
CN-121984787-A - Construction method, construction device, computer equipment and medium of network asset fingerprint


Abstract

The embodiment of the invention provides a method, a device, computer equipment and a medium for constructing network asset fingerprints. The method comprises the steps of generating initial structured fingerprint data based on basic asset information; matching the known fingerprint information in the initial structured fingerprint data against the trigger rules in the configuration information of all tools; scheduling the successfully matched tools to scan the target network asset; updating the fingerprint information scanned by the scheduled tools into the structured fingerprint data; monitoring the structured fingerprint data for updates and recursively trigger-scheduling the tools according to the updated incremental data; and ending the scanning task once it is detected that the structured fingerprint data is no longer being updated or that the updated incremental data matches the trigger rules of none of the tools, at which point the current structured fingerprint data is taken as the final network asset fingerprint of the target network asset. The scheme improves the effectiveness and accuracy of scanning, and thereby the resource efficiency or the scanning accuracy.

Inventors

  • Xiong Fangchengcheng
  • Li Ning
  • Li Ji
  • Zhao Yuanjie
  • Li Ke
  • Chen Youlei
  • Liang Lulu
  • Hu Wei

Assignees

  • 北京源堡科技有限公司

Dates

Publication Date: 2026-05-05
Application Date: 2026-04-07

Claims (10)

  1. A method for constructing a network asset fingerprint, comprising: receiving basic asset information of an input target network asset and generating initial structured fingerprint data based on the basic asset information, wherein the structured fingerprint data comprises a plurality of structural layers related to the target network asset, each structural layer comprises one or more sub-data structures, and each sub-data structure comprises one type of fingerprint information item of that structural layer; matching the known fingerprint information in the initial structured fingerprint data against the trigger rules in the configuration information of all tools, scheduling the successfully matched tools to scan the target network asset, updating the fingerprint information scanned by the scheduled tools into the structured fingerprint data, monitoring the structured fingerprint data for data updates, recursively trigger-scheduling the tools according to the updated incremental data and updating the structured fingerprint data according to the fingerprint information output by the scheduled tools, wherein the configuration information of each tool is input by a user, and the trigger rules comprise a mapping between a logical relation over one or more fingerprint information items in the structured fingerprint data and each tool; and ending the scanning task once it is detected that the data in the structured fingerprint data is no longer updated or that the updated incremental data matches the trigger rules of none of the tools, and taking the current structured fingerprint data as the final network asset fingerprint of the target network asset, wherein the final network asset fingerprint is a three-dimensional network asset fingerprint capable of reflecting the internal logical dependency relationships of the target network asset.
  2. The method of claim 1, wherein monitoring the structured fingerprint data for data updates, recursively trigger-scheduling the tools based on the updated incremental data, and updating the structured fingerprint data based on the fingerprint information output by the scheduled tools comprises executing the following steps in a loop until it is detected that the data in the structured fingerprint data is no longer updated or that the updated incremental data matches the trigger rules of none of the tools: monitoring whether the data in the current structured fingerprint data has been updated; if so, matching the updated incremental data against the trigger rules in the configuration information of each tool, and scheduling the tools to execute scanning operations on the target network asset according to the scheduling strategy in the configuration information of each successfully matched tool, wherein the scheduling strategy comprises the scheduling mode of the tool and the parameters to be passed to it; and updating the scanned fingerprint information into the data of the fingerprint information items of the corresponding sub-data structures of the corresponding structural layers in the structured fingerprint data according to the parsing configuration in the configuration information of the scheduled tool, wherein the parsing configuration defines how the output data of the tool is acquired and the operation strategy applied to that output data.
  3. The method of claim 2, wherein updating the scanned fingerprint information into the data of the fingerprint information items of the corresponding sub-data structures of the corresponding structural layers in the structured fingerprint data according to the parsing configuration in the configuration information of the scheduled tool comprises: each scheduled tool outputting fingerprint information together with a corresponding confidence; and updating the data of the fingerprint information items of the corresponding sub-data structures of the corresponding structural layers in the structured fingerprint data based on the fingerprint information whose confidence satisfies the confidence requirement in the configuration information of the scheduled tool.
  4. The method of claim 3, wherein updating the data of the fingerprint information items of the corresponding sub-data structures of the corresponding structural layers in the structured fingerprint data based on the fingerprint information whose confidence satisfies the confidence requirement in the configuration information of the scheduled tool comprises: calculating a posterior confidence of the fingerprint information from the prior confidence of the tool provided in the configuration information of the scheduled tool and the actual confidence of the fingerprint information output by the tool; and comparing the posterior confidence with the confidence threshold of the corresponding fingerprint information item in the structured fingerprint data, and updating the data of the fingerprint information item of the corresponding sub-data structure of the corresponding structural layer in the structured fingerprint data based on the fingerprint information whose posterior confidence exceeds the confidence threshold.
  5. The method of any one of claims 1 to 4, wherein generating initial structured fingerprint data based on the basic asset information comprises: generating a plurality of structural layers comprising a base structural layer, a transport structural layer and an application structural layer; generating a plurality of first sub-data structures in the base structural layer, comprising a basic attribute data structure, a physical device data structure and an operating system data structure; generating a plurality of second sub-data structures in the transport structural layer, comprising a transport protocol data structure and an encryption protocol data structure; and generating a plurality of third sub-data structures in the application structural layer, comprising an application protocol data structure, a product data structure and a component data structure.
  6. The method of claim 5, wherein the tools comprise an asset discovery tool, a fingerprint identification tool and a scanning tool.
  7. A device for constructing a network asset fingerprint, comprising: an input module for receiving basic asset information of an input target network asset and generating initial structured fingerprint data based on the basic asset information, wherein the structured fingerprint data comprises a plurality of structural layers related to the target network asset, each structural layer comprises one or more sub-data structures, and each sub-data structure comprises one type of fingerprint information item of the corresponding structural layer; a scheduling module for matching the known fingerprint information in the initial structured fingerprint data against the trigger rules in the configuration information of all tools, scheduling the successfully matched tools to scan the target network asset, updating the fingerprint information scanned by the scheduled tools into the structured fingerprint data, monitoring the structured fingerprint data for data updates, recursively trigger-scheduling the tools according to the updated incremental data and updating the structured fingerprint data according to the fingerprint information output by the scheduled tools, wherein the configuration information of each tool is input by a user, and the trigger rules comprise a mapping between one or more fingerprint information items in the structured fingerprint data and each tool; and a fingerprint construction module for ending the scanning task once it is detected that the data in the structured fingerprint data is no longer updated or that the updated incremental data matches the trigger rules of none of the tools, and taking the current structured fingerprint data as the final network asset fingerprint of the target network asset, wherein the final network asset fingerprint is a three-dimensional network asset fingerprint capable of reflecting the internal logical dependency relationships of the target network asset.
  8. The device of claim 7, wherein the scheduling module is configured to execute the following steps in a loop until it is detected that the data in the structured fingerprint data is no longer updated or that the updated incremental data matches the trigger rules of none of the tools: monitoring whether the data in the current structured fingerprint data has been updated; if so, matching the updated incremental data against the trigger rules in the configuration information of each tool, and scheduling the tools to execute scanning operations on the target network asset according to the scheduling strategy in the configuration information of each successfully matched tool, wherein the scheduling strategy comprises the scheduling mode of the tool and the parameters to be passed to it; and updating the scanned fingerprint information into the data of the fingerprint information items of the corresponding sub-data structures of the corresponding structural layers in the structured fingerprint data according to the parsing configuration in the configuration information of the scheduled tool, wherein the parsing configuration defines how the output data of the tool is acquired and the operation strategy applied to that output data.
  9. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterised in that the processor implements the method of constructing a network asset fingerprint according to any one of claims 1 to 6 when executing the computer program.
  10. A computer-readable storage medium, characterised in that it stores a computer program which, when executed, performs the method of constructing a network asset fingerprint according to any one of claims 1 to 6.
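As an added illustration (this is not code from the patent or from the assignee), the following Python sketch implements the recursive trigger-scheduling loop of claims 1 to 5 over an in-memory structured fingerprint: each tool declares which fingerprint items its trigger rule reads and a logical condition over them; a tool is scheduled only when all of those items are known, at least one of them is in the incremental data of the last round, and the condition holds; each item a tool outputs gets a posterior confidence that is checked against a per-item threshold before being written back; and the loop ends when a round produces no update or no rule matches. The layer and sub-structure names follow claim 5; the tool names, ports, stubbed scanner outputs, confidence values, thresholds, the `max_rounds` guard and the product formula for the posterior are constructed assumptions, not anything the patent specifies.

```python
from dataclasses import dataclass
from typing import Callable

# A fingerprint information item is addressed by (structural layer, sub-data structure, item name).
Item = tuple[str, str, str]
# Structured fingerprint: item -> (value, confidence). Only accepted items are stored.
Fingerprint = dict[Item, tuple[object, float]]

# Claim 5: the three structural layers and their sub-data structures.
LAYERS = {
    "base": ("attributes", "device", "os"),
    "transport": ("protocol", "encryption"),
    "application": ("protocol", "product", "component"),
}
DEFAULT_THRESHOLD = 0.5
# Per-item confidence thresholds (claim 4); the values are assumptions for this illustration.
ITEM_THRESHOLDS = {("application", "product", "web_server"): 0.6}


@dataclass(frozen=True)
class Tool:
    """Per-tool configuration as a user would supply it (claims 1 to 4)."""
    name: str
    requires: tuple[Item, ...]                        # items the trigger rule reads (all must be known)
    condition: Callable[[dict[Item, object]], bool]   # logical relation over those items' values
    scan: Callable[[dict[Item, object]], list[tuple[Item, object, float]]]  # stub: (item, value, confidence)
    prior: float                                      # prior confidence of the tool


def initial_fingerprint(ip: str) -> Fingerprint:
    """Only the user-supplied basic attribute is known at the start; it gets full confidence."""
    return {("base", "attributes", "ip"): (ip, 1.0)}


def posterior(tool_prior: float, actual: float) -> float:
    # Claim 4 derives a posterior from the tool's prior and the output's actual
    # confidence but fixes no formula; the product is an assumption made here.
    return round(tool_prior * actual, 4)


def build_fingerprint(start: Fingerprint, tools: tuple[Tool, ...], max_rounds: int = 50):
    """Recursive trigger-scheduling loop of claims 1 and 2. Returns the final
    fingerprint and a trace of (tool, item, decision, posterior) per scanned item."""
    fp = dict(start)
    delta = set(fp)            # incremental data: initially the known items
    trace = []
    for _ in range(max_rounds):
        matched = []
        for tool in tools:
            # Trigger only when every input is known, at least one input changed
            # in the last round, and the rule's logical condition holds.
            if not all(k in fp for k in tool.requires) or not set(tool.requires) & delta:
                continue
            values = {k: fp[k][0] for k in tool.requires}
            if tool.condition(values):
                matched.append((tool, values))
        if not matched:
            break              # incremental data matches no trigger rule: stop
        delta = set()
        for tool, values in matched:
            for key, value, conf in tool.scan(values):
                layer, sub, _ = key
                if sub not in LAYERS.get(layer, ()):
                    raise ValueError(f"{tool.name}: unknown sub-data structure {key}")
                p = posterior(tool.prior, conf)
                if p <= ITEM_THRESHOLDS.get(key, DEFAULT_THRESHOLD):
                    trace.append((tool.name, key, "rejected", p))
                    continue   # confidence requirement not met: fingerprint unchanged
                if key in fp and fp[key][1] >= p:
                    continue   # an equally or more confident value already exists
                fp[key] = (value, p)
                delta.add(key)
                trace.append((tool.name, key, "updated", p))
        if not delta:
            break              # no data update: stop
    return fp, trace


# Constructed sample tools with stubbed scanners; no network traffic is generated.
IP = ("base", "attributes", "ip")
PORTS = ("transport", "protocol", "open_ports")
HTTP = ("application", "protocol", "http")
TOOLS = (
    Tool("port_scan", (IP,), lambda v: True,
         lambda v: [(PORTS, (22, 443, 3306), 0.95)], prior=0.9),
    Tool("tls_probe", (PORTS,), lambda v: 443 in v[PORTS],
         lambda v: [(("transport", "encryption", "tls"), "TLSv1.2", 0.9), (HTTP, "https", 0.9)], prior=0.9),
    Tool("mysql_probe", (PORTS,), lambda v: 3306 in v[PORTS],
         lambda v: [(("application", "product", "database"), "MySQL", 0.9)], prior=0.8),
    Tool("smb_probe", (PORTS,), lambda v: 445 in v[PORTS],   # precondition never established: never scheduled
         lambda v: [(("application", "product", "smb"), "SMB", 0.9)], prior=0.8),
    Tool("web_fingerprint", (HTTP,), lambda v: True,
         lambda v: [(("application", "product", "web_server"), "nginx", 0.8),
                    (("application", "component", "php"), "PHP", 0.3)], prior=0.9),  # PHP guess too weak
)


def run_demo(ip: str = "192.0.2.10"):
    return build_fingerprint(initial_fingerprint(ip), TOOLS)


if __name__ == "__main__":
    final, log = run_demo()
    for entry in log:
        print(entry)
    print(final)
```

Running the script traces four rounds: port_scan fires on the seed IP, tls_probe and mysql_probe fire on the newly learned open ports, web_fingerprint fires on the HTTPS protocol item, and the loop stops when the last update (the web server product) matches no rule. smb_probe is never scheduled because its precondition (port 445 open) is never established, and the low-confidence PHP guess is rejected instead of seeding further scans, which is exactly the wasted-scan and false-positive argument the background section makes against flat label mapping.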

Description

Construction method, construction device, computer equipment and medium of network asset fingerprint

Technical Field

The present invention relates to the field of network security scanning, and in particular to a method and apparatus for constructing a network asset fingerprint, a computer device, and a storage medium.

Background

In network security scanning, an asset fingerprint is not only a building block of the asset profile; it is also the key piece of information that links the discovery stage to the stages that follow it, allowing security operations and penetration-testing personnel to look for possible security flaws (vulnerabilities) on the basis of the known network assets. For example, if a Web service fingerprint is identified on the target asset, a Web application vulnerability scanner is invoked to run an automated scan for possible vulnerabilities; if a database service fingerprint is identified, a weak-password brute-force attempt is made to find the accounts that use weak passwords; and so on. However, no single network security scanning tool can discover every class of security flaw, so in practice, whether in security operations or in penetration testing, the personnel involved typically combine a large number of different tools to discover as many kinds of problems as possible.

These tools are built to differing development standards, so users can only invoke them in batches according to coarse classification rules. For example, both general-purpose Web vulnerability scanners and scanners specialised for particular Web applications are usually classified together as "Web vulnerability scanning" tools; once a Web application fingerprint has been found, every tool of that class is executed linearly, and the user must then integrate the tools' output to obtain a useful security assessment. Because there is no unified standard in this process, individual scanners find it difficult to make use of known, refined fingerprint information, and they cannot perform deeper scanning on the basis of what other scanners have already found. As a result, invalid scanning tasks may be run against assets that do not actually satisfy the preconditions of an attack, consuming resources without producing any output, or producing false positives because the preconditions were wrong.

As shown in fig. 1, an automated scanning system under the prior-art scheme generally comprises a user input module, an asset discovery module, a fingerprint identification module, a task scheduling module, a plug-in tool module, and a reporting module, where: the user input module receives the basic information supplied by the user, including IP addresses, domain names, website URLs and the like; the asset discovery module expands on the user's input to discover further network asset information; the fingerprint identification module identifies fingerprint characteristics of the network asset information and marks it with the corresponding fingerprint labels (tags); the task scheduling module is the key to the multi-tool invocation problem in this scheme and mainly realises relatively fine-grained, one-directional tool scheduling based on a preset label mapping (that is, the labels the fingerprint identification module attaches to an asset are mapped to different tools); and once label-mapping scheduling is complete, the system executes the various tools linearly, records their output, and finally provides the complete scan result to the user through the reporting module.

Compared with traditional cast-a-wide-net scheduling, this scheme can, through label-mapping management, alleviate to some extent the resource consumption and false-positive problems of the prior art, but it has the following defects:

1. To simplify label mapping in task scheduling, the output of the fingerprint identification module is usually a flat set of labels. This suits linear task execution, but it cannot express the inherent causal associations between different fingerprints, cannot give the user a multi-dimensional view of the information from a specialist's perspective, and is poorly suited to supporting higher-order decisions.

2. Linear execution inevitably creates data islands: the tools are isolated from one another with no data exchange, so a new finding made by one tool cannot be shared with the other tools to correct their execution preconditions and thereby improve resource efficiency or scanning accuracy.

3. State backtracking is difficult, because fingerprint identification in the prior art is stateless; if the