Improvement of network asset mapping technology based on scanning and traffic analysis (translated from the Chinese title)
Improvement of network asset mapping technology based on scanning and traffic analysis
王进福 1, 苏成悦 1, 何榕礼 1
Abstract (translated from the Chinese original)
[Purpose/Significance] This paper proposes an improved cyberspace asset mapping method based on combined scanning and mirror traffic analysis, aimed at mapping unknown assets quickly and accurately. [Method/Process] Combined scanning pairs multi-process ICMP scanning with a multi-threaded SYN scan implemented in Python-Scapy to detect live hosts and open ports, then uses Python-Nmap and Wappalyzer for deep fingerprint and service identification; this shortens asset mapping time while yielding asset port, service and fingerprint information. Mirror traffic analysis uses Zeek to capture traffic from the network interface and generate logs from which asset information is filtered, supplementing the combined-scan results. [Results/Conclusion] Compared with TCP scanning, the asset mapping method is about 50% faster, places less load on the system, and substantially improves the number of ports discovered and their accuracy.
Abstract (English)
[Purpose/Significance] An improved method for cyberspace asset mapping technology based on combined scanning and mirror traffic analysis is proposed to quickly and accurately map unknown assets. [Method/Process] Combined scanning pairs multi-process ICMP scanning with SYN scanning implemented in multi-threaded Python-Scapy to detect live hosts and open ports, and uses Python-Nmap and Wappalyzer to identify fingerprints and services in depth, shortening asset mapping time and obtaining asset ports, services, fingerprint information, etc. Mirror traffic analysis uses Zeek to capture traffic from the network card and generate logs from which asset information is filtered, as a supplement to the combined-scan results. [Results/Conclusion] Tests show that the asset mapping method in this article is about 50% faster than TCP scanning, places less load on the system, and considerably improves the number and accuracy of mapped ports.
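The passive half of the method, filtering asset information out of Zeek logs, can be illustrated with a small parser over Zeek's default TSV conn.log. The following is an added example, not code from the paper or the Zeek project: it reads the `#fields` header, keeps only connections whose responder actually answered (Zeek `conn_state` values such as SF/S1/RSTO, excluding S0 and REJ), and builds a host/port/service inventory. The log lines are constructed samples; the `local_resp` column is used to keep only hosts Zeek considers local, which is an assumption about how the mirror port is configured.

```python
"""Passive asset inventory from Zeek conn.log records (added example).

The log text below is a constructed sample in Zeek's TSV conn.log layout;
it is not output captured from the paper's test network.
"""
import ipaddress
from collections import defaultdict

# conn_state values that imply the responder replied (handshake completed or
# the connection was torn down by one side after being established).
# S0 = SYN with no reply, REJ = SYN answered by RST (closed port); both are
# excluded, as is OTH (midstream traffic of unknown direction).
RESPONDED_STATES = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}

CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "service", "duration", "orig_bytes", "resp_bytes",
               "conn_state", "local_orig", "local_resp", "missed_bytes",
               "history", "orig_pkts", "orig_ip_bytes", "resp_pkts",
               "resp_ip_bytes", "tunnel_parents"]


def _conn_row(uid, orig_h, orig_p, resp_h, resp_p, proto, service, state, local_resp="T"):
    """Constructed sample row; byte and packet counters are filler values."""
    return "\t".join(["1700000000.0", uid, orig_h, str(orig_p), resp_h, str(resp_p),
                      proto, service, "0.5", "100", "200", state, "T", local_resp,
                      "0", "ShADadFf", "5", "300", "4", "400", "-"])


SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\t" + "\t".join(CONN_FIELDS),
    _conn_row("C1", "10.0.0.5", 51234, "10.0.0.10", 22, "tcp", "ssh", "SF"),
    _conn_row("C2", "10.0.0.5", 51235, "10.0.0.10", 80, "tcp", "http", "SF"),
    _conn_row("C3", "10.0.0.5", 51236, "10.0.0.10", 8080, "tcp", "-", "REJ"),   # closed port
    _conn_row("C4", "10.0.0.5", 51237, "10.0.0.20", 443, "tcp", "ssl,http", "S1"),
    _conn_row("C5", "10.0.0.5", 51238, "10.0.0.30", 3306, "tcp", "-", "S0"),    # no reply at all
    _conn_row("C6", "10.0.0.7", 40000, "10.0.0.20", 53, "udp", "dns", "SF"),
    _conn_row("C7", "10.0.0.5", 51239, "10.0.0.10", 22, "tcp", "-", "SF"),      # same port, untagged
    _conn_row("C8", "10.0.0.5", 51240, "203.0.113.9", 443, "tcp", "ssl", "SF", "F"),  # external
    "#close\t2024-01-01-00-00-00",
])


def parse_conn_log(text):
    """Parse Zeek TSV conn.log text into dicts keyed by the #fields names.

    Lines starting with '#' are metadata; only '#fields' is needed for column
    names. Zeek writes '-' for unset and '(empty)' for empty values; both
    become None so callers can test them with a plain truthiness check.
    """
    fields, rows = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        rows.append({k: (None if v in ("-", "(empty)") else v)
                     for k, v in zip(fields, values)})
    return rows


def build_inventory(rows, local_only=True):
    """Map responder host -> {(proto, port): set(services)}.

    Only connections the responder answered count as evidence of a listening
    port. With local_only, responders Zeek marked local_resp=T are kept so
    external servers contacted from the mirrored segment do not enter the
    inventory. Zeek's service column may hold a comma-separated set.
    """
    inventory = defaultdict(lambda: defaultdict(set))
    for r in rows:
        if r["conn_state"] not in RESPONDED_STATES:
            continue
        if local_only and r.get("local_resp") != "T":
            continue
        services = inventory[r["id.resp_h"]][(r["proto"], int(r["id.resp_p"]))]
        if r["service"]:
            services.update(r["service"].split(","))
    return {host: dict(ports) for host, ports in inventory.items()}


def summarize(inventory):
    """Flatten to sorted (host, proto, port, services) tuples for a report."""
    def addr_key(h):
        ip = ipaddress.ip_address(h)
        return (ip.version, ip)
    out = []
    for host in sorted(inventory, key=addr_key):
        for (proto, port), svcs in sorted(inventory[host].items()):
            out.append((host, proto, port, ",".join(sorted(svcs)) or "unknown"))
    return out


if __name__ == "__main__":
    for host, proto, port, svcs in summarize(build_inventory(parse_conn_log(SAMPLE_CONN_LOG))):
        print(f"{host:<14} {proto}/{port:<5} {svcs}")
```

Run against a real conn.log, the result is a list of hosts and ports that were observed answering, which can be diffed against the active-scan output to catch assets the scan missed or ports that only show up under real traffic.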
Keywords
cyberspace asset mapping / cyber security / stateless scanning / fingerprint identification / traffic analysis / concurrent processing
Publication year
2024