CN110311931A - Assets automatic discovering method and device - Google Patents


Info

Publication number
CN110311931A
CN110311931A
Authority
CN
China
Prior art keywords
assets
information
engine
discovery
port
Prior art date
Legal status
Pending
Application number
CN201910715038.XA
Other languages
Chinese (zh)
Inventor
薛磊
范渊
Current Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN201910715038.XA
Publication of CN110311931A
Legal status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
            • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1425 Traffic logging, e.g. anomaly detection
        • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
        • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
            • H04L63/0227 Filtering policies
                • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
        • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
            • H04L63/101 Access control lists [ACL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides an automatic asset discovery method and device in the technical field of information security. The method includes: configuring an asset discovery execution engine based on a preset engine configuration table, where the asset discovery execution engine includes one or more of a traffic probe engine, a port scan engine and a log mining engine; and using the configured asset discovery execution engine to discover asset information within a preset range. By combining traffic probing, port scanning and log mining, the invention discovers network assets automatically and thereby enables monitoring, making it convenient for users to manage and maintain the network assets within their own area of responsibility.

Description

Automatic asset discovery method and device
Technical field
The present invention relates to the technical field of information security, and in particular to an automatic asset discovery method and device.
Background art
With the implementation of documents such as the Cybersecurity Law, China is gradually strengthening its supervision of network assets, and every industry has begun to pay attention to network asset management. In current network asset management work, the real-time change of network assets and the change of their owning unit and responsible person mean that manual management of network assets lags behind reality; moreover, the typical asset management system relies on manual reporting, so real-time changes in asset status cannot be shown in time.
Summary of the invention
The purpose of the present invention is to provide an automatic asset discovery method and device that can discover network assets automatically and thereby enable monitoring, making it convenient for users to manage and maintain the network assets within their own area of responsibility.
The automatic asset discovery method provided by the invention includes: configuring an asset discovery execution engine based on a preset engine configuration table, the asset discovery execution engine including one or more of a traffic probe engine, a port scan engine and a log mining engine; and using the configured asset discovery execution engine to discover asset information within a preset range.
Further, configuring the asset discovery execution engine based on the preset engine configuration table includes: configuring first configuration information for the traffic probe engine based on the preset engine configuration table, the first configuration information including a public-service filter whitelist; or configuring second configuration information for the port scan engine based on the preset engine configuration table, the second configuration information including one or more of: the IPs, IP ranges and domain names of the ports to be scanned, the owning unit, and the responsible person; or configuring third configuration information for the log mining engine based on the preset engine configuration table, the third configuration information including a log aggregation address.
Further, the asset discovery execution engine includes a traffic probe engine and the asset information includes traffic information; using the configured asset discovery execution engine to discover asset information within the preset range includes: using the traffic probe engine to obtain the network traffic of a preset network interface and capture traffic packets from the network traffic; and analyzing the traffic packets to determine the traffic information.
Further, analyzing the traffic packets to determine the traffic information includes: determining the protocol header and request header of a traffic packet from the packet; reading the request data in the request header according to the protocol rules of the protocol header; and, based on the request data, encapsulating the traffic packet into traffic information in tuple form.
Further, the asset discovery execution engine includes a port scan engine and the asset information includes port information; using the configured asset discovery execution engine to discover asset information within the preset range includes: using the port scan engine to scan the ports to be scanned within a preset scan range and discover port data; and encapsulating the port data into port information in tuple form.
Further, the asset discovery execution engine includes a log mining engine and the asset information includes log information; using the configured asset discovery execution engine to discover asset information within the preset range includes: using the log mining engine to mine the preset aggregated logs and screen out the log information that satisfies preset access conditions.
Further, the method also includes: comparing the asset information with the managed asset information in a managed asset library to obtain a comparison result; and determining, according to the comparison result, how the asset information is to be processed.
Further, determining how the asset information is to be processed according to the comparison result includes: if the comparison result is that the asset information is identical to the managed asset information, discarding the asset information; if the comparison result is that the asset information is entirely different from the managed asset information, adding the asset information to the managed asset library; and if the comparison result is that the asset information partially matches the managed asset information, updating the managed asset information with the asset information.
The automatic asset discovery device provided by the invention includes: a configuration module for configuring an asset discovery execution engine based on a preset engine configuration table, the asset discovery execution engine including one or more of a traffic probe engine, a port scan engine and a log mining engine; and a discovery module for using the configured asset discovery execution engine to discover asset information within a preset range.
Further, the device also includes: a comparison module for comparing the asset information with the managed asset information in the managed asset library to obtain a comparison result; and a determination module for determining, according to the comparison result, how the asset information is to be processed.
The present invention provides an automatic asset discovery method and device: an asset discovery execution engine is configured based on a preset engine configuration table, the asset discovery execution engine including one or more of a traffic probe engine, a port scan engine and a log mining engine, and the configured asset discovery execution engine is used to discover asset information within a preset range. By combining traffic probing, port scanning and log mining, the invention discovers network assets automatically and thereby enables monitoring, making it convenient for users to manage and maintain the network assets within their own area of responsibility.
Brief description of the drawings
In order to explain the specific embodiments of the invention or the technical solutions in the prior art more clearly, the drawings required for describing the specific embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the invention; a person of ordinary skill in the art may obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an automatic asset discovery method provided by an embodiment of the invention;
Fig. 2 shows the processing of traffic information in an embodiment of the invention;
Fig. 3 is a flowchart of another automatic asset discovery method provided by an embodiment of the invention;
Fig. 4 is a structural diagram of an automatic asset discovery device provided by an embodiment of the invention;
Fig. 5 is a structural diagram of another asset discovery system provided by an embodiment of the invention;
Fig. 6 is a structural diagram of an asset discovery system provided by an embodiment of the invention.
Reference numerals:
11: configuration module; 12: discovery module; 13: comparison module; 14: determination module.
Detailed description of the embodiments
The technical solution of the invention is described clearly and completely below with reference to the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the invention without creative effort fall within the scope of protection of the invention.
With the spread of the Internet and the growth of business on it, interconnection has given rise to a large number of Internet assets in every industry. While these network assets provide a variety of services, they also bring management problems. For example, current network asset management faces a major issue: the number, IP distribution, asset type, liveness and responsible person of the network assets that an organization is responsible for, or that fall within its area of responsibility, are unclear; manual counting is labor-intensive and gives poor control over the real-time state of assets, and operations such as additions and deletions all lag behind, which makes network asset management very difficult.
That is, in network asset management work, the real-time change of network assets and the change of their owning unit and responsible person make it difficult for manual management to meet the requirements of network asset management, where the real-time changes in network assets include domain name changes, IP changes and service state changes. Moreover, the typical asset management system relies on manual reporting, so real-time changes in the status of network assets cannot be shown in time.
Therefore, mainstream network asset management currently relies on manual records or on a network asset declaration platform, and such management methods cannot cope with the volume of network assets that now has to be managed. On this basis, the embodiments of the invention provide an automatic asset discovery method and device that can discover, manage and classify network assets automatically, improving timeliness and reliability.
To facilitate understanding of the embodiments, an automatic asset discovery method disclosed in an embodiment of the invention is first described in detail.
Embodiment one:
Referring to Fig. 1, an automatic asset discovery method provided by an embodiment of the invention may include the following steps:
Step S101: configure an asset discovery execution engine based on a preset engine configuration table, the asset discovery execution engine including one or more of a traffic probe engine, a port scan engine and a log mining engine;
In an embodiment of the invention, the asset discovery execution engine can be initialized from the preset engine configuration table before it starts work, and different configuration information can be set for different asset discovery execution engines.
Step S102: use the configured asset discovery execution engine to discover asset information within a preset range.
In an embodiment of the invention, asset information includes, but is not limited to, traffic information, port information and log information. Different asset discovery execution engines discover different asset information: the traffic probe engine discovers traffic information, the port scan engine discovers port information, and the log mining engine discovers log information.
It should be noted that, in order to discover as many network assets as possible, and as accurately as possible, within the scope of the user's network (which includes but is not limited to local area networks and public networks) with little or no manual involvement, an embodiment of the invention diverts the traffic at the LAN egress and parses and mines that traffic, performs scheduled port scans and monitoring of the IPs, IP ranges and domain names configured by the user, and mines the access logs collected from network access, where log mining is a supplement to the automatic asset discovery method.
In the automatic asset discovery method provided by the invention, the asset discovery execution engine is first configured based on the preset engine configuration table, and the configured asset discovery execution engine is then used to discover asset information within the preset range. By combining traffic probing, port scanning and log mining, the embodiment discovers network assets automatically and thereby enables monitoring, making it convenient for users to manage and maintain the network assets within their own area of responsibility.
Further, step S101 may include the following steps:
Configure first configuration information for the traffic probe engine based on the preset engine configuration table, the first configuration information including a public-service filter whitelist; or configure second configuration information for the port scan engine based on the preset engine configuration table, the second configuration information including one or more of: the IPs, IP ranges and domain names of the ports to be scanned, the owning unit, and the responsible person; or configure third configuration information for the log mining engine based on the preset engine configuration table, the third configuration information including a log aggregation address.
In an embodiment of the invention, configuring the asset discovery execution engine based on the preset engine configuration table determines the discovery range of the assets.
Further, where the asset discovery execution engine includes a traffic probe engine and the asset information includes traffic information, step S102 may include the following steps:
Use the traffic probe engine to obtain the network traffic of a preset network interface and capture traffic packets from the network traffic;
Analyze the traffic packets to determine the traffic information.
In an embodiment of the invention, analyzing the traffic packets to determine the traffic information may include the following steps:
Determine the protocol header and request header of a traffic packet from the packet;
Read the request data in the request header according to the protocol rules of the protocol header;
Based on the request data, encapsulate the traffic packet into traffic information in tuple form.
In an embodiment of the invention, after the first configuration information has been configured for the traffic probe engine from the preset engine configuration table, the configured traffic probe engine can detect traffic information by capturing packets, i.e. packets that contain traffic information. Specifically: step 1, configure port mirroring on the core switch so that all traffic on the switch's other ports is copied to the network interface of the traffic probe engine; step 2, the traffic probe engine captures packets on its own interface, for example with the tcpdump command; step 3, the traffic probe engine performs the next stage of analysis on the captured packets.
The embodiment of the invention can analyze different asset information according to specific needs. Taking web assets as an example, the request header in the captured packet is first parsed to determine whether the protocol header of the web asset is the HTTP protocol, judging by the rules of HTTP, for example whether the first line matches "GET / HTTP/1.0"; the request data is then read according to the HTTP protocol rules and encapsulated into five-tuple data as follows:
The IP above is the destination IP. From a captured traffic packet alone one cannot tell which side is the client and which is the origin server; only the destination address can be determined. Because a traffic packet only yields a destination address and a source address, it cannot be determined which one is the web server. For example, if the server is on an intranet segment, the destination address can be recognized as an intranet IP; but if the server is on an external segment, for instance a department whose servers are deployed on Alibaba Cloud, the destination IP alone cannot tell whether it is a server. LAN users access their own organization's servers while at work, so if a server is on the external network, the destination address is an external address and that destination address is still an asset of the organization. Since traffic information alone cannot tell whether a server is on the intranet or the external network, several indicators are assessed together to judge whether a traffic record is a server asset:
If the destination address is in the public-service filter whitelist, it is discarded directly and not considered further; if the destination IP is an intranet IP, the probability that it is a server address is high.
Judge whether different IPs access the same IP+port within a unit of time; if so, that IP+port is likely a server address of the organization. The embodiment can set a threshold S, for example: more than 10 different IPs accessing the same IP+port within 1 hour. Since it cannot be ruled out that intranet staff are all accessing the same server of some other organization (Baidu, for example), the public-service filter whitelist is used to filter out such cases. Judge whether the destination IP of the packet is in the configured list of IPs, IP ranges and domain names; if it is, it is most likely an asset server of the organization.
The five-tuple data of the server assets above is de-duplicated on a schedule, hourly or daily (adjustable), and sent to the asset discovery center, which performs the next stage of judgment; the specific judgment method is shown in Fig. 2:
In Fig. 2 the asset discovery center is referred to as the discovery library. If the five-tuple data of the traffic information does not agree with the managed asset information in the managed asset library, the traffic information is matched to a unit directly and added to the managed asset library.
If the five-tuple data of the traffic information already exists as managed asset information in the managed asset library, the traffic information is discarded. If the managed asset information and the five-tuple data only partially match, it is judged whether the changed data has been manually confirmed: if it has, the record is updated as a new asset; if it has not, the old data in the managed asset library is overwritten directly.
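The traffic-probe heuristics above (HTTP detection from the first request line, five-tuple encapsulation, the whitelist, intranet, threshold-S and configured-list checks, and de-duplication per five-tuple) as an added example; this is not code from the patent or from the assignee. The packet tuples are constructed sample data, and the five-tuple layout (destination IP, destination port, Host header, protocol, path), the function names, the RFC 1918 intranet ranges and the configured address lists are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed configuration: the "first configuration information" (public-service
# filter whitelist) plus the user's configured IP/IP-range/domain lists.
# All values are assumptions for this example.
PUBLIC_SERVICE_WHITELIST = {"203.0.113.10"}         # e.g. a search-engine VIP
CONFIGURED_RANGES = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]
CONFIGURED_DOMAINS = {"portal.example.internal"}
INTRANET_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")]      # assumption: RFC 1918 = intranet
THRESHOLD_S = 10          # more than S distinct client IPs hitting one IP+port ...
WINDOW_SECONDS = 3600     # ... within one hour
HTTP_METHODS = ("GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ")


def parse_http_request(payload: bytes):
    """Return (method, path, host) when the first line looks like an HTTP
    request line such as 'GET / HTTP/1.0'; otherwise None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    first_line, _, rest = text.partition("\r\n")
    if not first_line.startswith(HTTP_METHODS):
        return None
    parts = first_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = ""
    for header in rest.split("\r\n"):
        name, sep, value = header.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    return parts[0], parts[1], host


def classify(packets):
    """packets: iterable of (timestamp_s, src_ip, dst_ip, dst_port, payload).
    Returns {five_tuple: set(reasons)} for destinations judged to be server
    assets. Five-tuple layout (assumed): (dst ip, dst port, host, protocol, path)."""
    clients = defaultdict(list)                 # (dst, port) -> [(ts, src)]
    tuples = defaultdict(set)                   # (dst, port) -> {five-tuples}
    for ts, src, dst, dport, payload in packets:
        if dst in PUBLIC_SERVICE_WHITELIST:
            continue                            # whitelisted: drop outright
        req = parse_http_request(payload)
        if req is None:
            continue                            # not HTTP: no web asset here
        _method, path, host = req
        clients[(dst, dport)].append((ts, src))
        tuples[(dst, dport)].add((dst, dport, host, "http", path))

    result = {}
    for (dst, dport), seen in clients.items():
        reasons = set()
        addr = ip_address(dst)
        if any(addr in net for net in INTRANET_RANGES):
            reasons.add("intranet-ip")
        if any(addr in net for net in CONFIGURED_RANGES):
            reasons.add("configured-range")
        if any(t[2] in CONFIGURED_DOMAINS for t in tuples[(dst, dport)]):
            reasons.add("configured-domain")
        # threshold S: more than THRESHOLD_S distinct clients in any one-hour window
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            window = {s for t, s in seen[i:] if t - t0 <= WINDOW_SECONDS}
            if len(window) > THRESHOLD_S:
                reasons.add("client-threshold")
                break
        if reasons:
            for five in tuples[(dst, dport)]:   # one record per five-tuple (dedupe)
                result[five] = reasons
    return result


def _http(host, path="/"):
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


# Constructed sample capture: (timestamp, src, dst, dport, payload).
SAMPLE_PACKETS = [
    (0, "10.1.1.5", "203.0.113.10", 80, _http("search.example")),           # whitelisted
    (10, "10.1.1.6", "10.20.0.7", 8080, _http("portal.example.internal")),
    (20, "10.1.1.6", "10.20.0.7", 8080, _http("portal.example.internal")),  # duplicate
    (30, "10.1.1.7", "10.20.0.7", 22, b"SSH-2.0-OpenSSH_8.0\r\n"),          # not HTTP
] + [(60 * i, f"10.1.2.{i}", "198.51.100.9", 80, _http("198.51.100.9", "/api"))
     for i in range(1, 13)]                                                 # 12 clients in 12 min


def run_sample():
    return classify(SAMPLE_PACKETS)


if __name__ == "__main__":
    for five, why in sorted(run_sample().items()):
        print(five, sorted(why))
```

The whitelisted destination never reaches the heuristics, the two identical requests to 10.20.0.7:8080 collapse into one five-tuple, and 198.51.100.9:80 is kept only because it is in a configured range and crosses the threshold, which is the case the text is worried about when the server is not on an intranet segment.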
Further, where the asset discovery execution engine includes a port scan engine and the asset information includes port information, step S102 may include the following steps:
Use the port scan engine to scan the ports to be scanned within the preset scan range and discover port data;
Encapsulate the port data into port information in tuple form.
In an embodiment of the invention, assets that are accessed over the network can be obtained by traffic-based asset discovery, but rarely visited websites, dormant ("zombie") websites and the like are hard to find through traffic, so these assets can be found by port detection. The specific steps are as follows:
Configure the IPs, IP ranges and ports to be scanned; if none are configured, the common ports are scanned by default, for example 80/3306/6379/8080/22. The scan period is configured according to customer demand and may be a single scan or a periodic scan: if the assets change a lot the period is set short, otherwise long; if the customer wants every detection to be triggered manually, a single scan is configured. Unit information is then set for the selected IPs and IP ranges; with unit information, discovered assets can be assigned to a unit automatically when stored, or the unit can be chosen manually later and the assets stored again. Once configured, the task is dispatched to the port scan engine. A task here means creating a scan task record and issuing it to the port scan engine; the scan task record contains the ports, IPs, IP ranges and domain names to scan as well as the task creation and issue times. Using tasks makes each scan result traceable for investigation: when the port scan engine saves the discovered assets to the managed asset library, every asset record carries the ID of the task that found it. The port scan engine scans the designated ports of the IPs and IP ranges with the nmap command, encapsulates the ports found as (task ID, IP, port) triples and returns them to the managed asset library. The data is de-duplicated before storage, and asset information that has not been assigned a unit can be entered into the managed asset library by the asset discovery center or by manual editing.
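The scan-task record, the nmap invocation and the (task ID, IP, port) triple encapsulation described above, as an added example that is not the patent's or the assignee's code. The nmap grepable (-oG) output is a constructed sample, and the record field names, the use of uuid task IDs and the choice of the -Pn flag are assumptions.

```python
import re
import uuid
from datetime import datetime, timezone

DEFAULT_PORTS = [22, 80, 3306, 6379, 8080]    # the common ports named in the text


def create_scan_task(ips, ip_ranges=(), domains=(), ports=None, unit=None, period="single"):
    """Build one scan-task record as it would be issued to the port scan engine.
    Field names are assumptions; the contents follow the text: ports, IPs,
    IP ranges, domain names, creation and issue time, plus the owning unit."""
    now = datetime.now(timezone.utc).isoformat()
    return {
        "task_id": uuid.uuid4().hex,
        "ports": sorted(ports) if ports else list(DEFAULT_PORTS),
        "ips": list(ips), "ip_ranges": list(ip_ranges), "domains": list(domains),
        "unit": unit, "period": period,            # "single" or e.g. "hourly"
        "created_at": now, "issued_at": now,
    }


def nmap_command(task):
    """argv the engine would run. -oG - prints grepable output on stdout;
    -Pn skips host discovery so firewalled assets that drop ping still get scanned."""
    targets = task["ips"] + task["ip_ranges"] + task["domains"]
    ports = ",".join(str(p) for p in task["ports"])
    return ["nmap", "-Pn", "-p", ports, "-oG", "-", *targets]


# One grepable host line: "Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/..., ..."
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Ports:\s+([^\t]*)")


def parse_grepable(task_id, text):
    """Yield (task_id, ip, port) for every open TCP port in nmap -oG output."""
    for line in text.splitlines():
        m = _HOST_RE.match(line.strip())
        if not m:
            continue                     # comment lines and "Status: Up" lines
        ip, _name, ports_field = m.groups()
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")   # port/state/proto/owner/service/rpc/version/
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                yield (task_id, ip, int(fields[0]))


def dedupe_for_storage(triples, managed_library):
    """Drop triples whose (ip, port) is already in the managed asset library
    (or repeated within this batch) before anything is stored."""
    known = {(ip, port) for (_tid, ip, port) in managed_library}
    fresh = []
    for tid, ip, port in triples:
        if (ip, port) not in known:
            known.add((ip, port))
            fresh.append((tid, ip, port))
    return fresh


# Constructed nmap -oG output (not a real scan).
SAMPLE_NMAP_OUTPUT = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 10.20.0.7 ()\tStatus: Up\n"
    "Host: 10.20.0.7 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "3306/closed/tcp//mysql///\tIgnored State: filtered (2)\n"
    "Host: 10.20.0.8 ()\tPorts: 6379/open/tcp//redis///, 8080/filtered/tcp//http-proxy///\n"
    "# Nmap done\n"
)


def run_sample():
    task = create_scan_task(["10.20.0.7", "10.20.0.8"], unit="IT department")
    found = list(parse_grepable(task["task_id"], SAMPLE_NMAP_OUTPUT))
    managed = [("earlier-task", "10.20.0.7", 22)]        # already in the library
    return task, found, dedupe_for_storage(found, managed)


if __name__ == "__main__":
    task, found, fresh = run_sample()
    print(" ".join(nmap_command(task)))
    print("found:", found)
    print("to store:", fresh)
```

Every triple carries the task ID, so a stored asset can be traced back to the scan record (its target list and issue time) that produced it; the closed and filtered ports are ignored, and the port already known from an earlier task is dropped before storage.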
Further, where the asset discovery execution engine includes a log mining engine and the asset information includes log information, step S102 may include the following steps:
Use the log mining engine to mine the preset aggregated logs and screen out the log information that satisfies the preset access conditions.
In an embodiment of the invention, log mining supplements traffic mining and port scanning; users who aggregate logs from devices such as a WAF can enable this method. The aggregated logs are scanned and mined on a schedule, and the qualifying data is sent to the asset discovery center for further processing. The conditions are: filter out logs of inaccessible requests, and filter out logs that cannot form five-tuple data. The specific screening method, for web requests and taking Alibaba Cloud WAF logs as an example, is as follows:
Step 1: filter the log information, i.e. filter out access logs with status 404 (not found);
Step 2: split the log information and extract real_client_ip (the real IP of the client), upstream_ip (the origin-server IP for the request; multiple origin addresses are split into several records, with the port split out as part of the asset information) and matched_host (the domain name in the WAF protection configuration, or the IP if the site was accessed by IP) to form the five-tuple data (client IP, origin-server IP, origin-server port, domain name, request protocol);
Step 3: after review, import the five-tuple data into the managed asset library, where it refines and supplements the assets found by the other asset discovery methods. For example, if the log information can be matched by origin-server IP to an asset found by the port scan engine, the log information can be used to fill in the domain name of that asset; log information that does not yet exist in the managed asset library can be stored directly as a new entry.
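The three screening steps above, as an added example (not the patent's or the assignee's code) run over constructed WAF log lines. The field names real_client_ip, upstream_ip and matched_host come from the text; the JSON-per-line layout, the status and https field names, and the rule that an upstream address without a port defaults to 80/443 are this example's own assumptions and not a description of the real log format. The second function performs the step-3 enrichment: filling in the domain name of an asset the port scan found by IP and port, and creating new entries for origins the library does not have.

```python
import json
from ipaddress import ip_address


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def mine_waf_log(lines):
    """Screen WAF log lines into five-tuples
    (client ip, origin-server ip, origin-server port, domain, protocol)."""
    seen, tuples = set(), []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue                          # cannot form a five-tuple: filtered out
        if str(rec.get("status")) == "404":
            continue                          # step 1: not-found requests are dropped
        client, upstream, host = rec.get("real_client_ip"), rec.get("upstream_ip"), rec.get("matched_host")
        if not (client and upstream and host):
            continue                          # incomplete record: filtered out
        proto = "https" if str(rec.get("https")).lower() == "true" else "http"   # assumed field
        for addr in upstream.split(","):      # step 2: several origins -> several records
            ip, _, port = addr.strip().partition(":")
            if not ip:
                continue
            if not port:
                port = "443" if proto == "https" else "80"   # assumption: default port
            five = (client, ip, int(port), host, proto)
            if five not in seen:
                seen.add(five)
                tuples.append(five)
    return tuples


def merge_into_library(five_tuples, scan_assets):
    """Step 3. scan_assets: records {ip, port, domain} found by port scanning.
    Fill in the domain where a five-tuple matches by (ip, port); return the
    new entries for origins the library does not yet have."""
    index = {(a["ip"], a["port"]): a for a in scan_assets}
    new_entries = []
    for _client, ip, port, host, proto in five_tuples:
        domain = "" if is_ip_literal(host) else host    # IP-accessed: no domain to learn
        asset = index.get((ip, port))
        if asset is not None:
            if domain and not asset.get("domain"):
                asset["domain"] = domain
        else:
            entry = {"ip": ip, "port": port, "domain": domain, "protocol": proto}
            index[(ip, port)] = entry
            new_entries.append(entry)
    return new_entries


# Constructed log lines (not real Alibaba Cloud WAF output).
SAMPLE_WAF_LOG = [
    '{"real_client_ip":"203.0.113.25","upstream_ip":"10.20.0.7:8080","matched_host":"portal.example.internal","status":"200","https":"true"}',
    '{"real_client_ip":"203.0.113.26","upstream_ip":"10.20.0.7:8080","matched_host":"portal.example.internal","status":"404","https":"true"}',
    '{"real_client_ip":"203.0.113.27","upstream_ip":"10.20.0.11:80,10.20.0.12:80","matched_host":"198.51.100.9","status":"302","https":"false"}',
    "this line is not JSON and cannot form a five-tuple",
    '{"real_client_ip":"203.0.113.28","upstream_ip":"","matched_host":"x.example","status":"200"}',
]


def run_sample():
    tuples = mine_waf_log(SAMPLE_WAF_LOG)
    scan_assets = [{"ip": "10.20.0.7", "port": 8080, "domain": ""}]   # from the port scan engine
    new_entries = merge_into_library(tuples, scan_assets)
    return tuples, scan_assets, new_entries


if __name__ == "__main__":
    for item in run_sample():
        print(item)
```

The 404 line, the non-JSON line and the line with an empty upstream are all screened out; the two-origin line becomes two records; and the surviving portal record supplies the domain name that the port scan could not learn from an open port alone.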
Further, referring to Fig. 3, the method also includes:
Step S103: compare the asset information with the managed asset information in the managed asset library to obtain a comparison result;
Step S104: determine, according to the comparison result, how the asset information is to be processed.
In an embodiment of the invention, step S104 may include the following processing:
If the comparison result is that the asset information is identical to the managed asset information, the asset information is discarded;
If the comparison result is that the asset information is entirely different from the managed asset information, the asset information is added to the managed asset library;
If the comparison result is that the asset information partially matches the managed asset information, the managed asset information is updated with the asset information.
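The comparison rules of steps S103 and S104, together with the manual-confirmation variant described for traffic information under Fig. 2, as an added example that is not the patent's or the assignee's code. It assumes that IP and port identify an asset, that "identical" means every field of the discovered record already matches the managed record, "entirely different" means no managed record has that IP and port, and "partially identical" means IP and port match but another field differs; the records are constructed.

```python
from copy import deepcopy

KEY_FIELDS = ("ip", "port")    # assumption: IP + port identify one asset


def compare(asset, managed):
    """Return "discard", "add" or "update" for one discovered record."""
    key = tuple(asset[f] for f in KEY_FIELDS)
    old = managed.get(key)
    if old is None:
        return "add"                                   # entirely different
    if all(old.get(f) == v for f, v in asset.items()):
        return "discard"                               # identical
    return "update"                                    # partially identical


def reconcile(discovered, managed, confirmed=frozenset()):
    """Apply the three rules to `managed` (a dict keyed by (ip, port)), mutating it.
    `confirmed` holds the keys whose change a person has already confirmed:
    for those the old record is kept in a history list and the record is
    rewritten as a new asset; otherwise the old values are overwritten directly.
    Returns (action log, history)."""
    log, history = [], []
    for asset in discovered:
        key = tuple(asset[f] for f in KEY_FIELDS)
        action = compare(asset, managed)
        if action == "add":
            managed[key] = dict(asset)
        elif action == "update":
            if key in confirmed:
                history.append(deepcopy(managed[key]))
                managed[key] = {**managed[key], **asset}
            else:
                managed[key].update(asset)
        log.append((key, action))
    return log, history


def run_sample():
    # Constructed managed asset library and a constructed batch from the discovery center.
    managed = {
        ("10.20.0.7", 8080): {"ip": "10.20.0.7", "port": 8080, "domain": "portal.example.internal", "unit": "IT"},
        ("10.20.0.8", 6379): {"ip": "10.20.0.8", "port": 6379, "domain": "", "unit": "IT"},
        ("10.20.0.9", 22): {"ip": "10.20.0.9", "port": 22, "domain": "", "unit": "IT"},
    }
    discovered = [
        {"ip": "10.20.0.9", "port": 22, "domain": ""},                              # identical
        {"ip": "10.20.0.8", "port": 6379, "domain": "cache.example.internal"},      # partial, unconfirmed
        {"ip": "10.20.0.7", "port": 8080, "domain": "portal-v2.example.internal"},  # partial, confirmed
        {"ip": "10.20.0.11", "port": 80, "domain": ""},                             # new
    ]
    log, history = reconcile(discovered, managed, confirmed={("10.20.0.7", 8080)})
    return managed, log, history


if __name__ == "__main__":
    managed, log, history = run_sample()
    for entry in log:
        print(entry)
    print("history:", history)
```

Fields the discovery engine does not report (here the owning unit) survive both kinds of update, which matters because the unit and responsible person are set by configuration rather than learned from traffic.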
The embodiment of the present invention can be based on the various dimensions such as flow information, port information, log information, various assets letter Breath realizes automation, quantitation discovery assets using multiple and different assets discovery enforcement engines, and then can monitor, manage It gets a haircut existing assets.The embodiment of the present invention can also balance between artificial and automatic, as much as possible the energy of promotion assets discovery Power, and then improve accuracy.
Embodiment two:
Referring to Fig. 4, the embodiment of the present invention provides a kind of assets and finds device automatically, wherein may include with lower module:
Configuration module 11, for being configured based on default engine allocation list to assets discovery enforcement engine, assets discovery Enforcement engine includes one of traffic probe engine, port scan engine, Web log mining engine or a variety of;
Discovery module 12 is configured to discover asset information within a preset range using the configured asset discovery execution engine.
The automatic asset discovery device provided by the invention configures the asset discovery execution engine based on a preset engine configuration table through the configuration module, and then discovers the asset information within the preset range through the discovery module. The embodiments of the invention discover network assets automatically by combining traffic probing, port scanning and log mining, and on that basis monitor them, which helps users manage and maintain the network assets under their own jurisdiction.
The invention provides an automatic network asset discovery device based on traffic probing, port scanning and log information monitoring and mining. It can help users discover and manage the assets under their administration automatically, improves timeliness and confidence, does much of the work of classifying and managing asset states, and makes network asset management convenient for the user.
Further, configuration module 11 may include the following units:
a first configuration unit, configured to configure first configuration information for the traffic probe engine based on the preset engine configuration table, the first configuration information including a public-service filtering white list; or a second configuration unit, configured to configure second configuration information for the port scan engine based on the preset engine configuration table, the second configuration information including one or more of: IP addresses and IP ranges of the ports to be scanned, domain names, owning unit, and responsible person; or a third configuration unit, configured to configure third configuration information for the log mining engine based on the preset engine configuration table, the third configuration information including a log collection address.
Further, the asset discovery execution engine includes a traffic probe engine and the asset information includes flow information; discovery module 12 may include the following units:
a capture unit, configured to obtain the network traffic of a preset network interface using the traffic probe engine and grab traffic data packets from that network traffic;
a determination unit, configured to analyze the traffic data packets and determine the flow information.
Further, the determination unit includes the following sub-units:
a determining sub-unit, configured to determine the protocol header and the request header of a traffic data packet from the traffic data packet itself;
a reading sub-unit, configured to read the request data in the request header according to the protocol rules of the protocol header;
an encapsulating sub-unit, configured to encapsulate the traffic data into flow information in multi-tuple form based on the request data.
Further, the asset discovery execution engine includes a port scan engine and the asset information includes port information; discovery module 12 may include the following units:
a scanning unit, configured to scan the ports to be scanned within a preset scanning range using the port scan engine and discover port data;
an encapsulation unit, configured to encapsulate the port data into port information in multi-tuple form.
Further, the asset discovery execution engine includes a log mining engine and the asset information includes log information; discovery module 12 may include the following units:
a mining unit, configured to mine the preset collected logs using the log mining engine and screen out the log information that satisfies preset access conditions.
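The following is an added worked example, not code from the patent or from its applicant. It shows the traffic probe units described above (determining the protocol header and request header of a captured packet, reading the request data and encapsulating it into a multi-tuple), the public-service filtering white list of the first configuration information, and the log mining unit's screening of collected logs by an access condition. The packet bytes, the log line format, the tuple fields, the white-list entry and the access condition (the request was served, i.e. a status below 400) are all constructed assumptions; the patent does not specify them.

```python
# Added example (not the patent's or applicant's code). Packet layout, tuple
# fields, log format, white-list entry and access condition are assumptions.
import re
import socket
import struct
from typing import Callable, List, NamedTuple, Optional


class FlowAsset(NamedTuple):
    """Multi-tuple emitted for one observed request (the field set is assumed)."""
    ip: str
    port: int
    domain: str
    method: str
    path: str


def build_sample_packet(src: str, dst: str, dport: int, http: bytes) -> bytes:
    """Constructed IPv4 + TCP + HTTP bytes standing in for one captured packet."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(http)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + http


def parse_flow_packet(raw: bytes) -> Optional[FlowAsset]:
    """Protocol header -> request header -> tuple, as the determination unit does.
    Only IPv4/TCP carrying an HTTP/1.x request line is understood; anything
    else yields None so the caller can count it instead of failing."""
    if len(raw) < 40 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6:                                   # IP protocol 6 is TCP
        return None
    dst_ip = socket.inet_ntoa(raw[16:20])
    tcp = raw[ihl:]
    if len(tcp) < 20:
        return None
    dport = struct.unpack("!H", tcp[2:4])[0]
    payload = tcp[(tcp[12] >> 4) * 4:]                 # skip TCP header (data offset)
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    m = re.fullmatch(rb"([A-Z]+) (\S+) HTTP/1\.[01]", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get(b"host", b"").decode("ascii", "replace")
    domain = host.rsplit(":", 1)[0] if ":" in host else host
    return FlowAsset(dst_ip, dport, domain or dst_ip,
                     m.group(1).decode(), m.group(2).decode())


def is_public_service(asset: FlowAsset, whitelist: frozenset) -> bool:
    """Public-service filtering white list: requests to listed hosts are
    public services, not the unit's own assets, and are excluded."""
    return asset.domain in whitelist


# Constructed log format: "server_ip:port vhost client - - [time] "request" status bytes".
LOG_RE = re.compile(
    r'^(?P<ip>[\d.]+):(?P<port>\d+) (?P<host>\S+) \S+ \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3}) \d+$')


def mine_log(lines: List[str],
             access_condition: Callable[[int], bool] = lambda s: s < 400) -> List[FlowAsset]:
    """Screen collected log lines by a preset access condition (assumed:
    the request was served) and encapsulate the survivors as tuples."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and access_condition(int(m["status"])):
            found.append(FlowAsset(m["ip"], int(m["port"]), m["host"], m["method"], m["path"]))
    return found


# Constructed sample inputs.
SAMPLE_HTTP = (b"GET /admin/login HTTP/1.1\r\n"
               b"Host: intranet.example.org:8080\r\n"
               b"User-Agent: curl/7.68.0\r\n\r\n")
SAMPLE_PACKET = build_sample_packet("10.0.0.5", "10.0.1.20", 8080, SAMPLE_HTTP)
PUBLIC_WHITELIST = frozenset({"public-search.example"})   # placeholder public service
SAMPLE_LOG = [
    '10.0.1.20:8080 intranet.example.org 10.0.0.5 - - [02/Aug/2019:10:00:01 +0800] "GET /admin/login HTTP/1.1" 200 512',
    '10.0.1.20:8080 intranet.example.org 10.0.0.7 - - [02/Aug/2019:10:00:05 +0800] "GET /favicon.ico HTTP/1.1" 404 0',
    '10.0.1.21:443 portal.example.org 10.0.0.9 - - [02/Aug/2019:10:01:00 +0800] "POST /api/v1/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    asset = parse_flow_packet(SAMPLE_PACKET)
    print(asset, "public" if is_public_service(asset, PUBLIC_WHITELIST) else "candidate")
    for hit in mine_log(SAMPLE_LOG):
        print(hit)
```

The parser deliberately returns None for anything that is not an IPv4/TCP packet with an HTTP request line; a probe that counts those rejects instead of raising is what keeps a mirror port with mixed traffic from stalling the capture unit.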
Further, referring to Fig. 5, the device further includes:
a comparison module 13, configured to compare the asset information with the managed asset information in the managed asset library to obtain a comparison result;
a determining module 14, configured to determine the processing mode of the asset information according to the comparison result.
Further, determining module 14 may include the following units:
a discarding unit, configured to discard the asset information if the comparison result is that the asset information is identical to the managed asset information;
an adding unit, configured to add the asset information to the managed asset library if the comparison result is that the asset information and the managed asset information are completely different;
an updating unit, configured to update the managed asset information using the asset information if the comparison result is that the asset information is partially identical to the managed asset information.
Embodiment three:
Referring to Fig. 6, an embodiment of the invention provides an automatic asset discovery device system, which may include three parts: an asset mining part, an asset initial-configuration part and an asset monitoring part, as shown in Fig. 6:
The asset discovery center in this embodiment may be referred to as "asset discovery" in the figure, and the managed asset library may be referred to as "network assets" in the figure.
It should be noted that the three discovery channels, log mining, traffic probing and port scanning, are not executed in any particular order, and the asset information from each discovery channel is kept in that channel's own table in the asset discovery center before it enters the managed asset library. On entering the managed asset library, it is first judged whether the discovered asset information already exists in the managed asset library. If an asset from one channel has already entered the managed asset library and another channel later discovers the same asset, the contents of the asset information are compared, and according to whether the asset information is consistent with the managed asset information it is decided whether to update the managed asset library with the asset information again or to discard it directly.
In the embodiments of the invention, the three asset discovery execution engines only start working after the engine configuration table has been initially configured. The specific configuration is as follows: this embodiment may configure a public-service filtering white list for the traffic probe engine; for example Baidu (www.***.com) is clearly not an asset of the unit and can be excluded directly. This embodiment may configure for the port scan engine the IP addresses, domain names and IP ranges of the ports to be scanned, together with the corresponding owning unit and responsible person, and the list of ports to scan. This embodiment may configure a log collection address for the log mining engine.
The assets discovered through the three channels are first stored in the library tables of the asset discovery center, with the assets discovered by different channels entering the managed asset library separately. The asset information discovered through the port scanning channel is triple data, and the asset information fields corresponding to the triple are fewer than the asset information fields discovered by the other two channels.
The asset information at the asset discovery center is compared with the managed asset information in the managed asset library, and either the managed asset library is updated (i.e. only the partial fields are updated) or the asset information is discarded.
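The following is an added worked example, not code from the patent or from its applicant. It reduces the asset discovery center and managed asset library of this embodiment (and the comparison and determining modules of Fig. 5) to plain dictionaries: each channel keeps its hits in its own staging table, and a hit is then added, discarded, or merged into the library as a partial-field update. The (ip, port) matching key, the record fields (with the port-scan triple assumed to be ip, port and service) and the sample discoveries are constructed assumptions.

```python
# Added example (not the patent's or applicant's code). Matching key, record
# fields and sample discoveries are assumptions.
from typing import Dict, Tuple

Key = Tuple[str, int]
# Assumed record fields: a port-scan hit is the (ip, port, service) triple,
# traffic and log hits also carry a domain, and the owner fields come from
# the port-scan configuration (owning unit, responsible person).
FIELDS = ("ip", "port", "domain", "service", "owner_unit", "person_liable")
CHANNELS = ("traffic", "portscan", "log")


def record(ip: str, port: int, **fields: str) -> dict:
    """Build a record with every field present; fields a channel cannot
    supply stay empty, which is what makes the triple 'fewer fields'."""
    rec = {f: "" for f in FIELDS}
    rec["ip"], rec["port"] = ip, port
    rec.update(fields)
    return rec


class DiscoveryCenter:
    """Asset discovery center (one staging table per channel) in front of the
    managed asset library, both keyed by (ip, port)."""

    def __init__(self) -> None:
        self.tables: Dict[str, Dict[Key, dict]] = {c: {} for c in CHANNELS}
        self.managed: Dict[Key, dict] = {}

    def discover(self, channel: str, rec: dict) -> str:
        """Keep the hit in its channel's table, then reconcile it with the
        library. Returns the processing mode: 'add', 'update' or 'discard'."""
        key = (rec["ip"], rec["port"])
        self.tables[channel][key] = rec
        return self._reconcile(key, rec)

    def _reconcile(self, key: Key, rec: dict) -> str:
        # Only the fields this channel actually filled in take part in the comparison.
        provided = {f: v for f, v in rec.items() if f in FIELDS and v != ""}
        existing = self.managed.get(key)
        if existing is None:                                  # completely different: add
            new = record(key[0], key[1])
            new.update(provided)
            self.managed[key] = new
            return "add"
        if all(existing[f] == v for f, v in provided.items()):
            return "discard"                                  # identical: nothing new
        existing.update(provided)      # partially identical: update only provided fields
        return "update"


if __name__ == "__main__":
    center = DiscoveryCenter()
    print(center.discover("portscan", record("10.0.1.20", 8080, service="http")))
    print(center.discover("traffic", record("10.0.1.20", 8080, domain="intranet.example.org")))
    print(center.discover("traffic", record("10.0.1.20", 8080, domain="intranet.example.org")))
    print(center.managed[("10.0.1.20", 8080)])
```

Comparing only the fields a channel provided is what lets the three-field port-scan triple and the richer traffic or log records describe the same asset without one channel's empty fields wiping out what another channel already contributed.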
Asset monitoring monitors the asset information in the managed asset library in real time and updates its state. Because the asset information at the asset discovery center is uncertain, it cannot be confirmed whether it belongs to the range the user wants to manage; it only enters the managed asset library from the asset discovery center after the user confirms storage, or when the user has enabled automatic storage. The asset information in the managed asset library can be regarded as the assets the user actually manages in practical business. The management method may include: testing access to the IP, port and domain daily, and marking asset information that cannot be accessed N times (N is adjustable) as inaccessible, so that the client can find and clean it up.
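The following is an added worked example, not code from the patent or from its applicant. It implements the daily access test described above over a managed asset library, with the adjustable failure count N: an asset is marked inaccessible only after N consecutive failed tests, and a successful test resets the count. The access test itself is injected as a callable so the example runs offline; the library contents and the scripted test outcomes are constructed.

```python
# Added example (not the patent's or applicant's code). The probe outcomes,
# library contents and state names are constructed assumptions.
from typing import Callable, Dict, List, Tuple

Key = Tuple[str, int]


class AssetMonitor:
    """Daily access test over the managed asset library: an asset that fails
    N consecutive tests is marked inaccessible; a success resets the count."""

    def __init__(self, probe: Callable[[str, int, str], bool], n_failures: int = 3):
        self.probe = probe                  # True when ip:port (or domain) answered
        self.n_failures = n_failures        # the adjustable N from the text
        self.failures: Dict[Key, int] = {}
        self.state: Dict[Key, str] = {}

    def run_once(self, managed: Dict[Key, dict]) -> Dict[Key, str]:
        """One day's pass over the library; returns the state of every asset."""
        for key, rec in managed.items():
            if self.probe(rec["ip"], rec["port"], rec.get("domain", "")):
                self.failures[key] = 0
                self.state[key] = "accessible"
                continue
            self.failures[key] = self.failures.get(key, 0) + 1
            if self.failures[key] >= self.n_failures:
                self.state[key] = "inaccessible"   # flagged for the client to clean up
            else:
                self.state.setdefault(key, "unknown")   # keep the previous state until N
        return dict(self.state)


def scripted_probe(schedule: Dict[Key, List[bool]]) -> Callable[[str, int, str], bool]:
    """Constructed stand-in for the real access test: each call for a key
    returns the next scripted outcome (the last outcome repeats)."""
    calls: Dict[Key, int] = {}

    def probe(ip: str, port: int, domain: str) -> bool:
        key = (ip, port)
        i = calls.get(key, 0)
        calls[key] = i + 1
        outcomes = schedule[key]
        return outcomes[min(i, len(outcomes) - 1)]

    return probe


def simulate(days: int, n_failures: int = 3) -> Dict[Key, str]:
    """Run the daily test for `days` days over a constructed library."""
    managed = {
        ("10.0.1.20", 8080): {"ip": "10.0.1.20", "port": 8080, "domain": "intranet.example.org"},
        ("10.0.1.21", 443): {"ip": "10.0.1.21", "port": 443, "domain": "portal.example.org"},
    }
    schedule = {
        ("10.0.1.20", 8080): [True],            # always answers
        ("10.0.1.21", 443): [True, False],      # stops answering after day 1
    }
    monitor = AssetMonitor(scripted_probe(schedule), n_failures)
    states: Dict[Key, str] = {}
    for _ in range(days):
        states = monitor.run_once(managed)
    return states


if __name__ == "__main__":
    for day in (3, 4):
        print(day, simulate(day))
```

Requiring N consecutive failures rather than N failures in total is a design choice: a single missed daily test during maintenance then does not flag a live asset, while a decommissioned one is still reported within N days.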
For assets discovered by the traffic probe engine, if there are unreasonable or entirely incorrect assets, they can be excluded by configuring the filtering white list, and the threshold S can be adjusted to increase the confidence of the asset information.
The embodiments of the invention can realize automatic discovery and monitoring of network assets based on the combination of traffic monitoring, port scanning and log mining, which helps users manage and maintain the assets under their own jurisdiction.
The flowcharts and block diagrams in the drawings show the architecture of the methods and devices of multiple embodiments of the invention. In this regard, each box in a flowchart or block diagram may represent a module, a program segment or a part of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions marked in the boxes may occur in an order different from that marked in the drawings. For example, two consecutive boxes may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each box in the block diagrams and/or flowcharts, and combinations of boxes in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the system and device described above can refer to the corresponding process in the foregoing method embodiments, and is not repeated here.
In addition, in the description of the embodiments of the invention, unless otherwise specified and limited, the terms "installed", "connected" and "coupled" are to be understood broadly; for example, they may mean a fixed connection, a detachable connection or an integral connection; a mechanical connection or an electrical connection; a direct connection, a connection through an intermediary, or an internal connection between two elements. Those of ordinary skill in the art can understand the specific meaning of the above terms in the invention according to the specific situation.
If the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the invention in essence, or the part that contributes to the prior art, or part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the invention. The storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a magnetic disk or an optical disk, and other media that can store program code.
In the description of the invention, it should be noted that the orientation or positional relationships indicated by the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer" and the like are based on the orientation or positional relationships shown in the drawings, and are only for convenience of describing the invention and simplifying the description, rather than indicating or implying that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; they are therefore not to be construed as limiting the invention. In addition, the terms "first", "second" and "third" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the invention and not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that they can still modify the technical solutions described in the foregoing embodiments, or make equivalent replacements of some or all of the technical features; and these modifications or replacements do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the invention.

Claims (10)

1. An automatic asset discovery method, characterized by comprising:
configuring an asset discovery execution engine based on a preset engine configuration table, the asset discovery execution engine including one or more of a traffic probe engine, a port scan engine and a log mining engine;
discovering asset information within a preset range using the configured asset discovery execution engine.
2. The method according to claim 1, characterized in that configuring the asset discovery execution engine based on the preset engine configuration table comprises:
configuring first configuration information for the traffic probe engine based on the preset engine configuration table, the first configuration information including a public-service filtering white list;
or,
configuring second configuration information for the port scan engine based on the preset engine configuration table, the second configuration information including one or more of: the IP addresses, IP ranges, domain names, owning unit and responsible person of the ports to be scanned;
or,
configuring third configuration information for the log mining engine based on the preset engine configuration table, the third configuration information including a log collection address.
3. The method according to claim 1, characterized in that the asset discovery execution engine includes a traffic probe engine and the asset information includes flow information;
discovering asset information within the preset range using the configured asset discovery execution engine comprises:
obtaining the network traffic of a preset network interface using the traffic probe engine, and grabbing traffic data packets from the network traffic;
analyzing the traffic data packets and determining the flow information.
4. The method according to claim 3, characterized in that analyzing the traffic data packets and determining the flow information comprises:
determining the protocol header and the request header of a traffic data packet based on the traffic data packet;
reading the request data in the request header according to the protocol rules of the protocol header;
encapsulating the traffic data into flow information in multi-tuple form based on the request data.
5. The method according to claim 1, characterized in that the asset discovery execution engine includes a port scan engine and the asset information includes port information;
discovering asset information within the preset range using the configured asset discovery execution engine comprises:
scanning the ports to be scanned within a preset scanning range using the port scan engine, and discovering port data;
encapsulating the port data into port information in multi-tuple form.
6. The method according to claim 1, characterized in that the asset discovery execution engine includes a log mining engine and the asset information includes log information;
discovering asset information within the preset range using the configured asset discovery execution engine comprises:
mining the preset collected logs using the log mining engine, and screening out the log information that satisfies preset access conditions.
7. The method according to claim 1, characterized in that the method further comprises:
comparing the asset information with the managed asset information in a managed asset library to obtain a comparison result;
determining the processing mode of the asset information according to the comparison result.
8. The method according to claim 7, characterized in that determining the processing mode of the asset information according to the comparison result comprises:
if the comparison result is that the asset information is identical to the managed asset information, discarding the asset information;
if the comparison result is that the asset information and the managed asset information are completely different, adding the asset information to the managed asset library;
if the comparison result is that the asset information is partially identical to the managed asset information, updating the managed asset information using the asset information.
9. An automatic asset discovery device, characterized by comprising:
a configuration module, configured to configure an asset discovery execution engine based on a preset engine configuration table, the asset discovery execution engine including one or more of a traffic probe engine, a port scan engine and a log mining engine;
a discovery module, configured to discover asset information within a preset range using the configured asset discovery execution engine.
10. The device according to claim 9, characterized in that the device further comprises:
a comparison module, configured to compare the asset information with the managed asset information in a managed asset library to obtain a comparison result;
a determining module, configured to determine the processing mode of the asset information according to the comparison result.
CN201910715038.XA 2019-08-02 2019-08-02 Assets automatic discovering method and device Pending CN110311931A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910715038.XA CN110311931A (en) 2019-08-02 2019-08-02 Assets automatic discovering method and device

Publications (1)

Publication Number Publication Date
CN110311931A true CN110311931A (en) 2019-10-08

Family

ID=68083058

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910715038.XA Pending CN110311931A (en) 2019-08-02 2019-08-02 Assets automatic discovering method and device

Country Status (1)

Country Link
CN (1) CN110311931A (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110830501A (en) * 2019-11-25 2020-02-21 杭州安恒信息技术股份有限公司 Website asset detection method based on DNS traffic
CN111030887A (en) * 2019-12-19 2020-04-17 杭州安恒信息技术股份有限公司 Web server discovery method and device and electronic equipment
CN111181775A (en) * 2019-12-17 2020-05-19 杭州安恒信息技术股份有限公司 Integrated operation and maintenance management alarm method based on automatic host asset discovery
CN111343167A (en) * 2020-02-19 2020-06-26 北京天融信网络安全技术有限公司 Information processing method based on network and electronic equipment
CN111399893A (en) * 2020-03-20 2020-07-10 深信服科技股份有限公司 Service information updating method, device, equipment and computer readable storage medium
CN111431753A (en) * 2020-04-02 2020-07-17 深信服科技股份有限公司 Asset information updating method, device, equipment and storage medium
CN111694588A (en) * 2020-06-11 2020-09-22 浙江军盾信息科技有限公司 Engine upgrade detection method and device, computer equipment and readable storage medium
CN112235248A (en) * 2020-09-17 2021-01-15 杭州安恒信息技术股份有限公司 Web application firewall protection site collection method and device and electronic device
CN112685406A (en) * 2020-12-22 2021-04-20 中通天鸿(北京)通信科技股份有限公司 Monitoring system for ascertaining use state of cloud platform assets in real time
CN113923024A (en) * 2021-10-09 2022-01-11 京东科技信息技术有限公司 Asset property identification method and device based on network flow mirror image
CN114003469A (en) * 2021-12-30 2022-02-01 北京微步在线科技有限公司 Asset monitoring method and device
CN114124475A (en) * 2021-11-05 2022-03-01 武汉思普崚技术有限公司 Network asset port scanning and service identification method and device
CN115277826A (en) * 2022-05-23 2022-11-01 深圳铸泰科技有限公司 Discovery method and system of Internet of things equipment
CN116225829A (en) * 2022-12-14 2023-06-06 智网安云(武汉)信息技术有限公司 Network asset information monitoring method, device and storage device
CN116225829B (en) * 2022-12-14 2024-05-24 智网安云(武汉)信息技术有限公司 Network asset information monitoring method, device and storage device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130275574A1 (en) * 2012-04-11 2013-10-17 Mcafee, Inc. Asset detection system
CN106095954A (en) * 2016-06-14 2016-11-09 成都镜杰科技有限责任公司 Data base management method for enterprise supply chain
US20170207990A1 (en) * 2016-01-19 2017-07-20 Tektronix, Inc. Reducing an amount of captured network traffic data to analyze
CN107579876A (en) * 2017-09-15 2018-01-12 ***通信集团广东有限公司 A kind of automatic detection analysis method and device of assets increment
CN108712396A (en) * 2018-04-27 2018-10-26 广东省信息安全测评中心 Networked asset management and loophole governing system
CN108810034A (en) * 2018-08-20 2018-11-13 杭州安恒信息技术股份有限公司 A kind of safety protecting method of industrial control system information assets
CN109040037A (en) * 2018-07-20 2018-12-18 南京方恒信息技术有限公司 A kind of safety auditing system based on strategy and rule

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191008