CN117729005A - Network asset mapping method - Google Patents

Publication number: CN117729005A
Authority: CN (China)
Prior art keywords: network, target, asset, information, protocol
Legal status: Pending
Application number: CN202311702530.6A
Other languages: Chinese (zh)
Inventors: 曾子峰, 黄嘉伟, 邹洪, 张佳发, 许伟杰, 江家伟, 金浩, 陈锋
Current assignee: China Southern Power Grid Digital Power Grid Group Information Communication Technology Co ltd
Original assignee: China Southern Power Grid Digital Power Grid Group Information Communication Technology Co ltd
Landscapes: Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network asset mapping method. The method comprises: acquiring at least two pieces of traffic information to be analyzed, monitored passively through a traffic port mirror, the traffic information being generated by interactions of the network assets to be mapped in the business network environment; analyzing each piece of traffic information to obtain the target interaction relationships between the target network assets in the business network environment; and drawing a network asset topology graph based on the target interaction relationships to determine the target network asset topology graph. With this technical solution, network asset mapping can be performed automatically, quickly and accurately without interfering with the business network environment: traffic interference to the business network environment is reduced, no host in the business network environment needs to be intruded upon, and the stability and security of the business network environment are improved.

Description

Network asset mapping method
Technical Field
The invention relates to device mapping technology, and in particular to a network asset mapping method.
Background
With the development of the internet, users pay increasing attention to network security, of which network asset inventory is an important foundational task. For example, once the asset list corresponding to the business network environment is known, network security work can be carried out more effectively and comprehensively.
At present, active scanning with fingerprint identification, and host agents that report system information, are the commonly used means of network asset mapping; they detect the state of network assets quickly through information collection, asset reporting and similar operations.
However, active scanning in the existing network asset mapping approaches introduces a great deal of extra traffic interference into the business network environment, while the host-agent approach directly intrudes on the corresponding network asset host and, in introducing the agent component, introduces external hidden risks that can bring the business network environment to a standstill. Existing network asset mapping methods are therefore too invasive for networks and servers and place a burden on the business network environment.
Disclosure of Invention
The invention provides a network asset mapping method that can map network assets automatically, quickly and accurately without interfering with the business network environment, reducing traffic interference to the business network environment, avoiding intrusion into hosts in the business network environment, and improving the stability and security of the business network environment.
According to one aspect of the present invention, a network asset mapping method is provided, comprising:
acquiring at least two pieces of traffic information to be analyzed, monitored passively through a traffic port mirror, the traffic information being generated by interactions of the network assets to be mapped in a business network environment;
analyzing each piece of traffic information to obtain the target interaction relationships between the target network assets in the business network environment;
and drawing a network asset topology graph based on the target interaction relationships to determine the target network asset topology graph.
In this technical solution, at least two pieces of traffic information to be analyzed are obtained through passive monitoring by a traffic port mirror, so that traffic interference to the business network environment is reduced, no host in the business network environment needs to be intruded upon, and the stability and security of the business network environment are improved; the traffic information is generated by interactions of the network assets to be mapped in the business network environment; each piece of traffic information is analyzed to obtain the target interaction relationships between the target network assets; and a network asset topology graph is drawn based on those relationships to determine the target network asset topology graph, so that network assets are mapped automatically, quickly and accurately without interfering with the business network environment.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a network asset mapping method according to a first embodiment of the present invention;
Fig. 2 is a flowchart of a network asset mapping method according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a network asset mapping device according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an electronic device implementing a network asset mapping method according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," "target," "initial," and the like in the description and claims of the present invention and in the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Fig. 1 is a flowchart of a network asset mapping method according to a first embodiment of the present invention. The method may be performed by a network asset mapping device, which may be implemented in hardware and/or software and configured in an electronic device, and is applicable where network asset mapping must be performed without disturbing the business network environment. As shown in Fig. 1, the method includes:
S110, acquiring at least two pieces of traffic information to be analyzed, monitored passively through a traffic port mirror; the traffic information is generated by interactions of the network assets to be mapped in the business network environment.
A traffic port mirror refers to a mirror port that listens for traffic. Traffic port mirroring can be used to monitor traffic information without disturbing the business network environment. Traffic information refers to the information that network assets transmit or exchange as traffic. The business network environment is the network environment in which the network assets to be mapped are located, for example an enterprise's internal network. A network asset is a network device deployed in the business network environment; for example, a network asset may be, but is not limited to, a web server, an FTP server, a database server or a switch.
Specifically, before traffic monitoring begins, the traffic port mirror and a bypass-deployed server are configured, so that the bypass server obtains the at least two pieces of traffic information to be analyzed from passive monitoring by the traffic port mirror. The advantage of this arrangement is that interference with and burden on the business network environment are reduced, no host in the business network environment needs to be intruded upon, and the stability and security of the business network environment are improved.
Illustratively, the traffic port mirror is a passive listening port provided on a router and/or switch; it is used to monitor traffic information to be analyzed between network devices in the external network and the network assets to be mapped in the internal network, and/or traffic information to be analyzed between the network assets to be mapped within the internal network.
Port mirroring can be configured on a switch or router without complex installation or deployment. The data traffic of one or more source ports is forwarded to a designated port, the "mirror port", to enable listening on the network. Without seriously affecting the normal throughput of the source ports, the network's traffic can be monitored and analyzed through the mirror port, and faults can be located quickly and accurately when the network fails. The internal network refers to the business network; the external network refers to any network other than the business network. If the traffic port mirror monitors traffic between network devices in the external network and the network assets to be mapped in the internal network, that traffic can be analyzed to map the network assets of the internal network and, at the same time, to monitor whether the interactions between external network devices and internal network assets conform to a preset interaction protocol. If the traffic port mirror monitors traffic between the network assets to be mapped within the internal network, that traffic can be analyzed to perform network asset mapping more finely and accurately.
S120, analyzing each piece of traffic information to obtain the target interaction relationships between the target network assets in the business network environment.
A target network asset is a network asset that exists in the business network environment. A target interaction relationship is an information-exchange relationship between individual target network assets. Specifically, each piece of traffic information is analyzed, the sending server and the receiving server of each piece are determined, and the target interaction relationships between the target network assets in the business network environment are determined from the sending and receiving servers so identified.
S130, drawing a network asset topology graph based on the target interaction relationships, and determining the target network asset topology graph.
The target network asset topology graph is a topology graph that includes the interactions between the individual target network assets. Specifically, the target network assets contained in each network segment are determined from the target interaction relationships, a single-layer topology graph of the target network assets in each segment is drawn, and all single-layer topology graphs are combined to determine a target network asset topology graph covering multiple network segments.
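As an added illustration of steps S120 and S130, and not code from the patent or its applicant: the Python below takes a constructed set of sender/receiver records standing in for parsed traffic information, collapses them into interaction relationships, draws one single-layer topology per /24 network segment of an assumed intranet 10.0.0.0/16, and merges the layers into a multi-segment topology. The /24 segment size, the intranet range and all sample addresses are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of parsed traffic records from a mirror port (not real captures).
# Each record: (sending address, receiving address, protocol observed in the session).
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.1.20", "http"),
    ("10.0.1.10", "10.0.1.20", "http"),    # repeated interaction, collapses to one edge
    ("10.0.1.20", "10.0.2.30", "mysql"),
    ("10.0.2.30", "10.0.2.31", "ftp"),
    ("203.0.113.5", "10.0.1.10", "http"),  # external client talking to an intranet web server
]

def derive_interactions(flows):
    """Step S120: each record yields one (sender, receiver) relation; duplicates collapse."""
    return sorted({(src, dst) for src, dst, _ in flows})

def segment_of(addr, prefix_len=24):
    """Network segment an address belongs to (assumed /24 segments)."""
    return str(ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False))

def build_single_layer_topologies(interactions, intranet):
    """Step S130, first half: one single-layer graph (set of edges) per intranet segment.
    An edge is attached to every segment that holds one of its intranet endpoints, so an
    external peer still shows up as a node of the segment it talked to."""
    net = ipaddress.ip_network(intranet)
    per_segment = defaultdict(set)
    for src, dst in interactions:
        for node in (src, dst):
            if ipaddress.ip_address(node) in net:
                per_segment[segment_of(node)].add((src, dst))
    return {seg: sorted(edges) for seg, edges in per_segment.items()}

def merge_topologies(per_segment):
    """Step S130, second half: combine the single-layer graphs into one multi-segment graph."""
    nodes, edges = set(), set()
    for seg_edges in per_segment.values():
        for src, dst in seg_edges:
            nodes.update((src, dst))
            edges.add((src, dst))
    return {"nodes": sorted(nodes), "edges": sorted(edges)}

def intranet_assets(topology, intranet):
    """Target network assets: the nodes of the merged graph that lie inside the intranet."""
    net = ipaddress.ip_network(intranet)
    return sorted(n for n in topology["nodes"] if ipaddress.ip_address(n) in net)

def render(per_segment):
    """Text rendering of the per-segment layers, one 'src -> dst' line per edge."""
    lines = []
    for seg in sorted(per_segment):
        lines.append(f"[{seg}]")
        lines.extend(f"  {src} -> {dst}" for src, dst in per_segment[seg])
    return "\n".join(lines)

if __name__ == "__main__":
    layers = build_single_layer_topologies(derive_interactions(SAMPLE_FLOWS), "10.0.0.0/16")
    print(render(layers))
    print("assets:", intranet_assets(merge_topologies(layers), "10.0.0.0/16"))
```

The external address 203.0.113.5 appears as a node but not as an asset, which is the distinction the text draws between monitoring external-to-internal interactions and mapping the internal assets themselves.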
In this technical solution, at least two pieces of traffic information to be analyzed are obtained through passive monitoring by a traffic port mirror, so that traffic interference to the business network environment is reduced, no host in the business network environment needs to be intruded upon, and the stability and security of the business network environment are improved; the traffic information is generated by interactions of the network assets to be mapped in the business network environment; each piece of traffic information is analyzed to obtain the target interaction relationships between the target network assets; and a network asset topology graph is drawn based on those relationships to determine the target network asset topology graph, so that network assets are mapped automatically, quickly and accurately without interfering with the business network environment.
On the basis of the above technical solution, the method further comprises: monitoring the target network assets currently in use in the business network environment based on the target network asset topology graph and a preset network asset list; if at least one target network asset currently in use is detected to fall outside the range of preset network assets covered by the preset network asset list, generating asset alarm information for that target network asset and displaying it; and updating the preset network asset list based on the user's feedback on the asset alarm information.
The preset network asset list refers to the asset information of all available network assets included in the preset business network environment. Asset alarm information is an alert generated for a network asset that falls outside the range of preset network assets covered by the preset network asset list. Feedback information is the information a user provides after verifying whether the asset named in the asset alarm information is compliant.
Specifically, all available target network assets contained in the target network asset topology graph are determined from the graph and compared with the preset network assets in the preset network asset list. If at least one target network asset currently in use is detected to fall outside the range of preset network assets covered by the list, asset alarm information is generated for that asset and displayed, thereby monitoring the target network assets currently in use in the business network environment. The user can verify the displayed asset alarm information and produce feedback information from the verification. If the feedback indicates that the target network asset is a newly added, compliant network asset, the preset network asset list is updated with that asset.
On the basis of the above technical solution, the method further comprises: monitoring the target protocols started by the target network assets based on a preset protocol library; if at least one target protocol is detected to fall outside the available protocols that the preset protocol library assigns to that target network asset, generating protocol alarm information for that target protocol and displaying it; and updating the preset protocol library based on the user's feedback on the protocol alarm information.
The preset protocol library holds the available protocols corresponding to all available network assets in the preset business network environment. A target protocol is a communication protocol used by a target network asset, as determined by parsing each piece of traffic information. Available protocols are the communication protocols a preset target network asset is permitted to use in its communication interactions. Protocol alarm information is an alert generated for a target protocol that falls outside the preset range of available protocols.
Specifically, the target protocols started by each target network asset are monitored and compared against the preset protocol library; if at least one target protocol falls outside the available protocols the library assigns to that asset, protocol alarm information is generated for that protocol and displayed. The user can verify the displayed protocol alarm information and produce feedback information from the verification result. If the feedback indicates that the target protocol is a newly started available protocol, the preset protocol library is updated with that protocol.
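Added example, not the patent's code: the two monitoring extensions above (comparison against the preset network asset list, and comparison of started protocols against the preset protocol library) together with the user-feedback update step, run over constructed observations. The asset list, protocol library and observed protocol sets are invented sample data, and keying the protocol library by asset type is an assumption about how the library is organized.

```python
# Constructed preset network asset list: asset address -> asset type (sample data only).
PRESET_ASSET_LIST = {
    "10.0.1.10": "web server",
    "10.0.1.20": "web server",
    "10.0.2.30": "database server",
}

# Constructed preset protocol library, keyed by asset type (an assumption): allowed protocols.
PRESET_PROTOCOL_LIBRARY = {
    "web server": {"http", "https"},
    "database server": {"mysql"},
    "ftp server": {"ftp"},
}

# Constructed observation taken from a topology graph: asset -> protocols it was seen starting.
OBSERVED = {
    "10.0.1.10": {"http"},
    "10.0.1.20": {"http", "ssh"},   # ssh lies outside the web-server protocol set
    "10.0.2.30": {"mysql"},
    "10.0.2.31": {"ftp"},           # asset in use but absent from the preset list
}

def asset_alerts(observed, asset_list):
    """Asset alarm information: assets currently in use that the preset list does not cover."""
    return [{"kind": "asset", "asset": a} for a in sorted(observed) if a not in asset_list]

def protocol_alerts(observed, asset_list, protocol_library):
    """Protocol alarm information: protocols an inventoried asset started outside its allowed set."""
    alerts = []
    for asset in sorted(observed):
        asset_type = asset_list.get(asset)
        if asset_type is None:
            continue  # unknown asset: already reported by asset_alerts
        allowed = protocol_library.get(asset_type, set())
        for proto in sorted(observed[asset] - allowed):
            alerts.append({"kind": "protocol", "asset": asset, "protocol": proto})
    return alerts

def apply_feedback(alert, feedback, asset_list, protocol_library):
    """Update the preset list or library only when the user's feedback confirms compliance.
    feedback is a dict {"compliant": bool, "asset_type": str (asset alerts only)}."""
    if not feedback.get("compliant"):
        return False
    if alert["kind"] == "asset":
        asset_list[alert["asset"]] = feedback["asset_type"]
    elif alert["kind"] == "protocol":
        protocol_library.setdefault(asset_list[alert["asset"]], set()).add(alert["protocol"])
    return True

if __name__ == "__main__":
    inventory = dict(PRESET_ASSET_LIST)
    library = {k: set(v) for k, v in PRESET_PROTOCOL_LIBRARY.items()}
    for alert in asset_alerts(OBSERVED, inventory) + protocol_alerts(OBSERVED, inventory, library):
        print("ALERT", alert)   # in the patent's flow this is where the alarm is displayed
```

Rejected feedback leaves the list and library untouched, so the same alarm is raised again on the next comparison; only a confirmed, compliant asset or protocol silences it.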
Example 2
Fig. 2 is a flowchart of a network asset mapping method according to a second embodiment of the present invention, which describes in detail the process of determining the target interaction relationships on the basis of the foregoing embodiment. Explanations of terms that are the same as or correspond to those of the above embodiment are not repeated here. As shown in Fig. 2, the method includes:
S210, acquiring at least two pieces of traffic information to be analyzed, monitored passively through a traffic port mirror; the traffic information is generated by interactions of the network assets to be mapped in the business network environment.
S220, performing traffic analysis on each piece of traffic information, and determining traffic information sets.
A traffic information set refers to the traffic information generated by interaction between the same sending server and the same receiving server within a preset duration. Specifically, traffic analysis is performed on each piece of traffic information to determine its interaction time, sending server identifier and receiving server identifier, and the traffic information generated by interactions between the same sending server identifier and the same receiving server identifier within the preset duration is determined to be one traffic information set.
Illustratively, S220 may include: performing traffic analysis on each piece of traffic information and determining the connection information of the network asset to be mapped corresponding to each piece, the connection information including at least one of the MAC address, the sending port, the receiving port, the sending address and the receiving address; and performing session restoration based on the connection information to determine the restored traffic information set.
If the connection information of the network assets to be mapped corresponding to several pieces of traffic information is the same, that is, their MAC addresses, sending ports, receiving ports, sending addresses and receiving addresses are identical, those pieces of traffic information are determined to belong to the same session, and the traffic information of one session forms one traffic information set.
S230, performing protocol parsing on each traffic information set, and determining the target interaction relationships between the target network assets in the business network environment.
Specifically, protocol parsing is performed on each traffic information set, the communication protocol used in each set is determined, and the target interaction relationships between the target network assets in the business network environment are determined from the identified communication protocols.
Illustratively, S230 may include: extracting protocol features from each traffic information set and determining the protocol features corresponding to each set; inputting the protocol features into a target network asset prediction model to predict the network assets to be mapped in the business network environment and determine the target network assets; and determining the target interaction relationships between the target network assets in the business network environment based on the connection information and the target network assets of each traffic information set.
A protocol feature is a feature of the protocol used for communication interaction between network assets. Protocol features can characterize the type of network asset that uses the protocol; for example, web servers, FTP servers and database servers each follow specifications that prescribe different communication interaction protocols and different communication content fields. The target network asset prediction model is a pre-trained network model for determining target network assets: from the protocol features it predicts the target network asset type to which they correspond, and determines the target network asset from that type.
Specifically, protocol feature extraction is performed on each traffic information set to determine its protocol features. The protocol features are input into the target network asset prediction model to predict the network assets to be mapped in the business network environment and determine the target network assets, so that network assets of different types are identified and asset identification coverage is broader. The target interaction relationships between the target network assets in the business network environment are then determined from the connection information and the target network assets of each traffic information set.
S240, drawing a network asset topology graph based on the target interaction relationships, and determining the target network asset topology graph.
In this technical solution, traffic analysis is performed on each piece of traffic information to determine traffic information sets, and protocol parsing is performed on each set to determine the target interaction relationships between the target network assets in the business network environment; because the traffic information is merged into sets, the workload of protocol parsing is reduced, the target interaction relationships are determined more efficiently, and network asset mapping efficiency is further improved.
On the basis of the above technical solution, "performing session restoration based on the connection information to determine the restored traffic information set" may include: comparing the connection information to determine the target traffic information that shares the same connection information; and determining the restored traffic information set from the target traffic information within a preset time period.
Specifically, the connection information is compared to determine the sending server and receiving server of an interaction, the two are taken as the two parties of a session, and the several pieces of target traffic information between the same two parties within the preset time period form one restored traffic information set.
On the basis of the above technical solution, S230 may further include: extracting the messages from each traffic information set and determining the transmission content message corresponding to each set; determining the target network asset corresponding to each traffic information set based on a preset protocol standard, the transmission content message and a preset asset standard; and determining the target interaction relationships between the target network assets in the business network environment based on the connection information and the target network assets of each traffic information set.
The transmission content message may include the communication content fields and the protocol used for the communication interaction. The preset protocol standard may include the standard correspondence between preset protocols and transmission content messages. The preset asset standard may include the preset standard correspondence between network assets and communication interaction protocols.
Specifically, message extraction is performed on each traffic information set to determine its transmission content message. The target network asset corresponding to the transmission content message is determined from the preset protocol standard, the transmission content message and the preset asset standard, thereby determining the target network asset corresponding to each traffic information set. The target interaction relationships between the target network assets in the business network environment are then determined from the connection information and the target network assets of each set.
On the basis of the above technical solution, "determining the target network asset corresponding to each traffic information set based on the preset protocol standard, the transmission content message and the preset asset standard" may include: determining the target protocol corresponding to each traffic information set from the preset protocol standard and the transmission content message; and determining the target network asset corresponding to each traffic information set from the target protocol and the preset asset standard.
Specifically, the target protocol corresponding to a transmission content message is determined from the preset protocol standard and the message, and the target network asset corresponding to that target protocol is looked up in the preset asset standard, thereby determining the target network asset corresponding to each traffic information set.
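Added example covering both session restoration (S220 and its refinement above) and protocol parsing against a preset protocol standard and preset asset standard (the refinement of S230 just described); this is illustrative code written here, not the patent's implementation. The five-field connection key, the 60-second preset duration, the payload tests standing in for the protocol standard, and the rule that the asset is the receiving side of an HTTP request but the sending side of a MySQL greeting or FTP banner are all assumptions; the packet records are constructed, not captured.

```python
WINDOW_SECONDS = 60.0  # assumed "preset duration" within which records form one session

# Constructed mirror-port records, not real captures:
# (time, mac address, sending address, sending port, receiving address, receiving port, payload)
SAMPLE_PACKETS = [
    (0.0,  "aa:bb:cc:00:00:01", "10.0.1.5",  51000, "10.0.1.10", 80,    b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    (0.3,  "aa:bb:cc:00:00:01", "10.0.1.5",  51000, "10.0.1.10", 80,    b"GET /style.css HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    (1.0,  "aa:bb:cc:00:00:02", "10.0.2.30", 3306,  "10.0.1.10", 45000, b"\x4a\x00\x00\x00\x0a8.0.33\x00"),
    (2.0,  "aa:bb:cc:00:00:03", "10.0.2.31", 21,    "10.0.1.5",  52000, b"220 FTP service ready\r\n"),
    (95.0, "aa:bb:cc:00:00:01", "10.0.1.5",  51000, "10.0.1.10", 80,    b"GET /late HTTP/1.1\r\nHost: intranet\r\n\r\n"),
]

# Payload tests standing in for the "preset protocol standard" (assumed, deliberately simple).
def is_http(p):
    return p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT")

def is_mysql(p):
    # MySQL handshake: 3-byte length, 1-byte sequence, protocol version 0x0a, NUL-terminated version
    return len(p) > 5 and p[4] == 0x0a and b"\x00" in p[5:]

def is_ftp(p):
    return p.startswith(b"220 ") and b"FTP" in p.upper()

# (protocol, payload test, which side of the session is the asset): assumed side rules.
PROTOCOL_STANDARD = [
    ("http",  is_http,  "receiver"),  # requests are sent to the web server
    ("mysql", is_mysql, "sender"),    # the greeting is sent by the database server
    ("ftp",   is_ftp,   "sender"),    # the 220 banner is sent by the FTP server
]
# "Preset asset standard": protocol -> asset type (assumed).
ASSET_STANDARD = {"http": "web server", "mysql": "database server", "ftp": "ftp server"}

def connection_key(pkt):
    """Connection information named in the text: mac, sending/receiving address and port."""
    _, mac, saddr, sport, daddr, dport, _ = pkt
    return (mac, saddr, sport, daddr, dport)

def restore_sessions(packets, window=WINDOW_SECONDS):
    """Session restoration: records with identical connection information inside one window."""
    sessions, open_by_key = [], {}
    for pkt in sorted(packets, key=lambda p: p[0]):
        key = connection_key(pkt)
        cur = open_by_key.get(key)
        if cur is None or pkt[0] - cur["start"] > window:
            cur = {"key": key, "start": pkt[0], "payloads": []}
            open_by_key[key] = cur
            sessions.append(cur)
        cur["payloads"].append(pkt[6])
    return sessions

def classify_session(session):
    """Protocol parsing: the first payload matching the standard names protocol, asset type, asset."""
    _, saddr, _, daddr, _ = session["key"]
    for payload in session["payloads"]:
        for proto, test, side in PROTOCOL_STANDARD:
            if test(payload):
                asset = daddr if side == "receiver" else saddr
                return proto, ASSET_STANDARD[proto], asset
    return None  # no standard matched: the set cannot be attributed to an asset type

def map_assets(packets):
    """Target network assets and (sender, receiver, protocol) relations from restored sessions."""
    assets, relations = {}, set()
    for s in restore_sessions(packets):
        hit = classify_session(s)
        if hit is None:
            continue
        proto, asset_type, asset = hit
        assets[asset] = asset_type
        _, saddr, _, daddr, _ = s["key"]
        relations.add((saddr, daddr, proto))
    return assets, sorted(relations)

if __name__ == "__main__":
    found, rel = map_assets(SAMPLE_PACKETS)
    print(found)
    print(rel)
```

The record at 95 s shares its connection information with the first two but falls outside the preset duration, so it restores to a second session; both sessions parse to the same relation, which is why relations are kept as a set. Protocol parsing is done once per restored set rather than once per record, the workload reduction the text credits to merging traffic into sets.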
The following is an embodiment of a network asset mapping device provided by the embodiment of the present invention, which belongs to the same inventive concept as the network asset mapping method of the above embodiments, and reference may be made to the embodiments of the above network asset mapping method for details that are not described in detail in the embodiments of the network asset mapping device.
Example III
Fig. 3 is a schematic structural diagram of a network asset mapping device according to a third embodiment of the present invention. As shown in fig. 3, the apparatus includes: a traffic information acquisition module 310, a target interaction relationship determination module 320, and a target network asset topology map determination module 330.
The flow information obtaining module 310 is configured to obtain at least two flow information to be resolved, which are monitored by the flow port mirror image passively; the flow information is generated based on interaction of network assets to be painted in the service network environment; the target interaction relation determining module 320 is configured to obtain a target interaction relation between target network assets in the service network environment by performing parsing processing on each flow information; the target network asset topology map determining module 330 is configured to draw a network asset topology map based on the target interaction relationship, and determine a target network asset topology map.
According to the technical scheme, at least two flow information to be analyzed, which are monitored passively by the flow port mirror image, are obtained, so that flow interference to the service network environment is reduced, a host in the service network environment is not required to be invaded, and the stability and safety of the service network environment are improved; the flow information is generated based on interaction of network assets to be painted in the service network environment; analyzing and processing each flow information to obtain a target interaction relation between target network assets in the service network environment; and drawing a network asset topological graph based on the target interaction relationship, and determining the target network asset topological graph, so that the network asset is automatically, quickly and accurately drawn under the condition of not interfering with the service network environment.
Optionally, the traffic port is mirrored as a passive listening port provided on the router and/or switch; the flow port mirror image is used for monitoring flow information to be analyzed between the network equipment in the external network and the to-be-drawn network assets in the internal network and/or flow information to be analyzed between the to-be-drawn network assets in the internal network.
Optionally, the target interaction relationship determination module 320 may include:
a traffic information set determination submodule, used to perform traffic parsing on each item of traffic information and determine traffic information sets; and
a target interaction relationship determination submodule, used to perform protocol parsing on each traffic information set and determine the target interaction relationships between target network assets in the business network environment.
Optionally, the traffic information set determination submodule may include:
a connection information determination unit, used to perform traffic parsing on each item of traffic information and determine the connection information of the network asset to be mapped that corresponds to it; the connection information includes at least one of: MAC address, sending port, receiving port, sending address and receiving address; and
a traffic information set determination unit, used to perform session restoration based on the connection information and determine the restored traffic information sets.
Optionally, the traffic information set determination unit is specifically configured to compare connection information and identify the target traffic information that shares the same connection information, and to determine a restored traffic information set from the target traffic information falling within a preset time period.
Optionally, the target interaction relationship determination submodule is specifically configured to: extract protocol features from each traffic information set and determine the protocol features corresponding to each set; input the protocol features into a target network asset prediction model to predict the network assets to be mapped in the business network environment and determine the target network assets in the business network environment; and determine the target interaction relationships between target network assets in the business network environment from the connection information and the target network asset of each traffic information set.
Optionally, the target interaction relationship determination submodule further includes:
a transmitted content message determination unit, used to extract messages from each traffic information set and determine the transmitted content message corresponding to each set;
a target network asset determination unit, used to determine the target network asset corresponding to each traffic information set based on a preset protocol standard, the transmitted content message and a preset asset standard; and
a target interaction relationship determination unit, used to determine the target interaction relationships between target network assets in the business network environment from the connection information and the target network asset of each traffic information set.
Optionally, the target network asset determination unit is specifically configured to determine the target protocol corresponding to each traffic information set based on the preset protocol standard and the transmitted content message, and then to determine the target network asset corresponding to each set based on the target protocol and the preset asset standard.
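The pipeline described by the units above (connection information, session restoration within a time period, protocol identification from the transmitted content, asset classification against an asset standard, and the resulting interaction relationships) can be illustrated end to end. The following is an added example and not code from the patent; the packet records, the signature table standing in for the "preset protocol standard", the protocol-to-asset table standing in for the "preset asset standard", and the assumption that the first packet seen in a session flows from client to server are all constructed for the illustration.

```python
"""Passive asset mapping from mirrored traffic, in the order the text describes:
connection information -> session restoration within a time window ->
protocol identification from the transmitted content -> asset classification
-> interaction relationships (topology edges).

Added illustration, not the patent's implementation. The packet records,
protocol signatures and asset rules are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One mirrored frame reduced to the connection information the text lists."""
    ts: float
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def connection_key(pkt):
    """Direction-insensitive key so both halves of a conversation share one session."""
    return tuple(sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)]))


def restore_sessions(packets, window=60.0):
    """Group packets with identical connection information; a silence longer than
    `window` seconds between consecutive packets starts a new session (the
    'preset time period' of the text)."""
    by_key = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p.ts):
        by_key[connection_key(pkt)].append(pkt)
    sessions = []
    for key, pkts in by_key.items():
        current = [pkts[0]]
        for prev, cur in zip(pkts, pkts[1:]):
            if cur.ts - prev.ts > window:
                sessions.append((key, current))
                current = []
            current.append(cur)
        sessions.append((key, current))
    return sessions


# Constructed "preset protocol standard": (name, matcher(payload, server_port)).
PROTOCOL_SIGNATURES = [
    # Modbus/TCP: the MBAP header carries protocol id 0x0000 at bytes 2..3.
    ("modbus/tcp", lambda p, d: d == 502 and len(p) >= 8 and p[2:4] == b"\x00\x00"),
    ("http", lambda p, d: p[:4] in (b"GET ", b"POST", b"HEAD") or p[:5] == b"HTTP/"),
    ("ssh", lambda p, d: p.startswith(b"SSH-")),
    ("tls", lambda p, d: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),
]

# Constructed "preset asset standard": protocol served -> asset type.
ASSET_RULES = {"modbus/tcp": "plc", "http": "web-server",
               "ssh": "linux-host", "tls": "tls-service"}


def classify_session(pkts):
    """Return (server_ip, protocol, asset_type), or None when no signature matches.
    Assumption: the first packet seen in a session flows client -> server, so its
    destination is the asset being identified."""
    server_ip, server_port = pkts[0].dst_ip, pkts[0].dst_port
    for pkt in pkts:
        if not pkt.payload:
            continue  # handshake segments carry no content to match on
        for name, matches in PROTOCOL_SIGNATURES:
            if matches(pkt.payload, server_port):
                return server_ip, name, ASSET_RULES.get(name, "unknown")
    return None


def build_topology(packets, window=60.0):
    """nodes: ip -> set of asset types served; edges: (client, server, protocol) -> packets."""
    nodes = defaultdict(set)
    edges = defaultdict(int)
    for _key, pkts in restore_sessions(packets, window):
        result = classify_session(pkts)
        if result is None:
            continue  # unidentified traffic is left out of the map rather than guessed
        server, proto, asset = result
        client = pkts[0].src_ip
        nodes[server].add(asset)
        nodes.setdefault(client, set())  # the client appears even if it serves nothing
        edges[(client, server, proto)] += len(pkts)
    return dict(nodes), dict(edges)


# Constructed sample capture (MAC addresses abbreviated).
MODBUS_READ = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
MODBUS_REPLY = b"\x00\x01\x00\x00\x00\x17\x01\x03\x14" + b"\x00" * 20
SAMPLE_PACKETS = [
    Packet(0.0, "m1", "m2", "10.0.1.5", "10.0.2.10", 50001, 502, MODBUS_READ),
    Packet(0.1, "m2", "m1", "10.0.2.10", "10.0.1.5", 502, 50001, MODBUS_REPLY),
    Packet(1.0, "m1", "m3", "10.0.1.5", "10.0.2.20", 50002, 80, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
    Packet(1.2, "m3", "m1", "10.0.2.20", "10.0.1.5", 80, 50002, b"HTTP/1.1 200 OK\r\n\r\n"),
    Packet(2.0, "m4", "m3", "10.0.3.7", "10.0.2.20", 50003, 22, b""),  # handshake, no payload
    Packet(2.1, "m3", "m4", "10.0.2.20", "10.0.3.7", 22, 50003, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Packet(5.0, "m4", "m5", "10.0.3.7", "10.0.2.30", 50004, 9999, b"\x01\x02\x03"),  # no match
    Packet(300.0, "m1", "m2", "10.0.1.5", "10.0.2.10", 50001, 502, MODBUS_READ),  # new session
]

if __name__ == "__main__":
    nodes, edges = build_topology(SAMPLE_PACKETS)
    for ip, kinds in sorted(nodes.items()):
        print(ip, sorted(kinds))
    for (client, server, proto), count in sorted(edges.items()):
        print(f"{client} -> {server} [{proto}] {count} packets")
```

Two points are worth noting for a real deployment. The mirror delivers both directions of a conversation, so the session key is deliberately direction-insensitive; and traffic that matches no signature is dropped from the map rather than guessed, which is the conservative choice when the map later feeds alarms.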
Optionally, the apparatus further includes:
a target network asset monitoring module, used to monitor the target network assets currently in use in the business network environment based on the target network asset topology graph and a preset network asset list;
an asset alarm information generation module, used to generate and display asset alarm information for any currently used target network asset that is detected to fall outside the range of preset network assets covered by the preset network asset list; and
a preset network asset list update module, used to update the preset network asset list based on the user's feedback on the asset alarm information.
Optionally, the apparatus further includes:
a target protocol monitoring module, used to monitor the target protocols enabled on a target network asset based on a preset protocol library;
a protocol alarm information generation module, used to generate and display protocol alarm information for any target protocol that is detected to fall outside the protocols the preset protocol library permits for that target network asset; and
a preset protocol library update module, used to update the preset protocol library based on the user's feedback on the protocol alarm information.
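The two monitoring loops above (asset list check, protocol library check, alarm display, and list update from user feedback) share one shape, so one added example covers both. It is not the patent's code; the topology input, the preset lists and the operator decisions are constructed, and the assumption that the protocol library is keyed by asset address (an asset with no entry raises no protocol alarm) is this example's own.

```python
"""Monitoring a mapped topology against a preset network asset list and a preset
protocol library, raising asset and protocol alarms, and folding user feedback
back into the lists.

Added illustration, not the patent's code. The topology, lists and feedback are
constructed. Input shape: nodes maps ip -> set of asset types, edges maps
(client, server, protocol) -> packet count; any mapping step producing that works.
"""
from dataclasses import dataclass


@dataclass
class Alarm:
    kind: str       # "asset" or "protocol"
    asset: str      # address of the asset the alarm concerns
    detail: str     # asset type(s) seen, or the offending protocol
    status: str = "open"   # open -> accepted | rejected after user feedback

    @property
    def key(self):
        return (self.kind, self.asset, self.detail)


class AssetMonitor:
    def __init__(self, asset_list, protocol_library):
        # preset network asset list: addresses that are known and expected
        self.asset_list = set(asset_list)
        # preset protocol library: address -> protocols that asset may run (assumed keying)
        self.protocol_library = {ip: set(p) for ip, p in protocol_library.items()}
        self.alarms = []   # every alarm ever raised; used to avoid re-raising a finding

    def _raise(self, kind, asset, detail):
        alarm = Alarm(kind, asset, detail)
        if any(a.key == alarm.key for a in self.alarms):
            return None   # already shown once; rejected findings stay listed, not re-alarmed
        self.alarms.append(alarm)
        return alarm

    def check(self, nodes, edges):
        """Return the new alarms produced by one pass over the current topology."""
        new = []
        # Asset check: any node on the map that is not in the preset asset list.
        for ip, kinds in nodes.items():
            if ip not in self.asset_list:
                alarm = self._raise("asset", ip, ",".join(sorted(kinds)) or "unclassified")
                if alarm:
                    new.append(alarm)
        # Protocol check: a listed asset serving a protocol its library entry does not allow.
        for (_client, server, proto) in edges:
            allowed = self.protocol_library.get(server)
            if allowed is not None and proto not in allowed:
                alarm = self._raise("protocol", server, proto)
                if alarm:
                    new.append(alarm)
        return new

    def feedback(self, alarm, accepted):
        """Accepting an alarm whitelists the finding; rejecting leaves the lists unchanged."""
        alarm.status = "accepted" if accepted else "rejected"
        if not accepted:
            return
        if alarm.kind == "asset":
            self.asset_list.add(alarm.asset)
        else:
            self.protocol_library.setdefault(alarm.asset, set()).add(alarm.detail)


# Constructed topology, as a mapping step would produce it.
NODES = {"10.0.1.5": set(), "10.0.2.10": {"plc"},
         "10.0.2.20": {"web-server", "linux-host"}, "10.0.3.7": set()}
EDGES = {("10.0.1.5", "10.0.2.10", "modbus/tcp"): 3,
         ("10.0.1.5", "10.0.2.20", "http"): 2,
         ("10.0.3.7", "10.0.2.20", "ssh"): 2,
         ("10.0.1.5", "10.0.2.10", "http"): 1}   # a PLC answering HTTP: outside its entry


def demo():
    """Two monitoring passes with operator feedback in between."""
    mon = AssetMonitor(
        asset_list=["10.0.1.5", "10.0.2.10", "10.0.2.20"],
        protocol_library={"10.0.2.10": ["modbus/tcp"], "10.0.2.20": ["http", "ssh"]})
    first = mon.check(NODES, EDGES)
    # Operator confirms the unknown host as legitimate but rejects the PLC's web port.
    for alarm in first:
        mon.feedback(alarm, accepted=(alarm.kind == "asset"))
    second = mon.check(NODES, EDGES)
    return mon, first, second


if __name__ == "__main__":
    mon, first, second = demo()
    for alarm in first:
        print(alarm)
    print("alarms on second pass:", len(second))
```

The feedback step is where the scheme's lists drift over time: an accepted asset alarm is exactly a whitelist change, so in practice the feedback path should be authenticated and logged, since whoever can "accept" alarms can silence the monitoring.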
The network asset mapping apparatus provided by this embodiment of the invention can execute the network asset mapping method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to that method.
It should be noted that in the above network asset mapping embodiment the units and modules are divided only according to functional logic and are not limited to that division, as long as the corresponding functions can be implemented; furthermore, the specific names of the functional units serve only to distinguish them from one another and do not limit the scope of protection of the invention.
Example IV
Fig. 4 shows a schematic diagram of the structure of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes and other appropriate computers. Electronic devices may also represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches) and other similar computing devices. The components shown here, their connections and relationships, and their functions are exemplary only and are not meant to limit the implementations of the invention described and/or claimed herein.
As shown in Fig. 4, the electronic device 10 includes at least one processor 11 and memory communicatively connected to it, such as a read-only memory (ROM) 12 and a random access memory (RAM) 13. The memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the ROM 12 or loaded from the storage unit 18 into the RAM 13. The RAM 13 may also store the various programs and data required for the operation of the electronic device 10. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14, and an input/output (I/O) interface 15 is also connected to the bus 14.
Various components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, etc.; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be any of various general-purpose and/or special-purpose processing components with processing and computing capabilities. Examples of the processor 11 include, but are not limited to, a central processing unit (CPU), a graphics processing unit (GPU), various specialised artificial intelligence (AI) computing chips, various processors running machine learning model algorithms, digital signal processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the various methods and processes described above, such as the network asset mapping method.
In some embodiments, the network asset mapping method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. One or more of the steps of the network asset mapping method described above may be performed when the computer program is loaded into RAM 13 and executed by processor 11. Alternatively, in other embodiments, processor 11 may be configured to perform the network asset mapping method in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be realised in digital electronic circuitry, integrated circuit systems, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), systems on chip (SoCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that can be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special-purpose or general-purpose programmable processor, and which can receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or a middleware component (e.g., an application server), or a front-end component (e.g., a user computer with a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include local area networks (LANs), wide area networks (WANs), blockchain networks and the internet.
The computing system may include clients and servers. A client and a server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or cloud host, which is a host product in a cloud computing service system that overcomes the drawbacks of difficult management and poor service scalability found in traditional physical hosts and VPS services.
It should be understood that steps may be reordered, added or deleted using the various forms of flow shown above. For example, the steps described in the present invention may be performed in parallel, sequentially or in a different order, as long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited in this respect.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (10)

1. A network asset mapping method, comprising:
acquiring at least two items of traffic information to be analysed, monitored passively through a traffic port mirror; the traffic information being generated by interactions of network assets to be mapped in a business network environment;
parsing and processing each item of traffic information to obtain target interaction relationships between target network assets in the business network environment; and
drawing a network asset topology graph based on the target interaction relationships and determining a target network asset topology graph.
2. The method of claim 1, wherein the traffic port mirror is a passive listening port provided on a router and/or switch; the traffic port mirror being used to monitor traffic information to be analysed between network devices on the external network and network assets to be mapped on the internal network, and/or traffic information to be analysed between network assets to be mapped on the internal network.
3. The method of claim 1, wherein parsing and processing each item of traffic information to obtain the target interaction relationships between target network assets in the business network environment comprises:
performing traffic parsing on each item of traffic information and determining traffic information sets; and
performing protocol parsing on each traffic information set and determining the target interaction relationships between target network assets in the business network environment.
4. The method of claim 3, wherein performing traffic parsing on each item of traffic information and determining traffic information sets comprises:
performing traffic parsing on each item of traffic information and determining the connection information of the network asset to be mapped corresponding to it, the connection information including at least one of: MAC address, sending port, receiving port, sending address and receiving address; and
performing session restoration based on the connection information and determining the restored traffic information sets.
5. The method of claim 4, wherein performing session restoration based on the connection information and determining the restored traffic information sets comprises:
comparing the connection information and determining the target traffic information corresponding to the same connection information; and
determining a restored traffic information set from the target traffic information within a preset time period.
6. The method of claim 3, wherein performing protocol parsing on each traffic information set and determining the target interaction relationships between target network assets in the business network environment comprises:
extracting protocol features from each traffic information set and determining the protocol features corresponding to each set;
inputting the protocol features into a target network asset prediction model to predict the network assets to be mapped in the business network environment and determining the target network assets in the business network environment; and
determining the target interaction relationships between target network assets in the business network environment based on the connection information and the target network asset of each traffic information set.
7. The method of claim 3, wherein performing protocol parsing on each traffic information set and determining the target interaction relationships between target network assets in the business network environment comprises:
extracting messages from each traffic information set and determining the transmitted content message corresponding to each set;
determining the target network asset corresponding to each traffic information set based on a preset protocol standard, the transmitted content message and a preset asset standard; and
determining the target interaction relationships between target network assets in the business network environment based on the connection information and the target network asset of each traffic information set.
8. The method of claim 7, wherein determining the target network asset corresponding to each traffic information set based on the preset protocol standard, the transmitted content message and the preset asset standard comprises:
determining the target protocol corresponding to each traffic information set based on the preset protocol standard and the transmitted content message; and
determining the target network asset corresponding to each traffic information set based on the target protocol and the preset asset standard.
9. The method of claim 1, further comprising:
monitoring the target network assets currently in use in the business network environment based on the target network asset topology graph and a preset network asset list;
if at least one currently used target network asset is detected to fall outside the range of preset network assets covered by the preset network asset list, generating asset alarm information based on that target network asset and displaying the asset alarm information; and
updating the preset network asset list based on the user's feedback on the asset alarm information.
10. The method of claim 1, further comprising:
monitoring the target protocols enabled on a target network asset based on a preset protocol library;
if at least one target protocol is detected to fall outside the protocols permitted for that target network asset in the preset protocol library, generating protocol alarm information based on that target protocol and displaying the protocol alarm information; and
updating the preset protocol library based on the user's feedback on the protocol alarm information.
CN202311702530.6A 2023-12-12 2023-12-12 Network asset mapping method Pending CN117729005A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311702530.6A CN117729005A (en) 2023-12-12 2023-12-12 Network asset mapping method

Publications (1)

Publication Number Publication Date
CN117729005A true CN117729005A (en) 2024-03-19

Family

ID=90199178

Country Status (1)

Country Link
CN (1) CN117729005A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination