CN116647375A - Fingerprint identification method and device and electronic equipment - Google Patents


Info

Publication number
CN116647375A
Authority
CN
China
Prior art keywords
network
fingerprint identification
rule
network data
fingerprint
Prior art date
Legal status
Pending
Application number
CN202310601786.1A
Other languages
Chinese (zh)
Inventor
甘安兴
Current Assignee
Shanghai Ambiton Information Technology Co ltd
Original Assignee
Shanghai Ambiton Information Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Shanghai Ambiton Information Technology Co ltd
Priority to CN202310601786.1A
Publication of CN116647375A
Legal status: Pending

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1433 Vulnerability analysis
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                        • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/40 Network security protocols

Abstract

The embodiment of the application discloses a fingerprint identification method, a fingerprint identification device and electronic equipment, which relate to the technical field of computers. The specific scheme is as follows: determining a fingerprint identification rule set; the fingerprint identification rule set at least comprises a fingerprint identification rule, wherein the fingerprint identification rule is used for detecting fingerprint information, and the fingerprint information is used for characterizing the characteristics of the network asset; acquiring network data of a network to be detected; and obtaining a matching result according to the network data and the fingerprint identification rule set, wherein the matching result is used for indicating whether fingerprint information exists in the network data.

Description

Fingerprint identification method and device and electronic equipment
Technical Field
The embodiments of the present application relate to the field of computer technology, and more particularly to a fingerprint identification method, a fingerprint identification device and an electronic device.
Background
As more network devices and terminals come into use in enterprises, information technology (IT) administrators run into problems with asset inventory and management. For example, how to identify network assets (different electronic devices, operating systems, application software, applications, service components, middleware and so on) among a vast number of IT assets; or, as another example, how to automatically obtain the latest network asset information after an asset is initialized or its configuration changes.
In the field of network security, a fingerprint can identify each network asset individually, so that network assets can be recognized. At present, fingerprint identification is mainly implemented with open-source tools, platforms or manual probing of network assets, which helps an IT administrator verify known vulnerabilities quickly and effectively and thereby improves the security and reliability of the network.
However, existing fingerprint identification tools are aimed mainly at low-traffic scenarios and identify network assets by active probing, so they suffer from a high false-alarm rate, comparison against a single fingerprint, and low working efficiency.
Disclosure of Invention
In view of the above problems, the embodiments of the present application provide a fingerprint identification method, apparatus and electronic device to address the drawbacks of existing fingerprint identification tools, which target low-traffic scenarios, identify network assets actively, and have a high false-alarm rate, single-fingerprint comparison and low working efficiency.
In a first aspect, an embodiment of the present application provides a fingerprint identification method, where the fingerprint identification method may include: determining a fingerprint identification rule set; the fingerprint identification rule set at least comprises a fingerprint identification rule, wherein the fingerprint identification rule is used for detecting fingerprint information, and the fingerprint information is used for characterizing the characteristics of the network asset; acquiring network data of a network to be detected; and obtaining a matching result according to the network data and the fingerprint identification rule set, wherein the matching result is used for indicating whether fingerprint information exists in the network data.
With reference to the first aspect, in an alternative manner, the fingerprint identification rule may include: a rule header and rule options; the rule header is used to determine the behavior of the rule, and the rule options are used to determine the characteristics and content of the rule.
With reference to the first aspect, in an alternative manner, the rule header may include a rule behavior, which indicates the action performed when the rule matches; the rule options may include an option keyword and option content, where the option keyword names the rule option and the option content is the value corresponding to that option.
With reference to the first aspect, in an alternative manner, the rule behavior may include a fingerprint identification behavior; the option key may include a network asset name, a defined content, and a network asset tag, the network asset name identifying whether the network name exists in the network data; defining content for defining a direction and form of network data; the network asset tag is used to identify a network asset.
With reference to the first aspect, in an optional manner, the option key may further include a network asset version, where the network asset version is used to identify whether the network asset version exists in the network data.
With reference to the first aspect, in an alternative manner, the fingerprint identification rule may be a Suricata fingerprint identification rule.
With reference to the first aspect, in an optional manner, acquiring network data of the network to be detected may include: acquiring network data packets of the network to be detected; reassembling the network data packets (grouping fragments and segments back together) to obtain reassembled network data, so that complete network data packets are available; and protocol-decoding the reassembled network packets to obtain the network data.
With reference to the first aspect, in an optional manner, the fingerprint identification method may further include: generating a log record of the fingerprint information under the condition that the network data comprise the fingerprint information as a matching result; the log record is stored and output.
In a second aspect, an embodiment of the present application further provides a fingerprint identification device. The fingerprint recognition device may include: a determining module, an acquiring module, a matching module and the like.
The determining module can be used for determining a fingerprint identification rule set; the set of fingerprint identification rules includes at least one fingerprint identification rule that can be used to detect fingerprint information that can be used to characterize the presence of a network asset in the network.
The acquisition module can be used to acquire network data of the network to be detected.
The matching module can be used to obtain a matching result from the network data and the fingerprint identification rule set, the matching result indicating whether fingerprint information exists in the network data.
In a third aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory for storing instructions executable by the processor. The processor is configured to execute the above-described instructions to cause the electronic device to implement the fingerprint identification method as described in the first aspect or a possible implementation of the first aspect.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium having computer program instructions stored thereon. The computer program instructions, when executed by an electronic device, cause the electronic device to implement the fingerprint identification method as described in the first aspect or a possible implementation of the first aspect.
In a fifth aspect, embodiments of the present application provide a computer program product comprising computer readable code which, when run in an electronic device, causes the electronic device to implement a fingerprint identification method as described in the first aspect or a possible implementation of the first aspect.
The scheme provided by the application is that a fingerprint identification rule set for identifying fingerprint information is firstly determined; then obtaining network data of a network to be detected; and finally, according to the network data and the fingerprint identification rule set, obtaining a matching result for indicating whether fingerprint information exists in the network data.
The scheme of the application is to acquire the network data of the network to be detected, namely passively acquire the network data. After the network data is obtained, the network data is matched with the determined fingerprint identification rule set, and then fingerprint information (i.e., network assets) in the network data is determined. That is, the scheme of the application only identifies the acquired network data, namely passively identifies the network asset, so that the network safety can be ensured to a certain extent, and the working efficiency is improved.
In addition, the scheme provided by the application matches the Suricata fingerprint identification rule set against the network data through the Suricata engine, so that the network asset is identified. Since the Suricata fingerprint identification rule set supports fingerprint identification over protocols such as HTTP, DNS, TCP, TLS, UDP and SMB, and supports matching on hexadecimal byte sequences, character strings and regular expressions, the scheme provided by the application can be used in high-traffic fingerprint identification scenarios and can solve the problem of poor fingerprint identification compatibility.
The foregoing description is only an overview of the technical solutions of the embodiments of the present application, and may be implemented according to the content of the specification, so that the technical means of the embodiments of the present application can be more clearly understood, and the following specific embodiments of the present application are given for clarity and understanding.
Drawings
The drawings are only for purposes of illustrating embodiments and are not to be construed as limiting the application. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
Fig. 1 shows a schematic structural diagram of an electronic device provided in the present embodiment;
Fig. 2 shows a schematic flow chart of a fingerprint identification method provided by the application;
Fig. 3 is a schematic flow chart of another fingerprint identification method according to the present application;
Fig. 4 shows a display interface of log information of an electronic device provided by the present application;
Fig. 5 shows a schematic structural diagram of a fingerprint identification apparatus provided by the present application.
Detailed Description
Exemplary embodiments of the present application will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present application are shown in the drawings, it should be understood that the present application may be embodied in various forms and should not be limited to the embodiments set forth herein.
The terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. In the description of the present application, unless otherwise indicated, the meaning of "a plurality" is two or more.
As more network devices and terminals come into use in enterprises, information technology (IT) administrators run into problems with asset inventory and management. For example, how to identify network assets (different electronic devices, operating systems, application software, applications, service components, middleware and so on) among a vast number of IT assets; or, as another example, how to automatically obtain the latest network asset information after an asset is initialized or its configuration changes.
In the field of network security, a fingerprint can identify each network asset individually, so that network assets can be recognized. At present, fingerprint identification mainly detects network assets through open-source tools, platforms or manual probing, and can accurately obtain middleware types, service component types and version information, which helps IT administrators verify known vulnerabilities quickly and effectively and thereby improves the security and reliability of the network.
Currently, common fingerprint detection objects may include: content management system (CMS) information, front-end technology, web servers, application servers, development languages, operating system information, content delivery network (CDN) information, web application firewall (WAF) information, Internet Protocol (IP) address and domain name information, port information, etc.
The CMS information may include: Chinese-language CMS products such as DedeCMS (rendered "dream of fabric" in the original), Empire CMS, phpcms, ecshop, etc.
The front-end technology may include: HyperText Markup Language 5 (HTML5), jQuery, Bootstrap, Pure, Ace, etc.
The web server may include: Apache, lighttpd, nginx, IIS, etc.
The application server may include: Tomcat, JBoss, WebLogic, WebSphere, etc.
The development language may include: PHP (Hypertext Preprocessor), Java, Ruby, Python, C#. The operating system information may include: Linux, win2k8, win7, Kali, CentOS, etc. The CDN information may include whether a CDN is used, such as Cloudflare, 360CDN, 365cyd, yunjiasu, etc. The IP and domain name information may include: IP and domain name registration information, service provider information, etc. The port information covers the common ports that some software or platforms probe to see which are open on the server.
Common fingerprint identification means may include: the MD5 message digest of a particular file; keywords contained in normal or error pages; keyword matching on request header information; keywords contained in part of the uniform resource locator (URL) (e.g., URL features such as wp-includes or dede); and the development language.
The fingerprint detection objects can be fingerprinted with a fingerprint identification tool. Nmap, WhatWeb, Wappalyzer, WhatRuns, WebEye, Goby, Nuclei and TideFinger are common fingerprint recognition tools. Nmap is used to scan basic information such as whether the target host is online, which ports it has open, the type of operating system, and so on. WhatWeb is a website fingerprinting tool shipped in Kali and developed in Ruby; it can recognize web technologies including content management systems (CMS), blog platforms, statistics/analytics packages, JavaScript libraries, web servers, embedded devices and the like, and can also identify version numbers, e-mail addresses, account IDs, web framework modules, SQL errors, etc. Wappalyzer is a browser plug-in that identifies the web technologies a target website uses, and can detect CMS and e-commerce systems, message boards, JavaScript frameworks, hosting panels, analytics tools and other web systems. Nuclei is a fast, customizable vulnerability scanner built on YAML templates, aimed mainly at web applications. TideFinger is used to scan web applications.
However, different fingerprinting tools yield different kinds of fingerprints: Nmap targets host systems, while Nuclei and TideFinger target web applications. A deployment that relies on Nmap alone, or on Nuclei or TideFinger alone, therefore has poor compatibility across asset types.
In addition, existing fingerprint identification tools are aimed mainly at low-traffic scenarios and can only identify network assets by actively sending probe packets. This has a certain impact on the network, is easily intercepted by security equipment, and suffers from a high false-alarm rate, a single fingerprint and low working efficiency.
In order to solve the above-mentioned problems, the present application provides a fingerprint identification method that first determines a fingerprint identification rule set for identifying fingerprint information; then obtaining network data of a network to be detected; and finally, according to the network data and the fingerprint identification rule set, obtaining a matching result for indicating whether fingerprint information exists in the network data.
The scheme of the application is to acquire the network data of the network to be detected flowing through, namely passively acquire the network data. After the network data is obtained, the network data is matched with the determined fingerprint identification rule set, and then fingerprint information (i.e., network assets) in the network data is determined. That is, the scheme of the application only identifies the acquired network data, namely passively identifies the network asset, so that the network safety can be ensured to a certain extent, and the working efficiency is improved.
In addition, the scheme provided by the application matches the surica fingerprint identification rule set with the network data through the surica engine, so that the network asset is identified. As the surica fingerprint identification rule set can support fingerprint identification of protocols such as HTTP, DNS, tcp, tls, udp, smb and the like, hexadecimal, character strings and regular expressions can be supported for matching. Therefore, the scheme provided by the application can be used for aiming at a large quantity of fingerprint identification scenes and can solve the problem of poor fingerprint identification compatibility.
The fingerprint identification method provided by the application is described below.
The fingerprint identification method provided by the embodiment of the application can be applied to electronic equipment. The electronic device may be a device having fingerprint recognition functionality.
In some embodiments, the electronic device may be a notebook, tablet, handheld computer, PC, personal digital assistant (personal digital assistant, PDA), wearable device, or the like. The embodiment of the application does not limit the specific form of the electronic equipment. In the embodiment of the application, the electronic equipment is taken as a notebook computer as an example for schematic description.
In some examples, taking an electronic device as a notebook computer as an example, fig. 1 shows a schematic structural diagram of an electronic device according to an embodiment of the present application.
As shown in fig. 1, the electronic device (i.e., notebook computer) may include: processor 110, fan 111, external memory interface 120, internal memory 121, universal serial bus (universal serial bus, USB) interface 130, charge management module 140, power management module 141, battery 142, display 150, antenna, wireless communication module 160, audio module 170, speaker (i.e., loudspeaker) 170A, microphone 170C, headset interface 170B, touch pad 180, keyboard 190, and camera 191, among others.
The other devices (such as the processor 110, the fan 111, the external memory interface 120, the internal memory 121, the USB interface 130, the charge management module 140, the power management module 141, the battery 142, the antenna, the wireless communication module 160, the audio module 170, the touch pad 180, the speaker 170A, the microphone 170C, the earphone interface 170B, the keyboard 190, the camera 191, etc.) except the display 150 may be disposed on the base of the notebook computer. The camera 191 may also be disposed on a frame of the display 150 of the notebook computer.
It should be understood that the structure illustrated in this embodiment does not constitute a specific limitation on the notebook computer. In other embodiments, the notebook computer may include more or less components than illustrated, or certain components may be combined, or certain components may be split, or different arrangements of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
The processor 110 may include one or more processing units, such as: the processor 110 may include an application processor (application processor, AP), a modem processor, a graphics processor (graphics processing unit, GPU), an image signal processor (image signal processor, ISP), a controller, a memory, a video codec, a digital signal processor (digital signal processor, DSP), a baseband processor, and/or a neural network processor (neural-network processing unit, NPU), etc. Wherein the different processing units may be separate devices or may be integrated in one or more processors.
The controller can be a neural hub and a command center of the notebook computer. The controller can generate operation control signals according to the instruction operation codes and the time sequence signals to finish the control of instruction fetching and instruction execution.
A memory may also be provided in the processor 110 for storing instructions and data. In some embodiments, the memory in the processor 110 is a cache memory. The memory may hold instructions or data that the processor 110 has just used or will reuse. If the processor 110 needs the instruction or data again, it can be fetched directly from this memory, which avoids repeated accesses, reduces the latency of the processor 110, and thereby improves the efficiency of the system.
In some embodiments, the processor 110 may include one or more interfaces. The interfaces may include an integrated circuit (inter-integrated circuit, I2C) interface, an integrated circuit built-in audio (inter-integrated circuit sound, I2S) interface, a pulse code modulation (pulse code modulation, PCM) interface, a universal asynchronous receiver transmitter (universal asynchronous receiver/transmitter, UART) interface, a mobile industry processor interface (mobile industry processor interface, MIPI), a general-purpose input/output (GPIO) interface, a subscriber identity module (subscriber identity module, SIM) interface, and/or a universal serial bus (universal serial bus, USB) interface, among others.
It should be understood that the connection relationship between the modules illustrated in this embodiment is only illustrative, and does not limit the structure of the notebook computer. In other embodiments, the notebook computer may also use different interfacing modes, or a combination of multiple interfacing modes in the above embodiments.
The charge management module 140 is configured to receive a charge input from a charger (e.g., a wireless charger or a wired charger) to charge the battery 142. The wireless communication function of the notebook computer can be realized by an antenna and wireless communication module 160, a modem processor, a baseband processor, and the like.
The antenna is used for transmitting and receiving electromagnetic wave signals. Each antenna in a notebook computer may be used to cover a single or multiple communication bands. Different antennas may also be multiplexed to improve the utilization of the antennas.
In some embodiments, the antenna of the notebook computer is coupled with the wireless communication module 160 so that the notebook computer can communicate with the network and other devices through wireless communication technology. The wireless communication module 160 may provide solutions for wireless communication applied to a notebook computer, including wireless local area network (WLAN) (e.g., Wi-Fi network), Bluetooth (BT), global navigation satellite system (GNSS), frequency modulation (FM), near field communication (NFC), infrared (IR) technology, etc.
The notebook computer may implement display functions through a GPU, a display screen 150, an application processor, and the like. The GPU is a microprocessor for image processing, and is connected to the display 150 and the application processor. The GPU is used to perform mathematical and geometric calculations for graphics rendering. Processor 110 may include one or more GPUs that execute program instructions to generate or change display information. The display screen 150 is used to display images, videos, and the like.
The notebook computer can realize a photographing function through the ISP, the camera 191, the video codec, the GPU, the display screen 150, the application processor, and the like. The ISP is used to process the data fed back by the camera 191. In some embodiments, the ISP may be provided in the camera 191. The camera 191 is used to capture still images or video. In some embodiments, the notebook computer may include 1 or N cameras 191, N being a positive integer greater than 1.
The external memory interface 120 may be used to connect an external memory card, such as a Micro SD card, to extend the memory capabilities of a notebook computer. The internal memory 121 may be used to store computer-executable program code that includes instructions. The processor 110 executes various functional applications of the notebook computer and data processing by executing instructions stored in the internal memory 121. For example, in an embodiment of the present application, the processor 110 may include a storage program area and a storage data area by executing instructions stored in the internal memory 121.
The notebook computer may implement audio functions through an audio module 170, a speaker 170A, a microphone 170C, an earphone interface 170B, an application processor, and the like. Such as music playing, recording, etc.
It will be understood, of course, that the above illustration of fig. 1 is merely exemplary of the case where the electronic device is in the form of a notebook computer. If the electronic device is in the form of a handheld computer, PDA, personal computer, server, or other device, the electronic device may include fewer structures than those shown in fig. 1, or more structures than those shown in fig. 1, and is not limited thereto.
The methods in the following embodiments may be implemented in an electronic device having the above-described hardware structure. In the embodiment of the application, the electronic equipment is taken as a notebook computer as an example for schematic description.
Fig. 2 shows a flowchart of a fingerprint identification method according to an embodiment of the present application. As shown in fig. 2, the fingerprint identification method may include: S201-S203.
S201, determining a fingerprint identification rule set; the fingerprint identification rule set at least comprises a fingerprint identification rule, wherein the fingerprint identification rule is used for detecting fingerprint information, and the fingerprint information is used for characterizing the characteristics of the network asset.
A set of fingerprint identification rules is determined, the set of fingerprint identification rules including at least one fingerprint identification rule for detecting fingerprint information.
Each of the fingerprinting rules may include a rule header that may be used to determine the behavior of the rule and rule options that may be used to determine the characteristics and content of the rule.
In some embodiments, the rule header may include a rule behavior. The rule behavior indicates the action performed when the rule matches.
For example, rule actions may include fingerprint identification actions, alarm actions, record actions, pass actions, discard actions, and so forth.
In some embodiments, the rule header may also include rule conditions. Rule conditions specify the conditions that network data must satisfy before the rule is considered for matching.
For example, rule conditions may include protocol type, source address and port, destination address and port, and traffic direction.
In some embodiments, the rule options may include an option keyword and option content. The option keywords may be used to indicate rule options, the option content being the content to which the rule option corresponds.
In some embodiments, the option keywords may include a network asset name, qualifier content, and a network asset tag. The network asset name keyword is used to identify whether a given network asset name is present in the network data; the qualifier content restricts the direction and form of the network data to be matched; the network asset tag labels the identified network asset.
In some embodiments, the option keywords may also include a network asset version. The network asset version keyword is used to identify whether a network asset version is present in the network data.
In some embodiments, the option keywords may further include a feature identifier, a revision, a reference, a priority, a category, modifiers, a traffic direction, and the like. The feature identifier uniquely identifies a rule. The revision indicates that the rule has been modified. The reference links to external information sources. The priority manually sets the priority of the rule. The category classifies fingerprint identification rules by the type of activity they identify. Modifiers are appended after a content match to control precisely how the engine matches the content in the network data. The traffic direction restricts the source of the traffic.
By specifying fingerprint identification rules in this form, a fingerprint identification rule set is determined, and the rule set can then be used to identify whether fingerprint information (i.e., a network asset) exists in the network data.
S202, acquiring network data to be detected.
When network data of the network to be detected flows through the electronic device, the electronic device acquires the network data flowing through it.
In some embodiments, network data packets of the network to be detected are first acquired; the network data packets are then reassembled so as to obtain complete network data; and the reassembled network data is protocol-decoded to obtain the network data, so that deep fingerprint identification can be performed on it to identify fingerprint information (i.e., network assets).
In summary, the network data flowing through the electronic device is obtained, that is, the network data to be detected is obtained passively, so that the fingerprint information (i.e., network assets) in the network data is identified passively. In other words, the scheme of the application sends no probe packets of its own and only performs fingerprint identification on the network data it receives; it therefore does not disturb the monitored network, and there are no probes of its own that could be intercepted.
S203, obtaining a matching result according to the network data and the fingerprint identification rule set, wherein the matching result is used for indicating whether fingerprint information exists in the network data.
After the network data is obtained, the electronic device may match the network data with the fingerprint identification rule, to obtain a matching result for indicating whether fingerprint information exists in the network data.
In some embodiments, obtaining the matching result from the network data and the set of fingerprint recognition rules may include: determining a fingerprint identification rule in the fingerprint identification rule set according to the type of the network data; and matching the network data with the fingerprint identification rule to obtain a matching result.
When the network data matches a fingerprint identification rule, the matching result indicates that the network data includes fingerprint information, that is, a network asset is identified. When the network data matches no fingerprint identification rule, the matching result indicates that the network data does not include fingerprint information, that is, no network asset is identified, and fingerprint identification may end.
The scheme of the application provides a fingerprint identification method, which comprises the steps of first determining a fingerprint identification rule set for identifying fingerprint information; then obtaining network data of a network to be detected; and finally obtaining, according to the network data and the fingerprint identification rule set, a matching result indicating whether fingerprint information exists in the network data.
In the scheme of the application, the network data of the network to be detected that flows through the device is obtained, that is, the network data is obtained passively. After the network data is obtained, it is matched against the determined fingerprint identification rule set, and the fingerprint information (i.e., network assets) in the network data is thereby determined. In other words, the scheme of the application only identifies the acquired network data, i.e., identifies network assets passively, so that network security is preserved to a certain extent and working efficiency is improved.
The Suricata engine is a free, open-source, mature, fast and robust network threat detection engine. It performs real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata inspects network traffic using a powerful and extensive rules and signature language, and provides Lua scripting support for detecting complex threats. Its standard input and output formats (YAML and JSON) make integration with existing SIEMs, Splunk, Logstash/Elasticsearch, Kibana, other databases and other tools straightforward.
For ease of understanding, a specific implementation of the fingerprint identification method provided by the present application is described in detail below with reference to Fig. 3, taking a Suricata fingerprint identification rule set as the example rule set. As shown in Fig. 3, the fingerprint identification method provided by the embodiment of the present application may include S301-S309.
S301, determining a Suricata fingerprint identification rule set, where the Suricata fingerprint identification rule set includes at least one Suricata fingerprint identification rule, the Suricata fingerprint identification rule is used for detecting fingerprint information, and the fingerprint information describes characteristics of a network asset.
Each Suricata fingerprint identification rule includes a rule header, which determines the behavior of the rule, and rule options, which determine the characteristics and content of the rule.
The rule header may include a rule behavior. The rule behavior indicates the action to be performed when the rule matches.
The rule behavior may include a fingerprint identification behavior (fingerprint), which instructs the Suricata engine to perform fingerprint identification on the network data.
In some embodiments, the rule behavior may also include an alert behavior (alert), a log behavior, a pass behavior, a drop behavior, and so on. The alert behavior instructs the reporting engine to record the matching rule together with the network data associated with it. The log behavior instructs the reporting engine to record the matching rule only, without the associated network data. The pass behavior means that no further processing is done on the network data. The drop behavior discards the network data.
In some embodiments, the rule header may also include a protocol. The protocol tells the Suricata engine which protocol the Suricata fingerprint identification rule applies to. For example, the protocol may be tcp, udp, icmp or ip; in this scheme any may be used when the rule applies to both TCP and UDP.
In some embodiments, the rule header may also include the source/destination host. The source/destination host determines which hosts are matched as source/destination when matching (i.e., fingerprinting). For example, the source/destination hosts may be IP lists or IP ranges in Classless Inter-Domain Routing (CIDR) notation. Hosts may also be referenced through variables defined in the Suricata configuration file suricata.yaml, such as $HOME_NET. If the Suricata fingerprint identification rule cannot be limited to a specific set of hosts, the keyword any matches every host.
In some embodiments, the rule header may also include a source/destination port, which determines the ports matched for the source/destination host. A specific port may be given, for example 80, or the keyword any may be used to match any port.
In some embodiments, the rule header may also include a traffic direction (i.e., the direction of the network data). The traffic direction indicates the source of the traffic, so that only traffic (i.e., network data) in the specified direction is identified. The traffic direction also allows rules to be written against the state of the TCP connection, which is set up by the three-way handshake: in the first handshake the client sends a SYN packet to the server's listening port; in the second handshake, after receiving the SYN, the server replies to the client with a SYN/ACK packet; in the third handshake, after receiving the SYN/ACK, the client sends an ACK packet to the server.
The configuration format of the flow direction is flow:<option>,<option>,<option>; the first option is the state option, the second is the direction option, and the third is the stream mode option.
The state options include established and stateless. established indicates that the rule matches only traffic of a TCP session whose connection has been established; stateless indicates that the rule matches regardless of whether the TCP session has been established.
The direction options include to_server, from_server, to_client and from_client. to_server denotes traffic from the client to the server; from_server denotes traffic from the server to the client; to_client denotes traffic from the server to the client; from_client denotes traffic from the client to the server.
The stream mode options include no_stream and only_stream. only_stream indicates that the data to be matched is the reassembled stream data; no_stream indicates that the data to be matched is the individual network packet rather than the reassembled stream.
The rule options may include option keywords and option content. The option keyword indicates a rule option, and the option content is the content corresponding to that rule option. The option keywords may include the network asset name, the network asset version, qualifier content, the network asset tag, and so on.
The network asset name keyword (product.name.set) is used to identify whether a network asset name is present in the network data.
In some embodiments, after the regular expression for the network asset name is determined and matched, the matched content in the network data may be set as the network asset name, or a custom network asset name may be set instead.
For example, a rule fragment that sets the network asset name is as follows:
http.server;product.name.set:"Microsoft-IIS,iis";
In the above fingerprint identification rule, http.server indicates that matching is performed on the Server field of the HTTP response header. The content of product.name.set must be enclosed in double quotes and has the format "<pattern>[,<network asset name to set>]": the pattern to match and the network asset name to set are separated by a comma. The fragment above means that if Microsoft-IIS is matched, the network asset name is set to iis.
The part after the comma is optional; if it is absent, the matched pattern Microsoft-IIS itself is set as the network asset name.
The network asset version keyword (product.ver.set) is used to identify whether a network asset version is present in the network data.
In some embodiments, a regular expression for the network asset version is determined, and after it matches, the matched content in the network data is used as the network asset version.
For example, a rule fragment that sets the network asset version is as follows:
http.server;product.ver.set:"|28 28 28 34 7C 35 29 5C 2E 5B 30 2D 39 5D 29 7C 36 5C 2E 28 30 7C 31 29 29|";
http.server in the above fingerprint identification rule indicates matching on the Server field of the HTTP response header. The content of product.ver.set must be enclosed in double quotes and has the format "<pattern>". Content between pipe characters (|...|) is written as hexadecimal byte values, which the engine converts to a string.
The hexadecimal content above decodes to the regular expression (((4|5)\.[0-9])|6\.(0|1)), which matches versions 4.0 to 5.9 and 6.0 to 6.1. If the fingerprint identification rule hits, the string matched by this expression is set as the version of the network asset.
The qualifier content restricts the direction and form of the network data. It may include server-to-client qualifier content and client-to-server qualifier content. The server-to-client qualifier content restricts the content and storage form of data sent from the server to the client; the client-to-server qualifier content restricts the content and storage form of data sent from the client to the server.
The server-to-client qualifier content may include a server-to-client temporary storage keyword and a server-to-client buffer keyword.
The server-to-client temporary storage keyword (var.toclient.set) extracts a temporary variable from network data flowing in the to-client direction and stores it in the session, so that the network asset name and network asset version can be extracted from it in a second step. The keyword thus narrows the content that later keywords identify.
For example, a rule fragment using var.toclient.set is as follows:
http.server;var.toclient.set:"Microsoft-IIS/|28 28 28 34 7C 35 29 5C 2E 5B 30 2D 39 5D 29 7C 36 5C 2E 28 30 7C 31 29 29|";fast_pattern;
http.server in this fragment indicates matching on the Server field of the HTTP response header. The content of var.toclient.set must be enclosed in double quotes and has the format "<pattern>". The version part of the pattern is given in hexadecimal and decodes to the regular expression (((4|5)\.[0-9])|6\.(0|1)), so the whole pattern is Microsoft-IIS/ followed by that expression. The matched string is first extracted from the to-client network data and stored in the session as a temporary variable; when the stored variable is later matched against the version expression, the matched string is set as the version of the network asset.
The fragment uses fast_pattern, which designates this content as the pattern used in the prefilter (multi-pattern matching) stage, so it is evaluated before the other match fields; in other words, matching is performed first on the server-to-client temporary variable.
The server-to-client temporary storage keyword sets a temporary variable in the server-to-client direction and performs network asset (i.e., fingerprint information) identification on that variable first, which saves network resources while preserving fingerprint identification efficiency.
The server-to-client buffer keyword (var.toclient) selects the stored temporary variable as the buffer to match. It is a buffer-type modifier that changes the content the following keywords identify: those keywords match against the temporary variable extracted in the to-client direction, without regard to case. This makes it convenient to extract the network asset name and network asset version.
For example, a rule fragment using var.toclient is as follows:
http.server;var.toclient.set:"Microsoft-IIS/|28 28 28 34 7C 35 29 5C 2E 5B 30 2D 39 5D 29 7C 36 5C 2E 28 30 7C 31 29 29|";fast_pattern;var.toclient;product.name.set:"Microsoft-IIS";var.toclient;product.ver.set:"|28 28 28 34 7C 35 29 5C 2E 5B 30 2D 39 5D 29 7C 36 5C 2E 28 30 7C 31 29 29|";
In the above fingerprint identification rule, var.toclient directs matching to the temporary variable stored in the session by var.toclient.set.
var.toclient modifies the following product.name.set, i.e., it restricts the network asset name match: Microsoft-IIS is matched within the content extracted by var.toclient.set, and the network asset name is then set to Microsoft-IIS. The second var.toclient likewise restricts product.ver.set, so the version expression is matched within the same content and the matched string is set as the network asset version.
While restricting the traffic direction, the server-to-client buffer keyword accepts all traffic in that direction by default, i.e., without distinguishing the case of the content. In this way the traffic source is restricted while the efficiency of network asset (i.e., fingerprint information) identification is preserved, and the case of the network asset name or network asset version need not be specified.
The client-to-server qualifier content may include a client-to-server temporary storage keyword and a client-to-server buffer keyword.
The client-to-server temporary storage keyword (var.toserver.set) extracts a temporary variable from network data flowing in the to-server direction and stores it in the session, so that the network asset name and network asset version can be extracted from it in a second step. The keyword thus narrows the content that later keywords identify.
For example, a rule fragment using var.toserver.set is as follows:
http.user_agent;var.toserver.set:"curl/7.79.1";fast_pattern;
http.user_agent in this fragment indicates matching on the User-Agent field of the HTTP request header. The content of var.toserver.set must be enclosed in double quotes and has the format "<pattern>". Here the pattern is the literal string curl/7.79.1. The matched string is first extracted from the to-server network data and stored in the session as a temporary variable; the keywords that follow then extract the network asset name and version from it.
The fragment uses fast_pattern, which designates this content as the pattern used in the prefilter (multi-pattern matching) stage, so it is evaluated before the other match fields; in other words, matching is performed first on the client-to-server temporary variable.
The client-to-server temporary storage keyword sets a temporary variable in the client-to-server direction and performs network asset (i.e., fingerprint information) identification on that variable first, which saves network resources while preserving fingerprint identification efficiency.
The client-to-server buffer keyword (var.toserver) selects the stored temporary variable as the buffer to match. It is a buffer-type modifier that changes the content the following keywords detect: those keywords match against the temporary variable extracted in the to-server direction, without regard to case. This makes it convenient to extract the network asset name and network asset version.
For example, a rule fragment using var.toserver is as follows:
http.user_agent;var.toserver.set:"curl/7.79.1";fast_pattern;var.toserver;product.name.set:"curl";var.toserver;product.ver.set:"|5C 64 2E 5C 64 2B 5C 2E 5C 64 2B|";
In the above fingerprint identification rule, var.toserver directs matching to the temporary variable stored in the session by var.toserver.set.
var.toserver modifies the following product.name.set, i.e., it restricts the network asset name match: the keyword curl is matched within the content extracted by var.toserver.set, and the network asset name is then set to curl. The second var.toserver restricts product.ver.set, whose hexadecimal content decodes to the regular expression \d.\d+\.\d+; matched against curl/7.79.1 it yields 7.79.1, which is set as the network asset version.
While restricting the traffic direction, the client-to-server buffer keyword accepts all traffic in that direction by default, i.e., without distinguishing the case of the content. In this way the traffic source is restricted while the efficiency of network asset (i.e., fingerprint information) identification is preserved, and the case of the network asset name or network asset version need not be specified.
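The keyword chain described above (product.name.set and product.ver.set on a protocol buffer; var.toclient.set/var.toclient and var.toserver.set/var.toserver storing a session variable and re-matching inside it) can be exercised with the following Python evaluator. It is an added example, not code from the patent or from Suricata: the semantics are those the text describes, and the choice that text outside pipe characters is a literal while the hexadecimal content between pipes decodes to a regular expression is an assumption of this example. The rules are the page's own three fragments, given as already-split (keyword, value) pairs; the Server and User-Agent header values are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

HEX_BLOCK = re.compile(r"\|([0-9A-Fa-f ]+)\|")      # Suricata-style |XX XX ...| content
BUFFER_KEYWORDS = {"http.server", "http.user_agent", "http.response_body"}


def content_to_regex(raw: str, nocase: bool = False) -> "re.Pattern":
    """Turn rule content into a compiled regex.

    Assumption of this example: text outside |...| is a literal and is escaped;
    the bytes inside |...| are hex and decode to a regular expression,
    e.g. |28 34 7C 35 29| -> "(4|5)".
    """
    parts, pos = [], 0
    for m in HEX_BLOCK.finditer(raw):
        parts.append(re.escape(raw[pos:m.start()]))
        parts.append(bytes.fromhex(m.group(1)).decode("latin-1"))
        pos = m.end()
    parts.append(re.escape(raw[pos:]))
    return re.compile("".join(parts), re.IGNORECASE if nocase else 0)


def fingerprint(buffers: Dict[str, str], options: List[Tuple[str, Optional[str]]]) -> Optional[Dict]:
    """Evaluate the option keywords of one rule against one transaction.

    buffers: decoded protocol fields, e.g. {"http.server": "Microsoft-IIS/6.0"}.
    options: (keyword, value) pairs in rule order; value is None for bare keywords.
    Returns {"name": ..., "version": ...} when every content keyword matched,
    None as soon as one of them fails (the rule does not hit).
    """
    session: Dict[str, str] = {}        # temporary variables stored per session by var.*.set
    current, nocase = None, False
    result = {"name": None, "version": None}

    def search(pattern: str):
        return content_to_regex(pattern, nocase).search(current or "")

    for kw, val in options:
        if kw in BUFFER_KEYWORDS:                   # sticky buffer such as http.server
            current, nocase = buffers.get(kw), False
            if current is None:
                return None                         # this transaction has no such field
        elif kw in ("var.toclient", "var.toserver"):
            current = session.get(kw + ".set")      # re-match inside the stored variable
            nocase = True                           # the text: matched without regard to case
            if current is None:
                return None
        elif kw in ("var.toclient.set", "var.toserver.set"):
            m = search(val)
            if not m:
                return None
            session[kw] = m.group(0)                # keep the matched text for later keywords
        elif kw == "product.name.set":
            pattern, _, alias = val.partition(",")  # "<pattern>[,<name to set>]"
            m = search(pattern)
            if not m:
                return None
            result["name"] = alias or m.group(0)
        elif kw == "product.ver.set":
            m = search(val)
            if not m:
                return None
            result["version"] = m.group(0)
        elif kw == "fast_pattern":
            continue                                # prefilter hint; no effect on the result
        else:
            raise ValueError("keyword not handled by this example: " + kw)
    return result


# The page's fragments, pre-split into (keyword, value) pairs.
IIS_VERSION_HEX = "|28 28 28 34 7C 35 29 5C 2E 5B 30 2D 39 5D 29 7C 36 5C 2E 28 30 7C 31 29 29|"
IIS_RULE = [
    ("http.server", None),
    ("var.toclient.set", "Microsoft-IIS/" + IIS_VERSION_HEX), ("fast_pattern", None),
    ("var.toclient", None), ("product.name.set", "Microsoft-IIS"),
    ("var.toclient", None), ("product.ver.set", IIS_VERSION_HEX),
]
CURL_RULE = [
    ("http.user_agent", None),
    ("var.toserver.set", "curl/7.79.1"), ("fast_pattern", None),
    ("var.toserver", None), ("product.name.set", "curl"),
    ("var.toserver", None), ("product.ver.set", "|5C 64 2E 5C 64 2B 5C 2E 5C 64 2B|"),
]
ALIAS_RULE = [("http.server", None), ("product.name.set", "Microsoft-IIS,iis")]

if __name__ == "__main__":
    # constructed header values
    print(fingerprint({"http.server": "Microsoft-IIS/6.0"}, IIS_RULE))
    print(fingerprint({"http.server": "Microsoft-IIS/10.0"}, IIS_RULE))   # outside 4.x-6.1: no hit
    print(fingerprint({"http.user_agent": "curl/7.79.1"}, CURL_RULE))
```

Note that the IIS rule deliberately misses Microsoft-IIS/10.0: the version expression only covers 4.0 to 6.1, so a rule set needs a further rule (or a wider expression) before it can claim to identify newer IIS releases.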
When a Suricata fingerprint identification rule already carries such a qualifier, the traffic direction may optionally be left unset.
The network asset tag keyword (finger) labels the identified network asset. Multiple network asset tags may be given, separated by commas.
For example, a network asset tag is written as follows:
finger:operating system,windows 10;
The network asset tag need not be enclosed in quotes; multiple network asset tags are separated by commas.
In some embodiments, the option keywords may also include a feature identifier (sid), a revision (rev), a reference (reference), a priority (priority) and a category (classtype).
The feature identifier (sid) uniquely identifies a rule; it must not be repeated and may only be numeric.
For example, feature identifiers from 0 to 10000000 are reserved for Sourcefire VRT; feature identifiers from 20000000 to 29999999 are reserved for Emerging Threats (ET); feature identifiers above 30000000 are for general use.
The revision (rev) indicates that the Suricata fingerprint identification rule has been modified, i.e., it is the version number of the rule.
For example, when a new Suricata fingerprint identification rule is created, rev:1 identifies it as the first version. When the rule is later changed, no new rule needs to be created: rev is incremented while the feature identifier stays the same.
The reference links to the source of external information about the rule. Keeping such information outside the rule keeps the Suricata fingerprint identification rule tidy and short, and makes it easier to modify and edit.
For example, the reference may be given directly, such as: reference:url,doc.emergingthreats.net/2010235;
As another example, reference types may be defined in the reference.config file referenced from suricata.yaml, using the format config reference: <type> <url prefix>. For example, with the definition config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name= in that file, the rule option reference:cve,2001-0414; expands to the actual reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0414.
The priority (priority) manually specifies the priority of the Suricata fingerprint identification rule. Specifying the priority can improve fingerprint identification efficiency.
The priority is adjustable. For example, the priority may be set from 0 to 10, with 0 being the highest priority and 10 the lowest.
The category (classtype) classifies Suricata fingerprint identification rules according to the type of activity they identify.
For example, a rule specifies its category as classtype:<category name>;. The categories are described in the classification.config file referenced from suricata.yaml, in the format config classification: <classification name>,<classification description>,<classification priority>, where the classification priority is the default priority assigned to a fingerprint identification rule that uses the category.
In some embodiments, the option keywords may also include modifiers. Modifiers are appended after a content match so that the manner in which the Suricata engine matches the content in the network data can be controlled precisely.
For example, modifiers may include nocase, offset, depth, distance, within (distance and within used together define the range of a relative content match), and the HTTP content modifiers.
nocase makes the content match case-insensitive. For example, product.name.set:"root"; nocase; matches whether the network data contains root, ROOT or Root; as long as the network asset name root is present in any case, the network asset is considered present in the network data.
offset indicates that content matching starts at a particular position in the network data, counted from the actual start of the payload; the payload starts at byte 0, not byte 1. For example, product.name.set:"root"; offset:5; starts matching the network asset name root at byte offset 5 of the network data.
depth limits how far the search for the matching content extends. If offset is used, the depth is counted from the offset; otherwise it is counted from the start of the payload. For example, product.name.set:"root"; offset:5; depth:7; searches the network data from byte 5 for 7 bytes, i.e., the name root must lie entirely within byte offsets 5 to 11.
distance specifies the minimum distance between the end of the previous content match and the start of the current content match.
within limits how many bytes after the end of the previous content match the current match must be completed.
Using distance and within together limits the range of the second content match. For example, content:"evilliveshere"; content:"here"; distance:1; within:7;
matches the string here only if it begins at least 1 byte after the end of the matched string evilliveshere and ends no more than 7 bytes after it.
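The positional modifiers offset, depth, distance and within, and the nocase flag, are easy to get wrong at the boundaries, so the following Python function implements the semantics described above and runs the page's two examples (root with offset:5; depth:7, and evilliveshere followed by here with distance:1; within:7) against constructed payloads. It is an added example, not code from the patent or from Suricata; the payload bytes are constructed for illustration.

```python
from typing import List, Optional, Tuple


def find_content(payload: bytes, content: bytes, *, offset: int = 0,
                 depth: Optional[int] = None, distance: Optional[int] = None,
                 within: Optional[int] = None, nocase: bool = False,
                 prev_end: Optional[int] = None) -> Optional[Tuple[int, int]]:
    """Locate one content keyword in the payload; return (start, end) or None.

    Absolute form (no previous match): the search window begins at `offset`
    (byte 0 is the first payload byte) and, when `depth` is given, spans
    `depth` bytes from there; the content must lie entirely inside the window.
    Relative form (prev_end given): the window begins `distance` bytes after
    the end of the previous match and, when `within` is given, the content
    must end no more than `within` bytes after that previous end.
    """
    if prev_end is None:
        start = offset
        end = len(payload) if depth is None else offset + depth
    else:
        start = prev_end + (distance or 0)
        end = len(payload) if within is None else prev_end + within
    window = payload[start:end]
    if nocase:
        window, content = window.lower(), content.lower()
    idx = window.find(content)
    if idx < 0:
        return None
    return start + idx, start + idx + len(content)


def match_contents(payload: bytes, specs: List[Tuple[bytes, dict]]) -> Optional[List[Tuple[int, int]]]:
    """Evaluate a chain of content specs in rule order.

    A spec carrying distance or within is relative to the previous match, as
    in the rule language; any other spec is matched from the payload start.
    Returns the list of (start, end) spans, or None if any content fails.
    """
    spans: List[Tuple[int, int]] = []
    prev_end = None
    for content, mods in specs:
        relative = "distance" in mods or "within" in mods
        span = find_content(payload, content, prev_end=prev_end if relative else None, **mods)
        if span is None:
            return None
        spans.append(span)
        prev_end = span[1]
    return spans


# The page's examples as (content, modifiers) chains.
ROOT_RULE = [(b"root", {"offset": 5, "depth": 7})]
ROOT_NOCASE_RULE = [(b"root", {"offset": 5, "depth": 7, "nocase": True})]
EVIL_RULE = [(b"evilliveshere", {}), (b"here", {"distance": 1, "within": 7})]

if __name__ == "__main__":
    # constructed payloads
    for payload in (b"user=root;", b"rootuser=admin", b"123456789root", b"user=ROOT"):
        print(payload, match_contents(payload, ROOT_RULE), match_contents(payload, ROOT_NOCASE_RULE))
    for payload in (b"evilliveshere xhere", b"evillivesherehere", b"evilliveshere      here"):
        print(payload, match_contents(payload, EVIL_RULE))
```

The rootuser=admin and 123456789root payloads show the two ways offset:5; depth:7 excludes a match: the content may begin before the window, or it may end after byte 12; evillivesherehere is rejected because distance:1 forbids a match that starts immediately at the previous end, and six spaces push here past the within:7 limit.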
The HTTP content modifiers are used in fingerprint identification rules that identify HTTP network data. Suricata reassembles and normalizes HTTP traffic into dedicated buffers and provides these modifiers so that rules on HTTP network data can be written more efficiently.
For example: fingerprint tcp any any -> any 80 (msg:"Evil Domain www.appliednsm.com"; content:"GET"; http_method; product.name.set:"www.appliednsm.com"; http_uri; sid:5445555; rev:1;). Here http_method is the HTTP method (GET, POST, etc.) used by the client.
In some embodiments, the common HTTP content modifiers may further include http_client_body, http_cookie, http_header, http_uri, http_stat_code, http_stat_msg and http_encode.
http_client_body is the body of the HTTP client request; http_cookie is the Cookie field of the HTTP header; http_header is any content of the HTTP request or response header; http_uri is the URI requested by the HTTP client; http_stat_code is the HTTP status code of the server response; http_stat_msg is the HTTP status message of the server response; http_encode is the type of encoding used in the HTTP transfer.
In some embodiments, protocol header detection may include ttl, dsize, itype, icode, ip_proto, and so on. ttl matches the specified TTL value and accepts the relational operators <, <=, >= and >, which can help identify the type of network asset. dsize matches network packets of the specified payload size and likewise accepts the relational operators. itype matches the specified ICMP type value. icode matches the specified ICMP code value. ip_proto matches the specified IP protocol, such as IGMP or GRE.
A general fingerprint rule can be converted, by means of the Suricata fingerprint identification rule syntax, into a Suricata fingerprint identification rule that the Suricata engine can recognize.
For example, a general fingerprint rule is as follows:
when the network asset name is Baidu online web editor, the accessed network asset is considered to be Baidu online web editor if the field ueditor\.all\.js is present in the body of the HTTP response.
Using the Suricata fingerprint identification rule syntax described above, this fingerprint information is converted into the following Suricata fingerprint identification rule:
fingerprint http any any -> any any (msg:"Baidu online web editor fingerprint"; flow:established,to_client; http.response_body; product.name.set:"|75 65 64 69 74 6f 72 5c 2e 61 6c 6c 5c 2e 6a 73|,Baidu online web editor"; fast_pattern; classtype:finger-application-layer; reference:url,wait for update; sid:20000085; rev:1; finger:application-layer/editor; confidence:70;)
In the above Suricata fingerprint identification rule, the rule header includes the fingerprint identification behavior and the HTTP protocol for the network data. The rule options include:
the message Baidu online web editor fingerprint; the qualifier flow:established,to_client, which matches only server-to-client network data of an established TCP session; the identification range http.response_body, i.e., the body of the HTTP response; the content 75 65 64 69 74 6f 72 5c 2e 61 6c 6c 5c 2e 6a 73 (the hexadecimal form of ueditor\.all\.js), whose presence in the identified range means the target is considered to be Baidu online web editor; fast_pattern, which gives this content the highest matching priority; the category finger-application-layer, an application-layer network asset; a reference to a related link; the feature identifier 20000085; the rule version 1; the asset tag application-layer/editor; and the confidence level 70.
By converting a general fingerprint rule into the above Suricata fingerprint identification rule, which the Suricata engine can recognize, fingerprint (i.e., network asset) identification is achieved.
Since the Suricata engine supports protocols such as HTTP, DNS, TCP, TLS, UDP and SMB, and supports hexadecimal, string and regular-expression content, a general fingerprint identification rule converted into a Suricata fingerprint identification rule can identify assets over all of these protocols and match hexadecimal, string and regular-expression content, which improves fingerprint identification efficiency and widens the range of application scenarios.
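To show how the rule header and option syntax used throughout this section decomposes, the following Python parser splits a rule into its header fields (behavior, protocol, source/destination host and port, direction) and its (keyword, value) option pairs, honouring quoted values that contain semicolons or commas, and checks the constraints the text states: a known behavior, a numeric sid, and no repeated sid within a rule set. It is an added example, not code from the patent or from Suricata; the two rules it parses are the Baidu online web editor rule and the www.appliednsm.com rule given above, and the accepted behavior names are those the text lists.

```python
import re
from typing import Dict, List, Optional, Tuple

BEHAVIORS = {"fingerprint", "alert", "log", "pass", "drop"}   # rule behaviors listed in the text

HEADER = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$",
    re.DOTALL,
)


def _keyword_value(item: str) -> Tuple[str, Optional[str]]:
    keyword, sep, value = item.strip().partition(":")
    if not sep:
        return keyword, None                 # bare keyword such as fast_pattern or http_uri
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return keyword, value


def split_options(body: str) -> List[Tuple[str, Optional[str]]]:
    """Split 'kw:value; kw; kw:"a;b";' into (keyword, value) pairs.
    Semicolons inside double quotes belong to the value; quotes are stripped."""
    pairs: List[Tuple[str, Optional[str]]] = []
    buf, in_quotes, escaped = "", False, False
    for ch in body:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\" and in_quotes:
            buf, escaped = buf + ch, True
        elif ch == '"':
            in_quotes, buf = not in_quotes, buf + ch
        elif ch == ";" and not in_quotes:
            if buf.strip():
                pairs.append(_keyword_value(buf))
            buf = ""
        else:
            buf += ch
    if in_quotes:
        raise ValueError("unterminated quoted value in rule options")
    if buf.strip():
        pairs.append(_keyword_value(buf))
    return pairs


def parse_rule(text: str) -> Dict:
    """Parse one rule into header fields, an options list and an integer sid."""
    m = HEADER.match(text)
    if not m:
        raise ValueError("expected: action proto src sport direction dst dport (options)")
    rule = m.groupdict()
    if rule["action"] not in BEHAVIORS:
        raise ValueError("unknown rule behavior: " + rule["action"])
    rule["options"] = split_options(rule.pop("options"))
    sid = dict(rule["options"]).get("sid")
    if sid is None or not sid.isdigit():
        raise ValueError("sid is required and must be numeric")
    rule["sid"] = int(sid)
    return rule


def load_ruleset(rules: List[str]) -> Dict[int, Dict]:
    """Parse several rules and enforce that no sid is repeated."""
    ruleset: Dict[int, Dict] = {}
    for text in rules:
        rule = parse_rule(text)
        if rule["sid"] in ruleset:
            raise ValueError("duplicate sid %d" % rule["sid"])
        ruleset[rule["sid"]] = rule
    return ruleset


# The two rules given on the page.
UEDITOR_RULE = (
    'fingerprint http any any -> any any (msg:"Baidu online web editor fingerprint"; '
    'flow:established,to_client; http.response_body; '
    'product.name.set:"|75 65 64 69 74 6f 72 5c 2e 61 6c 6c 5c 2e 6a 73|,Baidu online web editor"; '
    'fast_pattern; classtype:finger-application-layer; reference:url,wait for update; '
    'sid:20000085; rev:1; finger:application-layer/editor; confidence:70;)'
)
EVIL_DOMAIN_RULE = (
    'fingerprint tcp any any -> any 80 (msg:"Evil Domain www.appliednsm.com"; content:"GET"; '
    'http_method; product.name.set:"www.appliednsm.com"; http_uri; sid:5445555; rev:1;)'
)

if __name__ == "__main__":
    for sid, rule in load_ruleset([UEDITOR_RULE, EVIL_DOMAIN_RULE]).items():
        print(sid, rule["action"], rule["proto"], rule["direction"], rule["dport"])
        for keyword, value in rule["options"]:
            print("   ", keyword, "=", value)
```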
S301 in the present embodiment corresponds to S201 in the above-described embodiment.
S302, acquiring a network data packet of a network to be detected.
When a network data packet of the network to be detected flows through the electronic device, the electronic device acquires the packet so that it can be reassembled.
In some embodiments, the engine (for example the Suricata engine) may obtain the network data packets flowing through the electronic device from a network interface or from a pcap file, so that the obtained packets can be reassembled.
S303, recombining the network data packet to obtain recombined network data so as to obtain a complete network data packet.
After the network data packet is obtained, the electronic device may perform packet reassembly to obtain a complete network data packet, so that protocol decoding can be performed on the reassembled packet.
In some embodiments, when the Suricata engine obtains network data packets, it reassembles the TCP and UDP network data packets so that deep fingerprint identification can be performed on the reassembled data.
S304, protocol decoding is carried out on the recombined network data packet, and network data is obtained.
After the reassembled network data packet is obtained, it is decoded according to the TCP and UDP protocols to obtain the network data. The network data may be five-tuple data. The five-tuple data may include: source IP, destination IP, source port, destination port, and transport protocol.
In some embodiments, after the reassembled network data packet is obtained, protocol decoding may include: the Suricata engine decodes the reassembled packet according to the TCP and UDP protocols, so that the various application protocols carried in the network data can be identified. For example, the protocols may include the Hypertext Transfer Protocol (HTTP), the Domain Name System (DNS), the File Transfer Protocol (FTP), and the like.
Note that S302 to S304 in the present embodiment correspond to S202 in the above-described embodiment. That is, S202 in the above-described embodiment can be realized by S302 to S304 in the present embodiment.
S305, determining a Suricata fingerprint identification rule in the Suricata fingerprint identification rule set according to the type of the protocol in the network data.
After the network data is obtained, a Suricata fingerprint identification rule whose protocol is consistent with the protocol type of the network data is selected from the Suricata fingerprint identification rule set, so that the network data can be matched against that rule to obtain a matching result.
The Suricata fingerprint identification rule set contains a series of Suricata fingerprint identification rules, each of which defines different fingerprint information. Therefore, the rules corresponding to the protocol type of the network data must first be determined within the rule set before fingerprint identification is performed.
S306, matching the network data with the Suricata fingerprint identification rule to obtain a matching result.
After the Suricata fingerprint identification rule is determined, the network data is matched against it and a matching result is obtained.
If the network data matches the Suricata fingerprint identification rule, the matching result is that the network data includes fingerprint information, and the following S307 is executed.
If the network data does not match the Suricata fingerprint identification rule, the matching result is that the network data does not include fingerprint information, and the fingerprint identification work can end.
In some embodiments, the Suricata engine matches the network data with the Suricata fingerprint identification rules to obtain the matching result.
S307, in the case where the network data matches the Suricata fingerprint identification rule, obtaining a matching result that the network data includes fingerprint information.
When the network data matches the Suricata fingerprint identification rule, the electronic device can determine that fingerprint information exists in the network data, that is, a network asset has been identified.
In some embodiments, the Suricata engine matches the protocol-decoded network data against the Suricata fingerprint identification rule, and when the degree of match between the network data and the rule reaches the preset confidence level, this indicates that fingerprint information exists in the network data, that is, that a network asset exists.
For example, when the confidence level in the Suricata fingerprint identification rule is 70, if the similarity between the network data and the rule is 70 or above, fingerprint information is considered to exist in the network data, that is, a network asset exists in the network data.
Note that S305 to S307 in the present embodiment correspond to S203 in the above-described embodiment. That is, S203 in the above-described embodiment can be realized by S305 to S307 in the present embodiment.
And S308, generating a log record of the fingerprint information when the matching result is that the network data comprises the fingerprint information.
When the Suricata engine detects fingerprint information (that is, a network asset), the electronic device may generate a log record corresponding to the fingerprint information.
The log record may include detailed information about the detected network asset. For example, the log information may include a timestamp, source IP address, destination IP address, protocol, rule ID, classification, priority, confidence, fingerprint tags, and the like.
S309, storing and outputting the log record.
After generating the log record of the fingerprint information, the electronic device stores the log record and outputs it.
In some embodiments, after generating the log record of fingerprint information, the electronic device may write the generated log record to disk.
For example, the rule behind a stored log record is as follows:
asset log http any any -> any any (msg:"CMS fingerprint"; flow:established,to_server; content:"ThinkPHP"; nocase; http_header; fast_pattern; classtype:protocol-command-decode; reference:cve,CVE-2014-1234; sid:127; rev:1; finger:CMS,THINKPHP; reliability:99;)
The Suricata engine reads this rule as follows: the identification rule name (msg) is "CMS fingerprint"; the protocol is HTTP; the flow option matches only network data from the client to the server on an established TCP session; the network asset name to look for is ThinkPHP, matched case-insensitively (nocase) anywhere in the HTTP header (the request header, given the to_server direction) and used as the fast pattern; the priority is the highest; the classtype is protocol-command-decode; the reference is CVE-2014-1234; the signature identifier (sid) is 127; the revision is 1; the fingerprint tags are CMS and THINKPHP; and the reliability (confidence level) is 99. The matching information is stored on the disk together with this confidence level.
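Steps S305 to S309 above (select rules by protocol, match the decoded network data, and write a log record for each hit), as an added Python example that is not part of the patent and not Suricata project code. The rule parser, the buffer selection, the decoded-data dictionaries and the log field names are assumptions; the ThinkPHP rule reuses the options of the stored-log rule above, and the UEditor rule is a constructed companion in the response direction. The example treats reliability as a per-rule attribute that is copied into the log, since content and pcre matches in Suricata are exact hits rather than similarity scores. The sample request and response are constructed; the addresses follow the log records shown on this page.

```python
"""Suricata-style fingerprint matching and log generation (added example)."""
import json
import re

# Constructed rules in the syntax of the stored-log rule above.  The ThinkPHP rule keeps that
# example's options; the UEditor rule is assumed and inspects the http.response_body buffer.
RULES = [
    'alert http any any -> any any (msg:"CMS fingerprint"; flow:established,to_server; '
    'content:"ThinkPHP"; nocase; http_header; fast_pattern; classtype:protocol-command-decode; '
    'reference:cve,CVE-2014-1234; sid:127; rev:1; finger:CMS,THINKPHP; reliability:99;)',
    'alert http any any -> any any (msg:"Baidu UEditor fingerprint"; flow:established,to_client; '
    'http.response_body; pcre:"/ueditor\\.all\\.js/i"; priority:1; sid:20000085; rev:1; '
    'finger:application/editors; reliability:70;)',
]

# Split the option list on ';' only when an even number of quotes follows (i.e. outside quotes).
_OPT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_rule(text):
    """Parse one rule into header fields plus option keywords and bare modifier flags."""
    header, _, body = text.partition("(")
    action, proto, src, src_port, _, dst, dst_port = header.split()
    opts, flags = {}, []
    for raw in _OPT_SPLIT.split(body.rstrip(")")):
        raw = raw.strip()
        if not raw:
            continue
        key, sep, value = raw.partition(":")
        if sep:
            opts[key] = value.strip().strip('"')
        else:
            flags.append(key)                 # e.g. nocase, http_header, http.response_body
    return {"action": action, "proto": proto, "opts": opts, "flags": flags}


def inspected_buffer(rule, data):
    """Pick the buffer the rule inspects (assumed model of http_header / http.response_body)."""
    if "http_header" in rule["flags"]:
        return data["http_header"]
    if "http.response_body" in rule["flags"]:
        return data["http_body"]
    return data["payload"]


def match_rule(rule, data):
    """True when protocol, flow direction and every content/pcre check of the rule hold."""
    opts, flags = rule["opts"], rule["flags"]
    if rule["proto"] != data["proto"]:
        return False
    direction = opts.get("flow", "").split(",")[-1]     # "established,to_server" -> "to_server"
    if direction in ("to_server", "to_client") and direction != data["direction"]:
        return False
    buf = inspected_buffer(rule, data)
    if "content" in opts:
        needle, hay = opts["content"], buf
        if "nocase" in flags:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    if "pcre" in opts:
        pattern, _, mods = opts["pcre"].rpartition("/")   # "/expr/i" -> "/expr", "i"
        if not re.search(pattern.lstrip("/"), buf, re.IGNORECASE if "i" in mods else 0):
            return False
    return True


def make_log(rule, data, timestamp):
    """Build the S308 log record: five-tuple, rule identity, classification, confidence, tags."""
    o = rule["opts"]
    return {
        "timestamp": timestamp, "event_type": "fingerprint",
        "src_ip": data["src_ip"], "src_port": data["src_port"],
        "dest_ip": data["dst_ip"], "dest_port": data["dst_port"],
        "proto": data["transport"], "app_proto": data["proto"],
        "signature_id": int(o["sid"]), "rev": int(o["rev"]), "msg": o["msg"],
        "classtype": o.get("classtype"),
        "priority": int(o.get("priority", 3)),      # Suricata's default priority when none is set
        "confidence": int(o.get("reliability", 0)),
        "tags": o.get("finger", "").split(","),
    }


def fingerprint(rules, data, timestamp="2023-05-25T12:00:00+0000"):
    """S305 to S308: select rules by protocol, match them, emit one log record per hit."""
    candidates = [r for r in (parse_rule(t) for t in rules) if r["proto"] == data["proto"]]
    return [make_log(r, data, timestamp) for r in candidates if match_rule(r, data)]


# Constructed decoded network data: five-tuple plus the HTTP buffers a decoder would expose.
REQUEST = {"proto": "http", "transport": "TCP", "direction": "to_server",
           "src_ip": "172.31.1.102", "src_port": 32940, "dst_ip": "8.130.165.191", "dst_port": 80,
           "http_header": "GET / HTTP/1.1\r\nHost: example.invalid\r\nX-Powered-By: thinkphp/5.0\r\n",
           "http_body": "", "payload": ""}
RESPONSE = {"proto": "http", "transport": "TCP", "direction": "to_client",
            "src_ip": "8.130.165.191", "src_port": 80, "dst_ip": "172.31.1.102", "dst_port": 32940,
            "http_header": "HTTP/1.1 200 OK\r\nServer: nginx\r\n",
            "http_body": '<script src="/static/ueditor/ueditor.all.js"></script>', "payload": ""}

if __name__ == "__main__":
    for data in (REQUEST, RESPONSE):
        for record in fingerprint(RULES, data):
            print(json.dumps(record))          # one JSON line per detected asset, EVE-style
```

The request produces a record for sid 127 (ThinkPHP, confidence 99) and the response a record for sid 20000085 (UEditor, confidence 70, priority 1); a response body naming "ueditor_all.js" produces nothing, because the escaped dots in the pcre require literal dots. Writing each record as one JSON line is the same shape Suricata's own EVE output takes, which keeps the storage and display steps (S309) simple.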
In some embodiments, the output log records may be displayed, for example on a display interface of the electronic device.
For example, FIG. 4 shows a display interface for log records. The display interface in fig. 4 displays log information of 4 pieces of fingerprint information (i.e., network assets), namely log record 1, log record 2, log record 3, and log record 4.
Log record 1 shows: fingerprint identification rule; protocol http; rule identifier [1:20000344:1] (generator ID 1, rule ID 20000344, revision 1); network asset name ConnKeepalive fingerprint identification; type application-layer identification; priority 2; confidence 70; TCP 8.130.165.191:80 -> 172.31.1.102:32940; link; fingerprint tag application level/others.
Log record 2 shows: fingerprint identification rule; protocol http; rule identifier [1:20000346:1]; network asset name ConnKeepalive fingerprint identification; type application-layer identification; priority 2; confidence 70; TCP 8.130.165.191:80 -> 172.31.1.102:32940; link; fingerprint tag application level/others.
Log record 3 shows: fingerprint identification rule; protocol http; rule identifier [1:20000981:1]; network asset name Nginx fingerprint identification; type application-layer identification; priority 2; confidence 70; TCP 8.130.165.191:80 -> 172.31.1.102:32940; link; fingerprint tag application level/reverse proxy.
Log record 4 shows: fingerprint identification rule; protocol http; rule identifier [1:20000982:1]; network asset name Nginx fingerprint identification; type application-layer identification; priority 2; confidence 70; TCP 8.130.165.191:80 -> 172.31.1.102:32940; link; fingerprint tag application level/reverse proxy.
The user can look up the log records through the display interface of the electronic device and accurately obtain the related information of the network asset, so that known vulnerabilities can be verified quickly and effectively and the safety and reliability of the network are improved.
According to the scheme, a Suricata fingerprint identification rule set for identifying fingerprint information is determined; network data containing a protocol type is acquired; a Suricata fingerprint identification rule corresponding to that type is determined according to the type of the network data; the network data is matched with the determined Suricata fingerprint identification rule; and a matching result indicating the fingerprint information is obtained.
The scheme of the application acquires the network data of the network to be detected as it flows through, that is, it acquires the network data passively. After the network data is obtained, it is matched with the determined Suricata fingerprint identification rule set, and the fingerprint information (that is, the network assets) in the network data is determined. In other words, the scheme only identifies acquired network data, so the network asset is identified passively without sending probe traffic, which protects network safety to a certain extent and improves working efficiency.
In addition, the scheme provided by the application matches the Suricata fingerprint identification rule set with the network data through the Suricata engine, and thereby identifies the network asset. Because the Suricata fingerprint identification rule set supports the identification of protocols such as HTTP, DNS, TCP, TLS, UDP and SMB, and supports matching on hexadecimal byte sequences, character strings and regular expressions, the scheme can serve a large number of fingerprint identification scenarios and solves the problem of poor fingerprint identification compatibility.
For the method in the foregoing embodiment, the present application further provides a fingerprint identification device. The fingerprint identification device can be applied to electronic equipment and is used for realizing the method in the embodiment. The fingerprint identification device can be realized by hardware, and can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules corresponding to the above functions.
For example, fig. 5 shows a schematic structural diagram of a fingerprint recognition device. The fingerprint recognition device 500 as illustrated in fig. 5 may include: a determining module 501, an acquiring module 502, a matching module 503, and the like.
Wherein the determining module 501 may be configured to determine a set of fingerprint identification rules; the set of fingerprint identification rules includes at least one fingerprint identification rule that can be used to detect fingerprint information that can be used to characterize the presence of a network asset in the network.
The acquiring module 502 may be configured to acquire network data of a network to be detected.
The matching module 503 may be configured to obtain a matching result according to the network data and the fingerprint identification rule set, where the matching result may be used to indicate whether fingerprint information exists in the network data.
In some embodiments, the fingerprinting rules include: a rule header and rule options; the rule header is used to determine the behavior of the rule and the rule options are used to determine the characteristics and content of the rule.
In some embodiments, the rule header includes: rule behavior; rule behavior is used to indicate actions performed when a behavior is matched; the rule options include: the rule option comprises an option keyword and option content, wherein the option keyword is used for indicating the rule option, and the option content is corresponding to the rule option.
In some embodiments, the rule behavior includes a fingerprinting behavior; the option keywords comprise network asset names, limiting content and network asset tags, wherein the network asset names are used for identifying whether network names exist in the network data; defining content for defining a direction and form of network data; the network asset tag is used to identify a network asset.
In some embodiments, the option key may also include a network asset version that identifies whether a network asset version exists in the network data.
In some embodiments, the fingerprint recognition rule may include a Suricata fingerprint recognition rule.
In some embodiments, the obtaining module 502 may be further configured to obtain a network data packet of the network to be detected; the network data packets are grouped and recombined to obtain recombined network data so as to obtain complete network data packets; and carrying out protocol decoding on the recombined network packets to obtain network data.
In some embodiments, the matching module 503 may be further configured to determine a fingerprint identification rule in the fingerprint identification rule set according to a type of the network data; matching the network data with the fingerprint identification rule to obtain a matching result; and under the condition that the network data is matched with the fingerprint identification rule, obtaining a matching result that the network data comprises fingerprint information.
In some embodiments, as shown in fig. 5, the fingerprint recognition device may further include a log generation module 504, a storage module 505, and an output module 506.
The log generation module 504 may be configured to generate a log record of fingerprint information when the matching result is that the network data includes fingerprint information.
The storage module 505 may be used to store log records.
An output module 506 may be used to output the log record.
It should be understood that the division of units or modules (hereinafter referred to as units) in the above apparatus is merely a division of logic functions, and may be fully or partially integrated into one physical entity or may be physically separated. And the units in the device can be all realized in the form of software calls through the processing element; or can be realized in hardware; it is also possible that part of the units are implemented in the form of software, which is called by the processing element, and part of the units are implemented in the form of hardware.
For example, each unit may be a processing element that is set up separately, may be implemented as integrated in a certain chip of the apparatus, or may be stored in a memory in the form of a program, and the functions of the unit may be called and executed by a certain processing element of the apparatus. Furthermore, all or part of these units may be integrated together or may be implemented independently. The processing element described herein, which may also be referred to as a processor, may be an integrated circuit with signal processing capabilities. In implementation, each step of the above method or each unit above may be implemented by an integrated logic circuit of hardware in a processor element or in the form of software called by a processing element.
In one example, the units in the above apparatus may be one or more integrated circuits configured to implement the above method, for example: one or more ASICs, one or more DSPs, one or more FPGAs, or a combination of at least two of these integrated circuit forms.
For another example, when the units in the apparatus are implemented in the form of a processing element scheduling a program, the processing element may be a general-purpose processor, such as a CPU or another processor that can invoke programs. For another example, the units may be integrated together and implemented in the form of a system-on-a-chip (SoC).
In one implementation, the above means for implementing each corresponding step in the above method may be implemented in the form of a processing element scheduler. For example, the apparatus may comprise a processing element and a storage element, the processing element invoking a program stored in the storage element to perform the method described in the above method embodiments. The memory element may be a memory element on the same chip as the processing element, i.e. an on-chip memory element.
In another implementation, the program for performing the above method may be on a memory element on a different chip than the processing element, i.e. an off-chip memory element. At this point, the processing element invokes or loads a program from the off-chip storage element onto the on-chip storage element to invoke and execute the method described in the method embodiments above.
For example, embodiments of the present application may also provide an apparatus, such as: an electronic device may include: a processor, a memory for storing instructions executable by the processor. The processor is configured to execute the above instructions, causing the electronic device to implement the fingerprint identification method as described in the previous embodiments. The memory may be located within the electronic device or may be located external to the electronic device. And the processor includes one or more.
In yet another implementation, the unit implementing each step in the above method may be configured as one or more processing elements, where the processing elements may be disposed on the electronic device described above, and the processing elements may be integrated circuits, for example: one or more ASICs, one or more DSPs, one or more FPGAs, or a combination of these types of integrated circuits. These integrated circuits may be integrated together to form a chip.
For example, the embodiment of the application also provides a chip, which can be applied to the electronic equipment. The chip includes one or more interface circuits and one or more processors; the interface circuit and the processor are interconnected through a circuit; the processor receives and executes computer instructions from the memory of the electronic device through the interface circuit to implement the fingerprint identification method described in the method embodiments above.
The embodiment of the application also provides a computer program product, which comprises the computer instructions for the electronic equipment to operate.
From the foregoing description of the embodiments, it will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of functional modules is illustrated, and in practical application, the above-described functional allocation may be implemented by different functional modules according to needs, i.e. the internal structure of the apparatus is divided into different functional modules to implement all or part of the functions described above.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the modules or units is merely a logical functional division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another apparatus, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and the parts displayed as units may be one physical unit or a plurality of physical units, may be located in one place, or may be distributed in a plurality of different places. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a readable storage medium. Based on such understanding, the technical solution of the embodiments of the present application may be embodied in the form of a software product, such as a program. The software product is stored in a program product, such as a computer readable storage medium, comprising instructions for causing a device (which may be a single-chip microcomputer, a chip or the like) or a processor to perform all or part of the steps of the methods described in the various embodiments of the application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, an optical disk, or the like.
For example, embodiments of the present application may also provide a computer readable storage medium having computer program instructions stored thereon. The computer program instructions, when executed by an electronic device, cause the electronic device to implement a fingerprint identification method as described in the foregoing method embodiments.
The foregoing is merely illustrative of specific embodiments of the present application, and the scope of the present application is not limited thereto, but any changes or substitutions within the technical scope of the present application should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

1. A fingerprint identification method, characterized in that the fingerprint identification method comprises:
determining a fingerprint identification rule set; the fingerprint identification rule set at least comprises a fingerprint identification rule, wherein the fingerprint identification rule is used for detecting fingerprint information, and the fingerprint information is used for representing the characteristics of the network asset;
acquiring network data of a network to be detected;
and obtaining a matching result according to the network data and the fingerprint identification rule set, wherein the matching result is used for indicating whether the fingerprint information exists in the network data.
2. The fingerprint identification method according to claim 1, wherein the fingerprint identification rule comprises: a rule header and rule options; the rule header is used to determine the behavior of the rule, and the rule options are used to determine the characteristics and content of the rule.
3. The fingerprint identification method according to claim 2, wherein the rule header comprises: rule behavior; the rule behavior is used for indicating actions executed when the behavior is matched;
the rule options include: the rule option comprises an option keyword and option content, wherein the option keyword is used for indicating the rule option, and the option content is corresponding to the rule option.
4. The fingerprinting method of claim 2, wherein the rule behavior comprises a fingerprinting behavior; the option keywords comprise network asset names, limiting contents and network asset tags, wherein the network asset names are used for identifying whether network names exist in the network data; the limiting content is used for limiting the direction and form of the network data; the network asset tag is used to identify a network asset.
5. The fingerprinting method of claim 4, wherein the option key further comprises a network asset version, the network asset version being used to identify whether a network asset version exists in the network data.
6. The fingerprinting method of any of claims 1-5, wherein the fingerprinting rule comprises a Suricata fingerprinting rule.
7. The fingerprint identification method according to any one of claims 1-5, wherein the acquiring network data of the network to be detected comprises:
acquiring a network data packet of a network to be detected;
the network data packets are recombined to obtain recombined network data so as to obtain complete network data packets;
And carrying out protocol decoding on the recombined network packets to obtain the network data.
8. The fingerprint identification method according to claim 1, wherein obtaining a matching result according to the network data and the fingerprint identification rule set comprises:
determining a fingerprint identification rule in the fingerprint identification rule set according to the type of the network data;
matching the network data with the fingerprint identification rule to obtain a matching result;
and under the condition that the network data is matched with the fingerprint identification rule, obtaining a matching result that the network data comprises the fingerprint information.
9. The fingerprint identification method of claim 8, further comprising:
generating a log record of the fingerprint information under the condition that the network data comprise the fingerprint information as a result of the matching;
and storing and outputting the log record.
10. A fingerprint recognition device, characterized in that the fingerprint recognition device comprises: the device comprises a determining module, an acquiring module and a matching module;
the determining module is used for determining a fingerprint identification rule set; the fingerprint identification rule set at least comprises a fingerprint identification rule, wherein the fingerprint identification rule is used for detecting fingerprint information, and the fingerprint information is used for representing the existence of network assets in a network;
The acquisition module is used for acquiring network data of a network to be detected;
the matching module is used for obtaining a matching result according to the network data and the fingerprint identification rule set, wherein the matching result is used for indicating whether the fingerprint information exists in the network data.
11. An electronic device comprising a processor, a memory for storing instructions executable by the processor; the processor being configured to, when executing the instructions, cause the electronic device to implement the fingerprint identification method of any one of claims 1-9.
CN202310601786.1A 2023-05-25 2023-05-25 Fingerprint identification method and device and electronic equipment Pending CN116647375A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310601786.1A CN116647375A (en) 2023-05-25 2023-05-25 Fingerprint identification method and device and electronic equipment


Publications (1)

Publication Number Publication Date
CN116647375A true CN116647375A (en) 2023-08-25

Family

ID=87639303


Similar Documents

Publication Publication Date Title
US11425047B2 (en) Traffic analysis method, common service traffic attribution method, and corresponding computer system
US10771500B2 (en) System and method of determining DDOS attacks
KR101888831B1 (en) Apparatus for collecting device information and method thereof
CN107710684B (en) System and method for constructing super-large scale monitoring structure
CN112468518B (en) Access data processing method and device, storage medium and computer equipment
JP2018536935A (en) Access request conversion method and apparatus
US20220263823A1 (en) Packet Processing Method and Apparatus, Device, and Computer-Readable Storage Medium
WO2021083083A1 (en) Upgrading method and system, server, and terminal device
US8799714B1 (en) Generating test scenarios from application-layer messages
CN109413219B (en) Domain name resolution method and device, server and storage medium
CN110769009B (en) User identity authentication method and system
CN113518042B (en) Data processing method, device, equipment and storage medium
CN111193633A (en) Method and device for detecting abnormal network connection
US9787710B1 (en) Method and system of eliminating vulnerabilities of a router
US10333769B2 (en) Deployable linear bitwise protocol transformation
US10419351B1 (en) System and method for extracting signatures from controlled execution of applications and application codes retrieved from an application source
US20140019610A1 (en) Correlated Tracing of Connections through TDS
CN116647375A (en) Fingerprint identification method and device and electronic equipment
WO2023082605A1 (en) Http message extraction method and apparatus, and medium and device
CN115967575A (en) HTTP request entrainment detection method and device, electronic equipment and storage medium
WO2021082945A1 (en) Remote management method and system, terminal device and server
EP3432544B1 (en) System and method of determining ddos attacks
CN107204969B (en) Method and system for eliminating vulnerabilities on data networks
EP3220595B1 (en) Method and system of eliminating vulnerabilities of smart devices
US20140331321A1 (en) Building filter through utilization of automated generation of regular expression

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination