CN112995207A - Fingerprint identification and exposed surface risk assessment method for network assets - Google Patents


Info

Publication number
CN112995207A
Authority
CN
China
Prior art keywords
fingerprint
network asset
identification
fingerprints
network
Legal status
Granted (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Application number
CN202110410865.5A
Other languages
Chinese (zh)
Other versions
CN112995207B (en)
Inventor
王照旗
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Webray Beijing Network Safety Technology Co ltd
Original Assignee
Webray Beijing Network Safety Technology Co ltd
Application filed by Webray Beijing Network Safety Technology Co ltd
Priority to CN202110410865.5A
Publication of CN112995207A
Application granted
Publication of CN112995207B
Legal status: Active (current)

Classifications

    • H04L63/1433 Vulnerability analysis (H04L63/14: network architectures or network communication protocols for detecting or protecting against malicious traffic; H04L63/00: network security)
    • G06F16/2291 User-defined types; storage management thereof (G06F16/22: indexing, data structures and storage structures for structured data)
    • G06F16/282 Hierarchical databases, e.g. IMS, LDAP data stores or Lotus Notes (G06F16/28: databases characterised by their database models)
    • H04L69/16 Implementation or adaptation of Internet Protocol [IP], Transmission Control Protocol [TCP] or User Datagram Protocol [UDP] (H04L69/00: network arrangements, protocols or services independent of the application payload)
    • H04L69/329 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7] (H04L69/32: architecture of OSI 7-layer protocol stacks)


Abstract

The invention discloses a fingerprint identification and exposed-surface risk assessment method for network assets. The fingerprint identification method determines the system fingerprint of a network asset by four-stage extraction and weighting, and comprises: primary identification of the operating system of the network asset to be determined through TCP (Transmission Control Protocol) interaction; secondary identification of the operating system by analysing key characteristics of the asset's application-layer protocols; tertiary identification of the operating system by matching key protocol features of the asset against a layered fingerprint library; and quaternary identification of the operating system by associating the DPI (deep packet inspection) result with the layered fingerprint library. The layered fingerprint library stores the fingerprints of network assets in layers according to hardware fingerprints, system fingerprints, service fingerprints and application fingerprints. Because the system fingerprint is identified at several levels and the results are judged together, single-point identification is avoided and the false-alarm rate is reduced.

Description

Fingerprint identification and exposed surface risk assessment method for network assets
Technical Field
The invention relates to the technical fields of network security, services and big data, and in particular to a fingerprint identification and exposed-surface risk assessment method for network assets.
Background
With the rapid development of networks and the mobile internet, network problems emerge in endless succession; at the same time, nations attach ever greater importance to networks, and to network security in particular.
With the arrival of the 5G era and the large-scale internet, network access devices, services and applications are growing rapidly and bring highly concentrated security risks, so systematic supervision is very important as a key component of stable network operation.
Existing network asset identification methods generally suffer from single-point identification, high false-alarm rates, single fingerprints and a lack of systematisation. For example: fingerprint detection based on the NMAP mechanism relies mainly on application-characteristic identification, that is, single-point identification, and produces some misjudgements; fingerprint identification based on the DHCP protocol targets mainly intranet PCs and servers, and its false-alarm rate for system versions is high; identification of key technology fingerprint parameters based on HTTP protocol analysis targets mainly WEB fingerprints, so the fingerprint is single; and so on.
Therefore, efficiently, reliably and finely extracting and identifying network asset fingerprints, and establishing a complete asset fingerprint risk-control system, is a major challenge for today's enterprises, organisations and nations.
Disclosure of Invention
An object of the present invention is to solve at least the above problems and to provide at least the advantages described later.
Another object of the invention is to provide a fingerprint identification method based on a layered fingerprint library which, by identifying the system fingerprint of a network asset hierarchically and judging the results comprehensively, avoids single-point identification during network asset identification and reduces the false-alarm rate.
A further object of the invention is to provide a method for assessing fingerprint exposed-surface risk, implemented on the layering of fingerprints, so that the fingerprint exposure risk of network assets is assessed effectively and the asset management and control of enterprises, organisations and nations is supported.
To achieve these objects and other advantages and in accordance with the purpose of the invention, as embodied and broadly described, the present invention provides a method for fingerprint identification of a network asset, which determines the system fingerprint of the network asset by four-stage extraction and weighting, comprising:
primary identification: identifying the operating system of the network asset to be determined through TCP (Transmission Control Protocol) interaction;
secondary identification: obtaining the operating system of the network asset to be determined by analysing key characteristics of the asset's application-layer protocols;
tertiary identification: matching key protocol features of the network asset against the layered fingerprint library to obtain the operating system of the network asset to be determined;
quaternary identification: associating the DPI identification result with the layered fingerprint library for matching, to obtain the operating system of the network asset to be determined;
the layered fingerprint library being a database that stores the fingerprints of network assets in layers according to hardware fingerprints, system fingerprints, service fingerprints and application fingerprints.
Preferably, in the fingerprint identification method, in addition to determining the system fingerprint of the network asset by four-stage extraction and weighting, the hardware fingerprint, IP geographical location, service fingerprint and application fingerprint of the network asset are also identified.
Preferably, in the fingerprint identification method, the DPI identification result includes the protocol and the application type.
Preferably, in the fingerprint identification method, the development technology, component services, operating system, device distribution, device affiliation and device manufacturer of the network asset to be determined are derived from its system fingerprint, hardware fingerprint, IP geographical location, service fingerprint and application fingerprint.
A fingerprint identification system for network assets specifically comprises:
a first-level fingerprint identification unit, which performs primary identification of the operating system of the network asset to be determined through TCP protocol interaction;
a second-level fingerprint identification unit, which performs secondary identification of the operating system by analysing key characteristics of the asset's application-layer protocols;
a third-level fingerprint identification unit, which performs tertiary identification of the operating system by matching key protocol features of the network asset against the layered fingerprint library;
a fourth-level fingerprint identification unit, which performs quaternary identification of the operating system by associating the DPI identification result with the layered fingerprint library for matching;
a judging unit, which receives the identification results of the first- to fourth-level fingerprint identification units, weights them according to the fingerprint accuracy recorded in the layered fingerprint library and the similarity between the individual results, determines the final identification result and outputs it;
the layered fingerprint library being a database that stores the fingerprints of network assets in layers according to hardware fingerprints, system fingerprints, service fingerprints and application fingerprints.
Preferably, the fingerprint identification system further includes:
a hardware fingerprint extraction unit, which extracts the hardware fingerprint of the network asset;
a service fingerprint identification unit, which matches the payload and its key byte positions against the layered fingerprint library to identify the service fingerprint of the network asset;
and an application fingerprint identification unit, which matches the application type of the network asset against the layered fingerprint library to identify the application fingerprint of the network asset.
Preferably, in the fingerprint identification system, the DPI identification result includes the protocol and the application type.
Preferably, in the fingerprint identification system, the development technology, component services, operating system, device distribution, device affiliation and device vendor of the network asset to be determined are derived from its system fingerprint, hardware fingerprint, service fingerprint and application fingerprint.
A method for assessing the fingerprint exposed-surface risk of a network asset first determines the exposure risk index of each fingerprint layer according to the composition type of the fingerprints of the network asset to be evaluated, then combines the exposure risk indices of the layers into a comprehensive risk index, and uses that comprehensive risk index to evaluate the fingerprint exposure risk of the asset. Specifically, it comprises the following steps:
determining a basic fingerprint exposure risk index of the network asset to be evaluated according to its fingerprint type and fingerprint data;
determining a hardware fingerprint exposure risk index, based on vulnerability risk level, by associating and matching the hardware fingerprint of the network asset with major vulnerabilities;
determining a system fingerprint exposure risk index, based on vulnerability risk level, by associating and matching the system fingerprint of the network asset with major vulnerabilities;
determining a service fingerprint exposure risk index, based on vulnerability risk level, by associating and matching the service fingerprint of the network asset with major vulnerabilities;
determining an application fingerprint exposure risk index, based on vulnerability risk level, by associating and matching the application fingerprint of the network asset with major vulnerabilities;
combining the basic, hardware, system, service and application fingerprint exposure indices of the network asset into a comprehensive risk index;
and evaluating the fingerprint exposed-surface risk of the network asset using the comprehensive risk index.
The invention has at least the following beneficial effects:
the network asset fingerprint identification method is implemented on the layered fingerprint library; by identifying the system fingerprint of a network asset hierarchically and judging the results comprehensively, it avoids single-point identification during network asset identification and reduces the false-alarm rate;
the fingerprint exposed-surface risk assessment method is implemented on the layering of fingerprints, so that the fingerprint exposure risk of network assets is assessed effectively and the asset management and control of enterprises, organisations and nations is supported.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention.
Drawings
FIG. 1 is a flow chart of the method of fingerprint identification of a network asset according to the present invention;
FIG. 2 is a diagram of the framework for constructing the layered fingerprint library;
FIG. 3 is a block diagram of the framework of the fingerprint identification system for network assets according to the present invention.
Detailed Description
The present invention is described in further detail below with reference to the attached drawings, so that those skilled in the art can implement it by referring to the description.
It should be understood that terms such as "having," "including," and "comprising," as used herein, do not preclude the presence or addition of one or more other elements or groups thereof, and that various approximations, non-ideal modifications, or changes in the configuration of non-critical elements are within the scope of the present application.
As shown in FIG. 1 and FIG. 2, the present invention provides a method for fingerprint identification of a network asset, which determines the system fingerprint of the network asset by four-stage extraction and weighting, and specifically comprises:
primary identification: identifying the operating system of the network asset to be determined through TCP (Transmission Control Protocol) interaction;
secondary identification: obtaining the operating system of the network asset to be determined by analysing key characteristics of the asset's application-layer protocols;
tertiary identification: matching key protocol features of the network asset against the layered fingerprint library to obtain the operating system of the network asset to be determined;
quaternary identification: associating the DPI identification result with the layered fingerprint library for matching, to obtain the operating system of the network asset to be determined;
the layered fingerprint library being a database that stores the fingerprints of network assets in layers according to hardware fingerprints, system fingerprints, service fingerprints and application fingerprints.
In the above scheme, the fingerprint of a network asset usually comprises a hardware fingerprint belonging to the data link layer, a system fingerprint belonging to the TCP layer, and a service fingerprint and an application fingerprint belonging to the application layer. The fingerprint of a network asset can therefore be expressed hierarchically according to the composition type of its fingerprints: expressing the fingerprints of each asset in layers (hardware fingerprint, system fingerprint, service fingerprint, application fingerprint) forms a fingerprint hierarchy model for that asset, and storing these models centrally forms the layered fingerprint library.
The method identifies network asset fingerprints on the basis of a layered fingerprint library accumulated over a long period: the system fingerprint of the asset is identified in four stages, and the final system fingerprint is determined by weighting the results of all stages. This realises multi-point identification and comprehensive judgement of the system fingerprint, so the extracted fingerprint is more accurate and more reliable.
Specifically: the primary identification identifies the operating system of the network asset to be determined through TCP protocol interaction; the secondary identification uses the protocol type identified by DPI to identify the operating system from the concrete protocol content; the tertiary identification matches key protocol features of the asset against the layered fingerprint library to obtain the operating system; the quaternary identification then matches the DPI identification result against the layered fingerprint library to obtain the operating system; and finally the operating systems returned by the four levels of identification are weighted and analysed to decide the final operating system of the asset. Combining multi-point identification with the layered fingerprint library thus identifies the asset fingerprint accurately, predicts information such as the development technology, component services and operating system of the asset effectively, and facilitates the identification and management of network assets.
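As an added worked example (not code from the patent or from Webray), the following Python sketch shows how the four stages and the weighted judgement described above can be combined. The per-stage accuracies, the TCP-stack table, the banner patterns, the DPI associations and the two sample observations are all constructed for illustration; a real layered fingerprint library is accumulated from verified results and is far larger. Each stage returns its own guess with a local confidence, and the judgement scores every candidate by each result's stage accuracy, confidence and string similarity to the candidate, so agreeing stages reinforce one another and one discordant stage cannot decide the outcome on its own.

```python
"""Four-stage OS identification with weighted fusion (added example).
Every table below is a constructed, hypothetical slice of a layered
fingerprint library, not data from the patent."""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional


@dataclass(frozen=True)
class StageResult:
    stage: int          # 1 = TCP stack, 2 = app-layer features, 3 = library, 4 = DPI
    os_guess: str
    confidence: float   # stage-local match quality in [0, 1]


# Hypothetical per-stage fingerprint accuracy kept alongside the library.
STAGE_ACCURACY = {1: 0.70, 2: 0.80, 3: 0.85, 4: 0.90}

# Stage 1: (initial TTL, TCP window) seen in the SYN-ACK -> OS family.
TCP_STACK_TABLE = {
    (64, 29200): "Linux", (64, 5840): "Linux", (64, 65535): "FreeBSD",
    (128, 8192): "Windows", (128, 65535): "Windows",
}
# Stage 3: key protocol features (banner tokens) -> OS, from the system layer.
SYSTEM_PATTERNS = [
    (re.compile(r"\bUbuntu\b", re.I), "Linux Ubuntu"),
    (re.compile(r"\bDebian\b", re.I), "Linux Debian"),
    (re.compile(r"Microsoft-IIS|\(Win(32|64)\)", re.I), "Windows"),
    (re.compile(r"\bFreeBSD\b", re.I), "FreeBSD"),
]
# Stage 4: DPI result (protocol, application type) -> associated OS.
DPI_ASSOCIATION = {
    ("SMB", "file-sharing"): "Windows",
    ("SSH", "remote-shell"): "Linux",
}


def initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value,
    undoing the decrement applied by each router hop on the path."""
    return next(t for t in (32, 64, 128, 255) if observed_ttl <= t)


def stage1_tcp(ttl: int, window: int) -> Optional[StageResult]:
    os_name = TCP_STACK_TABLE.get((initial_ttl(ttl), window))
    return StageResult(1, os_name, 0.6) if os_name else None


def stage2_app_layer(banner: str) -> Optional[StageResult]:
    # OpenSSH on Debian/Ubuntu appends the distribution name to its banner.
    m = re.search(r"OpenSSH_[\w.]+ (\w+)", banner)
    if m:
        return StageResult(2, f"Linux {m.group(1)}", 0.8)
    if "Microsoft" in banner:
        return StageResult(2, "Windows", 0.8)
    return None


def stage3_library(banner: str) -> Optional[StageResult]:
    for pattern, os_name in SYSTEM_PATTERNS:
        if pattern.search(banner):
            return StageResult(3, os_name, 0.9)
    return None


def stage4_dpi(protocol: str, app_type: str) -> Optional[StageResult]:
    os_name = DPI_ASSOCIATION.get((protocol, app_type))
    return StageResult(4, os_name, 0.7) if os_name else None


def similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def fuse(results):
    """Score each candidate OS by every stage result, weighted by that
    stage's library accuracy, its own confidence and how similar its
    guess is to the candidate; the best-scoring candidate wins."""
    results = [r for r in results if r is not None]
    if not results:
        return None, {}
    scores = {
        cand: sum(STAGE_ACCURACY[r.stage] * r.confidence * similarity(cand, r.os_guess)
                  for r in results)
        for cand in {r.os_guess for r in results}
    }
    return max(scores, key=scores.get), scores


def identify(obs: dict):
    results = [
        stage1_tcp(obs["ttl"], obs["window"]),
        stage2_app_layer(obs["banner"]),
        stage3_library(obs["banner"]),
        stage4_dpi(obs["protocol"], obs["app_type"]),
    ]
    return fuse(results)


# Constructed observations. TTL 52 is initial 64 minus 12 hops; in the
# second case a middlebox with a Windows-like stack answered the TCP probe.
SAMPLE_OBS = {"ttl": 52, "window": 29200,
              "banner": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5",
              "protocol": "SSH", "app_type": "remote-shell"}
SAMPLE_OBS_CONFLICT = dict(SAMPLE_OBS, ttl=116, window=8192)

if __name__ == "__main__":
    for obs in (SAMPLE_OBS, SAMPLE_OBS_CONFLICT):
        best, scores = identify(obs)
        print(best, {k: round(v, 3) for k, v in scores.items()})
```

Two caveats a practitioner would add. The stage-1 result describes whichever TCP/IP stack answered, so a NAT gateway, load balancer or TLS terminator in front of the asset reports the middlebox rather than the asset; the second sample shows the three agreeing stages outweighing that single discordant one, which is the point of the weighting. Banners are trivially spoofable, so the stage-2 and stage-3 confidences should be tied to how often the library has seen that banner confirmed, not fixed as they are here.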
In a preferred scheme, in addition to determining the system fingerprint of the network asset by four-stage extraction and weighting, the hardware fingerprint, IP geographical location, service fingerprint and application fingerprint of the network asset are also identified.
In this scheme, the hardware fingerprint is a MAC fingerprint, which identifies the manufacturer of the network asset through the MAC (OUI) library; the IP geographical location enriches the expression of the asset's IP attributes; the system fingerprint is produced from TCP-layer information and covers operating systems such as Windows and its versions, Linux and its versions, and others; the service fingerprint is produced from the payload and covers services such as Nginx, Apache and FTP; and the application fingerprint describes the application itself: for example, if an FTP application runs on an FTP service, the application has FTP-upload and FTP-download characteristics, and those characteristics are recorded as its application fingerprint. Extracting the hardware fingerprint, IP geographical location, system fingerprint, service fingerprint and application fingerprint of a network asset therefore improves the completeness of the asset fingerprint and makes it convenient to express the asset comprehensively.
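To make the four layers concrete, here is an added Python example (not from the patent or from Webray) that builds a layered fingerprint record from raw observations: the MAC address gives the hardware layer through an OUI lookup, the operating system decided by the four-stage method fills the system layer, captured payloads are matched by key bytes or banner patterns to give the service layer, and the service together with the observed operations gives the application layer (the FTP upload/download characteristics mentioned above, and the web development technology leaked by an X-Powered-By header). The OUI table, the signatures and the sample payloads are constructed.

```python
"""Building a layered (hardware / system / service / application)
fingerprint record from raw observations (added example). All tables
and sample payloads are constructed; a real library is far larger."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hardware layer: MAC OUI prefix -> manufacturer (hypothetical slice of
# the IEEE OUI registry).
OUI_VENDORS = {"00:50:56": "VMware", "B8:27:EB": "Raspberry Pi Foundation",
               "00:1C:42": "Parallels"}

# Service layer: (name, key bytes at a fixed offset for binary protocols,
# regex over the payload for text banners with an optional version group).
SERVICE_SIGNATURES = [
    ("nginx",  None,             re.compile(rb"\r\nServer: nginx/?([\d.]*)")),
    ("apache", None,             re.compile(rb"\r\nServer: Apache/?([\d.]*)")),
    ("ftp",    None,             re.compile(rb"^220[ -].*?FTP", re.I | re.S)),
    ("tls",    (0, b"\x16\x03"), None),    # TLS record header, handshake type
    ("smb",    (4, b"\xfeSMB"),  None),    # SMB2 header after NetBIOS length
    ("smb",    (4, b"\xffSMB"),  None),    # SMB1 header
]


@dataclass
class AssetFingerprint:
    hardware: Dict[str, str] = field(default_factory=dict)
    system: Dict[str, str] = field(default_factory=dict)
    service: Dict[str, Optional[str]] = field(default_factory=dict)
    application: Dict[str, dict] = field(default_factory=dict)


def hardware_fingerprint(mac: str) -> Dict[str, str]:
    oui = mac.upper().replace("-", ":")[:8]
    return {"mac": mac, "vendor": OUI_VENDORS.get(oui, "unknown")}


def service_fingerprint(payloads: List[bytes]) -> Dict[str, Optional[str]]:
    """Match each captured payload against key bytes or banner regexes;
    the value is the version when the banner carries one, else None."""
    found: Dict[str, Optional[str]] = {}
    for payload in payloads:
        for name, key, pattern in SERVICE_SIGNATURES:
            if key is not None:
                offset, magic = key
                if payload[offset:offset + len(magic)] == magic:
                    found.setdefault(name, None)
            elif pattern is not None:
                m = pattern.search(payload)
                if m:
                    version = m.group(1).decode() if m.groups() and m.group(1) else None
                    found[name] = version
    return found


def application_fingerprint(services, payloads, commands) -> Dict[str, dict]:
    """Describe the application running on each identified service."""
    apps = {}
    if "nginx" in services or "apache" in services:
        tech = None
        for p in payloads:   # development technology leaked by the web app
            m = re.search(rb"\r\nX-Powered-By: ([^\r\n]+)", p)
            if m:
                tech = m.group(1).decode()
        apps["web"] = {"technology": tech}
    if "ftp" in services:   # FTP application: upload/download characteristics
        apps["ftp"] = {"upload": any(c.startswith(b"STOR") for c in commands),
                       "download": any(c.startswith(b"RETR") for c in commands)}
    return apps


def build_fingerprint(mac, os_name, payloads, commands) -> AssetFingerprint:
    fp = AssetFingerprint()
    fp.hardware = hardware_fingerprint(mac)
    fp.system = {"os": os_name}      # result of the four-stage identification
    fp.service = service_fingerprint(payloads)
    fp.application = application_fingerprint(fp.service, payloads, commands)
    return fp


# Constructed observations for one host.
SAMPLE_PAYLOADS = [
    b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nX-Powered-By: PHP/7.4.3\r\n\r\n",
    b"220 (vsFTPd 3.0.3)\r\n",
    b"\x16\x03\x01\x00\x2a\x02\x00\x00\x26\x03\x03",
]
SAMPLE_COMMANDS = [b"USER anonymous", b"STOR upload.bin", b"RETR report.pdf"]

if __name__ == "__main__":
    print(build_fingerprint("00:50:56:ab:cd:ef", "Linux Ubuntu",
                            SAMPLE_PAYLOADS, SAMPLE_COMMANDS))
```

The key-byte signatures (TLS record header; SMB header at offset 4, after the NetBIOS session length) are the "key byte positions" a service fingerprint unit matches on binary protocols, where there is no textual banner. Text banners carry versions but are under the operator's control and can be removed or faked, so a service fingerprint without a version is kept rather than discarded.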
In a preferred embodiment, the DPI identification result includes the protocol and the application type.
In this scheme, DPI identifies the protocol and the application type of the network asset.
In a preferred scheme, the development technology, component services, operating system, device distribution, device affiliation and device manufacturer of the network asset to be determined are derived from its system fingerprint, hardware fingerprint, IP geographical location, service fingerprint and application fingerprint.
As shown in FIG. 3, a fingerprint identification system for network assets specifically comprises:
a first-level fingerprint identification unit, which performs primary identification of the operating system of the network asset to be determined through TCP protocol interaction;
a second-level fingerprint identification unit, which performs secondary identification of the operating system by analysing key characteristics of the asset's application-layer protocols;
a third-level fingerprint identification unit, which performs tertiary identification of the operating system by matching key protocol features of the network asset against the layered fingerprint library;
a fourth-level fingerprint identification unit, which performs quaternary identification of the operating system by associating the DPI identification result with the layered fingerprint library for matching;
a judging unit, which receives the identification results of the first- to fourth-level fingerprint identification units, weights them according to the fingerprint accuracy recorded in the layered fingerprint library and the similarity between the individual results, determines the final identification result and outputs it;
the layered fingerprint library being a database that stores the fingerprints of network assets in layers according to hardware fingerprints, system fingerprints, service fingerprints and application fingerprints.
In this scheme, the network asset fingerprint identification system, built on a layered fingerprint library accumulated over a long period, identifies the system fingerprint of a network asset at four levels and weights the results of all levels to determine the final system fingerprint. This realises multi-point identification and comprehensive judgement of the system fingerprint, so the extracted fingerprint is more accurate and more reliable.
Specifically: the first-level fingerprint identification unit identifies the operating system of the network asset to be determined through TCP protocol interaction; the second-level unit identifies the operating system from the concrete protocol content using the protocol type identified by DPI; the third-level unit matches key protocol features of the asset against the layered fingerprint library to obtain the operating system; the fourth-level unit then matches the DPI identification result against the layered fingerprint library to obtain the operating system; and finally the judging unit decides the final operating system of the asset by weighting the operating systems identified by the four units and measuring their credibility. In this way information such as the component services and operating system of network assets is predicted effectively, and the identification and management of network assets are facilitated.
In a preferred embodiment, the system further comprises:
a hardware fingerprint extraction unit, which extracts the hardware fingerprint of the network asset;
a service fingerprint identification unit, which matches the payload and its key byte positions against the layered fingerprint library to identify the service fingerprint of the network asset;
and an application fingerprint identification unit, which matches the application type of the network asset against the layered fingerprint library to identify the application fingerprint of the network asset.
In this scheme, the hardware fingerprint, service fingerprint and application fingerprint of the network asset are extracted by the hardware fingerprint extraction unit, the service fingerprint identification unit and the application fingerprint identification unit respectively, which improves the completeness of the asset fingerprint and makes it convenient to express the asset comprehensively.
In a preferred embodiment, the DPI identification result includes the protocol and the application type.
In a preferred scheme, the development technology, component services, operating system, device distribution, device affiliation and device manufacturer of the network asset to be determined are derived from its system fingerprint, hardware fingerprint, service fingerprint and application fingerprint.
A method for assessing the fingerprint exposed-surface risk of a network asset first determines the exposure risk index of each fingerprint layer according to the composition type of the fingerprints of the network asset to be evaluated, then combines the exposure risk indices of the layers into a comprehensive risk index, and uses that comprehensive risk index to evaluate the fingerprint exposure risk of the asset. Specifically, it comprises the following steps:
determining a basic fingerprint exposure risk index of the network asset to be evaluated according to its fingerprint type and fingerprint data;
determining a hardware fingerprint exposure risk index, based on vulnerability risk level, by associating and matching the hardware fingerprint of the network asset with major vulnerabilities;
determining a system fingerprint exposure risk index, based on vulnerability risk level, by associating and matching the system fingerprint of the network asset with major vulnerabilities;
determining a service fingerprint exposure risk index, based on vulnerability risk level, by associating and matching the service fingerprint of the network asset with major vulnerabilities;
determining an application fingerprint exposure risk index, based on vulnerability risk level, by associating and matching the application fingerprint of the network asset with major vulnerabilities;
combining the basic, hardware, system, service and application fingerprint exposure indices of the network asset into a comprehensive risk index;
and evaluating the fingerprint exposure risk of the network asset using the comprehensive risk index.
In this scheme, the fingerprint exposure risk of network assets is assessed effectively on the basis of the layering of fingerprints: an effective asset fingerprint risk assessment system is established, the fingerprint exposure risk situation is evaluated, and the asset management and control of enterprises, organisations and nations is supported.
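The following added Python example (not from the patent or from Webray) carries the assessment steps above through on a constructed layered fingerprint: each layer's (product, version) pairs are associated with a major-vulnerability library by product and affected version range, the layer index is derived from the risk levels of the matched vulnerabilities, a basic index is derived from how many layers expose any fingerprint at all, and the five indices are combined with fixed weights into the comprehensive index. The vulnerability identifiers (HYP-*), version thresholds, level scores and layer weights are all hypothetical; none of them refers to a real advisory.

```python
"""Exposed-surface risk assessment over a layered fingerprint (added
example). HYP-* identifiers, thresholds and weights are constructed
for illustration and are not real advisories."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

LAYERS = ("hardware", "system", "service", "application")
RISK_LEVEL_SCORE = {"critical": 1.0, "high": 0.7, "medium": 0.4, "low": 0.1}
# Weights combining the per-layer indices into the comprehensive index.
LAYER_WEIGHT = {"basic": 0.10, "hardware": 0.15, "system": 0.25,
                "service": 0.30, "application": 0.20}


@dataclass(frozen=True)
class MajorVuln:
    vid: str                        # hypothetical identifier, not a CVE
    layer: str
    product: str
    affected_below: Optional[str]   # versions strictly below are affected; None = all
    level: str


VULN_LIBRARY = [
    MajorVuln("HYP-0001", "service", "nginx", "1.20.1", "high"),
    MajorVuln("HYP-0002", "system", "Linux", "5.10", "medium"),
    MajorVuln("HYP-0003", "application", "PHP", "7.4.5", "critical"),
    MajorVuln("HYP-0004", "hardware", "VMware", None, "low"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in re.findall(r"\d+", v))


def match_vulns(layer: str, items: Iterable[Tuple[str, Optional[str]]]) -> List[MajorVuln]:
    """Associate one layer's (product, version) pairs with the major-
    vulnerability library. An unknown version is counted as affected,
    the conservative choice for an exposure estimate."""
    hits = []
    for product, version in items:
        for v in VULN_LIBRARY:
            if v.layer != layer or v.product.lower() != product.lower():
                continue
            if (v.affected_below is None or version is None
                    or parse_version(version) < parse_version(v.affected_below)):
                hits.append(v)
    return hits


def layer_index(hits: List[MajorVuln]) -> float:
    """The most severe match dominates; further matches add a small tail."""
    if not hits:
        return 0.0
    scores = sorted((RISK_LEVEL_SCORE[v.level] for v in hits), reverse=True)
    return min(1.0, scores[0] + 0.1 * sum(scores[1:]))


def basic_index(fingerprint: Dict[str, list]) -> float:
    """Basic exposure from fingerprint type and data alone: the share of
    the four layers for which the asset leaks any fingerprint."""
    return sum(1 for layer in LAYERS if fingerprint.get(layer)) / len(LAYERS)


def assess(fingerprint: Dict[str, list]):
    indices = {"basic": basic_index(fingerprint)}
    for layer in LAYERS:
        indices[layer] = layer_index(match_vulns(layer, fingerprint.get(layer, [])))
    composite = sum(LAYER_WEIGHT[k] * indices[k] for k in indices)
    return round(composite, 6), indices


# Constructed layered fingerprint of one host: (product, version) per layer.
SAMPLE_FINGERPRINT = {
    "hardware": [("VMware", None)],
    "system": [("Linux", "5.4")],
    "service": [("nginx", "1.18.0"), ("vsftpd", "3.0.3")],
    "application": [("PHP", "7.4.3")],
}

if __name__ == "__main__":
    composite, indices = assess(SAMPLE_FINGERPRINT)
    print(composite, indices)
```

The association step is where this kind of scoring goes wrong in practice: distributions backport fixes without changing the advertised version, so version-range matching overstates exposure, and an unknown version is counted as affected here on purpose. The comprehensive index is a prioritisation signal for the exposed surface, not evidence that any matched vulnerability is exploitable on the asset.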
Although embodiments of the invention have been described above, the invention is not limited to the applications set forth in the description and the embodiments; it is fully applicable in the various fields to which it pertains, and further modifications may readily be made by those skilled in the art. It should therefore be understood that the invention is not limited to the details shown and described herein, without departing from the general concept defined by the appended claims and their equivalents.

Claims (9)

1. A fingerprint identification method for network assets, characterized in that the system fingerprint of a network asset is determined by four-level extraction and weighting, specifically comprising the following steps:
first-level identification: identifying the operating system of the network asset to be determined through TCP (Transmission Control Protocol) interaction;
second-level identification: obtaining the operating system of the network asset to be determined by analyzing key characteristics of the application layer protocol of the network asset;
third-level identification: matching key features of a protocol of the network asset against the layered fingerprint library to obtain the operating system of the network asset to be determined;
fourth-level identification: matching the identification result of DPI (deep packet inspection) against the layered fingerprint library by association to obtain the operating system of the network asset to be determined;
wherein the layered fingerprint library is a database that stores the fingerprints of network assets in layers according to hardware fingerprints, system fingerprints, service fingerprints and application fingerprints.
2. The method of claim 1, wherein the hardware fingerprint, the IP geolocation, the service fingerprint, and the application fingerprint of the network asset are identified in addition to the system fingerprint of the network asset being determined in a four-level extraction and weighting manner.
3. The method of fingerprinting a network asset according to claim 1, wherein the identification result of the DPI comprises: protocol and application type.
4. The method of claim 2, wherein the system fingerprint, the hardware fingerprint, the IP geographical location, the service fingerprint, and the application fingerprint of the network asset to be determined are used to obtain the development technology, the component service, the operating system, the device distribution, the device affiliation, and the device vendor information of the network asset to be determined.
5. A system for fingerprinting a network asset, comprising:
the first-level fingerprint identification unit is used for performing first-level identification on an operating system of the network asset to be determined through TCP protocol interaction;
the secondary fingerprint identification unit is used for carrying out secondary identification on the operating system of the network asset to be determined through analyzing the key characteristics of the application layer protocol of the network asset;
the three-level fingerprint identification unit is used for carrying out three-level identification on the operating system of the network asset to be determined by matching key features of a protocol of the network asset with the layered fingerprint database;
the four-level fingerprint identification unit is used for associating the layered fingerprint library for matching according to the identification result of the DPI and carrying out four-level identification on the operating system of the network asset to be determined;
a judging unit that receives the identification results output respectively by the first-level to fourth-level fingerprint identification units, weights them according to the fingerprint accuracy recorded in the layered fingerprint library and the similarity of the identification results to each other, determines the final identification result and outputs it;
wherein the layered fingerprint library is a database that stores the fingerprints of network assets in layers according to hardware fingerprints, system fingerprints, service fingerprints and application fingerprints.
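Claim 5 leaves the judging unit's weighting unspecified. The following is an added example, not code from the patent or its assignee, showing one way such a judging unit could combine the four levels' results: each result is weighted by its matcher's confidence, by the accuracy recorded for the matched library fingerprint, and by how many other levels agree with it, and the decision falls back to "unknown" when the weighted evidence is too split. The formula, the `min_share` threshold and the sample results are assumptions constructed for illustration.

```python
"""Weighted fusion of the four identification levels (added example).

Claim 5 describes a judging unit that receives one operating-system result
from each of the four identification levels, weights them by the fingerprint
accuracy recorded in the layered fingerprint library and by the similarity of
the results to each other, and outputs a final result. The patent gives no
formula, so the weighting below is an assumption chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LevelResult:
    level: str               # which identification level produced this result
    os_guess: str            # operating system the level reported
    match_confidence: float  # 0..1 confidence of that level's own matcher
    library_accuracy: float  # 0..1 accuracy recorded for the matched library fingerprint


def os_family(os_guess: str) -> str:
    """Coarse family used to judge whether two results agree ('Linux 4.x' -> 'linux')."""
    return os_guess.split()[0].lower()


def similarity_weight(result: LevelResult, results: List[LevelResult]) -> float:
    """Fraction of the other levels whose result falls in the same OS family.

    Uses (1 + agreeing) / (1 + others) so a result nobody corroborates still
    keeps a small weight instead of being discarded outright.
    """
    others = [r for r in results if r is not result]
    if not others:
        return 1.0
    agreeing = sum(1 for r in others if os_family(r.os_guess) == os_family(result.os_guess))
    return (1 + agreeing) / (1 + len(others))


def fuse(results: List[LevelResult]) -> Tuple[Optional[str], float, Dict[str, float]]:
    """Score every reported OS and return (best_guess, best_share, all_scores).

    best_share is the winner's fraction of the total score, i.e. how much of
    the weighted evidence points the same way; callers can threshold on it.
    """
    scores: Dict[str, float] = defaultdict(float)
    for r in results:
        scores[r.os_guess] += r.match_confidence * r.library_accuracy * similarity_weight(r, results)
    if not scores:
        return None, 0.0, {}
    best = max(scores, key=scores.get)
    return best, scores[best] / sum(scores.values()), dict(scores)


def identify(results: List[LevelResult], min_share: float = 0.5) -> str:
    """Final decision of the judging unit: the winner, or 'unknown' when the levels disagree too much."""
    best, share, _ = fuse(results)
    if best is None or share < min_share:
        return "unknown"
    return best


# Constructed sample: what the four levels might report for one asset (not real scan data).
SAMPLE_RESULTS = [
    LevelResult("tcp_interaction", "Linux 4.x", 0.6, 0.80),
    LevelResult("app_protocol", "Linux 5.x", 0.7, 0.70),
    LevelResult("library_match", "Linux 4.x", 0.9, 0.95),
    LevelResult("dpi", "Windows 10", 0.5, 0.60),
]

if __name__ == "__main__":
    best, share, scores = fuse(SAMPLE_RESULTS)
    for os_name, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{os_name:12s} {score:.3f}")
    print("final:", identify(SAMPLE_RESULTS), f"({share:.0%} of weighted evidence)")
```

On the constructed sample the two Linux 4.x results reinforce each other while the lone Windows 10 result from DPI is down-weighted by its lack of corroboration; raising `min_share` makes the unit refuse to commit rather than pick a winner on thin agreement, which is the behaviour an asset inventory usually wants.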
6. The system for fingerprinting a network asset as recited in claim 5, further comprising:
a hardware fingerprint extraction unit that extracts the hardware fingerprint of the network asset;
a service fingerprint identification unit that matches the payload and its key bit data against the layered fingerprint library to identify the service fingerprint of the network asset;
and an application fingerprint identification unit that matches the application type of the network asset against the layered fingerprint library to identify the application fingerprint of the network asset.
7. The system for fingerprinting a network asset according to claim 5, wherein the identification result of the DPI comprises: protocol and application type.
8. The system for fingerprinting of a network asset as claimed in claim 6, characterized in that the development technique, component services, operating system, device distribution, device attribution, and device vendor information of the network asset to be determined are derived from the system fingerprint, hardware fingerprint, service fingerprint, and application fingerprint of the network asset to be determined.
9. A method for evaluating fingerprint exposure surface risk, applied to the fingerprint identification system for network assets according to any one of claims 5-8, characterized in that, after the exposure risk indexes of the fingerprints of each layer are determined hierarchically according to the composition type of the fingerprint of the network asset to be evaluated, a comprehensive risk index is obtained by comprehensively evaluating the exposure risk indexes of the fingerprints of each layer, and the comprehensive risk index is used to evaluate the fingerprint exposure risk of the network asset to be evaluated, specifically comprising the following steps:
determining a basic fingerprint exposure risk index of the network asset to be evaluated according to the fingerprint type and the fingerprint data of the network asset to be evaluated;
determining a hardware fingerprint exposure risk index of the network asset to be evaluated based on a vulnerability risk level by associating and matching the hardware fingerprint of the network asset to be evaluated with a major vulnerability;
determining a system fingerprint exposure risk index of the network asset to be evaluated based on a vulnerability risk level by associating and matching the system fingerprint of the network asset to be evaluated with a major vulnerability;
determining a service fingerprint exposure risk index of the network asset to be evaluated based on a vulnerability risk level by associating and matching the service fingerprint of the network asset to be evaluated with a major vulnerability;
determining an application fingerprint exposure risk index of the network asset to be evaluated based on a vulnerability risk level by associating and matching the application fingerprints of the network asset to be evaluated with major vulnerabilities;
comprehensively evaluating the basic, hardware, system, service and application fingerprint exposure indexes of the network asset to be evaluated to obtain a comprehensive risk index;
and evaluating the fingerprint exposure surface risk of the network asset to be evaluated by utilizing the comprehensive risk index.
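Both the description above and claim 9 describe the same layered scoring procedure without fixing any numbers. The following is an added example, not the patent's or its assignee's code, that carries the procedure through once: a basic index from how many fingerprint layers are exposed at all, one index per hardware, system, service and application layer taken from the risk level of the major vulnerabilities associated with that layer's fingerprints, and a weighted comprehensive index mapped to a reporting band. The risk-level ordering, the weights, the band thresholds, the `VULN-PLACEHOLDER-*` identifiers and the sample asset are all assumptions constructed for illustration.

```python
"""Layered fingerprint exposure risk index (added example, not the patent's code).

Claim 9 derives one exposure risk index per fingerprint layer and combines
them into a comprehensive risk index. The patent names the layers and says
the hardware/system/service/application indices follow the risk level of the
major vulnerabilities each fingerprint is associated with, but gives no
formulas; every number below (level ordering, weights, bands) and the
vulnerability association table are assumptions constructed for illustration.
"""
from typing import Dict, List, Tuple

RISK_LEVEL = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed ordering
LAYERS = ("hardware", "system", "service", "application")
WEIGHTS = {"basic": 0.10, "hardware": 0.20, "system": 0.25, "service": 0.25, "application": 0.20}

# Constructed association table: fingerprint value -> major vulnerabilities (id placeholder, risk level).
MAJOR_VULNS: Dict[str, List[Tuple[str, str]]] = {
    "ExampleRouter-1000": [("VULN-PLACEHOLDER-1", "high")],
    "Linux 4.x": [("VULN-PLACEHOLDER-2", "medium")],
    "ssh 7.4": [("VULN-PLACEHOLDER-3", "medium"), ("VULN-PLACEHOLDER-4", "high")],
    "ExampleCMS 2.1": [("VULN-PLACEHOLDER-5", "critical")],
}

Asset = Dict[str, List[str]]  # layer name -> fingerprints identified on that layer


def basic_index(asset: Asset) -> float:
    """Basic exposure: how many of the four layers reveal any fingerprint at all (0..1)."""
    return sum(1 for layer in LAYERS if asset.get(layer)) / len(LAYERS)


def layer_index(asset: Asset, layer: str, vulns: Dict[str, List[Tuple[str, str]]]) -> float:
    """Worst associated major-vulnerability level on this layer, normalised to 0..1."""
    worst = 0
    for fingerprint in asset.get(layer, []):
        for _vuln_id, level in vulns.get(fingerprint, []):
            worst = max(worst, RISK_LEVEL[level])
    return worst / max(RISK_LEVEL.values())


def comprehensive_index(asset: Asset, vulns=MAJOR_VULNS, weights=WEIGHTS) -> Tuple[float, Dict[str, float]]:
    """Weighted mean of the basic index and the four layer indices, plus the per-layer breakdown."""
    indices = {"basic": basic_index(asset)}
    for layer in LAYERS:
        indices[layer] = layer_index(asset, layer, vulns)
    total = sum(weights[name] * value for name, value in indices.items())
    return round(total / sum(weights.values()), 4), indices


def risk_band(index: float) -> str:
    """Map the comprehensive index to a reporting band (assumed thresholds)."""
    for threshold, band in ((0.75, "critical"), (0.5, "high"), (0.25, "medium")):
        if index >= threshold:
            return band
    return "low"


# Constructed asset record, shaped like what the identification system would emit.
SAMPLE_ASSET: Asset = {
    "hardware": ["ExampleRouter-1000"],
    "system": ["Linux 4.x"],
    "service": ["ssh 7.4", "http 1.1"],
    "application": ["ExampleCMS 2.1"],
}

if __name__ == "__main__":
    index, breakdown = comprehensive_index(SAMPLE_ASSET)
    for name, value in breakdown.items():
        print(f"{name:12s} {value:.2f}")
    print("comprehensive:", index, risk_band(index))
```

Keeping the per-layer breakdown alongside the single comprehensive index is deliberate: the comprehensive number is what gets ranked across an inventory, while the breakdown tells the owner which layer (here the application fingerprint carrying a critical association) is driving the score and therefore where remediation should start. A fingerprint that is exposed but has no associated major vulnerability (the `http 1.1` service above) still counts toward the basic index but adds nothing to its layer's index.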
CN202110410865.5A 2021-04-16 2021-04-16 Fingerprint identification and exposed surface risk assessment method for network assets Active CN112995207B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110410865.5A CN112995207B (en) 2021-04-16 2021-04-16 Fingerprint identification and exposed surface risk assessment method for network assets

Publications (2)

Publication Number Publication Date
CN112995207A true CN112995207A (en) 2021-06-18
CN112995207B CN112995207B (en) 2021-09-10

Family

ID=76340804

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110410865.5A Active CN112995207B (en) 2021-04-16 2021-04-16 Fingerprint identification and exposed surface risk assessment method for network assets

Country Status (1)

Country Link
CN (1) CN112995207B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826671A (en) * 2022-03-18 2022-07-29 中国人民解放军国防科技大学 Network asset identification method and device based on fingerprint hierarchical matching
CN115242692A (en) * 2022-07-08 2022-10-25 北京华顺信安科技有限公司 Network asset custom protocol identification method, device, terminal and storage medium
CN117376037A (en) * 2023-12-08 2024-01-09 山东星维九州安全技术有限公司 Method, device and storage medium for classifying and scanning network assets

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108011893A (en) * 2017-12-26 2018-05-08 广东电网有限责任公司信息中心 A kind of asset management system based on networked asset information gathering
US20180262521A1 (en) * 2017-03-13 2018-09-13 Molbase (Shanghai) Biotechnology Co., Ltd Method for web application layer attack detection and defense based on behavior characteristic matching and analysis
CN110324310A (en) * 2019-05-21 2019-10-11 国家工业信息安全发展研究中心 Networked asset fingerprint identification method, system and equipment
CN110430191A (en) * 2019-08-06 2019-11-08 合肥优尔电子科技有限公司 Safe early warning method and device in dispatch data net based on protocol identification
CN112468360A (en) * 2020-11-13 2021-03-09 北京安信天行科技有限公司 Asset discovery identification and detection method and system based on fingerprint

Also Published As

Publication number Publication date
CN112995207B (en) 2021-09-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant