
CN-121984767-A - Self-adaptive scanning method and device

CN121984767A

Abstract

Embodiments of the application provide an adaptive scanning method and device in the field of network security. The method comprises: acquiring a scanning task aimed at a target network; determining, from the task's configuration information, whether the task type is port-probe scanning or vulnerability scanning; selecting the corresponding user-space protocol stack instance according to that type; executing the scan on the selected instance; and returning the scanning result. Tasks from the two scenarios, port probing and vulnerability scanning, are thus routed precisely to a simple or a complete user-space protocol stack instance respectively. In the port-probe scenario this yields higher throughput at lower resource cost; in the vulnerability-scanning scenario it preserves the reliability of a full protocol exchange while avoiding the kernel bottleneck and the mismatch between the queue on which a reply packet arrives and the instance that sent the request, which arises when multiple NIC queues run in parallel.

Inventors

  • SUN KAI
  • WANG QINGLIANG

Assignees

  • 北京启明星辰信息安全技术有限公司
  • 北京网御星云信息技术有限公司
  • 启明星辰信息技术集团股份有限公司

Dates

Publication Date
2026-05-05
Application Date
2026-02-10

Claims (10)

  1. An adaptive scanning method, the method comprising: acquiring a scanning task aimed at a target network; determining, from the configuration information of the scanning task, whether the scanning task type is port-probe scanning or vulnerability scanning; determining a corresponding user-space protocol stack instance according to the scanning task type, wherein when the scanning task type is port-probe scanning a simple user-space protocol stack instance is selected; and executing the scan on the selected user-space protocol stack instance and returning a scanning result, wherein a user-space protocol stack instance is a TCP/IP protocol stack instance implemented on a user-space networking framework and isolated from the kernel protocol stack, a plurality of user-space protocol stack instances run concurrently, and each user-space protocol stack instance is bound to its own CPU core and NIC receive queue.
  2. The method of claim 1, wherein determining, from the configuration information of the scanning task, whether the scanning task type is port-probe scanning or vulnerability scanning comprises: deciding the type according to any one of the following criteria: the core scanning policy of the scanning task; whether the scanning task needs to establish a complete TCP connection; and whether the scanning task needs to perform application-layer protocol interaction.
  3. The method of claim 1, wherein when the selected user-space protocol stack instance is the simple user-space protocol stack instance, executing the scan on the selected instance and returning a scanning result comprises: constructing a TCP SYN packet carrying the target IP address and target port number from the configuration information of the scanning task; distributing the TCP SYN packet to an internal transmit queue of the simple user-space protocol stack instance according to a load-balancing policy, so that the internal transmit queue sends the TCP SYN packet directly onto the network medium through the Data Plane Development Kit (DPDK); monitoring returned network packets; and, if a returned packet is a SYN+ACK packet, recording the corresponding five-tuple in a cache pool, wherein the five-tuple includes the target IP and the target port, and the target port is the scanning result.
  4. The method of claim 1, wherein when the selected user-space protocol stack instance is the complete user-space protocol stack instance, executing the scan on the selected instance and returning a scanning result comprises: initiating a creation request for a TCP socket; determining the complete user-space protocol stack instance and the receive queue bound to it; routing the TCP socket creation request to the complete user-space protocol stack instance, so that it creates a corresponding socket context structure for the TCP socket; completing the TCP three-way handshake inside the complete user-space protocol stack instance by invoking a connect operation, thereby establishing a connection between the complete user-space protocol stack instance and the target service; and determining whether the target service is vulnerable from the data returned over that connection, and generating a vulnerability diagnosis report, wherein the vulnerability diagnosis report is the scanning result.
  5. The method of claim 4, wherein completing the TCP three-way handshake inside the complete user-space protocol stack instance comprises: determining an available local source port that matches the selected queue, so that the complete user-space protocol stack instance completes the TCP three-way handshake using that local source port, wherein the local source port is determined as follows: constructing the connection five-tuple from the scanning task; determining a candidate source port that matches the target receive queue identifier; determining whether the candidate source port is occupied or otherwise unavailable; if not, taking the candidate source port as the local source port; if so, re-executing the step of determining a candidate source port matching the target receive queue identifier according to a fast prediction algorithm based on the palindromic symmetry rule.
  6. An adaptive scanning device, comprising a task acquisition module, an information judgment module, an instance determination module and a result return module; the task acquisition module is configured to acquire a scanning task aimed at a target network; the information judgment module is configured to determine, from the configuration information of the scanning task, whether the scanning task type is port-probe scanning or vulnerability scanning; the instance determination module is configured to determine a corresponding user-space protocol stack instance according to the scanning task type, wherein when the scanning task type is port-probe scanning a simple user-space protocol stack instance is selected; and the result return module is configured to execute the scan on the selected user-space protocol stack instance and return a scanning result, wherein a user-space protocol stack instance is a TCP/IP protocol stack instance implemented on a user-space networking framework and isolated from the kernel protocol stack, a plurality of user-space protocol stack instances run concurrently, and each user-space protocol stack instance is bound to its own CPU core and NIC receive queue.
  7. The device of claim 6, wherein the information judgment module is specifically configured to decide whether the scanning task type is port-probe scanning or vulnerability scanning according to any one of the following criteria: the core scanning policy of the scanning task; whether the scanning task needs to establish a complete TCP connection; and whether the scanning task needs to perform application-layer protocol interaction.
  8. The device of claim 6, wherein when the selected user-space protocol stack instance is the simple user-space protocol stack instance, the result return module is specifically configured to construct a TCP SYN packet carrying the target IP address and target port number from the configuration information of the scanning task, distribute the TCP SYN packet to an internal transmit queue of the simple user-space protocol stack instance according to a load-balancing policy so that the internal transmit queue sends the TCP SYN packet directly onto the network medium through the Data Plane Development Kit (DPDK), monitor returned network packets, and, if a returned packet is a SYN+ACK packet, record the corresponding five-tuple in a cache pool, wherein the five-tuple includes the target IP and the target port, and the target port is the scanning result.
  9. The device of claim 6, wherein when the selected user-space protocol stack instance is the complete user-space protocol stack instance, the result return module is specifically configured to initiate a creation request for a TCP socket, determine the complete user-space protocol stack instance and the receive queue bound to it, route the TCP socket creation request to the complete user-space protocol stack instance so that it creates a corresponding socket context structure for the TCP socket, complete the TCP three-way handshake inside the complete user-space protocol stack instance by invoking a connect operation so as to establish a connection between the complete user-space protocol stack instance and the target service, determine whether the target service is vulnerable from the data returned over that connection, and generate a vulnerability diagnosis report, the vulnerability diagnosis report being the scanning result.
  10. The device of claim 9, wherein the result return module is specifically configured to determine an available local source port that matches the selected queue, so that the complete user-space protocol stack instance completes the TCP three-way handshake using that local source port, wherein a local source port determination unit is configured to construct the connection five-tuple from the scanning task, determine a candidate source port that matches the target receive queue identifier, determine whether the candidate source port is occupied or otherwise unavailable, take the candidate source port as the local source port if not, and, if so, re-execute the step of determining a candidate source port matching the target receive queue identifier according to a fast prediction algorithm based on the palindromic symmetry rule.
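Claims 5 and 10, and the abstract's "reply packet mismatch", all turn on one constraint: an instance pinned to its own core and NIC receive queue only sees the SYN+ACK for a connection if the NIC steers that reply to its queue. The NIC picks the queue with RSS, a Toeplitz hash over the reply's five-tuple indexed into a redirection table, so the only field the scanner controls is its local source port. The C program below is an added example, not code from the patent or its assignees. It implements the Toeplitz hash and checks it against the published Microsoft/DPDK test vector, models the redirection table as a round-robin fill over the queues (an assumption; a real deployment reads the programmed table back from the driver), and searches for a free source port whose reverse tuple lands on the wanted queue, skipping occupied candidates as claim 5 describes. It also shows why the symmetric key (0x6d5a repeated) is useful here: with it a flow and its reverse hash identically, so an instance can classify its own outgoing tuple. The page does not describe the patent's "fast prediction algorithm"; the linear search is a plain stand-in, not a reconstruction of it. The addresses and ports are made up.

```c
/* RSS-aware local source-port selection for a scanner whose user-space stack
 * instances are each pinned to one CPU core and one NIC receive queue.
 * Added example, not the patent's implementation; addresses are made up. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                          ((uint32_t)(c) << 8) | (uint32_t)(d))
#define RSS_KEY_LEN 40

/* Default 40-byte key from the Microsoft RSS specification (DPDK's default too). */
static const uint8_t rss_key_default[RSS_KEY_LEN] = {
    0x6d, 0x5a, 0x56, 0xda, 0x25, 0x5b, 0x0e, 0xc2, 0x41, 0x67, 0x25, 0x3d, 0x43, 0xa3, 0x8f, 0xb0,
    0xd0, 0xca, 0x2b, 0xcb, 0xae, 0x7b, 0x30, 0xb4, 0x77, 0xcb, 0x2d, 0xa3, 0x80, 0x30, 0xf2, 0x0c,
    0x6a, 0x42, 0xb7, 0x3b, 0xbe, 0xac, 0x01, 0xfa };

/* Symmetric key (0x6d5a repeated): a flow and its reverse hash to the same value. */
static const uint8_t rss_key_symmetric[RSS_KEY_LEN] = {
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a };

static int key_bit(const uint8_t *key, size_t n)
{
    return n < RSS_KEY_LEN * 8 ? (key[n >> 3] >> (7 - (n & 7))) & 1 : 0;
}

/* Toeplitz hash: XOR, for every set input bit i, the 32-bit key window starting at bit i. */
uint32_t toeplitz_hash(const uint8_t *key, const uint8_t *data, size_t len)
{
    uint32_t window = 0, result = 0;
    size_t n;
    for (n = 0; n < 32; n++)
        window = (window << 1) | (uint32_t)key_bit(key, n);
    for (n = 0; n < len * 8; n++) {
        if ((data[n >> 3] >> (7 - (n & 7))) & 1)
            result ^= window;
        window = (window << 1) | (uint32_t)key_bit(key, n + 32);   /* slide window to bit n+1 */
    }
    return result;
}

/* Hash input in the order the NIC uses: src IP, dst IP, src port, dst port, big-endian. */
uint32_t rss_hash_tcp4(const uint8_t *key, uint32_t sip, uint32_t dip, uint16_t sp, uint16_t dp)
{
    uint8_t buf[12] = { (uint8_t)(sip >> 24), (uint8_t)(sip >> 16), (uint8_t)(sip >> 8), (uint8_t)sip,
                        (uint8_t)(dip >> 24), (uint8_t)(dip >> 16), (uint8_t)(dip >> 8), (uint8_t)dip,
                        (uint8_t)(sp >> 8), (uint8_t)sp, (uint8_t)(dp >> 8), (uint8_t)dp };
    return toeplitz_hash(key, buf, sizeof buf);
}

/* The NIC indexes its redirection table (RETA) with the low bits of the hash.
 * Assumption: the table is filled round-robin over the queues (the usual default). */
unsigned rss_queue(uint32_t hash, unsigned reta_size, unsigned nqueues)
{
    return (hash & (reta_size - 1)) % nqueues;      /* reta_size is a power of two */
}

/* Queue on which the reply from target_ip:target_port to local_ip:sport will land:
 * the reply's five-tuple is the reverse of the probe's. */
unsigned reply_queue(const uint8_t *key, unsigned reta_size, unsigned nqueues,
                     uint32_t local_ip, uint16_t sport, uint32_t target_ip, uint16_t target_port)
{
    return rss_queue(rss_hash_tcp4(key, target_ip, local_ip, target_port, sport), reta_size, nqueues);
}

/* First free ephemeral port whose reply lands on want_queue; in_use is an optional
 * 65536-bit occupancy bitmap. Returns 0 if none exists. Linear search stands in for
 * the patent's fast prediction algorithm, which the page does not describe. */
uint16_t pick_source_port(const uint8_t *key, unsigned reta_size, unsigned nqueues,
                          uint32_t local_ip, uint32_t target_ip, uint16_t target_port,
                          unsigned want_queue, const uint8_t *in_use)
{
    unsigned p;
    for (p = 1024; p < 65536; p++) {
        if (in_use && (in_use[p >> 3] & (1u << (p & 7))))
            continue;                                   /* occupied: try the next candidate */
        if (reply_queue(key, reta_size, nqueues, local_ip, (uint16_t)p, target_ip, target_port) == want_queue)
            return (uint16_t)p;
    }
    return 0;
}

/* With the symmetric key an instance can hash its own outgoing tuple and know the
 * reply's queue without reversing the tuple first. */
int symmetric_key_holds(uint32_t sip, uint32_t dip, uint16_t sp, uint16_t dp)
{
    return rss_hash_tcp4(rss_key_symmetric, sip, dip, sp, dp) ==
           rss_hash_tcp4(rss_key_symmetric, dip, sip, dp, sp);
}

int main(void)
{
    uint8_t in_use[8192] = { 0 };
    uint32_t local = IPV4(10, 0, 0, 2), target = IPV4(192, 0, 2, 10);   /* made-up addresses */
    uint16_t sp = pick_source_port(rss_key_default, 128, 4, local, target, 443, 3, in_use);
    in_use[sp >> 3] |= (uint8_t)(1u << (sp & 7));   /* mark it taken; the next pick must move on */
    printf("first pick %u, next pick %u (both reply on queue 3)\n", (unsigned)sp,
           (unsigned)pick_source_port(rss_key_default, 128, 4, local, target, 443, 3, in_use));
    return 0;
}
```

The search costs at most one hash per candidate port, and with four queues about one candidate in four qualifies, so in practice it terminates after a handful of iterations; the occupancy bitmap is what a full stack instance would consult for its own bound ports.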

Description

Self-adaptive scanning method and device

Technical Field

The present application relates to the field of network security technologies, and in particular to an adaptive scanning method and device.

Background

As networks continue to grow, network scanning has become an indispensable core technology in network security protection systems. Its core function is to detect the port open state, the running services and the vulnerabilities of a target network, giving system administrators the basis for security assessment and vulnerability remediation. Current network scanning tasks fall mainly into two types, port-probe scanning and vulnerability scanning. The prior art, however, cannot accurately distinguish these two task scenarios and route each to a protocol stack instance adapted to it, and therefore has clear scenario-adaptation deficiencies.

Disclosure of Invention

To address these problems, the application provides an adaptive scanning method and device that accurately distinguish port-probe scanning tasks from vulnerability scanning tasks and route each to an adapted protocol stack instance for processing.
The embodiments of the application disclose the following technical solutions.

In a first aspect, the application discloses an adaptive scanning method, the method comprising: acquiring a scanning task aimed at a target network; determining, from the configuration information of the scanning task, whether the scanning task type is port-probe scanning or vulnerability scanning; determining a corresponding user-space protocol stack instance according to the scanning task type, wherein when the scanning task type is port-probe scanning a simple user-space protocol stack instance is selected; and executing the scan on the selected user-space protocol stack instance and returning a scanning result, wherein a user-space protocol stack instance is a TCP/IP protocol stack instance implemented on a user-space networking framework and isolated from the kernel protocol stack, a plurality of user-space protocol stack instances run concurrently, and each user-space protocol stack instance is bound to its own CPU core and NIC receive queue.

Optionally, determining, from the configuration information of the scanning task, whether the scanning task type is port-probe scanning or vulnerability scanning includes: deciding the type according to any one of the following criteria: the core scanning policy of the scanning task; whether the scanning task needs to establish a complete TCP connection; and whether the scanning task needs to perform application-layer protocol interaction.
Optionally, when the selected user-space protocol stack instance is the simple user-space protocol stack instance, executing the scan on the selected instance and returning a scanning result includes: constructing a TCP SYN packet carrying the target IP address and target port number from the configuration information of the scanning task; distributing the TCP SYN packet to an internal transmit queue of the simple user-space protocol stack instance according to a load-balancing policy, so that the internal transmit queue sends the TCP SYN packet directly onto the network medium through the Data Plane Development Kit (DPDK); monitoring returned network packets; and, if a returned packet is a SYN+ACK packet, recording the corresponding five-tuple in a cache pool, wherein the five-tuple includes the target IP and the target port, and the target port is the scanning result.

Optionally, when the selected user-space protocol stack instance is the complete user-space protocol stack instance, executing the scan on the selected instance and returning a scanning result includes: initiating a creation request for a TCP socket; determining the complete user-space protocol stack instance and the receive queue bound to it; routing the TCP socket creation request to the complete user-space protocol stack instance, so that it creates a corresponding socket context structure for the TCP socket; completing the TCP three-way handshake inside the complete user-space protocol stack instance by invoking a connect operation to establish a connection between the complete user-space protocol stack instance and a
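The simple-instance flow above (also claims 3 and 8) is a stateless SYN scan: emit a SYN, watch for a SYN+ACK, record the five-tuple. Because the simple instance keeps no connection state, it must still decide whether a SYN+ACK really answers one of its own probes; otherwise stray, replayed or spoofed segments end up in the result cache as "open" ports. The standard way to do that is to make the initial sequence number a keyed cookie of the five-tuple and accept only replies whose acknowledgement number equals cookie+1. The C program below is an added example, not code from the patent or its assignees: it builds the SYN segment with a valid TCP checksum, constructs a sample target reply offline, verifies the reply's checksum, and classifies SYN+ACK as open, RST as closed and anything with the wrong acknowledgement number as not ours. The secret, the addresses 10.0.0.2 and 192.0.2.10, the ports and the murmur3-style mixer are all assumptions made for the example; a production scanner would key a proper PRF with a CSPRNG-drawn secret.

```c
/* Stateless SYN probing with a keyed ISN cookie: only SYN+ACK or RST segments that
 * answer one of our probes are recorded. Added example, not the patent's code;
 * addresses, ports and the secret are made up. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                          ((uint32_t)(c) << 8) | (uint32_t)(d))
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

struct probe_result { uint32_t target_ip, local_ip; uint16_t target_port, local_port; int open; };

static uint32_t cookie_secret = 0x5eed1234u;   /* hypothetical; draw it from a CSPRNG per run */

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

static uint32_t mix32(uint32_t h)   /* murmur3 finaliser: a bijective 32-bit mixer */
{
    h ^= h >> 16; h *= 0x85ebca6bu; h ^= h >> 13; h *= 0xc2b2ae35u; return h ^ (h >> 16);
}

/* ISN for a probe, bound to both endpoints and the per-run secret. */
uint32_t syn_cookie(uint32_t target_ip, uint16_t target_port, uint32_t local_ip, uint16_t local_port)
{
    uint32_t h = mix32(cookie_secret ^ target_ip);
    h = mix32(h ^ local_ip);
    return mix32(h ^ (((uint32_t)target_port << 16) | local_port));
}

/* Internet checksum over p[0..len) folded into a running sum; verifying a correct
 * header (checksum field included) yields 0. */
static uint16_t csum16(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len) sum += (uint32_t)(p[0] << 8);
    while (sum >> 16) sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

static uint32_t pseudo_sum(uint32_t s, uint32_t d, uint16_t l)   /* TCP pseudo-header: src, dst, proto 6, length */
{ return (s >> 16) + (s & 0xffffu) + (d >> 16) + (d & 0xffffu) + 6u + l; }

/* 20-byte TCP SYN (no options) with the cookie as ISN and a valid checksum. */
size_t build_syn(uint8_t *out, uint32_t local_ip, uint16_t local_port, uint32_t target_ip, uint16_t target_port)
{
    memset(out, 0, 20);
    put16(out, local_port); put16(out + 2, target_port);
    put32(out + 4, syn_cookie(target_ip, target_port, local_ip, local_port));
    out[12] = 5 << 4; out[13] = TH_SYN; put16(out + 14, 65535);
    put16(out + 16, csum16(out, 20, pseudo_sum(local_ip, target_ip, 20)));
    return 20;
}

/* Classify a received IPv4/TCP packet: returns 1 and fills *r when it answers one of
 * our probes (SYN+ACK = open, RST = closed); 0 for anything else, including stray or
 * spoofed segments whose ACK number is not cookie+1. */
int handle_reply(const uint8_t *pkt, size_t len, uint32_t local_ip, struct probe_result *r)
{
    size_t ihl, tlen; const uint8_t *tcp; uint32_t sip, dip, ack; uint16_t sport, dport; uint8_t flags;
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6) return 0;       /* truncated or not TCP */
    sip = get32(pkt + 12); dip = get32(pkt + 16);
    if (dip != local_ip) return 0;
    tcp = pkt + ihl; tlen = len - ihl;
    if (csum16(tcp, tlen, pseudo_sum(sip, dip, (uint16_t)tlen)) != 0) return 0;   /* bad TCP checksum */
    sport = get16(tcp); dport = get16(tcp + 2); ack = get32(tcp + 8); flags = tcp[13];
    if (!(flags & TH_ACK) || ack != syn_cookie(sip, sport, dip, dport) + 1) return 0;  /* not ours */
    r->target_ip = sip; r->local_ip = dip; r->target_port = sport; r->local_port = dport;
    if ((flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) { r->open = 1; return 1; }
    if (flags & TH_RST) { r->open = 0; return 1; }
    return 0;
}

/* Constructed target reply (IPv4 + TCP header, 40 bytes) for offline use. */
size_t make_reply(uint8_t *out, uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport, uint32_t ack, uint8_t flags)
{
    uint8_t *t = out + 20;
    memset(out, 0, 40);
    out[0] = 0x45; put16(out + 2, 40); out[8] = 64; out[9] = 6;
    put32(out + 12, sip); put32(out + 16, dip); put16(out + 10, csum16(out, 20, 0));
    put16(t, sport); put16(t + 2, dport); put32(t + 4, 0x12345678u); put32(t + 8, ack);
    t[12] = 5 << 4; t[13] = flags; put16(t + 14, 65535);
    put16(t + 16, csum16(t, 20, pseudo_sum(sip, dip, 20)));
    return 40;
}

/* Probe 192.0.2.10:443 from 10.0.0.2:40000, then feed back a reply that acknowledges
 * isn+ack_delta with the given flags. Returns -1 if rejected, else open (1) / closed (0). */
int simulate(uint32_t ack_delta, uint8_t flags)
{
    uint32_t local = IPV4(10, 0, 0, 2), target = IPV4(192, 0, 2, 10);
    uint8_t syn[20], reply[40];
    struct probe_result r;
    build_syn(syn, local, 40000, target, 443);
    make_reply(reply, target, 443, local, 40000, get32(syn + 4) + ack_delta, flags);
    return handle_reply(reply, sizeof reply, local, &r) ? r.open : -1;
}
```

In a DPDK pipeline `build_syn` would fill an mbuf behind an IPv4 header on the transmit queue and `handle_reply` would run over each received mbuf; only accepted results are written to the cache pool, and the cookie check is what keeps that pool free of segments the scanner never solicited.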