CN116599775B - Asset discovery system and method combining active and passive detection - Google Patents
- Publication number: CN116599775B (application CN202310868729.XA)
- Authority: CN (China)
- Prior art keywords: asset, active, passive, module, detection
- Legal status: Active
Classifications (CPC, section H Electricity, class H04 Electric communication technique, subclass H04L Transmission of digital information, e.g. telegraphic communication)
- H04L63/00 Network architectures or network communication protocols for network security
  - H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    - H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
      - H04L63/1425 Traffic logging, e.g. anomaly detection
- H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
  - H04L41/02 Standardisation; Integration
    - H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
- H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L9/40 Network security protocols
- H04L61/00 Network arrangements, protocols or services for addressing or naming
  - H04L61/45 Network directories; Name-to-address mapping
    - H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
      - H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
Abstract
The invention discloses an asset discovery system and method that combine active and passive detection. The system comprises an active detection module, a passive detection module, a log module, a log analysis module and a control module. The active and passive detection modules acquire asset information about the network assets, such as MAC address, IP address, running services, host name, operating system, device type, communication frequency and traffic volume. The log module and the log analysis module then converge and merge the results of the two kinds of asset detection to complete the asset information, extract key information from the passive asset discovery results, and feed that key information back to the active detection module so that key assets can be probed in depth. The active and passive detection modules are loosely coupled, are scheduled uniformly by the control module, and can be freely combined and deployed according to the network environment. This breaks through the limitation of a single asset detection mode and markedly improves detection efficiency and the accuracy of the detection results.
Description
Technical Field
The invention relates to network asset monitoring and asset discovery in the field of computer network security, and in particular to an asset discovery system and method combining active and passive detection.
Background
With the development of internet technology, more and more services are migrated to the internet and the number of network assets keeps growing, which makes the maintenance of network assets more complex and difficult. Asset discovery technology helps operations and maintenance staff quickly grasp the state of the active assets in a network, reduces the difficulty of network maintenance and allows resources to be used fully. From the network security perspective, asset discovery helps security staff discover suspicious devices and suspicious communications, improving the reliability and security of the network.
Conventional network assets are the various physical devices used in computer networks, including PCs, servers, routers, security devices, industrial control devices and the like. With the development of cloud technology, virtual machines and services have also been brought into the scope of network assets as units of asset maintenance.
Active asset detection is currently the mainstream asset discovery mode. It simulates the interaction between assets by sending probe messages to target assets and extracts asset information from the content of the replies. The related techniques mainly include host liveness checks, port scanning, SNMP and fingerprint library matching. Active asset detection can extract rich asset information, but it also has a number of problems: the probe packets it sends may interfere with the existing network; a single scan may take a long time, so its timeliness is poor; and the probe device must be able to reach every network it scans.
Passive asset detection extracts asset information by analysing the traffic exchanged between assets in the network. It can be deployed out of band to analyse mirrored traffic from a core switch or router, so it causes no interference to the original network, captures the real-time communication between all assets, quickly picks up changes in the network and has better timeliness. Passive asset detection can compensate for the shortcomings of active detection to some extent, but it has inherent drawbacks of its own: it can only analyse devices whose traffic transits the core switch, so in a complex network it is hard to cover every network asset.
Disclosure of Invention
Aim of the invention: in view of the problems in the prior art, the invention aims to provide an asset discovery system and method that combine active and passive detection, which compensate for the shortcomings of both detection modes; at the same time, the results of passive asset detection serve as the basis for active asset detection, so that core assets are probed with priority, detection efficiency is improved and detection depth is increased.
The technical solution is as follows: an asset discovery system combining active and passive detection comprises:
an active detection module, which discovers the assets that may exist in the network and their asset information by scanning;
a passive detection module, which analyses passively collected traffic and acquires asset information for both communicating parties in the traffic;
a log module, which packages the asset information acquired by the active and passive detection modules into asset logs;
a log analysis module, which receives the asset logs sent by the log module, merges the active and passive detection results, extracts passive additional information from the passive detection results to form a new active detection scanning strategy, and delivers that strategy to the control module;
a control module, which starts, stops and pauses the detection tasks of the active and passive detection modules, and issues and updates the active detection scanning strategy.
Optionally, the active detection module scans for the assets and asset information that may exist in the network using nmap and SNMP.
Specifically, the asset information acquired by the active detection module includes an asset's open ports, operating system and running services. The asset information acquired by the passive detection module includes the asset's IP address, MAC address, communication protocol, key protocol information, service port, communication frequency and traffic volume.
Further, the passive additional information comprises the main services each asset exposes and the ports corresponding to those services, the domain-name-to-IP mapping extracted from DNS queries and responses, API information derived from the HTTP protocol, and the IP addresses of newly online assets.
Optionally, the asset information is packaged into an asset log in JSON or TLV format.
An asset discovery method based on the above asset discovery system comprises the following steps:
step 1: the passive detection module is connected to the mirrored traffic and extracts metadata from it;
step 2: the passive detection module extracts asset information from the metadata with the help of a fingerprint database;
step 3: the passive detection module delivers the asset information to the log module, which forms a passive asset log;
step 4: the control module issues an active detection strategy and schedules the active detection module to start active asset scanning;
step 5: the active detection module scans the assets that may exist in the network according to the active detection strategy and mines their asset information;
step 6: the active detection module delivers the asset information to the log module, which forms an active asset log;
step 7: the log analysis module aggregates the active and passive asset logs, extracts newly discovered assets from the active asset log and updates the information of assets already discovered;
step 8: the log analysis module extracts the key assets and the passive additional information and delivers both to the control module for the next round of active scanning;
step 9: the control module stops the current active scanning task, or terminates the current active detection task early, and adjusts the active detection strategy using the passive additional information to perform a new round of active asset scanning.
Compared with the prior art, the invention has the following beneficial effects:
1. The asset discovery system separates the active detection module from the passive detection module, so the two are loosely coupled; the control module schedules them uniformly and analyses their detection results, so they can be freely combined and deployed according to the network environment.
2. The disclosed asset discovery method analyses the active and passive detection results together, optimises the active detection strategy according to the passive detection results and finally extracts the network asset information. It breaks through the limitation of a single asset detection mode and markedly improves detection efficiency and the accuracy of the detection results.
Drawings
FIG. 1 is a schematic diagram of the module connections of the system of the invention;
FIG. 2 is a flow chart of the asset discovery method of the invention;
FIG. 3 is a schematic view of a deployment scenario of the invention.
Description of the embodiments
Embodiments of the technical solution of the invention are described in detail below with reference to the accompanying drawings. The following examples serve only to illustrate the technical solution more clearly; they are examples only and do not limit the scope of the invention.
As shown in FIG. 1, the asset discovery system combining active and passive detection comprises an active detection module, a passive detection module, a log module, a log analysis module and a control module. The signal outputs of the active and passive detection modules are connected to the signal input of the log module; the signal output of the log module is connected to the signal input of the log analysis module; the signal output of the log analysis module is connected to the signal input of the control module; and the signal output of the control module is connected to the signal inputs of both the active and passive detection modules.
The active detection module is responsible for active asset detection. It scans for the assets and asset information that may exist in the network using techniques such as nmap and SNMP; the acquired asset information includes, but is not limited to, open ports, operating system and running services.
The passive detection module is responsible for analysing passively collected traffic and acquiring asset information for both communicating parties in the traffic; the acquired asset information includes, but is not limited to, IP address, MAC address, communication protocol, service port, communication frequency and traffic volume.
The log module is responsible for packaging the asset information into asset logs in a fixed format, such as JSON or TLV, and reporting the asset logs to the log analysis module.
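As an added illustration of the log module's job (example code written for this page, not code from the patent), the following Python packages one asset record in both formats the patent names. The JSON form is a direct serialisation; the TLV form is a sequence of 1-byte type, 2-byte length, value triples. The field-to-type-code table and the sample record are assumptions of the example, since the patent does not define a field numbering. The decoder checks every declared length against the bytes actually remaining, which is the check the log analysis module would want before trusting a record produced by a separate probe process.

```python
import json
import struct

# Type codes for the TLV encoding. The patent names TLV as a log format but
# does not define a field numbering, so this table is an assumption of the example.
FIELD_TYPES = {
    "ip": 1,
    "mac": 2,
    "protocol": 3,
    "service_port": 4,
    "comm_frequency": 5,
    "traffic_bytes": 6,
    "source": 7,  # which module produced the record: "active" or "passive"
}
TYPE_NAMES = {code: name for name, code in FIELD_TYPES.items()}

# Constructed sample record, as the passive detection module might hand it over.
SAMPLE_ASSET = {
    "ip": "10.1.1.10",
    "mac": "aa:bb:cc:00:00:10",
    "protocol": "http",
    "service_port": 80,
    "comm_frequency": 120,
    "traffic_bytes": 4000000,
    "source": "passive",
}


def to_json_log(asset: dict) -> str:
    """Package one asset record as a single-line JSON log entry."""
    return json.dumps(asset, sort_keys=True, separators=(",", ":"))


def from_json_log(line: str) -> dict:
    """Parse a JSON log entry back into an asset record."""
    return json.loads(line)


def to_tlv_log(asset: dict) -> bytes:
    """Package one asset record as a sequence of TLV triples:
    1-byte type code, 2-byte big-endian length, UTF-8 encoded value.
    Unknown field names are rejected rather than silently dropped."""
    out = bytearray()
    for name, value in asset.items():
        if name not in FIELD_TYPES:
            raise ValueError(f"unknown asset field: {name}")
        payload = str(value).encode("utf-8")
        if len(payload) > 0xFFFF:
            raise ValueError(f"field {name} does not fit a 2-byte length")
        out += struct.pack("!BH", FIELD_TYPES[name], len(payload)) + payload
    return bytes(out)


def from_tlv_log(data: bytes) -> dict:
    """Decode a TLV record. Every declared length is checked against the bytes
    actually remaining, so a truncated or malformed record raises instead of
    being read past its end. Values come back as strings."""
    asset = {}
    pos = 0
    while pos < len(data):
        if len(data) - pos < 3:
            raise ValueError("truncated TLV header")
        ftype, flen = struct.unpack_from("!BH", data, pos)
        pos += 3
        if len(data) - pos < flen:
            raise ValueError("TLV length exceeds remaining buffer")
        name = TYPE_NAMES.get(ftype)
        if name is None:
            raise ValueError(f"unknown TLV type code {ftype}")
        asset[name] = data[pos:pos + flen].decode("utf-8")
        pos += flen
    return asset


def tlv_is_wellformed(data: bytes) -> bool:
    """Validation check the log analysis module can run before trusting a record."""
    try:
        from_tlv_log(data)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    print(to_json_log(SAMPLE_ASSET))
    print(to_tlv_log(SAMPLE_ASSET).hex())
    print(from_tlv_log(to_tlv_log(SAMPLE_ASSET)))
```

The TLV decoder returns every value as a string; a real log analysis module would convert numeric fields according to a schema, which this example leaves out.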
The log analysis module is responsible for merging the active and passive detection results, extracting passive additional information from the passive detection results to form a new active detection scanning strategy, and delivering that strategy to the control module so that the active detection strategy can be adjusted. The passive additional information mainly includes the following:
(1) the main services each asset exposes and the ports corresponding to those services;
(2) the domain-name-to-IP mapping extracted from DNS queries and responses;
(3) API information derived from the HTTP protocol;
(4) the IP addresses of newly online assets.
The control module is responsible for scheduling the work of the other modules, which mainly comprises:
(1) starting, stopping and pausing the active detection task;
(2) starting, stopping and pausing the passive detection task;
(3) issuing and updating the active detection strategy.
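To make the log analysis module's work concrete, here is an added Python example (written for this page, not the patent's own code) that aggregates an active asset log and a passive asset log into one table keyed by IP, then extracts the four kinds of passive additional information listed above. The log record layout and the sample records are constructed assumptions; the patent only names the fields, not their encoding. Note the DNS case: the record's own IP is the resolver that was observed, while the name-to-IP mapping it yields points at a different asset.

```python
from collections import defaultdict

# Constructed sample logs (not from the patent), one record per observation.
ACTIVE_LOG = [
    {"ip": "10.1.1.10", "os": "Linux", "ports": {22: "ssh", 80: "http"}},
    {"ip": "10.1.1.20", "os": "Linux", "ports": {3306: "mysql"}},
]
PASSIVE_LOG = [
    {"ip": "10.1.1.10", "mac": "aa:bb:cc:00:00:10", "protocol": "http", "service_port": 80,
     "key_info": {"host": "app.corp.example", "method": "GET", "path": "/api/v1/users"},
     "comm_frequency": 120, "traffic_bytes": 4_000_000},
    {"ip": "10.1.1.53", "mac": "aa:bb:cc:00:00:53", "protocol": "dns", "service_port": 53,
     "key_info": {"qname": "app.corp.example", "answers": ["10.1.1.10"]},
     "comm_frequency": 900, "traffic_bytes": 50_000},
    {"ip": "10.1.2.77", "mac": "aa:bb:cc:00:02:77", "protocol": "smb", "service_port": 445,
     "key_info": {}, "comm_frequency": 1, "traffic_bytes": 1_000},
]


def merge_asset_logs(active_log: list, passive_log: list) -> dict:
    """Aggregate both logs into one table keyed by IP. Active results seed the
    table; passive records add MAC, observed ports and traffic statistics, and
    create entries for assets that active scanning never reached."""
    assets = {}
    for rec in active_log:
        assets[rec["ip"]] = {"os": rec.get("os"), "ports": dict(rec.get("ports", {})),
                             "mac": None, "comm_frequency": 0, "traffic_bytes": 0,
                             "seen_by": {"active"}}
    for rec in passive_log:
        entry = assets.setdefault(rec["ip"], {"os": None, "ports": {}, "mac": None,
                                              "comm_frequency": 0, "traffic_bytes": 0,
                                              "seen_by": set()})
        entry["seen_by"].add("passive")
        if rec.get("mac"):
            entry["mac"] = rec["mac"]
        port = rec.get("service_port")
        if port is not None:
            # keep the service name from the active scan when both saw the port
            entry["ports"].setdefault(port, rec.get("protocol"))
        entry["comm_frequency"] += rec.get("comm_frequency", 0)
        entry["traffic_bytes"] += rec.get("traffic_bytes", 0)
    return assets


def extract_passive_extras(passive_log: list, known_ips: set) -> dict:
    """Pull the passive additional information out of the passive log:
    (1) service/port per asset, (2) DNS name-to-IP map, (3) HTTP API sightings,
    (4) IPs not yet in the known asset set."""
    extras = {"services": defaultdict(set), "dns_map": defaultdict(set),
              "http_apis": set(), "new_ips": set()}
    for rec in passive_log:
        ip, proto, info = rec["ip"], rec.get("protocol"), rec.get("key_info", {})
        if rec.get("service_port") is not None:
            extras["services"][ip].add((rec["service_port"], proto))
        if proto == "dns" and info.get("qname"):
            extras["dns_map"][info["qname"]].update(info.get("answers", []))
        if proto == "http" and info.get("host") and info.get("path"):
            extras["http_apis"].add((info["host"], info.get("method", "GET"), info["path"]))
        if ip not in known_ips:
            extras["new_ips"].add(ip)
    extras["services"] = dict(extras["services"])
    extras["dns_map"] = dict(extras["dns_map"])
    return extras


if __name__ == "__main__":
    merged = merge_asset_logs(ACTIVE_LOG, PASSIVE_LOG)
    extras = extract_passive_extras(PASSIVE_LOG, {r["ip"] for r in ACTIVE_LOG})
    for ip, entry in merged.items():
        print(ip, sorted(entry["seen_by"]), entry["ports"])
    print(extras)
```

Assets seen only by passive detection (here the resolver and the SMB host on the other segment) appear in the merged table with an empty operating-system field, which is exactly what the next active scanning round is meant to fill in.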
As shown in FIG. 2, the asset discovery method combining active and passive detection, based on the above system, includes the following steps:
Step 1: the passive detection module is connected to the mirrored traffic and extracts metadata from it; the metadata includes, but is not limited to, IP address, MAC address, communication protocol, key protocol information and traffic volume.
Step 2: the passive detection module extracts asset information from the metadata with the help of the nmap fingerprint library.
Step 3: the passive detection module delivers the asset information to the log module, which forms a passive asset log.
Step 4: the control module issues an active detection strategy and schedules the active detection module to start active asset scanning.
Step 5: the active detection module scans the assets that may exist in the network according to the detection strategy and mines detailed asset information such as open ports, operating system and running services.
Step 6: the active detection module delivers the asset information to the log module, which forms an active asset log.
Step 7: the log analysis module aggregates the active and passive asset logs, extracts newly discovered assets from them and updates the information of assets already discovered.
Step 8: the log analysis module extracts the key assets and the passive additional information and delivers both to the control module for the next round of active scanning.
Step 9: the control module stops the current active scanning task, or terminates the current active detection task early, and adjusts the active detection strategy using the passive additional information to perform a new round of active asset scanning. The control module adjusts the active scanning strategy automatically, mainly in the following ways: modifying the priority of the active scanning targets according to their traffic volume and communication frequency; supplementing the initial information for active scanning, specifically open ports, running services, website domain names and website URLs; and, when a new device comes online, adding it to the active scanning list quickly so that it is handled promptly.
By combining active and passive asset detection in this way, asset information such as the MAC address, IP address, running services, host name, operating system, device type, communication frequency and traffic volume of the network assets is obtained; the results of the two kinds of detection are then converged and merged to complete the asset information; and finally the key information in the passive asset discovery results is extracted and fed back to the active detection module, so that key assets are probed in depth.
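The strategy adjustment in step 9 (and step 9 of the method summary earlier) is the part of the procedure a practitioner will most want to see spelled out, so here is an added Python example of it. It is written for this page and is not the patent's own code; it assumes the control module receives a merged asset table and the passive additional information in the constructed shapes embedded below. It builds the next active scanning list by scoring each target from its observed traffic volume and communication frequency (the equal weighting is the example's assumption), seeding every target with the ports, services, domain names and URLs already known from passive detection, and moving newly online devices to the head of the list.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed inputs, in the shape the log analysis module is assumed to hand
# to the control module: a merged asset table keyed by IP, plus the passive
# additional information (DNS name-to-IP map, HTTP API sightings, new IPs).
MERGED_ASSETS = {
    "10.1.1.10": {"traffic_bytes": 4_000_000, "comm_frequency": 120,
                  "ports": {22: "ssh", 80: "http"}},
    "10.1.1.20": {"traffic_bytes": 500_000, "comm_frequency": 10,
                  "ports": {3306: "mysql"}},
    "10.1.1.53": {"traffic_bytes": 50_000, "comm_frequency": 900,
                  "ports": {53: "dns"}},
    "10.1.2.77": {"traffic_bytes": 1_000, "comm_frequency": 1, "ports": {}},
}
PASSIVE_EXTRAS = {
    "dns_map": {"app.corp.example": {"10.1.1.10"}},
    "http_apis": {("app.corp.example", "GET", "/api/v1/users")},
    "new_ips": {"10.1.2.77"},
}


@dataclass(order=True)
class ScanTarget:
    """One entry of the active scanning list. Only priority takes part in
    ordering; the remaining fields seed the scanner with what is already known."""
    priority: float
    ip: str = field(compare=False)
    ports: list = field(default_factory=list, compare=False)
    services: dict = field(default_factory=dict, compare=False)
    domains: list = field(default_factory=list, compare=False)
    urls: list = field(default_factory=list, compare=False)


def traffic_priority(record: dict, max_bytes: int, max_freq: int) -> float:
    """Priority from observed traffic volume and communication frequency,
    each normalised to the busiest asset. The equal weighting is an assumption
    of the example; the patent only says both quantities drive the priority."""
    by_bytes = record["traffic_bytes"] / max_bytes if max_bytes else 0.0
    by_freq = record["comm_frequency"] / max_freq if max_freq else 0.0
    return round(0.5 * by_bytes + 0.5 * by_freq, 3)


def build_scan_strategy(assets: dict, extras: dict) -> list:
    """Return the next active scanning list, highest priority first."""
    max_bytes = max(r["traffic_bytes"] for r in assets.values())
    max_freq = max(r["comm_frequency"] for r in assets.values())

    # Invert the DNS map so each IP knows its domain names, and attach the
    # HTTP API paths seen for those names as full URLs.
    ip_to_domains = defaultdict(list)
    for domain, ips in extras["dns_map"].items():
        for ip in ips:
            ip_to_domains[ip].append(domain)
    ip_to_urls = defaultdict(list)
    for host, _method, path in extras["http_apis"]:
        for ip in extras["dns_map"].get(host, ()):
            ip_to_urls[ip].append(f"http://{host}{path}")

    targets = []
    for ip, rec in assets.items():
        target = ScanTarget(
            priority=traffic_priority(rec, max_bytes, max_freq),
            ip=ip,
            ports=sorted(rec["ports"]),
            services=dict(rec["ports"]),
            domains=sorted(ip_to_domains.get(ip, [])),
            urls=sorted(ip_to_urls.get(ip, [])),
        )
        # A device that just came online has no traffic history to score on,
        # so it jumps to the head of the list instead of waiting for the next pass.
        if ip in extras["new_ips"]:
            target.priority = 1.0
        targets.append(target)
    targets.sort(reverse=True)
    return targets


if __name__ == "__main__":
    for t in build_scan_strategy(MERGED_ASSETS, PASSIVE_EXTRAS):
        print(f"{t.priority:.3f} {t.ip} ports={t.ports} domains={t.domains} urls={t.urls}")
```

With the constructed inputs, the newly online host on the second segment is scanned first, then the web server with the largest traffic volume, then the busy resolver, and the quiet database server last; the web server's scan is seeded with its two known ports, its domain name and the API URL seen in passive traffic.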
FIG. 3 shows a deployment embodiment of the invention, which mainly comprises five parts: a probe device, an aggregation switch, a core switch, an office network and a server cluster. The function of each part is as follows:
Probe device: receives mirrored traffic from the core switch for passive detection, and connects to the network through the aggregation switch to send probe packets for active detection.
Aggregation switch: a layer 2 switch responsible for link-layer forwarding of communication within a network segment. Communication between network segments must be routed through the core switch.
Core switch: a layer 3 switch responsible for routing cross-segment communication, which mirrors the traffic of all its ports to the probe device.
Office network and server cluster: two different network segments, each containing a large number of asset devices.
In the network shown in FIG. 3, conventional asset detection techniques have significant limitations. Passive detection can only extract information from cross-segment traffic, so the asset information it extracts is very limited, and hosts and services that communicate only within a single segment are invisible to it. Active detection has to send a large number of probe packets, which affects the communication quality of the original network, and because it lacks initial scanning information it finds relatively little information about the scanned assets. In addition, active detection is slow, so it cannot respond quickly to a newly online host.
With the technique of the invention, the active and passive scanning results are converged to obtain complete asset information. At the same time, the target assets are prioritised according to the passive detection results, and active detection concentrates on the higher-priority assets, which reduces the number of active probe packets. Information such as open ports, running services, domain names and URLs of the target assets is extracted from the passive detection results, improving the efficiency and quality of active detection. For a newly online host, as soon as it generates cross-segment communication, passive detection perceives it quickly and an active scan is started immediately, so suspicious devices are discovered in time.
The foregoing examples are only some preferred embodiments of the invention, described in detail, and are not to be construed as limiting its scope. Those skilled in the art will appreciate that several variations and modifications can be made without departing from the spirit of the invention, all of which fall within its scope.
Claims (3)
1. An asset discovery system combining active and passive detection, comprising:
an active detection module, which discovers the assets that may exist in the network and their asset information by scanning; the asset information acquired by the active detection module comprises an asset's open ports, operating system and running services;
a passive detection module, which analyses passively collected traffic and acquires asset information for both communicating parties in the traffic; the asset information acquired by the passive detection module comprises the asset's IP address, MAC address, communication protocol, key protocol information, service port, communication frequency and traffic volume;
a log module, which packages the asset information acquired by the active and passive detection modules into asset logs;
a log analysis module, which receives the asset logs sent by the log module, merges the active and passive detection results, extracts passive additional information from the passive detection results to form a new active detection scanning strategy, and delivers that strategy to the control module; the passive additional information comprises the main services each asset exposes and the ports corresponding to those services, the domain-name-to-IP mapping extracted from DNS queries and responses, API information derived from the HTTP protocol, and the IP addresses of newly online assets;
a control module, which starts, stops and pauses the detection tasks of the active and passive detection modules, and issues and updates the active detection scanning strategy;
wherein the asset discovery system performs active and passive detection of assets by:
step 1: the passive detection module is connected to the mirrored traffic and extracts metadata from it;
step 2: the passive detection module extracts asset information from the metadata with the help of a fingerprint database;
step 3: the passive detection module delivers the asset information to the log module, which forms a passive asset log;
step 4: the control module issues an active detection strategy and schedules the active detection module to start active asset scanning;
step 5: the active detection module scans the assets that may exist in the network according to the active detection strategy and mines their asset information;
step 6: the active detection module delivers the asset information to the log module, which forms an active asset log;
step 7: the log analysis module aggregates the active and passive asset logs, extracts newly discovered assets from the active asset log and updates the information of assets already discovered;
step 8: the log analysis module extracts the key assets and the passive additional information and delivers both to the control module for the next round of active scanning;
step 9: the control module stops the current active scanning task, or terminates the current active detection task early, adjusts the active detection strategy using the passive additional information and performs a new round of active asset scanning; the control module adjusts the active detection strategy in the following ways: modifying the priority of the active scanning targets according to their traffic volume and communication frequency; supplementing the initial information for active scanning, specifically open ports, running services, website domain names and website URLs; and adding a new device to the active scanning list when it comes online.
2. The asset discovery system combining active and passive detection of claim 1, wherein the active detection module discovers the assets and asset information that may exist in the network by nmap and SNMP scanning.
3. The asset discovery system combining active and passive detection of claim 1, wherein the asset information is packaged into an asset log in JSON or TLV format.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN202310868729.XA (CN116599775B) | 2023-07-17 | 2023-07-17 | Asset discovery system and method combining active and passive detection
Publications (2)
Publication Number | Publication Date
---|---
CN116599775A | 2023-08-15
CN116599775B | 2023-10-17
Family ID: 87601237 (one family application, CN202310868729.XA, status Active; country status: CN, CN116599775B)
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN110474906A | 2019-08-16 | 2019-11-19 | 国家计算机网络与信息安全管理中心 | Closed-loop-feedback active-passive combined deep mining of cyberspace targets
CN111028085A | 2019-03-29 | 2020-04-17 | 哈尔滨安天科技集团股份有限公司 | Network shooting range asset information acquisition method and device based on active and passive combination
CN111555988A | 2020-04-26 | 2020-08-18 | 深圳供电局有限公司 | Big-data-based network asset mapping and discovery method and device
CN111756598A | 2020-06-23 | 2020-10-09 | 北京凌云信安科技有限公司 | Asset discovery method based on combination of active detection and traffic analysis
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
US8549650B2 | 2010-05-06 | 2013-10-01 | Tenable Network Security, Inc. | System and method for three-dimensional visualization of vulnerability and asset data
CA2933669A1 | 2015-06-23 | 2016-12-23 | Above Security Inc. | Method and system for detecting and identifying assets on a computer network
US11962469B2 | 2021-02-10 | 2024-04-16 | Cisco Technology, Inc. | Identifying devices and device intents in an IoT network
Events: 2023-07-17, CN application CN202310868729.XA filed; granted as CN116599775B, status Active.
Also Published As
Publication number | Publication date
---|---
CN116599775A | 2023-08-15
Legal Events
Code | Title
---|---
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant