evaluation factor of each key character in the fingerprint information;
obtaining an evaluation factor of each historical key character in the historical fingerprint information;
determining the similarity based on the evaluation factor of each keyword character and the evaluation factor of each historical keyword character.
6. The method of claim 5, wherein determining the similarity based on the evaluation factor of each keyword character and the evaluation factor of each historical keyword character comprises:
determining a first similarity value by a first formula, wherein the first formula is:
Figure FDA0003394633240000021
A represents the first similarity value, $wt_{ij}$ represents the evaluation factor of the i-th key character in the access information of the j-th network device, and j and i are positive integers;
determining a second similarity value by a second formula, wherein the second formula is:
Figure FDA0003394633240000022
B represents the second similarity value, $wt_{ik}$ represents the evaluation factor of the i-th key character in the access information of the k-th network device, and k is a positive integer;
determining a third similarity value by a third formula, wherein the third formula is:
Figure FDA0003394633240000023
Figure FDA0003394633240000024
C represents the third similarity value;
determining the similarity based on a ratio between the third similarity value and a product of the first similarity value and the second similarity value.
7. The method of any of claims 1 to 6, wherein determining the device type of the target network device based on the similarity comprises:
determining that the target network device and the network device corresponding to the MAC address in the historical fingerprint information are the same network device under the condition that the similarity is greater than a similarity threshold value;
and under the condition that the similarity is not greater than a similarity threshold value, determining the target network equipment as new access network equipment.
8. The method of claim 7, further comprising:
when the target network device and the network device corresponding to the MAC address in the historical fingerprint information are determined to be the same network device, updating a fingerprint library and the total times of occurrence of each key character in the fingerprint library, and updating each key character in the target network device and the times of occurrence of each key character;
when the target network device is determined to be a new access network device, the fingerprint database and the total times of occurrence of each key character in the fingerprint database are updated, and the fingerprint information is added to the fingerprint database.
9. An apparatus for identifying a network device, comprising:
a feature processing unit, configured to perform feature processing on a domain name resolution (DNS) request initiated by a target network device to obtain key character information of the target network device;
a fingerprinting processing unit, configured to perform fingerprinting processing on the key character information to generate fingerprint information, where the fingerprint information includes a mapping relationship between a current MAC address of the target network device and each key character in the key character information;
a first determination unit configured to determine a similarity between the fingerprint information and historical fingerprint information;
a second determining unit, configured to determine a device type of the target network device based on the similarity.
10. A computer-readable storage medium, comprising a stored computer program, wherein when the computer program is executed by a processor, the computer-readable storage medium controls an apparatus to perform the network device identification method according to any one of claims 1 to 8.
11. A processor for executing a computer program, wherein the computer program executes to perform the method for identifying a network device according to any one of claims 1 to 8.
CN202111480134.4A 2021-12-06 2021-12-06 Network equipment identification method and device and computer readable storage medium Pending CN114338602A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111480134.4A CN114338602A (en) 2021-12-06 2021-12-06 Network equipment identification method and device and computer readable storage medium


Publications (1)

Publication Number Publication Date
CN114338602A (en) 2022-04-12

Family

ID=81047903



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination