Behavior feedback-based network space mapping method and system for gateway device communication
By introducing a behavioral feedback mechanism and trapping nodes to obtain real access behavior, and dynamically adjusting the mapping strategy, the problem of inaccurate mapping results for key infrastructure equipment in existing technologies is solved. This enables accurate mapping and dynamic adaptation of key infrastructure equipment, improving the accuracy of mapping results and resource utilization efficiency.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- XI AN JIAOTONG UNIV
- Filing Date
- 2026-04-22
- Publication Date
- 2026-06-09
AI Technical Summary
Existing cyberspace mapping technologies lack the accuracy and specificity of mapping results in critical equipment scenarios, making it difficult to dynamically adapt to network changes, resulting in inaccurate risk assessments and wasted resources.
An intelligent surveying and mapping mechanism based on behavioral feedback is introduced. By acquiring surveying and mapping data of key equipment, suspected equipment is analyzed and screened. A trapping mechanism is introduced to obtain behavioral feedback information, and the surveying and mapping strategy is dynamically adjusted to improve the accuracy and practicality of the surveying and mapping results.
It enables accurate mapping of critical devices, distinguishes between network-exposed devices and attack targets, dynamically adapts to network changes, reduces the impact on device operation, and improves the accuracy of mapping results and resource utilization efficiency.
Smart Images

Figure CN122179230A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of electronic digital processing technology, specifically relating to a spatial mapping method and system for key-based device communication networks based on behavioral feedback. Background Technology
[0002] As critical infrastructure sectors such as energy, power, transportation, and industrial manufacturing connect to the internet or dedicated networks, the scale and complexity of critical information infrastructure equipment exposed in cyberspace are constantly increasing. In actual security operation and maintenance and supervision scenarios, relevant management units not only need to understand the distribution, communication protocols, and external service status of critical infrastructure equipment in cyberspace, but also need to assess their potential security risks to provide a basis for compliance inspections and protection decisions. Therefore, technical personnel are required to conduct continuous and accurate cyberspace mapping of network assets in critical infrastructure scenarios without affecting the operation of existing network services.
[0003] Existing cyberspace mapping technologies primarily rely on active scanning or passive data collection methods to identify the IP (Internet Protocol), port, and protocol characteristics of network assets. While these technologies can achieve asset visibility, they still have significant shortcomings in critical infrastructure device scenarios. On the one hand, mapping results mainly reflect the network reachability of assets, making it difficult to distinguish between devices that are merely statically exposed and high-risk devices that have been actively targeted by attackers, resulting in inaccurate risk assessments. On the other hand, general scanning strategies do not fully consider the differences in communication protocols, service interactions, and operational characteristics of critical infrastructure devices, easily leading to misidentification or omissions, and potentially impacting the stable operation of these devices. Furthermore, existing mapping processes often employ fixed cycles and strategies, resulting in static mapping results that fail to reflect the exposure status and risk changes of critical infrastructure devices in cyberspace in a timely manner.
[0004] The root cause of the aforementioned problems lies in the lack of differentiated design for the characteristics of key-point equipment in existing surveying and mapping schemes, and the absence of an effective feedback mechanism for dynamic optimization of surveying and mapping strategies. Therefore, it is necessary to propose a spatial surveying method for key-point equipment communication networks based on behavioral feedback. By optimizing and adjusting the surveying and mapping process, the accuracy and practicality of key-point equipment surveying results can be improved to better meet actual business needs. Summary of the Invention
[0005] The purpose of this invention is to overcome the problems of insufficient accuracy, lack of specificity, and inability to dynamically adapt to network changes in existing cyberspace mapping technologies for critical infrastructure devices. This invention provides a method and system for cyberspace mapping of communication networks for critical infrastructure devices based on behavioral feedback. Building upon traditional cyberspace mapping, this method introduces an intelligent mapping mechanism tailored to the characteristics of critical infrastructure devices, achieving accurate mapping of these devices through a multi-stage collaborative approach.
[0006] To achieve the above objectives, the present invention adopts the following technical solution: In a first aspect, the present invention provides a spatial mapping method for key-based device communication networks based on behavioral feedback, comprising the following steps: Acquire survey data of key infrastructure equipment; The obtained mapping data of key infrastructure equipment is analyzed and processed to identify and screen suspected key infrastructure equipment, and the mapping data is classified and labeled to obtain the classification and labeling results of different mapping objects; the mapping objects are network communication entities identified in the mapping process. The surveying strategy parameters are obtained based on the classification and identification results of different surveying objects; For suspected key-point devices that have been identified and screened, a trapping mechanism is introduced to generate a trapping strategy. The deployed trapping nodes obtain behavioral feedback information that can reflect the real access and supply behavior. Based on the surveying strategy parameters and behavioral feedback information, the current surveying strategy is dynamically adjusted to obtain the dynamically adjusted surveying strategy. Based on the dynamically adjusted mapping strategy, cyberspace mapping is performed to obtain the cyberspace mapping results of key equipment.
[0007] In the step of acquiring the mapping data of the key infrastructure device, the acquired mapping data of the key infrastructure device includes: network IP address and connectivity status, port open status, communication protocol response characteristics, service interaction information, and mapping cycle.
[0008] The method for parsing and processing the acquired mapping data of key infrastructure equipment, identifying and screening suspected key infrastructure equipment, and classifying and labeling the mapping data to obtain classification and labeling results for different mapping objects is as follows: Based on the pre-established key infrastructure equipment characteristic rules, the communication protocol response characteristics and service interaction information contained in the mapping data are compared and analyzed with the characteristics that meet industrial control requirements to screen out suspected key infrastructure equipment, and the mapping data is classified and labeled to obtain classification and labeling results for different mapping objects.
[0009] The method for obtaining surveying strategy parameters based on the classification and identification results of different surveying objects is as follows: For each surveying object, maintain its surveying status record in different surveying cycles, and treat the network communication entity that is continuously surveyed as an asset. The asset has an identifiable network IP address, communication protocol response characteristics, or service interaction characteristics. By comparing the surveying status records of adjacent surveying periods, the changes in the surveying status records of the surveyed object within adjacent periods are obtained, and the changes in the surveying status records are converted into change indicators used to characterize the stability or volatility of assets. After obtaining the change indicators, and combining the classification and identification results of the surveyed objects, differentiated weight parameters are allocated to different categories of assets. Based on the aforementioned change indicators and weight parameters, the mapping priority corresponding to each mapping object is calculated. Based on the surveying priority, the surveying object is mapped to a preset strategy range, and corresponding surveying strategy parameters are generated.
[0010] The method for introducing a trapping mechanism to generate a trapping strategy for the identified and screened suspected key-point devices, and obtaining behavioral feedback information that can reflect the actual access and supply behavior through the deployed trapping nodes, is as follows: Based on the mapping data of suspected key equipment, a corresponding trapping strategy is generated; The trapping strategy is distributed to the trapping nodes; After receiving the trapping strategy, the trapping node simulates the corresponding protocol or service interaction process to obtain behavioral feedback information that can reflect the real access and supply behavior.
[0011] After receiving the trapping strategy, the trapping node simulates the corresponding protocol or service interaction process according to the trapping strategy to obtain behavioral feedback information that can reflect the actual access and supply behavior. The method is as follows: When the trapping strategy reaches the trapping node, the trapping node establishes a communication connection with the access party according to the preset interaction rules. Without affecting the real business system, it responds to the access request, thereby undertaking scanning, probing or attack behavior against key devices.
[0012] The method for dynamically adjusting the current surveying strategy based on the surveying strategy parameters and behavioral feedback information to obtain the dynamically adjusted surveying strategy is as follows: When the access or attack attention of a certain type of surveying object exceeds a preset threshold, the priority of that type of surveying object in subsequent surveying tasks is increased, and the surveying frequency or detection depth is increased; when the surveying object remains stable and no abnormal behavior feedback is observed, its surveying frequency is reduced.
[0013] Secondly, the present invention provides a spatial mapping system for key-based device communication networks based on behavioral feedback, comprising: The scanning execution module is used to acquire survey data of key infrastructure equipment; The key-based identification and classification module is used to analyze and process the acquired mapping data of key-based devices, identify and screen out suspected key-based devices, and classify and label the mapping data to obtain classification and labeling results for different mapping objects; the mapping objects are network communication entities identified during the mapping process. The surveying strategy generation module obtains surveying strategy parameters based on the classification and identification results of different surveying objects. The trapping linkage and behavior feedback processing module is used to introduce a trapping mechanism to generate a trapping strategy for suspected key devices that have been identified and screened. It obtains behavior feedback information that can reflect real access and supply behavior through the deployed trapping nodes. The intelligent strategy engine module is used to dynamically adjust the current surveying strategy based on the surveying strategy parameters and behavioral feedback information, so as to obtain the dynamically adjusted surveying strategy. The execution module is used to perform cyberspace mapping based on the dynamically adjusted mapping strategy and obtain the cyberspace mapping results of key equipment.
[0014] Thirdly, the present invention provides an electronic device including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform steps of a spatial mapping method for a key-based device communication network based on behavioral feedback.
[0015] Fourthly, the present invention provides a storage medium storing a computer program thereon, wherein the computer program, when executed by a processor, implements the steps of a behavior feedback-based spatial mapping method for communication networks of key-based devices.
[0016] Compared with the prior art, the present invention has the following beneficial effects: This invention provides a network space mapping method for key-based devices (KPDs) based on behavioral feedback. It categorizes suspected KPDs by their network IP addresses, connectivity status, port openness, communication protocol response characteristics, and service interaction information, and matches different mapping strategies to different levels of KPDs. This ensures mapping effectiveness while reducing the impact on the operational stability of KPDs. Access behaviors and interaction characteristics collected by decoy nodes are incorporated into the network space mapping process. By analyzing the correlation between decoy behaviors and the characteristics of the mapped objects, the mapping results are verified and corrected, enabling the mapping results to distinguish between KPDs that are merely exposed on the network and those that have been attacked and targeted, thus improving the accuracy of the mapping results. Furthermore, this invention continuously accumulates and analyzes historical mapping data and decoy feedback information, dynamically adjusting the scanning frequency, scanning order, and mapping range during the mapping process. This allows the mapping process to adaptively optimize with changes in the network space environment, avoiding mapping delays or resource waste caused by fixed strategies.
[0017] Furthermore, this invention does not rely solely on a single, fixed scanning strategy to identify cyberspace assets. Instead, it uses key-point devices as the core mapping object and combines their communication protocols, service characteristics, and operational features to construct a differentiated mapping process. During the mapping process, by analyzing historical mapping results and interaction behavior characteristics, the scanning strategy, mapping sequence, and mapping depth are intelligently adjusted, thereby improving the accuracy of key-point device identification without affecting the normal operation of the key-point devices.
[0018] Furthermore, this invention introduces a behavioral feedback mechanism based on decoys during the mapping process, using abnormal access or attack behaviors in cyberspace as important references for the mapping results, thereby correcting and optimizing the mapping conclusions. Through this method, this invention achieves dynamic mapping of the cyberspace status of critical infrastructure devices, enabling the mapping results to not only reflect the objective existence of these devices but also their risk characteristics in the real network environment, thus meeting the requirements of actual business operations for the accuracy and practicality of critical infrastructure device mapping.
[0019] Furthermore, when outputting the surveying results, this invention not only provides basic asset information of key equipment, but also combines the feature information obtained during the surveying process and the trapping behavior to associate and identify the potential risk status of key equipment, so that the surveying results can directly serve subsequent security assessments and protection decisions. Attached Figure Description
[0020] Figure 1 This is a schematic diagram of the method flow of the present invention; Figure 2 This is the topology diagram in Embodiment 2 of the present invention; Figure 3 This is a system diagram of Embodiment 3 of the present invention. Detailed Implementation
[0021] To further understand the content of this invention, the invention will be described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the embodiments are merely illustrative and not limiting of the invention.
[0022] Example 1 A method for spatial mapping of key-based device communication networks based on behavioral feedback includes the following steps: S1: Obtain survey data for key infrastructure equipment; S2: The obtained mapping data of key infrastructure equipment is analyzed and processed to identify and screen suspected key infrastructure equipment, and the mapping data is classified and labeled to obtain the classification and labeling results of different mapping objects; the mapping objects are the network communication entities identified in the mapping process. S3: Obtain surveying strategy parameters based on the classification and identification results of different surveying objects; S4: For suspected key-based devices that have been identified and screened, a trapping mechanism is introduced to generate a trapping strategy. Through the deployed trapping nodes, behavioral feedback information that can reflect real access and supply behavior is obtained. S5; Based on the surveying strategy parameters and behavioral feedback information, dynamically adjust the current surveying strategy to obtain the dynamically adjusted surveying strategy. S6: Based on the dynamically adjusted mapping strategy, perform cyberspace mapping to obtain the cyberspace mapping results of key equipment.
[0023] Specifically, in S1, mapping data from key infrastructure devices is acquired, and active mapping operations are performed on the target network space according to the mapping task parameters configured in the management console. The mapping data from key infrastructure devices includes at least: network IP address and connectivity status, port openness, communication protocol response characteristics, service interaction information, and mapping cycle.
[0024] Based on the mapping task parameters configured in the management console, the mapping server initiates probe requests to various network addresses in the target network. During the probe process, it collects the network IP addresses and connectivity status, port openness, communication protocol response characteristics, and service interaction information of the target key infrastructure devices. The collection process is not a simple connectivity test, but rather combines protocol interaction rules to obtain response fields that can characterize the type and service characteristics of key infrastructure devices. The mapping server stores the collected raw probe results along with the corresponding time information and probe parameters to form the raw dataset for cyberspace mapping.
[0025] Specifically, in S2, the acquired mapping data of key infrastructure equipment is analyzed and processed to identify and screen out suspected key infrastructure equipment, and the mapping data is classified and labeled to obtain the classification and labeling results of different mapping objects.
[0026] After obtaining the raw dataset for cyberspace mapping, the mapping data within the dataset is parsed and processed. Based on pre-established key-based equipment characteristic rules, the communication protocol response features, service interaction information, and service field combinations contained in the mapping data are compared and analyzed to determine whether the mapping data meets specific industrial control protocol characteristics, service response characteristics, or field combination characteristics. The mapping data is then identified and classified, and assets that meet the key-based equipment characteristic rules are marked as suspected key-based equipment. Simultaneously, classification labels and confidence information are generated for different mapping data, resulting in classification labels for different mapping objects. These labels are used for differentiated processing of subsequent mapping strategies, thereby avoiding the application of a uniform mapping method to all assets. The mapping object refers to the network communication entity identified during the mapping process.
[0027] Preferably, the pre-built key-based device characteristic rules include communication protocol characteristics, service fingerprint characteristics, and interaction behavior characteristics.
[0028] Specifically, in S3, the mapping strategy parameters are obtained based on the classification and identification results of different mapping objects.
[0029] 1) Maintain a mapping status record for each mapping object within different mapping cycles, and establish a full lifecycle mapping status record archive. The mapping status record includes at least a set of open ports, a set of protocol types, and service characteristic identifiers; treat the network communication entities that are continuously being mapped as assets, and the assets have identifiable network IP addresses, communication protocol response characteristics, or service interaction characteristics.
[0030] 2) Compare the mapping status records of adjacent mapping periods to obtain the changes in the mapping status records of the mapping object in adjacent periods, and convert the changes into change indicators used to characterize the stability or volatility of the asset; the changes in the mapping status records refer to the set of states in which the network attributes (such as open ports, active services, protocol fingerprints, etc.) of the same mapping object (or network asset) are added, reduced or changed in adjacent mapping periods, which are used to quantify the dynamics of the asset in cyberspace.
[0031] 3) After obtaining the change indicators, combine the classification and identification results of the survey objects, configure differentiated weight parameters for different categories of survey objects, so that the survey objects related to key equipment have a higher priority in subsequent surveys; 4) Based on the aforementioned change indicators and weight parameters, calculate the surveying priority for each surveying object, which is used to uniformly characterize the importance of the surveying object in subsequent surveying tasks; wherein, the calculation method for the surveying priority is as follows: Surveying priority = k * change index * weight parameter, where k is the time decay factor. If an asset remains unchanged for a long time, its priority will slowly decrease over time to avoid resources being occupied by assets that have not changed for a long period of time.
[0032] 5) Map the surveying object to a preset strategy range according to the surveying priority, and generate corresponding surveying strategy parameters, wherein the surveying strategy parameters include at least one or more of surveying order, surveying frequency or surveying depth; The preset strategy ranges include: High-heat areas, with a mapping priority > 0.8, correspond to a "high-frequency + full-scale" strategy. Probes are performed every 15 minutes, covering all ports and deep protocol interactions. In the medium-hot zone, with a mapping priority of 0.3 to 0.8, a "medium frequency + sampling" strategy is employed. Detection is performed once per hour, with a focus on detecting changes at high-risk ports. Low-heat areas have a mapping priority of ≤0.3, corresponding to a "low-frequency + lightweight" strategy. Detection is performed once a day or week, focusing only on survival detection and scanning of key ports.
[0033] 6) Generate dynamic adjustment strategies for subsequent surveying tasks based on the surveying strategy parameters. In the task queue, high-priority assets are prioritized for execution, ensuring that critical changes are detected immediately. After this round of surveying is completed, the new status record will re-enter step 1, forming a closed-loop autonomous system of perception-analysis-decision-execution.
[0034] By employing the above methods, the historical mapping status of the surveyed object directly participates in the generation of subsequent mapping strategies, thereby achieving dynamic adjustments to the mapping process. By comparing mapping status records from adjacent mapping cycles, the dynamic changes of network communication entities can be keenly captured. Simultaneously, by assigning differentiated weights based on asset classification, the calculated mapping priority accurately reflects the real-time risk level and importance of the asset, thus automatically matching the optimal mapping strategy. This not only significantly improves the utilization efficiency of mapping resources but also enhances the predictability and proactivity of network asset management, providing more scientific data support for network security situational awareness.
[0035] Specifically, in S4, for suspected critical devices that have been identified and screened, this invention introduces a decoy mechanism during the cyberspace mapping process to obtain behavioral feedback information that reflects actual access and attack behaviors. The decoy mechanism is implemented collaboratively by the mapping server and one or more decoy nodes, where each decoy node operates as an independent interactive response unit.
[0036] S41: Generate a corresponding trapping strategy based on the mapping data of suspected key-based devices. The trapping strategy includes at least the communication protocol type to be simulated, service interaction process, response field rules, and behavior recording range, and assigns a unique strategy identifier to each trapping strategy.
[0037] S42: The trapping strategy is distributed to the trapping node, so that the trapping node provides an interactive interface consistent with the target protocol or service characteristics at a specified network location.
[0038] S43: After receiving the trapping strategy, the trapping node simulates the corresponding protocol or service interaction process according to the trapping strategy to obtain behavioral feedback information that can reflect the real access and supply behavior. When an external access request (trapping strategy) arrives at the trapping node, the trapping node establishes a communication connection with the accessing party according to the preset interaction rules, and responds to the access request without affecting the real business system, thereby undertaking possible scanning, probing or attack behaviors against key devices.
[0039] Furthermore, during the interaction, the trapping node records the entire external access behavior. The recorded behavioral feedback information includes at least the access source address, access time, access frequency, protocol interaction sequence, request field content, and abnormal interaction characteristics, and also carries the trapping strategy identifier information that triggered the interaction behavior in the record. For access behaviors that do not conform to the normal protocol interaction process, the trapping node will also mark their abnormal type for subsequent analysis.
[0040] Furthermore, after the trapping node transmits the recorded behavioral feedback information back to the mapping server according to a preset data format, it parses and organizes the behavioral feedback information. Based on the trapping strategy identification information, it associates the behavioral feedback information with the corresponding suspected key-based device mapping objects. It further combines the protocol interaction sequence and abnormal interaction characteristics in the behavioral feedback information with the communication protocol response characteristics and service interaction information of the mapping objects for consistency verification, thereby determining the mapping object corresponding to the behavioral feedback information. After completing the association, it extracts behavioral indicators that reflect access patterns, interaction intensity, and abnormal interaction characteristics from the behavioral feedback information. This behavioral feedback information is used as important feedback information in the mapping process to characterize whether the mapping object has received actual access or attack attention, i.e., access or attack attention level.
[0041] In this way, the present invention uses trapping nodes to transform real access behaviors in cyberspace that are difficult to obtain through active scanning into quantifiable and correlated feedback data, so that the mapping process can combine real behavioral signals to correct and optimize the mapping results, rather than relying solely on static scanning information.
[0042] Specifically, in S5, after acquiring behavioral feedback information, a comprehensive analysis is performed on the mapping strategy parameters and the trapping behavioral feedback information. By comparing the exposure changes of different mapping objects over historical periods and their corresponding behavioral feedback results, it is determined whether the current mapping strategy needs to be adjusted.
[0043] When the access or attack attention of a certain type of mapping object exceeds a preset threshold, the priority of that type of mapping object in subsequent mapping tasks will be increased, and the mapping frequency or detection depth will be appropriately increased. When a mapping object remains stable for a long period of time and no abnormal behavior feedback is observed, its mapping frequency will be reduced, thereby reducing resource consumption. Through the above methods, the mapping strategy can be continuously optimized according to changes in the actual network environment, achieving intelligent adjustment.
[0044] Specifically, in S6, after adjusting the mapping strategy, the mapping server of this invention summarizes the data generated in each stage and outputs the final network space mapping results of the key-based devices. The network space mapping results include the network distribution information, service and protocol characteristics, historical changes, and risk identification information associated with the feedback of the trapping behavior of the key-based devices.
[0045] The mapping server provides the above-mentioned cyberspace mapping results to the management console for display and query, and supports retrieval and export according to asset type, protocol category or risk level, thereby providing a reliable basis for security assessment, risk investigation and protection decisions of critical equipment.
[0046] The method proposed in this invention is applicable to scenarios involving the continuous discovery, identification, and risk assessment of critical devices in cyberspace, and is particularly suitable for industries with high requirements for the accuracy, real-time performance, and security of mapping results. Specific application areas include, but are not limited to, the following: 1) Power and energy infrastructure: In this field, the present invention can be used to perform cyberspace mapping on power dispatching systems, substation automation equipment and their communication interfaces, identify their externally exposed protocols and services, and identify potentially risky equipment based on the mapping results, thus providing a supporting basis for the safe operation and maintenance of power systems.
[0047] 2) Traffic and Rail Transit Control: This invention can be applied to cyberspace mapping of rail transit signaling systems and traffic control equipment. By identifying their network exposure characteristics, it can assist management units in understanding the network access status and operating status of key equipment.
[0048] 3) Industrial Manufacturing and Industrial Internet: In industrial manufacturing scenarios, this invention can be used to map industrial control systems, production line control equipment and their network services to form an industrial asset network view, which can be used to support enterprises in carrying out safety assessments and asset management.
[0049] 4) Water conservancy, municipal and public utilities: This invention can be used to perform cyberspace mapping on key equipment such as water monitoring systems and municipal facility monitoring equipment, helping operation and maintenance personnel to identify the network exposure of key equipment and assess its potential security risks.
[0050] 5) Security supervision of critical information infrastructure: In regulatory scenarios, this invention can be used to centrally map the cyberspace status of critical infrastructure equipment within a jurisdiction, forming an asset list and risk overview of critical infrastructure equipment, providing technical support for regulatory inspections and compliance assessments.
[0051] 6) Network security operation and maintenance: This invention can be integrated into a security operation system, continuously mapping key equipment and related assets, dynamically updating asset status information, and providing basic data for daily security operation and maintenance and incident response.
[0052] 7) Network attack and defense drills and security assessments: During attack and defense drills or security assessments, this invention can be used to map key devices in the target network, assess changes in their exposure surface, and analyze the effectiveness of the drills and the defense capabilities.
[0053] In the aforementioned application areas, by introducing the intelligent network space mapping method for key-based devices of this invention, continuous and accurate acquisition of the network exposure status of key-based devices can be achieved. Combined with a dynamic adjustment mechanism during the mapping process, the reliability and practicality of the mapping results are improved. This method helps various industries to more clearly understand the network space distribution of key-based devices, reduce blind spots in security management, and provide effective support for risk assessment and protection decisions.
[0054] Example 2 This embodiment deploys the system using a combination of a surveying platform, a management console, and trap nodes. The surveying platform is responsible for asset detection, identification, intelligent scheduling, result aggregation, and risk correlation; the management console is used to configure strategies, view results, and export reports; and the trap nodes are used to receive and record suspicious access behaviors, providing behavioral feedback for the surveying results.
[0055] I. The server / client division is as follows: Client: Web (World Wide Web) management console (browser) or desktop client; responsible for: policy configuration, task assignment, task viewing, result display, alarm subscription, and report export.
[0056] Server-side: Surveying platform cluster (can be standalone or distributed); responsible for: scanning and fingerprint recognition, key equipment identification and classification, trapping linkage, strategy adaptation, data storage, risk association, and interface services.
[0057] Decoy Nodes: Can be deployed in the DMZ (Demilitarized Zone, a logical buffer network area) / boundary or a designated monitoring segment; Responsibilities include: protocol simulation, interaction recording, log / event reporting, and behavior tag generation. Topology diagram as follows: Figure 2 As shown.
[0058] II. Key Interactions: The client submits mapping tasks (network segment, port / protocol range, frequency, key device priority strategy, etc.) to the server through API (Application Programming Interface).
[0059] The server-side policy engine sends tasks to the scanning executor to perform active probing and return data to the database. If the scan hits a suspected key feature, the server will synchronize the policy to the trapping node (enabling the corresponding protocol simulation / interaction recording). The trapping node accepts external access and returns behavior logs.
[0060] The server integrates "scanning results + trapping behavior feedback" to update asset profiles and risk indicators, which are then displayed in the console.
[0061] III. Module Division This embodiment divides the software implementation into the following modules (all running on the server side, except for the management console): The task orchestration module is used to receive console tasks, generate scanning subtasks, set priorities, and distribute them to executors; The scanning execution module is used to acquire survey data of key infrastructure equipment; The key-based identification and classification module is used to analyze and process the acquired mapping data of key-based devices, identify and screen out suspected key-based devices, and classify and label the mapping data to obtain classification and labeling results for different mapping objects; the mapping objects are network communication entities identified during the mapping process. The surveying strategy generation module is used to obtain surveying strategy parameters based on the classification and identification results of different surveying objects. The trapping linkage and behavior feedback processing module is used to introduce a trapping mechanism to generate a trapping strategy for suspected key devices that have been identified and screened. It obtains behavior feedback information that can reflect real access and supply behavior through the deployed trapping nodes. The intelligent strategy engine module is used to dynamically adjust the current surveying strategy based on the surveying strategy parameters and behavioral feedback information, so as to obtain the dynamically adjusted surveying strategy. The execution module is used to perform cyberspace mapping based on the dynamically adjusted mapping strategy and obtain the cyberspace mapping results of key equipment.
[0062] The data storage and retrieval module includes an asset database, fingerprint database, behavior database, strategy database, task database, and full-text / vector retrieval index; The display and reporting module includes asset view, risk view, trend analysis, and export interface.
[0063] Example 3 like Figure 3 As shown, the present invention also provides an electronic device 100 for a spatial mapping method for a key-based device communication network based on behavioral feedback; the electronic device 100 includes a memory 101, at least one processor 102, a computer program 103 stored in the memory 101 and executable on the at least one processor 102, and at least one communication bus 104.
[0064] The memory 101 can be used to store the computer program 103. The processor 102 implements the steps of the behavior feedback-based spatial mapping method for communication networks of key devices described in Embodiment 1 by running or executing the computer program stored in the memory 101 and calling the data stored in the memory 101. The memory 101 may mainly include a program storage area and a data storage area. The program storage area may store the operating system, at least one application program required for a function (such as sound playback function, image playback function, etc.), etc.; the data storage area may store data created according to the use of the electronic device 100 (such as audio data), etc. In addition, the memory 101 may include non-volatile memory, such as hard disk, memory, plug-in hard disk, smart media card (SMC), secure digital (SD) card, flash card, at least one disk storage device, flash memory device, or other non-volatile solid-state storage device.
[0065] The at least one processor 102 may be a Central Processing Unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The processor 102 may be a microprocessor or any conventional processor. The processor 102 is the control center of the electronic device 100, connecting various parts of the electronic device 100 via various interfaces and lines.
[0066] The memory 101 in the electronic device 100 stores multiple instructions to implement a spatial mapping method for a key-based device communication network based on behavioral feedback, and the processor 102 can execute the multiple instructions to achieve the following: Acquire survey data of key infrastructure equipment; The obtained mapping data of key infrastructure equipment is analyzed and processed to identify and screen suspected key infrastructure equipment, and the mapping data is classified and labeled to obtain the classification and labeling results of different mapping objects. The surveying strategy parameters are obtained based on the classification and identification results of different surveying objects; For suspected key-point devices that have been identified and screened, a trapping mechanism is introduced to generate a trapping strategy. The deployed trapping nodes obtain behavioral feedback information that can reflect the real access and supply behavior. Based on the surveying strategy parameters and behavioral feedback information, the current surveying strategy is dynamically adjusted to obtain the dynamically adjusted surveying strategy. Based on the dynamically adjusted mapping strategy, cyberspace mapping is performed to obtain the cyberspace mapping results of key equipment.
[0067] Example 4 If the modules / units integrated in the electronic device 100 are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, all or part of the processes in the methods of the above embodiments can also be implemented by a computer program instructing related hardware. The computer program can be stored in a computer-readable storage medium, and when executed by a processor, it can implement the steps of the various method embodiments described above. The computer program includes computer program code, which can be in the form of source code, object code, executable files, or certain intermediate forms. The computer-readable medium can include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a portable hard drive, a magnetic disk, an optical disk, a computer memory, and a read-only memory (ROM).
[0068] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0069] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations and / or block diagrams. Figure 1 One or more processes and / or boxes Figure 1A device that provides the functions specified in one or more boxes.
[0070] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.
[0071] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0072] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit it. Although the present invention has been described in detail with reference to the above embodiments, those skilled in the art should understand that modifications or equivalent substitutions can still be made to the specific implementation of the present invention. Any modifications or equivalent substitutions that do not depart from the spirit and scope of the present invention should be covered within the scope of protection of the claims of the present invention.
Claims
1. A spatial mapping method for key-based device communication networks based on behavioral feedback, characterized in that, Includes the following steps: Acquire survey data of key infrastructure equipment; The obtained mapping data of key infrastructure equipment is analyzed and processed to identify and screen suspected key infrastructure equipment, and the mapping data is classified and labeled to obtain the classification and labeling results of different mapping objects; the mapping objects are network communication entities identified in the mapping process. The surveying strategy parameters are obtained based on the classification and identification results of different surveying objects; For suspected key-point devices that have been identified and screened, a trapping mechanism is introduced to generate a trapping strategy. The deployed trapping nodes obtain behavioral feedback information that can reflect the real access and supply behavior. Based on the surveying strategy parameters and behavioral feedback information, the current surveying strategy is dynamically adjusted to obtain the dynamically adjusted surveying strategy. Based on the dynamically adjusted mapping strategy, cyberspace mapping is performed to obtain the cyberspace mapping results of key equipment.
2. The method for spatial mapping of key-based device communication networks based on behavioral feedback according to claim 1, characterized in that, In the step of acquiring the mapping data of the key infrastructure device, the acquired mapping data of the key infrastructure device includes: network IP address and connectivity status, port open status, communication protocol response characteristics, service interaction information, and mapping cycle.
3. The spatial mapping method for key-based device communication networks based on behavioral feedback according to claim 2, characterized in that, The method for parsing and processing the acquired mapping data of key infrastructure equipment, identifying and screening suspected key infrastructure equipment, and classifying and labeling the mapping data to obtain classification and labeling results for different mapping objects is as follows: Based on the pre-established key infrastructure equipment characteristic rules, the communication protocol response characteristics and service interaction information contained in the mapping data are compared and analyzed with the characteristics that meet industrial control requirements to screen out suspected key infrastructure equipment, and the mapping data is classified and labeled to obtain classification and labeling results for different mapping objects.
4. The method for spatial mapping of key-based device communication networks based on behavioral feedback according to claim 1, characterized in that, The method for obtaining surveying strategy parameters based on the classification and identification results of different surveying objects is as follows: For each surveying object, maintain its surveying status record in different surveying cycles, and treat the network communication entity that is continuously surveyed as an asset. The asset has an identifiable network IP address, communication protocol response characteristics, or service interaction characteristics. By comparing the surveying status records of adjacent surveying periods, the changes in the surveying status records of the surveyed object within adjacent periods are obtained, and the changes in the surveying status records are converted into change indicators used to characterize the stability or volatility of assets. After obtaining the change indicators, and combining the classification and identification results of the surveyed objects, differentiated weight parameters are allocated to different categories of assets. Based on the aforementioned change indicators and weight parameters, the mapping priority corresponding to each mapping object is calculated. Based on the surveying priority, the surveying object is mapped to a preset strategy range, and corresponding surveying strategy parameters are generated.
5. The method for spatial mapping of key-based device communication networks based on behavioral feedback according to claim 1, characterized in that, The method for introducing a trapping mechanism to generate a trapping strategy for the identified and screened suspected key-point devices, and obtaining behavioral feedback information that can reflect the actual access and supply behavior through the deployed trapping nodes, is as follows: Based on the mapping data of suspected key equipment, a corresponding trapping strategy is generated; The trapping strategy is distributed to the trapping nodes; After receiving the trapping strategy, the trapping node simulates the corresponding protocol or service interaction process to obtain behavioral feedback information that can reflect the real access and supply behavior.
6. The spatial mapping method for key-based device communication networks based on behavioral feedback according to claim 5, characterized in that, After receiving the trapping strategy, the trapping node simulates the corresponding protocol or service interaction process according to the trapping strategy to obtain behavioral feedback information that can reflect the actual access and supply behavior. The method is as follows: When the trapping strategy reaches the trapping node, the trapping node establishes a communication connection with the access party according to the preset interaction rules. Without affecting the real business system, it responds to the access request, thereby undertaking scanning, probing or attack behavior against key devices.
7. The method for spatial mapping of key-based device communication networks based on behavioral feedback according to claim 6, characterized in that, The method for dynamically adjusting the current surveying strategy based on the surveying strategy parameters and behavioral feedback information to obtain the dynamically adjusted surveying strategy is as follows: When the access or attack attention of a certain type of surveying object exceeds a preset threshold, the priority of that type of surveying object in subsequent surveying tasks is increased, and the surveying frequency or detection depth is increased; when the surveying object remains stable and no abnormal behavior feedback is observed, its surveying frequency is reduced.
8. A spatial mapping system for key-based device communication networks based on behavioral feedback, comprising a spatial mapping method for key-based device communication networks based on behavioral feedback as described in any one of claims 1 to 7, characterized in that, include: The scanning execution module is used to acquire survey data of key infrastructure equipment; The key-based identification and classification module is used to analyze and process the acquired mapping data of key-based devices, identify and screen out suspected key-based devices, and classify and label the mapping data to obtain classification and labeling results for different mapping objects; the mapping objects are network communication entities identified during the mapping process. The surveying strategy generation module is used to obtain surveying strategy parameters based on the classification and identification results of different surveying objects. The trapping linkage and behavior feedback processing module is used to introduce a trapping mechanism to generate a trapping strategy for suspected key devices that have been identified and screened. It obtains behavior feedback information that can reflect real access and supply behavior through the deployed trapping nodes. The intelligent strategy engine module is used to dynamically adjust the current surveying strategy based on the surveying strategy parameters and behavioral feedback information, so as to obtain the dynamically adjusted surveying strategy. The execution module is used to perform cyberspace mapping based on the dynamically adjusted mapping strategy and obtain the cyberspace mapping results of key equipment.
9. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the steps of the spatial mapping method for key-based device communication networks based on behavioral feedback as described in any one of claims 1 to 7.
10. A storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements the steps of the spatial mapping method for key-based device communication networks based on behavioral feedback as described in any one of claims 1 to 7.