CN116455632B - Target identification method based on active and passive data fusion analysis - Google Patents

Target identification method based on active and passive data fusion analysis

Publication number: CN116455632B
Authority: CN (China)
Legal status: Active
Application number: CN202310404500.0A
Other languages: Chinese (zh)
Other versions: CN116455632A (en)
Inventors: 张玲, 卫传征, 巩克现
Current Assignee: Beijing Saibo Yian Technology Co ltd, Zhengzhou University
Original Assignee: Beijing Saibo Yian Technology Co ltd, Zhengzhou University

Abstract

The application relates to the technical field of network security and provides a target identification method based on active and passive data fusion analysis, comprising the following steps: sending detection data to a detection target; receiving response data from the target as active identification data; collecting network traffic of the detection target and performing feature analysis on it to obtain passive identification data; inputting the active identification data and the passive identification data into an active-passive fusion model for deep association fusion, and outputting a first recognition result; performing guide feature recognition on the active identification data and the passive identification data; collecting guide data to generate a second recognition result; and combining the first recognition result and the second recognition result to generate a target recognition result. The method addresses the low efficiency of active-passive cooperation that results from the simple interaction mode used when fusing active and passive detection data, and achieves efficient, process-driven and automated cooperative fusion, thereby improving the efficiency of active and passive cooperation.

Description

Target identification method based on active and passive data fusion analysis
Technical Field
The application relates to the technical field of network security, in particular to a target identification method based on active and passive data fusion analysis.
Background
Active detection is a technique that actively sends detection data to a detection target and derives information from the target's responses. Passive detection is a technique that collects the traffic of a target network and analyzes the fingerprint features in the application-layer protocol data packets in that traffic, thereby passively discovering network asset information. Combining active and passive detection is not a new idea, and successful cases exist, but earlier cases only combined the two resources manually, so the efficiency of active-passive cooperation is low.
In summary, the prior art suffers from low cooperative efficiency caused by the simple interaction mode used when fusing active and passive detection data.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a method for identifying targets based on active-passive data fusion analysis.
A target recognition method based on active-passive data fusion analysis, the method comprising: determining a detection target and sending detection data to the detection target; receiving response data of the target, and taking the response data as active identification data; collecting network traffic of the detection target, performing feature analysis on the HTTP, FTP and SMTP application-layer protocol data packets in the network traffic to obtain an analysis result, and taking the analysis result as passive identification data; inputting the active identification data and the passive identification data into an active-passive fusion model to perform deep association fusion, and outputting a first recognition result; performing guide feature recognition on the active identification data and the passive identification data respectively; collecting guide data based on the guide feature recognition result to generate a second recognition result; and generating a target recognition result of the detection target by combining the first recognition result and the second recognition result.
In one embodiment, further comprising: performing feature analysis of flow filtering conditions on the detection targets based on the active identification data; taking the feature analysis result as a passive guide feature recognition result; taking the passive guide characteristic recognition result as a filtering condition to carry out data filtering analysis; and generating a guide passive identification result, and obtaining the second identification result based on the guide passive identification result.
In one embodiment, further comprising: carrying out communication relation mining on the detection targets based on the passive identification data to obtain communication equipment; transmitting active detection data to the communication equipment, and collecting active detection information; and obtaining the second identification result according to the guiding passive identification result and the active detection information.
In one embodiment, further comprising: performing pointing characteristic recognition of the detection target based on the passive recognition data, wherein the pointing characteristic comprises URL, API and vulnerability characteristics; performing active pointing detection of the detection target according to the identified pointing characteristics; generating auxiliary active identification data based on the active pointing detection result; and obtaining the second recognition result according to the auxiliary active recognition data, the guiding passive recognition result and the active detection information.
In one embodiment, the method further comprises: obtaining attribute data and source data of the data; determining the primary-secondary relationship between the active identification data and the passive identification data according to the attribute data and the source data, and generating primary-secondary proportion values of the data; and inputting the primary-secondary proportion values together into the active-passive fusion model to perform deep association fusion, and outputting the first recognition result.
In one embodiment, further comprising: carrying out data conflict judgment through a conflict judgment module of the active and passive fusion model; when conflict data exist, carrying out reliability calculation on the data according to a reliability evaluation algorithm; performing data selection of conflict data according to the reliability calculation result; and completing the depth association fusion of the data through the data selection result.
In one embodiment, further comprising: setting an abnormality discrimination threshold; when any identification result in the first identification result and the second identification result meets the abnormality discrimination threshold, carrying out abnormality reservation of the corresponding identification result; and after carrying out anomaly verification on the anomaly retention, determining a target identification result of the detection target.
A target recognition system based on active-passive data fusion analysis, comprising:
the detection data transmission module is used for determining a detection target and transmitting detection data to the detection target;
the response data receiving module is used for receiving response data of the target and taking the response data as active identification data;
the passive data acquisition module is used for acquiring network traffic of the detection target, carrying out feature analysis on the HTTP, FTP and SMTP application-layer protocol data packets in the network traffic to obtain an analysis result, and taking the analysis result as passive identification data;
the first recognition result output module is used for inputting the active recognition data and the passive recognition data into an active and passive fusion model to perform deep association fusion and outputting a first recognition result;
the guide feature recognition module is used for respectively carrying out guide feature recognition on the active recognition data and the passive recognition data;
the second recognition result generation module is used for collecting guide data based on the guide feature recognition result and generating a second recognition result;
the target recognition result generation module is used for combining the first recognition result and the second recognition result to generate a target recognition result of the detection target.
The target identification method based on active and passive data fusion analysis addresses the low cooperative efficiency caused by the simple interaction mode used when fusing active and passive detection data. First, response data of the detection target is received as active identification data. Network traffic of the detection target is then collected, fingerprint feature analysis is performed on the HTTP, FTP and SMTP application-layer protocol data packets in the traffic, and the feature analysis result is taken as passive identification data. An active-passive fusion model is constructed, and the active identification data and the passive identification data are input into it for deep association fusion to obtain a first recognition result; because the fusion is performed by this model, when actively and passively acquired data conflict, the factors and judgment elements that affect the value of the data can be extracted and the conflicting data corrected. Guide feature recognition is performed on the active identification data and the passive identification data, and guide data is collected according to the guide feature recognition result to generate a second recognition result. Finally, the first recognition result and the second recognition result are combined to generate the target recognition result of the detection target. The method achieves efficient, process-driven and automated cooperative fusion, thereby improving the efficiency of active and passive cooperation.
The foregoing is only an overview of the present application, given so that its technical means can be understood more clearly and implemented in accordance with the description, and so that its objects, features and advantages are more readily apparent.
Drawings
FIG. 1 is a schematic flow chart of a target recognition method based on active and passive data fusion analysis;
FIG. 2 is a schematic flow chart of obtaining a second recognition result in a target recognition method based on active and passive data fusion analysis;
FIG. 3 is a schematic flow chart of outputting a first recognition result in a target recognition method based on active and passive data fusion analysis;
FIG. 4 is a schematic structural diagram of a target recognition system based on active-passive data fusion analysis.
Reference numerals illustrate: the system comprises a detection data sending module 1, a response data receiving module 2, a passive data obtaining module 3, a first identification result output module 4, a guide characteristic identification module 5, a second identification result generation module 6 and a target identification result generation module 7.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
As shown in fig. 1, the present application provides a target recognition method based on active and passive data fusion analysis, which includes:
Step S100: determining a detection target and sending detection data to the detection target;
Step S200: receiving response data of the target, and taking the response data as active identification data;
Specifically, a detection target is determined, where the detection target is a target network that requires asset discovery, and detection data packets are actively sent to the network assets of the target network. The response data packets sent by the target network are then received, and target features are extracted from the response data packets to obtain response data, which includes information such as the server's operating system, open ports and vulnerabilities; the response data is taken as active identification data. Active detection can obtain situation data such as the network assets and topology that the target network exposes on the Internet side, and the IP, ports, operating system, server components and versions of each network asset node and whether vulnerabilities exist.
Step S300: collecting network traffic of the detection target, performing feature analysis on the HTTP, FTP and SMTP application-layer protocol data packets in the network traffic to obtain an analysis result, and taking the analysis result as passive identification data;
Specifically, the network traffic of the detection target is collected, and the fingerprint features in the HTTP, FTP and SMTP application-layer protocol data packets in the traffic are analyzed. The fingerprint features include protocol features such as special fields of the banner or of IP, the TCP three-way handshake, DHCP and the like. The analysis produces analysis results, which include the IP protocol, the DHCP protocol and the like, and the analysis results are taken as passive identification data. Obtaining the passive identification data provides support for the next step, the active and passive data fusion analysis.
Step S400: inputting the active identification data and the passive identification data into an active and passive fusion model to perform depth association fusion, and outputting a first identification result;
As shown in fig. 2, in one embodiment, step S400 of the present application further includes:
Step S410: obtaining attribute data and source data of the data;
Step S420: determining the primary-secondary relationship between the active identification data and the passive identification data according to the attribute data and the source data, and generating primary-secondary proportion values of the data;
Step S430: inputting the primary-secondary proportion values together into the active-passive fusion model to perform deep association fusion, and outputting the first recognition result.
Specifically, an active-passive fusion model is constructed. The model comprises a five-layer target situation data model and a conflict judgment module; the five layers are geography, physics, logic, application and society, and the five-layer target situation data model fuses the acquired data according to the attributes of each layer. The active identification data and the passive identification data are input into the active-passive fusion model, which first extracts their attributes and sources to obtain the attribute data and source data of the data. The attributes are the target attributes of the five layers; in the application layer, for example, the target attributes include the operating system name, service name, application name, software type and so on. The source data is the data acquisition path, of which there are two: passive detection and active detection.
The primary-secondary relationship between the active identification data and the passive identification data is then determined from the attribute data and the source data: the data with higher accuracy is taken as primary data and the data with lower accuracy as secondary data. Accuracy can be judged from the historical data for each attribute and source. For example, for the service name attribute of the application layer, the historically acquired data shows that actively acquired values are more accurate than passively acquired ones. A primary-secondary proportion value is generated from the primary-secondary relationship; it is the proportion that the active identification data and the passive identification data each take in the primary relationship of the data. The primary-secondary proportion values are input together into the active-passive fusion model. Generating the primary-secondary proportion values can improve the accuracy of the data fusion result.
In one embodiment, step S430 of the present application further includes:
Step S431: carrying out data conflict judgment through a conflict judgment module of the active-passive fusion model;
Step S432: when conflict data exist, carrying out reliability calculation on the data according to a reliability evaluation algorithm;
Step S433: performing data selection of conflict data according to the reliability calculation result;
Step S434: completing the deep association fusion of the data through the data selection result.
Specifically, the conflict judgment module of the active-passive fusion model performs data conflict judgment on the active identification data and the passive identification data. Conflict data exists when the active identification data is inconsistent with the passive identification data. When conflict data exists, a reliability evaluation algorithm is constructed; it can be user-defined on the basis of indexes such as the primary-secondary proportion value, data integrity, data reliability and data relevance. The reliability of the conflict data is calculated with this algorithm to obtain a reliability calculation result. The data with the higher reliability in that result is taken as the final selection for the conflict data, the deep association fusion of the data is completed according to the selection result, and the first recognition result is output. Selecting among conflict data by the reliability calculation result yields the data of higher value when actively and passively acquired data conflict, and so corrects the conflict data.
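The primary-secondary weighting of steps S410-S430 and the conflict handling of steps S431-S434 can be sketched as follows. This is an added example, not code from the patent: the weighted-sum formula, the weights, the historical accuracy figures, the `Observation` fields and the sample records are all assumptions constructed for illustration, since the text leaves the evaluation algorithm user-defined.

```python
from dataclasses import dataclass

# Assumed weights for the four indexes the text names; the patent leaves the
# evaluation algorithm user-defined, so these numbers are illustrative only.
WEIGHTS = {"ratio": 0.4, "integrity": 0.2, "reliability": 0.2, "relevance": 0.2}

# Constructed historical accuracy per (attribute, source), used to derive the
# primary-secondary proportion values (steps S410-S420).
HISTORICAL_ACCURACY = {
    ("service_name", "active"): 0.90, ("service_name", "passive"): 0.60,
    ("os_name", "active"): 0.55, ("os_name", "passive"): 0.80,
}


@dataclass(frozen=True)
class Observation:
    attribute: str      # target attribute, e.g. application-layer "service_name"
    value: str
    source: str         # acquisition path: "active" or "passive"
    integrity: float    # 0..1, completeness of the record
    reliability: float  # 0..1, trust in the collector that produced it
    relevance: float    # 0..1, how directly the evidence concerns the target


def primary_secondary_ratio(attribute):
    """Split weight between the two sources by their historical accuracy."""
    active = HISTORICAL_ACCURACY.get((attribute, "active"), 0.5)
    passive = HISTORICAL_ACCURACY.get((attribute, "passive"), 0.5)
    total = active + passive
    if total == 0:
        return {"active": 0.5, "passive": 0.5}
    return {"active": active / total, "passive": passive / total}


def credibility(obs, ratio):
    """Weighted sum of the four indexes (the reliability calculation of S432)."""
    return (WEIGHTS["ratio"] * ratio[obs.source]
            + WEIGHTS["integrity"] * obs.integrity
            + WEIGHTS["reliability"] * obs.reliability
            + WEIGHTS["relevance"] * obs.relevance)


def fuse(observations):
    """Fuse per attribute; on conflict keep the most credible value (S431-S434)."""
    grouped = {}
    for obs in observations:
        if obs.source not in ("active", "passive"):
            raise ValueError(f"unknown source: {obs.source!r}")
        grouped.setdefault(obs.attribute, []).append(obs)

    fused = {}
    for attribute, group in grouped.items():
        ratio = primary_secondary_ratio(attribute)
        # Values that differ only in case or whitespace are not a conflict.
        distinct = {o.value.strip().lower() for o in group}
        best = max(group, key=lambda o: credibility(o, ratio))
        winner = best.value.strip().lower()
        fused[attribute] = {
            "value": best.value,
            "conflict": len(distinct) > 1,
            "sources": sorted({o.source for o in group
                               if o.value.strip().lower() == winner}),
            "credibility": round(credibility(best, ratio), 4),
            "rejected": sorted({o.value for o in group
                                if o.value.strip().lower() != winner}),
        }
    return fused


# Constructed sample data: two conflicting attributes and one agreeing one.
SAMPLE = [
    Observation("service_name", "nginx", "active", 0.9, 0.8, 0.9),
    Observation("service_name", "Apache", "passive", 0.6, 0.7, 0.8),
    Observation("os_name", "Linux", "active", 0.5, 0.5, 0.7),
    Observation("os_name", "FreeBSD", "passive", 0.9, 0.8, 0.9),
    Observation("http_port", "443", "active", 1.0, 0.9, 1.0),
    Observation("http_port", "443", "passive", 0.8, 0.8, 1.0),
]

if __name__ == "__main__":
    for attribute, record in fuse(SAMPLE).items():
        print(attribute, record)
```

Keeping the rejected value and the conflict flag in the fused record preserves the evidence for the later anomaly verification instead of silently discarding it.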
Step S500: respectively carrying out guide feature recognition on the active recognition data and the passive recognition data;
Specifically, guide feature recognition is performed on the active identification data and the passive identification data. Guide feature recognition means using passive recognition to guide and support active recognition, and using active recognition to guide and support passive recognition.
Step S600: collecting guide data based on the guide feature recognition result to generate a second recognition result;
As shown in fig. 3, in one embodiment, step S600 of the present application further includes:
Step S610: performing feature analysis of flow filtering conditions on the detection targets based on the active identification data;
Step S620: taking the feature analysis result as a passive guide feature recognition result;
Step S630: taking the passive guide feature recognition result as a filtering condition to carry out data filtering analysis;
Step S640: generating a guide passive recognition result, and obtaining the second recognition result based on the guide passive recognition result.
Specifically, when passive traffic analysis is performed, the traffic contains a huge number of communication nodes, communication protocols and communication data packets, and without clear traffic filtering conditions the analysis cannot proceed. Feature analysis of traffic filtering conditions is therefore performed on the detection target according to the active identification data to obtain a feature analysis result. For example, the Internet-side asset list in the active identification data can serve as the screening condition for passive traffic analysis and be handed to passive analysis for internal communication relationship mining, sensitive information mining, cross-validation and expansion of target attributes, and so on. The feature analysis result is taken as the passive guide feature recognition result, which is used as the filtering condition for data filtering analysis to generate a guide passive recognition result. For example, the active identification data includes a certain Web server in the target network, and the IP and domain name of the Web server are submitted as starting parameters for passive traffic analysis; the passive traffic analysis uses the IP and domain name of the Web server as filtering conditions and extracts from the traffic the communicating IPs and the HTTP protocol data exchanged with the Web server. Using the active identification data as the filtering condition for passive traffic analysis resolves the uncertainty of the passive analysis target and improves the efficiency and accuracy with which passive recognition results are obtained.
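The Web-server case described above, in which the IP and domain name found by active detection become the filter for passive traffic analysis (steps S610-S640), can be sketched as follows. This is an added example, not code from the patent: the record field names, `ACTIVE_ASSETS`, `FLOWS` and the function names are assumptions, and the sample data is constructed from documentation address ranges.

```python
import ipaddress

# Constructed active identification data: the Internet-side asset list.
ACTIVE_ASSETS = [
    {"ip": "203.0.113.10", "domain": "www.example.test", "role": "web"},
]

# Constructed passive flow records, as a traffic decoder might emit them.
FLOWS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "HTTP",
     "host": "www.example.test", "uri": "/login"},
    {"src": "203.0.113.10", "dst": "198.51.100.7", "proto": "HTTP",
     "server": "nginx/1.18.0"},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "SMTP"},
    {"src": "203.0.113.10", "dst": "10.0.0.20", "proto": "TCP"},
    {"src": "198.51.100.8", "dst": "192.0.2.55", "proto": "HTTP",
     "host": "WWW.EXAMPLE.TEST.", "uri": "/api/v1/status"},
    {"src": "not-an-ip", "dst": "203.0.113.10", "proto": "HTTP"},
]


def normalise_host(host):
    """Lower-case a host name and drop the trailing root dot."""
    return (host or "").strip().lower().rstrip(".")


def build_filter(assets):
    """S610-S620: derive the traffic filter condition from active results."""
    return {
        "ips": {ipaddress.ip_address(a["ip"]) for a in assets},
        "domains": {normalise_host(a["domain"])
                    for a in assets if a.get("domain")},
    }


def guided_passive_analysis(flows, cond):
    """S630-S640: keep only flows touching known assets and summarise them."""
    matched = dropped = invalid = 0
    peers, domain_ips, uris, banners = set(), set(), set(), set()
    for flow in flows:
        try:
            src = ipaddress.ip_address(flow["src"])
            dst = ipaddress.ip_address(flow["dst"])
        except (KeyError, ValueError):
            invalid += 1          # malformed record: count it, do not guess
            continue
        by_ip = src in cond["ips"] or dst in cond["ips"]
        by_domain = normalise_host(flow.get("host")) in cond["domains"]
        if not (by_ip or by_domain):
            dropped += 1          # unrelated traffic is filtered out
            continue
        matched += 1
        if by_ip:
            # Communicating IPs: the endpoint that is not a known asset.
            peers.update(str(ip) for ip in (src, dst) if ip not in cond["ips"])
        elif dst not in cond["ips"]:
            # Known domain served from an address the active scan did not
            # list: a candidate expansion of the asset's attributes.
            domain_ips.add(str(dst))
        if flow.get("proto") == "HTTP":
            if flow.get("uri"):
                uris.add(flow["uri"])
            if flow.get("server"):
                banners.add(flow["server"])
    return {
        "matched": matched, "dropped": dropped, "invalid": invalid,
        "peers": sorted(peers), "domain_ips": sorted(domain_ips),
        "uris": sorted(uris), "server_banners": sorted(banners),
    }


if __name__ == "__main__":
    print(guided_passive_analysis(FLOWS, build_filter(ACTIVE_ASSETS)))
```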
In one embodiment, step S600 of the present application further includes:
Step S650: carrying out communication relationship mining on the detection targets based on the passive identification data to obtain communication equipment;
Step S660: transmitting active detection data to the communication equipment, and collecting active detection information;
Step S670: obtaining the second recognition result according to the guide passive recognition result and the active detection information.
Specifically, communication relationship mining is performed on the detection target according to the passive identification data. Communication relationship mining means that, in analyzing the communication relationships of a server on the target's Internet side, data such as the IPs of the multiple servers that communicate with that server are mined, yielding the communication equipment. Active detection data is then sent to the communication equipment according to the server IPs, and information about those server IPs is collected to obtain active detection information. By mining the communication relationships of the detection target from the passive identification data, target asset attributes that active detection cannot obtain can be extracted from the traffic data, situation data such as the internal network topology can be obtained, and the attribute data of the detection target can be supplemented and completed.
In one embodiment, step S600 of the present application further includes:
Step S680: performing pointing characteristic recognition of the detection target based on the passive identification data, wherein the pointing characteristic comprises URL, API and vulnerability characteristics;
Step S690: performing active pointing detection of the detection target according to the identified pointing characteristics;
Step S6100: generating auxiliary active identification data based on the active pointing detection result;
Step S6110: obtaining the second recognition result according to the auxiliary active identification data, the guide passive recognition result and the active detection information.
Specifically, the pointing characteristic of the detection target is identified according to the passive identification data, wherein the pointing characteristic comprises URL, API and vulnerability. And then, carrying out active pointing detection on the detection target according to a pointing characteristic recognition result, and generating auxiliary active recognition data according to the active pointing detection result. By generating auxiliary active identification data, the vulnerability detection of the active detection on the target network can be supported, so that the depth and the accuracy of the active detection target selection are improved. And finally, obtaining a second identification result according to the auxiliary active identification data, the guiding passive identification result and the active detection information.
Step S700: and generating a target recognition result of the detection target by combining the first recognition result and the second recognition result.
In one embodiment, step S700 of the present application further comprises:
Step S710: setting an abnormality discrimination threshold;
Step S720: when any recognition result in the first recognition result and the second recognition result meets the abnormality discrimination threshold, carrying out abnormality retention of the corresponding recognition result;
Step S730: after carrying out anomaly verification on the abnormality retention, determining a target recognition result of the detection target.
Specifically, an abnormality discrimination threshold is set; it can be user-defined by a person skilled in the art. The first recognition result and the second recognition result are judged against the threshold. When either result meets the abnormality discrimination threshold, that result is retained as abnormal and subjected to anomaly verification, which can be performed by detection in the other recognition mode. Finally, the target recognition result of the detection target is determined according to the anomaly verification result. The method addresses the low cooperative efficiency caused by the simple interaction mode used when fusing active and passive detection data, and achieves efficient, process-driven and automated cooperative fusion, thereby improving the efficiency of active and passive cooperation.
In one embodiment, as shown in FIG. 4, there is provided a target recognition system based on active-passive data fusion analysis, comprising a detection data sending module 1, a response data receiving module 2, a passive data obtaining module 3, a first identification result output module 4, a guide characteristic identification module 5, a second identification result generating module 6 and a target identification result generating module 7, wherein:
the detection data transmission module 1 is used for determining a detection target and transmitting detection data to the detection target;
the response data receiving module 2 is used for receiving response data of the target, and the response data is used as active identification data;
the passive data acquisition module 3 is used for acquiring network traffic of the detection target, performing feature analysis on the HTTP, FTP and SMTP application-layer protocol data packets in the network traffic to obtain an analysis result, and taking the analysis result as passive identification data;
the first recognition result output module 4 is used for inputting the active recognition data and the passive recognition data into an active and passive fusion model to perform depth association fusion, and outputting a first recognition result;
the guiding feature recognition module 5 is used for respectively carrying out guiding feature recognition on the active recognition data and the passive recognition data;
the second recognition result generation module 6 is used for collecting guide data based on the guide feature recognition result and generating a second recognition result;
and the target recognition result generation module 7 is used for combining the first recognition result and the second recognition result to generate a target recognition result of the detection target.
In one embodiment, the system further comprises:
the characteristic analysis module is used for carrying out characteristic analysis on flow filtering conditions on the detection targets based on the active identification data;
the passive guide feature recognition result obtaining module is used for taking the feature analysis result as a passive guide feature recognition result;
the data filtering and analyzing module is used for taking the passive guide characteristic recognition result as a filtering condition to carry out data filtering and analyzing;
the second recognition result obtaining module is used for generating a guide passive recognition result and obtaining the second recognition result based on the guide passive recognition result.
In one embodiment, the system further comprises:
the communication relation mining module is used for mining the communication relation of the detection target based on the passive identification data to obtain communication equipment;
the active detection information collection module is used for sending active detection data to the communication equipment and collecting active detection information;
the second recognition result obtaining module is used for obtaining the second recognition result according to the guiding passive recognition result and the active detection information.
In one embodiment, the system further comprises:
the directional characteristic recognition module is used for recognizing the directional characteristic of the detection target based on the passive recognition data, wherein the directional characteristic comprises URL, API and vulnerability characteristics;
the active pointing detection module is used for performing active pointing detection on the detection target according to the identified pointing characteristics;
the auxiliary active identification data generation module is used for generating auxiliary active identification data based on an active pointing detection result;
the second recognition result obtaining module is used for obtaining the second recognition result according to the auxiliary active recognition data, the guide passive recognition result and the active detection information.
In one embodiment, the system further comprises:
the data information acquisition module is used for acquiring attribute data and source data of the data;
the data primary-secondary relation determining module is used for determining the primary-secondary relation of the active identification data and the passive identification data according to the attribute data and the source data and generating primary-secondary proportion values of the data;
and the first recognition result output module is used for cooperatively inputting the primary-secondary proportion values into the active and passive fusion model to perform depth association fusion and outputting the first recognition result.
In one embodiment, the system further comprises:
the data conflict judging module is used for judging the data conflict through the conflict judging module of the active and passive fusion model;
the credibility calculation module is used for calculating the credibility of the data according to the credibility evaluation algorithm when conflict data exist;
the data selection module is used for selecting among the conflicting data according to the reliability calculation result;
and the depth association fusion module is used for completing the depth association fusion of the data through the data selection result.
In one embodiment, the system further comprises:
the abnormality judgment threshold setting module is used for setting an abnormality judgment threshold;
the abnormality reservation module is used for performing abnormality reservation of the corresponding identification result when any identification result in the first identification result and the second identification result meets the abnormality judgment threshold;
and the target identification result determining module is used for determining the target identification result of the detection target after carrying out anomaly verification on the anomaly reservation.
In summary, the application provides a target identification method based on active and passive data fusion analysis, which has the following technical effects:
1. The method solves the problem of low collaborative work efficiency caused by the simple interaction mode used when fusing active detection and passive detection data, and realizes an efficient collaborative fusion that is process-based and automated, thereby improving the efficiency of active and passive collaborative work.
2. By selecting among conflicting data according to the reliability calculation result, the data with the higher value can be obtained when actively and passively acquired data conflict, thereby correcting the conflicting data.
3. The active identification data can be used as a filtering condition for passive traffic analysis, which resolves the uncertainty of the passive analysis target and improves the efficiency and accuracy of obtaining passive identification results. By mining the communication relations of the detection target from the passive identification data, target asset attributes that active detection cannot obtain can be extracted from the traffic data, and situational data such as the internal network topology can be obtained, which supplements and completes the attribute data of the detection target.
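The conflict judgment, reliability calculation and data selection steps described above, as an added Python example that is not part of the patent. The patent does not disclose its reliability evaluation algorithm, so the scoring formula, the primary-secondary proportion values, the review margin and every sample observation below are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    attribute: str    # identified property, e.g. "os" or "http_server"
    value: str
    source: str       # "active" (probe response) or "passive" (traffic analysis)
    age_hours: float  # time since the observation was made
    samples: int      # responses or flows supporting the value

# Assumed primary-secondary proportion values per attribute (not from the patent).
PROPORTIONS = {
    "http_server": {"active": 0.7, "passive": 0.3},
    "os": {"active": 0.4, "passive": 0.6},
}
DEFAULT_PROPORTION = {"active": 0.5, "passive": 0.5}

def credibility(obs):
    """Assumed reliability score: source proportion x mean(freshness, support)."""
    weight = PROPORTIONS.get(obs.attribute, DEFAULT_PROPORTION)[obs.source]
    freshness = 1.0 / (1.0 + obs.age_hours / 24.0)
    support = min(obs.samples, 10) / 10.0
    return round(weight * (0.5 * freshness + 0.5 * support), 4)

def fuse(observations, review_margin=0.05):
    """Return (fused attributes, attributes retained for verification)."""
    groups = {}
    for obs in observations:
        groups.setdefault(obs.attribute, []).append(obs)
    fused, retained = {}, []
    for attr, group in groups.items():
        ranked = sorted(group, key=credibility, reverse=True)
        best = ranked[0]
        # Conflict judgment: sources disagree on the value (case-insensitive).
        rivals = [o for o in ranked if o.value.lower() != best.value.lower()]
        fused[attr] = {"value": best.value, "source": best.source,
                       "conflict": bool(rivals), "credibility": credibility(best)}
        # A near tie is not silently resolved; it is kept for later verification.
        if rivals and credibility(best) - credibility(rivals[0]) < review_margin:
            retained.append(attr)
    return fused, retained

# Constructed sample observations for one detection target.
SAMPLE = [
    Observation("http_server", "nginx", "active", 1.0, 1),
    Observation("http_server", "Apache", "passive", 48.0, 3),
    Observation("os", "Linux", "active", 2.0, 1),
    Observation("os", "Windows", "passive", 1.0, 10),
    Observation("ftp_banner", "vsFTPd", "passive", 5.0, 4),
    Observation("smtp_banner", "Postfix", "active", 0.0, 1),
    Observation("smtp_banner", "Exim", "passive", 0.0, 2),
]

if __name__ == "__main__":
    fused, retained = fuse(SAMPLE)
    for attr, info in fused.items():
        print(attr, info)
    print("retain for verification:", retained)
```

With these assumed weights the stale passive `http_server` value loses to the fresh probe response, the well-supported passive `os` value wins, and the near-tied `smtp_banner` conflict is retained for verification instead of being settled on score alone.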
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of these technical features are described; however, as long as a combination of technical features involves no contradiction, it should be considered within the scope of this description.
The above examples illustrate only a few embodiments of the application; although they are described in detail, they are not to be construed as limiting the scope of the application. It should be noted that those skilled in the art can make several variations and modifications without departing from the spirit of the application, all of which fall within the scope of the application. Accordingly, the scope of protection of the present application is to be determined by the appended claims.

Claims (6)

1. A target recognition method based on active and passive data fusion analysis, the method comprising:
determining a detection target and sending detection data to the detection target;
receiving response data of the target, and taking the response data as active identification data;
collecting network traffic of the detection target, performing feature analysis on HTTP, FTP and SMTP application-layer protocol data packets in the network traffic to obtain an analysis result, and taking the analysis result as passive identification data;
inputting the active identification data and the passive identification data into an active and passive fusion model to perform depth association fusion, and outputting a first identification result;
respectively carrying out guide feature recognition on the active recognition data and the passive recognition data;
collecting guide data based on the guide feature recognition result to generate a second recognition result;
generating a target recognition result of the detection target by combining the first recognition result and the second recognition result;
wherein outputting the first recognition result includes:
obtaining attribute data and source data of the data;
determining the data primary-secondary relationship of the active identification data and the passive identification data according to the attribute data and the source data, and generating primary-secondary proportion values of the data;
cooperatively inputting the primary-secondary proportion values into the active and passive fusion model to perform depth association fusion, and outputting the first recognition result, which comprises:
carrying out data conflict judgment through a conflict judgment module of the active and passive fusion model;
when conflict data exist, carrying out reliability calculation on the data according to a reliability evaluation algorithm;
selecting among the conflicting data according to the reliability calculation result;
and finishing the depth association fusion of the data through the data selection result, and outputting a first identification result.
2. The method of claim 1, wherein the method further comprises:
performing feature analysis of flow filtering conditions on the detection targets based on the active identification data;
taking the feature analysis result as a passive guide feature recognition result;
taking the passive guide characteristic recognition result as a filtering condition to carry out data filtering analysis;
and generating a guide passive identification result, and obtaining the second identification result based on the guide passive identification result.
3. The method of claim 2, wherein the method further comprises:
carrying out communication relation mining on the detection targets based on the passive identification data to obtain communication equipment;
transmitting active detection data to the communication equipment, and collecting active detection information;
and obtaining the second identification result according to the guiding passive identification result and the active detection information.
4. A method as claimed in claim 3, wherein the method further comprises:
performing pointing characteristic recognition of the detection target based on the passive recognition data, wherein the pointing characteristic comprises URL, API and vulnerability characteristics;
performing active pointing detection of the detection target according to the identified pointing characteristics;
generating auxiliary active identification data based on the active pointing detection result;
and obtaining the second recognition result according to the auxiliary active recognition data, the guiding passive recognition result and the active detection information.
5. The method of claim 1, wherein the method further comprises:
setting an abnormality discrimination threshold;
when any identification result in the first identification result and the second identification result meets the abnormality discrimination threshold, carrying out abnormality reservation of the corresponding identification result;
and after carrying out anomaly verification on the anomaly retention, determining a target identification result of the detection target.
6. A target recognition system based on active-passive data fusion analysis, the system comprising:
the detection data transmission module is used for determining a detection target and transmitting detection data to the detection target;
the response data receiving module is used for receiving response data of the target and taking the response data as active identification data;
the passive data acquisition module is used for acquiring network traffic of the detection target, performing feature analysis on HTTP, FTP and SMTP application-layer protocol data packets in the network traffic to obtain an analysis result, and taking the analysis result as passive identification data;
the first recognition result output module is used for inputting the active recognition data and the passive recognition data into an active and passive fusion model to perform deep association fusion and outputting a first recognition result;
the guide feature recognition module is used for respectively carrying out guide feature recognition on the active recognition data and the passive recognition data;
the second recognition result generation module is used for collecting guide data based on the guide feature recognition result and generating a second recognition result;
the target recognition result generation module is used for combining the first recognition result and the second recognition result to generate a target recognition result of the detection target;
wherein, the first recognition result output module includes:
the data information acquisition module is used for acquiring attribute data and source data of the data;
the data primary-secondary relation determining module is used for determining the primary-secondary relation of the active identification data and the passive identification data according to the attribute data and the source data and generating primary-secondary proportion values of the data;
the first recognition result output module is used for cooperatively inputting the primary-secondary proportion values into the active and passive fusion model to perform depth association fusion and outputting the first recognition result;
the data conflict judging module is used for judging the data conflict through the conflict judging module of the active and passive fusion model;
the credibility calculation module is used for calculating the credibility of the data according to the credibility evaluation algorithm when conflict data exist;
the data selection module is used for selecting among the conflicting data according to the reliability calculation result;
and the depth association fusion module is used for completing the depth association fusion of the data through the data selection result and outputting a first identification result.
CN202310404500.0A 2023-04-14 Target identification method based on active and passive data fusion analysis Active CN116455632B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310404500.0A CN116455632B (en) 2023-04-14 Target identification method based on active and passive data fusion analysis

Publications (2)

Publication Number Publication Date
CN116455632A (en) 2023-07-18
CN116455632B (en) 2023-10-13

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110474906A (en) * 2019-08-16 2019-11-19 国家计算机网络与信息安全管理中心 Master based on closed loop feedback passively combines cyberspace target depth digging technology
CN111555988A (en) * 2020-04-26 2020-08-18 深圳供电局有限公司 Big data-based network asset mapping and discovering method and device
CN112965598A (en) * 2021-03-03 2021-06-15 北京百度网讯科技有限公司 Interaction method, device, system, electronic equipment and storage medium
CN114389848A (en) * 2021-12-17 2022-04-22 上海矢安科技有限公司 Automatic detection method for intranet attack surface
CN115664739A (en) * 2022-10-17 2023-01-31 山东大学 Active user identity attribute detection method and system based on flow characteristic matching

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
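Research on a security threat discovery technology for unknown attacks; 吴进; 戴海彬; Communications Management and Technology (04); full text *
A survey of traffic obfuscation technology and the corresponding identification and tracing techniques; 姚忠将; 葛敬国; 张潇丹; 郑宏波; 邹壮; 孙焜焜; 许子豪; Journal of Software (10); full text *
粟栗. Application of multi-sensor data fusion methods in the military information field. Ship Science and Technology. 2013, (No. 06), full text. *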

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant