CN116647370A - Intranet asset identification method and device, electronic equipment and storage medium - Google Patents

Info

Publication number
CN116647370A
Authority
CN
China
Prior art keywords
intranet
section
destination
port
segment
Prior art date
Legal status
Pending
Application number
CN202310491830.8A
Other languages
Chinese (zh)
Inventor
白杨
汤良
Current Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd
Priority to CN202310491830.8A
Publication of CN116647370A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides an intranet asset identification method and device, electronic equipment and a storage medium, and relates to the technical field of information security. The method identifies the intranet IP segment in traffic by combining the port information and the IP information carried by the traffic; the devices corresponding to the intranet IP segment are the intranet assets, so that intranet asset identification is achieved.

Description

Intranet asset identification method and device, electronic equipment and storage medium
Technical Field
The application relates to the technical field of information security, in particular to an intranet asset identification method, an intranet asset identification device, electronic equipment and a storage medium.
Background
In recent years, with the popularization of internet applications, network traffic has kept increasing, which makes security events possible and thereby creates security risks. In an enterprise security operating system, asset security is the basis of all security. Therefore, the identification of intranet assets is particularly important.
At present, intranet assets are generally identified based on network segments: for example, some intranet segments belonging to the intranet assets are divided in advance, and the intranet assets are then identified based on those intranet segments. However, this method is not applicable to the scenario of a public network segment used privately, that is, the intranet assets in that scenario cannot be identified, so intranet assets cannot be identified comprehensively and accurately.
Disclosure of Invention
The embodiment of the application aims to provide an intranet asset identification method, an intranet asset identification device, electronic equipment and a storage medium, which are used for solving the problem that the intranet asset cannot be comprehensively and accurately identified in the existing identification mode.
In a first aspect, an embodiment of the present application provides an intranet asset identification method, where the method includes:
acquiring port information and IP information carried by traffic;
and identifying an intranet IP segment in the traffic according to the port information and the IP information, and determining the devices corresponding to the intranet IP segment as intranet assets.
In the implementation process, the intranet IP segment in the traffic is identified by combining the port information and the IP information carried by the traffic, and the devices corresponding to the intranet IP segment are the intranet assets, so that intranet asset identification is achieved.
Optionally, identifying the intranet IP segment in the traffic according to the port information and the IP information includes:
counting the number of destination ports corresponding to the same destination IP in the traffic, and counting the number of source IPs corresponding to the same destination IP in the traffic;
and identifying the intranet IP segment in the traffic based on the port count and the IP count.
In the implementation process, the port count and the IP count are combined to identify intranet assets, so the accuracy of intranet asset identification can be improved.
Optionally, identifying the intranet IP segment in the traffic based on the port count and the IP count includes:
if the destination port corresponding to the same destination IP does not hit the port white list and the port count is larger than a first threshold, caching the destination IP and its corresponding IP C segment in a port identification table;
if the number of source IPs corresponding to the same destination IP is larger than a second threshold and the average three-way handshake time of the messages corresponding to the destination IP is larger than a third threshold, caching the IP C segment of the destination IP in an IP identification table;
if the same IP C segment exists in both the IP identification table and the port identification table, determining that this IP C segment is a first intranet IP segment.
In the implementation process, if an IP C segment hits both the IP identification table and the port identification table, the IP C segment is actually an intranet IP segment; that is, identifying the intranet IP segment based on the combination of IP and port is more accurate.
Optionally, after caching the destination IP and the IP C segment corresponding to the destination port in the port identification table, the method further includes:
if different destination IPs in the port identification table have the same IP C segment, determining that IP C segment as a second intranet IP segment. Devices in an intranet generally share the same IP C segment, so if different destination IPs have the same IP C segment, it can be considered an intranet IP segment.
Optionally, the method further comprises:
if the destination port hits the port white list, determining that the IP C segment of the destination IP corresponding to the destination port is a third intranet IP segment;
if the average three-way handshake time is smaller than or equal to the third threshold, determining that the IP C segment of the same destination IP is a fourth intranet IP segment.
In the implementation process, the port white list contains some default ports, which are generally intranet ports, so if the port white list is hit, the corresponding IP C segment is considered an intranet IP segment. Generally, the three-way handshake time of communication between devices in an intranet is shorter, so if the average three-way handshake time is smaller than the threshold, the IP C segment is determined to be an intranet IP segment.
Optionally, if the destination port hits the port white list, determining that the IP C segment of the destination IP corresponding to the destination port is a third intranet IP segment includes:
if the destination port hits the system fixed port white list, determining that the IP C segment corresponding to the destination port is the third intranet IP segment;
and if the destination port hits the software default port white list and the number of ports of the destination IP corresponding to the destination port is larger than a fourth threshold, determining that the IP C segment of the destination IP is the third intranet IP segment.
In the implementation process, if the port hits the software default port white list, the port count is also used for the judgment, because the ports in the software default port white list are dynamic ports that can be customized by the user; combining the port count therefore identifies the intranet IP segment more accurately.
Optionally, the method further comprises:
expanding, according to upper and lower limits, the IP C segments in the intranet IP segment that have the same IP B segment, and storing the expanded IP C segments in an IP C segment table, where the intranet IP segment comprises the first intranet IP segment, the second intranet IP segment, the third intranet IP segment and the fourth intranet IP segment;
and determining the IP C segments in the IP C segment table as the final intranet IP segment.
In the implementation process, by expanding the IP C segments in the intranet IP segment that have the same IP B segment, more intranet IP segments can be identified while ensuring that the expanded IP C segments are intranet IP segments.
Optionally, after saving the IP C segments obtained by expansion in the IP C segment table, the method further includes:
caching the corresponding traffic information of the third intranet IP segment, the fourth intranet IP segment, the port identification table and the IP identification table in a temporary identification table;
extracting the IP C segments of all source IPs, and the number of occurrences of each IP C segment, from the temporary identification table into an IP total table;
comparing the IP C segment table with the IP total table, screening out the IP C segments present in both whose occurrence counts fall within the top preset proportion, and caching the screened IP C segments in an intranet IP segment table;
and determining the IP C segments in the intranet IP segment table as the final intranet IP segment.
In the implementation process, the IP C segments in the temporary identification table are screened, so that the real intranet IP segments can be selected and intranet assets can be identified more accurately.
Optionally, after caching the screened IP C segments in the intranet IP segment table, the method further includes:
extracting all destination IPs from the temporary identification table into a destination IP table;
if the IP C segment corresponding to a destination IP in the temporary identification table is in the intranet IP segment table, comparing the source IP corresponding to that destination IP with the destination IP table;
if the source IP is in the destination IP table, storing the IP C segment corresponding to the source IP in the IP C segment table.
In the implementation process, whether the IP C segment corresponding to a source IP in the temporary identification table is an intranet IP segment is identified with the help of the destination IP table, so that the identification range of intranet IP segments is enlarged and an automatic clustering effect is achieved, which enhances the accuracy and improves the comprehensiveness of intranet asset identification.
In a second aspect, an embodiment of the present application provides an intranet asset identification apparatus, where the apparatus includes:
an information acquisition module, used for acquiring port information and IP information carried by the traffic;
and an identification module, used for identifying an intranet IP segment in the traffic according to the port information and the IP information, and determining the devices corresponding to the intranet IP segment as intranet assets.
In a third aspect, an embodiment of the present application provides an electronic device comprising a processor and a memory storing computer readable instructions which, when executed by the processor, perform the steps of the method as provided in the first aspect above.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the method as provided in the first aspect above.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the embodiments of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed in the embodiments are briefly described below. It should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting its scope, and that other related drawings can be obtained from these drawings without inventive effort by a person skilled in the art.
Fig. 1 is a flowchart of an intranet asset identification method provided by an embodiment of the present application;
Fig. 2 is a block diagram of an intranet asset identification device according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an electronic device for executing an intranet asset identification method according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
It should be noted that the terms "system" and "network" in embodiments of the present application may be used interchangeably. "Plurality" means two or more, and may also be understood as "at least two" in this embodiment of the present application. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may indicate that A exists alone, that A and B exist together, or that B exists alone. The character "/", unless otherwise specified, generally indicates that the associated objects are in an "or" relationship.
The embodiment of the application provides an intranet asset identification method, which identifies the intranet IP segment in traffic by combining the port information and the IP information carried by the traffic; the devices corresponding to the intranet IP segment are intranet assets, so intranet asset identification is achieved. Because the IP information and the port information reflect the communication characteristics of the devices well (that is, the communication characteristics among all the devices in the intranet can be represented by the IP information and the port information), the method is suitable for the communication environment of any local area network, including the scenario of a public network segment used privately; intranet assets can be effectively identified based on these two kinds of information, and the scheme does not depend on network segments to identify intranet assets.
Referring to fig. 1, fig. 1 is a flowchart of an intranet asset identification method according to an embodiment of the present application, where the method includes the following steps:
Step S110: acquiring port information and IP information carried by the traffic.
The execution body of the intranet asset identification method of the embodiment of the application can be a collection device deployed in the intranet, such as a sensor. The sensor can be used to collect network traffic, and sensors can be reasonably deployed at multiple positions of the network so as to collect network traffic that is as comprehensive as possible. Alternatively, the collection device may be a firewall device, which can be used to collect network traffic, then identify the intranet IP segment in the traffic and thereby learn which devices are intranet assets, so that security detection and other operations can be performed on these intranet assets later. For convenience of description, the following embodiments refer to the sensor or firewall generically as the collection device.
The traffic can be real-time traffic or cached traffic; for example, the collection device can cache the collected traffic and then identify intranet assets in the cached traffic at intervals.
The traffic includes a large number of messages, and these messages carry port information and IP information, that is, four-tuple information comprising the source port, source IP address, destination port and destination IP address. Here the port information includes the source port and destination port together with the corresponding statistics of these ports, such as the port count, and the IP information includes the source IP address and destination IP address together with the corresponding statistics of these IP addresses, such as the IP C segment corresponding to each address and the IP count.
Step S120: identifying an intranet IP segment in the traffic according to the port information and the IP information, and determining the devices corresponding to the intranet IP segment as intranet assets.
The devices corresponding to the intranet IP segment are the intranet assets. Because the port information and the IP information characterize the communication characteristics between devices (for example, for devices in an intranet, the communication port may be fixed or may be one of some default ports, and the IP information also follows certain rules), it is possible, based on these two kinds of information, to distinguish which traffic is communication between intranet devices and which traffic is external traffic, so that intranet assets are identified accurately.
In the implementation process, the intranet IP segment in the traffic is identified by combining the port information and the IP information carried by the traffic, and the devices corresponding to the intranet IP segment are the intranet assets, so that intranet asset identification is achieved.
Based on the above embodiment, identifying the intranet IP segment in the traffic based on the port information and the IP information specifically includes:
counting the number of destination ports corresponding to the same destination IP in the traffic, counting the number of source IPs corresponding to the same destination IP in the traffic, and identifying the intranet IP segment in the traffic based on the port count and the IP count.
An example of port count statistics: suppose the cached traffic includes 50 packets, each packet includes a destination IP and a destination port, and the number of distinct destination ports corresponding to each destination IP is counted, so the port count for any destination IP is at most 50 and a repeated destination port is counted once. For example, if 3 packets have the destination IP 195.1.1.1 with destination ports 20, 20 and 23, the port count for that destination IP is 2. In this way the number of destination ports corresponding to each destination IP can be counted; for example, destination IP 195.1.1.1 has a port count of 2, destination IP 195.1.1.2 has a port count of 3, and so on.
An example of IP count statistics: suppose the cached traffic includes 50 packets, and the destination IPs in the 50 packets are obtained; the number of distinct destination IPs is at most 50, for example 30 destination IPs (some packets share the same destination IP). The number of source IPs corresponding to each of the 30 destination IPs is then counted; for example, if 10 of the 50 messages all have the destination IP 195.1.1.1, the number of source IPs corresponding to that destination IP is 10. In this way the number of source IPs corresponding to each destination IP can be obtained statistically.
In the specific identification, if the destination port corresponding to the same destination IP does not hit the port white list and the corresponding port count is greater than the first threshold, the destination IP and its corresponding IP C segment are cached in the port identification table; if the number of source IPs corresponding to the same destination IP is larger than the second threshold and the average three-way handshake time of the messages corresponding to the destination IP is larger than the third threshold, the IP C segment of the destination IP is cached in the IP identification table; and if the same IP C segment exists in both the IP identification table and the port identification table, that IP C segment is determined to be the first intranet IP segment.
The port white list is preset and includes information on some fixed ports, such as ports used by the system by default, for example port numbers 21, 22 and 23, and the default ports of some common software, for example port numbers 1158 and 1433. If the destination port does not hit the port white list, that is, the destination port is not any port in the port white list, it can be preliminarily determined that the destination IP corresponding to the destination port may not belong to an intranet IP segment, and a further determination must be made by combining other information. It is then determined whether the port count is larger than the first threshold (the value of the first threshold can be set flexibly according to the practical situation); if so, the destination IP and its IP C segment can first be cached in the port identification table, because generally only intranet devices provide multiple services, so the number of ports corresponding to the same IP may be large. The entry is therefore temporarily cached in the port identification table (which may be recorded as port_c_internal) and is then further determined in combination with the IP identification table.
If the IP count is greater than the second threshold (the specific value of the second threshold can be set flexibly according to the actual situation), it indicates that the device corresponding to the destination IP is very likely to be an intranet device. Then the average three-way handshake time is obtained (the average can be calculated in real time, or calculated beforehand and read directly when needed); the three-way handshake time can serve as an auxiliary judgment for intranet asset identification, since generally speaking the handshake time between devices in a LAN is relatively short. If the average is greater than the third threshold (the value of the third threshold can be set flexibly according to the actual situation), it indicates that the device corresponding to the destination IP is likely to be an intranet asset, and the IP C segment of the destination IP can be temporarily cached in the IP identification table and then further judged in combination with the port identification table.
The port identification table holds a number of destination IPs and IP C segments, and the IP identification table caches a number of IP C segments; the devices corresponding to these destination IPs and IP C segments can be regarded as suspected intranet assets, so the two tables are combined to identify the intranet assets more accurately. If the same IP C segment exists in both the IP identification table and the port identification table (for example, the port identification table is searched for IP C segments equal to those in the IP identification table, or vice versa, the IP identification table is searched for IP C segments equal to those in the port identification table), then the IP C segments common to the IP identification table and the port identification table can be determined as the first intranet IP segment, that is, the devices corresponding to these common IP C segments can be regarded as intranet assets.
In the implementation process, if an IP C segment hits both the IP identification table and the port identification table, the IP C segment is actually an intranet IP segment; that is, identifying the intranet IP segment based on the combination of IP and port is more accurate.
In addition, the port identification table stores destination IPs and their corresponding IP C segments, and if the IP C segments corresponding to different destination IPs are the same, that IP C segment can be considered an intranet IP segment. So if different destination IPs in the port identification table have the same IP C segment, that IP C segment can be determined to be a second intranet IP segment, and the devices corresponding to the second intranet IP segment can be considered intranet assets.
For example, the port identification table contains the destination IP 10.1.1.2, whose corresponding IP C segment is 1; if there are two other different destination IPs, 10.1.1.3 and 10.1.1.4, whose IP C segment is also 1, then this IP C segment (1) can be considered an intranet IP segment. Of course, the count here means that at least two different destination IPs must correspond to the same IP C segment for it to be an intranet IP segment; otherwise it is not an intranet IP segment. Alternatively, a count threshold can be added here: for example, if the number of different destination IPs corresponding to the same IP C segment is greater than a certain threshold (the threshold can be set to 3 or 4, for example, and can be set according to the actual situation), the IP C segment is determined to be an intranet IP segment.
In the above embodiment, when the destination port does not hit the port white list, the port count is combined to further identify the intranet IP segment; if the destination port hits the port white list, it may be determined that the IP C segment corresponding to the destination port is a third intranet IP segment, and the devices corresponding to the third intranet IP segment may be regarded as intranet assets. The IP C segment here refers to the IP C segment of the destination IP corresponding to the destination port.
In practice, the port white list may be further subdivided, for example into a system fixed port white list and a software default port white list. The ports in the system fixed port white list are system default ports and are generally not tampered with at will (such as the SSH connection service, printer service, etc.), so if the destination port hits the system fixed port white list, it may be determined that the IP C segment corresponding to the destination port is the third intranet IP segment.
The ports in the software default port white list are dynamic ports that can be customized by the user, so adding the count judgment makes the result more accurate: if the destination port hits the software default port white list and the number of ports of the destination IP corresponding to the destination port is larger than a fourth threshold (the specific value of the threshold can be set flexibly according to the actual situation), the IP C segment of the destination IP is determined to be a third intranet IP segment.
For example, if a destination port is 1158 and port 1158 hits the software default port white list, the number of ports of the destination IP (e.g., 10.1.1.1) corresponding to destination port 1158 in the traffic is counted, that is, the number of destination ports corresponding to destination IP 10.1.1.1 in the traffic (e.g., the destination ports corresponding to this destination IP include 1158, 1433 and 1642, so the port count is 3). If the number of destination ports corresponding to the destination IP 10.1.1.1 is greater than the fourth threshold, the IP C segment of the destination IP 10.1.1.1 is regarded as an intranet IP segment; otherwise, the IP C segment is not regarded as an intranet IP segment.
In addition, when the IP information is identified, if the number of source IPs corresponding to the same destination IP is greater than the second threshold, the average three-way handshake time of the messages corresponding to the destination IP is calculated, and if the average is less than or equal to the third threshold, the IP C segment of the same destination IP is determined to be the fourth intranet IP segment (because the three-way handshake time of intranet devices is generally relatively short, if the average is less than or equal to the third threshold, the IP C segment is determined to be an intranet asset).
In the implementation process, the port white list contains some default ports, which are generally intranet ports, so if the port white list is hit, the corresponding IP C segment is considered an intranet IP segment. Generally, the three-way handshake time of communication between devices in an intranet is shorter, so if the average three-way handshake time is smaller than the threshold, the IP C segment is determined to be an intranet IP segment.
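As an added worked example (not code from the patent or its assignees), the following Python puts the first-to-fourth intranet IP segment rules described above over constructed four-tuple records. The thresholds, the two white lists, the handshake values and the convention of writing an IP C segment as its first three octets are all assumptions for illustration; the patent leaves them configurable.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Dict, Iterable, List, Set

# Thresholds and white lists are assumed values; the patent leaves them configurable.
FIRST_THRESHOLD = 2       # distinct destination ports per destination IP (port identification table)
SECOND_THRESHOLD = 2      # distinct source IPs per destination IP (IP identification table)
THIRD_THRESHOLD_MS = 5.0  # average three-way handshake time, milliseconds
FOURTH_THRESHOLD = 2      # port count required when a software default port is hit
SYSTEM_FIXED_PORTS = {21, 22, 23}       # examples named in the description
SOFTWARE_DEFAULT_PORTS = {1158, 1433}   # examples named in the description


@dataclass(frozen=True)
class Flow:
    """One message from the collected traffic, reduced to the fields the method uses."""
    src_ip: str
    dst_ip: str
    dst_port: int
    handshake_ms: float  # three-way handshake time observed for this message


def c_segment(ip: str) -> str:
    """IP C segment written as the first three octets, e.g. '10.1.1' for 10.1.1.2 (assumed notation)."""
    return ".".join(ip.split(".")[:3])


def identify_intranet_segments(flows: Iterable[Flow]) -> Dict[str, Set[str]]:
    """Build the port identification table and the IP identification table from the
    per-destination-IP statistics and derive the first to fourth intranet IP segments."""
    dst_ports: Dict[str, Set[int]] = defaultdict(set)
    src_ips: Dict[str, Set[str]] = defaultdict(set)
    handshakes: Dict[str, List[float]] = defaultdict(list)
    for f in flows:
        dst_ports[f.dst_ip].add(f.dst_port)
        src_ips[f.dst_ip].add(f.src_ip)
        handshakes[f.dst_ip].append(f.handshake_ms)

    port_table: Dict[str, str] = {}   # destination IP -> its C segment (port_c_internal)
    ip_table: Set[str] = set()        # C segments cached by the source-IP / handshake rule
    third: Set[str] = set()
    fourth: Set[str] = set()

    for dst_ip, ports in dst_ports.items():
        seg = c_segment(dst_ip)
        n_ports = len(ports)
        n_sources = len(src_ips[dst_ip])
        avg_handshake = mean(handshakes[dst_ip])

        for port in ports:
            if port in SYSTEM_FIXED_PORTS:
                third.add(seg)                      # system fixed port hit: third segment
            elif port in SOFTWARE_DEFAULT_PORTS:
                if n_ports > FOURTH_THRESHOLD:      # software default port also needs the count check
                    third.add(seg)
            elif n_ports > FIRST_THRESHOLD:
                port_table[dst_ip] = seg            # no white-list hit but many ports: suspected

        if n_sources > SECOND_THRESHOLD:
            if avg_handshake > THIRD_THRESHOLD_MS:
                ip_table.add(seg)                   # suspected; confirmed against the port table
            else:
                fourth.add(seg)                     # short handshake: fourth segment directly

    # First intranet segment: a C segment present in both tables.
    first = set(port_table.values()) & ip_table
    # Second intranet segment: at least two different destination IPs share a C segment.
    ips_per_segment: Dict[str, Set[str]] = defaultdict(set)
    for dst_ip, seg in port_table.items():
        ips_per_segment[seg].add(dst_ip)
    second = {seg for seg, ips in ips_per_segment.items() if len(ips) >= 2}

    return {"first": first, "second": second, "third": third, "fourth": fourth,
            "port_table": set(port_table), "ip_table": ip_table}


def all_intranet_segments(flows: Iterable[Flow]) -> Set[str]:
    """Union of the four identified intranet IP segments (white_current_ip before expansion)."""
    r = identify_intranet_segments(list(flows))
    return r["first"] | r["second"] | r["third"] | r["fourth"]


# Constructed sample traffic (not from the patent); 203.0.113.9 plays an external host.
SAMPLE_FLOWS = [
    Flow("10.1.5.1", "10.1.1.2", 8080, 8.0), Flow("10.1.5.2", "10.1.1.2", 8081, 9.0),
    Flow("10.1.5.3", "10.1.1.2", 8082, 10.0),
    Flow("10.1.5.1", "10.1.1.3", 9000, 1.0), Flow("10.1.5.1", "10.1.1.3", 9001, 1.0),
    Flow("10.1.5.1", "10.1.1.3", 9002, 1.0),
    Flow("10.1.5.1", "10.1.2.10", 22, 1.0),
    Flow("10.1.5.1", "10.1.3.20", 1158, 2.0), Flow("10.1.5.1", "10.1.3.20", 1433, 2.0),
    Flow("10.1.5.1", "10.1.3.20", 1642, 2.0),
    Flow("10.1.5.1", "10.1.4.30", 443, 1.0), Flow("10.1.5.2", "10.1.4.30", 443, 2.0),
    Flow("10.1.5.3", "10.1.4.30", 443, 3.0),
    Flow("10.1.5.1", "203.0.113.9", 443, 40.0),
]

if __name__ == "__main__":
    for name, segs in identify_intranet_segments(SAMPLE_FLOWS).items():
        print(f"{name}: {sorted(segs)}")
```

With the sample, 10.1.1 lands in both tables (first segment) and is shared by two destination IPs in the port table (second segment), 10.1.2 and 10.1.3 come from the two white lists, 10.1.4 from the short handshake, and the external host is never classified.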
On the basis of the above embodiment, the first, second, third and fourth intranet IP segments have been identified, and the devices in those segments may be considered intranet assets. In practice, however, the intranet may contain further IP segments that have not yet been identified, so the intranet IP segments may be further identified as follows:
the IP C segments that share the same IP B segment within the intranet IP segments are expanded according to their upper and lower limits, the IP C segments obtained by expansion are stored in an IP C segment table, where the intranet IP segments comprise the first, second, third and fourth intranet IP segments, and the IP C segments in the IP C segment table are then determined to be the final intranet IP segments.
For convenience of description, all IP segments included in the first, second, third and fourth intranet IP segments may be denoted white_current_ip (the intranet IP segments). All IP C segments stored in white_current_ip are then collected (individual IPs are not counted, only their C segments), and the IP C segments that share an IP B segment are expanded according to their upper and lower limits. For example, the two IP addresses 10.1.1.1 and 10.1.6.6 have the same IP B segment (10.1), so their IP C segments 10.1.1.X and 10.1.6.X can be expanded to cover 10.1.1.X through 10.1.6.X; the expansion adds 10.1.2.X, 10.1.3.X, 10.1.4.X and 10.1.5.X. That is, every IP C segment lying between the minimum and the maximum IP C segment recorded in white_current_ip for that B segment is added.
The reason the expansion is sound is that the IP C segments in the IP C segment table are already known to be intranet IP segments, so the IP C segments filled in between them are also taken to be intranet IP segments. This enlarges the identification range of the intranet IP segments and lets more of them be identified while keeping the expanded IP C segments within the intranet.
In some embodiments, to make the identification more accurate, the number of IP C segments sharing the same IP B segment may be counted first, and the expansion is performed only if that number exceeds a specified threshold. A count above the threshold indicates that many IP C segments under that B segment are already known to be intranet, which only intranet devices would be expected to account for, so the IP C segments obtained by expansion are more likely to be intranet IP segments, improving the accuracy of the expansion.
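The expansion step above (fill in every C segment between the lowest and highest known intranet C segment under each B segment, optionally only when enough C segments are already known) as an added Python example. This is illustration code written for this page, not the patent's implementation; the function and parameter names, the acceptance of both IPs and `10.1.6.X`-style segment strings as input, and the sample input are assumptions. The input reproduces the page's 10.1.1.1 / 10.1.6.6 case and adds two further B segments.

```python
from collections import defaultdict


def c_segment(ip: str) -> str:
    """IP C segment of an address or segment string: '10.1.6.6' -> '10.1.6.X'."""
    return ".".join(ip.split(".")[:3]) + ".X"


def b_segment(c_seg: str) -> str:
    """IP B segment of a C segment: '10.1.6.X' -> '10.1'."""
    return ".".join(c_seg.split(".")[:2])


def expand_c_segments(white_current_ip, expand_threshold=0):
    """Build the IP C segment table from white_current_ip.

    white_current_ip holds IPs and/or C segments already classified as intranet
    (the first to fourth intranet IP segments). Only C segments are counted,
    not individual IPs. Under each B segment whose number of distinct C
    segments exceeds expand_threshold, every C segment between the lowest and
    the highest known one is filled in; otherwise the known segments are kept
    as they are.
    """
    thirds_by_b = defaultdict(set)
    for item in white_current_ip:
        seg = c_segment(item)
        thirds_by_b[b_segment(seg)].add(int(seg.split(".")[2]))

    table = set()
    for b, thirds in thirds_by_b.items():
        if len(thirds) > expand_threshold:
            candidates = range(min(thirds), max(thirds) + 1)  # upper/lower limit fill
        else:
            candidates = sorted(thirds)                       # too few: no expansion
        table.update(f"{b}.{t}.X" for t in candidates)

    # sort numerically by (B segment octets, third octet) for stable output
    return sorted(table, key=lambda s: tuple(int(x) for x in s.split(".")[:3]))


# Constructed input (assumed, not from the page): the page's 10.1.1.1 / 10.1.6.6
# case, a third IP already inside that span, one lone C segment under 172.16,
# and one entry already given as a segment string.
WHITE_CURRENT_IP = ["10.1.1.1", "10.1.6.6", "10.1.6.200", "172.16.40.9", "192.168.3.X"]

if __name__ == "__main__":
    for seg in expand_c_segments(WHITE_CURRENT_IP):
        print(seg)
```

The span between the lowest and highest known segment can be wide: two known segments 10.1.1.X and 10.1.250.X would pull in 248 unseen /24s. The count threshold described above is the page's only guard against that, which is why the example exposes it as `expand_threshold` rather than always expanding.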
On the basis of the above embodiment, to further improve the accuracy of intranet IP segment identification, after the IP C segment expansion the third intranet IP segment, the fourth intranet IP segment, the port identification table and the IP identification table, together with their corresponding four-tuple traffic information, may be cached in a temporary identification table. The IP C segments of all source IPs, and the number of occurrences of each IP C segment, are then extracted from the temporary identification table into an IP summary table; the IP C segment table is compared with the IP summary table; the IP C segments common to both whose occurrence counts fall within a preset top proportion are screened out and cached in an intranet IP segment table; and the IP C segments in the intranet IP segment table are determined to be the final intranet IP segments.
For convenience of description, the temporary identification table may be denoted ip_all_info; it stores the corresponding traffic information, including the four-tuple information, so the IP C segments of all source IPs can be extracted from ip_all_info and the number of occurrences of each IP C segment stored in the IP summary table, denoted all_src_ip_c_subject. For example, if one source IP extracted from ip_all_info is 195.1.1.1, its IP C segment is 195.1.1.X; the number of times 195.1.1.X occurs in ip_all_info, say 5, is counted, and the pair 195.1.1.X-5 is saved in all_src_ip_c_subject.
The IP C segment table, which includes the expanded IP C segments, may be denoted white_ip_c. white_ip_c and all_src_ip_c_subject are compared and the identical IP C segments, that is, their intersection, are screened out. The occurrence counts of these identical IP C segments are then read from all_src_ip_c_subject, and the IP C segments whose counts fall within a preset proportion (set according to the actual situation, for example the top 50%) are cached in the intranet IP segment table, denoted intranet_c_top. For example, the identical IP C segments are ordered by occurrence count from largest to smallest and the top 50% are stored in intranet_c_top. Alternatively, the IP C segments whose occurrence count exceeds a preset number (also set according to the actual situation, for example 3) are stored in intranet_c_top.
The reason for this screening is that an IP C segment appearing both in white_ip_c (as a destination, that is, on the server side) and among the source IPs (on the client side) belongs to devices that act as both server and client, which is characteristic of intranet devices, so the identical IP C segments in the top 50% by occurrence count are taken as intranet IP segments. The 50% is a threshold: the lower it is set, the higher the probability that a selected segment really is an intranet IP segment.
On the basis of the above embodiment, to identify still more intranet IP segments (for example where an intranet asset acts as both server and client, so that its IP C segment is an intranet IP segment), all destination IPs may be extracted from the temporary identification table into a destination IP table. If the IP C segment of a destination IP in the temporary identification table is in the intranet IP segment table, the source IPs corresponding to that destination IP are compared with the destination IP table, and if a source IP is present in the destination IP table, the IP C segment of that source IP is stored in the IP C segment table; the IP C segments in the IP C segment table are the final intranet IP segments.
In other words, if the IP C segment of a destination IP in ip_all_info is in the intranet IP segment table, all source IPs that connected to that destination IP are compared with the destination IP table all_dst_ip; if a source IP is in all_dst_ip, the IP C segment of that source IP is also considered an intranet IP segment and is saved in the IP C segment table.
The IP C segments in white_current_ip are then updated at intervals, and the steps from the IP C segment expansion through to saving the IP C segment of the source IP into the IP C segment table are repeated, so that the intranet IP segments are re-identified and expanded periodically.
In the implementation process, determining whether the IP C segment of a source IP in the temporary identification table is an intranet IP segment by combining it with the destination IP table enlarges the identification range of the intranet IP segments, achieves an automatic clustering effect, and improves both the accuracy and the completeness of intranet asset identification.
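The two post-expansion passes described above, the occurrence-count screening into intranet_c_top and the destination-IP-table clustering, as one added Python example. This is illustration code written for this page, not the patent's implementation; the function names, the choice of a simple `(source IP, destination IP)` pair to stand in for the four-tuple rows of ip_all_info (the two columns these steps actually read), the ceiling rounding of the top proportion, and the sample data are assumptions. The IP C segment table `WHITE_IP_C` is given directly, as the output of the expansion step would be.

```python
import math
from collections import Counter


def c_segment(ip: str) -> str:
    """IP C segment, in the page's notation: '195.1.1.1' -> '195.1.1.X'."""
    return ".".join(ip.split(".")[:3]) + ".X"


def build_src_summary(ip_all_info):
    """all_src_ip_c_subject: occurrences of each source IP's C segment in the
    temporary identification table (one count per record, so repeated
    connections from the same segment count repeatedly)."""
    return Counter(c_segment(src) for src, _dst in ip_all_info)


def screen_top_segments(white_ip_c, all_src_ip_c_subject, top_ratio=0.5, min_count=None):
    """intranet_c_top: C segments present in both white_ip_c (the expanded IP C
    segment table) and the source summary, keeping either the top share by
    occurrence count or, if min_count is given, only those seen more than
    min_count times."""
    common = [(seg, n) for seg, n in all_src_ip_c_subject.items() if seg in white_ip_c]
    if min_count is not None:
        return {seg for seg, n in common if n > min_count}
    common.sort(key=lambda item: (-item[1], item[0]))  # most frequent first
    keep = math.ceil(len(common) * top_ratio)
    return {seg for seg, _n in common[:keep]}


def cluster_via_destination_table(ip_all_info, intranet_c_top, white_ip_c):
    """Destination-IP pass: a source that connects to a destination in an
    intranet_c_top segment and also appears as a destination itself (acts as
    both client and server) has its own C segment added to the table."""
    all_dst_ip = {dst for _src, dst in ip_all_info}
    table = set(white_ip_c)
    for src, dst in ip_all_info:
        if c_segment(dst) in intranet_c_top and src in all_dst_ip:
            table.add(c_segment(src))
    return table


# Constructed temporary identification table (not captured traffic) as
# (source IP, destination IP) pairs.
IP_ALL_INFO = [
    ("10.1.1.5", "10.1.3.7"), ("10.1.1.5", "10.1.3.7"),
    ("10.1.1.6", "10.1.3.7"), ("10.1.1.5", "10.1.7.9"),   # 10.1.1.X seen 4 times
    ("10.1.2.8", "10.1.3.7"), ("10.1.2.8", "10.1.3.7"),
    ("10.1.2.9", "10.1.3.7"),                             # 10.1.2.X seen 3 times
    ("10.1.4.3", "10.1.3.7"),                             # 10.1.4.X seen once
    ("10.1.7.9", "10.1.1.5"),      # client of 10.1.1.5, and its server above
    ("203.0.113.50", "10.1.2.8"),  # external client that is never a destination
] + [("198.51.100.7", f"10.1.3.{i}") for i in range(10)]  # scanner: 10 hits,
                                                          # but not in white_ip_c
WHITE_IP_C = {"10.1.1.X", "10.1.2.X", "10.1.3.X", "10.1.4.X"}  # expanded table


def run(ip_all_info=IP_ALL_INFO, white_ip_c=WHITE_IP_C):
    """Both passes in order; returns (intranet_c_top, final IP C segment table)."""
    summary = build_src_summary(ip_all_info)
    top = screen_top_segments(white_ip_c, summary)
    return top, cluster_via_destination_table(ip_all_info, top, white_ip_c)


if __name__ == "__main__":
    top, final = run()
    print("intranet_c_top:", sorted(top))
    print("final IP C segment table:", sorted(final))
```

Two things the sample data is built to show: the external scanner 198.51.100.7 has the highest source count of all but never enters intranet_c_top because its segment is not in white_ip_c, and 10.1.7.X is picked up only because 10.1.7.9 is both a client of an intranet_c_top server and a destination elsewhere. The converse risk is that all_dst_ip holds every destination, including external hosts that intranet machines connect to outbound; if such a host also connects back to an intranet server, its C segment would be added. Restricting the destination table to private address space or to segments already in white_ip_c is the obvious tightening; the page itself applies no such filter.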
Referring to fig. 2, fig. 2 is a block diagram of an intranet asset identification apparatus 200 according to an embodiment of the present application, where the apparatus 200 may be a module, a program segment, or code on an electronic device. It should be understood that the apparatus 200 corresponds to the method embodiment of fig. 1 and can perform the steps involved in that embodiment; for the specific functions of the apparatus 200, reference may be made to the above description, and detailed descriptions are omitted here where appropriate to avoid redundancy.
Optionally, the apparatus 200 includes:
an information obtaining module 210, configured to obtain port information and IP information carried by traffic;
and an identifying module 220, configured to identify an intranet IP segment in the traffic according to the port information and the IP information, and to determine the device corresponding to the intranet IP segment as an intranet asset.
Optionally, the identifying module 220 is configured to count the number of destination ports corresponding to the same destination IP in the traffic and the number of source IPs corresponding to the same destination IP in the traffic, and to identify the intranet IP segment in the traffic based on the port count and the IP count.
Optionally, the identifying module 220 is configured to cache the destination IP and its IP C segment in the port identification table if the destination ports corresponding to the same destination IP do not hit the port whitelist and the port count is greater than a first threshold; to cache the IP C segment of the destination IP in the IP identification table if the number of source IPs corresponding to the same destination IP is greater than a second threshold and the average three-way handshake time of the packets corresponding to that destination IP is greater than a third threshold; and, if the same IP C segment exists in both the IP identification table and the port identification table, to determine that IP C segment to be the first intranet IP segment.
Optionally, the identifying module 220 is configured to determine an IP C segment to be the second intranet IP segment if different destination IPs in the port identification table share that IP C segment.
Optionally, the identifying module 220 is configured to determine the IP C segment of the destination IP corresponding to a destination port to be the third intranet IP segment if that destination port hits the port whitelist, and to determine the IP C segment of the same destination IP to be the fourth intranet IP segment if the average three-way handshake time is less than or equal to the third threshold.
Optionally, the identifying module 220 is configured to determine the IP C segment corresponding to a destination port to be the third intranet IP segment if that destination port hits the system fixed port whitelist, and to determine the IP C segment of the destination IP to be the third intranet IP segment if the destination port hits the software default port whitelist and the number of destination IP ports corresponding to that destination port is greater than a fourth threshold.
Optionally, the identifying module 220 is configured to expand the IP C segments that share the same IP B segment within the intranet IP segments according to their upper and lower limits and store the IP C segments obtained by expansion in an IP C segment table, where the intranet IP segments include the first, second, third and fourth intranet IP segments, and to determine the IP C segments in the IP C segment table to be the final intranet IP segments.
Optionally, the identifying module 220 is configured to cache the third intranet IP segment, the fourth intranet IP segment, the port identification table and the IP identification table, together with their corresponding traffic information, in a temporary identification table; extract the IP C segments of all source IPs and the number of occurrences of each IP C segment from the temporary identification table into an IP summary table; compare the IP C segment table with the IP summary table, screen out the identical IP C segments whose occurrence counts fall within a preset top proportion, and cache the screened IP C segments in an intranet IP segment table; and determine the IP C segments in the intranet IP segment table to be the final intranet IP segments.
Optionally, the identifying module 220 is configured to extract all destination IPs from the temporary identification table into a destination IP table; if the IP C segment corresponding to a destination IP in the temporary identification table is in the intranet IP segment table, compare the source IPs corresponding to that destination IP with the destination IP table; and if a source IP is in the destination IP table, store the IP C segment corresponding to that source IP in the IP C segment table.
It should be noted that, for convenience and brevity of description, a person skilled in the art will clearly understand that for the specific working procedure of the apparatus described above, reference may be made to the corresponding procedure in the foregoing method embodiment; the description is not repeated here.
Referring to fig. 3, fig. 3 is a schematic structural diagram of an electronic device for executing the intranet asset identification method according to an embodiment of the present application. The electronic device may include at least one processor 310, such as a CPU, at least one communication interface 320, at least one memory 330, and at least one communication bus 340, where the communication bus 340 is used to enable direct connection communication among these components. The communication interface 320 of the device in the embodiment of the present application is used for signaling or data communication with other node devices. The memory 330 may be a high-speed RAM or a non-volatile memory such as at least one disk storage. The memory 330 may also optionally be at least one storage device located remotely from the aforementioned processor. The memory 330 stores computer readable instructions which, when executed by the processor 310, perform the method process described above with reference to fig. 1.
It will be appreciated that the configuration shown in fig. 3 is merely illustrative, and that the electronic device may also include more or fewer components than shown in fig. 3, or have a different configuration than shown in fig. 3. The components shown in fig. 3 may be implemented in hardware, software, or a combination thereof.
Embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs a method process performed by an electronic device in the method embodiment shown in fig. 1.
The present embodiment discloses a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, are capable of performing the methods provided by the above-described method embodiments, for example, comprising:
acquiring port information and IP information carried by traffic;
and identifying an intranet IP segment in the traffic according to the port information and the IP information, and determining the device corresponding to the intranet IP segment as an intranet asset.
In summary, the embodiments of the present application provide an intranet asset identification method and apparatus, an electronic device and a storage medium, which identify intranet IP segments in traffic by combining the port information and IP information carried by the traffic; the devices corresponding to those intranet IP segments are intranet assets, so the identification of intranet assets is achieved.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative; for example, the division into units is merely a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the couplings, direct couplings or communication connections shown or discussed between the components may be indirect couplings or communication connections through some communication interface, device or unit, and may be electrical, mechanical or of another form.
Further, the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Furthermore, functional modules in various embodiments of the present application may be integrated together to form a single portion, or each module may exist alone, or two or more modules may be integrated to form a single portion.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (12)

1. An intranet asset identification method, characterized in that the method comprises:
acquiring port information and IP information carried by traffic;
and identifying an intranet IP segment in the traffic according to the port information and the IP information, and determining the device corresponding to the intranet IP segment as an intranet asset.
2. The method of claim 1, wherein identifying the intranet IP segment in the traffic according to the port information and the IP information comprises:
counting the number of destination ports corresponding to the same destination IP in the traffic, and counting the number of source IPs corresponding to the same destination IP in the traffic;
and identifying the intranet IP segment in the traffic based on the port count and the IP count.
3. The method of claim 2, wherein identifying the intranet IP segment in the traffic based on the port count and the IP count comprises:
if the destination ports corresponding to the same destination IP do not hit a port whitelist and the port count is greater than a first threshold, caching the destination IP and its corresponding IP C segment in a port identification table;
if the number of source IPs corresponding to the same destination IP is greater than a second threshold and the average three-way handshake time of the packets corresponding to the destination IP is greater than a third threshold, caching the IP C segment of the destination IP in an IP identification table;
and if the same IP C segment exists in both the IP identification table and the port identification table, determining that IP C segment to be a first intranet IP segment.
4. The method of claim 3, wherein after caching the destination IP and the IP C segment corresponding to the destination port in the port identification table, the method further comprises:
if different destination IPs in the port identification table have the same IP C segment, determining that IP C segment to be a second intranet IP segment.
5. The method of claim 3, characterized in that the method further comprises:
if the destination port hits the port whitelist, determining the IP C segment of the destination IP corresponding to the destination port to be a third intranet IP segment;
and if the average three-way handshake time is less than or equal to the third threshold, determining the IP C segment of the same destination IP to be a fourth intranet IP segment.
6. The method of claim 5, wherein if the destination port hits the port whitelist, determining the IP C segment of the destination IP corresponding to the destination port to be the third intranet IP segment comprises:
if the destination port hits a system fixed port whitelist, determining the IP C segment corresponding to the destination port to be the third intranet IP segment;
and if the destination port hits a software default port whitelist and the number of destination IP ports corresponding to the destination port is greater than a fourth threshold, determining the IP C segment of the destination IP to be the third intranet IP segment.
7. The method according to claim 5 or 6, characterized in that the method further comprises:
expanding the IP C segments having the same IP B segment within the intranet IP segments according to their upper and lower limits, and storing the expanded IP C segments in an IP C segment table, wherein the intranet IP segments comprise the first intranet IP segment, the second intranet IP segment, the third intranet IP segment and the fourth intranet IP segment;
and determining the IP C segments in the IP C segment table to be final intranet IP segments.
8. The method of claim 7, wherein after storing the expanded IP C segments in the IP C segment table, the method further comprises:
caching the third intranet IP segment, the fourth intranet IP segment, the port identification table and the IP identification table, together with their corresponding traffic information, in a temporary identification table;
extracting the IP C segments of all source IPs and the number of occurrences of each IP C segment from the temporary identification table into an IP summary table;
comparing the IP C segment table with the IP summary table, screening out the identical IP C segments whose occurrence counts fall within a preset top proportion, and caching the screened IP C segments in an intranet IP segment table;
and determining the IP C segments in the intranet IP segment table to be final intranet IP segments.
9. The method of claim 8, wherein after caching the screened IP C segments in the intranet IP segment table, the method further comprises:
extracting all destination IPs from the temporary identification table into a destination IP table;
if the IP C segment corresponding to a destination IP in the temporary identification table is in the intranet IP segment table, comparing the source IP corresponding to that destination IP with the destination IP table;
and if the source IP is in the destination IP table, storing the IP C segment corresponding to the source IP in the IP C segment table.
10. An intranet asset identification apparatus, characterized in that the apparatus comprises:
an information acquisition module, configured to acquire port information and IP information carried by traffic;
and an identification module, configured to identify an intranet IP segment in the traffic according to the port information and the IP information, and determine the device corresponding to the intranet IP segment as an intranet asset.
11. An electronic device comprising a processor and a memory storing computer readable instructions that, when executed by the processor, perform the method of any of claims 1-9.
12. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, performs the method according to any of claims 1-9.
Application CN202310491830.8A, priority date 2023-05-04, filing date 2023-05-04: Intranet asset identification method and device, electronic equipment and storage medium. Status: pending. Publication CN116647370A (en).

Publication

CN116647370A (en), published 2023-08-25


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination