
Research and Analysis of Active-Passive Collaborative Detection Technology for Internal Network Assets in a Metrology Laboratory
Abstract: Internal networks are ubiquitous in cyberspace, and the internal networks of some important institutions are often physically or logically isolated from the Internet. Under the traditional perimeter-based security model this was considered secure enough, but from the perspective of the newer zero-trust security model such a network still faces external and internal threats. How to discover vulnerabilities and hidden risks in the internal network in a timely manner, how to accurately identify attack events in the network, how to effectively judge abnormal behavior in the network, and thereby improve the network's active defense capability, has become one of the important problems that current network security urgently needs to solve. This paper introduces the concept of network detection and discusses active and passive detection of network assets. For intranet security management, passive detection and active detection each have their own advantages and disadvantages. Passive detection does not need to interfere with the target host and is unlikely to create risk, but the efficiency and completeness of the information it obtains are inferior to active detection. Active detection can give a more comprehensive understanding of the assets and risks inside the intranet, but it causes a certain amount of interference and risk. Combined with intelligent classification and detection of abnormal network traffic, the aim is to improve the active defense capability of the internal network: from the dual perspective of attacker and defender, to understand the composition of assets in the network in a timely manner, discover the network's weak points, and analyze abnormal behavior. On the basis of traditional host discovery, port detection, service and version detection, operating system detection and network topology detection, and by comparing the stock and incremental data of network assets together with abnormal traffic detection and analysis techniques, an active-passive collaborative detection model is proposed in which passive detection limits the scope of active detection and abnormal data flow detection supplements the active and passive detection results. This model has a clear effect on reducing internal network noise during network asset detection and provides stronger defense for internal network security and data security. The main purpose of passive intranet asset detection is to capture mirrored network traffic and, after capture with Wireshark, to generate a resource detection subtable containing five-tuple information (source IP, destination IP, source port, destination port, timestamp). To implement this function, the relatively lightweight Python programming language is used: the Scapy library, the Pyshark library and the Wireshark tool capture network traffic packets and extract the five-tuple information, and the csv library edits and stores the extracted data. The main functions implemented by active detection are scanning internal network segments, screening abnormal traffic by comparison to discover abnormal hosts, and scanning intranet ports. Multithreading together with optimized strategies for data preprocessing and data analysis can effectively improve the speed and efficiency of both passive and active detection. In practical application, the optimization strategy should be determined by the specific situation and adjusted and improved accordingly. Intranet asset detection technology has a very wide range of applications and is very important for safeguarding intranet security and raising the overall level of network security; it can help enterprises and institutions to discover security threats and vulnerabilities in the network in time and to take corresponding security measures.
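As an added illustration of the passive detection step described in the abstract (this is not code from the paper): constructed Ethernet/IPv4/TCP frames stand in for mirrored traffic, each frame is reduced to the five-tuple (source IP, destination IP, source port, destination port, timestamp) and written as CSV rows, and the endpoints seen passively are compared with a stock inventory so that only the incremental endpoints bound the follow-up active scan. It uses only the Python standard library in place of Scapy/Pyshark; all addresses, ports and timestamps are constructed sample values.

```python
import csv
import io
import socket
import struct

FIELDS = ["src_ip", "dst_ip", "src_port", "dst_port", "timestamp"]

def build_frame(src_ip, dst_ip, sport, dport):
    """Construct a minimal Ethernet + IPv4 + TCP SYN frame (constructed sample input)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)  # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def extract_five_tuple(frame, timestamp):
    """Reduce one IPv4/TCP frame to the paper's five-tuple; other frames yield None."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None  # too short, or not IPv4
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    if frame[23] != 6:  # IPv4 protocol field: 6 = TCP
        return None
    src_ip = socket.inet_ntoa(frame[26:30])
    dst_ip = socket.inet_ntoa(frame[30:34])
    off = 14 + ihl  # start of the TCP header
    sport, dport = struct.unpack("!HH", frame[off:off + 4])
    return dict(zip(FIELDS, [src_ip, dst_ip, sport, dport, timestamp]))

def to_csv(records):
    """Serialize five-tuple records as the CSV resource detection subtable."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()

def incremental_assets(records, stock):
    """Endpoints (dst_ip, dst_port) seen in passive capture but absent from the
    stock inventory: these bound the range of the follow-up active scan."""
    observed = {(r["dst_ip"], r["dst_port"]) for r in records}
    return sorted(observed - stock)

if __name__ == "__main__":
    frames = [(build_frame("10.0.0.5", "10.0.0.20", 50000, 443), 1700000000),
              (build_frame("10.0.0.6", "10.0.0.21", 40000, 22), 1700000001)]
    recs = [extract_five_tuple(f, ts) for f, ts in frames]
    print(to_csv(recs))
    print(incremental_assets(recs, {("10.0.0.20", 443)}))
```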
Author: 王永霞 Wang Yongxia (Xinjiang Uygur Autonomous Region Research Institute of Measurement & Testing, Urumqi, Xinjiang 830011, China)
Source: Labor Praxis (《实验与分析》), 2023, No. 2, pp. 47-52 (6 pages)
Funding: 2022 Xinjiang Cyberspace Affairs Science and Technology Innovation Project (12221608).
Keywords: Network assets; Traffic analysis; Passive detection; Asset detection