WO2023241202A1 - Supervision engine for network assets - Google Patents


Info

Publication number: WO2023241202A1
Application number: PCT/CN2023/088595
Authority: WO (WIPO, PCT)
Prior art keywords: vulnerability, scanning, port, tcp, network
Other languages: French (fr), Chinese (zh)
Inventors: 戴宪宇, 蔡波涛, 李仁杰, 华驰
Original assignee and applicant: 江苏信息职业技术学院

Classifications

All classes fall under H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Definitions

  • the invention relates to the field of network security technology, and in particular to a monitoring engine for network assets.
  • the current network space of the Internet has expanded rapidly from the initial chaos to the present.
  • Internet devices are also used more and more widely.
  • The worldwide surge in Internet devices means the IPv4 address space can no longer accommodate them. It is foreseeable that more and more devices will be interconnected in the future; building on the extension and expansion of the Internet, human life extends to information exchange and communication between all objects.
  • the increasingly informatized era is also accompanied by more and more risks.
  • the cyberspace supervision engine plays a huge role in network security fields such as cyberspace mapping, situational awareness, and enterprise asset security management.
  • Traditional cyberspace mapping engines mainly use network probing, collection or mining techniques to obtain the network attributes of physical resources such as network devices and virtual resources such as users and services. Their functionality is narrow, their identification is inaccurate, and they have no defence capability.
  • the present invention provides a network asset supervision engine to solve the above problems.
  • the purpose of the present invention is to provide a network asset supervision engine that integrates discovery, detection, management, and defense, and can greatly improve the security protection capabilities of network equipment.
  • Step 1 Network service identification
  • Step 1.1 Use the ICMP protocol to probe the IP addresses in order to discover the surviving hosts in the IP segment, and add each surviving host IP to a list; for IPs that did not respond, probe again by sending TCP packets to specific ports. This both greatly improves recognition speed and increases recognition accuracy;
  • Step 1.2 Send a TCP packet to the surviving host port, and determine the open port of the host based on the content of the returned packet;
  • Step 2 Add the identification results of the open ports of the surviving hosts to the feature database and perform fingerprint identification on the open ports;
  • Step 2.1 Send a specific TCP packet to the open port, add the data returned by the port to the rule base, and determine the service running on the port based on the data characteristics;
  • Step 2.2 Perform fingerprint identification again on ports running a WEB service to determine the type of WEB service running
  • Step 3 Send specific data packets based on the identified services, and judge the returned content to detect whether it contains specified service vulnerabilities;
  • Step 4 Specify corresponding defense methods based on the detected vulnerabilities
  • Step 5 Monitor intranet assets to defend against new intrusions and vulnerabilities
  • Step 6 Input the results of steps 1-5 into the WEB page to facilitate user management.
  • step 1.1 is specifically:
  • Step 1.11 Since ICMP packets are sent and received very quickly, the ICMP protocol is used for scanning first: ICMP packets are sent to the IP segment being scanned, IPs that return data are classified as surviving host IPs, and the surviving IPs are added to the list for subsequent scanning;
  • Step 1.12 Some hosts will intercept the ICMP protocol, so the unrecognized hosts will use the TCP protocol for detection again.
  • TCP is a reliable connection-oriented protocol, and each stage of a complete TCP session has a distinct state. The TCP protocol is used to send data to a specific port, and whether the host is alive is determined from the connection data.
  • step 1.2 is specifically:
  • Step 1.21 Perform port liveness detection on the surviving host IPs.
  • Under the TCP protocol, a port in the closed state responds to a probe packet with an RST packet, whereas a port in the listening state ignores the probe packet.
  • Depending on which flag bits are set in the probe packet, TCP covert scanning is divided into four types: SYN/ACK scanning, FIN scanning, XMAS (Christmas tree) scanning and NULL scanning. SYN/ACK scanning and FIN scanning both bypass the first step of the TCP three-way handshake and send a SYN/ACK packet or a FIN packet directly to the destination port.
  • TCP is a connection-based protocol.
  • The target host considers that the SYN packet the sender should have sent in the first step was never sent, treats this connection attempt as erroneous, and sends an RST packet to reset the connection, which is exactly the result the scan needs. As long as there is a response, the target system exists and the target port is closed.
  • step 2.1 is specifically:
  • Step 2.11 Different services (for example ftp and http) return different results. These results are used as fingerprints and matched against the fingerprints in the database to identify and label the service corresponding to the port.
  • step 2.2 is specifically:
  • Step 2.21 Since there are various WEB systems, the ports identified as http and https in step 2.1 will be fingerprinted again.
  • WEB fingerprints are identified by fetching a specific path and examining the text returned for that path (via md5 or a regular expression); if a corresponding fingerprint exists in the fingerprint library, the WEB application the URL belongs to can be determined.
  • step 3 is specifically:
  • Step 3.1 Scanning based on a vulnerability database. First, construct a model of the scanning environment, modelling and analysing the vulnerabilities that may exist in the system, past hacker attack cases and the system administrator's security configuration. Second, based on the results of that analysis, generate a standard vulnerability database and set of matching patterns. Finally, the program scans automatically on the basis of the vulnerability database and matching patterns. The accuracy of vulnerability scanning depends on the completeness and validity of the vulnerability database;
  • Step 3.2 Plug-in-based scanning.
  • Plug-ins are subroutine modules written in scripting languages.
  • The scanner performs scanning by calling plug-ins. Adding new function plug-ins gives the scanner new functions or increases the types and number of vulnerability points it can scan for, and plug-ins can also be upgraded to update the characteristic information of vulnerability points, giving more accurate results.
  • The plug-in technology makes upgrading and maintaining the vulnerability scanning software relatively simple, and the use of a dedicated scripting language also simplifies the programming work of writing new plug-ins, making the vulnerability scanning software highly extensible.
  • step 4 is specifically:
  • Step 4.1 The vulnerability repair phase involves the cooperation between security personnel and operation and maintenance personnel; the vulnerabilities detected in step 3 are displayed on the WEB side for operation and maintenance personnel to view.
  • The security personnel must review the repair status of the vulnerability. If the vulnerability still exists when scanned again, it is classified as a repair failure, and vulnerabilities whose repair failed are converted back to the vulnerability-discovered state. If the vulnerability no longer exists when scanned again, it is classified as verified. Likewise, if the vulnerability reappears during later scans because the asset itself has changed, its status is converted to rediscovered, and a rediscovered vulnerability must be promptly transferred to the pending-repair status.
  • step 5 is specifically:
  • Step 5.1 Compare the data flowing through the computer's memory with the signatures of the cloud virus database (including virus definitions) to determine whether it is a virus.
  • step 6 is specifically:
  • Step 6.1 Import the results of steps 1-5 into the database and display them to users in a WEB-visualized form for users to monitor the status of internal network assets in real time.
  • the present invention has the following beneficial effects:
  • This invention produces multi-dimensional, accurate profiles of software and hardware network assets of all kinds, such as Web assets, operating systems, middleware, network equipment, security equipment and Internet of Things equipment, and establishes a comprehensive asset information database that effectively complements users' traditional asset management methods. It helps users connect up the information management process, improves the efficiency of security operations and maintenance, accurately discovers unknown assets so that they can be dealt with promptly, and thereby clears risks in a timely manner. Its greatest advantage is automatic, continuous monitoring and analysis, which discovers important security risks in good time, together with strong extensibility, which makes it easy to integrate with a company's existing management system.
  • Figure 1 is a schematic diagram of the overall structure of Embodiment 1 of the present invention.
  • a supervision engine for network assets which mainly includes the following specific steps:
  • Step 1 Network service identification.
  • Step 1.1 Use the ICMP protocol to probe the IP addresses in order to discover the surviving hosts in the IP segment, and add each surviving host IP to a list; for IPs that did not respond, probe again by sending TCP packets to specific ports. This both greatly improves recognition speed and increases recognition accuracy. Among them, step 1.1 is specifically:
  • Step 1.11 Since ICMP packets are sent and received very quickly, the ICMP protocol is used for scanning first: ICMP packets are sent to the IP segment being scanned, IPs that return data are classified as surviving host IPs, and the surviving IPs are added to the list for subsequent scanning.
  • Step 1.12 Some hosts will intercept the ICMP protocol, so the unrecognized hosts will use the TCP protocol for detection again.
  • TCP is a reliable connection-oriented protocol, and each stage of a complete TCP session has a distinct state. The TCP protocol is used to send data to a specific port, and whether the host is alive is determined from the connection data.
  • Step 1.2 Send a TCP packet to the surviving host port, and determine the open port of the host based on the content of the returned packet. Step 1.2 is specifically as follows:
  • Step 1.21 Perform port liveness detection on the surviving host IPs.
  • Under the TCP protocol, a port in the closed state responds to a probe packet with an RST packet, whereas a port in the listening state ignores the probe packet.
  • TCP covert scanning is divided into four types: SYN/ACK scanning, FIN scanning, XMAS (Christmas tree) scanning and NULL scanning. SYN/ACK scanning and FIN scanning both bypass the first step of the TCP three-way handshake and send a SYN/ACK packet or a FIN packet directly to the destination port, because TCP is a connection-based protocol.
  • The target host considers that the SYN packet the sender should have sent in the first step was never sent, treats this connection attempt as erroneous, and sends an RST packet to reset the connection, which is exactly the result the scan needs. As long as there is a response, the target system exists and the target port is closed.
  • Step 2 Add the identification results of the open ports of the surviving host to the signature database and perform fingerprint identification on the open ports.
  • Step 2.1 Send a specific TCP data packet to the open port, add the data returned by the port to the rule base, and determine the service running on the port based on the data characteristics. Step 2.1 is specifically as follows:
  • Step 2.11 Different services (for example ftp and http) return different results. These results are used as fingerprints and matched against the fingerprints in the database to identify and label the service corresponding to the port.
  • Step 2.2 Perform fingerprint identification again on ports running a WEB service to determine the type of WEB service running. Step 2.2 is specifically as follows:
  • Step 2.21 Since there are various WEB systems, the ports identified as http and https in step 2.1 will be fingerprinted again.
  • the way to identify WEB fingerprints is to obtain a specific path, determine the return text under the path (through md5 or regular expressions), and store it in the fingerprint library. Based on the corresponding fingerprint, the WEB application to which the URL belongs can be identified.
  • Step 3 Send a specific data packet based on the identified service, and judge the returned content to detect whether it contains the specified service vulnerability. Step 3 is specifically as follows:
  • Step 3.1 Scanning based on a vulnerability database. First, construct a model of the scanning environment, modelling and analysing the vulnerabilities that may exist in the system, past hacker attack cases and the system administrator's security configuration. Second, based on the results of that analysis, generate a standard vulnerability database and set of matching patterns. Finally, the program scans automatically on the basis of the vulnerability database and matching patterns. The accuracy of vulnerability scanning depends on the completeness and validity of the vulnerability database.
  • Step 3.2 Plug-in-based scanning.
  • Plug-ins are subroutine modules written in scripting languages.
  • The scanner performs scanning by calling plug-ins. Adding new function plug-ins gives the scanner new functions or increases the types and number of vulnerability points it can scan for, and plug-ins can also be upgraded to update the characteristic information of vulnerability points, giving more accurate results.
  • The plug-in technology makes upgrading and maintaining the vulnerability scanning software relatively simple, and the use of a dedicated scripting language also simplifies the programming work of writing new plug-ins, making the vulnerability scanning software highly extensible.
  • Step 4 Specify corresponding defense methods based on the detected vulnerabilities. Step 4 is specifically:
  • Step 4.1 The vulnerability repair phase involves the cooperation between security personnel and operation and maintenance personnel; the vulnerabilities detected in step 3 are displayed on the WEB side for operation and maintenance personnel to view.
  • The security personnel must review the repair status of the vulnerability. If the vulnerability still exists when scanned again, it is classified as a repair failure, and vulnerabilities whose repair failed are converted back to the vulnerability-discovered state. If the vulnerability no longer exists when scanned again, it is classified as verified. Likewise, if the vulnerability reappears during later scans because the asset itself has changed, its status is converted to rediscovered, and a rediscovered vulnerability must be promptly transferred to the pending-repair status.
  • Step 5 Monitor intranet assets and defend against new intrusions and vulnerabilities. Step 5 is specifically:
  • Step 5.1 Compare the data flowing through the computer's memory with the signatures of the cloud virus database (including virus definitions) to determine whether it is a virus.
  • Step 6 Enter the results of steps 1-5 into the WEB page to facilitate user management. Step 6 is specifically:
  • Step 6.1 Import the results of steps 1-5 into the database and display them to users in a WEB-visualized form for users to monitor the status of internal network assets in real time.
  • the invention is a monitoring engine for network assets. It first uses ICMP and TCP protocols to discover network assets, then conducts fingerprint identification and vulnerability identification on these assets, and repairs equipment with vulnerabilities to prevent network intrusion in real time.

Abstract

The present invention mainly relates to the technical field of network security, and in particular to a supervision engine for network assets. The supervision engine comprises the steps of: discovering network assets using ICMP and TCP; then performing fingerprint recognition and vulnerability identification on these assets; and repairing devices that have vulnerabilities, so as to defend against network intrusion in real time. In the present invention, multi-dimensional, accurate profiling is performed on software and hardware network assets of all kinds, such as Web assets, operating systems, middleware, network devices, security devices and Internet of Things devices, and a comprehensive asset information base is established, effectively overcoming the defects of users' traditional asset management approach, helping users connect up their information-management process, improving the working efficiency of security operations and maintenance, and accurately finding and handling unknown assets in a timely manner, thereby clearing risks in a timely manner. Its greatest advantage is automatic and continuous monitoring and analysis, so that important security risks are found in a timely manner, together with high extensibility, which facilitates integration with an enterprise's existing management system.

Description

A supervision engine for network assets

Technical field
The invention relates to the field of network security technology, and in particular to a supervision engine for network assets.

Background
The Internet's network space has expanded rapidly from its initial chaotic state to the present, and Internet-connected devices are used ever more widely. The worldwide surge in connected devices means the IPv4 address space can no longer accommodate them. It is foreseeable that more and more devices will be interconnected in the future; building on the extension and expansion of the Internet, human life extends to information exchange and communication between all objects. However, an increasingly information-driven era is accompanied by more and more risks, which calls for a cyberspace supervision engine that can quickly establish which network assets exist on an intranet. The cyberspace supervision engine plays a major role in network security fields such as cyberspace mapping, situational awareness and enterprise asset security management.
Traditional cyberspace mapping engines mainly use network probing, collection or mining techniques to obtain the network attributes of physical resources such as network devices and virtual resources such as users and services. Their functionality is narrow, their identification is inaccurate, and they have no defence capability.
In summary, the present invention provides a supervision engine for network assets to solve the above problems.

Summary of the invention
In view of the above situation, and in order to overcome the shortcomings of the existing technology, the purpose of the present invention is to provide a supervision engine for network assets that integrates discovery, detection, management and defence, and can greatly improve the security protection capability of network equipment.
The above technical objectives of the present invention are achieved through the following technical solution:
A supervision engine for network assets, characterized in that it mainly includes the following specific steps:
Step 1: Network service identification;
Step 1.1: Use the ICMP protocol to probe the IP addresses in order to discover the surviving hosts in the IP segment, and add each surviving host IP to a list; for IPs that did not respond, probe again by sending TCP packets to specific ports. This both greatly improves recognition speed and increases recognition accuracy;
Step 1.2: Send TCP packets to the ports of the surviving hosts and determine each host's open ports from the content of the returned packets;
Step 2: Add the open-port identification results for the surviving hosts to the feature database and perform fingerprint identification on the open ports;
Step 2.1: Send a specific TCP packet to each open port, add the data returned by the port to the rule base, and determine the service running on the port from the characteristics of that data;
Step 2.2: Perform fingerprint identification again on ports running a WEB service to determine the type of WEB service running;
Step 3: Send specific packets according to the identified services and evaluate the returned content to detect whether the specified service vulnerabilities are present;
Step 4: Specify corresponding defence methods according to the detected vulnerabilities;
Step 5: Monitor intranet assets to defend against new intrusions and vulnerabilities;
Step 6: Feed the results of steps 1-5 into a WEB page to facilitate management by the user.
Further, step 1.1 is specifically:
Step 1.11: Since ICMP packets are sent and received very quickly, the ICMP protocol is used for scanning first: ICMP packets are sent to the IP segment being scanned, IPs that return data are classified as surviving host IPs, and the surviving IPs are added to the list for subsequent scanning;
Step 1.12: Some hosts intercept the ICMP protocol, so hosts that were not identified are probed again using the TCP protocol. TCP is a reliable connection-oriented protocol, and each stage of a complete TCP session has a distinct state; the TCP protocol is used to send data to a specific port, and whether the host is alive is determined from the connection data.
Further, step 1.2 is specifically:
Step 1.21: Perform port liveness detection on each surviving host IP. Under the TCP protocol, a port in the closed state responds to a probe packet with an RST packet, whereas a port in the listening state ignores the probe packet. Depending on which flag bits are set in the probe packet, TCP covert scanning is divided into four types: SYN/ACK scanning, FIN scanning, XMAS (Christmas tree) scanning and NULL scanning. SYN/ACK scanning and FIN scanning both bypass the first step of the TCP three-way handshake and send a SYN/ACK packet or a FIN packet directly to the destination port. Because TCP is a connection-based protocol, the target host considers that the SYN packet the sender should have sent in the first step was never sent, treats this connection attempt as erroneous, and sends an RST packet to reset the connection, which is exactly the result the scan needs: as long as there is a response, the target system exists and the target port is closed.
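The flag combinations that step 1.21 relies on are equally useful on the receiving side, where a monitor wants to notice that a host is being probed in this way. The following added example (my own code, not the patent's) classifies constructed packet records into the four covert-scan types by their TCP flags and flags any source that sends such probes to several distinct ports; the `syn_seen` field is an assumption standing in for a connection-tracking table that records whether a SYN was already observed on the 4-tuple. One caveat on the inference stated above: only RFC 793-conformant stacks stay silent on a listening port for FIN, NULL and XMAS probes, while some stacks (Windows among them) answer every such probe with RST regardless of port state, so silence alone is not proof that a port is open.

```python
"""Flag-based classification of TCP covert-scan probes (added example, not the
patent's code).  Packet records are constructed inline; a deployment would
populate them from a packet capture or flow log."""
from collections import defaultdict
from typing import Dict, List, Optional

# TCP flag bits as laid out in the RFC 793 header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags: int, syn_seen: bool) -> Optional[str]:
    """Return the covert-scan type a packet's flags match, or None for
    ordinary traffic.  syn_seen says whether a SYN was already observed on
    this 4-tuple (assumed to be tracked by the caller); a FIN that closes a
    real connection or a server's SYN/ACK reply is then not a probe."""
    if flags == 0:
        return "NULL"                      # no flags at all
    if flags == FIN | PSH | URG:
        return "XMAS"                      # the "Christmas tree" combination
    if not syn_seen:
        if flags == FIN:
            return "FIN"                   # FIN with no connection behind it
        if flags == SYN | ACK:
            return "SYN/ACK"               # handshake step 2 without step 1
    return None


def detect_scanners(packets: List[dict], min_ports: int = 3) -> Dict[str, int]:
    """Flag sources that send covert probes to at least min_ports distinct
    destination ports; returns {source_ip: number_of_ports_probed}."""
    probed: Dict[str, set] = defaultdict(set)
    for pkt in packets:
        kind = classify_probe(pkt["flags"], pkt["syn_seen"])
        if kind is not None:
            probed[pkt["src"]].add(pkt["dport"])
    return {src: len(ports) for src, ports in probed.items() if len(ports) >= min_ports}


# Constructed sample: 10.0.0.9 NULL-scans five ports; 10.0.0.5 is a normal
# client that opens a connection to port 80, sends data and closes it.
SAMPLE_PACKETS = [
    {"src": "10.0.0.9", "dport": p, "flags": 0, "syn_seen": False}
    for p in (21, 22, 80, 443, 3306)
] + [
    {"src": "10.0.0.5", "dport": 80, "flags": SYN, "syn_seen": False},
    {"src": "10.0.0.5", "dport": 80, "flags": ACK | PSH, "syn_seen": True},
    {"src": "10.0.0.5", "dport": 80, "flags": FIN | ACK, "syn_seen": True},
]

if __name__ == "__main__":
    print(detect_scanners(SAMPLE_PACKETS))   # {'10.0.0.9': 5}
```

The threshold on distinct ports rather than on raw packet count keeps a single malformed packet from raising an alert while still catching a sweep across a handful of ports.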
Further, step 2.1 is specifically:
Step 2.11: Different services (for example ftp and http) return different results. These results are used as fingerprints and matched against the fingerprints in the database to identify and label the service corresponding to the port.
Further, step 2.2 is specifically:
Step 2.21: Since WEB systems are highly varied, the ports identified as http and https in step 2.1 are fingerprinted again for the WEB application. A WEB system contains characteristic strings in its static files (for example html, js, css), and even where it does not, a fixed URL path is itself a characteristic. For example, WordPress includes entries such as wp-admin in robots.txt, its default theme includes generator=wordpress xx on the home page, and pages include the wp-content path, and so on; almost every WEB system has comparable fingerprint features. WEB fingerprints are identified by fetching a specific path and examining the text returned for that path (via md5 or a regular expression); if a corresponding fingerprint exists in the fingerprint library, the WEB application the URL belongs to can be determined.
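Steps 2.11 and 2.21 both reduce to matching what a port returns against a fingerprint library, first by banner for the service and then by path plus md5 or regular expression for the WEB application. The following added example (my own code, not the patent's) implements both lookups over a small constructed library: the WordPress entries follow the patent's own description, while "example-app", its favicon bytes and the hypothetical banners are constructed stand-ins. Responses come from an in-memory dictionary rather than the network, so the matching logic can be exercised offline.

```python
"""Service and WEB fingerprint matching against a small fingerprint library
(added example, not the patent's code).  Banners and page bodies are
constructed inline; a scanner would obtain them from the open ports."""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class ServiceFingerprint:
    service: str
    pattern: re.Pattern          # matched against the bytes the port returns


# Step 2.11: a port's reply is compared with per-service fingerprints.
SERVICE_FINGERPRINTS = [
    ServiceFingerprint("ftp", re.compile(rb"^220[ -].*ftp", re.I)),
    ServiceFingerprint("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ServiceFingerprint("http", re.compile(rb"^HTTP/1\.[01] \d{3} ")),
]


def identify_service(reply: bytes) -> Optional[str]:
    """Label the service behind a port from its reply, or None if unknown."""
    for fp in SERVICE_FINGERPRINTS:
        if fp.pattern.search(reply):
            return fp.service
    return None


@dataclass(frozen=True)
class WebFingerprint:
    app: str
    path: str                                # the specific path to fetch
    regex: Optional[re.Pattern] = None       # match on the returned text ...
    md5: Optional[str] = None                # ... or on its md5 digest

    def matches(self, body: bytes) -> bool:
        if self.regex is not None and self.regex.search(body):
            return True
        return self.md5 is not None and hashlib.md5(body).hexdigest() == self.md5


# Constructed stand-in for a static file shipped by a hypothetical app; a real
# library stores the digest recorded from the application's release files.
EXAMPLE_FAVICON = b"\x00\x00\x01\x00constructed-favicon-bytes"

# Step 2.21: path plus regex or md5 per WEB application.
WEB_FINGERPRINTS = [
    WebFingerprint("wordpress", "/robots.txt", regex=re.compile(rb"wp-admin")),
    WebFingerprint("wordpress", "/", regex=re.compile(rb"generator.{0,20}wordpress", re.I)),
    WebFingerprint("wordpress", "/", regex=re.compile(rb"/wp-content/")),
    WebFingerprint("example-app", "/favicon.ico", md5=hashlib.md5(EXAMPLE_FAVICON).hexdigest()),
]

Fetch = Callable[[str], Optional[bytes]]     # path -> body, or None if not retrievable


def identify_web_apps(fetch: Fetch) -> List[str]:
    """Fetch each fingerprint's path once and return the matched applications."""
    cache: Dict[str, Optional[bytes]] = {}
    found = set()
    for fp in WEB_FINGERPRINTS:
        if fp.path not in cache:
            cache[fp.path] = fetch(fp.path)
        body = cache[fp.path]
        if body is not None and fp.matches(body):
            found.add(fp.app)
    return sorted(found)


# Constructed site: responses keyed by path, standing in for HTTP fetches.
WORDPRESS_SITE = {
    "/robots.txt": b"User-agent: *\nDisallow: /wp-admin/\n",
    "/": b'<meta name="generator" content="WordPress 6.x" />',
}

if __name__ == "__main__":
    print(identify_service(b"220 (vsFTPd 3.0.3)\r\n"))   # ftp
    print(identify_web_apps(WORDPRESS_SITE.get))           # ['wordpress']
```

Keeping the md5 and regex alternatives on the same fingerprint record lets the library use an exact digest for files that never change between installs and a pattern for pages whose surrounding markup varies.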
Further, step 3 is specifically:
Step 3.1: Scanning based on a vulnerability database. First, construct a model of the scanning environment, modelling and analysing the vulnerabilities that may exist in the system, past hacker attack cases and the system administrator's security configuration. Second, based on the results of that analysis, generate a standard vulnerability database and set of matching patterns. Finally, the program scans automatically on the basis of the vulnerability database and matching patterns. The accuracy of vulnerability scanning depends on the completeness and validity of the vulnerability database;
Step 3.2: Plug-in-based scanning. Plug-ins are subroutine modules written in a scripting language, and the scanner performs scanning by calling them. Adding new function plug-ins gives the scanner new functions or increases the types and number of vulnerability points it can scan for, and plug-ins can also be upgraded to update the characteristic information of vulnerability points, giving more accurate results. Plug-in technology makes upgrading and maintaining the vulnerability scanning software relatively simple, and the use of a dedicated scripting language also simplifies the programming work of writing new plug-ins, making the vulnerability scanning software highly extensible.
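The following added example (my own code, not the patent's) shows the shape of steps 3.1 and 3.2 together: a vulnerability database of version ranges with the defence method from step 4 attached to each record, and a plug-in registry where each plug-in parses the reply of one service and looks it up. Every identifier here is a placeholder: the vulnerability ids, the "exampleftpd" and "examplessh" products, their banner formats and the fixed versions are all constructed, and the replies are passed in as bytes rather than obtained by sending a probe.

```python
"""Plug-in based vulnerability checks over a vulnerability database (added
example, not the patent's code).  Vulnerability identifiers, products and
replies are constructed; a scanner would obtain the reply by sending the
service-specific probe described in step 3."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str          # placeholder ids; a real database would carry CVE ids
    service: str
    fixed_in: Version     # versions strictly below this are affected
    remedy: str           # step 4: the defence method recorded with the finding


VULN_DB: List[VulnRecord] = [
    VulnRecord("VULN-PLACEHOLDER-001", "ftp", (1, 3, 0), "upgrade exampleftpd to 1.3.0 or later"),
    VulnRecord("VULN-PLACEHOLDER-002", "ssh", (9, 0), "upgrade examplessh to 9.0 or later"),
]


def parse_version(text: str) -> Version:
    """'1.2.0' -> (1, 2, 0); tuples compare component-wise, which is what we need."""
    return tuple(int(part) for part in text.split("."))


def lookup(service: str, version: Version) -> List[VulnRecord]:
    """Step 3.1: match an identified service version against the database."""
    return [v for v in VULN_DB if v.service == service and version < v.fixed_in]


Plugin = Callable[[bytes], List[VulnRecord]]
PLUGINS: Dict[str, Plugin] = {}


def plugin(service: str):
    """Step 3.2: registering a function adds a check for that service."""
    def register(func: Plugin) -> Plugin:
        PLUGINS[service] = func
        return func
    return register


@plugin("ftp")
def check_ftp(reply: bytes) -> List[VulnRecord]:
    # Hypothetical banner format: "220 exampleftpd 1.2.0 ready"
    m = re.search(rb"exampleftpd (\d+(?:\.\d+)*)", reply)
    return lookup("ftp", parse_version(m.group(1).decode())) if m else []


@plugin("ssh")
def check_ssh(reply: bytes) -> List[VulnRecord]:
    # Hypothetical banner format: "SSH-2.0-examplessh_8.9"
    m = re.search(rb"^SSH-2\.0-examplessh_(\d+(?:\.\d+)*)", reply)
    return lookup("ssh", parse_version(m.group(1).decode())) if m else []


def scan_port(service: str, reply: bytes) -> List[str]:
    """Run the plug-in registered for the service identified in step 2 on the
    reply to its probe and return the matched vulnerability ids."""
    check = PLUGINS.get(service)
    return [v.vuln_id for v in check(reply)] if check else []


if __name__ == "__main__":
    print(scan_port("ftp", b"220 exampleftpd 1.2.0 ready\r\n"))   # ['VULN-PLACEHOLDER-001']
```

Because the database and the plug-ins are separate, a signature update (a new `VulnRecord`) and a capability update (a new `@plugin` function) can ship independently, which is the maintainability argument step 3.2 makes.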
Further, step 4 is specifically:
Step 4.1: The vulnerability remediation phase is a collaboration between security staff and operations staff. The vulnerabilities detected in step 3 are displayed on the web interface for operations staff to review. When operations staff move a vulnerability from the pending-repair state to the repaired state, security staff must re-check the repair: if a rescan finds the vulnerability still present, it is classed as a failed repair and returned to the discovered state; if the rescan no longer finds it, it moves to the verified state. If a later scan finds the vulnerability again because the asset itself has changed, its state becomes rediscovered, and a rediscovered vulnerability must be moved promptly back to pending repair.
Further, step 5 is specifically:
Step 5.1: Data passing through the computer's memory is compared against the signatures of a cloud virus database (which holds the virus definitions) to decide whether it is a virus. Heuristic techniques are layered on the existing signature-matching technique: suspicious program samples are analysed against anti-virus sample data, and when no signature matches, the Win32 API functions called by the decompiled program code (their combinations, call frequencies and so on) are used to judge whether the program's purpose is that of a virus or malware. When the judgement conditions are met, an alarm tells the user that a suspicious program has been found. This defends against unknown viruses and malware and removes the weakness of relying on signature comparison alone. An artificial-intelligence algorithm with "self-learning, self-evolving" capability is used, so that most variant viruses are blocked without frequent upgrades of the signature library. A large mesh of clients monitors anomalous software behaviour on the network, collects the latest information on trojans and malicious programs on the Internet, and pushes it to the server for automatic analysis and processing; the resulting virus and trojan remedies are then distributed to every client.
Further, step 6 is specifically:
Step 6.1: The results of steps 1 to 5 are imported into a database and presented to the user in visual form on the web interface, so that the user can monitor the state of internal network assets in real time.
In summary, the invention has the following beneficial effects:
The invention builds a multi-dimensional, accurate profile of every class of software and hardware network asset (web assets, operating systems, middleware, network devices, security devices and IoT devices) and establishes a comprehensive asset information base. This makes up for the shortcomings of traditional asset management, helps users streamline their information-management process and improve the efficiency of security operations, and lets unknown assets be found accurately and dealt with promptly so that risk is cleared in time. Its greatest advantages are automatic, continuous monitoring and analysis that surfaces important security risks promptly, and strong extensibility that makes it easy to integrate with an enterprise's existing management systems.
Description of the drawings
The accompanying drawing described here provides a further understanding of the invention and forms part of this application, but does not unduly limit the invention. In the drawing:
Figure 1 is a schematic diagram of the overall structure of Embodiment 1 of the invention.
Detailed description
The foregoing and other technical content, features and effects of the invention are presented clearly in the following detailed description of the embodiment with reference to Figure 1. The structures mentioned in the following embodiment refer to the accompanying drawing of the description.
Exemplary embodiments of the invention are described below with reference to the accompanying drawing.
Embodiment 1:
A supervision engine for network assets, comprising the following steps:
Step 1: Network service identification.
Step 1.1: ICMP probes are used to discover the live hosts in an IP range, and the live host IPs are added to a list; the IPs that did not respond are probed again by sending TCP packets to specific ports. This both greatly increases identification speed and raises identification accuracy. Step 1.1 is specifically:
Step 1.11: Because ICMP packets are fast to send and receive, the ICMP scan runs first: ICMP packets are sent to the IP range under scan, any IP that returns data is classed as a live host, and the live IPs are added to the list for subsequent scanning.
Step 1.12: Some hosts block ICMP, so the hosts not identified in step 1.11 are probed again with TCP. TCP is a reliable, connection-oriented protocol in which each stage of a complete session has a distinct state; TCP data is sent to specific ports and the host is judged live or not from the connection responses.
Step 1.2: TCP packets are sent to the ports of each live host, and the host's open ports are determined from the content of the returned packets. Step 1.2 is specifically:
Step 1.21: Port-liveness probing of the live host IPs. Under the TCP protocol, a closed port answers a probe packet with an RST, whereas a listening port ignores the probe. Depending on which flag bits are set in the probe, TCP stealth scanning is divided into four types: SYN/ACK scan, FIN scan, XMAS (Christmas tree) scan and NULL scan. The SYN/ACK and FIN scans both skip the first step of the TCP three-way handshake and send a SYN/ACK or FIN packet straight to the destination port. Because TCP is connection-oriented, the target host treats the connection as erroneous, since the SYN that the sender should have sent in the first step never arrived, and replies with an RST to reset the connection. That is exactly the result the scan needs: any response shows that the target system exists and that the target port is closed.
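Steps 1.11 to 1.21 describe one discovery pipeline. The Python below is an added example written for this page, not code from the patent: it runs the ICMP sweep first, sends TCP probes only to the addresses that stayed silent, and encodes the decision a scanner draws from the reply to each of the four stealth probes. The network (`lab_icmp`, `lab_tcp`, the `10.0.0.0/29` addresses and their listening ports) is constructed so that the example runs offline; a real scanner would back the two probe callables with raw sockets or a packet library such as scapy.

```python
"""Host discovery (ICMP first, TCP fallback) and stealth-scan interpretation.

Added example for the supervision engine's step 1; the lab network below is
constructed, not a real target.
"""
from ipaddress import ip_network
from typing import Callable, Optional, Set

# TCP flag bits as laid out in the TCP header (RFC 793 / RFC 9293).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags set in the probe for each stealth scan type named in step 1.21.
SCAN_FLAGS = {
    "SYN/ACK": SYN | ACK,
    "FIN": FIN,
    "XMAS": FIN | PSH | URG,   # "lit up like a Christmas tree"
    "NULL": 0,
}


def discover_hosts(cidr: str,
                   icmp_probe: Callable[[str], bool],
                   tcp_probe: Callable[[str, int], bool],
                   fallback_ports=(22, 80, 443)) -> Set[str]:
    """Return the live hosts in cidr: ICMP sweep first, TCP only for the rest."""
    live: Set[str] = set()
    unanswered = []
    for host in ip_network(cidr).hosts():
        ip = str(host)
        if icmp_probe(ip):
            live.add(ip)            # step 1.11: echo reply means live
        else:
            unanswered.append(ip)
    for ip in unanswered:           # step 1.12: hosts that drop ICMP
        # Any TCP reply at all (SYN/ACK or RST) proves the host is up.
        if any(tcp_probe(ip, port) for port in fallback_ports):
            live.add(ip)
    return live


def classify_port(scan: str, reply_flags: Optional[int],
                  rfc793_compliant: bool = True) -> str:
    """Interpret one reply to a stealth probe (reply_flags is None on timeout).

    Under RFC 793 a closed port answers FIN/NULL/XMAS with RST and an open
    port stays silent. An unsolicited ACK (the SYN/ACK probe) is answered
    with RST by open and closed ports alike, so it only shows the port is
    reachable and unfiltered. Stacks that ignore RFC 793 (Windows, for one)
    send RST for FIN/NULL/XMAS on open ports too, hence the flag.
    """
    if scan not in SCAN_FLAGS:
        raise ValueError(f"unknown scan type {scan!r}")
    got_rst = reply_flags is not None and bool(reply_flags & RST)
    if scan == "SYN/ACK":
        return "unfiltered" if got_rst else "filtered"
    if reply_flags is None:
        return "open|filtered"      # silence: open, or a firewall dropped the probe
    if got_rst:
        return "closed" if rfc793_compliant else "unknown"
    return "unexpected"


# Constructed lab network: which IPs answer ICMP and which ports listen.
LAB_ICMP_REPLIES = {"10.0.0.1", "10.0.0.3"}
LAB_LISTENING = {"10.0.0.1": {22, 80}, "10.0.0.2": {443}, "10.0.0.3": set()}


def lab_icmp(ip: str) -> bool:
    return ip in LAB_ICMP_REPLIES


def lab_tcp(ip: str, port: int) -> bool:
    # An existing host replies (SYN/ACK if open, RST if closed);
    # an unused address replies with nothing.
    return ip in LAB_LISTENING


if __name__ == "__main__":
    print(sorted(discover_hosts("10.0.0.0/29", lab_icmp, lab_tcp)))
    print(classify_port("FIN", RST), classify_port("NULL", None))
```

The patent text says that any response means the port is closed; `classify_port` keeps that reading for the FIN, NULL and XMAS probes but not for SYN/ACK, where an RST comes back whatever the port state, and it returns `unknown` rather than `closed` when the target stack is known not to follow RFC 793. Host 10.0.0.2 in the lab drops ICMP and is only found by the TCP fallback, which is the case step 1.12 exists for.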
Step 2: The open-port identification results for the live hosts are added to the signature library, and the open ports are fingerprinted.
Step 2.1: Specific TCP packets are sent to each open port, the data the port returns is added to the rule base, and the service running on the port is determined from the characteristics of that data. Step 2.1 is specifically:
Step 2.11: Different services (ftp, http and so on) return different results; these results serve as fingerprints and are matched against the fingerprints in the database to identify and label the service on the port.
Step 2.2: Ports running a web service are fingerprinted a second time to determine the type of web service running. Step 2.2 is specifically:
Step 2.21: Because web systems are so varied, the ports identified as http or https in step 2.1 are fingerprinted a second time at the web layer. A web system carries characteristic strings in its static files (html, js, css), and even where it does not, a fixed URL path is itself a characteristic. For example, WordPress lists wp-admin in robots.txt, its default theme places generator=WordPress x.x in the home page, and its pages reference the wp-content path; nearly every web application has comparable fingerprints. Web fingerprinting therefore requests a specific path and checks the response body (by md5 hash or by regular expression) against the fingerprint library; if a corresponding fingerprint exists, the web application behind the URL is identified.
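Steps 2.11 and 2.21 are both signature matching over a reply, first a banner and then the body of a fixed path. The Python below is an added example for this page, not the patent's fingerprint library: `fingerprint_service` matches a banner against a few regular expressions, and `fingerprint_web` fetches each path once and tests the body by md5 hash or regex, the two methods step 2.21 names. The fingerprint entries are illustrative (the WordPress ones restate the page's example; `examplecms` and its favicon hash are invented placeholders), and the responses in `LAB_SITE` are constructed so the example runs offline.

```python
"""Service banner and web-application fingerprinting (steps 2.11 and 2.21).

Added example; fingerprints and the LAB_SITE responses are constructed.
"""
import hashlib
import re
from typing import Callable, Dict, Optional

# Step 2.11: banner fingerprints. Illustrative; a real library is far larger.
SERVICE_FINGERPRINTS = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("ftp", re.compile(rb"^220[ -].*FTP", re.I)),
    ("smtp", re.compile(rb"^220[ -].*(SMTP|ESMTP)", re.I)),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}")),
]


def fingerprint_service(banner: bytes) -> str:
    """Label the service behind a banner, or 'unknown' if nothing matches."""
    for name, pattern in SERVICE_FINGERPRINTS:
        if pattern.search(banner):
            return name
    return "unknown"


# Step 2.21: web fingerprints as (application, path, kind, value).
# kind "regex" is tested against the body; kind "md5" against the body's
# hash, which suits static files that are identical across installs.
WEB_FINGERPRINTS = [
    ("wordpress", "/robots.txt", "regex", r"wp-admin"),
    ("wordpress", "/", "regex", r'<meta name="generator" content="WordPress'),
    ("wordpress", "/", "regex", r"/wp-content/"),
    # placeholder application with a constructed favicon hash
    ("examplecms", "/favicon.ico", "md5",
     hashlib.md5(b"EXAMPLE-FAVICON").hexdigest()),
]


def fingerprint_web(fetch: Callable[[str], Optional[bytes]]) -> Dict[str, int]:
    """Return {application: number of matching fingerprints}, best first.

    fetch(path) returns the response body or None if the path is missing.
    Each path is requested once, however many fingerprints refer to it.
    """
    hits: Dict[str, int] = {}
    bodies: Dict[str, Optional[bytes]] = {}
    for app, path, kind, value in WEB_FINGERPRINTS:
        if path not in bodies:
            bodies[path] = fetch(path)
        body = bodies[path]
        if body is None:
            continue
        if kind == "md5":
            matched = hashlib.md5(body).hexdigest() == value
        else:
            matched = re.search(value.encode(), body) is not None
        if matched:
            hits[app] = hits.get(app, 0) + 1
    return dict(sorted(hits.items(), key=lambda kv: -kv[1]))


# Constructed responses standing in for a real target site.
LAB_SITE = {
    "/robots.txt": b"User-agent: *\nDisallow: /wp-admin/\n",
    "/": (b'<html><head><meta name="generator" content="WordPress 6.2" />'
          b'<link rel="stylesheet" href="/wp-content/themes/x/style.css">'
          b"</head></html>"),
}


def lab_fetch(path: str) -> Optional[bytes]:
    return LAB_SITE.get(path)


if __name__ == "__main__":
    print(fingerprint_service(b"SSH-2.0-OpenSSH_9.2"))
    print(fingerprint_web(lab_fetch))
```

Counting hits per application rather than stopping at the first match matters in practice: a single `generator` tag is easy to spoof or strip, and the md5 path gives a match only when the static file is byte-identical, so several weak signals agreeing is the more reliable signal.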
Step 3: Specific packets are sent according to the identified service, and the returned content is examined to detect whether the service carries a specified vulnerability. Step 3 is specifically:
Step 3.1: Scanning based on a vulnerability database. First, a model of the scanning environment is built by modelling and analysing the vulnerabilities that may exist in the system, past attack cases, and the security configuration applied by system administrators. Second, from the results of that analysis, a standard vulnerability database and its matching patterns are generated. Finally, the program scans automatically on the basis of that database and those patterns. The accuracy of vulnerability scanning depends on the completeness and currency of the vulnerability database.
Step 3.2: Plug-in-based scanning. A plug-in is a subroutine module written in a scripting language, and the scanner performs a scan by invoking plug-ins. Adding a new plug-in gives the scanner new functions or extends the types and number of vulnerabilities it can scan for, and upgrading a plug-in refreshes the signature information for a vulnerability so that results become more accurate. Plug-in technology makes upgrading and maintaining the vulnerability scanner relatively simple, and the dedicated scripting language simplifies writing new plug-ins, which gives the scanner strong extensibility.
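Steps 3.1 and 3.2 together describe a check database that says what each vulnerability means and a plug-in per check that sends the probe and matches the reply. The Python below is an added example of that split for this page, not the patent's scanner: `CHECK_DB` is the data side, `PLUGINS` is filled by a decorator so a new check is one more function, and `run_checks` runs only the plug-ins registered for the service identified in step 2. The two checks are real, well-known misconfigurations (anonymous FTP login, HTTP TRACE enabled); no vulnerability identifiers are invented. The transport is a callable and the `lab_*` replies are constructed, so the example runs offline.

```python
"""Plug-in vulnerability checks driven by a check database (steps 3.1 and 3.2).

Added example; the lab_* transports return constructed replies.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Transport = Callable[[bytes], bytes]   # send probe bytes, receive reply bytes


@dataclass(frozen=True)
class Finding:
    check_id: str
    service: str
    description: str


# The database side: check id -> (service it applies to, what a hit means).
CHECK_DB: Dict[str, Tuple[str, str]] = {
    "ftp-anon-login": ("ftp", "anonymous FTP login is accepted"),
    "http-trace-enabled": ("http", "HTTP TRACE method is enabled"),
}

# The plug-in side: check id -> function(transport) -> bool.
PLUGINS: Dict[str, Callable[[Transport], bool]] = {}


def plugin(check_id: str):
    """Register a probe/match function under a check id from CHECK_DB."""
    def register(fn):
        PLUGINS[check_id] = fn
        return fn
    return register


@plugin("ftp-anon-login")
def ftp_anon(send: Transport) -> bool:
    reply = send(b"USER anonymous\r\nPASS probe@example\r\n")
    # 230 = "User logged in, proceed"; 530 = "Not logged in".
    return re.search(rb"^230[ -]", reply, re.M) is not None


@plugin("http-trace-enabled")
def http_trace(send: Transport) -> bool:
    marker = b"X-Probe: abc123"
    reply = send(b"TRACE / HTTP/1.0\r\nHost: target\r\n" + marker + b"\r\n\r\n")
    status_line = reply.split(b"\r\n", 1)[0]
    # A 200 that echoes our own header back is the proof that TRACE works.
    return (reply.startswith(b"HTTP/1.") and b" 200 " in status_line
            and marker in reply)


def run_checks(service: str, send: Transport) -> List[Finding]:
    """Run every registered plug-in whose CHECK_DB entry targets this service."""
    findings: List[Finding] = []
    for check_id, (svc, description) in CHECK_DB.items():
        if svc != service or check_id not in PLUGINS:
            continue
        if PLUGINS[check_id](send):
            findings.append(Finding(check_id, service, description))
    return findings


# Constructed targets.
def lab_ftp_open(probe: bytes) -> bytes:
    return b"331 Please specify the password.\r\n230 Login successful.\r\n"


def lab_ftp_closed(probe: bytes) -> bytes:
    return b"331 Please specify the password.\r\n530 Login incorrect.\r\n"


def lab_http_trace(probe: bytes) -> bytes:
    return b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n" + probe


def lab_http_safe(probe: bytes) -> bytes:
    return b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD\r\n\r\n"


if __name__ == "__main__":
    print(run_checks("ftp", lab_ftp_open))
    print(run_checks("http", lab_http_safe))
```

Keeping the description in `CHECK_DB` and the probe logic in the plug-in is what lets the two evolve separately, which is the maintenance benefit step 3.2 claims: a wording change or a new severity is a database edit, while a changed reply format is a one-function change. The TRACE check sends its own marker header rather than trusting the status code alone, since some front ends answer 200 without echoing the request.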
Step 4: A corresponding defensive method is assigned for each detected vulnerability. Step 4 is specifically:
Step 4.1: The vulnerability remediation phase is a collaboration between security staff and operations staff. The vulnerabilities detected in step 3 are displayed on the web interface for operations staff to review. When operations staff move a vulnerability from the pending-repair state to the repaired state, security staff must re-check the repair: if a rescan finds the vulnerability still present, it is classed as a failed repair and returned to the discovered state; if the rescan no longer finds it, it moves to the verified state. If a later scan finds the vulnerability again because the asset itself has changed, its state becomes rediscovered, and a rediscovered vulnerability must be moved promptly back to pending repair.
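Step 4.1 is a state machine with two actors: operations staff move items to repaired, and the rescan (standing in for the security staff's re-check) decides everything after that. The Python below is an added example for this page, not the patent's tracker: `TRANSITIONS` lists exactly the moves the step allows, `Vulnerability.apply` refuses any other, and `reconcile` drives every tracked item from a fresh scan result, sending failed repairs back to discovered and rediscovered items straight to pending repair. The event names, the `(host, port, check id)` key and the sample findings are assumptions made for the example.

```python
"""Vulnerability lifecycle from step 4.1 as an explicit state machine.

Added example; event names and sample keys are constructed for it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

VulnKey = Tuple[str, int, str]          # (host, port, check id)

# (current state, event) -> next state. Nothing else is allowed.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("discovered", "assign"): "pending_repair",         # security staff hand it to ops
    ("pending_repair", "ops_repaired"): "repaired",     # ops claim the fix
    ("repaired", "rescan_present"): "repair_failed",    # re-check: still there
    ("repaired", "rescan_absent"): "verified",          # re-check: gone
    ("repair_failed", "reopen"): "discovered",          # failed repairs start over
    ("verified", "rescan_present"): "rediscovered",     # asset changed, it is back
    ("rediscovered", "assign"): "pending_repair",       # promptly back to ops
}


@dataclass
class Vulnerability:
    key: VulnKey
    state: str = "discovered"
    history: List[str] = field(default_factory=list)

    def apply(self, event: str) -> str:
        """Move to the next state, or raise if the event is not allowed here."""
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None:
            raise ValueError(f"{event!r} is not allowed in state {self.state!r}")
        self.history.append(f"{self.state} --{event}--> {nxt}")
        self.state = nxt
        if nxt == "repair_failed":          # step 4.1: failed repairs go back to discovered
            return self.apply("reopen")
        return self.state


def reconcile(tracker: Dict[VulnKey, Vulnerability],
              scan_hits: Set[VulnKey]) -> Dict[VulnKey, Vulnerability]:
    """Apply one fresh scan result to every tracked vulnerability.

    Only 'repaired' and 'verified' items react to a rescan; an item still
    pending repair is simply expected to be present. Keys the tracker has
    never seen become new 'discovered' entries.
    """
    for key, vuln in tracker.items():
        present = key in scan_hits
        if vuln.state == "repaired":
            vuln.apply("rescan_present" if present else "rescan_absent")
        elif vuln.state == "verified" and present:
            vuln.apply("rescan_present")
            vuln.apply("assign")            # rediscovered items do not wait for triage
    for key in scan_hits - set(tracker):
        tracker[key] = Vulnerability(key)
    return tracker


if __name__ == "__main__":
    k = ("10.0.0.2", 21, "ftp-anon-login")     # constructed finding
    v = Vulnerability(k)
    v.apply("assign"); v.apply("ops_repaired")
    reconcile({k: v}, {k})                      # ops said fixed, scan disagrees
    print(v.state, v.history)
```

The point of refusing unknown transitions is that the web interface cannot let operations staff mark an item verified themselves: only a rescan event reaches the `verified` state, which is the separation of duties step 4.1 describes.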
Step 5: Intranet assets are monitored to defend against new intrusions and vulnerabilities. Step 5 is specifically:
Step 5.1: Data passing through the computer's memory is compared against the signatures of a cloud virus database (which holds the virus definitions) to decide whether it is a virus. Heuristic techniques are layered on the existing signature-matching technique: suspicious program samples are analysed against anti-virus sample data, and when no signature matches, the Win32 API functions called by the decompiled program code (their combinations, call frequencies and so on) are used to judge whether the program's purpose is that of a virus or malware. When the judgement conditions are met, an alarm tells the user that a suspicious program has been found. This defends against unknown viruses and malware and removes the weakness of relying on signature comparison alone. An artificial-intelligence algorithm with "self-learning, self-evolving" capability is used, so that most variant viruses are blocked without frequent upgrades of the signature library. A large mesh of clients monitors anomalous software behaviour on the network, collects the latest information on trojans and malicious programs on the Internet, and pushes it to the server for automatic analysis and processing; the resulting virus and trojan remedies are then distributed to every client.
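Step 5.1 orders two checks: an exact signature lookup first, and only when that misses a heuristic judgement over which Win32 API functions the program uses and how often. The Python below is an added example of that ordering for this page, not the patent's engine or its AI component: the signature set is a hash table with one constructed entry, and the heuristic is a weighted rule list over API-name combinations. The injection rule (OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) is the textbook remote-injection sequence; the other rules, the weights and the alert threshold are illustrative assumptions, as are the sample import lists.

```python
"""Signature lookup first, Win32 API heuristics second (step 5.1).

Added example; signatures, rules, weights and samples are constructed.
"""
import hashlib
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Stand-in for the cloud virus definitions: sha256 of known samples.
SIGNATURES: Dict[str, str] = {
    hashlib.sha256(b"CONSTRUCTED-KNOWN-BAD-SAMPLE").hexdigest(): "Example.Constructed.A",
}

# Heuristic rules: (API combination, behaviour it suggests, weight).
# A rule fires only when every API in the combination is present.
RULES: List[Tuple[FrozenSet[str], str, int]] = [
    (frozenset({"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                "CreateRemoteThread"}), "remote process injection", 60),
    (frozenset({"URLDownloadToFileA", "WinExec"}), "download and execute", 40),
    (frozenset({"RegOpenKeyExA", "RegSetValueExA"}), "registry persistence", 15),
    (frozenset({"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}),
     "anti-debugging", 10),
]
ALERT_THRESHOLD = 50        # illustrative; tuned against a sample corpus in practice


def scan_sample(data: bytes, imported_apis: Iterable[str]) -> Dict:
    """Classify one program: signature hit, else heuristic score over its APIs."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in SIGNATURES:
        return {"verdict": "malicious", "reason": "signature",
                "name": SIGNATURES[digest], "score": 100}

    apis = list(imported_apis)          # e.g. names from the import table
    present = set(apis)
    score, behaviours = 0, []
    for combo, behaviour, weight in RULES:
        if combo <= present:            # feature combination, as in step 5.1
            score += weight
            behaviours.append(behaviour)
    # Frequency signal: an API referenced many times counts a little extra,
    # capped so that repetition alone can never raise an alarm.
    repeats = sum(count - 1 for count in Counter(apis).values())
    score += min(10, repeats)
    verdict = "suspicious" if score >= ALERT_THRESHOLD else "clean"
    return {"verdict": verdict, "reason": "heuristic",
            "behaviours": behaviours, "score": score}


if __name__ == "__main__":
    # Constructed samples: one known hash, one unknown injector, one benign tool.
    print(scan_sample(b"CONSTRUCTED-KNOWN-BAD-SAMPLE", []))
    print(scan_sample(b"unknown-binary", ["OpenProcess", "VirtualAllocEx",
                                          "WriteProcessMemory", "CreateRemoteThread"]))
    print(scan_sample(b"editor", ["CreateFileW", "ReadFile", "WriteFile", "MessageBoxW"]))
```

The threshold is what keeps this from being a blocklist of API names: registry persistence alone scores 15 and stays clean, because plenty of legitimate installers do exactly that, while the injection combination crosses the line on its own. A real engine would also resolve A/W name variants and dynamically loaded imports (GetProcAddress) before matching, which this example does not attempt.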
Step 6: The results of steps 1 to 5 are fed into a web page for convenient management by the user. Step 6 is specifically:
Step 6.1: The results of steps 1 to 5 are imported into a database and presented to the user in visual form on the web interface, so that the user can monitor the state of internal network assets in real time.
The invention is a supervision engine for network assets: it first discovers network assets using the ICMP and TCP protocols, then fingerprints those assets and identifies their vulnerabilities, repairs the devices that carry vulnerabilities, and defends against network intrusion in real time.
The invention builds a multi-dimensional, accurate profile of every class of software and hardware network asset (web assets, operating systems, middleware, network devices, security devices and IoT devices) and establishes a comprehensive asset information base. This makes up for the shortcomings of traditional asset management, helps users streamline their information-management process and improve the efficiency of security operations, and lets unknown assets be found accurately and dealt with promptly so that risk is cleared in time. Its greatest advantages are automatic, continuous monitoring and analysis that surfaces important security risks promptly, and strong extensibility that makes it easy to integrate with an enterprise's existing management systems.
The foregoing is a further detailed description of the invention in combination with specific embodiments, and the specific implementation of the invention is not to be regarded as limited to them; for those skilled in the art to which the invention belongs and in related fields, extensions and substitutions of operating methods and data made on the basis of the technical idea of the invention all fall within the scope of protection of the invention.

Claims (9)

  1. A supervision engine for network assets, characterised in that it comprises the following steps:
    Step 1: Network service identification;
    Step 1.1: ICMP probes are used to discover the live hosts in an IP range, and the live host IPs are added to a list; the IPs that did not respond are probed again by sending TCP packets to specific ports, which both greatly increases identification speed and raises identification accuracy;
    Step 1.2: TCP packets are sent to the ports of each live host, and the host's open ports are determined from the content of the returned packets;
    Step 2: The open-port identification results for the live hosts are added to the signature library, and the open ports are fingerprinted;
    Step 2.1: Specific TCP packets are sent to each open port, the data the port returns is added to the rule base, and the service running on the port is determined from the characteristics of that data;
    Step 2.2: Ports running a web service are fingerprinted a second time to determine the type of web service running;
    Step 3: Specific packets are sent according to the identified service, and the returned content is examined to detect whether the service carries a specified vulnerability;
    Step 4: A corresponding defensive method is assigned for each detected vulnerability;
    Step 5: Intranet assets are monitored to defend against new intrusions and vulnerabilities;
    Step 6: The results of steps 1 to 5 are fed into a web page for convenient management by the user.
  2. The supervision engine for network assets according to claim 1, characterised in that step 1.1 is specifically:
    Step 1.11: Because ICMP packets are fast to send and receive, the ICMP scan runs first: ICMP packets are sent to the IP range under scan, any IP that returns data is classed as a live host, and the live IPs are added to the list for subsequent scanning;
    Step 1.12: Some hosts block ICMP, so the hosts not identified in step 1.11 are probed again with TCP. TCP is a reliable, connection-oriented protocol in which each stage of a complete session has a distinct state; TCP data is sent to specific ports and the host is judged live or not from the connection responses.
  3. The supervision engine for network assets according to claim 1, characterised in that step 1.2 is specifically:
    Step 1.21: Port-liveness probing of the live host IPs. Under the TCP protocol, a closed port answers a probe packet with an RST, whereas a listening port ignores the probe. Depending on which flag bits are set in the probe, TCP stealth scanning is divided into four types: SYN/ACK scan, FIN scan, XMAS (Christmas tree) scan and NULL scan. The SYN/ACK and FIN scans both skip the first step of the TCP three-way handshake and send a SYN/ACK or FIN packet straight to the destination port. Because TCP is connection-oriented, the target host treats the connection as erroneous, since the SYN that the sender should have sent in the first step never arrived, and replies with an RST to reset the connection. That is exactly the result the scan needs: any response shows that the target system exists and that the target port is closed.
  4. The supervision engine for network assets according to claim 1, characterised in that step 2.1 is specifically:
    Step 2.11: Different services (ftp, http and so on) return different results; these results serve as fingerprints and are matched against the fingerprints in the database to identify and label the service on the port.
  5. The supervision engine for network assets according to claim 1, characterised in that step 2.2 is specifically:
    Step 2.21: Because web systems are so varied, the ports identified as http or https in step 2.1 are fingerprinted a second time at the web layer. A web system carries characteristic strings in its static files (html, js, css), and even where it does not, a fixed URL path is itself a characteristic. For example, WordPress lists wp-admin in robots.txt, its default theme places generator=WordPress x.x in the home page, and its pages reference the wp-content path; nearly every web application has comparable fingerprints. Web fingerprinting therefore requests a specific path and checks the response body (by md5 hash or by regular expression) against the fingerprint library; if a corresponding fingerprint exists, the web application behind the URL is identified.
  6. The supervision engine for network assets according to claim 1, characterised in that step 3 is specifically:
    Step 3.1: Scanning based on a vulnerability database. First, a model of the scanning environment is built by modelling and analysing the vulnerabilities that may exist in the system, past attack cases, and the security configuration applied by system administrators. Second, from the results of that analysis, a standard vulnerability database and its matching patterns are generated. Finally, the program scans automatically on the basis of that database and those patterns. The accuracy of vulnerability scanning depends on the completeness and currency of the vulnerability database;
    Step 3.2: Plug-in-based scanning. A plug-in is a subroutine module written in a scripting language, and the scanner performs a scan by invoking plug-ins. Adding a new plug-in gives the scanner new functions or extends the types and number of vulnerabilities it can scan for, and upgrading a plug-in refreshes the signature information for a vulnerability so that results become more accurate. Plug-in technology makes upgrading and maintaining the vulnerability scanner relatively simple, and the dedicated scripting language simplifies writing new plug-ins, which gives the scanner strong extensibility.
  7. The supervision engine for network assets according to claim 1, characterised in that step 4 is specifically:
    Step 4.1: The vulnerability remediation phase is a collaboration between security staff and operations staff. The vulnerabilities detected in step 3 are displayed on the web interface for operations staff to review. When operations staff move a vulnerability from the pending-repair state to the repaired state, security staff must re-check the repair: if a rescan finds the vulnerability still present, it is classed as a failed repair and returned to the discovered state; if the rescan no longer finds it, it moves to the verified state. If a later scan finds the vulnerability again because the asset itself has changed, its state becomes rediscovered, and a rediscovered vulnerability must be moved promptly back to pending repair.
  8. The supervision engine for network assets according to claim 1, characterised in that step 5 is specifically:
    Step 5.1: Data passing through the computer's memory is compared against the signatures of a cloud virus database (which holds the virus definitions) to decide whether it is a virus. Heuristic techniques are layered on the existing signature-matching technique: suspicious program samples are analysed against anti-virus sample data, and when no signature matches, the Win32 API functions called by the decompiled program code (their combinations, call frequencies and so on) are used to judge whether the program's purpose is that of a virus or malware. When the judgement conditions are met, an alarm tells the user that a suspicious program has been found. This defends against unknown viruses and malware and removes the weakness of relying on signature comparison alone. An artificial-intelligence algorithm with "self-learning, self-evolving" capability is used, so that most variant viruses are blocked without frequent upgrades of the signature library. A large mesh of clients monitors anomalous software behaviour on the network, collects the latest information on trojans and malicious programs on the Internet, and pushes it to the server for automatic analysis and processing; the resulting virus and trojan remedies are then distributed to every client.
  9. The supervision engine for network assets according to claim 1, characterised in that step 6 is specifically:
    Step 6.1: The results of steps 1 to 5 are imported into a database and presented to the user in visual form on the web interface, so that the user can monitor the state of internal network assets in real time.
PCT/CN2023/088595 2022-06-17 2023-04-17 Supervision engine for network assets WO2023241202A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210690331.7A CN115208634A (en) 2022-06-17 2022-06-17 Supervision engine of network assets
CN202210690331.7 2022-06-17

Publications (1)

Publication Number Publication Date
WO2023241202A1 true WO2023241202A1 (en) 2023-12-21

Family

ID=83576253

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/088595 WO2023241202A1 (en) 2022-06-17 2023-04-17 Supervision engine for network assets

Country Status (2)

Country Link
CN (1) CN115208634A (en)
WO (1) WO2023241202A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117768561A (en) * 2024-02-22 2024-03-26 北京暖流科技有限公司 method for automatically identifying equipment communication protocol and information acquisition system
CN118158061A (en) * 2024-02-26 2024-06-07 江苏虢安科技有限公司 Data content confidentiality checking system and checking method

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115208634A (en) * 2022-06-17 2022-10-18 江苏信息职业技术学院 Supervision engine of network assets
CN116471130B (en) * 2023-06-20 2023-11-10 荣耀终端有限公司 Network asset detection method and device
CN116738442B (en) * 2023-08-10 2023-12-08 北京安博通科技股份有限公司 Defensive vulnerability scanning detection method and device, electronic equipment and medium
CN117411764B (en) * 2023-10-17 2024-07-02 广州安润信息科技有限公司 Intranet asset monitoring method, device and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030195861A1 (en) * 2002-01-15 2003-10-16 Mcclure Stuart C. System and method for network vulnerability detection and reporting
CN103902913A (en) * 2012-12-28 2014-07-02 百度在线网络技术(北京)有限公司 Method and device for carrying out safety processing on web application
CN105389511A (en) * 2015-12-29 2016-03-09 北京金山安全软件有限公司 Virus checking and killing method and device and electronic equipment
CN106230800A (en) * 2016-07-25 2016-12-14 恒安嘉新(北京)科技有限公司 A kind of to assets active probe with the method for leak early warning
CN108011893A (en) * 2017-12-26 2018-05-08 广东电网有限责任公司信息中心 A kind of asset management system based on networked asset information gathering
CN110661669A (en) * 2019-10-11 2020-01-07 云南电网有限责任公司德宏供电局 Network topology automatic discovery method of network equipment based on ICMP, TCP and UDP protocols
CN114338068A (en) * 2021-05-31 2022-04-12 深圳市亿威尔信息技术股份有限公司 Multi-node vulnerability scanning method and device, electronic equipment and storage medium
CN115208634A (en) * 2022-06-17 2022-10-18 江苏信息职业技术学院 Supervision engine of network assets

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7346922B2 (en) * 2003-07-25 2008-03-18 Netclarity, Inc. Proactive network security system to protect against hackers
CN109088790A (en) * 2018-07-20 2018-12-25 南京方恒信息技术有限公司 A kind of scanning of multi engine exposed assets and management system
CN109033844A (en) * 2018-09-10 2018-12-18 四川长虹电器股份有限公司 Automation vulnerability detection system and method based on port identification
CN110324310B (en) * 2019-05-21 2022-04-29 国家工业信息安全发展研究中心 Network asset fingerprint identification method, system and equipment
CN112468360A (en) * 2020-11-13 2021-03-09 北京安信天行科技有限公司 Asset discovery identification and detection method and system based on fingerprint
CN112769635B (en) * 2020-12-10 2022-04-15 青岛海洋科学与技术国家实验室发展中心 Service identification method and device for multi-granularity feature analysis
CN113486358B (en) * 2021-07-09 2023-06-02 建信金融科技有限责任公司 Vulnerability detection method and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
JIA-LIN HUANG, YAO JING-ZHOU, ZHOU TING: "Research on Network Scanning Principles", COMPUTER TECHNOLOGY AND DEVELOPMENT, vol. 17, no. 6, 10 June 2007 (2007-06-10), pages 147-150, XP093117076 *
YANG, AHUI: "Network Security and Active Defense", SCIENCE AND TECHNOLOGY INNOVATION HERALD, SHIJIE ZHISHI CHUBANSHE, CN, no. 26, 11 September 2010 (2010-09-11), pages 35-36, XP009551097, ISSN: 1674-098X, DOI: 10.16660/j.cnki.1674-098x.2010.26.051 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117768561A (en) * 2024-02-22 2024-03-26 北京暖流科技有限公司 Method for automatically identifying equipment communication protocol and information acquisition system
CN117768561B (en) * 2024-02-22 2024-04-23 北京暖流科技有限公司 Method for automatically identifying equipment communication protocol and information acquisition system
CN118158061A (en) * 2024-02-26 2024-06-07 江苏虢安科技有限公司 Data content confidentiality checking system and checking method

Also Published As

Publication number Publication date
CN115208634A (en) 2022-10-18

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application
Ref document number: 23822773; Country of ref document: EP; Kind code of ref document: A1