CN107733581B - Rapid internet asset feature detection method and device based on whole network environment - Google Patents
- Publication number
- CN107733581B (CN201710944839.4A)
- Authority
- CN
- China
- Prior art keywords
- target
- return
- value
- port number
- message
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L1/00—Arrangements for detecting or preventing errors in the information received
- H04L1/12—Arrangements for detecting or preventing errors in the information received by using return channel
- H04L1/16—Arrangements for detecting or preventing errors in the information received by using return channel in which the return channel carries supervisory signals, e.g. repetition request signals
- H04L1/1607—Details of the supervisory signal
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L1/00—Arrangements for detecting or preventing errors in the information received
- H04L1/12—Arrangements for detecting or preventing errors in the information received by using return channel
- H04L1/16—Arrangements for detecting or preventing errors in the information received by using return channel in which the return channel carries supervisory signals, e.g. repetition request signals
- H04L1/1607—Details of the supervisory signal
- H04L1/1671—Details of the supervisory signal the supervisory signal being transmitted together with control information
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0823—Errors, e.g. transmission errors
- H04L43/0829—Packet loss
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/161—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Environmental & Geological Engineering (AREA)
- Computer Security & Cryptography (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiments of the present invention provide a method and device for rapid Internet asset feature detection based on the whole network environment, belonging to the field of network security. A sequence number value is generated from a target IP and a target port number, and a TCP message is generated based on that sequence number value. The TCP messages are then sent concurrently to the target ports for scan probing, which effectively improves sending efficiency. The response message returned by the target server corresponding to the target port in reply to the TCP message is obtained and parsed to determine whether the target IP corresponding to the sequence number value matches the return IP address and whether the target port number corresponding to the sequence number value matches the return port number. When they match, the service type corresponding to the response data is identified, so that users can quickly identify Internet assets and carry out an effective security risk assessment across the whole network environment.
Description
Technical Field
The present invention relates to the field of network security, and in particular to a method and device for rapid Internet asset feature detection based on the whole network environment.
Background
In an Internet environment shaped by the rapid globalization of information, individuals can quickly deploy websites, and enterprises can quickly deploy various servers on the network, such as web servers and DNS servers. At the same time, hackers on the network (here meaning people who illegally collect and steal relatively valuable data) attack servers to steal enterprise data and sensitive information, which gives rise to network security risks. With the rapid development of big data, it has also become easier for hackers to use big-data-based attack methods against different servers.
In enterprise network security, an inventory of network assets is the foundation of information security: only by understanding its own network assets can an organization go on to plan its information security and deploy security equipment. Users typically inventory intranet assets manually, and use scanners to inventory servers, PCs and ports. Traditional network scanning usually uses SYN packets. SYN (synchronous) is the handshake signal used when TCP/IP establishes a connection. When a normal TCP (Transmission Control Protocol) connection is established between a client and a server, the client first sends a SYN message, the server replies with SYN+ACK to indicate that it received the message, and the client finally responds with an ACK message. Only then is a reliable TCP connection established between the client and the server, over which data can be transferred. However, the prior art has the technical problem that it cannot perform fast scanning and asset detection across the whole network.
Summary of the Invention
The present invention provides a method and device for rapid Internet asset feature detection based on the whole network environment, aiming to improve on the above technical problem.
The method for rapid Internet asset feature detection based on the whole network environment provided by the present invention includes: generating a sequence number value according to a target IP and a target port number; generating a TCP message based on the sequence number value; sending the TCP message to the target port corresponding to the target port number; obtaining the response message returned by the target server corresponding to the target port in reply to the TCP message; obtaining the return IP address and return port number carried in the response message; determining whether the target IP corresponding to the sequence number value matches the return IP address and whether the target port number corresponding to the sequence number value matches the return port number; if so, obtaining the response data carried in the response message; and identifying the service type corresponding to the response data.
Preferably, generating the sequence number value according to the target IP and the target port number includes: the sequence number value satisfies SEQ value = target IP + target port, where the SEQ (Sequence Number) value denotes the sequence number value.
Preferably, obtaining the return IP address and return port number carried in the response message includes: obtaining the acknowledgement value corresponding to the acknowledgement character carried in the response message; and performing a reverse operation on the acknowledgement value to obtain the return IP address and return port number corresponding to the acknowledgement value.
Preferably, identifying the service type corresponding to the response data includes: obtaining the characteristic characters carried in the response data; and looking up the service type corresponding to the characteristic characters.
Preferably, after identifying the service type corresponding to the response data, the method further includes: storing the response data locally.
The device for rapid Internet asset feature detection based on the whole network environment provided by the present invention includes: a first data acquisition unit, configured to generate a sequence number value according to a target IP and a target port number; a message generation unit, configured to generate a TCP message based on the sequence number value; a message sending unit, configured to send the TCP message to the target port corresponding to the target port number; a message acquisition unit, configured to obtain the response message returned by the target server corresponding to the target port in reply to the TCP message; a second data acquisition unit, configured to obtain the return IP address and return port number carried in the response message; a data processing unit, configured to determine whether the target IP corresponding to the sequence number value matches the return IP address and whether the target port number corresponding to the sequence number value matches the return port number; an execution unit, configured to obtain, if so, the response data carried in the response message; and an identification unit, configured to identify the service type corresponding to the response data.
Preferably, the first data acquisition unit is specifically configured such that the sequence number value satisfies SEQ value = target IP + target port, where the SEQ (Sequence Number) value denotes the sequence number value.
Preferably, the second data acquisition unit is specifically configured to: obtain the acknowledgement value corresponding to the acknowledgement character carried in the response message; and perform a reverse operation on the acknowledgement value to obtain the return IP address and return port number corresponding to the acknowledgement value.
Preferably, the identification unit is specifically configured to: obtain the characteristic characters carried in the response data; and look up the service type corresponding to the characteristic characters.
Preferably, the device further includes, after the identification unit: a storage unit, configured to store the response data locally.
With the method and device for rapid Internet asset feature detection based on the whole network environment provided by the present invention, a sequence number value is generated according to the target IP and the target port number, and a TCP message is generated based on that sequence number value. The messages are then sent concurrently to the target ports for scan probing, which effectively improves sending efficiency. The response message returned by the target server corresponding to the target port in reply to the TCP message is obtained and parsed to determine whether the target IP corresponding to the sequence number value matches the return IP address and whether the target port number corresponding to the sequence number value matches the return port number. When they match, the service type corresponding to the response data is identified, so that users can quickly identify Internet assets and carry out an effective security risk assessment across the whole network environment.
Brief Description of the Drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the present invention and should therefore not be regarded as limiting its scope; those of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.
FIG. 1 is a structural block diagram of an electronic device provided by an embodiment of the present invention;
FIG. 2 is a flowchart of the method for rapid Internet asset feature detection based on the whole network environment provided by the first embodiment of the present invention;
FIG. 3 is a schematic diagram of sending TCP messages in the method shown in FIG. 2;
FIG. 4 is a schematic diagram of the target server returning a response message in the method shown in FIG. 2;
FIG. 5 is a schematic diagram of service type identification in the method shown in FIG. 2;
FIG. 6 is a flowchart of the method for rapid Internet asset feature detection based on the whole network environment provided by the second embodiment of the present invention;
FIG. 7 is a schematic diagram of the functional modules of the device for rapid Internet asset feature detection based on the whole network environment provided by the third embodiment of the present invention;
FIG. 8 is a schematic diagram of the functional modules of the device for rapid Internet asset feature detection based on the whole network environment provided by the fourth embodiment of the present invention.
Detailed Description
To make the purposes, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, but not all, of the embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative effort fall within the scope of protection of the present invention. Accordingly, the following detailed description of the embodiments provided in the drawings is not intended to limit the scope of the claimed invention, but merely represents selected embodiments of the invention.
FIG. 1 is a structural block diagram of an electronic device provided by an embodiment of the present invention. The electronic device 300 includes the device for rapid Internet asset feature detection based on the whole network environment, a memory 302, a storage controller 303, a processor 304 and a peripheral interface 305.
The memory 302, the storage controller 303, the processor 304 and the peripheral interface 305 are electrically connected to one another, directly or indirectly, to transmit or exchange data. For example, these elements may be electrically connected to one another through one or more communication buses or signal lines. The device for rapid Internet asset feature detection based on the whole network environment includes at least one software function module that can be stored in the memory 302 in the form of software or firmware, or built into the operating system (OS) of the electronic device 300. The processor 304 is used to execute the executable modules stored in the memory 302, for example the software function modules or computer programs included in the detection device.
The memory 302 may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), and the like. The memory 302 is used to store a program, and the processor 304 executes the program after receiving an execution instruction. The method performed by the server 100 as defined by the flow process disclosed in any of the foregoing embodiments of the present invention may be applied to, or implemented by, the processor 304.
The processor 304 may be an integrated circuit chip with signal processing capability. The processor 304 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It can implement or execute the methods, steps and logical block diagrams disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The peripheral interface 305 couples various input/output devices to the processor 304 and the memory 302. In some embodiments, the peripheral interface 305, the processor 304 and the storage controller 303 may be implemented in a single chip. In other embodiments, they may each be implemented by a separate chip.
FIG. 2 is a flowchart of the method for rapid Internet asset feature detection based on the whole network environment provided by the first embodiment of the present invention. The flow shown in FIG. 2 is described in detail below.
Step S101: generate a sequence number value according to the target IP and the target port number.
As one implementation, in the whole network environment, a target IP and a target port number are constructed locally, and a sequence number value is generated from them. Specifically, the sequence number value satisfies: SEQ value = target IP + target port, where the SEQ (Sequence Number) value denotes the sequence number value, the target IP denotes the address of the target IP, and the target port denotes the port number of the target port. For example, if a target IP of 1.1.1.1 and a target port number of 1 are constructed arbitrarily on the local side, then SEQ value = (1.1.1.1 + 1) = 123456. As another example, if a target IP of 253.253.253.253 and a target port number of 65533 are constructed arbitrarily on the local side, then SEQ value = (253.253.253.253 + 65533) = 56789. Here, a preset rule is used to turn the target IP plus the target port into a single numeric value.
The sequence number value is the value of the sequence number in the TCP (Transmission Control Protocol) protocol.
Step S102: generate a TCP message based on the sequence number value.
The TCP message is a message that contains the sequence number value and is based on the Transmission Control Protocol.
As one implementation, the sequence number value is inserted into the TCP header to generate the TCP message.
Step S103: send the TCP message to the target port corresponding to the target port number.
In this embodiment, the TCP messages are preferably sent concurrently to the target ports corresponding to the target port numbers, as shown in FIG. 3.
In this embodiment, to improve sending efficiency, the sender no longer waits for each return packet individually; preferably, a separate port is opened to wait for the target server's replies as they continue to arrive.
In this embodiment, the method preferably further includes, after step S103, continuously waiting for the target server to return data.
Step S104: obtain the response message returned by the target server corresponding to the target port in reply to the TCP message.
The TCP message serves as a probe packet for probing the target IP and port, as shown in FIG. 4.
Step S105: obtain the return IP address and return port number carried in the response message.
The return IP address is the IP address carried in the response message. The return port number is the port number carried in the response message.
As one implementation, the acknowledgement value corresponding to the acknowledgement character carried in the response message is obtained, and a reverse operation is performed on the acknowledgement value to obtain the return IP address and return port number corresponding to it.
The acknowledgement character is the ACK (Acknowledgement) carried in the response message. Performing the reverse operation on the ACK yields the return IP address and return port number corresponding to the ACK.
Step S106: determine whether the target IP corresponding to the sequence number value matches the return IP address and whether the target port number corresponding to the sequence number value matches the return port number.
In this embodiment, suppose for example that the IP address carried in the response message is 10.0.0.1 and the port is 80. The SEQ value is obtained by subtracting 1 from the ACK value, that is, SEQ value = ACK value - 1, and the target IP and target port number corresponding to the ACK value are recovered by the reverse algorithm. The target IP is compared with the return IP address carried in the response message, and the target port number is compared with the return port number carried in the response message, to determine whether the target IP is the same as the return IP address and whether the target port number is the same as the return port number.
Step S107: if so, obtain the response data carried in the response message.
In this embodiment, if they are the same, the target server has correctly answered the TCP message, and the target port can be judged to be open. The response data carried in the response message is then obtained.
If they differ, the message from the target server is not a reply to the TCP message, and the data is discarded.
Step S108: identify the service type corresponding to the response data.
The service type may be an http service, an ftp service, a telnet service and/or an SMTP service. No specific limitation is made here.
As one implementation, the characteristic characters carried in the response data are obtained, and the service type corresponding to those characteristic characters is looked up. FIG. 5 shows the different service types returned by different servers.
The characteristic characters are a character string carried in the response data. For example, an http service carries the string "HTTP/1.1 200Forbidden" in its returned response data. As another example, an ftp service carries the string “"data":"220----------Welcometo Pure-FTPd[privsep]” in its return packet. No specific limitation is made here.
Looking up the service type corresponding to the characteristic characters means that, for example, when the head of the response data carries "HTTP/1.1 200", the service open on the target IP and target port number is judged to be an HTTP service.
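The reply-validation and service-identification steps (S105 to S108) can be exercised offline as follows; this is an added example, not code from the patent, and it sends no traffic. Assumptions: the patent leaves the "preset rule" for the SEQ value unspecified, and a 32-bit sequence number cannot reversibly hold a 32-bit IPv4 address plus a 16-bit port, so the sketch swaps in a keyed hash (HMAC-SHA256 truncated to 32 bits) and validates a reply by recomputation rather than inversion. The key, the `Reply` record, the banner signatures and the sample replies are constructed for illustration.

```python
"""Offline sketch of S101 and S105-S108: tag probes, validate replies, classify banners."""
import hashlib
import hmac
import ipaddress
import struct
from typing import NamedTuple, Optional

# Constructed demo key. Assumption: HMAC truncated to 32 bits stands in for the
# patent's unspecified "preset rule" (SEQ value = target IP + target port).
SCAN_KEY = b"constructed-demo-key"


class Reply(NamedTuple):
    """Fields the receiver reads from one response message (constructed model)."""
    src_ip: str
    src_port: int
    ack: int
    payload: bytes


def probe_seq(target_ip: str, target_port: int, key: bytes = SCAN_KEY) -> int:
    """S101: derive the 32-bit SEQ value for the probe to (target IP, target port)."""
    if not 0 < target_port <= 0xFFFF:
        raise ValueError("port out of range")
    packed = ipaddress.IPv4Address(target_ip).packed + struct.pack("!H", target_port)
    digest = hmac.new(key, packed, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def reply_matches_probe(reply: Reply, key: bytes = SCAN_KEY) -> bool:
    """S105/S106: SEQ = ACK - 1 (mod 2**32) must be the SEQ of the reply's own source."""
    try:
        expected = probe_seq(reply.src_ip, reply.src_port, key)
    except ValueError:  # malformed address or port in the reply record
        return False
    return (reply.ack - 1) & 0xFFFFFFFF == expected


def classify_service(payload: bytes) -> str:
    """S108: map characteristic strings at the head of the response data to a service."""
    if payload.startswith(b"HTTP/1."):
        return "http"
    if payload[:1] == b"\xff":  # Telnet IAC byte that opens option negotiation
        return "telnet"
    if payload.startswith(b"220"):  # FTP and SMTP both greet with reply code 220
        text = payload.upper()
        if b"SMTP" in text:  # also matches ESMTP
            return "smtp"
        if b"FTP" in text:
            return "ftp"
    return "unknown"


def identify_asset(reply: Reply, key: bytes = SCAN_KEY) -> Optional[tuple]:
    """S106-S108: discard replies that fail validation, classify the rest."""
    if not reply_matches_probe(reply, key):
        return None
    return (reply.src_ip, reply.src_port, classify_service(reply.payload))


def build_inventory(replies) -> list:
    """Run every received reply through validation and classification."""
    return [asset for asset in map(identify_asset, replies) if asset is not None]


def constructed_reply(ip: str, port: int, payload: bytes, ack_offset: int = 1) -> Reply:
    """Build a sample reply the way an answering server would: ACK = SEQ + 1."""
    return Reply(ip, port, (probe_seq(ip, port) + ack_offset) & 0xFFFFFFFF, payload)


# Constructed sample replies (documentation address range 192.0.2.0/24).
SAMPLE_REPLIES = [
    constructed_reply("192.0.2.10", 80, b"HTTP/1.1 200 OK\r\nServer: demo\r\n\r\n"),
    constructed_reply("192.0.2.20", 21, b"220---------- Welcome to Pure-FTPd [privsep]\r\n"),
    constructed_reply("192.0.2.30", 25, b"220 mail.example.test ESMTP ready\r\n"),
    constructed_reply("192.0.2.40", 23, b"\xff\xfd\x18\xff\xfd\x20"),
    # ACK that does not correspond to any probe sent to this source: discarded.
    constructed_reply("192.0.2.50", 443, b"HTTP/1.1 200 OK\r\n\r\n", ack_offset=2),
    # ACK of the port-80 probe arriving from a different port: discarded.
    Reply("192.0.2.10", 8080, (probe_seq("192.0.2.10", 80) + 1) & 0xFFFFFFFF,
          b"HTTP/1.1 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for asset in build_inventory(SAMPLE_REPLIES):
        print(asset)
```

Because the expected value depends on a secret key, a reply only passes S106 if its sender actually saw the probe, which keeps unsolicited or forged packets out of the asset inventory.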
FIG. 6 is a flowchart of the method for rapid Internet asset feature detection based on the whole network environment provided by the second embodiment of the present invention. The flow shown in FIG. 6 is described in detail below.
Step S201: generate a sequence number value according to the target IP and the target port number.
Step S202: generate a TCP message based on the sequence number value.
Step S203: send the TCP message to the target port corresponding to the target port number.
Step S204: obtain the response message returned by the target server corresponding to the target port in reply to the TCP message.
Step S205: obtain the return IP address and return port number carried in the response message.
Step S206: determine whether the target IP corresponding to the sequence number value matches the return IP address and whether the target port number corresponding to the sequence number value matches the return port number.
Step S207: if so, obtain the response data carried in the response message.
Step S208: identify the service type corresponding to the response data.
For the specific implementation of steps S201 to S208, refer to the corresponding steps in the first embodiment; they are not repeated here.
Step S209: store the response data locally.
In this embodiment, the response data that is carried in a response message satisfying step S206, and whose service type has already been identified, is stored locally.
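FIG. 7 is a schematic diagram of the functional modules of the device for rapid Internet asset feature detection based on the whole network environment provided by the third embodiment of the present invention. The rapid Internet asset feature detection device 400 includes: a first data acquisition unit 410, a message generation unit 420, a message sending unit 430, a message acquisition unit 440, a second data acquisition unit 450, a data processing unit 460, an execution unit 470 and an identification unit 480.
The first data acquisition unit 410 is configured to generate a sequence number value according to the target IP and the target port number.
The first data acquisition unit 410 is specifically configured such that the sequence number value satisfies SEQ value = target IP + target port, where the SEQ (Sequence Number) value denotes the sequence number value.
The message generation unit 420 is configured to generate a TCP message based on the sequence number value.
The message sending unit 430 is configured to send the TCP message to the target port corresponding to the target port number.
The message acquisition unit 440 is configured to obtain the response message returned by the target server corresponding to the target port in reply to the TCP message.
The second data acquisition unit 450 is configured to obtain the return IP address and return port number carried in the response message.
The second data acquisition unit 450 is specifically configured to: obtain the acknowledgement value corresponding to the acknowledgement character carried in the response message; and perform a reverse operation on the acknowledgement value to obtain the return IP address and return port number corresponding to the acknowledgement value.
The data processing unit 460 is configured to determine whether the target IP corresponding to the sequence number value matches the return IP address and whether the target port number corresponding to the sequence number value matches the return port number.
The execution unit 470 is configured to obtain, if so, the response data carried in the response message.
The identification unit 480 is configured to identify the service type corresponding to the response data.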
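FIG. 8 is a schematic diagram of the functional modules of the device for rapid Internet asset feature detection based on the whole network environment provided by the fourth embodiment of the present invention. The rapid Internet asset feature detection device 500 includes: a first data acquisition unit 510, a message generation unit 520, a message sending unit 530, a message acquisition unit 540, a second data acquisition unit 550, a data processing unit 560, an execution unit 570, an identification unit 580 and a storage unit 590.
The first data acquisition unit 510 is configured to generate a sequence number value according to the target IP and the target port number.
The first data acquisition unit 510 is specifically configured such that the sequence number value satisfies SEQ value = target IP + target port, where the SEQ (Sequence Number) value denotes the sequence number value.
The message generation unit 520 is configured to generate a TCP message based on the sequence number value.
The message sending unit 530 is configured to send the TCP message to the target port corresponding to the target port number.
The message acquisition unit 540 is configured to obtain the response message returned by the target server corresponding to the target port in reply to the TCP message.
The second data acquisition unit 550 is configured to obtain the return IP address and return port number carried in the response message.
The second data acquisition unit 550 is specifically configured to: obtain the acknowledgement value corresponding to the acknowledgement character carried in the response message; and perform a reverse operation on the acknowledgement value to obtain the return IP address and return port number corresponding to the acknowledgement value.
The data processing unit 560 is configured to determine whether the target IP corresponding to the sequence number value matches the return IP address and whether the target port number corresponding to the sequence number value matches the return port number.
The execution unit 570 is configured to obtain, if so, the response data carried in the response message.
The identification unit 580 is configured to identify the service type corresponding to the response data.
The storage unit 590 is configured to store the response data locally.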
In summary, the rapid Internet asset feature detection method and device based on a whole network environment provided by the present invention generate a sequence number value according to the target IP and the target port number, generate a TCP message based on that sequence number value, and then send the messages concurrently to the target ports for scanning and detection, which effectively improves sending efficiency. The response message returned, based on the TCP message, by the target server corresponding to the target port is acquired and parsed to determine whether the target IP corresponding to the sequence number value matches the return IP address and whether the target port number corresponding to the sequence number value matches the return port number. When they match, the service type corresponding to the response data is identified, so that users can quickly identify Internet assets and are effectively helped to carry out security risk assessment in a whole network environment.
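The SEQ encoding and the reply check summarized above, as an added Python example that is not part of the patent text. The function names are hypothetical; the example assumes the sum wraps to the 32-bit TCP sequence space, that a SYN-ACK acknowledges SEQ + 1, and it uses constructed replies in place of captured packets.

```python
import ipaddress

MOD = 2 ** 32  # TCP sequence and acknowledgement numbers are 32-bit


def make_seq(target_ip: str, target_port: int) -> int:
    """SEQ value = target IP + target port (32-bit wrap is an assumption)."""
    return (int(ipaddress.IPv4Address(target_ip)) + target_port) % MOD


def recover_ip(ack: int, return_port: int) -> str:
    """Reverse operation: undo the +1 of the SYN-ACK, then subtract the port."""
    return str(ipaddress.IPv4Address((ack - 1 - return_port) % MOD))


def reply_matches(return_ip: str, return_port: int, ack: int) -> bool:
    """True when the reply's own source IP/port agree with what its ACK encodes."""
    if not 0 < return_port < 65536:
        return False
    return recover_ip(ack, return_port) == return_ip


def classify(replies):
    """Split replies into those kept for service identification and those dropped."""
    accepted, discarded = [], []
    for reply in replies:
        (accepted if reply_matches(*reply) else discarded).append(reply)
    return accepted, discarded


# Constructed replies: (source IP, source port, ACK value)
SAMPLE_REPLIES = [
    ("192.0.2.10", 443, (make_seq("192.0.2.10", 443) + 1) % MOD),  # valid answer
    ("198.51.100.7", 22, 12345),                # unrelated traffic, ACK does not fit
    ("255.255.255.200", 8080, 8025),            # valid answer whose sum wrapped
]

if __name__ == "__main__":
    kept, dropped = classify(SAMPLE_REPLIES)
    print("accepted:", kept)
    print("discarded:", dropped)
```

Because the encoding is a plain sum, distinct pairs such as 192.0.2.10:443 and 192.0.2.11:442 share one SEQ value, so the ACK value validates a reply only in combination with the reply's own source address and port.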
In the several embodiments provided in this application, it should be understood that the disclosed device and method may also be implemented in other ways. The device embodiments described above are merely illustrative. For example, the flowcharts and block diagrams in the accompanying drawings show the possible architecture, functions and operation of devices, methods and computer program products according to multiple embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a portion of code that contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the drawings. For example, two consecutive blocks may in fact be executed substantially in parallel, or they may sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated together to form one independent part, each module may exist separately, or two or more modules may be integrated to form one independent part.
If the functions are implemented in the form of software functional modules and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc. It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprising", "including" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element qualified by the phrase "comprising a..." does not preclude the presence of additional identical elements in the process, method, article or device that includes the element.
The above descriptions are only preferred embodiments of the present invention and are not intended to limit the present invention. For those skilled in the art, the present invention may have various modifications and changes. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall be included within the protection scope of the present invention. It should be noted that similar reference numerals and letters denote similar items in the following drawings, so once an item is defined in one drawing, it does not need to be further defined or explained in subsequent drawings.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710944839.4A CN107733581B (en) | 2017-10-11 | 2017-10-11 | Rapid internet asset feature detection method and device based on whole network environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107733581A (en) | 2018-02-23 |
CN107733581B (en) | 2020-12-25 |
Family
ID=61210319
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710944839.4A Active CN107733581B (en) | 2017-10-11 | 2017-10-11 | Rapid internet asset feature detection method and device based on whole network environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107733581B (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109118118A (en) * | 2018-09-06 | 2019-01-01 | 平安科技(深圳)有限公司 | Methods of risk assessment, storage medium and the server of business event |
CN111385260B (en) * | 2018-12-28 | 2022-01-25 | 广州市百果园信息技术有限公司 | Port detection method, system, server and storage medium |
CN110677414A (en) * | 2019-09-27 | 2020-01-10 | 北京知道创宇信息技术股份有限公司 | Network detection method and device, electronic equipment and computer readable storage medium |
CN111726337A (en) * | 2020-05-14 | 2020-09-29 | 北京邮电大学 | A kind of equipment asset detection method and device |
CN115914046B (en) * | 2021-08-10 | 2024-12-13 | 国家计算机网络与信息安全管理中心 | VoIP gateway identification method, device, equipment and storage medium |
CN115914056B (en) * | 2021-08-10 | 2024-12-17 | 国家计算机网络与信息安全管理中心 | Network telephone service end identification method, device and system and electronic equipment |
CN113872953B (en) * | 2021-09-18 | 2024-03-26 | 杭州迪普信息技术有限公司 | Access message processing method and device |
CN114513329A (en) * | 2021-12-31 | 2022-05-17 | 徐工汉云技术股份有限公司 | Industrial Internet information security assessment method and device |
CN114584477B (en) * | 2022-02-10 | 2023-06-27 | 烽台科技(北京)有限公司 | Industrial control asset detection method, device, terminal and storage medium |
CN117499267B (en) * | 2023-12-29 | 2024-03-26 | 深圳万物安全科技有限公司 | Asset mapping method and device for network equipment and storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100934138B1 (en) * | 2002-05-06 | 2009-12-29 | 퀄컴 인코포레이티드 | System and method for registering IP address of wireless communication device |
CN203492034U (en) * | 2013-05-13 | 2014-03-19 | 北京百度网讯科技有限公司 | Data center server and asset management system, and server management device |
CN105373899A (en) * | 2015-12-03 | 2016-03-02 | 广州云新信息技术有限公司 | Server asset management method and apparatus |
CN106230800A (en) * | 2016-07-25 | 2016-12-14 | 恒安嘉新(北京)科技有限公司 | A kind of to assets active probe with the method for leak early warning |
CN106888106A (en) * | 2015-12-16 | 2017-06-23 | 国家电网公司 | The extensive detecting system of IT assets in intelligent grid |
CN106888194A (en) * | 2015-12-16 | 2017-06-23 | 国家电网公司 | Intelligent grid IT assets security monitoring systems based on distributed scheduling |
Non-Patent Citations (1)
Title |
---|
Intelligent inventory improves asset management efficiency (智能盘点提高资产管理效率); 屠萍, 祝海云; 《通信企业管理》; 20160810; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN107733581A (en) | 2018-02-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 310000 No. 188 Lianhui Street, Xixing Street, Binjiang District, Hangzhou City, Zhejiang Province; Applicant after: Dbappsecurity Co.,Ltd.; Address before: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310051 and 15 layer; Applicant before: DBAPPSECURITY Co.,Ltd. |
| GR01 | Patent grant | |
| EE01 | Entry into force of recordation of patent licensing contract | Application publication date: 20180223; Assignee: Hangzhou Anheng Information Security Technology Co.,Ltd.; Assignor: Dbappsecurity Co.,Ltd.; Contract record no.: X2024980043369; Denomination of invention: Fast Internet asset feature detection method and device based on the whole network environment; Granted publication date: 20201225; License type: Common License; Record date: 20241231 |