CN108418727B - Method and system for detecting network equipment - Google Patents


Info

Publication number
CN108418727B
Authority
CN
China
Prior art keywords
port
network
ports
identification
decision tree
Prior art date
Legal status
Active
Application number
CN201810077929.2A
Other languages
Chinese (zh)
Other versions
CN108418727A (en)
Inventor
朱红松
刘松
李志�
于楠
孙利民
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/50 Testing arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention provides a method and a system for detecting network devices. The method comprises the following steps: obtaining the probing order of the ports used when detecting a network device from the node order of a decision tree of the network ports; and probing the network device port by port in that order until the device is detected and identified. From the root node down to each child node, the nodes of the decision tree correspond to the ports ranked from highest to lowest usage rate when probing network devices. The method ranks the given network ports by priority, so that each time device information is updated it is not necessary to probe every port of an Internet device; only the ports given by the decision tree need to be probed, in the order the tree gives, so that device information can be updated faster and with fewer resources.

Description

Method and system for detecting network equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and a system for detecting a network device.
Background
With the spread of network devices, more and more terminal devices are connected to the network to provide services. In the Internet of Things, for example, smart phones, computers and various IoT devices all access cyberspace. While these devices bring convenience, they also bring corresponding security risks. To better understand the distribution of cyberspace assets and the threat and risk situation, rapidly detecting and identifying cyberspace devices is a necessary means.
Because network addresses are dynamic, the information about each network device needs to be updated periodically. The currently common update method is to re-probe every port in a given port set of the device.
In the prior art, every port has to be probed each time device information is updated, and most network terminal devices can simultaneously support connections and transmission over several ports of different types.
Disclosure of Invention
To solve the problem in the prior art that updating network devices requires probing all ports of every device, which consumes a great deal of resources and bandwidth, a method and a system for detecting network devices are provided.
According to an aspect of the present invention, there is provided a method of probing a network device, comprising:
S1, obtaining the probing order of the ports used when detecting a network device from the node order of a decision tree of the network ports;
S2, probing the network device port by port in that order until the network device is detected and identified;
wherein, from the root node to each child node, the nodes of the decision tree of the network ports correspond to the ports ranked from highest to lowest usage rate when probing network devices.
Before step S1, the method further includes:
constructing the decision tree of the network ports from historical data on how a plurality of network devices were identified at each port in the given port set.
Constructing the decision tree of the network ports specifically includes:
receiving the port banner of the network device at each port and identifying each banner to obtain an identification result for each port; constructing a port identification state vector of the network device from the identification results of the ports; and constructing a decision tree selection model of the network ports from the port identification state vectors obtained by port identification of a plurality of different network devices. The identification result is one of identifiable, unidentifiable and unknown, where identifiable means that one or more of the device type, device brand, device model, device firmware version and version of the service open on the port have been identified.
Identifying the port banner of each port to obtain the identification result of each port specifically includes:
probing a plurality of given ports of the network device to obtain the port banner of each port; and identifying and classifying the port banners to obtain the identification result of the port probing of the network device.
Constructing the port identification state vector of the network device specifically includes:
judging the identification result of the device from the identification results of the ports; and forming the port identification state vector from the identification results of the ports and the identification result of the device, where each column of the port identification state vector represents the identification result of one port.
Specifically, the device identification state is determined to be identifiable when the port banner obtained from any one port of the network device is identifiable; it is determined to be unidentifiable when no identifiable port banner can be obtained from the network device at any port; and it is determined to be unknown when the network device has none of the ports in the port set open.
Constructing the decision tree classification model of the network ports from the port identification state vectors of a plurality of different network devices specifically includes:
performing port identification on a plurality of different network devices to obtain their port identification state vectors and building an identification state matrix; calculating the information gain of each port from the port identification state vectors and selecting the port with the largest information gain as the root node of the decision tree; and, for the ports other than the root node, recalculating the information gain of each remaining port and selecting the port with the largest information gain as a child node, until the end condition for decision tree generation is met, giving the final port-selection decision tree.
The end condition for decision tree generation is specifically: construction of the decision tree stops when the nodes of the constructed decision tree can identify all network devices, or when the information gain is smaller than a preset threshold.
Identifying and classifying the port banners specifically includes: classifying the port banners using device fingerprints; or classifying the port banners using a classifier trained by machine learning.
According to another aspect of the present invention, there is provided a system for probing a network device, comprising:
a port order selection module, for obtaining the probing order of the ports used when detecting a network device from the node order of a decision tree of the network ports; and
a device identification module, for probing the network device port by port in that order until the network device is detected and identified;
wherein, from the root node to each child node, the nodes of the decision tree of the network ports correspond to the ports ranked from highest to lowest usage rate when probing network devices.
The method provided by the invention ranks the given network ports by priority when detecting network devices, so that each time devices are updated it is not necessary to probe every port of an Internet device; only the ports given by the decision tree need to be probed, in the order the tree gives, so that device information can be updated faster and with fewer resources.
Drawings
Fig. 1 is a flowchart of a method for detecting a network device according to an embodiment of the present invention;
Fig. 2 is a flowchart of a decision tree construction method in a method for detecting a network device according to another embodiment of the present invention;
Fig. 3 is a flowchart illustrating decision tree construction in a method for detecting a network device according to another embodiment of the present invention;
Fig. 4 is a block diagram of a system for detecting a network device according to another embodiment of the present invention.
Detailed Description
The following detailed description of embodiments of the present invention is provided in connection with the accompanying drawings and examples. The examples are intended to illustrate the invention, not to limit its scope.
Referring to Fig. 1, Fig. 1 is a flowchart of a method for detecting a network device according to an embodiment of the present invention, where the method includes:
S1, obtaining the probing order of the ports used when detecting a network device from the node order of the decision tree of the network ports, where from the root node to each child node the nodes of the decision tree correspond to the ports ranked from highest to lowest usage rate when probing network devices.
Specifically, using a pre-constructed decision tree of the network ports, when a network device needs to be probed the probing order of the ports is obtained from the node order of the decision tree, whose nodes from the root to each child correspond to the network ports ranked by usage rate from high to low. That is, the root node of the decision tree corresponds to the port with the highest usage rate in the whole port set, and the order of the child nodes ranks the remaining ports by usage rate from high to low. For example, in a decision tree whose root node corresponds to port 80, commonly opened for the HTTP protocol, and whose child nodes correspond to port 21, commonly opened for FTP, and port 23, commonly opened for Telnet, the ports are used in the order 80, 21, 23 when probing a network device.
The usage rate of a port specifically means that, in a given network environment, the port with the highest usage rate is the one through which the most network devices can be probed and identified; equivalently, it is the port attribute with the best ability to classify the final identification state of the network devices, and the port whose information gain is largest is the port with the highest usage rate.
S2, probing the network device port by port in the probing order of the ports until the network device is detected and identified.
Specifically, during network probing, the network device is probed through the ports in the order determined in S1 until it is detected and identified. For example, when a certain network device is probed, it is first probed through port 80; if the device information is obtained successfully, probing of that device can stop. If probing did not identify the device information, the device is next probed through port 21; if that succeeds, probing stops, and if it fails, probing continues through the next port in the order, until the probing host has successfully obtained the information of the network device.
In this way, the given network ports are ranked by priority when network devices are detected, so that each time devices are updated it is not necessary to probe every port of an Internet device; only the ports given by the decision tree need to be probed, in the order the tree gives, and device information can be updated faster and with fewer resources.
On the basis of the above embodiment, step S1 is preceded by:
constructing the decision tree of the network ports from historical data on how a plurality of network devices were identified at each port in the given port set.
Constructing the decision tree of the network ports specifically includes:
receiving the port banner of the network device at each port and identifying each banner to obtain an identification result for each port; constructing a port identification state vector of the network device from the identification results of the ports; and constructing a decision tree selection model of the network ports from the port identification state vectors obtained by port identification of a plurality of different network devices;
where the identification result is one of identifiable, unidentifiable and unknown, and identifiable means that one or more of the device type, device brand, device model, device firmware version and version of the service open on the port have been identified.
The device identification state is determined to be identifiable when the port banner obtained from any one port of the network device is identifiable;
it is determined to be unidentifiable when no identifiable port banner can be obtained from the network device at any port;
and it is determined to be unknown when the network device has none of the ports in the port set open.
Specifically, a plurality of ports of a device in cyberspace are scanned to obtain the banner information of each port. The ports form at least a port set built from several ports, for example port 80, commonly opened for HTTP; port 21, commonly opened for FTP; port 23, commonly opened for Telnet; port 22, commonly opened for SSH; port 554, commonly opened for RTSP; port 3702, commonly opened for ONVIF; and port 8080, commonly used for proxy services.
Methods of collecting banners from network devices include, but are not limited to, the scanning and probing tools Masscan, Zmap, Nmap and Zgram. Once a device has been port-scanned, its port banner at each port is available. For example, if the first device is scanned on the given ports 80, 21, 22, 23 and 554, the port banner of the first device at each of these ports is obtained; since the port set contains 5 ports, 5 port banners are obtained in total.
After the identification result of the network device at each port has been obtained, the identification state of the device in cyberspace can be determined from these results, and a port identification state vector can then be constructed.
For example, for a first device, the port banner at port 80 yields information about the device, the banners at ports 21, 22 and 23 are unidentifiable, and port 554 is not open. From these port identification result states a 1 × 6 vector such as [T, F, F, T, N, T] is obtained, in which the first 5 columns each represent the identification state of one port and the last column represents the identification state of the first device in cyberspace.
The identification result of the probing tool includes, but is not limited to, the following device attributes: device type, device brand, device manufacturer, device model, device firmware version, and version of the service open on the port. The port identification state is marked identifiable if any one of the type, brand, model or firmware version attributes can be identified; if the identification result contains none of these attributes, the port identification state is marked unidentifiable; and if no port banner was obtained from the device, the port identification state is marked unknown.
From the identification result of the device at each port: if the identification state of the device at any port in the port set is identifiable, the identification state of the device is identifiable; if the device has no port in the identifiable state and at least one port in the unidentifiable state, the identification state of the device is unidentifiable; and if the states of all ports of the device are unknown, the device is unknown.
After port identification has been performed on a plurality of different devices, the port identification vectors and device identification vectors of the devices in cyberspace are available. The port with the greatest device-identification effect is selected as the root node of the decision tree and split on; the child nodes are then built iteratively by selecting from the ports of the port set other than the root node's port, and this process is repeated until a complete decision tree classification model is formed. The node order of the decision tree is the optimized probing order of the network device ports.
In this way, the port-selection decision tree is constructed by decision optimization; when device information in the network is updated, there is no need to probe every port of the given port set, only the ports in the decision tree's order, and device information can be updated faster and with fewer resources.
On the basis of the foregoing embodiment, identifying the port banner of each port to obtain the identification result of each port specifically includes:
probing a plurality of given ports of the network device to obtain the port banner of each port; and identifying and classifying the port banners to obtain the identification result of the port probing of the network device.
Specifically, the banner of each port is identified with a device identification tool to obtain the identification result of the device at each port, and each port's result is classified into one of three identification states: identifiable, unidentifiable and unknown. From the identification states of the ports, the identification state of the device in cyberspace can then be determined, and it is likewise one of identifiable, unidentifiable and unknown.
For example, when identifying the ports of a first device, if the banner information of port 80 contains the firmware version of the first device and the banner information of the other ports is all unidentifiable, the identification result of the first device is judged identifiable. If the banner information obtained from a second device at ports 80 and 21 cannot be identified, and no banner information is collected at ports 22, 23 and 554, the identification state of the second device is unidentifiable. If a third device yields no port banner information at any port, its identification state is unknown.
In this way, the identification information of each device in cyberspace at each port is classified, and the port-open information and port identification result information of the devices in cyberspace are obtained.
On the basis of the foregoing embodiment, constructing the port identification state vector of the network device specifically includes:
judging the identification result of the device from the identification results of the ports;
and forming the port identification state vector from the identification results of the ports and the identification result of the device, where each column of the port identification state vector represents the identification result of one port.
Specifically, from the identification result of the device at each port: if the identification state of the device at any port in the port set is identifiable, the identification state of the device is identifiable; if the device has no port in the identifiable state and at least one port in the unidentifiable state, the identification state of the device is unidentifiable; and if the states of all ports of the device are unknown, the device is unknown.
For example, when identifying the ports of a first device, if the banner information of port 80 contains the firmware version of the first device and the banner information of the other ports is all unidentifiable, the identification result of the first device is judged identifiable. If the banner information obtained from a second device at ports 80 and 21 cannot be identified, and no banner information is collected at ports 22, 23 and 554, the identification state of the second device is unidentifiable. If a third device yields no port banner information at any port, its identification state is unknown.
After the port identification information of the device has been obtained, a device identification state vector is constructed from the identification result of the device at each port and the identification result of the device in cyberspace. For example, in a cyberspace where the device port set is 80, 21, 22, 23, 554, the identification result of the first device can produce a 1 × 6 vector [T, F, T, N, T], where the first five columns represent the identification state for each port in the device port set and the last column represents the identification state of the device. In the vector, T is the identifiable state, F the unidentifiable state and N the unknown state.
In this way, the identification state of the device in cyberspace is expressed as a vector, providing the basis for constructing the decision tree.
On the basis of the above embodiment, constructing the decision tree classification model of the network ports from the port identification state vectors of a plurality of different network devices specifically includes:
performing port identification on a plurality of different network devices to obtain their port identification state vectors and building an identification state matrix; calculating the information gain of each port from the port identification state vectors and selecting the port with the largest information gain as the root node of the decision tree; and, for the ports other than the root node, recalculating the information gain of each remaining port and selecting the port with the largest information gain as a child node, until the end condition for decision tree generation is met, giving the final port-selection decision tree.
The end condition for decision tree generation is specifically: construction of the decision tree stops when the nodes of the constructed decision tree can identify all network devices, or when the information gain is smaller than a preset threshold.
Specifically, after a plurality of devices have been identified, the port identification state vector of each device is available and an identification state matrix can be constructed; when the device port set is 80, 21, 22, 23, 554, identifying M devices gives an M × 6 identification state matrix.
For feature selection, if a port attribute has better ability to classify the final identification state of the network device, that feature is selected for classification first; in this embodiment the feature with the largest information gain is used for classification. The information gain formula is g(D, A) = H(D) - H(D | A), where A is the port state attribute, D is the final state attribute of the device, H(D) is the information entropy of the final identification state of the device, and H(D | A) is the empirical conditional entropy of the final identification state given port A.
Starting from the root node, calculate the information gain of every port that can still be chosen at the current node, select the port with the largest information gain as the feature of that node, and create child nodes for the different values of that feature; then call the above procedure recursively on the child nodes to construct the decision tree. Decision tree generation ends when no port feature remains to be selected.
In this way, network devices are scanned and probed after decision optimization, so that the number of port probes is reduced and fewer device ports are probed, and device information can be updated with fewer resources and at a faster rate.
Specifically, when no port feature can be selected, the nodes of the constructed decision tree can identify all devices, so construction of the decision tree can stop: the ports provided by the existing decision tree are sufficient to update the information of all devices. Alternatively, when most devices can be identified by the port sequence provided by the decision tree and the remaining few devices require a special port, the information gain of that port is small; therefore, when the calculated information gain of the remaining ports is smaller than the preset threshold, construction of the decision tree can also stop.
On the basis of the foregoing embodiments, identifying and classifying the port banners specifically includes: classifying the port banners using device fingerprints; or classifying the port banners using a classifier trained by machine learning.
Specifically, the methods usable for classifying port banners include, but are not limited to, device fingerprint identification and machine learning identification: the port banners are classified against device fingerprints to obtain the identification state of each port, or the received banner information is classified by a trained classifier.
In another embodiment of the present invention, the identification result states obtained for the device port set {80, 21, 22, 23, 554} are used as an example to describe the decision tree generation process in detail. The specific implementation process is shown in Fig. 2 and Fig. 3.
Each device yields a 1 × 6 vector, such as [T, F, T, N, T], from the identification result states of its ports; the first 5 columns represent the identification state of each port in the set {80, 21, 22, 23, 554}, and the last column represents the identification state of the device, where T is the identifiable state, F the unidentifiable state and N the unknown state. In this embodiment there are 8 devices, forming an 8 × 6 identification state matrix.
For feature selection, if a port attribute has better ability to classify the final identification state of the device, that feature is selected for classification first; the feature with the largest information gain is used for classification. The information gain formula is g(D, A) = H(D) - H(D | A), where A is the port state attribute, D is the final state attribute of the device, H(D) is the information entropy of the final identification state of the device, and H(D | A) is the empirical conditional entropy of the final identification state given port A.
Starting from the root node, calculate the information gain of every port that can still be chosen at the current node, select the port with the largest information gain as the feature of that node, and create child nodes for the different values of that feature; then call the above procedure recursively on the child nodes to construct the decision tree. Decision tree generation ends when no port feature remains to be selected. Sorting the ports of the generated decision tree gives the device port probing order; in this example the port probing order is 80, 21.
In this way, a decision tree for device port probing is constructed, and when devices are updated the decision tree reduces the number of port probes and the number of device ports probed, so that device information can be updated with fewer resources and at a faster rate.
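The following is an added worked example, not code from the patent, implementing the decision tree construction just described (information gain g(D, A) = H(D) - H(D | A) over the T/F/N identification state matrix, both stopping conditions) together with the step S2 probing loop. The port set {80, 21, 22, 23, 554} and the state rules follow the text; the 8-device identification state matrix is constructed for illustration and chosen so that, as in the text's example, the resulting probing order is 80, 21.

```python
"""Port-order decision tree for device probing (added example, not the patent's code)."""
from collections import Counter
from math import log2

PORTS = [80, 21, 22, 23, 554]  # the port set used in the patent's worked example

# Constructed sample: one string per device, one character per port in PORTS
# order. T = identifiable banner, F = unidentifiable banner, N = no banner
# (port not open). The sixth column, the device state, is derived below.
SAMPLE_ROWS = ["TFFTN", "FFNNN", "NNNNN", "TTNNN", "TFFNN", "NFNNN", "TNNNF", "FTNNN"]


def device_state(port_states):
    """Device is T if any port is T; F if no T but some F; otherwise N."""
    if "T" in port_states:
        return "T"
    return "F" if "F" in port_states else "N"


def state_vector(port_states):
    """1 x 6 port identification state vector: 5 port columns + device column."""
    return list(port_states) + [device_state(port_states)]


def entropy(labels):
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())


def information_gain(matrix, port):
    """g(D, A) = H(D) - H(D|A): A is the port's state column, D the device column."""
    col = PORTS.index(port)
    cond = 0.0
    for value in "TFN":
        subset = [row[-1] for row in matrix if row[col] == value]
        if subset:
            cond += len(subset) / len(matrix) * entropy(subset)
    return entropy([row[-1] for row in matrix]) - cond


def build_tree(matrix, ports, threshold=0.0):
    """Return (port, {state: subtree}) or None for a leaf.

    Stops when all rows at a node share one device state (the ports chosen
    so far already identify every device here), when no port is left, or
    when the best remaining gain does not exceed the preset threshold.
    """
    if not ports or len({row[-1] for row in matrix}) <= 1:
        return None
    gains = {p: information_gain(matrix, p) for p in ports}
    best = max(ports, key=gains.get)  # ties resolved in PORTS order
    if gains[best] <= threshold:
        return None
    rest = [p for p in ports if p != best]
    children = {}
    for value in "TFN":
        sub = [row for row in matrix if row[PORTS.index(best)] == value]
        if sub:
            children[value] = build_tree(sub, rest, threshold)
    return (best, children)


def probe_order(tree):
    """Node order of the tree (breadth-first, each port once) = probing order."""
    order, queue = [], [tree]
    while queue:
        node = queue.pop(0)
        if node is None:
            continue
        port, children = node
        if port not in order:
            order.append(port)
        queue.extend(children.values())
    return order


def probe_device(port_states, order):
    """Step S2: probe ports in tree order and stop at the first identifiable
    banner. Returns (device state, list of ports actually probed)."""
    probed, seen = [], []
    for port in order:
        probed.append(port)
        seen.append(port_states[PORTS.index(port)])
        if seen[-1] == "T":
            return "T", probed
    return device_state(seen), probed


def build_sample_tree():
    return build_tree([state_vector(r) for r in SAMPLE_ROWS], PORTS)


if __name__ == "__main__":
    order = probe_order(build_sample_tree())
    print("probing order:", order)  # [80, 21] for the constructed sample
    for row in SAMPLE_ROWS:
        print(row, "->", probe_device(row, order))
```

With the sample matrix the device identified only at port 21 costs two probes instead of five, and the unknown device is settled after the two tree ports because the tree stopped precisely when those ports determined every device's state.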
Referring to Fig. 4, which is a block diagram of a system for probing a network device according to another embodiment of the present invention, the system includes a port order selection module 41 and a device identification module 42.
The port order selection module 41 is configured to obtain, from the order of the nodes of the decision tree of the network ports, the order in which ports are probed when a network device is probed.
In that decision tree, the nodes from the root down to each child node correspond to the ports whose utilization rate, when probing network devices, runs from high to low.
Specifically, with a decision tree of the network ports built in advance, when a network device needs to be probed the port probing order is read off the sequence of the tree's nodes. From the root node to each child node the tree corresponds to network ports in descending order of utilization rate: the root node is the port with the highest utilization rate in the whole port set, and the order of the child nodes ranks the remaining ports from high to low. For example, if the root node of the tree is port 80 (commonly opened by HTTP) and the child nodes are port 21 (commonly opened by FTP) and port 23 (commonly opened by Telnet), the ports are used in the order 80, 21, 23 when probing network devices.
The device identification module 42 is configured to probe the network device port by port in the port probing order until the device has been probed and identified.
Specifically, during network probing the network device is probed port by port in the probing order determined in S1 until the device has been probed and identified. For example, when a given network device is probed, port 80 is tried first; if device information is obtained, probing of that device stops. Otherwise port 21 is tried; if that succeeds probing stops, and if it fails the next port in the order is tried, until the probing host has obtained the information of the network device.
With this system, the given network ports are prioritised for network probing, so that on each device update not every port of an Internet device must be probed; probing follows only the port order given by the decision tree, and device information is updated faster and with fewer resources.
On the basis of the above embodiment, the system further includes a decision tree construction module configured to construct the decision tree of the network ports from historical data of the identification of a plurality of network devices on each port of all the given ports.
Specifically, a plurality of ports of the devices in cyberspace are scanned to obtain the banner returned on each port. The ports are at least a port set built from several ports, such as port 80 (commonly opened by HTTP), port 21 (FTP), port 23 (Telnet), port 22 (SSH), port 554 (RTSP), port 3702 (commonly opened by ONVIF) and port 8080 (commonly used for proxy services).
The banners of network devices may be collected with, among other tools, Masscan, ZMap, Nmap and ZGrab. After a device has been port scanned, its banner on each port is available; for example, scanning the first device on the given ports 80, 21, 22, 23 and 554 yields its banner on each of them, five banners in all since the port set contains five ports.
Once the identification result of the device on each port is available, the identification state of the device in cyberspace can be judged from it, and a port identification state vector can be built.
The identification result of the probing tool includes, but is not limited to, the following device attributes: device type, brand, manufacturer, model, firmware version and the version of the service open on the port. A port's identification state is marked identifiable if the result contains any attribute that identifies the type, brand, model or firmware version; if the result contains none of these attributes (for example, only a service version string), the port is marked unidentifiable; and if no banner was obtained from the port, it is marked unknown.
From the identification result of the device on each port: if the device is identifiable on any port of the port set, the identification state of the device is identifiable; if no port is identifiable and at least one port is unidentifiable, the device is unidentifiable; and if all of its ports are unknown, the device is unknown.
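The following Python, added here as an example and not part of the patent, shows the two steps just described: mapping a grabbed banner to the T/F/N port state by the rule above (a port counts as identifiable only when the result contains a type, brand, model or firmware attribute, so a bare service version string is unidentifiable), assembling the 1 × 6 state vector, and probing a device port by port in the decision-tree order with an early stop on the first identifiable port, as in the module 42 description. The fingerprint rules, the banners of the four sample devices and the probing order (the page's 80, 21, 23 followed by the remaining ports of the set) are all constructed assumptions; live banners from Masscan, ZMap, Nmap or ZGrab would feed the same functions.

```python
"""Banner-to-state classification and sequential probing (added example; not the
patent's code). FINGERPRINTS, DEVICES and PROBE_ORDER are constructed assumptions."""
import re

PORTS = [80, 21, 22, 23, 554]          # the page's port set (column order of the state vector)
PROBE_ORDER = [80, 21, 23, 22, 554]    # assumed: the page's 80, 21, 23, then the remaining ports

# Attributes that make a port "identifiable" per the page: type, brand, model, firmware.
IDENTIFYING = {"type", "brand", "model", "firmware"}

# Constructed fingerprint rules for a fictional vendor. Named groups become attributes;
# the last two rules recover only a service version, which is not identifying.
FINGERPRINTS = [
    (re.compile(r"Server:\s*ExampleCam/(?P<model>\S+) fw (?P<firmware>\S+)"),
     {"type": "ip camera", "brand": "ExampleCo"}),
    (re.compile(r"^220 ExampleRouter (?P<model>\S+) FTP"),
     {"type": "router", "brand": "ExampleCo"}),
    (re.compile(r"Server:\s*(?P<service>[A-Za-z-]+/[\d.]+)"), {}),
    (re.compile(r"^SSH-2\.0-(?P<service>\S+)"), {}),
]


def identify_banner(banner):
    """Return (state, attributes): 'N' when no banner was grabbed, 'T' when the
    matched attributes include an identifying one, otherwise 'F'."""
    if banner is None:
        return "N", {}
    found = {}
    for pattern, attrs in FINGERPRINTS:
        match = pattern.search(banner)
        if match:
            found.update(attrs)
            found.update({k: v for k, v in match.groupdict().items() if v})
    return ("T" if IDENTIFYING & set(found) else "F"), found


def device_state(port_states):
    """Page rule: any T -> T; otherwise any F -> F; otherwise N."""
    if "T" in port_states:
        return "T"
    return "F" if "F" in port_states else "N"


def state_vector(banners, ports=PORTS):
    """1 x (len(ports)+1) vector: one state per port, then the device state."""
    states = [identify_banner(banners.get(port))[0] for port in ports]
    return states + [device_state(states)]


def probe_device(banners, order=PROBE_ORDER):
    """Sequential probing with early stop. Returns (port, attributes, ports_tried);
    port is None when the whole order is exhausted without an identifiable banner."""
    tried = []
    for port in order:
        tried.append(port)
        state, attrs = identify_banner(banners.get(port))
        if state == "T":
            return port, attrs, tried
    return None, {}, tried


# Constructed sample devices: port -> banner grabbed (an absent port means no banner).
DEVICES = {
    "cam-1": {80: "HTTP/1.1 200 OK\r\nServer: ExampleCam/NC-200 fw 2.1.3\r\n",
              554: "RTSP/1.0 200 OK\r\nServer: ExampleCam\r\n"},
    "router-1": {80: "HTTP/1.1 401 Unauthorized\r\nServer: lighttpd/1.4.35\r\n",
                 21: "220 ExampleRouter RX-10 FTP server ready\r\n"},
    "mystery": {22: "SSH-2.0-OpenSSH_7.4\r\n"},
    "silent": {},
}


def probe_all(devices=DEVICES, order=PROBE_ORDER):
    """Map device name -> (port that identified it or None, number of ports probed)."""
    result = {}
    for name, banners in devices.items():
        port, _, tried = probe_device(banners, order)
        result[name] = (port, len(tried))
    return result


if __name__ == "__main__":
    for name, banners in DEVICES.items():
        print(name, state_vector(banners), probe_device(banners))
```

Note that "router-1" answers on port 80 with a web server version only, which the rule above classes as unidentifiable, so probing continues to port 21 where the FTP banner names the model; the unidentifiable and unknown states both keep the loop going, and only an identifiable port stops it.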
After port identification has been performed on a number of different devices, the port identification vectors and device identification vectors of the devices in cyberspace are available. The port with the greatest effect on device identification is chosen as the root node of the decision tree and split; child nodes are then built iteratively from the ports of the set other than the root's port, and the process repeats until a complete decision tree classification model is formed. The node sequence of that tree is the optimised port probing order for network devices.
With this system, the port selection decision tree is built by decision optimisation, so that when the device information in the network is updated not every port of the given port set needs to be probed; probing follows only the port order of the decision tree, and device information is updated faster and with fewer resources.
Finally, the above is only a preferred embodiment of the present application and is not intended to limit the scope of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its protection scope.
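As an added worked example (not the patent's own code), the following Python builds the port decision tree as the information-gain passage of the method and the decision tree construction module both describe: it derives each device's final state from its port states, computes g(D, A) = H(D) - H(D | A) for every candidate port, splits on the port with the largest gain, recurses on the remaining ports, and reads the probing order off the tree. The 8 × 5 identification state matrix is constructed for illustration and is not the data set of the embodiment; the function names and the min_gain threshold parameter (the claims' preset threshold) are this example's own.

```python
"""Decision-tree port ordering rebuilt from the patent's description (added example,
not the patent's code). PORT_STATES is a constructed matrix, not the embodiment's data."""
import math
from collections import Counter

PORTS = [80, 21, 22, 23, 554]   # the given port set, in the page's column order

# Constructed identification-state matrix: one row per device, one column per port in
# PORTS, each entry T (identifiable), F (unidentifiable) or N (unknown).
PORT_STATES = [
    ["T", "F", "T", "N", "T"],
    ["T", "N", "N", "N", "N"],
    ["F", "T", "N", "N", "N"],
    ["F", "F", "F", "N", "N"],
    ["N", "N", "N", "N", "N"],
    ["T", "T", "F", "F", "N"],
    ["F", "N", "N", "F", "N"],
    ["N", "T", "N", "N", "N"],
]


def device_state(port_states):
    """Final device state by the page's rule: any T -> T; else any F -> F; else N."""
    if "T" in port_states:
        return "T"
    return "F" if "F" in port_states else "N"


def entropy(labels):
    """H(D) in bits over a list of device states."""
    total = len(labels)
    return -sum(c / total * math.log2(c / total) for c in Counter(labels).values())


def information_gain(rows, port):
    """g(D, A) = H(D) - H(D|A): rows are (port_states, device_state) pairs, A = port."""
    col = PORTS.index(port)
    conditional = 0.0
    for value in ("T", "F", "N"):
        subset = [dev for ps, dev in rows if ps[col] == value]
        if subset:
            conditional += len(subset) / len(rows) * entropy(subset)
    return entropy([dev for _, dev in rows]) - conditional


def build_tree(rows, candidates, min_gain=0.0):
    """ID3-style recursion: pick the candidate port with the largest gain, split on its
    three states, recurse with the remaining ports. Stops when the devices at the node
    share one state, no ports are left, or the best gain does not exceed min_gain."""
    labels = [dev for _, dev in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not candidates:
        return {"leaf": majority}
    gains = {p: information_gain(rows, p) for p in candidates}
    best = max(candidates, key=gains.get)   # ties resolve to the earlier port in PORTS
    if gains[best] <= min_gain:
        return {"leaf": majority}
    col = PORTS.index(best)
    remaining = [p for p in candidates if p != best]
    children = {}
    for value in ("T", "F", "N"):
        subset = [(ps, dev) for ps, dev in rows if ps[col] == value]
        children[value] = build_tree(subset, remaining, min_gain) if subset else {"leaf": majority}
    return {"port": best, "children": children}


def probe_order(tree):
    """Ports in root-to-child (preorder) sequence, each listed once."""
    order = []

    def walk(node):
        if "port" in node:
            if node["port"] not in order:
                order.append(node["port"])
            for child in node["children"].values():
                walk(child)

    walk(tree)
    return order


def order_from_matrix(port_states=PORT_STATES, min_gain=0.0):
    """Full pipeline: state matrix -> device states -> decision tree -> probing order."""
    rows = [(ps, device_state(ps)) for ps in port_states]
    return probe_order(build_tree(rows, list(PORTS), min_gain))


if __name__ == "__main__":
    rows = [(ps, device_state(ps)) for ps in PORT_STATES]
    for port in PORTS:
        print(f"port {port:>3}: gain = {information_gain(rows, port):.3f}")
    print("probe order:", order_from_matrix())
```

On this matrix port 80 has the largest gain at the root (about 0.70 bits against about 0.45 for port 21), and port 21 then separates every remaining device under both the F and N branches, so the tree stops after two levels and the probing order is 80, 21, matching the example in the text; the other three ports of the set are never probed because they add no information once those two are known.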

Claims (10)

1. A method of probing a network device, comprising:
S1, obtaining the order in which ports are probed when probing the network device from the order of the nodes of a decision tree of the network ports;
S2, probing the network device port by port in the port probing order until the network device has been probed and identified;
wherein, from the root node to each child node, the decision tree of the network ports corresponds to the ports whose utilization rate when probing network devices runs from high to low;
in a network environment, the port with the highest utilization rate is the port on which the most network devices can be probed and identified; or alternatively,
the port whose attribute has the highest classification capability for the final identification state of the network device, that is, whose information gain is the largest, is the port with the highest utilization rate.
2. The method according to claim 1, wherein step S1 is preceded by:
constructing the decision tree of the network ports from historical data of the identification of a plurality of network devices on each port of all the given ports.
3. The method according to claim 2, wherein constructing the decision tree of the network ports specifically comprises:
receiving the port banner of the network device on each port, and identifying the banner of each port to obtain an identification result for each port;
constructing a port identification state vector of the network device from the identification result of each port;
constructing a decision tree selection model of the network ports from the port identification state vectors obtained by port identification of a plurality of different network devices;
wherein the identification state comprises identifiable, unidentifiable and unknown;
and wherein the identification result comprises one or more of an identified device type, device brand, device model, device firmware version and version of the service open on the device port.
4. The method according to claim 3, wherein identifying the banner of each port to obtain the identification result of each port specifically comprises:
probing a plurality of given ports of the network device to obtain the banner of each port;
and identifying and classifying the banners to obtain the identification result of the port probing of the network device.
5. The method according to claim 4, wherein constructing the port identification state vector of the network device specifically comprises:
judging the identification result of the device from the identification result of each port;
and forming the port identification state vector from the identification results of the ports and the identification result of the device, wherein each column of the port identification state vector represents the identification result of one port.
6. The method according to claim 3, wherein the identification state is identifiable specifically when the banner obtained by the network device on any one port is identifiable, in which case the device identification state is judged identifiable;
the identification state is unidentifiable specifically when the network device obtains no identifiable banner on any port, in which case the device identification state is judged unidentifiable;
and the identification state is unknown specifically when the network device is not open on any port of the port set, in which case the device identification state is judged unknown.
7. The method according to claim 3, wherein constructing the decision tree classification model of the network ports from the port identification state vectors obtained by port identification of a plurality of different network devices specifically comprises:
performing port identification on a plurality of different network devices to obtain their port identification state vectors and constructing an identification state matrix;
calculating the information gain of each port from the port identification state vectors and selecting the port with the largest information gain as the root node of the decision tree;
and recalculating the information gain of each remaining port other than the root node's port, selecting the port with the largest information gain as a child node, until the end condition of decision tree generation is met, to obtain the final decision tree for port selection.
8. The method according to claim 7, wherein the end condition of decision tree generation is specifically: stopping construction of the decision tree when the nodes of the constructed tree can identify all network devices, or when the information gain is smaller than a preset threshold.
9. The method according to claim 4, wherein identifying and classifying the banners specifically comprises: classifying the banners using device fingerprints; or classifying the banners using a classifier trained by machine learning.
10. A system for probing a network device, comprising:
a port order selection module for obtaining the order in which ports are probed when probing the network device from the order of the nodes of a decision tree of the network ports;
a device identification module for probing the network device port by port in the port probing order until the network device has been probed and identified;
wherein, from the root node to each child node, the decision tree of the network ports corresponds to the ports whose utilization rate when probing network devices runs from high to low;
in a network environment, the port with the highest utilization rate is the port on which the most network devices can be probed and identified; or alternatively,
the port whose attribute has the highest classification capability for the final identification state of the network device, that is, whose information gain is the largest, is the port with the highest utilization rate.
CN201810077929.2A 2018-01-26 2018-01-26 Method and system for detecting network equipment Active CN108418727B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810077929.2A CN108418727B (en) 2018-01-26 2018-01-26 Method and system for detecting network equipment

Publications (2)

Publication Number Publication Date
CN108418727A CN108418727A (en) 2018-08-17
CN108418727B true CN108418727B (en) 2020-04-24

Family

ID=63126246

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810077929.2A Active CN108418727B (en) 2018-01-26 2018-01-26 Method and system for detecting network equipment

Country Status (1)

Country Link
CN (1) CN108418727B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110380925B (en) * 2019-06-28 2021-02-02 中国科学院信息工程研究所 Port selection method and system in network equipment detection
CN112016635B (en) * 2020-10-16 2021-02-19 腾讯科技(深圳)有限公司 Device type identification method and device, computer device and storage medium
CN112769635B (en) * 2020-12-10 2022-04-15 青岛海洋科学与技术国家实验室发展中心 Service identification method and device for multi-granularity feature analysis
CN113037705B (en) * 2020-12-30 2022-07-15 智网安云(武汉)信息技术有限公司 Network terminal port scanning method and network terminal port scanning system
CN115442259A (en) * 2022-08-30 2022-12-06 奇安信网神信息技术(北京)股份有限公司 System identification method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8775584B2 (en) * 2003-04-29 2014-07-08 Microsoft Corporation Method and apparatus for discovering network devices
CN101714926B (en) * 2009-11-02 2013-01-30 福建星网锐捷网络有限公司 Method, device and system for managing network equipment
US10033583B2 (en) * 2014-04-22 2018-07-24 International Business Machines Corporation Accelerating device, connection and service discovery
CN106998299B (en) * 2016-01-22 2019-10-18 华为技术有限公司 The recognition methods of the network equipment, apparatus and system in data center network

Also Published As

Publication number Publication date
CN108418727A (en) 2018-08-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant