TWI797676B - Pre-processing method and system for nuclear network risk detection and computer readable medium thereof - Google Patents


Info

Publication number
TWI797676B
Authority
TW
Taiwan
Prior art keywords
remainder
address
point value
prime number
risk detection
Application number
TW110125880A
Other languages
Chinese (zh)
Other versions
TW202304233A (en)
Inventor
張耿豪
林武震
徐正磬
黃傳強
Original Assignee
中華電信股份有限公司
Application filed by 中華電信股份有限公司
Priority to TW110125880A
Publication of TW202304233A
Application granted
Publication of TWI797676B

Landscapes

  • Apparatus For Radiation Diagnosis (AREA)
  • Hardware Redundancy (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention is a pre-processing method and system for nuclear network risk detection. An Internet Protocol address slicing module arranges the IP addresses to be scanned and then sends them to a sub-scanning module for scanning. The scanned network segment is thereby spread out effectively, and packet loss caused by congestion or delay in a single host or local network is avoided. Further, the protection that the scanning target's hardware or software applies when it detects large-scale brute-force scanning can be bypassed, so that known vulnerabilities do not go undetected. The memory shortage caused by a large number of simultaneous scans of a single host is also reduced. The present invention also provides a computer-readable medium for executing the method of the present invention.

Description

Pre-processing method and system for nuclear network risk detection, and computer-readable medium thereof

The present invention relates to nuclear network detection technology, and in particular to a pre-processing method and system for nuclear network risk detection and a computer-readable medium thereof.

With the rapid development of technology, the network assets of enterprise intranets keep growing and the requirements for internal information security keep rising, so intranet problems must be understood through inspection. Internet-wide scanning helps system administrators discover new vulnerabilities, and the deployment of monitoring equipment makes the distributed ecosystem visible.

Existing scanning mechanisms have several shortcomings. First, they lack a mechanism for spreading the scan across the network segment, so a single host or the local area network is easily congested or delayed and packets are lost, which affects the correctness and completeness of vulnerability detection. Second, an existing random scanner must keep a list of the random IP addresses to be scanned, spending system resources on recording the random sequence; this consumes memory, and hosts may be scanned twice or missed altogether. Third, an existing sequential scanner scans one Internet Protocol (IP) address after another in order; where the scanning target's hardware or software has protective detection, this is liable to be treated as a large-scale brute-force table-sweep scanning attack, and the scan fails.

Therefore, how to overcome the shortcomings of the prior art, and in particular how to reduce network congestion, packet loss and excessive consumption of system resources during nuclear network detection, or how to avoid being mistaken for a brute-force table-sweep scanning attack, has become a problem that those in the field urgently need to solve.

In view of the above problems, the present invention proposes a pre-processing method for nuclear network risk detection, comprising: receiving an Internet Protocol address range to be scanned; converting the IP address range into numerical values to produce an initial start value and an initial end value corresponding to the IP address range; converting the initial start value and the initial end value into a new start value and a new end value with a normalization function; obtaining a first prime number greater than the new end value, a random number between the new start value and the new end value, and a second prime number smaller than the first prime number, and operating on them to produce a remainder; and converting the remainder into an IP address within the IP address range with a denormalization function.

In the above method, the operation on the first prime number, the random number and the second prime number comprises multiplying the random number by the second prime number and then dividing by the first prime number to obtain the remainder.

In the above method, after the remainder is produced, the method further comprises: multiplying the remainder by the second prime number and then dividing by the first prime number to obtain a next remainder; and repeating the above operation until the next remainder finally produced equals the remainder, wherein the remainder, the next remainder and all remainders up to the last next remainder produced are converted in sequence by the denormalization function into a sequence of IP addresses.

The aforementioned method further comprises scanning the IP addresses in the sequence in order for risk detection.

The present invention further proposes a nuclear network risk detection system comprising an IP address slicing module and a sub-scanning module. The IP address slicing module comprises: a value conversion unit for converting the received IP address range to be scanned into numerical values, so as to produce an initial start value and an initial end value corresponding to the IP address range; a normalization unit for converting the initial start value and the initial end value into a new start value and a new end value with a normalization function; a remainder unit for operating on a first prime number greater than the new end value, a random number between the new start value and the new end value, and a second prime number smaller than the first prime number, so as to produce a remainder; and a denormalization unit for converting the remainder into an IP address within the IP address range with a denormalization function. The sub-scanning module scans that IP address for risk detection.

In the above system, the remainder unit further takes the remainder as the next random number and produces a next remainder by the same operation, until the next remainder finally produced equals the remainder; the remainder, the next remainder and all remainders up to the last next remainder produced are converted in sequence by the denormalization function into a sequence of IP addresses.

In the above system, the sub-scanning module scans the IP addresses in the sequence in order for risk detection.

In the aforementioned method and system, the normalization function subtracts a value from the initial start value so that the new start value becomes 1.

In the aforementioned method and system, the denormalization function adds that value to the remainder to produce a denormalized sequence.

The denormalized sequence is converted to binary and then into the IP address.

The present invention further proposes a computer-readable medium, for use in a computing device or computer, that stores instructions for executing the aforementioned pre-processing method for nuclear network risk detection.

In summary, the pre-processing method, system and computer-readable medium for nuclear network risk detection of the present invention provide automated pre-processing for nuclear network risk detection: the IP address slicing module randomly permutes the IP addresses to be scanned by mathematical operations and passes them to the sub-scanning module, which quickly scans every network segment inside the enterprise horizontally for vulnerabilities. In particular, because the invention converts the network segment to be scanned and combines it with the properties of prime numbers to derive the random scanning addresses, it scans hosts without repetition and without omission, and it spreads the scan across the network segment so that a single host or the local area network is not congested or delayed into losing packets. Second, in systems with many hosts and protection software, it effectively bypasses the monitoring for large-scale brute-force table-sweep scanning attacks performed by the scanning target's hardware or software protection, so that known vulnerabilities do not go undetected. Third, in environments with many single hosts that each have multiple network cards and multiple IP addresses, the invention reduces the memory shortage caused by scanning a single host heavily at the same time, and thereby reduces the serious vulnerability detection errors caused by scanning time and by response-time errors of the inspected services.

2: nuclear network risk detection system

21: Internet Protocol address slicing module

211: value conversion unit

212: normalization unit

213: remainder unit

214: denormalization unit

22: sub-scanning module

S101~S105: steps

S310~S401: flows

FIG. 1 is a step diagram of the pre-processing method for nuclear network risk detection of the present invention.

FIG. 2 is a system architecture diagram of the nuclear network risk detection system of the present invention.

FIG. 3 is a flow chart of a specific embodiment of the pre-processing method for nuclear network risk detection of the present invention.

FIG. 4 is a schematic diagram of the remainder cycle used by the present invention to produce randomly permuted IP addresses.

The technical content of the present invention is described below by way of specific embodiments; those skilled in the art can readily understand the advantages and effects of the invention from the disclosure in this specification. The invention may also be implemented or applied in other, different specific embodiments.

FIG. 1 is a step diagram of the pre-processing method for nuclear network risk detection of the present invention. During nuclear network risk detection, simply probing every IP address in numerical order may seriously congest or delay the local area network and even cause many packets to be lost. The present invention therefore generates randomly permuted IP addresses before nuclear network risk detection, for the sub-scanning module to scan for risk detection.

As shown in the figure, in step S101 an IP address range to be scanned is received. This step obtains the information about the IP addresses to be scanned, so as to determine the Internet Protocol (IP address) range of the relevant devices in the nuclear network that are to be scanned.

In step S102, the IP address range is converted into numerical values to produce an initial start value and an initial end value corresponding to the IP address range. To obtain the scanning addresses randomly later on, the invention produces random values by calculation; since an IP address cannot be calculated with directly, this step converts the IP addresses into numerical values for the subsequent calculation. With the IP address range known from the previous step, the initial start value and the initial end value corresponding to the IP address range are obtained by calculation.

In step S103, the initial start value and the initial end value are converted into a new start value and a new end value with a normalization function. The previous step converted the IP address range into numerical values, but different input data yield different values after conversion; to make every calculation consistent, this step uses the normalization function to convert the initial start value and the initial end value into a new start value and a new end value.

In one embodiment, the normalization function subtracts a value from the initial start value so that the new start value becomes 1; that is, whatever the initial start value is, it is converted to 1 by subtracting a value from it, and that value is used later when the conversion is reversed.

In step S104, a first prime number greater than the new end value, a random number between the new start value and the new end value, and a second prime number smaller than the first prime number are obtained and operated on to produce a remainder. This step is the random-value calculation: a prime number greater than the new end value, a random number between the new start value and the new end value, and another prime number smaller than the first prime are obtained and operated on to produce a remainder.

In one embodiment, the operation on the first prime number, the random number and the second prime number comprises multiplying the random number by the second prime number and then dividing by the first prime number to obtain the remainder. In other words, the concrete operation that yields the remainder is to multiply the random number by the second prime number and then divide by the first prime number.

In step S105, the remainder is converted with a denormalization function into an IP address within the IP address range. This step reverses the remainder obtained in the previous step with the denormalization function, to obtain the original IP address that the remainder corresponds to; this IP address is a randomly obtained IP address.

In one embodiment, the denormalization function adds the value used in the normalization to the remainder, to produce a denormalized sequence. In short, step S103 subtracts a value from the initial start value to meet the normalization requirement, and this step adds that value back, so as to recover the IP address.

The aforementioned denormalized sequence is converted to binary and then into the IP address. Step S105 converts the remainder into the corresponding IP address with the denormalization function, which includes converting the denormalized sequence to binary first and only then into the IP address. The conversion and related procedures are explained below with a concrete example.

Understandably, there is more than one device undergoing risk detection: there are many devices, each with its own IP address, and the remainder obtained above is only the calculation for the first device; subsequent calculations find the second device, the third device and so on. Concretely, after the remainder is produced, it is multiplied by the second prime number and then divided by the first prime number to obtain the next remainder, and the operation is repeated until the next remainder finally produced equals the remainder, i.e. the first remainder obtained at the beginning. Likewise, the remainder, the next remainder and all remainders up to the last next remainder produced are converted in sequence by the denormalization function into a sequence of IP addresses. In other words, the scanning order follows the IP address corresponding to each remainder calculated in turn, and stops only when the remainder finally produced equals the first remainder.

In addition, the pre-processing method for nuclear network risk detection of the present invention further comprises scanning the IP addresses in the sequence in order for risk detection. Since the purpose of the invention is to detect nuclear network risk, the IP addresses obtained by converting all the remainders from the preceding steps are scanned in that order for risk detection, which achieves a random permutation together with a complete scan of all IP addresses.

FIG. 2 is a system architecture diagram of the nuclear network risk detection system of the present invention. As shown in the figure, the nuclear network risk detection system 2 is used for nuclear network risk detection. To reduce network congestion, packet loss and excessive consumption of system resources, and to avoid being mistaken for a brute-force table-sweep scanning attack, the nuclear network risk detection system 2 pre-processes the data so as to randomly permute the IP addresses to be scanned. The nuclear network risk detection system 2 of the present invention mainly comprises an IP address slicing module 21 and a sub-scanning module 22.

The IP address slicing module 21 performs the data pre-processing and comprises a value conversion unit 211, a normalization unit 212, a remainder unit 213 and a denormalization unit 214.

The value conversion unit 211 converts the received IP address range to be scanned into numerical values, to produce an initial start value and an initial end value corresponding to the IP address range. So that scanning addresses can be obtained randomly later on, the value conversion unit 211 converts the IP addresses into numerical values for the subsequent calculation; with the IP address range known, the initial start value and the initial end value of the IP address range are obtained by calculation.

The normalization unit 212 converts the initial start value and the initial end value into a new start value and a new end value with a normalization function. To make every calculation consistent, the normalization unit 212 uses the normalization function to convert the initial start value and the initial end value, producing the new start value and the new end value.

In one embodiment, the normalization function subtracts a value from the initial start value so that the new start value becomes 1; that is, after a value is subtracted from the initial start value, the initial start value is converted to 1. The value subtracted from the initial start value is also used later when the conversion is reversed.

The remainder unit 213 operates on a first prime number greater than the new end value, a random number between the new start value and the new end value, and a second prime number smaller than the first prime number, to produce a remainder. In short, the remainder unit 213 performs the random-value calculation: it obtains a prime number greater than the new end value, a random number between the new start value and the new end value, and another prime number smaller than the first prime, and operates on them to produce a remainder. Specifically, a first prime number greater than the new end value, a random number between the new start value and the new end value, and a second prime number smaller than the first prime number are obtained, and the random number is multiplied by the second prime number and then divided by the first prime number to obtain the remainder.

The denormalization unit 214 converts the remainder into an IP address within the IP address range with a denormalization function. The denormalization function adds that value to the remainder to produce a denormalized sequence. The denormalization unit 214 reverses the remainder obtained by the remainder unit 213 with the denormalization function to obtain the original IP address that the remainder corresponds to; specifically, it adds back the value used by the normalization function of the normalization unit 212, so as to recover the IP address.

In addition, the denormalized sequence is first converted to binary before it is converted into the IP address.

Since there is more than one device undergoing risk detection and each device has its own IP address, the remainder obtained the first time is only the calculation for the first device, and subsequent calculations find the second device, the third device and the other devices. The remainder unit 213 therefore further takes the remainder as the next random number and produces the next remainder by the same operation, until the next remainder finally produced equals the remainder; the remainder, the next remainder and all remainders up to the last next remainder produced are converted in sequence by the denormalization function into a sequence of IP addresses. In short, the calculation continues from the remainder produced the first time: the remainder is multiplied by the second prime number and then divided by the first prime number to obtain the next remainder, and the operation is repeated until the next remainder finally produced equals the remainder. In this way the remainder, the next remainder and all remainders up to the last next remainder produced, converted in sequence by the denormalization function, become the sequence of IP addresses. As can be seen, the scanning order follows the IP address corresponding to each remainder calculated in turn, and stops only when the remainder finally produced equals the first remainder.

The sub-scanning module 22 scans the IP addresses for risk detection; specifically, the sub-scanning module 22 scans the IP addresses in the sequence in order for risk detection.

圖3係本發明之核網風險檢測之前置處理方法一具體實施例的流程圖。本發明提出一種快速且精確的風險檢測方法,若採用現有技術,只是按數字順序簡單地探查每一個IP地址,可能會造成區域網路的嚴重雍塞、延遲甚至造成許多封包的丟失,為了避免這種情況,本發明之網際協定位址切片模組能隨機排列掃描地址,若要選擇地址空間的較小隨機樣本,我們只需掃描完整排列的子集。因此,本發明藉由掃描前的前置處理,隨機排列要掃描的網際協定位址,以快速的執行網際網路範圍內的掃描,也能有效繞過掃描標的硬體或軟體防護檢測大量暴力掃表式掃描攻擊。 Fig. 3 is a flow chart of a specific embodiment of the pre-processing method for nuclear network risk detection of the present invention. The present invention proposes a fast and accurate risk detection method. If the prior art is adopted, each IP address is simply checked in numerical order, which may cause serious blockage, delay or even loss of many packets in the local area network. In order to avoid In this case, the IP address slicing module of the present invention can randomly arrange and scan addresses. To select a smaller random sample of the address space, we only need to scan a subset of the complete arrangement. Therefore, the present invention randomly arranges the IP addresses to be scanned by pre-processing before scanning, so as to quickly perform scanning within the range of the Internet, and can also effectively bypass the hardware or software protection of the scanning target to detect a large amount of violence. Sweep table scan attack.

詳細流程圖如圖3所示,首先,於流程S310,係輸入欲掃描的IP地址範圍,因為後續要將所欲掃描的IP地址範圍進行轉換,本發明提出兩種不同的IP地址輸入的轉換方法,同時為因應未來IPv6可能取代IPv4,因而本發明亦能支援內網IPv6算法。 The detailed flow chart is shown in Figure 3. First, in process S310, the IP address range to be scanned is input, because the IP address range to be scanned will be converted later, the present invention proposes two different IP address input conversions method, and in response to future IPv6 may replace IPv4, so the present invention can also support intranet IPv6 algorithm.

於IPv4部分,可包含兩種轉換方法。第一種轉換方法即進入流程S320,假定一掃描IP地址範圍為X1.X2.X3.X4-Y1.Y 2.Y 3.Y 4,接著進入流程S321,算出起點H和終點E,其中,起點H=X1 * 224+X2 * 216+X3 * 28+X4 * 20,終點E=Y1 * 224+Y2 * 216+Y3 * 28+Y4 * 20In the IPv4 part, two conversion methods can be included. The first conversion method is to enter the process S320 , assuming that the IP address range of a scan is X 1 . End point E, starting point H=X 1 * 2 24 +X 2 * 2 16 +X 3 * 2 8 +X 4 * 2 0 , end point E=Y 1 * 2 24 +Y 2 * 2 16 +Y 3 * 2 8 +Y 4 * 2 0 .

The second conversion method is flow S330: assume the IP address range to be scanned is P1.P2.P3.P4/D. Flow S331 then calculates the start point H and the end point E. The address is substituted into $T = P_1 \cdot 2^{24} + P_2 \cdot 2^{16} + P_3 \cdot 2^{8} + P_4 \cdot 2^{0}$ to obtain T, and K is set to T & M, where & is the bitwise AND applied in the program after conversion to binary and M is the mask defined by the equation images of the page (not reproduced here), which after simplification equal $2^{32} - 2^{32-D}$. K is then converted to decimal to give H, i.e. $H = (K)_{10}$; H is the start point of the IP address range to be scanned, and the end point is $E = H + 2^{32-D} - 1$.

For IPv6, with the first conversion method, the scan IP address range is assumed to be X1X2X3X4:X5X6X7X8:X9X10X11X12:X13X14X15X16:X17X18X19X20:X21X22X23X24:X25X26X27X28:X29X30X31X32 to Y1Y2Y3Y4:Y5Y6Y7Y8:Y9Y10Y11Y12:Y13Y14Y15Y16:Y17Y18Y19Y20:Y21Y22Y23Y24:Y25Y26Y27Y28:Y29Y30Y31Y32 (32 hexadecimal digits each). The start point H is given by the equation image [110125880-A0101-12-0011-10] and the end point E by the equation image [110125880-A0101-12-0011-11], in which the i-th hexadecimal digit is weighted by 16^(32-i).

With the second conversion method, a scan IP address range is assumed to be P1P2P3P4:P5P6P7P8:P9P10P11P12:P13P14P15P16:P17P18P19P20:P21P22P23P24:P25P26P27P28:P29P30P31P32/D. Substitute into the equation image [110125880-A0101-12-0011-4] to obtain T, and let K be T & the mask given in the equation image [110125880-A0101-12-0011-5], where & is the bitwise AND applied in the program after conversion to binary. K converted to decimal gives H, which is the start point of the IP address range to be scanned, and the end point E is H + 16^(32-D) - 1.

If the input scan IP address range is in neither form one nor form two, step S311 is entered and the user is asked to re-enter a correct IP range.

Taking the start point H and end point E obtained by the conversion above, step S340 is entered: let a normalization function be F(x) = x - (H - 1); substituting the start point H and end point E of the scan IP address range into the normalization function gives a new start point F(H) and a new end point F(E).

Steps S350 to S370 then perform the remainder operation. Step S350 calculates a prime number P greater than F(E); a value G is randomly selected from F(H)~F(E) (step S361) and multiplied by a prime number Q smaller than P (step S360) to give S; finally, in step S370, S is divided by the prime P to obtain the remainder R0, and the value of R0 is recorded. Then, in step S380, the normalization function F is inverted to convert R0 + (H - 1) back into an IP address, and step S390 sends this IP address to the sub-scanning module to start scanning. This is one cycle, and it yields the first IP address to be scanned.

To obtain the subsequent IP addresses, the remainder operation is executed again: in step S371, R0 is multiplied by the prime Q, the result S1 is divided by the prime P to obtain the remainder R1, and in step S381 the inverse of the normalization function F converts R1 + (H - 1) back into an IP address, which in step S391 is sent to the sub-scanning module for scanning. This is the second cycle. After each cycle, step S400 checks whether Rn = R0; if not, step S401 returns to step S371 to compute the next remainder. After repeated iteration, when Rn = R0 the outer loop ends. The present invention thus allows the selected permutation to be stored and processed with only four integers when dispatching the schedule: the value Q and the prime P used in the remainder operation, the first scanned address, and the current address.

Expanding R0 to R(n-1) as a sequence gives a random permutation of all integers smaller than the prime P. Denormalizing this sequence and converting it to binary IP addresses yields the randomly permuted IP addresses within the desired scan range. As shown in Fig. 4, take the sequence 1 to 10 to stand for the normalized IP addresses to be scanned, choose a prime P = 11 greater than 10, randomly choose a number 4 from 1 to 10 and multiply it by a prime Q = 7 smaller than P, giving S = 28; dividing by P gives the remainder R0 = 6. Multiplying R0 by Q and dividing by 11 gives the remainder R1 = 9. After repeated iteration, the sequence R0~R10 is [6, 9, 8, 1, 7, 5, 2, 3, 10, 4, 6]; since R0 = R10 the iteration ends, and the resulting sequence R0~R9 is a random permutation of the integers smaller than the prime P. Because each random IP address is sent to a sub-scanning module to start scanning as soon as it is computed, the randomly permuted IP addresses within the desired scan range need not be stored, which greatly reduces the system's memory footprint.

In view of the ever-increasing network assets of enterprise intranets and the rising importance of asset control and intranet security, the present invention proposes scanning the company's internal network or associated network domains in groups through the IP address slicing module. This is illustrated below with an example: suppose 172.10.0.1 to 173.10.1.252 are all company internal network or associated domains; the two methods above are used for conversion and calculation.

In the first conversion method, assuming a scan IP address range of 172.10.0.1 to 173.10.1.252, the start point is H = 172 * 2^24 + 10 * 2^16 + 0 * 2^8 + 1 * 2^0 and the end point is E = 173 * 2^24 + 10 * 2^16 + 1 * 2^8 + 252 * 2^0, giving H = 2886336513 and E = 2903114236.

Taking the start point H and end point E obtained by the conversion above, let the normalization function be F(x) = x - 2886336512; substituting H and E gives F(H) = 1 and F(E) = 16777724. Next, a prime P = 16777729 greater than F(E) is calculated (P could also be fixed at 4294967311 = 2^32 + 15, but this increases the amount of computation and thus adds a little computing time). A value 9624327 is randomly selected from F(H)~F(E) and multiplied by a prime Q = 97 smaller than P to give S; finally S is divided by P to obtain the remainder R0 = 10784624, which is recorded. Inverting the normalization function F, R0 + 2886336512 converts back to the IP address 172.174.143.112, which is sent to the sub-scanning module to start scanning. This is one cycle.

Next, R0 is multiplied by the prime Q, and the result S1 is divided by the prime P to obtain the remainder R1 = 5889330; inverting the normalization function F, R1 + 2886336512 converts back to the IP address 172.99.221.50, which is sent to the sub-scanning module for scanning. This is the second cycle. After repeated iteration, when Rn = R0 the outer loop ends. As described above, only four integers are needed to store the selected permutation and carry out the subsequent processing: the prime Q, the prime P, the first scanned address and the current address.

After repeated iteration, the remainders obtained form a sequence, the R sequence [10784624, 5889330, 822224, 12644812, 1772547, 4159769, 832097, ...]; after denormalization, the denormalized sequence is [2897121136, 2892225842, 2887158736, 2898981324, 2888109059, 289049628, ...]; converting to binary gives the sequence [10101100.10101110.10001111.01110000, 10101100.01100011.11011101.00110010, 10101100.00010110.10001011.11010000, 10101100.11001010.11110001.11001100, ...]; finally, converting the binary values to IP addresses gives the sequence [172.174.143.112, 172.99.221.50, 172.22.139.208, 172.202.241.204, ...], which can be supplied to the sub-scanning modules for scanning.

In the second conversion method, assuming a scan IP address range of 192.168.0.32/25, substituting into T = 192 * 2^24 + 168 * 2^16 + 0 * 2^8 + 32 * 2^0 gives T = 3232235552. Let K be T & X, where & is the bitwise AND applied in the program after conversion to binary and X is the mask given in the equation images [110125880-A0101-12-0014-16, 110125880-A0101-12-0014-17, 110125880-A0101-12-0014-18], which simplifies to 2^32 - 2^7 = 4294967168. That is, T in binary is 11000000101010000000000000100000, X in binary is 11111111111111111111111110000000, and the calculated K is 11000000101010000000000000000000. Converting K to decimal gives H = 3232235520, the start point of the IP address range to be scanned; the end point is then calculated as E = 3232235647.

Taking the start point H and end point E obtained by the conversion above, let the normalization function be F(x) = x - 3232235519; substituting H and E gives F(H) = 1 and F(E) = 128. Next, a prime P = 131 greater than F(E) is calculated; a value 70 is randomly selected from F(H)~F(E) and multiplied by a prime Q = 97 smaller than P to give S; finally S is divided by P to obtain the remainder R0 = 109, which is recorded. Inverting the normalization function F, R0 + 3232235519 converts back to the IP address 192.168.0.108, which is sent to the sub-scanning module to start scanning. This is one cycle.

Next, R0 is multiplied by the prime Q, and the result S1 is divided by the prime P to obtain the remainder R1 = 93; the inverse of the normalization function F converts R1 + 3232235519 back into an IP address, which is sent to the sub-scanning module for scanning. This is the second cycle. After repeated iteration, when Rn = R0 the outer loop ends. Likewise, only four integers are needed to store the selected permutation and carry out the subsequent processing: the prime Q, the prime P, the first scanned address and the current address.

After repeated iteration, the remainders obtained form a sequence, the R sequence [109, 93, 113, 88, 21, 72, 41, 47, 105, 98, ...]; after denormalization, the denormalized sequence is [3232235628, 3232235612, 3232235632, 3232235607, 3232235540, 3232235591, ...]; this is then converted to the binary sequence [11000000.10101000.00000000.01101100, 11000000.10101000.00000000.01011100, 11000000.10101000.00000000.01110000, 11000000.10101000.00000000.01010111, 11000000.10101000.00000000.00010100, ...]; finally, converting the binary values to IP addresses gives the sequence [192.168.0.108, 192.168.0.92, 192.168.0.112, 192.168.0.87, 192.168.0.20, ...], which can be supplied to the sub-scanning modules for scanning.
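The range conversion of steps S320 to S331 and the remainder cycle of steps S350 to S400, worked through for the two IPv4 examples above, as an added Python example that is not part of the patent. It assumes that remainders larger than F(E), which can occur because P > F(E), are skipped, and it adds a check that Q is a primitive root mod P, since the cycle covers every address exactly once only in that case; the patent text does not spell out either point.

```python
"""Randomised scan order from an IPv4 range, following the patent's steps S320-S331
(range to integers), S340 (normalisation) and S350-S400 (remainder cycle).
Added example; not the patent's own code."""
from math import isqrt
from typing import Iterator, List, Optional, Tuple


def is_prime(n: int) -> bool:
    """Trial division; adequate for the 2^24-sized ranges in the examples."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, isqrt(n) + 1, 2))


def next_prime(n: int) -> int:
    """Smallest prime strictly greater than n (step S350: P > F(E))."""
    p = n + 1
    while not is_prime(p):
        p += 1
    return p


def ipv4_to_int(dotted: str) -> int:
    """X1.X2.X3.X4 -> X1*2^24 + X2*2^16 + X3*2^8 + X4*2^0 (step S321)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ipv4(value: int) -> str:
    """Inverse of ipv4_to_int (the page's 'binary, then dotted' step)."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def range_bounds(spec: str) -> Tuple[int, int]:
    """Form one 'A-B' (S320/S321) or form two 'A/D' (S330/S331) -> (H, E).
    Any other input is the S311 case: reject and ask for a correct range."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        h, e = ipv4_to_int(lo), ipv4_to_int(hi)
        if h > e:
            raise ValueError("start address is after end address")
        return h, e
    if "/" in spec:
        addr, prefix = spec.split("/", 1)
        d = int(prefix)
        if not 0 <= d <= 32:
            raise ValueError(f"bad prefix length: {prefix}")
        mask = (1 << 32) - (1 << (32 - d))  # the page's X = 2^32 - 2^(32-D)
        h = ipv4_to_int(addr) & mask        # K = T & X, H = (K)_10
        return h, h + (1 << (32 - d)) - 1   # E = H + 2^(32-D) - 1
    raise ValueError("range must be A.B.C.D-E.F.G.H or A.B.C.D/N (step S311)")


def remainder_sequence(p: int, q: int, g: int) -> Iterator[int]:
    """R0 = G*Q mod P (S360-S370), R(n+1) = Rn*Q mod P (S371), until Rn == R0 (S400)."""
    r0 = (g * q) % p
    r = r0
    while True:
        yield r
        r = (r * q) % p
        if r == r0:
            return


def first_remainders(p: int, q: int, g: int, count: int) -> List[int]:
    out: List[int] = []  # the first `count` remainders, without running the whole cycle
    for r in remainder_sequence(p, q, g):
        out.append(r)
        if len(out) == count:
            break
    return out


def multiplicative_order_is_full(q: int, p: int) -> bool:
    """True iff Q is a primitive root mod the prime P, i.e. the cycle R0..R(n-1)
    visits every integer 1..P-1 exactly once. Otherwise the cycle is shorter and
    some addresses are never produced (an added check; the patent has none)."""
    n = p - 1
    factors, m, d = set(), n, 2
    while d * d <= m:
        while m % d == 0:
            factors.add(d)
            m //= d
        d += 1
    if m > 1:
        factors.add(m)
    return all(pow(q, n // f, p) != 1 for f in factors)


def scan_order(spec: str, q: int, g: int, p: Optional[int] = None) -> List[str]:
    """Whole pipeline: bounds -> F(x)=x-(H-1) -> remainders -> F^-1 -> dotted IPs.
    Remainders above F(E) would map outside the range; skipping them is an assumption."""
    h, e = range_bounds(spec)
    f_e = e - (h - 1)                       # F(H) is 1 by construction
    if p is None:
        p = next_prime(f_e)
    if not 1 <= g <= f_e or not (is_prime(q) and q < p):
        raise ValueError("need F(H) <= G <= F(E) and a prime Q < P")
    if not multiplicative_order_is_full(q, p):
        raise ValueError(f"Q={q} is not a generator mod P={p}: hosts would be missed")
    return [int_to_ipv4(r + (h - 1)) for r in remainder_sequence(p, q, g) if r <= f_e]
```

With the page's values (192.168.0.32/25, Q = 97, G = 70) `scan_order` reproduces the sequence 192.168.0.108, 192.168.0.92, 192.168.0.112, 192.168.0.87, 192.168.0.20, ... and returns all 128 addresses exactly once.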

Therefore, the present invention can perform pre-processing before nuclear network risk detection, randomly permuting the IP addresses to be scanned by mathematical operations, so as to quickly perform an Internet-wide scan and effectively bypass the scan target's hardware or software protection that detects large-scale brute-force table-sweep scanning attacks.

In addition, the present invention also discloses a computer-readable medium, applied in a computing device or computer having a processor (for example, a CPU, GPU, etc.) and/or memory, which stores instructions; the computing device or computer can execute the computer-readable medium through the processor and/or memory, so that the above method and its steps are performed when the computer-readable medium is executed.

The modules, units, devices and so on of the present invention include a microprocessor and memory; the algorithms, data, programs and so on are stored in the memory or in a chip, and the microprocessor can load data, algorithms or programs from the memory for processing such as data analysis or calculation, which is not described further here. In other words, the nuclear network risk detection system of the present invention can run on electronic equipment such as a general computer, tablet or server, performing data analysis and computation after receiving the IP address range to be scanned entered by the user. The procedures carried out by the nuclear network risk detection system can therefore be designed in software and built on electronic equipment having a processor, memory and other components, so as to run on various kinds of electronic equipment. Alternatively, the IP address slicing module and the denormalization unit of the nuclear network risk detection system can each be formed from independent components, for example designed as a calculator, memory, storage or firmware with a processing unit, any of which can be a component implementing the present invention; the numerical conversion unit, normalization unit, remainder unit and denormalization unit can likewise be presented as a software program, hardware or firmware architecture.

In summary, the pre-processing method, system and computer-readable medium for nuclear network risk detection of the present invention use mathematical operations to randomly permute the IP addresses to be scanned and then send them to the sub-scanning module for scanning, so as to quickly scan the enterprise's entire internal network segments for vulnerabilities horizontally. The present invention therefore achieves the following technical effects.

The present invention converts the network segment to be scanned and combines it with operations based on the properties of prime numbers, which effectively disperses the scanned network segment and avoids congestion or delay on a single host and the local network that would cause packet loss and in turn affect the correctness and completeness of vulnerability detection.

Compared with previous random scanners, which need a list to record the random IP addresses to be scanned, the present invention randomly permutes the IP addresses to be scanned by mathematical operations; once a random IP address is computed it is handed to the scanner for scanning, and no system resources are spent recording the random sequence, which greatly reduces memory use. While saving memory, it neither scans a host twice nor misses a host to be scanned.

Compared with previous step-by-step scanners, which scan IP addresses one after another in sequence, this patent randomly permutes the IP addresses to be scanned by mathematical operations, which can effectively bypass the scan target's hardware or software protection that detects large-scale brute-force table-sweep scanning attacks.

The above embodiments are only illustrative of the principles and effects of the present invention and are not intended to limit it. Anyone skilled in the art can modify and change the above embodiments without departing from the spirit and scope of the present invention. The scope of protection of the present invention should therefore be as listed in the claims below.

S101~S105: steps

Claims (14)

1. A pre-processing method for nuclear network risk detection, comprising: receiving an IP address range to be scanned; performing numerical conversion on the IP address range to generate an initial start point value and an initial end point value corresponding to the IP address range; converting the initial start point value and the initial end point value into a new start point value and a new end point value by a normalization function; obtaining a first prime number greater than the new end point value, a random number between the new start point value and the new end point value, and a second prime number smaller than the first prime number, and performing an operation on them to generate a remainder; and converting the remainder into an IP address within the IP address range by an inverse normalization function, wherein, after the operation on the first prime number, the random number and the second prime number, the corresponding IP address is found within the IP address range according to the remainder, so that after the remainder operation is performed repeatedly the IP addresses to be scanned are randomly found and arranged.

2. The pre-processing method for nuclear network risk detection of claim 1, wherein the normalization function subtracts a value from the initial start point value so that the new start point value becomes 1.

3. The pre-processing method for nuclear network risk detection of claim 2, wherein the inverse normalization function adds the remainder to the value to generate a denormalized sequence.

4. The pre-processing method for nuclear network risk detection of claim 3, wherein the denormalized sequence is converted to binary and then converted into the IP address.

5. The pre-processing method for nuclear network risk detection of claim 1, wherein the operation on the first prime number, the random number and the second prime number comprises multiplying the random number by the second prime number and then dividing by the first prime number to obtain the remainder.

6. The pre-processing method for nuclear network risk detection of claim 1, further comprising, after generating the remainder: multiplying the remainder by the second prime number and then dividing by the first prime number to obtain a next remainder; and repeating the above operation until the next remainder finally generated equals the remainder, wherein the remainder, the next remainder and all remainders up to the next remainder finally generated are converted in sequence by the inverse normalization function into a sequence of the IP addresses.

7. The pre-processing method for nuclear network risk detection of claim 6, further comprising: scanning the several IP addresses in the sequence in order for risk detection.

8. A computer-readable medium, applied in a computing device or computer, storing instructions for performing the pre-processing method for nuclear network risk detection of any one of claims 1 to 7.

9. A nuclear network risk detection system, comprising: an IP address slicing module, comprising: a numerical conversion unit for performing numerical conversion on the received IP address range to be scanned, to generate an initial start point value and an initial end point value corresponding to the IP address range; a normalization unit for converting the initial start point value and the initial end point value into a new start point value and a new end point value by a normalization function; a remainder unit for performing an operation according to a first prime number greater than the new end point value, a random number between the new start point value and the new end point value, and a second prime number smaller than the first prime number, to generate a remainder; and an inverse normalization unit for converting the remainder into an IP address within the IP address range by an inverse normalization function, wherein the corresponding IP address is found within the IP address range according to the remainder, so that after the remainder operation is performed repeatedly the IP addresses to be scanned are randomly found and arranged; and a sub-scanning module for scanning the IP address for risk detection.

10. The nuclear network risk detection system of claim 9, wherein the remainder unit further takes the remainder as the next random number and generates a next remainder by the same operation until the next remainder finally generated equals the remainder, and the remainder, the next remainder and all remainders up to the next remainder finally generated are converted in sequence by the inverse normalization function into a sequence of the IP addresses.

11. The nuclear network risk detection system of claim 10, wherein the sub-scanning module scans the several IP addresses in the sequence in order for risk detection.

12. The nuclear network risk detection system of claim 9, wherein the normalization function subtracts a value from the initial start point value so that the new start point value becomes 1.

13. The nuclear network risk detection system of claim 12, wherein the inverse normalization function adds the remainder to the value to generate a denormalized sequence.

14. The nuclear network risk detection system of claim 13, wherein the denormalized sequence is converted to binary and then converted into the IP address.
TW110125880A 2021-07-14 2021-07-14 Pre-processing method and system for nuclear network risk dection and computer readable medium thererof TWI797676B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW110125880A TWI797676B (en) 2021-07-14 2021-07-14 Pre-processing method and system for nuclear network risk dection and computer readable medium thererof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW110125880A TWI797676B (en) 2021-07-14 2021-07-14 Pre-processing method and system for nuclear network risk dection and computer readable medium thererof

Publications (2)

Publication Number Publication Date
TW202304233A TW202304233A (en) 2023-01-16
TWI797676B true TWI797676B (en) 2023-04-01

Family

ID=86657992


