CN116582346A - Passive network asset identification method, device, server and storage medium - Google Patents

Passive network asset identification method, device, server and storage medium

Info

Publication number
CN116582346A
Authority
CN
China
Prior art keywords
target
traffic packet
monitoring
packet
target monitoring
Prior art date
Legal status
Pending
Application number
CN202310634059.5A
Other languages
Chinese (zh)
Inventor
王昊天
Current Assignee
Shanghai Dragon Technology Co ltd
Original Assignee
Shanghai Dragon Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Shanghai Dragon Technology Co ltd
Priority to CN202310634059.5A
Publication of CN116582346A
Legal status: Pending (current)


Classifications

All classifications fall under H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:
    • H04L 63/00 Network architectures or network communication protocols for network security › 63/14 for detecting or protecting against malicious traffic › 63/1408 by monitoring network traffic › 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/00 Network architectures or network communication protocols for network security › 63/14 for detecting or protecting against malicious traffic › 63/1408 by monitoring network traffic › 63/1416 Event detection, e.g. attack signature detection
    • H04L 47/00 Traffic control in data switching networks › 47/10 Flow control; Congestion control › 47/24 Traffic characterised by specific attributes, e.g. priority or QoS › 47/2483 involving identification of individual flows
    • H04L 47/00 Traffic control in data switching networks › 47/10 Flow control; Congestion control › 47/32 by discarding or delaying data units, e.g. packets or frames › 47/323 Discarding or blocking control packets, e.g. ACK packets
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications › 67/50 Network services › 67/56 Provisioning of proxy services › 67/568 Storing data temporarily at an intermediate stage, e.g. caching
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols › 9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application relates to the technical field of computers, and in particular to a passive network asset identification method, device, server and storage medium. The method comprises: acquiring at least one traffic packet to be monitored and writing it into a bypass monitoring space; filtering each traffic packet to be monitored that has been transferred to the bypass monitoring space according to monitoring requirement information input by a user, to obtain a target monitoring traffic packet corresponding to each traffic packet to be monitored; identifying the traffic packet type of each target monitoring traffic packet, the type being either unencrypted or encrypted; writing each target monitoring traffic packet into a corresponding target lock-free buffer according to its traffic packet type; and performing network asset feature identification on the target monitoring traffic packets in each target lock-free buffer according to the corresponding traffic packet type, to obtain corresponding feature identification information. The application can improve working efficiency when identifying passive network assets.

Description

Passive network asset identification method, device, server and storage medium
Technical Field
The present application relates to the field of computer technology, and in particular to a passive network asset identification method, device, server and storage medium.
Background
With the development of network technology, network resources have become particularly important. Detecting and managing network assets helps an enterprise know which network assets it owns, and analysing the identified assets allows it to check whether its internal devices face potential threats or attacks, so that the enterprise's internal network resources can be protected.
Network asset identification may be active or passive. Passive identification does not inject traffic into the network and therefore adds no network load, whereas active probing does consume network resources, so the network assets under management are usually identified passively. Passive identification typically extracts feature fields from the captured network traffic packets and matches them against a library holding a large amount of asset feature information, so that the passive network assets can be monitored and analysed. However, because an enterprise has many devices and each device corresponds to many network assets, monitoring and analysing all of the enterprise's network assets requires identifying and analysing them one by one, which reduces the working efficiency of monitoring and analysis.
Disclosure of Invention
In order to improve working efficiency when identifying passive network assets, the present application provides a passive network asset identification method, device, server and storage medium.
In a first aspect, the present application provides a passive network asset identification method, which adopts the following technical scheme:
a passive network asset identification method, comprising:
acquiring at least one traffic packet to be monitored, and writing the at least one traffic packet to be monitored into a bypass monitoring space;
filtering each traffic packet to be monitored that has been transferred to the bypass monitoring space according to monitoring requirement information input by a user, to obtain a target monitoring traffic packet corresponding to each traffic packet to be monitored;
identifying the traffic packet type corresponding to each target monitoring traffic packet, wherein the traffic packet type is either an unencrypted type or an encrypted type;
writing each target monitoring traffic packet into a corresponding target lock-free buffer according to its traffic packet type;
and performing network asset feature identification on the target monitoring traffic packets in each target lock-free buffer according to the corresponding traffic packet type, to obtain corresponding feature identification information.
By adopting this technical scheme, the traffic packets to be monitored are offloaded to a monitoring space on a bypass outside the main control path and processed there, rather than being intercepted and processed on the main control path itself. Network assets can therefore be detected and analysed without affecting users' normal access: asset detection and normal user access are handled separately, which helps to improve detection efficiency. In addition, the acquired traffic packets to be monitored are filtered according to the monitoring requirements input by the user, so invalid data is removed and the computing load during network asset feature identification is reduced, which further improves working efficiency. Before feature identification is performed on the filtered target monitoring traffic packets, they are divided by traffic packet type and moved out of the bypass monitoring space into the lock-free buffer corresponding to their type, so that feature identification can read each buffer in the mode appropriate to that type without re-examining the packet type, and target monitoring traffic can be identified promptly and in real time.
In one possible implementation, filtering each traffic packet to be monitored that has been transferred to the bypass monitoring space according to the monitoring requirement information input by the user, to obtain the corresponding target monitoring traffic packet, comprises:
parsing the monitoring requirement information input by the user to obtain the user's monitoring and filtering requirements, wherein the monitoring requirement information comprises at least one monitoring and filtering requirement;
when there is one monitoring and filtering requirement, filtering the traffic packets to be monitored that have been transferred to the bypass monitoring space through the filtering process channel corresponding to that requirement, to obtain the corresponding target monitoring traffic packets;
when there are at least two monitoring and filtering requirements, obtaining the filtering work information corresponding to each requirement, determining a filtering order of the at least two requirements from that filtering work information, and filtering the traffic packets to be monitored that have been transferred to the bypass monitoring space through the filtering process channels in that order, to obtain the corresponding target monitoring traffic packets, wherein the filtering work information of each requirement comprises its filtering work efficiency and filtering waiting time.
By adopting this technical scheme, because different monitoring and filtering requirements correspond to different filtering process channels, when the user's requirements contain at least two filtering requirements the filtering order is planned from the filtering work efficiency and waiting time of each requirement, rather than applying the requirements in a fixed order. Filtering in the planned order avoids unnecessary waiting during filtering and improves the working efficiency of filtering the traffic packets to be monitored.
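The following Python example, added here and not part of the patent, shows the ordering described above. Each hypothetical filtering channel (the names, predicates, costs and waiting times are assumptions) is a predicate with a per-packet cost and a start-up wait; with two or more requirements the channels are ordered cheapest-first, and the work spent is compared with applying them in the order the user entered them, on a set of constructed packets.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict, List, Tuple

Packet = Dict[str, Any]


@dataclass(frozen=True)
class FilterStage:
    """One filtering process channel: a predicate plus the cost profile used to order it."""
    name: str
    predicate: Callable[[Packet], bool]
    cost_per_packet: float  # relative units; the inverse of "filtering work efficiency"
    wait_time: float        # start-up latency before the channel accepts its first packet


INTERNAL = ip_network("10.0.0.0/8")
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

# Hypothetical channels standing in for three user-entered monitoring requirements.
STAGES: Dict[str, FilterStage] = {
    "internal_src": FilterStage(
        "internal_src", lambda p: ip_address(p["src"]) in INTERNAL, cost_per_packet=1.0, wait_time=0.0),
    "web_port": FilterStage(
        "web_port", lambda p: p["proto"] == "tcp" and p["dport"] in (80, 443), cost_per_packet=2.0, wait_time=0.0),
    "http_request": FilterStage(
        "http_request", lambda p: HTTP_REQUEST.match(p["payload"]) is not None, cost_per_packet=20.0, wait_time=5.0),
}

# Constructed packets "transferred to the bypass monitoring space".
SAMPLE_PACKETS: List[Packet] = [
    {"src": "10.0.1.5", "dst": "10.0.2.7", "proto": "tcp", "dport": 80, "payload": b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"src": "10.0.1.6", "dst": "10.0.2.7", "proto": "tcp", "dport": 80, "payload": b"POST /login HTTP/1.1\r\n"},
    {"src": "10.0.1.7", "dst": "10.0.2.9", "proto": "tcp", "dport": 8080, "payload": b"GET /admin HTTP/1.1\r\n"},
    {"src": "10.0.1.8", "dst": "10.0.2.9", "proto": "udp", "dport": 53, "payload": b"\x12\x34\x01\x00"},
    {"src": "203.0.113.4", "dst": "10.0.2.7", "proto": "tcp", "dport": 80, "payload": b"GET /.env HTTP/1.1\r\n"},
    {"src": "203.0.113.5", "dst": "10.0.2.7", "proto": "tcp", "dport": 80, "payload": b"GET /wp-login.php HTTP/1.1\r\n"},
    {"src": "198.51.100.9", "dst": "10.0.2.7", "proto": "tcp", "dport": 80, "payload": b"HEAD / HTTP/1.1\r\n"},
]


def plan_order(stages: List[FilterStage]) -> List[FilterStage]:
    """A single requirement is applied as-is; two or more are ordered cheapest-first.

    Assumption: the channel with the lowest per-packet cost (ties broken by the
    shorter start-up wait) goes first, so a packet it rejects never reaches a
    slower channel.
    """
    if len(stages) <= 1:
        return list(stages)
    return sorted(stages, key=lambda s: (s.cost_per_packet, s.wait_time))


def screen(packets: List[Packet], stages: List[FilterStage]) -> Tuple[List[Packet], float]:
    """Apply the channels in the given order; return the surviving packets and the work spent."""
    kept, work = [], 0.0
    for pkt in packets:
        for stage in stages:
            work += stage.cost_per_packet
            if not stage.predicate(pkt):
                break  # rejected: skip the remaining channels for this packet
        else:
            kept.append(pkt)
    return kept, work


def compare_orders(packets: List[Packet], requested: List[str]) -> Dict[str, Any]:
    """Contrast the order the user typed the requirements in with the planned order."""
    as_entered = [STAGES[name] for name in requested]
    planned = plan_order(as_entered)
    kept_fixed, work_fixed = screen(packets, as_entered)
    kept_planned, work_planned = screen(packets, planned)
    return {
        "planned_order": [s.name for s in planned],
        "kept": [p["src"] for p in kept_planned],
        "same_result": kept_fixed == kept_planned,
        "work_fixed": work_fixed,
        "work_planned": work_planned,
    }


if __name__ == "__main__":
    print(compare_orders(SAMPLE_PACKETS, ["http_request", "web_port", "internal_src"]))
```

Both orders keep the same two packets, but the planned order spends roughly a third of the work, because the external-source packets are rejected by the cheap address check before the expensive payload match runs. A real ranking would also weigh each channel's selectivity, which the patent does not mention.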
In one possible implementation, writing the target monitoring traffic packet into the corresponding target lock-free buffer further comprises:
determining the first initial lock-free buffers of the target monitoring traffic packet according to its traffic packet type, wherein a first initial lock-free buffer is a lock-free buffer corresponding to the traffic packet type of the target monitoring traffic packet;
determining the data volume of the target monitoring traffic packet, and judging, based on that data volume, whether a second initial lock-free buffer exists among the first initial lock-free buffers, wherein the cache capacity of a second initial lock-free buffer is not lower than the data volume of the target monitoring traffic packet;
if so, determining the number of second initial lock-free buffers, and determining the target lock-free buffer of the target monitoring traffic from the number of second initial lock-free buffers and their corresponding cache capacities;
if not, creating a new lock-free buffer according to the data volume of the target monitoring traffic packet, and determining the newly created lock-free buffer as the target lock-free buffer of the target monitoring traffic.
By adopting this technical scheme, because the network asset feature identification mode differs by traffic packet type, target monitoring traffic packets of different types are written into different lock-free buffers. Subsequent feature identification can then operate directly on the traffic in each buffer, with no time spent re-judging the packet type or switching identification modes. When a suitable lock-free buffer already exists, the target monitoring traffic packet is written into it directly instead of creating a new buffer for every packet, which removes the waiting time of buffer creation and speeds up writing. Selecting the target lock-free buffer by the data volume of the packet improves the fit between buffer and packet, reduces the probability that a packet cannot be stored completely because the buffer fills part-way through, and increases the rate at which target monitoring traffic packets are moved out of the bypass monitoring space.
In one possible implementation, performing network asset feature identification on the target monitoring traffic packets in each target lock-free buffer according to the corresponding traffic packet type further comprises:
recording the total amount of data written into each target lock-free buffer;
comparing the total amount of data written for each target monitoring traffic packet in its target lock-free buffer with the total amount of target monitoring data;
if the total amount of data written into the target lock-free buffer equals the total amount of target monitoring data, performing network asset feature identification on the target monitoring traffic packet in that buffer;
and if the total amount of data written into the target lock-free buffer differs from the total amount of target monitoring data, recording the transmission waiting time, and emptying the data written into the target lock-free buffer when the transmission waiting time exceeds a preset duration.
By adopting this technical scheme, before network asset feature identification is performed on the target monitoring traffic packet in a target lock-free buffer, it is judged whether the total amount of data written into the buffer is complete, that is, whether the target monitoring traffic packet has been written in full. Checking integrity before identification improves the comprehensiveness and accuracy of determining the network assets. If the data written into the target lock-free buffer is found to be incomplete, a waiting period allows the rest of the target traffic packet to be written; when the waiting period reaches the preset limit, the written data is cleared so that the buffer space is released promptly, which improves the data throughput.
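The following Python example, added here and not the patent's own code, combines the buffer selection of the previous implementation with the completeness check above. A pool keeps free buffers per traffic packet type, picks the smallest free buffer whose capacity covers the declared size of a flow (best fit is an assumption; the page only says the choice depends on the number and capacity of the candidates) or creates one sized to the flow, and a periodic sweep hands complete flows to identification while emptying buffers whose wait has exceeded the preset duration. The list-backed buffer is a stand-in for a lock-free ring; the flow keys, sizes and timestamps are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Buffer:
    """Stand-in for one lock-free buffer.

    A Python list holds the chunks here; a real implementation would use a
    single-producer/single-consumer ring so writer and identifier never take a lock
    (an assumption about the intended design, not something the page specifies).
    """
    capacity: int            # bytes this buffer can hold
    ptype: str               # "unencrypted" or "encrypted"
    flow_key: Optional[str] = None
    expected_total: int = 0  # declared size of the target monitoring flow
    first_write: Optional[float] = None
    chunks: List[bytes] = field(default_factory=list)

    @property
    def written(self) -> int:
        return sum(len(c) for c in self.chunks)

    def clear(self) -> None:
        self.flow_key, self.expected_total, self.first_write = None, 0, None
        self.chunks.clear()


class BufferPool:
    """Per-type pools of free buffers plus the buffers currently assigned to flows."""

    def __init__(self) -> None:
        self.free: Dict[str, List[Buffer]] = {"unencrypted": [], "encrypted": []}
        self.active: Dict[str, Buffer] = {}
        self.created = 0

    def assign(self, flow_key: str, ptype: str, expected_total: int) -> Buffer:
        if flow_key in self.active:
            return self.active[flow_key]
        # First initial buffers: the free buffers of this packet type.
        # Second initial buffers: those whose capacity covers the declared flow size.
        fits = [b for b in self.free[ptype] if b.capacity >= expected_total]
        if fits:
            buf = min(fits, key=lambda b: b.capacity)  # best fit among the candidates
            self.free[ptype].remove(buf)
        else:
            buf = Buffer(capacity=expected_total, ptype=ptype)  # no fit: create one sized to the flow
            self.created += 1
        buf.flow_key, buf.expected_total = flow_key, expected_total
        self.active[flow_key] = buf
        return buf

    def write(self, flow_key: str, ptype: str, expected_total: int, chunk: bytes, now: float) -> Buffer:
        buf = self.assign(flow_key, ptype, expected_total)
        if buf.written + len(chunk) > buf.capacity:
            raise ValueError(f"{flow_key}: chunk would overflow a {buf.capacity}-byte buffer")
        if buf.first_write is None:
            buf.first_write = now
        buf.chunks.append(chunk)
        return buf

    def sweep(self, now: float, timeout: float) -> Tuple[List[Tuple[str, str, bytes]], List[str]]:
        """Release complete flows for identification; discard flows that waited too long."""
        ready, expired = [], []
        for key, buf in list(self.active.items()):
            if buf.written == buf.expected_total:
                ready.append((key, buf.ptype, b"".join(buf.chunks)))
            elif now - buf.first_write > timeout:
                expired.append(key)  # incomplete past the preset wait: empty the buffer
            else:
                continue             # still waiting for the rest of the flow
            buf.clear()
            self.free[buf.ptype].append(buf)
            del self.active[key]
        return ready, expired


def run_scenario() -> Dict[str, object]:
    """Constructed sequence of writes and sweeps; timestamps are seconds."""
    pool = BufferPool()
    pool.write("A", "unencrypted", 300, b"x" * 100, now=0.0)        # new 300-byte buffer
    pool.write("B", "unencrypted", 120, b"y" * 120, now=0.0)        # A is busy: new 120-byte buffer
    pool.write("A", "unencrypted", 300, b"x" * 200, now=1.0)        # A now complete
    ready1, _ = pool.sweep(now=1.0, timeout=5.0)                    # A and B handed to identification
    c_buf = pool.write("C", "unencrypted", 200, b"z" * 50, now=2.0)  # reuses the freed 300-byte buffer
    pool.write("D", "encrypted", 64, b"\x17" * 64, now=3.0)         # encrypted pool is empty: new buffer
    ready2, _ = pool.sweep(now=3.0, timeout=5.0)                    # D complete; C still within the wait
    _, expired3 = pool.sweep(now=9.0, timeout=5.0)                  # C waited 7 s > 5 s: emptied
    return {
        "created": pool.created,
        "ready1": [key for key, _, _ in ready1],
        "c_capacity": c_buf.capacity,
        "ready2": [key for key, _, _ in ready2],
        "expired3": expired3,
        "free_unencrypted": sorted(b.capacity for b in pool.free["unencrypted"]),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The overflow check in `write` is the practitioner's guard for the case the text mentions, a buffer filling part-way through a packet: a declared size that turns out to be wrong is rejected loudly rather than silently truncating the flow handed to identification.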
In one possible implementation, performing network asset feature identification according to the corresponding traffic packet type to obtain the corresponding feature identification information comprises:
when the traffic packet type corresponding to the target monitoring traffic packet is the unencrypted type, performing passive fingerprint identification on the target monitoring traffic packet, determining a first identification result according to a preset network asset feature table, and taking the first identification result as the feature identification information of the target monitoring traffic packet;
and when the traffic packet type corresponding to the target monitoring traffic packet is the encrypted type, decrypting the target monitoring traffic packet, extracting data from the decrypted target monitoring traffic packet, determining a second identification result according to the extracted data and the preset network asset feature table, and taking the second identification result as the feature identification information of the target monitoring traffic packet.
By adopting this technical scheme, unencrypted monitoring traffic packets are identified by passive fingerprinting, which improves the accuracy with which the passive network assets contained in the target monitoring traffic packet are determined. Because the passive network assets corresponding to an encrypted monitoring traffic packet cannot be accurately determined by fingerprinting alone, the encrypted packet is decrypted first, and network asset identification is then performed on the decrypted traffic packet.
In one possible implementation, decrypting the target monitoring traffic packet comprises:
identifying the target encryption identification code corresponding to the target monitoring traffic packet;
judging, according to the target encryption identification code, whether a target private key corresponding to it exists in a preset key database, wherein the preset key database comprises the private keys corresponding to a plurality of encryption identification codes;
if so, decrypting the target monitoring traffic packet with the target private key;
if not, decrypting the target monitoring traffic packet by extracting the preset feature information contained in it.
By adopting this technical scheme, two methods of decrypting an encrypted traffic packet are provided. The decryption method is chosen according to the encryption identification code carried in the target monitoring traffic packet: if a private key corresponding to that identification code exists, the packet is decrypted directly to plaintext, which gives higher accuracy; if no such private key exists, the packet is processed by extracting the preset feature information it contains, which is faster.
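The following Python example, added here and not taken from the patent, walks an unencrypted and an encrypted target monitoring traffic packet through the two identification paths above. The record format, key identification code, feature table and sample packets are constructed; the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used only so the example runs with the standard library, and the nonce is fixed for reproducibility (a nonce must never be reused with the same key in real use). One caveat applies to the key-database path: for TLS with ephemeral key exchange the server's long-term private key cannot decrypt recorded sessions, so such a database would have to hold per-session keys exported by the endpoints, or the monitor must sit behind a terminating proxy.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional

# Constructed network asset feature table: (pattern over plaintext, asset label).
FEATURE_TABLE = [
    (re.compile(rb"Server: nginx/([\w.]+)"), "nginx {0}"),
    (re.compile(rb"Server: Apache/([\w.]+)"), "Apache httpd {0}"),
    (re.compile(rb"^SSH-2\.0-OpenSSH_([\w.]+)"), "OpenSSH {0}"),
]

# Constructed record layout: MAGIC | key id (8) | nonce (12) | ciphertext | tag (32).
MAGIC, KID_LEN, NONCE_LEN, TAG_LEN = b"ENC1", 8, 12, 32

# Constructed preset key database: encryption identification code -> key.
KEY_DB: Dict[bytes, bytes] = {
    b"kid-0001": hashlib.sha256(b"example key material, not a real secret").digest(),
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in PRF stream cipher, standard library only."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key_id: bytes, key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Build one encrypted record (encrypt-then-MAC over header and ciphertext)."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, MAGIC + key_id + nonce + ct, hashlib.sha256).digest()
    return MAGIC + key_id + nonce + ct + tag


def is_encrypted(packet: bytes) -> bool:
    # A deployment would key this on e.g. TLS record headers; the MAGIC prefix stands in.
    return packet.startswith(MAGIC)


def open_record(record: bytes, key: bytes) -> Optional[bytes]:
    hdr = len(MAGIC) + KID_LEN + NONCE_LEN
    if len(record) < hdr + TAG_LEN:
        return None
    key_id, nonce = record[len(MAGIC):len(MAGIC) + KID_LEN], record[hdr - NONCE_LEN:hdr]
    ct, tag = record[hdr:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, MAGIC + key_id + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # reject before decrypting anything
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def fingerprint(plaintext: bytes) -> Optional[str]:
    """Passive fingerprinting: first matching entry of the preset feature table."""
    for pattern, label in FEATURE_TABLE:
        m = pattern.search(plaintext)
        if m:
            return label.format(m.group(1).decode())
    return None


def identify(packet: bytes) -> dict:
    if not is_encrypted(packet):
        return {"type": "unencrypted", "method": "passive-fingerprint", "asset": fingerprint(packet)}
    key_id = packet[len(MAGIC):len(MAGIC) + KID_LEN]
    key = KEY_DB.get(key_id)
    if key is None:
        # No private key for this identification code: fall back to the features
        # readable without decryption (the cleartext record header and its size).
        return {"type": "encrypted", "method": "metadata-features", "asset": None,
                "features": {"key_id": key_id.decode(errors="replace"), "record_len": len(packet)}}
    plaintext = open_record(packet, key)
    if plaintext is None:
        return {"type": "encrypted", "method": "decrypt", "asset": None, "error": "integrity check failed"}
    return {"type": "encrypted", "method": "decrypt", "asset": fingerprint(plaintext)}


# Constructed sample traffic.
SAMPLES = {
    "http_plain": b"HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nContent-Length: 0\r\n\r\n",
    "known_key": seal(b"kid-0001", KEY_DB[b"kid-0001"], b"\x00" * 12,
                      b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.57\r\n\r\n"),
    "unknown_key": seal(b"kid-9999", hashlib.sha256(b"other key").digest(), b"\x01" * 12,
                        b"SSH-2.0-OpenSSH_9.3\r\n"),
}
SAMPLES["tampered"] = SAMPLES["known_key"][:-1] + bytes([SAMPLES["known_key"][-1] ^ 0x01])

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, identify(pkt))
```

The tag is checked before any plaintext is produced, and a record whose tag fails is reported as an integrity failure rather than fingerprinted: feeding a forged or corrupted "decryption" into the feature table would put a phantom asset in the inventory.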
In one possible implementation, after obtaining the corresponding feature identification information, the method further comprises:
acquiring access traffic data, wherein the access traffic data comprises access information corresponding to each network asset feature in the feature identification information, and the access information comprises the access time, the number of accesses and the traffic volume occupied by the accesses within a preset time period;
when the access information meets any one of the following preset conditions, determining that the network asset feature corresponding to the access information is abnormal,
the preset conditions comprising:
the access frequency corresponding to the network asset feature is higher than a preset standard access frequency;
and the access traffic volume corresponding to the network asset feature is higher than the standard access traffic volume corresponding to that network asset feature.
By adopting this technical scheme, the access information corresponding to each identified network asset is analysed to judge whether the network asset feature is abnormal, and thereby whether the network asset faces a potential threat or attack.
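The following Python example, added here and not part of the patent, applies the two preset conditions to a constructed access traffic log. Accesses inside a one-minute window are counted and summed per asset, an asset exceeding the preset standard access frequency or its own standard traffic volume is flagged, and (an assumption the page does not settle) an asset with no standard traffic volume is judged on frequency alone. The log format, asset labels and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed access traffic log: one access per line, asset label@host.
SAMPLE_LOG = """\
2024-05-01T09:59:30+00:00 asset=nginx_1.24.0@10.0.2.7 bytes=999999
2024-05-01T10:00:01+00:00 asset=nginx_1.24.0@10.0.2.7 bytes=20000
2024-05-01T10:00:02+00:00 asset=openssh_9.3@10.0.2.9 bytes=100
2024-05-01T10:00:05+00:00 asset=apache_2.4.57@10.0.2.8 bytes=1000
2024-05-01T10:00:09+00:00 asset=nginx_1.24.0@10.0.2.7 bytes=15000
2024-05-01T10:00:10+00:00 asset=openssh_9.3@10.0.2.9 bytes=100
2024-05-01T10:00:18+00:00 asset=openssh_9.3@10.0.2.9 bytes=100
2024-05-01T10:00:20+00:00 asset=nginx_1.24.0@10.0.2.7 bytes=15000
2024-05-01T10:00:26+00:00 asset=openssh_9.3@10.0.2.9 bytes=100
2024-05-01T10:00:33+00:00 asset=apache_2.4.57@10.0.2.8 bytes=1000
2024-05-01T10:00:34+00:00 asset=openssh_9.3@10.0.2.9 bytes=100
2024-05-01T10:00:41+00:00 asset=nginx_1.24.0@10.0.2.7 bytes=12000
2024-05-01T10:00:42+00:00 asset=openssh_9.3@10.0.2.9 bytes=100
2024-05-01T10:00:50+00:00 asset=openssh_9.3@10.0.2.9 bytes=100
"""

STANDARD_FREQUENCY = 5                      # preset standard access frequency per window
STANDARD_TRAFFIC: Dict[str, int] = {        # per-asset standard occupied traffic, bytes per window
    "nginx_1.24.0@10.0.2.7": 50_000,
    "openssh_9.3@10.0.2.9": 4_000,
}

LINE = re.compile(r"^(\S+) asset=(\S+) bytes=(\d+)$")
Record = Tuple[datetime, str, int]


def parse_access_log(text: str) -> List[Record]:
    records = []
    for line in text.strip().splitlines():
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable access line: {line!r}")
        records.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    return records


def evaluate(records: List[Record], window_start: datetime, window: timedelta,
             standard_frequency: int, standard_traffic: Dict[str, int]) -> Dict[str, dict]:
    """Aggregate accesses per asset inside the window and apply the two preset conditions."""
    window_end = window_start + window
    count: Dict[str, int] = defaultdict(int)
    volume: Dict[str, int] = defaultdict(int)
    for ts, asset, nbytes in records:
        if window_start <= ts < window_end:   # accesses outside the preset period are ignored
            count[asset] += 1
            volume[asset] += nbytes
    report = {}
    for asset in count:
        reasons = []
        if count[asset] > standard_frequency:
            reasons.append("frequency")
        baseline = standard_traffic.get(asset)
        if baseline is not None and volume[asset] > baseline:
            reasons.append("traffic")
        report[asset] = {"accesses": count[asset], "bytes": volume[asset],
                         "abnormal": bool(reasons), "reasons": reasons}
    return report


def run_example() -> Dict[str, dict]:
    start = datetime.fromisoformat("2024-05-01T10:00:00+00:00")
    return evaluate(parse_access_log(SAMPLE_LOG), start, timedelta(seconds=60),
                    STANDARD_FREQUENCY, STANDARD_TRAFFIC)


if __name__ == "__main__":
    for asset, verdict in run_example().items():
        print(asset, verdict)
```

The nginx asset is flagged on traffic volume alone (four accesses, but 62 000 bytes against a 50 000-byte standard), the OpenSSH asset on frequency alone (seven small accesses), and the Apache asset, which has no traffic standard, is not flagged; the large access at 09:59:30 falls outside the window and plays no part.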
In a second aspect, the present application provides a passive network asset identification device, which adopts the following technical scheme:
a passive network asset identification device, comprising:
a traffic packet acquisition module, configured to acquire at least one traffic packet to be monitored and write the at least one traffic packet to be monitored into a bypass monitoring space;
a filtering module, configured to filter each traffic packet to be monitored that has been transferred to the bypass monitoring space according to monitoring requirement information input by a user, to obtain a target monitoring traffic packet corresponding to each traffic packet to be monitored;
a traffic packet type identification module, configured to identify the traffic packet type corresponding to each target monitoring traffic packet, wherein the traffic packet type is either an unencrypted type or an encrypted type;
a transfer module, configured to write each target monitoring traffic packet into a corresponding target lock-free buffer according to its traffic packet type;
and an asset feature identification module, configured to perform network asset feature identification on the target monitoring traffic packets in each target lock-free buffer according to the corresponding traffic packet type, to obtain corresponding feature identification information.
By adopting this technical scheme, the device achieves the same effects as the method of the first aspect: the traffic packets to be monitored are processed on a bypass outside the main control path without affecting users' normal access, invalid data is removed by filtering according to the user's monitoring requirements, and the target monitoring traffic packets are divided by type into lock-free buffers so that feature identification can read each buffer in the appropriate mode and identify target monitoring traffic promptly and in real time.
In one possible implementation, when filtering each traffic packet to be monitored stored in the bypass monitoring space according to the monitoring requirement information input by the user, the filtering module is specifically configured to:
parse the monitoring requirement information input by the user to obtain the user's monitoring and filtering requirements, wherein the monitoring requirement information comprises at least one monitoring and filtering requirement;
when there is one monitoring and filtering requirement, filter the traffic packets to be monitored that have been transferred to the bypass monitoring space through the filtering process channel corresponding to that requirement, to obtain the corresponding target monitoring traffic packets;
when there are at least two monitoring and filtering requirements, obtain the filtering work information corresponding to each requirement, determine a filtering order of the at least two requirements from that filtering work information, and filter the traffic packets to be monitored that have been transferred to the bypass monitoring space through the filtering process channels in that order, to obtain the corresponding target monitoring traffic packets, wherein the filtering work information of each requirement comprises its filtering work efficiency and filtering waiting time.
In one possible implementation, the device further comprises:
a first initial lock-free buffer determining module, configured to determine the first initial lock-free buffers of the target monitoring traffic packet according to its traffic packet type, wherein a first initial lock-free buffer is a lock-free buffer corresponding to the traffic packet type of the target monitoring traffic packet;
a second initial lock-free buffer judging module, configured to determine the data volume of the target monitoring traffic packet and judge, based on that data volume, whether a second initial lock-free buffer exists among the first initial lock-free buffers, wherein the cache capacity of a second initial lock-free buffer is not lower than the data volume of the target monitoring traffic packet;
a first target lock-free buffer determining module, configured to, if such a buffer exists, determine the number of second initial lock-free buffers and determine the target lock-free buffer of the target monitoring traffic from the number of second initial lock-free buffers and their corresponding cache capacities;
and a second target lock-free buffer determining module, configured to, if no such buffer exists, create a new lock-free buffer according to the data volume of the target monitoring traffic packet and determine the newly created lock-free buffer as the target lock-free buffer of the target monitoring traffic.
In one possible implementation, the device further comprises:
a data total recording module, configured to record the total amount of data written into each target lock-free buffer;
a data total comparison module, configured to compare the total amount of data written for each target monitoring traffic packet in its target lock-free buffer with the total amount of target monitoring data;
a first identification module, configured to perform network asset feature identification on the target monitoring traffic packet in the target lock-free buffer if the total amount of data written into that buffer equals the total amount of target monitoring data;
and a second identification module, configured to record the transmission waiting time if the total amount of data written into the target lock-free buffer differs from the total amount of target monitoring data, and to empty the data written into the target lock-free buffer when the transmission waiting time exceeds a preset duration.
In one possible implementation, when performing network asset feature identification according to the corresponding traffic packet type to obtain the corresponding feature identification information, the asset feature identification module is specifically configured to:
when the traffic packet type corresponding to the target monitoring traffic packet is the unencrypted type, perform passive fingerprint identification on the target monitoring traffic packet, determine a first identification result according to a preset network asset feature table, and take the first identification result as the feature identification information of the target monitoring traffic packet;
and when the traffic packet type corresponding to the target monitoring traffic packet is the encrypted type, decrypt the target monitoring traffic packet, extract data from the decrypted target monitoring traffic packet, determine a second identification result according to the extracted data and the preset network asset feature table, and take the second identification result as the feature identification information of the target monitoring traffic packet.
In one possible implementation manner, the asset feature identification module is specifically configured to, when performing decryption processing on the target monitoring traffic packet:
identifying a target encryption identification code corresponding to the target monitoring flow packet;
judging whether a target private key corresponding to the target encryption identification code exists in a preset key database according to the target encryption identification code, wherein the preset key database comprises a plurality of private keys corresponding to the encryption identification codes;
if yes, decrypting the target monitoring flow packet according to the target private key;
if not, the target monitoring flow packet is decrypted by extracting preset characteristic information contained in the target monitoring flow packet.
In one possible implementation, the apparatus further includes:
The access flow data comprises access information corresponding to each network asset feature in the feature identification information, wherein the access information comprises access time, access times and access occupation time in a preset time period;
an abnormality judgment module for determining that the network asset characteristics corresponding to the access information are abnormal when the access information meets any one of the following preset conditions,
the preset conditions comprise:
the access frequency corresponding to the network asset characteristics is higher than the preset standard access frequency;
and the access occupied flow corresponding to the network asset characteristics is higher than the standard access occupied flow corresponding to the network asset characteristics.
In a third aspect, the present application provides a server, which adopts the following technical scheme:
a server, the server comprising:
at least one processor;
a memory;
at least one application, wherein the at least one application is stored in the memory and configured to be executed by the at least one processor, the at least one application being configured to execute the passive network asset identification method.
In a fourth aspect, the present application provides a computer readable storage medium, which adopts the following technical scheme:
A computer-readable storage medium, comprising: a computer program is stored that can be loaded by a processor and that performs the passive network asset identification method described above.
In summary, the present application includes at least one of the following beneficial technical effects:
1. At least one flow packet to be monitored is stored into a monitoring space corresponding to a bypass outside the control main line before the data processing operation is performed. Instead of directly intercepting the flow to be monitored on the control main line, the flow packet to be monitored is stored into the bypass and then processed, so that network assets can be detected and analyzed without affecting normal user access, and the flow packets detected as belonging to network assets are divided into lock-free buffer zones by flow packet type, which improves the efficiency of detecting network assets. In addition, the acquired flow packets to be monitored are screened according to the monitoring requirements input by the user and invalid data is removed; reducing the invalid data in the flow packets to be monitored lowers the operating pressure on the computer when network asset feature recognition is performed and therefore helps to improve its working efficiency. Before network asset feature recognition is performed on the plurality of screened target monitoring flows, the target monitoring flows are divided according to their flow packet types and written from the bypass space into the lock-free buffer zones by type, so that network asset feature recognition can be carried out directly on the target monitoring flow packets in each lock-free buffer zone according to the corresponding type, without the packet type having to be judged again, and the network asset features are recognized in time.
2. Because the network asset characteristic identification modes corresponding to different traffic packet types are different, target monitoring traffic packets of different types are written into different lock-free buffer areas, so that network asset characteristic identification can be carried out directly on the target monitoring traffic in each lock-free buffer area without spending time judging the traffic packet type or switching the characteristic identification mode. When a suitable lock-free buffer area already exists, the target monitoring traffic packet is written into it directly instead of creating a new lock-free buffer area for each target traffic packet, which reduces the waiting time for creating lock-free buffer areas and increases the speed at which target monitoring traffic packets are written. The target lock-free buffer area is selected according to the data volume of the target monitoring traffic packet, which improves the fit between the lock-free buffer area and the packet, reduces the probability that a target monitoring traffic packet cannot be stored completely because the lock-free buffer area has to be replaced halfway through, and increases the speed at which target monitoring traffic packets are transferred out of the bypass monitoring space.
Drawings
FIG. 1 is a flow chart of a passive network asset identification method according to an embodiment of the present application;
FIG. 2 is a flow chart of determining a target monitoring traffic packet according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a passive network asset identification device according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
The application is described in further detail below with reference to fig. 1-4.
Modifications of the embodiments which do not creatively contribute to the application may be made by those skilled in the art after reading the present specification, but are protected by patent laws within the scope of the claims of the present application.
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Specifically, the embodiment of the application provides a passive network asset identification method, which is executed by a server, wherein the server can be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server for providing cloud computing service.
An enterprise has many terminal devices internally, and each terminal device stores a number of network assets. Because the number of network assets is large, if dedicated management is lacking for a long time or no network asset investigation is carried out for a long time, the enterprise intranet may become accessible from outside, reducing its security. Because some enterprises have network isolation, and scanning key business systems carries potential safety hazards, the risk is high when the network assets in the enterprise are identified by active scanning; when terminal-side identification technology is used to identify the network assets in the enterprise, an Agent (an autonomously active software or hardware entity) must be installed on each personal terminal device, but many enterprises may have a large number of networked devices on which an Agent cannot be installed. The present application therefore provides a passive network asset identification method, which identifies and detects the network assets in the enterprise by feature matching. Referring to fig. 1, which is a flow diagram of a passive network asset identification method in an embodiment of the application, the method comprises steps S110, S120, S130, S140 and S150, wherein:
Step S110: and acquiring at least one flow packet to be monitored, and writing the at least one flow packet to be monitored into the bypass monitoring space.
Specifically, the flow packet to be monitored may be obtained by scanning a port of a terminal device in the local area network, or may be obtained from the access communication data after a terminal device in the local area network is observed accessing the server, so long as the flow packet to be monitored corresponding to the terminal device in the local area network can be obtained. Since several terminal devices in the LAN may access the server at the same time, the number of flow packets to be monitored may be one or more. Because the terminal devices in the local area network can communicate with the server only through the access control bus, in order for the process of identifying network assets and the process of devices in the local area network accessing the server to proceed simultaneously, the two processes are separated by writing the traffic packet to be monitored into a bypass monitoring space, wherein the bypass monitoring space can be a bypass kernel module dedicated to capturing and processing traffic packets, and the kernel module can be accessed in bypass mode.
Step S120: and screening each flow packet to be monitored which is transferred to the bypass monitoring space according to the monitoring demand information input by the user, and obtaining a target monitoring flow packet corresponding to each flow packet to be monitored.
Specifically, the flow packets to be monitored may be transferred to the bypass monitoring space by copying the acquired flow packets through the port mirroring function, but because of the large data volume of the flow packets, the capturing and copying process may affect network performance, so the acquired flow packets to be monitored need to be screened according to the user's requirements. The filtering method may be customized by the user and is not specifically limited in the embodiment of the present application, so long as the data that does not need to be identified can be filtered out of the acquired flow packets to be monitored to obtain the target monitoring flow packets.
The filtering conditions may be protocol filtering, address filtering, port filtering, packet size filtering and keyword filtering, where the protocol filtering is to filter the acquired traffic packet to be monitored according to the protocol type, for example, if the monitoring requirement information input by the user is to identify network assets contained in the traffic packets corresponding to the TCP protocol and the UDP protocol, data not belonging to the TCP protocol and the UDP protocol is removed from the traffic packet to be monitored; if the monitoring requirement input by the user is to identify the network asset contained in the flow packet corresponding to the source address or the target address, only reserving the flow packet corresponding to the designated address; if the monitoring requirement input by the user is to identify the network asset contained in the flow packet corresponding to the designated port, only reserving the flow packet corresponding to the designated port; if the monitoring requirement input by the user is a data packet with a specified size, only reserving a flow packet consistent with the data packet with the specified size; if the monitoring requirement input by the user is a specified keyword, only the flow packet containing the specified keyword is reserved.
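The screening step described above, written out as an added example for this page (it is not the patent's implementation): each of the five filtering conditions becomes a predicate, and a packet in the bypass space becomes a target monitoring packet only if it satisfies every requirement the user entered. The `Packet` record, the requirement dictionary format and the sample capture are constructed assumptions.

```python
"""Added example: screening captured traffic packets against user monitoring
requirements (protocol, address, port, packet size, keyword), as in step S120.
Illustrative code for this page, not the patent's implementation; the packet
record and requirement format are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Packet:
    """A traffic packet copied from the port mirror into the bypass space."""
    proto: str          # transport protocol name, e.g. "TCP" or "UDP"
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

    @property
    def size(self) -> int:
        return len(self.payload)


# A screening requirement is a predicate; a packet must satisfy every
# requirement the user entered to become a target monitoring packet.
Requirement = Callable[[Packet], bool]


def protocol_filter(allowed: List[str]) -> Requirement:
    """Protocol filtering: keep only packets of the listed protocol types."""
    allowed_set = {p.upper() for p in allowed}
    return lambda pkt: pkt.proto.upper() in allowed_set


def address_filter(addresses: List[str]) -> Requirement:
    """Address filtering: keep packets whose source or target is a designated address."""
    addr_set = set(addresses)
    return lambda pkt: pkt.src in addr_set or pkt.dst in addr_set


def port_filter(ports: List[int]) -> Requirement:
    """Port filtering: keep packets that use one of the designated ports."""
    port_set = set(ports)
    return lambda pkt: pkt.sport in port_set or pkt.dport in port_set


def size_filter(min_size: int, max_size: int) -> Requirement:
    """Packet size filtering: keep packets whose payload size lies in the range."""
    return lambda pkt: min_size <= pkt.size <= max_size


def keyword_filter(keywords: List[bytes]) -> Requirement:
    """Keyword filtering: keep packets whose payload contains any keyword."""
    return lambda pkt: any(k in pkt.payload for k in keywords)


def build_requirements(spec: Dict[str, object]) -> List[Requirement]:
    """Translate a user-entered requirement dict (constructed format) into predicates."""
    builders = {
        "protocols": lambda v: protocol_filter(v),
        "addresses": lambda v: address_filter(v),
        "ports": lambda v: port_filter(v),
        "size": lambda v: size_filter(*v),
        "keywords": lambda v: keyword_filter(v),
    }
    unknown = set(spec) - set(builders)
    if unknown:
        raise ValueError(f"unsupported screening requirement(s): {sorted(unknown)}")
    return [builders[name](value) for name, value in spec.items()]


def screen_packets(packets: List[Packet], spec: Dict[str, object]) -> List[Packet]:
    """Return the target monitoring packets: those satisfying all requirements."""
    reqs = build_requirements(spec)
    return [pkt for pkt in packets if all(r(pkt) for r in reqs)]


# Constructed sample capture (not real traffic).
SAMPLE_PACKETS = [
    Packet("TCP", "10.0.0.5", "10.0.0.80", 51000, 80, b"GET / HTTP/1.1\r\nHost: intra\r\n\r\n"),
    Packet("UDP", "10.0.0.5", "10.0.0.53", 51001, 53, b"\x12\x34\x01\x00"),
    Packet("TCP", "10.0.0.9", "10.0.0.80", 51002, 443, b"\x16\x03\x01\x00\x5a"),
    Packet("ICMP", "10.0.0.9", "10.0.0.1", 0, 0, b"\x08\x00"),
    Packet("TCP", "10.0.0.7", "10.0.0.80", 51003, 80, b"POST /login HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    spec = {"protocols": ["TCP"], "ports": [80], "keywords": [b"HTTP"]}
    for p in screen_packets(SAMPLE_PACKETS, spec):
        print(p.proto, p.src, "->", p.dst, p.dport)
```

Requirements combine by conjunction, so adding a second condition can only narrow the set of target monitoring packets; an unknown requirement name is rejected rather than silently ignored, which keeps an operator from believing that traffic was filtered when it was not.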
Step S130: and identifying the type of the traffic packet corresponding to each target monitoring traffic packet.
Wherein the traffic packet type is an unencrypted type or an encrypted type.
Specifically, the encrypted traffic packet refers to data or information protected by an encryption algorithm to prevent unauthorized access, and the corresponding traffic packet type is an encryption type; the traffic packets that are not encrypted refer to data or information that is not protected, the corresponding traffic packet type is of the non-encrypted type, the encrypted traffic packets are commonly referred to as ciphertext, and the non-encrypted traffic packets are referred to as plaintext.
When the flow packet type of the target monitoring flow packet is identified, the judgment can be performed by judging whether the target monitoring flow packet is a plaintext or not, and also by identifying whether the target monitoring flow packet carries an encryption identifier or not, and the specific judgment mode is not particularly limited in the embodiment of the application, so long as the flow packet type of the target monitoring flow packet can be identified.
Step S140: and writing each target monitoring flow packet into a corresponding target lock-free buffer area according to the flow packet type corresponding to each target monitoring flow packet.
Specifically, the types of the lock-free buffer areas corresponding to different traffic packet types are different, when the target monitoring traffic packet is transferred from the bypass monitoring space, a DPDK data packet buffer processing technology can be adopted to directly transfer the different types of the target monitoring traffic packet into different lock-free buffer areas, so that the different types of the target monitoring traffic packet can be conveniently and separately processed, no lock and waiting operation are adopted in the lock-free buffer areas, and the transfer rate of the target monitoring traffic packet can be conveniently improved, wherein the lock-free buffer areas can be annular lock-free buffer areas or lock-free queues, and the embodiment of the application is not particularly limited.
Step S150: and carrying out network asset characteristic identification on the target monitoring flow packets in each target lock-free buffer zone according to the corresponding flow packet types to obtain corresponding characteristic identification information.
Specifically, the types of the traffic packets corresponding to different target monitoring traffic packets may be different, and the network asset feature recognition modes corresponding to different traffic packet types are also different, so that when the network asset features in the target monitoring traffic packets are recognized, the recognition needs to be performed according to the respective corresponding feature recognition modes, and each target monitoring traffic packet corresponds to one piece of feature recognition information, wherein the feature recognition information may include one network asset recognition feature or a plurality of network asset recognition features, and the generated feature recognition information may be fed back to the terminal equipment of the user when the user needs to view.
According to the embodiment of the application, at least one flow packet to be monitored is transferred to the monitoring space corresponding to the bypass outside the control main line before the data processing operation is carried out. Instead of directly intercepting the flow to be monitored on the control main line, the flow packet to be monitored is transferred to the bypass and then processed, so the network assets can be detected and analyzed without affecting normal user access; the detection and sharing of network assets and the user's normal access function are processed separately, which improves the efficiency of detecting network assets. In addition, the acquired flow packets to be monitored are filtered according to the monitoring requirements input by the user and invalid data is removed, which reduces the computing pressure on the computer when network asset feature recognition is carried out and therefore improves working efficiency. Before network asset feature recognition is carried out on the plurality of screened target monitoring flows, they are divided according to flow packet type and transferred from the bypass space into the lock-free buffer areas by type, so that network asset feature recognition can be carried out directly on the target monitoring flow packets in each lock-free buffer area according to the corresponding type, without the type having to be judged again, which improves working efficiency.
Further, after the flow packets to be monitored are obtained, each flow packet to be monitored which is transferred to the bypass monitoring space is screened according to the monitoring demand information input by the user, so as to obtain a target monitoring flow packet corresponding to each flow packet to be monitored, which specifically may include step S1201, step S1202 and step S1203, as shown in fig. 2, wherein:
step S1201: analyzing monitoring demand information input by a user to obtain monitoring screening demands of the user, wherein the monitoring demand information comprises at least one monitoring screening demand.
Specifically, the monitoring requirement information input by the user includes the monitoring requirements input by the user and the input time; the user can input one monitoring requirement at a time or several monitoring requirements at once. When the monitoring requirements input by the user are consolidated, timing can start when monitoring requirement information input by the user is first received, so as to collect the monitoring requirement information input by the user within a preset time period, where the preset time period can be 5 seconds or 6 seconds and is not specifically limited in the embodiment of the application.
Step S1202: when the number of the monitoring and screening requirements is one, screening the monitored flow packets which are transferred to the bypass monitoring space according to the screening process channels corresponding to the monitoring and screening requirements, and obtaining corresponding target monitoring flow packets.
Specifically, when the number of monitoring and screening requirements is one, the monitoring requirement information input by the user in the preset time period contains only one monitoring and screening requirement; for example, if the monitoring requirement information is to identify the network assets contained in the flow packets corresponding to the TCP protocol, the obtained target monitoring flow packets are the data belonging to the TCP protocol.
Step S1203: when the number of the monitoring and screening requirements is at least two, screening work information corresponding to each monitoring and screening requirement is obtained, the screening sequence of the at least two monitoring and screening requirements is determined according to the screening work information of each monitoring and screening requirement, and the flow packet to be monitored, which is transferred to the bypass monitoring space, is screened according to the screening process channels corresponding to the screening sequence of the at least two monitoring and screening requirements, so that a corresponding target monitoring flow packet is obtained.
Each piece of monitoring and screening work information comprises screening work efficiency and screening waiting time corresponding to each piece of monitoring and screening requirement.
Specifically, when the number of monitoring and screening requirements is at least two, the monitoring requirement information input by the user in the preset time period includes at least two monitoring and screening requirements, and the screening sequence of those requirements can then be determined. For example, if the two monitoring and screening requirements are port filtering and keyword filtering, then when the flow packets to be monitored are screened, the data containing the designated port can be screened out first and then the data containing the designated keyword screened out from it; alternatively, the data containing the specified keyword can be screened out first and then the data containing the specified port screened out from that.
Because the screening rules corresponding to different monitoring screening requirements are different, the corresponding screening processes are also different, so when at least two monitoring screening requirements are determined, the screening work efficiency and screening waiting time corresponding to each can be determined. For example, the size of the flow packet to be monitored is 2500MB and there are three screening requirements, A, B and C: the waiting time corresponding to requirement A is 15 seconds and its working efficiency is 290MB/s; the waiting time corresponding to requirement B is 0 seconds and its working efficiency is 250MB/s; the waiting time corresponding to requirement C is 5 seconds and its working efficiency is 390MB/s. According to the waiting time corresponding to each monitoring screening requirement, requirement B is determined to screen the flow packet to be monitored first; screening for requirement B takes 10 seconds, by which time the screening process corresponding to requirement C is idle while the screening process corresponding to requirement A has not yet finished, so requirement C is screened after requirement B, and requirement A is screened last.
For the embodiment of the application, the screening sequence is reasonably planned through the screening work efficiency and the waiting time, and the screening is carried out according to the screening sequence, so that unnecessary waiting in the screening process can be avoided, and the work efficiency of screening the flow packets to be monitored can be improved.
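The ordering decision above, as an added example for this page rather than the patent's own code: each requirement carries its screening waiting time and work efficiency, and the planner repeatedly starts whichever pending requirement's screening process becomes idle soonest, breaking ties toward the higher throughput. That greedy rule is an assumption chosen to reproduce the A/B/C figures in the text; the text does not state the rule itself.

```python
"""Added example: choosing the screening order for several monitoring
requirements from each requirement's screening waiting time and screening
work efficiency (step S1203).  Written for this page; it is not the patent's
own code.  The greedy rule (always start the requirement whose screening
process becomes idle soonest) is an assumption consistent with the text's
worked A/B/C figures."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ScreeningRequirement:
    name: str
    wait_seconds: float        # time until this requirement's screening process is idle
    throughput_mb_s: float     # screening work efficiency in MB per second


def plan_screening_order(reqs: List[ScreeningRequirement], packet_mb: float) -> Tuple[List[str], float]:
    """Return (ordered requirement names, total elapsed seconds).

    At each step pick the pending requirement that can start earliest given the
    current clock, i.e. min(max(now, wait)); ties go to the higher throughput.
    The whole traffic volume is passed through each stage, as in the text.
    """
    if packet_mb <= 0:
        raise ValueError("packet_mb must be positive")
    for r in reqs:
        if r.throughput_mb_s <= 0 or r.wait_seconds < 0:
            raise ValueError(f"invalid screening work information for {r.name}")
    pending = list(reqs)
    order: List[str] = []
    now = 0.0
    while pending:
        nxt = min(pending, key=lambda r: (max(now, r.wait_seconds), -r.throughput_mb_s))
        pending.remove(nxt)
        start = max(now, nxt.wait_seconds)      # wait for the process to become idle
        now = start + packet_mb / nxt.throughput_mb_s
        order.append(nxt.name)
    return order, now


# Figures from the text's worked example (2500 MB; requirements A, B and C).
EXAMPLE_REQUIREMENTS = [
    ScreeningRequirement("A", 15, 290),
    ScreeningRequirement("B", 0, 250),
    ScreeningRequirement("C", 5, 390),
]

if __name__ == "__main__":
    order, total = plan_screening_order(EXAMPLE_REQUIREMENTS, 2500)
    print(order, round(total, 2))
```

With the text's figures the plan is B, then C, then A: B runs from 0 s to 10 s, C's process is already idle at that point, and A's 15-second wait has elapsed by the time C finishes.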
Further, screening the to-be-monitored flow packet according to the monitoring demand information input by the user to obtain a target monitoring flow packet, determining the target lock-free buffer area corresponding to the target monitoring flow packet before writing the target monitoring flow packet into the corresponding target lock-free buffer area, where determining the target lock-free buffer area includes:
determining a first initial lock-free buffer zone for the target monitoring flow packet according to its flow packet type, wherein the first initial lock-free buffer zone is the lock-free buffer zone corresponding to the flow packet type of the target monitoring flow packet; determining the data volume of the target monitoring flow packet, and judging, based on that data volume, whether a second initial lock-free buffer area exists within the first initial lock-free buffer area, wherein the cache data volume of the second initial lock-free buffer area is not lower than the data volume of the target monitoring flow packet; if so, determining the number of second initial lock-free buffer areas, and determining the target lock-free buffer area of the target monitoring flow based on that number and the corresponding cache data amounts; if not, creating a new lock-free buffer area according to the data volume of the target monitoring flow packet, and determining the newly created lock-free buffer area to be the target lock-free buffer area of the target monitoring flow.
Specifically, the first initial lock-free buffer may include a plurality of lock-free buffers, where the first initial lock-free buffers corresponding to different traffic packet types are different, for example, there are 5 existing lock-free buffers, where buffer 1, buffer 2, and buffer 3 are first initial lock-free buffers corresponding to the target monitoring traffic packet of the unencrypted type, and buffer 4 and buffer 5 are first initial lock-free buffers corresponding to the target monitoring traffic packet of the encrypted type.
The second initial lock-free buffer zone is a buffer zone within the first initial lock-free buffer zone whose buffer data volume is not lower than the data volume of the target monitoring flow packet. For example, if the data volume corresponding to a target monitoring flow packet of the non-encryption type is 580MB, the buffer data volume of buffer zone 1 is 600MB, that of buffer zone 2 is 1022MB and that of buffer zone 3 is 360MB, then because the buffer data volumes of buffer zone 1 and buffer zone 2 are both higher than the data volume of the target monitoring flow packet, it is determined that a second initial lock-free buffer zone exists within the first initial lock-free buffer zone; when the second initial lock-free buffer zone comprises at least two buffer zones, the one whose buffer data volume differs least from the data volume of the target monitoring flow packet is selected as the target buffer zone.
For example, if the data amount corresponding to the target monitoring traffic packet of the non-encryption type is 580MB and the buffer data amount of buffer 1 is 500MB, that of buffer 2 is 522MB and that of buffer 3 is 360MB, then because the buffer data amounts corresponding to buffers 1, 2 and 3 are all lower than the data amount of the target monitoring traffic packet, it is determined that no second initial lock-free buffer exists in the first initial lock-free buffer, and a lock-free buffer needs to be newly created for the target monitoring traffic packet in order to store it.
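The buffer selection just described, as an added example for this page (not the patent's implementation): candidates are narrowed first by traffic packet type, then by capacity, and the best-fitting one is taken; if nothing fits, a new buffer sized to the packet is created. Buffer numbers and the capacities for buffers 1 to 3 are the figures from the text; the capacities given to the encrypted-type buffers 4 and 5 are assumed.

```python
"""Added example: selecting the target lock-free buffer area for a target
monitoring traffic packet by traffic packet type and data volume (best fit).
Illustrative code for this page, not the patent's implementation.  Capacities
for buffers 1-3 follow the text's examples; those for 4 and 5 are assumed."""
from dataclasses import dataclass
from typing import List


@dataclass
class LockFreeBuffer:
    buffer_id: int
    packet_type: str        # "plain" (unencrypted) or "encrypted"
    capacity_mb: int        # cache data volume the buffer can hold


class BufferPool:
    def __init__(self, buffers: List[LockFreeBuffer]):
        self.buffers = list(buffers)

    def first_initial(self, packet_type: str) -> List[LockFreeBuffer]:
        """First initial lock-free buffers: those matching the packet type."""
        return [b for b in self.buffers if b.packet_type == packet_type]

    def second_initial(self, packet_type: str, size_mb: int) -> List[LockFreeBuffer]:
        """Second initial buffers: capacity not lower than the packet's data volume."""
        return [b for b in self.first_initial(packet_type) if b.capacity_mb >= size_mb]

    def select_target(self, packet_type: str, size_mb: int) -> LockFreeBuffer:
        """Pick the candidate with the smallest capacity surplus; create one if none fits."""
        if size_mb <= 0:
            raise ValueError("packet size must be positive")
        candidates = self.second_initial(packet_type, size_mb)
        if candidates:
            # Smallest surplus wins; the lower buffer id breaks ties deterministically.
            return min(candidates, key=lambda b: (b.capacity_mb - size_mb, b.buffer_id))
        new_id = max((b.buffer_id for b in self.buffers), default=0) + 1
        created = LockFreeBuffer(new_id, packet_type, size_mb)
        self.buffers.append(created)
        return created


def pool_from_text_example() -> BufferPool:
    """Buffers 1-3 hold unencrypted packets, 4-5 encrypted, as in the text."""
    return BufferPool([
        LockFreeBuffer(1, "plain", 600),
        LockFreeBuffer(2, "plain", 1022),
        LockFreeBuffer(3, "plain", 360),
        LockFreeBuffer(4, "encrypted", 800),   # capacity assumed
        LockFreeBuffer(5, "encrypted", 400),   # capacity assumed
    ])


def pool_no_fit_example() -> BufferPool:
    """Second scenario from the text: no unencrypted buffer can hold 580 MB."""
    return BufferPool([
        LockFreeBuffer(1, "plain", 500),
        LockFreeBuffer(2, "plain", 522),
        LockFreeBuffer(3, "plain", 360),
    ])


if __name__ == "__main__":
    print(pool_from_text_example().select_target("plain", 580))
    print(pool_no_fit_example().select_target("plain", 580))
```

For the 580MB unencrypted packet the first pool yields buffer 1 (surplus 20MB beats buffer 2's 442MB), while the second pool creates buffer 4 with exactly 580MB of capacity.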
Storing the target monitoring traffic packet may take a relatively long time because of its large data volume, so before network asset identification is performed on the target monitoring traffic packet stored in the target lock-free buffer zone, the method further comprises:
recording the total written data in each target lock-free buffer area; comparing the total written data of each target monitoring flow packet in the corresponding target lock-free buffer area with the total target monitoring data; if the total written data amount in the target lock-free buffer area is the same as the total target monitoring data amount, carrying out network asset characteristic identification on the target monitoring flow packet in the target lock-free buffer area; and if the total written data in the target lock-free buffer area is different from the total target monitoring data, recording the waiting transmission time, and when the waiting transmission time exceeds the preset time, emptying the total written data in the target lock-free buffer area.
Specifically, if it is detected that a written traffic packet exists in the target lock-free buffer, a complete target monitoring traffic packet may be written at this time, or may be being written, so that the total amount of written data in the target lock-free buffer needs to be compared with the data amount of the target monitoring traffic packet to determine whether the target monitoring traffic packet has been completely written in the target lock-free buffer.
If the target monitoring flow packet is not completely written into the target lock-free buffer zone, starting timing to generate waiting transfer time, and when the transfer time exceeds a preset time, clearing partial flow packets written into the target lock-free buffer zone, wherein the preset time is determined according to the data quantity of the target monitoring flow packet, if the total written data quantity in the target lock-free buffer zone is still smaller than the data quantity of the target monitoring flow packet in the preset time, determining that the target monitoring flow packet is lost in the transfer process, and if the network asset feature identification is carried out on the flow packet with the data loss, larger errors can occur, so that the lost flow packet is selected to be cleared.
After the lost flow packet is cleared, prompt information can be generated according to the flow packet identifier corresponding to the flow packet, and the prompt information is fed back to related technicians, so that the related technicians can acquire the flow packet to be monitored containing the flow packet identifier again, and re-identify the flow packet.
Furthermore, after network asset feature identification is performed on the target monitoring traffic packet in the target lock-free buffer zone, the buffer space of the idle lock-free buffer zone is timely released by setting a release duration, wherein the release duration can be set by a related technician, the release duration can be 30 seconds or 1 minute, and when the idle duration of a certain lock-free buffer zone is higher than the release duration, the buffer space of the lock-free buffer zone is released.
For the embodiment of the application, an integrity judgment is carried out before network asset characteristic identification is performed on the target monitoring flow packet, which improves the comprehensiveness and accuracy of determining the network assets. If the target monitoring flow packet written into the target lock-free buffer area is detected to be incomplete, a waiting duration is set so that the complete target flow packet can be written; at the same time, a limit value is set for the waiting duration, and the written data in the target lock-free buffer area is emptied when the waiting duration reaches that limit, so the buffer space is released in time and the data circulation rate is improved.
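The integrity check, waiting timeout and idle release described above, as an added example for this page (not the patent's code): a checker records the written amount per target lock-free buffer, hands a complete packet on to feature identification, clears a packet that is still incomplete after the preset duration and emits a prompt carrying the flow packet identifier, and releases a buffer that has been idle longer than the release duration. The rule deriving the preset duration from the packet's data volume (an assumed minimum transfer rate) and the prompt text are assumptions; the 30-second release duration is one of the values the text gives.

```python
"""Added example: integrity check of a target monitoring traffic packet in its
target lock-free buffer before feature identification, with the waiting
transfer timeout and idle release duration described in the text.
Illustrative code for this page, not the patent's implementation.  The
timeout rule (packet size divided by an assumed minimum transfer rate) and the
prompt message format are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ASSUMED_MIN_RATE_MB_S = 100.0   # assumption used to derive the preset waiting duration
RELEASE_SECONDS = 30.0          # release duration from the text (30 s or 1 min)


@dataclass
class BufferState:
    """What is known about one target lock-free buffer area."""
    packet_id: str                          # flow packet identifier used in the prompt
    expected_mb: float                      # total target monitoring data amount
    written_mb: float = 0.0                 # total written data amount recorded so far
    wait_started: Optional[float] = None    # clock when an incomplete write was first seen
    idle_since: Optional[float] = None      # clock when the buffer last became idle
    released: bool = False

    @property
    def preset_wait(self) -> float:
        # Preset duration is determined by the packet's data volume (assumed rule).
        return self.expected_mb / ASSUMED_MIN_RATE_MB_S


class IntegrityChecker:
    def __init__(self) -> None:
        self.buffers: Dict[int, BufferState] = {}
        self.prompts: List[str] = []   # prompts fed back to the technician

    def begin(self, buffer_id: int, packet_id: str, expected_mb: float) -> None:
        """A packet of expected_mb starts being written into buffer_id."""
        if expected_mb <= 0:
            raise ValueError("expected size must be positive")
        self.buffers[buffer_id] = BufferState(packet_id, expected_mb)

    def write(self, buffer_id: int, chunk_mb: float) -> None:
        st = self.buffers[buffer_id]
        if st.written_mb + chunk_mb > st.expected_mb:
            raise ValueError("write exceeds the target monitoring data amount")
        st.written_mb += chunk_mb

    def _reset(self, st: BufferState, now: float) -> None:
        st.expected_mb = st.written_mb = 0.0
        st.wait_started = None
        st.idle_since = now

    def check(self, buffer_id: int, now: float) -> str:
        """Return 'identify', 'waiting', 'cleared', 'idle' or 'released'."""
        st = self.buffers[buffer_id]
        if st.released:
            return "released"
        if st.expected_mb == 0:
            # Buffer consumed earlier: release its cache space once idle long enough.
            if st.idle_since is not None and now - st.idle_since >= RELEASE_SECONDS:
                st.released = True
                return "released"
            return "idle"
        if st.written_mb == st.expected_mb:
            # Complete: pass to network asset feature identification, buffer goes idle.
            self._reset(st, now)
            return "identify"
        if st.wait_started is None:
            st.wait_started = now
        if now - st.wait_started > st.preset_wait:
            # Treated as lost in transfer: clear partial data and prompt re-acquisition.
            self.prompts.append(f"packet {st.packet_id}: incomplete after {st.preset_wait:g}s, re-acquire")
            self._reset(st, now)
            return "cleared"
        return "waiting"


if __name__ == "__main__":
    c = IntegrityChecker()
    c.begin(1, "pkt-A", 500)
    c.write(1, 200)
    print(c.check(1, now=0.0))   # waiting
    c.write(1, 300)
    print(c.check(1, now=2.0))   # identify
```

Comparing the written total with the expected total, rather than merely checking that the buffer is non-empty, is what keeps a packet that is still mid-transfer from being fingerprinted early; the timeout keeps a packet lost mid-transfer from occupying the buffer indefinitely.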
When the target monitoring traffic packet written into the target lock-free buffer area needs to undergo feature identification, because the network asset feature identification modes corresponding to different traffic packet types are different, performing network asset feature identification according to the corresponding traffic packet type to obtain the corresponding feature identification information specifically comprises steps S1501 and S1502, wherein:
Step S1501: and when the flow packet type corresponding to the target monitoring flow packet is the non-encryption flow packet type, carrying out passive fingerprint identification on the target monitoring flow packet, determining a first identification result according to a preset network asset characteristic table, and determining the first identification result as characteristic identification information of the target monitoring flow packet.
Specifically, when the traffic packet type of the target monitoring traffic packet is the non-encrypted type, the packet is plaintext, so the network asset characteristics it contains can be identified directly with a passive fingerprinting algorithm. Passive fingerprinting can identify and classify the terminal devices in the local area network and the applications running on them: device types such as routers and switches, and application types such as Web applications and databases. For example, the payload of traffic generated by a Windows system may contain specific Windows registry key information, so a Windows system can be identified by analysing registry key information in the payload of the target monitoring traffic packet; likewise, the User-Agent header of the HTTP protocol carries detailed information about the browser and operating system, so the application and operating system types behind the target monitoring traffic packet can be identified by analysing its User-Agent header. The network asset characteristics extracted in this way are then matched against the preset network asset feature table, which records the network asset corresponding to each characteristic, to obtain the first identification result, and the first identification result is determined as the feature identification information of the target monitoring traffic packet.
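Passive fingerprinting of a plaintext packet against a preset network asset feature table, as an added Python example; it is not the patent's code and the table it uses is not the patent's table. The feature table is assumed to be a list of regular-expression rules over the payload, each mapping to an asset attribute (operating system, browser, application); the rules cover the two cases named above (a Windows registry path in a payload and the HTTP User-Agent header) plus an HTTP Server header and a MySQL greeting banner. All sample payloads are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Constructed "preset network asset feature table" (assumption): each rule is a regex over
# the plaintext payload; a capture group, if any, fills "{1}" in the reported value.
ASSET_FEATURE_TABLE: List[Dict] = [
    # HTTP User-Agent header: operating system and browser family
    {"name": "os:windows",   "attr": "os",      "value": "Windows NT {1}",
     "pattern": rb"User-Agent:[^\r\n]*Windows NT (\d+\.\d+)"},
    {"name": "os:linux",     "attr": "os",      "value": "Linux",
     "pattern": rb"User-Agent:[^\r\n]*Linux"},
    {"name": "browser:chrome", "attr": "browser", "value": "Chrome {1}",   # Edge also carries Chrome/
     "pattern": rb"User-Agent:[^\r\n]*Chrome/(\d+)"},
    {"name": "browser:firefox", "attr": "browser", "value": "Firefox {1}",
     "pattern": rb"User-Agent:[^\r\n]*Firefox/(\d+)"},
    # HTTP Server header: web server / application software
    {"name": "app:nginx",    "attr": "app",     "value": "nginx {1}",
     "pattern": rb"Server: nginx/?([\d.]*)"},
    {"name": "app:iis",      "attr": "app",     "value": "IIS {1}",
     "pattern": rb"Server: Microsoft-IIS/([\d.]+)"},
    # Windows registry path carried in a payload (e.g. remote registry traffic)
    {"name": "os:windows-registry", "attr": "os", "value": "Windows",
     "pattern": rb"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows"},
    # MySQL server greeting: 3-byte length, sequence 0x00, protocol 0x0a, version string
    {"name": "app:mysql",    "attr": "app",     "value": "MySQL {1}",
     "pattern": rb"^.{3}\x00\x0a(\d+\.\d+\.\d+)"},
]


def passive_fingerprint(payload: bytes, table: List[Dict] = ASSET_FEATURE_TABLE) -> Dict[str, object]:
    """Match every rule of the feature table against one plaintext payload.
    Returns the identification result, e.g. {"os": "...", "browser": "...", "matched": [rule names]};
    the first rule that fills an attribute wins, later matches are only recorded in "matched"."""
    result: Dict[str, object] = {"matched": []}
    for rule in table:
        m = re.search(rule["pattern"], payload, re.DOTALL)
        if not m:
            continue
        value = rule["value"]
        for i, g in enumerate(m.groups(), start=1):
            value = value.replace("{%d}" % i, (g or b"").decode("ascii", "replace"))
        result.setdefault(rule["attr"], value.strip())
        result["matched"].append(rule["name"])
    return result


def fingerprint_flow(payloads: Iterable[bytes]) -> Dict[str, object]:
    """Merge per-packet results over a flow (e.g. request and response); first value per attribute wins."""
    merged: Dict[str, object] = {"matched": []}
    for payload in payloads:
        r = passive_fingerprint(payload)
        merged["matched"] += r.pop("matched")
        for attr, value in r.items():
            merged.setdefault(attr, value)
    return merged


# Constructed sample payloads (not captures).
SAMPLE_HTTP_REQUEST = (
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36\r\n\r\n"
)
SAMPLE_HTTP_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nContent-Length: 0\r\n\r\n"
SAMPLE_MYSQL_GREETING = b"\x4a\x00\x00\x00\x0a8.0.33\x00\x01\x00\x00\x00"
SAMPLE_REGISTRY_PAYLOAD = b"\x00\x10\x00\x00HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

if __name__ == "__main__":
    print(fingerprint_flow([SAMPLE_HTTP_REQUEST, SAMPLE_HTTP_RESPONSE]))
    print(passive_fingerprint(SAMPLE_MYSQL_GREETING))
    print(passive_fingerprint(SAMPLE_REGISTRY_PAYLOAD))
```

Matching is deliberately anchored on header names and protocol framing rather than on bare substrings, so that the word "Windows" inside an unrelated payload does not by itself produce an asset record; the rules are the part an analyst would maintain in the feature table.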
Step S1502: when the traffic packet type corresponding to the target monitoring traffic packet is the encrypted traffic packet type, decryption processing is performed on the target monitoring traffic packet, data are extracted from the decrypted target monitoring traffic packet, a second identification result is determined according to the extracted data and the preset network asset feature table, and the second identification result is determined as the feature identification information of the target monitoring traffic packet.
The difference between network asset feature identification for an encrypted target monitoring traffic packet and for a non-encrypted one is that, when the traffic packet type is the encrypted type, decryption processing must first be performed on the target monitoring traffic packet, and the feature identification information is then determined from the decryption result. Determining the feature identification information from the decryption result follows the same procedure, using the preset network asset feature table, as described for step S1501, and is not repeated here.
The process of decrypting the target monitoring flow packet comprises the following steps:
identifying a target encryption identification code corresponding to the target monitoring flow packet; judging whether a target private key corresponding to the target encryption identification code exists in a preset key database according to the target encryption identification code, wherein the preset key database comprises a plurality of private keys corresponding to the encryption identification codes; if yes, decrypting the target monitoring flow packet according to the target private key; if not, the target monitoring flow packet is decrypted by extracting preset characteristic information contained in the target monitoring flow packet.
Specifically, by identifying the target encryption identification code in the target monitoring traffic packet it can be judged whether a private key is available for that packet, i.e. whether its encryption type is "private key available" or "no private key". When a private key is available, the encrypted traffic is decrypted using SSL/TLS decryption so that the decrypted plaintext traffic can be analysed and its characteristics extracted. In SSL/TLS, the terminal device and the server negotiate session parameters through the handshake and establish a session; the main parameters of a session are the session ID, the certificates of both parties, the cipher suite (key exchange algorithm, symmetric encryption algorithm, digest algorithm, etc.) and the master secret. In this method the system identifies and intercepts the SSL/TLS traffic packet and then decrypts the encrypted target monitoring traffic packet with the private key in order to extract network asset characteristics from the decrypted plaintext. After the session parameters have been extracted, the preset key database is traversed according to them to determine the target private key, and decryption is performed with that key; the contents of the preset key database can be added, deleted or modified by the responsible engineers as required. Note that decrypting a captured session with the server's private key only recovers the master secret when the negotiated cipher suite uses static RSA key exchange; with (EC)DHE suites and with TLS 1.3 the session keys are ephemeral and cannot be derived from the server's private key, so such packets fall into the no-private-key branch below.
If the target private key does not exist in the preset key database, traffic analysis is used to identify preset characteristic information in the target monitoring traffic packet, and the encrypted packet is identified from that information without recovering its plaintext. The preset characteristics can be the size and timestamps of the target monitoring traffic packet, among others, and can be added, deleted or modified by the responsible engineers; the embodiment of the application does not limit them specifically.
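The dispatch described in the two branches above (identify the encryption identification code, look it up in the preset key database, decrypt with the private key if one exists, otherwise fall back to characteristics that need no decryption), as an added Python example that is not the patent's code. The patent does not say what the encryption identification code is; the example assumes it is the TLS Server Name Indication (SNI) carried in the ClientHello and keys the private-key database on it. The TLS decryption itself is not implemented, since it depends on the negotiated key exchange; instead the example parses a constructed ClientHello record, records whether any static-RSA cipher suite was offered (the precondition for decrypting with a server private key), and computes size/timestamp features for the fallback branch. The key database contents, the packet sizes and the timestamps are constructed.

```python
import statistics
import struct
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed key database (assumption): encryption identifier (here the TLS SNI) -> reference
# to a server private key provisioned by an analyst.
KEY_DATABASE: Dict[str, str] = {"intranet.example": "/keys/intranet.example.key"}

# Cipher suites with static RSA key exchange: the only ones a server private key can passively
# decrypt. (EC)DHE suites and every TLS 1.3 suite use ephemeral keys.
RSA_KEY_EXCHANGE_SUITES = {0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}


def build_client_hello(server_name: str, cipher_suites: Sequence[int] = (0x1301, 0x1302, 0xC02F)) -> bytes:
    """Constructed TLS ClientHello record with an SNI extension (sample input, not a capture)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list          # extension type server_name
    body = (
        b"\x03\x03" + bytes(32)                                         # client_version, random
        + b"\x00"                                                       # empty session_id
        + struct.pack("!H", 2 * len(cipher_suites)) + b"".join(struct.pack("!H", c) for c in cipher_suites)
        + b"\x01\x00"                                                   # one compression method: null
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> Optional[Dict[str, object]]:
    """Extract {"sni": str|None, "cipher_suites": [int]} from a complete ClientHello record.
    Returns None for anything else (other record types, truncated or fragmented records)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if rec_len != hs_len + 4 or len(body) != hs_len:
        return None                                   # do not guess on partial handshakes
    try:
        p = 2 + 32                                    # skip client_version and random
        p += 1 + body[p]                              # session_id
        cs_len = struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
        p += cs_len
        p += 1 + body[p]                              # compression methods
        sni = None
        if p + 2 <= len(body):
            end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
            p += 2
            while p + 4 <= end:
                etype, elen = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if etype == 0x0000 and elen >= 5:     # server_name: list_len(2) type(1) name_len(2) name
                    name_len = struct.unpack("!H", body[p + 3:p + 5])[0]
                    sni = body[p + 5:p + 5 + name_len].decode("ascii", "replace")
                p += elen
        return {"sni": sni, "cipher_suites": suites}
    except (IndexError, struct.error):
        return None


def metadata_features(packets: Sequence[Tuple[float, int]]) -> Dict[str, float]:
    """Preset characteristics available without decryption: per-packet (timestamp, size) pairs."""
    sizes = [s for _, s in packets]
    times = sorted(t for t, _ in packets)
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {"packets": len(sizes), "bytes": sum(sizes),
            "mean_size": statistics.fmean(sizes) if sizes else 0.0,
            "mean_gap_s": statistics.fmean(gaps) if gaps else 0.0}


def identify_encrypted(record: bytes, packets: Sequence[Tuple[float, int]],
                       key_db: Dict[str, str] = KEY_DATABASE) -> Dict[str, object]:
    """Branch selection for an encrypted target monitoring packet."""
    hello = parse_client_hello(record)
    ident = hello["sni"] if hello else None
    if ident is not None and ident in key_db:
        suites: List[int] = hello["cipher_suites"]  # type: ignore[assignment]
        return {"path": "private-key", "identifier": ident, "key": key_db[ident],
                "static_rsa_offered": any(s in RSA_KEY_EXCHANGE_SUITES for s in suites)}
    return {"path": "metadata", "identifier": ident, "features": metadata_features(packets)}
```

The `static_rsa_offered` flag is the check a practitioner wants before spending a private key on a capture: if the client never offered a static-RSA suite, the server cannot have selected one, and the session has to be handled through the metadata branch regardless of what the key database holds.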
Further, after obtaining the feature identification information, the method further comprises:
access traffic data are acquired, wherein the access traffic data comprise access information corresponding to each network asset characteristic in the feature identification information, and the access information comprises the access time, the access count and the traffic and time occupied by the access within a preset time period; when the access information satisfies any one of the following preset conditions, the network asset characteristic corresponding to the access information is determined to be abnormal, the preset conditions comprising: the access frequency corresponding to the network asset characteristic is higher than the preset standard access frequency; the access-occupied traffic corresponding to the network asset characteristic is higher than the corresponding standard access-occupied traffic.
Specifically, the access traffic data characterize the traffic that is occupied when the target monitoring traffic packet is generated, together with the access time, the access count and the time for which the target monitoring traffic packet occupies the server when accessing it. When the same target monitoring traffic packet accesses the server frequently within a short time, or the traffic it occupies when accessing the server exceeds the standard access-occupied traffic, a potential threat or abnormal behaviour may exist; in that case the detection result is sent to the user terminal together with the feature identification information for the user to review.
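The two preset conditions above evaluated over access records, as an added Python example that is not the patent's code. Each access record is assumed to be a tuple of (network asset characteristic, timestamp, bytes occupied); records are aggregated into tumbling windows of the preset period and compared with a per-asset standard table. The standards, the window length, the asset labels and the sample records are constructed for the example.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed per-asset standards (assumption): maximum access count and maximum occupied
# bytes per window. Unknown assets fall back to "default".
STANDARD_ACCESS: Dict[str, Dict[str, int]] = {
    "default":   {"max_accesses": 60, "max_bytes": 5_000_000},
    "app:mysql": {"max_accesses": 30, "max_bytes": 1_000_000},
}

AccessRecord = Tuple[str, float, int]          # (asset characteristic, timestamp, bytes occupied)
Finding = Tuple[str, int, str, int, int]       # (asset, window_start, reason, observed, limit)


def aggregate_access(records: Iterable[AccessRecord], window_s: int = 60) -> Dict[Tuple[str, int], Dict[str, float]]:
    """Tumbling-window aggregation: {(asset, window_start): {accesses, bytes, first, last}}."""
    agg: Dict[Tuple[str, int], Dict[str, float]] = {}
    for asset, ts, nbytes in records:
        key = (asset, int(ts // window_s) * window_s)
        w = agg.setdefault(key, {"accesses": 0, "bytes": 0, "first": ts, "last": ts})
        w["accesses"] += 1
        w["bytes"] += nbytes
        w["first"] = min(w["first"], ts)
        w["last"] = max(w["last"], ts)
    return agg


def detect_abnormal(records: Iterable[AccessRecord],
                    standards: Dict[str, Dict[str, int]] = STANDARD_ACCESS,
                    window_s: int = 60) -> List[Finding]:
    """Apply the two preset conditions (access frequency, occupied traffic) per asset and window."""
    findings: List[Finding] = []
    for (asset, start), w in sorted(aggregate_access(records, window_s).items()):
        std = standards.get(asset, standards["default"])
        if w["accesses"] > std["max_accesses"]:
            findings.append((asset, start, "access_frequency", int(w["accesses"]), std["max_accesses"]))
        if w["bytes"] > std["max_bytes"]:
            findings.append((asset, start, "access_traffic", int(w["bytes"]), std["max_bytes"]))
    return findings


# Constructed access records: a browser client with normal activity, a database asset hit
# 45 times in 22.5 s, and one web server transfer of 6 MB. BASE is aligned to a window boundary.
BASE = 1_700_000_040
SAMPLE_ACCESS_RECORDS: List[AccessRecord] = (
    [("os:windows|browser:chrome", BASE + i * 10, 2_000) for i in range(6)]
    + [("app:mysql", BASE + i * 0.5, 500) for i in range(45)]
    + [("app:nginx", BASE + 5, 6_000_000)]
)

if __name__ == "__main__":
    for asset, start, reason, observed, limit in detect_abnormal(SAMPLE_ACCESS_RECORDS):
        print(f"{asset} window={start} {reason}: observed {observed} > standard {limit}")
```

Reporting the observed value next to the standard it exceeded is what lets the reviewer on the user terminal judge the finding; a bare "abnormal" flag forces them to re-derive it from the raw access data.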
The above embodiments describe a passive network asset identification method from the viewpoint of a method flow, and the following embodiments describe a passive network asset identification device from the viewpoint of a virtual module or a virtual unit, which is specifically described in the following embodiments.
An embodiment of the present application provides a passive network asset identification device, as shown in fig. 3, the device may specifically include a flow packet acquisition module 310, a screening module 320, a flow packet type identification module 330, a dump module 340, and an asset characteristic identification module 350, where:
a traffic packet acquisition module 310, configured to acquire at least one traffic packet to be monitored and write it into the bypass monitoring space;
a screening module 320, configured to screen each traffic packet to be monitored that is stored in the bypass monitoring space according to the monitoring requirement information input by the user, to obtain the target monitoring traffic packet corresponding to each traffic packet to be monitored;
a traffic packet type identification module 330, configured to identify the traffic packet type corresponding to each target monitoring traffic packet, the traffic packet type being either the non-encrypted type or the encrypted type;
a dump module 340, configured to write each target monitoring traffic packet into the corresponding target lock-free buffer according to its traffic packet type;
an asset feature identification module 350, configured to perform network asset feature identification on the target monitoring traffic packets in each target lock-free buffer according to the corresponding traffic packet type, to obtain the corresponding feature identification information.
In one possible implementation manner, when the screening module 320 screens each to-be-monitored flow packet stored in the bypass monitoring space according to the monitoring requirement information input by the user, the screening module is specifically configured to:
analyzing monitoring demand information input by a user to obtain monitoring screening demands of the user, wherein the monitoring demand information comprises at least one monitoring screening demand;
when the number of the monitoring and screening requirements is one, screening the monitored flow packets transferred to the bypass monitoring space according to a screening process channel corresponding to the monitoring and screening requirements to obtain corresponding target monitoring flow packets;
when the number of the monitoring and screening requirements is at least two, screening work information corresponding to each monitoring and screening requirement is obtained, screening sequences of the at least two monitoring and screening requirements are determined according to the screening work information of each monitoring and screening requirement, and the flow packets to be monitored, which are transferred to the bypass monitoring space, are screened according to screening process channels corresponding to the screening sequences of the at least two monitoring and screening requirements, so that corresponding target monitoring flow packets are obtained, wherein each monitoring and screening work information comprises screening work efficiency and screening waiting time length corresponding to each monitoring and screening requirement.
In one possible implementation, the apparatus further includes:
the first initial lock-free buffer zone determining module is used for determining a first initial lock-free buffer zone of the target monitoring flow packet according to the flow packet type corresponding to the target monitoring flow packet, wherein the first initial lock-free buffer zone is the lock-free buffer zone corresponding to the flow packet type of the target monitoring flow packet;
the second initial lock-free buffer zone judging module is used for determining the data volume of the target monitoring flow packet, judging whether a second initial lock-free buffer zone exists in the first initial lock-free buffer zone or not based on the data volume of the target monitoring flow packet, wherein the cache data volume of the second initial lock-free buffer zone is not lower than the data volume of the target monitoring flow packet;
a first target lock-free buffer determination module, configured, if a second initial lock-free buffer exists, to determine the number of second initial lock-free buffers and to determine the target lock-free buffer of the target monitoring traffic packet based on that number and the corresponding buffer data amounts;
a second target lock-free buffer determination module, configured, if no second initial lock-free buffer exists, to create a new lock-free buffer according to the data amount of the target monitoring traffic packet and to determine the newly created lock-free buffer as the target lock-free buffer of the target monitoring traffic packet.
In one possible implementation, the apparatus further includes:
the record data total amount module is used for recording the total amount of the write-in data in each target lock-free buffer area;
the data total quantity comparison module is used for comparing the total quantity of the write-in data of each target monitoring flow packet in the corresponding target lock-free buffer zone with the total quantity of the target monitoring data;
the first identification module is used for carrying out network asset characteristic identification on the target monitoring flow packet in the target lock-free buffer zone if the total written data amount in the target lock-free buffer zone is the same as the target monitoring data amount;
and the second identification module is used for recording the waiting transmission time length if the total written data in the target lock-free buffer area is different from the total target monitoring data, and clearing the total written data in the target lock-free buffer area when the waiting transmission time length exceeds the preset time length.
In one possible implementation manner, the asset feature identification module 350 is specifically configured to, when performing network asset feature identification according to the corresponding traffic packet type to obtain corresponding feature identification information:
when the flow packet type corresponding to the target monitoring flow packet is the non-encryption flow packet type, carrying out passive fingerprint identification on the target monitoring flow packet, determining a first identification result according to a preset network asset characteristic table, and determining the first identification result as characteristic identification information of the target monitoring flow packet;
And when the flow packet type corresponding to the target monitoring flow packet is the encrypted flow packet type, decrypting the target monitoring flow packet, extracting data of the decrypted target monitoring flow packet, determining a second identification result according to the extracted data and a preset network asset characteristic table, and determining the second identification result as characteristic identification information of the target monitoring flow packet.
In one possible implementation, the asset signature identification module 350 is specifically configured to, when performing decryption processing on the target monitoring traffic packet:
identifying a target encryption identification code corresponding to the target monitoring flow packet;
judging whether a target private key corresponding to the target encryption identification code exists in a preset key database according to the target encryption identification code, wherein the preset key database comprises a plurality of private keys corresponding to the encryption identification codes;
if yes, decrypting the target monitoring flow packet according to the target private key;
if not, the target monitoring flow packet is decrypted by extracting preset characteristic information contained in the target monitoring flow packet.
In one possible implementation, the apparatus further includes:
an access traffic data acquisition module, configured to acquire access traffic data, wherein the access traffic data comprise access information corresponding to each network asset characteristic in the feature identification information, and the access information comprises the access time, the access count and the traffic and time occupied by the access within a preset time period;
An abnormality judgment module for determining that the network asset characteristics corresponding to the access information are abnormal when the access information meets any one of the following preset conditions,
the preset conditions comprise:
the access frequency corresponding to the network asset characteristics is higher than the access frequency of a preset standard;
the network asset characteristics correspond to access occupancy traffic that is higher than the corresponding standard access occupancy traffic.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In an embodiment of the present application, as shown in fig. 4, a server 400 shown in fig. 4 includes: a processor 401 and a memory 403. Processor 401 is connected to memory 403, such as via bus 402. Optionally, the server 400 may also include a transceiver 404. It should be noted that, in practical applications, the transceiver 404 is not limited to one, and the structure of the server 400 is not limited to the embodiment of the present application.
The processor 401 may be a CPU (Central Processing Unit), a general-purpose processor, a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, and may implement or execute the various exemplary logic blocks, modules and circuits described in connection with this disclosure. Processor 401 may also be a combination implementing computing functionality, for example one or more microprocessors, or a DSP combined with a microprocessor.
Bus 402 may include a path for transferring information between the components. Bus 402 may be a PCI (Peripheral Component Interconnect) bus or an EISA (Extended Industry Standard Architecture) bus, among others, and may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration only one thick line is shown in fig. 4, but this does not mean that there is only one bus or one type of bus.
The memory 403 may be, but is not limited to, a ROM (Read Only Memory) or other static storage device that can store static information and instructions, a RAM (Random Access Memory) or other dynamic storage device that can store information and instructions, an EEPROM (Electrically Erasable Programmable Read Only Memory), a CD-ROM (Compact Disc Read Only Memory) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer.
The memory 403 is used for storing application program codes for executing the inventive arrangements and is controlled to be executed by the processor 401. The processor 401 is arranged to execute application code stored in the memory 403 for implementing what is shown in the foregoing method embodiments.
The server illustrated in fig. 4 is merely an example, and should not be construed as limiting the functionality and scope of use of embodiments of the present application.
Embodiments of the present application provide a computer-readable storage medium having a computer program stored thereon, which when run on a computer, causes the computer to perform the corresponding method embodiments described above.
It should be understood that, although the steps in the flowcharts of the figures are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited in order and may be performed in other orders, unless explicitly stated herein. Moreover, at least some of the steps in the flowcharts of the figures may include a plurality of sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, the order of their execution not necessarily being sequential, but may be performed in turn or alternately with other steps or at least a portion of the other steps or stages.
The foregoing is only a partial embodiment of the present application, and it should be noted that it will be apparent to those skilled in the art that modifications and adaptations can be made without departing from the principles of the present application, and such modifications and adaptations are intended to be comprehended within the scope of the present application.

Claims (10)

1. A passive network asset identification method, comprising:
acquiring at least one flow packet to be monitored, and writing the at least one flow packet to be monitored into a bypass monitoring space;
screening each flow packet to be monitored, which is transferred to the bypass monitoring space, according to monitoring demand information input by a user to obtain a target monitoring flow packet corresponding to each flow packet to be monitored;
identifying a flow packet type corresponding to each target monitoring flow packet, wherein the flow packet type is an unencrypted type or an encrypted type;
writing each target monitoring flow packet into a corresponding target lock-free buffer area according to the flow packet type corresponding to each target monitoring flow packet;
and carrying out network asset characteristic identification on the target monitoring flow packets in each target lock-free buffer zone according to the corresponding flow packet types to obtain corresponding characteristic identification information.
2. The passive network asset identification method according to claim 1, wherein the screening each to-be-monitored flow packet transferred to the bypass monitoring space according to the monitoring requirement information input by the user to obtain a target monitoring flow packet corresponding to each to-be-monitored flow packet includes:
analyzing monitoring demand information input by a user to obtain monitoring screening demands of the user, wherein the monitoring demand information comprises at least one monitoring screening demand;
when the number of the monitoring and screening requirements is one, screening the monitored flow packets transferred to the bypass monitoring space according to a screening process channel corresponding to the monitoring and screening requirements to obtain corresponding target monitoring flow packets;
when the number of the monitoring and screening requirements is at least two, screening work information corresponding to each monitoring and screening requirement is obtained, screening sequences of the at least two monitoring and screening requirements are determined according to the screening work information of each monitoring and screening requirement, and the flow packets to be monitored, which are transferred to the bypass monitoring space, are screened according to screening process channels corresponding to the screening sequences of the at least two monitoring and screening requirements, so that corresponding target monitoring flow packets are obtained, wherein each monitoring and screening work information comprises screening work efficiency and screening waiting time corresponding to each monitoring and screening requirement.
3. The passive network asset identification method of claim 1, wherein writing the target monitoring traffic packet into the corresponding target lock-free buffer zone, further comprises:
determining a first initial lock-free buffer zone of a target monitoring flow packet according to a flow packet type corresponding to the target monitoring flow packet, wherein the first initial lock-free buffer zone is a lock-free buffer zone corresponding to the flow packet type of the target monitoring flow packet;
determining the data volume of the target monitoring flow packet, and judging whether a second initial lock-free buffer area exists in the first initial lock-free buffer area or not based on the data volume of the target monitoring flow packet, wherein the cache data volume of the second initial lock-free buffer area is not lower than the data volume of the target monitoring flow packet;
if so, determining the number of second initial lock-free buffers, and determining the target lock-free buffer of the target monitoring traffic packet based on the number of second initial lock-free buffers and their corresponding buffer data amounts;
if no second initial lock-free buffer exists, creating a new lock-free buffer according to the data amount of the target monitoring traffic packet, and determining the newly created lock-free buffer as the target lock-free buffer of the target monitoring traffic packet.
4. The passive network asset identification method according to claim 1, wherein said identifying the network asset characteristics of the target monitoring traffic packets in each target lock-free buffer according to the corresponding traffic packet type further comprises:
recording the total written data in each target lock-free buffer area;
comparing the total written data of each target monitoring flow packet in the corresponding target lock-free buffer area with the total target monitoring data;
if the total written data amount in the target lock-free buffer area is the same as the total target monitoring data amount, carrying out network asset characteristic identification on a target monitoring flow packet in the target lock-free buffer area;
and if the total written data in the target lock-free buffer area is different from the total target monitoring data, recording the waiting transmission time, and when the waiting transmission time exceeds the preset time, emptying the total written data in the target lock-free buffer area.
5. The passive network asset identification method according to claim 1, wherein the network asset feature identification is performed according to the corresponding traffic packet type to obtain corresponding feature identification information, and the method comprises the steps of:
When the flow packet type corresponding to the target monitoring flow packet is a non-encryption flow packet type, carrying out passive fingerprint identification on the target monitoring flow packet, determining a first identification result according to a preset network asset characteristic table, and determining the first identification result as characteristic identification information of the target monitoring flow packet;
and when the flow packet type corresponding to the target monitoring flow packet is an encrypted flow packet type, decrypting the target monitoring flow packet, extracting data of the decrypted target monitoring flow packet, determining a second identification result according to the extracted data and the preset network asset characteristic table, and determining the second identification result as characteristic identification information of the target monitoring flow packet.
6. The passive network asset identification method according to claim 5, wherein said decrypting said target monitoring traffic packet comprises:
identifying a target encryption identification code corresponding to the target monitoring flow packet;
judging whether a target private key corresponding to the target encryption identification code exists in a preset key database according to the target encryption identification code, wherein the preset key database comprises a plurality of private keys corresponding to the encryption identification codes;
If yes, decrypting the target monitoring flow packet according to the target private key;
if not, the target monitoring flow packet is decrypted by extracting preset characteristic information contained in the target monitoring flow packet.
7. The passive network asset identification method according to claim 1, wherein the obtaining the corresponding feature identification information further comprises:
access flow data are acquired, wherein the access flow data comprise access information corresponding to each network asset characteristic in the characteristic identification information, and the access information comprises access time, access times and access occupation time in a preset time period;
when the access information meets any one of the following preset conditions, determining that the network asset characteristics corresponding to the access information are abnormal,
the preset conditions comprise:
the access frequency corresponding to the network asset characteristics is higher than the preset standard access frequency;
and the access occupied flow corresponding to the network asset characteristics is higher than the standard access occupied flow corresponding to the network asset characteristics.
8. A passive network asset identification device, comprising:
the flow packet acquisition module is used for acquiring at least one flow packet to be monitored and writing the at least one flow packet to be monitored into the bypass monitoring space;
The screening module is used for screening each flow packet to be monitored which is transferred to the bypass monitoring space according to the monitoring demand information input by the user, so as to obtain a target monitoring flow packet corresponding to each flow packet to be monitored;
the traffic packet type identifying module is used for identifying the traffic packet type corresponding to each target monitoring traffic packet, wherein the traffic packet type is a non-encryption type or an encryption type;
the transfer module is used for writing each target monitoring flow packet into a corresponding target lock-free buffer area according to the flow packet type corresponding to each target monitoring flow packet;
and the asset characteristic identification module is used for carrying out network asset characteristic identification on the target monitoring flow packets in each target lock-free buffer zone according to the corresponding flow packet types to obtain corresponding characteristic identification information.
9. A server, the server comprising:
at least one processor;
a memory;
at least one application, wherein the at least one application is stored in memory and configured to be executed by at least one processor, the at least one application configured to: a passive network asset identification method as claimed in any one of claims 1 to 7.
10. A computer-readable storage medium, comprising: a computer program stored which can be loaded by a processor and which performs a passive network asset identification method as claimed in any one of claims 1 to 7.
CN202310634059.5A 2023-05-31 2023-05-31 Passive network asset identification method, device, server and storage medium Pending CN116582346A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310634059.5A CN116582346A (en) 2023-05-31 2023-05-31 Passive network asset identification method, device, server and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310634059.5A CN116582346A (en) 2023-05-31 2023-05-31 Passive network asset identification method, device, server and storage medium

Publications (1)

Publication Number Publication Date
CN116582346A true CN116582346A (en) 2023-08-11

Family

ID=87534017

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310634059.5A Pending CN116582346A (en) 2023-05-31 2023-05-31 Passive network asset identification method, device, server and storage medium

Country Status (1)

Country Link
CN (1) CN116582346A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117093800A (en) * 2023-08-23 2023-11-21 上海螣龙科技有限公司 PDF batch output method and device for network asset data report and electronic equipment
CN117093800B (en) * 2023-08-23 2024-04-19 上海螣龙科技有限公司 PDF batch output method and device for network asset data report and electronic equipment

Similar Documents

Publication Publication Date Title
RU2617631C2 (en) Method for detection working malicious software runned from client, on server
US9852309B2 (en) System and method for securing personal data elements
CN113574838A (en) System and method for filtering internet traffic through client fingerprints
US10397274B2 (en) Packet inspection and forensics in an encrypted network
US20230116838A1 (en) Advanced detection of identity-based attacks to assure identity fidelity in information technology environments
US10893057B2 (en) Hardware security module systems and methods
CN112165455A (en) Data access control method and device, computer equipment and storage medium
CN116582346A (en) Passive network asset identification method, device, server and storage medium
CN114070656B (en) Method and device for monitoring abnormity of open API (application program interface) of commercial bank
US20090222876A1 (en) Positive multi-subsystems security monitoring (pms-sm)
US9378784B1 (en) Security device using high latency memory to implement high update rate statistics for large number of events
CN110995717B (en) Message processing method and device, electronic equipment and vulnerability scanning system
EP3151147B1 (en) System and method for detection of malicious data encryption programs
CN114826727A (en) Flow data acquisition method and device, computer equipment and storage medium
WO2022046365A1 (en) Advanced detection of identity-based attacks
CN109711207B (en) Data encryption method and device
CN117093639B (en) Socket connection processing method and system based on audit service
WO2024029123A1 (en) Software information management device and software information management method
EP3522063B1 (en) System and method for detecting compromised data
CN109245895B (en) System and method for detecting corrupted data
JP2024506627A (en) Digital currency security mechanisms
EP1089180A1 (en) Distributed remote management method for computer equipment
CN117675267A (en) Log processing method and device
Priya et al. AI SECURITY CHALLENGES IN IOT ENVIRONMENT
CN114866299A (en) Network data forwarding method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination