CN112688973A - Network space asset description method based on fingerprint technology - Google Patents
- Publication number: CN112688973A
- Application number: CN202110300746.4A
- Authority: CN (China)
- Prior art keywords: fingerprint, cyberspace, application layer, assets, protocol stack
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Landscape: Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a cyberspace asset description method based on fingerprint technology, comprising the following step: describing cyberspace assets through a constructed device fingerprint model. The device fingerprint model is formed by combining a protocol stack fingerprint with at least one application layer fingerprint, as shown in the following formula: FP(apparatus) = FP(protocol stack fingerprint) + {FP1(application layer fingerprint) … FPn(application layer fingerprint)}. Expressing different cyberspace assets through a device fingerprint model that combines different protocol stack fingerprints with at least one application layer fingerprint gives the expression of cyberspace assets a standard and normative form, which facilitates the subsequent identification and classification of cyberspace assets.
Description
Technical Field
The invention relates to the technical field of network space asset description, in particular to a network space asset description method based on a fingerprint technology.
Background
With the rise of the Internet of Things, 5G networks and the concept of cyberspace, cyberspace assets are gradually developing into a new field. The definition of information assets in ISO 27001 can no longer accommodate the evolving demands of cyberspace.
ISO 27001 classifies assets as: 1) information assets: database files, system documents, user manuals, training materials, operational or support procedures, etc.; 2) software assets: applications, system software, development tools and utilities; 3) physical assets: computer devices (processors, monitors, notebooks, modems); 4) written documents: system files, instruction manuals, various programs and guide files, contract books, etc.; 5) services: computing and communication services, and general-purpose facilities such as heaters, lighting, power supplies and air conditioners.
Examining the ISO 27001 definition of information assets shows that it describes objects related to informatization from a static dimension. A cyberspace asset, however, is expressed as a behavioural state based on the TCP/IP protocol stack: an information asset that exhibits network behaviour is called a cyberspace asset.
Cyberspace assets are distinct from information assets: cyberspace assets are the representation of information assets in cyberspace. Identifying cyberspace assets is the first step of cyberspace management. However, the information asset categories defined by ISO 27001 cannot correctly describe cyberspace assets, and the industry has no unified standard definition or related specification for them, so cyberspace asset identification and classification are carried out in divergent ways.
Disclosure of Invention
An object of the present invention is to solve at least the above problems and to provide at least the advantages described later.
It is still another object of the present invention to provide a method for describing cyberspace assets based on fingerprint technology, which expresses different cyberspace assets through a device fingerprint model composed of different protocol stack fingerprints and at least one application layer fingerprint combination, so that the expression of cyberspace assets has standardization and normalization, and facilitates the subsequent identification and classification of cyberspace assets.
To achieve these objects and other advantages and in accordance with the purpose of the invention, as embodied and broadly described herein, there is provided a method for describing a cyberspace asset based on a fingerprint technology, comprising:
describing the network space assets through the constructed equipment fingerprint model;
the device fingerprint model is formed by combining different protocol stack fingerprints and at least one application layer fingerprint, as shown in formula 1:
FP(apparatus) = FP(protocol stack fingerprint) + { FP1(application layer fingerprint) … FPn(application layer fingerprint) }   (Equation 1)
Preferably, in the method for describing a cyberspace asset based on fingerprint technology, the protocol stack fingerprint comprises at least four factors: the TOS field of the IP Header, the TTL variable, the DF flag bit of the IP Header, and Windows/Windows Size; the application layer fingerprint comprises at least two factors: a service name and a service version number.
A cyberspace asset description device based on fingerprint technology comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the cyberspace asset description method based on fingerprint technology as described above when executing the computer program.
A computer-readable storage medium, storing a computer program which, when executed by a processor, implements the steps of the method for network-space asset description based on fingerprinting technology as described above.
The invention at least comprises the following beneficial effects:
in the cyberspace asset description method based on fingerprint technology, a cyberspace asset is the expression of an information asset in cyberspace. In short, an information asset that is in an operational state and has a network-exposed surface is called a cyberspace asset, and that exposed surface is expressed by three basic elements: an IP address, a protocol and a service port. Different cyberspace assets in the current cyberspace are therefore expressed by a device fingerprint model, built on the TCP/IP protocol model, that combines different protocol stack fingerprints with at least one application layer fingerprint. This makes the expression of cyberspace assets standard and normative and facilitates their subsequent identification and classification.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention.
Drawings
FIG. 1 is a fingerprint classification model of a cyberspace asset description method based on fingerprint technology according to the present invention;
FIG. 2 is a diagram of TCP/IP data format.
Detailed Description
The present invention is further described in detail below with reference to the attached drawings so that those skilled in the art can implement the invention by referring to the description text.
It should be understood that terms such as "having," "including," and "comprising," as used herein, do not preclude the presence or addition of one or more other elements or groups thereof, and that various approximations, non-ideal modifications, or changes in the configuration of non-critical elements are within the scope of the present application.
As shown in fig. 1, the present invention provides a method for describing a cyberspace asset based on a fingerprint technology, which includes:
describing the network space assets through the constructed equipment fingerprint model;
the device fingerprint model is formed by combining different protocol stack fingerprints and at least one application layer fingerprint, as shown in formula 1:
FP(apparatus) = FP(protocol stack fingerprint) + { FP1(application layer fingerprint) … FPn(application layer fingerprint) }   (Equation 1)
In the above scheme, the TCP/IP protocol stack is an important part of an operating system's implementation, so the characteristics of the TCP/IP implementation distinguish different types of operating systems. The application layer fingerprint is an abstract expression of an application layer service, and different applications are expressed in different ways. At the application layer, a related data packet is sent to the open service port and the response data packet obtained is examined to determine the application layer attributes of the responding target, from which information such as the service name and service version number can be obtained. For example, as shown in fig. 1, the fingerprint of a Juniper firewall device is described as: Juniper SRX3600 = FreeBSD + AppWeb + PostgreSQL + title.
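The composition rule FP(apparatus) = FP(protocol stack) + {FP1 … FPn} and the "FreeBSD + AppWeb + PostgreSQL" reading of the Juniper example can be made concrete in code. The following is an added example written for this page, not code from the patent; the catalogue of stack fingerprints and device fingerprints it contains (the TTL and window values, the "Juniper SRX3600 (constructed)" entry, the `http-title` pseudo-service) is constructed for illustration, and the matching rule (stack must be identical, every catalogued application fingerprint must be present in the observation) is this example's own choice:

```python
# Added example (not the patent's code): a minimal implementation of the
# device fingerprint model FP(device) = FP(stack) + {FP1 ... FPn}.
# All catalogue values below are constructed illustrations.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class StackFP:
    """Protocol stack fingerprint: the four factors named in the patent."""
    tos: int
    ttl: int          # initial TTL of the sending stack
    df: bool          # DF (don't fragment) bit set on outgoing packets
    window_size: int  # TCP window size (Windows/Windows Size)


@dataclass(frozen=True)
class AppFP:
    """Application layer fingerprint: service name and service version."""
    service: str
    version: str = ""   # empty string when the version is not exposed


@dataclass(frozen=True)
class DeviceFP:
    """FP(device) = FP(stack) + {FP1 ... FPn}; at least one AppFP is required."""
    stack: StackFP
    apps: FrozenSet[AppFP]

    def __post_init__(self) -> None:
        if not self.apps:
            raise ValueError("a device fingerprint needs at least one application layer fingerprint")


# Constructed stack catalogue mapping a StackFP to an OS label. The numbers are
# illustrative defaults chosen for this example, not measured values.
STACK_CATALOGUE: Dict[StackFP, str] = {
    StackFP(tos=0, ttl=64, df=True, window_size=65535): "FreeBSD",
    StackFP(tos=0, ttl=64, df=True, window_size=29200): "Linux",
    StackFP(tos=0, ttl=128, df=True, window_size=8192): "Windows",
}

# Constructed device catalogue in the style of the patent's example
# "Juniper SRX3600 = FreeBSD + AppWeb + PostgreSQL + title".
DEVICE_CATALOGUE: Dict[str, DeviceFP] = {
    "Juniper SRX3600 (constructed)": DeviceFP(
        StackFP(tos=0, ttl=64, df=True, window_size=65535),
        frozenset({AppFP("AppWeb"), AppFP("PostgreSQL"), AppFP("http-title", "SRX3600")}),
    ),
    "Generic Linux web server (constructed)": DeviceFP(
        StackFP(tos=0, ttl=64, df=True, window_size=29200),
        frozenset({AppFP("Apache httpd")}),
    ),
}


def app_matches(observed: AppFP, expected: AppFP) -> bool:
    """Service names must agree; a catalogued version must agree when the
    observation also carries one (an unknown observed version is not a mismatch)."""
    if observed.service != expected.service:
        return False
    return not expected.version or not observed.version or observed.version == expected.version


def describe(fp: DeviceFP) -> str:
    """Render FP(device) as 'OS + service + service ...' like the patent's figure."""
    os_name = STACK_CATALOGUE.get(fp.stack, "unknown-stack")
    parts = sorted(a.service if not a.version else f"{a.service}/{a.version}" for a in fp.apps)
    return " + ".join([os_name] + parts)


def classify(observed: DeviceFP) -> Tuple[Optional[str], int]:
    """Return (catalogue name, number of matched app fingerprints) for the best
    entry whose stack fingerprint equals the observed one and all of whose app
    fingerprints are present in the observation; (None, 0) if nothing matches."""
    best: Tuple[Optional[str], int] = (None, 0)
    for name, known in DEVICE_CATALOGUE.items():
        if known.stack != observed.stack:
            continue
        matched = sum(
            1 for exp in known.apps if any(app_matches(obs, exp) for obs in observed.apps)
        )
        if matched == len(known.apps) and matched > best[1]:
            best = (name, matched)
    return best


if __name__ == "__main__":
    seen = DeviceFP(
        StackFP(tos=0, ttl=64, df=True, window_size=65535),
        frozenset({AppFP("AppWeb", "3.4"), AppFP("PostgreSQL", "9.6"), AppFP("http-title", "SRX3600")}),
    )
    print(describe(seen))
    print(classify(seen))
```

Keeping the stack fingerprint and the application fingerprints as separate typed parts, rather than one opaque string, is what makes the "standard and normative" expression useful downstream: an asset inventory can group by stack (all FreeBSD-like hosts), by service (everything exposing PostgreSQL), or by the full combination, and a catalogue entry with an unknown version still matches a later, more precise observation.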
In a preferred scheme, the protocol stack fingerprint comprises at least four factors: the TOS field of the IP Header, the TTL variable, the DF flag bit of the IP Header, and Windows/Windows Size; the application layer fingerprint comprises at least two factors: a service name and a service version number.
In the above solution, fig. 2 is a format diagram of a TCP/IP packet. Analysing this format, the 13 variables in the 20 bytes of the IP Header form the behavioural combination of the operating system below the network layer, and the 13 variables in the 20 bytes of the TCP Header form the network-layer representation of the transport layer; one or more of these 26 variables in total form the core elements by which the protocol stack identifies an operating system. The TOS field of the IP Header, the TTL variable, the DF flag of the IP Header and Windows/Windows Size may be considered the main elements for identification, for the following reasons. The TOS field has four different values: Minimize Delay, Maximize Throughput, Maximize Reliability and Minimize Monetary Cost. TTL is a variable that has traditionally distinguished operating systems; for example, Windows defaults to 128 and Linux defaults to 64, and so on. The DF bit of the IP Header marks whether a packet may be fragmented (don't fragment, or fragmentation into multiple fragments), and different protocol stacks handle the DF bit differently for different data packets. The Windows/Windows Size field indicates the size of the TCP stack's packet buffer, and different operating systems handle WSS and the window differently, as shown in table 1:
TABLE 1: Protocol stack characteristics of different operating systems
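Extracting the four stack factors from a captured packet is a matter of reading fixed offsets in the IPv4 and TCP headers shown in fig. 2. The following is an added example, not the patent's own code: it parses a raw IPv4+TCP packet with the standard library, and also rounds the observed TTL up to a common initial value, because every router hop decrements TTL and the raw value on the wire is therefore not the sender's default. The packet bytes are constructed, and the rounding to 32/64/128/255 is a widely used heuristic that this example assumes rather than something the patent states:

```python
# Added example (not the patent's own code): pull the four protocol stack
# factors named in the text (TOS, TTL, DF flag, TCP window size) out of the raw
# IPv4 and TCP headers of a captured packet. The packet bytes are constructed.
import struct
from typing import Dict, Tuple


def parse_stack_factors(packet: bytes) -> Dict[str, int]:
    """Return {'tos', 'ttl', 'df', 'window_size'} from a raw IPv4+TCP packet.

    Only the fixed 20-byte IP header and 20-byte TCP header are read; IP options
    are skipped via IHL, TCP options are ignored.
    """
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, tos, _total, _ident, flags_frag, ttl, proto, _csum, _src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20]
    )
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    if proto != 6:
        raise ValueError("not TCP")
    df = (flags_frag >> 14) & 1   # IP flags occupy the top 3 bits: reserved, DF, MF
    _sport, _dport, _seq, _ack, _off_flags, window, _tcsum, _urg = struct.unpack(
        "!HHIIHHHH", packet[ihl:ihl + 20]
    )
    return {"tos": tos, "ttl": ttl, "df": df, "window_size": window}


def guess_initial_ttl(observed_ttl: int) -> int:
    """Round the observed TTL up to the nearest common initial value.

    A Linux host (default 64) seven hops away is seen with TTL 57. Rounding up
    to the next of 32/64/128/255 is a common heuristic assumed by this example,
    not a rule taken from the patent.
    """
    for initial in (32, 64, 128, 255):
        if observed_ttl <= initial:
            return initial
    return 255


def build_sample_syn(ttl: int, window: int, df: bool) -> bytes:
    """Construct a minimal IPv4+TCP SYN (no options, checksums zeroed) for testing."""
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_frag, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, 0x5002, window, 0, 0)  # data offset 5, SYN
    return ip + tcp


def stack_fingerprint(packet: bytes) -> Tuple[int, int, int, int]:
    """FP(protocol stack) as (tos, initial_ttl_guess, df, window_size)."""
    f = parse_stack_factors(packet)
    return (f["tos"], guess_initial_ttl(f["ttl"]), f["df"], f["window_size"])


if __name__ == "__main__":
    pkt = build_sample_syn(ttl=57, window=65535, df=True)   # constructed: 64-TTL host 7 hops away
    print(parse_stack_factors(pkt))   # {'tos': 0, 'ttl': 57, 'df': 1, 'window_size': 65535}
    print(stack_fingerprint(pkt))     # (0, 64, 1, 65535)
```

The window size is only meaningful on the SYN or SYN-ACK, before the stack starts adjusting it to buffer occupancy, so a fingerprinting collector should record these factors from the handshake packets rather than from arbitrary data segments.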
It can be seen that the protocol stack fingerprint offers a relatively accurate identification method. Analysing the exposed surfaces of different operating systems, the ports and services are the only exposed information, and both depend on the TCP/IP protocol stack implementation.
Take, for example, the recently disclosed Ripple20: the Treck TCP/IP protocol stack is widely used in embedded and Internet of Things devices and affects multiple industries including medical, transportation, energy, telecommunications, industrial control, retail and commerce, involving well-known vendors such as HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar and Baxter. How, then, can a device using the Ripple20 protocol stack be identified quickly and accurately? It was found that the Treck protocol stack defines a custom ICMP packet of type 165 (0xa5) and responds with a type 166 ICMP packet once a type 165 packet is received. An ICMP packet with type = 0xa5 and code = 0 is sent to the target system, and the ICMP response data returned by the target is received; if type = 0xa6 and code = 0, and the six bytes after the 9th byte of the ICMP packet are 0x01, 0x51, 0x35, 0x28, 0x57, 0x32 (big-endian) or 0x51, 0x01, 0x28, 0x35, 0x32, 0x57 (little-endian), then the target device is running the Treck protocol stack.
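For a defender the same signature is useful in two directions: a type 165 ICMP message arriving at the network means someone is looking for Treck stacks, and a type 166 reply carrying the six-byte marker means the replying host is an asset running the Treck stack that belongs in the inventory and the Ripple20 patch list. The following is an added example, not code from the patent, that classifies captured ICMP messages (IP header already stripped) accordingly. All messages in it are constructed; because the text does not state the marker's payload offset unambiguously, the example searches the whole payload after the 8-byte ICMP header rather than a fixed position, which is an assumption of this example:

```python
# Added example (not the patent's own code): classify captured ICMP messages
# for the Treck-stack behaviour described in the text. Type 165 (0xa5) is the
# probe the Treck stack recognises and type 166 (0xa6) its reply carrying a
# six-byte marker. All messages below are constructed. The marker is searched
# anywhere after the ICMP header because the text's offset is ambiguous.
from typing import Dict, List, Tuple

TRECK_PROBE_TYPE = 0xA5
TRECK_REPLY_TYPE = 0xA6
TRECK_MARKERS = (
    bytes([0x01, 0x51, 0x35, 0x28, 0x57, 0x32]),   # big-endian layout
    bytes([0x51, 0x01, 0x28, 0x35, 0x32, 0x57]),   # little-endian layout
)
ICMP_HEADER_LEN = 8


def classify_icmp(message: bytes) -> str:
    """Label one ICMP message (header + payload, IP header already stripped)."""
    if len(message) < ICMP_HEADER_LEN:
        return "malformed"
    itype, code = message[0], message[1]
    if itype == TRECK_PROBE_TYPE and code == 0:
        return "ripple20-probe"          # someone is looking for Treck stacks
    if itype == TRECK_REPLY_TYPE and code == 0:
        payload = message[ICMP_HEADER_LEN:]
        if any(marker in payload for marker in TRECK_MARKERS):
            return "treck-reply"         # the sender runs the Treck TCP/IP stack
        return "unknown-type-166"
    return "other"


def triage(capture: List[Tuple[str, str, bytes]]) -> Dict[str, List[str]]:
    """Summarise a capture of (src, dst, icmp_bytes) tuples into defender-facing lists:
    source addresses that probed for Treck stacks, and hosts that answered as Treck."""
    out: Dict[str, List[str]] = {"scanners": [], "treck_assets": []}
    for src, _dst, msg in capture:
        label = classify_icmp(msg)
        if label == "ripple20-probe" and src not in out["scanners"]:
            out["scanners"].append(src)
        elif label == "treck-reply" and src not in out["treck_assets"]:
            out["treck_assets"].append(src)
    return out


def make_icmp(itype: int, code: int, payload: bytes) -> bytes:
    """Constructed ICMP message with a zero checksum and zeroed rest-of-header."""
    return bytes([itype, code, 0, 0, 0, 0, 0, 0]) + payload


# Constructed capture: an external probe, one internal host answering as Treck,
# one answering with type 166 but no marker, and an ordinary echo request.
SAMPLE_CAPTURE = [
    ("198.51.100.7", "192.0.2.10", make_icmp(0xA5, 0, b"\x00" * 8)),
    ("192.0.2.10", "198.51.100.7", make_icmp(0xA6, 0, b"\x00" + TRECK_MARKERS[1] + b"\x00")),
    ("192.0.2.11", "198.51.100.7", make_icmp(0xA6, 0, b"\x00" * 8)),
    ("192.0.2.12", "192.0.2.1", make_icmp(8, 0, b"ping")),
]

if __name__ == "__main__":
    print(triage(SAMPLE_CAPTURE))   # {'scanners': ['198.51.100.7'], 'treck_assets': ['192.0.2.10']}
```

The same two conditions translate directly into an IDS rule pair (alert on inbound ICMP type 165; alert on outbound ICMP type 166 containing either marker), which is how a network team discovers Treck-based devices it did not know it owned.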
At the application layer, a related data packet is sent to the open service port and the obtained response data packet is examined, so that the application layer attributes of the responding target are determined and information such as the service name and service version number can be obtained. For example, if the target system has port 3389 open, a TCP negotiation probe is sent to port 3389 and the feedback confirms whether port 3389 is running the RDP protocol.
A cyberspace asset description device based on fingerprint technology comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the cyberspace asset description method based on fingerprint technology as described above when executing the computer program.
In the above scheme, the cyberspace asset description device based on fingerprint technology may be a robot. The device may include, but is not limited to, a processor and a memory; for example, it may also include input-output devices, network access devices, a bus, etc. The processor may be a central processing unit or another general-purpose processor; a general-purpose processor may be a microprocessor, or any conventional processor. The memory may be an internal storage unit of the device, such as its hard disk or memory, or an external storage device attached to it, such as a plug-in hard disk, a smart memory card, a secure digital card or a flash memory card.
A computer-readable storage medium, storing a computer program which, when executed by a processor, implements the steps of the method for network-space asset description based on fingerprinting technology as described above.
In the above solution, the memory may further include both an internal storage unit and an external storage device of the webspace asset description device based on the fingerprint technology, and the memory is used for storing the computer program and other programs and data required by the webspace asset description device based on the fingerprint technology.
While embodiments of the invention have been described above, the invention is not limited to the applications set forth in the description and the embodiments; it is fully applicable in the various fields of endeavour to which it pertains, and further modifications may readily be made by those skilled in the art. It should be understood that the invention is not limited to the details shown and described herein, provided these do not depart from the general concept defined by the appended claims and their equivalents.
Claims (4)
1. A network space asset description method based on fingerprint technology is characterized by comprising the following steps:
describing the network space assets through the constructed equipment fingerprint model;
the device fingerprint model is formed by combining different protocol stack fingerprints and at least one application layer fingerprint, as shown in formula 1:
FP(apparatus) = FP(protocol stack fingerprint) + { FP1(application layer fingerprint) … FPn(application layer fingerprint) }   (Equation 1)
2. The method for describing cyberspace assets based on fingerprint technology according to claim 1, wherein the protocol stack fingerprint comprises at least four factors: the TOS field of the IP Header, the TTL variable, the DF flag bit of the IP Header, and Windows/Windows Size; and the application layer fingerprint comprises at least two factors: a service name and a service version number.
3. A cyberspace asset description device based on fingerprinting technology, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method according to any of claims 1 and 2.
4. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 and 2.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110300746.4A CN112688973A (en) | 2021-03-22 | 2021-03-22 | Network space asset description method based on fingerprint technology |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112688973A (en) | 2021-04-20 |
Family ID: 75455706
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110300746.4A Pending CN112688973A (en) | 2021-03-22 | 2021-03-22 | Network space asset description method based on fingerprint technology |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112688973A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114070760A (en) * | 2021-11-16 | 2022-02-18 | 北京知道创宇信息技术股份有限公司 | Network space asset mapping method and device, network space asset database and computer readable storage medium |
CN115048997A (en) * | 2022-06-10 | 2022-09-13 | 国网福建省电力有限公司 | SVM-based Internet of things equipment identification and fingerprint dimension reduction method |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7801980B1 (en) * | 2003-05-12 | 2010-09-21 | Sourcefire, Inc. | Systems and methods for determining characteristics of a network |
CN109726763A (en) * | 2018-12-29 | 2019-05-07 | 北京神州绿盟信息安全科技股份有限公司 | A kind of information assets recognition methods, device, equipment and medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20210420 |